From 6e37c1966ff8d6cc15ae660f4f968a70cce9c75d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 11 Oct 2024 00:39:39 +0000 Subject: [PATCH] Added chart versions: codefresh/cf-runtime: - 6.4.3 linkerd/linkerd-control-plane: - 2024.10.2 linkerd/linkerd-crds: - 2024.10.2 minio/minio-operator: - 6.0.4 paravela/chronicle: - 0.1.27 redpanda/redpanda: - 5.9.6 --- assets/codefresh/cf-runtime-6.4.3.tgz | Bin 0 -> 43743 bytes .../linkerd-control-plane-2024.10.1.tgz | Bin 31592 -> 31586 bytes .../linkerd-control-plane-2024.10.2.tgz | Bin 0 -> 31591 bytes assets/linkerd/linkerd-crds-2024.10.2.tgz | Bin 0 -> 113065 bytes assets/minio/minio-operator-6.0.4.tgz | Bin 0 -> 24348 bytes assets/redpanda/redpanda-5.9.6.tgz | Bin 0 -> 409161 bytes charts/codefresh/cf-runtime/6.4.3/.helmignore | 3 + charts/codefresh/cf-runtime/6.4.3/Chart.yaml | 28 + charts/codefresh/cf-runtime/6.4.3/README.md | 1230 + .../cf-runtime/6.4.3/README.md.gotmpl | 1007 + .../cf-runtime/6.4.3/files/cleanup-runtime.sh | 37 + .../6.4.3/files/configure-dind-certs.sh | 132 + .../cf-runtime/6.4.3/files/init-runtime.sh | 80 + .../6.4.3/files/reconcile-runtime.sh | 38 + .../_components/app-proxy/_deployment.yaml | 70 + .../_components/app-proxy/_env-vars.yaml | 19 + .../_components/app-proxy/_helpers.tpl | 43 + .../_components/app-proxy/_ingress.yaml | 32 + .../_components/app-proxy/_rbac.yaml | 47 + .../_components/app-proxy/_service.yaml | 17 + .../event-exporter/_deployment.yaml | 62 + .../_components/event-exporter/_env-vars.yaml | 14 + .../_components/event-exporter/_helpers.tpl | 43 + .../_components/event-exporter/_rbac.yaml | 47 + .../_components/event-exporter/_service.yaml | 17 + .../event-exporter/_serviceMontor.yaml | 14 + .../_components/monitor/_deployment.yaml | 70 + .../_components/monitor/_env-vars.yaml | 26 + .../_components/monitor/_helpers.tpl | 42 + .../templates/_components/monitor/_rbac.yaml | 56 + .../_components/monitor/_service.yaml | 17 + .../_components/runner/_deployment.yaml | 103 + .../templates/_components/runner/_helpers.tpl | 42 + .../templates/_components/runner/_rbac.yaml | 53 + .../_init-container.yaml | 30 + .../_main-container.yaml | 28 + .../_sidecar-container.yaml | 22 + .../volume-provisioner/_cronjob.yaml | 58 + .../volume-provisioner/_daemonset.yaml | 98 + .../volume-provisioner/_deployment.yaml | 67 + .../volume-provisioner/_env-vars.yaml | 88 + .../volume-provisioner/_helpers.tpl | 93 + .../_components/volume-provisioner/_rbac.yaml | 71 + .../volume-provisioner/_secret.yaml | 22 + .../volume-provisioner/_storageclass.yaml | 47 + .../cf-runtime/6.4.3/templates/_helpers.tpl | 51 + .../6.4.3/templates/app-proxy/deployment.yaml | 9 + .../6.4.3/templates/app-proxy/ingress.yaml | 9 + .../6.4.3/templates/app-proxy/rbac.yaml | 9 + .../6.4.3/templates/app-proxy/service.yaml | 9 + .../templates/event-exporter/deployment.yaml | 9 + .../6.4.3/templates/event-exporter/rbac.yaml | 9 + .../templates/event-exporter/service.yaml | 11 + .../templates/extra/extra-resources.yaml | 6 + .../templates/extra/runtime-images-cm.yaml | 19 + .../hooks/post-install/cm-update-runtime.yaml | 18 + .../hooks/post-install/job-gencerts-dind.yaml | 68 + .../post-install/job-update-runtime.yaml | 77 + .../post-install/rbac-gencerts-dind.yaml | 37 + .../pre-delete/job-cleanup-resources.yaml | 73 + .../pre-delete/rbac-cleanup-resources.yaml | 46 + .../6.4.3/templates/monitor/deployment.yaml | 9 + .../6.4.3/templates/monitor/rbac.yaml | 9 + .../6.4.3/templates/monitor/service.yaml | 9 + .../templates/other/external-secrets.yaml | 2 + .../6.4.3/templates/other/podMonitor.yaml | 2 + .../6.4.3/templates/other/serviceMonitor.yaml | 2 + .../6.4.3/templates/runner/deployment.yaml | 9 + .../6.4.3/templates/runner/rbac.yaml | 9 + .../6.4.3/templates/runtime/_helpers.tpl | 123 + .../templates/runtime/cm-dind-daemon.yaml | 10 + .../6.4.3/templates/runtime/rbac.yaml | 48 + .../runtime/runtime-env-spec-tmpl.yaml | 214 + .../6.4.3/templates/runtime/secret.yaml | 11 + .../6.4.3/templates/runtime/svc-dind.yaml | 16 + .../templates/volume-provisioner/cronjob.yaml | 11 + .../volume-provisioner/daemonset.yaml | 11 + .../volume-provisioner/deployment.yaml | 10 + .../templates/volume-provisioner/rbac.yaml | 9 + .../templates/volume-provisioner/secret.yaml | 10 + .../volume-provisioner/storageclass.yaml | 10 + charts/codefresh/cf-runtime/6.4.3/values.yaml | 951 + .../2024.10.1/Chart.yaml | 1 - .../2024.10.2/.helmignore | 22 + .../2024.10.2/Chart.lock | 6 + .../2024.10.2/Chart.yaml | 29 + .../linkerd-control-plane/2024.10.2/README.md | 321 + .../2024.10.2/README.md.gotmpl | 133 + .../2024.10.2/app-readme.md | 14 + .../2024.10.2/charts/partials/.helmignore | 21 + .../2024.10.2/charts/partials/Chart.yaml | 5 + .../2024.10.2/charts/partials/README.md | 9 + .../charts/partials/README.md.gotmpl | 14 + .../charts/partials/templates/NOTES.txt | 0 .../charts/partials/templates/_affinity.tpl | 38 + .../partials/templates/_capabilities.tpl | 16 + .../charts/partials/templates/_debug.tpl | 15 + .../charts/partials/templates/_helpers.tpl | 14 + .../charts/partials/templates/_metadata.tpl | 17 + .../partials/templates/_network-validator.tpl | 45 + .../partials/templates/_nodeselector.tpl | 4 + .../partials/templates/_proxy-config-ann.tpl | 18 + .../charts/partials/templates/_proxy-init.tpl | 98 + .../charts/partials/templates/_proxy.tpl | 271 + .../partials/templates/_pull-secrets.tpl | 6 + .../charts/partials/templates/_resources.tpl | 28 + .../partials/templates/_tolerations.tpl | 4 + .../charts/partials/templates/_trace.tpl | 5 + .../charts/partials/templates/_validate.tpl | 19 + .../charts/partials/templates/_volumes.tpl | 20 + .../2024.10.2/charts/partials/values.yaml | 0 .../2024.10.2/questions.yaml | 19 + .../2024.10.2/templates/NOTES.txt | 19 + .../2024.10.2/templates/config-rbac.yaml | 16 + .../2024.10.2/templates/config.yaml | 39 + .../2024.10.2/templates/destination-rbac.yaml | 327 + .../2024.10.2/templates/destination.yaml | 435 + .../2024.10.2/templates/heartbeat-rbac.yaml | 78 + .../2024.10.2/templates/heartbeat.yaml | 94 + .../2024.10.2/templates/identity-rbac.yaml | 49 + .../2024.10.2/templates/identity.yaml | 272 + .../2024.10.2/templates/namespace.yaml | 18 + .../2024.10.2/templates/podmonitor.yaml | 128 + .../templates/proxy-injector-rbac.yaml | 120 + .../2024.10.2/templates/proxy-injector.yaml | 222 + .../2024.10.2/templates/psp.yaml | 119 + .../2024.10.2/values-ha.yaml | 63 + .../2024.10.2/values.yaml | 664 + .../linkerd-crds/2024.10.2/.helmignore | 22 + .../linkerd/linkerd-crds/2024.10.2/Chart.lock | 6 + .../linkerd/linkerd-crds/2024.10.2/Chart.yaml | 26 + .../linkerd/linkerd-crds/2024.10.2/README.md | 71 + .../linkerd-crds/2024.10.2/README.md.gotmpl | 59 + .../linkerd-crds/2024.10.2/app-readme.md | 9 + .../2024.10.2/charts/partials/.helmignore | 21 + .../2024.10.2/charts/partials/Chart.yaml | 5 + .../2024.10.2/charts/partials/README.md | 9 + .../charts/partials/README.md.gotmpl | 14 + .../charts/partials/templates/NOTES.txt | 0 .../charts/partials/templates/_affinity.tpl | 38 + .../partials/templates/_capabilities.tpl | 16 + .../charts/partials/templates/_debug.tpl | 15 + .../charts/partials/templates/_helpers.tpl | 14 + .../charts/partials/templates/_metadata.tpl | 17 + .../partials/templates/_network-validator.tpl | 45 + .../partials/templates/_nodeselector.tpl | 4 + .../partials/templates/_proxy-config-ann.tpl | 18 + .../charts/partials/templates/_proxy-init.tpl | 98 + .../charts/partials/templates/_proxy.tpl | 271 + .../partials/templates/_pull-secrets.tpl | 6 + .../charts/partials/templates/_resources.tpl | 28 + .../partials/templates/_tolerations.tpl | 4 + .../charts/partials/templates/_trace.tpl | 5 + .../charts/partials/templates/_validate.tpl | 19 + .../charts/partials/templates/_volumes.tpl | 20 + .../2024.10.2/charts/partials/values.yaml | 0 .../2024.10.2/templates/NOTES.txt | 6 + .../gateway.networking.k8s.io_grpcroutes.yaml | 1507 + .../gateway.networking.k8s.io_httproutes.yaml | 3881 +++ .../policy/authorization-policy.yaml | 99 + .../2024.10.2/templates/policy/httproute.yaml | 5328 ++++ .../policy/meshtls-authentication.yaml | 87 + .../policy/network-authentication.yaml | 53 + .../policy/server-authorization.yaml | 266 + .../2024.10.2/templates/policy/server.yaml | 319 + .../2024.10.2/templates/serviceprofile.yaml | 274 + .../templates/workload/external-workload.yaml | 303 + .../linkerd-crds/2024.10.2/values.yaml | 1 + charts/minio/minio-operator/6.0.4/.helmignore | 22 + charts/minio/minio-operator/6.0.4/Chart.yaml | 23 + charts/minio/minio-operator/6.0.4/README.md | 45 + .../minio/minio-operator/6.0.4/app-readme.md | 78 + .../6.0.4/templates/_helpers.tpl | 37 + .../6.0.4/templates/job.min.io_jobs.yaml | 1203 + .../6.0.4/templates/minio.min.io_tenants.yaml | 5673 ++++ .../6.0.4/templates/operator-clusterrole.yaml | 183 + .../operator-clusterrolebinding.yaml | 13 + .../6.0.4/templates/operator-deployment.yaml | 67 + .../6.0.4/templates/operator-service.yaml | 14 + .../templates/operator-serviceaccount.yaml | 10 + .../6.0.4/templates/sts-service.yaml | 12 + .../templates/sts.min.io_policybindings.yaml | 133 + charts/minio/minio-operator/6.0.4/values.yaml | 187 + charts/redpanda/redpanda/5.9.6/.helmignore | 28 + charts/redpanda/redpanda/5.9.6/Chart.lock | 9 + charts/redpanda/redpanda/5.9.6/Chart.yaml | 38 + charts/redpanda/redpanda/5.9.6/LICENSE | 201 + charts/redpanda/redpanda/5.9.6/README.md | 1214 + .../5.9.6/charts/connectors/.helmignore | 29 + .../5.9.6/charts/connectors/Chart.yaml | 25 + .../redpanda/5.9.6/charts/connectors/LICENSE | 201 + .../5.9.6/charts/connectors/README.md | 574 + .../connectors/templates/_deployment.go.tpl | 136 + .../connectors/templates/_helpers.go.tpl | 131 + .../charts/connectors/templates/_helpers.tpl | 79 + .../connectors/templates/_pod-monitor.go.tpl | 18 + .../connectors/templates/_service.go.tpl | 20 + .../templates/_serviceaccount.go.tpl | 18 + .../charts/connectors/templates/_shims.tpl | 289 + .../connectors/templates/_values.go.tpl | 15 + .../connectors/templates/deployment.yaml | 17 + .../connectors/templates/pod-monitor.yaml | 17 + .../charts/connectors/templates/service.yaml | 17 + .../connectors/templates/serviceaccount.yaml | 17 + .../templates/tests/01-mm2-values.yaml | 176 + .../5.9.6/charts/connectors/values.yaml | 311 + .../redpanda/5.9.6/charts/console/.helmignore | 24 + .../redpanda/5.9.6/charts/console/Chart.yaml | 23 + .../redpanda/5.9.6/charts/console/README.md | 353 + .../5.9.6/charts/console/chart_test.go | 158 + .../5.9.6/charts/console/configmap.go | 61 + .../5.9.6/charts/console/deployment.go | 535 + .../console/examples/console-enterprise.yaml | 94 + .../redpanda/5.9.6/charts/console/helpers.go | 84 + .../redpanda/5.9.6/charts/console/hpa.go | 82 + .../redpanda/5.9.6/charts/console/ingress.go | 88 + .../redpanda/5.9.6/charts/console/notes.go | 67 + .../redpanda/5.9.6/charts/console/secret.go | 84 + .../redpanda/5.9.6/charts/console/service.go | 60 + .../5.9.6/charts/console/serviceaccount.go | 60 + .../5.9.6/charts/console/templates/NOTES.txt | 20 + .../console/templates/_configmap.go.tpl | 25 + .../console/templates/_deployment.go.tpl | 133 + .../charts/console/templates/_helpers.go.tpl | 82 + .../charts/console/templates/_helpers.tpl | 25 + .../charts/console/templates/_hpa.go.tpl | 25 + .../charts/console/templates/_ingress.go.tpl | 46 + .../charts/console/templates/_notes.go.tpl | 40 + .../charts/console/templates/_secret.go.tpl | 22 + .../charts/console/templates/_service.go.tpl | 20 + .../console/templates/_serviceaccount.go.tpl | 39 + .../5.9.6/charts/console/templates/_shims.tpl | 289 + .../charts/console/templates/configmap.yaml | 17 + .../charts/console/templates/deployment.yaml | 17 + .../5.9.6/charts/console/templates/hpa.yaml | 17 + .../charts/console/templates/ingress.yaml | 17 + .../charts/console/templates/secret.yaml | 17 + .../charts/console/templates/service.yaml | 17 + .../console/templates/serviceaccount.yaml | 17 + .../templates/tests/test-connection.yaml | 22 + .../testdata/template-cases-generated.txtar | 22208 ++++++++++++++ .../testdata/template-cases.golden.txtar | 24705 ++++++++++++++++ .../console/testdata/template-cases.txtar | 136 + .../redpanda/5.9.6/charts/console/values.go | 215 + .../5.9.6/charts/console/values.schema.json | 323 + .../redpanda/5.9.6/charts/console/values.yaml | 279 + .../charts/console/values_partial.gen.go | 206 + .../redpanda/5.9.6/templates/NOTES.txt | 26 + .../5.9.6/templates/_cert-issuers.go.tpl | 57 + .../redpanda/5.9.6/templates/_certs.go.tpl | 71 + .../redpanda/5.9.6/templates/_chart.go.tpl | 61 + .../5.9.6/templates/_configmap.go.tpl | 504 + .../redpanda/5.9.6/templates/_console.go.tpl | 60 + .../5.9.6/templates/_example-commands.tpl | 58 + .../redpanda/5.9.6/templates/_helpers.go.tpl | 535 + .../redpanda/5.9.6/templates/_helpers.tpl | 368 + .../redpanda/5.9.6/templates/_memory.go.tpl | 63 + .../redpanda/5.9.6/templates/_notes.go.tpl | 167 + .../templates/_poddisruptionbudget.go.tpl | 21 + .../_post-install-upgrade-job.go.tpl | 123 + .../5.9.6/templates/_post_upgrade_job.go.tpl | 87 + .../redpanda/5.9.6/templates/_rbac.go.tpl | 116 + .../redpanda/5.9.6/templates/_secrets.go.tpl | 423 + .../5.9.6/templates/_service.internal.go.tpl | 38 + .../templates/_service.loadbalancer.go.tpl | 101 + .../5.9.6/templates/_service.nodeport.go.tpl | 80 + .../5.9.6/templates/_serviceaccount.go.tpl | 18 + .../5.9.6/templates/_servicemonitor.go.tpl | 26 + .../redpanda/5.9.6/templates/_shims.tpl | 289 + .../5.9.6/templates/_statefulset.go.tpl | 712 + .../redpanda/5.9.6/templates/_values.go.tpl | 1326 + .../templates/connectors/connectors.yaml | 109 + .../console/configmap-and-deployment.yaml | 239 + .../redpanda/5.9.6/templates/entry-point.yaml | 17 + .../templates/tests/test-api-status.yaml | 52 + .../templates/tests/test-auditLogging.yaml | 86 + .../tests/test-connector-via-console.yaml | 166 + .../5.9.6/templates/tests/test-console.yaml | 49 + .../test-internal-external-tls-secrets.yaml | 122 + .../tests/test-kafka-internal-tls-status.yaml | 62 + .../templates/tests/test-kafka-nodelete.yaml | 100 + .../tests/test-kafka-produce-consume.yaml | 83 + .../tests/test-kafka-sasl-status.yaml | 79 + .../tests/test-license-with-console.yaml | 61 + .../tests/test-lifecycle-scripts.yaml | 66 + .../tests/test-loadbalancer-tls.yaml | 173 + .../templates/tests/test-nodeport-tls.yaml | 173 + .../test-pandaproxy-internal-tls-status.yaml | 81 + .../tests/test-pandaproxy-status.yaml | 72 + .../tests/test-prometheus-targets.yaml | 84 + .../templates/tests/test-rack-awareness.yaml | 61 + .../tests/test-rpk-debug-bundle.yaml | 104 + .../templates/tests/test-sasl-updated.yaml | 71 + .../redpanda/5.9.6/values.schema.json | 5845 ++++ charts/redpanda/redpanda/5.9.6/values.yaml | 1131 + index.yaml | 167 +- 296 files changed, 99429 insertions(+), 3 deletions(-) create mode 100644 assets/codefresh/cf-runtime-6.4.3.tgz create mode 100644 assets/linkerd/linkerd-control-plane-2024.10.2.tgz create mode 100644 assets/linkerd/linkerd-crds-2024.10.2.tgz create mode 100644 assets/minio/minio-operator-6.0.4.tgz create mode 100644 assets/redpanda/redpanda-5.9.6.tgz create mode 100644 charts/codefresh/cf-runtime/6.4.3/.helmignore create mode 100644 charts/codefresh/cf-runtime/6.4.3/Chart.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/README.md create mode 100644 charts/codefresh/cf-runtime/6.4.3/README.md.gotmpl create mode 100644 charts/codefresh/cf-runtime/6.4.3/files/cleanup-runtime.sh create mode 100644 charts/codefresh/cf-runtime/6.4.3/files/configure-dind-certs.sh create mode 100644 charts/codefresh/cf-runtime/6.4.3/files/init-runtime.sh create mode 100644 charts/codefresh/cf-runtime/6.4.3/files/reconcile-runtime.sh create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_env-vars.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_ingress.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_service.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_env-vars.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_service.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_serviceMontor.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_env-vars.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_service.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_init-container.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_main-container.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_sidecar-container.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_cronjob.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_daemonset.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_env-vars.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_secret.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_storageclass.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/ingress.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/service.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/service.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/extra/extra-resources.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/extra/runtime-images-cm.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/cm-update-runtime.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/job-gencerts-dind.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/job-update-runtime.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/rbac-gencerts-dind.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/hooks/pre-delete/job-cleanup-resources.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/hooks/pre-delete/rbac-cleanup-resources.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/monitor/deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/monitor/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/monitor/service.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/other/external-secrets.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/other/podMonitor.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/other/serviceMonitor.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/runner/deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/runner/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/runtime/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/runtime/cm-dind-daemon.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/runtime/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/runtime/runtime-env-spec-tmpl.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/runtime/secret.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/runtime/svc-dind.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/cronjob.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/daemonset.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/secret.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/storageclass.yaml create mode 100644 charts/codefresh/cf-runtime/6.4.3/values.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/.helmignore create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/Chart.lock create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/Chart.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/README.md create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/README.md.gotmpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/app-readme.md create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/.helmignore create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/Chart.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/README.md create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/README.md.gotmpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/NOTES.txt create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_affinity.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_capabilities.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_debug.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_helpers.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_metadata.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_network-validator.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_nodeselector.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy-config-ann.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy-init.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_pull-secrets.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_resources.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_tolerations.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_trace.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_validate.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_volumes.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/values.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/questions.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/NOTES.txt create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/config-rbac.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/config.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/destination-rbac.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/destination.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/heartbeat-rbac.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/heartbeat.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/identity-rbac.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/identity.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/namespace.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/podmonitor.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/proxy-injector-rbac.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/proxy-injector.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/templates/psp.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/values-ha.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.10.2/values.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/.helmignore create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/Chart.lock create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/Chart.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/README.md create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/README.md.gotmpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/app-readme.md create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/.helmignore create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/Chart.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/README.md create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/README.md.gotmpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/NOTES.txt create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_affinity.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_capabilities.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_debug.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_helpers.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_metadata.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_network-validator.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_nodeselector.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy-config-ann.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy-init.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_pull-secrets.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_resources.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_tolerations.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_trace.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_validate.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_volumes.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/charts/partials/values.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/NOTES.txt create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/gateway.networking.k8s.io_grpcroutes.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/gateway.networking.k8s.io_httproutes.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/policy/authorization-policy.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/policy/httproute.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/policy/meshtls-authentication.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/policy/network-authentication.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/policy/server-authorization.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/policy/server.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/serviceprofile.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/templates/workload/external-workload.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.10.2/values.yaml create mode 100644 charts/minio/minio-operator/6.0.4/.helmignore create mode 100644 charts/minio/minio-operator/6.0.4/Chart.yaml create mode 100644 charts/minio/minio-operator/6.0.4/README.md create mode 100644 charts/minio/minio-operator/6.0.4/app-readme.md create mode 100644 charts/minio/minio-operator/6.0.4/templates/_helpers.tpl create mode 100644 charts/minio/minio-operator/6.0.4/templates/job.min.io_jobs.yaml create mode 100644 charts/minio/minio-operator/6.0.4/templates/minio.min.io_tenants.yaml create mode 100644 charts/minio/minio-operator/6.0.4/templates/operator-clusterrole.yaml create mode 100644 charts/minio/minio-operator/6.0.4/templates/operator-clusterrolebinding.yaml create mode 100644 charts/minio/minio-operator/6.0.4/templates/operator-deployment.yaml create mode 100644 charts/minio/minio-operator/6.0.4/templates/operator-service.yaml create mode 100644 charts/minio/minio-operator/6.0.4/templates/operator-serviceaccount.yaml create mode 100644 charts/minio/minio-operator/6.0.4/templates/sts-service.yaml create mode 100644 charts/minio/minio-operator/6.0.4/templates/sts.min.io_policybindings.yaml create mode 100644 charts/minio/minio-operator/6.0.4/values.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/.helmignore create mode 100644 charts/redpanda/redpanda/5.9.6/Chart.lock create mode 100644 charts/redpanda/redpanda/5.9.6/Chart.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/LICENSE create mode 100644 charts/redpanda/redpanda/5.9.6/README.md create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/.helmignore create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/Chart.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/LICENSE create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/README.md create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_deployment.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_helpers.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_helpers.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_pod-monitor.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_service.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_serviceaccount.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_shims.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_values.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/deployment.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/pod-monitor.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/service.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/serviceaccount.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/templates/tests/01-mm2-values.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/connectors/values.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/.helmignore create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/Chart.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/README.md create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/chart_test.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/configmap.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/deployment.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/examples/console-enterprise.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/helpers.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/hpa.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/ingress.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/notes.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/secret.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/service.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/serviceaccount.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/NOTES.txt create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_configmap.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_deployment.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_helpers.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_helpers.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_hpa.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_ingress.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_notes.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_secret.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_service.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_serviceaccount.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/_shims.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/configmap.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/deployment.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/hpa.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/ingress.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/secret.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/service.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/serviceaccount.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/templates/tests/test-connection.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases-generated.txtar create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases.golden.txtar create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases.txtar create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/values.go create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/values.schema.json create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/values.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/charts/console/values_partial.gen.go create mode 100644 charts/redpanda/redpanda/5.9.6/templates/NOTES.txt create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_cert-issuers.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_certs.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_chart.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_configmap.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_console.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_example-commands.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_helpers.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_helpers.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_memory.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_notes.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_poddisruptionbudget.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_post-install-upgrade-job.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_post_upgrade_job.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_rbac.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_secrets.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_service.internal.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_service.loadbalancer.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_service.nodeport.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_serviceaccount.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_servicemonitor.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_shims.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_statefulset.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/_values.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.6/templates/connectors/connectors.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/console/configmap-and-deployment.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/entry-point.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-api-status.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-auditLogging.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-connector-via-console.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-console.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-internal-external-tls-secrets.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-internal-tls-status.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-nodelete.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-produce-consume.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-sasl-status.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-license-with-console.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-lifecycle-scripts.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-loadbalancer-tls.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-nodeport-tls.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-pandaproxy-internal-tls-status.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-pandaproxy-status.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-prometheus-targets.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-rack-awareness.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-rpk-debug-bundle.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/templates/tests/test-sasl-updated.yaml create mode 100644 charts/redpanda/redpanda/5.9.6/values.schema.json create mode 100644 charts/redpanda/redpanda/5.9.6/values.yaml diff --git a/assets/codefresh/cf-runtime-6.4.3.tgz b/assets/codefresh/cf-runtime-6.4.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..8b6d8ab477b9b736ce88ace7ae84149827451545 GIT binary patch literal 43743 zcmV*RKwiHeiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwia@#o5Fp9pvbrl$8z8c$aNF97gM*ErBuOcgsCO+tsZ*7bZhux?=$P9#Wz5+&QRlZa0}8H)rOjRw%@ zZZx{>krB+i5KUpFHL-%woLf`(KkoObR;$&cg9G;8YPFjFZ|z|J;6G{yFRJzGi`ssz z{vXxae*K{KAE0{Acxay)39aBis&{TH-MO#iu{;llR*0}i8YKX%AVed}4kxo~6XA+I zvAi)P4e(D1000bdgFL4J2()Jb3g_%401hN}fP4z10m?Jqu|njH0rbYmgTV3}U}G<| zkOu?c;_(;;;3Enr5g0H+pCBn~n&;I>UlhEgpeZ`#k>wIdYuHw3xp-{aRv5aFRe}@< zf=&bYRuFnH&=zwL@m*_fc-9m)Knpu?6hJc3mc5x>L*o_(g!S;JUw^5YwUg*ccu0Jc%1Qu%9U z%{gHNx^#qskdy$3(5srYBePmc3`!Hcf$kKr!eE4hxWAw`^C*cXn6^F%L!UG%F?`xs z3E33J2)VFPsaS--kW}b9Qi*$K`rf#71Lq%c;IQsQAW8-ZcpH?A?=)1LT1ZR}l@Q8^ z%mP<~n}M)7Mslu{GV~^R7TBD&vaTp@<7om+CRlY&kB$R_~S!K!n*980z6W9a@V!O5e}wcCxCy= zPyn4DcIjRt3%tQ3Y=Cma)l8LNM<`wr7=RGpKo1}f_%0hD_$iE`0yF|woFFlX0jvxS1ndw9L9^QdZ{eKq%4f(!Q_E#< zZ{Qpd8~b!q=R1+n@knU7E|W=i0%$q^`7uBt+y=-jxlU&27#eJkx z1DrFcn8`twEBe?O$pL!KSk?%;F8)ZznWGFCSG$H_MxX<(K7R)0JH9zaBhGRD@?}Ur z_BhKkX=B8D4etLO7}qdw4e_?{zlN|;d)V7)C+-@z8{H?*`8E92`uW< zal6}Vx0-|Yu^1u^i{h|<_~8d|cG(|*S8WRV7CC&~P0={uD#j?lQ}8cvWPTE|t&rd( z?K2D@r}4Fz!M!4xVGG&WvJyw26%3Ag4pU$y1Y3Bf5{C0haFv=ZiLLMoAdiI5a!L-{ z0TWx~VsK(^#1I0=`JkNfR81_fk#nUY+Q{3Ub?rhffpB#L0Lb1s4G;!1C=2%K{ydvr z!+>tOK6VIKwOnLdq(zxj1Jt4o!ygBh0|5yGD}-aZl{5Vo_Qi_^(}Bae4;!F|T^D&{ zuBEEY`Pc!9qFn;?O;gdlqkTYBV6>KE18*XTC@hpf@itZwW2I22GYm6p+yFJRRyFHU z3mp%Iu}V&x@leQHQ5wu^GOtnFMdCYavueIPG^<8{ap*!qN&?+TDdR<5G(}2U9(K+L?cTfQX#?z6t10rU6Rznvz;YbKHx~*E+*$!Caj+R)B-)}Z<@bx;+t;TT zzYl4Xm%U#5y!E~T4y)i97)+qD%0A-YX5`|Jzz!gr^2{m}!eEL#{yVhD4PmQSZ~)u# zz{K(#7qYFv3M|)!t_hAgFCbKTIIJqGCb&g5j3gU{fdD}GNAZnQiq&dSbfEk$g%tLk zVG1MGAu34KBVC2@U{=hFx5=2klD6quNu~hQ--#jWy=u0ST?(!(JKGUfE*j+p{h(uR z&q#=;Aed3Mi8<%QE-yr1CY2P*mLh|llpN@4p!Iz0uyT4%&Dfo^;kAV5mRu?kcEQYR z5-O%QK&@J>*5a2Z0iOBl+fnjWL@Q`H$b*E??f4o}Tt{d;3#25Pk7Xchc4)>gJ+>qS|zyT zbZohBURg>nV|81@Y-YO94l(6y^mkwUOqUI@3xjCtDZkjLD+R65h<284eezFbzkY|^ z*%X21~`BF#Nd0BW&l8ubs!-$sOc5hL#x7*1mseR`1Tr2XA`q z=5gn|-S0QRL56{M-?ie&NLPFgVvKG30j6_3pKl+0<7}J55M<``)%PV`S$PcrydkDF zwf@GQ^^q`}HD%9+6;O?a{%d_C4P;Fljej*;t&7X^!LW1uYl9Z5{HxPE8}=?v+r#tb zS^L-W_q~(sSET@?Y$VakQR21(-mc|*!pvCjVbmh)3^f17Mx;_@hEk4 zpMf10+mpz+pO&Wee`A9*nP#0F{Kti6neI86!= zt?<j3f3&dd|F?rbAnCNnSTXZ0rq~w*O^%jKZP*x)|%MKCLVZli&j$8+pK2h z6IDTHK>$5_-o-Am=MC^02iM5q@}n5@1}N`UYE`hu|5sLp%hAmJ4PTQth;W4VBMBBd zi4QeVi}=t>=&ARz+C~`;o5OhZJX*Vo5==0?tk~xA4D>@BSYxQn6t=5qq^G?3K{$kl z%89Qn`v!WB0K-H>uye(D>Q&_mUK9SWVH0#!xfXzU(v7 z61Bx0WI_{MiGG^`%U^i!_)3zd|C`x03_KV@!n`N2O)7N8LO&!GQNJRZtUQZ*nYR#G z2}SInq!1+bt#Bf-o?xPqNM(3d0KM=S1r1QSwStO^t}EIVNVFt_DVkXy34qrG&=Dhf zbm60|dCNvWNiQn1ap{eTZt$8^65kUCDU6)#AEcaqDYhSO(yTnQJ`zK;8!?!|`YpUB zDT=pW^-~jj?APfu_V=$UR|waxcH<+NU4{B$N{;<{IS(QM)~$tH>l(RK(EA&EFbzvB z@ZZ>@5NE`I772}-r2rO6A@uBE&dxyMvyffEN7)z3h+@|u1*^AbeYN%toU@~^B#@ga zc?;+936)a6`FnrZY_;0`{_t)4{jhVK!&%ZGQzxbCjd_l$W%%)y&#B2afw&7X`4${y zq&sG&L1_*qQp!zU;YgWbx>fXxNyqd!Qim6iLhp*pwY!iOiV}>L4zs_M!>} zD6T+K*g^Ua5@Z33*bwhLu!N&>oC^`uyg$T3GGao-wfhsHvfcY^2gGm(X_cQAgFhK3-xs){M z>u?g_*?8j5LXM}3<{Jo z9ivvau8sWz+c6H0;K-ow5075F{JCmf$K*+Jo3rS{25sntf#uc=JI4&j$?%Vn zF#7=jKBr%RGMx$K1}F;vLt%<6KhGBR1NU6%%xmwGj6?46y4$C+*`wkOR%w>8<@K zgq{;wZn+hrB4$TrGQSRxQ@MFbhA#d%j1FiMzI)0=j8gip%;wK!!~|V%JhMZY)`e%V zB~2i}o;%-_Dme2Rla6c2gIIk%b_VLT_^gyvWiChJT@fHnLeSWg$8YQiQ4Z#gi%1CY zC_0-%4s$b>WfNWNCM|=<$U6o*-12Q8&)|RUvP0e->&60Q(Mp-V+BJp!IK?FCD{d?{ z@564a8j9;jX3ab>YG(bV`GPh%BM@A z&gdM6-2f6OPE(VejHVs$XvUc<^2-9=Eb>%Jdw4OYtb=NG8oiOuTQ93s;k*@}mnj}X z%IfFYoRIk>yqnCbi}{4BLumZsNnvr*WGuig-M@y z9w<$;xSy^cz!CanDqr71==0-^D_{{I*vAjx7<)g3f=~SrmFGv%$`C0H$Q{{sEkamH zwVf7&1TM}`-vcxPb36kcgbrOVbmk;0pI;2p%rD2$fbI0WZi`msTmDagi)JK2Qef;PIrOSf=vJQ!30+j~$U=0%eU~L#aTN_aW z>?L=4i4Q4MS9||C!itx?;6vxq&mav02jNBFP&VizAG*kcLzEeJb*GK{s@uCkw12C! zGqX_xu~{eR6LmX;9^ao{ILYOxaV;^0{WbDGJichXZTE)l^X9A5_AvGX9(FHJPlx^1 zoAz0ASQ~cEnkVh_o~7}y5i3-GE|sX{TG!Bx%b&8J*`kRveO_97;-ou@*PKJ?j`jt2 z%AD@2lC?O_3zRh+y*tnNqHvdqq!S8d=)PoyDIrank$l6CL2+J0>7L+4tiX)GfSYV| z(ggez29`ALN9FlEPD_t+k5o%UB4Pl?cIb-j)`+%9MTF!mP+v|d#%%>j*%O6uni5B& zGk24N;)a?(2@}YYDxGhIlZJ2^G&3c5d*{WF13;P}mJyTdC~1F0-4@}114zkX`2$Y z?nlZ}Rz&O{|Kh-`?XM&f#dq3mJe^veSc&3?M9l!6KaKtlW?u9+39TRnvao=al%{Gr zX{uI#8M(r1Ww2URSFK(>czLffDwtI&65=Xh1OUCW8FFsz+U%<7u|k7gb^{YPZ~9|Zc0j=bOyuL>Bae?p&c1x z6dJb6+=y#cld3tc$s(EPc{}io-e&^(z*B#P7mjSXd)yxgHd=2_13>tOw zz^oef$gKagy7(wAD1|V%wOp#W*b`{qaMQ&nXj85k&X{X4eU)C0c}u$e?{;h0ded&b zjc&yZ&-w{(K-Tbpd*g$T6XZhRVC0Pzw`Xoa5m&w)=5Lu?C%yLnylnRe!$Ie)eQ`Np zP3%`wZFEMUOn1rhbHLdWqlw^v(Vb1Uq#ZzL;~u|~FPG6puhkw(me+6hI?YqYE7ZeR z(bg%vg)YD&7IsD43Gc;453cJWWU-tj?MB2~B5Hb^``ju8Ti%ONC;k3^DjNDj{GrEqKwiw-+qbydmJZSgMI_J$n=ic9`xQ1n*+K94*GEm^*i)05;wiE=p&#ap-U05VI++%82gCY=O-(4e{JkOqHsd@ z6c>*Pu;yggV@6w#3(3kjZv=4aYIboyM1Q` zDz?hWs9Hcm6SkF;&fv}EtKs0{ZTmd3k}#*Q*8!e3G8U|~`yPm_G(2Eg6x=2L%y12mc|1Poo0{AF8ooExA5L%TwV%d~Lj zwN$Y!(-(InXu))`3YY8+`avzoSc#_G4V*{CkjL(GL1`#PQ0a2*=ek)tdTIXrvstTF z8;4Ti6&i(MIZnW%RnYGKykF<$9r($I0h&TDj7;REXQ1i(MmNBp=1Gs7dpOp!eBbaX zWJ4{O>+NItKEoq@H9Z1T(uDf>ULwrcBSWQw5|HHJMe)n%+-Zl36cQFd-Z)^f8X_PsU zpo9WrsS8+&#wh|Nrb6r^Dak^Gtxxf5(c$Ub!BY#dt5NYswKt(l7^Bj`&ha~AO_>5) zGkIU_;{=7!MI7JALm z96&y~h%|Ta(*1`a$dN&|k!Cg?Y37UvA}HdetHdl&w{7vduq$psKWqUOd1HfF^F4k} zoDvMaFUjEMB{8I#7&s9k=sVPpa(4Gi0q<96W=&w|Pp5tQ_IW!r< zA*+%+QVXqM48ty_3T|`|Maj)fp2!<3%Bf{@Uq<$6YWY#a0UX0m4KN%|VQ39wadGHl zXUIwqcg+9XRY>h)NA5#A@j)u1%x*5><4XBNr#xCExB|Es$rYPsaiYi0_-qlJaT2%J z8v%Z0LPT;~+`B-8c*Rb!&PCx|3wAECp<6!NT=^VOAl;?IFRR>wl=XLB-uX=AyW(`n z@y@;@O>&^#oj#ljx6q@ysE>oNSZF{~7 z;@3mAqSkj7K~m)u0fO;OCfihJYnzMHlf>EiA6wQDXkPynZ2b#fn$YMqog`bD|(b6x%E;*-d;-$HIA5ZF`SPO! zT^K?JF4^%!_xg$TTd0RK!XjlQG=>H!=Vb~g-vi}eA{z=HNg zN&Ubt7-}-(Q=7wBwpOya=uF5AZ1RUI-3oZQ?^FE=nzeH5%nKQB@1x7SSjV zN{yt3VX_Dtyk0_`(acnX*M8mkH{US8Kj5z!4xzfLl7Ft!*RrhpkjfK-F9(T&-6<;0C__s-J__)ZGMwEQ z>u9J}gR2g)99>OGt_ohj(}}5) zvFU`=NJixtlv4<$h17U{Jod^i_N>DHC(!j_K+MozEkXPe{$H=x()OQvt+v1A|C@L| zf3ED6+Mj%uk8vV04dW5NUC$UyX|E#Yb(Yt0&CU>#2rUz@D#^kGr%*Dx3!BWY0*UFU z!OXM4(LVbVP5ZME<6hc@%U6iAhBdL09txh2l?P z^A;eLz^kgcJJDVm(aceUEFN9766Zp0FqCQTp|Y(?9tzvvTGw5dMt~@UptP)h~Wl;s4B`W>w~2K>s_eRa5-Gc39u)e;aw0 z@qaqzt4W$EuO+RMRMDMb!Aa^}&hj<;M5;UYxLqiJ8itW3BU@83@i?{A11tJHzOh4< zG#GeRFbCxxc3~Nm6$iF*n*Ix2@E*mDBI5mNSIIK?ARL}!H%U+?@}!=Bl&+G1`AUKh zSqm@gF>6E)gl?4T`C5oFM(WP4pYHcGio)+PIhfJQCqJgKUu3RV}d#SJIpfa8lxO8iHFLu_NW0S2wExI`1*WD;&UNuRtm9ODjB?BcOU zJ${z1|Kv5JwVZ&L`Ty1q4pZy@pt@h*uK!Iu>iSO(^;hi#oa#z(o|CHhmAM0_uzy&e z;1wGCt{sCjboy4kgEco&!B_7hYz1SgaT+Z03-ZPW@??_5U&3GpKNN5#PR)RO@+eMT zzy?{T;-72P`qmY7>x%m5uBeYKBQE>cLk2-^8;({x9GJ zoaYT&2vW-Z_b#v=+r4&0%B|*OyD~Aij<(yU=(95aU&9G_ssC?1!~bgsTmHY1XC43F z6hpeJ6L1pT))P426FAqZbvJk5I}gBOpWqymT2aSf7OO60T3Fo?c!{xURd3*BNZpI~ zZvn&6-Ccn5Eu~vO;P2pBdH-L-32fQ^e^5`K|I`n+_dhrD6gvNT3@5PSR`WZb`1x3lpI5n@_3~mMNz%b<48!NZMI?LV1Co{s;pzh6Dt?*E&33hn>*Iofw z?>9i%Fs9b0A$FZ1I~N!d^f&zFp!)MsIoCaOG14g?(`L6b99+C@pX;N`syTmo8XQB+ zdgGQZ*>d)1sdakUAGCYJ&hg3tYniBHC^VwjUG`4zA@VKTu5MlunVy(i@kpuJYF%8O z4B`;M1}J?gJCJFV{On`g7UzlguNxZTm=cabsi?w-CH z$^4OAd>@Ek^v&W$Y+VY8aWn(?ud6IrrIOEz|?(15U~ZxenBp+^UU+^v&Z;Fj;- z9qdzfseXFFGatgUU|r|yLZ{Aad0pR$0j)%~t$+4Yc#6w^>qh@95dZV=Mf&`wTHD6| z+{m+7{<|;7?+5hCdZ5Uk;!uBqi+2&%sI+hQ)8kxA*MBhcyfx!~%4f;?f3aW9-2dD^ z+^+wPJnH)AL;Y2|e~K;?=QE%abkBC{!=MoKwJ6s55wd& zav?EKUlqmXW7VY#*O%8_2t%$_-k?_o#5iXSa}T|CSM@8_`zGJP+gLqY zKn}F6AiFO{?1at)8@W*O*oWmT5})-sOaj8w*`_jdyxU$CkJ}x$D+%bqXZ_ai{XzWR z3p%=|+~e2xdw+UXm9OV1Z2wu`{jY%kUpoI&?cl}s{_jSfb^QN?gsb|at?vBCfoy&M z@_qj@wyf1iopk(Lo7{{2{!-?%ySx1fRdIE%zZ`4T{W<;RVRlEKzXevLc)W{v-pKti z>-d*7iZ1p06I-qD{7Zu_?ERPL4)fStZ~Mrn@czHP``^<2|L8D%|F2f7ZvFo@@+>_6 zc?|cz|bN2q91cfJFs( z9pEWvXMD4H3+IAMEM!L+=0KktIBx*nmlzWki9i&!u6KDp=$z?-Q7lDLeo&zG z+pS(ZXAWu_zwEbr#pu39bcwasRXLVNAJSt>w4e`^unIfL1T~Pj=Y&gGjj`lGUlcS! z6uHN+3Hgpn4-z<`n8a|${eNm9@6P*w{V?tS`Qo6q-Tyc8X!QRATR-1z&MuDI4bbs~ z^L44;K7BnrZg)>F-k(L=cy^a$7ItNaWWT%2KSF90%z(Ir`>i5StQ?&uBTmE|{=S5Y z7-HvqD8mSet?cf**dq%o#}}=)v^(vSPJhsQuZuRsoFRH}j7S*Fmv44YGZ;|8C9_&A zpu+R}I|~K0JvO-i=Z^coaMf8X0xaAA>7Jk1|M#oa7u)@RBacR_Sm?*Kt_ffoJ`~cq~x+-8$8QKB%{>0Zs-2s;D{|ATrnfyQXZT_FlJSyLHkmnfL z@m3rH#K3RlHmEq*^l%7v;9oJ{3UOeKp?PiDH+1EfU2I!!c{lBSaBYS5B)&n~3b6MZ zzFu->sZzjpq2GvY_C;^GGfl<}Vc;7@!# zNZejk?|dfjwF1rER-n1xT4=}?U3jh4K_ps8p~ z^^fKEVe{C>k_)n6y-Tv-K`zP`AUSjW2(2L0EZ4*r^>)uWyoEtI2_}1A5-69PG&3_X zXCC1aCAi;IEFgWUXwd{-NoG`yUWv}+4|GiUZtvnI%p1Alx};~#Zll&6VP63y7z{)cbq`pJ*P#@R~Iz@m0w9( zOa6B(IK>`;1w+9sk^f&D9Hsq#4-U8fKbv`0lmDZE-;f3Xeq_=;zdG2p0_cUuC`gzw zggU^=NuC=ORP>1DDunc?To8tab-xdn`7kp=y0^yaVXx9Pm#Pn|#f?dWf7k#rtF-oA zN0M1na$ZAf-fU=@6oO)P!eELB3yhk@Z*edhNun6S!`}SQBD{VKfE-xG#pO&K02v4% zHw-{34gfH~KdQK6Pw+<%7(EqB%^V75UXxrBNTtWd;-VwMyqm$7FCdq9FAXALfGK^$ z9YTtL0UC|TK|zuyu?=7cgt#9D$Qy&51p`BJDX_Z>%GNBziGf+Zrj|CrjQzX~y;_=( zK+{+Aa*-(Bez7)_B6rbLhuPM(icEC@Bgqdfl-gq+mLF^^OKFO6M%^!96UWTipc*3E`sE_@~;Lmbq!>lON6oaj_!iQI=(vc02v3F17vtjOpEzVzJ>FS zv+R3cxp7G$H-GOBo2^#6-ygnhzaMsv8=7!`IZZLvvDS^w!Wt2Xu6TYVL*DlA2F{1b zQNsf+$2HyUrFg4H7e!!dMA4&M=bYsu%F$`c#)_2DjjV_x5fAW^(M>nI=@I6zm4PlW z%1g+w_DC;+dyk_%wxNT_O-i}?jbLwuqUlbbTwI)-wujAb_q5Y$4mua-!&a|-+&&+4 zny3B5g{cY*?L6tfVh50R4p}a#FyqO3D491fp`(m39=p&Gl?)M{)cliRubjS8qYW-5 zT4yHz=HIgbGJ4TT|KFFrw$j((>&|Jr0azz*qA0r+i`HT7m0G74m&g1<*^t#S>&bXQ`WqFlEov{~#v6u7_l*rhU&yPT4t$mGLxOo35 zHmNjr2(??A+QIbW8XwsT$}5Myg?F;@{f^jjoU}t%-UgLcH{fz!! zJ>1^^+{m*|{)ap!re-NvCnZD{02TLMh-Yb#HOG`(1$3=E=)C% z2C)mckvDr6b|xK5;O=AL-$pGzB*G6z`Gp<0TSA^yJTO*CjqzEVo2P&lzcg9TXXQS? z=XKKb+(B^_+fj?|M$wj{ZYP{GCS1K&*gPIvJpSgNwe-Iga{(>$|J*-H$N$|wINJJu zZsb|b|MM{t0EYbzwwdg7U{6b^dN39ugH z>cP4xvet4tUn^&px?|mmYELhh*4Ox~CI53qU04HHBLCO+tJ(9P{q6bBMxNE=e?IUD z4PZ^T$YoA;i@hdtvoffrW;{KLj(v97V8 zZLO-X_hAnFEl0oKXFdL}s2v4%fo1le+KY7l$HV%;*8a1RXGQ+6 z3_RZj1nX6-zzOD@RASRI^XJc%JutBd2r;;Z0DiLU(4B*DVugU&E4i*P8hu5UMyR?X56I9+^hxqRz+G@+v?O9L$vA-{9 z-%OEa$v7}cVx=+A*0=-x0f3$z%>5AR2}IkAN~jQ6SekM&l=?!+=4PsjOY)bHVlrTg zNlOU(!azd*x*M!;65!c*;?G3Xf%x|lxT{QI=3>d%!;*;{6>3H zEZ5OEYR(j;)S>PMaEfNr;c2g5zS~^0Eqj8z@fmiOp`nyagbBwUEH4?%7>ItMq~EST zZQ_=s1R%rvm13iyu)!>!Lf?8Mov-uJ%l|7n_%3;t$p7^h2dVrowZo(R!>#=TSuxU|{#mmBS6^h}|5f*EFSh&t zCLYG?E#L3b;g(Up7~6+_3;XkUiT*gG?+FaE<)f>%J7XAy4+CXcEWTHs4cMvZ-^jCF z|6keq=Pvm7v-p>dp6!}G2BI&fVNT&CrC~x?TXWZTc0T`gmx#+un_Xy*n{Oc z3*qPTi6nXRj0M^O`_983efLih{(n~`a5?|4rtQDg?fu`)JX`+%E%Se&EN(gf_Q`pQ z@c+9S0haOq+I~IF|Bvd`E&t!dv*rI!hyUL%?~e@ydF(&BL|qitnT%w&-BG@kN6-I1 zg@MKYHR4IIwg#}w{=0uzOY{GOZT#2GJP(|~kuik8^2RWkC8-x>^@{kAHqd+My8-kZ z7!=F!tVDPJF%{kYu?hV|p9Sk*yf;{m9b(wibveLN{r@n1|Fe3uwf}DBdEoU=!QV!i zAfiAl!o?AKW8^{kv%}_@WC$W!2=+#3d}jISEC0!Bqz0($0cSRy&ZA_d;LjOhK^|R1 zLLi#pnH@>~+%SgY34{C|JHx;_8j$n&WDpT$8_t^i0rsOY*YZUu!oI`N_X)$nt5$;Dhfi>#E` z)YMM2qo!Qi>3;A#BU{D&`+bV?|3C4yF@~NEgOC^w@|=5&|9fzhw*T(e54Ze(BhRDq ze>tI)Er6YY>9+xu?O)TKqY{Pw`VC*Nw+$qw^nLFK^4c6-P7RPb{`2!rpWCi_B~rLWc!Mc!14`ZY+ryW)g51 zx_xM4&mqlG2!q$iLu3MF1Q`9t<^lQt$!K2YBnj#U&LVXhjB0yfKfhJiTA0Ktb z=)+xxUVIOJ0tDyfmojjdDdlsNjdKYRF zu}k!P?DUhx_4(k%#b6flh`*6p-E=6aDyhyk$i9kek{TWsSqE9Ua)d1VnMnhgXtFzV z-L6<)F$WV3`q4)C8kx4mvYXxJXmNA%MDu4aM zCiH9MLSml45R^ys&x*~2;aLC~!3;(_lT6AA-D_198R*@rjc}@;H_zJrZnM>nzKD#y z3j(^PVf5Ok?Pk9K1YPCU>tVCo8NRvb53~S^OSn<05MzQ#n8M@wwtcR&r(LRo zQ!@r>g!l$}hR8ZQ4-k#Fv|oe;Y)NN-!p%cZRyEod!(R2mHB+Q0B#TgaUS@Y_|7R+0bL zH2^J<{|~eN-}?tg+xRaVdAjk{--GL%h>|%UC`gGn9cej8TeMr zj(`25NN&_in$k0R^KP?h}KEMxL+q{AayXk_GMIMe>qCZKQ{9`Df{n+oj=5keqbwbw2GEmc0tmL`&?(~-I{jq*|Zx^0`PTtaU>Cc zWdDsMGFy}K0?!S(jmk*jt2%8oPuk~$;d%2+?{iVyu*vMmhL_CgtG3j;JRfw<+V|0x z{IH<4O*(>XzzZZXTzc;qtzAEnLq|9A{dTL@E;s?S$xM?#k2~kbi($qTGAP5u=z!-7Bjq zT{)xhmGd>ea-)dG$9;Q77ILApS+n!kMVciB@4Z}$xBSFS+lkkYVW$4dsJx|ta7qLJTH#dBi5iBj4iYDoy| zhk46^bEg1rIWX@S+D!{JH>jH^ofpYDH2`i*){%{rzqH*Nr^e_5XFO|2UfK{jvb<`p4k}1{L@z zgn?(dhHwdcsQAy-dMz9Ouey!@w~^=bXYivO_;Zo+TW9(+)3ae6TVOoHlWm$TKk{Rf z;=6nntbZRnBH;5K1%RdNzj~P7{|~nM|7M=T>pz|i+m-(fJqy-nqs|Ej$>da;%NH}Wv$mydT*^*>oUNBif6 zv1Nb02n94Y^~_xsZxiC%tg$K;r-U=vuh{_n~BUm*W;TK+#e zsBhQ*MxO2Z|613-I1yNTc(?SR55n} z3q3ybY;d$MqLBAzqY?T9%0@Xgi%Sg07Q0srtmxtfU3PQu*UWO!2tfx}zR$2XOTR-7 zo0Sh~3$!N$TtnNM5eNvLLhyEW4FeB`knlc_5Of^^tN;QRO;HFP5MmHc5CJ>ab4HKj z^FA$$yfM4wvul<*BM@*mAr3@bkRhCO{2dCxN94NT8iE<2coJYSAgg}_9(V)?#{Y~~ggMVHB95;^lP!-a@~ zr^|6l7hM;(9t>xJmrN=Hc5K%o1ljWSE_dYj19VF#VgSd8guxv60UV)E`TbF|;hZbO zFQY+4fYe#>Ba+4GW(IcXPk!0zMZ6LR_8og`t!Hq1qi z_#V-K)}&+4D!mTyv{3>gOu}0@7tW81d=52;@apO7P&aU{UbnG)#EYv$UxsO4K@2QK zn}RJ4?jL!6@Zt@;WcNFB*x!QTg7SPHh2nKdrhYeGJ>P{1tpT3^Gyxp3VX`;oO7GD$wClgk; z=R0+5ihBIkTKLaFtSQEHXoy$gTx@C5p$DsylTj;~^L%*ixWuT`8Jg8cb3il}lQi1W zvo>|a8lx!Y3pZb|#3UFHRO_B_72Uu1E z91iAps-snEtrl$M>4e!1ZK|R-GbSMQGh{2UZzg!TLSr=B{Zh~)gEAugQKGH|RHvI7 zj)jd!|Am5DE~v+AjmOx@y@?)I+5-(be&ZSmEJF}_YqCGn=>oFv0CgG$C13t+-+*i{ z4E;H9B`5pV)kC6=+-x{)lluby=GUqhmsLX=UYlF|Vs!Kl_32+hQzrLB&ZX&naofZFB!{BG=nTnT6(^AL zTw~ctsLM%h_zXH!BC7O>Ru$$;P1D`o^P!$JI&QP9G~08l+uf`Co5t|<)!IC4pIdyd zU+H!LCUyx{f#RG`+soiV!yo?LZY~)!0F~Vx!1i2I5;BoIDc$T0A&pA}FZt`8xf^^t z$Q@35y-g_U#=y)*;;5U+TplNVJEmbyFbxBm)pRgs1g)Z+snG9tE`})tRj+$dacTxS zqVbz%?S?tj>R}s`kuvbY$&C6w{l}}H2%f=IsBPc}rk?P$!Q^Sk<(J|_K8SB|>m>$r zoh})OK_N&wDNTx=yD9T~^jg z)qo*c!-PD2wEhR7Cg+`Ncm+mz`HgOgVbySHjN`-Tl}$H?*Yieaug?mo3#4(eHg8X_ zceHx7JIw%F!1SUZ`v@uKy3oVXI8n|BdGzDO_ifRpzo@JlSmRml|KlD^8f(xHw8(b# zd#n-TH@6p~U*dxb7W^>U?aMd$uW}Ya>KF(!OHcNa#JuMCFY?$SuZ%uEOPs$s$I2Y% zF4g`w+Az9aqzd;dy8H>ut@Ia42Vd_l7uTsl_~Wd^&a-p<{P+Mjw6nP3+({4>V?~!` zjUnN*!#*j3y*R`7*g$`@c+!n}QkI>&xG>f)7zuCC%-c)ubpb8mRQYsr2Q(;GP@iZ# zEHSE9&XTy~xt62I-cP6$#T$}=yQ;*-Wl~>OVs**|;S(2dPx`oCI_z%C0H%yP%V4dq zZs4xWi<2=xV%0>8^FPdT;QKdcQ;Ukexj#c@8H`agj*60rWBIWiNQ;p`i!vfim|2hG zV+%^E|Gc#nGc6aa$^Lm;^^eLo&CUNT7dJ=TXViVu_r-dD-y085^jg<7iNliA;-Ajv z$aO8S#MuR4cU>@~p?O>|toeEH%2A*lnoLJDU(TG0 zw&u6iY|)1KL9GO}GBLtFtLpzCL9Sr6>P9C#JX)!B1@2}Q-ayPb8!FP3!`X4c>#Ps> ztD;EWxorAAwh0%%>Lpp-{u7h2M6Ii2)jwgH+}a+S1W5*n==zidDKXOHn^XGGJykwL zd0IpMJgdo!LVmWjOW%0#0ZA>S5P46_`bJ{(hZ=~a-V7+sJJjt@CckBTy%A$rATq5? z=>Mer9#nwB=@gvcgYq(hg&^MLU5}HB&}ooJP0|G^iq~bCFY}W=S<}fNu$B%q!-?h$ zJJ$8M?gAE1lQE=DefXYFgi;XFTEFt@Jc5OitPFg1kFsD5n@RB(&P||`g>4a zib9k6;@XLx6g4v$Nq%>#4)h4B@a-Xtp^@$pZ~%KUL$D`v@^}7ZpzS*geVSeMR{QZ?e}@b%frB3-!tz?}Vok4g^X}dIvfnGf;_kh- zWgR^aG7jLSSZ8+7i+A-?sZr#Ky|AHNyfUQI1J(QV_Fp#1vQxY42dAd3r}*MY5_){M zO#MllU*+}0{Hg}F{#d2~VDBMquGs|$RpaV>RtP%AWtQ_um4L_Id0zsr-xliubm2Ju zo4aze87ek_UVcT^tsa2MtoUE;QQ-qx+%z};i|z-vqTf8+5BC{xU>Mqp*lBVysTtB5 zG8{;-v)O;?=*uXfwU)g3dJb0J+qAShO?4c1?~PRbl6>=`&v1u{Y(snJ6CKrA5T{Vo zFY~b{fOmDH-jact_I!DFUJ+=PLjc(%B{pX^b)g zSaCg?uUm;DR3B42~GIk=rptLd#99K-VjPNMtkl~{B>}q zi5U)l1$xCqy=<^y|Cs-h7j^Bw8#9zh( z2x~7M7{c{oF+A6TnEiaD{Pn8Gr?akyFTnwEsV)5es_^|;vWKt80sdBkwVskH#Elbn z@8{aI`{Wmf?K;zVtgYv2{=co4xHK=n*OADgfR6%CZoYngYmbdtbbL%i6}0~Cg)U$Z zD-pL5?^Xw9t%waSe1&SEPpVoE>2rLOJr~Ojc@N?~<_;dsuGySyNCi4$JF8@I&b-dd z_nTWQn3fO7+Ub%S$fHv9GQ1)sV3aZcUT3S%f>`RmJEU)FgYeI$oAq%s5-ox@7C3MRJKj7%pBnhu~A1PZ@{p`6dl%TK_J>^aFpLEFk@!Lc}P&$~0-v9sr_;?-d#Jx|006)f;Byxs@U**7R}jyO8>EAr z^gdRToe#Dt4ED;(5{R(2IrzgxZx-jA6fH+C`e+mX9bmUsrC|Y>59QI^m3gbte8GSL z$odeG5U9v@($ED3g^xP=I$9DYUoq}EIXJVCIkOwpsiI5pl6vwQSIvWTD73ww;mEkO zDqUP%%}nAAG1Dp_fX2Z5!BS%BCGuD3pNPTye}?QI4!SyE+(|GIGeYD2)V9g8oVy4O z@wUp5lWMO(6r7fo&26ih@0?KdjJB6oz|z)&`F$n~sDS%ueq>G&B~fFbJvPLMOz7?sC%=kmUX~X=voxADJfa4WxCJg*&iFX3 zfu#C>JLy`4Z7=|nJ!C8|gbLERL*hPB5Q>FKuX~Vd%;xnJm_16- zA7l2+O=CDbYp2HfKg=&7f*kyA=?WP|^L-bhMok&(V_S-z>EmtUR0Ht6wU5dWiS z59v*y_kThr@^Q1)|1mNZQK`p}r^iGjZ{#GGWp*Kv2O1G+F&&(PV+k;c3+|WnF?lfH zlMaAlP3$5=#o?=QHwHOI-jM0m3;C;ns5m_&)$Kt+Dn7$_9_GY?dm0I9k=~Dpycd#) z5<$#DQ3`vo|H0;6_dJSqZ+A;TYX6sQ5g@Zxx?mUtm7(o_KqUQ6Ah;rNGI1#=5YUP) z42k3c3p$C8R+KHABTtxPgfap5LHOJ8(0CGfejPSLv&|(tkl;8o4gUa$+q`n=N9rPH zwNeXK!BWmC}hh<{MCp@|0 zrjyE)?_~cqC?ahhmJl_{?USZ?q#2!%M*!Kebm)Ctkr^BQf+kDu!-d_7O#Z!n)t(?Y zVdfXV$oenj=qJc4yk@-c0D)io+t(Gm0+Z2L;o>AB-wXu;!1uy*M+cTT*`>hS&*gLX zP=dOKBOydI17R8Xza_b%nMnK4@uz586aIL-j?+pTgV-m6e=BNEhvPRDeU?nRIn=TK z2l=B;0;h36YUX$%)d$O3Rte3}Sl72ksoPcc&Fz$$mJUed9Opl!8lfh_G|Thg(BML4 zo1n>?ug3UxR5Zf6SyJv(+MIXZa*3=6A#5}E5t>xsR?#6%dn8O?g@rv2G87*Z_MmSh zKlSVM+{`@SAZ5y|iCt5>mAuwccTaZu{Mfq`2NsOMXi!fn8y#cb;O0xm+Cezi8h9-* zGc-0rcr;WyH#fawLCd=Rn?b@4u5^ey#2H{t@mM$S1A?Jc8nE08I^)Yo=jqlqCrO4Z z=@n-DjF@BpH0NZ`)^>MG@)gcKve=hKY}B{C5X|GkAS@bcZqq3Z+WJ;5$FzYa;FCX-77-DnZWVU@CgQ=qaOGyVG(2M z|2w|#=A-s(k`o^5E`t*~(1rF(Q%0-{5L5OB34Q|w^~8gIhO-RoWzkRc%{A{tYoqR2 z7W~KAzU#1;L$-IJ=_s$a?WP2*;b|)XDlXC;bd*J8dYMx^ijHQe|7VV}R+>)BtnT99*@y5W>Et4zTHf5I3piNZ=joe=3L}|yY zc+E+JveeaOATMlS{D@oEpY?5{+6wH_p0Ev|Rk)7w1Mfm_k>P>S-OO-Ba$_ak-I*z2u9^+vN^O&+@ zQVJF$5ixqw*r%!XuO04tXO4I0+iT>wudg*F!j3PTWL`koq?q*23W&P@4WMTiK~`4F z%2Q(uQ>H$22B`^2AKbRJ{Kp}_U=gG>ke>zriLH53tVE-C{0eLU%+k-gx^Hev2%#eS zy6zSMEI?ABX=J&c90fY;uZtzzA+Om)0^(9hhRDb>&AK0lvw*-wyMF>xT9 zYtQp!U2DHoC4L3InK$t@2SePMzXRld>k(#rLEV=5OM#Y657R%UwaF=Yx~>8Qv*psO zc>H~!h1B)1Y*)Lc(|7iM94!334%9~W(cqCO9=qk<@V<^a<5Pw}))?{(r_u9xT~Q?y zGhzA!W3FwgH*)V}eHI3IxEv9A-7LqOo5Wifh93AgzM6jS{9i^H{WeSaP%$6Es3Iz*@w?j}$k8Lo$=sCS5m_#{^X3%aVEe4+Bs1hnq zbFjKds|HaqhyAWY)s)`k0ko!%3u|Y@z_J<*sW18SHU-}b%S@>JpJLspY1#VaW3cV& zWpIZ1&|$q2Ctu>`UfdWb%ETDBxx25LWIHVrqVz6JaVCFV%1hqpPAj9a$biFfXYTRu zuKm*nD0pU2w|wk}G~aA__W`PJwagOjyM%i=CJ~7D+-PKJC+h341I`GA3>R`XLf9J_Zc=2R+pvt4rFUHK z6$#@F5A8w`Q%zvCz_Z>Ji3P!x=J{8Rrsa;myo5jcs9tu6>BCXPy?ujCr*!nRL6ybcw zax{w2yHJ^O+)xoZ8WoX~AfgAd0OZua$&Fqs5w&Ghkt`lDS95HCNrQ+LW*1lNd@EJ8 zhXx@Juo=ur%1hy-f3aiE`;_&L8{0hW@NM1EfV{*q;cu3^DsQ2id{11 z6Z74E5bLug z0|SBmWNzWLfx{2TSi+n!0bdGL-^*OA5J?FYp3O*v*)*kDfv=o``UM6iBD{7C2ZwCf z!0)sPX7_3CCO2*f;+8@>c_BT+3kku{DKs#oM`)taDA$sl(xyCut1K<)-)(c|h?#N?* zg7RziX8>6$Fs;QhS-vnbc>hpOCGNl1zd{jx@5y&#OhZpL`MrswCi3TB7NgaZjmhTP zi9u4CUzwpXun1n2)Z-OPiy*RTXgZKv|3jnvV7d)vvJpa-A~%I6z_C;n{(2v0iK z^tB&MFw`;q+PBuUTu>&aSmWiMf=`nk+?R%K3GhB6vJC&dk;+1k?4NU-g!@Vjg0!D=R zwNm}JK%eR@7RiZc067QZDJIGJqEW`WXR$_{EL8i>Z7PXAX1WBj*t_EpN_ z_T+xq@xN6T2Fsz8i60A0Srd2lR;oZyFAHJT*~%XuESqCSQf+Gzq7>=K^i@aWZ4!dU zkWz1qDkC&T@;7wYFIX@M&q{h{C_=Cxm6;D!~%ogo6@oQ(8lWh5K2&$#dBf z(MRa;590}h5Nx5~s2)kM6vy0ZN_2ii-T5@c4k7J?slnox?0#6wW@L`$t&be{pg#2O z*t{UEW(oyb9T!mi@nV}@{k(j!zl+d}FQo%K@|Zsxo9KWa`RAg`TMz`?h$B$&k&cuC zmD4m%maq{XmrPDzcwzei-v$84yV`&My;Bmx;mI2!xohKlLc}0cuq3W2vXJsUfM*xn zk!97qNC%o0Ui95xj?YbMg(v-@9tb#jYw#H*-eQe23K%iLs)m08IB9Q zOF@h4xZH!f?YtuG3BCyw=xB`n9)c+#C1P+Tjwx^+<+Cu4j#-mFiu^mp%JSyF?%jFS z`rFK?zU~bT>d@KtUq;H&-`wVoTwk=z-_0g61XA)h-#Ia&$q7StQL3mZ_-$8OySP(d zHJL3Z%qN~Ruv4@?u%U!OXw>6BH2234W+XgFD2O7JDmsjs8`sdybf%i+J=w@`}QfJDHj&S%t$$1MxmFLzmTvG05`-i^i{F-Tb_gOxbUlW z=1_ZM^ye^6?M^JKucD1Y+<*&9Fn`7>VPUuGdbhTc%Uy)Kz!xWM&kG~Lc!}!nklend z$OxahYTRYvpH!;3%#MLP8KGU0{Eas)TN$oQLM6(<3@EI0s6GMC#v6FST6Tpxjx?tK z)0F+kQ7GZI)xx!(&bAmT{Ihm!yvL&`y{X?=(79*rnMMYbEyM|UZq-qFx zB(+jb;ReP*tBUl5T?*+NPr{9$()q}39eOh18AO!<6sBp8K3y&NyBOKL@A+u6f|h}22xCa zF9vg;EQ?YCeR`pOJ6-w`F7vkJx+Z~893cu_+^dJM5|nScilVtITdgjCwnS6Ho>zO! z+9WeKqbf)->mkD*Y#oYrH?yOD&*~8v6+XxMu0SLkX&zt99U{bL31J?4W~4PYibfo> zKbL-S>}O4b5Jz|$MXTJ`I@>Blc$<{OPN#`Ty=Ogvr|3+~&cbioHjg4tyK`}>Yz)4- zMUJ5#f5Bqt#A;uO*gCT#Pi2RorI`MnN7r+xiz6%Tv&=pxJ6>|3y@$r2bi9pt5g2Xe zDnE)jo_~&hQ6T&Y7bMHD&Tw;yc3WtRRUM>CZ?{$Wk=y%*!h{Cf6bi8^)QEdKn!D=c z77NW0EzfX{t@gQ8RrEC=}#>Orpif;>@o%~?ZXX1r~jS%DeNZJ_VMwO~x z{2X_REuVK?Yj-+lpv8) z9ED!S{GDjzaO)CZ3tu(2il(MMWop09p?M;+D^5lB&Qikqu1{DFqSH{1ZNqW^Z7 z#nlf6Ze;j6!6k}u(+9>qi-6p;adM})LtYwthOu0w!l*ew9GJX3X(m@3w9Q1GKhBxX zjG!3-?xBAK&af_SL6~KVZbI$1Ux#DnM3-&ItQRJY-+iQ>CQnAXiI#DLk#l`?e#?70 z!Q@0gz-5PtWwCm$W9P`iW&OEOU7T)sVVXj}f|}D|?>MxMqG&k49BzdqVwG1o3h;x@ zC?k7GMk_p8>_B2(5CxYw+W;An4$?5zEF_i0-x|E*KI);UBxE3cDmDd+k?G@6;bwoP zl;!-sWExDyLe;Y2aakd!afL9wKWdSrv1%8TzuBd8nhvHRrxrr1tFp8RBZY));2R-N zJ^W*zg``Y_Qd<^?ogZa|T*HDhLvpk6(9P@?K4Bv{=R0vs1$Q{VRlY#G8d-@W4$gK< zU zq0|-BS)TRW&xP&c+<-1d!J)~cfnE(?Gl|!U>7vEwaiVYyD;oLZfl`O%w+zgI+)UtrGGiIb zR7HBR%GDK=_Ci2I7Q)n}R#WV@=1j4c`@yN@f-RVd4J)d+eJQib6p+QIjjHRjxZwIe z%op#H{8Hdv3Q9OsMD;gBx2a)(b*7^hu@?1WjT`3|j~&gGmY(N!#-#m`+sqa9>>?8J z2*NF=+LT0sM;m>x;5`p5Q0&5Y>@)94_}*_*$Oc0NtTmOo^^nPXG9pTUgDHar>SG(- z(&XlJ=QEqm;sRf>dCPPg*KxjP#Wr{$fqF&gT%wdYGXnwYh8un%<8*ME1)vk_c+XSb zcliFs6($&3ZtaNgJe`$h4OsnW?pH)7IC8QCAL(&PnVY}Qqr~-7#$aoqA_KD=$3H|i26;QVX3XAaIRL*H{s+(1KHSDn*C$hu2sQ z?2J%eygcW)Nxe_z7lSL4rXFJ9lfw}&!}$MD_4eL@tiq1q2+x;ZIlhSwNheCs#G}#w z;cArsWRjoJLaS-Et@$b4%S9G{g`b)HCXb+1QI&yybsA&0BG+L>mraCRpZZ`Bp(R*A zb^Ggt-UMy2qAN&nM#>c@olrp36to@!yp5U`KoK4?hrO$19YV<6Bt2I1kG>c;IYi|$ zOl1>RmNMr=Y*&GjET9(lLv0H@dp88;RYa!cwY-q#7jm3BeD^hIyAC44t-^m zqiQB#AOk2!|1P3Wff;(GIBZyx#d~P#tTB;bsF0{J29o3& z0b{opl4%cEt4N5fnb7HeGc`TTjkS#?)Pau1tVi2Gdc|Ql8+s`!x0C&J5&TN)ew>)E zL2(0ucTxM@NbuyrX+iJW55xF6!~bT*=-91#Mh|*nSIK6{1xSX!L(7|9)8x!Vnr9_( zwK(_~6+Om1Vc*#GC{U!aA7N(A$D*-qS)ma|cFd{%M6u$U3j)Pe-gEXRVrD~=>*Sl@ z{gqZsAX^WBa|VP{;z^cQ%)>nbOJo8qPkr*0*CdktQOt6~Tlj4NWj?7d>$YK`cj4l= z#AVmK5$vwM>ZR8}O*$PvIo#^$l;s1ABx!siTmN$&2V-uz)~DAi2}$Pt@HR2|a~BO8 zzx25a7f14RoVLTRwqEtN0<@*!lAeaB&0RoNoLqg3>B70h>w z7qYEp4}UDry$u1@8g+fNuN`H?F2~^Z_)38aB9>7mn=K|hiO)-mjK-;G%=I(Msc06Y zcMZRk*IDDcNotE>^#Ej`giy`%q4MaWzL@`5qj(~JBe8aG-Pt*0eS}I1u5xyO5v6b} zRB^an%APTr!1*_IBM1&*ev5yr5QK$5RwYrmv0J@GIGdWKPe+TRj0>3 zgmML{IBXwpCPbmM>{lCx?xlviEMmyCf(ccm7u^d_P&k{XRET8#4I2NJM$OSSpsD7! zhCn}kbUkH$p9CHkck7Z7djx;W*;&3u^T)VxBR%^%@6yj(haZ&-E{qA;V3Yccfd3d;;3!(-9 z@?(riS5_z$rE8rN^RDOl7M>+$tY)1k!S=e2ECc4Fl1 zty9jHi23)m$(CM3^diDgcsJ@oTso{|1{QB0|YtAH)Xw_z17Z)X<_1Wru;4H9YYNE!~)d> z9mT|BNRq4YKO+)X%1FH}v=0>XfLQ%&Y2scUw-~>7Xsz6~Gqw%oek>_g`avXY9@F$` zZS$Mu`ITIl6CqSES#Y9}%0{-NjNwahi3+pmr?u!J*UZnATvHyzEX}1-%iBC`oY0gC zb~|>0BkzS@GqzR)za$A8Yc#M>dPTqvr&jdRei8hteo&|TS;XzUGqxaE{5AtSiD^+G z6JZ7yQ@qQ|c6R&2hpV48WOPQl+c|JHaPEo{sL7d+Qv;k#S9Q|UZa{riM7*mzs25@a znX39Qhr$f-7(;}=twxd`zP+BB5@0or<7&?y#udYY7}|fqa}%PX5~ky1iBUq6C$1ed ziW)+Uh9W4M7`qKFx={oVKSHn_wyi`p>H+hTsgxb8W^=TUYa$DP? zZLkBIe)D<7Tb+JwVqbkmIDo!q$EZ^&X$|#D z7FKMNCSp%EOCV_^4wxfIo)N&`5QLo(MDV=TupcN>c1WbFdbdl6%xGVS!iMr?W3y^= zY~FI07l&Pt@I;yl)9P&^OL3U(bXAUYK)qJ4y7ITb|H(7OT)FVFHjpfN)Z=R%_0p@$ zQga5BGK5d^NIl`kkjh3>u0g<_M0H!JUc~n0<84f0c-9jGh&m+5!d9(cEGsTh$anHq z$8GqbrF7@sE4D=*StHC-PQW=MO!+9mgLBvKj$$JH-W;vKiSeq6x7r6hM%E~uKaNAV zYv2mysC#?YPTS96I*Oy5FJ+E1h1DUGIohgD9s7eyg~v*C%9~^{o5N2dtZU&yVhn77 z(e~$PVquJ3(0pJ_U95OA@%!pz&XM%E#*t5>Q2shDTwvxG@cb>7DJc;tDF(OU*JpE6gXh ztV;6&rZ}R5VN|&+4rlHd^79Zm61$_QRG-mdAfJ1HLM6}|dMVS-0Zu@`OC<&mMR|JP9<)cWJ9E`DC_&lrSL&-WqpI19 zx(F@T-sqCB*mvaZ;9%4q*{{LOSGO$B(oIJ~*ssM361Bau@`O=@BJuNVm_ z;>@yYvqZWcPbLD|G*h4&B>C6FGP8s6Wm@BsKxtxdC%~wuurx$;Y+M&yOe|uL7^h5} zK&s*jHz@0zMqWtuY&Tv+c8;H?Av;e~V*-Ky9G#%1>lPjMmSYQ0l(1PH>)7G!Rp8kC@u6D$;rLjciySwqL?3!%JPb z78#~oAJ4>{!#R7v%Mhj@;)1QKQv^00JqA^P7cMHtJPh_{=Y|_{ob;l`h7H&EBH}RH z#GYfm$zpcypJ!eCjwZ_&Ue|aiVIOs2M_;9SW+LX~HDt?hL%8G*g54w(lt`I3 zmnIo3<?S3ZDlk332ghauUL+y(q6XUPIB zt=1LxrN7qDn)!N-K9jIwDw?)l4qcVK$(~N4c$htaZo`a;JufDLO{Yu&l%Z zgVVJZV0#GF@=h)Pim>NU_7**ieZmLtv*t0V8rEPwtnA~MH&MRo-TIRV(w50jCd8Wv z%^3J%IZR{qjuk82{NAlv`T3nEA5Ig{8+oq^WNlI_)#qK)LAJqHifm_>Yi=&lU{P1M zdf8Vw zNlU~EOiXS>phzoP&lCU?LheK#iImix_F(0l76poz3?w zc?#eAC~7hPE2XJRo$cj*#%bPQ&kUPvY5pQUh0I5x{m}QRTZ>H;iSjG3^}r`1I{(`Y;IeZ(QD@XOV z&rINWzA^pycMSCtX9u*wxiKXiUi>u{cAZ5SzImmzL?y6A+!*fg*f6tOW68H>e>8`; zbh}K9A+(H+3!0iv)&e{;PY^H1hy)K~+JbN3@bAQkhfWlIHIp2qU(shZ9scMW5?js5 zSjvY&7VV(v+*mey&E88^J#8JJ)!QDRp6;RBE{<+~PAq3^yISS3LUusJ(d`O>!YfVf zH~B)gEZu+F#IKn6qnV7jzfC0bjA{S*-1OCCeuz(Rd7Jf=JpLi5fqQ%WO+6`pDRUVu zP>0Vs5A4Dh&f#P~);S~9P-y)3*RXh5``AbEsw??RSWorC>ayG}MM$Z|>b_Fp;jCT^ z|G5}fOVbtq`Ismo;yZ(X^!9^aalJL>wTjwbPqkX};R3_!55!LHeIu0O z)<;Gu=k+Bp=F$KLlDIN`AXZqOdX3p)cYKhmywu+>YbhX; zWH>emPVwjw&Vsfin5V%;T}IGggfvHNJ#H*l-yh8AYnFsaVC9BEA)J=c=5#M$?+z?_ zBE#{xW&4*RdB!QMMzmy?O^DS{dLY^<0Y+)qDHNz4ndx!gj||wR!tMX|fsti?b?@GLcn9KiHvCQG zRwTR4iBnOQ3RGyX87y~2mQ;_PAy;EqAluop%1xBUZJL_~?o|bot^sGPQVy5KDfm5v zYVP?~zp63nq)i#59v3vQ2J|6g2HLKux?j@=GVT+$v?a(@qk#Nx1*i!szzl;*8QyHp zi@-WhKujah(dL;&ZydT@B|GmG(~GJ22yYscQ|6LtML>9o~zeNfrYD1 zEGiOyDR_{(i?MIL{FzV`Xd%g12)0Ma?t!3wn9M=xt z?r#x#J5x`ZehwwG5UY>l9xd;N2AYm73cYE^vF`KlYLY=0dX=_TNHs#YQ02uSUXU0p z>}AJo;aSfj40&S0u_prba~tvLPl6Ngz?k#^EbN6N)7O2Em}0N#n&qi92`=%Ap z_X}&qAzVm^nsVS--s1PXb_aEM3owi~b9YBY?>DF0)+fa3Y}nyv3;lqLHT=b=Lms$B zf!gyNn;4{JT=BaghV~F4_w6hqD(r)b?}?wXG@T}7r?Z7P0Xps+5^X>Tq;Qwh4=!bm z09KMI%hy-Ke-qbb#!DtEJ_310vfKPR)8%n=`pMkkaxAktYqzPa_PfAy!HSXm$D;6T zJa|XkE>vr+{H46R{L@SWyS|k?$m|pK1C}I79G7iW#cG!y^}cFc&2yVK(1x-fmdW6B zou|qpXWVzW`FN}zYXg`0?OPr;r@N}>5HHl4S{+s%>&zJ{yJ;HJZ_)N@_9$Zhi2Hds zleAA-9TL_qJ}e3y9+f;axq^*O?!`W}F1A2e=-JF&=vZ_M-E>K5b?XZhoXWLM&*ol# zv{B~fL%KjdwE9+iZ&-7@*UIbE{n*DeHnkpK>*FB0`Ez+UB19H01S+07)O$ZB3+Bro zwr7u zTb0bld5I+gequn6L0umVdZS&_VgW&R?aj0dy6pB7VQTlhW$RSEm{HD-)-RV=y-#eO zh#@y#N|H?{8H!ru zg?|UCPKFA!{;0py~e9!oz|MxJ>M zB+1}F7?khc2dSvqF=W7#H|$@jBh6#JKFcEbS6y#@+TLLZe`=@IY7-S0x?9xYm@~m5 z{ciHGKD)GcRi(%BwM}-!#yn6V)%~NtQU;XbDaqe>U3bg^;mGo`(t+u=z>^#dXEQJITwYZ zK!(@xlj0KV%64{K6|7C7jmeo(IY(;fd(bN&7)R}*1t6Zg)qdmKSAqFw(|X{n)DD#H2BfX&oW(-zUhO~WERpJFprS@)$GrB zPK*vF^(LG{%7fAGc7(X2fp1uWc>p5vF2+%>65T_!{@$Et1pN}gYAr9X+!LDD3CABDR6 zR0_iBa2U0U{cS&kXfv|ghOx&tYQJ`L90OtrQb0^nOQDVHXdusUGoDhnw1mU}jno_M zFoM!9CHQGfqffn2In~ZCs%l`K*JD_U7xSKC26W}|`OdPAwKJs`b3dp40}bAmchCfn zlQZg}v{S5URdIXUf7xZAYDy06EXF8hh{WX=$xfq zP5wx(e$d8TKED-!D%?xHt;&EeI0Ys+lZEtNvhI_hou$1yhPTb>DGKiM*1T^SiCP;2 za#NHKBkiY6AESGaAg0hmYYC+s%zA&MlJXXx%T1$Ln&$h5+L=`oIv_ZuxYFQ;W|$Ia3dQgPThy7Y=z)?Hf<(m zPXBRb=;iJSvKyb18Fwq|UC^CXhOg`@Lc5dNT!QX2W()7y^~1ltl1&*j)@w#kD;xJP z=~N?X@Q($zKaL5|um|CBS2CJKFzyz6M1?c;EJNubUpAaWxawghkc#-~VJKI!>90u{ z>>kElqiyZTQkHeG`QE`05!1mhD~!P_iT7Fb$0x<2e|$k4DnaroM5bXoO_^wgX*Fen zC{0Ig7@nQ&ynB5Az3KaW2n-O3KsXy4W)F!^r#V}8|C72wZef0pZB5%p#Yl&Qly~8Y z{%!s{;MsNAeC%9_y?{;xV`JInpLDOlRb{}RTl$b9>abCYI%0EQXyB(B^VM_Ohxb$R zqN#$Om;{W`+^aaFQPLZlMUK3yWB z_;qS(!^PRbiQ9(=(^v3Qs_Jn7MDkyAvLpX3Ues4cWq*Cdf5CS*WG`RPf(U~R@k(`p z-#Zu0fu&#B|xc5WAtw56kD<3-az$AB`au3igjd zw?$WJ1De-a&+!c7{XudekC=@#Fg5}DvxOQ@pDv8W8qdw+r2kR{Is6#Aq23y9LNSSX zr7UHxI_vI}Lw;Af)Q-$on#t=qODn&Odwn{-amYDO;8XmHg|TCrNkou6Uh+( z-N#e@e{cr&wV!% z3$F@rmJE@ytPSISuE)+${fkgRj};s+YS#=xAPmuQ7H&EF`Du0PiHGAoa$52jO66Oa zb{)Oo+w$nG^xm!QMI?=ASsBQHlgN5!d^z+0<-g%+PwU?}Z#J4rfZSIKV>N=48mDpq zuKM-W{D5bG61<8gtVbZ2@HL+(@n_7s?}plt$r@XgL%TZou&jmR_3#CQ9L@rNFANjw zkap_Bl4YO#X(K|O2rc@#hI2b;6m>>!I0wkEWhq89tY&!scXv3SzNrG7z||2Suk7mS zJGj(&6pDV`GXwikA?{QS^&2YInG;FXQL%>vyGZ zrJ(NIjS&|U%51{aNw%ivLI0G=tbP`Ov`NM(4fE7AOTd%=SMLvr_2ORzu&z@=yv`E+ zKb@UJbfsMwrDNN+lS*#PifyN2r()Z-d1Ko)Z=6(6K}8i;Y&)I5d-bG8-90+v@2vH$ z7iT|v12!OClwij1;ey-YnHe%b1O4AJ$oH(9(}odRO*!;(5o{`~>Lo^Lf-RDy!tN3u z&85_7u6zxFg1+hWu|8z)G$ zUz9aA!aL~tHd?CCz-Te3cAKQSLZk7UZYv&?d6+1xT0evX__BV|CO`ehrWY>KHier= zV=owDxywv-xZlaQAfjPT@;%Q%enFL<*W5%(I=>CgSJx;0Lv0^EIM!beq%#irtYLxy zd8e?4A+}dfnEh03k>%_Awj*S2J^9vfc6DzPYN2!k(WdtUIcTh@VM?~nt}$?u=^B-7 ztF(i!j@ooO?iR(66!+Zo^}>G7^AZ(xor2RMoBCurR{Xiej7h>NyMNR&eb~XGSVdHx zC7$-)$w?d=pPoB=`Fb|#w~ECj%vps_6CIw-nVE4gic5U)!i@Eo?Gs?gMBMgYx82zN6RnR0JP)r2H`Z%(Bo$6kE{~GN$>xh5Lg#4x#Fu2-unP6s zzaA*HRtO~?r?4+W!V#_hc2Eupb(3r-SlcNwM+G6xVc$Pr6 z=NON>4GQF6s=YNF9+1-`I#mGP{O=IXW#nNfVnorav`!qbY0wI`Ll)_owtATN7J^el z6KlYv964<=q}e9Awy~BB?IU|k4s|3G#AaX{G%7V`Z^2?JWzg?g{c5LB6IrWR(IELJ z3%_)^khW6{*QAutJH)i(LtZlEbc(+&z`kLV(}uf;%9fMi#TRuXpb0w5asHyl4RlkRbpWWXrYxhD;m z2Bm>S>#dgaQUyYME=I0qx_}^dB3eU|T38lsZH_iq&m55tMPv7#PZ~yo{o88ZjBgL( zcvl{xu`2T@k3%I+(EdRt@!rb#yK-=64_HS1ufg@^%mCd*@BlSIc)7n>-^7fBCIhCT)?E`UI zk!0sEiHKHu=Qc~pH>UzMPhB~=iB+T-&d_Hk=c!%h;@;S~=62v74QdlG%2V(glB+_{ zxM2sMa&`>l+u5Uslgv$oLD35N=w;U_HZ#k{Kq1~Jn-33miytVE9Q++jfBWmD6ep(H zHe;6yx!$FqWn<`4>nXit`>=64xXo)!0vb7H6~j$rTxLAd7H{DSg7r z7e-_mtGTF4FB>&-h&>~1ZGIG62M1#MeuDqCP$<<{_eQ;Y7oYti1FS?)+%>xGv@sg)u8XC zu&VsUoH6@Cv+AYA_$FelH%mEwnL(PeoI_?DxLp5nb@KI)^vd#Jjp()l+|~lQ#KFg3 zi4x-+S{Uz#9M>kr)N|BaOa6X4sA|P(mPfggMZanRWMtZwlKl0mjKV2xi4qCe{4rL` zb@D)PRI~mvccgpNdynYLs-Olw(nYOOX1s9npzENku$CyLO=oM1+y2cOl()Em+$X8K zdKZ+G{V<@2gX2hC%JfVIgnpvQ9YA~dtE=47F{rKKRH)F0kvM*XNYtV_@W0p}>U3?K z{Isb#pDwjY-AK$qAL4B)0Lr9NFxs;*Al%pe42|s=tiuiBpP@dL2Rh>N(_Og6H;~nf zf_7kYjxbOITG@PkkXWqPZ}G^ZtG^%{9%WgE;hD*_Lca@q-i4~B0TE}uG+WMYytLK1 zlXz79P~=^Phg2z1>K~W;;1}+*;(KWAQ*iP5@BUVw>jrKCf~aF!AnaKe7-oj#1Sevo zX<-uB(#7g-($LwEgJh7{N6pQt0YGu2VwuND7QT9|XOV#_Bxfa}F}ejc#P3?hmmX{1 zThFyXlVX{b_mK2Who^sI{Vj-P1pnE*I*?ziAxN0T#pKvaOfh88AB3;#$B!NnsgJIH z#?zK7GcxifL^=k%z`Q?>DT|t#*4#_&rloQp>WL4U`;Zv|qhiS2YFse=S+BFsZmm)L zfDupIi@VNR<|AHTj97r_)OUg-ecPe}dIS-AC71Pf}0wzC3!n8I81{Y zaaY*c;P>9@{e0wa`u9Ns!K)0x6MYARW`@y57_>LctaBRM+c~2(!AETkqW-gI+0vm6 zSK67vAIB*->uig?r{4-=MxhBO7<(ZQe_N5{sT3eZS6La#NeWL-0cvSRTh+K5aZCUDaZNHM>*}exn9Ll zEd=%-)%f>&Gnw0b*Z~h3NykD(t{<245QK6!?SSE3Mw2zQ*LJ|ytalu`fS^wSimyNr z|7>-T{@YxB|DqIU@t=;W9Q( z7+k0~-cj^iR!^IZ^d;Q571=W%Ry%YO{zev2o|yI98aMuaO_R&;ICZTrSIOA&k~}tQ zyy@pjGhrYH!fz7U_vtfF)x)8x%;%XGtNIX(eBm{09Q&7o_{Zm}P1|C6*q;jAST#ZvTqri=YH6?$Lvxa=x7IElOf(FlSi9YFnZ%0y(rS+=e#%P}#lvZN9%dL7(TD|m z&ddQ8QJ6|$b#euwMC(9`vm0kPIUG_x9)+Xp7ia@3n2SZ(D|(ROoKteMz><4=QQ+}W z_UEi^=4*?V-9)E9IVq&%I8YXt7sJIfMu{E?LVU6wB~x)R)ppQ5 z*X&;+>9NcG5y3d2%`w9?x3e7oo-I&0fV~dz&)qx1InJvt_PJY)AB8ghiBXh1JaFPR z)2(3RxN)A7Pux_hgxds?=CJI!6alYi_(@$2)@d4$rlGT3JYlR)Rx1?h5>i^&xms945A0$*rk`qSOsQ?}~ z)0Q+LJu|%Rl{mK707fxw>}!I1AVX_OQ(8L`(a)BgYBm^WsLQrRA9m%`g}TNY2&OIX zTt*sZLDw1ft-)1pRD%7S?TYv+8E_=!)YxPp4Q*|NcGZI=hfx%n49OL5f zJj4VnF2}^b{)mwAS$yk`<}9*6jiA4)Hg6>v;7G&td5lh_sc!z3!#hlOpzGSq{bWFI z!_7KHUzFKZ1+KzrG_07vMWZ^HMZzyPP_Fl&avE`8R~k*R(OX>=M!oQ#v`-zS)1HL5 zCh*!6I1;xK#{7HH6~so>bUHf}l-=}v6ek(buC8nrN(QgAd7HISbK>Qgo(TC-~9ydsQo7}(x7!RDAaapbFHfQ zi_+1uCz%FMFzNj@e8)kh*67)yLJ@UvgHS@0QLvbqSzb*!F>g(TP_vT z`SBc6!-ERx#Ai+OhdZ)H##<(o8sVo{()O3jnJuK3+(*sqS#-KIhhj&aSzv<3#iTz^ z05mDVbF|hQn2mXuGqVc?g{4l_6^7E8O+pwT=xMNU8ojhag=zn$=t!jstP&U%Aa!`@KM6B%&;KARBF<*SLf!{eNzO)A-JQ#}$+^}~r9MFm>{kWVnX&S} z=?6?KZf=7m^mN2;?h+CeHlvzlFkHIi^CM9R^#p}FQPI#Oz#GH1^Xf0C&U5-uFfqk} zkG^TAo(JKnMgg8gi;|8~ANEH=gQ0z>O9`yPSX+y)V0LT&@WNod@O^bC7E)^NTZOvnUd=8_v} z5e;7i?_@NzT!G!u&&iGRp$d7TiPI9JvlKv-R@BceTH*bh&678{GW@*#q+$1Y`R_E2 zK_A5=q7Kp2A_<&_)_{Xg$B4b#M&!C4#gwU0;)6Vv%}65VNfA+QKpj~$qk-XElPZc8 z@iZaY8z)R~Y9W{HY0WhGq{xXYqmB=PmvNTT@8A(VvwMxq-8Of1qIo$|ID_jZ+Lgr> zh0o=^=yd6DW7}1Z5>Hz6Ql$Am$d!ScwI*A3>K1l&l1p}Y$Bvku<7wDW?nzSkE~6X7 z3;?Drz5Uw_y1h#W@YhbFY$a6jffqt4A?>O}hVk^~Ttf^EZW2$6VC81$3;f&>QKXT(p(FMFeHCukKzg9%sgsk_i6{GXCpl!8UhQOg7c30etVp zZA3?jG{i-xT{Ly*0wnZGGd?jweTQZZhZcfW2wuY$Oi9|Oo+OEe%ubO_< zB8}?#eV>gL1*_)(yhgQ?Nq~3KoCn}u!`-Xzy3xXLriq*02nEcc+X?0tGbQm6tkiqi zDFp)NswIpLqXWK~1ZSERk?Asv^*Vorba0z=B{ek)1QQ8Sv6a{e6w-zEP0`aecV%fZ z=l`M{M>1rld~lAPK};Jsn(m0P8BLd|)5rI6+^lK@siP7xIgkx!{Z`xx;~s}RPnwI@ zMS^O}jjEB%WbDo_Mt(VK0OyTpJ8F%8)qKQ)8+(w6-0-3rX6bU+_JWq5&QbP%BzRYT z=We0Yh?67DpwrtCWCo{{Q(+X8{uNI>wnIx5^v1^a7MG?XuHG@-{7yyWgA(RXz87iV z*O(`@;$DvBhu_Hg=+qw-a!QT{Uq(^kFlo-bp5ol8ZdfR~v#n#P{0p;s zo+L;6ujZlUT=SP^R;50^?a>-`>4fVm!`Fvo4!@X3jf(6O?e%n&#&U8qXHA5eEXfXT zbq`Q4B(0{@{p$a>&N<6vbJB%M&qTA9q+|H1b~m5^N5j zFtI{|l2CN}9bswayxb#!OI!&NH_Y^Q;_VfhU-b_I1wN<7fZ2us`z)OPS$?!P)@eYL zDKbacj4;>FGFcHSKD)Q8)?f4PJ3IiQ+ z?mv9iygHGbEM&U{Sc#_iM={ifA3Elo7&4B9*}eRX5>BOEi#?$|lsM0S?o_1todLy# zip1d0R=P)9CI&z5tHs^aHh){!qxUNo9CFcls;{?~UknPSm=_-p_9apt?Zam?t(=68 zAaPc_)B?@v5Y&7|r@5TqNS}cVJSM0}7BwKi?mM=7iPg`u8+_y?eq2wd7EDQM4s`*I z@MC$${|`Q8FLNkGA_F`vvr!mo^;e%OGGxVSG3Ve2_c#4=!;M>MZZA}CExs!ers!a~ zaZW-;fxZ8xe!j-|+G3IBg|gpyOKE@NI?p8S4>$5|1d!29&cG7XMtq^7Jl5IZsQQ~B z=IGA1EN4yq;Yg(1(GVX(gTCKqDReL?K{($$j=WLls`ia)@X7e_MxZqPt@L!Y>8=wY z8jBQz^wbW9ne{eQGOS-N1*jPgD84c@;7V24Lg5$5Etn+^*y!Oc$W^qsWBE|7qhDVB zY;%#oC+KO`Ox*w!%%uclDA@=84Yk6)5NyDlNHlvh3Umw?Ld@{Qum4gt6MnDOzSAG4 z^p6VxG|073L>z@KXyeTx$gd{=GQ+?TU4?nGL3v&*eS1nsZqpP~%#R`ghhC!OIFxwr zb;Nl)p+Er~05LUt``#jUTn}9mF3+`@;_$HTSfqRfM16y|8NZ5j1plL{!vP~!^kx{h z`t%kyth4*>k61{~I!GVWkmAK$#^E0(!y3$l+r{LN$e|R95H=Zj{uX`2AVdsOLsP>( zO671}^67oU$bLP|?1(B^^PDF_sDoDt~r%4xKsPEKnpT1nVJ}Kdc?v*s-#3Zc$A5rUmjZ4E7d9wd$pB978IKSw`O-vMeIS zEhyCCblI@ESKukXKH0JyuVzDzn&FcPCjZ%*G3DvcRLU~`m+YT}R6fJ3&cPNa;BUlz z=Opp`9*5gu09ZzgX10q!q@(x|EuiLAVd*rRbiW(nb@)G)D7aKQfyq{=bj4s97zvc`2qB#_uz>Q#xbg8#!=Zh#7<%dGJV>u%*YT%CU zuw_Y_B8z!DC;$jm8r6qmKzD~26PH!&wF$x4!nTS%qxhGsE z5~NuJcaE9*%+*%W&e?Y*mz8D_u?(CyMf(&oqC!>SdWV|vZ%km;<%>cZ$MB=;O`Hr~ zLzBH8-l!O)lkJ2@J3m3}C?zh-mM|}Y#qy!n7N2=)%hDKzbPD_^#~mzC&E`rp{O8Se zZhSl^Ib1sDgZ$Mty%tedw~#K4c6m88hG0-lS-hBMdX?jHmsU6fBz=*}Wxh@x(owzj zvT+H?eEKuUVa>(M>+PCfYHBqM0-)QUw0RwYk}^|FCeswBMe@`qy+Ywl5SIw(@z9~h zqWrzhO~9-Xw1g5NUqX0ODDPFqeNm2tI^IB8hraME_4#8S%okC-fD(tq_u%?U!wqdq z-iJhKX#6!UOugG1+JEp5CvqVpi{ojetS^D68qs;o3u_5?my~z za{~-gIhVBWw<|us`MT!rmDr$yg-P{~)HN18k_3xQ$yiZL$_n}W&J|qx(cq5=q%y!l z*<^I?N8@wh-_2up9P*@6AkYn;Y@U_8@GwZ4WC_++_y1AOBqgcT|c&UUe4o-X2u9FU3z`%fmcSJp%H)E$Gp(ST49KjN&f3~jILJ* ztjss7HLux|CJ(p})VLHEIV)4BDk64^%nnK-t@LlyY(pR?%Sc!H2m!BDnTep0mIJH8 zx$iuPL}!#BM^`oo`VAntJh#cNqXKAe4?__ou{m7~XD9NGtVVGmpsz4Wv6_hfvv*%SY#BI*?*J=dvQcN)Zoni*dL zC3Id8u#gG4cp9Qu-hob=JC%f4)gx==pF*R<7ue1;uFr@CJ{CW(Bt%|)i_na!O3Q~4C*-8Unf1-h`P*=_B|_^ z+3c2aB%eZ?-BZ(2+?SW z@kpjvVQSK7PC$xl5Jhmr6GxK|>t#6;#ayt2-Ltf|BDKZehxAIbq2!xaf_9fX(r{ao zzkQlw(}P&FK9x^(X)@H}aoKM5VJBD7NIi@B;o-l9r(K4z;5}Qe{krJL9@=r3xg``E`>&xr+_3 zzPoc?W%LqwE{48SU&6TmM*KL>+Me}N5C&{+CkroJT$BKVUDGRoTA|F|O#R{U@^@E> zy4k*uJPI{Wf*YL$$)yThAu7V1S(rinPu+w7apbD2#NZ`tr{dD4G;l zGrZeztwRN$xfZxQL*ysPz3pD~F5wrPSYfG%2$k>yQ2*^!d}l zjYm?Fwj}Vnya+X-xJEW;2trnKqA6$u-M>_FW+!jTs*`hK)@$sTPob{?NuP+iVS`MJ zJkb-lBoI^20dXW?+8>`c+yA&fK7IbX;mj1c889L}N*>ren>7~@pe2cTU2v<0si(u< ztvlDA*lvjojQHbhq(TzjQ+Bk4qT1Z3Bw!eq<)N(hVI74HX^(TQ%5NBVsq%x;d(IK- zn`WIttv$Cs?t3H!(QGl;k|lebJ9i|dPdJb2*=o)u(TT1DL9a)M#o=Acyx?z@eIomJ z1;>TjagkXR70wZ{;|xSIDCw<}+#k!U1q&nt+pc#qwGmiMA+8FAOav8&rUD`5&*TJN z`P%B}=<&&O33LmHzJy-EV?zbWJKCR?_ngRi=TXOpw*iX#K6SMWT>uEzdTYk~xiDkE zl+c+T2p%VTAbXh1U0Bc@iSWzd7>X>R8;=;M*tl(r*3^#a*cD*jaPd)e#T z^@dV|5M$b0xl$IPwNW?kMwQi@-Qv!2o@4@Zwo%JSjng!#nX?1loT^|`P-aHJyxUH| z+Y_Y?#s*_bUW*(v+}*b$c6gb|O`Xz0Gfjpdki9jGLiIW+$2uXH+yND7#eIT*JL?zH z*UK4bYQj&zA~icdO~cw$d`)D30E+xocMz_=hYc~av#eihf28}X9a5!4$WoPpZ=-8n zO;9ZJqrl2l?n82fbRNd-j6u<>WnLIys73-tffsUw((y~G4ziPq_w%Y=?+OHwK*znoG zjgr@gl;gZ&>HEf-Q!m`~i0)GIve5V9uryCTH6(n3ZxI@2B2|HdpO(4A_KjWGKZjAz zwt6yEFLRf8n!0K}MD;`Z!G}hn)|ulY@dM&Hm(db;@8Pdo4IV)S0lx`32*I8mPZgJa zDtOv>L2BBEz4vl2{Iqk7zS&iO&fHv1Rrcj0#AQapNS3m&%x=#MI-1zo(wAn5=f}50 zvJ5&6#HnQj2`%L`7g`?ce*{#yX6T{cXj}N%Oj?;Rz4;==Ycn`nz(&NpuF#(RVi75` zqR?Mp6EHbt)>r0s#m|(R$bB!sZu$xgWI^qEczbr4wlyD&Bz<#HJ60GO*o9j*gD05@yh_W zHX=}rLU?<{TKBKymI>j%M7b;BWPYe_%WnJ6l@F)W)zWv$N?#-fQX!bMYp$=_+2u<& zzpBD&!M?^<{pZ0TOQYF(**#&cmk+yQCxZ>qptuVXD=m9}ZMDlM;A3=mR8S@5cbN^} zj`~|Ib8|X|BZ3y!w-csVvcG6qXE+cG9Ri^J)b0fD(13H+{;qITr)R+vw>yXO5*}fzfmyOe0*g6sse8@}0jd^U) z4G7DJ_&w9h^HN?H1jd4W<2*WS;(IW5pX;ADJ*!v}}e|kg8%B4JYl*?=k?OIf2FuByI#y{pQ<>b(o1_N+cGsR7jAdyUAV@$W}_PrE*r`h6n;ea&P}Ok5JG zZ03`p#u9%xMi$tvlj$8NRwwyupSk3D56lidWU#$4zJ(NUc~Fjz`j2DaD~kr}R`^(P z1&5xG1BPsfM7VgmsAGd!UmmC*)Y8H_kC`2EQ02}np}&{Zx^$*wa5faSgdyu6MX@w| z9Pb#vuD8zSAN(BrID|HMOU)3fz6^M%W-+ih3)s5U>i_%s#w?W3|EYcYK>K(BTk_*V zPVaE(D+XdjJW7#)#<{U#?YZ;UU+R>)lqTvwiqIK~ncd_S9cLDi#B9^Dv%hYQn$#}9 zdBjM`A>Z#(mb|J9(@=$g^(H?pKKWR@+tMU$<`;O_4VA$a5s#@deXtgv!!Ws(5tx}x z(Pbo2pm!7ki|g+8RPzESc2=A5jUB=heG@=8Pz;K|`@5=Z7MEEC!JPJZOWr6-7Ch34 ziNGkWxAu}T=eSNf8`LZsaH2AYjHi@Q^*{7m31QkLW1QHxKivg*H~QE|hJY@!ek;sQ zYj_c?*_k8gM_Djj$3LfaMm*rL8@JqRH~A~6Dw^!0x04~39z*r}MYy0ZoDrU>jj#23 z!4R-*s@KM+3e4V%mrmQ)#zO9$OhrmdVM&c36+NUIza5-mwY2s$>j~heZzuN6_b7CN z13E!Da%18tBZ)LFD@~;LzPL*Xd`lY6^epI}#$4$Ne#qf1A8yVUkuLV>t%s2cG>gJ& z4g%nxqK=zu5(Z?D?-;Q?z*6x3;kPR436Im2zIwNB%8As;LwnKaIf+)86KrnJjDqv; zG~tvdrJnv>2Ti@S3{6pn-F#BoT>(+fJ9HySvRgqhvipNvyl3hz`Wdt73D=yvo7r=z(Z_2aELeL zMO~OJY5Ms=Du#B;zwc%?_>I)~i};!yQ!0n5N&I|#cxb-)9Q1E}Q26-#?$34oIk^Om z6ZR?v|8(Re`aucxPCX>(!|%JsGew7Xd;`_Cbk>qxi)k}w{aAYuF$%AyfHQ@=7`ing zwA*;2g7r@Rdrk}6AIJ@^VeBuy4F#Y!E%D%0E2jKKa-Z|-SlxWDk01uIsx)V_;s(vw zs+&7~0!=#WX?W}L=s~OH+$3PE$3o{fvn&TZ&fOnBmu!apWT~y}-QQf^aoegt0G6J_ zC3HDh-+y*Vj~T5_saa8ZBUm>%po8s!DC%5hzuD0uU$>qY+j$oG7gmoS=g*Pfh^-SR w@~q9{CjOyLmB`KH#d({zy;+}a&vy{|YH9!Ze`tY$fqi}ktaOQh2|$7U5Bka2Gynhq literal 0 HcmV?d00001 diff --git a/assets/linkerd/linkerd-control-plane-2024.10.1.tgz b/assets/linkerd/linkerd-control-plane-2024.10.1.tgz index 247540609dc43fd54d726d6e524bb51ade495bf1..d58e6f7790b10f7691fbfdf22a2ea8121b0206d3 100644 GIT binary patch delta 30252 zcmV)JK)b)__5tGd0gya@TYDR~wjg+(`73a!ecDo*RlMk8o4a$m70F3-VmsQFoPEyt zcp|V0BoP%06#zw2mfWN(7ullzae|XUQr~bjy-k|ri zzu({gr(XYX|LNe7(o}z?hKf$~Bt++G5;oSm&PODe6D}xAhv><_e%TKPgRmF$o-`Kc zBq3N3gQjt=w{S*(umIIT`Kn9!530U{>-J);q4sv3=m zK>z!H{x5VxG=6UeAGKQh@L+^>_3Z0+<%Va-t)m=eDHMi?CDXD96ass zAMPJLAK})7q=aLsHk9_DH|T!{{Xx(>y6pFd2ZP~ZFMRs!U~tgeKYSka4u`#7`?Fth zpVy~({m*fd6LDVx;Og~%w13#E$$v-t2aoIjAwE0kl#FqnNTkOc#0a}%wsz3vlnO)z z!stJaU%d>*jL)!?BnDof3Y?NC!JMEu<`j<-B9LTgL{O%Lg&5IPG7x`DkR-D#!IFru z)!IQpfWFH|gr`Ijflgmvpi`!V0AN50L@r1xN^&6y*KdZ%{8alAP7ILCDY4H{O5_dW z*SZZiQyNXJ_<>?7A~q*{q1uuWuG*m_A84MKvOI}fJBX%HlE(zeDM1;FjeMmcSl}Hr z$|Xt(iBZaAsY+bC!oFwS%e13p3PUlz_5CM&Pi=&8Ss&CKE z=SS%6%VU8sC#@YMG7^DMjRZq-iY4Miuq0PP2huQTisT}r5l;MmCFz`Umd;2jMQFS8 zwZS_??S3zW|GLjQ{a!CTI)ESjUZ?+b5cZGsuR*8(T>W~ce;$8z#&NGV9Cn|z^$?u0 z=$dduXLv$TmM00ySVE&k3!a?kNpcRqhv;nln#prc1WBc?dtq88bO+|M5#fl95ldq9 zhJa*sK_tv6PLzPCzTqTcH;A(&8R6(UY;iKDY76?73bjwYq%$gqsNd5lUa|>F$ebiF zEfgBV>k#ld6tRC<#!}ToE%PEF{3V;bRCR`krejtB((`{yNMA#xp(;gF4U43Dt&{;s zjw6~*Y;913F7>k^8skI|U0baYk>LmyiXds+00$Og6QtL+av=x*gvo?(4Z94EXS3bhQlX7vexo5g^xizynDEMb2OHA9h*YNMYlTE(*q^GNBY zsy}Hud7H&p67>L~8UFA##dAy()ty5$IQ$p;{37QQ^Q6?{YS?l?)FgY6#u=ljyhzjn zR|CywgbO#iF%gocAlh3t@YmLkfmEt&d5B_sf=D$ilIH}mG+7{8#q`}XfyM;O92WOP z@d7FkOIv?UkcR-N+y>2?Bt>{Urm0f?B2F}&EcJR+H)TpEQ)D^`6i0*SoW;kfq{jwE zX@)iQR+e!#M#K=O=v_Abp9qBG8BBH6ZG;PpQGr;Br)a|%S{PHob5M-YD32$^G-v6W zbFDgc6~BUdC5$l@8YO4Br0GO6Tgg>dMv9H%IHrGqR5H!4?K?T;ET2pjt*sq1^>?AR z1qH+HrX#`vnxYB@s*BNl5blRP;P+1MN@;5c&HLd&*xPFv;uKIb?j9#mQy!Y2l zuE~GCH`1!OR9h~aQK?7$^^40Nk56Bny+#qv%mjtqY)a7i#d&K7x(jyXq9awOfVBYK zOi7Ap`jcWx0Nj*Q3)L7nG#;nv2(bj71p#Nc6sAAQ=cvJ>$MW%Kej4sFLXG8Q~)Hj^bR%NvRc7CBY5zV!x z1ekMxGpg4v8j&&M1ZKaKY6L?7pf-eel3f!u_o8bek>b=SQJXIq{dN$YWeHI;50-!R z``resO0f}iqlA)F1{2mDC2Z84_Xi+v5owW<`-)<&3KSWlLC?qu$7bE*1bIeLm?Uv*#12>wtxPe_!fc9u`LzZi!6T9^ ztNapP7WG~hg|jSK*y2jY1B+BEVzYl4ORLp9IWOasaVi%l2^K z*8oF#ZK8;Hm>hyp&syem>7Y^?pr02~>2ly6R{=6ib$`WGBw8quc>->`UEqJb#FIPW zDoayPz?oW9zZ*1l@wTbglCnH&D=Y1((3&`#8MP_nY(zl&@RTK02`W~#nnID`L<{Gh zrUDbc0Hnd)OPR`$=Jk@{O6PC+{4+DEPkP@wNn9(`1ekb8TgA71Jf z!yet6i94XB=?bjoWdqVRIE|2_rcw%Gmup>NIpRd*iPVyfKx9rMu!AYC3F-@uro?Oc zsjYaTUc3dcj-vLVXm5W(k!Gg1(^A) zR6;q`bISFfpfRYA#fXj;3Ob1E6p&y9?EyU%M79>PD8Dyg&JEI2!0G5N&EdP!ZF>sf z-Hq(CbQ7vKlYtcS)pCz3v0T=%yya8LHygrVBh!@loG2ha5vYGFrn!vSO{z@`&JN)i z+=Y2>ttXYq(I6(7ZYxBi8_d&=A@NHkCv~PYx@LUwCE=WLAC$2J?p}dS?+P)Fu6`0M zz1nMnUp4?5FuPZ5Jk~X73SNA2wTI5eb_&Dm4!WTrK#@6UXs)l-G6zTrn@rT4{Pyzl z98C$12^XOc#sPotl**tP2DMk!Cwk7$2_IoeXCZpcq}dtmln1T71WqxXlqms^r38t5 zJf;!VYNREsgz&E(^|sHo!i*EaJj+>3MmZ>%37aSY-|G59)Mn#x8;lrS3UA#U!;DZ* zmrY103lnFE4*JjgMO_?e)E=1wHR|wih%-Cn5Tu3&f!WoTzQ7Umvl^`MU-e}FlFpo6!yQu=m(*IEE3&_r4h*_d@*rg#n&LQ&;o$e-6>wd zgFS!1qL}AQHCk=m);*!+5eGn%q6odgRDK1W^x^|8RIy%poI22YFUHF^J*z=cJD`x5 zOO&UQCf;5E`RCvZm=XW3&A}wGtz2ZQg9R-gz}=*ch=4|C|%O1L`8^ z;??Cj+8rEr4xc^UGY*$vOu3Mzz^nhb_}hO=w7b9GJ8FFY4NeHhX!qdY;GnU*5x3qv{6bh2yOsLglw74WeEF-C>tO_*6bM3xLh$L~x zn>jGC>{5fp4rr4_2So`JYBj6ob27s;Rlhv2YHC};yd~;SsY`He>S?82=|)@7Q5V{! zk}`C40i$z;1W8CF1;UCAgb00~D#?Fgh}t+w0-VdKn#2*7ByM*A3B1VD$}7}14vT7? z;zdK9n4}B!7w0jRx(&WY(TGYZV!DW1Rz`nWQrb7KeD~r!czU>x6q}n9$CaU!i-t)N z`JiS7csCO3%>^Hj^E!E4^+3Sq>&B;t=>|r znD#l8Ok*1$ZnC8{Vje6-Y&v5d08M%3Z*RIjLSsymoRiBbCt}Kyc!>G~y=$Bpa*04X zY7sa^M!2Lzl#B^as*xXt$7z50S1TGuNAQ4Zo3`57j?d4OaGbGJ5G17HgHRXQA0?qq zEqL3xR>J_6i*ksi@N7mtQK5lhI;b!f?Thv@@FOB`h-P$3O@!H~k%)Cz;)HnSu~`kp z%!sD3nGf1ORqY0}OG6S`#!ICY(Ht~ROnc}*NW2$1v2{#T8-}RepSFJstC{Xcy-nFZ zRbtG*{_qG?DifdML`h|OLpncu{f%~ez@`=JFs7MOu9afj9r)v}Ki7n0$7+F{8E6ot z_04laP2qVl{)TInmNl-a#s~REOTFqW9iA5ZYIg zw|?u6a)!)X^pv&gyP$uCs%if$rP7)Af54n#ttQb-S`!#{Q&`6XNag?$8+a0;lbmys z%4DH8U>~cF+u(VM2$fT%JEiDJI+jlm)87*^!O`Lgnz5K@w z5lt~)INBlzozT^%Oqfszk!MO&1u#&Z%n2{R+eWGNW?KA;#cF>MYMPcw!PGOlfK^Id z(+tfic3`Ta?cveW&cWf)Go>leNy<2>2;8p3Qpwvl)Z7-SGiPs#bvd$nER-268xN&D zutY295u45OR0piUSs=xSJpn~+C|cZWA!H&(^lwM%!G7oH;9%cTdctNi90;NW3Z=v* zQ~=2$AEiWs7CV2(360Uo+36c=Fx582B3AC2W*LdmXi+kms>c@^j4!w@vEjlzuL*|W z=k~3;WjLD}aGQZ!L#}7r1@N0&^eb^p>ka&tkabr6YJk)yG4(G;GB1wOg$H3DqHUNU zf5+7NKQ2h*>)Gd=&S^pvw*|fc8i{anf`*@Q77-zIa5;ZXr-V}-Szu4U>A7zM$dtIH zq{z`C!$N?v3hK(CXJLRSnmzqb%oW_rGm&L=N_K z(S5q#d-ku233^>v!VGGawn$T<``kv(x+>}oRQjv#h8rpjbzl&*+ey!&QBQ~H=bbKT((GskeX7ZA4f8Yu0mL_poLkw$L7+-y;hey{ zwgIm$;KshdK?X`z2vq#j$=*) z^k{!!Ag+Pc^8`ytW|=fHn-UvKCr*s3-7tR#w?SIjwjgZt#d^1Tw0i{xqWW0)S6Mr^5=pX1_Yc-F#-tVMSHTqug#+f;fgx!vJ!cs{-Nb6OoYqId5VRfeC=7J-?_fu<}llr4gUO=ucuw5B0?w^O{AYW`>f z9Ti_pMTV6+Wp%zhn{ceQM03XA+rfWZctT2Da~!L+bbfJO1SEnGLetnpjMR?|UFbF* znFKOFS!nTLyWyQ7*>(l)B*Fc9r_V!U-j zMpMSFO<{LP3p5o4s0f8S0|9oKKjkW8*SK-kDLH=%1`FGR za8XtC1POJQadh$R@t$Fp#i6;%X)Q}bSS9KQKfG4kQ{6!bt`DPWwF}s9c_1?ud*IB` zHQ`P_fQ)i>y3N6{w`Zr|!rX6d>A>6o&9-jLf~s#6RRIJn`omroOO*QRy!VbAk$G$f zW{MP6RB-;^f}a8$Gi$>#w3vTL#WBM&8E;$}rJtU^?VwlMMXqqYaIWVI<9aSY+Ef@y z5%8O}tMFe{2)F_YL_P|}lq9j(Ywa}AFf7vshv)8vKz|k66Sh9lil5(t@G^nJR?B-= zj@_RTF(vW0Qf7k_Fv~%l+bADviT9e2>_;%I4V?wqnCP6rOjLXX#dd#IFS2hQ-Arjh zexz|ioE!DNV{k#7tW0Kjc4GO>#%C8Cs0|c+E5)wR?JMB!U9H~~{<>2MmiG@mKe~VX z%DxXI&xH(>5-g05;}ys^-Z=v|0`EI1qE}j#Pt5 zQR$vYT$3AXFvso?klVd{ zH((z^(_} z_xZ5DBgL|&x5DF~8GJ44g;*5m+_Aqe?6JR3z%PT3x8KG}1LK{#*mUc%bxRxWT?lI0 zR~>=dY^t_WZAX9IK~sXc91&dg2JP6$@o!auuT+5`Ko{Ooa>=|{Be3!npg2o^Vxv|S zMCtUZ=CN+#)oXjiT|`q7=W3sA_fQXgq5dnpSx$jy_GsyM!>Z~_Q@f)VCrXLucR-O^ z;)wv4E-36)W3pa>9fw#4+*rT@kq;4Qnc5_4)S9uc)>wa*5Vjg-va>~>>OR(cj#i<$ zC&-rdDBDtt&zTgY2@<1T&oC3G`txIJwZAVyB8vmpH*+b2ifkvgPl!rhTQS{)i;(23+QLFV?TC`?1R~ zVIqfs7`=bSa6F?zK-!X`*IYV_3sc-CcaYKa#fOX&sNv2BUX#VpOuf+C;vDF}fVMHD zEF&CDk4m{dOU+ZA?#42Gmlq)Rk(5P*8Id@~5{HW3tzg56YOxTK%-l17++5FnKT=)4 zVYe|TyhWdRomEQr6gb7O)~ZuR#A_yBe4s)u1C@W$z^;(h^_}O?+wGc76R^P5Qgj=i zV&v*UZo=Q(6f}#}m{3WIz9q>_YqU0X7-Bliq_iE^D7hxf3?-k2n$m7<4z0r?XJd47 z?281#%eCTYvfQRbR|+ouW$dBTL{=^|C-y}UmvapeSJ@Tx;*}$y^193#t~^Gl&tysG zgz0}EpVM@ZF~--~kIxr72n$GL>5*&A7mn;A5ZSiOamaTk$H;N+Qx}^vJ_^RVdeg)YHUEs$+2bRV2Z|N(!9y|i5t+}aTzm$2nUL(1&X2o2VTFr zRoxI??X}q-uhPl%RSnkz>*kP)w7#mgK|_C6R04s*%&HRF=cYDMKp_)>qdd0+R&ZXtj9 zmH<2ozjqOSKRelXm4vo*j{Vlc+5;2zyOP^Vi?va7E0=hb-X5j5N9pa4EWNpOT}x#I zczp*EpguWq1(gDiGQp!v z@F)}fv1J0aA+gwPE;h+`$F=F*ch7$=T01CaQQnZzbxlTxLb~W;A?PH9$cmK3q`Ra3 zwL9QmtC{vz>d`hd&g}vp6X1}@KbV$WoG%q_L{<`PJ~u;FiSmujSYD&bW+6q+B})i5 z=Uu9!+S-9}z0If!?IKn)5;D)Jv6YynGQepZNQbn$bWC@OLIt&I65531pPGN%#;F+C zl+^c^1OiXy%EmP zIg4Mhls3ui_C+OGWIeNb6Wn(N;G#PVssbw=hB2AzjTkuF-+s>}c09BB1IDtHy+>DpIDs_w zfOzR49gHQZm@^h5(-2iODKar5R8G*ouJ?-(tiyoA~FN?%P%N=qwjyz3kwD2*I&IN zHqdWQ|IzT&+%)0B+Fnu4*)2QHM*L|QsO-e9_Myw9x;-A)ZkLVDZ+(ByT|dqDKe@Yl zy05>#d~p%V5AqH;*4_WvJ36e~|Max?^yu;ar-%4ldO70Drv+}XKq8MKA_OEKDlSMs z|KI=n|NP&r)+Iwzl4O5yOQn`#^+it>oVCl(h?qj52&WbZEG&2J=gTw5C8*EF4wbqQ zsSPy{FWpUyJWqW?h6VExiD|2KoWQoLPYrY&u9)4V3B&sK2!%uo^vMDa()$#cdqM@u zAhNrKHo5`Q*6KoE%zQd02zN+m{KxqgY7AZXiB2% zRtwH#(tm(Jk%B46u9@#8-0_`jAj13tpht*--IcmLtG$O^p1MaD8-a&L|vk9}y){>I@Uf0*t0g zQx01QebGgMqlJ!jA0`7bt5bJ>{O?9`@eSx{MJgq>ivIkuwS+R z4EleEN00megM8Hfzq7NW{zs=?5`p5xzqPYMF(WGI&HTF`{|z4!o&%3*n($ z`}2?Ko-!OiiFdT=g@K{HlEqp6X5o0_ybI>e= zIwoyGEQ8k)qlZAJP*&eEH?C%*wbQckR_b4Wtt=0^_}@sGsA60LD<$NFkw1kmX5YVunQ9A*&`NFQ$Po@s`6U*Tvt#xR#5`c(km(Xjx07O zL@UP|5Mm1Y%dKe*+gV{lAdBQd?WM345P#0Q$ZwMqvDvh5s?&7xca7_$6lQ<4;i@ro z7Un^-f*D7XpAaywaN5h8z>wx)D)^nQu;; z54=X9`|(F$WcG-I5>b}VR!#&?GNnfB%5M`6uu8k$+b$epfPzd9)k#vUbB>}7x=Uh__q}LRvv#$xr5ACZP}yT z_c_abjpvsd7(sKndz1Pq;Fk)0&E@Vz=Bs#R9#-V5Et-wQz7@wP_cklGjnKCO%xz@8 zwcu8Yd~4fu2Z?V(*nd`mueNpFR_Lqr^Cy$}ssw*Jxo`D?+`RCokouOK1K)tx|88YI z-IA(rq9*!%QIqq`!S8>P%@=@CBFwv~lo{LsV;`8iAj+3E*q1XRrZN%DFZG>&C1mAS z;+E~7U`cN9A~dAYbmBWIHt&a8TPHk=+=FK6cgr|P--5nwo2+nHoMmBINK)cez{W!x zlK#79#NG-h2G?Z~Fe%6@L#EzjEY`!N9Zv4~gveHLl1LOkzyW`?3=hsSu?$m8vV<*W zaOJ{MgpE*Z3v?NZo_A)YRuI>Bl{RW5kGAgv&y9u?{DH|!#U2r#6ZC%V8`3?V^ z-246=%BC9&r!jxzsA+Z^uXf{Z>N>vbnFdXRzN|TLK@%H!uK!$<<(6B$@j>5$_uO)H zw_Ep*1OJJ*M2S7rdijAE#BUvR`5Aq-i2waW=l>3Rhy8=<`M;yXgU9&ahxpto{?|U) zJQPdFM_2z(~sQ!(Nd+~q1tcFOHL32v3wJXU{?lTttcmU=Tp&w9^};HSiV zLgabzuojiK)f@<>1jh*xkB+rlPlm`&17o-Polb^IOvB@3_*^+dE%-!Fii3mw+MFmA zy~EsaI``wO_}#FG=e-6N@w|8UY4FGKu1S;HnuMH>&XoU{0p3ZBDV$6w{~ zM7ytxxzvA9pfs;Eiq+>s9!1hS%%~au@HWMBOcOO;rBH<8(0-WJhbb)A)P#w8O6!+i zk8j`Sm19N_i6%KAY3WGhEgW0ZtbI1x;m{C=7?EZn#UFsY*8`>1>#av#ABG{pPle6JCzhCZl*Rx-iwQ+ZKf6-O-i~Rv5Cv&R$?prD({n5~0;JXkPjs6l|8o1$CSdeopr>NbWE}^{# zM2jgN93F{$<|jRKsalWKQfOY6pHGX~i(JeI{Z0_J%t z>5QBtSP0duVoa-VG!sQ1(a$-PUb)(2sIUVs-?vLRQ|T_-n zyAoJMfGEpuHJNP%N}EF5jB_(aH61Zc2^YiVG*pBbtmMF^*%QK>mCdPuQnMLS>*zqq zuQ{8!1Ym7_mr=t5lyJ1N}}G4X(UlQ<}7QQ(>(3tmoM9Udo^aDw3L5_`Ky!n zUeK6Cm=~3TRot{#UXJByE_lw#n0`RJoMZ$`^c1yGdv67w3J~U#Ql9gstt3DJj${7i z&>6(d(?U8d5=DNwW|Ig|pluz&bP(j(gyR_Ml|jd5~N0FIq66lgqg!Z45_+&Qx(3 zgQ1Ve%yhH?0xOZQ4F8;y0IXRad_5)gOW>HHj}+iA0h&!nzG*;G=|P0xM!a)Q=QJS`@a2ye)H@!QD1cM{utxxl-qZK*U+Dsy`o zU=`APAS9JM|xGr$%Vbl6*#9u{DAf1J(Px0Qpp*}nH;L1b<*JSZ!(`a=~j+|xnBEqFuUNhpd+_lCKXpGsS zZVG&D-c&l)Sp)Ci4tOi;q_ck>YCmSpZrEgTuRv&$U^O&fjW&X;*Cgv<`jVz&*15qv zZ8t#PUe3LXL9{W;jn|A!ZDDq3tENbJ*)%2Afcc1iVl+kVPP@LJG+F_d!o4>;<5CQF zHZa!Y+!_if0m*1eGVhXd^Lv$jmmtYp;RZbSEHA4{4MJCg%-5v3)E7P8gNVg0%Do_Y zwdv}4Z+p{Ky-Gu;)GIa#-?a!|^uRK7<8a=_YFQibhZeUR2=HPVOO-Z}xmSRDl)N7$ zlbS6(8_q?|qT};3G=i9Gc%uU!s6eWn4uxdq1t&k}lkzPk0=_qs87@8u*Od*hjRw6> zlV2_+0k4yVE-rrusp^_o$~#XgZ%VoQ7t7;x$*xIy&e>0z;cZH@qt`$Sum%@M1@B&{ z-weNP)^;d=>s$`E`K-(TF(sJG5yA2fSAeg%|M#H3Kd9dS*MGYInE&G;K6O@O42$2Y zf&WTP@W33SvuQ%UwNnDU`Re!t9^X&4Ejt(8oV(uxn!kVfMSq{-qVG?Z4eJju2t|gf zhTKz4?c5}h)z%lEE$ztr%3Zfv9$KG_&u*kPTrRHrnyw|h=X)e?wY0X%Gx=GMNOkS3 z%I^3XE}^^K9QcWNpLbTx$MAWKc(Yi%?X7_xz~5T3dHihh*;xL+b@sot^8eFbP5$o< zp7tK)|A&A0+(rJciT-fuw6_~_mi`+XeKJP7ENeoUxqcQo6FxtFf4?cGSQ_P=lQddb z5Ahq4B{(9js;|KH#6>hEah_Nsq%c2+s9p4Tt?;kEwp&%pf2k&lu_R~d|G`p%+PwqR zKSW=s|JrCbWjE*}n&m>CVo6@Hn2r~y{a^dNS$lsEwclQzv9z4;^ZuYY8NibC3b&hV z>qy-qcfm4x{lP<<7|=^(-P(qZ8jrI#wsZM0eYC|V=cxn#QN85xAHNdKDked*=lIO099YT%qL#QE!2yGrmgx19pq3z>|&~0Oi&@F%B zidOXWHt|Jh?S{8x%X_rn{K-D+>_0C0{`T(Qb@reAUcXoM|Mm`_KH7gC;^P~3&dgXh zT>enFdh70hjeR7`?Lf_9hdcUl3j@1X_4BZ|H2b*9xB2;3U6$Nc5dXsA?$L^`N^8mO z_pKdt`TgnlyK}<#&>JEor;$W*N`-$7Z8XNN!p;_=3qo2u5R5H`-R^|SX+BbIbfKf> z@1RSC$cgAa-#>b~-c3j5B$dr{c9cvaqp5MPE%ll`&Z*z%rnYsxwzcoh>$Hb(-7Q0R zZ=So)ZW7#&W&9Yc7Ak6_O#8 z(JmgiUcMF?459P=j7*{auTEVIWz`koXu&h?XhkK>0U<>;gXIa!DxHw=$qr>=PzEF z#_d5fuF2vKxKYOG9803WtVVx*O%`R;_Ra`>n7Hte*XOpqOZnv3pQ9(k{xU>S_Ew75Ir^KwyzbiVPmT*87Lbh2P4{!tN z@8g!)Pm@$NDgvMAlYlihLRYvX_H7iJdp6!vp_Q}hW`87uiqS#H90A}bnAgv-Y zu7KIF2em7c-}v!^<&tBLNGuWN7q={T_64mOJT$l&z z;&IV0ze2!w{EDdEPrOKzFgGqM%Z4O?0s8SrHEVw?cJ?1L7XRpcb3bN`%O6$m_+E=h z`zWpn$x5D^3Hh*-i8mg9QO?p}NE4cDo|z zi_6abJp2Q|{Ai}mkCgprrp}Krb$%??=BH*x%`4%r1&{j6@0v+zi`?y)lVwbbcYI3G z$0bmFi;aQmcP1CLB*&3x@@L@FXdh6T?4^xlA!n7 zGb&ekE0n5_RL$F9%viiNuG)A&Z~pib8{LM2>t{k$^{B8F0Z+_X!$59J*fQudd{^MR z;eXxxgtV^$e;4BK6>bR_vI9PYvl&1BC}){h_AmV{(Uz+(Yr?IuE*qoG(B7sA0N~#9 zbFQ`j8F&6qus_{@E(_#Z`(N*%V*eWq_WO_azlZo#MA8onbY{l-w@LX}o^Q7}!d?UL zd7S^;^op|$b0=C&?ff~yBRsC~03ri{f)AT0p_J}&`>wK}Mc zGjsQ0321T7(x+b#{WHd7#!~xBNG!=XPvG}0npCD|WC~S(FKXm0{fUjB2>jg$(QlLC z@{hWNwoW}+YsdNolzt-3c6+;P@HQQeO;UB_cP>C=&c{rHq-HI|Gnl{mKVQ)s|*Z}1{G@FSDMqjKOz$M zwf?0wW`qL7GMnFHh~A<0$(t9)moM7JYFyWUPvKbwxPD&OT$KW;=Z!FBM8wpd-FCA8 za?A)ClNaML=pQ!!VAE0I#(u1vH!hCD>l^HTOZ(4u_P^W30ItdZ-QPdjuipQ%zyFy3 z`$0a-?SCe*_ve*|usj__k6`s-{L>{;k9p}oR7{0a+lj^z}!mwNu%dqB6C;=$pO z$Yd;x*!ir;zeyRB2+L25cqAgi3}5y4Ui zP%@O|($9vc6Gz_Q1!7}RDsG{FDg2%j%WW>DZ=x{>iMh-(*b~m`0zez>AKo6|IpLJW z4%8hWeO=i-+i1}HNL$Db~fU(mp1H_JJ=G>i~ECJ6k! zCJ4O4J(z#)faH5}cy8d40EfhVUZ7g*(c0CS4SlW^Dyty+cW71$|FXq@O`65*yN}y6 zA1CA=`DV?AX?Cv%C;uRyweepfyF=zr{aKU$^Kk#DlK-v$w7>tD|Ls9OWgXaX-;48F z+Rqa`KhU|FAL#tzyq1o{v0Mn@Eco<=k+-$sb^GIN<@|3AY|F^)p-Y5`lWdABkvm{& zA+Zte0sauRjceC>>D$|XWjJ}5Q*VaF7Cwu*J{=`YkiTOpFP)XK7Ia2s2sW!Xj2SQK za_f_^oB$Q>dW-eOs?zSV#*k<8&XywX%GpN^N)n$`?1=$-{o?Y+d*G($Z+J3lEuI6pfr9tiT1ruhedJxO?;Xyx!&9H)zx zZ+>hwD7n=(S^%$dA>VjbO;?wA7mUc&T z!D>6D9DZn(y=9z#z)DPlOveF=*-d(bd3=0+rr+v&C`c-Q0MI81rZd2| zyFwlp*{8@u_1hiqf1D>#)W~;sP zmP2Mwtp7nru6o3~@ocwl;U*`yw?3sF6Cojh2W<4~kEqvwEoUZA`L_gf`4z!Z3vZiY zpQ=hDg5{>Tt*vQ8_{;7&Zv_A8&hd=>K0D|fOG$VNPDMTB=w?b%G|FkB_&&;Tbd4uOgsmNPIi&(bIB?pDDM=DEN!UnR zX=pm>K&n80N#_KDExhMAjaxe?B@BWy1l5x`d{_n3}yt!y8ja2b`^ux&oiYXVZa6)Al{?)B$g`&)Cy@# za95Y(?5E!qhiP8_Z(baqzIqYP;(Niddi_5=I_e))*8joNgM-KQ{}7)Y)HnlLEt`OL zLgz%F11+~;DJ4k^Lh1;|6Vf#m0#`nusSZJf zc*_4SwF0PQYOP1u`r?ak*^Fd(LWW;_f&QC+#Zt)F|JrKp?4ZBpG`faB02s8GML8(r zAb+<0gXJi~DdKtRQV_Egt|0UxOl)8|O%YZcUVUd{H33)}ix6E9xNWiZ&Vu-cNC;5B zPl*#QN-42*ka!QbY z#n*~iB;LPs61MskLhH{tf$1iw^!@8R7HT$f*=p&7qKKwK;v`W-OSR|0+YZV=w6t#l z>6H)V$`-tt(rDV!4ikZF*^@V?`UY3{<-8RFjX9g?XF2CeO93!;X*AJZ+&f9Qq+^J| z7p+$1N=k!3jgB1)cdd{xgOXYtqwyNC#bs z#kJ^Kl!4#T-96PvM@>p@S}au}QtLQ@6b(uON){b7Vrp)BoeTZxMyTGa0?qIOjYumd zoX$zCrv^>!Wdw!oAVe=dPys`Da*TF;Bzxsq@x>RjT*xoJfLLd}YOmZ;mn#Pm^r*O) z&`t3oS7Ga{f#xO*I*rAZhT5usL)C4+3ei`pkBYO%V#@L)MnpBv2B(!arzfIi7hrKc z9Xd-9<1yiCU~)A#QVl})Psh!F7eO~77K{}_uUxE$&82m6{H5eMxeC!`9jduYv$R?) z7So84;}r%+tH7bFha#Gi8Tqo7BkD>`rbZq`oK;vJO|)ilhu}_t;O+!>cZc9^!Cli3 z9D=*MySqzpcX#*T_6`4eX3q3gU-VTywQG0PTWd*)4bX5YqhU3LY_>KkY3Bp$PcqsV zhOLnp{O4<}`r3;ARp|<&dBP+ZXkr;cY!2Vrc)6rf$-!kIxeH|k|LQVAFr`QDF8dow zqm47J3#F0Sc*x7J5-d>QL4*rqhaqOY#1sd z*)Ch_>FGt*q|g$Dm0C|Ti_4vS!nMV8BhnY&jF;22!*hcVeBJ)c>j+MZs%v=U+*^FW zh@W2;;*#8@ANXBQUa1fMsu~eVv10#Ln<=t*Us&&O34}dBOWevE49p$|G#9 z%d*nVE8{wHk4V)P5qE(;o8zt75q7Rc7A%r%x>AYh6u2J4=sDeq#%BkAixI5j&P-$4 z6?k$?swLmKo~IBVx~~l$NwjzC)J3j$Su(jo(Ky&?lw>=u$Vp!E6Q4tCe}i(0eav} zr-lWI?kB`(F3GTJ*fVAPnM#Dhz}@r{LL>&C|C62l%^DgjWJL&6`zf|*x2(F7w&fkhkZCFHHxq9Fg#S15%TUtv46RPe#k0rHxN#&V0qljM7_13Ev zs*V8?)7MsP8)UTE1yI?SsBCT0F%qK{`bSu9-&7h=T7fzIHhXHHTqaKbZjoE`xj~FUy6R3jH)Jraz$*VeTh+ z>hh7aKm;XWaZO|+U%%qWWxyv7pFuac?_G*}&ZS6ZTQgmTLc9C6pHT0^YK!%2X1an+ z6oKlS$+o*1Pq!U>?+oU7zk^&5ZjeG{EX24{_Sb@Iz7ta9dQs+hw-ATBs_tu zMM}{I_q!xcn=DsX?pJP%6a6#9J6c6@4g_s@U~AmFmch8&F7fwlJ337=p(J}|LdjQ`Q3pT&Rh7ZY~dwzlk1t#HxMy@Msh#u zrAYv0^T^~R`epG2Zf&_{4Y|JxSy`Mo_OTJ?q5ta(oSIdvkkNY-wM%k@TrL|G*S1bB zAoFA2wL&p5TodD-tj#)I)2Q!TMnmNUmjF$)Kco@<|{+PcBBG3$Q{AHhSBDe-X~6 zSf#tDI*wnp*LoUw*G9u$@=E(OinF*&DGI4&Z^Iy__*@t2*@Z;kQbMCCamua7nYzo8 zQg9GNk|+?7X>Z1v@nPVkQ17g8$7c0O`>-XojT4$g*mAxx7O*dk`M@07d_!mHrfUe zd$;*d8a8-RA=fc$W5T7uqGpo;t2^9wmj6l_ zLZaeX9CJ}P9)7Kgt%p&i%Exuvv7B0`w~*fe?i#Dzm!EUtu2?tSTMVbOiSCK0f#DcN zW%++G5f)DzpORUBY-cUfzh+`Ib8!?YMMBfEoWiUB>VL^u=a7oZ;<3vA9S0A-V_fTN z{P9Yw`sgY@!)V$Bu$ng3jFN1<{BxPUx}fv3Pi$%!QB$iiW*w!v3~Zi!01qo$nqVzy zvHl%-8}|KH*3pcyF*Le1&K1g6>@);E(I8wbz6NulL%@3sPkG)gnu@@`x{!*#UXp{4 zJ+ouNm|of&?(OzdmNEOa2{r^YdpVCw&G&)TQo;d)m1O$`$Q{eDgmXN5Dlp70+^4!H zAN@Gj0XLHvNEq0XNkvv5v3TOPh>N^+^pKZ&Ak)wi@s2R3w%+!B1m8k6fb9l|r|pZ_ zNd;$dA28Z^1GbDguALy_<-J<)t(HlUbWt-C{Eli2=x!9-trm1$c7li3OZEexQ>!+? z{%Md*I-$k@IT_NCFkO`K{L;CQH#1#q+C|A{hB&9%LiFlBo3_PTJyANLmj8rXh#w3s zZi1>k1^M76ii*UEz3I-xMO?8HtqCduP2aK+6iZQNKYaVd_cqN3&bm4C>3rn-&b%!N zD|eqSQ)|3<(x}mN!fH#G66|5^>*4=8&Z+SPGbp(lz3DzX(;e% z5>R@A7}n=7zS-p1#Km!6(|v-<3v?>aq{3~SM4>KyQL|^`aN&%QTv){^UftlW0(9Fj zSsFHhT>S5{MSV}r8a8nU`<8SwsoV%B3#hg3DCKU9z1L#L`|`}{3+x(j1nZ^pp;JQ? z??odQe=^$fhnn~E*@{)ha4Q+Ojb`o#Ia>WoBj(DQSdQVB-=axRkV1Ra=nl2t0tD2V zV_GP`Z}&nUHPy%CCAPsgzvMG_6_`LMjir16iaLL=J%}*C+G|s2^i;TA=;>g7v&Vp6 zZC)=i#A9+^yLo^i@D|6PHh+1j*|=HN4_4bPcT&VB!#6tA97bT@)Qx5(IQ zn*o8$>b21s>eegSfs@B}vOY9fYSTcTPZT1Hc1p=X@)m_zr!9&*jy*iqB9EV;WMFm+ zeCjjq2DZP#eSM+vVC_jXx#WLddmg0Kx^9ax^y;!J-Gm=3K{in5fXqZ(Ri*Ec=FeyK#U+vKgpbaI6vBRW@jY$#j z3p5iu}BHD*Yufcm>gZFt}z-@V0z z6>ZQz>yIu~d;R*O8m!vRy%OJ)V^s^}(or%_`?D-n@^$5jBmO9(#8pKTg-tO8p!2WO zg#86Yobmhava{@+WAAu9h1~>sWL-ic?3jcpvMTIE8a_;#@Y^SPr-PeSTA7I&TDHgN z5)(E&Z#fyp)}N-l)PBuhlPW0SUTQUcPc+v7Sqvc;UPo;@@3cYUn;0IJKl2kQYaCHA zgu@PGs5%@(S-9p%_%FDy;420=VC+sxIDb2BrAn9-H_m!;5Js1NEr~kp=5{%lw;H4G zKOBOD5`dqc^spq1-)f0q?u)ddmtbkvQz+;5|G7s@2g{}pvmOG`uKKHVk(67*-}Qe6 z#D(F8*-}VUT&BI6KCuKk=!^sO1DE7MKU zIHNpQ}qqus?tcY z>MuqPO|gH1kd}>)|6K|JwW)(B+S8n3TOB9L2J*iS=)|bu0@`XO&T&r`cO&)EK0~Z}7l41|!!H63%cy z-0<|iT5XyCXoD-@^|($Hr|SLjPTI+^ zr@IO`zItm&{$&`C+er2M`q!L*!PAUc-SzkycEoe9&-%wn+_bi8BBiSvDmT3qdJR^6GbTba;&gMacESaRX4>-8o8p!-wC?|uH45h)jo2zBh+cJOfD{DRoxtv(yikXaD!p5E5@Tu^_$F{Tz?J23H2 zN{rBAe;l_m{YQd##0B+K=sr8`3L?0|I?{&|79<}V(~TDTmUeFWZ`{w$AJgdf67ICg zWo9=ct1&Ul+{wm--xxQ`AO8p(W|8V~EDs=Cxqvf$ibU4kZ!j0oI9gqkNH!PkU1Uwy z%8p#Y)_54dpMS`q?L#kf5mnmu|Ma?0@a8&ySiQ3SOq^-+xw5hj!6fU&m_&-OhgAlu zs1xNaSe)5SpLq!6V#VWlP+8n=gq_PT{yJ4RSRnqL^0rBoqkh&{K}K7Fh!|XheeU@7MbO(a~D$O z@FmlbnaTdy*5Nz*8XFdnlAcQ7kcwlyo2V%7X%6R}T|En_N{P6qGuq<$^UL6Kb6r39 zCr8-;AsWE{Yn$Nl{0E7xOM6)?irYJ#ke;^{k@&+o309Y4eSZICkKBUrN8*Y@PyNn^ z`%hg=F-J405CehUvb`k2k;`+Z(v{vdjuVc)I znCk0I;>FZS*1fPgZM#>_)Jh+k#Ky!TmMWgQds;+cL2Az}7stq3@#=kbrt>Ouo(zwK zLD5G@-><@I0mMel7zBF+%M&GHmD!@vmwnc=-BDssQ+2jK5?+oyV+V7(i4FbcJe9#C z**2?owPk^sQ|-S2RQ7N1?JGYowYpW}uMqXm>i7RPagd~MJ0W(2-NGNaxc?2Rgh4|Q zGE$z0S{7s=S{B|ihi9ihyl4~E{Ot)1wOx-xA} zbE2|L@{q3xd|_a*u)vR(U#%`G7xRME9(83@Uk~C1gMCzp_9~$hwvzVV!Nsu74n4=> zgYBj~Ar{HjRK-1s7!o9)E|NsP=yg12iErB>*kA7g-gGmv4~NdlN0{=g#op4m7c_wPhb)`azFCm?q=hCnz!I=BVZyKB% zQysIR^WWAi!1!>&q$~oiJr_T>jRz$G*wJAcKe(ruV6iKSOM45AM zY@Y-0xJ6V&E?R&y`=xfhC7(Ba&Bl$z@y8D zlo9oy35dq6Y2=+HY><;@p$>Oj|A;D_go+YgO~4PLdbx&{e77)_HXClp+@u zlj4&pNjc3_P<8Zlx{Ot#+McJ3_qhAF+` zV1Jy6NPCE zNIHEK-!2C|ukRd)Pi|`{BvTNHD&>PTkl6Z4yI4lDHh{o*3`XA2X5iy2xr7)c>kQ0* zNPj_?l3Ko$pQrOC;>$dAG$zY>jJ`+;< zhK$XSg=IA;>2ieua&WZ_ju(-9axwveO(t}rfMXZR08vrkpVwNbdA3J&z`hs-miu#4 zb8vxT`xUpc>-~^LMCHo!Wz9XeNYbTm)4&jrzO}>Yo!t+VPkdR_E;%ruI{tc>{pdQ~ z;DvNVpCoOnE~WAMXypIP);??) z`pqUBxECw^TdSzDz|DSI0WtlI_tFD1po9)SduG0c7TmV(IEUJ32)i1e^FJ3;k`1>Z z*d!ZK6z>rG2zP6S(>D?<2ecU8V?aI0tkf71r&NnRd0}3!nHCK9bid2WWcmtO*Sv6H zF#!3GPm*p5|54=+1?Lfk5qaPMVgUts&8tiTDm{Bi*lhhdAxr** zwAk^w`A9q0>*4KSx~9~$beXA1BgnIkxqw7%R)MEBDQOpVF)e{VFITt;LgE{WbSjelH^y#|`wHK0{1=3ZgY=P4DbN3y zdFmf~-H>Q&cxxmK)A$iO9PK6; zeY^xaWm2@9Y+nHN0FKKte&Rsb+{H=jq?SmbbjDwUyVh=Kti7?EG9P~2gIg32Lu5lYU&uJq4@%t?qwx)*zkkinCY9F>x^DlvQaPTFf1Nf6-Ljz) zFN2XVt}k+#NeI~=7)BIZK5u056)X_t~(1tf3onAxhk%YT?dx3TK4c%{k zP*;&dSm1aAL}A(vHhb#|gcqHm|T1y?ge&p|7!;t_k01@l7Os@XnQN4A1(xgxbs9)IG~Yqav`7&P0*4Uf4u#)c zJ=gh0s?`_PD;!Uoljh~D#D<=bQmWRmem~)hV^XLo;!9HQwcmJbCM7R;4=np=7XoLJ z%u;4da$8CLEHh8_^x}k8D5Dm7Yqz$?MyH0O30u08G({OoTyrs&oRPyz31;7xUYyL3 zw;t-tLarw%kZ)HhSZ|DmU7u;Ps0iu&h!ijeVE4KG{w`8^RmxpcHy{pAud;)iDhq<*4@Ku zV%qGfRzc1{nU+cnX|Ur^&tJ^fs~{t{Js43LQ>qW-+Sz^VNB5#bK!dsD zF)#kvlqihgi@8a*|F#$&-wcIf8FBQ}vi-cxyajwqs_(=LK@F?_nr!$Gl-Dy#)I?_`ztK&pDqY8`pM)^xt zf8hH+^s^j^E#<>O5~DvXYrSdjV0|@fkeP1YgHOeOzushK`ADg++Hcq-F?tpgnKFMV zxc$d`%&=_{y_EJi+N;Za?rFhO4s}12dQdcJ=xcP?TXp|W^v3#hR@BBXlMGVn|7o% z6d3FQ+5_D13S4+;WlmD5p)X^iAHVl-U%tE@20=m|^G-MGh05Cs*}GmFQmH76V|yjt z=HmT3kf8rcYy}R5opc5{*2IlXvfw*1K|rjSsG)meNu^eHj+#!$fX6A{Va6RdWhmb> zDUMvVl^{iF4zD_=UpXQm!)ZJg`l?(SwG*8MkO2QA89*nya;})XTp-uBVyYj{fR9^S zGN|2SH|x?0rlnpa+4c>QeI4JhC!9aWUeb+{S98RA4f2I6T?Kb`U}JQ_g-cp*7iULt z#0!GRD{Yp8#6|{X3mP2tbLzsD*xc%7cjSKG@?vr7sx$Yr?NDnq4t@3+v{cH%a?u6i zXwC4bBK!B6OVjI9*?+eiu3FSS#ch-!-jKFr{OMMyOyw3XbLGf*^+ANQ{J9dOHwh<= zSQ~7}@IHX>KI43F^;B{oxa2pBoOG~*y@4m-$v_c7Ck{>Cz5(;A+Ko^6{Cv)WV~1 zY-#sqk%Tnz_A0NPr(C>ufWj3UpP5QSvXvxO-l)3S{((ByR;E5ndErGcYrFDnra_P; zUr{-d_4E;FuHOP(9hR)Jzvn({)&wsByd#qMc9Xl zStyFs>j&)6UOu*|4JSUBFx(L{Qm(W3g%*Z4d}ia(3!)oaME50-*Mc=n^#jQ%5QDvl zS$7Z{&*=koiF8mFtnNE$JQEDJ^&Qx!acN7vl>i=hlGnrM4?H+Y72iWoPqKbJbTw6{ z5!~Cz`|lK)K#2X^!G40iIN+&Yj`uqVb_Nm|>~UI;K9xq22Xetm)XW5nW1*fSp)R#9 zQf*qS6h@|b41Fi`{Jmjf2yEItkU-2$>SfqJl_ixEC+-dHWklPv$J8#iC$yjKfte)$WG#SP72By^ zpSvR@xlOHz>uaU+fjFW9+=RQeLO4xoXeD2t^TYxfk=XE!5~-{qSoA^4TqRjNDQL9` zl_^xRbjdP%Ile9XB}Dmf*f(rrxw-*;LHhL}Oyn7e=(k_Ec}l#7IDR?6QSh(@4*Gy^ zF^O0+>UVI7ZGo=yzq4lTAM3Y#kBj*;9yLh_6}=C$*BA|hRjU%^i3hwR!TQmC9P^DX zC6TAkb+dU7Zw4Yventz0*#c(&K2E4{9A$CnUY$_WV*z1__h4M z=6_A=bB8$SH@c*_iUGK_B-s8xBB(mfmSV#>)BOCkT(X1|;M7PR4Q<61rId`a9`(L`k|AB`P0no`7&eIPfM#_ zD+U7JZ#(NnN(Dz&VONt-XbqEeU#_f$P{r=o!O|tQ+JbdsR0Vnh;SuW4I${=~{tlHjaqo%dev5=C-w-p5Z=H|UIB|$X>LS>1*$(;! zHutd}QpkLRDL2`cH!c}wrxXA1x3r;2H|hQNuQ|f!gS=n41T(LRf{o%(MAM~YP@cxa z%_hD1#>qqKV{9R29p}L+IZ$-6ywlsm%W+jTT6*Y{jQ|fzqZ*<1G-ggL4v*i)!dPzK zzC)*!#HHq{4S2Tdlo@d=NS&o~6q`z4BjH40AkePKB*X(S-POuaLHB<+^FnfUGlT@X zTY2{e?xUnZXRaf`+KNY*Rs!RhZtY8FZ*j5|ccl%Px`e{rUg|$y$~Y2L1S|7w<3E;o zPcj-JPJxxP_qcb)r5IQWh68mdKP-Z=?!8|*A1~2_xb|CFe?R6%hCt_8E^V*(pOdfS zqjg_pXbQp>6UvZTtEr&_>a;!AmJWXazi6&zXaMtC|E-=Dz!=c;y*z>u3g@ z@2{AH%zB@ly)fc}Hm%t&43Sls#FSjE=_dytfFn^VErOf-tBE1ZS1=j4xc(NgnB1JC z*uAB(`hk*`k$2-j?ySL5azzaY=@lL;c7N|xttOQJLpl<49S**8pp=r$k zDr|m?$GGHHJa|o)hDO>iiEEtC@O_eKT)(^Nd}vh05wKe+Q)%!_^zM1H4HN=VU=3b= zfUrRoR8q#=;exMsZzMisy&>7soxo!HwuS!U)C-dryiNwe%0s>YX4s-jKzn_%96w1I z?8{*D%;-H1p<$$&1e+6WJUwbVs!$*Rp)HB17W*5ji!t7id#Ngaco;R@EbM5q7veYB zQZ%b}a?lyO5J5pGV}ckCcU~!FF5hgLA(;q_XdXp?j2;~$0Wop<=@q6H=!T{CVi2-K z8ksPBQls|@LDe+B7b(C6sv2UX(1ifp8fm89#Ef^{Znj^XA+Gcqds|=J1m_mW8=yNJ zzZPv4p2K}iBEZ94)siJzkj;%gbBLeCGP{$5E-b23qbJj#DNIxzq!_>}!z9TUyJh8q zGA$C6y_J!{E7fW={~nN&v2=N86iRn&A7L1G=5-%)a3(w7hOl6xKc~Zr`fr5%T>B8` zN6Ezj!g7OKxh{9ctlI&{;QAK;0}N94vA8~>ygA_K$<@tZG;Lw_Dn=}$LZT{FSI(e7 z%Bh^VT}tYx#zDY~Vv*KVWXy#?x_LNOeoAsh_Ng;U#{Sjs+;3D$C{cZjGN?bTcvdu~ zCs*L1tVWckCvQ~DwUxpP`8FBfh#E#Lx5wx?q--Wq_PSeg*jpSkY-f`Z_bn(6y+$fTm zZCNOL#%^mGB?i^38f84=XEhJyC;L5RdAj)`q*}>Bs>lB|`~x|^0Pa&ft*^uz^^+eT zM+#q0R&~7YG1>%JtLe9Zk@E!H^{D~Z99uJNj`;HxydpJFJOLS}%+XIh@c^C|YUfoo zNa?*|<72S%szrU%XVl8t$DH!-!*|yW4XlVXE9%`@3ikS{fow=oCGBOGFD})vt~vS7 zy0C3o9!V_0Y|l^%h!Nu(kiWs6kf{CnWVe)nD!PU`UE(`^8Af}cjtU2qwRPqMus(DO zd&9iA^G|FWTVaz}NHD3~>ZDeS3{)>o>K${NaN%Ta-`P`wskW5hX+NDLQ2&t(CUn|% z)q5x@*2+-zU4RXW$#&PW>hHZz|9C3nZO4oLc%M6WV!u=r%k@-5OX}QiNMVZfevI%C zBNKG>`yRf6s|x^vUhcje?Rb&J@hdGL&=&I0`^t71z)vIx&>q@*`?GG%)_wZNUAUfA zl8XBoDt~DGiJSTDL{+^dUo9c1KlQSt`8~h)-es}7>*?2WH!Wi_?-Kn|Y{2Dv*A-N# z?Jhc2LS4zuaY&%0!aW(vc64-wbRxoFg^;uuJQ~Tw7Xl!-Fq9bZ3_JXH7=rwru%_Gd zC!fHnj#fq|e&m+ETts>H@i&>DJ`34$uuC{|y~kdho&a}yOB?=JpvjiYmzAVuF)mi` zt;TNNIp@pv-~h4!waEb7^etnIt(AR%ua(=}PthDAQI}*?DqcqaCG}+ForOT9Ra(rX zQ@OI}`yMb;-diKseyIo$Ms86{G9R6$wfb$}7Ioku!zK$ZSPp^~G#bA3SI9RLOFxA) z6IXw=s@^#kN%P5G+0l5c-JI*@-i;6!wTIvrin^QB?hV$b)vtP~X52(B?&#PRp2Qi@ zs&I&$a=T;-xuTr=c=F`^aB|@%iVm(Haar&7-~|YDzZ3;T?AY*ltPyw0%FpHJ+qh3N zxb+Vx!&PG0rC_>^+(LOZnsU#au{m*^3&tY;4VdcdbGR;3vO0j8j zz&FL#)Y-?6s~&q5PGl!z>ejJ{=l~snx(aAOWm5K>fd%8 z+N)MBepxj2qCrCChFHac@gQ2dD2`+NYv^V4Ns8ofb#`exYM9OZy&9I*!)Qd~q2mhOMPHaWbgR59)_G(E@;1 zb8LCBOI!iBsq;nMbo>j>+($Hy-~{EBekcALuWt_yuT59>;==18!WqKXrwG*DIMLfL zdmpB(-n?ybocuTPudK?&JOxs&d0u2o7B%BxrzP6Rsqo(bN|t*<`30-CshONsSBPZy z(ZK^VkU5X{+|`yY66{ss!*Rpf#RE|0Aa=kha4&7@;qm<>`XAl2V>=JxAZCkh*FG~7 zDqJz%n7h#V2RfPb4yE5=Ujd3}b@5!fMslBN4{G|Zd1ni+LOMu39^|3e7#Q_a^_{#h ztx+Q)&Q;ll)8AtYHJ>oFt|k&fYBW!9v;Ot8VwsC31~&rLf?kB4Wr~VIAr6Rdo7>-) zluO@VXT{+pIM*T0wcTl<>9MFmfxs0IDC%ZCjOb#uL+n;LjH{-BA0kiK)~QM(r*Q&g z0Gkb4*u|@#TB=uW94Wd!g6Hw}b2A5)!_ArjGxtdsjcQ6n6Y2Dk!;}@EE2~12?&)b6 z;-_?{N-*EB$`@;+C=O?%HNf&ha*5`>(Vh0J+6wYuo<@aj`c94iO39PjB4Ob{=j9Kb zlZ7Uv)rtMa4-&!)iNbc+Yte(}qeBg>-UK!?KH-CDd(%%FBxG`lpz(xpd!E z%_q{};95l>DBg(83z+N9ibWQ0(la3my+caNi=OU=pRq^sAyZ%RAThBFVeYF8C0Dps zjz1*7O1wxUiwz6z@ucjHKfs)YC_@Si-4` zij2^(;TRWVPCucPZ_{Hynpn+?V)smowh0Okf04;Bvn8-T1jz3nqn_iDU;x~oWxnwJ zUkLIBn^Gk>7vrT@jgvOq$pdN2yO^6--chwVJN$Da%2qzVG|+vp`2K!l*f7XglBb`_ zG3KZnyua~yB}QwuJnS;+GagJB(Dm3xxwzzZVA$zZ#Tn)7KG#5@Uy$q zCP#ZE2vY6>wiAZrApLYyt8y&(9k$Sd8r2w=)l7}fG%#O{HAv$Xke#ZA*`p<%FRX%v zRQz`)lDr1JzB07?8qL$jNvBcC2X<+Sp{dR7FVAJKoGiI2A^5g0yxH z_-Kq}tTGHQ2RjD|_%Kkoi4ZqRF5Y!6(K5~5E_fEICCz-ZoKI%uU+#TlNA_j8$>_`t zAqmai_nz4+w)Lgn@A=$OE@0EugjRNL3MetKBr#Z9WXX!{5VcH{!d3d7US`KGY46iQ z{gT&!1CbS7T9@(yL&A6|F)-TlvC6aN8d#&4KHCx%jh#l?54H>TtlP$_0wfx~Vp*#! zpA7Z-c!61LXOgIbwf2(WW=}oEe`)%M>ipx*>QYSM(b3v)C*Melo`c-&`3(z;Uj!=t z8eErNfw~{~0ufP6FY(#mwTTZ1LaLtQ1KCm=%tlj98M{T55@yOw1JSlvaNX7 zN(k6XJzwJy(7{yw3%11c!(D-A<;mbL6;*tO8v%G+e2bekaAY-$G{a;)58T2uHN8d0 zz>0n)=-Ne4Y6J0}nI3?iSDy7hu6C6NfrPe{5yz7tgkqVOjFhU!SYi;m;`=kPHm8sN zTlJm-=ZDT?L;Du!VqbX!6mt=+h(+_rmhSsc#2$G%*}Xwj{D(+U-Tui6H zrr0#4E%4Bp9&nCfglb7~ScjTHfBDSV)UeW_U9pWAoicNd12FAr6;vAwih68*?pv!w zuc?W%MJj1w>|GJAb&skVe5jIbIqwR(tzPK9ZB2d-;vvl+kV$w{6p`AGWxQ`;RqHjy z;5ESSsCNDP9-Xq8kzfOQ=1rOUsvJ{%QrU!$F!8|&Occ((K^eSh1_Fi(6uAuQ6oLfg zOPdk;9$LbJKapI98WvKKmvJw1UX`g9rZkekulJ<6BJy7L&rxn*J}o&SNQBU&8SU9Q{Vs1H>lDL%?=S2{+C5qj;7CB2 zQecs}zWk@ZD@chKEZMSAM8E^!29F{zp3rSkj`$esCrob!!Ry=^+!(i7#sUM`Pm}f( zfp!e9dptSIf3>`gc3*|OjW)H38*$7V5E^hmg+zXj8pnAYFahNPi*k&69Ce)93`vY) z-S1cjmW|JXmj=3>7wL3I(q;*hAfW#IxqCxk^A$MX=LXA*=eU6A2;M}Pp2XQa5CcP6 z!9}AH_QAKbMnTHCBG*Lv^6bG=0Nda1H~t|iftH^3Q2pf!ddTj-Ls5gMBxTG`S@b~_ zHl=>swDWOfjn3GQ9&AOM>4xC5`keE-szFfyOaQFGBtISN_0>`73a!eXgZkR&mf^oBQV6t4L0w6Wh_Y?b_r3qy{RRCK`oqFdsDYCt4@ty)vB)Z5t%Ye}O;|{1 zdQEs7L@bq@B|(8Bl^^Oh>;BT+jtN!g5AN2;=6?jm0@h2o}T;(zqI0IHNyVfb&5MXPNs+;t2@`2VuV#_FFN@NE(wgqC^Z^ z0n#v4H&C3Y?&2h4f=b30Lo}ud8Fss2H&Sa&biHDZ`d-)%d#wtXh=|in>IT`qnvEq@woxuG5O?5z2`>wgvhPgrz) zA2`q@lJQ_YB2ZQm`=xKa_2XXY|$^N+i zc>MGrKI$DDL{A?d_Mb!~?mxwG@9AJLK6pHO^7yDn4j%XS5BHCrj&N&2Qo^wWmOtnX z`aypX^nZ>n`~Bg;V0hRIA3r%59Q5`Np9a0dVXxQz%J#q(gy_zX))V&Da; zz$u9m%n6!fPVp!q0!fBO1Z7GTh!IUC1EB*+GJnewEQttPtsN8u=!bkncuFJ@==9|U zI%R5$2L_}-FPqi=M!~nUR68jvbMBXrdt=n)jrP0(17bvD8VspY5 zsx2AesvSzMf#!)R%agdZgJ>Ehc}$R;5|pvnNKYDq1>QlUT%wea7^O^>s-#MEGUdY7 zPJe3$eX~HZ?%ocKNbjc(%L~HBM}JI zNH8R)SRzgYOL8SrAPs}2NG>uO;l%G(lFlh->5QaOgtj|h8oWc)?)O6YuluCa@Abl? z1NhPJb^4D7VgE?~8g%+k)vqV|=TT=I_kViBVfRT}55Xymt_eqUh9?ANd6J-vB{W*J z;K_NOB%LZLCd4gs%25u0T!RewFy zGA|OspR>txRcDB3I%WkRJ^#0a^et2xs!}x7ut=)cN*RFUIHKvq)&@1`Qa>A_F-`>0 zwbdFC8IE9~2$IGPa9|-eL3(K`7gFvom`n)Qu*;Cl<{qL8LeM#9?-oj(fO)6-AcH5S zP|JX8R*nF;Sq$j9n4&Ss61Gq?6n_b+Hu}k;RXn>ekCbkz`je)U*IA4uQ4bKB;dif7 zJjXOq-8n>q!+){QFLFLHPf9(mhAkIFO|oZcoH3fpi$pDOHPC!UxNxHz6Cr5|g1cn{ ze{Jm;NTte_hbYD;h*ZNOc}@^ZlLewxOg}sk$SAU{9W+tAfC|LYRukkQKz}N?LGva_ z5gw0es#Lp(6HO;ey&ly~nbOG=nN9+=(BL^|@o_5Yv4K&VVGX^NWt@!>F~li)mregi z0^xWDQ(bi%;lg56AeQ1O+AxL|##Hbe)Lt~o;|Vd%S-R$2t4>|TZ=hZYV@!oc$yqLG zI?>Ela@CcQVxu^YDIk?h^M7mmPEI+?CsRdhYsXCeU8rqA!En3jh_HaBsDgp&Vl*Fw z`(Y3Gy_36A+S)<$es~b}_F9HG1=NhY$4S(bhbAZ$ySayy;ErcRZHB6=)TZLih89w_ zYP|z11^~an@8~R_d3-oyvCunCgi|%U^J2N7IOnR>1r?2JvhR(wDt|83mdj>T>QR6B z?DFU1(-&tiQG_!yL18zW5_EoX-r9lgf*rZ&NYyD|3qUthk|LV^qL>l@H|5kqHRcPA z$LnyECHcf|C7j@Rp;~5aTqJHqDSZZWDK5>NOP&jfIAanSD_5kJ?(Vab(~IN15S>Xh zQzb?~!koq=wq0akhkq>^lT=c<09eOqG-X_zKYKAmAAB6K7KL&pK&f%GwOTvqe^?f( zShX)6l|fsPsoe&X%JKQx5d9bR4QI4f8STHFU#Lw)bFC=><{aRR>a~kTWXw2$*)OFU z!4Lqb4dIPs*F?>|=$c5RI5kSt<_ku@9YkkYLe$KIW&L)y!GC5_Yy{mXp(K^Tgmp&= z8+GUX0mvJ3GgNgNxo1J*+;Q;f4Po1*u>)gUBzM3QBdpToDm4LZ}Vi?P1pPbq=_z#bAN}uvd91>5L$Fg&YV)hmnRw zi|aDw+KLr|c!vs3rM`~oBoER9oK3`D>J? zdV9ih*?;h1V9y3pqBRaP`Udjxb`UM?288+PfX>K_@x>a_b)h@beH*ZAh$q>U%m~Lx zpcFK>@RuTV<&i0WZ$q&aaYvTR3lgz37E1I{wQx+=mU9AS zg>$NBPVUn}iL*#3VVWk!WRtQq@HPbN+G!!Hu7A9fgr_(;H{Epb;UH7F@L*BwQ0fGAsmCdFz>DPq%t`g#3a*gg=lnx zdD<}~ey!xB&Xh*ij4!?>oHOo&GIqe-E3oNZA;!_wFM_34drk1m20#O5_lk|jx+YD* zM^CQy(An5dVR+p^HxvXYG6xOK^|e~&04ZUUiJFt&UtXT0DZw$}BJ{yH;GI$#G=IaO z_Nw|s&-ppwBP{7GL@${%JENWQptYC4DW;P$CE&4?Ad!#9G@@FKw1kxq{?()2_PJJ= zaUz&!Ig80C2PHFM69wRVU4Mw$Y&>p*5ra$Nt(#+*5$fr(2?=Fk;tbJ2|7pLdYeP=f z);4kh)bADb%}QTi-!K%Y#H9zvq?L2z)6*(b# z7EVG$$H-BrX3eAiVXrrP)IosSBXgie9Ucx*@4jSr-IaHh*8$2$kI*bGlRVG3jvu;!&f3l zgt@TR&lpQ=tlWS{NW4H;sec`cPXIhDQ9`iL;3i5TQTjS%PJZMhB6MyoqZeo2T|RsD z0tq@%o#6HmPjLX}CPN8JC$<^J{_{wnD@pjwctpPAI3nkO%;+&!o?-Ag9g}DgC7Kyb z8M_vR{jV_kK`0=LL^on-L^26qOq5sgHApP903daDidXPp53nfaIe$})R$I4qPiT3> z0nnr=0xv+x(K>>ae0n*2Zx=*Cy)1x!zCC~ zE~F{&;y*6__8jf*?|=7>8sC416T>JvcZxXe@Bfgq&~!P!13F2aSbZk(dg!d$j-f zY2*862^Nw@7Xq$+niFz>36T4oG z#HqzCEg%_%f+RQ-YBd=xE=dr}Na`u80!{H;yRQ-=N!;;f4oob&)L^j#+GNo|QNn~; z&8qpF%rH&WFAuDm+LkbHiTYFO5?q^lT4`6h(H3;ng?6c=3|(Eo=v*N|5)w&)uwnxt zLO-TTau}jEPJfaB=W?nhafBs_+Z{jxFY>hV3bl>HqFSeT(NHHQ=|cU*c}%5lgRfCE zqEd>OF5;Gz(O;I7_RT9lJUb5_AMPW?=H|q4WhmvMVNyiishI)Zjl_C$!3X5LP99hN z*RN4O96Z$w@@#BWmbimL81b-?8Ck(dP5KeIVZmmq>3_P=WL31BmnE9*JXP!|&$O|% z@DPg7DKx$%%gtdW`Nbr`Rhv|!<%_0NQk{2TKu~ z&R7RPQ=a+To34-07}F%@X{MBGrPy`{{y+IjB%Y91%^+(|v~-krkP0o;p?9k2z4s1;_LbzV&)reZka>%qvQ~W;v`{te zpMRxPI`jTdm{Y9PB$`QU0>f?!>v#ak93Wx?PeOE(b52s3Ec6EKW7TmRJWmm!a;kKv z6g^7E@)2VCdqO5ST0BBC787k8P~QNnwXnl-)g6~h9ilO!Ddr1DTLhsKy84s}6AB^n zOo^%h2C9=e;RSfxD7D^9i(jx`k#QM^=x8GJ|E~p|l5^n+N*ldOaL6ktDl-Ps{AX((2lt|EG=QyD;I)6Dk zePs=%+NM~<%3aeeBQY8+N+whF_(Fs61=l4uT$txI!4Ul1zIC?@XHx@iGjMCj^=!KU zesha{C5~ymf!`9c&dOg6koqX5{^dyK#X-67AnZf54HM+=m|FkG1&Mq;`<&A`O^D*Q zz!yLx5l&9f@H5ULB7_bur|Fb%s(&L3?AbOw_iX@~61S8TIa*{`2vC;XAvh4COl%KH zLAP@APfh%UNG%wHI|*1WESN_;Pmjeb#*7mGs8gZQFf>r>$U7X#WPz|ibgVse65U{- z*f3~p>MLW;^Q1Uth+g0YA|k>WL6J5w8HrEFp%cUu|F#U?bcmLg^*KHtT7PZMT16pq z9bQo$jzJe>bHX`|t;q;l{gS1s;ktE{he7G7P^f{EPqy1@J{pgAYsw9k{(QCjb@}+vT9_N(MZ8E$x?*%)(cEF zSCgZVBb4B&qy-o6W5ZgVJ3u3V_-2uFD|Enh4ckIw#4(=)$VkRG<4Bcx?>o{ja1ElA4KcCMhVO zR0@)eR}pUF&xQy610AdVW;lGSf32rjC|IbCUtVhnCb{n^N4s>ce`M%<}ug% zoph>3-wWP2Gv|@8+wo3VD#<%(y$W^Q8H?eBQQ=B2*R+x70Du2m#$n4=B*t30;bcOE zlb`jMdv-Ns|nMD2NR?EsW1R(zGffeuc< zR*3{nBZ97<2sH19gT6iUaB*&TR5ME2M%5e!qTNo6w{FO2%Gk9j><(#xrlJ59p>Ss) zz%CPL{c|#^#WoVX`9KuFY7%q3fK}}pH_kdGN5NoWdw&ovs*0WyTWoZbjME&H4*J^vJI|#w`VKl9F0sAcvWX56-oH@EC-0269QO-`cIXL$E>=ay> z`>ibZzk){R+E^_`+BfPh7R*sEfRQeU0--jO3RkL|!rk-~}!&i`BRQ-EV;ZCHjD z6R9|6Sbrwtl`Et4)AQFI^g_GH6|QH_^?YGm&jm=E=t3z1ezSHJ{;LWBS3rTtN5Pnq zBo=$EohBNFW!m8I+`SO!uVQ<`)+bu=^IH&JCUDqldGE@x`!gb@B>rB?Y;Xc*If!!` z&3~htDNV@FG){C)>^_#+9cPhd1{-Nhb_m5xM_krZOkbzQyh4FE`z!~g$ z#hEOU>O+BGAtWY(`Q+H`bwxx7dSiA{WVTYIk0$-Zl6(d%Q zR8P+xKr4SBZ9+Fjco8W^;uK8PJei1At05i-VvgOBYA`7(-4lsxa$^nV*c~D=+JFwm zQspkL$qfinIE}~<4SFlE6o>LvGi~I9A%EPeFZy8JqB!ve>_doLA$abbG=qa_Z&pI~ zcYWL+TJE%aJGp5U83=+#SJd1fDZ9+hbirGn^V6UrF3sUSANCKVSl0AbcpNl?uVuXu zivpcH_V<-N_V*F^W$@wl+gNE}yi*sOZe6x+X~Vq>K~4LrBXFBd)mEzQs5@v%Fn^aL zf~(%39UD3Ry(;jHDi8$d!aGVXnHOsWR=xrhXX!6&)T)9gonF;E)=j*6ZI8H%XiDN- z?X&G3>Y=aHe}y;8DG<#bE&Xm-Refn{cl6>!De?RcC{jy25#Z7Vh23gQ)+?~%5bJ;& z3s@lXE&?r6n`DhzGxpUQ%M!v?!+%V6w&+vc$9m7vDm3>5*|HvGTWaw+lY%rsA~pb9 z4d0a}O&cGtO7+7Cf0L(iLay9$7eu=ptQ3#Y2ukPzZia$QMzM}yhEqI&J}d?&7n)P- zRPpH&C-_^=X4*iu{Jqw+uk_R(k%ZlV%iQk8`gL_bb{Qs2}*BFjxRDTFaTT=9z zOJ{LmireH4GMYYnmvI6$-1)$3vKX4F7kXQq105L9HindCgoEi(Dc5JId8*UhSf=mt z0>nO&vWPGv631BLP|>>;Y&cOZ7DAGld*+Xu>$x9Cs_QrGHU@>a=rgagO6i^grx?~+ zb;^i%$>g(lRLEtZQX1G5vVXe1^Bj7+U9)Kd7Pwl9ZsSvoTs_E5_?w%8W|0~bDoN4z zB$;WA)}{_aOoy42w&NNl*JPQYSHyJ;21G+mdV@43+KryvIQ54|7>sPm`8^Wu-Hv8jMI+?zz;d)@* z9CDG?SJgIX=!!}pP=A-IUyMbna@yx)il2X zo}kvcs$myTokmcef|znesp(mkmWV9L0-tYmb@$z3VC_c#agILURgI{KrAk<7?Q9^Z zmpGTNN8Gm>(O`Vv*+!!%5!#?uRE~r%^%tA>b#Lqzl5YvXgMaXQ7vcAdlYLi7XiMkV z=N8sJF=4+exvjKV8%4Kri3jQJL3(?T-u}qan@iWVR7QZ;cMuWE^=~5~lp%Zy8KHu) zK}uLr;z3R*S#m1V>vM|-pN5{_kyKD!T{WSgQs6-*c#sJmWP(4oOrSO-7Q4;GCi(8T zHof`b$wg}i#eXcy8#21C$>>l>7hNm_oum+1k+PU{chtXj2i$8l)80xw+J?rtUEpH^ z91{6E(~^txrNWKKN`lRoX2>d0zOfn0YgE}Rq{z8s3E}3vOLbIRJ20-d8C9WO#A-%D z<~cRC64O)$IE@48kam}j=}u9opjJ&nn~?ltliN5I1Am)ReL3B!N8`{;xtu4E-o^?J z8D}#hrz96TMk9>~+AYPTIA{A_t0?@MCw4`i7Z83l!WlYe@e7vHCYjy7s3eQ5XI5{5 z`=$U~bZ0?TV5P$_CUf1f_DL6Kw7WCYb!j>YBgP36a2#mf4-2?^F1oyW?C7j^FnC5J zr%@@Vet*Pq2EJMStvK`B@43W|XEuMpSeCN)=qeB=kj5SmFFmA#u_P69#$sd|qKYO( zCT4`n3EJ27eldcT7~R00;q>~+L^&Fmjyc1n59+%;{a|$ijqh2Jq8~iOI?mqajWj7D zT|8o0sX!l$un&p_=qN=*W`N$mN8u}dV_sM&Fn_=O<`uDleslVdhNtGH2^ZG(f^yDo z*>N`FPs2cECw8?DT_)A-@xXSwY;->N{XKX6G~fT^?&|5j{PFVHMJV6NJK$J%|7Y*$ zuyX&?)2m2mz$`iTlEn{LD$bSF9oXaKQ?B<}w1ncl<4eb(`R zEoTONgri$u2e|J3&&PwuW&S_t9qu1I@c&Qo34)+>zcCE7y`(`K4z8boLN)KVu77D7 z578@@kd_UG92Vj*NJmR!4B?`b_jT#f2#@dI2in9L{-p1o^zS@Dzy0?9J(BD{@GLu6r(E$_)lzgv+(aNpX3cS0iuWj!x4ZTvKIcE}#7Ht%2Ao{cpc_#xW zCkM9KfwykPbmAN6hs&j8o+tX2RezjO$QvMr=uNx*wv_4?y=iNpGn@%{Hz#}q&nHBd z3Tycsy=j-JX}{f^LvObJ?{*XDn)N?8JgVOR`S@t?u>L>EN3DOotlc53@_pz1(o(P8 zj=lNh-;hr@HEvkF_va78S{&c>F4GU-8u;Sk`qI08*b93BiQz<^amsBkZ)v45(B*30J? z=$b5wCku1Pysx;-Wh0s@B6gXPw7^xX|CQy5Z zv$kzOXphZ=`cPCT6JctZhJXI7+L)(;$dz^4+85V$2-VoFM_&tVTZg+=;r58V(U z^-A9sWyMFo7HOsYdbGQcSfe&h-sNLn27iNv$C;7yOFDo}I6`Da z2}r1r?G6HEpo7{sSVq(K+bYnJd0c_|3me@ETpd!zVxcOy3xU-Sd+nI|4vyX1;3`I{ zj@2NrSD)Pm{0-yR34g1WMLa1ZXCd4v$EirlsbP8qlEpy{) zHd;F^8*iol?YAmT?)tE$1i1kP5F50+gFJ$(ltKpggh=9OHfzCCJPK~|4Tale9+=8D zOob)n6@lCmc)Vl}%yLGp!^lEbf+hM3ARa<(QvnN#>LA{6te zy`*0OPJ|Vd2}v(VGQOabl*A{5OM_rnv6emkM?cy_`$vbaJ!7<+GU+H@b8ul#)w8n) zLO3^`HGZ>#>whOAkcs$HO`m%)amYnRs^{lbN7_D@iK--_GhyKP0_~2D4oDiIU7+tT z5f0V-*xReTSULrCAgd~`bDJ5G}ouk{`%ob3(Loya6GmpugOj*07xwHUzRr z9@Jh6TLJOsyo>xcIT4#p`=&ZgCx6$tPD)`$8?G8dXMbTHG%J{Kw7aw~{Mf|34a<3p zy*6tr;?YVtHiBh!sH$H1o5L%uscpzHk*ymMWtjQqwE4hm6uKXO1V(0$I4BWi`E2#n zfaS+5JoC=dPOep5VgW+tE(^W1iYqi|+b-byv z9=9l6T7Q*(1pR&TdINM5Zf}bsZ;rW%J}xIeegEFVX-bZ&`HbbHugIK|8^d8iJ(~BG zzBBKSh{S!ZS!sfRM&QpW^sPLYatE2O+JCYKx$jGs`x?(LH86taa`z_nRlqM5 z`kKq#i_BN?%6wXpueNA568lyhqukr9*fv7n3NW{k`PPD4De|pt(;Xzf4PpOT1-{zW zbz7mY($61F=BpC?@#MbM3v%%Abkt^x^1$;VR4p)Wg$t4R{nh|>|pcq`2MZlyWuMC-b zld)J2mv%V0=My4Z#YrMj`~U~kGCVlT#D6kOG076Pn8B3`OA$6gtu4@HD3-6phWWW> z!L3=W7x+xk*OMk4T;fKSDU zS8$iBDA_5u?UTOBDlrWYli^F{47K1BJt+3oy#B$E!Q!024cO8F|#}nM5zEt= z?6E52#Sy++Aa`2q2b#uh)Gqu+Z8&PYw!WjVT?Ep3q;3f122=SB+?x389kn?}+o)%1 z!x~DNth&XQ-tN3t1n5DZ(0_@dloL@3D1WzrbdF*@JO^$~UjT-`M6Nhj#b<<1$Obsd zl=1CwyW(wy)l@Naq!cujWuh<~p1R>KaguvUFSFWKsF_ujk!)yFtQT{6C5m8&@=eZ$ zbvi$kc=;$(;1b1wWjwUhkxO%skLSxOngvn z0_%mQ=V`lXRTaZ=)D-bnFv|HV9ZQ0sN_T6`tT|N?xbAAhF5g z-A3(0u@z9mkbhRgeA=r5HMz9Z=MwIhiBU>Oth0tk5y_;ztO7}{=0eng$lDu&BAh;w zh?8W2Sc>EnOT;*xz{E-?=CX={m1>RMMt+6n#aG=e+Gv=s8y&@Z+s&+Zo34v+hDS7^ zk}8RMH>Qz9?U=KyZBFyFkDotp@9ou?fznbM=C4lPdw)S=5@B9c3RZE`VtF~1r@7!c zCu8~!?Q)V4EYV}sM(w>7d@4YgPfB^to3@ew1vrlR*F$FzH%|-cut*g7^_op0K!LV( z1k*u~XA_QNs8h0od_Q=t-;^sRY!W17PLi*iB-H0@@?5>F*U?uPEUWY_ylo`WW&{az zN{||z$B5Zr_(V~+Zs(}gU{u= zv(r7)D~}Z5FaerPNWN=8Qt3g2;6}W2PUkcs6Y@+%IDzpfE_3pFTPe=xI@>_G3$-Wm zl{P4UoN89NR0wa#d+~YX-#dwIzFgp4)V5R_D3!Ur46p*#N7?x|CHo%t`#<4^{rHv} zcJnZOnvJ?~8L!=`ZREgONKHHT<1cW>e!RuNeCnOL=>o~y?bMBs9(L+K)J~1ioF(~; zykL1+Uc@u?Ip$rSr|#A)oleJo+=4EDKehu^>ixQ85CnQXgFWv3`;yREm|)Ov zzx6`+@BMp35<$>!zr7g_->P5GX~U;apY}>%D?Xwvta*V_BkoL)3#7A9^(o%FH`HgR z9$cA-;F>JHZW^tw$&s_HUPQPQ%WFnlmb=y%0*x_S)J=ge&6`TcI&0wl+W~K7opjcJ zL+!_`*$ta4?iC1460C;itIeKXIzTm&IZPsoLfTyB_J71N#zB$JgbJsZJA&7$M;Gc}FJfG#cpJCm<27Jo0A z;cZH@qt`$Sum%@M1@B&{-weNP)^;dAcP@w9eAeavm=et8h+uh#E5O&>|9jBiA5`!E z8w`36`9D6zr_O4OVexx4@ZYEj9++cvHciO)c1oaE-yEO7I=p=~}{j zzDM#_OKYnFrW3lcwT z;mhOq_nUHxrBTi~Nu!1J5WgZ>f+NzZ`U+f6Ttrh6=ZQ5!3iES_+C_iY3jg+7yH&OP zmujLIOLCU}A1o!P-8(@2L-dvUuZ?z7c7r~kSuW%$mgEJC>3D(K|Fz$nwf9i__2o&s zfbMKYB99^>#5hm>jg3S((|<#+h0rf-bXm$T;2*LsXC6Qe*#}U=S@+w`sfL={oLX<3 zUK<}a?+==j0W3+caJ$L2j?^u37c8UKA3U^)0lh@lt!?P2@i=>9JC`5RM_U}#N6TE8 z8y(q4TOZr+_cm?pHs|-NP*?b{SG!!-I9*qJA)1yUC*TUQyznKN6Myb|)NB4!Cwa!QI`@ZGjCBLak# zTzFpDb~9_(t?eQ!PC}sNXA}B^$~;}NcGjR?aVX+mke7pGb+5M_{&w}vHpkZMl{Y7A5q~))xp>W!YF8*cMS&paNjaFYsM&yO@GG z{YNO~QMfdmbojLQwAX;Rc}6t}Pt9TaXq&L123VC1auWhq^4wLiL#Q!+2sOkIq0Qrn z(7IS6w0%4gx@}Amxkik{vkz6h<|@Rn?O5B8fs*=L>o$A3lN-`@SZ&i=FC>-Vbu z-+u4l!T$3pKE7e+%#3xzkWDj z{=ZN1X^iHrx%^g0hEPVkc;I^ZT4XSY4tx*ol3(j#!+-i^D55Euc}8E#x-t>%Js`wx z2#Qy2zYzo)#h+(CxEIHs?bC?MFe5WXyuG5IlV5YnNsQX(&={0)Hm9++$GRD$dmTlD zOFD)GqwS@mZ;p$fKYL*sw+GF*CW|}ZMj5AbEQtcM8uc|$m^jEuDWZw$Lh(Q?y+)9`=eie_{W|L_i?S+z0HO9Tijc9e|J_raFaXD zpfB*&D%auOZex}DFX_sv;y~QTysye)xtGhTnty?z`@5-X34$_Be~N3WN^Ikch`0O# z8QGm!`S0#_s?q>FTupUbvd>M?B_N}OMc0A2CN}{DW~nMGphEGB zYkzWcYzr@et8L*cAn5|-+IPxS9-u%;Vgb&mxen&nOf(T-@(P8z)Zfl8RstF2T*&oc zzEQ>2a>R|V@hHU}ZxDBEV~(w0rf*Vjkopka+!1 zm}T8hA9$MtgKnaKnoN>4*1y3uC?6}A4hYp~1iNwiT`JacO)^w~-ox>D~GTu}M%(PjCb2@8g!)kCRU|DgqzrlY2EcLKnCs_H7iJz@mHb*bp6!vp_Q~^;^fgBd zs@P4H0A}knDdyx=FfPXOGcTHw6x_t$Mb2H;6!c?8I95o`3w&e7-9}TI znYEOIW^&SW0^xrQg0zarxB_Ow9@MT(e&f@-_iWcoVcd6!S#ty{h#i&Wvj^b1p1rUk zX0SVDNfWu=B&yXbxiAmb#p9y)zd^uv{DP?6PdrPLD>p8G^M)jV0s8r8HEVw^cJ`k$ z7XR#gb3bQ{%b!*6_+E=h`zWpn$x5D^33<2V{ zou4WD*-V{(pJD3!T&&HH&5W8?!e0v>^_Sl@lhPKs+c780m=y2$n4*tMp!mRh9(d0u zm0c=p^0pl2)@&{n8}q6Ev$R_N>Out-pZe>vnZA^Fp*IZ#yGerHZqKM(<*iVvK2kMr zgE3?A*0^fp0loS2FKl!h3a+0BRn?=yRs=jTXAJ{?xh-MKpwIAKf$xU@b?+n6z6$(Z zh`(33C1A)7_zccw{QR?=WnS68^tVJ?uD+}Zx5m0`j5b4inXCEPemksw?JoRtUpi6$MSr;#S!)zfG^|x=cZSjZJ0Z8 zi<{DaI;d?2?+3c2{^3PL2aCwyAMl1i*uGf z{etM9F(xyX+FwFqNyd2szi-i`GCd$_Zk;->BJ&k@lmDrv(7o7zbVz79GDG#H?Rb;=t`w!QYqQ+}eSe8?sAkB2 z-d^QJ^CZxD^i<(;YL&)PCJBMgfwzW+AIM@u5_CSjbtITlsGMo7ws!4IFi|<72{xxJ ztwk&wv9+2h#Rm3pGNF*(q3Pn*7r7e3bn+5!FX{ft=tQ` z>Iwdqv)SGzg}lXGo1nEg>19ByT`wYkTn00o;tAnJbX5@HV9eR95<0yaSS`oJMuh0r zY(|b@*&9;jLtdVL;}62BT*z80SUEwxfVbs#Y5$;bV>j2m@s0Gg5Mm&(Z3(_yX(?=d zcw8@3bMu~-l&l?kjW}eBtl!U&JBr%wwp|-+zS~tiuClr}Em~UR2t`;QfV;lmENFf3#n{|7HL1A^-O$`7F2pnZ({- zRvyCgbo{v42uo}DUQ!aSfOwC230GnH6DB8Y*!jPR6op@?EO{?>q~Be-!dff;F!=(b zDT%H{KI>|wbm*_MU9e}Nzl8P*>+l;a$T^l%)L!cOYwrQwVu}ZcM6Kqd_CdRYyi0Fg4r|6yfxdM4TiGo$duo#5kSM z6pWXMLJF9I8);`1GKo5WzNAbrf8^{fo<`9yO-uQMK61*J8b_+<4PCNteA4WpR@B@k zb?BWEUam9CSF<)QE43osVkr$}JvH4*bQMbPCrRYyq~8VSL-NQ&@9}MtN0u#zpC*Ik z5+<-VkL1C@z6X9Ktfq{ThqcO|KcnQ~7K8Jt(@K`G-!Zr35?Bv^2__#BOm?07+J5xn ztUTU6on#GS)4SDRbsS0sO6i%MK&4snJI{T$b;>(PO~(mjl~X+;Sn2>uhO%7x+3 zdLLaK`Ew=qYZQflYU%wpNWoX(ybbL5<7M&-8o2CcIR}@95u%3#fxp)Tfp@qE^UocS zd`}L~4LlOykhsqaRBJt2yE?O>&$U8j6-56I%}U|-Tim2s%)a}$P4i(w{*iCiY?x;E zdT{a&@>v`IC9*qY{?wl}`9BZ$k1F}!`j7iZ5Bc9d$)~J;0~_vpab8RNd7|eBI#=@p zonM^S(vdip3n82ZpT02iwl=(Of1ItH|E+;-8M!@li7;`JO>rf12TUy_Ho`r?AELH# z?OHE=d%FxLpXSt?VX=kJqOMOz2@~Y+n956MWvm6AQ5k~G>J?+gOS;_pWGp8@g}dHj zy|JpayR0#PoDHHOgHsut}P!G?}Ps$I@&rXX6f;^{b{!UL4o+ny4JQm04qUD<(TMbHXwT%|Q zi(JT8o>kM;CEf)iHC)wBFRYTc!mXd-bV6KynHf!ghp6A{S+B(mzXL=0)2B~wMWV>F zEFs$QWa73rqGWATJW~5Utw)E4`-hFB+8QfLyI6O>SHEmhJp+Sh6@Xu`+D<8lA6jK^ z87Ht3lOWS^fMRx&-e4XdpP%Ws`W_0B%AWxANrLGNHiwPRFzd|#PR*{6$3^xr@=$%g zawUJ9F-T0mmBsuXi}8Hquranoc^9Dp1ln zfnW>oIZor&4ob-cSRLBUz{X5s&B_0HFGNaRKrDrtiXRXiX4baH`W%0(-jP}zllbt_uo=pVcb|Jn!BNmu=2e~Nk9EdY&hbe(5N zsfVKVRVZ$<)>q*OU$?#r%($w+(Tql%+2gh7fB(<_rPq4OP{d+_qN!4voT47KTL1jU z38#bJ;2`Yx!v5Rcsg#)*cDr;o3B{C>BnBaMgyRY6nhJp{AJ9~Xph7(5e;0Cpk&v&) z36_EQHOHLnwf_0dCAdX!=F(!VL88hBUhz$E9A}wp42dTs`1gMg|2_QoHJFN80aP-z z)+20v_0{)mMlw7h!>_(V|IK14WbA)!wRU#U-*OsVLm&VQTFjyxlyQ(hTmQjw6yX%{ zJas9ESqfJWdJ!fzu$-m{D-N%JzO%8K04$9~h%N}+w%B@OL3~Ff1gKvqyd*~7^Wbd>OE`-)>1m{cuEgS6bS=uj@96HH zYNVqkB{waWDiNu5oIr{OB>^Ri4jM5vH@(h<{&XW$?^S_jc!5TLq!klR=OorsgQoT} zg2HwXqG#`@fFV3NM!PZ@5U_U&9Rt*1cO zO($j1Adra&0qQjs$|6pn88{K$9UP=gl7OXwoKmHqV=fngm(53Uf9yc8B!|_u7q(h2 z8LVOK;t+vTRMvr-&m)4Kot$1AmtJXpcpQUzVtV|M&`gGtj0q|kU$k0h+M6B2ZMm?y zsGdxSgqZq3;A_%Bqg>k2n&LS@IDznRG$JHLI9AmalPV_g2n%wBZm=kZHf*)7uC7K{ zOqGtrR5fUrBBpfDe~8-CmE@#$5ix8{EyYm7@;*C8>a8E>p(-mp(E2lfgCchKQVbCK z&2m6^=l7~&Ki6a-%rqL2*v_DglZZf<3LVqbX{o~MmB2HC$h(Z{Ly0I>Q%lK&xzOz1 z=gX+hAiVy8CfnuPD0`wHbzSkFErfzV5E&@F%<)Y)ws#Dye@>h~d+~LI!-&gerR_>H z$<|Z_^JK$HI#-#kbWIje$;Ko%3(zo5#WYu)Wp-Xrw4DH9WeYnB(A7mYcva6$vsOvo z(DM)~>jiOPHuUf5WEvdnm;w{ulk0-P z6zj4r=qP>qe{fDXhhl=w3edU&!oX(*QLCJ$6QM+nJXJgzx2B3n>=B7XL{g<+E0F^y zY@!rx6Wx3j1XFy4m|=QpT}}vF+8ByN9!(Wu1)p$~=ChHOPHirNj(s&FGsYL)D9ceo zXG)I2Y1}d=SK%H;PT1QK z0p(B-6|5V61Q4kp_3_zt`Ws zH6rl;FmKTXjKOlaei{jSw5Mz3cqM*)|nxN6Ol3S ze>*CjU$=zdXbSdWIHp33LZ{Y90cNOH?2o>sYS=<<76)_sk3t4sG3&acgpIm0Ow;b1 z{-X=sB^=*SkDQ5guk{srktdQG1+9c{=DpY!v0t}JLFrwIluM2ynodeo{DR43d;Gdq z6|;Hj;Z$?(l@@J)5w%){sc49<{`KpAe>fO~y`Xp1YJEVjoP3Txz=hH119C@wTOR`N z^P%)deQSMyZEV=>hGEx+sG<+Z``QcpVGn%(sL?4y30kT(3uk)@U2j#Eb=cKflMX1c*kg}9!L|6epto9d%f`J0Dkm)o&MuN*gw+02A%#>_3MfLdDI!lz20!xeF9X#;xFfe(2Gj1 zZeyfHvCVU!mTN}%nDH5jL*w_+T9SwG{X#u7CG5cs9K5dtKgQILVus2b%0(u%{c?qJ>d#W}KyRB?!{ zI1jCDVA`E+DTp>G6{0;YECYNL^^o?(t>M6DvVcvO#hcU5eFzZ&rV0nrp_=_|x9 z@H;xoXP(xQvDjFQm9jA+e<=4V$2oMHM`f9S@6JvO1OZ_9G1EITigF>@j0&yLn;mt+ zS)QS@Q)rxLcQYOB8LW3p#cybmDB{$DP^*)UQNnJBf`L=i+pEw8`5h{JlZVM6h*aJw zWP2&IBK(v^*M#d74~{%9cBX7s^(bvXU8I)qC}{iLlPq-bDZ-Ywe?;Db)kIw43EE{G zU3`DMXH4D&AF6bq#T-`1aT!s{v}6gUDG>CWO_28dtRIsaXvok~hD_5jbATbe%eHWB z*1pQreOXhq3z@A9SuLzG$k+Zn9rSzq3gBy{Ep0Lt6|9(y@`*d)t+RbVqUv?C3@Wag zV55BEjr>wvnM*C=e`Bm<9YG(E`e8!lmm<+5EJZc1&)#xI6t&&s$wuI7=?Tm1Q4J4G zC$F;@OVSvENj-_O zKl@fdnGrE1@%K_@gA>RZe$JU>qkJ4*6O#Rm6_(K6q8W-BfB4>gz&FI#!SCM(^qVP7 z$j>x}{lxCh;I~)}yqv&flOC={8a4<67epr|;5qEqO8nDqS~VA4xFIq(D*0eRrmHu= zycLME90VjNXHuhqugPRjQs_W@wC{|T>E$}ug}N3HOBJ7Y+bI^X;}#;?d=T!3J=j@% z;cMOx4??r4e`(Rj-pYEBP@P4k+6F5j8ULrkQ>ufsf1hyCxVIVc`mfFC3SX1(`W_lb zt9X8RBCMW{CQ8IsVr=R)<@>?wY{GHeG?k8FOH>_1wY+6C1l8fG$S{}|zQ4RY?+#E7 zP^|n{94u;>F~@O?Fo?;{6REmp@{e}o83?Fz;e3+=m!NyZ7JrbB|J z5kc2agc`d+-zSO1$El>pCSTzy=~nAHk|LYj5P^Fi#HX|*20|DEolH^5zFk7vAeSyh z46S#l#?6wcF#fF-n`AjT+Dde0jzW4hMC_fzs+~(PJQ6y26HHY#jTOQMcWM*jvvEnk zX>vOwf9I}-@h$o2%&F8eMr%t>Saf}HO>SW7;6if2GUkJ6Z`O>xP|LxaR*4lbt6h877KO;$M1uA$ zH!4`h%iMOny}`y_kp{GxzCCQWJ8f-!SKnc;fB(C-B4~6}XuqK4WYuT~ee%SLwM%dt zr$B>@UUx5|UGNd_h3HH=x3P078!gFb$Kg_hx=9TPe;|dd)({4>1@ba(lLjZ$SDAd1 zb0Ix3xCerVehQupaOIeLPyTj(u?iNvE+m+quUo2jLNRK?S5?gbXH+j-G}7@;YU`9z ze+hp&oa+tbr$D1Tx+W5Vs~4PRAWzx@UFAqR&&pVcfL%>sFk#x#IPVX@UX@FlbjJz1 zG5n=#2q58v?UkFltyt(PZY}O?nEIo>QN9)gy)j!9GPRKIL4AhG9=R%YSUChFW|1&q z8Iie;iUb+cUMrB~z2}u|BHf+F^df;ie;XDQ$oF7ks|}^NSPLdA!Lc<8SUFzP@Apf^ z2@5)ykRM+$3%eGT?hxYJapO=hovO5OnQ0Z$|n2~1hSo-d$FiCq*oyF zE`!6M#-^qHb&y6bnu1v$Lv|M>f0`R`DU%&U!b#Xs@A6SXBLy6qt$!Kt#*pvq`=$`4 zJec4tBXLm>0`d$dh!h?4dcA(Aghe>U+Od2IdZZu1e?uswo#Wd5(SK{6DLkMYs+U>| zbn7Nrgv}$OMdFKc#;^u{ZvxE_u4WgrK7jf-DW0qFHzQ8q!0o0pp$=Wwe;0b(e$9!n zF~(F1l8l#iqwzBh5BdjM?R_&GzSX~O)qhEoc@vDAWz**F6+FB`jH9bx1WT{<##C?E zGBh<)r?z@E**P}^YQ%%8Cr(SuCeecBXLXQcOtp8#JaX=`N5Yo2OOwv+o|LlKzf{kc zz00xz6YZg5OZhu3e!ui9f7<9h8-|bG{P5(W967&I=7?AtkxUk12UO`|A?PFp2}IG^ z-BJJAR6TmQW;$}-om7BERqo-ad!mkA@@qf02k2mNZ2eN;2QlE5`m{VqN#WjV2J(WX z)G%FZ4kInhPAVw^BI9NwMx!vgMJmGopwC#mAy zrfzLM=`4HqGL>R1e{u6X5)sE4IWtDUhfh`03{-4fZh>UkZ&wvNjUyFXI|c>y*~M{C>gf0|yq(;g1Hz4luhGE;=g zD2}J6Il$2@(Tk9&1+o;eD@tY4nT%X`3UHAEj?E;Y05#ISwdtY(LXqRWWYo*@_V9fh z)Gck=GXf*n_Bw5nP05UKoCHELjwfVgX&qC&q6o0n`hYpZzmrz~iw(+N-I_4U@(@Zk z2+CF|#m>HZe{%jB<*AO^v4>CU(;TNRE^7^DLvE9hz8y~2?lnkj!?8uDi=9wxVRyuF-REi~i6R?x7P5=H)HF4eo|!d!_<&Gjjtj^FmF$@~J7$4B_tcReE5` zWMOh3p*a6mb~qrC>VsBbXt2i*eB+)y3#5&1e^)iq!LEM=sB15+qsX2eq{8=U zc68Vsn5jC*zcL#RcsAVsZjFnAD6S0Y@XIGyb=;C8*_~Z3H5O7bFq{(6IdRn zCYk?Kf4ly*b50vZR7uC^%hdl=*st`}XQB2AQsGSjEgkAZO4?LepIl~LT=^r9tZIhQ zNG}d}xqO2~2~tCjVZ>^OD-Ky+=~Gcx=$h!$6Rt*$Hjo*Em~us- z>1URfh$}6O&oj=t%WgHqOC7F0m%Ao4_2-jvx+XhKIf7V5(`WB8P6Ql4X%FALZ(ox| ze|y-jr)tOXj6$)%%plS3w5|Q3J#4>Z@+@t4+WO>Ld-$epf}i5{+uz=5Q=hZ_SlgR+ zaE%toL3j5@LW62|V>EcUix9nfaohVg=Hc8~(R4E1-=|bkqrD`SRNwwt<&x%J+E6gD z-be%GBd^=lLv|+-r2=|e8Krb-+((p9e@b{7K8i6WvsPbE#f=yEEMj!P|Y8G}wJBqw+#LK-K{j+MiiJEtj~b6MU%fGbM{e~EI4 z@X6sQhMzFZ4?+o7Vb*uiH6q^^HRQGj$CL|c(B1-T(ir^OpE`UqV;YN%pIHZlAbtK@ zDE6cPpC$6z%Ke{;|@S=jA;v_PEY`Z#-@72ODAgy>l~2@xHm!j?@1 zdelGc^=6McNH?S)Z{WAG>3(*O?-2oG`k^v5i0T3K3F~FGKBF&ZXNYL1&BGBu9v~WrF^tlC$;4C$q1<-S- zM!vf&^OMnU@5#Sw1I$?z!;H<%Dq^|+zq&hW)h}gf;HjT3TWA%}#Wa^OyGdMZQn|~^b0tnI9H9@w;pmjgm^7wPpTuyP36^wb4(fs5 z({43jLMefQ7CwSevSI!;HeJq)!|hgWP;L^+N0AOKYK@A@JJEE4e2F>i$Q@p z`f^cyM|b)Bf7)T^@X6!O{(kSMb8v8Q&^bKVA9RlPA3yCp-S71}{r;fe*PD|OGr`U^ zMjE2NL=*++;>G1T+SSnZ%;~{ED;)uP@gEm|dyaM$lG?lPa6&jny9#;j7Ly(P^_(ru(Lqo>`W;z zqlDN@S|d*IweaLKueXh8_L28GNKRBzahGpB?b*ln^p-%3bHU|CPz-3liZM`TUGz*PoBCR$60*G;0nsK!9tZ^^J ze^_F3UJ^z^NW4H=5&*leLwi?i=8pS^m41f8TxHdgze zCksOgLM82_6KiQH4q;u{NkExDS4{(rv+B)rIwsK~N(cfM$j0ZU^k(9H4H63}07%`P z;uSooIHpj^?~s(q@FwE&`+t|sBdDRTf52M4nH(G*J?kQx5G(&TW z5zVBwzEahGu4We@6C7!yjg zE4J(trBfjCJVk^;ieZ|fN9kBT(qT5}kw*Ur%~(vd>qdRk7_HQ*8D1`RR-O?}F<&^E zB7L6&RGl(m+~(%SJ6)B`3HQL-hLn5AoS4_%lcvdiu-`d4IM{ER+bgE@${as%xP<7f zKVq|4o_hE6sPXl9?P#h$uY32s1;MZ zgCPQq>i=i&+MC<9wfz3gPk~FfYbzsC4?oh?Zg$7Dl|~cA@=8j2J4r{SNl0Qt5iCL3 z@m0K^eFrZRBtemM9Q7r3CY4Fx;NW!toO5t~IJQ}`AsvLsh8VLLR<6H80y*zu)<^%zSh#aBl;Fzasnk{# zObMt0hf%{NM>r6hf=~icXASA1bqJ3Bt4j21sw2Uz=f~~u{yV!?#JKKH-UO6rQ40_u zFj?RDPI1;xshIKLvw(64%cT+DBxmnITmx5X-8he2c-Ha-e zGVv*TLrwzMR_vi35l^M^t znM$AjzCNb8_NjXFrKB^T#K)?zhrZCIG@<*q@+U3G@^^D4-P&?{PtrfXC#lrI_3ydt zSgzH+vY*QR$8kGte+s&3?aT^B7U@XJX&E^hungbh2(I*|E{~f>`L(K=n>9}T){>ej zjmQ|E0n?ScL=a!0h@yn*N#n?5d^aA?+w!t{j~JVet91Pc2C3|Y>DzKRCK`X1rHCWV zLHVp}TfPlFOdU*_@|(*!#gr2YXBraCrV;s?vP|S!U#_g-f7^am^$^~=q(NS}L?+%3 zxh_A&^Mqpsu)}GB_<%eI@EH3O81WEZnn=Wy*4R=3^n8nYyTrUCJ- zE&)p%$3?*qMrzn$MbMf7E)k^L2!ztvp$38ETdgCtUo#UqWw1A;Q3I$Lw^?wlYYekHR~IoL^gU z@|M5>ZSi~!ZTI-^CHVj50!6F9`?4~&|?qBi{dYCgmRSevf#+N4(!7-tQ6bcZYbdP(Fnc0{(>UCbwzFsG#1KE>;r@P1;L@ zqF62WWcoj~{x`jjd}$fm^}p@z+4JL^{`d5Fum9b}b0E2{v5hg^HVKDBoH(8cR4RHm zj$K}TbW?%r%a>+E%>q6?iv6JICnyp6aG@{c1kG?r`!V_-dxOBcn>TkgmPIs<#C<~ z-zjkCUP1BvEd_nQc4k-9d{Fc0kZ{{V|L5;qn%!@QZ z!Wg%MHTwaCVYdf5?e>cCPmev~J3aZ3se z;;#VR!EnCz;z_ZBcxlFmFw1dpd|+w%v zkc=Oehx`S{G4${G%?k$x(08D3yAYe&fZpoh!A_){m@V`y<$W{e%Z*q(KGFgREG*Xt zmThw^K&tzan>Rk5Dy_KE(N3sT*&#MLS~6^!c*}AmpTU}dor@Y=zbTPS%o3)iyYC4>xF7b=-r(`{W4n0lj8W1)mhwp*_ zi0%W}15`G7u20_3n{T}sIbT_`yf$8{TrtFazG5^e&k8y&e@T_HjFZOU@!QnR*-RS2 zT`=vlSbWKD)rI&FTujDasn*P#Al14W&V9ZG1hlp6!Y*foq=i^Ru$F#gg?{h3@>hJ+ z@}Fx!=?2U4aEtB?AH5co$p3ctBqRU3?bGgF{_o_m0+)MN_P}jNOHJ&`AHf7rFgmq`x~`3O5a)BxS?A07r)WG@d78C`6GL(R8VuqVi2?N)HqHali} zKkvWdQ*HiB>fuL}Q8xd{@67yvesZ>-|GRjq^?y9UTUVoLe_}?Tq8eq?@BeOhzyIIO zQ@8(T+*|10j4EFXDe3=ir<<|=b&tDe`~Kg_v)KR#f6iSWg7{uwfE+{gvJQ-g2QA3h zY%~CZ5YAy3Lg$j&u_pEsI&07M7wl#hf8GB?aVwBdvKZtDCumGzxQZ<@Nf1;|5- z``3gefANQzc5eO`q6ZoP?x4F^GE)H;C+z^pOKIV=`?nB>5xsleO}I$=o7MIRW?#qR?G|&%k$ma-0NRcH3xc zsp$eqVs{Qu7?+?lXsXL61gsRdyj)IoJIT0sG3MP}G*!(l^~;o#V@^pv)9hvR`On{5 zr0t&?Pwn+zj*L}t4^X!Md)_(Atp6vSPJ5G|WoUo@Jgfifo}PC0^M4nQa>&v?W@D2^ z|0Fv|F(~P`3lXkR3ZVM%&?`xmgd!EYQIR~2444d*E4%t}(4= zlj~+@e?XD|dT!VyV}*EftT%iaK;I8A8z3kbe(oAeV&%!?oi^v#C; z_3)r?HuRQtcuz~vb#Ua9Y^;n%W;HMR{gnM*d;Z74w4O}=*Ez}A|Bk!Id;R}T9_7?Z z;_hLS1@v%?8?FYC^+)k1s$vq$t?jw*ax48&e-OHUG>>%)^r|=b7VF>$9HkcOM&*4% zqfuiAE>|j76ShZ>&5p@tLyc=#x_yywP7$^(4~7|qAhzbvh>$^{dwODVmN-fRP#Ab= zbx+SyOG!v>XBdYY{o`xVNsewmd1; zf6B`8-8sbpv9M;bAO$o4!5#IHq%M}6#4k92wkbl$nN)E(q}=?%uia6os?};8F%LoC z;Z)|9>w$H!2rY*!Da8u|2X~`H3wnC9F~zln*RJn8JkUOmEA$oR?H}!_E&qKOk)|^e zX!FvApv?YrlH32Cc8>S{-#dAfGbq=`e_Z9BIyL1I< z2sfKV{T;VMd^tnUsEU#+YD&WZZ<+*|pF1gBq-;~EX|7{eI!$?{<_ ze;gWRS_2@fhD&r?Q!aw ztJYLX{kV#@P5NK&q;t|Ps%NkFbN0JjLmrg0lvfb|R%|T)iu-~3>pyZ}ynTBb`%fnu z|Fe72IoYrOJ9*^wKV|k6eVka^6Q_d$Yr7QDdYiTVuQrAL)KBgC&kj)Rf10ad`F;f% zP^$lZewv;CXJ>o+&rY6g_Fop9Kc_b#S?H}s(+<`k^+E(yr^e!3Y=1slPNKrC+&ilb;}b6oDi7o5GhO#jIeFYm%9g zG1gVT_4(yQ=y33*5Bj(GgPtIXG?tUMuPVrNWDMkP4I!2fAvBCSubIWb0gb+ z)Q2L`nr?7=_JXMgB=JDM_%>R({(=Lnk;-UBPGyn>Viy94P(bTwfhtmvz}ICGEa%#F z6d4&pu`Kc2Iaok&#}g2255s6(S?%eB1bgUB$P*56Kq7tU`VuNP^oLhW#hv` zQ~jL+>pwgsw!L@&e>JIrL($nP_+4R&Y&4i*kdEM0Ai0!oBS4KIdUmXAhuckhxTr-k z72X2et7z;(UX*ynoEd)THfS2-&T=CILmO+Uqk1XyaUE__x}uDpsi4$UmWpM>Dy6hC zsD6XVXlvVifa|^;3Pyfs_1QFjV9O z%E3|CS_xt;e@!Rb3feh4fgmjz3fehd%1jGNv6RQ#g};F|84Y}yr3Q(u8FTy>7nBA! zu2T}rnRiYuF~L+eqttawOa>d>L&R-Qu@lgf5~|`Z%OBuXAvoPp>mpXg=40t|y*ljNwc^fz!ewbN7HC06qgsAkWe_)Sv4Ttt{6Ey%&

Aoa%MkJFwR0DG&KS;xCpi6^3BVLC zYK9hmJS7U_ks*g1cvY7@>M0iIRA2Q$A>`*Be^%OXaP_)BzU-;ds2UCypY|5rrFYvl;$TwO625M17r*Q4R!;-?y| z_#bUWD>BU5bo-HnzkB=f>XG&uj?SgY_n94Tbsy_J{hK4cSTyt|&;#U1@2nMUf9R#+ z<+A_s{Oxec%PSt_d_j!G3fK5-=l){&b~5dcpSI&KMpx7EXgHfp$Nlp+v%%G1IyfKB zrh_;A(c9ECJvz#E2i;;fOdN&KTH%ICVV5jVpjS(l6TLnom&5)exo|xABrFUEFZ+ap zdc}M098z%Vg0fXB8du?8Ft<6ue|&}I>|%6v)xVgk8mdYOm6u$hQm@Y8=Ihb6G-u1^n6^_CB7pyn%(YqW*ZzaKoEMECJCUkfJXPkJTXrj?80Z+SW`Dgr~8~% zx>Ha)G4r>ywz3|NDk9moe=EI-oA0S7bOkCUdvr1KcQit{=&8Wa;CfQ;yd7E58k+%f z2G_XKxlk66Aj_QsjmsZLaHqVdRjVO0LFCUQ zrkm#%+95)5{4Awya!-t3TSH^tNSH^AOSIS)S zH6_8Agc5wqRg)w|?oa8Dt-I~O`fUws>fJ5}lk@L~ee!KOf4UeA`Sxlsy4te6mI|t) zd6T6P*@X4~IjwZ;7aCgW1AkMl6`(J%RbMU4v1ZO~8?F85Dy6^nPG$WyZJ?YwMQR3` zo~q{^Di7t1vf6%2pK(R*>~bJ2{jFOoY=vt-zU3xV{VnJ_MjWGmJH_ev?PNMTzq)ue z8c(?J(XNpbe}mu)Sm<9Q1Z^vX98l(0Xh%sbZaO{^cq}5Z#07736OpQuRJ6*#qL<3S z&DwW72<9PLrHV5|WsKyaI{t;DU#+ZwL*;Og93MrRFyFX7N5Zk0UyXc~J2z=OWI5C_ z@;&8)j1MMx-&ldP!X@Lz7GGb(dujM&JcAUx^Mo{9f2M62tlp*_QWv7cks&=DHbxx6 z6X@3rVn;@zj`7swHkG`Nim&mj9A3(&a58L0ulrXsvZ2VfYYYUDoOxK!HO0t14tg z;oG#ae{n^Jql@$5?CM`k*!csQD2F(tZhTh zoTUEVF@KW5;CEw9wJ%}#VMDaoHq*$)dNN5{%(DBAgivMG7v?s*A41E9*D!QZHQV41 z ze?Pt_GIa7?!8btle3+~|%VhyNA}fs6!S35fE?Ct%%*U5XwQ4j{X=&~`1Gk+nLx`8i zb4mzglb7F2$i_+eq7W;*oJU1WDUB1%y|}k{gJ;4ar(>ZTwY`7KJ)+ahu3e}4^{A}R zb1q%FNx!}?GMRiSXJo|;Y=EPze>|Ute-+#dslT4*&Y^v8lL{z1Jf75KqT*;m26t)X z)NKK43`$W-7++s{(Osop6A|!YyId%nONDNg6pUjMi3mVtb-8i<7WNDqQvY&0R2&(+Vel&msh_7R5JfNC!K8kuj7;F`}iL_d6e^C zI+Vph&|$EID;QedBtoIJfS~t+ld^Vdf2V2E4AC!Y)W7ovwzm9_kOxB^8@}QSP`dv+ z>*V%-os+%%-^HVf|0s1aljG706;74(IWb-DBR~Erp8E4Yv~2ja_+Q7JZ2Y(G>FIv| zx06S8|2vigq^os>A(Ic5Ycf`*p=G<^OJ;!uUU?=;+u%m4%%llIYS6dl~>Mf9SaDRS&$O z8l7zT#RB84H0ugVrV+A4>7Q6s+)UwMBV4SM0o}6E!s@`piGsO7+2GEW%mS>!LCV;O z17>xG)aWj$KMkNTQ47O7b0jLD$giM$3S4%`j@^B}J3DE&0l$%S0J>s(-QNb5{n1)LY-$JmRu2n`jsadm&jSk&-2e*Y==zH$2%$%P zNT^Vg-dnz-9RMFLs1O53K?vvWC+IL8|34Zg82R2kjj0wemOubQe7jD#||MD=$=FPvt7X4SeST0)RAMq!?^;-#{8_WK<4k-39 z)}ER8F3_HtH`Yh(nHjAD?b-in2jHC*x@e8T;IfZ3lgoIGtc_NSr3=xoe?~c4ZT^q@ z=a+B#=E`|g8Kv|8e=K|cZ?{kP{vSJe4uI%nO*;p#ptl0F^M!Xg5dcFrMnp;wp9Y$m z0|V$g$rZyxKAsNg!SFC3v;UA$#HObG*GU;1NB-;;@4PE0Gh4`4|WD+u1@X{k~!(Fz9E0uEh&TQYuScLn_jPnd)7wtCRR<+gP3 mbQg7giBJ?b;P2hR`)B{`pZ!zt{C@xd0RR6>%8#o6`~mDc zVQyr3R8em|NM&qo0PMY6dmFd5Ab6hnD{!cN+ESWTyy#+^yK}k~$w_o#JKC0#1PWB8d^A`KUjeC zK?`S@`$^&n2?hsYzZVW#G08|8lQg143|j%xFjY5DoT%>NBx8a~#ur00rU@B#yJ6V% z3OKrZVL$A(Vj?0=GpUYyIs>o zA!RKZDY{HUun7;c{7B`H?&_9NXU`E8WrN-@t#$lUbno3Ml!l4$K zVVVq4lt$yg;)%)pe|NX;-lWdLG=9TVgFe~ z;{J0S_nr?19d2uL2v)?dC)r?_ImBlVpaWqKF#ZYj+2~-`w{?Gum7X{!(Okt{*U$#9@qave0I<& z8RI;WNRK&)3U*g)?V!sk6^IIi(SIDjdKruvpJ6FU47@-UI3-bnIYD#GDIO(6Aj!~( zpiBt_F`}ttAbKE4W?6zI5n-#fgMt8kmyZZfi6jD@zP>=GOl|bQfE0*akXDrBLK3du z43YV%_9dJcAeU2OpQDt>8^*778*ZjFnpzP9#Z*LWPWVE#B_mw5LrFK#JTYZ?61R2` zO`{}_36fKSG8P*dN<*-~J7|*4Tb^5(tcys_i`n^v7=^*SM>0g6R|GE10 zO#eLUjN@K!IP5-a>mfL0(KX?S&hUhwEKd@Yv4lp87Cbr6ljIzJ57F89HIwI@2$D)& z_rkPH=nl+hBf=3IBbLPI4FT!tf=HNCoG2kseZxt@ZV+clGQ!by*y3bP)fV(E6>6V) zNoQ0JQNO2AykrxUkU2?US|~Jz*CF6_C}OjWrK*Qo=0!sIOE!6_>I@N0$E*OP=l_7D@G5DFcukM>L(-+Motq>SseV#)%-hwpt@1!x1bLLDIMZ4lKkbNUv?> zLe~8WlL_G(b{Ue{+(UFh2s-EN!$K()Fz-|!WbnikY8i0N$`JrJive91Q#2-7!WL?V zA|cgAKUuVjXBXy?(oI!=(sc4Ri?Jl?0YWqU;cbfNm?o+_hiGv4FZTIG&L`$csmIl@ z<$|b5_9BflMpJo_s0FSDn$HLqZggWJBuznlw`}0AtsMiYRN3+n#rOn~YFH%C31Vro zK(vbKyJrF!MYgqrCW;qOfmqsVf;B|SDUN;9mXx3Y}0F(QUIMenld|3n}h&tR&nZX;Y+j0(h3JVhJE(88Ds zo`dp>MtM9Tra4R3oNLvotN0bvD`AYO&?q^}B~2%q*-EauGE!_5$1w$@l4*Wz-^nRw z`DChSZS9z;zYDc3C>U-x9T67L6jd-#U5w^~a6jw;zjtz1N?SW<-VYDL-d@WPr+}Jq z_c)1~^3VjOXgBwe65R2OsLfDymD*Ii+0a6&R;_nn#Q@+}_ye8gGmj5vEEamliEyfB zcU~+v6z5#Ex}c(QP4>N!R>h^-a@mYZJ?gJtT>f}``s(a8ig0EoDC}lag3d3_TRYHQ zup<{8sX7HL0_bK+Qbg0A6jK7=rkq-+#)zTucpZ+iB%j!=gcBSuRLhKwi^Q!cr7vJE z#if~Z$#WqQXG|hv<%-nO-FBFLnA4cVwu=nxutj5%N-7rs>o|?3 zjEnOZuZHNOk0aKiP_6_hHIBAcYX|)g%R&{a_Qj(zXe%>1TvZ(j6D4b=m|GI?1^3Xox{`zx*@(L#yL6L8z@ z0_P>3+zD4%nt}q()S~*`ps9&D&L@bSk5`9!H9MiSsoIqLOoa&jA`?OHvED}nXrin4xq$~}*4Z%8iTF9y^ zA0*)^PR>mwE7?@W0QLa8gdIZx$|OTXNF~IHDZ(jYxg4=PjnU=FIe>{+nrhv!h1}Z{ z{qRz^820GiOxyu2O;=zwFB_1q!D)mXHI-5jyIkuE%Mm9cPo$P?1R`@9fgMb7O;BHO zG$mfkPi@5$_2MmnbriJ^MSDAfY`eFn$5dQR&huVD&)=0u?P;-{LT56=B3ZgN^nfL2z@XPc&Ahb%`m9Fsy@+keopuZOF9eDYbMRkXs0}A?Im!E>7+~vcq}DI z$xPTp0r*zeAEGuJkK16x;8J+&<``y# zdb(^vLRpwNLv+x8-Y@Ffkdw8wja&frdqsV-(%08F%th5d*e~i^2Dcu7<){Fm=S%Qc zQI>}w_*{Xpej*^VY4}Ryh%gt{`Wa)1jg=el2#FU6E44%M34n(sN(dGj+(aoPN?)hU z$&Z{wgwCyH^y2KB%NK86Awegq6Wku+DGuP=WGG?j#5Tj&f1U_*B?+GykH|M1N8}uk z89nC8GYr0@V-hW*L^FdaW7ndv{}o0*2nA%3=teA!NG9QniS;VJ28o3h0Hp3t@d_U7 z0T#tPXR6U^>$dI*Esr<=niNIo4W{xd=%g1PXrYSr%H!05)_ZYWzUf&FirN8%#9X30 zl{E3D3)LD2*q2)fVTI5b^^rAApBbC&_o7H@81Y^pDGzDJ$$Hm`XqTT)d-cjTGZ*W35M!N?G2M3J>&Y6%CP5{c` z!TzAJ&>Ip{fp(AfpFVGV|02Oc(&&O<9!=5i^Zj10nOZUf%_T;={r;fe-!tY~fnugT z?n2~hi&`kD2+u|d>6oQD;sjrdLcUkZ81$FzRozJ))e{}n+Ky^XN0Ho7^mG8B>w1{s zc0H-dHBk@7d1BYAkvO%ur3ECTP>=*?LaipF#U%-18A&~5RiG)JYxh+`B#ArT%z=qz zml`Z~K$|Q&C`y=6t64RllNqL|`sIODQ`-{eEm40;U4m;Xa3`X%azgXfw-o{f#l5_eDtBOW#~BP$rGNk0NNEZ9snT^E|Hik9=b zM6;cziaq6-HntWXLJ>NJ#i}rVGk<&2^${9ln&g~ZPB{@%mc&EUALw1<#E?q_(ou`RDKf$( zC8A_Zcv6l0Fg#Anzgp2SI)VpO+qBirc6@%OgyW2*f*>IkAB4Kd{wN7`YQfviwHgMn zT$DpBg=aJJi3$x2(?Nx?XkWCKfgcfhLo}mPY9h==jYO=&5+}qnkIiZ*W=1rP&3w@Q zscJW%T^f?mGF~dJh~}ViV%kIhLE^p8iLGOz+Au`z{t8Gi2VP zr>s@q1uaxf`)4VY&bf$C&VcmduvO0753;#VwIi%`?FObVu+(FLqh;+ke?PO$@16>SfX zo^}onkDe(_flgA!Nk!mxC6-FwzM@F8)nlQ|VA*&m?SUm)L66vMmZv&k z1PD7O`^IG|NbgMvIckR6V}XV0^)Ki47O#c}*|`Keun)EyLN=fZGh* z8gf0`E`Z%tOd zP^+{>nhM?LHgeWgQE#BqUv)R!P+_P8gP`3`dKQg(Iz&f@hx-TjgXS9;ks2O&Tp;=& zU$H!u=U7fnh_d^Mx;#(4g>EAfixm}o(7ZiJSahwV2NPMN87Y>m8d+sDQm{<26k)yf z0+Y?v)Wx9u5LkDhuZX=CuuYbpba<-o7Em80Jop z7;HaS_`~JQ+!PH8TB=hRJVPa>Zl7$**Vp4{VC^Nh-EkaqBA`bL191(ko+nsJGRvfq z*_7B=I&orLEoVBA!5PBsaTY4T$N&~%eWnKN6EKuGnu4hoYrhedp0S{VNH_^Q>Rmoc zXk-yUz`lNBP?)19?nKJjxmKzu4<;BkW>*k+puv{VYk~&7UawymG-jDxbgb0{dZ!=4 ze?uq;h~DXgBmMX0nZgAT*6O7Wq$WZ&n9fPEFuJhnHPz?-23{M3djBhFgrsKTn@I`^ zD3yXF<5h&4__N_b|3JrTzZ(wU>tE|B)_AJ~Upn;|mPwu5F{U~K)I1`d)!i;wt9i`z zekYx((f5Kk&dhlv>~_2pmP+zLTCYMKcgA8kVN|%%%QbBzI>7&$aoDmIiLsV$IGIo( zIVGZlJjEfJl6e%7mit|Jly8aNo zd#|W6{B*Vm%tQ_}Wr3k=5hQFv(?Fv&4bi)u;=NS!M-%9%_+lzDtkfy1^X1uuW3?rk zGX~!d-og`7>YC$Nt)=se^CBP-gb

CSs(1WavV-@z^v`d)`|+0A-35UnOv$gA=e- zB0&HLe?Z_hkjoZB7MjFPrdHHU#{w-e*78#092h|FUI?EZ|1DT%+8G8>$LSq|ddM)_Dv zyw`+eKZ0p(=q$*_MCS}vMN)z%UjT7SBsP`R%3*uyDGQ+bI%WpP5 zyWl`=px|36c7<+V0eA0e{ig8Ool3C0f9Uzq{o_~meIR)*WT2E_VSF5~a0Yu`aVCqT z`cNQP2#JYcJ~?)KT@ew2-kF^gnXMG*qe(xoB%c8b`AHjXS4JU7EUqE$K$};CjOoM( z&?Vk;o4CeECf%LNg8+~Rb3h&x$h8il)~8{EAS0zh5*%9|Zu=TQw2+m8OtUW4({l&V z${$FZ(2WsZM2e9(1yeOoCZg49h{u7LV|Sz)Oo~ePMBNShpxnyaD?VB3B4rIw#HGVA`9Nko{dB_lK4{ z?cPpqT15tepwSgIH%Q7Zvol@r*5~{*sEA8*xX*|E9VwPIy%in@&ERWUFT|oi=Z^h- zVUPWN0)82My!|#-8W``?#im=Aty|h~??O=1zUm0vW>dA5YCGxXvap5 zf2#_7r3wTAy6}#YOXkHIft9ZS#aa3j8?~w+N~c#fk98BTUfUz?BASvoSNm+chkED> z^O#sU_Ie275H z)FxS@){K3%#kSn*`1<@`CE5&0pf)cubo1tKnQLH1F;S^7x4~xOch2|7HReZX{3I3Y1 znKqCuf3G#|D?Rl`Bw;t;GPirNeqG&hGy!8-WKOT2L`l_A!QliV0u)_^;v43>U1}j>ASoDv5%xIBFu=y zF_t(~^lk+kPE?D9kYwhb`Qzq#?)#DI`VG5{LE$a>%b7&nFIUA#sV_zf?Ual2KljSxgx>9iIFJlj#CbDv&Ik7K- zxSVT%xXP}e7q1)vmDgp~aOE*VeI`pfCrk(VoTh_}F}}`ze7@L0SU|E$k6dfMaAX&O z$hKvUL%usXMvilzvd9Zd_RBQ{CgZ^N{a!iLSP7Aor7*(`EB8lLV*^S~jx8exQ#3A< z=1s;=+<@+m%a{>FI8aP2P!t6?@cPxQ>W1)Yug(5=l}@IwYPcR)H-}uL^;NYE8oHtq z2oz>k6&V`b=;Jsp%*drZ`Ep8-Ka;>kYsfNdPDsW<<}*}aHO;SpC#bcqYS_h7rxBE= zAf{YVYI>HXB_d0*z;8FYy8CW1uy&*WG)JHBszy}AQYEakb~X^yOPtHsBko&`XfVF- zY@<<>2yIX+Do4VX`isr`x;J(U$+raHQTV-!@cY@xzN;j(rE~1J7S}LWloLvpoXYh2 zt;K_fq33rb6;xMOO(>`oc$5hqWr9bU;Eyd6s11q5Zga6ozB{f>@4kC>(b_>Vi}Hqy zu4^(n6w*Z(3qdC-L{_9MCfyzNuiXLnTFtb#QjfNwac&p*m;i@F{=u~5;(V!aBeIfU z^SK$aN|bMG#_}3fHVY|oE?GjjIqy;()z%J->up9=Xcw`Xk&t;#jjhBql>tuUKsuz| zrDM8N6e_4ylh7t4|J39*PQ}2cR9{Ya>d`nfQ!eKTq_?qxL&n*R$SKK%j?qXXf_6(W zDbCrx*D4CX<%wO9=LLlCjc|s}S^SEnv`J>SFDl6*>zUP?;JzyW7u{J<6a#9Soik$!S!|sULBifp1oSE6)7( zdoHo#nav+CmZj`Hx(dVzq_GFYOAqN_EJ?+ju^5?#sG>=ci5a1Cg7$U2UyNWSMmMl$ zIK6%{QH}*l!$4&xcC`;(Ce`in zz;?TAbbjmmd+z#azW>SH)zf|b{pE{`P=1hiz_ITB&)(5t<^HFqy{AWy_dh+v=hDj& zUp_5xg9Q?K6cHgH`A~5|0{Z{{-~Z?TZnZ8Mnvx`gn<%vut1o)8;H+JKM#K~fML4xU zU}3pyKVP0fE){eQKcNaK-E3(AvXnRS6HXK|(1BGhdZ(Y+g9-=oaAuSsWIV{9skdBtd7{Wy< zztp8iBRu}{OQ21h;Sc)mN&n6h^y{y`{DLI=4?Igyh(038=?r~DDNSRNN^}4P0wv#T zVYG6qwF2*M>TBD(OGB?zXwI1gqeUBq8i+ovLq5pB$;p9jcHpg>F`f7Z`r&dZndgbV zWff->@&laF&DQEzeF)1*$K-Qwxyb4RjB&~(E9h| zH?PlLfAi1i7;@*Ng2G9A@JE?5{a9ip_D_}2dinAKU6VzT9F3D1o0}NvMB z^HdPIvQAt3;@S?O8oTxAYoTrHaMvo_9D!{L_~_Rnt(0Gnb{7(B)W*rX zoNmvnpmBN_QM;i=L4WDyyCp<4w4+#{?bXFJV_R2BNIW4$8N)>E>qb`c*{M$J_J8jX z_^p+I)%*Y8V83er8T1d29{2wT`KbMWXJ<$Kk50WL0>z1cYiEUGMpV$t4-|oom51eG zMDyMqcvJ5d!b7?C=OH~b%l|kta(+n%un9+qtSA8q6|&typbT_S`v%Ks+J0XJIx>$d zP=8{hTY;-X%2+H^1$QB^`eCmfQ{Ta{dmCKENY$|#1orB)+kn4e{5oMc4p-r^jyzlV zR+u8jcx>jNSqODZ+JsmJuO&tgfli^UzGZG)%|>gdW#g^Xzy4aK$z30|lpr^t0Aho7 zcaTSLl~Tyyo)AeK&1NllibugszM^oO%p+6ThN-ZGydjW##g6ofPHQ1l=i#^LJCSSO zqT*&6U^$gl4Q9FPN(y6RHx=`v0(fKXbOpwHQ&B(12?30urjbHImmtfN#Ka7VwnJ7; ztY+6INWPF#a`>gv5K}ou&er57a|-`Ogkm1Gm-H*ZiLin)A?XE4#us#wlK6yhX%Orx z*0QJn=tp~K|LD-QXN-1JCLP6V4leAedUp0e2;se-O zrB_n&9a(Hnh*pj_AjA~(ms`^swzI;9Ko-e^+Dl<8ApV?pk>4gKVzX)ARHy0W?;6)h zDa>fYRb%KZ%!6hHGmdtb_JtptxVK?BZ?V^AZACm<3CBjTtPWMxD}Qr%r8Tt;IVQ4o zBccp5-<&odc#T5$=6egqAZ`So*JXSj{>2|m6+Cj$QkD$L#UT=VI!tHHQ@?ty&5gxr}DOoS@X(RA&DfF#8m~sc1 zuiCOlx$kq9`x?(LH86taa`z_nRlqM5`kKq#i_BN?$~>&dS6eh2iG3@MQSNP4Y#X6( z1(@5&d~3n26#3S+=?)U#hOqyv0$*+Gx~E}--^HmA{baLP71-W_QPa*X!IS0N0 zum9c3e7Yr7-$YIH`=Tc2nSBM(bY~ByGwoZ5!xd+YC@0M|pz6E{VHd*1YILpGakfg+` zfQ^SXB>i{Ih`kk146e%}U{a7*hD^Q5SgeOjJDl9}36ZVhB#|h7fCFk79-L)j8K#(I z30utI%7vu}8==+~=rR<`S7O8bT(jWTEY|X}TeCv%rEixm(`CKU(B9IDyeGOg9-V@o zu8>&fjWlGRs0)0Q<({}LF%3@bWn|P`+xOS|4G!;RRA{$%6KbtfHd3Oy;BKtix|lce z8~!=D_x(GRO*a-!W5`j{>^5HQ#@*C)eAhD#ng)GYbKrs|Hu7BmxhBgkw|e7)z6I~O z<>+p=?jHyK6LEu>FObLz?A|4%Ux1J1x;dJiDS@FAJ5zl)KEaG|Z?$h9rP5ds{gc&SIAG3x{l!`VUVmW8=DHS}2yN0YK%4g(t%#DBcSe5bO2tO>4J1zDdP2)Cd7k;BQ95r5B-%;2u0_i+b zH-vJ7sr(9VO?>fz+MJ_p)HAhV4W&$0-Qr7ccit-k^q^1ZL{Z9#C(<JIqO0l``vXc&=2Z3Fw^T^R7cc3I zO21mu`%lC0*3?=v5GFpTHi7j*)AO|5w5p2XIBJS`E12bl6n!>_O)=U7fryE$D#dk=^f zQ#?3468X$en0gz|v3|@v0Byi+d+J#QK&j(179STC*LC`{YNwm7t6e%_ZZr>QI%0Wh z1^Xdt<0J|4)C*`JaobMi(sH=%g1F0)DAl!6z$Vr1yq4CD(Pj*?VR$TyYXr>mRMHta zNw5&AS;d%E-)JU^KBAvSjmA+vnPZ%E1OdRrDijv*3p5IUvoBd z3BcO=#_=tnWh_3^t6S-KqK(?mde4qJ&w9^$oo5FJ`<>_T&-3R!_0N&|=V^Nz1T2>T z{?xh(PjECPZ_`|m*yQnUqxPZL3aDX7t6@IxRe_pZTIzEN_shg6B_!5a!=s2~(q2}9 zBv*4G>Okb}4M7o3pGd?>vOp|Fa*8EloK9e3r4w^mMZrq7#%?3OLi6H_?iOt{%-4;M zV!iEV*1JvDML5GFnovoVM7U$*!5YRo`sDGl>iC-1$WF^MoQ zDg~>!X|cQ<%hO!&oRcyAfOa{_2$tw6YNPhv3O*Ge%qOKh=S^ElfC3!H{L7&;h?}Q{ zbXX*c{Bq4E5uiZZI)dpS$g>H@G1Mv9LB1Wl)o;ob6E+DFGAGHGO%m!$HhHOD*6Zji z43<^;8s0XNXfuKYIweSr&T`U`G6*w=gBVhE`N(T2yj&fd`YVu%LDj1^qy|GDk(ude z0|ZtgVHy58CjnTqJotJ_>X*RJ8heFi^P?|+`Ncn=X70y2JD(plR>?BX#JP-~Ue={Gh7YAp?bt|Iw5OYgX5U0XE-_L6H#sgh#&Wbh|L`E7Bjen7<*?e`L=9bu)d< zq4yl@@JbN#9xI8J;^dShcu`zx)bmPgINV{0$i1+9QIbDk^-Gkh%dK&on@wZ3VWoZC z3EAgmSGEtx`LY_TRC-BQ!SRfyz(C!rrYoZK$DB60oN^+jEQyEc>4pQRU@q2=+@|AF zCh-#tOwIh`s3?rM)n#2@u%4xMC8V;dyNWRg66KuAh3X6Pq14yD99td(CCrwe1nBtX zOYe#5&+pS@@rE(^HBE?E2uWt%tv#k#o*s+WELFvtU%nNDH#45MXQ#DJr(>kHHJZu> zpUXFAr+cVZ9x1?K0yLYDeA9rW(t`-Wjd6qwt;dN zYER@FZBRJXta7Ok-jMg=w~>GEB)0i-fp<~cQfZ)6=Jqnc3RItD=iijlK#yHnf9fwhpDcI>C0;g0=ui-CFQox14)$=mJJjgTI9>Oa&@jnJGW z`HZ|`d0Jk?Gxg+LFNHbgU7n}z)-0V)$9~*`E;J%c^&mtRUkXJLXt zzy8__;lE#gK_n3b{rc;>;qbls1)Vm0{``5b1h(QM+QOO_C^h2F1i3&u3ss-uy?aA_ zcIv^Ei3qOA;>)Jd>Y5xm%j!jhOR>CW#AUf_jUmt&vqjw$_}aXwbgZ)m-oG92R@O;p zJ=A{8n%%I;;$DH!B*AKEz8Y-=S+7af!}KLh$E6@Um%2tO4^8{lsXB+MRZNKWVfAE`@tvP) z`z}F}xxx*2?pa<|l^TSu2AQu(bEz-92N8>1lzTz)YSY#8-u9-edXZ_a*^qq^EMaSo7Xaq6W z@J0tdP=QoC9SX_J3r>E{iIAd$1Vc9j;p7G{1QORYQ`H5rm>{Un)ZZeK<1D2Twdo{f zoP2MBVN9$|tsKPu9-p6GfUpjwHW(ME9;o5I%Yf7avc_A)du$SV0=E$78Sv_}I{R;< z{lnV>JSUv8*nzqOq^~O*U>gm3pFFUox&I3)DFYtwV*HAtwRe?_;?bnHa`!Km$LW$?lk}XkpESeUlx9b-ffis5E|3b|y->dye%q|=Q2y4r z9B%Vjm;Yl*Fqb2OpKM!pF1k5)zXvpb^NapI#YNwrEF0DzU=WH7RSmhPn%cQZBCD-0 zK3m$6_m#VDvplpu8K2!qZMa-q_cdKhc+dAp-fC%Wm1pv^9+B$WS(V-KGh9MB-f9vdjYvuo^y_)>r8$9hj%Ks1Xxr_W? z6aC@RX>T{=Ed4h&`eclDS=NLybNwuGCVYPU{(e(Vu{6p#Cuy{>9^yA7OK?P5RbPSY ziHm4T;ykfNNMU{sQM>5xTH#-RZMUkH|58m9V@b}^|AVCjwR;Dse~7+N|FzL>%5Km{ zG|PoN#ge>YF&!^Z`@i;kv-Tcpzr8$Z7to!}NaRsOgc#?^zp;@hXL{(h5c-LYE=&0Z z{6p5|%mb()`v7V<>wddA)lhSrQ|pb>YvaS_{XugwfFtp-<-lmP+=KOvY>IxtBYM1L8r|W7j zMAI_l1YALu7rrKQ!hMf=&7X=quR`;>e&A?#blZq`R6U#EH|^!w>+fE?IsNhU?Be*V zmoH8$qcB&%ho~*5r050TZ5uNpKv>Cz=ap?YvxeQ;F0$ez1X_MJp+Bh1(8)|@6 z*&sI|a3#-O6+46)+C=Ky?(Fi|Lq++ku+J z4tMn976x{&>gQo^Y4&lIZ}ao7x-7Y?ApV8J-J=y>mDZBm?^`?Q^83^8cjtufp*KWG zP9urrlnNW#XpCKjoh?KcgtT@b7+Vax-3gV`e5BgwLPyQtL6-`V6VZLXfAn;{n~uy$ zDx2x-D49e?Q{!G+>NR_uQ@_zoZR>h%Yu}yMX%FGLTZZo5Ja?bnB)A{P-EX}QJ$`_fA+OJEdzbRbu|HK^BHdfeR-N*aGbTUXC24=~DT{*<`wPsxuyNdFF*Wa&xQNA z*6iNq!Y^CgTXlbTRy}f)JI$ca@YX8V;ofdzmHN-=%Btc(+^4*+%3`^f%c`1zq5He3 zY6*feO@E4Os!D9*vxv9+3>n#-So!bncB;|E4^W^au>fb(TnF=WCYlH^ zd4)n<>Tl;4D}ju1F64SJU#VhiIpW6Gc$8v~H;6m7F~?Rg(>JL_upy$68nm);xtQwh zI^V5Xh#w^PdV%Z{Bwqg$W?A>s2i_*ZpquCqlS#71`Zu@+f^8M5ShGW&;&)X{aacj2Vvz zx_o(|FBJ9AnKNsj)2*S#eSi7#;`_8=FdpCr(%;7|v!5h8IE9vEN;no0;dG$^X*xi$i?eef&JkXI=bvaa!n;<$vn;4r}q>gU9oK5A!j5EBU!_Jli9G?UR>h?OG_fJx1nC z`rfI);@R5hxD`Q5HMghdTBE6A$U|h3RK?3l~EgQ>pn*u&!|xJ1~+6h zW$ap%klZbZp!-F!n<@d!=s^OJ50a!YiAy#ah@%&*D3xgwL_8renz5J^0$;}BzzQmr zXbPhmLQg}GGS}fHa4=BmZSBljHsW^EF0JEy9`}Pk_Gcac&saQTDV2=hegjy||NFh8 zr?vclhl5A{{~#Yw7&8{X(u1rtM=yB5KJ~)(6m#+_7#CytnHNn-3U1=>BIhn^3i>`H z94jQ}1->!kZlfv9%v#DpGdXEGf$%>DL0Uy*TmiFT4{BE?zwznad$#MPFz!3VtT_V2 zj!N>I2jIG%y|5u>usdZ*6S>|bs?{sGFb~$n4lqpI0 z94A1IKaoYmaYoL}>q05h&yD$RNiFl%i;N*K0yM2$a}K_pmkmh(1N7sMYS#W(?Cd{g zEdJ5?=6=i=mp`iB@x2z2_EB6Dl9fC+6Y^on{cm?6VF`Bb(m&ddj-v-8L*#;GszJ{i zau}mtzoMM8`(QFw=G6ev?krCvwbz60eHyM~O$0N*`N(-5mh%8WoEDdz{dxEYfceo( zogXRt(M+8mVe0%?tj$l&jG9-%Uke`fm)|v$(iXYfF(=EI6z}+yqK`|U_{e)6dC!B& zE|oQTTMlz;HkXQx`PBbeS}lKdp@ND}{dL()U&_1Cy9R>YBth@DXH>58Rwz{;shYRJ zn6Y?kT($9l-u&?=Ho6T3*UyBi>QP}U0-l(&hJoCcuw~F^_^!Zr!~eSX329#i{w~Dd zE8G$=WCwf(XET2MQO+{2>|gp@qAgcn)`VMQT{cFWp}kEL0KmQH=Ui+5Gw%GKV1K$@ z7Ra^szurN`{x=xx_aE(l5Amspq#qXO%#8JKlk%}V-)?b)y$0a(IRCln6=xgfPTbPro4g zXN<{=rS_MQSdwv`!0%f$sZ7tv6slg-$XWUm8$l8HyAh(_Cd1_)bqQ^qda~Az^$95b zM4IjPcGuu-Ivks%>b!d*%+-y*w~Qg5>0G&=q?k4-$6uyQNHqKsWt^sRT(O?G)`$Nh zLNSlpOFCDlu)qq=grpZF8DG#zO5zj3r9lCa%X=n(86NGS{i8$A?zHR2)R{0jgWV=0 z(+$`|w@#f`k@)!ZA`dSDv5ZJZ^U#_$iwmv+r7pl2= zPfJSH4!uSkvPIVKXUH8zZFk$Q4L0BHDjru^-J2FIt#O1RtPjB5<0fGsuH7bVIp5LZ z7LPg6TR*66rsLQCd(E#bFMb1885kZ7D%8BMG^crgL?rHO{Yz`i2nC2`HowOZy+iGj zH!qGaU$l+YxUQeVvkGwiyso(_1yau&VakYzsXe>xW&z}w5i}+*#$(VwZ2rNfqr#2- zSUGQ89EaC8*!`CFpY7~_w~GN>lmENFf3#n{|7CywG5`02e3sk)Ok(fPD-U6LI)2)0 zgrzlnFDVIEK)lDigsZUp36m2x?EIfaio(xSmb@1`((f)^VXc*an0$fJltkAepLMlT zI`r4sF4(isUqX9@b@&w)YA^NtwfBH-F~x(!BazR_iAetN$q8A8f6hsubL^n@ zvx9^E_KM;UmCLYEzj@4P_?Xe~o-!IX30^C(-ZHP@#>r&ruR@);?Q_a6b8xWVdH($Q zVS8nMn2g0mA`2WvB$LQ!&`5ICkx>Us4L1ZuIDH}!C&@ymd%+ShPA4=4<0Yby0;b?b z+F6B6qK?lg6U-kudyA)0G)&V{{-95s@}Ul$#>>Cf7J=BVt+oTS?Q^L!2X8CH? z#$}~eq+2Ydp{%E-TZyhh>HQ>$+?@2g;CxITdFVa9P4dXHz@Kpp>532~?UDzw_L8Tc^B()O4IcRyoxpf~5|iWGKs}pAAnZj=aGO#Kxdh+(J|M zJtvmiTuR?WV-ON^nP;#koYe(@HrhYDJ-~CqDT^JbJ3#unvU|4Cp!dnukv~^rzeZ80 zmfmlJ6nquV+rW-LT_(Svfy-`|b8u-GA$m*@_ly*>@keX+BQKKl06*4b$vi4^I9;K5OH@M0SVF zpZc>V|L5WUQ6>Ld|7m~!G5_0xe9Aho;l3B=wX~lndVZjDH9ye##d$3qiDS7C!ddX? z3nOo9!|V3P*~*b@Wv`o-ms$EUB(Ub|m!j{jazU98ueB+sXoh-t zc79TRaDH}LJP_n1P4f?WlJGpy%Hgp%P8TiT{Mc$xa;t5$0AA%nzVWP@t}gK|7^&f^ zc6wozycKT!45t&~^2^LKPb3s{s6h)pklb{Lm_U%Q%6Rm;{-Q0~E8H^ak_z z`20-2)%Q@4RQ>>=u7mUqTd*>~O%$`{PgN|JFh(N+!VS&~64c zW)f>o{?B_MQtAR?Db!RXDak`EdJ?w6(~BQ3B;%y@{oh}|cyrNG8mR#kJL|;a`RIp} z3lvi>TH%DsF8r%o(F#ZZ;9dCFKA29r>L2@4%+qcGXoREdJVQ!76s<2pag(*a2uJw3 z^+hOWS?i1ctF?oEz?`yNptI8#q7@pksTIy8s*lPXrJ13kDdV_c4GMMAzDCs+pJ=Nxmg*ZSvom*5t` znM;ec28k*kc*QrtahzqYF(jUl;NSl}{P*zR*I+7Y1yIS(^VFpvW+_}j=tY>=z;c=* ztT?>-&cpnjq7k{ErH)0n(}H_?v+p&!48l6Si7k zGmd6zFN)YK<7BF|r#UH;+d;Y=FsbB}Ad9aRvq-#u=Ok?PD}>gca{|*%Q0e>Ec`Vdy z$*|H~ZPW270@XL8C z1R8TT)6a6wm6ifv?9ynWy|{Oha7o7ygD+aG%9WG`ff^k<7VcUhVFo475Y~==gwtrs zc*_H+mo`q3zBtgwru&^rfv(8{B8~)s_#`Dsj3BybPGb_cBtzelWQIlyXkso1N4t5N z&}$=VT!q!;>%}p3|8jC9pwN;0z+kO?IuT&ou zXOYE}^>*V-L$#ZfQqRTo|bC+gmwOA~s5hKSd431WTLst()G$k|gWi3b4m6}YAJdlWp zQ*fdpDr^tEb8DfrM!E5ov?joE8z*|$w{yL;o&sGros>m`KqexHIDuy1M09s>kTOXE zmIiW4m41%7Tm)V=AH}f)!IB(S+g{jey=Jh6v5P|lPElD0YCew$dU0}kaa?+(`QdR4 z>WS&`CqgqBPBJE_WPH(TooR1&47cUN=AwEsArfNh1A(te2aR%RM{A1b1mOh2!_kP4 z6yaD^S4^syz#}Zk6}rKq7}~Jay1Kd=VKG%Y5>wTnVTzd2JtJyQSCW(3MZ~Z*wG=}Q z%lqsYskeThhpMdbKOxlMO5BTxGV>HCaF<8jR~OmfRXsP&S|xcy&qJuJ7sQ3x(7&aVX>hD#DnLG0QjMT75rDxS zr@5MI^Wg%|k}J@AJH=G86G$jdt_ucJtjo5bqx9*+IpG|N2{tQ0>k0@1pA|%{a+*$r z5;gKv@o3zdDk8B*BoYxxm42;64xF%wQnXEU^HmT`@fBi*>7{i!A#7=5C=z)zRfrXQ z!cm&fMp`Y3%bZ+=dl)%^GsARD?JB_%Iw~wA7nrz8Yg%H@!j6ywgh#%3#aXGbY3h^BLv%t_p8eSuD^!|`Zq>Xug*IVd}o*f(@v<6g^HqHiT54!E+%u5u&gKuWcx*9 zGJmh7@^?5*S)S_T^DiRMePIIn76Ke@$hK2CaHad`v=$FiNAbLN@8DZ$Y(utJHNH zR*uQMRaPLEv`?+CIVCqm!^~iAhzJU|Ouyh5t|e5(nYJ98dVleI8I?3Yk7vBlHCW536?omiplp*XND9`M8?4HsC0ha5`v>C*oWbm3NZ?uS|bIRp<1!u`y8pO>dr7tyL0-FE_9c0d_z5QCeppu7wA=snRJ=BbBM&AB&Pv;jucY89rUA-ek4FZaq6`Un?BqmRfP^=*9&ywAtdAN8&E5w@{mw;P6C8={InBJXQ2?1w${5vbB4fx`M7 zQRprgnL=kyaKN`hm9og|Sc4K#t&i6Jb;?vfp^r#Nt|sb7bk#Pm!h}UQXSVgE?~8g%;4)vssz=TT=I z_jCObQyAHa>*+OA?K1tV0FnEV(dR>h9c+n2{xDNQgf zrEy~QO{5{H{cMpb&DI|glFlh-Da_kY4@42I^AU|0OVkKJ;Fsz~2#|C}K?YKzYLp8| zD-OT9gLUT@=g2Bj#UZxhJhZlfX?M1j6ZJ(?g{@9Kb5cu6QI_Nr1)h28s%L3{hWIfN zA5AV+)tFy?RV^_u6of2G78+FInPD^x5Rf3~(=e8$y+VX7j zGGv;LnF9>zUABd5v-VY{?(3SOUC3-@$ZBDgLB93p>7d`+R{-BCZE2IKs9?opluz6V zZ=LM}5>>C8Wl(X|1RLcOZ{(Na%3Nv@A7dr!2>OWB4-+cC6p1EbDXMvW_LeiEsO=t4 zHUeKuPgrJ;YItZmd7H&plJ*ezPeLS*|!49jEE_Tzm+l@oIuX-bIv3i<>T<0knBgSu!Qy&%}~_9_wEC} zA-)cN|30AKOld-Xq%rI#c6SE9#cJT?1SXsGa5d7fK^V9oIw=9qVZT=5pLWx#x#+?T zk-1UH2MaP?y#eN}K%C_uAVE2k8V!6+CVP@X2jZiBXS7T&*TF8-wSZWv_`KUrv49=7 z5Ygs?a6jz9&f*JS^L}^`noUiMKK54Di-hVdD%Cbv3CZ|B6`oQZr2YGZi^jdph}VB@ zMpyWngxB}bI9kQ?-7{hJbTm;Swi07guPNUS-ewbyTrfF%ZHS=wymY z_U#hV2Dx-8VracXHExznh4F8#*d)uz(N>}}a}?66A!6?wR_$DZ;fc`6n_#M{X{-=7 zxKo=DpN&iUO_SRhId?UTZ^=hzPNkMHT3d3$qU(!masyKrr&VoZ&=auvA4Ad^5QC{! z%(eIjeX3v}aZPT(gA2}WXD2f%brWv&M`3(P#{{63F&|8Ovu5mtS`OZ{O00lc?b^Gx zC`8^S60~o*QNc1^=C04d`VM>j-?bG%qoYFm1uZA5Mmy+} zCswRog4;L+8f5gkdlBt|k9aRcXVSTiom1IpNk%&kmm<_nYC!lMDP*;VFqkcnmvNgk zIHA7E50KT5Ipo#@MM51$J~4JxATitu;6te!SsCHQoR$3Q5(LhY6du?df}px zj(<{Hr<6+g)8Sn2AU_2f<HO ze!pKT9>0dA10|4R;rFv%0bbqiS~bXOw6Xr_cu|>E)>Jc(_OtP8CeJxh>!hw6W}XgL z0%flb{0Kfc1?k;;Rr_nk(YY~c#u}2jjf@h}L0%eN6VsCt5|cPY=#4J6Fg#ORJ0TEN z$6e?k6OpOWoD*k;HKVR~;d@{+e|+vz)1d1+rg;ZW1(+0NQOKy}x>v_O!j5{Ej}jUw;LvRS%YZkAd}rS` zg)rs81ZNqEi-Hi4XD~se=%Cl@^+P2r!ZFs4)W=EjT!p_GaRLW!H=PM}=(@hp!WOejCl zZnXc@&IE@F{AlXCWgzalcxc0mLgCkknL+HZzF`}aUTIss_nd;iwEH-l5jiEfK;Od^ ze~hDdMV}V4G;;+5W(tNend|v#pLB6XyE`*oSBVx8nuUMt>5UD$hK9_>j1WOTyEI?nIgywuyHzC+lJTl+MV`r*zL97+mM+eR7P<; zJD%FS?OublHXK_t-ql5>?mcuuot{m) zWGhNG?HWDzw&)LC;T}4{U|!zx+u&|!wr46ZH#0ZjGB4D`E1#P3%nwT?zkGsK$1ORM-Pz?*v(dYgV|OpE5&^suqt#36D=HLr zd1{(fq_BB-m-#+UJmM?cpVK|-gQ`?^^+2Dqg(Hl*o2@IRGOF%07fVSqf#q>(lKD@y z>t8$Pv|&V*bd0`C{SSrxN?&~zYOf#_-W1T%p+2OfO_lY@W!A-&Kk~?`W*Ck1;((XS zr@1O=hs|_a4U<3FwB2G=2|J&61tDle5_YrK+_8S8Cf^sl)@R9&ZEHX_!Q~cs6Xg@m z>F$mTTMZ%{fWo4v39x@!I%-eN`t_1T4RzIAQs;aP4V)k~%~A0hIRe-7oEHvS<(6^;GRR zo>3?km>DG6owl`Kw1@52OrE9fPFtT`YY*SGP4H9Pe*f!xZR&HjA8UKl4zAGxIq2^G zNN7;)Zj1&GcM+mjFK&C^#yp%mE1FKG`}>qiYP6TclIq((t6b9DOB)I%)*ES{eByPx zddTi1qEtX{E2ESyjr)WWN(oPce6sZYa_OYnsefMaWK~Z*$|rve`J_6=TMH<^Eyw!< zh$`02^Oh$K-JbIVtVgz|it;*ID2)i(ErlMsc=J7rz}*zy;Klb=qL=K=KdGliqKIhE zQ%Msqx||B6<5CM;#-I}l$qAl`kj6=~W94w>&S^^LT$VQw;L1`#q8uW8ayW|NCk*q0 zP{LK1^<8w0$oEAJx$VI*?x4@b-2EX>F4&Tg}#$w}V)&U_%pZ^w$Jt;tFmxd&? z?sh62+vCKvi~fVedu2*E@l4}Ai}1=>jIUr3UO~Yt&ntFKG6>udi!{o7#0x*uXv=>THxNb0!(iq^1mA=}Q`~%n}w5k`spreGljGhZ;c{ ze5V;}2ieon_44*bL!FqU3jmqNRJQ%5n^PmE>6}RxvE-CU63Jqg*QCC`tCp37cXz`86Y-#fjtac`&=cP%+gzou=aQ0E;GTB&dfnQ@O#>=223a=P!I#plw`tE zf`ZBN&G_O= z!a3v1Vo)lBQocZX`JVXQi}T>=;XcykVM~rM7dl#-3auDsgj0QEl0CZ#CnsEX5O4qd z*Dp~&96Z+nzB;_BgG^AGQhRiI;};*O3mz$AxFNlSa4{%QM_(?g@8~X{Upwp^K6~2P z-|roD4h{|uI)?}QgU-?Z)90P%`@LSL-yih*dUG;jCfK>gNJG?@h@t>pyt+I`yBgY_ zIXxI?r6WME{^R0rFVU_-QhWCeP6)?nS0S&xJZC~qIDy)Vuv&pPB&GuGDtc@0UL;sZ z8eI^~qbb@|&8bsHX24=%veXiApN&@@;PoNuPG#bE4|%jn5Wav-90y>vM!G-TQ2bjW@r;ZT3Eg|5lqHthG?f zzfRCS=s)l4plS6O&RHyz$f}U6_V2?2{o39VxfL|KuY1rA_OnR@`5N9>5 zP2rVe?lzGb2FpZ-H)T+p%M6Ca+cUu5r%utYG34STudRB2A#%Ep{9vdC6t|6q(>hZr z+NlElQw6=PZPxuqx2$F)Pr%J z7{C^aD12;o(U1gZf(XYWlLWC$TS@KSpq&;r*LU3UC>^}> zBW;xY0dtD=?%{?6_77_ewU-CDGzK;?Q;1G=w2lwO(R2M(7Iz4b?IHp^4*o*p&69&bE8KSP?h3gLG> zvRj!)HQ+Ui3vj!oCY2^AnZ1PEJ2?h+6}4iDcmF?o-`?D|&Gor|^HboV+qIPusf%x2 z?PhmeTWK^=EU%=bPbclDGzm#;D1s#@JAM?upZy)&NRR|Y(s9(A*qKx&frEqF0dUU2 z`Oz+-Cn_Aj6M)TLA<%Gd?8H1^`0{5S=zj1F$0qGr6QFrJFnf7Ejidv(wY#6L!uQ z&Tnz(9}#>kft+_S>!bh8Sh#mFl;Fzasnk{#ObMt0hf%{NM>r6hf=~icXASA1bqJ3B zPnGD`R7Zka=f~~u{%>}zh;iMYy$LAMq81=RV6wjTq4L0YiB>Diz%a0wb0fXfhUNhC z9InrtP{8HjYAoh1)4nFRKtH-P_5vTe8C51_;#2gNoCI#HXlbs*uQWTYaP8}gt%jU6 zztCneecj0T#AKb}A^T&FV8)B?ui<96Bk(ARi zax`EWe!vl2=}lc8H&60wRW&zjocgULHB%aqF+KyPD|dw;zD5y63DuLvk;(XOJf64Z zW%V90HlJ4M`VkCL*$dOR<#0?i{wzxoN1B83S=Y9F8+w>Jm@?%zmvf3KClt;!B$`bl z@-=0d$hE#)S;M#etm+}Wb4i1|c8N@U7;;^HisuQ(3SfuR1n~iR4&X8NCotk6yvX4& ziAozH&%3p3-p=9LC#-I}-!*1Q08InpTU`Q{IF5^igXEG+dRV4Jgx=dI3|&n<-N))w zbR#-qN4(!7-tQ6b_lWm<#QQzs{T}gtk9faFyx$|< z?-B3+K9h2fc)v%y-y`1d5%2ei_q#*9S16xC2?2k?c9Yw*V^mOYOBbt&g(mG4LQ$-i zdp7-_TK}6~N4~U-?fTz#_w4*Qr~mDq?e)LAcn&1jHMTLP+a}?Vh!e*Xfl5X1#<9z* zuP>ORt#$z3VQT?<+5rF{wY4(lAhRja4uD~ROXeY?Lc&b+A_V}__bB}6AAAqHVP%dkyJkB%WI|c6C zD=417rJ&C}&^`T@Gel1BS?p9YFsk&HoJsW50R_K_-;x*c&Ah}qsL^+nc`-;B<94uS zKY%do_CTlIUNQdZu}6HTCm&Lk_FFfbrAyvv2N}!*sr)<)dJi0@-U_zB|4iP_Vs16Y zs`}&14%V8)qONPI3dz;URVGeM-$)q35@#=zoM{KL8eOimcs-WeoK{0giC3ciuHIsr0-$&DUNal9f}- zn@Tx`A}dBhQj|>ylJUdxkiXzKhW-P;dEvkS`VRDM7h+Qz&|4im*ol-AvxT0ed}zje zxe<%UM_K@Zh2{FdvTcq9NOfOw^Tx+hr4?5?+6k2^JH#eOONLDoZ&{AyGguR_b5Voq zHzksZS;Ew`S8KA5l8x9h;(k=BWB8*d$lv@?%YV8!Qys+)&VQZm=}A`pAD^A><^L|8 zxTkxX0q(5OWgGtj4YvjuuwoDB+mW5g&Q-G7_JBUlrWA%Wakp|c9Zpi0_(k|rvYtSP zo~CpS2%D0_cR>I|4*~1}Dw{mlCvWJ@w_c2#udG>K8!uI^7-BwOF&dO-1s#{9N?FE9 zgH@Fjo>br_E{{xWVh-KT6STVGeXirtRYxS zKe0l8^j!HnK5F^THK25ZWqG(ocZN@13rggFyL*z6|K0Y<`Ck6-6h<0IBuRJMcdFuB6jC%_`m{H|xAtn9a?Q}EtzwUAOc;Ej!c{Us1z`5%~5Z?<7kYk8m z)`9W(s0A6DjRrsv!Z{2>=v+}d*2G>yXYINEg5AvGult`UZUyp57K0q&1dS;SSFuHg zoIk{MNbwSY>`lnzi$RVWJ-~RU?srx0MgoTO4jvz4LI8*>k3BH(rPpl1>q&1I0)KM9 zAf^(b0C{Nf@P@D?{xH+d&Hq94Km))%bQeoz%8|}Mb=pwbSVc|sYz?Jsrfee>G*PO7 z((STDI3jyLZL=`|^c~>_ksXpga$sgmrp<*Ue}sOrRvs{!Tcjx`0G~k=x-0M*_^wZm zlc39P8*ME$T_8#9&H)PJ5|jo_b@_yVmEx9{%c*WB85hsIyNjl(xut%Ya&pWm$!D6q zj6VPQM~k%mQ{$<<{>zcED((Tw_J8M{v&{N`(mp%hum8Jv$h;MDPjojA7cciT6M^y@ zBK9*vC7;c-9EU9fmg9&V897~$D<`o}7$Hf}RAImgQNYrYU)5Ql`6}=rej02IDQZj_ z*(zTGYgWeDW}{?lpv)*(%WzP?|7*{GhN4h?^Iv8DpJ(-d-P7*Le*W*`Q4U$!$82oU z=$~W z+x0?|;sL*f7?Uiq*AEM~F-1ePz$3pOhA7ky*aaZy-?<_3*@Xmg-zf;uEyPWL5x9>p z`?2({Kes&3z4d4`9;~GTYp}gE`~+>WtG3Z@l0{C)8n#Eqi9(d8BYfS5f zHVHg>WsHn13uHo0x;{mVi^ET{P%T_X!@dZ(i| z^=?;h>ZhlAQ$IP;HD0_zNMXXxgqAaOag;iwEh2E_K_47Nh@}8#qXF7+l5bdu-QG)( zBmkcQB}s?@y_wMa#yRL=y8NNCJJcp?^I->YEL{ zWgR}y5_BCL`6L@Fqmfz7i+(?6|JR=XaWJiC)Bkl&a`wODZfCFm-^rt#T1nhJY_fnJ zj&aM?AhP}_{zO$wV!5?F_kC`qKMF$EkLIy%fnN0n-(npcfuqzy-Ke}zXf$fC9rw<4)|My5T3K1XJEu4x z7S=2lq<{t>xTijn)WwpM_!S4xHbn?IlPWHUl$&4qwL1z`wOXws<{{`ioXXsCJ+KZI zq2-VzrFdcB;BJ&?K~HZsrnr{y#`T@YN80Ccg}$P^{j)u_<-ZRj(sV`wZC<(%l-Yky za{Is2PG|4`y^}{dgK~Y$Rqm-%Q!Y{dte6F~O&t-RB3i-rqhTS=ZTX3Cvq{w7aXZA9 zGxUtAD7m7hGz{>jNs#$DgfaJmCx=(~iP}eS`V~2@(GZU@j6t6)9~Se+p;4wa0J3Vh zM7Ko_dKbeXH7!}r$oC$`2t}`453-1+v9nzgdA|o}5PR{C2hL9?e1~C}q{GlAl9B^H zvtpU^9uG6g;VfjEfOH%+Kx>V|mgnB)uHq`jloc*8%ViiIS{N+Qt|p94MGc;ySWtzX z$V~wzs$^y;6>(nfmTFjz6Vm!-%_&(DJi~?Kgo4Vp66NHd!S8DnL18_kjp$)07blR< zZ|=@GalK>G|9V}rq1MwmMVb$Dr`_)LI=|#n34JPUCl^Q1uU=J_zG_XS)K9Bu+ob>X zPC6&;qI&jvzhuA5HRM4_OL-LmV8zDr@3a=#d1j%TXmeoJXA+jH{IDORh(^LyGnasE?tc2x~<$^1V%JIT)fJSeTZ6<+e?Jg78rUj^OVKUy2m7f<>-LW=h6bSN+cCmlL7G!Iys4 zzr{c636fZj;?F)kKM3DQ@Zo1t@1ON1_?egWv;K=-!WQR7w*9CNMWQv`;O^`tQx8bu zfqwCAv~v9g2UsJO(TtqRBn!kY1Q4Ns*3kl0q#%K>%OqINwd*J{GK6AT;<*dMXvv^b*NV%=$H%7nI|bH%d`xV6@c?R4 z1BarsRq(sQ6xnDn!yp~Ot3Yxo-9~^KL-g!e*$%gx^l(v&WGcJ`xL48Gg}f;7ia9g< z&~4B(#=Yf628K4)Qb+Yt=;J!vq;y3YJySucsVo)Ch*e5yWmItqafT`d$S9G#3=RRA z>Cck9l2S%0R;}61ASmaxyLlMm3i{h3nB=-%J!JX%61A>EHJjJ;mJGyvG6}nu`9&6L zd$|HOt=%eD4yUwTc}+3*!vw$p*Zt}2;_B_-TKao@@uN!Vr}jjoi&N#)i7#le52iX( zksD^FvQ_z@{*x)zb0cKC&!(AT#VF<_>! zL0U2tv~#?anHH2{DUY`ce+O+c8u&6x4H8>3=J+ozC=G60rzDm$@0?s>f~jmqsq2`S z3^uxlh}|-Lw@=MbPD8Z@STRa3;rlLK0a4+YG#P`>E%53S00fN=CU5O=3TZ{?t zvOH|9Q886oty12k^p$y&^Kjmh&M(g*Qtrs%EAu?<{QsQ(-`%rL?*2#jth2xWxsyk_ z_Lg4#gszXwE6aB>J0%A9GjSbgTbV`8Bzty-Db@ev#)ys5`C3=eppHJuoHo@!()g(u zIsm(?wHH}FL~HCl=;{qJJv=R~%tA_b)vu@1o7WWK41*);uBy8}-RnUe=x9FIfvzW> zWsKoWK7rH1B6IhEAOJoCN+8eDH`Jf&3au>H2fde)%bV=U#lPqGy4;_PeQ(g7f&N`j zGq_lq1<0Avi$P(idd?Wmg(o=un+d=aE^3AremW%zX0xawa|2h*R5`P*Kg%(t{`6!JYCPQH}o>2OPH z78avqw4mI{>vz+u(T~@&{`J+(XmCB9^{+3!ANH?`%jM2B%XQ?Sd%y2H0b-lDL5KA(~VDhy(cJBWqHnLNO~)5>Y|~Nb|#nVJYIrUtXg5y!m0n4F~LR-WrdO`W6;v zuSVmy7t`YEC%TBz8ejD%)4}z{bTGP}P2OM5F0QV|GU3=a-9xtJEfJ2)-goWq&h(u7 zuHoRwAeHkV#^$%!#CJCNA5U(M8Q_zdKqVK5GSZ}ymwsk?a(~Q*RBjT{SZ`FT>CJfb zYB222uKUv;N8>lj5zM)|W-cJOyeV%+!@=cGHCpk1wH2+%Fl*E8M-u+w?Z>M}+G{wv zkS5<}cDU7jtoQV9j`(8H(3?OHkR!dbRhkn;sG7Asuivz`0P z;k(JSKYrehzZ_jp$D`qFG9C9X-p&TsgX!R6IGYaM_DAnh)AZ;l+Z}X^-7s+!LTiN^ zCWT$HJb_*rn-ZBFuk`|4!61aT6+x#7@H&7YhCH}p(I}7@odE3mHiyDL#Ne)LcDvu1ZE(Z@ zLFi$cB!JEW8r>7~#5`@V3!i0UP2C)w?m4Y=r=WIX=5J|jWj&r$M6zvHdJ{K4P*3Oz zR7&>fV&v~=gmBSQfuX_8q~3WuvZ6IM1LO>DaHVshEFeLaSx0pSEIL}d_y;S3_trxd z8S}%%wEyG9PqWFpSFZ;DP9N~a4x8_%b@jfv!n%S7{vw39GY=6r7#&V#HP4eFYb=h=6}=VKi*R7=R`6_pA(s;;nsAc4P$_E)AO!B_90%?Uy#*Hn$zJU+Y@X2@vDR}1z zX}C<=GFZJ$JESf|i6cXLI&6$MgeTB%7{rc@L>=R)$!#im9Ti{WS2?_tPvKZPyqGB0Ynq=p*!RLi8I0-$+$99>^HlA&hVBU_=OqP`MmS=)x1IZ6G!WBw$A!5_w&YG1eZMq!jMIHfVu0N~b? zE9hAd+;>D_EtLy46dQW8N`$S@)L90(3-H7_Ecdw~t(~s&$x; zFO_Q5Xr$88+;awQJ6(nlFOlbz5XdGkznPGYlk!C&R(Ls2ikMOwCzyM2Z}A4tghNip zLN{uA|CW11r83y(S{y<#xGHHkS(BDk&JpBoYyT z%Ib3K`Yr517^H9;s+3iDt&0ClJB_D&tt%-*3eV|MnkOG;)$F8?w8b2VBkA@os^M*3 z*VDYFmw8nW^IR3ui{j&>7DBoRh-rS|-CGY>>8ZXC>+u(S>ihq%JM%p<@}cpWpNO67%brmhL$&pP-rb6=)I(~{1Y&N9)C12`^qxLbkdin zk4!sQH+XEEBOZz;{ySHa_(FF)^e4Z|9EaIS5#;x8?O>e^r&DlCmy<}d!N0SYwFqtJ zAAnq2l~OObO3Z65q824Jh~Fq!kzyP%{5gn=nlqL33mP;-=XshmL-dOp^`E?ftu6l} z|GRip@gJowW^!D5p~9(>J}0K@edNc##8ZF%hn5YW z7ys+Hla2q@J?-xIe>-_p_rGH~K)PC27&7@_xgld^8d|pN3+u5#^B6YrSSZ++@h?-l zbCu7YvU1@}9<8Egk|8*yi zYW=^5w@ZXRn!KxBX|ERn*QpC6HY77%nxST!N{su#^8!uutB zi8q-FDc%+|@f@TJ0WKySH$k+7e#~eyRmEmOokf_7Tqh{{AjO-C(^M^~DKOg_xti4D zHdWC~BNW!e_&dk;ukzHF|J2C$ocNEOb~_jUx3ic3yLk%Z|CpkqV+U0hc7{lzD>v+E z0IZxx6-UDD49mc5~Y7)QE@YcgN<;pQU-L(MhmM06DJDh24#ag zTQUo<3I{1;BMz9=8B(LWr2aI3!bB|$^URT`fFi$w@+olHAv<>W`R?qb-3I(d(gEn6 zfF)Xom|ZMlxvaJ0Lf?kH*caXOP94)l|7fANf8wW_{5O}-Td^RrPbj18{C}D||F_TE z`}6-!o&#`WMP#o;(I8nDgL|@tx?Q^--QNb5{n1)LY-$JmRu2n`jsadm&jSk&-2w{a z==zH$2%$%PNT^Vg-dnz-9RMFLs1O53K?vvWC+IL8|Gye082R1PXpO<(s*g33%Xp2fjaG}L3(;?X zMLAk+{*U_?S8w~~%6U>5rStzRd;V{?kN5r`J9!R(=wwa10I#990<`mmcR3LNLpDZ4 zN)Vq0nwkRx=sU?3!$Urv4(Y-0Fd(!4kWs{@rv2-~dx5drHalkfm!oAA1-RF0xvPbV zmoD@idL!)Cau%?~6B{(G;rc8nJH2c1|8Vr+!IyK-iVXbw+6rMq(~Me=cCn7o0{W1_ znA1CstnMP5Ay{Kl{|{vKGaO`NaMv+AU77EN8!gwjrj1rDABFb_Ilr~y{)S07~;=2Q}9l8P2 z3z}RRluO007=2GBaxtywA%G=GtRQ%wr=?1{L@O9r3pjNBZOQnR-4*mBJYf#P+v-6N qm)p|C(_Pg06+%(mfPZuc@1Om%fA&wo^WOmg0RR7blPA{z`~mDc zVQyr3R8em|NM&qo0POwUk{h{|FN*tGPl3&u*(%9J)`!$BckMmf|FXJ!S~1;fg(SCQ zZ`0!fGeHugWFnnNR*CNE9sk>NbFR+)dAIWf=Mhd|EdYs3=Enk6r5VQ%5e}zV&CY@ce6P-D7qjz6snAI&iwZmH2DXy7LbILPGPTg6yyXj- z$!d4XN|8zbA3RT)7Rk1h)s8JyXW-W>P(piRqUe2-jLv`po>M&%#-n75VDX2eG?T zWeU?`KR(?Ey?$gCS-ly$9UhClhnMyv~>o-RD|M|1a%RT=8?Aek3e~xzl{8FxjuCAC~ z^UE*3y!wrJe!2WA`6_+RFVo~Vzj?O2c(MHIdHUt~^XJJ|FTS|=O(N2ZuXuX?)#c^# z`HRJGUVM2jp1&|#;LEQT{LxC}qU4pieJ2zR1LPRaLxI z+e+vwR+U?EJVgIlTI2jzVpC+i68h}*kMF;EH>*BY_wkLf^Z)$fS?m0Narwph@%(>| z_I@oIa<@@F%8K1_&Ga@&gx1S#mhG6#b;Ywxr0oCwzyHtw(oE{?!*BFVsz0yFA}QgjAj=7Z=l|LHvlo}=&GUcx?8UR=`Ts2K z=bxucF4^oS6#d%b0Q=>aN7L!FVP)Zk6dx;*oBz^wTb$iqJo+H>^oqUQ>Pl_i3e?}f z7E75+P{%i-;wi8A)g#7QRwrg?PI*z3>QwEo4e z1p7CmoMna&PJTUMlRr<8Dq{hkYp~R5t_|gVMhfpi2c^p2%Z<<#-xOCY-)5P&=L9Fe zcY+@2LL_EDt5R)?tNxj^RPEpsUWt_|rTgzG3sw|1;17=&(}^m?74y@P)@m(uXv%n+!Y=07n^NYLC|{~V0!DrLUfC*%&yY;R#2M6Xw(K`!NXdhpM; z7d$K0{1S(sti^_3+2>Uu^6NLRetPz<@iSu$o9Dz&uDQN%Whyk|?2hluEe|2>tqSP$mIa>&})hKS5RgueGu#hN>XtN`ju0)|{0o~v6{X)&IvnDSAL9+$+s#*Q%=USA!*1S` zs#1x{-tP)=6VNns$#{~8qHE7#Pkz4yIH*X zcHleg*%kZ7 zvh8~CMX3r=R$gkcr=}K_gI`;h>SJ^7S}`s)GBPk};iL|8Il!H4<_DRjC`zH-3^WKc z^AOLOTKua>su_DHN<)U}wc2JzBhPO|S+PPsre1&cEfS$D*vma3TUp9qyFFUKvW}C}uheD}bY%5jjvsB!Q>`cqml$Xg`RwAjk zr8qMh0dze_@p+T}U1^mH{kYNBJt+zsNQ?t3U?fK-jVyz&;wb8gHb0r!dHc<~_so47 z7Nb4;Fz@w?x?Tb^VKQHe5*HCpyP+xav`{j~gOy}bs!x)wAlHDfP9p8&C@ zNa6BhuX6U1Z$$Re$ny`q0A{B3)J!aG2||^x{V>j2c!gQbp=Z6`6(VUIl~ib1n$2AC zN|+%?s)6KeQ!aFSq*+aA1pSS<|S+S-#>j-#bstifE>npa@ur6@*if znH|If(XmoaKJ~(o(ABJiC`jAzWjir%zkSIrE-s&8XOTA>4&nQXyz$a7exvPo&=emH zTLtyU@W6{1d-X;$UJAG@xRKG!=DVD+>zb*wGfO~%;?b-Q@KEX3Ab2q8?h-Ok$8Fm?yi=yg6w_DU4Lfffa9;OZm}_?mf(`;JN#pWy{O`ZPmr1U_|%^ z%-Q}dqbzi@RBE>Ww+@mb73p5@=$f}YdK zRjwcsE!>h!8usd6@?GlMs!uy+u*n7M5$(@-2gU9UdD^u}VGyr>gn=X~*D@7lXD`hT z;cgqzmuGO~jpZ>%CAWO2)>M;HR-%-g@rAk-R{Ls9P6yp^P~7Te=2F{N^6+A9DSj>U zfomm~S{Pm8vD5V)vzK1MvuD)^Tw4vi8??O}=c7whSqfd4=R5B}7|R=8ioALUH0nzl zXY=Ix2`D_fLV$vXzp8R@CX5Il+?~9+RIvBG?#Z)K@N~!4hHvD+?)v)4PJV}-SqsY- zprt3bic%y} zi~0UCns&FA$r=p{;c_?|llcUmNDd~3R8_R4Vkcs@nz8xB2p+-hIG;Q*EOI_^1D{V$ z_dC%^7CP3RS}pTcwx@~V$6NRKldhu(hw-(ltc=SwD@18_)y4UzN*$&?DC6eT@T3IJ#f+S=Ym(2DDx}! zFDLV-^VyT%{*h1rdOrQ?PbYtz+J8NDKRx;F$$U2W_a{&PzDv*PHre4S%yvG5w@ZU32oo9nZm1 z*3zeE!FI$?*e|BG$6b<;Gx+5~q(GBf&y>`)aT~q?9xD8(3yJDF7e;h;BRRGDpVd-o zzhCQX!3SFQYuBuv?##p=WR9Xq9Tw&8MwMqf{JUD(ar;sB*=pt!b6w3R-ajC<>#Dsu zuHU?JJlgv;WuJbz+*aEX3?7bN;En~eVn^Q~5N&Pvh{`*aR+Q1un+QZutc1?W{FY}D z1Vg{-;E_p1j>1Oo4%ny?_Ds%HZl)0lc97d_vq~13V5!uV%#(^)aj?t05cqmEaNp)& zPyJvoy&S9EOWe$)Zf$ zGPRj+2YU^iCSCG&rs0S~AJNfYa}~o70+t59C8g53K8Ia~0kzFjUP_^zWzh&o&cV;h zZ6@@Ly)<;Do=(6oyLwsLgO2-D!r9ot&w=yY-d$!L%{o;O($ITq>rZ=H&uU zyj!xh6{oK8TfO$Sr4(6;H}+dMvVSUhUWL&nkOU$V7j=SBYGCi^)8QPWOZsN7r$?i^UvE!*l!l>ZH{+)`}|*mvLwG%s`# zU6@U?G7P8`ZAw-Wkbx9qB?0(ur*PQskHUtLbDe)OJ8{XkSv4G3*ZpE6qzlGw`6PVM zU!ypVYR3Ms7CGDI-ni9e+Qc@W^!8>x!CTm{3&S+q9PT+v>VZbt-s5W1q+d@`S~6EMSAf%wUo7LTo4m$#oA(*amR(Es~? z`%c7J>_5E||8P5+ zFmt3q!);9;IbQC;@bQOErq(<7kl6)Xy^fPnMq${a-Vt*UwuYeCC+4*!NU-1Zl5B~V zfgm{~F7~+7upKNk_EK!F#JK1<#$#BwNJ$bPdr6K6mIN_!Xx$rp?z8fv-h1L;PBg?f zTJo_q6u<^Rfq?noLTjn1c)1dlHd=N6E=P$tboZumi6=SR)eZ=-sO}0;OOU-Jon#5j z@DI-6(iV%sY-%^7Wdydry@Yv|c`uW;|1x{rcCU7B+KJ#5DwIPKGIN2_ZWF@Pogk

^8cA?+l`%vmHxSvIQ&TTHT$=WiL^8^n)`CqyE+!Op9%4*4}&&{cERSdiPe& zUcyp`nsJ?(YW7p6@|APmw2v}+N&C;OtQ^)ww(Buu)W_N|q*53jne_J*JumidO8n@o z46!lS=UZ>8JgslYe)UR)F+s1E?7~dnWk>(4OPDa7J`mO2W8Rf{T8lJ3`lEB^d#n$p zIr|#)HdmCMx*qKX*Vc{Fy;NAso*&?V#S~jth`0IizgwO5D$MlzAAOhjQk5HCU73yl z?6Uu&mz(Y8ihcRT7tg-vzv=OzVd>c%uvHH)(lz&^UDyG;Y-5TG z)lOatEIZAQ_8-t@uvdee4Nb61d{qa27^3|v-nuYO!UcZPzCT*`#Hh48et)#@iC&VC z_s5vQjro)54?Ac!coBq`2^!WLX7r(P@A~hG)+#sdg`pGKwmr41Ggc^r+`GW=Hn25C zUdd7fTl3*=B)M$HxVi%*Lt%4NLUlJ6lhyHF`p34XlPr)+66pUn-#(E+``y=XozA8%1ID>h)Y%8@iKL3TJAGOt89AV7MRQZRxEXAz|xpQCU~DF zPyMcbp)q%skWpfr>Er{qfzAH1xqJ(=0M?fKEtlE06kbhdKoar%`ni?L;a=YGe8<9m zHpCp5U;h|~oHBH14Y8|NOZJp!*;8}bmQtA8e(w{Ojt>AIut>sQ&$Kd}+HLL75D_Mk zn=^ZAzh0Gmxs=JsMOa5X8X{(wW3Z@5guI0ik(=MYzW(X@)%VxG`~I67D;x~7Yax8t zc0KMejMBvop~;so)V5-G-7yTL`wdvdl$F=r z*aoF_bL>^=!dvS+%X$QL=V2^n1pOyZqT7TR+6w@ha?()Il`+z9SKK z=s$a8pkC6}flTr$g41~*%*0KA720c(@Fq_5u>970A!FOSmfM^~Xqc-ochugD{WHKA zZ`{rOM{n$I#Aey^&?D_T(!sRg7$7YWSaBw9UEU}7>P2GC)gWO8Di>_!Y-hb!UL25` zEri8{Gn3*IEJsMXqwD%-uBsVj%Z$)HF-Lh(DoFkHX5FQm!c(@@c#F6R0{7O~`17X3 zHtThM+vkV(9JX$O5WD5KUK>Magr*B9w4oR-TsCFtwrmS>aNX!aXOnfX#p&O$O10z$+{~h&Ty4DJdoUwQ2;E~nEXxt2&-zIOxa{TEwd;2DM8~lkm zQw4^*ownAW$~juyazP36366a}@tVMljinCnxB3d3Y<3{bc(O9Lp;+@t5Z@J~Sk5Os zi6HIPn3XVt5m36!jS29fW`DV$LK0oeJW2d{m@{IF*(Yo)WUt+te04k!k4Uz;=Bz&? zuQPwHyX~1_%@+bg>?y7n<>*xNWlC?j`oF-J;iRC^oO%8tXP1s`rpb;(+On zoS7j@Zo5s9A&{Ol+nn@ZZ!&4K4H}Qz%?e}R0cOt+AZ3X%UM_gsMJ7ZQ0%R`Qr3dlQ zc=cIv6zO@;D2p%z_accT$>9*T*o%^*nDhEKC%-+2%QW zl^5IUiv80!@7dW>DUTjVro7ork>(XM@6U7gQsqmzx`O3lt_F+|1nq-8na*7e25eql z@bYxQ|2m(T5B#{T?zPjWmO8axB!#zbjlE~OisvLIc%h`^eBpm*61b>^J~z4pU&_y9d)F1H}9$C8j2Pe z<)o6gV#ZG13E?61Dy1?#lcHJz+~&I4WPrDM`7FfSyd)|?bwi(tH*Gt&iGv(A*XS+J zhWzE-E#MfKS!gj0%m;QZ;XRUO-5J(E1`3?q%LsuJn+Mx@w_Rw%hx5wM!Y6k#n1wwY zqe!Y>Z-u)q%vPD!TSZnoKmmkrMN+lv1Aq?m3GjsZGTFrx|Jw{)^Mi%kirNmb${n#(UQzVs5!^C*dCKryLh_X`l-<7NKKE4JWe{ol{bfB!YmTq1Z4>`C^= zK)bn^PfkN^=h=MnC#uG5TCZ}`9>4=>D+e&$&%my<7)Ud1wstgn1(5uArL05){dhRG zVXwn2-eJuIPW`VL0bR+r41=`S>Fd{0!p+3pqZ0lA3i!iq<)h;5+fng8D&FjP)?t?Zr_? zucSg(0K2PltXSv5<}}@?fLQu9A&fV7@c6^^qWW8`h*+nj9HwIhLBt_G%n%-Ece8mc zuwu3*U}K>i!h4M5>B1mb;>#T^)i!sSJcRUyb_;+&Ju>h@u(VV~5tWqJZtnrd3@WT< zF0)tUdTT9A^T}JGRdy>N0VYC$tMSQgETpZGfSBY`JLIw({DscIEnq*EBEaH~a)sTM z+6O(4d zOKCZX=1A%b{dhHS1gP8m5aUQxxGf7&3@0&q*@Fe@vIhy)W#oX}D3Uc2=K(>x?9eDh z_U{zD%MR70VuE;CxFutcZXejD*@^*2h?eA70GhlPNbCcI1NharojK3h*EnR2kgGL} z>z&!OjVf!=qzzvzbDn`s($)-jxEN4HQ`5vGeGp%62 zRsz?238I%xql=wU@I$`*>6_{0`Q^p*@{1SG&k;bt6)Y_`aQ#G@a@&ce@4ox-_uqdF zStTyFF5DVXwCx7f9f_tV?r(7(DF%`)LKPzV+L|}_?h_J7>-bCru(*eJ6*}7JUCixy zNGbq3+ywR@DFN)z+aT6?^C0N~>{Bk^1DE08*&4+A?P^pE;6s?SLnPS8K#z8zwK0Pm zXy_p{a1_-$M0=>odSF!KDITpjifW^mA+|zGHIAE7)Vihi=4Pi6dOOcyYZa8_;Q@`u znyI@SP521s6h}3z4>a?b9-lA)4iAlc2oTf>M=QnkH)?u@YyYmiI2ww$s~yBwVkfr2 zQUDv!9Rgo*+?jpjTy2I_zTGTvS8lZk>qb~ax+sbcXVo96JBMZL4^@Py^v9^v`CL)T7fs(RqM;LkmA~aKhn3I?Ikphje$|G3l_s)5oMkc8q;I#y1#y6>spYAOERvtt4ahHM=3-Yev3sdG?c5Hl1RQ(rMR*sAY5;-V3Gukbac2v?JJjcLk~*{ zB+&V!5!i}g?+~C+@Z=&@;#GvqY_`y%w!`#;jX2zdra^l(dP3(*Aj(wk2O-(vq7{ z;WLbCOnnl`Xv?)Kw&5B9L}c?ZN3$Gs!R`Enb~c%Er~nU7Zh7# zVcJCHx1wA@f}zaonra;K5J@DxWZ&B9Sf=za;TcMSXj?thFO92{u+L&>M*!EOjuCHe z-K8oqEy2zat)pRWwyk!xTp9%*Fy@Kf7)IV-^(t&mkhj^6^F~>X`2;IQY;~nJ(L5kL zG9AYOcc>*!n}NovTZRI)W6Y}ABvCAuKsPD%R0;_yeV|s!>zGyYCD@!fyh`hg>(Zu0 z(xd(?ov^Hj{veA2>aFIw5@zstSHRescBS>$AXNxTHk%WJ$$Umi&{2@!4WFegV@HCNuGvb#9HBXq zpxK*rIYKr}$-JjDOKM_eJ6UpsY+ownV0z>T%{qDV{t_Z1Qy}ZK#<2}Bob))B$QVJL zmbyr}8zPbw=_xT}^VmJ6AQE}gxVz>a6AL4lIC;t<#z{yJq^1P6)BHwuRc8|5SYqD@ z%{uhrzEb(9$$K3Mc?3?_nXcELf;Yypn+baNl5|H)vm>O=Jve7LFd>e3R>qUwBGTN# zJgqSyq%X0pKUr;5ZSbjV_mrMSOh{`bnGuL~r=azxm5uG?AnEMW6UpeQV-d+>#Pl#~ zLYS?TO_Q^SKiRwm{s4qqJG{H}J56}=1*B_^RhO`5@6DQ+9jP`2p>Q?VcI0O#db=^5 z;hC?`?(M%d;+=-DzfqacY{p#W)4z&R*=(Rw3&Lhg7DK6gQD~VNW;q_*XvQl(@}vsq zF075sQc(!>NLZ}0q7;cF)LG_v+jeH0T%NGcb& zj#v=?;{2R&XTMrvg>jXO8r&?jdzz2RimkcfSNO>hlB-hi%E`~?r=}zS;G`2*Vc8t= zVC#)86tC*-_{t4Ez>GUL{4J>8On^CCh@cCe!$W`xe4`;8kp`XySU?xEcHR7%v$0za z@gYzcdQ7UwJrtk#SXpSwtrqD>V8j9Z@!}jBjYAGUM&pp zua`~M?A$`u)?SzK4m?G?C^9*`?>*+IH6B#S+DahX49&Uk4f9$qMN)w_uS#>j4hT^y z2-9+wb{i7CEzLEY?ZPc@xqdPbzLczaz7kH7Mn_d$?0hLiYL0AJ1)pcdnlo)!T|c+C z0i4z}F-0E`gLrPK(Ipi6+ZyH72X{*CQ%9#YyZ-+BhOf1D%>=HwUXpy@|BI{TEEL|m zI}81YL(Zod4`#1xvVXlAP9^j{PIYjf;W%LUr^9mhxMJWb-y}{VLp>iQuY6JqAJM>`s zeqih!h+$}~)#&X_yN8Xr_6dSl4^Z?Uhb^|P*5;pym8+_fS7IfNG-&=c&E!T_VAlp2r-c$#YjM{vM1vPq1I}suF5Jw!vHB7;E-7_l^2zR2n9*WQ!2@Uso z(O4tA%QWQG#!@@C+bG^CVNE9Ay?_4(?wW~NALlkBz@x^Yaz#by-ZL6v#A?toNbVW$ zFmfwLO(l8kv?zxu9@UX&%*GsfWHhvw7${M8g_y+Lnw>E!htvY;1s6hTD8Lq?qUMbo z`{`E-2}S53@Pi_dgB&6df$At`P#X(~Kywr=s0FA)AW6ar>cIb@ktQV3Mk4=^QxEA$ zhc-KeK$DH88sqYm^AE7%^M!mB{`UuHSD4N}0P7HfTVNx6fPewNKT;K zE?GWOikv`kzgRh?2sweUjg6s}AE$IR-$fT5k5i;0ijBvX8GoPxx1whJ|YnQ_h=Q$eYm$;W2s%@94ynX6rz}IHVwVeEHXCGsgpz-;U&@ zbaVFu6x%-FYKorX1Lh;5sCFcF25|!q7t(HHXdECoG)ia>U};bfb^~$az6)YMKq+i; z5$uRX8%5%1Vr>wqegYzgYoDEuePZeA$P-I1R~?JsL0qD-64iT19z?ob#i@G{J;*0D z#QhjU_K2E*HvY$_7n!D&mu^fE`K%sZSUSF>^Z~`BBg;s~6_BR;N{CJYviF0U>_IFM zO?E28mxX?ag3ytrpsDE^_igY$rfiJ1W6H)cK8Vnc@j>0~7$0kSos?J4L=ao~2AdmSs~N^m&03cZdOaUG%ADDg@y-#W&1Y;o5IDBK!Z zvXz!1NGsObF2p)Qbg)coe+kx6t17ub>v(C_gNm{qQjRsI5NkvUR+4~9sTna?RPXcD zj6fxTSTo`WeApjem;0n^d}?p17~)suHWQ4mxXg8BSgqQaH&$=oybLmBzv0Q+7LC9dRqlUE`#|m)?}>#h;rpEr}nCbk`W70-I=Sh?k32$9#4Egn0;d|&=kZ}Cs?7=!G)Y5^Rdxj z8825tkJj;1OW6KT*~>LAd4ghK?ktgJ2)W9qcQQ*8UZ!lVbcNw#{aMPrl!BLgAL^y5 zU9|8(SCQqIN32W0ZsNh}EU%WZW=vOxZ$qHno^X##b6S6?@M|%=%OKjf66FRo8JS}p zB47F9lXjV1xc6(pRF;~xM&;ITLp>I>d7DYjiZx$| zN+vwBV*nNPXPmNnQL2PZ-b=GyiO%Jzj|$W+@pb%Q zWW7W^AvjYTAu3;@X`ya~U#?z5b4*p8NsGC=xLjLLFO>awWTpMZEH%4XDm9dFZ$toDHKl<1n!mlcVb00f5~v1f*0K?b$=^VY zMK32gmxvd;rlUT>`NVd~d2!7z7wE&ixw+}roM_HU*Au#(6#1_XQdAm?u@2euxB;iN zZ(R&@*%n_;q1+SJHX79|u_u9$V)kSM632}j!p7d8((0e4gE z!38H-&H62mYAErva~pb`YyF$zIvzI%Vw;jjIAw3eYMb%$8>|^f%Yuzs9kP?2;Gq9> zJ{fmVh|c-QlM*p~REIpt?@V*Vlb!Hn2RzmJeyHP}F!;k9?pC6uONc+f3jvpC$?H}e zK10GI3twWUIG4%XSVuS9fi8ALi7R$`1ybQx{QY=ftB_nLl<=gttp! zjt15?=gHc3&SEj4;}mWDRmH)-2WDb?s>{ROf`zsCcR61<12qmF;9_~2f=K~F#Y`$0H>y_>iEpdHkel~OTsD9fCOkf*8hP)H5)G~0v6v+s6LHPjNG zqY0`|#Wpij5TYtucpneztk2qew|jDTuu*L=j$CAb69jg&YX=Ww`t|J66ZSz6J}IZu zQsd$kaj4h1m2F^$Yy{84jj-n0&XdU9_U)o+5i=Ze_5N+pYkqByuop>_s7Yws4g;~!58|`8jt~6eF zck7*HEkUey(*PchqkmT|8E>gJ;qqh9htxH1$nJ1~I}9?l1iQD! z$^d&aKD1nRB|?B!QLz*a>KRWySX5WHthZ82JXHe=2H@~{l5JD$QyxSN;M~HMW@P|S z+&;p&>EE$VoCt|X%LO4a)pLNLv#A;|wt#^KPthJ(*#vfMlI?e{D}gt~n%@e0epsdM z$5&qiuX~rU1vrGu)oe753{nk6b9PFtUM6_!!S|-qDSK~z)>XM3)J0&r0*v-lmZle5 z4Y{o5-Z2t5v#W#lv4RgUdd6m!dDc94)&d%zW6(7FRw;W)Vn2T#pn7)3-qxAArZZ|` z)Wcf7;cTgtVT$1d4OuhJ&e%Wa=91{>G4zj@;8(xK+b9$B$tjyp-jr$u3R}J!&csLW z)7N5Ea>&9kAN+M;H2fb#xf1^@cK-;U@jt(-N?wW8?jJYi@54R+wYjU_?+Wpc8(#Py ze&B^C8(iLh{L@BM{Ptqze;Xiv^RHUvSMy0d8>ebxc6(9n<`dTF>D7D!eRaRPfnCif zrVoR``bDWKwb(AN=99&)68iMwv=qguIk^8=e|tWGn9s8_oA89mP6K3r`P8t5jO*%s z$-xDw^7nGg1>HF5`!72ei}?$LR5^w;x)7#So|cPLG`zw}H6R%(jKIX>4jRu0$wi>x z1f?qK>m*t8d?nHuL)iyvg^bWNeDi}jOIG6WSs*xK|2?0s<~}k)*T{Hq6Pn{UY?*Wr zl}6c{ny(TJB%_v;4Hn#p*Z}qo)b-cf4Zz3q)bzjp8wy0@c1U+e)Kxa>{a}~e-2Fxe z%o}wUhNmj9oIbmJ@nxTBCu*jU8;kUxFs^nmhYcj9C95%drOxJV5CL70c#R3NrJIhu? z@KP5ym%yszn+>mIQm5pOr`Wk8Ymr`ntTT-GRe7u}pRbSU2;n!SO1Fs-r`57fQLL94 zqbb}tZ-B><}&-!(F;c-RWM z15e-uI`F_qLC5<{N9~h;H!^qr$%CAq?4XFN!I8yAS=Dy0*8`!{d$y|J9aLoS1f3PU zTHDR!?1X6A9mp4K1!1?nf_Ei)0Kiy{<~9a@wI<2 z(wO-f_&t_?QCe96zRN%K@c6N{CA}Uk=d?nFVT>q_1gL(qP&hiuapyU+!y<& z$n6bTvet%1fE>YdPyxMd0=<=af2vfb@|7rAE)v7t$}S%vHd2Krg6K&sFf)Fi%+Klz zV}3TD&i?$r|KY#<{eOLY^5p5SPygFLUiC+ek6s^zbBB?5OYJ-hj<-!J2>xiZ`iwR- z?52SIw(oL9YjU5?)7M3t9%?Ped*YPLA{lt;m`qM_?&1530Y*!<~%qQ$5w0Auj#YQF9 zkRsP-`&

Ng~`>aZtZ6?UhL0g{}~2cPUS5!4`}`wBII05VDgWtM!Ok#yPz7VDKKb z6d2JMaBt-cN$Wb60Y}SxJ8Z%3<&+R-l{^`vbqXV^6B4U8b`>Rr>SoRp-c<>3(3i{V zxPn$`!pg@8_``r<2ZpQqTXItHb6kf(4!UQ}|*drTo6Bs~S^$Kkn z^pQzG_z;;e2ZNHr*?7*q7{LHXN3WerJ(d5j0OLTGI{LD(cH zykL2}S_HHu_(qaWURBP7CG$#@MJXzg*2O=wT@%s8TK+~1KaFTeSiL_uk7w(Ts7|}c zr4jaE#*1TutQr@crtQDXnNWE%`FyyeIAOeUfpbMYg>J*bRGvWiEF^~yE4QY>8&78J zRrMGHXiAZ&%?4viDwHE{%=+E1ZJt3?&4^T4OQ#+LFN7F`_#Rwx3?MFwY&Qnt$7^N^ zgXWs4qEHBrVZ*Y`~5_z7K1$L48pFP^}c$KIV}4^Rcow&X{PZVLX&&dlPIhE zE8Nh49{XIN4E#TJup&&t7|;d7Zq>7h#^ok9q7A0`;rf5FWUb63jLfRrLdf*mVZr-h z$Th6$AX!^48(d#qq4HpLFgkph?K~XT@HL?B&g9ZpB@NEL#|?qgx-HF~0AC#Fi^Ge= zT}bi9Rw@k~V|oiAWXo-4_FAU$731Suzs)W%`av@Z@#K}{S+<)sqp2vjV9h$Pp1tAC zNoA!3dnYD-G*+J33~#5MJ%fgGoYpt@DN|*D+4O43F3faZM)uQ|A`YgvUH3FG{9z>e zl!aneS4?QVN=9n2;o+v&!wgFKcwRz}-39dt-Ao1cteylHR64Bi2V#Un12#YYcWVc@ z5+4guN;sg|{}>W7s0CojWnW3fUTI+gy5_KSfg)tfEscpgiWXvOblGg}-&z28)rNzs z%K(S>!LUT!;8K=%)Ff?CuH6P#?0dTp2Wh^BBiXv7PQp#_r0dQaz5<$c+G%&z@TKbS zv$#8J*iz;0Gk<5{LG?@ow76E$<`GfSN5^^al2g=MI`1dQ@jPtxYmqWgL0cBE({V`+ zvTMAS;qsp(Ch6F%yMGf7uRh+A)SEDft{)Zva^Vl5>=vZ!o3VKx4qF!YxHjcJ9A*G` zS4Q54gCs9wZkNV=I4-E49&#U!9fQBc`|xvHxbDrH^NE`Gn6rNn>tn>PK16%k^3rxb z;@wFde?F8uxCK5Qes*w4Q_ zs)N2zVactOC7mMgzqr@WA7#Wu^%F21@% z_TIaZ&lcM}&BU|@@I0Trm|cv#l&pE4i|mSp@-@8k^Up59j!mpquV=wHX8^$~(&=J1 zVKXzYjAeWwGCKonk!@yrZN6Y`vY&ruvzO+dGZ5H+`DI%FVpoFw8!JVT@kFr6uP1Es z=Lu3Z8aEtj=rHotKb*;Ny&rk}E4MFTGBv9awib@k89-;Ku9V5D`Ykx|PW@Hv7%7_OQq z!}I-gq>ns+J#=Wwc#52uXKzZ7;a{q3yUBfb|5dB}4L9P#%*?>d$%gK}!5RFn_3Pfv z-XP?Y6809RLG;?k3D z%^>HxPVnED^NY4zEV08%+-go~gkbVF_|vw4BswE(-(D<4#V=6M!(q7&;j$%bvElA! zRfWi}-@N+i*}KNi9pyl=_s;#pxO44bqHxijJi--Lp!t8rAv-lidlf4$*cDHV*l5^UXLknUX9F6{Pd+qP}H zSKGF2_iFcQ+qP}nwr$(i*Z2KC``yo1wSQ(-QkAM)NoK}1j&lZP)&46&=V>z(B6!OM z%C+&VL6-VR&42CrxQ0me++YzZ8iwJeE7!b}fauqHjFjNk2=eAHk^wlAjFc44vdiD3 z0X`|ga|R`*&cM}<9qRI2uE|@1BsalBm@Y~Ys$tAT;h)AJ^p-2sW7K7> z#`OU%`5*mPp-kJ9NcpHvX(QrNbZ9X)ZbU;Bn{w%6a>a7u9+lif`pHE{&U+Oj@?7xo zi5_zV*&+vfCCJVo*)Q85Y4hhDCSkMI-6dEV@R&zzwk)|v3SAgsRgJ$mE0miiVZvHa zh4lII(Y<|TL?T%1faz(@zYsqRDgnEU=o-%xum_ZZ1xZr#ubiDZUq`gM(RFv$qq}NI zfxVJKF3HIWt^RmD4W&+Ox5W^A_{ZfwS5I$raZ*;0NL>%n^08N$Wp&G2U)j*@6Tm`K z6Ox18@Fq3YxdOaCQx2x&&?mC%On};`q>1pL2x-cTnUk z5~9@#42U8-#Me!}NL@R-=8XgtXkmVFnGu^T7N2wKHYeC;0`s1pXQq}fuL0Z6&<&^A z60nT}$8zpaQn_^-(b4geoh(-oVqs)@p+bFUx3fKSMIyPztE4lcqPU* zW=dpHc5T9V^4Nm(X!rO{O=P(MYyx=8y0wvg57o;F&l8TxM!$nIdGt2N}AzOoftc)W+%9cZAL7+aJqmj+Pj(Rc+Cd<;?SKr@ROu18LQ_~U8%Ezc& zqCbQuwJqL5b44F|X%oj_Ra>jdQK)G;=oMzg?Uy_i`V&gOEv@Xdfs-}>@VFuDZymH+ z`&H4V3OJS5Q$L{z&3R*iqRdz{+eH-$=9X>=T4z$>hw{Hp3YAMfAUpK%uIW)6CI$ zV#+*3`X1uvYa-&~0Xzqpu*57E<8rwgt4Y_~F6*Z{*R)|G6&|5k9hQsY1f!90?@?kj z7Ay5o--uP%0IR%B2KiF39+s9~vFvkZ^$BIrACqc1o_m5gLk0ta?vX;+XR?XbPV3rjR}a{d&!wkWCBD2XqFrXHZa{O&ZH` zC!a&qfxI6@A}X0Av)Q>HJ@qEz92Fd1Q!F>`8e5w;!mNYho+*BYFB)|Ik`>-u(3NkE52C^A7`zq7<^nz(^42F#a6 z?#SA9dmjOP`rE-G5HPy!e2-s4*HXmqVHAgkTq&j{qj-=^N9ZjyT-7!Z^f6WHf7BZ9 zo8%d0@_na}Tm$!7@{DL~>3N=Tv2liMW#{cNYV#EAkV(>0if9^3zTlFfp5bx$9*w~Oz5 zu&`Blu|9F07hp_uD(YWy)JS+XEhdtGW9hWU(AqxXxV^YfkU(!XU0|>a`8~1_*!{msc(|fW84T!-F64Fa{ZPqst3&sPkW=F3E zNZ+{CI}D5hq6hN1aSIRw)bL}nxS@0O=*dp?a%+?KK7o<2AtmVLB(C}S|MEv*Yq%;b z4fx;Wn*sc_A1MRuvS&X5@L0^AbpqJo?`Dm@1gP-?%i*Wfr<~!3OX=w$zy!uX2SGe3 zUI(V9hb5fh1J&LEVgLZ@Ou*^^iroSH+_d(E+z>@P%7sW-0$^-Wd4@x`gIDtf1vw$X zghQT@^1C3B0)aS@biF9%f`p%me_*ds|J4ilhJ^dBY5|X~NA6scd;mZWz%yI>Z3gNK zFe@I_sYJ2Kh2MMY9rsBQ`c**uJqz-Ed*Cf-@ZBr^=`V&IO!@$qtAH0b5e@O)Nt}=L zO0mQA3vimB&Ru-Se<~sjDdFIA3gk1_9tr7r{kd-@l$hkwmH6m+j+ppjdpUA}HgGvL zhL1A$iS!Kby71fcdG5GojN2{mGbD&317sTs&*^*g68e%s`xeR!V)MO!K}6R1xnpOs z?HY4Prek;U4F+WQfg9}NJ1i4sSg8Y)3vp@03078YqUS2{ErG`RcSdVIdt1pf8~!BJ z5f0-~J@2MSILtIvY7P%oh)BROSFov~f`v0LIj4t#DQX^)S6EiXN+^yv9AO>CwnCz7 zht&C;&n>ox$7fTq%esjcqS^^i#0+Yv&Dm9GFoF$U`^^7QBVp6QO+KtS3q8)_1G6Eh%Tcsl9Il@9_aBT|0L-v$kY@~H@uKz*|*kPQqYndtROfTJ6-62Lhl0#z^ zSPaIblR%NGAykcELMW7APrf1WMSm9@wUVSR1d#U5V#Al9z z&gz-7L5(aNc^Ruc#5a3#3dcffMtiEdH(2a~k(3v5MD~>5^8P&8mlf0Fk`M~@f%JL) zI3H%4{O1Ht#p{nV8+!G!Yg{Wb6RElhka3os3~r~Sx5$*T>98#nK*cNI@~LcvEvtGw zzO$3Tm6~D$Hm^J@Lz?Khr+x6&0Krgo(&}wA>vuRCVr_D-z5<*7<$GRFe&2M|fp+rX zPLnIA*Hovxs3i!p{l*GXEJ{(41af1kM3Le!yq?%Jp#y>|N01sI7h#jP%2%j|;7H|x#`3ii%J@~X{ap{?1kqbmR+xn$ke1G&0@1?1YS%w&05CY4xpRGDgd+8 zxxR13)i>-OSWG=HA{lDSB^H7q2%tFJj-NpVh7Sn29KVu36a?h@8=%xDNE)Z1&et&B{T<`GEkI61d+DmoOComegq> zE-8su2t&;K8s);UOXpT>*^k7)=eMJfnk6nzV_K$_Sy?XaqC$(r^yy=2 z2vjs}k}OP8Vsj#KyJUMTZC{gggxPtxs%D)1iE0NO?&l{4egw>wOo}I7e+6v`aLzny zN*L;1k>nZHeRKz~-;M;tv>B@b;+Ea^7c^Xx^!8)Cera|Dr;y+|COC%#aNr znaqLTqC+W^2L8}1^yvG})#n@T`|);Oce=RV=k@+$ zKl%9ksr#LZ*|phB9~Wy&C%B%AAI$Y1&-1uB%-BJz<9cGi%lCc8RCy#YkDE`YM-={Y zWv>Q#cP}3X*d&k=nOp5NSozQxJr6L>6W^9*VSAE9-NjJ+K9cKoH9IxTh4Y13jbJX2o0Hw3^{W%g6`1AwB%{fO)|sYm&?-&tjtJk&^8akUOTy0bu?U`a&W+7INL$a=1nnpvgsb zY>WtEclR=o>iohk+*OUqPx0IGH^1r~O+Wsn^V?fvf*q6nb4dW7FVL5r=4*-D`%gE1 zbQl{K<(BB6$H8L$p4UIyKb+_362AEeu8w+f_e#psYdTWAD@DUbDyPWbLeWc@lKV zlat+ARwbtP|8qQaKaS@ z7q@onpOC6mSjILDu{`g`@!pLam;FzA9#*LRQpZ}pLd{Eh=?P=uUpI#U{%d{MdBaFb za19VgUh6yY%ij%AwDg^tT`G%M@-{}wp-#N|g*$2R1Q(d*OrYrj-d0?!idSWu;4Kc^ zjMS+oaDtXycMPg*yL%fT#>BttDblQG$v2#-6#Z)YOG{cNtO!#kr8JBTkc`zggBwq# z>^MS9@Sw9NopbT3f6G8Sr{fu5he9?R6Flt_|EBY(;n#k`?`?~~uE7$i8@lGkH%rFB zEFAgD{Oh`!+omK1PY2a(bTNDBf5NQEume6DhYgjJ^b8d0;D-cQ= z!F)QI(wpQvsM8vD!;PnyYQ!xHE@qf>P{}q=jn>AOm-#&VySzVP;aA3#mQQ(8J5Z#o zsc7a~S{vujc7h1(w*mLkJp^f!8COm0Nk#dq*^(PO|3~xe`2I)p0O0-F^5&6|#znaJQzco)y^#5p{^*Up!^kAPnthE#xcgWG*5IOUcoS-=% zzKDEG%!gb{tX7TuNVSB!rL_<^V`9LtN=+Aj=MZ&ANNRIcB7sDgE_N{8wZ$O<>1WLf zG{&(+)KmEgNo}nGH$qtZ@lKRdY7s#LgUl!n(VZ?W$0oZf8?x!afru45t&5cUb6&Tj z-2P_n3EictB@IL~qX+Ahq0XRq%0pB&^vzV~PhOjaU>b@8Za+A%zYG zLzm4`W%%ea!y$(h1g_uiuUZsSa8aqNHnTvJ@NY)#jpZ52=a@CY$(}?2=)-SRBbMN& zgIrKQbC=Dmm_K=};1H2^3Y{XI?xBJlphAezs#n?+p<~XBhE%tibF3Xx4M)kgf8Juy^!&U*JvPPhvSyv(f9+ z{-xo{eXYmLsOV!K0D!yTP=U$AenBz+^f19yy0577)2opad$(BcU*cA}kLHQY)sj#J z?O3*B0p&zjY9Nbu_et|%!1d}L$JZAsn8NSjnsWD^t+3CvJ&W1$3V4o?he65TGhARi zoFPGTE4L@L|MF?naz(aiY2P)QOtM)Fe-=%IXdn_Lrb~6%bZgbN87CDJ2)$|HIj>#v zlQ*t2fa>^bGi9SCuf+oSv1nz7!F-{qJZfy>QjtsfsJ}ZFS$W1;xjKoVOUzdM@@>jy zA4V~)_-;U%#D?0IV4A8q(l1kSKG!!$oU$5-r}!MHH3-V!WAX(_hch9+eGNGaU{w_^ zBeJFZw35u^qOB@0sKAYi9aF4?%(R@t+d$K)5hi7K`55pMH^{9RdO+6Uphv7fd=nrs zDcrR=U@g5m}iVzx`Uec@Til!}k(MP?-ENhQ(UaVz~y=Npht@o6?| zxNl8>DEupp*Zr|BsEK931}F7tMJ(TTTUZ_BcwDSEFZ@i#+I-ZzYj|~*M<+vZBHTVi z)aVR=)Z=8Xmb-r~HOL=~>YC$(T+d%=lnW6P88kO{acnei_8wH*t(y7nxj&g67P3mz zmv{CP28VXGKVc$qS9*(6W?*kaa1LO?p8^IwdSkM&Ly~u@N$hI&d={U*FA%&+Ji4v@ z8gZ;SQ4QEB?~LpHW8w_Un@HCjCDDUJ(K?4>9U;= zyTt-NcBrRxPInJej#XTrQxWhNy@ZovFNZv9#G( zU&W`GN4T?rdIpsQm$G)7Ey9pJ6iN`K6vK4*xX5&}XnZXB%-w3maMh3beS%ma!uDJqwjLZi(jcbzWod?pk{dV{fRoE-fYHo zJ<85h9LzQ!m<>ZoB+NIv;rHS+b4APi#edl(q6Hgt={=HgPvqpfamp*`>gxIizBw5M zZXgO$o8=-5&qWx5gD~*#HpBA^f&lb7Lfbp|rdPn#&(3(c?a?!vq9<4Rdpv7VVXjjD z&W-+siq}8#8JCZ8Yvn6n&{a`Uk5fU{i1My%h{b-D?j(^ovOysNO{6Kk*3#n=|7++m zT@`)Yh*np5HfROcaJ;}T;M{D)J7zTAzu-3G`S2}^+NO9a&YSaeuGjn zsbnq>gP*-@u&U71_ot}iIX7aRElUqAV4?DVy&@p4t!U`UtI<$Z{Y4HuY)HPHots<@ z9vY@%O7WKEMNwE2;K}@HQJ8QuM`o2Jjw0l|2qA}U-$HungZ^BeFjeFTQX|c4*vh!X zD+CH|Tr)!{kDDiRk^i}#JQ*O)oDD0}Hm}UUL}I=qp$FBSQYvm&-Rw$?q05>3)Wh14 zN%@CL0#z&$LaUKZaj^ryRTb!i3-oU0gjtS}hXZ5$PqSR(svKi=v38=9)Vh}qW4)s` zFzJvZ&^%kutV!RG9AG=!ZrFTu*0bfUM!w3_FxlxD$W4`zMi^!ka%eWWG=Lm@|o+L_4adG^mt|uXN2(^Iw{P5%r&pUbDyzUu-&b zmn!7YnC8Fs4e0n)?&#rSc`Hahp0@TOaPa=<2tH!cSwus)zlRX{gt2dTF>)7bdMVBm zj6!T(L^cLJk+0uU*sxVlPcyf>Kfh=MHDhq2jXvcmcbg`xRQDSF+|e_^^&`;dS5PKf zet{Xp<{QhPtn(_;WWI}l2>}lQp0d$kqY5pj?#CSY&5!WvQ?4TTm9O@{^Y83|H|xjR zkDyU=G0!C9>=uEoBiNjQvpEN(bM{FKaP>+5jJ@e_rsU)97Dd@9inf#zZ6w%!$LQ$7s;fH}UK3kKv|f<;MAb8h`x`2@(N-qqsoRhkEfGd=ELc z?cmo{67MP@^sK7cT8YI^+_X%b!^-7QFsp8M+X7#$Y1raP9M4A`u|(^{B3M^Nw5^%g z1fOgJ-}*#p3a2(!O)kb-2k0L>AA+0{kt1vMz2aI&}(bd z%GJ>Qe!6aIzwY!5Jvhj5hj?4@(Q$6*fsSIpZNvsoTaipmLL8oM$kLm8@OS7|3g;S|q#U}rS7KDZjKouBaG_~~2Pn#eL+>fIGQE&0L~EA0 zb)mieozR$0(dG$|G08y5lbSFruSGHfmiiZ5;?lAIc+0(?4zt?ud&j=aPm58dtjmI7<0N?Bh^|@qC^2AJ|FkQ#T^Q~7UsFRi97g0cFK$u+o35c_ zRJRBq<#T!TaJnzQZid4h&6r_1KF}kDqS9x6&%uD3F#YYdnou$k5_)%EHJYT=SOxQ4 z>WvlvV4@3?g1vq>$;fwP$M|EIPT;xZ(cb~EjMDH&IqltDAjylU49 z&F0VeW4s?oo6+Qb;*HtT39}!MwacYK$O5+daWq)L-wHLyBAD{?<0sa@l{C^K^t1^8 zd47usC7S@hcRJWmiOC9BsdT;NZJ%v1z#DaMeWgEi;$7K(^iYPI&;G&wVy`-7?+6c_ zyZ4ndhdOcac|VCuLDu>}r!y{lyAz9C<#AZKyLD#jMjm;I?`*1O znQ6x{*Skp&CXa>$agfKzdHZaj)dz&<+dz7@2;BCo9D771=CoPNAzw_YxGb=9Pp1pN zoj{g;!c9?4{QHdS=-{9;sp%!x%7MAU2P#-5t__iWT~1Ub8GFb5^1x)0g_Gh&BL}j4 zhxA#Qa%R@Cz|PR4CQB$MDc|c6X=Ux4o4gW_VjgYFnOO|L=p55M^fUh)9r%hyRlP(N zTwE8P_+L*SiM|5GqRZL5)aoIsfw$u@>64P|c++~5hLD@4YK0jk8~Kw|Yj*Zy zY=LK~{$4s_{T9j>B)x}JgbGtQA-Ls3Pj8l^1Cfj*CU?|*&z-~rBkux!#j1S3WKx>D z($7EV#TbNp#tRN9vTkJkZU6;xQofU@D3Ax9=q{=$>@Dp76;EkF5&N$Ojku+r2#;<1 zGYKu%_&2TH>@2+7XUNPigb+MAiUB1^e@V}JB$bk0BF~F_c-6j~N=7q7)-K{+JkzDm zfZIdoG5h~=P$IT$5F5V#aL`2zEJt{gY=DV}xgtrxepj^Xls@bOh)9h0U=k;Hbjn`I zaoC3*M9)3m3d%7kN&JhChU|+_}jI$y*$Dpp8AT;g{f_e&$7=f#lAGD4{auf z^Zk#)_!3a`TKf8xloyW&f!dbEoI=5ke7>+j+ryGl;^<7&Eylro&bx@!6r$*eJVRL@)XT_Ch2k}JhKV4HKjZ@>_sBGDOln*Wn;IWcgXMw^P*gFn*+1BAi6~$%7^z*ja$f!=Hx1 zQ+A5adkHKt!z0LiWP+=ohVij-qp$?rzM@Nk^uLSN1qreGP>JTD=|_U(2S<>3-d2Ej zLUDYFUEqUOiVM}Y;B3^KP8^X{&=E*3=G~+|5Jm9)acX|YDqxjFNZ zv-n-;kzKo{|0_Y4EJPD8{#Bv5KS1=ihpW;k(3sCXrFw=YsQm$~UGYvhPmKk0iLp~Y z0M50@EE8I>aefpCST}zR^DGih0TVuXFqFcqOzVL%(Xl>u|LQi_t(>7#t=aDWu_4JT z=UrFSlV}JhRyZJmUch`{Il&yK#v)DM#298IGaREYxv+_?lEK`tGgRIU8@I{`~w8Q|s8 zp=13=t9qB_vjT`8n+O^p)6lzQmk)WvYuqQQ*4gxpb`r?_m1;t?odgHo9H#=wup^-7fR?@^;R1pMP%-9jy6@kxctaL|G}<2zq0H4tBOu2c=dR}^(d-D z{uaTr)lBn~`W649UFj`<@hg@5Y6ol-1XCnX*bde@{iU4CbYOFmNNa~eI4KXFL^=W) zdq&1z+w!#fy5a{rr>B(d#Amy`jz+1cDCNW z=gz)>4Xoq(Ck5ZiG!cAgAQUxyne@&21{|sKU;&1nO*ufF$|k)0iVm@LMcaWN@jOgI{AB6c0Y+fLW%Igfk1x^s z(WIqqt~Uf+OV%tW9h$PH8BG*cOBA zxBCx`LYU95gjkh*dQ(&o&?!C6X;9|XzXHV` zX9yXx{fcKL`-GAGOQAa8$;@h?rBuz)-imC{d{1f41e={6mwh*>js>4AV3qtn0|aT| zw4EX$82$3-2i{4QJ(g?Z|wsNq?S3GJ12@bAvPEkpUn<5Rxd!-(eD4L=;}z z^2mZYnQ-M%=4vTVBmV7l4^i#&?K!rs;V; zq3esRY!)!VoK>y`SMLfOA_90^Ov`OCaHCJP-56Yz9FD0kJoESHn)l(Ak6S5GQv-Jy zfGC2G>Q0Z?x->YO;l|8+d2o*-HAqci%&1uX4y0cP`)RW!q=v;Ub!`S7GUxo1H{8G7 zgEAMwQnmpeVQ_$DQS}6dR0?ruuvV9Fz?t8}M4nDzK;k^o21BO!TM;yFUi068VwVvm zxt~rT8$6Byojyq$ z5MP0GR$|UQoLqrK`c}hba54Biew|*(zqN6x59~7)l?RiB^D`b@AXJC5f8#!G@NnUE zzZDn2$fCiIcsp(EWCOXci0Dt3^D;Kf9Crn~oB3tK`SNsJ53~|J?3!^2;^Eq}f?tNz z&u&JsV~J)&5={-saqU?}JY9v0}X!|K0BA$`2VM}PXpxlhQ z{NOEc&DGn^;ct9!eIqx6R+lHlv4gWpJx=VD)(%>Q`D_jtG0H^9kUf_1$q!neOJn4NG430d)hPh2=`Oe%Jd12p{!~%*&d+16q8N(nLo9nP zaJRq{x`GznX7s%`&EJeF5DRWW4#_KkV2{cpow*Uqs%A{B2w;tNorcX~5OARP&ZA{B z{ZP_8S9b$PaMQDS!@V!Qr>%xg>w_`0?B!Qv7AX^IE-m8LWMN09Kgi9QOGtEWb)1gZ z0bZISIbwuh^3VVhCUp0!-?EvCSo}Gt5)N~(NVaV>alaa~K0l(~kKT~1eitaFdHBpH z)+0UFDZ*mLG?+&O^<}b{-8CO&o?BHYhP|`~o;sQU3{w??%*y zORM<)MD)gmWCE7fq?+XS?5YJb+*ox)?Q}sF1YGMe{MzurWwcGgTE5-5d0)wV$ItxMPqyo7W<5QSQ zVV1Kz$NaCJcjOX2%V&><9H2zHgB3W51zD;37$zx~_*qh-@(@%o zk|t6sPbMs<*mjo0nE|+ijdywJk%Qp^?iounidBSN@0|7Mc=&m>uFj)Ef`|OJ{khWU z4gQFOl8=)5Y$W<442RFVGTmSRS|fT!BB+GT!Qaf-_4#yC))}g z*k1PD0$Vv8gHUw`uJB`hPT4wToWB0y7TQ!Zh*IGDAD60na?}8ly{VP13}m3oq6nA; zEVTy2@x4wOtza_74uvKxI8sIaxed=r$f_y&#@yLhust^Ft%1t+cb2}(8K?(!2YAhW zT^^I>5?}m|8pIXEB-;z^wVR++YT}l`T_AtP+$AX=zN*I~lGQW4s;hZY<$K%Qpsw@3 z)gY)ECQjgC)l{qoRtBn>NGI?kMj$3}>>Ml9l7#AW&z-YKoRTEH3NgcA#MK~g`B$xF zNF5~NA=!jh`~r#E5o^SX{FCv_6=Z)YPz*`Y-nt^gM#9~=A2w*UTy+nCA3MfTn~Nhs zhw~8Gs&yWe{u#6^Fznivl-H4KrO50i@mUYK2cfS%3Xh_~f4E>0V{BGIVw^-v&q$)< ztCCa^D43tXyO!vtK7p+|?edS=P=%@m4vf77x2Dr>ynMS-BU0h`gZdiqO%k6y01!naSDK0^3n6w(E%%WX690%(iTeTdKm(M|kV-#qdSe@)NbVi-q znt^qI_mR`i@WJf&{cX-!quQQa)CsjG74C{0g!e$_OebOwDygwRIWas^9$x;u90Y%Y zEvilsjx<1=)z|+1v!F3|pFEm!$IBJp3X#r(%y`IFsIcAOGh$_nW z(pk0;m6ni@u^Gc@f_#2of|gJMB4-wV+hLXAAM5w0G36l629hea5QoYezl$iMoaf^G%@pb35(&qc6;Vv(&9sq$vz%M? z1JGKj;%U0`f<^QpuY=%si!pa{NZ| zXcX`>Od1d=c(JOwdW5#mmWZ%2oE~5U{di$IAGU&)MY(>Y(WR7Df%dU)p+?UewK+Ji zLUnbIOzzgN-?0Gjg_PJWp3h%<-_WCn;pNG~H>8`RT$3eo?tSEUtt|@%TLGt`s)h~_ z@-hlPtBwetWd$JEa!Od*U}KcXoi(^~9ORVaVoGCyZU@X>E%80jz*aejmpej9f)mHG z*xWu^$8InioC@Yg2^4DTH(K@DkM3YL&Ac^wSuO*ScI!^AL3Xq;n0L*=ZPeMSCb_DC z`}+>PMy3SLb80w zQ^exNj@x=}znmSOCof;gToT>wZLT-d>Ar|{ws&;7JwJ6GYc8uE(|KOEb9Z~+I`2#vn-FZ2Do4JSVg#z21!16 z(v*T2;0t*Vz4p2ibCou$UCb*_PqDYeE zNw48f4d0v_LYMg^pUe8V7U6T7_rTFj{dD)rIMA}>X#rrnFyPzoPHwx4W? z@SG}8R0pfh;>Yl|a_X#S8DO)GQ|#akgF#6g_ac6U!6gxcW16{7yf2X9*^(b zPx?kYI-e(BiU&K3K4R5f&S*ktKDNu=dIH=*8AeQJ= zr(WFPcqG>hWLt=mYgs#4s3w1pS}-VC7X#_7a@zMrE3;m5wTM-rZ2EFfYlWI>JqYA> zuBWUhI`9@Z*vhq{XplL?Rq1eO%T)qtAt(UI*PB+&)~W_Hv6D-mtmpFU{p)$fS{ts* zmXQ{n)ZL$L<_QTdNt}vNHL}vpNH*i zskwuogB;bY_kWU%21tnJ{mN>xVJ9TY&u`i-#3p4bPEVR78nZ|{B-a`g$REMSA@M5E zv|QxuO++3xWWnZzZ2sMyYc$oW7xo0yda*ki@BslJ%lR96 zKc55{H8Y=iY}JWApiaGuoZ)hHll&LbR<}WT9HGOVk)U@cs>>Ue3hhev%9HC2=I8OV zv$$o`%9jlZuWR(jvY?8#?ec{yRojw}o6vGv1xd&E-DTL~!;=v<(CnZ4Q$@fGV5T&v%(vOrN2c?=R+{w|Zj98c?&P#r*Awl< zzyPEvQUy@ZwIeu2K5e!FsxswoZ3S|VJ>lmQXiHWb51V*YWYI4ml*TARkbM%BEHw54 zl3hSL1dW(8&>RMUJI-*WgemG^Q$=FxskX*eLbW9%G^o@#;~Rtou%5MOy=;JpViwq# ztr(^i+r_g7i;~<WLv!g-fv79*~0LxsV}>R0%Jt zj72^J*L^z1AoY*4WA}Z9j;>{NfZ$aJM*Hy4E5jiPYRFG5M9!%haF{-7Ue3nGm<{pE zv5DMOvy|ed(=E>kJk{@<;=!HMrbD%f37c2(XT=vtP)43+l+{&4%I=C1@I(*8DBH!? zjr@?)3q6nxCK^gGBoX$e8l0g~L=!r4sFJ#KP!vC)QnA7y$2$OV(Iz%JW+Qi6hGdLh z*NKn}zHHo{E}71=w|PH1xq7fi6xu!4E{p9~(seL?@+HS&I%(OgLRMUOWylb|HY9Q4 z-gx2ZoPT})HUcob^P&QArnfUET0bXO6Ayn!T}lOoAgqY4WwsxJ(3O5T=0(M?Xk=?x zK_nub`7+yPr>`R^iD0WL>Vy3AcX}b(#fBk`uZf84M>JgQPQYPc84<(otb9Pb5UK`qztCy;9%3gYr~fLy3&6czWB` zghF?=!mY84OxDNep&4ef*Y7*2YNb4}_+>^Vkz1a>pD5}ILX>1KKu2ZmUDs?dE zPvrJ_B@vJ7u&VJV7z{>-01^a*Vjd=lx1iJIldTe0Z8Hu^2NeSlz!arZoBs(LOvRh| zd5@`Mnu7IC;9W=8h}r+Lb zwzL~fl`WGC8;9X>IQ3fe&_}FYl2THBvpdO`Xd+jP^tZ7^xf*v$3o{f#zfm7mlN`qJ z%u5mr#RPfHcBCi?gsN5r`vt7`WUXp7=UO3YCXcOu`c#xw+)9fsU~7w>~l`XRZKM(1+P2tM_KtS zE83pl{cg+}p98m1GpstU_V%0rV-}#yP}|CJq!2NA^Yf~sVEsqcGuq+YQoZgd0YSoz#bFuPKTrf|_ z>t04qo4Rqa^4&LbP`&oU1ui))dZqH-#u{}lXH89lXbf+8ST0W$>&xIgLu*O49#EvR zc1YqlODn>=s}QRQtU3#B<(ye@TflUXLhuLfhJzHoPW62y9B3$}31oZ`%I-OfXop^E z5)JBeiMzyAQis7!WBwGe)&0mxc~nY&)3jSBv7O!^W7lw=p0zvJ*_lQF6ehg^MYWx# znnfInG(tx_A@q0!A!l;>W`r^0Px!>QWE=@v_>Q`=b3n{#O|NGj1g=5 zB?leq8rns#hxH4fdOXTF0p35Ev)tQJ>8nZv3NtlPAc%+{wlWr_Bx0#4C#zy!L)zZV z>tkHx?87r+R|LC-Hr|}1XpRnqN%zbS8SM5Re^`bJ-b{28$8bD``)OG+(G+P@uQ>3VZ>(D%B@*-7&piZ%e%nd*jj?WGD_VHZuXQ25wC8OYr(IbXOy(A zSa^_{r0yoqf&@qf3mT1}XQQlOI&9u?K(I!Wc?U7p_`L3wub@F{HV(}CU}+(zonHy9 z{GFg58^zt$9yinZPEI03lAEY~tpWg9M5n)0DTXz=k`Qb&y$8Dt8yjo`=3B?8fXgYK zH6)fC#Qi{Z*6($YdyV;leYjivWakxUatN5zOt*4P&H6O3sNEo1Np5|t>cn2UKi{LV z2m4q+C$-I^#S%tJcj@^~>nG1-(RfcK^}+2AOaBs_mh99!HIi{umv7aWY7S9AUOrU7 z_wfMr|B-c1;gN9Bx~OB@wrwXJ+qTV)jgC6DZB}ffW81cE?)+=*bI!%Ns(R{~bvyCR zG2d~EQlYb`pF%{bf8*1jZ01XP_p{}iDb9`>^cafxF5@BWc>R0@ZF!rH?$hTNGgp{JPi4l zQLj!YHA12ID7%zWFp@$gr4v+GpaVMDoMDHUe`Hqn)A-S}e8Wy2iS>dguU=?X@?e@yrq{EF7d{F$t&e6duaCh0E2QEwQ@c*SH^F^!%pg9;Gqn zjZUV5EDwFI$!Ng#@8g*r8XKrv=g`5<|-hfT`Acv2)fBD zUya~yar}8%ocv4?$Z@mE)~f;BxQ}RucAg`N%uKBPNQ>C{_}+H8N!iZ45>S1?plxy| zyxe5c=L=&VCl%;(0T1LbD@kX&frGo1CPEU8dqKB4ZhI37R@1 ztBV*AIG#Ms9xYBdDg>{{xH8qlv?5tm1OBpUo_7fmaBUK6O&j_KuwVZ_%nH6pp%v>0B5&gG) zaf~+myw6hX8o*~Gt~yLY!;46TdZ$`2+FX7zm1SU{O?OtU3|LLeiWzN-ta#w!eBV_z zS}TU8S4o)19v_{ZY`C3NklVS~@+ zqkLTXEbXBo4_oK{`~YN^RUOq{wkD_~{deMcIWT)n7IP1OPT-QuUwoPHwV}zZ``alC zJzbzQ1~quh;RF17#s@Zft9XPT05%-_72-5-@v~@98%Mw*ElnKe%miI8(wZ6Z#cmu_ z3fXwC&})|+&?>5Xx-+-+L(p$&BXN)#+WetA@xTuV@bMua?j979S&4Ga_04uget%5$( zkZP!~$!a80K+79ORY|R3D573(|HD&;TfCP>wrUUDn)n(a6aLFwm^+0}DPKlMxvYn} zi{6#K+h<@Xl6kiUFmdWdFEAew(kwGr-#}m~{z)!(SKcw*HsP6I9xhXo@j1D!_s=Zt zAmmCVW)(DsVho&7+{;}2_rrW`HyC8wxuO~1%pSU0$A4L7X*Cf?Jzv4Zu2B?&FV_zV z<)OK9d96E4eXUo~5#a&;oP|aU*H~=Y^i8}JRtbi&)q^_p~GqsBd}m$~4`j#+qDG8akq#C%lmNJf!GZkgx+?fQI^|gkbQwr8*D#D_ zt`JPK^eUh6UL{&=qkbH{tO0#Jk!4h*HA!nnpn7|9pEq3m=2MShn|}gm%Aqwsd{xqM zNoro(+pK@gn<)ClM`aQ4fr!?oxJosJFZ$xOK@LV7hZzW*43Hb`ebFq})$M6f;eJ?b z<~i4XuD0@>@LKA!*2>p!N<9#81+*6akOwxJpNpQ=oyB=s#R^I-XOkjMiQUn=XC8k4{TXtS7NrQz|RF4 za(ksmAW8RuGWS{ucg(C1^$r_78R zB#z4Ys!W>_D2~?g>aPv)&ts8=@e3VVQhcJRF0Yrhsjf2~vrBWv*_Vtd^CoG=-CnP$ z?y)4l_ATwHoHw*#BiALzr{$7|>!gOzd9}k?nK`8%Z2iPJ|0clNF@pb92+`oLz1**IJAo@#uZFV}0hp-U@LJc6)l!10HIH~}vV2eM%NQntQ4!LIWkO5t1wqOe7 z!9uGo?B;XobTk3YWJ>1~IQC#n*sXwJcHG*D%wi5ypZbXN_z<67Wu6?wAP67tl4ui7 z=CgXG6W3-Lv!>3Eu*Cke?;}sCj0~FiEMCv#1POz;>2I>rV|Rg8H+6dR9(0`SYDSx3 zmM5^Ww^$^7-SFy6prP;MG7~5Mz8-_U8#Cp!WzMg8q<*csdl)GRN@-ral;1P=5wPOb zQ?8(?W7f&E)enl@T@0rii&6xKMN(lCwX;M{j|t>-9q61F_xmREGc0EE6Z6ker)=h| zCcHh$;P>=S@_VmopV;cE10L7f<*t z$2{1{lg%N_Z&+a^(9sHCX}EaVujF7tL@k+&w9H=A^$XhOlG4*n z^f>ho&B<_ik!XI*@kPp^I0O$hO20ro7()ru!p_984)*<=wy=6UHflvsR%gp#ViZ!v zdX+d8*~*K)1!OL%FN!BGc$hToq)oo zUZU)FGv0VXMyb=xf9Lz>(C9N%ux8l?+PKvSW zJn)n+&kTfcCF^e_J<@TAO8OJt3|sXPu9;&mvq$DWpyA@tiz(bc{eU<&pXSh$$?+D&0om+@;U*3f( znm{Rrg|M8+Gj8!mp0)PKPpDlE-3%yC^DCSVf!ikf;ruDQPG%p`*AuM5p-2yMjuS!M zCjn~>xdA`>_V}@tyE+;@(kQiHb#w(53!A2=!pduMq{Q+N#-+@+sE^x2_VfvE$RGw~gHzn_qSA=($+Le-#v2 zywSu+j7Hh4*JOpricQc;wqB&43->!311T=yaO$?|nYq2D(;yZqxu+`~ht6KpQX@y} z^$!!Ba>5S3izlG5_z80%aDodhej-hQacjIjE&$W1GYdYh&pK# zDmDlM{-hxUP|8Bq+dKl)O@PuVK+$k+WVSBE;U(IxKVyYW5reH*{zWpDMkZFu zO71*?f>6_{F+GV=yO8^H?*O)H)(7LqP=rG*?8ptcBdEF0&56gRpX|wv^!InrVnFVM zm?C?PG~3LQg%nv|^Ay1M!L??NEM0E3QrL+HB=e_TQ5tHX-?NFZEAam9f~alkV5wwJ zK+@mRZ>^sKZt?i*f=YG2%@p{X)PN-_uYsW3pPp2gZUYo&H`XxV*Orn1*47(0))wTy zOgy;jpxw*Y)4rRZ-yr|J8+x2u_);7 zlE;;Qr(OIUb=djUKFD#`Ao>@U%l`*uV(zJ zfj?#0cSQODWgK(=*zk4hB92?&&WuUmxb(P-orujsIhW8)llyr);_)v6p=GFiMDHN8 zjy#)tcg>UKy`EJ6w&cpi*RyO3i)p}0sb2e?0^l8fH4>Ics2lOA5Ihsc}s-Vwe z_;B~;H8cI~zlT1P-~pTOHu-)1Ntkf~!rcCuZ`oDw0mNB$Ha)z$8cl>PH+8jn~zkrZR$PM)Mr9;sPS zXJ7uPk;q^-i5AS7eW%8KZ-yfyRV)$1r;g4NL0}YynwAazWDuLc1!X$2<=8<#p=PTa z60Dh}O14cQXOpF$(>1x+(S|lvtq)#gw;N;t(}^T=y1_JYxD5}uOCQRH+AtVkb_nyk z7l4x4`q&8(Fx9j79J$Vf@#8C&EXBDI%p}1IQ9C`nBehm&}GG))AxkHO~#1m^`md5qVH^UjGr`F!oD&CwN zBU$jv`Ft9)J`kbDQK0F+hH=>?g;K>+>!_U31ohi60Y;0!S$rX~L{&H9+R{_7^bGa- z`mgnCZ|nJLWX%ABZBQ{#L0&sp`**9;`%uUl81*V&-I3z1gKK6SmzxqAI!|S{vO5g0 zmO%xS11@lv>2fxa5n+QhBBzY^Rsy}u=EfJ*#;myMyb2Y9M6k3FBz+RbixHmMdOo6v zj#(u6TbNe*rZnMgchrDzo!UA=83MC60f@}nBiIiX@ihZ!u=e;uEa#rPLS?E-MbA=z zrP0n687_K(n$lrxrCv`K7VZjhg!bnz%;e}$n_7nl1BHcX$^Kq%lEL#VEh2jNq2F!2 zTZ{TUe)hYO^#mw^arx&78TgHG&(VKaMCNRPD|M8qbTYb+-@hS66Y8xn?#f*(RMEn- zu(pfiftXo+0k!b^LKE}mT+5K55P?;{HNB~`V&IE>ay@3Cq4?W~9sc0Ey{h2us?;-C zQ?Y)H|HUHY{=*`8!G%z2H1b8Lp&2XMHv|_LvW}+g*1FK00J{}Mc=&Kp>V<%{Un>ev zaNbF_+4I3&YX`4p14cx=HwAJ$a^#%S!$JfQ6NG&jeT2{p%na8^(= zJcIbN6Cy#tf2-@w(P2`mD^6B?&L!hYsKK|BaH8_a*oVGskIH2kNk^)FF`3=tLhDK2 z>)IXoajL^xl{ldcob?l`JjMhLlQa7pf5H4(%PiD)SOx&E*k;I!jnQ~sjx%#}>M7Qt z$AUo?Sy4r#d*%IVwEbb}vSy{%p^sBBGs;EpP_=29P`nL2L>eM$jT<6(Gqi9Ko8zBF zZR)87&^{QZ)F}Q!eG(CshS}3VoEkQ2_b>FU=F%L|kQ~@GjoJ+AX0V1A=+?EX_a-0j z*qN6ni;~Ue6-tgZTT`@ErZs_A-R2qm8#WeSIiYQe1DaVkCQWW}bza#~lWzke(# zdlIDP54`6E_EKNoikdbJzf`^BJ{kG*RI|?G!Ed{XUpy)dl!W1YgP8|o;0-Usu?;FE zRnzAco<${fxT%!ulzYR4sDw5nuf(4i+v|hnuu`Z(_1~q4N|((O-uAHhc%ol zyfe2dQxrC^Z!vo^Is<#XN4fLQ_tjS~&jXXOMeKeZX<|qVIp(|)rR`bd@~7g5yA4Sy zPcad@OOZybTX}DWYOe=B$*SL%7-m!?Moo~#r&?@yqV?-ptIa>pxWfqp2QS{QOhg@;|D!$-yh4@&%C5f|a9d4nimnzshxSHt?V!wK(phyXlG)>@>0O7V=5sKH5S zI?4RAN6r|h9L?UJ)W-j&=mvk+)yyd{`x{cCir%jxCHdd?5)nthl^stG9l+BvhMu=n z38jW$4(At>pVVC$2TEeyyZ^OV*F@C|W(PNnQ}0yAQU0g2I=CcXQYmdO10QKOzY*UA0Bo@g)#h&WIC;wI4d zk`mF2$|3jxH;1Y+=%OucS=N^LGBD%lqE2hU<(M+%^F>yd8mJ}O1Ak=;C zKUlas9u=;Qk=g)hG_DEbkNp3<2vK{m>F)Udyoga#;6^#-nPDP`Oxuc#8XU+cUjo{SVy68#aD*;3gttlu{y6Lfk zkbtt5>)wP40n_uQ+8)M;3UfAiRM_@X5Dea4V$C@naq}p2Q@y)jHFT$-9Umd@-{dly zZsSm5vA}y3>uq5|Xx?|Rgmj3v$WBP4cZed9#~{v#q|V`lq_G~~5i>K5eaNQ^rXc>S z$&Q%!%1MvRJ&KxILOriXXOHN@I$*y136B!#!I>AO~Kkf)Z{d!(jJpsV>6#(vD3(~M{EtzZ5@-DN30 zN^&o%Cj8sUP}UvG*2Ty9r&f*2>wME9OZHXIf|qx~xCc#{Tb?6NO#{x&ZTB;5ayJCk zb$X_>yz@Cz?m!!p=RWYKBxQe_@?hiPk>!s2b#TGo$p~wcb%`AAI&ukXg>=DC5%ufC zJR#V;VC^oK?3a(Y)v_lyeBjsk*yL93^R??kIE>CM0T{i|yzAAEEz0+G7v_cRcSw`- z{cFYGK-qje7Ap;PT045T``x0Av<-cDzS5EgLG@oHCi)FREo9z#943FF2el{rLBiZx zP|h6?kAB)G-7`5|hZ^n%{6%K^`)4OKpNrpJ79g9KbLnTM0`q~1WS@QGIy&fP8kS## zV%DF;c^FmCrEZPmAK0LsCE2a*@Ug?JDeu z1*;#`Z9$%@Pu@yEuA<)*QG;c4PBRYP@Q}J3@me3tR({!}vKk`DWo8p9mDQ<;uuWF^ zkwc?>QPfS;P(37iMIcOxD!l}d9azTb#wA0Q4cAp`D!^fEHEfN&aKOz-Ox)iGO7~@^ z>>Ozc#?*GTEcuz~&Dpi)V2DBoY5B=8$qSq2a%2A*6MdI7Cbk##J0aK9#^$&eTH3|z zhh*@;q0N8CfcwucF!RocxC{Y^EfEmOaF-Ku_RmTFv`Tw7bQ8QO8O}MQ}DVrLPh+ zW3KHr34N!}0VTmyI;%QEoJpJ@ir*!J<=Lz$5ww+ivjM7cHK|Fefs2pM-de(RdZ?tb zaufknacXJh8Q4ld==lNAVbnMB7m2AtABF3GvsYFjc1SL#Gjm%7iJ2S&6i-Kl5x z5WWs?KD4fFsbmMk76KiH3goSw{pzfaRR59nK0MEZd@!=H*D8uphIlbX2jckoI< zRosM)Nxat{auL+mm9re>m}pH!?RjeZ{SvNP4If>0ny_(g3^o2EBXm=K$Ow(VWeX-9 zS78B*9vu-x1rhkLxdeXFT3}|!Y;|<>5O^ZMUgLAjK*Gz!g#ukk=0Q;Ai+s#UV6g?Qk+^thW*$YI)-@fT$My^wF0gdD2(gE?=U zRB#*}%M(bAQP&eUlrNwJv#c}Z5MPi5s-P3pi!aIr$j^Z6#DnQfi)$+#tOPnws#DUU z@5QVR{nxuj@1x`QN;xXuLKl}A{6U>zL@rAH#cthbpyKEg@kKA`xiA*&e`bWUQ6%_$ zBh$!6nQ|O*5@JHcY^mtq+nq@CRNUjePefM|*`Ldz>Gq*~NGv>FAFhK@4Ek>O*7H;-W>C5e!itB$o6xfUMv z#qI)%h4>aUTeaEdU+?QOI!8M>SHGZ?D4m&!!0C3}cI|5yOe-touw?WKm5z|%h+xuJ zGeNB9aFRjNP=3qY!`;uBwX213=-xf9F$lz;%2_^9c9zNH9LJ4f%`Xu;8&;DoouX&{ zT+k*rQ8))8sgbl&wvSpneZ;&?YUJlf-Sb)TXD_ z+hHBV$H)Tfp-MLsO{;2NX#weJjX<`@t4SVk_lUq2>OEubVU>AvwmQEH>%#l$Y;-si z?=K)rGZ*~72^5fDCC>E|FjR)Wx)^={QD$Z>T!ZDGx^r#zyU?FJ&N6EI3mh1$hmS{LQDA0L%uyc1;P7~mddIIJfiJi zkixKI|8~#(lk)g^d_Ym&p>QKWsgBQ%)yd}&tX@c0F%VgnahT`E;aI)hrM(i&Srcv@ zk2lj?GP^*g%G&1sFT+=xTC`O3VmXJRlUXj<6>TX2qCrXcvVR9d_z(EW0E6(goyfc` zJ*s4LDX^S_O8Re&s_f@WdrDNvdA4k5OET2(GURD+Af?dP_^H9D)ZSfjYTFP0;!%Cz-Y;!lMhn4_k6?R z4~G;M=tP(Tq?pd15kM6?s75T=)(cG9JfYZSi5qo%gv33641W9w%Qvn-B!MseAvCKT zhf$YW!1<#K(CDu{@*eIK>KjEeU_!9=g3+HqfiN>^V5k)?kU@|ns%zL!&yXn#9Wb-702ZAW>Zk3Yh}ulF zJZwXe!e;`fpVwgjbaK=Vn#5KiQMf-D8W_8k3!MJ@qlSc1)gsH08ac>P$J z4%g|F>k+@@jGK9JO9<|I%ilTzEs!i?y~dOC249##Bs@^f7@MR}}o6TBDx$4pzUOmBc%5 z%-uuVT}YKFNFbscxYV4p@6uh*^+UC zJjd?!25izIn7BcENOr0Y1AA5( z!2nj1b~jL}eR}nhFracXJJT|_Nk_e?)8(m@JWN;P-2PBxv!PXc>_S+7quvSlBt$D; z#?^;d%(l2{ar_B6sO&3-Z_DT0QMhjb6t6`bM+bii%F*J_hCz1u1hOVnu3_ zf{^=wqs*^Tvs1wyOro=H=YvdiuW>ei3HLO}yec~Mcwd~t`gj+<-6+DAmJx)JrBNBf zhS8C%D;+=ZKS08&&W3$VtS}fS3}xGHCzxXyh#VHAGNPECe64^*5@c-qvbuHguWeUo z%%PYXYX$;*J?&9KKL$hjGXGC$m?C`1ZBGC7Vcu@?|IG#DkbjePF{t`eC}`xwTo-s& zIJ7&t@R4O>^ZCAV>-+7DY@LoyLbs|sPlr2i>-q;yhPg;PU;hkJ@7E8mXT0dpAa=zd zy_;M-r=@dz^qDpH0)8uB-dIU$^Kpzyu?~F)%G;nBwABSzBBPEO2rlYT68eiB!6XH}Vp!Kk>tp#6bJ0(7SvC9x;06{{K-A|BnFiF%QZO z<~#d~Z@Ly_3k9k1E~KKU^Afk1#`OHv`LsDNL}$!5@u9+koPkba}m(luXN-4EjUq9xt``g%tq@{FT2=a7YMM@7&Xll}deNopwYE7i;s5vki znL)Fi-qX|Z^KraVKf;OejMqM!2Acp(E9NYghPEBKu$%bUq35hP?WO=DsG(kPG+MWo z)ydmyz6h>Uk3pg*gM!X6{AiPEF0_zwig5&&t<*y(1_5aP2^7 zqpY4!7`O;B?(D*?a?wGi7iV*aAvmqorgOuFfw<38>oE@`nZ!N zhfCK~L-3SSd5x+_9Wk^FF#%P_{vuA-#!QFE@3 zaqclg$%W0LI0#S+xO+^P(#$4jOLY$V2qJXh49%su`Tivb`DFb(*XS;kWpx|Ve-rdo zd{sFW6SwT1+ey-!7J>KK?dpyJ{FJ(!wmKbXd0eiF6K(q+K3{M~;f zmrz{x%w0wU4cDrSgjU5N)n8%VJ$g@{?%6?ERV{ftfZJAuAA$W-x7)93+)$k}-da1%`XPa%XPTtE2 z$qwcyUs*KWykd_IrYh37w}F8(>W0MKtlrEyjx>b>NO>baqT-o5Y)W(L`Zu3)kd69j z7;`wMg)6z913SHqMz^dCA*t4;Y8PGhxv0@cR@*sTBM)5GDR7g~VNDK#y+Uo=&e2iH z_qow6GJC=e6V*@*?fCB2N>C`>Ln%g6OeM_#5ZOCG@{J5w z=G%r5iS-W-f))2el3F;c<8n_dj*BeUA=K;gaxAIY*xcM~&7vetF=uDoT}!?f-E6OG z4SZU}{mafovkHDPz)w`K1!Wr(Bj`BrpJlSrk80@V$4=P(@bf8>el+r zo8@pTVrh1GWaBwrttzZ$E;)Rk#82kCLcQ?bON9bdpc(?2dc9@vkxTqDu|Fn2Z58o) zmSUqzD`1HUV5VwMWHRyJTFWvJk4Z_3&&Nn^CNk~GNmxxrlY*j4XR9;*#dBE{DYPow z$z)pFeEZuy*wf_55fBY+m(h5*$J zar%+J&nbgFL41ut&hv2n4Q=W*ANd@q(`)oKu0hui1hKYR?klR_>HYq62uoP*p1O>A zz198fbN+Vr5pwODdc4fojnK-cZ@#P0^*FGUc?}zphw6`}*R^KPwJsZA*R~4?2JTg-Zu&w6>Le-N&VoE@$DzwxJE9Sw~prUU?h+zUu+8_it%P& z&1auNnsipke%b{x|F=-6G;w!bC?!S(`bRrS;D-v9YG0&ZPlZ_D5@7K|r{S<;@qh+V zLxoD!pG$b#D4#sP>zSNh1KEJ-W$}-Xc{2FxUFM6{^vyFN0>A(GY9+UxP?A@&iu@8tCgJy=QK@F&0&+Mp^Roga1@$)PlT ze4x>dhUmV?dqv@&3{?xnx6x6JuIL~87B46UFURN0O(Vi(y7*mSm-xf1Q0@(jxJZh` z8SAIIYN+jny^EH1JD~{wldA6$6yafOqY%ChhEu#fc$#tX?0KU0C2Yt)%_}n~KJJwf zhb_WqV|Lp28R)KM7W&y;!D^dY?~8px-wkdvEoeb287eBS6?|{RDRP={p385J9_K-l z%`WtZi#^LsditLTvA#%?el>o%!vax&;Yz|y{|LO!H^kG$mMh~QR{3%bk?w@I_30a1 z?_Ft7zUTBc)ca~mgKN1Z)*f-NdP^Z1_Ah-mj#c4k37DGBhq^&eZJ?;Ef{QON*V5K3`w>l0Z%i2^Qvcu+wR!e1PBbDjWg z1u1qLMIpn@6*aq(kD1OxcW-{Hqt_3oR2k8J;90%SG8@RCI>aDP5apavV)*>Whz3@N zSF*o-bJqiBV79s{t$$?b4@P;t0>^oh+Z5iJ`c73Ni3@#m8yczWM z_MjE+VwYD?(;1xqR>&ktLzO0w13tj|EKJj&p35E5TN*I$QL0w`VF#%uBu7QHL#cWH zNP#I6fcWJ5ds#`7A#szUdAN^P znbME6^K>RX@x3W5X3b{Z1iAzH zPzeN|rFghv=6Uun3tQ&M%Ht}HjW)Ri%2`_9ks*XE<{lDqaWq&rT^z@l$w$5JZs~+G zX@VP5c2=J#m7njYnIiCx)Nq)QPh)U@fpd~LcP2upBF8u;c?o|9?xA7-yN0cjvZ#EH z>`2XWzr6pyG4OZP^)Ced!tal62CGSo_3f&G9T zZoRsUt(+(kA|8h??b|(D9;Qm>16s$mTwlw~maJRTrY69l&59#aF}R zhb>QJ1LR!6Vt}!vkY;&P2|0u1s75bskveDwu>>7Z=M}LU80&cNDjGHIeN~hl6-HCh zU|_LHx(?aEAI2w=7YacTsb~>W&i$yzcead9ukgRsGq-{$5kI)Noe}3JD@jyWyoXJ| z_|SQQc3nk5WEv=u|DWbBr-lM>5AFPR1OHH%_-)=2Q?P8u@Mp8BpdtJ9iW?3rAujS~ zWi5o><5B~^+2gfvZR&#|y1_LJ&V$jZg3GU!s|>OuehfIeVs?DS2X`Nh;W_Gq(QZ^} zmP)hVb`2PnRAegZs_d;-zQc}N+(=YW;^m1Bqod`2EY_3h{9j)#J>1*BY;M+#Y#6Xb zi9>c|${V}2)l>dj{w3*qkPhB#0+jXqevj4ABEI-wb;A2S^07H81GE>xrS$?@=&D2v zhC!}ZWtmN0ViHP-VW6j#ZVqRfY$AF+mMDGa=`6<|%qWv%kCHEc&s`TOdcc88#uMIN z1hV?G@{dZW(#07!xWo!arDL$0Pz!IQH^=1fg(YCR4BlZj8b|mO zJBuj&a5=sEf$5o??Z|k`E8%qh-loD6+wjxfzUH6z>!m&JkZGV=)~N~|pKJ);^R$K2 zGm6;t%ZH)x$m>(Xr)2%P-sK|7+mL(3S3BEbaE7wo4k3965Da#v-uOQUAjj=~o(3YJ z;78^ZiYcz$%J8p^VUXaar%((X;{mWW!b@C8@n*2(+o45OP2y<*rUE%EG&xoZX8dt2 z_0+}Mo`P7txzG=4{Ic(f$BFtwjQ-9cjfU)Op8HU=SSK}wg?6#=Lh}mc)(zy zV$g;IqplzZUnNY&^m;u8r)u8T&?RaY!D4OW-mgU6&#ple<7M)VQr-}sT;!Tp=Z{|q zo))mi`Db>lpeKdncrY-z$S{1z-b^D3DK{?#6S(3ysHr7QKB_lOzNGNh{rleG`>oR7 z-|69DwdU{lZAZgbuw>1PX60{9BnRd`)^jh~IJ5hFS!VR5I9^%cV>`}+h^>R}IJ0eL zxLX7U>29qKG>PmTYOTM9q<8JnzdpourH^Cn1U@8g84me_G0#0{OVG+bqU4OmKC{Mp zU1oSIPJu*#oz;csKG-#Oe^H8A!npf+5)ZqBb!}MwL`5Y*&w=}7wmiKvB{(lC&s>g2 z6;46Ey2n}xi?2%$zcUd=;xDhg&g}HI%9fn9aQfhFCLTW)V`EnXC?rEr$8lX4iY4I$ zLi|zQON8fnj~Us1E}h5@JAx8|MrS*`P94X~0yGZk!WuaqV3++MctA6BUwt07ofM`e zzN=c)zIxUXks52dD=KQOD?T|cgzTkuDj*mk23+>l!T$9w)$b6l+3f4a;)~NZ>}5pD zdkEhT;chgi!)V8@;~S{P1a!ltxe>Kiq$JqCW6q`{`z^s)4snV}%alQT5ewj^Ps`?H zB-UbK6h-_ArKxmPbg#!^pLF)4)G5A0ugnf89%#h26}?pZN{f>+biApRTDMIgtB`kEi!v ztV~64CiH3N)qKN_8pm|+Y9W~ovQSkyD=!+QzjFJ3H%I1df)0WgHc4mcWRj~wVx-(b z%~_~1Hx4gC^mzQh29Kz+d36=Abxv&*oW|ewBPAoml|zMUIG3uaH>-+gaoa&UG0+1) zwOWt)L`wf;jpiCje7cUpFzM#&2lohmUUY0GXux&5Eu;tA5n%f+B0H}tstjoxl90>JN;O`6?@7 zkXX9hv~TQj>OZ;_aEQ3!d|ivjf|i9=Zp^wD52fvyd#@>0v#2%Pep<+6}QLwW$GC|iHNa`P}ZrnqoctV07W8sYQlXWgkDhwYO%gYZq<%q|iQra`t47I8{ zDc?XUJW6l~Mn6oadV{tKl=}D}y8K+l;FOx}{aPqE5;+y|Jq`gycC*L22859Q-}O25Iq&nl%&-jQ=ER0Wc{@xX6IIe@7o1TkyrLaND*Qri zPd*)Xs?y_NzukL-edOTFts9f_&T^P(=i($>HIUm~35rZhNgM0WH(><(9>^xz(X2?Y zGVW$BwKjIwi0)=4ffUun$3!Sb=P^&`Vnckyyjx>_B?hULjA|_4{PG{#Kj|GE)nrSSkj&K0lizL?tXKv zAuR#wf*`UjG=ci1`ZX%#h{i)3Jf!qxe8S*Wm34#lI_j4b|5&0diO$yd7~ki8Rbb}S zrX#P6(y-Tb|Nh)clFWzphy&wJ7Ux|K{|iqm6s4v5$7)FMs>=I>dvw=m0KIVY$+mP% z;>#E==P5k&IOQNpbc#{>y+11BS?12arp2sTbLrsWdE|Zm; z#%}rp@mjd;jvpKLQ0}#LIt^MA;aK*~{iyrmx;%wgwLnni1ctYj&HrF`na64tA_^co zWzb{$tz?mRI-FrT)v=kv1BU?;@$+{DuR%P3(DYQPS9M&pEy?PGPQRBU>Z*`?gQ1fU z+I(`n?uK)Q4EEy);7`2`F;(}tqZZK`7`Qu7tlqd5gLxqGPM7Tm+K%OkVD!RxGMmjC zr4^!Yfs|f=)ns>#*MF(M93Kxr)ShVvmtRQ;eg4}JJ?04U?3fVN(eQB9RT}lUw*KY% z?wjn~H5?5#D^GCl@aiis-^0nz&t>)M8yzFy>2ve#6@EPXA@FvBo5>HD;z7WN|Df8| zUi1ZgeL9naCXXGOs5c!R&k{Uvrr6|6h0dU6-Ldx25^cTvA7>=pzI-(84Uw@55=6L1 zso^S>MYawZw0yM>^x*`u{sp%wq&=zxv}<#OW}m;wk(LOt@^mW79V^#ZTa}zc4?nAp z(dAKRq4(`xxWJavDgr00UQvg3jk`eVfQD9keoQxWe{qA|l;>S3jmzNJuA+n2)OV`i z8dbUun~JZd4A^9Dg13~fwqqv<%p8EyC~po85J#Z-w$nu57gTy=NE!0Vq+F|K)2Yw? zl8qwsA$AekV#0Y*&lXA^i<+l2#&#+iHyR9rC!zCaa!34P=ezlzj%9FTS}e}H#tNs7 z=0Iyb@h=MlIubJvBax?A3o=No4NOF~^p_h6>uqJ~pZOEFxW#ZWX$hk)vFNx-b~c6z zsWDqE{<8X^(Bx6(3N2+jY4*Hx8!!=u*p{j}13=7fLiEdaw0dI&6NjsyRljP|Br$Wa zz9l%N@!wzOgXd?9!E_=b#%J7@w!J9B72Y!Eoa0-RSV`SDEdYEpJAop7RUqJ2k-`W zN@SkI!r zwBn=~+&S=v#Z>bcr*Gr;O9D=l_)>IV*=cTRhRen9usyQW4b1hf>!K_L5$Hf@?m{I0C@lWPRjp3eW_u zTVT@HA^Btr3<4YmZdF-kY!c4mJaciRRt0Lct>oZRb=?$+_U`8`*|u781zOGm;vB=F z0Afl0QcrFI(e@`&?Hr6ncNy*6*dt4#-dkXB`)`HoucUSj1J|yjrw1GH6kdB91!W!2+AqxbTz&GLU8x|-kKatI2~sq z_`y|p!{E)*2SZTGSvo{lMPlJ_+5yJzrlaD{)KtC-zhY94Xf*>u*bQ#IaAOO6<>~gC z;zcRtr7phOYP7Q7r)DYaZ%(!JTJdV$wF9XbM!Q%@UAEZzXdaqGQzm2QwVT8eHl3IW zr@28u9C*BF@gCfYe{v9lI|5GNzppB7lh7hEFKL-OJBLO+fV{BHjv9%r)x!gv9X~$) zR0jDx3TM_4Z)LvqZJx&Vq9{Nk||BH8JhxE#`0Mw*`b7r?7li zD=gx{=TTNFpg_)|rr2zH6p>$ zja9Z{%=^V^&ihrHk5SKC>}flL#oDBo%?TtX;jtcPV9zvHo>A`afN98D;8pv-?}}l} zio0SG`kzHq_KE?8rR$(cHO7W^LQlRc^oEl#Y6@}wB_r%ZaBQz|gpt#X*Iq<*KF!uV z4><(%dS@iyosDJ#iYk-^@~iJq{wG7Jg-7NzT52q08*iDqeWD1JWI-68cF&%7UYwUI zSEJXxU6g-bl9z950vrJy5d7aZ6upg+a{6i+L_4*yQ*%p9X{%RKH#3$jeMX~R=2RwJ z6O47lg+12egpRzrygbC<-?1&s1Qqfeo^Kxul8OgyN>BF*Nd7i^8iMyYlp;Z$CJkyFXwh;M<-tNn*9* zE5f+j@l8}%g*Fx1@#oJj<>=3{TuC>&db?v+1cSmuL4*QrfW0rRc-a8^nWsU)0PqVv zy#QbHZbS#KFlY3?7EjY@18;(@X3zXx&vLG0L}f~z`w2qWs@DfNLA%0R*Gs`2_qiTa z>v%K$ab-X93Go7@*IOApit;vBv_2x~B|%V+peq2RQS*JLY_)8a zjk8dpjR>^rk;XEA-SrDH+*J*dEkSZs{EG||;r`D=V)xE!MKa1#CednYHV$#-$M760 zfV?(Pc@UfMv-da#Acf5Q)qoSELjpqg3^f-^0FBJ5J=yB;SKtWfGqOUTm-l;`QQfjW z9apJKODxQob6Oe53h>!kOvlJt1(~GyFGbFU(;^Yh>o#PmG~PYj-r6stb~NMI&;L^a z!DeplxvMfU2HW3;sxS^IKz{uiPL-r=(XR8Kvm(4QcMiWIC-_LL_X(#+Nk1Nq{cSSP znexjn(SqjWl=zRCGoA%7viT88H3OJ2F5m?9IN4zr-l4W-9KTp=+DLcOv&KDA7}3Qn6Tvt{pv?%{*} zD7lr?6%Y6z{FyL!nOvmqsk<7eD(Y<0DSoj_i4ud+z~7Ar#o%p}|4)en0tXjX$GiI4 zG=N7q-9q#OABStQVF=46CO9Px;Q=G-vLho#HKZf}i!Oxa?bC@+|Hf8D;3PLB-s7az zpET3m#T0K#qXVN(#`?;qoBbV%76n$Ybm+4A;HT~YD%>EOU*PGM^L}tk&Ff?B_dE36 ziG&hqy_b*%{e&vFGxu=0k=cZ3{Nfalw$O+PgdV)zYASA*g)BzXLgw)zr^%z&#Q2b@ zR?VFhm%`xPw=#FE`1D9gw7JzLVzK?1Vb7UuvGjQ0q_@l;g8bJj6NgBErP)N-kH&#p z?LUpfzs}#qCF017qm}=c#^J%O<3EkVC`$DIOXC2+i0Gw3s@5hDOV5c1q>zfBzx&PM zL37;&fgl=QU9wx{_{_QaYGny}_|!13`0Dns?)!OI^L4qM!~6c|#QNpCEhpgP@Uj2> z;97j{<1e><6fkG)>+)=|a~i)%6p#{~tr@&LbpEtCF&*vu9_I3=#_ZWO>$iZsXue7%}a{z5S#Zf?ba3ihRYID8Xp|5j5U|||3nT6=BuA4YZ4*p zHSY_MDu;iFA)#K^;X|tFyaw!SSUwkv{pxe6ockqUyxWrS6Xw#F$mIBI=PX&M6dJ|< zybXNkbEP2!H#gmT zalf!H7^5rHILv4Fl4#L*GHxpLR#P82m}it^-6;NV5c^|ta31E;-`W~W{{L-qpa38h znR^e-Rhml04sT)2sDil&r}g!hVT~n{eW>wBV~}JPZpMJBgufSraH=gG`V1@J2=(SR z+53V-x&sycXaoSZlwS__=_bA31IWH!DUvv5OlV$fbCp+p#dB=EwcY)bS8 zLp1Xvi}pMR^9(arRMclUe57X0ESPyca|HceJz#aUQM{=`G=gnQJ2ue%Iw86`?Z#EWR^Z>j-`DYCa$S)j>RdFAgJim}Qwx#!r&0qfw97Jlcszk%0=7Ll z2&9~vf!TsK!=Wmlt)KWM+_t%cqF27KjgrpS8kHLvYTGQTfgtPETCkW>+rIsb15CsZ z#M$@5G3$?U%$)%{OG-}8T1fUiycMHxhij7u;z9!UcG<@Fz|baaI>m+bR>=|8gr(+- zK2yoVuNnc>|0V;c;xm56CUaqQ%ilmy*dL5$e}eQ%{63$|Kmn30VT)iDu)ea3JTUk} z4MM*Yli@Pu?nwIfrEcOsOKtU0m8AA0=5JsuV=j(I;?8rT1Vp=Z>S$j^VovTgrej1m z9M8uEhU1cH`#+=I;tSb&qg@9Xgc3+kJx08jn;sE7@!xAI_@>^gDjpTupe}_*22G*! z6WLFi3>arCP!(K`OTQR8S|0>Vj%#9K+4||of%ZMN=+Em0-v|6ym=w8D|Ghcd&^nAVS= zApN>sj!iE)>`d74%TmHxy$@7|pLo8SPpc_J|#UH0OUcij8%427<#Tv9e zNy+Wgrt?dAaoH}xkU86YOBSz^&CY1HA4Pyl;*7LG{h$1k;dpR9&_wV&a>2@*6IXc|n`zjbS6*^zM@=*(hOF_xLe%3l6S*hb{vDX9%6zZlTrs&LO*f_+a}x z(j4((hhGS(l&uoDOsC7g?IvISey+N~1 zD2(@=Ky`l0pmnj|>p%uL{!m8vL2NWM2N{w#{~y%*9B8+d@j~ezq8g{scB#oKXQf;QoVC70~!nHo}# z)MKYzDS#=}J*9W)!E0VZcy|NrN4I>QW?8}Wo&j}y+MhxWZBI*Ts;1RKu0bmTdfZ>Hu z%HTbn_i~}=wd92`WD&C0Aac8!_fomfg__fr{c|tibGr)sc=-3tQP7(!xBDm6zK{ZX z2FnjQpd;{~2Ph$6*PF4EPk`_L@&f(f@1LS{#{Yru5sPr^)joZtrZckE@+Tfyb|VKL z-zL|aJ?rApUboxV2D9U)%k?74J`-7_Ygv;@yxEcR!_CCjPoCGoe+tNFP>}*GA%MvK zFt7G}dbXDv0QrftiE+IXPK}PH62pF0R#%T47sTL^a`E7)K=O@#-@k_#Ch;+Qs~ks zKA#Ft{1o-q|AVyGO8q1%;?#XK>yo5N= zmQvU2U2-+=i6v`73A%Fa8=&R7Z%f4VB?zdf+5=br$skHNZ!7?)V|VU$t1>BZ2TEkY zh#)22>OV13sf$qoeog#6k^@5V0|MoUAZ1@eHBL~m$&OjaI=yE>0A&}%5q3h^bfl!BblwJNkHfe5{l$V728P-S zw{+&ID|fBHrNqOP;3|+2HoSHh!iQ#zi0fDf%<=8>+k1$@xinALRCiEitIRH*GeSa# z(5jY@C=NoV-g%zh0i0iJLo+g_JMfZ^t?p$T9gV#w_+B0FjF-symQK-nfXPYwB6vPG z+43s4$nx+|4;U2+A*Rw0YN|CfWU#bLY?!6E-o8C$PVG?~PWYwWZRs8R0WqY_xNe7B zh!KlFvG<%OSh(B^;_a3QhqkdS%*KD1o<{7hM|(oAxCgpsGTdkX6%opOWO8AIOg9rA zYF&_U#v08gu?Quvk5xgL$;6s@Xrb-$Lf4CCDBMC}A$uN(UnHU3G7^3bmmNtiJX9?BbwmL1OE?Ows*{&IO}pH`tqw51TPRt54ks5wBRr+0FDkHS z7c_2=oWd(_`KS)_J7~l^K6c@H`AhDx)i{U!*ytta3A&HdbZ~#yC|$dc$gIyq#H2Lu z7hSqp@#wEbr!;3ByIH|DKDk-poDA;(i6MmztAwsmP6!H69prTk=7I|EbCR99z-Cdi z29qYjY+{41oyEUF`M-w>5%gYSO`lNT;+XtaR@T6a&VP2|mgy`x&d$n^U&I zKS<;4hI$*)o(O@#uP{9LG8gzgq}Bq8=_Bu7*HiA32~n=c#p}H(qjJbKg}aAy`>vIp z%170=x~C8PMs(emvn=chwOqOONh>`^o8d>YMG!ZaT;cR|O?B}Fyh8F?L7EyZjdGp3 zgxQZ($!=9u7Oxj{t3)>+b{zd;l||nshtH(GmZCK~(kBnC!YxZJ^q7%GdrJ39sqrKz z%C|F*d$x6)3sbnsHiRnW2PMz;E9d50c-$*OUqHt z!Ey1ixhySPg?&tNxP1c5ZQ{ycmmcqVSUz5iPmUReDE#oNa_#L89?=;GT*@83^rLff zp!3py_5@@q#8D2d{@&W_2G+x6s}jS;-yyV9v3pKy&N9$$dN98se%UB;>; z2``YT*l!^BLc(w2ofQ)`MyhiHpk(d^H%>#tekSsGE~~2Iq7^P$`1h^|3E^!W zTI+%v1j0=QCtwtqiAjH}JgS&#_E5MXrAPlRoMp^6u#&+{*sjOxV+P~&3IRKSNsv73vt7T3%@lcAx=h5~73aD}gL>*^#X30y zGXdzLbxaKd2r_ikr?eA2&&v?&B&}T^hWwtj5OS8vT*FWqCdweCN>uHB(WCru2jkU) zjuUK^h={ut=!c`37Rw^zUG|iQdsY=5iK7sR5waB-Qm(nVMChcwdk3 zYP4o9tIk1(H67?~)TwJ>M3LCUJ}o;(;Dy`F23cXkT_yK;8nG(bRli+WXx5N6Ji~|P zcA~1^tZhP{{FSDPa8%uxT-Aq0H8gdm3$0I>J@r>|9+?s0!DIA~6SMXN!=_y=q8R^0 zG-OHP+Q=?KTzIDkOlM@UqHkuzSb9z35mN`*P2)Ou(KZuLKm&3Dv{co#N9G#6qn<{A zegx?ol6CvPM_r~w?DjpV#9cp_cKm`=n*7*^^a}}^y>L@XA`JW2AgzT}$ou1b zI&}LyWf!yAmBz*scZlGrUzyDNxp&ET+07lvT17e`MJ0e(U&xf6pAwj)>=!UtjH@Zq zILj>(%U<%I#$uZpkd;M_n(2$=j-H;JK4IDqHuo zd^Q`R<5nEsOk_N!klTG$r+YF6<$q?X87Ay+glD7HR08J4?8M-c1=f$m*1ZVY1sG`J zCG*-RFN+xpnPB(pNJ0+kVf_3!_^f;Rc52(H*g-D15m|yFIm#Se?@ako*}7rta#Q0R zq0y z2|Qxr&n@-=7FJ3o=vo{&1}r#bGz8!RnTiO~6)~S5l>0}kE%?bZub*dz8u|KTesy-> z>pK{i>oj9bE$XrW?9`y(0)tga`+ET7NTjvD{=B*F=T&uh)OtyI6tdCRW(K2Sf1vmK z(Z{)8jczx=U%k}Y@#~Q8+sBOSE!`fhm$~!j>#Z(#KGL(#!^fd_R|1G`XK&{(kCXr5 zGc`TlZctguklep=ZM$Q1?OA_?v)4R5NmgLi9oqa+D*u(v$d3WLffMVSKLy>3`AqXy z)@y=+5a(BUU6e!#iOzc){h?km0v^6o4aB5z(-T1ScG)Dgvbhy1dS9Q%`JySoxM7ZV zX@Km{Y-OI*gyppfrvXu)W8!VSLZ=2Fr%W`LG$O{`G_RWrXoFPNyz0RxVbEra`L zh*v?>)py@#xwr23P!P)y<4fS9*nHQd2yzue`qA&;CxlmBy|kXkH~#ANRrni|_H3O$ zkI&D1kb2XJX>*r>h92YJkx8BDuE4Fo+>}RlFs*U`jn}V-4=M8+q}TT*?`dBWZNb_R zJk92PYIK+e$hQk*9hvpSNO(T^OG`b)s5Ok~v`8A>BcoiF=-Nb;6 z(YJ)??)>bKGnzY>S$v@$&MXPqUwqt=Up(BA`FAtEi}z9X+W|FD(RMi-_+jmX4Y!NK z!2{{p;$v~<^8wpym#$6L22bmTsm_Z`p1*-;eo94ybu4U>^5Zj@kbR`>iFPyF;{B>{alBG(aT1SwklP& zR{uy61-IOV-!`QmDMyuh!j8q0b+AS1B#F(P&NcEUM`svL_E)e}#Qj-5o>yxL#6xaJ zI8}a+iKW*}akx%Qt#C+h4uzt*Uq>jDPG?r^<>*L0m#Yp2`a}B&!_4btZj{};Z2P=p zYm|33#$i~YBgqOgEr(YISguG>uXV=sBzi(vEl!8-@TjJta0n_LFYWo27!|xv3X{RM zx~PBPG)H&JsNrFkB!|lKsJwBlzMtx8`bWX>oaDOf?&*n?;o~!UuVZO@=JzbkpA)5H zxuM53GWsXyfhZ?C3GJ*~b>$3qATYi%%$|L%sbejCVI1`})*8|Zc6-c5QGv45P6l21 zit%2!g}pK~QW&MTz+ep66sM2Exd2}>^lpXL?b1eEqu>U_3Yr<-YNw^v%~gU1;vl#Q zLd=x&yb|z5?i%(8v1HR&D7dzM6H)R&*ENI3vByH8Zlsx72Jnn1IP?LVgIj)S2Aqy< zF;$slH139HALy^brK`a#s~LPC)$8eAf;AeI0ozmjT|d{J4Zxy*c?F5W__f4$xi+Id zi?dkyCkQ>uXKK&oF*=s{ozMFOy~_cJdPvJ#4o#!wjAye1FRPvhIj^}2+fTEo_aW~q zRR3n2*3892$tP&=1q{PHmtB#%_5M#i3%1a z{LP7$>!7fEXcbrOBE7s*jq0QHFLQ z2CVhODd)tm{Of@b1=*Q9rRs1TL@eiW)DOFx(&EabD^x9?CCHztTKV_MceC%ximN>) zBdH@W5MZ5UxT^ZnPRyOghoRX3zPES+ zyXWmMX~lYt`q{C1KKDR%i}medc+F!7aNNyfi`VZh1OktdF9Ki9u=MS&)b>Ts`(tTz zi-tIy{5svTtlH`pp~4CAifMBa%V(QGY!iESoHCcv7#XecS91q;oXM7^(qV?-BF&h^ z;jghSPxf}`C{3eba6C)Rx9P8^8DYOnjYsEEq6~HP<<;2zt~_WLUmIMZGX}+QGgNdJ z$A5W7W@*TxMKX0l)#I-)Y^sGt z;-Sn_`=Pg~+#l5B7)bdun_4aDE?vRy(lxj_+QRiD$-4&5O6eSXbW%GipS$g+UXJ~>NYO3CLb=*mwHJLAg58KP+$bNW0eIey#u1b`X1TPwV7p>rxaxedugR2p~A37dhLcOkKG zJkG<4Q;^e$#BzS7g%UG)FfVGblKDn8`-!fT4VEIbJwx^p%`*MpV%g_=ER14HTTAB( zv#adRP+`~p4so>-EQE<2`9rJ)0eFKe4sZIAFiBwYeI>nn+heAsNC^Z3>(i=n0twnl zV{F+9-)VNVbD!7B;!n3|8j2R}9WB$NUVWvz-ymKkYRewVI3Plh*)l%6Q0#GUXk3GU z{a&@&P2H=ZTp{P{=x2@14oLXMGYGR&2Nk31E@S;g<;1;r;8#goo|f(Nx*LO1qFXG$ z>-mOrZKr^k3!p6hITg<6O=-%*c@f7Nw#c&7Lx1VtHEeym_#sVFF^}|tm76s*IaeB1 z6l?Dzx?o9TFJJ0Aw|B%KTxZIHaVclvKn#f6ecvg{vpkogako-1$$%`-xsP^FTwnufuFCyp|JUzkVQ}0j9P*8`Fb&LD6{oZtRI1=?X}@=1?UZ2s*G@^?p71R=W)kZA z?Q{J;!Zp-o@PF;1c-A$wUjg;Q3nRJL*KXO5I`Ta&5rX%uIjL~mExg5PymDsBS>*MK z94BY0TVZ$fD9x}UR8ZWXSRV$2T?ns$M@vjpQWUKR<(=IzUjuVP z=JT{mv@@B7I6VTmbyVf$xm3=hD9{_d(9RX@87LSkH((9H^Nik5^I3zTr13rV#L8b` zb3ddBE)oIqJx1RHFXs62#R48?!~Cl0Tgms!i0{j*03Vn8+XcqH@7Gyn53Qe5x7XZkeos{E=V3(!a`fq%Y6=hf>X3kRl zSk?Ea$oG3CkQ#j58YDb7&+N5Nd&a>VKK%xHx(Ya~OegdkGpoR0hK)*5roxxr^z7@w z_9g4-H-dq&)IDorqdcheD^In@UTHiesDH8piNAxqo#suz(+b!KD03HkP{kZ)oY{ch z$AYTMo2a%>T$`+0_d5PWZA5>c&jQ+3MG$^xbBMZ;fPoMZ!0fNp7Ko>RU3yB3aVY3z zK0C)vWvN&jJvg~BgFW8CIs{0OgD%{L4i2;d!rYY15sUBO`d_IjsBK=gX{VfA#ebwb zs&74T!+8b*sJ4^{m^E^?Gi&g9vnz~=6tP5>XWkS|-8SxL3w zZ6usgbr_7nSTV_S-^*?m1W2&&K+f~0JjVC=s|~yWkK0xrUI4Tq%?)TA$UwC#*}&u@ zB=z`{D=1*41I^o%M7J@`9h&ZlwzIztl4*;u1O1fPWS~I*T~3T_%F29x=Jn!*i%ffK zurunWFQ64pv@{cwP&!auD>Q(!00!6J(Jg+toENKFg9t+#UIkNxWmHNTDh0~4Jf8E2 zN;fSnY=+$K7Hz9zV0Kn%LQpk058r#O?;YYc&!(1eBZrnyZ)PrFGie^Lk~MR@eZXjF zPPBL+Qcp6uP^_ko&J7fIY1U!@I1R*`QFyKpYl3{3r3R!0;7C`Px)MC*x40cd)G7vG zq}LL~gd-+_AOD&c3zMX;2{F3=5lYiz{B<_qJL{9ia%)952FGssRYOD)ARQ=D+)EU< zJ(HiFG+*l!(62F0myw1OhOOahzjhP*1ot;0KS;qwZFxli(ceEqTlySlkGr{)*#$s?bJPnA?_6C{Iz)P=;PMOd{AB%H#AZJ8*Y(L?zw> z*#mme2sHPX3yS$>a3c>^#<7v&RrOMFW{45^UkkGXcTCh*<|8Mo%#eZLH@BR7drO=T z4PHcnmY99RsT0Vp&Jg3IK94cKT0_aFLNwE}kMPG}*N-Gk`cf9B4mKjbIPA&qrRBDg?-ZPbaJjLvx5mUS}fdK|9+;8n__*wa{1WAONa^o_ohp`qAr1aS5jhXxnOQ}|Gicw=O znx?Al2@%n`e7lOjA~~$~HK7DDV%P^9!4OnB7xfas!JT>aHfCIi*^?c5KrAY@MClWQM^uzk}r1 zE~ST5A)NDCdK0}B&$q#;P=01($a>-}VowE0zr9Lnk00rO;nTXag&O`c#@`CJb9O*o zN6qFnVd+jPGSsSzMPPqnuP7n#1^3$$tya$CiAxEF?_g}2~)SuJ`8m0G3Hd%XmCX2_%N&L%^wEs&it z|8idGGuLK-u>E}K7kSZaW?{bMGBb_SnO*i}yL$PgSJGmV0yC3Y&F@qCCDamoct& z$8<4=0#nk|7c@ZcC?ED=owFDmvN)%*TC}@1#f@?-BqyC(yJlYt&FOf$#f?VYf1-#0 zH8%@`@m6NHx9B5YPBF{A>8$bBZyH&17n9~=;}D$@);tI3^ZM^zJ%_9G$WChMws)x< z4)e%PtaB5{ht|PVBi?otSyTHkyB!JP*Y-_iH?n%G1c^@18ilXuR`M^Gp309&uE}`;4H( z`K%sis2<3yVM6|5;MuK$9w0p~nQHodj>$T821_UgQ9R`8VO7{1v?+j#8;SQ=fk<(U z{7wrU1;L2$qry?pGUF9?OJ2j3UW0XS^lyd=&yqVOYbQ9jlz&@Py$=>_gi%avfCNvbRzM6)`GUvjh9^ij{& ze-Umne;ar2IH=!MqFm)*T!i_7yX^s-CWD=V@HiBy985aH;gwGj+IZR=5;x$mvBR4- zB0;gTY}vc?kKsIxpz$!SA0|uFxC*l#6=f<^3K3EWR+hpWn=fk5dERUq>BZvJ@=N$} zvikMWIU4rOBcy>h5i8b}wdTzuvMjT2)i=j&9uk2WB2PQ^T^_M#snD^P@HeSxZ2#1; z{JXhJCO?T&BqYiU+;dqA|%di zC+i%+QF_%LauxnWg7`+#+#ZQ+2n0=+a$|b_}Hw@Sa{uQ z<%i#=WW6WV>;=L&D!Zmm!@XoSQSQxzQ-)&AUN1CL=?KNU3_&4QVP(V&QP0nQG*ldn z4a!h@hMTz)ek!|N#y*OST+0pZg59b`2sVk4)e0Jf_hUu$lhr@rJ_tPiq%kC`!_7CW z|4YaRb@9t$^hx<|i8KHu{Gy(Z?`#vM(XOGvWPLSd>7;xj#*GqS*3p@a1~TY}Vm>LO zAK`^#Q$sIxx~@-dEqBCapuvafSw&kQUA=~`mEuLV7PN-sCH9+GUj$>K*qpblnC6BzBWn^kYhQdHCbXYpgsu79lIvK25G%ua6D?3 z(ysy=xWar4pI>{xDbtX8F%<7pTz zxMOqW>$SLC>~*@dHcwvEO8chkd7~b4k729)P$#^ZGz4*nOiS{8OMc$C)RJ725k-&o zo->F!Pm!A{@{23n1VUs#FCWubXd-)vk@0U=f#+XgOzAK|C%(<>A%=kaU(_D%k^U)= zHTwPk;<)i>ZC5*L$z&DL^%mynbx)Hz4TQ!EDi=1!+9QhEw$59E}y{G+-rac~ED&YaHhRw$77B8g zxy`#@3>0yIh7{ul=tM-pHK@SfUU-uH6|bkmHhC!Ui&#UmJWU-yR`hV58R|7nTB1ps zxBn}Aj9yz1(eHic>9ByhvH`COq4mv|Kvythcx9?s4ZD)HcriNh=N+jWwWVkh;2=uO z1Fi%h(;&d(x~7IiOC$4W4k-);lA_QfN=v}sQy`^tAGmlz{0uWSSsri?!Qxwe zYlG~t$wJ!AL<9{~3xrhUzdB~ARrJ&7#6KGF)MlM;s^7&O9KQmPCk3sZvI9wuioB6ZKjpdxpVelC4T3uS_-DXG=}3Lv~k)LM1S_#W5}HicFWXbPzRM1X zMoPhVW6zDB+PzOrp5_J~rIV>FRfSb(Ri|HvfQZYo*^8w?B-pZ7$(gtGdRS~zlE(5%r+OPrzn^ zrPwFt#yR5R39eXT{ocZcz1{%s4wseSH^Q{|AN}a#kCC7AqMgrTe#?RpZSE$$LX;^! z9t*rH4FW$tQ#MzD?RIytq%d&8jd>Rxm&eI-sIVTd*E6mtu%yd6joZ9>+K!Ne*_il$ zPOtt|x;I)W+p7lv>dAV~N|wJGfA8sm#vkP``uaWqZ}Ee@7XqpMRso+7^RtP`WjxP# z(;{43elA%pVaWM@Aoz64+*CjaIhdV;uNw3#( zZR&ITv7BSY{*3KHO;ztH`S9;+nM!o@ib#dLBSbcP!)Kf^s^0U7Ow~nUq4!dx{z9Ng zbCl=K7OJSnaw(WHL}DHG2t~nC6r8!AW{(PcazR`$OyeN&%&G=QMt_C!Ub3QGc@($zSaO!OV0h z@-)&Ie>hJ)1=uGruVV1`ShZ5#^?cT#KoF|L5GZiSrQlw+2l2DC z)1~NUatC5xd2CtP)c2y!8myveTxwsr%Ndk>LQkm7nRarc2!<-or$MmK1ZF8jC@Jbc z8(}HVi)6s}$PAz*+h$Y49x94uldz(pS0Cq)m?#_%{mA71m%wZc5KnH)YF)iDdZctHJO>rl;=P>lxJi#E~6Ym=u@ zem=1Q?%|V=@|ZCNehuvhTGh>d@#$*sTsqk2+pO)z93@`a80R+Xy zMz!a(wcFi*URJB>x^zRQ-GPP9f>qt$$J!)j*a&_1&92maHt*WT*CSv1XD#}y>(t6u_67u&G<-rOO7CXO%MVx~wwxcqdhBL>zxo-H=brde z8Z`r8)6AB;^??xPYJaIizkEnJ-)h1N|!E`|y6vNA?7){#!X~c3Au;rzDI?oy>lzT)@ z-CeZ&V=^S85f2iuM683Dw^}F+E??R#SlY*v7=(C$t?>HnZ zVA1ScPeu#zj*QAL2Znnu5RWMEInnhP8VQFYv8rcTe+W?MZ^EN+SElS5%TFHcAnZ^} zo4UL!OfI7rcD?{uZ9hU4`^~5%iZ%%(uh?_&FnvSvQv^X3Z^h;Pq^u#ovy8eWZB7tm!sM-YRLI3F5{%hv#K||e?`sA?5wBg1# zzX|m7)&b?kuLla9Lf?Sob3C@IbFa*j>bW_TLfE z_WF2B<({RRnnwP?tvA~UIz$OBHf={1orE*;_A#TvJ=CiR6O9(jhjlb)MT`h%M^IV% zhrcx#aMmw|PZ$aEKleddd(A?$M0~h{deMO+_47hls;G`~#O>m=bYfQRbi;+%xY=WC z?0`YqxH6pq?{JVkZ(g2Gl#Q7qbuYygrDO3uMpb{XzYrQ@J9cFV{N=67fKyH@aNtiZ z)5Iv{-~u1czdtRSooRkZ7C81@_a?`lFe>!eZceAW7QUu#<+_IYp=^IXy1TT$I0n6S zA1s}1%+!Tq>hmXvUb{KI18y!IUwQWXM4Qp_YEs+G^mxd!`H~}P(kv^7Peu&FJ=t}p z(0`8sdd&y+eHQZyn|uGUh_O&d0>Gw!ET(jysCl{2@>%kY>^B(Rt<}9=s(CHn;YQ2| z%>X|0``)b~JstgecM$RZp5Kj_O>#bg^aP&s_jnkIc)8o3ivD|6c~mx{%#tJ_z`lY+M}l&zqp{m+^uu6LB+i?0w0f?t*fI)pTH%O2OENt5FDSWiiWOc z0*;GY1QcxZUDQwfo1>Vyabk@z)imo_w7CrMSe5!1vbu#Aw)hWl7$2p18UY>{Cw7b6 zq)D;Vkl3GAQwcG@lQDNu7dEIeoEsu0#gtsKPdtn41n`6N$Rro1Bv4TLoXrdhhD}P% zVEp(pO-jWbG6u}kmzfF~wMgS!#CJ@Lsq`tW(;JCUkVT0($a=_{=aKxm44#g2pBW|Q z5~K6JgVe+WhM0@giY5;ti)u(%<+p7pqSQZO7`))!erTxDIomYTUW>TXKpT`fsc>2W zWhd5`XZmkX6LrqqXEr0QyD&RY{!BkzfbR%u`T^Kyv~E;BvMxJ|pDxe@M|nHN`7TPQ zLpF{htmsUJ&e|s#C%YCkzs3FUU{q^=WRzsPhd42vol`$68TKwk8_Si6flV#Ms3OA& zxIm{v{3*}KGRI2+yB!~{)+6MVhd1kZjqDsgHrReI{d_`i*a$6Ay??s{0Ep#k6(~+9 zCYODa4SxLXEB0`qwoyzgs&Jy2v!+!5O9tGdR)08DRV!+t=3(m&gCSJtnC=oym2{^|P1+m9 zWraMKaqk9uxJ$);g7^##YD9;qkFd5gA*t>=w>YP1aJA1?2s-M^$aGZ|mu6XkpDJ9o zmnpydvXLEJspm#N2|ZfQGI5zbBAY&SO@n*2|1y}|qcs;}qd>mRbns10cgOsw`FX&s zm}3)bBhcP5jWXWqInWUK)KYkmhqg{*Ok)tn?NlC`A3ZQ?@sw{4T8mCN9e%w8y<3{C zwZHP8eN`?najCZH2RgkcAvUUxP(vI<@~L0riZa=2U|kNMXLsjw8z~s8KY3)ZOkX-_ zg)GM%tOiv457Obaxe+}!B8FT?IU|p5o?Zc5^x0$=_hct<8SC^mo-<-B=iu_jz%WiM z=I$BZ?jGE?D}z%q=39tDkIhcyYi$iZCxq@T?^G8k1y-&R`le%(*7*>89`YqXHTkEg z2ybv%LN4Z_a1!bjAapV50tbE}zN=?Xgv-u7*ApcyEfI{rv%nlLcWW z*#}7 zA0?a&b3nOA$mU$o7&}n{49nnwZgEFM+5X8N2D~=4Kf=LH@H#LG5z<;<9(#a%!mmt7 zZ9B;BLq1lUoBKl_Mn2)`w>vYY^1w?%W<3|nZDR}77rl2yRwD$~2bl zEQaQpY$o;90Tns1p4sr9ozv7oI;m)MJv4tPHKcooleSi;KNr|&R;Q+-v{6hvKG*8* zz!KV21lvt(#1kMqD8{K1M7g0JuaB%2AJRKgUW;|+%F8@pvHMUmDOpNf;5!keYQ%#a z1BtflIWSgsy4#o?m3E|TlgzzgvW*@^A*(;_AT~?4H)|hUb!nKIEHV)+d7&M z1xAMT%VSI`8;nS-ch9)Vfhc0kJGlgkK`8@-#ai6ri@4S#)E5>;)LZbx?&4_0wvX4) zceQi~NP^(`!sBx}_ED3j2tH}m+N@irjPt;-M%~6hy1KdmO;sCc6rcP<;Ywrk#@{&C z^xT6gb#fsVU*u1cw!Z`w>!MaOG9XiSQI;I2dw9{bi--`qd9({Mx+2Ag;hcP{^&+F0 z|;Y4%zB0aDxFQfgq zi1OS|<*E8(9aVAM!V2iJ+wDvAfZ9T=5cR2;R%G3>b0oJqQllj4rcpPAcnVnuMhF5u z8ycQOin$uYuPoVpgJ+8}x7}`f?ZL|Gl7|H3k|!?`Ga7!kee)Z61P`j)IQqB719(+V zRM6yXcU^%~t;2i#jRLrQ6aO5G1P@0QRj#VsV`Dsrw8p8_N*fL4Y^aBR&cf;bFJepU z?6luJubftv@aXkU8X4yc7!7eA#yt`eQamhCdE98Xvt^xw^}|}UpDbm#(k$k5nxMdn z;aN*<$ejYG8NhMHWO}%#Pw^+G2#vQ|?K^q|;a;nb@L$4BF#~wSONLL223T-;Uz`|8 zY`RoahAvXO<}J>WJ%%n2rex&iaT?)IoW^R0$dzK|XcCVk$+~e;H3q8;PWFhD1E5Pf zykc8FMW)c$7-Cdx(Im))s+;aDOG_INhLKw0qQjF6=yrvQF30oh%+39;VPUg~4h@F| zkLZqgtz7{t1zO-MM3xBuz|;G>cjM9U-a(<$Z)Qml&vlNxf5{{V?5v(xp)o+6tlA>i!wJpk-fPTs{1Yp5BG2&SSIyu(7J#+=sS0hX*L<~K%PxR z2VHd3H1kQ z`|v+T)$Dk^9KTQXrs(wezFbdT5GmX+)G%!Kd@$ZtT~s`*2;X$@^!R*U4G5nm#!vYJ zIX`$GuIKv8H@Y{q{LpX?q%+NkPz?6-y=zn3-S$&Pa+U?cZPl$b+&A>8TJe*I6XxN< zTVtMbrn;$jI=#*HWHUprXi_CPZ^R!kYH}8^!+lvVGpxx%%}6q-!>7LqH-VEe5c4D$ zpxVErz?N~z3VI>DXs-4e!34A>gJCtL>xy6xi3l}_eb;_Dc#cW&9pYF!{Xw`^y*hYj zpwFZVu_vx%NWZqmk2mw4W3^>zbR9i8r@pURd9mM`w(%oac-l;_=;^une(F&?nP@`+ zwxIcCO547K3MHV~o4^I(ApW6T;61}o(v#Uu?4CogG4sej&bFwrS$70p-P`*b|Eq+4 z?I;l~?DQ6;srieoXgcU@LLwC4f6)++Z9P#Sd5f~1sl|#tqA486F6THsqCN2_>&CT2 zJb!y1I^!{*JDJme+?mryO$z<0$hHmo!1ofh^ZGb^7GGRSjjCa1$4%a0Rg7l6!~4B# z(^H}SQNIH*P+1YZW@#wXx03#AjmxkCHEA<3taNp(c>R`V2b;XO{6fo-Gyt!YQO_|N zuBUPAg!xJ5JO&SWZ>327831<(Wrp_eQ$eJbA z6bq3pP5ETnwJM^Ka@tdwl;S6S+f6XbeyuF^sK-{mr>b_c%iAGm@sxGnpvms`eUB1s zt*C{@AuP4D9T)MR^NIc--D^!+whnAysfJ~$v3Zj$Fb|DgE*+4rFfczc%7E)Oh4K~L zY$W-9cIb3922>5K!qmBrvIqZIU2@bu{6!<8E%q6lYsHF7p|DyxR{c!;8E+#I+BWZ5 zVFeOhma^~Df<3ZHlHnPzN#HIg*xW+lzIWq_y3_O(ViTd0CLF_MOI^J}Z(mn~V^iqK zJ%1kA62DFgOn53W^olp*z&CS`$XGjH>`tcMm)*BRv!ol9+r2kG0iL`h1Q0%GtE87pYr{ zCKrlpY0ycaS65$%@)?~pY$B18yER~U9_XCuF@ z`CCR~f4yv&y3~$Q@d&*}&QT%Z?mg67>(gh7fYP%|kTkMQ+0dv2R!gdn$abc?| z|0);ze9xkC)c~{6_7UDe3-{DRSIF-M2^C5T540noDs=48lFafb{q1zBmKa)RB<|zn z2~b?Sh#ahhNFkH6@DuUoj0OS@z{Fs+{b|`mkvedC7t&22&K|Do!|_TBUr~wgiGyNa zY=p?Qak6r2Ne5=~Q*jTHiLTS*dsak6icw#P!8Su;*Ejy--35EIiaJ8;@89vI+ft*1 zbnezp>l0hZju)oH46_*Cnp)}Hp)Hhq9x*JPt$k_6HSav@J}rRujFw-QAPDwf_noeQ~P0f@J-RzUy-(;wl+Z+9*$-rk&s$D zpN^mwpDfudpDWj>WV%agwpd&=&DNQ>P(fedD_hoCSrZRSI2Tv41_XU^RRAZ$gX*-- zJ4aNBkpU~V;!=Qo$N*(AO;}k*7Mx_(Tw$h^K z0|#4X0H4({wbdoMQ%|%uNs}|SUQwu*%iY2 zWrR;V=KMvutUPhW%fqsVrO}zEL%8PB(^x!0V@2F%*#dQGED7zWj0DCMdKR32KQ~Xp zJ)P&>ynpgF{&(Nsj{{CE9RnM?D+emNiBV0!wo2nqa8=GI0IgZy>>D?7V^=cTQ;I%8 z!;qtgteVllD-#)Et!O3fZ~unzRxU6bscwxsE-74tNqM6!YxS&M2!p7H!D&Ey|H8dR z1`J?+)#4ZT!8(Bzlg#Vs5(0m>bNBFX?qH-18q(Y4C+wpijSE!1AL zHLoa`$Oxx6Z#1Xplq#|B6pj8P1~nk$+DU_W%31G#6X_RgNWe`7P?lQP1Nft6eB6#d zA3{rdpj6Qje_EvM0Mh&Do(qnKE3>OwE;SQTm?WipvBe9s(R+Etq}tJoQUk#KP&k4a zA>E?>8Km&mq@9U^@%N3kdsXV3f{R;5#y*91HVW?q0-z^8U!Y^_yZZb4vWG$fvUD%C3H_}` zQjR_$7?@iFW!Vk|!b}ifk>@@)_!X`;8(a==y9X(OIU8n~5PtLsH(#V!2Nq1(STqQt z4|9KTouG03-pTcW_cM=*gk})&E*B0&q0lYJ&;s>}U=9GC*hya zzPBzF$F?UA4>H-}`rQb{4lW0X{TAzkX$1kiMHgd@_@b`XLT|}83Kmavq3PKF^%^VQ z{;l|=?^~Nm$#rjP)-?G7|K|w**T4*5*gLjh+JpJ$LDlp#sWxzAWIbq7ynP6Kwe!k) zwrPui4L!CUE?5|=cH3p3K3%4QqH?VTmTJ3iL(yiLXkf0`w%QmFp*GJ(BM?oKZIE}? zQ~L8I+cn?@w-*e*j4=;q;cVh?Xk~gQmd)$%gmsc>E8`bEkp!!ya?s2z?w-NfI3>;d422@%Jb`>RZsk0MJ*vS~9sm^|;KV_ya6hh#a_N{*N&u{O5a~ zov?kco3%sWvdy=s;gCEYe^@~!Rn}c9KV6=z`iOU^W5`6}xC*q8$voCl6Ap_nn^i!n z-dqnL(n6_xvY4?ZsS<-z!Ezp@lC%L{`4hbYU3(48n(HvN=}1ixj$iF&11N}3MU_!K z`}s7}b9_9WdSL$4=eEieSoBKlVFWc7LpoE{1un)9jW8OlS%WGfI}MTZ`#LRNb$Mde zi74XtVaAAxB!su;-+$_jsFny}Bg@r=Fa>N(`L0bg&TkOFujO$)t~=`e_vQ<$35~m( z(69uwb>zX@JZS6PcUh=#n3JW3JCywfA+SdrXkPR(aPa?2A6jTFiJ}4#O$ez*CW*FQ!G-u!1jz zWMx6ao?Cfg2^CDc(UWS1 zFGKM~;<@5#=>H*rGL-3J5{&Rul>pD#1Uz{CVKQ62RiO$QxB?FW-_`)9>75vK};3t3F3KBQ@*eXE5e?xV&TCKhHgjQmteLU9@|dZgdY*gf09Q9Jzo zwp@P2RQMP}w_ic~DdePkLI|aPWb9tZR~MPVL7>!JKGdFGzjJ?BK&c3GeHk{ySt2S` zXYC}-I_oN@?tIju(r_GVpN&|yiVpyhk#q{;SwQ0H+FZU>0TOAuu^gZpe3&=$pOYg zLR_o68HaRlc#o#IEL|4mG9BezwsgJKkq7zZSE6h-7wf zv8*h(3ir;#p!1UzVson`Wo4{XB~R5E%_v@Fe%qv0Yaqy!3N1A(xaD%bA9;rGEVJ+P z_N<(#RM+Oa8rXEp2P^efid+l$EHkWL9G-XkM>JNA)oIGAwj0OU;cF?CvGS9>gA~TP z8XEN&N-p;5XShM>_RexD5w}N)S=?n6vXF~fYFsQR(k-|$-*X}|vo?7$wt0q>xjraL zozo)dXKfEs(Q#9K>f4du`gQj6C<%Nl%FVi>O@Gd2@$c+csX;NP_{jUY==2UU0G2A= zOR)<&_b-(%2sKtQrmaP-Wk=xI;4K6VlT}W9fw~U0Su)?3QyyJYcyFgN-J4X#;LRQ& z8;0DS$}-0Fk#+kMKpkDUNbMy>?l{w_-%vEA>-H=+6*Scwam-*7IByAXaeYNDTGqs9 z3uCWXFI?>2*GGUe?8%_*-{@@+xVC(XxqNr2EJ$ziE$=IbsAVhbb`3CBuVZuATfm6= zSc7bhMP4vc+rAUdInVP3lMP=*M&@|z|gl2jrg>{?% z<{(WodXa`2Lw3*mPA5qG=aZyoce1+!XV*23TPCE-*o@>Kd~r zdj{X<6iKUJVD(Pd>|y7j5pj6Ny9vsI)Me;iG4G$3P66nN;~_&xtg%j}CA#a*a0?0v zB9ZWW4Ap{%7iEg!UGEu9FgU2vO-&a#HGO#URJ9En&?E+|u zS-eZuNu|Vl&q-I!cTM~eS#_QE;Za@uT2>&K-SaMDQLe$u;as*j{@v(PlszE3j4u=sI{))eLjr_H$04;OqOzOwg7&)tcp*TNV_ zW|LejC#2Fne@2%Vf;!sP%kEOKNLMqrnY03-ihVt^xclF@50|Y+#Fc+{v8(wcy!HU26pGYo=Z zkcJhp3aTzAeW13#9nh$*T_MBzDJQOFP2*gAx*O(Jx-a&Ag%zw87|A6tmq0cYhq4qy zt<8IyNIz_|M9b*x15E}b+J?R1el#vRz zHSKndCNULsJ?e6uBrzIrJ?(U@n;Har`bB%9Qx~{41Bx}>6#z-?|K5=CG4n?cO`cM& zRn;gLzrb#iE_PS|BtS7nvVHF&Sd4=d*bK4CsX8Fx+-n5>TSY07B$nJsYfhj4YsD32-` z>59Q{z*r`CV9TW89;AC`jdvi;ETW#bJ^+Qc-i_MxtxJz?yf7dCyismXNc)rF={h;y8ozhrRcW<33R)~YPULLA8wpv zn8@5u?Bb%_8R|lRdh|=InFmvJT}m1koxGz}+%UfaP;^rri6XBl4J&1DPc3c>oam>G zi+Bcfb^dv{Y-@VzY$7FKi~YZ?JEe|&Uw+?fOeV$FhUf6#gh5k!fD<_IlDse|^V=_e zF9PCfwY!+qj5<==Z%wn4N=+>llDD$k76e{(oltOm<^z2yf@vUCBz5o?id z8YBs|!He@PEznVF=QQ(td9`V^2n}tR_cD&zkTE2zT{3jQqimX%jLqlqwfgHX{4IGN zMW1qgT_HT!8#9G)%Jln;VN`Y|vY7-Zx?U$jPA+vyHLZ8CD??x$_;95BszlRL1wd@@ zvNR7`co`L{xI-}Rft#h-8n-p;$L9z_mLw9wG^z%*`9%&qr;?>%dxd*GS9c>Cn;TJ} zc6#;UGJY~`qHA*ru|&L&Ee5Lfz^HFOFtd#m$y8sz48+d9Ln5{D+`LdmGH#r*leG#| zZx~q>N-dYb!B8DFyr;=IpW$Egiy7c>~|EkBO_9k8V=EL`!fjQs? z5h9i2%HwA4gb(-a*2LRv{^}XCj0*28B(nI@(h8@Q@^WPN7#DGEG=_Y}22stNAM-M_ zFEp;iJ@qAh&`oAwEPNH=kSOBxgpf|6(x5Sh66+6JI z;@8?`;7*bk(6^D~ptn8$N;KTt*F2}=c|U2h;!m{s3H?K%4{2<34JBiK1WD8?8@95P zxJaloUW3-g(D82mf#w|;rKnD%5XihRO6*9vH{gsssEY{2rym6nq#kwUkRyegtBAx( zRo_qr&0M|8`Qh0J=VKJ(@)ZQ#l`pfuJ>nDlAY`S8;B2valKvhq4*&BWi4_EoI3*nL=mjl|+RER6rdFOD;enH&`O!wB%>nKGKDw#N?&rcTxh|CWRc zRrp_>bl^2eV_kYPBjrSY%%l+6PVm!Yy$L#Yga z^0Iao=)c8sWqUk-M3{d-U-#wi*x%9y{Ba$vwZB~1SE}Nz&M2oS+2Qp(9l@B{%QGJx zVB|25F^hD!?4_LKWAoc-Yei{$U_^kecqK))^E8IJQW$U9Ed)XPb^TUp;F$N^txZ0# z9AK)$!8-OR$cOJGn+TDaf*ig=Cw}x-nvh0Y0%8%VU4;lT5oM`nf&-C5;0n7vgU`@w zsH`cCLSrUeD0IIlR8<;`t#?x50-?|Re)|Ff^)}0;NBeJYLT5Zl-h^vDUkIB~@Pp=q zYQO{L&RjdZd`^>Jn|J8m89BPpLu2e*=^1#M$B9Qx9MhH%f-K#Cp7jOlhXdsY@i!Ce zbFyS&M6>6vj51J-&lS=c6@j;0P;wQi2ew)dz@GwkywS^`B#c&|4b9DzwZjT> z&rQCNFW&A0R-J&ghlJ1Lu?IXgtc9^MANNaLb3xlV><*X-NI8U1g*(hy?&)3F9sNcm z&_Ee10hoaKIMv-iELQ)S=PKgLo?A}o$?&Rh>RKd^+f|X*m;%UKB(dUPRxZoF612sD zh|Qj3II-l?V3hNgt2tzsTuiGunsFP^Q+?aFUPQB`GERn(-&mzK!l0{cW))C3Y5<_v zxqGs@(gUt=f7GohC?6urc1UI>h&y-#&*s#j|7B1hgK!Yw9p*$GcjC^x#Q>(ueIGL3 zvtlt#P8J>F6q%kb(_EW1d_T=8F>*iNmZwNcr9~w7vzs^S0mIoJ;=hk3RQ+#NKf<;u zUST_oHxQ_vcqNG!IQh}{O>OLc%u{g%KrW!Q6J+cU(h!QE33#|r6ki?&BBFnmB{SC) zr8IIB9+$xWLcDj-^Xs6?pMi;`@_W>VXhl zQkW*SdKWkljhkwrGB3ZpDnE|7%bV?O56)tRXG~wOcl{@8KCwRZU{;PI@8p$fsO{6+ z;mV)ehMYeK{JieZ5r8};bSslk+>vQe2spA#t2{(`vD(?7n&zR2r;`4-kS z|9^c8%zbvbj>wAt@GUgW&^J4~5aqMrY|h}X$Qf6BOTL|^cvUfqTW0b3R!OyDw}R^Q z6YPO}xkRsMnbR#KIeopi<7;2CggA|R{GK>_P{V-fU+WFlbhG&KM#(% z!+`%}tQIU3>lj-2R~!59C)pR2)gjv|=g2r}VfRd}_z#w1@{2s8HnfHV-Tb&ae{ZO@ ze3N?|Lo9!^;kORz^EgxVcN4{W>wJJ&Mp(;t+z%|~^g$F%~5uNu7gr27({tm01s0;+boGw<9S%%R25CmoF<~E4w zmrd+`_xlI~sb_N`Bv3(MH@Ib7XUnr)OqIKSGjT}0;Cb~dr{4J+b^eE7ZC;*w1hTnl ztNQw-j=U5*4nUXU0oT#^wJ`ZsF8$V5d6rB_MN5Ka?Sv;_9F*s(k}8_SLsRT-2r=SF8mFU zf!C&3t)4{g=Y6G#BhQMBtSziqJ?^BE6`x%{Yx((kylLAygrtSa)rpmPrSHON_*Uk< zy93McAO0&+{WD)bIxwHq@L(eMI#|w+a^Qu+HgYz@$%+c)E8M%a6ejEaku8mSa{9f+#fn!Ea`pV&Ef`2G%nVR@_ zv|C)|(%<+!f}j%Vg~y2S2q1pnL+}w(u`?YSRq-On`|U~$5WmNocV|0n(zUbrL8Ws! zt@w#SzGy=qLV+tV3{(tLB45K0Ab!6g z28iE_f^tcP2_wFaZiF^>j8k#Drrry{TR=;=acSi&dihldg07_yV|3PM=R8cnSk8%J zJ9e_WU-}Hp@&w$sPf<_PkFJmM;Cze!nW0G0XB8e3+!+%gct#GAZbD?4d@DnSX(};B zLyG?4<69P8QjfYsUK3@!aw(CCj?`2%!WOBAPn0@*6yAZ4`89zfJP<`{VCaYjpnbxv zinVGpZeX<2$rZmfZi)=GEWZC*vrA|`(97BJP%Rw!Nm(bD2vrq3W-BKm5EMYGpAG-p z_R2YgS_IbLT+TsxS!VTMb7p?wlQV`TmN5V%kaMS7{&(0g~RnXz`mfOo$I$yc@ z`D3U*Lto&1m;$KWGc3>d$EP4wmxL@95)Ktw5OgX-!89mD8lE;?kfDSjI9E46qdHft z(Bt+yI%7JNG?u7_H{g`N(fhk`XMW#((RT{7vTcQh>gf^pbL^}?x4NY-x$yYNsCl4N ztrQ>*!yia+Uc2LTEb8P&12ipA_U z?o1jz-Z-#ZxBIM(-B9qG*9L&Xy{+VB+uB@;5)3k>TLp;}8;jQ|j`oZ7wct4Gu?L6$ z;&v&65}NS_HgNRbMo!Md!%BaCC3nfso#e@V)O3!5pc6&YU3s76L(I{15min_I=8<_>v}W zR;eueTe!zL-vbox9sU;XLH{Y-7d*w3G87vEvJT>uLA=sCgJ z00G1IYro+i$>Lwq1rZOx(fF%s{5>H4aV;|N{+<>uy>kCpdVo^|pzmFwu>D#@PK};V zp+ytD`Zg~81S3W!!COUk0N7}mRqyD1Nr<=gb_9ORTqcYtKDYA>j3Yo=Qb#SRvEF^Ygt%kdmXk60+pn0%dS;sXdAJo*FW&= z&;*0tQ^L|A#UfZ55Vyk1SS_x?qFDpahAzOON!U1Y$}Dh&poT<{&cmN=RML{c7Re;A z8wur$9~J|?Ol5ftjvqx)CADd8i{rPO2A&eSpysSdT*)L2dG);z z?f!L=^He-*<|RXG3Nr+m+;tV}_#(U!2$`G;5qCrJ^6J3=a?Dls|FABmHRDuU9S4;Ez$k$Wi`6^cf^a1QN$E0+JZFKjHEg z>$^eD8q9;bF2r>U0_QO!al4sHN`fV44*M!?S8We>S zQJ+g4YFZLg4EL*$X)yibf0rRD45k+!V0QqKdezC`k-Gnk)Z3{3jno_V10wYi zzItX$ai%e~|40~ww&(N<5ZO(UZGP-4G|Fq}=anP>NEq|`+737W;b3gTpcdOw^ZDBX z8ug8k@&7dHHLCw<)ZbP(WW{R%8uk6EG8k}rsU{-EW#ltf0Xl78k8VW|SDxsX)Y-+6 z4W2sad2C6mAdpQzd+T!xF5yL>UWjq=>kSRdLU^h7{FJ%IZsEi11gN8Q+*|B;{j(UBTR*r0vg$K@cSrqwJ#GXqxAmwsNQg~FkQI)|4=4ryWM zwGZ|EC@9-1zaXHH`%XR`>bpBByS0&T>07pP+-Wt-CQO$Eaa1Eh{oqU*zQgMvqN3y| zUjXPBq4pV`QCk&jth@oFdT|O6vg{e5RAU)IOzdRc59|>gC|raCSWfAAF{f<-<$MSx z(F1)ha-VSGdFJQTf>ELGcshf5TKsrDL4bpiKwat#tAGYOs3q-i z6;L5TD2`XEaat)x2yif-pmPe~{Q(X}1)@m@*|$r5(Qgf<&|v@JV9*H={-=XcHb_|B z>IZNzjKOuPvBc z3k5hBxWx#$L{SukQHA(Xe;o`PR)B*+DTW|J@1dtLH-H?DpD6igN1FfF!T2SNAdBT; zRzC~65Ogi<`q#nu0qtSOH5-WHkDmzg7&pp~Ao1a@);|-d=#8I!_<(fEiy(LDt|mDX znBb0|Jp3>VmK|Dj&BJJZvJ+bUpzwIv7ZF@i24&;B+B?lDrrCkh@rk z?>`R4Oxk~QFvi0q_y0N=zcTVEGl)miVWCg}4u)C!zZ{I%t64Lb|8g*TsUXSO01n2Y zGLD!9z`+1XI|q&hI2eP%|K(up5rXR#{L8@rJwOcY2RIn0s{y%X_wITyjSUS1%|LAG zGdUE2f^1&=V^kF^pmLrW`#19~>k^g%UXgj#19AcZ=Jn%36qapc;0G-{G>b&00S-RY zPHe`uZuN`PBb5f~ap6r|OX2N1v*X1E=e3x(=LZgoYR!5x*>?sXmsknGyjD*}k1$ng zLl>1or@`uT_Z{~!`Jx(DT5C~PoBY}h0b84!t8DtkD>-;La*Sz~Xoa57;jHGluKAVB z>Wv8kH#*Z|yftl}VYcUJRq5p;xkx;HVa$#eC%rIrkKrPR-!b>;JRR*nuQF&@IG(y5 zRnnGQb|u7gop#p|Onalwr{K7KUz(7WDu&-)KR7)6rdPKnGKvp%+Rk-KL!rd>0}*)} ztD2RyARXVWTZ=kF%RRDY%~%scbD`@^k@ngplibZ$L-(+{;Z+xv!%xRWRzT_TLde+RY zNN6!C+FW#^9oAI%g-q>~M?N4M7Q&~Nl1AIW^`StR!w*+CctF9>ppl40FmOK}9`!E& z$%V3%sGUrVM5PyM&KU6JBGlgouL2ytFx+b@@EV@dVo_k8@7y+GC>KE5C^01mB|L^NGI6@*Ena0UP_M-&4I}3n$Uj zqv*=?sutQPvBQ0szjg$;ZaA8yVpc$q_aP&XE$xdzCv zzYc?Y^p^n4OwkA2bKYnu@5wH|@(1T8ks_~(99{Ap;(3gtg8Dq1!8W3tGunaz2LIKT;X(4E2#{3 zf3tg^aM`U$PUj13VpA9(^X)G|nq$@nA4uqz0Rc;DsN{73#|Liy2mut=|~ z2*MhW(C~^3FTF^cbFQ4r>Bqbm%C<$e>d7SZUE?^i>bs+=xb}Mm`7x-Zj7G)f9t4-~ zo&smoc@G~+fMi@(BBu z_|Lv$U2hj~8S!~05T{*_+Q{I@Z;cw@JnRrRC$4(q^b5sp&p6m_ZGe9<8RJ6^G&oYZE7`~fYI{zzavAE)2^SOqCuY9qp-04w3N((T1ZKN_f;HK z6^ZY-kRyH%H=C~`j5?*sAI_@eKRcy4cQ5TGw#E2A0JT6$zwHt9i_>|;TF#@x=)a@G zC@K&AS3Tbd_dWQE;Q02*?UAUfF&kfPY&a~xX`~!!;yd`Q-F{cQ_GP~fhFMn~v)9I& zg0D3ZvvtN+DJr=s6H&2~O|{{9zBNotRoA)ZNCZ20VZi1b8!Bv*&t>Yp)E_$}!mmrA z>;WW_;>l7sPFEg!4n3WArgN_FTV2-!B+M=9Qs%kk58?&CHQ8R+d9V$E8m!Qvd0o@o zAri*z9^2Cpj*;_ zZ3>UDtLM7N5m$)1jQR^f*=RUUqOe($UF}8sCEbz^bEWrI*#sO@FU9?CHIBJQHuogA zKJuP|Y;RBU!r$*GzH9vr-4?wvhaPp_R9vrJ;$mMn+(`F!q}3U3CACQcK+uzl@jIU7 ze4gbYU|^+9^GdR61BXFN^plFo`@-e4x(v)f*_>KIq7bFeJ$SKjNykqrJ@{8*;roR9 zjY>=BW$5*=x&qDPN@tDRo&7N@Qpmsz;%2!XdRkDe^J=qLWJv~zz>q6EMi4=Gr~Os0 zTu&P08v(idQn1;`z$VN_9z~<{va$PJM73mDp)-5$m*7uo?M~d82ABcx@BR!_pS?0Q zLYD3k9(ec5tyV3lx;pZ-{C@PWss-aUQ&*(gFW@rMkNMkvZjs?T@3+tFVn^Cub$F}) zxk8Hu6K8wGL(`>a!XqJ7bCzP>SI(1;a2Bl<{WF313L2wIEdBS`FYeHkE#4}(U5hIdx+KY zFv;%@a>OQAr=sRrjt8t-Y#fzjpeBTMTdvkFxY9@RluafRbig5QXh0$inV}t)CDUNU zfaC&12w;UXJwq718o<_>Y6a@_?zD|1r>6ZIDfKCdjr?msBw!<*p0X>)(V&_m=ane$ zoR!1bLQ16?{UHk7ijCag1M7ZA!=a_TgtYZ@JeYDZ8-={$v(aTKZ%fRln~lagU-D~l zTk;gtsD9}$*6P~+R+P8m_hS3i0K&FsQKNCsaw4_f39S4HXFGi8vp<7y?a|5$(cC1fAc9Snq&=*)B=1< z*q!7Mz%!h|zyh9Z*7#>i-6g5wR+px$8?4yg=X{9s3C|}vPrY^N>U*^i%uJ%nlQELI z-@3o|3!90XFi#eZNiB1u-n;I>xUYLCw+4IHJuwdPb<7erO2>QGz0o2eyuZ_r$-FNv z_P1Hz*S(vj6^rz`NCldV(nnwK8z>NBo?OKkylGiKG$lH4@lG9CLQon7Bn}rU9#W$)DE=OJ%Bn3$Mq5%2fmb0H zR9~ky*6~s>W7D6>rl31%fh+hxpqAoZHtWB1S{fk`4n(gGYMoX!){JnDCtVJJdPC|1 zrs)hvpp6yd&wi6kQ@aLD(-1sjDhpM=*;^Hn! z$CU$tz&lBk!Ufvd&61XuNzS`Z@4fPL+pobN`-Qm(9xDZHQ-GC(R*=M6fL1UX#H@td zU87O*vRTJ$@;Plg9J2QOF)?Id>u|E<3mI321reCUcs9cc^|OpIZI<=y$|?sp0IQWJ zW>=nYh3B(t+5-4IW(O3HTDCHB znLK zblPkn9H1VIsqHD3bd!!t+cCYA&Lm}F-^e<%KtY6T;wcfx^Vw`@es4noLYjMnqXo*y zgcMAQHx2}Gm9?PN_NGk_A^k{@k!>Vt8WEMuGak_-#__^ZqP0;C9H}&A<2002JH3bn zq)h3y`YK?)S=A>SSebnmjYI0|_%0SFIFdCsP)sJ|6QYU9K+?*RZUzzG+1Y(|nT`TB z!!&w5ONLv2-ux-WAt?Dz@r=BlwFI@;tWt}mFvAg>_bi|yhH2rK_wNQ7a`E0j-TJfj z+tvzDjZ4<6vS8Ejuwrx@o`{=MsSXq_Yj|LFX}Ie6-x-ax4Ra|2DO$=b+&HtYrr=C3 zcG}=TR?=lz??^#L-k_mMIS@-W2y}^3{ae3LMc=cctlElJ+miZeAjz9!7x(R8~jOwGfLKaO(j3VL->=swq z5oL2K(&fNMy*IMjuHW zc(f@xFpqz~6Mbl{A#|9f^#yl>#NGL_Enlp2J-O^G{`Sj5)`xTAS3c6H(W%UAg2MmK zOaB9n09Avn_FjvQHdWtSWhd7&5V*B9hc^b6SR3@RX@49g**r?wAN-Hnqy54Em~B#j zHw&>&`_$&N?v^O!XFT*={?9^`!+Ok_ZM&l^8G-3?(?8khXGV$BCA} zX_Sz79uw(^J(lMnT;wuPYQ;s1+?sRv%2L`{&V2euDGg}njAqGG%uLM*0)?~#4p)Ea z9EW!NQ1d|Lg5gB_2F$^^(g)y7Hw=@;9I^SFsS2XlEbb=X zLU&WfWd)1PN4 zp-G4!akwxM8I2I9>~2WMNTU(!?wdS=a9h(@oCz=`0K40~NmzSLLcv22x{Y2x%Sb8C znvi`EZa?}(bRmtm98qwYO(+h-MWKXdJCBAe)Zv3YRp4enQ5l1kpPg@Jqv%(2gvDr~ z?x4UN{fv_J5sR(dw8vw#BbIZw<2dES?d3J8pS07kzz;1Bc1Yc%TDP~#yrE*$%?OGa zmqmvWYXWtTVFpBHG&PH${pK2BR;7UuU;d}k%j}U)a}raypy8jIm<-pNHO|#)oa)rL zSv7fvVci)D8!Z=jW~?Eqyt=L1CW*Ag031h!{KN)z^=*342sn?W6z<4CD!)T@4EE58 zI){xgPvJ@yh}5Qi2)3$dRx=66XEAr9Si;wO^vl@XKdS+;ryr>3=0M{-FPe#C+ zSxMvEW6}urr6R17K0z$$a=V|glsO@!LIP<73IPNr8A+2VlGs>8!hmCN{SlfjjHX{H@D?8G|Mv%K*s7sC>wlnJeW$0nsHTX5s z!^hTftV|hwPszK@R@oR&*kkf$RvHpc4lyOlLZB zX@LIDS#%DG#XT_|PvajwCt087`@*-S(~|>a{PuKRgezSZAqRBdn5`u^6JIEQzTFv- z1k3vbHTSTdBAb(F|NQvJXP3FJE3%PDw4gFMafA`X4lxxrQ>bDD#!wxyVQr}-*>mMx zktKOBne#^rgSPwN(%&~3Us-GiqT4t}79r!7mq%b1mdWLBU5fLc87X}h-I7?Uj3yENhk>nis3^oqIT0Qld9jGV5K2G18D6O1D3nGP zJk2w{VKG588nY~I@PsDb$3K9f*Jra?8qs7i1S~~IX~JSY49G1Bhn!9ZIQFMBA%2p^ zWQgZ<07H*t6vQm}#@yH^6= z44iF&STGumiFRq!l$1oloY6?R{)V)yTH)zvMiXuqnefno3Eh=3#Q}&xnGe@PZvbeE z24Z2|wm_q^y>>J&g`B4N`8n}(S0x~v0z0*I^t{2?ZSnI4iJJjnP`R?Pfsw0PRi`M- zDu?OR`Yfx_kfoWz76wk3#$q*kEmKWOdD=_QGnKv@?d?+fJW1dX20d ztE&!Z)e=Lx;?XTZgn|&C%O45h>*h*HkqqBf9a-y@MC`8}>sm2d7NeV|xv#1ukcx>v zb(*y`$EqdmHf=rY#^YrUixk51D8#{Qn(axm4K&o=4SP0`c`Lz}u99HA#VEx?m3Mps|REU@DSA|-CLRxwxqxdLv)t#jKINn)K3gh< zEiZ0l*3AT!LUunH-4?LKZMV>-DhXbQd%5myA*c(Z=bqJewFXfM76w*aT~4D(NJ@(g zofj}!joWfAa}(xhPGWJecDA3r05l-}-r0TDM;JW?=uhR2sF<5dm~4#1v595HEvSzf zr85#!ANg4^Qx>BqgC|PBhbqMhmVOnLKuHvsVo}u~J#?zAJo7a2lhnkY>SJ7W2wHW) zEjnN;vgP{ewYT->2T%bws(zQsCTBS(J7#ecPv&!ak>zr@Db4>Kj${eTyx>vFjHG)E z)QBrZQKck_2nl55zp5@pvm9QQtwMI{GjTVnb7TnSLC>VG_+yh_OPfOqy%mfhbp)r7 z^ax0;wkMhJ3CKyN-L?wWu_|U(+>7g;pjg*EV+5r<%fNG`^Q0&=O|-`Vt*gd7P7{bR zu#Bpif)i9RmF_z{^{3!~Rasysmp2Q5NcKfJ?m%D%XnTzz6Gtiz*~el1379b%4iO<1 zfsq~nR)90b_5w&xEik&++?*fQ=T&}6U2cMW{zW= zkZ{pBUKNs3cfGXN8Vf@_=QTO@3SLH>&59gZ6?_3YGqua)E8-I21g4;`MYa@KjdW#B zuj0cC26mGsGM1MmuajWhMmn`2)ZhX+B65sXXy1{GGnh~9hKY!W>_Fl=DIKgvf0dNW z9EB~D2(iG<>x`0?)?Hz=7QnIc&uqgP)fl1@Xa}rO#u3%Sbif?ywANm$ z!sKn&ynmSTgv9?L5jMn$2uusQ_Zle+$^45GaeQM^gp}n6u$(NI>9>-#XbYNY44CO0 zEb}mdGEJs*Co}qE1jn?R#+!m-90OvO42FRPtXa3?Ht6?9<|wUqACJcvTUfzIGBL8 zpdo%Am}!**GhvW!&>}9%S+DkO?dGoiQ>>)T>R2?Tf53Kl^d*UJsqty0JmbQg#;%Sh zmr(4V>b<`rme_8!GL5BRMho7V^$@HTmR-*1WC{#GKw^5U{Kjfu&n=W;k8-(xx|P^- z@t$__oNo1+ZugjW@RnZMQ@Zh3EbArRbX1q|kd|K1wIDltN4rGyEEUZIqo@VhJ(8!j z%!-RgbfwpG)4UzMp^F~RwIE$Rp)0(dYhgNgL05Y^*B?v=59oR?=UT9>-p?%_&b5GB zB7y3?o9pR+V-!%6pKvY6h6o^cujZE1FQb1tdoC_&2iNuZz}cbSiQBjYHPms0_0|wxz)A$Ox812B@g>(tbA7m zjlxplSw4VnS}~)b5#1WcG)`tXN~kXt?#7!HNAP^*^mNTc6O?TgE7(*kE2*;OPfHWD zsU}lt(Q4DVjHDxOwcVp)w!Ob(FXY?+6(AW?YX;eWn{p+cK*-m6Zx4CXR_u=&iUFFSfU{iWmXNthFF7 z2{9fF*^F%?yEZAwng}xg@Lf~kiW&YWeK)1Kwg6dghhcwk;fW?r#Oy&~irf&Rm?UW& zDW?&A1{=6KoG8~K@DBkV@s4sL%T-8MbXA%~8*J27s6S7~2XPO~q}Is*w$$YpJ2tGd*-sKODdvZ(D$-J0un%;Gy72bx?O=jwVr zj8nG$){I=1_Pf`dVKz5y7vq9++$KUj6|(MS$w5@;K+h`+gj$o?0#ve_edLP+w|{=D z#tHXjOyamL^wBv+@bU70IcM-~%K>I>ySjVsd*5vNuy(y|)6Mnhi7oA^f%H6dD8~jW z3iCCnIa@&H{G*+Bw=uEOa%r&dmp;sSo7?MNJ5{`P%ahgNJ~%H~hk3SU2kUM|X=Phv zD*)kueJIV0n0NGp-GTsN@#keIAjtL2~%>%Sx9I)y`DbJ-Am@rK9 zmMkwPEf-2>l5^AY1pnL$krbwtFTE^_G0E~CU218!g?&H5wO=Zyn)5|yUxa){(MJ1} zZLn$EusSPMy)~)@qGhYPw@oTr8wbl&!2;y~wAwyZZ-;6DXtx=^CNuURoeUlR2lMK&4H_P}v|b_!IUM zd+nqs6WDqvD<`4!s&B8&Q}R4C6+k_tc29?gXrZzxHNFO_$~??rcMI!;q_~+@v(3UD#Wlj6&a2o$xy(wCQgp-Z57Qt@C?!dMH@3Q;eVDs%5+SscoA1jej1naWTEhq82_fx-!yP(h%@UxSd& zpyY!xm>4XL=TOya|NOWWrl}`3^jQSREs`>$zGbBh$E_e0Ns`y6jr(xZJIbb3|9eO? z@dlQa#O<#YG2KNK7&{>bB$aUhtCYlQrt17jcqZS8N{Yc9SO(dgbB^iOWd)J+o_Bk& zxNiGFAYN8VT6#+&HMvc`g*GAekt1AXhu+GVV`aD{W2OpsOPjKXj@y_6YhrUSZc2;G zA}biL3wxQm|IQFioU+PnBK=dYBXk_i(_{~QcXWk@W5xi(4R^d|S;KC##X!Q`L*ji| z=VeSMd$2vqOJNUP_soNh1%dNT8Tqe!BOLcf_#f9j(ZN}otaQ+Q1>JRAP82R{C0Zx% zt6i$J$rqryeV^?kpiG%530v51fi7Mjbb$D3_gRDatJu2URoU9rvc=})`rZj5Qh9z% zil33rI}&(O5!~voP~D7+6XsA5l|a$6TjHV3OF~Tcr-ZSPdz2(&kHwSWG?|6NcNzVjhOxDf`ItLs1DW$hKY|9v4ZWhLn; zROItGbOdU$K3t|FF7R-am4LeUFs)T6CDiB$^)MxxT!^DG$c_q47LdRS`sxT(?GMD& zU-wjX`PcIATBV`^*2<7p|&qjymXKlhkW@boV3RbcOCDf>-WqT@hXtu3L69pKt&1k#=*bWp6J^ zS!|7|U#lL6t#E$cp{8W9HRdg7>ZPfqWU+NGFJ z9hAUXGf4s)*nCsQ+8HVvBQ-#<_~hJFZQ|>GWAk|;Y#5Rjo?Z9eyGqQW)e1Mo2|SRrvINq71a!qotBG5;Vi;F~*e!|gVw#xLEb{W! zrhuv(Z~=EHHGvlYGeqDnkAUlnD|Z{d!<2B11Om?orzQ4lxa%F7p!z$h?A20 z<-j!K{@^A~9ZSBP@Ka2+o24~p?G7+mgK{p)S=wMj@!{r#NrV4QSJG)*ucd2&ie-V| zm40rhT_N6xIqTtMZv4hy2OOii=pj09G3pi(V7=5GT|Y{7ExUE53{8>V#a7HPm`pQQ zAROZv0hb$9T*zJ2WPxDAWtxd(s?P+Cd^WSH3VF2&^=g4q$h?|N)%A)@-6O&CC2wM<3CKo_a;l#e|BzGla_Q7N?tdY> zzsUrlP&ni-2ZDO30SBHDiLNt z@M1v5y2y*EfU_(b&_f!jq6Vx zecX3l3w_x0SbkmYao%rTt&eIEii7TAlSQ(eR}NmWgP~ca?qEwt^*`;Dd4K9Ue{+Pa z5mv$P1l5cM4Oh5V#fd85tJlO164}QjB$yk`&;I$b;pjRtb2!m{?DoJUdj#Qi z>8u-HK#Q4qQZSP7G*(V9Y4kB-cin7IYKV|cGhzwyamoq8$d56Xg~i@34>hY(855p{ ziRSF`GwFs!NMg$4>WW}iK`@ntEjJGTgF=SYL}G7XF5IA~I9TRgOGJ8DgwoZBGH?rIvd7cGAmWl)Lbr4l9YuS6~^m9y=Vv^Y|2MlY}dVMlFYAr zPVTpFe-5@;R5rm_^Fh)XA-xeR18gdOeWb+Dd)x3{&Ufz5M>{ z?a86OJYMBda5s|hyf(S+7`O(T>ULt!v@#{Pn#SqbmHVm&L54qc`VvVfpJ+7jWJ$wQ zmVMpF++4DKq~Uf2D-#w8WF@fo^88QjRL+kU22>Qe1{x~^B(%*{hV}`myx>L>{_)u4h1!U0J1$ev$G* z-9O(;6`Ti1_@Wa2ES>SC3)Wv}ebEzJXMK@vo%N-zt%J|j!Dsol4nA84pRI$>*1=~L zZ5@2p)Yidgzx?2{b=H@4)|YkGmvz<`hqli8vd;P<+gk88Z7q1O1#h$#yw`$v%d2a_ zdo6gc1@E=sZCa;AbPa*22z{XeiIS{9nT~#uR!OIsCJf>EJY0BaUy&VIj&A?_So$&v zA_`$J*wI9Mu_&N}dm;gdIHASG1kn|aK3!^+>G1*f^cl2mvr7jvHpT#Oa4Y;EM z2cO375g--^dfm%qE4l8OT55Cbf5a0<11Iq&9=fisE^^)T(0&*$<-!4e6uK-C6dzWF zi9j407^|^fDz^jRzMOigoZ#k{QxC0TNnyF1K$<0eL*tmiQW`gDT}+5XK1*XfaU5mB z%z_d%#KNN1RFZN-I=ajeXq9kGvYJ{^fQ+ArSS!a0RkGcZC}3iQ$I2TUV$Aw_iH1Z4=!HoPCp3P}8OLu6s5_M;(J0te^6P z&2k5J1s6h|Q4PG{fhExel-&~h<^~hW>#17lKx1h2r81|_5g&jEiL;8DK+W>2B59(J zqlme&Gb6~V#ll-%j#;Q*gif;)T5fbV0 zWfB`W`wQBGi-}L@EkRgn42ZyyIbTF4h&BGlEAvBq03XB-{)eu?bB?};9es%(!jE|Q zh)`Fz!2zn|WE|hD^0@2Lsm^8S%yl~nV6I}9Q+%j1x9=<{xrj&YQ)m%*9ER;M;I^T* z6d-LXJ!+v}i-i*63T;kdm&dd^y$$6M5ejJHYDy4+$PzAY5Q_uScxsrXs?~gj$A(G#q!ttfx`CMWoIj)GeNa5w@(wwSUrpJZ9D@)#2i~S zR>`M1@e{d-s1Aa(w94<^OSN-7^I0WjeV&#$? z!Rdv-S5+<=l40rieFcu;##kh`7RDGcNx0zf*1e&~=67v8@u z=%X0S;Q+H3?tv0e5#iadtUzcQ#R0K_{8G z&CSHwd8Dh`$nvS?Yg|P-PaVm-Q0pX;bNg_H_?Ye?t9J}>atT=maDy{Qm3xOX+=3fO zlVgW7Ov?eJ*`>o7qH+Cr0B4RR+&GqU;J9DSfYmr{boLwQ}uDndeSe?t$=zQ;0#Q z-~z{6=@eFAg$p=rHPGo!LxQP7o_16_F`(3O?|eW2o>t1SDu+Jc`eE%mwjBA*XX z-gEVZJy%=ObLGW6S6jw&)df6PTe@?_MLU0%F%E`5eQwJo}rEpWHl1&|oHR&Qu4m(g+rm3Tqz;#z#itV_S*>S&% zjySxXVeFc4DoZBSG8>0fQ^hn=t>(L?BvUmBq*`G*=0ifG1;pQUh~lctgVc~Vs`*g1 zAIN3WICRUx;Dj|?(iSwbDvy)4Kq))x(-uffR`c_q)u<->cT&nK&%j~rQ0!a!Mk#4^ z5+BW|EAtZ+!PH)5O_ViGLxS)G(?}3GZIrWJp}B{Sus>DGN6Hb60x}m=ElTPcE$R_3 z%f%o?pUfu((J^}Z6i17vPZ5g@u~nN<50oR06Ut@kh3lxGcf}t`p=hyIW#_JQ{dQeP z=;r3eoC&?X_U;&ag7#eF;OK*AjG4V+Nxx-X4g8FfS!?`k6K^CV} zr_TWM6^Iz(a@vk2Bgl{?;Op2?l#O_%1gd zfN(y=Ba%=bhiYz$tNaX(x^wK4uS59zt1=O*^{$0#?}Ip|N(NRsIDw`FCV=E~@@!{o zUQfT9HfRDVAp(6zq`!9SDFr@YMu^ce;t{(gX2W2rAd5##VSrYU8QIJ7>+#h03FqT9 z3>OF|2?l;c4RwxV5+w~-)e`p=DF7j+S|or*1C!e}T>!de+x`o(2JY9uZ6omI~k`P6=XB z*kpL3W0`0tBd$Oc8#q1PUjxt)3E7<-k79`O0e)gkqGy_Lk>NJ?w0|Ca-OOvY2C`Igo8sG@>z?Sco~3kiJkx`5S1L%N!!5_M++Iv= zniRLXnG}w#P5}~=(&?NL9Ldx-EgxC>+&m$t zc&wUOER7+=k0Zhj`|2`0WUhpyc8d(@SL{yfu5@u)bPdINm@q8o5UgBil@sU(48L*? zz3Nh^Lj?x`GF(yY)kDNxb%?og^~-aMx9V8;#5vZ=j-hhhePE8Tv2<`0lQ{u_O7N9Y z?$Wv$x+yR^ZAqFD29!5tcW$?9O1T=Hj1m=#{2d5?VYuiEJn;z*F38SKASHV*-4YZs4wed|1N1?{Wnxs|<-$ppuN&3c&49T#oDBB}oPcjD4h}RSzs%=dikt;aV#Vr|V?#b}yEpOif3h zuv7Bj3S&pcl_>I=)1WyX`a+YDq%^ggmU30MvxEtb=eI%1T961h2}N#jvKaj3KS z#&QZenWId{dJYamj@KCn6^=4bctLXrIr5b*!ub?rS#i~nSDd5U^_&mNJH6^V>Ky9Y zEzH%;z>7MDxONY3?T9NMBrCZ?(7(B9Ni;y)nW3>g{;m~>HRm=Mpzn|N4_h8N zKWoX5FhJ*T+nzW)Iyt&JYI*43?DX{Lpbga7`PK2+>1E4PR~P#SZT+3^UmbjZe-pY( z$YzUyI^UmjY*33ST6b;TkwV;HLD`mBshSf1%62@KcLQ8S1f76%;C8T%wvXAdUM)aX z8sgrtXTmh+F}tNf8}V@0YPfN%hF|Rvr}YpltBC^wa$L)&_N{Tc@T_he>+1Zj+_<4Z zm(^Z|aq2+(9hoL`PMYr^s^+e2#Te{z@r1N^q&ez}TzYfE?)wf zO8YCgW;WHQ0^C`4`pk=i*Ae>9iL8CJM?TF-Oab?Wf2zY+E-cvy`yWXZsMv$1-ObPc zFS++}Y6rCnYF5n*a1_v68l*Th47o8Xs;Nq+DK$*QNqkG23bKiIwU|>MhvCA+ANef$ zdl~`Dr3~0=s)I8O)W(xLmRBszM#T7_`@3 zc8(b7bPU?|Ka1yS#!C$OAth0g4}0jNfO0$v<)SNQvgC`_3_0hTngv4WLDDh8y6?>M zuo)!&C}4#wn#hV%5!%^CocKDQp{}vEr=uCbm$D6W8vJ8+0qtz_?1GN@9`Za-#~e7Z zt8Ec>t35w0Xu9#|MiN$sx@#b+fcM;^xnnCM9CN5!)fRQURSQ6}_zUu98}m5^jif@(N{Hxqi0-s(>cg7BGL! z**p!!5=b|8b%JzNQhhLo#j{(zxC=O_Dh?QGcaE8qyZ3cey%^WCT?5$In1K1=X=PEGA-0Y7u3c$&|F*RW}LkkOvbI#N8nEJriUG+D0}SNfp_+2N0JE@nS`xgw z=|Z6viMlFWVeNU;pQc5> zi!0u=U1}$+I?rOy0_j>CV*eum&$jiJaw>0C!-k2&qRQpMm?A5HORjB}SrS7$9USr| zr((@c*g&Ylf{^6EU;t~d0c(i9vWiugz(NF`3F|Teg&F8tsG>^%4S`Ma4xxmtCcY@k z>SW?q0+L`FN&+hm8Fr4#~2h z)(mjrNbQhx5NJtX<|zc4;a#tou2XFLYsM6nl!N@-020#A4TtC=D}y73!$zFMw;7j% z(U>uT8to-&(j92HKSY9FR16$Oiercj+LweWB-gzr8T7h$9 z_YPlLWdGg!8ACF--8xC!%Q(U>wROfLd=t^7(>7U zi>_#!Z8L`n$}ejTlK2Ib0vch-Nw(>X4J;kyEpUnAe1LmoG74Uz1D61RktGDBQ9$Bw zp+e3z3Y+3+LIO`Y4&hb}ibUCvZm+Mi$Lo+(n6c^4B&^Y$w7?a7AW%zjFPpW5M)!de zG7!BwXwF+L1vA1qo^&|?>J6z6n5Huvfx%0RKl@EGP3=YsO+)aAsYJusc`&J^7uv{e zg6It_cLm6Euc1Trk8IVnhK(aJB|716}JJ%OqMoM3Nao@u)}7T=*x z_MKp)Nut8g)45nhLAhwe6BmzsI<6cD#5PNs6fV%tZk89iOmg0RdheB|+kOrH*e}dQ z@K`Bmn*yvPw1Ono0_(T<>6wlZ>?BgA~v9Y&KBL-qm^$Rx8_QCC-TgwX+>k?;U>qVbnR zZjw}3A`sv>XXMsuWOg<$m!h`bZ)V|JANqUmpIRT^Z~eJBc*_x`R_VQqEqB=Snj3S5 z`dZk%ic`{;d1Ko!oywluywom!?LENt#APLJ%u#{+RR6|<9Q%=TdC<`Nd5erC}(rxusPLgI-pKRdB+%S5no`pxXO+wn^PS`2i9|CH4m?c8Ns+7UJtwv|NFb&{Py3U zY;HaMeg8kc-K$SF&`Lh$+GOU0TQUQib-i@~gX~9@ZcRu-&87@EZ)LNrDp*)!)~q{* zF51CK%+h(YJC*W~pRU*mkM{ouLx3=c+#@Ib; zgI+f6kE0};M=AS*|51CiKlmTBP3rGvA=YW1+Tw!Ta#8(^r`~Z@ofiX)mfcoF+BvOd zkzW+org1&M(<_a#K)6j7=hVepI(XhLE7%A!WIhhd+(9RjnlBbxNniIrgY6l#y{?ch=?GVl8fyxELiS`YeXG^FtHZ0{PcnIpy%@$1o zys_n>@$-H83WL1`3%(?HAJP#Y}frxSj0D+(1{803~qAIbSV zT(o6q!I^FtCXG2_^Ep#Rnz32jO}>Thri{xXL7SC+rddu?2)QjJ$o#RgkljXzFsy79rEW}maTWX_-|YVl`BNqqp=DL| z5t0VvqUU4T(^5U(X1J5!q~^ZL8yJKpA%eu=!UVlFLY%U@Asr))My$JU+~?u8rm;8^ zU`haXw|SGW_L_v6vLJLDy?&PTSDZB=`ykwY^o!_18gDtG;4+&~9EOWRmEv|D4Oyte z2Yaf(&3>YivMWD3-^@nQujU}O(L&upfjRmaCF>&=Tj{@#$7n|^=WfSw%8A>{YXV`k z)3Cq~Ee>`_-K1K#x60JaV${tDiW!$hhY@Q6b&p{NL?w+ji=h4H8evw2&vXx)LLJJ2 zITr+TDh1|d)#Mq5b!RASv|Qksv4*Hpm$z=4B+?cGa2yrmY&7cX+w`Cja2`u3+>wD) zeuwH9?4c8N4jW;f!j&u#sZIM3Y*o>$W)hGu6yZj*nu%(bf}#`6Y6NQNnW0(oq8cOu zT)QMZ83Ai%C5>~B$<*4Him*!h1mXJ2?S95m=7f+638WDy1Q3{z3mxJ?WgLP!x@Ah( zy!(<$x>7>Rfw-9gh={p_w3?C5D5K{d{Z_`>F7&V&0Z3ZeksdaJ-0ebLa`dpBQSUE9 z58JN6uaO=;wvJA(}B=}KQWsqO~+q(TLHf3TN_;J9837O49oDe>g2AJWD@M#kA z0Zx;t;1*L&Jb$&lyZvhC+0L_n+uq%M zvHj}b(Dnn)+q9G?IR3Zod-qkG+^?h!27?Ver$6daF?ddi5Ef--qK|(7OZe^1hD0vX z2&0WJhh$76>4&fVdIctuB?i^e$)6nVRay2R?iX9pm!CiDI4jgsnh)+-PkB%Piv)ww zqK7>6_3H*gAs&%Xy+0-4%;VFcKgELDfBuZT1M#N^Le1B&gX|kMar6bnvTi!+{l15K zA9@lhLfJ@%iiQp5A&$sE;LXpUy$b?~nLJ}|`1*B2kO46gY4EJHW^$hi>R{dq)WYR( z`5VHgS0|VIxi!q8_v!%_G3m}#mZXG6kVC2FA^FUd#fc;#=$-XgB#6YVCJ!4ZEAxYH zcc5gL=5|Unt%|CtD&06Em26I;{qy4=pIsJys3rA=+@g14dEZ+<)!Cl)HrOqv2>4UE zPG;qjo8$;tk^*ZnNuYCP93PftFq!Ac2wpm-{YLb_V)_s0;2ciK4M+$&14jvx&!R|) zMLNIoEKMLY!XQ5!>6o1?bb5j6DyI9Vf73F$`bVdr)c`2r#&KSET_I-L4$byBiu`y3 z6UQQQR^bIPu(v%M)O)7~7Z+q)dbG(;A?u(un!V!Wz>=y>6%r(DBG25c%;L_WdZpPT z$*@-o@0&Qw3yf|lMsKc8F1I!+pS_wAbo2B^XCcm9O#>@WU>I7nL^bLy?Xd?E zao+{)gd^6y(h)}|GV33`TsH6gUSEu=&a@cd&vK%at#~g|LRpP$p4iOmF544Bq00u z?HB%aH35~2@2CkV0aGi=mrw_k#cio`0`SGuPz z61je-yEL{Ec?-SsX%LsS4Q<1gO}x7bHb@Be2gipOdM~vLtUOB1VzfQuM#hbN^2xlx zC)a(r`{rgGpPLOF;vk3#=PHYo9J<2sL7g5#4c?UIzY!~X(>BfKgx;-HMt%)U+X`DV z{|7id9$*_eb>;rr_`lsM`_Jy~&YJ&wjP_vspFBFble6ajI&puOu!1?pAjkVvt#EzV)Q|5Z}UIE8+ddI5c%|12T^Z@DRCY_1Ba|f5mYG9*(`zx(#)wRVyR- zl??iSK#smD2qThI1L*zQ_|pnogG{$ROCyz4lqOSjq7b|+a~`OTE_pY)@o@6xzUr_G zCnw)r)~<4_GYxS)exnQ%cRGut8nakA^3^&-=57PTk5IzBYMaVg6fSiBmmAT`4Pr66 zkuI$)zR@utMgdiC%BbZxYfN9LXw?$kSF@sn{1(ZvRXy6qvo>i{^U0jE)ZG}}$lG*d z(q9Rgrqz$EksCD%kGXiq8u=rwSfO9L~zFX@V^?Za+KY>pp`taDa(rkdv8m|nvr zni?#6Cl=jXx;IqJjRDEy;#)FEWzwL5%nq5u*);>oDmFQcs;%~pLrFmAvOv}q`A8Oh zf!AYPb5FA7UdZnwS+tjv>QG`yk8hCnSEt(VW!>uBtVv&8X6TzFJO|6Z&w{2O(!{(X1Cj?l-zkXM;N2K&RW+I<7Rz zDGKjRe=`=h0NG}F9jF+2$uS(-YN3sjGwrAHl0&{wz(qQ+z;OCk7N zom^U~?B=*AP?($3B-SHfprc$6o$Vg^Vo%4gX7$>~X74fGy6n>u-eisNl&4uIuQJ_M z=Ut}TioDDWxchjU>9%6F)PX0nB%RIcr(c>~j2wKBss$pXByj4JecxwkWofRg{j7&n z4pU%t7-!vSt%vZl$`5_u$u=lK(*!R3c~?18&VrWHK{xwrw9Bvco@>2l#bax|=UVUC zu{X5Vd)BqJ-m|i;^`2|J=UVSsYHPjcTJO2mdp5MS-gB+@)NQTzL~Ffg?J(DR&$ZsO zX`*YrXVog>K<2l?;dufbqw z&T%r`Lmr<3Hcp{QsZ7c$N46-+A@y**gC7QQ8Ch|F2#C z^_*+m`{9ecM}M^wzx*=iw;$iWuZbo2r^pS*NHqcQEl-n*U|2JPw8f2hR7N1_M`P!J}*V z9E}5RTzsohz_l*AlQF=Vx4gd*z{LRYc&f*`GCEGF%4CvunO7x7Q92uu*h6npo**KY zL6%yXvj9+F)m6`31sWv-77ye|Yc2qY!{;$en9ssx2Y$e!F`c9_0r40>p@4Fq-I90# z3N;#ySQ-VkDy&97cbU#f%t@fC+}-#9+onWpj(>&vexbH}Ny zDf5~#uPO7-OPSrZisv?YaMLNO+IvR1Nb`05YBh=$B{IFMrS3Wcy+fuexOY z6`ad%N6zKf&oGo&0+$@d7HiOw#F%_aNF3qtuPpu;GF@tqzSm zFg`dcbh}0lx~-AJ8aez@ki%L^SxYJZQc}t@2Px&37!&u;ETl*`8kzF8o-1j;6#|Q$dj3g_$7AZFfDs-&(RFHZv@mIQ<(qLDR)s;W#j)ao ztU0c3Q(1FdzjBUiEsm{`L-iAD=3|eDX{6;$Obi`2VYDq#j|H?|NqBmgTY|q zn{U1m|JNZy0y&6XM+X;&@Y{pM2V^IV|7!&ZsPw!m$X$C7WKTUs#Z}|$wpQ) zfn_~ZEf1PQ(3f-K>#BV|oCj0<5Mbustkzx)P|VV#P_nq5RSkG@c1z-z235RV6aUtv zJX1k$6=9nLbVul9TIR!RS->u$++P7U2@VC%#t~MXkpSTkq_{*7K%UU3mUC(2>dn-e z#gzsYT#l*k_0F868dkKZ3mp)PE(axestKtJ%^!5ivh;s8uYdn#u=VH7&3D^_KfeF{ z=CucZJl*>9)))QZ_gh<=o9}*j^WD|?(R;e}_l`ie%B4;vH!3*6 zj_0=JpjFO3CP}>bOBzf_#lAHj(5725qtOLPVoLZqi7$!IDhd$~WZxI!yjJ{}Bw^{> zLe?!aa`nSVariU*iO$lQ5_be!7t6uOXiYw4X&6AMDb7zKteoWNmywp;l`+hNXDthxvJzMOaC5XK>^%pi~?l_Fd75dy5d(xd8z6E8%^Kv;Cf zIe{4ATSHu`5Mfj0?12y{rL0!@YfUD%Hr#4}-a{!>IQ>7RgePx6c*!4s(-%i+6cCdF z&?KgiOH>z~?V|jd<79e4Cgf9-X2VHiGb72AHPpCv1cSqxb8EwR%p?da$RLNKM*Z5a za!wIz%+U0!n-k?ghVUq?P1(?%v#2SvMeFHL=!~$mc2!&7j|rc%h?9d5b6$VvA6Zph z`$RK-maTv&t@&A)a?0)?L#+6kju!}Ya;`) zIiKFjnYz$~7KOB-7!}LYoYliUpGynMmhAykCORyyY%4%}vb7*|dvO0GGj2imOAKyh zL*offQs<KfcX5M&$-v3)%gG3 zsX(Ej4p7}z!STTT4jgBWjRQ`NId6L7NrQImt&f@P5dBq>vRk=QRXg?}VIL9W4 zX@$hBJldol@eoDo0Z+Dj(TQYhNrWFwqio2Zj*{6GGjsqES8d9z|~=@llL_UC?=&2l!o(! z=ZbHk<3yKQsev|Hpg9p7al+7?#DW17w^afVI8L8fvG7wI1$>G>*2tnW8l8}6l1%r| zPW1!$lYU_L#j}b>WL(&3tzM?vVrS5_SyP5N=9gZ~@bL7qW_=__Y%io(vfTS(w{oS_ zQeLkzy*xdBn8jP#W>i~cYG5s3;m3J*BUx@|;Qbu#6*NigjQoXsnzL-FE0*KVre}7m z70vHc%h^E{o|_&VGpMmQA_zz5c>i?&!{v_$A5Qn*96|7V8quE`L}h`^)Wwqv!b#$x zBkWHBb|6DKRZ+Q^j7c2V-f*BzqlFf8YRW9v#SkM$sZiPe_Rz~0FP^=qdx%Ezq3RRv zB2CU4!iG`lnCY<7{CR@Osu<@HL2nPwQA5qftAle-XLDQmM26jO zX*QBYVR?_f(Xi1jT$^}|eNryqIm4fhVF3#_uXge3;_DPcW;1;i`n+1O^}CTN${)v| z-F7ZQ%#-t&jmQ;stnr_FLo*!WOE48RR?M3c941qLO8k$AM8TZVC_#6!j^n7lN}k5c z0Zzz3bh0c~5~I9|al~N zoo6oP;1n~NO=VMzoQ=^{oRU6zEu_~zQmV?jDx8pzq~^B)>IqO)ltTRseboQ{HkW3i z*xK!!;sKWh5f7G^gGT58&q#QHIV2cqC~`Yy%p;%hY#tKNXS1PsuWs8dj`-Qm%bJHQ z_p-*CknOc%hu~GVKlmT@-MfML`-AuX>DHgE-?oa*WzOpz6I_zwYgSx7YLnx6%qB6O z&2U0}#n_K&gI-?M3#QQowoL)l#ih+IKH+eq>lsXQeLZv@vmo__M9Ie5KghSQ`eIHv znl)J20y3r%5j-35g=jC6?Z})_1VM+qST+CM+`&{YH40vMKZ2U{mxZmcH@cf;7kR8hq07jH!Bb6KJMDc{-NeO}L6 zH;a$*&D^!MIBwLZQt`$y{5dW2_$b3Adw8tPf;TRTl>I1;BY0A-u{&E@n4 zB*8S~2#;8r=p-)YOu}x6eE@N+79MPa-a-eQv-|4hAC_68CTU!fm5Lt(MEJTnQP7~2 zheok%UO~>6O4#H4m!)Cnz-eWm)TAqt&l5bG=V0!eEtB8`Row8{BFMS)EnWC8&ADtHs5&qzZ>76A8|}s%F*%R5#R9UF#~Z@;8Hx4 z&&BNTzbfRGyZ;wQ`-g9iyjif?K3eYo^XJ>8`@ggOe0~2PqkV(y6R@#yB0r%Cy(Jti zSc=$)llT^oXh@RO|_p#Ms#|52R01lBNMemWzOjBwl7_!~<>of)SQ(i_4es9f`diQYD* zXejJ71C$9u7GzN39=aq_-||j__)eNt(WU5@1n9ez2IT#_iTrxN<=5{)nwqjZZ)4*% zi_wgMbTpgCWJ)3~FneyeeI(}rdn{OO-QPyQeE$BOK40+3gW2x~Kv>jsPdNIXgfkSA zIpZ{8@nU1+=H_OE`BYFGCRki0kIoqkPEUvgaE>4bkMC_vH57P5^^5ctKwO{|&?jCN z{lJKhBc9+e)RM1#ClCY@Zfsmh=U{kF)t9m#yOGcJRqh8SXxUsGQl7}C4=xUs=3Eb7 z-2m=wZ0wKaPFka&TtgJMFcPw80+o%Jehzjw8-yL8s76y==1-4t9(z|u?R z%Pj|Zu=Ok=Q6k2v_XU<(4U?4*^2c~EJ(=dm0^d@{q#DH&EcuRtfji=}U zG@wF)%T9{QV+e=@C+OXGH2FRqnNzm=-rIPJ{%=Mj>z#KgCo!5~3M(5@o@A#|{KVh) z(Yt`$l90`_2RBgR(SY2(mniQYjv|&uJ`tCI*Fe_Kz=&S6Fl2Y=-T$S2eg7`GqvFQC z7Z>|V{%wYC-y(DwV*lg&cO3rlHa1H4bq|%X%y4&Dcx3M++`C}o9WmQJiMXSRlc(~ z9KuICR@ZD)23CDzuNs`+3wfX6P;6{un0gQ0{OQ{rZ+F+*9&F!iYEgazCiB;27>c}Zg;$$U2i+1<<_B&SbWD=@b{s4e5mQgP`$VHtK!#J z-KzP2Z^Dw<{2nFWa;=5`fA;+4%L4xoCE?cm|0A@|pOMb`fqHP$yeYu}iB)ceir+1T zt$L{HDU~YVFM^S-hm|bmq~#GjpZ{2fRrTalao#61GLNl!?KQ8x=C#+n_L|rJC*rj$ zaDQy^-j}jUbQ5s`p1A2b!!K$=_L{N8P{p5{YOk*4_&+?K4`PCY8Cj_gxXu3a{AE%9 z`+Vo+n*V#0_KhL%yOL@iND8dKr5xc1rC}0d6w=8w>8lT%&gLP}pXTh2#N#y7PRKF< zM#J8~LBNfoxL;H$3p8)3l?Bz!Sg$@XJIai|AqZqhKG9_1DJ}t|UOx?SEIAuVi-9FD z41}JHn4sXa(lE^PRS4f=8iJPrPFiu`&%I}>Y`OanYsZaFVJNet-LLq!!~NfVUcCP= zU%pt^|9+Ha=l;9h*~mHLJlVIel=3UHgbA&2GGvqYQ9$M-3NlapCr{J~d-4R5{RQaB zlQ~ZO>60fCF89!r4e2SO&)vqY9uerV{;BTUFReA+f5|4@8v(T4fAM#r{{Qx?SL^%# z7_D*tvwX0pXIDp;Uh*kfrjO41zq|eH`5ON}N^{)*4|oi@UKd`{T`kf7TAxJZj`oe z9hxis_wih+XDH!ad4M+l@72!BV*dZ#=R0fq{}@f&TaEWjw*7g`J}o?Z%Owi5zY%D^ zfKc6B@2>CvW3%<$>P7)rMVrY~wD_x9?8C4RZ z2fj@zmLK(YcKW-!{TDC#&!6|u9SuV?BEGm9y`7z2zqh;F>-S!~==FQgpZ7LY_Z3Kr zi{V^CKPQwYIU#M5pv{m(Xft8*3FK{Up>6ZXZ)N=2-nS@w0DVCKQUF7}eg^NikiKH? zTg20m1S? zI3#gFA;|HV3=%dVx71JeG;y{@l*B1d1~FsFfKT!6ii+TzPoPdTA!7sjUaJd=UHKK|yeU(s_UrZ~~-JKyPV~V#`?(&2U7=gbU)p zH?VX#osyWKJ4lLwL(Vja8%RRHmHyHL#pMZ%=0+~SZ1SZtj;A!xJz zl>EPTpY6U}$NxV{tGq#_%~mS+oYYi$s4Oem*s~-eE`wT8vuJ38>?jddR-H5nt9u1i zk@*2t8V1zT{AliqRO??V2RI?Tl22eC;rXwGxQ4@!-JQqumWE_Pjs*F@(jP~cP%Nt9 zGToLC^!86qz_f&evnX6#FqXWgA>j+2keSKH9jDPg|4vq@eEH(Vv*-G|Qx=I=@(;e{ zB+j1W#21)SmD82o%G53wX_U|zQK4nFO~4XI2WXh`co@=A$ql;VOyPK9{g|b`Ofq0x_R#Hy)XW5&rqCEmbM=v^&HZSJ_g~6Q zK8wb5GQd&P1qZb1e_y>Q^8edAYx~cmv?lv6Y<5|1B3^+2RL`HMDECE7eo6^Xq_J4O zUXs22c{)(f0q?H)002aUFm3@1>5R66gQv>C0Ns@Sl7MGq#^Ocw=o@;IudQ@~Tfu{mX-w{L7!F1>8q9Gr-58*rhBFY4<{#tumef8Azbf0N zk{}|MpiS~qg)c>JuzH9}lPr~tMpykdG8JD{n&0c*@A!2O0^_S8UPmB5Xx~Wm?pn9$lmj}c1Ue}J z%`FLx5oW>%2^*+Vtu!VzZ&gV>ys>Fcf|< zrpT==X&8hP3^|Bh0Dv*1S3E1lH_p@s$v(3ku3M49gli#HE_Ur${E%_-S4@*DDPdm{ z-wZ|x-2-@LaEEC!;Kb(}IZ?d@RJYOObVUU{Q%$eAR~-8=Dy6(Ks=f#Ff=dVdBb{HS zqljeN%H_wxezv@8DP^o~t2MjwG&E>;tp{#hTziTy-OH;-kgxlwbt_b}Wle9(K`cKu z*NR>37g?+ARSMX=cB@@EoYQudHO0yg6QKb*J-Yg^fB5G3)cSm}|JN#|U$rM95GUuS zGhfhpAI$2P>fA63lXV>j_)q4BUOFMoKAT={D1-X36#Z0Jd2q7NHAlsMpz?6kt`_M0 zFBntGbK6$1U9uBs(3YWKyEK+I(?TU$GQXoQNH7DyMQ)4JpvWv3BpP2VjlaGlcwniX zXB}XL1 zUzZ_E(lgVLs&V_L#B}AEM`6Vz0&jaq(weG4wN9&bY}WJ6W3%5;W6L(b{T2P>BRPB( zS||DcLHxgWU+$FRKek`JTE~ArO0&Y=^3+f3`oz7$QBdHNB1rLnNdw~J0#Wk>&;A!O zW-&SXLv;Y3v zhl8_=qf6as*;7QmUL!4*dsE*1x=7AhloQ|w^}{$m{ma?g)58zvXBStOA1;pm>+SKy z(TC&1qtmP7tH0Hcuen2e+!ooW9rxAA<$Z@NYdtoPw%kqSKx_KF{Qm9L;n`nLKOCJN zo}V3`UVS(^-T%wU(P4eR%DHBmCIP#PjcTLo3w)ydg+8PJmIM+@Lzzse=8R45h^ zN`^`V0_nf|EOV*yukXKQ<8lApXJt5$pVex7{n~37;)mB~7jO2j>ZhOSB3fsBcyxJn ze7b*ie0B=eiuVr>FKocZH$7xN4yTMK-rgU!|M0R`a^D>UJQ;||g@kkOciiK*zW7Hy z?p?@4q28&wB#|MAwu!?`&u2{u6F!K5J6A%9E>!+qC*6ZYK-@1HXq;T7dcyF)w z+f79*wt9Wko3p_B4$sI|uNA!<9=+awdvc}vt3Tw5AR4ryG(OFvKR9`Nd3AKL+KoRr zJH5I%JNa;Vb#b)+=EL#n@zwGE$%m`sH%Di0bJuipv$!3gM&9yx5)(Y*TON(5;JB3F zZ(B}!-3M}baptbtx4P9vX4OZ5|uZg;)i-9LESXfq)5kS#!% z77vhMLI%6fz31MGEgA6HcGjwwV`ujjOnRqgcKYTwtajx*mg*v7+bg|^`|rRL+5t)n zkFHPtBb^Y1dK?CHe16$Y-iBJU-kb%;=iEsyv=JmK4mPNg0qaC-%D=-2xx)(=9P{1& z)zM$~|MubX?d#Xa|D6}`HHWSE>0UM8>_AueaWshuZxNEeyEwYM{P5=N&|-Q_q7!5b5oMj=?VGZHaBy^f_2Gx3qx1cf z;~%Z{*xBCR-k#N-s1oDT9YkRaZ!eE7$`t6?w)+t3At=0j0N#9QOptb(!BK#W`^y~1 zct#Qu^FAWp!~=(+@2{@Thr5s=o5bAHk@Y%u9G3rwzWU=w&=LmJ2mK^KEn2H}&pq93 z@d5q)mOkZ3_r-lSC!#O-<3|~2dnm7}fw6$Y36n!{icL+NqbQ?oEd>7(_bk=vf* zpHk9M?{;{6x&N1wBk|kS*}>U~Vy}+RP8-;3tD`QOHyaxXChX|Hubjkwt)aDkP~Ws` z1>j4LyQ_s&n)!X-XK9q2=JeO$3tN8;3sh34Sjzy1Oeu0d93ESw ze|U@IVVp)L%1x{Kha?IHs?K^F#H)+9mscP5PY=F7ySP-yXXBg&TvwaXC24N5k~0uN zE%+W9{hjzpmWvzChx(RDi;E8MW}`$*T~^9Zd4ezmm7`G_1tF1j*m7lf^kfEEpgO-n z(#d&-=c>p)pF-$%#F7ndzM&Cf$&|zpbxuAdb|`o0(u52LU>W%fj6<9ciFx1Pxkcf! zbK~n@e;^C%_!K;YD#orJgmjrc9>{rnehe-|nIl8~I(#0O6rQMe4oA!+`w^?9JIbx8 z<#kja#$V;|(td@rV{`Vy(dh@lP!!iycUibWSL`E+&SgDo6=z#M$ej2wN%$}k5A$Jp zImP#t>s10#$c7-tg5_9-863yycF<*4X<^L-Y82WJs*u&4H)&(dL{H8R_D?>X?%O&x zg<3h@@-oEi<(D+u_G)D4bw+h!$@AkVPN=S{2O3$?woyGeOa1-G_Tg-}lM+V4Q^~IIV?za;);6>K7*nk!*<{~%6Fwhbsv5`cLl$vBk_uB{YLlI?t zIc~jn(YY{ei6Re4pCeIx&T}@yFriySBtb`pSeB=|AD?Q&O`{_*zQU^wtHUTOuD(Vj z${BtiGR#97`8^fXi}yz+)Ok|2qF7PwJc==;mnT@ExI56`H9BOI3*Fur{o9X-HkHkZ zKRi6Dj(J`yXAbGN$08TTXMm9#EN}`A>iBqNh6CV*07MF$!uyfo^&daV#^<0Myr)6-gW(VVoLy8-}#i z8djygnxJt5Ydz>?Nb5SiQs&Xi*=BXjC2hL~dP&+nMH`^aH$|Fnh%z6FFkkC}c~kuI z#bQ|81hko7M7QXkHzL(XT8|%42IK$pD6*Bce0Bbx)A<_z&wS+n*@-m9|BLmSU7hm1 zioY;O_?Gg#k-k7gQFUgC87Y9i7a3~*<>UAxVt{(=-#vEg{9o>3KJtI;L>leCvM4J_ z&~X~#7&84&ZBk@@k5kiquPkcYof{;%h5o&RliIvbz=b|Ovj-=!ZY z=6tVVBU6Fq-$f|F?-}w)qIZvNagFWKNK(O`m)~F|=4$qc0ln+Lc|HHT`}}m|f8B{R-T!a#Dx~xVsyQb#*?Y*Yqjz(l z#1XzkuNjS}wcqls(6qEq$)Zp#q0oo*OG>f_nuTD60mqfZUPhK5t%q0$4bY`H>>-IG z>{N`hF1>_GMdK3ZS9m@IbiF;QLab2rdU!Ow--BNINUcK+M_Y#Y8kmg$!V8U$Ko;Vp zRP@N`;!#VVHO!da{|eMn`Ld(ApFGzs&7FL*&6@veDwdjkyid6sAs$cs7l(I!V_H*c4h$(W1r;l8F(w+=+x;KTQ+YiR@c(9 zV93&~-$_>7TI1lehFCQcy4BgjHc1nw8&(_2wgOwq9pI)sNVPrURPH)svFToU{b_@S zEo!|nFM&iYHL4JlyOhX9b_w@+u{fU1fQm?(fcY^9Y0kI|ERt8D+$T8k@L7pPhtY`- z34PK|ZdZQAHt|DV*?|L*B*F|Pl2A`|cqWyQ0S$Ob9r8r&9-P^+9o z;`ug3-VF*cht@sJF zd`<4KFW>P$n?mqw65R_^H9+Wc{h0~avyW+5c1p9I)p29V;#aQPOZbgtqHh7 zjL@8eUoKy93o0LP757Hu$a0K+{1N?Vr~Uu->f-Y4D;WFRwb5(;i`x3%UCd`A{$nRH z0eZGA>jM0YqZo*Pfku}X4&aUakLZ%1ToxQzK2CAsKZF?WtN+u!SQzf7h4t^t8acGA zXCJO~j@=n_;q3Q=Fw0VY<~Sq{AP)(Sd=U}0LVkc9RoE6~ZIVb*b`fjwf1ce(`20FT zna%&q5yMl z(p5}_?8Z3B_)-FdyZRv(mtEybbJu--O=(sR;J-b=ql_}jC@u0&00030|GCeyQvj+A E02y?4&j0`b literal 0 HcmV?d00001 diff --git a/assets/minio/minio-operator-6.0.4.tgz b/assets/minio/minio-operator-6.0.4.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b783ed24324e2aff65aaefe00a0223919a15da45 GIT binary patch literal 24348 zcmb??19K+98g6Xcwr%H&xv_2A8{690wr$(l*tYGv=Uo1P+g05&H9a#`T~pQXqalof zLIe6w`=JJ+HI!6hGM1F%koDwdH)2&|GEru?)Kcc=P*79jkW;s@GPE=CRQYAkFKKFH z3v}7->AuPFOq9`kp=^+q!`jkWN#-f%qNfn2rG}!=b=rRT_{Q%}A)Zi1(0pere`u;{{1$ zuBj`?8XqJOL0041OA-$LBR%GS-yIGmHkv#XMl~qHOv2HFp`1?s+A-@OjWE9vSTXmJ zSi#}zkP|2Q69^^6%?tQB@caHUaJaSg`|-2!(Too^keXOdwQLDveOF$Z8BQXYX?V+J zg!l+D?@k+&oRd8>mpFw?ETW>J!jEaEivRuP8+)0I`CInS#Npnyp7fgkJwZ&Q!YCVY zn76lvbitwCo$NI|DeKs3k-K~iV|)0KVQpN|K8S*3ZQSdrAeqwFThQL39y7F{ZCVhT zatV_u;8a{P($Xp1$my=v#T{H6YP#h8>7zG)h3?!o3xC`h8F@>Vy#!iy(T6SE!>Vp4 zv%9K>)hXN|g`8~xFrQf+pFX}pv4Q|H82Q=TCnaxU06s_egP7Cn<5)-YlY1q2arh(G zx1#U2^?~zyS0~@usrtx}96BcJFNSa}NxX;zS}xHeJC6|*Y(OnCA?W}^*)AQqY(6X< z6#+SbWcXKT@po@VqURvS*U-c|j-%I4G%4kWXm@Fk63}roh={+0=Nbu-X>R$ezPA|3&+ang1{;$Qd%L`T zo==}T&((w36z~cle#QJf0K23HOwo(o*79J!$VJ!D}e!Op8 zy!3Vn^1nH_Jbw=|5(@P2dVjeMhTX6Zgevo>A({nYp#%!d9-BRU{s^i?^m0nSS}+a| z_dOdCjPnmLyf$3>^2woA%##aib3I0Rx$B?Xd*4^dH~sI#fUgGrGvSOAb>Npe`1M3<6C zA9gMJ=Y(^8m$MmMl6R4%I3Ag;_2ZS2p63SK?H|pOi+|DNjw&6E)Ems3jSmqTnzYV z={?NmCJF8` z+w6x(iD#og-X22^g^heu4>l}O95F8U3}&go=%KP`wHZaa@=nnq6^C0CSDuQ5C{@9D z^wMlnxyKb}#*d4b3tU)jk(8^aNmryz?ade2NG6mjKobAOfUb~0gi7Sll(DVBlMbNWD@ZHRhj|b~2Zp8TWYBDJG-;UHh zH2ab}Iy(ZX@T~9q@tJuyNvSZlXudN93F+}j|Mq;8bPB|$FC(h4AZwlRJn91gBaM_K zlOkiYoq1B4S72`SG9t%;%^`_q5oW9-VTEVU&6v%_^hjV;dKN_~xI&@9tb&+!R3Q;l zW+^M0v&(EMTs}+ zRD0@BYf;ea?+{YJ9RC0pGnNM1fW1^ZKaP%!{0B@-11Z?F-X%)%_jmM28bv!%0}=w} zun|4Gaf;rH_!^i&BO~!Zo1|l+MSeRUHf@v*2A6^a0FAXZdO(&p?byQb@Zhu2OGlhV(bNL*aJ`&l(U7C24g<-7b znv4iW=3lDV2NT&OzzgkIEq6jOe=A>_(yV11#R2nx?7RR$T+~^+c;Q7m1YJvh<_$Q;Vj5_sncgE2Wm9T)4wy}3^^n^IVNqEV% zUhhzvU8!c^UT5(pP2NfP9Xsv>tdnvw<&o5>c-doWN`g7@#rpZ#C*(WoglgECJ@>w? ziJGjOD&IpkTx5k0bIIu&k$#H}LMv#Wilo7#B+_#Uf9$9}X<3Nl6K>83MNKo6=mWj%rN*iQ5dtX(#$5Dcd$+29Xhsj2a>O?}CWq^8* ze*nmEC&|J-6N=!Y)1BA2t$KIg>m=y*Ec{6%i}c9IhN(H|Il`p?XjNpWhss?5eiZn| zl|hos~cRXnL>} zE6Eb8vQHmX7Dj~0E~Wi=$BATshBU#iD!6eZJULFJRlNBL{5eJ?u?1Yyp^jUIhJypjBpXBvBb9{IR5HrbYyDNqM~_nxia>6PrWwVG*z71 zl9!c`u!c=Qq^i{0$V4ew4(V-chX+XqU6XzOX4FVjN(DDRptn#}S%dMGI&Qu^PY0Ia z#*>kPk5>E4JP^(7*PRc?kC!e7gV57jAhRV&NM+g#9GD+CGbLjAndtMwfb85)4mJ^l zC4<^jqI4qYxD=}F+i;dfQ>O0goJ%q$stOdEZPTu#19hrpo+2suovc*iG~FUdtq4b6 zI3?e}I$K62e}(}Jp<#VKNUar?c&s^}fKem?JwIUGq%d%()=7BHgiHHm1$D$cPN7D! z$WdPfhsT$zuz3wpYYr{h=idk1YFIbd4Hn>`TnQ^nmY-yb>MUHbxsoW1R?lRWtGNW3 z@l)bEfX>zV(Rgf^6;x(WB`3AU8<{odqt2jHtAR`RYLpdDtccUxRBsf=d>f`pwnf#P z-|YH{@jaOUOM4R?ltscTG@dC!(XbZ&DW}4{lG(E8uTw2-WhaFoW*rM*UVb~u6~wZa z!1#O%EkWbK|5L;=nQIhEStQ8%z0$RPS75!%O&=mjy^g-gWd&Ya7GwWXn=9Y(ZsPHpn~s_KD;&bp_Xi+|!?^wGpmkp4$r zssdD5A*a_vX40H2Gcg$|O9dJ-?DXyXTf3tpsJG##QZj>F1G)W0hS&wRRLIn}HPH4= zkTJJcW9{en-RGKb>yJ0;?Z=IG+&s7(qHA8Kg9{Ag$xTRhR3SAtAnxV+vr)ZkiMM^C z;?)^FL|N6qZH{*5qA)EQHsZm6oVn!n5cvE@bJgI;I^-f4g5s#E&U=n9gmskUalibV zQZDSxL$-DzAY z=)$mto2!w?Uygn*wm9zwPCXEVPR6aDdZ*Rdy;(^Yz4^U5yI}a=`1$<`W~g2qX-oK8 z56$0jUvH(?LVjJ??N3W(be&fG+oCH4PMX_vRpalgF{$fyT%q0&ndY%9#yW-8U?X!7rW-fK+Av8uRDOFDEdH@mqY08kbA+%u;tF6wjpYRC3vIRh1}OEfcKQtk$7RO$Uw6skDYZ{2Qy69C^6*Om2U=E5 z&DZcd9g|u!x2xIc)gbyiww9*m^F!_iBW^mIX?lw79iWPkX}Z0T(a2{jkn;?WdXZ^oPJ~qGCp^Q$FZ8 zorB&Kz;%nWdf_hbYqhu^tM8ed;`m;`t1ogTc1XB>W*1 z;yDJ1L1%1Hml6&%jR}DP|+Mbq2E5f#x28f7qA7ZP+yE zw2|<7%_D|wgSAKl0qyaRfj$lv%XXm0g$9+sT3ns}Xc|f6Jrmh2MQ7N}KUK)%+9X-u z7V}Bfsj$794-`J+?+=I+I8<8D%|;@JvJJD+p*24gUS~(4(b6B~3IOi|MG+3PA##VZ zOj-5%y284dEV)8yqx_`6-bYS67-SlAWhilYP9D@1p(%SJz`F2qyx$F85#7N00Psb3M0U@3QsaM;H|_^;_!5*AoS3htxdzNVZ_ol8IKi z0~*e_H0p?sqG=d_v_bu`LV!y>_@*{E6;HB)o@H6)7_RAM(j(?pvTBF=d zv`r|GxIQoV{)sp5Ti#A*$By1HiL}qEY z$co-5g0aHi$UBEf1bCXko_Gp}=Pd$GN3FNx+jG zA=V{%K=qT;&ypteNsju#2rR!Kx?cOJhj;u%3wnWbU4D)j@gbWV$MGkTc7gnXTaAGr z>;NeNh!Ax9E`<)yvIy2;Q62!nt>mHtj> zGQ4!rS`kE4QmRXtBJ;_PQL(79i;WFK5*9zM55yl#wxmt@RbZ#23MVxnjJoH0b4a0hPquqLNg$R6DTI!^}lg6n> z+o}cj*g-XUNO__XgMUYj7Xm<))i?HVXV-$wjKNRGVkEkGo!Bp)^k7Wu2QQYB7^8NH zr$vInMSW%enAuSZ^T1~sbh#gzev`ILxR2p_|`LvOl_ zKE0r=_F3z~H4UuJf@X;#>DPg{Yfk{N{kDF~gjW|A>Qk0`Q*f!HUQRrSF`j|}S4!Dd z@lw9$jn35A7G~<*Gs`q=T0+aqyhKmAU+BoBj~j`Q*O^crk6x96*yOz(t|t%ltQv2vm*-9wGzBCGa zoTdbcLnX)#;~m5_4mrX=Fi*Ym{lt2#!*YnFK;|YFQ7VU0CbkyZT#+Wx#LEJ*YeWgc zmPe8G7&@VXt$c|Zo&1UNsrwoO0>4?Ak=yR9VUJf!Ew6%LvW0zoJ0u!=bA=`imLny%n?UIu2MwHWup0>HosMg9S;| zX4+`6^0jco9^mK!M-|ea4MB$_h<31iTZv!jEDBtyLMq9F3+Y5P8gEm?LecJ7WDcCk z%<5Y`*RzW?Ww}5@Oevp2F%2occR`jt(6;Hpre zU>b;Nzsl3?9D>&u(WXs%gp@8cn?6?jZa!lqNiNo#qv#rFb(+O}lAE~9;61~uP$>tI z?T(;(@wbk{)1{jCWwzM*kK78*O$)Ybfb;ohltwA2Jaw)Y^*Nr z`cszo?5xP)dV4O_eFi}*E+Qsx;I_9$fJ{2hAupa3C8x6BNH+;oT_D6gF|R@Q0{3f~ zjd}M$e%YrSG$U(42*9x%lpQiRQqkGMxozan7l!v^8j)c4Wld7{>x2-k?rud8=$XE{ z?k>(HN8KXMkn!63g`tD$F!!e5{J9noGaz@YlWHGN>zzk01O@bId!*WtzK|;ngFu?9 za7Cz8hkjQ(#S!63W3f}^08h)QRN`%f+XLT@W9~Zq!3mdsfXV&1tuY`kEC>EI**9yj zTFQKMAl`WudGFGC)eqRLgLQ<0_IQ$=jyJa(n(H(yDxZ8sRZ$RSOkh`Ky}VmRxV=Mpy^R6XWw7PBk5J}1(}PBBo|;zg(H z`pZgIT#c=2@SY8G0Qz(1lPs|?g-S)=Nj{ok8t@c%7zL<4wPvy8mPnuq`$5VIoG&qz zc68v8g6)B%L?mTE?F7ZjdM?7+ajG*Y(+Tn7S*I}?>*};ITC0m{?XlM+FLCX|A7uHl zix*xxNJ@1@k&ItFUtF z4Sx7)zr$t~vdb%02KLE7nHeQ{jqQy3ge!i2USTpiqG0b6lqdU-k>Tr%)8pk%>w+)( zFWb$(IuQYV4ahWs(J*`c2({bk4|>^4O+dC)CDmom!)5`PYQbhPu<3FUM7(}@PG;Z~ zY#j(*zK+FL^z_VhGIlay4Atd!L`L;5mhF{bb25#I);4+Hi<&gc@qqTc^Y=7Xu^Num zqG__&q+tCV7%yQ|7Gg@40q7b=UUSq%uE|)y#Blkpv6lPP!i+O?oI`;OCwp^{!B8>I z+VZ*(Ye-sFO=x>XaWs^<2LM$|5b@b_z!7v$>&gYmScHy^agq+B%W%@7G@-T1M$J)q zdVe*I3YE`m@}YyDd~%F7^8)nboHrxBB;Fq$HKCDo&A~eLxA)pH<{81Zqng16$Y@-1 zz}7RB^nGZ<=lO5td;@<;Qp}?M51{zQ-BwyC+dXG%P>hy@|L7I26@xs=sma5iN-afW zQZ#qQn|b%bC_KJiu}(lUT@Wc`!sd2eRT#0BD0s+s_1@1gaey)oH$Q zIM^&QlWq#Fpa5f31;$+aF~b65;6NSMRsXcgV1tPx=0f`yi87)5^oW|7reBz^EYme3V0 z8V+VPaT|`$G|!4vb@rB9bxPcC8}WkthmOOmWA>U8{z)$S);3OG-C1*XyyaYX$lUqq zZnRkK3?q!mKcg3mz4w9Xy99am<#iM4C7r(5G(I3aR@4a%#QYo519B+Xc?PC?$Zx;5 z$pSx27i(sWyDh4-OCjhQsZ$vAZ2-1c`3xBNj9KK2?);d!hlS^tPc~~Z(xSaTYai$G zL2j8Js+I%%VheQrk&*`rh)NR>$v;LKiU>818Er51y}i9Z`)jOUKVM&8M?bwj&yT}N zsrvYQ-t9joKS%wGLFW2bg4|pl-;cCSy)nSGA`Ivl`d6*j)~*ijVDDeP_W3#p1K8y1 zkxaS}ZVuluc#1vlj&r=FbOM0Ub``!aMW;bpmSxOnhh>?F0cN$fUBoFYb&vk{2rlJ7 zN@(OSXv3g^9GoMzh={oubzS{SM1&l~=O;>Z;S{j8+l8q9@4ULX<}v`fA%l{&LdtR? zw{mETFD-hR@D$v+O^rUx$MtAPn0*#^F6=$7IK_8P&_AQ1%m4|x0D3pN1VEEzCPPmkm%-{Nnxxc{*O{h z@7_n(6)vs_^5Zk`*C>y>qUTvPg;0QvMMb&T{bDx*bIhps;uHzSemHHs(u^MxAyT>NOJz;FS@|clS~Pn5-I*8>)|4x;F5;6p4pw0pYO|QvdPzMozYu`>J*P0}x#y2pZ+z@f~ z31P8jOfzeHma!Wu;A>H(4{b$>#9d2k87D4+T$Wu^VQS&CcM!HxeR|y)nkNu^J#a^R zNd#&UbBG3OE$@l6olC0wBOMZb!y`tPxx9l2p-DDo=+&1%Gq*X&LeL$zuo_FZMTMvi z*cbvB6bVU4=b3{OjY{r9N@ihfd$A4Nw1r=7`XITrWcjx?(wI8(XK-4yhm_pL(pm4$ zXrwPk;SgCv@sZ;#lh;{M_@4*n)`MgNK`0S`-3r)BcaBe>BXtQ(LfWT5z z2{poU6Tl&_`CB?;y25i-1s#UwrEKWgFCd!mQIx(> z`I@V@wS%-BWu*L0M|7x`C=G|d-i3wOlwa-KzS_&XNch;om#-d-vTEBL22Lh|SkHRu zH7|*u)y1+aI(J+NA#LW_GTn1<51G|PCvaE3eAPt*zRq#zv^KI{0P}Glf`?8rX#Lvh zNirPvFG}z571Iv+qlB_3SGuP*UpGv3W`77TXKB2~T$$z%3t1<*DkZ!-{_PexRzgNz zu&o-b7|c8t_aC0XV$K+h*u>pC+{+)#aTuhj_tJB}^6Q6dyo1@4E58?6Qp&h=Qn4#O z^bfC0pE|?Mah7P5CHJ1ec)s0;p!Fkh&oc%&$Q@fSXAm4-52T z2N`q(8lBx4&4N-DNp`(_QE*4r*w?poZzpZ`P4y$m!rNUr?wKrMuY1?P;z5g|{ihCp z5;s`K?EIIPY-=U+N8=NO-+mRC4+V4IqotiMXsmJG^7&}cNDDRf1`qR*r|j|H$Vf^7k~HXs6<6c4o!-lwQ9*Q@)7fKeP~NpXs)Ujw+Vi~VJlDWj zm97gc43>E%3}y7$EMv%N+%wxU@rO#t^Ve+ThK?g=Bm3x;Wg4D#VF;}2Cw?5aUJ&I9 ztqnCX43Mi##PP+@Ecq4PT>nge3|2AI$pfr;G;@jejGh9PeM~SCP@5E$rNcRZ+y*C> zWcAs*l7^!-41HCz{)TkB)01AK2%P3KrTgsKbem!uccL5RXU9yKhM%pBM7XTVfePx( zaxu+Uvt9N(c;Vmgmhhrl6+6|(h-OwPw~2TvYa_d#Cf^{0t5mL61~U%lS>KG4@fM|a zF;MrZt@OQ1{wU=dt_^;5&YpmWcQMNChmnwuLlPkq$CC-E&2%s5^xa|mC*8|SW;vk_ z^|_#o1jmY50K<}?GY03%fTJzGs^_U_SQcXLBg{@0Vw?_G?)TGX3)Vi@4ohsL&DJhJwrxtCupv60JBrG`sL z$Gd8nhUnZYk7iuPbkF;2;5AxPVnM)X+y134A=XvP>o5$ud;P+oyks%iDfuxyAb)q$ z2e;6TZb5ji-h~OoT#t8cBX}{^Ew>7D=iwO#8zb`y(YLmPS#O6c$#WY7V4=KN;w8#+ zxji1@mEUr?xd`f6cD?7U-mDo@zYy>`SddOn{{Xix2s^j^dV^x1Yl_^d4wrCGdLl^A zM|d62fW1`TyT(z^4qNpMUq<9XL|%TK@eH3-pUAm$2D!Dyn~XnZCbyvt`9dO5$42ik z`Uh-%4$zx3ft(`VD7tnFjAibYH(2IL$O8u7`WWdYqs$>q}2s2#LZScSoXC5`H6#Xu?&=89zx-UJPT;DMV=>CKfG`0p? z!MR=8WLUUYFCSlbS~p|pZ6u;&pVw6Sw~nl@Z9-{opXbfY938mh5IS@l$2;>rlvIUS zipF1rOqBrQv$;iB8h@eS=(Y;{)Gz4ufj5{YgYji8#A6s~ZkG^PRYGyLXfj?)c)G}Q zp!1eBBig7eofj4L|G>vtDI~6e=Mp7_%96vv~h z?1mYF?7>Aj0}NFeGIfipwW8vqwNKv%S*`jnfM?RcTcETNB_S@=)Q8ElQ9F3#|J8YL zkP_p-1;(uf`s@W-caH1^)ps&BT^1^5pasHK-1+5eztU!mUD!n}-b2g8%4iuDwsv(~ zsOe)0=J5+F#8nL1;^<`+Gn?-w!?MGQ_(U%5kx@XI;WR`4)#_9Qagp)cs~L4c)_@&| zw!DD|w6fgd=|!wa0r@rI^6al^IN?_ZQv^4PB3B6uOWC@KkWK>*;34&!P~QUXWhoT) z2fJ1ooF$MzYzX*uU||kv!}9PHc+RK-3La*|*R3^619r6}=@ll5ui<}IJq6dzi>(EB zGp-@)L>W(w&uBadRFo7wwALwV*T&x_?8|y&ygRnxCrsIEs%2czT%u@0f#j_VU@w*! z!(T5c86rgxcr>B?gT*y+q^XUX2+W9&#aZ=^+|t0@w%{(h@J-x}pp5Rj9*U#&P5)$e zo)l&Wt1VOdy$~2X8?mj~z0T^Y(RA<8VOJjg8;6SR6T0qE==W^+M;s^zt?jGm&*d~k zADHhE4@4X+j=8fF^3%sgea`24%^FF_$Nd8|G*W)bmFA(XaMkR%g#D_Sev5|YATDfH z(9MZ0hnY~vT-XzC2mGvq-A#yNIQ^P2Fzm%jA_g3)m{#rStLozvvbg4(k)WDo>Q?b{ z|0^;V*@BBQfhm}dp+FgS6%96m(NHC(c9LfG`Hq&5%l-;6hcf;H3-wiM3uLV&G~mWb zmGVn(?`p!-_8ceZGWZ}1#JBs_b#&YGY>l8#iwK-`M4Y)K@#=amY`)&V|@Lfbdh zm=4efF1<`&(kakd=Y6&ZZ2OcLbbnCjYeTRTA`xpsU2$cUPc2ufuji+%FqA(m#6wyf z8)6xf9*%@73jz$mz`4^Xdy1$P1vX=a54?H5dxVy|;R!&yQ=nN?x)P9iX&W0^QXMa= zrd&^}raD%5X`O-H^i^He%#4Gw|Ey`IcTRNhTA6C;OPzun0w$FEC8`TbI8f1i3*b$> zKGMnz1 z&t-sa!kiw8g7Ku$;%!0^iFULjYIjc0_M5J1HNcO_`FB7eT=&C6@ubNB4U;_g)OOJBPWk?ZdXqghD&_ld?oqT#a!xe{1 zQZI&h^J*IF&hR3Wmq#&R`y6Gbe+?*GteJMUIL)gfWLQZ=(KjjP5_Qm) zWsTWk-#oI2u(jzTYMp2#Qemp-5;~WRsaDdiI3(UqDho4Oh)^5?#JS4bOAXNlHw=xl zOeIK;_Em0~ZE5(R)an1DwzNWC+LBDSZ78sX;8#Ra^l*pNUq<-Vt9YHieMvMuj!9%bQ!lqW^YD1S-*SbS@HHQ_RP98y$ zW0tL?8^k32l-Q7_KjELnBt)iiD&(5}9IcuD}I0 z+zM(^XXD6oxfu8|a&4g)_|-73gAM3!F|dmzkS>l8|K%})9C%-rD~h6iL<^=z&;|`W5GkW>kkhn+lpNffO@i3E{HXCp_hcc z^#&U%(G2-Q;4+l}XpMIc7(&u+81Er8)vXcGjPANZ?;*;_L(`+{Bo)OF_$$g%?iNm= zir1G@F7V+BSkgGYQ=(8u(o0x?i_MymBRejzT6}GJT-6Mk64H1Nn|+HLp~dieqVHd_ zNtwe_%(`@&<&4wwW4HZdILL#KfiD@Spmma9#MtTYDnu2&%CZ-wNc^j+p6oGGMk1F2 zRc2QXlYqC6lUTtfL$XjkMyg~~e=OUocn>{hyb-!30;STr8zx47K2Hv!7R0~BtL$P~ zR^;`;)1K-I(eo}cla^XKiEX63BeVw}A?bTJ<2LCz~<)UgnHi6S; zmH8g;8iI7EjQyOY2ZIzecSnak76@bCcH21Z?iDs7at2bXYLX**9xP5$iC#d(>eYfw zzY_B;!a=Y&!Uv7gs*uqK-C|PyHyZW5YDpP>&A0TwR7BO7Ogo7=c+_Vy-MwwW@N3-jySf}UZ;K?Z$^znB7e!#P!V}K z;nxOzk)3tprVtLh7duJQ(CdqK48dg(aWRy=$k2$7K#@-4p%8(WB0FdB14e7Kt5QVF z!~2T#1Dyt2QFPkk5X_>M#YPq#JKBBrbn3<0BwE#pCiJ1^n!<7J>_nr&$iT$fL@I*l zwd$xxBN8`I_a8i7@cQDEO!XJLSq@5img&9u>rVt7iRE%2}gda z%b?lfQ=r|h&%4eHybX>IGbez9xK*Zo&>{E;e1L(&c)qNGc+$2r4~C8JqPqQ7tp~M> zc@5uJmkW1sTs!MavPKZ;0z8SKU)~^mk=hridyb33IE(TeiQfYW2RsLR1zmt+?CF^S z8QdE%N8E5osEVVUI22$BVg5)-Qsla_2mc_!`%v}--->y?)$hM3GV&NGy&4N~x}bCD*wZm&-(julrp9CZ1+xR##Sr(`!E~n3K?ehhSPjfwND@P`9%oPz zmA1p?Bia(J5Nt{k)dwc#3H0cl^;SWLz)@GI7@h4rn!;z@oPN%+)PhTGOL2@dNvjkC zQu|*w#PRIX+41I=1xonLP0n`b7LVG2D`Qg0lsTxCCVPdAmNoZ3Uy6$X*|LRTizT+e z7d60tQT#1zEG*FTi0NCoK~+gjQU|}}&1v0g)Okpg=aQFqMz3>Jj9i6xYamyTR;APj zH->@M#Q<)TZlx*H_knQ9adV~!Q~6&Q6R*cDzb0#9OVi{elYk@raVNJZ99p3_Z9)9b zP-KraQ{t1ELQv`9*H|K(cMYB>KFu~=}YQSYNVe=;~$ z$_3vx7;_&^CB9b=o>&S~i|qaQ9gyp-DP<%|kb=u_d(L{IIctk7;d?dA;Accs!A zBG@QE!;ITwiPi!qEom4ca)+x0M&Z0+$O(xmCrC%Oo*uPno4BcnQM47uGrOrAD4ypc zk?kU$VS@xy^&dT2Q ze)C~mGy7<=^CU(!DLY5dbzfF6|Edx(|8iMY0EN*n!Mdr+#W}6Yoq1o=yeMVPaS>h} z$-X>xt!)hhlDg#J9joxdZ|M)B6w*jBindIIb>ct=$a^ZWPCQFMQ;;RgHx^a0mdQ23*;JDHOHV2vlZr3ZWe{Yq&$6T^(#zK6-p&2 zhi1-HZSw;P_tGp`%-VpI&7fs#{Mt>m7BJxQ5l)Pi5FF~!v>@2MA5M<4JY*iaK3eKo1? ztToCroy##LJmFlzv65p+v>!cc&pe2lU8R?*Gxy5BlU${2-MLBz+OkOnUs3ok{(?N< z3**K6l;ZRa7aQDPQTVz^wd)sDdgI@VpJ?ei+KT8=H+pm z8?2Ld;iN=z#hawtF2Y5!P3LRORwPKa_}D|Yv(orEb`4kHD(yGwCb^mWNb?nb`RxYF z*3D$FU4zPQVt`<4BM@Uy&D3T$+h@GGInQ+hV=^cYDG0?BUXh;p6V55xp7<$R{@0gx z4HR#sI|6U3|8|Z$9H6#>!>db_8YC~UyK8e3G5J+xiMuaQbe&BpFiyP zs;gzg0LVTo1h~KHE7-r_S{~0p0?vdMnqs zrgAar+Rq&H!U4IuFpvIg?nY z4?d8~8;>Cp``lG)K;DM^#q);MzeA_!hpn#Kg!t*b>v`Vfie>1GFOaag;J+onyF3r# zHxPFCWIx4r`ed8^yMv>9{pjM~TOc~Vdf88(fBfgJeyW9Ae>lS!^h+mKgmru5sSe>> z-o4;?e!~aL>(>gG)}GA$_mO9HdtUv~cNnv1+TX)M^p5S!Oa|Fil4Ac85}+IfR$Lg* zptV=P8wpQ=W|4i~tIWY>#6xo@Aj{X$=NKVXGk)v0{9iuP!%Ap1O2#)Zo-6}yf!fX# z=F2Q=Tu18{IkKL>B!WD18&2_;!+vgUxL%bBsJJ>vu_Hmzi0+(WBzrI$4~LGue*b#p zD1_OS!s9XJq>9-AA%j%d;WLMPg^){qXFhn$x?Iv2gcwfrpN0I^z3X`pDO%eYJbdSx zd&5OLf?@$iNN(wpKJdSpPNR5Cm=1uwok)u5jqcSB#yi+)l82iO!pKajAiPwwRAq%I zTB*B;?l_f&h*DN5A`UzPS{aRUu<9)5NelqY+O_@I8P7?a0zkIy5^z<{-lME-33{wGt+q6$^Sn-0Ps~Z(2(M#qz#g zrMcYpZmR+1KJ)K93((`9lGWw>rJVINOWz5tMt4ECgJ#~WPtI0cQLp{7x_-6Qp8fwZ z$S6aqMQ=9;Ij<{x^sfecl%~!z%s7`=NXMemnI`qL$~VGc-JS0%xgw1O6YMm7=(>6E z4cmyE*SzZ3{>8{S9e}z9{WtW)xEcl@W8P%IC3~ijzfTxuSx_%5;|H+N@I9@rTtkMG z9Q|{gAKYFUJ`7AT#u>a^e+RAGdifH;oPt<7zZQU4CWgb3SV6*Y%K#%A%9wZtpyF`a zue|({E*eTQ!hs77mj*1dse2^@4aL&bmP<@>jn>w&3ja{WK0d{iz_F>SCN zqb<^HHVXX2t^K&4=dhQjG`jt`lgE8GW#>F?Jh}8d8RLva zxVmJ78gYs9=Wm2a-vgNMJZJCUBQUUV^UY87zI$)R-;uSUCx<9i;q)8gTxJyFzaPm|;xvta!%eN3@ zhHbsEKOEJiusMfbF99XyWYZ{BR;92l&O&}9B7qIY^vb^S*hILq3zE`kvGoJOiGo+q zvyJNAY+=s(WJ1`{)PvAp)%_b)yUz{0nGe!5tJ&NkfQ7!V8F}YT3!4oTY>-C4zXG;% zzuJT5&f#tW0?EQ-+%xbKR-1iKdE;dQKMCC32DXSyxZBA`L`yH?U-F#My) zG217_*VBN^uC<~_BlxcUMAll$cG{F%+|y}$RWDuc&qoXCKyW7*yb_np^`P_*>Wmt)Y4 zTcraY4rp=AUmC2kZEcfaNAF~g{EHm%ZWJEUf0GaIf7=c3ooE09XqI zFOc=xQERRcm?n-k3MNlHldTxtKjamWB2-A$cN%VfDlD$N00?TOfTAjl+&@H@x^+Fc zt9eG@B@Mjyn9Ls23ETJwzEqOoJzadGNFHaLhg&4IkQ0!-x0bRrn-)Oj zpl6rV$~z4=O(Um&)x0vV0Wjsn9V|=m#E@sxom%=QXLpv(dO2A|htdzBu~Q^h@3(bD z&ehhN6&F~n|E2Yf4VN;U{9mX-`$6(weFl z_t0S1mAauTlf2EvMOMWoe{B|aP@6{WKyPc{Zu)PysSmBC$#3spN;tufS-hNqYzdv? zvk`6y$&PR-{3Z6fHOQ2_n}X6=Nf3p}RjI3n;~GtFd3N89rk2{LS0cLH+-LEqY9|=6 zEPUANz+7R^-D}FE)z1!iwVOm^VkODzRDs|NCn~{I={N-DEt)5tRq;AZm5+1dr7jKx zvV5`#KywfGq)m29awm@f`;~o#gjYV}2Bb{f)>%{5Mg9^}2b&p({P!+{n~>;ikAizw z=W1d;cJp#%+)n3m$kMir4%I}qHn5{f+|`A)ck?y2`ZI+b9||!;OG!p}vOt@AI*Clt z_VK@5BcvQR+p##FTAJQ&}Ufq=o~pO$0>9%>NAR)VG}uMP;1J zF}<*}c?qP*jv*xs!^x$(C8rC*tyD*cT7vT&B7|=tB0{Ms#{QSR?LL13o@ zFC$I==f|)7!(Oe3S(gBOhI;wUTF;RoxZtmJ=o*h9;PT|g zteJm;yaSey@@OhlWqP|iaTs2tonH%(yyPnDjCpZihfu=T6N6$Cf^MG0N_Q@U;$QGc zy19Q{(sjm&-zA{nzgKzy+czL$OPTJZie%wMy~rPLoq72=6}})Zk&W?ahjT4mL6roCv#~{2zs!g-=|4yRM77%i!)>+}&M^ySqzq3KVx3 z26v};i@OweC|ca1xD}b%yzl-_a?Z(4_CK()k|lY5_jBEs8|gHE#{8fnvRhFK5?S|w zK(j0^Nf*(3jbiK`VS34zoASnh$)eTpSJA|$a@~Yhay~^)C6v+ zM{eO_P}o$@FzucZUv?L)Lidmm_fFX`q7LRu$CMN>Qz0dWLqYv_QnkgjYa+{_x3%@>NoT$r3k^F-hF)# znPo^&>tqv~NV!td$-Lz`yUz)S&hfnE`|~o~zn?7|@jBr!_MZfez8L!}-yi;#PfB4b zPaqcih@s1Oo6nOo(ol~7>!!ASW6P%*D|&#Bo7g5?l~J6yMIuKDY??AK*w&6?-*|!H zAnPS$1lpr82Rf?bz&;Tz`zTTJFi^xj)+08_4lZ7=DW&C z5P$uO2N&Z(c>?!$dqwzsAU+T`aA}-Zt&X$LN7{{pqhu(6l9r<68VmbBsXQ?Vv4OwE z+CJCr43|%>j<#xnt=lOkR|g9TFBwxGW*-)jT(62)dL488p~w-%=VISUsn2U_tohl| zO$_b4;E&ZsUTZUAA$x$Nb*qz5t5XIb{>0Bneu*p921&=8`4`y3dv>X_@RM-GR6s(Z ztY)!WJRW*#-xz@|!S}dJkV{trYVyB)5>$&v=sN$j{8}p(wlLKgY4$>>O}M?X%}UQO zk`oqwNYj37sJ^6J`M(oatDH%#PbKmW2dpvfdHQ6IhB`F0M?%ngM7eIstjJ33ITIdr zQxEJ4xAzM4eXo?eDr@Kjn^2g$3oZ=muVV zm!)zaqdxE)g*r_vP>0vm7#pMR$VRO|j)!9yFl>}UJ?s+t|&+d3lo2Z7QqxdA;;f43@u zOjnAx=*<6T2HWTF*OW}e3XO8K@RUkGU=Qybs>IMS)#Ud6AL(%9IHcjGkMDpHa3lsTV*-cDt?2x?T<1#h2P zjgob>^P>vW5#_YT=_D*kIDkhIWqxzpBN+AJKLD8`6vX}L`a9+^q_R0nsrshRPdnb2 z&u`P3PwR-TPX{a#9n%A8rL9F z@2`Ms$Kqn4oKR0AO6@t_EHJn~+4wB4h9j7>9uu#MepwVpVd7;vbYw+mh|AIFrFHZ% zBw0vlMey6QR}$WJQl@uxw{)TOnws#A(A!;iZx&zkVlFaw14ldF;eG_c8!@}LPu4)$ z)#kJQWTjLf3QAy@EnV}U#b%ME7{F#@=x6TZY9_~51b(PkQrnPCg-_86GlAt&2xInr zUy)@eVKY?>sxrSg95~Bt9BTaOOjU+LEwIbCn^@uKwF2o4$yFp2)lC;R3}mL#z`OOR zts@5NcoGWFi`{=TTVm-7aG$!%-Pt#r2*u%FA7z0t4ISeX+qn6iF&5}^E#UPs7m83e z@}9$kU|pkbu|{v>VQ+-!zxW8PSB8B!qMe0iyhx6yR$r5WI@qoIEg^>*fu_La?Oe40 zv&l%oG4%ydD!#jT$9EH1zGwi8Lle9ak(gGwst>gw`K>RS{=FO=Z37}!6d|q-h`7U} z#N!TJlX1c0u_^dmATANC_*=hafZ0WR`!nK10Ol2pUPCMi-Z?nCO*_T+=g5g!ha84# z$&XJDm3>*CcI0fBRz#Z6J*qKHuu7qQ3x;dArQl3-M8AKKu2J1^albkpn(Bkk@XYK* z?aAnu68wQdz^_AARY*NaOreYcx3juHY6Im~mWCWC4>0*#8s?LM=7Dith;L4|Pkt)V zd7i*3RhW!%gR|%Y)M7dwt)wpTDG+CF(B7sd3u1Z?@{Ht$Fl1md%Ah{JCKO%F}^KZREHDeXL|x)j=bf5X(02ml@_B=J!u zNbx(>;aO*-cxU2YB6G0@M3g#xKevc0aVtcM;;JM>@;YHT{^6cX)ceJAJ@s{yq>o!J z4{~4c`*PwJ{A$tUc!V8F zCNCpoevHDHskYMhb6{aI_fg@b|hh_!q!acM9n?Ga8#H|5Nnd2uec@r2Hg7vib>W~$aW85RsrILTJDV0;r-Xcq)y{JW>(pRW3vo7B z2<{I|=w+wc)G=JiAmVnz|B1S8Us7epgT`wau| zfKc``@s zQsbZs;IwN)CiR`_FAo<`s;B!rZY|MTrbKJ}fIIK3h(&@w* zeaj$doftvRPC3X)J4gc_E(&RbyPDeV@!l}bS@2i>=cEotP>9!`W4eGBx5q%&V-!fF~W8RtU z@1~n(Di)Qa+sJfm#X}n?Z{O;HHw(81gKieiDFsb|*XNz0JgKSt@QtOsR=S zHr{cUr3tgCkJ!<$;2R>%7{ql)_P-8XJ+zn4qpUBZ+HuJY)ip(CdQt3g4Yd79 zG39#l*N&C47HUc;ZT`1$jz7ZX>}j3K66P~_KDH5NoG+7~Bdh>Hz^v`|$WKtI{J?up zVuols2NtgyL*W6ynS(9i^T4n^Nv34yMSA|as@Q3$rz}tR3m<(#f4=Gijrm#aH666$ ziwaZKj^#U`HvCt36!}xvbEJFOiSf7qvZc)3bQrV zRJd{&d9kt{p{n}HESwH*Jh}Lj_VtVPB9&S|IPM?TGf>pPj zgS>CG5T1*4T*nm%Qo<{H{ztn5)lW!<~U z+qAiK?z!z+Bxo&CCO;YMz~60YTP7B^(&}Wc?KoLyFXt`)V-De|)dSE2sK09=veR*y zMP}2ljGTcTIp0Gc@7EcW~`Se9K-G5B=>GCZDaI&=~B&8uElP6_Is>g@WX z6P~E8cfh=$CFcADy#Skpee=Z%Dd8&8&zUZZ&LbvPbcB1rVZpyqcur)w!S+^j&*<8c zN_(#^t_%S-no;JxyCUL3g4n#P>mZk$V~Qe`JR--p)9A~++H=VsN=Hm=|HLu= zl|mT}Z!`Vt#z*L&<*%<_wyi8PN_*RFh=Rq)=+m9WtGowUygIeQaCm~0N;fh?);>lZ zPVB&It=<&z4#EhsymQjW{_@2}>fS+*qkV?#cq#tojSf1+UEm$AZ@FD&d(j-7Q_&?)`{8U0N4F& zo7e=mNa|__Y5y03$Ue}>`sME4VNsO5>D(IWSJ@@>MkS{QMEUDgp9XWG0HYl%`4C4Z zB>zcdY{c)E8@#yq7c37xoE-NksVBgLB$Os_ zcM?NfsxaMg|4j|d?KBLxcnF28zH+AI%xpo(gLFOt{0VjL+$G#hGhy%D989i;M;YQm zS)!7YN?%Aq=d<N6%zs__z7sj?~9F#F)Ym6;t)p%FC$Q4hjXNge&tb&bodcS?m+MN_s znW(IdFB)2W#Y&4{d9?w@e@@LT5%k6>0Fv^fFPE0INQH1AiOcQ9H<(~MF~Ny5SiyZA zHfJr$W=(LnRtKpp7&6D6!fT8YwcjmAH)S@Bxx^#b(n`2yLk2Pkk78(00x{EAc9u`D zU0HB(Oh}uh)4LcgF4JZAv-0%`)>M+&FvTPmDm@MN}M$H z!lar0ez=(@o966icY_XCCkVmdomvtGp?gMp%pgV{s4z;$FWgcMB_vz8yeIoxd+(&El(3zz`Q0TpYT&%Cj;$IDsKV)U$xD_j!EQ!38UM><%in51@u<`%$ zVgk9C7QoC+uQrZ?H2Xhy%5wiBXa!bb z)J@}`IHK)jHeuUOnOs${<;twyCbx=a+ME*Y<(b~&CNE=(YiRKk?`$|5nx55q*^!B5 z++o4YkVfw!3|!BM7R#cUpB-0>do-C->il!7q>iTo9smxC>{l;f0VxIfO(XBLGC*wy z>G^gBp@ttl^3f$m;pK$I*-d~Y zf$zQa5f)7|`y}gOQt&XTzpu%hm6l4X4pH>O*8bFxwP}dlOx$N>PG$4106qu^$izGnQAyi z-_J{c7S$e**Mv0g=9NecOpcJ502%|$H&-$)7P8T8-Mx!@}Qas_t zEU zBf=^IQevbS8p>bK(de}QoIr@~0>bB9Ez}^b{vY$s@gP;;bbyoV<}9MzkzeFbZpx;| z&lK#ofMV?&?u!*qf#%3_Q zuU_3;lgiV+7)=+==jeAixS z3@xBC3o6R1O(aqW@#3Nt6f^Aj8LgrMyM@HbX&Ixc+EN_t49wD5&7@cL%&Mfxs*I8c zG9?+=qyZ90{b4{(RQlyu*`_G{E;}H;3!dzM{FSq3LAu=Phzpqv$~f31nR0%LnMeu6 z%1H#q>I!(z+_VLt>}*CS0_ib91=--r$b!ze^{U>oIWe8Y$4a(M`PB zZv{_YdOa0S0j)^OAP{W-ce58Iq({uNSckV`qF`!l;%jT{2(#;{nC%mB*Gze7M{I@g zM6Z2OEajB0LkrE~t0t|A?157bmso)K{)vSlHhy=Ts~0!3<-*@x6YD}jED zkFrSQf6Cg9HJhbkE;l8)lHh%RLhH>z_$Qvjw)ttHoIk{YL%`>&3!h#fe{bpYz`aOM z{xa{v)U!}XNevD;mi9Lklwx_qb!sVA|M=z$&(z`~< zyY=;R{nU3jSYE<7Ub5`+T4U2 z2d^elHfEV4RgtKnN@;c#Qhp7Kt~{o~yoThy2c(&9i?my0756wx%6t|AkhJ^klUzAVt%?U<3`_M6 zj#`8?lpJ7C*058YWn$IHq4O)+QT?Hd6BPwoTOl7*EDC>s)ZWp|I(y;Yb3zJ+>*Nob&9&o2rVqx-rQH_6G{G%=Yf|GCj3Yg>1D z_!iAccbd$M7kPD#+|xZqCVpS$yKW*@P$%S1kHl$^EJ4R%yEt_}J1v$>MH$vNjk#rN zyh}&Lv9d-=@MG`vVO;tZQt>xki_VVmaFhCFAyqrCL^3fjvmh@F5BI~9`?UzW8-pk- zD`?MSPxb|EFTylq@$L@mxxz;if6Ms$BWiygRVbMln^2G(+Yzbh?!J)<+zh?e-pi}gMvSX7KGxhVL*vz>n~6Rp zjB-iWRW62|E}SpDU&R@*yQ!dtd_3P$mBxRv&EF_*PAb!wx~^RMTZuW_j6_n>Zk(j& z$T4fu*dE*t*VeFfo4>7J`_$XYk^?ARptRT7;7*tnOXGN;hz&x+12;+5GcU929Xj)B zGB-r1%g^Dg6YJ&8RC7n|m5!^VRe0A{EKPIEJsbws!FG<>oB!x9k5bp>(ZVp{L5oFp zjZz#SkgYa!^EAPy6__CV)0^EUJ#m@t9$QIz(ppADyWJ&=0zjN z>uF6v7yFTmE#vdPoe_UDUNz9r2;JD7`e9s!#8~9Qm4WFX9g9F#7+BoyVDf3oHJyh8 zs2^7U!xJB;oI$lzqb;}5f)$zNNl>Z~vMbDc zVQyr3R8em|NM&qo0PMZ%dfPbCFxY=rSAoxYciZlQJcE+#I0^NmJ0`(G0Vvc7g(`~t2!=j9I9Wi- z2P?P?zT5V1I2;b2JbEPmKO7G8|35l>^5nb2M^A@G!>5N251)KDJUn{(`0;mOxOGfQ zelg>aemC5>ul(S?kRJ>~!Xd{bWTPGcka9eO9$&=M0VW4{3FnB7z^5Jn0Q5l!muLhG z&B%uU$VMaJ6Ymnyfq6Ob$nwDa;X@9SKSozaj|NAB#~GN@n60MdCJRzO90iag#*63$ z*h3*hBXAr+Z-M$pgJD^t@Uk$37sQK~C{!cYoyIg6fd%Ig8yy_@#ABJUWIo^d1qDm6 z`{Q50!@=QjFx=ZIgRwxta=;c6)&UMVB?mZU90tKb4*(Bx7?AnEgPaFQVCo@(IY#~n zM3C|j(b8rElFeTB;VbTNueFXJidUm?mc2}j`jAOCVVI6CYPzb|b}QGg&r{oEqM z2>)&%Tpjgb6j^_&h4fK`LLY@5Mr_pU1CNA0=CX-LLPi2KKp~t4$nOC?gZg<70E!~Q zFeh}C&YUNhQDOe=feZ(a!JiKY!|w~-g~;QCva%las|`9m931IxeZ)M9Bh{^01b`Xf z3j`>FL7(F#0w|p05P=z?U`c#LLja?Q4SLuU-_3A;)& zOV)1*amXPK5tS33U9!H|ZoM2a&avDOVpkG6PrH$g4vF^k&b7!^cB^ zI2)p;4`66FabAS4L`26`3^!U+}quv~ah(a!e z?atBg=uv<8ynpoM;^=5}_;B?2@!;9xN5jLTKMjvY!{N@?%dnFDe+7dWv0E_!YWM%) z0hG&mW4 zg9%e$WuKgY|0J;}ej&ha@oJ>LO89iN|`@An>nznxzE^6s|_@VDdl?~mVJ zoW48<@7{xxcW+;uUYx#rdk)^c0>^Lv6a0Gm_QgIxm@g0o=q929e?kEk(};YrqK147 z0)jfk-z-8No?#CJFr3G5j=-E;AsPzeh!9<3CKi(c82Y^jAiztkjosp)20ckRW;q2# zLmV=o7^Cd*3Q{a)QOxcPQ51T}2Qx~RK(I~u9TO8OpmMZ~q}>X9Or`u=4dnW~A{5MG zDhF#*H3@;VD)onA1Wb?Gx2;tG`A85(sg)^Z>Dcr=p2yfnnzfH5dIvp;#E(DzsKzQk zFvP+X23qujhl3}Bp;(AHMUW#3{`}`Z_a2C8Iw8v?2?0Y~;K?M&ejmKMLX=`3fk`6F zg$^)DCSxEi4AX1`c6KU1oW((q|JXb$0(gODFb+8QHJ&0GA~Ee=5Ho?aPlT~F=;^;- z$UjHswa|EBpnx2w>?VLy6fm(rpf9%x3<4WCnf?QLoDKAPq8qr30<;e%%hllW85=M} zudrv?Qjf zej=<^JP-R3@%th1(ZK`pUo{d!_Xa)j=ehnf9q;jMhC|F(+Zd_X*5H4U=`9X9#j204 zuvb2CsK?ZYq2Grg$9?l;Z_qRUOsC*N4Vn`$6#^+xdZ=L3_ic#<2jp^88cp$VZ_rEs zVk7Y3V^57M@q)aNu0Z9*OPIuj(S z_tA8JVMEp&Zy;X^S);o8C7z0@S15lt4g$cql%l#lOXqYEPX`(Y*>!p62OQ4Xo&+aI z_k-XnakwGSzJZ{it3mvqzUGMiKA0%mKK0y9L>mt0l7CwBA!qh14uUfhU~i=$ozB2S zO*x12i4gtYD}U_w`${tBkr?kjK(6Zv5 zQvd1q#XIv%3KT&e)&@y&(2b9Rv@|>%azq82*PYAf=Ar6UwiCSHa*!Jhx%6{j zw^VyQ1%&1UrO<+@P^p)QOO;mof<#M*ci z`6%QVDp{%+Lb7c!VwP&R9^>MWU8YBM=BiJt{K|){rOF9n^5+;BWEc-~QF?)la{&swcR+g@m4o!_)?h?t6)N;zYFh|GfDM=W#~t0^DS3>^|$>>B6NvXec4T4!|G$!SK#$39LGN9 zARzO(*dl5NnGqWeZXYaT#=!z!A)tN!fI$|>0m-MrRK0|=O9%qYI0_L3ERG^Vm69#n z#(W_NRlBPnsJ=42b0Q7X0eDNe5z7ejm`Zbqgux2HD~JQh%f;t3CtVo$@h{-&=;7eu zU^wVW;I9?zL?*tJ_zRWW$4ve+gTuar8&TrNT3b|8z`!*EES}F1U|`kx~(g8@Tk2)|}0TF}70u$IM? zK@KptmTQuo_BV(xh(D3+o)a(;9Zr-GQcAXFy9PMh*CseBzSAAE*joU|z(h+33C^?` zC7j$Ke;RT$M^xE-LaJbCNs1oAcsWH>Sm_a@9BU(zX#*RC=sH*lekWBqwQ8J1*psp_ z`CWPc=rd9*E_ZW4aO&V;6_&Uwgt-Bc9QyGxAzZr59i^@#zj@8QnJ}AC=&hs^Me41Q;4KSCeQVi(5cyNc zg(V^8!s`E;VlK6rq_x1|pD~Kj3t<`wdZbq{c*92E@o-o+5leW3m+=z7C5b~h^Gmc8 z+O(uiYg+VVsGg>BbOLV#y@f(K={hs|GepnD+YvY%K6>`}>60=fC`yj{zzhn5Pc!SX zZ4r>U-Wu8kVVfMvSB04DMe-@FbmhL497<~)KAuT$3|HhOS{vh^P(Y-oMSYa%iYeBj zaFDu|00sk&#Lk;Zj)R$$5xLIU0GumzRWVh?E`$`&D#1W#%`kl~U~8SoS6n&KeBEE* z7?s4@D$;wtS6Qqc;d-Svz0A)pRXCkXli)*%Du+K}jknFtPoh=SfZ|AMeZ& z-%&m`%N?vYK2chT=v(?dl`k~0CBzGs`EFmUupCTuZ^x>$f#Ps~;WS1QNoW%~g`SB) zQO~P&CSiLk?;yBFLD0Vp$#rPY6DMjuHMbS>bNWJ!;$6m3Bsr#5>eLE&G2>*ZrXYnV zz72_wj*}-N!P-bb=Bu0)DAu!QJiN&oov0Jy0tv&^H7;aPmbaV6Spv_4Y)9frcL(~= zS{s9cp7oQFJ@H~Ggq)X+mM|L09jw+bT^6;u%isAZ3dl-eSpHstmMo(%ZExg;^u<{9 zp}6Hl-@*hMpzY>Rjp!g9SYPqg11})4uepe{t2KN*x%#hB8DTfg5=X4`jWPUe!@!AA zo*$pT-k3cyE~HpVpDPt`iV`(hpCIZv zyIv5cJeu;@RchUS16fF#lLA4aff+!{h_B2XTF|TDC~AZOMbKXE@K2v+7e8~M_Jz;fl1XVTrS;V4xlu^nJCIB8OH z6e_a`a^upw7D}8%S35K`pdCvgltCOM2oT-L4aY(!4zmb_7EPJHG(9IFR?4?16=6d} z8SQyThaO9>bwBA^ZmxZ$$cb-+n!aNOx}&BvY5W^QbflxO6Ba0Ujd4n6P7LH59dc1J zR%?`Ht1C=8xRk-gwbQ6ATtdL?Fl=t9_ZfF^eT}=<@>EU@z%ePOXBk zEm%d}K7cch=(RTNbHOTkh!blLRe$pQI}b(m@zfu--{KY`N+S zQqii!#q0A*{UMbmqSe-fiA4-Nkh%l6+*n#+5IxQVGL>s9y(NL=+SHa0^cJa0Q?g_n zDo+{&C+fO@CpeH24;YY&P;mN*Xr}2|o*+)7x-v=6TPNwj6YS+h z1UZD{+d+vYpL!j|1ZL0_wz$GxP_`Vh2SZE2hG_ti_2Ktwcgqirhs+@LJuAf(q_~Rd zm>7zaE=4gvBU?Aa%(xr`?d8`okrhNb!&ZexoY;sP6pV0BN0<9f4@)jy{dCJAC^WQ( zHp^K_*0zi&>TBkNd~nKGY_O3G%J(H%ral-PCc%aiEL%&BBPCPyVe+cD`O~Wh3cWrh zg!k14HaEbbKhg-vM<*~898y0a6r3pWe472z9%CZY_`-~r2P#I4?dNz^7T1JN@qpRh zqQr^pYcjoFAnBtdRI+eOJ6n*zPaGd!x|Hc0DQ>_31QQPqJVAPwXf;qyn~C&0>}zd7 zn{nFz%#y>A1Q?Aj_fwrBfhYKa)i=08RQ*%BYePTf6e`@&fSYJf%~*9f77Rm4gpdGq z69w4AT;j;MR1PL3om=Sf1;W&BFC*F%ei@vE*{po*7TQeBNs66fK^2o@VIns~$vh;G z8s@`o9#XtY=R>NJ=2-iC22PH%W7D5|@MVrWDxki0AdJAHhtGz?bd7Rqxb%lvKD*@P z#1GX5W?=X9rNm}|pdTnFrt-UKWhy!KwBnWa44o>w#ShtA0c&Eu$&i;28v9B!VzJOAiRe=FK=&blW&FRn$Sa+J`E*STJkNu+p`a z+O=L<@oK37*=MOT5Hv`9JX(b!3}pp9NYLx}Yibf;D`ByE&*qt8 zB~Nr?iTdcz@ImN#u18RB5x*w%QuUemuJIM-tBq}@FoA9TQ%0P6RyV?gvRR})+tUX= z!k%Hqpiy0@36$;*MW--KML^npD!e35l#YKLdI+-qU03{Zvqr{YwF1rUA z8^w<6{BdAF6l|A9Gciy7VtEGOT^Ovu#7v@gS|n5HA*zg9J@e{>_<`~gX?LvhgaPPZ zi9O3umNjYbt~pnfN{~6UQRb;wXQfmn$B=pQg2h>t{($^zv7FLhq}u%r%F8e#a|j`L zoINzQulbU6K3t+;B{(IbSXz(^JQoxaKrX{v#KhoG^eBcHLGKcA5D=!l6=nv3Jf&6Y zl-Bt?$dvr0D1nBBFpVfC6myBKx;Ad0sMAg3PFGja0fpfl>DY|SQtDN-ZaPVBnUIQr zEqb)au1<3$;P(QqaUo|N`6_hQURxQ@qNu}B#||lI4#{-_7H>VuNmTl;@5gQJgrWiS)(Boym))ABxbT9 zlPT4UhNXbhaq7vV+)6OhPtvan>4c$n&5L#lWud3yFw4diMu`V6nNy*kpesb-T(O^s zq8Yxq(3hFS5?jRK!N7|H=_~hRssb%AKQW33KsU&Xd2&S|nFcKkQ$>B4e{h(8Ama~n zff$K<%DT*C9?3J{!JLqJfTSc32=x0?y@&d0)9x6pV<$PLQ_O0Lcs{HgUbB7~j4+t? zipQm9qF;n;U(ukwg%cSl?V`|AQ=M!%H9&p6G!tSEOq9I*U?_&EDfE>0H6ZiXqK}chikNCvp$}pvZ|?{K zVH|r5Orduvx=ZilKn~OJTJjlb0>l;W*63Y7n;r!r% z?4X}?AhjNey5LI*UB682@d=GCwWctZ4aXA11VofXh$>N3Tum)>Q-$sHg&jO+_KGrd z{gG6s`YI`kdZ?HFO@jNt+&7ivnwR6cojx*G4A6udpHZ?DmTb)W?;=E@Xh$gc9eV;Y ze1kZ}p7o9sz&r{gH33WYdeBR!u{451ePTjTN8sU52%R9kznD%elebZi^gTWbBeB%F z9}}~#F&=>5m^t}6WgL_58CYJtKDUp&pd>$Oj|c2T>P?EyRD)kcU)DBD8YL_XzQO?- zfdj<71JQL~`rr?w_d@)05GC#!@n?B!@!!6;fH<_8<4~URpz}){{Vwd$Rfa+?(W)HS zC0a=+`tA(z0YzG;NyD`hieUOSD3e#9XIS1i*3ETzv%01*UFnDsX`C71WEyCN%Y3Si z=(O+^eaWadhB(t=FzG|{8NoI6dF{j&)GN3Qw3?j6QR#=twP$tN`NF!KWpo>gba1dQ zI1h=W(+!1Jn3B-U!dY_1LGwxTap>!SUXO$f`{ov+8ky!T$QS0T3G*b0d{>Q%!NMBB zIuqDlu+4)o)sub#P{v-OB-@ga&;33)Ir}Z`w~5!@GLjF{TUK5ar!OSS^`h9anG+GQ zgqKKOlaQ(?;0ubNFQeo=LXk{~6_f@0=s{ryK1>5LPtng{E?yn*$m^?ccD84O(!rvT zk#IjnD0dV;$5$u>vsf@-LXCgtfd=!I2&ruhSY!F9miy9Z^O1a}a#2vkOt7~XQ$b_F zDr+^G<4(C;KV$w&JXJoNbbyr!wvs!f@&k78@bPdji>_uJ%GE5`=|5w91p^s=L%^ip zXUjVg9P0|7LfVNckV ztMuNEWGmR4NJ3W>M?oa7jSAkT%qipTQpd^qiq4Es-G{wLfEkhY56S_kiP2ESimP+i zGvcQ~#Ce;@IPs7$Ax*hQvn$v81|v<4r}Q$slUk_}@no+aVh;yuYu ztrfa$nDiTU;U?+&-mqzP6DY^2)x&~=lbL%%0r4(%N$FsMU;5bBuyjv zpIpH~0#SOADxvOMG@!xBevlZS{Voev%Rdb-J^y`!LwNyGf21z|Bo52m!ltL*r!zp7 zm~-u_1(PKXC+Uqnjf{5HF5!)Nx2v&2878hQ2&pJ2GTuvjYEa8cv@yMrQV?Zo*Wpkw z%ADRMomn^>DSluc*{9)e^nKBm)Ah0nX{}>9p*#^d7nMaIc9o5CMxix6mNYk%31P^c z{Ap#;rXVKtPBA#Si*50td(b>J;Y>0sm^xn7T+Pqir=6}0^Uf+s+FlpvDxwlCHB~6R z+QLW~qL#}S#+)pLt_Op_u*Io7V^JBQ4DXR33bFM`+=9VE2e5GEgpu8fM;Q^5n)pFr zk_{N0*I<*NnBHYcl`xq$fF>8fTnS01vWp-p)24+UQq~jOSN>mh15wR)Ko}F^TG&n_OSBj6Nvq^uB#o@J zc$V1N9MPpbt!S-ezg07XVL8u*8UbOY^X6dEI#_rd>Np+?v$ig70%4a!u7qv7xk z20wt|;HVMOK2WXy3~s=m!Qs!?fPOdt@2d0*uzS6LTrhCJmcmTXb4Jk;;*jknf?MZv zPg${=(SoX`A?H}4WcpJC0&*=g@xic4x7tnFjot&PtQCS7&(hn~N^QEvEDg%2`x@Tt zRWUiE=hXAGXH{HSso7%n3v4(w7!-#w6INL46x?yRGPh-?RW@*F&d(t*OZ}*6r~vlC!$QAfP2L&qQ&5Q#tDV0ukg3W5+LuI!ck@KndY~&m{Y>&inJ{yTYE7SF2uNIssQC zh}AVMAuI-kLt*JMnnY%9`0uiPCNf@_Rr_F~ksb)V&LCe*q?#TQfTR*GK$}c}ulT+PAO2CBYeDd&)HeyILae>D3F>xZqrjpUI$9xmf1h*a$=|vWz3U zfP@ki-hwa`g57y^B*^OcZ|D1faWP#~2y!Faeto$w-huxEyo*qH&Y^c{E*M(4=v6f| zTbh|tT@D~=tP}Ff7glfn%+XB|axT+ZYw-E}XQ^{4IYn1jlgvKxB+;1@0~NR`Ss|7g zI1E=vNk@NZj$&rI6$mH6T+KB%5b07RlWpFD9m3Rwf~k4oBik7ln4dCYz%V3^Uar4VE*C*h25( z1QBgx$~qecs!TY-5^x2!qbXTw{1Q5=Vuun)GOeQowO;0sAv7YL&Y&I5OPX>9vZaZOBMX?28A)uFw0F{)~Z1=jYphZMcNJwg-h*ONN zOnziJVnbYMTCVeln)Q{7hnD<*r@xc2@3$oZwk!i0q(Frn*s3Hb$b#)lgQ7ez2kz-L z|0KUoCcr@u65?Qz-6d(_K{qs-wy zOyXZtYEhVcc&B`a28*-geH{u#qO_>6nm+f;scjmaq!;36dGlKym8cLeq)*{;lZ0n- zESWrI#@CSwyCkN-#IRYnfY(i@%=Xe-8bn( zScwsjhTv!X(>VTL; ztrwuojZ&4N6#RpzAna^78UP6#^S2850*A?;#^L$+@aPTJPgQ@pPmT(o91f2j>2Gr3 zrA41Yrkp|#2%|3vux{fpk zSjIt8GiQmotQKK|oDAein0;|4aSJWrm1H3Q8w^*#N9yLZpUWIsBV%Vm?<&y+TOaGbA^%!l&vs_61d+GkI0pdcHIPec zC??81C9kbUluXsd=_N83YeR(m#*pdFiscA~5)kOKgNUgA^aDIY-pUJ*jKfp2&{yb5 zIWPT_adal0sL2u148!0B3gGG-c_j3c0M8l3K}^xbf+DscfjzT^%4aSYW>k{*nOhAiVFxAge4!)$B7Jip zjnYZtBc|j^d-6-;5t-GQiDZ!CLZ#D_F!bGNd1@`wOsV9&<~C0fX4Om2g5{mUBsV?u zC}GUnD*IOapz$^qPyanaDe}0v-YXB%(|`>V?U7s&5q;tiL;;jX!5$P+=RL}X;}v@` zX-#A#pHjrQAzd>MY9|)LDbgAkCc@G>{eNJ);C7b~3khaPg}wYF7}S=TpcS#;9M2a# zkO53lU=CZ4eSHxoSw6E~@-m3wl6W4POy3Xe(hszMM*Orw8I1!}TAM6U^Kz{G_Bc&L zc??CpyebSluP< zOtwU!2n%!FSgbli&@4j8ak3DWdromKnTGpUm2^mZ#f@|8BK+#<4B#3(oiq*pil-G_*QBpy-*@3E>B{JV5BQrkP2a^S){$yV|2vzo;0pzyblL5|rBE62mR+Vbc) zTwTLe(F-vGXVPhD#Fg!RkRF7bVJ0|xp-rm1ei(kte=+D4tvh8Mu%9W3Bf&G(SZN#{ zGnv0Rd8FGYMrz7Pz6;+I!rx#f(=`b2*heSOSec4Y{w518CHDi05oT#nLB*vI=5iyX z%B?D|!6o6|gYr8d;GW$A0k?1u1l-z9kXG1=^{`P@mqpjYGX<4HvJ7Sd`}S|Zf?K@< z3!HDku21S~Uy9XTq@ID)eN^pOLN}a36|nL~27rygr@m3Ilj1+J6-aZr%i+^F6n4Jg zJ07G$H)TdR*3P6+FOL)B*aDn}=)I7B2vuxIprTuhq+L+)Qs3uefGvq&Ow5CUO0;qv z0umvs)>+~(NIO^F4;GP-VN6sbs2O}*yy$_ANSXG=0>QIA5|?w|dBQdpsq7hnNHKQNo^_Y-v`MfU9HiQ}hL<}%IM??9nz z#x3YiKG+ACgBkR2fH~wz2|i29w`P|UVX5we1%d%ztn}%}by~PVW=7O??!-$)5=(Mr zjLrh70+3YlRzF!v`s!$KGy(dFRQe* zuQGP&nj|>cuz8)J5R%X-1sSE_%MrKtAHz-|xVH*{VvX`><5;DA8-bnCv*EMHCiGUP zva;SjA3i%WZ)qH+ys!__<8QSA1)ECjk4#!WW(*?fWP`FoXAO%&HxcqU@?V{gz|D+x zjB5+l%x7W;WdvHSm-0B&N!q#v|0WikA^rk#_yW^+*Md(haFkj7)6hjJaBak$qoOXvlIqWaG=}|eHcVIMExmbi@q1rp#P75j%3DC zZhh*J_g-&2-x`r z1pxtnBQ)^;$4=fhI89wFwhv_*v(=Q`D76sIM?j%o5`w9+aB(6NaVh6fT5=!_pEO(P zWa+;WU&ynw2Wlw&ejGA5L;dMW0O`-zD)f>=Mwu5yMH$U0^pdDN912^Dgucv%DR1ZM zcp{xTA9?adD@Es=L|{S4rOMj9z}^BxF=rrxlw&UrptaQnsqgAoqJw0)_f)Lo5{fkr zWyXu8Fg_*3pHzifhB%jX#jitQpjyCHMvX`X66Zru>m=!Dev~tibu{&lfM>zX5_7sUiYu?gS%EQ^G*$5|=CI115IAyfGQ9wC&ket<)ynTraB!@j_P%m7a*=x2e?nH?UO24}s0`AW@@<7u&G80kOLpv=BN zj~zS^|Ld!%p#3DbzH=w_ai5aQr$dvq&T9rb0?%dA{tQ!8d{ftKkj23T3+-jNs$r;Q zUz)4!Lh2lKP;9w zUlv}6qh%wh{iJ9{4rWa-`bDnDZyp~MW(6;XVJ12ne^W0=w}nY2tMKfD@FQi5JP&M{9bFHib?85BE(o}P{OXTSaw zi~V!*o++oh6gVm$JCP1Wpd;)O=CALziJ?l&3MOE~;!98eB%2SraLGKIe_DA?GAW2; zP2Dt4h$?oL%TaC>=o$1?rY1d_IA4WCnPDl6k>#k6 zog}`BB-;Zwhm}f0ou&t56CQ_X3^5s_D-?33qU!9b!ms2>rp$MrzlW@eqTLlgwJY@h zqzhWj$pJ&btiK?PBj3KAY}bH}L)2H7k4!937W?$xo(g(jg&qTMFV56%5^cSJc$bRo z^9hJgk|o%g!XSW*??{ghV5$QAzPdx4sshAEfW{#cq$((uMbJYj50DEWPblSVX_yKm zC&_v#C%@7wWm;*AxOHH;5~vy$R994`wuC%FeWR1cx>B)3Be~9*Zogy>G$yhbVSW+> zx0fkWOxFJ#;z^yIRPsCkHo$SDvZEYaL3$A2X_{_bo=lpV&2*UQf#E+;30QT1bLa49 z{8RezuBpY#G&?j^s{QgGW=rPsu#|F(eubm3H6MOjC&!=@N4A zX9e}g(VwrDKaT#a;r*yt$if5&(&$nv-r0M_h7l^uLW^#@3Vedc={pl&iu5(EbF!58 zCeng6LVMhqd(p@{>YH>Z{lh1t@M?*KRRyov2tOR$1dz_rNHb#<&UlT2V0;;p>u`)o zCSlV>CX1xr)Dfg`i8!KZenDOH&d#Knah{6l&fN?!H&!Lx>AHmWBOkNNaWd+{n~=zR zSgh~@(|_8}W{gw3w4ZoUZ2!rwVHC-WH}+FbVaOsVgvNLg&rt+(eR*OG@iOX}azm!H zo+Sr+4`kAK8QiG@JChK2t5luJHkd69-+N$}udObck=DT5VwK3$^OArUJT>_v&GY9k zaR`pjPSeVQyYj{)3DuQrdB~UxzK;myX~Ni~Hm4wwwB(yEOsN$VG1R0loy~|)J_665 zJbIKuPYSc)ka3#MhTMvv?__sqy_EH>`Owb}9_Z3{vSvy|2`3&2Oo&Gmo#`i|5{&XC z8B;0&Ri%mFTAFq8xtV9<70T6)x8@~{53#7wjxbM3ZY9YJ#iGdNlS)CpE083i&xU&D zmo{6)F9Yg(R;cP{Lw_yviG&(X?jD0tt(lmXgof;jdArw18HELsD*zlC5TG)!vl5WDv>1m{vYV_2U6cSGRf%RDthNGQY`-bUDQ6 znSF}>@UVRQT)aL{E_LlDrUjlE(#e*RQn_j^G_4AWD)$O0jd2%HOf@ReE_I$(1{B*{ z;>0T5D>WLiGy>+X6iPCF8Nf_4X-i58FXOM~GWtQK?w5s;5w((vtLfDHD|0Y7(u~JcHrYcTaYL#UwvrE(^e|-a^)VC|=_(X1r<5*}(8GG$lIJ<-yJ}U|9QarBW zt_fo`<)c%Un&F_s=MOamKTYGY!ywaj24O7JOs?798^jkxCq%sMB`;fnnwcuH(E@XH zV_*q2<#<(b3NzFA$O2bVl`zv+B`c6inpWR6WwR=HL+#!kK0n$T6R9GOIs#E%g0mA# zH;_96GZ4ze*QS?XrKO@UnC1SXk-h=1CimgPLoLqk8ObTXoVP$rsQHNuvbVM^ZF?;D7HO^b0KB}3 z5an7Ek!30=5}LD5;hco*e@Nq13Pr2vg*NUPxPlauIJIKZ3VgO-NvT>(xROptY2QCc zlPd^i2->*{bSTq6UG3FAeuiw5d8rF#0!EeyP|PlsmHnHt4eZ98=sUdl50v2h-a4j9 z9WmOw4=GZ01qA`?f==?7g(WgSSFK3~1cU_OWduEL0&}xY9%1LA1-!z98qL)jv$|N# z^m%}qzF$zV6gIy0@KJrhs@y{Y!KplwRN3y6G-EN1h$;bT`d2e3AF5si{-^57{CnRC-TSnAtZTSs~U{Jlc$HnXV0EIsvX&r zN1tV2OL#MG99(@PD<@^u;2s|yeU{NlrE;9w!($3L8p}{NJ+zt@GLy$JVMQN)((b#E z_-Jn}u9(AE`Q{2qf(3kw6P-}V79b!bQZab?&9RQiBl-K79+7p)Ile+N;)($i8!6B8 zJPA&h^Clqz3la<2FQqr;Of~3p3T5R^v1PHR?}n!J7cZ3WNFWeVb#j?@Bh&oP_3#rZGW4hQ~-`MQ3TwmEV}gGJEWsn*rc0kauZ{aHZ!yP_AG$(e)4Dof#tv zV8jpu42SxhQ6AYz=t=7fbDEjUt&0P+pB!|_0_XeE&ml8ED#4PKD?+2vPb9qbPc3YW zx|8WzYb;`qDMuYnZ&Ce!|Ih!cYVC~EvKKfltY+?#W`=K4-f{vS>qqZjz8ba4xn3mG z2XfBFVnxO&P39ktz~i1y&t~>E%lRO*!>SE7VkY{T#pyGdCh{P0V~h>_v4U@DR^Wk^ zO;qg;b(dBsj3zQd)qYdMPQTMrIZ7r{)wN*B1G{MeS72AxxC;WTLm>CGzf!+l9TQ-gn%w1t>cb$x>OY$1$GXPo(_hC z;oxxe{K=z7JLR^1@h7h&P*Yi3o?Mfe0xDx%5FJUZb8#kV*JBvrF%Q^C&8)D`moQv8 zb$#*ryrfEs>Rg^-)nG8-flhdwoTiMGy8uRb1l|hcx!nYinH3@t#nS+@1xjMtb)-?g zOG^ej_bXFkbJ-2dPrkfIB)gV}53BGG2NYz<|F_M=^$T&4- zT>&Opb9Dmc*gHsXr%T#5QFu0F23erbrktT>AfF$fzs{XiNqSO?YK2|MUM*U&_s;P7 zk<;F(*f%Q23!OnvMqDeJwXhItZX*1%XsA8ZVnsC?<$EaY&8)NREl;gGLpko@=-Kd@ z!?-QN)g#N(Z%Hq$nM2i>&JwTyMyd#n*a?P5SgR;QJsg(t0XRJ?Zb5l(`Rqh9pIkrL z(QLR%xn5WtAsRDzhqf&tWR8{+K!S175H1nx^|&btls!WJuKRrvzvP;O(hLU5nKt+b zBjMKi5Q^uMM~~$Hhr?m^|Bs(OJ$yL)?(osm;nDEv;lslx-wh8RJ$ich9T;v6gPLE= zIHcbVH|{GxxG&`QuO0w9|AGCTkqXjaql1Gv=8JfmNzd1pw_p}1SoXaIq?{e-|K;ds zXJ5ioRAj>x1l8BXMdsj?>2o; zO)FPuvZaiBet8p7Wu7**Zyd-vNa*&LD8Gc2P5CMkGqA(BSf-uEPyW5%+`UO~`8jdW zJJt~c*OgckVJDO=xR6q~a+rsP7LA=I9jb%7`W_pgxg%c-NNuB67zKW}gSs8m3gvHS z2UWhS>B14!N(eiu8ce;oG=1o-t(BdWKCkH70rAo=o946Rqf&jtfC=LuD1nlD^08Ob z$BwzvwZ5{{z{z&(>M$3GR&L4~t*dG#fZImzbf(;|gkVno4w317X zP}>ctS#-*6`C69hciWNa#k;e%+wE2~q;_*$zqYQrL33XY>b0EoU(srt8g`orzAIBg z7ohw`hAYqcBj}+{j@C8rnlRh1T&P&(t(ynxj(>OR>B_v`%Coxi#s);3Oj9QBuVb(dQatqwZGXAyHPj9#aG;5>OQgQ_K# znlZJq<-eF=wX@kf*_8WrvZ<3z^{_hGR0-*`$R5R7gWOT&I>j~pgS+9!2Mf4FZh-YqPuhVPL39vcXG7ui%yP~cizd- zEbiaB9PQ5CH^RR=cX#>nUN}g)bN8y2-PwkL*_~~ygK~Ga0lKq|wc&T??q9*Mx^wqT z(@r*ZvZ<3zb&bDt+0>o8cjxZ;w~puTyo@S` zr+79)^c??z@~8Qgo&h@|Kqs}W`gTf4fM8hr?aM0^@{3he*di5{bHTu_-a8FcSe>q* zgi>;i3s_WBhrRY6%V*+7)tEn{IP`D?3*7hHn~Dn(Vei|W29tHaYGdWm&qV1!%B5f~ zOrO)1{%4G0^nyYhn(7m8HUN}iF=vRLFCeXC7q#FhiUOTq{uL~-9bAc{*5kSLHEqeo z`ND;J%NqVIg0H58aK^ zxc~U@=u`UF(c>q3|FKgmqN~(}5*aOZt15ifffqr>u1SG9H-gEKM-l%Ot=^+q<=i!E z&kaVUleSf*Rn<)6#;}R5FYf}spetlLXszs3DTy2AEXo}Zlb6aO*5HseAXilgaLYx8ZzII8TSfm5~XrPYT1DorqR##bQfWP97P zeNF4Fv=b%CdpXFpI)W||^nxrQw$B?&mpl20ESDrKICh#{I2A*2M^t{3aR6FhE4#rl*Ug7tshp`1dR6F-K z9MP-;vU28iMbdBh91?~h;jr}R$SK&PW}NLerJwh3)b_BoLupMgFN#x8w|&<316NMb zZ8)WD_XkBYd~<=8Q2+~a&S{nzqF1<3`|#_UB}QWEq4zMHf5Tisf16!p+tdDsJD z-_lQSiI0TJlk>4xlT?A9m+O_e^>kAjXM|=bw4BV6)|UE5v0wUOnRgX0;XKngSEBWI z84d|zri#7$Xof>ok=-L9hd9i=Q+Os(*DV@%+#RQ5b!^*7cWkp`+w9o3ZS#$7+iz^! z$-DFY|9SS=`<#n?yKm}Z)mpR0MLjiY%{9lEqUe9HcQ4S(g6rj*=m|0=jEc^~cZoPj z!5`rzxExxvX@C5;z%&}0leFtnQxGf;ifN=;+oUQcz_P_4XEUEhR3K|=6V*o?MI`Ud z!!+g|u0L}IwbGOkIdHRM@4rO(RD~H-?KBmabMLfCQ9J_ks>@Zghm18jYtPxVLSn!3F=Lhu@YI!vDv?wCAsxOC5oXt*J{4k8b#zzh%e^ zoap)U^ez3NV-4Tu)o#W2^XAI;$#>=LZR=Z;@71UC!WQu3Y{cVH;{6En9Av)%s`(uL z-v8-%XS=E`XlK*?)W5l@cktVHt!e9B0(^`&-Ws$w?`xYjo){n0*{)ef*qUu>|AR7# z*RU0H@ONHO=-xHLJKR;7VXj|HPRfFKDIK}3t6uJ}iQf8DRbW{O6(vcYnBHv!e^O@vJEc+FnXRNENA`iJAwL6-Yjc~-6|F+!wq9&yxc6eHkfH=WuL(0mk%T~!tba$a za5Ss~gG6MeG(%KgE0DF+cdwOQl~Rj^87{`N7E`gHj~{x)RpJyio19N_UE<5RLv7GF zYdYt5JSNSDMVdJMP0Z&*sqM6+w>xrWyv=pCMYHelO#>KhYt&>7ho-sm9%hAaHK%0w z5=NVC3?$N)=&AwcTj#jgi!iL!2)fOn3BVDKA;6~9H{{=_A|4JLlTd!17->8*vHsMI zcAp{31&@WrB4}A$hRxQ})8VqHJj5bv2)f?$+M$St#hh3rFkX$&vY-Bn9J@`}+uXHL zr@EMRQ@&I|Y6*U$Mol2yRr05_8k-^CanxyG2F^|~KW7@@<*9$e+5lUS>J^~(D68pENQ+7@mXBmFf z+Q@xRpmU7s3!Be^Med$#w$D zV=yD83bWqvWeK7N;g;&cBulC*%di#o&yo5i-Z;F;5&SvcI6fOt&7$0Woh#XP7;R># z&I`^o<@!t13YDT4)zI%9>AV1#Ea<9@p|-b!gE+}te_-S}ayj~(=zCV&$jNf_%<}0< zTy(~a+p2Y39|=G;SD^_T7d5JZu%`%Vf%3iL+hsPFE9x&@)9Ts>$2HX39+$#T){E`$ zaCCBwzT7>siM~w#NNBXT59YX}xI25_`E~5{c|AqA`O@D&$K&g!F+UaH4&qDA66h!( zFQMo0eNMUhe&sd$1w+s2sOmp3I+C&&JpLaTa$B_wZ38DAt$JzVy0|qC6nbZWU2dE9 zdNi>0;J;n&pK*V9QB|yuE{osW9FZi9rGj)RCc2-#wE&ZfFC`OzjXWoGZ_aAz@Yn66 z+9Akow5n8*mv(H{tN7K)Y!}h}mmqs}*OoPf1f>+<&Z$e~*`-4)bh{%qhu{_7kOu*G ziU9%{cgW4f!(CD3C4P7#!_r@Ed#=(K@)_04iB7zF3};+r54UkrIweaD---;eMf$Ui zzxE6vMpXVdWm*3wjtnXa2Xu9SQ4@LvG>Kc-s~*syioyaqA~-&MJCRV?QH+VfUD5b+pKgGj>px#l$LeGcx{!>y9Z1~TP;k12?}1>GG} zc1I@7n<@2@i_Q9b?YM#QOG$7ZDq!a+=}5F%P&O5LLbxcZ>eu_w?AMU7dxJA`ZI-UX$gMgqXRK@3;6$1l5I)(2qOv|lw^x&E_nQV-ME0u0ozxE}+{VHp1edoTL4q;i4!n>69v;Cto5PPl;(jf|PGiY{$6YGSepmR@JgSB8Xb1^%U3b*hm-8WAU6MzU3## z9%Q+`8URQEesTa(4$*Cb^AXQH2JU>Xnrf{i-p=pC7$`S9dWJsafx&Io(26j1iJVn{ zMR0X3Dd;o1HD@DIGX}!mSK3Z!B|SOS&7U?^2juE6WHH(}7 zZTiI8Sp3^KtQpVWwcvLMPpNqMWM}Jtw49OtX6-}>@WG!%X=UurU$j;y1K9Ukuao~Y z0kW1lT4M^;oaeS3Hpm`U$Z@A_jlLHq$R4^fgEq(Bzr;%g{?Q4cP)1#^i*cg>y!nr7 zPG^cly<4~gZ##yjJCIXJ0#M`6WyB?IVaMH@5BI9D>AI+1yNXJ$f?69^ep}I9ue)AT zy8d!6JE~^Cy4IU!*YQsCQ<;-PV?seI12>oEraQ&&h8Ev5hsGeiy$DQd>vt@=>#K>k zVAYJ_sz5x~I+{@{r#c!S*V0FS70+-zcPraq9nWw%sEcR#)IhCm1w-wh&UyHQ4#l0; z-qNU7#s5T4?@|<@Lv_DASZzeq#sz3wNn!&FxSW`Tc5yvi%4!96Qf*|lay@`HY$BZ`BB+D zOJdIp&e*f)K)2vHU1%Ic)LGl zsb#$x-i;_b*77^dwMt$bu_TjE&rN@CWBi)Dv3(72K2Li*Sm!uF-q<5O#=LhaaciPo z(dn6NwR82~sQRe_upi>-r@X!jb@&_T`#VvE&{o;U9V?K;bQe)IIbf6DK@UAoe&EZK z=l&EKjy&!TgU!}LpbH`W<_5#$qTeQ6Ni*eREvT=Nr;qMabFjbCPrLZXXD#S`FUJM+ z`Q-P$yxAT676RJT@o9U%Kb)V=q36%?e#P+h2oU&)6wuk0Gj+SF8AN@F!mlR8+3!*j zG9H>%ETyBIwCaxLO6ql~{HOa|J>ScXUx`m$Rl1zFNax;+tI0Va+;n_{JUx+)WPv^; z^=-CIB#y9mCM3#VRMq3`Owu;GYVSX%=BFi9@^k{<%7Q|gT{evl{!FM*knJB25#Lt; zB}fq=9K6MEFpy{PI*kYr^<`j{28r+iZY(<avibS%5gA6(21;MPla1y8l_2K%r)+#5cXou-7Eq=vXsgZ2~55-MNm5!uIZ#wcG6e#dE;Y*7PoXCkNkfNgI$V+tHjGX`rW*yCBRm5QDJ_ymBKttR#abhgOBgLx$ zrWNfw3__nS3e*) zWfPsifKK-N^0h7J7$m8et+xaJ@Z(B2OCND*<*km+hLU;Od%VkBhJq!a;JO^A6X&Q` z4c|k>pU!1 zyTS6%y!gyaH{nIQtn=JSlZDwid&8!tEY=m~45a>5O?!+z+2k;m{u*Pq$>w3zSNoa! z=DC=FkL}IrwGKeEs~TEd0n)at=*9iV8(_+n2V{>9Z5Aes3_1E>!Ep;*XtHsPYUgj+ zn3U6m955FHXc{+IWT{T%1=)PROu-6M&xdMM^RJTRGJf|e9Ls)0S4 zCZDPvE*$&7$tTT+vY@ih)&t$qdBxDEnRMHkh4k4+=zkmI{=^N3I+M;;(g#1Z zQVMjkuA=@grzPg5+Iq|LA!>`IPCjO(W1aZbb2i;w;h!mzpg1J3AUhm%cyY2VOowRG zuFf6wF2tH!!j$$u@Hc{sxSbkxWi>4awM}D=9}6k|8;IvLlI4(ocxRFBWSKiJxY!@z zs#mjCTAyTCS+z**7KzZV%eY|+!A@6ob(=d!yTdGz5WW!=$X`^MU%9rd;r~`VPCRS} z^RhdR6;o`rQ$fcdrT8(MXLN|EHZ-i3+N$0=xvIZdGk6l!5BJS(Hd@Dk#HI*B`=qql zo?IonL)KTLJv*4U`#oytD<5`6mThROmpx!K3XFWvbC#JT)b=Tkqf15 z-LbULk?iW_8lwwlQ&hd~HY8PJJ=wEH7BOb8F(oz9=j?d~64KPfExYlJmrMG_h#1QE z;y0GU>g1qMwDlgq)T^2wD9+ePd=!yqu8(_PmKU2AcF+11T#t1UIKJ35lqXlc zO2-0tiSI=V_d<6-47j`PUkkUjwd{=GY`R6-!qN3matm$ZmH zt1Qjo%~~dcYa{0cvSy~7E8tSwIp$#FG^(Lp67B{guDQXmM+2(S1;R=Uw$k{}w#d{~ zWE1FBqmrYUdYYqknZ!%ieKQYL#bqvD_0w7pY^0MGo7u8>tMq(JyL?2)xb`X_5$JHN zl6&m*dl1SOqk4P+D1QSHDitIjWkbluVw- zy1d=~b%?upP&RLYbNRmbzp$?ZOWidsgE~k17}+zl0T2S116^)(L5~O6EK&Dmnc*WS z*9{m+P!};$+N)|kEiKaOpa+};Z7@vy-$TEb^2a&^dLrR{=ld$N6XH~yBD)290|<)H zBm!}R;7K03s1xNp3k>{ilN0D3^k@z>%$3c$Sr11`1g`C2boMGLQ`K05RlJ&k$y)q$ z_?l7V4Hdpe?2!jcv?ZI?qSZg5C|mmw6YTJt0PzMDe1#TSm8KVb*;0*Utc1Apf_Q7c zI-(=B`^p>D&NQtvL<5v_RyXFd%mG9>@g+9mH>kGlfr}hG?NO)VAFW}zcf4;afB01L z4J(_^IEglkuy=;o^IJ1or&Q_p@J838HxcVCuS~+R^VN=JIHp}&YXIKiY2o9K4r>Zk z=xaI(g@8G7=%O9zxd=%e#aKkTL+odWglB6b(!|V$=GsoYrQMY~2i<9gez#jnYKfa; zlT{nm5{wLyyo4)bTypHa|F{n_?l()0Dt0UzJbl#w!*6%gnq^SD=(y%=*xSrGNlJ?~ z&r!?d_=R6BCZ`X5;x%#O>hxu73A;ht6D8sh{aQrCP6C+dSq~B(rOmQe z3F;Ql$TtUO!RRrE1gn&OTXMZRHOu-XWr+l5z zh+{}Wi!bacw_5pV!OsXII|$NSItU~h+j9Yj(+w?K3(VU3qH(@ca6yhv5S`F#ZVFv_ zaQpV^JN2){rskv)_}et@`)=Z+jY%%d0i2;!ZR+v^m}I4V)pp@1DBO_2y$I+%i(I#V zj+Z4_C{j`KQ=ctGv_wMaaK&_o4o#~uPof(2-7mQ_;0oa>SgW_xl-oXe9|+lhMn3cI zx4?^5sp7Ecre}5GgUYM!)?^D9VmwAU;>T zR8B(b#A}Fplq7r7)}gG6AqnRl`PG*>WVV&$b1rD;TM;(|!0gk`(#yj~a2YR<&l1Sv zvK1EV3Ot=>E|H(EVIX%@+FW1UJh8Ycoo-v>(YeT~ew4j+Og$`&p}%SunyM?hBf^WgSqp)R{NLV9=IDF`f{DG{yP*z zNkyj;NKDPsRH^4{q*({Be>`cl^y>t)D!U_XaT3dE$(~(;w2xb_9COr>g@T`Np|Xxpm7nCUR_B0AmP2TR`oQ&(|fmrahq6K){t7 zl!euHC+v%%d#t&2+hYqp<-V8#Ta&7hl;ZreO$Nv}}Jd$qY-);Sxxr+HNSa6T6Vt(nK<1K>%qM8}1P=9XL3$yE2s3syIIit>@( zdpPEuY}N38jqrdBP{fb)Iv75yrn=RSk7SR!?-*P@2Wz&vS1O+8=x9Sl#`a1h9^P>b zskri`@FXEWP2u^RR9OgZz>_nfLX(%BHad1qNYOTh8q%<>ir(_mNE5GS+IXWZA!Raq zv_dkgh1sl++DaAt$KOi3$M^g_;--_Ht54kx*(f^ps4I%`#@)$io6%62Wr^v_%H6Tr z_2F!%7-k>nXg$3BvhnVll|4HJcWj9R@EU$rmzG%^_EhgWUjE13^}p0kizQh5bUTL{ z5@Lj|w6;NlDV)5E5uR>(r5w>-BePs3u?6lGZE_fGzAk>72}C_R?;NY+C9XRN=tR2B ztPkKDmZ4g3HJzd72Oedmo;n(ut>WX+>`qQkF@S%|dkV!`lYR{r1u0D& zUOA~y3n%^^QW#O;eZ{=W@PacAC^v*z(+O+2ItUSN5xuJZ(OKLg|6W#i*Z1X?_nRv6 zG$3+qZ%qTDd;Gz-Q+q9IW|}mqM9aSehbiw#{b|1IHE)b_k~G#;u&>i? zEfX?{86JN-r-w;)aT)JVAKLuYHW=qNqm^3+5ZpXa&y}d5K7+I}ZG>JRNKForbD|ek9WgHHg z5!w5-%Y1o-ws$_i5fN@nJuy!g8xxZjE4p|3&U!XzW#Xx@Ya=}yZ+9cm0tB0Fn<`JN zx_ETS*qiOzzCrg$F=EG6gGsdtu%-JOY8rZDj|UC)YMAwVyP2o+rzaU=97SRg(<8Ld z?yt6SUE2nVa9&go&K~(Fxrm%~d;+n%(|_%BcE~D_CoWAK!G}`l4z0@RLh45mQ=IIP zrxgru%_zsg`#xG-TeVZp0fj@l0L3TsA{-5|3>}>vR$DwZf~oic;%+-GLwJc${xlnb zJmUd12F8!Xryc;m6E%$9g8RK6T1EK-FhJGkVhB7Dne<5~1L%osqEO^ZxN+5LcKgOd ztUN|y*}-qwTj3hp-V2mZDRoH?ko@kB@-pcZqYM4Y*7cbP`9R%fy%Q-wBf_)V?a##qC*_qnb1PrVEZ^~Am%D9QsJl&h%H`z($e0vI(YPo0SOAA{Cz3P9-OwhofCE}*g;Q)DRkG#4-u2VoQRt4# z19Vr%1MR#=DKRLcPT(#oVcN-IB|`E$rvI<*75&ahh&vCiN*duYv|)3m*c$rkmX!V? z_UAOx;iK~ht2RxvUofeQ@Eok_; z;B&YZO0RlYv`0rO?#)*Uo{STO2hPkMb&C0d}5e%q$Rk+K762byA* zggHBFAPEVr?)^@<;&5Xhk*5LJVI7Vf47F*oaa>j=w9LxdnW4HHQ?qkZb)R@~zNiov z%O%bv`fJ$gy6&*oUfP_2(Bv?xqfFj-Y(bGBbtRYb%*Ha3vV~byQrp%(SB242Zg{)& z&*DlHuq>5zDa6t07hzX%#m|waUV)>A=FOFMWD}+tB`Lw<$+D1p%OvG%PdVcAn2X6`CW#?bY)zY2b4G2pk;01Ml8h zKQ;W{TPNV~`#b}83QGD5cINv-Lgcz|3HUwkpO1MMH!vZbyHoA|bmQ7=sQK9Gja=!0 zxS#W$a6BoEM!sc&bqQ{B`foz`IWq4p$C6x!59BfY`nAHx@7wfkcjh;G><@6^-gx-430UYdDfn$W z@ngk2!C5>-!Vt&pI5V*uuU_z0WEA87IMZVpfF0E!Vj}*@trw8(@r_qEv_(>m@g+PK zUEVfhJiiEs;dx!0+5|z-pa%TX_KUUq!D7@a#z7Fy*+YCi!VJ%d$Y%tTC`bsl+WJqh z`0KDlkPA%Eq{jk==n9UYeVZ2tA5U9P?|bfmgWy*|CF1G!!^!A4;E3T3Vt&*1?>}tF zVC#Sr_?|x|n5i(ZP}iEY3ED`l1DsIH=#F?(PvG;G8x6}OSwsQoCTWAOpjFSOE_Mea z@cXL_xx9HpSvz+2m3^j!hRhG9zzMtHAN1r6?XJw0qJT(Ga{zZd;$OI}kI#Fnhjwc~ z6bq#3G*sK7qDq-Eb<(My2$;zBIa1F~54gZ367sj{ocE9G^P}&C(>+^HvT{$+)5zap zw)?48Kz8qs*XP&$H(*|F-yWkua6VkTK5uwLIZ-I!$5Nu4=c!;h3CQk1igcCx?M$ra zEmq-bfm@v)J=YHK3@9xF%b|8zP@RaG4X&58ixhmVH;{E3jSYXZqQ#H*OOMbA+|OXm1nIY1 z>sq{!;=tN3M(8yM^W&oq6pI@~>kBHpXUpUhXNZI2JQ|FaLgR;u?Z-xcz+K$R{A{D8 zAwdv`jBpxAy$IU;)Q!$OaBBv~YS!)<>K@#t=7uM>^xNb+!^rEPsb-wiVk5Jc*3+(M zq0L>2qKEZYJ7l15nD0K4+oT$jCTgAwJM%?AJLl!~7R$1KABU}K8gxEw1g zCa{ffo{ZWd#LhoEAo<%*^nnDY^ZI`-zo@JRm=s1Leqg+)EN@^mu45D`jFTG}J!7J< zjujwWDQFZx-(n^iFyG8)5^5&aq3r$3pVn7W5Oy)A&s-ZzOeF;kWQNci=_{%HRFrR` zYc0lnHj-TR6s6z$0Us6Ng3C4%mafW=JpB%rk0?t*F{x#}eccf7nNP=DSVt8_*eE4# zg-b2oRUJs?Ix+)9#L9bcaKuJx50rb2h6dNakbKg6r(uBk^btXg8xxi>RFkCOBj}3KzOor zum{-Fpv@>hHQzVFfn`>4`USEco~PspbGa;c+rP!I=ju)6yLBCfYCE`3Sr7Zu1B*AT zi+OX$8}F!k{ksd{rzQ+=d?`&4XG}GDBUi1idJd}5i!R=aCba!trG-##yq|XP*WI9I z&9H{M5Fg8>I1?!kgG<-eCIOFR)*Rhh$M^@|@6)pA2nsYj{uLZ=v!BG_>_WjlLICGx zn{O~Fsn1rt_WvAfK`ymNrNk^rjW>YS4G znAG&2l-|_k{Ogt1*v3s?M3_sCVeQ}xI%X8r0uBN8Ov8djz#<6&KVjj0t-V;}R z&#--h60WHjG7xae(|C#HD_L%2}CQWn+$m)P=eUx=1M-`2g+8 zRvIY?Jr^G|x``K=6QwDb3rg8z8~INGj|&%$QbRh7{)NmZbkn93Hka8Rsh@Ub0eolt zWY%}T^_cpkvL~PGu3_E zp03O^PPFjh9w`}*B&By#XwN)@sfFL9tW4HAh#wmy(f*7L_=Jl))5p+o)U^Q8qTidQ zfmD0{5}5QTpkkZ-4>v^w(gl{s-ph*P`;%Bg#+iOE)dtYd8~jxK*-{=9Y}_BI)=;l9 zCXxYcXmW704#j}dNnWk7Z%F0uFfYRn<+KttdxDRy&gJ@7Ig=#eJ(9s9>ew|w5KV?N zS|oo-8BkL{C6k;J$rXa(CUD~Dji9$WY%dgxa$hAgta+)w$3kQl2n(;X?-xOZmc2SB zzC$HWw;GMb`&eW}lqz>BLo_H5KZmYDDKGSKv%k?jtY4<08u@)8E4KW@kUE7M5 zxQ67qwK_uE*!0)YPS8)0K2;Y`!^iF7xbER+$$5iD$$G1$m9fF0_>&x_w5gY7s{qp#IAAc;c;09pk6So>-V&=IYd9d(Y9)@yvz| zq$a8b(;n_vnH2b`RplA+u}W@13FoTueOIX<8T?_>V42oUdJOhnohHtdsBRq-zJ{}W z<>~(75c$TKf_2SeYpNn2VOrC~pHM11ALTS>%1(FG9!H9n-gpJ^h=_Q`2H4DaFPE`I zab^nS2iddclKHCp><2MDXClj!h~v*##^mvm6=rC)S+AMm~s}vx{Hhv{dFo$RpHqr!`pM18Qo)Gi6-U2 zq_fPri;lECv&V+k5EbITW!IUnjfE>^4pcMkzrzp9>!uSnZ z_#tu;rOFr2IeU3_h|wP^N8;bTAT0d;6bM)<%r*`*-Vw~N;P#F`rZ$;A)vZG9Mz(AI z;Ru+x5E`SOpQ2{k6=<4d^E`(Y8Vml&+L^Lz=cW*!ic=Ty|ZmrdmCMlw+{^7iv6JNBiq(Mv0(+I~OM^CQSsj3Ra6 zlv`*>-0&=yCXK&Z3fdswwkm~%-(L2nl~ zVp^omPaghq`~1}_r3snu|hPD*WlC|B=VgLHy^ zO=m*?p~>l>$Yf%#_hp(#TzVN67s~^QYq7&nb!r*SI`uDCqEoVFS_L1jisaSTyI(X+ z+SK9Dl(sl*mc~ILanmm)3i`$Q zULj#ORcE>mVJkd2@-Df^0>Tzc0E0gq;MgzGnb_dPueidDA?&HH!~j-nzpP!?=xVx4eBv{3;Dy*w3e{hE9FqeJm0spAM4{k7;Q zhE(HQ|3X`Z0dqmB@9{bz!s!{#S-^b8zn(&@!Sy9BsxEL2Mn=n_<3$r3O=L2t`I5#_ zKyg^bF$xN~l!adoQeaa}H_4;)a67y86;=nlW0lT>J6eevb5_?#p)^JP5h&-{EKL(+ z4>hS;KEdEl;px!vlNd&Oj(A#GE^8WAt_`i&4;47>pYVf1{|ZHRe={%sh|j#PIU}c+c%lXPciwdU9V&Wa@S z4gVs|D`YFs*h?sU^#Fo)dUjX@U`J%lLybHnGK%==M48h^jGI>pm8sEmCTnF%*PO;t z4f(3=X-vOI*Pw*Kc0HEG7>A9n$=a5L?o!#KTzm$ugjkBoItdt@V9=P0`lh1ovJ0U} z+k}9-)a;wIx5%0WpN&nmw~7>v3x#H2=S;IB7DC?Jq4$hy`mhbr&D=9?<98@+9file zb|P=)C^PGybLV(MD|)Ay*emncYsGgKrw_WWr&fJx^RJ(bGsT96Dn~F++iP`{V)&`C z5X6Qhw+{6U_R44P%?W|N2#-21&5l%$5?W|4#a;!sr|tM_--7Y8BcbG6^KVW15W*UF~gK-AVGfHcWEUEEFPg2Qn2g}mneclzFTVE~JeYmkK)@dP+f z`zXyAHi-Je{o=sC_~ONh3c+xi zLnePs3Z|kJAWX8gqs!{5c|xFfJZuQUlJ=tME3~6C>TiDbO`JQ7`zhBVDUoMDKmB%f zTHQWO#R6KJTc~dOZDdqU(6?!-MQ?0C3x`xE-HkuajSlt&MjQ?Qans-;b1Bp=!>6DCjbmtFyU}@2cmH5nF^E z*&5a8bJ9;K3|f-z^)R#DHNWpkrm7_F$?oVQj<*;D@6jind|O42u6#;8^A1#JEHpUO z1!x5$)pgYup7T7uF>J-%*6UY}m(c~&EeYP188tOJIxTE~`|$Jdq&Y%jv#9d4>o}eq zTm01(nYwR2qf3Q=SWIN`7azxD>AXlwQN=is?na=By`e-pjXQzjJ*ziB(pEuWw@H;i zR(704MkPyid?7!1&P8a=Byq-cbgv(L4XkLbRBF_Eg}9pR=sAmBxbK`H;UH!6=#8IK zTr!SJ@FK+t+Zb@lcu&d5*JS{KRvrI5gnSSi3BCWW;VxLv?mu7YKS%WBSq!OcRWx`A z{;;T!)|!=${ox&5agM5Rx?0FRC+2d&J+oNWVBv=FYe>Qq@?fPYJ}H}RZCjHZ7h)L~ z-3?no;UG8Y%pre(|-}> zKZp)Pa=U?BCtrS{$SXzzIhj9LZ@a;c+NNL}U}(@vl2UVVyMB=k25({j(b_^8@y|;R z1vDt$)~|JyrM8vc&+@^+akj%s`erkPNLPGA6@zB!@J~w6W?$9MOu}NO zHYhNFBg@kjzdiqQcF;ua5TlqC+58?hHV>hHHWV998#kolH;w~d!r#I*_rN=Q*r`MV zOe0_Q1d8wpT)Ub12MRScaKe_A65SML|&LGzEe@2et~UwO($Bep*== z=O5zh6@dK?MWk2}k=4SGl03PZm)9*ALQ5@{=_092wfOp09hEb*C$L`eeXF7p3+!&3 zj&1%fgJ-5+KPuN@WQ%9%Pd}UT6x+JzHut%B5*n+5EW<-k22+2UKrQvkn@th%)fa(O z%&^oH79Ky1P2>EWCpzV|enQTi?5_m$&)c#UjE3H~MMR5)cX%LshGnf!+ZMbu zGlPl2yt`7zw1k`RE)zm>swSvIY zoQ|6|v0_Qj)8Tni%}XCO<0N+SO6BPeHPeYy6*X3N#nf2d5mR$;Xd$ChEtk1n4_a7a@A z3ODdH*L`>YESj-VmZEt0CX`qfd9-EgTNANm+=TeH<|P&cPy8SfOb>_XKuM`IkaUy^ z^Q#F)Ywj??3pg&NUwR6hL{U7Sa!WBfJlH!ysb%TD@fM;Dy@a`#vjq4MqhGLC(rot6qz302W{W>qIX7 z3`3;O{jHpm&^4L0AZAWey43)wV7g!}4IzBu>3xQY^00UzgswYCbT~8?+cT2Bc)98s z>svoU#eG>g9PO7`4MAVA0YczV(0wM=LA{&^ijbr&;|)6HGknnQvT{*cA?=Uck`?(p zrv6B_=(Tc~a=8H)`%IOO-LG;jI40b1!_tSVk?#HcLZJfpYL zg4C2u8Jf6S+gV!M8)%t-`p?J-dR+`RDGg-d50)^uT=U&kus?Y;=d%4K$m{HI+ErG4 zZ_j;?5i&)=Pg~rW{qlZeH9;h=gPQg3nI8qd`d56|VhFgpYE5V3z0ku`-GcS^C0Q`| zUt;@#6V&1U`Qa8)l1FjN^l!4Wx1BvTn1BQ<1Xdq{JT;es9{J}DLop)SkC98T4l-C7 z`4Ka$KNOWr5W|F1$WPyUM!x^Jetrq_4dk`kYq&vUf23;Z-G`541h4bPd)|Rf2!ry= zmHNZmHKBtCL?8BSsIB#VyW`?LgaZb~8J%{4dxrp^CX)V7zwr2>N7^ z=vd$o;2k^jWF{igb%YS~mLJ!*T)7s}IV+ARXn!CN<_C;+e)Rm{^n|qIwCjoS4CwE@ zqwp2reS7I2X1RXqoS*O9Yv>OEf3|~v6u|4|FNE zclHYuWpe{^3H(_kLX5fJ)g{k>|L_jBQGbRINJ8TuoSrVZq~ zdeyx)x&i9;>Hz7D%JqKuPC%%*f(-wpQo47b7L0~Rzd(ukQGUE*edFv`PA2o-#43%L z@A?363pb`DjQAKYm8k$NYS&>8uoff7At{GzRx*EGG!aO-bwZmdv5M_)Nl(e>3| zOc`MJMl#6QYY}I7TSrvb6)~lseuS>Fym>ye=8~#PEuxKHX*DcDDC~|#7+|kl(jz;e zZv1!`i>IgAV9+FEP>e7-^1~XP;;8+DYO-%khgN4;qad$Fv^|ROysSpV?Xjp$Ax+Mi zXg0u9dGhJvxPBy8=OEP3k32+~>U8qeN)vCnO|Q8zFWl4ko4CT0g@@mtk!9EAVJ&Bx zr=>Q))XCO&s(`!*hfA83 z3~i}!bkFLD5@M~2_I^y6p5)M^KV74LF84h#{{0ejKUJZ0GyUo@z{RH`CtXi%1fDx7 zb+Oj^!&EdkvXCam|GSH|w;MzFeWw!r1L+7hN#6C!$MVDB88RL-x<{f>V?@_g=hoFl zakUiGVN_%b{h?5z^O`#RQId=XjB)>MpFAk_{91vA_@Uk3^8_ZAU?~bOJZ-^1$J8Wq zg=5*IGq9>!KbDM2TbHde_a_X0@wRtECVqyuc5Z9qQ6Xb+ZmQd|&)6fTJk5AamxAq% zrnwJ0uyVav3`Su}`OlqZb|#CXSUzmIgVM!Ndn1^#-|YTC4nC5!Q%|~d+d+Y~DO7q= zKJ&3#GPD)mnBj&~ZKy0)W|*YipM7p>R&tIZw%YPVEz*HEPr;|S3u}S_F6G^rBGR(! zxdnohBH2T~=%%t|+cBQT!ZV{}I@Yk2Dn9M@EcgC8%W2|O(;NY%i*5*0U^RIge3I2) zZLE-q?{wQz{-s#7K9&RhP~zRzGg}Nbyua7C zV-t33t_zaW$je*;($r&~>FlmW?6XD`uBmDq@n~c**a;}{XK{93#Yiv@*1>-io zZ|3T{vSC4_lvJUYc%0M^9Kil%w~oR))8GLYBH_lI-LAUE@it7sSbuFz6WcQ)GwEs(Mc6;3!Qmx8?DQKkCs?8n)6E8qaqN>o>WHQ+fVFe z%4%a^aaZ*Ae?i4Jtj2S>8|vZ8<$!oUci4Sy4A#epvoP@&HAni(G1yk-%<$t;8>q={ zCdg1dX(gclR1%!+Dpo>qZ3_~*J9v%K>bu?v#Pj3&CKefx@{*cTG^$pCTbvNI-Ny zj*TFlZG?5BfRHNwV6^Q}?m_%U1}TLusgm}HKzmNal|F6Sph5Id8XM~QFz|WV=O6tn zxbt7I#Rm^kBJ_tG_mfpyG$MG~XnVJCriResY}R&p2ZSu^nk1yMwn!V)5P!pzyYBW6 zAHWvy(kh@vuU8Myz7EtiUDpUd)3*5w5Mb1BB?ztL>EEn<`u*!n7BDRFB4~60iW^wbI#V$l@X%EnCzPMm6WQ8W91y6%2E=z|AG+rAv9x9He-&ri5fc&ovd)nu% z2ue^&Bh^;*zq98@L`W*YezShh*8(3*w_$uptFQC+gdLRL%(Rg-lG?KmR? zjtUxixbzmJ_xab>RaK$DyI$bN;Cd}xrjrE+nhb_z1Tu8#yTTNC0+~CuCRL|yDXEH#iGS%Y zw<@wVvj(7UP?UVcs`H>>>rN1Z9%K+Wfl9rSPE(QY*t(`PP13z-7|Ke_=fV!d5UcdK zGb3PqTZVZmQ6w2e2P!Lh+LR4gXrRpG>-%&g()PS?9M#-HM+EdOsK$$u;J|L*i( zyzHm*|L(ketpBl+pU3(ikM%$Pto1(x?;m`LWYG@X#5n+n`4i_Mf zPOZZ`E`d@ts|RRl4x;+7a>{@)3MN3E?*9U0N>cTA7F_;CH%R4aEv(;QCv~j@rBuEC z2`51*ZN)N>tio4`z7K(vOF$uL%wmyMp~yqPp@dr98hJwWSHYn z%_h0IJuA2+@y*;%l4@{zf|wiu0h58nWZ zlPPT$LpfDQef^QoN0J59O0rcbXiGv<%Vby{HLM}4rVG-brT`PfNu|ls#5FNlRTPrq z6GnbVma>%pb= z^^U0TtiY=S!D8c!d6*z~3`3tzQUZy;bbw>Mb_V;Wd+$4gpZ7X1dwnM{59Jduf_~7! zd@?RAV?QAwT?fS*$V$eF*6^5pCE zcRIaJFWY7Dm;HWcC;puO(c78v`@a2szth{!{XRy@9|>Jb+}!*OsWe+kOxvoNY$y{D z5B3H}T>sKbULPMd2u4d*=T+o^0KqE?RLUA{WeM;l?Sd1Lq7=AejQQaogy;ql(*+)x zZo7^Ja#h;yT#lHAbQ*C+MP7#=MLKE}yWyWQD#;&C$cjm!M=(~|CWgBq1r<6vmVPq&H2*J2oe ziKJ#X9r;-lMz^UR1mIY_ONjUqB z!kI5Ko16WN-+QyL=g8~kR#?WTd^!BlZ<3Gu%j4q)<-*P)a-oD7zI1MUHpWxdk!q1q zvtz&0Qk6pqzpf2LtjDO036o;=C;MU1A(3liC}h4XEY0r`8{>EyfDLidsmPwKT=iZ% zvzG2p5%xOTb)@5_gJg^5F)!x2)^Vi7U>L(>E{NxVtT^zuIr!u;K-dMQBR#4Z0;h61ipg z(8*8zQR!Iu8C<05U1MYy@_|98lL7^FI#=jcKe$4-3O4({NjUXX=KZCCsBtP4HkycF zhFu&K&AQ0VyNsDP#1cc$JaxVXMqAIGK<^q6=2PT##IaMlTu^8tc=G&-x?mHn;!}&fck?NTum>>lgp=jX7=^qs5q&^$AterjAR_qM_mJ0p z^5jh1_eUX~UXI0E zYOV#t>Er?tc~laYp7JJC6w>ZKQPpdc%#fg8f)T{PZ+7LeT)s6+<5w6^dC>1_3nPD& z#b2WKs7gyF^#zyf`9XUQSpr^@WW?Y_@IUed5S@02EM6i#NS&?ujj3T2l%MTBQOU; z@Iahx$52I8%kw;fD7BvN=??egE5khk_auubr+NKpSM`RHGu2X$6MK>A1TSmI_sR~1{nn%iEHgeeJxn7Mirm#oj?#0V4&+|HZO zVscbMVu50YE*_y||I<#1V#Lx-(5D^cKT>50=Gw7sHaGhp;yYhNe2R2eeBVnKKFDpa zb76_*m6r?%dBRYONQW=u#QMA-_)7Uci;X9KrF?t!UiD@dOhe`eU{h;3b|w|GTd26H z#M;wi>;f1?97OXZk!Z=|yrbql?^I%WM6}wbod&S%!;Jm8)s`Jp@qvajhrV0So~Zp; zyJ!g`Cj}mg2y#XJcNN&;kAOQR1cl5zp+L-T_P#lfDXgQGs#2g{2tL!(5r1hRl6~3L z;2NBQ+%HtKA=fS|tfLuHm}Gv%G(jOFw>gxlCX42M+xVWKiy6I`K* zzIuc-!s+M57>i?>alvH#B(6Um3IA})1lrHFqqK0xW74irIP-JSBArfu^~6xulORBs z(7gqeVIq9?d_<5Z9ni8kt5zM^%4C%{n7gCPGOP#k^D}FV*-__Xq|vsY74I(qkmw4C zguN)d_6ZIra>GzQc2AxFX-CSn2$_?;iwQw4%kM+EYYK)E7w{L5N=I}yMo)l!VQ%i? zJs67^aDn(>Q;NJChso%wqwWCA&>b^$fzL$YEl`0S@bu)D;m5(jDd4}H>sh{{G?gZR&BV%c`qxVGPHS3hLEO z#YqP^phK@GJD}4M_w$_&L0mQXR=pJm`5#;%t4Te(^+ymiy?eli+1Mrilbr%%qtoq9CnkM8-SPoKh14sgot#KtV74&@yk7?m^=ibODH z>Q!toOgxqFdK)Kyd*8 zgzu5%_#$F-LKDDZZV+;|H_<_dchDi(8hzP&hO+H0r`q4b?sORlvi6CGj?`MtPhR}r z1Whox?Ox)BA^^+d|F&QC`rGOFzgN8%kMV!2_>o3<L)jP%l3w>2Y|h0Lh6ZIdmP@+wX}@ZS1jdGnT9)cwX5b-#2` z_f?m9t67n1x8d~~54q4n&05RTK&#c3naRWw`96Pv@gLX+fY zJ5D+EnV3`K_S}(Ao#GJ#7LV9}`Kn^f`1;1SH#i~PfM z#{YCyM~N){3#O9P%dh#87HcN#GimDz#A%%HW+HCF=S*$al$fju<~pi5DvPuFx zCg=G^fAY@%A!dj+cl@t7|M&a7o!9B}|BDy>$MgRxehSY2nguG3|9^)<;H{>9?2Q_% zB)4DdMjrNSlmm*U3i#S}V%26T#&GQ2&j41Iw@o)PH3pS7cK+;{0_54VH(-OFivbp{ z=@$>zT*_UGWNV_oB=RkY?bA+MyBMe~ZqGZ8`Ii~M$B$CiUg20q&hxY(O z4_v4bOqL^Ys}6x1;HjqrDadm>5t5p_z`sJlEf~XV1mKk631q$tgW$GvX>agonG6~PJM0)c7diB9|wVB#Snc8=QY^AxTd*X<28R#TJu58^@OvTFMny?wta!M+Ww?~ ze%T&uZk%!AbM_@62ZW=i5(ROEWiAyiv2hXEeJWDP2>nFn%9kOK4)`kkm0rE@kc&M8 z?(d(1{{`~p3ih&?jOkqslTxx~9W%16OTtCxUw<{HK{=*W&4LMm&7B7Ib`?6s67UkP z$%S}bq1zSfN=2Dz7T^FbfweewWpc+(hr`{`Pyd?Ow59vxglq4bpuCG5Y6?1bbuah# zPuubYzWfE55cSq>8&W%Hg3nZtL3-8X94Ub?hFzZeG#769M0tqTBHfjG4p5SR%U9Za1sSbpMH|c zWg~26vL{a|A{kbyO|-rJqmL93*<1DWa2$W~uVs2(KC+#;dm$)lLeSt`{iIeYjQk?o zMr{Q4gDGW*9EKxYkBDaa7>;~*?s3of*RxFCTSQ&rU&sj*W6zJY7+iN)clZFYCI{!; z&B8RbE%1t6n)4USthE)GMrSlppL0D6x`ABTN>`iQioZIY5Z!blNa+nG9&pDTFtKl& zw3js}kITLHajML!xofagU2@r#gkq*D_I+6 zO_-w#3<7-9;Y-H#BN%|Ea)mrKuS6<`r_cBU93djhp1>dgosJNC;3-$SD$aBE9NEJa)$bLpJVB=fy$V1d8$g>}zFA;JX@=mZv`2#*) zb!l`5M*gq5D1{T@z;|!Au6qt}uKdt*fRig?+U*=N6w|5>X*TV|jSb%Wi5|rriBoiU z;^>-x^@c4f`j;BG9Zz@lEYNsCRX4U4kds_ae9WXQa5BO{RV9B6HF=<)eEpBIj&cL- zC_lQ+zwyPqN?=9&$Ih#luTuJ7ulM5hqyD#wpF;hQvY}#up<;odWPu7L@B(8-8G+G1 z;Uv)cWyt#IfhfGLr)kJ+S}L{HetZ$%-J=KL^{vs19V3WjZEoBUWxwTe@S|v~vq5BJmfUUQp%$M*!z&0y*jeUenkyPQ=PI&v!}3 z`h1H`qOA)^k;>w>Wk%}qksRQ3I(W*WscEd*byE%7qFYCDYyzd~Jz3Opj``D#rX}h` zCNO47*$E^xN1Jha+uIYz)@LRGjM+OsK=hU}G;!n-a>z8?qsKVpZ`CsniOgtdl4MGs zyE=CoEZH*rv!?Gkw1cAS6X3jxhCPt{JGJ+Qexw#^fx!i zzZ`R2rt?w?>ADzMc(m);Cmv=oWyh|exbw5rrSA$fPWVzP*48tGiLht#axPamRp7p) zm9FCok25P?@Mg}6Y!|OaExPi2z3WU>t+=?H{>6lax$+~gxp6JG5$?X+RyeEaZwlac z*+P`5#*ef-skQJ*8AS_l?4j5auSc_=0tb#pe(19@9orxp#VXeS;fuZa%Zj;TI8ZKA zwQQ)#<`sPt&fA2YXaRYQt`R@~W!3u1aqE;}Ob;)#n3HJ`NGpN>SkH2DRy6t3U+_*s zpY7Z8DOLYUfQt+}m3ys-D(3q6Kn5P~xi0_f3}2!64C7`YYUre&Twv+ry*OgmnXRTF86q&K?>=UNnGr#ui)1eHSw(YN!`$qm7AU%Tgbw>yJZ!BQLvdfR+oXyrq?4zV(iUOn@B^(5J*sr&AAap-C3g_?BJ zNvyB6cXhdd?iC)5j{J$woMK60H(R!Uj6Loj-9JWYyIHrAKcWvzMj$XU4PCJLa@$1C zHX|b1MJ_N8<^fY;%uj6Cg~t4puS=dO`=LEnR(4O;jBm`6y-;FpNqM1I>)_3XHH8^R z=NjQku(Fa(p8v^(A8uVhI_7$pE0#IAoWUu`()#}oUkqI0M|HdxYI@y}=&HhUS*X~5 zVFVt8*EWZs@LC#kE5CXt&OobjIk6#FXO|O;%M0O;9emOrDwUAEm8-R$Cra8)qi*jt z-7)g7-5b79%dVR>IX1VbfF~Z{oFWD~=p3A%XW+O(x6f6#_I;{!m+0zrZl-HCiH2+% z1y$E{Y7KFn0lGQdS@j{Le#p>e{1qLvokLQ}AfQS|ZSb?~6}q(sEV-lB z@V$_ignGiAMBbLAfJtL8#h8^)YEdOJ1!#9j>XVS2NOXuevr8C97vh7&&=jtD}-i(7_fpUv-6v-v7Ln|dO@U*?+5 zM@ER_8YTC2auN0Kdp~?f5c*Nkqkx{7%p!?|!382=`59St(Ze@+MZ!dVs<^ES_Yq;K znrAKQj*+Y;=ZqPPoY~+%3}wZfv!g-xkQNtWQ*d@!5ZA9|l-Bir~~=O}DLJ3!wl?US4R7nZx8E)KP zOb*o;e^dYN3d~`Lpi7@Ja_bmc)W__tC|pz>eZ6TA6oq2aIj|R4yXXE0{02H6a6|

1jf@rW6sn<$&M+2e2^;&%rqWK$O*S-Z-YP&d0&Q=}_eBH5qzMPG0a=@Yl^tf+Eho zt<8}idLU`rv2RAiT6YGq`!}sSjoW=*H($Ss zi`{d&;N&9K)1p2|5g4!uXg$`)Aj%R z{TGk^KdbmD@c&UPP~r2VYDJvlReAr{s|im^%VxWzZiK+V_mB(8ew;_fLU>l6edF=Y z$Io$ccPl*H-PpZdc2TTv*)C6FBIkB;j|;B5Kh?`6aPPA*zVQ$;zr$eUNO7|xpi;Mh zi{ngE1pRsW%ap;TB15GYVPD*=I_Mh7UqqTnu_N=pB0j79)Xe0)svAImB3_6b-r}FF z0AC7+2V)4bvaDI25TB=*LFyO>5GYAvJ*mg}b5-7(b<--ps`b(*8 z!AXQ;u3+;qT>PjX&9#4-Ni8N-jfu{-ES$&!6=EqlNgO)8_&0KEWy3AQOTA0_FwOw; zJkF2R-tS9OB>&tCeT|jPHCwDHO8rR|+?@LBjJiif)#7q9)|#lYTz|tPsl!#KbvF9l zY@f-}si!~g?ay-)ut4Y^O;1IhuBaMy5+|!aRNbjRvh^W&NT8woSOx9!`|Wbj^dAk`%!SOT5$i#wf*%M?(3%Y=Tq#@ zqWv#(OL)}YA2)$Nf%g8eYWqW#Yh5qR9!3$(SEjASO1D&gl8ic?Qk++$=TjXAF7GcN z@)4=+dML)(w?CcV(=Z7@Lzt&~Es8~39{cT^YPh(%=$?h`i2e!#-{YTE z{^k4C588o_NQ}Wo&umD+|#`lU|-kK#B|@> zDLhA1uF26`VY`fy-?Jav?8BL)*=n=!Qbs$0wVORuZS5w{dHi2?8}ZZ4hX{V2@?T`) zr?=LGChMn(G9L!Pt$29y;jQSw3dr97czQJaczU$!Y*6RCE_rk${>Rg!YL1ausMM4cOeyjJ z8xuUe9OEfV!*cxL?ZNQy?QsA7+g(S7wRfl=ppfav_6-VJcN*^dt?S-ah&?n^75vWA zvn~M;?ceVm9-kc??;Ys}`<)P~>F5*Gw z1~?mcW5%MPi#>GjJk9I<aAs5JAK<40tK%$%CeRNV3Pn2K zEQJypMT99EFi6;7Y^4ay=g;rJ+1RIm0}SXGPXiBJAVB?zA3(x4%@8wyzCf2L4y2q# zAq8v<85rSd=m9^J44WvE`y5b&!~h~c#+$9JOP`IW7hM-m;-b2o>&;(V7XiN5LN9yX z%Zt~eJ{rA#<-P2^+IHb~@8Wy+HT>QkZNGl`!;aVg;o{X6CGOTG-n#mpZberjU4^ua zt4s^sORU#l1lbr|pa9=!94A~+R8X_A+9o}KB_@{T_8gqcZo$?yBwI!#Zy8x22Qf7N z8RILk*#>tauY<_T_(e7WfZ?e-2BNNMqP_S9dAiv&WPSkDGTLozDo(K0)jjwMM2?9L z22Vc;7p|f2eRAIX_OIvnzdw6wzy9rCZ@}-*T2I^m13avfO#naxgd(ureJP%JI7E7M zh>~@>>nK!8m+^fL_g@fvg$Uh>2d!8T z9Fp$<1TVI?!59$)Zsfcp7z&p5!whB??SBJK>rUR5z3JRLU>7`f`rF&iQ}8?Z`Zf3U z3;8-pWYHv^!F;su+hwzo)L=z+Hl1dA%En!O;?wsJiE>%-TT|#Pl~}_T6J2z?RhS@?+<#09OV6cK^PlGCSHyl1-EZQYsQ-*h(U{W;&{E=8^LF;_bv z4IHk=xnmgmbi%c~{nNeoox#t0otM47lhsq(f~QDy1)v-7J&*u-fs@Fa0y+_}GN*Jp zW(Z(`bZ_#f6rB(jnVeEt^Ue=_Iu^p_K1Xz&gYz_86-tr$JgpZcV6*v-paH|tn?OJ+k@$^K<;R2CrdPPPu4(f~2m%$}sQyW9;asrfaw8&&QswYLrhVEMk0&?UsE zBen9?xDH?Ejz1`6jCJ`t&u|*Qi_Ny%#=Q`sl?H8izCRz*NEH> z`O+97o$O9pWKxM2`KoE>+a+T$UAq71R%Z9HsCAx`UUjj~D`!OtietVng#3I84COK5 zdx0j7kQ>i|E3TD6G-Ut+xvcrL;EagrI>lS{ytvG`&&m$6yR7MWjz~5+PV@G~_-->dUCOr-CiUya;8(E&eqM6{3o}MmQLBXWYiRse)fgsRY|w%--|Pbl`=KO zH3{BUiK_XFt~qk#4Ou3mbfZjyTV4G|bT5pQ^4ADbdV`6Vmq)v?am$C!;9MhZ_I$;9y^8x|Me>Yml%KaV#X@?iVj;4tnFU7CsnJ$bYJ8~V0W0~Ltwt&O^v;XTfm=G z`?JKunrnNGo_5FLfTqJK@?5gkXnU#?2@!+-FonJoYrURtK|&ws^8XaDa=V89WtL2Zm!9dI2J! z^*7KuIy^o&{_qqWoSw>ti6-VoL7M6g_`5e?v(;+@?7CAzkOv?G0T*|zz7yY5#WfDW z`FFssxiUsDU}Jt70qBd*K#0T6e-Oc35c%vW1ydni0K>rZVW13sv@5Qcq;Crh!5Bsn z3c&~yFoEGMAP7<%QgAV4;0A#ZT_XZ+V8{R)`xL0M1`Gq2KspAH0-uS_8$fUYJwSan6)OSUU_wz>baNO|hM@Nx{Ci3nxPd+su(2`H zt~h*fkt=p89E1e!9Ph3%g#I1+;>Lu3sHw#;Kd=!5y<1LQc|(vx&W>DLpwrcQ$qc0pnbTbrBhJ5_Z_MN(8v;(J|}Y zCPeG5*U2NseWK;N!=r;;2oPA?DTi}0E69K@GN)8XL+z|&Jv;+W%o+GAfKb#bY+pRRF_HAgT!3XL zr8e+4pmmoTBt^tLaoS6@5J#}YGfNi8nK;Hbd^Xe!aKJIMf)ns zr|E7Xs#r|1*K@N*zzvtDg8jV&f{?}gZIVRR_FH4(nwT_$2iNPtUqLHY@M4wH)?^dC z{`Y@_)?J2l_t|xlbQ7b~2oZTz>YCs@kwDqL5DI(=oi3+l5i|l5ec!C<$wsd^E{qRwZ~ zK?$gIC%of(+x51D7{)6yZIMad;?HkqF&=w@hztV{cflY)DDuNgwKAn$$PY(;=(F2G zPrPy$4L-KGKhC(&Sx~Ky4_zX>`y05};Zw6OPl<@ot`!CTFqb=zcO~&%$%uBYty}?I zvM~a-!RCt}jK^Vf*C*fD{Ykmhu=$wF4RsCiBbksl!E$rC99-7#{n#7@FT_I!d|hKbs1xg>ld zOnUz%%2v1T^kDbKs`tbk?UNmN7*Q1~!*}iHLRIj?ONW2JwT9l4k)MHr!$xl@LleMB zDgZFZZh9loIRh;X1mJ5^RILudU;5xHfHzm*>7C#~(CXhmZ9kFFJFPp_i8dqNrAe8C z5QhaQU}Rj6yv2w+lSU@=C6XI-UazIt`Xiw4h?JTK0iPj327&t%>3nVxeyeq7=JWoE z(HYCzf&Tx-LBsze@oW99ZK$J_8bO@xEGb-ZyToTx$_LFx&%p%ViswQnmMY}$`Iq1g$$FMHZ?z$EJVv$_q~ zWUyl~i<^{IFHAHw%DoIL}12dBpeX9oirMJV6&&%yc0hquEIr*99B z_l|a3clMXxefO+$e-4}qphQ_yW5@?SC8PBZjI%4xX2j^}iqm3>gMT&EhUvsf0$GCUW7uKbbU8a{)^~)YR zLXfgyzdzg=ZqHI$a^Yzb_-o;1*;4rP@4zu;GUvw#6QH35*ZqEXr@Q@^b8t?gE6`EY zvFQOcj<&VT;H?5g`3Kh2iPOB^FA~o|V$V1S=l{=q<5GmYAw}expLL)9_WM)N>5MR$ zKn4^$jQqkQ<`o=W!9nOpk&>vD(@Qfu!!NuK`JjGgnnfl#)56BW=A{bbyf9*eRM*E_$=c9cF6_F*B=PC|44&@UX>#9y9}y&ofTyiZj!^xM8NNbc z8#vlX*1EIy1}*-7{xCSZf0O&_S7x?`b6-a_)Y-e<;tBNg;!KNF1!@WR0!Pt6 z6cdPZ!aHKKaIy^ya-MFQ{MLM+!Irah0*M&kVB=)LD>Wf2*&d5SBj}C}2WJPz2dBFm z^jt4S9jTEx5jc8+9N<7XHBQN_IT0qzi6i?pnzSou(-qlolpRf^;xZ8Ng`Hl-ISZXH z&kfpzhN8m_I)st`+xG9kX=${a^ITdMOh`Mm`z;)_oW>e`k>o0iUbcgYWb1t{@s+o| zZkAq}x-CcJdHmq7n?l;aSEhGd2;XVuLq}Rhl7K+d`|b? zzCAq{3=Rgnn|$AxMiC;(Ws^wdW(5PQJO+nCpmE|!zunDR=_WF>Avl)zk|1t^k(=S2 zME5a&pJ2jD!`>6aqt7cEzE?mgvy+r|m&TzuRM(DEkO~-m z&Vb=K#USp+i{6P75$KUqqZZ|!UQCe4bVS3mgZC##duIps9+!gF-hc|k&tG;oH)xRr zGTo}FY!}7U&lN|%AQ=|jQ8zrkrQQ|L%J-q(SxK^mojt1RBdZ06zR_j6n`7R5ndB*~}NbOO_nQ3Y` z-xLGYCFt|iCul$LQONeDY-|ZR$i|8Dh;UqB0o`&DVRUPQc3kn<1J`2J;F)X04I1AM z>IWQG`Q!@S>IYZo)=_v`|DDmf*N|x@9vX;C|NXra$i@w@Q6p4y=E1*w>1&afJ~6G0 z1ZW`$#c?xp$j%%SW^7+W!_ zUmL>Tpo~{)yK6m^7Gl* z$qB&>yEs^zU0E#8hf>LB*T{vl*lcR~OnuMR^$e3QO75-6oX@PeZqPSdTVkE_|Iur= zyFuS);kwpu^m)C#ae%0IVrRu-Ge);m%WBvD4{M;4Qe-|t;v{;~` z5PY1iPDyPMTk`EmA{8lQu<05MT|C(`{ExO@UsVE;;J61g*>Od@wCgwyS-*8+9NXaY~srB4~TU4vC20U`>ZnW&Y*WfsDfd|JF_pot2h zu|X+wP)`@~P#Qo^(E+=^-E{j{X|$Uya$0ISsMw(qa^sj)N0ve~T?80%y_ff;uY*MsD=vGE>Cygkum>q{#r}>duPP&&rr;i%p#*Z?|J!sh)Wi9=$KmZihku zOfLeTj*l@rMbNw5)8;xya=PPMZI5v%qzVc|PK{dgsJwp$TwX|Y=^*~ThESgl$-{0PO_4@Jrzlxvo^M9HJDr^8p z*50YMnf199&MRtWZZfQzW_hnQIdrp?rW(^XDQTeimIEA{=JWUrERX`t+*cnDn!Z^w zU5B(xJxWy{*1K^#w;-8RRO-2P%%GdZ6purp)ld#Wk!Ng2N=2}jRH8nQ+PmukxX|uz zjVTvtS!jUqEEdkgHC&I=OZquz`TS$yzC2(k0-Kw$AGrMItGrmP)4yuk`Z>;5;bD$Rf zr2=eC+11~(xBMLMYzbJcdv?F*L|h!0qx+X0IRzKqf+_M>zCCA-{;uPNvK2Y5vj4zs`BP6z9vf@GLgtdzBiJEJmPybWqM24O68?jjxDS-OjR|~GK6z? zlZ&N(=0gp~f_HXh_di^O@EKXI|7Wkaz1`3Ff4<&+y#HCnPsRO@#R3&~KgVjnF(UHu z+Gm;9KAPMszVcZIdz@jpJ>J2Arb}74h#quy1=grh;`Sp~ZEMCZUabDsiHI{`#&+?d z4lAR@*4gYAmFmx$3XVmPZ_fH=*juC?eq`@I413ow`F%s|J*VZ(aQDw=XD5%${fA-h zYHQy&#M=uS-C{S5L{E?W{)gfBIwrpd=J>RKN-h5roqSJ616XY;LjlrW36I|Xt1QB) zr?uf2fCnr)wkosb+}6isJLy;1GmR18(SiT*XTF~j`>!gWw5avBGXB5!y1$*a|L*kr zkM`eH{FK{&V-~2e{;CaSPqtqx<8Pv%cmm9>ti-!o3+e;uL5(OhW_s5qicvw-d@$n@ z^_YBKOldc(+RaPkzshE@bou{cr}r`=|6e`c|E=VwT>i%_P*47=DBQJ`|9J^oRw?{Z z=tbBMD~e?sVJKqhuVIjzVTQT{Mlu)7H4K0giLA5EmN>q+!wF)c6F}iZ)BK|HxqkJp>{R>B%UHyMXR8G*-|4I@U(&S_j*CeV5rzDgpuXU zO!@>LF;aMB7m~^e{QwB?5J6n)T~H8-0UM&4@a?G~ff}XQB#&M-SNFD6v2zKs0}1dN zBd-;uSBo)Q9vUrigGH5GyCfE@-LZ#8jS~Oh^E8no8y1uPVtIszp_lTgifNyCevxaZ ztVcVsr7mSvpwFCet&8T?MS$_u)UGWZo5M_w4Fi8FxS$PA7=?u2XvUXmWc} z#|~!{V8~v*a31PtXv5-%YXr%I!7<|kFgfKK*8L&%LxwI%VmDbbQ({uc47pSDAUq=W zw!-BjcDGT0F)@!G3fMJaqzDpOueEjel2EGUW-zf~4&u)P+0m*IvCO|`|EJ0v%^+rZu|MG`}W^9uf9&czW@5u*R!uDUw`qxzW2ZWleN6t;T2a`42z5?DbytU%$3KIT5dV{g>bW@WT(=ufBiL ze-(e&R_vPgs)@r7vRP~Km9TzU)7L%g$FHdi1GzINoAkg}EgIUHHQ&Nl6{~d`UWNE3 z1RPwoQU%K`81EvPSFbk-d~-VvQJc;1{gkp3zWuCZ+p!4WU+U6I?Wnmzrkt5_xuwq; zDu-JVaxvLHm%Cb&5vwki3vMdZJe8^6(rhE~gzX2Q9PAm-;k}z?M*amfMwLvj++uYCy zZspL<>wr-vfrNwRs-@4)w14d#`p<{(rAtJ;wj6=I5>;{wKi#6~R9=4st(L&kn+Cr=hKSHtS@u z54S4Z>10ZI+O^*u;0PP@JAx;*yst+-3cOR1inn-Z(db0R=Qycv)no0--<3dVKj^s- zI{EN+D5?rR3@UPK=tkJ%KrDpG&mRV7Ykn(Vn(S|Z ztW5E6T^b>`tD{J|R)k1dhNd}uf$9x8$6C3o8{yf4p67G*69#(K9L06sQVx_wrH-x5 zuBf}b1gDC0ZvE!Jq=y3`O^4#HWSE` zU=EdH%c5{jn2&+q`TyDb_wKfBY;hQ#zx^q2SY>MUHFa^~q;-$y{8Za%{j1}6Sx)E7 z+s>oFBqU)>kt_h(R+BuR{aLt?;8oPsP9n`(Q-=hBjg5_seZ$`7T;{wFwC?Lk3n;?r zOKRmb5MycGXT_5{Bi3v1|NPE~7a8WiUwlS9&o?VRBVMfJjCd{?w$}PuvHa<+^_-YF z>{`zXLs41kkO%|!TF<~MJ09|b6`u?F&WdMPz;;u2JHxG}6y1Tr~ zGs`?i)|@~s!PzQr6R(e>_sl#owb**Y5orM4!0>pCoLd@A))UEGZ-3>0NhV}at!$OP znCz$ztfCn$yf>?pS1w4!^~bD4$hy)-%>;Hm0M;h+-vTe1Y^W^wQ1P}(iDZ6Gm~09; zmwMeF2a`$Q$J4JpMxBkP0jWxatJ*a4ujVqH%{IPJD<~2TAEFBRz%!JMP7%4#6R#)*R-j*>i}u(2N<+?nza_ zjj7g1rIMf34W!6+R1%m~&PQBEIKj1&PZR;R4wzOzQeCRB6%i;)M=eZIb-R617|?Lq z_mDYbv?2sl_S#I@4Y(3na2#PDv*W;L5R0TwL;4%^u*-3oFG@Zin|o?p?Zpq&9#Z>G z&u>K}SlMl9LUE3#!9l%~>pV`$bxk75`Ya$wo?|uAc$FmYDwXIsSOvn`0!y#@Dxd!{ zN9IhVX%+W6s66ru_XK)i1pcN6H}sCBcEU`MX;w-*fegx%V3tCZ05*78kEn8kU1LO$ z%ZUq)P>oT`NoeqLRRlD6xpd|T-Q~(;>GD;yFLA_Lm^Gh9t=ZYYn zR)`1{{6}FZf0Cp@tOa4V(_;_fN^hj)@D>+2-=_Ik!I3RSi4@X5| zkvw5RTZuDxRbVSIV6URmq*-h+;r*2mi!=CsxvBOMQ>Ko$_k7SXE{FrFJ@4;VJn!$z z=l#QS^M2j`EwSw`Jl`KyJl`M6=iBWpz0he{j*E&bTJ~;d#dzp;N)fSWuZv^uIOU3} zZ?#<`sBtFgf5C~Tqa@Z2+%ooh^E9b#vd_4&gato+G!;*-?h$IvZXMRE!b9bWoTb?+ zK1_he|APh)2Lp76{L~G~&!UW5BD(2Y(6pdVgqGjbidc98M`;i2;WMMCn0VbHC=4iO z0jZ-wU&EQ=Lz8PolL_=){r-LX2K!t?8NUbbZRb6BPr_TE`viPx0Q9`~qL_sf5zMBX zy3j*C52^!0c!NF6us}+Uk}7TjTK`}D!PRO1?Ypbv)AzE#M@aA;_Rt8qx`-=@{2qNr z1t-!%`pXy1`lMJ^M* zh89K4R<;p4h!?v0Lcs{TCFw#GQ;J(gg)O@UEjN6Y6;FHS(N;=mXW28a<`)c($_}>p zSku6~cgDfJ51zS)&s<<%fnwv;dx>?vNZYfaK1XVS*?~Mq>fEL4bzH!9$GP_ZfmHvuBLzFV;{B z&X2uR3XGzK8qKp%+38d*(`dSNb{wgG)}9v3$-aT=I1BO76c}L(H4hvNb%FM zJJ9j_Ca@qG#nm&@!Wttm1QvS040J4TeR}ogM}QuX1B6B>!?S7IoMBt}L)+#u(=m8P z!Qa6>#0)h4>;2qhqEb`8?l%kVAT`9hSRu@QTW$Z|ik`DpW+NhJ!s>HT`tMhI1wAd% z&Lr~pt8wgaK%zDmZSzK$Szf3oc8Yzup`Gi_*15R-CKDFsa3ZmnH0ZpjZP0m9Y|wEO zsV))-tI1s4u%FH(iPC_t^@o%_MjXxjp-een^dwl3D}4*PFpRODmR5YVBCVgz zyokZ!NRV%(7>R)KXx=^w8O9@!h6LYilWfEC2&$zb9v{PcSA8T_3s#S%%e=40sNd(b zocBV@sUi1o!~{LLbuj^U2%ga&LB<{}pp5A)*6WjJd3&^`z4>jNGiYGLa#}j(<%x)7 z8>VnW(a7FNucK(xN&z=>cRXI~L8-pqIDUKa`t0X-SH0`ESA+iX)!F4Wuo@rCl&_yG z{^ZwpKb>A(oL-;y2N!Qo;x~!%-vk!&@9JpnB)mQK?|y@&@k4XnOiw*2n2yeks{P$s z@iS>4R{YF|EjpejNki(%6HS>L@08cc5b40%BwNR?Xj<4n;;-cG;+brV=OHTAgo z=E@9hZXPC(s*jTGuFz3n8P{>^WT^=#>oZ8|#o2Quxn4m23>AF$KLPfE^@kt3T4G;3 zo}eINz`g^|T);m8_5(;?G;YUGw|I}cyDq*1yF~&5Lu7(|k)QNu0v&XT2o~`=f$!49 z6SAB5PnyPG?>Xms58l6T#ww2$64YnGtmKVP3|$iD4Im4A1KdE=FcYy$(073YBZ>eU zBM=5IU;)s>WH2jY9{8F@;Ux)fW|8l@v0sk+_Y^T;Bg4{qb=rS-etp!~bt2*c+osq< zJ_EKbkYL{edjbx?Gb+Mh+U;kweb;SEb+b(nbf;FcjxyxxT)^Lb%?|<>hFR&}oGMVM(!y+Ge+TY7xw~em%CKt=bd2S;MEPQp}&- zu{yR%#r&{oh#;k$K7s=M$hrv>2N-cWbb>oXrh`e~qJawLeXsOBjZ0Ofzzg;jvZSzh zm^I4PxgGIT&}NMp3v1CYZ@6Oe6wjl=yncWr3nHz2;=D-gw-qNXj(*c*2#6Vm!_OKkX_Qu($j#GDa* zWO;ak4O5&GMoBPJ+^pqpeH`KFZ&Gl35|>sOuS}xCV@Xeeo?GXZaO#S_bU}u%-eu# zI7Skzt&E=YcL=sr{S>JBCu3ci|H1}9-Y!-~vK5`RIFCp>)lL@j#rSSuXO zF-w1Cn~JD;a)%uh*Yvld(1i^38G#Iqrlw^*-~L1{@DaJfy^17*T%I$ahHKBzw0OC)xf?vof_k%n$Ns>qW4!x z*t~olhudc{S@co54Y0z%eIrb9T#2|0JnT#@U|m82Jr8+SibiT+Q*?_Ru|}7CDXL-{ zQe_Ktb;UKadmGecepIzqaa?D;-#aeof!*$a+IZXPi86ycx{bl5Ned#>23>!rn zzbSXO@kLW!l1fz{oreswg|KHq>?}IaJcHb6U3P)nl{LC&K^S|@%rk{~^UImSLOOe&q^@HR;)y={3iw&>K50N^M_4NBCD`43h%EYZLm{%+Nn7b4 zcsA%(mrIO+DOiUSohZGg=9`Ult|2Ywm2D+`WkyBQlgw=Vdg|UjM;O1_d_2% zYo3Nmn-DTGI6*|D-z_;fV#r((Ck!mBY%aTK60&LjLlw$_=&BYcb!h^nC}^pEDMsitJ=?DWUficY5~i##4MKej7#pG#=~1?<6^BW)m@G`R=}hOSp`7F zea&Q@HLw*1Zf)3%wj~;@(b+<%S{jqk?pW(TnGuqcn(3Cm#|EvRv$j}6=F(ht@ zwvxh$@uj?;h6!>{B7*%<-x(t}@~}TT8~H)}`1Aoek+PM}3dq!UqhHZ99haGUQEOJo z2g*j>f5N_&^rgoP!OyjhG#IkE*D)k$h{!4z@*d&QSX{+6_t`Zf6RUi!o7t}mP1)Ib z%f?Bv)fqwdJ(~fi{+{!^Sc)sp>~VEg7#MfCG8wPR zKKMjLz5E@{YQykm@4+-gSnRy@z4gx{YoS@exC` zg@ZQlU{%%5iu%VsWzcs}!Ht=s=1wpP10VTpWiT~oQ>Vn4k;HN`34F=8b3X1F{>joY zj9zMbo2#x~L6P|IP2i&V29tG#p!-kW!CT)!b0-kZXERV!v1ZSW;=d3uGMLYlyvzDg z#SuM7X_dHK<8xryC5K*k=P3KW*sU|Q++S>{w<7TW3vw{qU{ zdC3Qg^Vdh#&)I6oDmz5|MSbshLF5k9i-D-uJm6x;`(}|K(xA?ud$34h|LltPjq`gR zfU~lU1ZZVKN|CfBhA2^*D`gn@;Zqe(>II-Z5$VLdyj0?FPuZjDxlA@~k;>w04>az~ zM3-qFV#%81a8l)GR+qA7n=&Wxp?{0+g)K8{FtqN+$baWk$S@sZF5#u^i1D|(jk}im zN0KE!ZDdT_5DPkP+_iE~bH>KZVwYyqTP&Y!&F!dhyTbc!f`zCIgNm0wl?_-|KHl8n zwHW6Aw*5VwpC*d7zNA9i1GU_vpv6LO1!HtNozBY_FT{U4olg3{-Gk=`-Gje%U%cw< zcV2a$cVGUk(>-|Eefc-gS;5#de-UMn{H?R}SlP*aCO^J2+uwnok&g&u$OW8nsN6H0 z1T64fyMkf%A{VpsU^K%1sC7-CPvu3YB!Z&+vUQG~nj90;ey@M7tQqNM`)jz4t%Q=C zxo`gK#m@)N>s&A1#97xs2Ku1yf(DGk3)2WL7OfS2EXWsG*GaPCZu98Mzgg$>bUgHK z1GXFwBcHv24?ji2AtHVJ7t->N`p<6n<*Qe(_PZ~2s?r)$mc0%p@L_Nx`W1>9m$Irx zEER-eX#b2*gig3HDRQvhLGKOCf_u>E%mJzBap3YU2Uztvm{197#c(xYO-=I>k^UGG zH;3TPi|-F!&4XVFbq2kIkpCg#L_jS7X3rsngkc#hn1y+N4sg9-H1MOzAn8s*nCre8 zq6XCWPWd;lp%9=oK=Uj*hsWq?Foa4Csu-ahv=IZlv%-ZvRCE(D<|?OmNE(HW1dI#K zO!YTFyu$(GJz6E>tYtb6qMdskgxFbnE~>Ku6TMkQ1FUlrmjwF`4xzWQiG*>FR@p#L zOReigY}`6C54>6u%2LvWGLOX}-Y}CeYhJ9VTLkM!4Fxj^yH<<$Iiut1MiiMSO)K627BH zum)*ceiR}iK(aLOs|;7K(sjHwS%=E?l!hwUd3G}BR{8{LT=(HC4@aoaAfqkaubaB= zlNDuB!&@Z|0DXw4wgb#n2;;-2c35bQ?kX;5@iSs??-02p!5yYJ@PCtuS(Ei4>pMcc z8WMo^ehuDW&%+A3-1-udl<&w&0xw?(`CY3VqW=H9E5RSHC%f|!M6D(r+#wR`zn-B?)=m&3^Bp&iYi(+Zq{=bcouQ2 zn~s;$erSssE}WWrPu*MUnZDN{k?S#3or4Xm>n{OSH6Yf`p~j)uM|zGK0MZJS^#6~; zX6kd}>()5?T~>!K>Z2gd;(HwnrTU%d05^asu%1y1+(Zmy8pVTS3dA_?4anjimaToo zL0>rm6jxEJvG|pC`wh536aHJBgJanPhx6a!1IMC_V1E>c3ng(`e6xzXkJ;l$hV{5H zqMPY!^o3`UJW$Q~rcNUllfizzMK`5viC*R=IMMZdoXzBkYZ5&T1|#7kJU3ms#a>2=&*q%;~FNn_cIH$F8@~ z>c4NW|C%85)0CkNt!#lnP*rF=U_~vKDbsiG{N?wrIzM#x6WhoR28z~d)7hneL=BFDQ&R0m3*O6c5 zYg$(%a)qx+E@_;7($u>mUzSXXSGYk7)v{NQq?X0CG$t_o{TcoDGioKOnk53JhR{La z!zV6ai|H(7H-42;$|m`@-JI0i2yPdkPn~ya4w6&!aT{NKm}Ko@rrWM@3mSJ{LTLYa zT($g|AjnW3A-9jnUAj6@xeK=u*9s_&Sskik7p38<4V)^uo^JPi4O_VQqK@JD$GlnO zGwk&l3OT3lq(kIBDt@PDum0VY|ILm$$3+;q)LgMkwyVsxm{eM|o>BXm+v2-5L2d(Q z@hGzK5Ru2nYmv|~E7F4|_%g1hB=p;JC)nrz{KDvVb@yAuww4&mdxSMQtTa)jXUHiD zay*-~v>u1C0ql%5Ggmc~d4$)$rVW9B)Y}(d7pF>?k!DAS&s-~Bf-24gb{i)Bd|`~} znnaXwg$XHhVJ&{dymgf|btZjP-ndYF6=gOmS{TH}XgwcB5iW`@Q+s0CMWSO!g8v|g z;lQsqVlqxkBK);ZyaS;dLsH)1vx#Tj}TEoMk7cv`mzH zZ8KYGRs>%cIjpt%ioc4uzlv&(ajuw>6iRV}nAT+ymNZO^AH`H1`75>i<)|(-}bFj`YN_!SOs zVQmeeb<3NV>Ir<*Dr#Yr76_cPfsBnw^?(#MkqnT{4S@N}_4Q?aD94P2j{s!f8KVij zLL*EWnbrrFroO8HyzWk9D|L;^;5B77zq z=lx?u7}p=)M3nuUD$qYE=Zkrp;OZD-d^G;>SSS2MO>ima-47|}or9$LGu>dO|1KY3 zZt?ZPL+n6?z_UMrsD*%h2f2G9w48S`3?knJSQhAK9&Pc_DVT5#w^4DgvNj#^{#HnZ z=}W2czfS!-Oagy`e3L3~%Biy0TD>yLtgq>m*nQ@_oqHADrcjWh)0SY1 zQ0mFm<>05cZ?F5;SG~)@yZ-5wrE>UKz-sJXUH&Q_HV@_Bm%V;p|K0EP&j)W#kALZ1 zob}%{g(kB~U8d~bat*RrX|&Xhw8||W6s0>@M*wt^t=8s>0|`72kyXYzSJUTbv_+TL zA(HO(#&}JF%Aze9!_=>6dL?d{&dCb;`s<1;m4)0un;aILYMKYEFulM{8pK86OS7HD zA^jP#H^>=7AJfT9XxGQr(qL?Yx1m2dOPc6GGuQ8H@}2(iRqu`6|D|W|AG};saJ>QK z+R$IH%O0PnH9SyenDYq zeJhaX-z)}k3D!N&z9_;;!2+6aEfgax(%sC2tH9=;GoHH$g~vfC-AK}Y+|<;Q0M~M$ zPO-SKcp>FckG91i?Ps*@z?MUp6%V(jYyo^+NwA&*Y%H|KkGqVu#1$ckG;oGPtO>P?N+pl6i?#yG%>7!jS2IB`>pgAO$Y{OJFQ^fmXM) zUW?-`6R%oOGCiTIMIssJ+l?YTwRd@T8Q+ez+7q7%zS$NpVTcW)FaiWw8vAMQOQNV` zMvz$0x8tOjG$GlB^R}rzQSpJx<051^(J8`w1M2 z8Okq6N>J~HMe&BXKJORq2{9qbdP;6ZFP?B*!(A`c_?)zy^j=Js^>=bW*1nr-_Ftl8 z6!qRp)~)<*L^bnpln`Bytm;ePY3Pcg%a>(avEU}yhB(OwL+qiNW=%curZ}nVeJPJ@ z<4YyK=yHfKs&p^bDK#U}mKTh&g*nVimKylEmampMq>{$I$iv_XUZ=~P1aV5l_3A4r zbDfk*3ru!%-yJhXH2bS$--A7IxxD!5e!|a9U=+94*Y*vj&wFa-SpS#D{!^A8%~mQ` zu==2wYkBj-Jp!j#?Ongpbzi$Sw5e!|xXz)vCY`W?QBG|#gtt|itJ0TQ=TkWw6jE=k z)e%=BgU_dwrgn-s!6KtW44%aW5#%#n{&s@cIB+dsjTs9EH;`h-D!DEPC-qX1RufWs z{5N9w>Uw!%+_FM>GbbiKFPV{XNj9sI6sZZztNWaY>m3mD>-wIeqU6qRks?1^jh~CI z;z5_At6JGD)<9R^m(tbDiHXmv>8gIZym+`TBH3LDt9}ADlra2?4Jct)Ns(drn5L8Z zoN;S8sj!^XUgNFJWNS0w%s*UZnY@aGGf%@_Qk;luYc_dQv&m<|`nOh-)mlx;mVIk9 zSsjiu+0^E=n(*`Yi!_(iFy%&U+&ZKEUjMwDV?Ys=k{80}vb%5%yFxRrl@)3Yn(+_I zSzLZ7nUT!bw>g80*Z`lC#btA(IootIgEYIHN21McXF0P?w^K=-Rfn=@@g%G^3X-)S z6;HrwlVKWPo#AF)vU~*d%^ZAoYrmkU~9?QT5`UmQ($Y#S*(nusA zP{nGm3G}H48CrjR+HC$wXNgR&OO)E5r%G<#K8YqFn}Wt&$)=oLJ@@l9LtO;!BT&s6 z)+;GcThCOwZ~%qnnAIq{#lCw+fprrE zo|S4@zpsksyDaz@oOo&Umu-eGW0M?v5oL&cF8jo!uIFpr3v3#q;$qY>^<}L=W&7eF zyDy%n3Q^w-x-SY^baOlBU>3FWo@y$K+XDis;*wWr*y_=K5D^E}(+@Wzy3Jj{cBPda zxxAezZKb4hB5F~sx=>WI7H9M~=wbIMErpPx<3!(D9;74@2vd7WqNv%-KbDo=S1KK2 zM3CEO0f8fQOpuFwhM`AWJ$mZj{RUG}6O5KK^M~HnA&kkpkhTCzrj8liuL?{O!AwLI3*gRqyB1LGSqZwBH~6dit+S5%)P}pB&+J zr!VVP*K4JVqSZ;$MMecpFPG*4b$03+R_duNRPX=)?&@^V|D|_zdh*E2RYOCs zt#QN%Ta&m}Mgwcty^YhVR=UKs9LvQgGS^xm_ECY=wCX^PKRbQEl+o;&{HjbUsg>1l zgVQ&}(jfBLd`M6q6{Fz$6bj~1eR9Z6541jYM(&SejwbyGI%Cwwe{I4*W#Fz>hKu!3 z$@?^wI2-{3ivL3I=OT^ZHcJmbr07Ag>w+fToW-aS+-}wZQkPqcDXf_m=QEHt9D>|+ zg%TM0`h*|i89Po>IIOZm?de0UUc_M?>q4Gp#iaS@1$W0)u#gwrBLa45bVC_gFxoW{ zMy!0itKHQzRYsRW>!!k?04w%KH=a?e?Bk`4oqXrc(uEh{hE-x?S%#sMF-yW#~~&upLbvWt+U_Rf6@IL z=&X3Ig};b0NdDGYdaUf^K9k>v5AE-E&as1hid?_~z{UvlLcUi)KNzxmNDz1(M7}F7 zwt(GU|8)~YzKaM5d;|glCILY^T=paQCSm~rp6m|55kY8zd`4RU^brz$U%b6OJ3a+N z>>=P{DnCLlxW{a~!^W6``+(enVL$+MUCalC9>D%EAQK4!K_f_9zKfk8oDw`5GZ5VS zh|n<(TRYc$0{zz-3JOH0Vmuare+7|(-k7MG{~q`a5z2?yZ*_Kdc>_zmvYJ1FX%K-4 zoB}T0L=+kQq6Y_s3}7E{;m*U*caWY?+WIH>`PuR5MgP?1knX(mJwz!`ps=6sD=g3VZ;4VDX6&o z(WIgW=d{58O+)11A$EWV{ZRx*2#kU|BpG^$$OKcqcoab2-SO}QGeIvjKb_XjcWuGD z`T53GmzFqYxNIKtySNrAU+#kUE(*P1%Bfpj>}diiA}R?}$aCsD^``wDxFNwUA{6NH z=P6}hm(MS<;ZHmYpA~tVkffo1(CJ|+?)j29a03g@z5hn+JN~Iqg zp>>DPT;AO-_L+vi6$kIP#8)DQtJze*@!s@&6Ri9e&zv8qoQ#1bpQ$5UJOaQxQV(a@!HuI<*x8gX}a!Ipw z69k^wnFI490PSLx{#DT_nVQ(Om5oi5ZMKR;xMAdZ(stJ3^33AEHVwd%zx7}8zs()J za_E5(_*>vb6O^Ss^W7V+#TPd?_3sQqFWDe*OZBA_OeTEWr90%ZWmfdbRyS8 z>SxVLydD9yDA^Yl`2Ba#C_&TF5%|OEA7Ay}*!^F6_Wr@kKP>R?e}ljOy$mbVA#h^T zG31SZwAK#NL3h7CNC(~hg+VG>PjihH?9~|unW@I)@DI=qLY3o0>i~8LDZLMf+a`|f zBszXuKVM>g$T0`J!M^-!poSih$ZzpIT(IZ$!KR-SjKG?(@6@xEC ziF!8^FRER2{{<*g?^cJW3GYzek+c%VYRQ+JlfU)7sl17*5VFG6jJJsec4waRA2|@d z177@~Ko=oECzz;3ZkEBf3VbdHX$r};nT3^~5ElzF^WcvPge>J-EM!@O*JtOaR=WM2 zG#yzb{3-=Yu@EZ_rukR9Go)L!F><1}Va`%FnA2m3Ove>caGpu1 zS0%zC09GQ&xn`{CtN@~v z*Jc(hym0{(W8_VKQxQUCqqq9ejWdRXnH}ajh*Q5D^QKnuS1s`pSXanHka8}d{xT+K z`V*`keFH-)8Ai>lnSY|Eq$)eV#F@?Z5laUv|40`|tk# z^XFUp?l_eHgsWT-;A#uFzYJ+Bcd^e1vo3l%$YpIiaM_Jj# z2v{z#Y6!$B1jdlcr@TFv}2w(=rh#-J{$`EvUr#?b1azVK*TfkLj z$j$>D%NmNxRM4_v142GSBqW$3TeY!33jp!qH{b>h1A^l1?~I{8LUd1VlzT|U&Jm|E zUoohr%4rbXBQS!3AUJW3u`>n^7dBWRKiK(3P=O!ZgTVKue6IHhjNu&uFdonq{fPE^ zU>w||J4DpzeAnF|PPCZPNRku{CTQmyKr!E~vO_nB=bChTkHDLE{c8X{s-OYT^YlVt zh9uRZ1z={{xoJGtJ&8N*B)28gCcFs zL;`q`xXrsxi*jP-YQpz~E0S(M^LdrLE4D!mVK*)1ngFKcS}Av;;LPhxQc{cg)k3T%>1HPPS%&At!(`cxYH*yJO^RO4StrdC zDk&aLh0zokI*!e5@{uMjc@Hc0KFDB`Qev-gc=1sZEl>@Yo<-AWE^&};F@a&)^q1d7 z`OWwShV$(uO~sWPitpqZTZ%WyZK@ngNVZi5T)ngS7g|$`ztI|-OlNbULeZN$M)1;{ zd+=C~UbPL=`|W7;gJidN`#W$F>t0K3yb71~QjWmQy7N}%%=@+X`qy5@J!U+My&=Z4 z#oTyB9UL`26g^J6@Rosamh*05r(GJh<6lnS^sY{SKI>m!{VRs@s8Im=vJSAq5j74{ zBkG6Cju=Od_DnqE)jov>~ciCs<%_@)% zg=gmaykEti=L<4PmXsoL$MqE>1SAtSWRM9WB98|b#B^hwtBb~6#gFudwia;W47dg= zpV4|THTmwFN&k2#flJn3zRQn(lx--JAH+Q=v}r-Y25&AzHM4WIm?D}-$ zRd4@v@1HRrSRWV2uU0~u`FG`fAtMyc%_h>hEjP|D(!+m|jAM~0R&$Wtnys3ZKzD-u z-sM>p2N7*n%{WA-TYgc%FP7hG0=F>4U*sm6Z*tY!OZT;gjg?s2)Am~FKPYmx=yhlr zO1sgEX?;{?`Mwd64oswJoK=itE9y@I$YoNm%5OxA_!Iu0f{7au*nBI%Wdt%bn&w;TH@sCC zxINzwl)E?IHvL|GaSm^gSKL^>il=@Vd7j)(1C*dLL6okBkZ$$FCF|)!@@S>>j>DKBDxJ1UD%EMe6mA;+weQ zgYsyPT3}Md=HVbO<}y;(SBDvOnI-B6)$fnE^;Or z&+CU}W}`=&+52Vd7_=n*vcyHAKw6ixbD>#f8J?cm7&*5zn%G*DwS`Zvt$mHVrswJ- zP+5#W0y>8K2QO(f0nOY32v`%W%m8<$Xa1z1rzO1eb)ABx4#(`wQoj6!o%tsQ)s@XW z_9i}V3~539C-S+58U}cQP|w0&b^K?id(hcW$A5NTc3*AdKR5E@Hvdbv`(n%gH}TuX|8Kef zSIzy?I-THsX^l>lmW&UHSssr1A#W;C84R(axI{^4_ zf)0UY+-fUySAb8S>y2>y%$raTg!uznpX-vp=PWKcd< z%hQ%KGfINb&&R%td9P-rXhsX{98Do{eLOi7~aBbbdc4B*1@pJ?>G_7P! zf3jKj>7n>g>Dsff6lYLXNV3(+fA|3O`E0Cwvg*oCFUFROY{J+gC=4iOf$+i~7I((r zDAkv;$Q-JF+Mpd#B62e@JV8Ok;ultTzhlM!x`A{Y|HF3TKR?DElgMY-10=i!j;tyq zxI6g6a3R^YPLx!KYYOHGmoN|EtdPPFDVZvCaRunV*pV0a$?sAWyI5bpQZXp#=c2Dm?&zm1qJ0ET#(p zurrr3Alk1&Apl@`l>mU1DFq4jETa|xP){*ve+L8!@pVOzMMTVZ1erwU7~aV%te&PA zu0&uavN6hQsa*UAO8nmg_Xt2rqluUS6<6&fRa0^CbAtFnLkdDj7$*XXn7kxwFko*_E`l)J&oV+AKCHQA7H?SR?)&+X@Sr!0y~hB)yl8WCJ^AU#-{Uc)D0dvX@* zS8cY6O|@bJK7cPkwW&~Uvg%Dn!AYq&X(b1U%iQ(@GM)sUJ5U?@sPVyWw}1bC9{$}n z^$kJa0~UnX8E_OFS%Y{M@|_oq%rsZ%Aw&*C?tn86$xx0A9HlmW(nKX`)4y*dvy#5y zh{Rzs=1l&755|MD*Zm{w(28%;rS@-lYb(>o9VUU#&wl$363jV{+FHr&IV-t4hnUlr z5iT@$ht3#VXQi*?T>EynJpNSwt}cJgU&_lrJhW2?)pv#B%XHu)h{6yN@F~@MTofuj zroQ5pAGr9dG*#iIm_mBKw^A*wm2!=RKV1959 zNF=isumHG-@q^h%W+DgvPRenzgey&x=s1Wx7r2Nz1mEypLhJ~>6+{dmLPTVa{*mxj zwTM4xe8}#uPelWa5EGE-odskDD6?+?-BDvV8AN!9J_13~1>>0XE4FoGSEk=oWph6Q zcz+AN{UDP|G`gR@HNP;ncJ+7r>F@Yr0ju#rfM9|DI^zGx!Da!qcB$lfVi+sNft;m? zT6O~@6M0M^bH?eEd*}f(&@~^lr?9p1F!{BNCugRK8| zfB!{iYya8AZ|ncv`hU0n-x;=(g0diGLBO?aBS|T}Y?TmQvMn7NY-U<*W`{0{m`#V6 zCS9HcEJ>D0BwNn7UzEuGWW))u}@F&4Y38jHP5 zIhJhCb?UJQ`E0kU7K;es?lXe@k&fE7lel>sG}QcL6F!~dIx6!S>t@>ObgJ-!7qQtc zSprjzcp{MrKv?K(IlF3bbGE+PUw&0)!Ot?@0r_{PK~TbRecm6OUi5xCKRq$DN3kcx zunQ+pNzpYZu}R)wzrDD%(fE@Q7=na0`&=spr&m{|jVAkgw+TMvwQq67#AwUUZ+?Et zV53xfCn8>YA^8(K2=#>|@adD5ax$uJTwp@px|P>BGKWbzl*9PQ_>=FCOBvK*lrsDu z3G-0_%$0NGGU(?u!yLp#^Gn-(KaUBvb>W(~SA&b*o735o6c(({gg~>iYv+LfRJ_lX zKwDbkA#Kc+dGYdg{+$det$we6uHBA@K;Fw70i&jd;BIvc`PSBn@EJJ~_%z=2Pp^)w zY|lF5-6t#4{Ib{Y=bP({b-Cu53FJPEU!}fWsdK~V;{Wz~{lW3ui`QpA5BhK4T^*ku zS$|m4YTHt=iV}1Gfsm@Joqt$|;14SxBdw-O0iB=cfgj(KZi!N0tv>(%^I(MiH-Q^@ zC{futu?p9~AAkJuhxLagiHPI*lX?Pl;hJ<4j$7U2$3Lt+t7Jmgy{n&3ula-+BqPK= z%Lz#-C(E)>F>Pd?Hn_xnEgTt#M?kAuLTnfO)#fVKE`h##5ls-m4tU;7lUU;KQCX2c zd@y@0Y0Fi&980}Mlz|DN6pqk;S>U75J|uw~IR%{?o%BzS-(8(u|7&o0_4fMh@!RvG z%k$pZ#r5g`UKe}o@|(>9fB!pZ7y>RhIsz6W5lY;7spB#~rZ^Y|{r-8%Bkj!?cCOCj zX%!8zEc9u>(=N;O34An}?Awj2-o?q=H>S)C8Tjx22H&2(ef=%?2WYcN*yb(yMr!?s zrlhH~Fr5eyLUuTe%UY=ct-W0HAs$(WnQqLET8;-PBV7wHwTXlcX!%(0|@R7jxrt#(bnRAQ3mCy6-Z_$)5-5nwfk;;XQThZ1} zQ-*qkK(76(FLNCW1$I4M%emP9PSigA3~27d_bqZ(-Neq&MPVd z{qLa2-x~O?!0AENmo)x#CVbh`pL#7uBFZQW2x_ruC^qlq>6@~tE%a&is9qp<8vneY z_MXU#)^?!I;WsB>OZJ`@qAD6lp=8$Vwa5{YfCWzAamaG~eD*XK?50TmOEPI6O7+M% z;AX-xtAo_{pGvg8)3>j8QgVg&Zv%ARdQriA5%$3X{g!-XZbvxW%1l@^Ruwb6!QS*L`n60x!%y){YCQl35*rg47+CX@Zd>SJ!DTGk%>7x1mH zn)}SYo`&d9`%!tLHecIsfz|l%?&|!L1#B1mpMu3NRu}?bM1L!0k`<`9wA{@bUQQ5Y zB$%#XUjGYDPR~!TPc`)IxQ4i5442pwK@96l+OVjzw2a*KmMW(0PoG-!&f$~ZT~e1RPN1n`-7@>T z*^~(|xw_NT3Xf88zEqL4TK}jfBtI!~||L~~sKiMJAhUvaJ=kx>L{tJ-+?BW(`X=uO@Vh_1Z z36;JC?FTH=BSD<|yQ13(e87`v0{m!l!w=x0#?D@RyIS`SM-Zn&AXLyq3_Y-Y1Ue!N zMD+sf5d)p#01CB8ps~A~GzVQSE^Aa-nGcXhQRdM%;0m#b_!%UL_(22u{K)*91oYJV z)FopTCX-y)Xz*RImsF9`H!6|}QZY$a*Md}Ya>jw+MMC~SL~;u;h{-17FI1oC&*B7sZK5vNRbCu^kb995ukFPv7noKv8?G3Y4JPYo$MuYn8_}AFbq)Pb^0$oh~VH)<_D7 z<%TXB{1C``tT4psjViDC7^cYOG7bgVn7L(1ax+A^cCys? zOz3zUPH;r~D2e`oB!o&8r^`|l=xTl??U{=2pR&b0r|dA(Z}j;LP>LPQkAg`+D< zV@nmzXgzOn>^VahYFn90Pl~O5d23&OTA>Uptv|6q`H6T_Dv38UvcX%#n_9BJ_$s-? z0Wwm$IjT`7KT!gTE*i_yfHDa-rT`}A%Mc^a1vCKn2e_f1sJ*KwXOl*6;teK*I5mu;g*?kNp7qYX=MHg7{QZ%G#ugwV707zrQodGBre~cWHU|);9rwq za+nEAK%RSrhKHG82J!q7vhg9%`%^4Nd0fr9ic=t!q|*x`x6c9sN9eT&M}kXP7Dzax zVabrqY=#j*uC3BifY!&vpdq>&sD^`7=Bbk5j(}x5fFOo^kwD^R$`C#Jz5{FrP&DEa zgnITuJTodWPXfj%6uL)@M5yQ`Kk1NoYvog9)=!o-yLQL6O2%iG;OYrf$tZTKq6bVF zEiExInGPtNgq{);X4H?6;8+dWsVoGM>7gWPPGTuZr9H|H|KUT?u1=u@6f5W;t)zoo z8XhB#3v;$4A?kKIMgG4_PT;bj7Q9C^n3Sbf%1mGuMdYE*U+m7}#P&f~FIOR8`T8g_ zWuYvH;y_>Du$CoLc%QrXNLMNG1J*2rM}3r?VV*UNAuS+-th}0WWLFkGS&S-Wr}I#y zTx>Z;f({uzd4rHfoI6i#lKeJYVP%jdEly9%VD#7qi|ucvzdH6m#Wrol>sDOYTEQ|lu=QBIs-a(n5o`v2X4}MyI#(90TF`HeHuD;7 z>gfMs=PeNTuYa@R|6lFzXY~K>^HjbLMewiOTu?t}V2(#G zo;`4DEZ7Fy%isER-Uqa^)%>=a-_z3k3ROSocrx{T>{I9enp>HZ4W6f6@aYLEOPS53 z9GR%3qA_$ln*$;_BC6HCq^Sn2{9{=etL8|uv5Tlf@J;>Z9J#s1GZ$cms@{&tw7+0o zujp5;|0!`(WMNo58T>5$@8$FC{g3_5%dP)+BfqWw_Z0QNt@8Jjls`;0BP`ba%F@JZ zolrf$)ahj&F{Sl-RM4VhV*NSnKeub&Vi*$nJ^GF!atK}?96Ucr9{x;%C`_JyJ{sr* z`wV$)H*jtdv7r}YAK6?dv_*>e|NMC<iwPp2q_1W-EPLfVf-{!pV4x@YU5&Y**&@zB$(-0js zcI6!CXEX_$fS9GKB@`KzO=bIj%+KH7e+P}!@~K3ofB!q!wHl(*qNoqciDICtZGw*< zf%(pA3MJ7^7tBu+MPqjtWX1tqkkbCYaC~QUTOGt*6UD{x+@Bw&T608}=WJ7weQ6n) zvoTTI4!JGs5#p?8>3>7yOdSu|T&EA`sQF<2X6FBT^&;#4dvUO>|FDtYR{wj7`rp?7 z_Y~rP*Q6^cmilCie3^=np&*s(M_WhT()U-l^~dmiPcad;pWE z*j~=~Ui1YK{7j&OE)l_j+n2@J!G0#JH|sroKxO_z6BJ}4Il0x;^LZyS{5y?|r{m43GZpEHPIjvN_l0Im zdG~W_&wm7rM7{$KI>IbyQ%3D9B7n~6_9k%AA?O6JULB-Z<73ON+u!oP8TwxU-5cm} zd6wABTTK0%mH+KUr<>FN_MdO-KX2qG^gjSrpaDubX?YzGfK_OL0IW(61YjkaAOMT$ zf&lEyr3{Mpt5665SY9OrU}Z{SLOsiqg#1M^(u+Tdv|E1E5d&kFb-(6fE33;DHejLVW^n-)8q7o>nB;Om?ultw1FJ0&bHr8$HwcKsiH)HTy1ANx zmCh7%4$vQ=qsA^jD?lS2#0FgxivbrApeNDM*rn)C&;bqcZL_#vbuqW_9Y1j}KP?+( zzbW@vW;&N|PX;Ha{o~jnXgg3AKKdY6_7kw}F@pRYvU(942L%5mc-JBL2|q=Tfm)K)btE@eW$=kq7+gbr!R($4#iq02x!&h5$CVV}YT(c;wN<>avSIP%_Zj9c(N;x}^VKb!n=&hE z4{oON;5>A?ETz__)m2ezIlVpx#a0tqor;8WlUGqy!FARY+)~pfsHup!Qm@PZ0ltt@ zA+~K7+amfYmAb$zF;l;;bUfSl2#?0>5LkA%qi!3n$}ydt6S;woxVjb#->uv4g+>_9 z_A2nuPuO>{Kl-euN&*k56i6_{D#W;SzB>RU)2%x@8r}Q{IZRB<28G1IL9dCa8YZa% zs;s$!pV!hw9#TlvOGlGxSW2}wF0tu1Vc^pEA6mx~5AG1TF&d5#+u1QW?PL2Qw!h8) zs{Ma{;39rlF7EsLTOI%3^H{eK(zZT){+|KHaCw|@WMMc^WNo$qmce-n3<^EbcWZxvp@!uFN^zns?(tj6uP zMyKDBE-F)?qS39NZ%er=q}%iZkKzq{%8R)PpWxOd_!a%C z{eR+BNP>r{jeS##ovRqcjQlUJUc5NS`2SvXxA|W-^V{Zs+2()w%JaX}Ndd}NBh3P< zib3Ry+DWA^*KM_#rJ!fSb*PSUv)Dv>JhQPjagGp6xh|!dQ}>l<#pXDhE`V8m=seY| zIolE!PdjtY!f8jh#VWSND%Ml1f@9}h|Mcp}l9=LuAKF>q`O}Nun^QAulKl3v*YE3Z z`QQ0(`O|;Cy*f#MJ5P~}GK=eiNjvpp=y|rVLsDSdlzKKnf4V6{o}$cvlviQ;Snt^7 z>x_Jc9l>1RAT|y%OKC?SS%FW72}VEVK+2Ip9gAt~0M1x5KYS=SdW#LFg=6cWh{B^) zpPemN6yTNAS6p&eph+1?+czY*MTBk_`)gQiQGp!G=fktL`9gNqt0Db=SAt$371;JzOlvKrp*OUNX!4SmHdj|4E>)3 z6U4?SqBetMgcd6RG)wN@mHw*k?c}2F%gDtm>*}l;;-O;rZAAjWJa|cBt7mn!H1m`aNmHd$QS2; z+9i8}@l$vwPaFZf6Syez6<6;LW2dZvavZeXz@f&Yw%m;EKO;n@*dK`-+o|rv(txYe z{=4(*%}{{4G_KB)|Dg_nA-W6#??~x|Z{*olewVz)(bewAJL2EA__5c54#RioS`PX9 zzgu!^fRBJ84>@eNC91?mq1F5rd<6Fnusr~pJ9+wRNK6?ovUlZNaaB&-_wRz|oo24E zZ;a~r8t^fZk z_y4b={%>tPKFv|*RN?EX?MlrrR^PuU<$W!x`&0Lp$9HvOO+J1S=T|eecU91)z^KJ( zu@@ii6>%xC>v`XPZg*z6o@;y4a=z|a_o~tfmv&t|ihVp5u;O@J3k;!0QU0P+vm{bC zn`J`vsX}vg4z2}9*_w*A0G11Io@cmzHI5lir`#n;O^6#x0XYrpun z_3civBfiS*w?U{Ru8Q2%B)kP0A|QqVs#_5e0c?95P*%)U7o9)?u_Unphj&b^BYvZ-)LC^27cn8re6I?|Nt*^?y6B4qoK^ zzuj&A@6G(S`rlUn`&#wC9Toflz|J*aOOa~Si3mYH^QK@3u}8rTav)#rULf!=k zI^(3r*3KLbX_5J;jv)Ws?ur=FY?NBv$a2*tqNoq4(yMr54q_t}iYsI2(IjM3^(IN6 z+LXoo)}v@=j;@8hPawiGR_^aS(EmyBWth91gLM*;LLZ4BTGo0f_n0Nkp(e z>N{iPMjrM@XCps|AD=!TCla}j4d1gsZeMtX0&w0#oE#ZRwuf($K8z8UG_Gu~By6uFtmjI?!dC-y2PC`& z;v59>90Ybyx}ndLj!+iOKEbOz%bSR2^q+^D9zQ3$JX$xf7SLM!Kk9p72zLis{htG zc=0^v|9{cl`u{ib+uDD&_MflV{!=>vWaf5XUeMh&YQH5?V`A&DXfQ#x5VI{=0&Xq$ z1SGRoj9U!$MH@c0R|M7{X&?k(t}$>SnBfTuB2)DixxS2l&sFmcZ8hAlQ^U<&E-{~c zBQHw;Hik^_ZLxO1!;}FRyFfBI;{$O?U_cO!JT^cNm<^o3MMq{3?){jb)W81@8Xt;V ze*(6TKu2iSnP74AgQLbSSE-@n38*AcDzpIl0YB8#eowbCo1LKSQ-Nm-z=LQ9@eZ@}btpLg1~Cl{!_reCc8wfNbK zg=K!#W6aS1IxjmJ|9|&+_h9S)-^lM9a0wYh#HT_t5bH0Un>P{mgq9UT=N66-ZS8ym zgrAf~VJM1J(J}HoF!F*M>6Q^11wkHU_zr;(va#`;OXc4HAB~hE84@(a4@&a`|J7`P zx4t(ON@XZP;zB*}u#Z|ht&{$s&$yy_b=o_5bK07?tx>=xp||r5I1VP0zz4q__koKE z-D!<5Ym5Jv^VwcP)A!?tIs}fww!~ zwb+FJ9S}U)`R@PS`3C$32@WC(&Q4D0PAeqAe~`m=TG&OfEt`|zKRc~E%GrH;XXm@t zDA?ihE|>4yI}UC?GMkC_zfvgIF-GX=y69>;O83o(Cof%4?tuk%_P&aFt9Npr|lGL=`; zLt#Y1fFhb;HC}MNMwaTu5>ugI7dPdn!95~-{M2(hv58ebs|0^JRna$l4tMnm36!}bGAA)J&;A8 z!XBq)t*YOP=K?VVO(0GjydfllQaE13G$x23Z^{*gTYa;RH4HqKjK2L+FS@ zV$V1uW2EMQ;@CmKFj@6u?c>6MU%2AgJrHkMW4suFYQyQXG=_tBmRb{FxWY6_#jGHc zUj?KT_&sA&FwXS@A9|i<+cdhFV5XRdmOEsvVGg+fPi+M;kl^Dvu|lu1IPNM>3sX?x zTv-gy>HP+cp*IAgEg{QTsT(n>6AnMmI=*hq>B3~Y0}xtKZ;6{oxyaU%Go5+na9I9_rz zp$CnG^jtMPI)P6^>_kCCy(ySLa?4pCNu(n!av_RGzTo|d-?D@fIkU1Z0tO&3_iBFhnl1)g_pOK6?$G#JgFp$SJ z7kG{BCmGRx3;fK*Dn9ISJpI_m+?Q2&HLVsZGsZSExw42mHxL9k3%Qv}DUNFAIph*v zh*$(YO@8+Q@!WgNWeq>@ZL#tc--&)xjwXAOj<`f43rT1} zD5W;bBfNx@?Io&^KuAJb6NKa{4+GB&?&bNedDr1itXDPVOe4y`h{Mallllfh4h}Km zOv@B~12b$tH&HWGDp|1~#WAYKyfMaSte^1NJh6*pV1Am&EoH1}bU_uake1|2cHwZQ*xLU>t%GMRZl3q^+Lxq zZt@P@XWVePM6b0H8m{7x* z;MxfEGpUMJ!tkTX%u_^0QsE4y0Se$@!e{uAIZ95zeE$L2%VQa8S=B66|V7!%j#lbptD;|FBI6=p72AV^vwtF#C^@Ka={uwn+ca^XR$(y@^bdWQ1K zC6qKcYHtaSHBG0B*2e~PUH&)W`i@DFMlTw4g`qk-VNYV8;#8K)Ki|%bDeA0>MT+Z{cPV)+%s=q#Qt^Ed5Eul=&?RQIu#ELTnYrdMN;83}41l z@J`e`OppTtT+F4`l$2W_!6&A@0+*5O#_$yd!vbjbl5Habq5WxzDq>pa;;kh5<3k(P zyaa%pw<>iC$5OY9WL9*PGRwr8N=6e%Ey#gTc9bVT>Z*wpNLxBfIbSsN5PI0bT>TY2 z8V-`!zA?>8k%lqLFk_XPt`bR~kC-*&NKx;`v_8+Hnkg|$fN2nn>_UpJuJ%64?=J$z zKZ?CK;(WOYq*BJW?MSG1{1_3S(I`ZOB3H%R^KD=(i5f^s7t%n=P(BJj4qz7=84~wy z<1Ho_Z;X&6#6G8cC||(K7P!^|2yMx@5G_Z$0g^#!LgY3)LLBkRp(e!_?Z$u;L=B0C za)nSfTjlcOO~Q{!Oxp_mV(fe7A~OBzuYOdy#GXs{1lL>+=})KbJs z2Oi99>C^!Nnre3wc38q4Ik~vBL2?@u`v{frrzup3c(fjd&sl87VPE?6Zs4S7#SLpT0T0xZVSAPOpxC>0Mm+emXlpyZ)CTq1R{E7pHw0KG0KrT=uT6 z&yL@n_pZR@yQ|B${Zo0`N^hZuJg%$JFz_iBUI*csky>GzTwoZIAS9TJ=VHP`5D8nU zpudFU8un6YZKO1s2wg?9YfJ@ar-6fGHCZxsZmw@ap6WBFOi?;EHn2okU;JO_mikQ=95 z2y<_tL1u*dnP@GDZUO08+CF$n&h?Z<;F7E@0x-37O2=gzzWiFd1QgBz5Q|b6*}~Wl z1F6{JRf1Gt(54&GNO!6wv_GMeL@XsV#XEDki<`Y#nO%V1p-! z&!Sf`=>o%>0`V-F43JR9a(q%i?TnQy32J)m$C}0RtV=#yW z&7ey9&4BONG!8Sf9?k7-q;V(wJW^ID&|A7v>`2WQuUa4{UZ&4ip(tJVFpvDiujEMx zkCKL9Ku@dVVtnAy5=Yi;h|#&#wFnq-)nh403o#1#f~Hg4q7)LnuoPKrplrhO%oL7L zKFbA<>m6t_GPDWUi0L%`6CMQ(rgNH3K@w@@+EB4r&Uu;^w`Iz5Ood>nTt3Q(+OFG; z&u2>6C6ewtFl=&-*8!ffb;DQXiclbi?t4(fj@P6m`c<=DV{@?p@3c*^CB+;xP zx>3FZRIbcj5+USt#ShxbjiPK#&}uagBbH)V5uWDS#Yuh?vM3OQ#eT#E3jOnx`WGw{ z#C`kDEe@6AOh9O@AP$l^pJ!AZ)nwX&0HDGqIsZ-fAi6^~t@W+r+w)>o_NtZ-R@ z8&ZvlkRQ4bufzf(Ww0yvit^2;a(w*~-@6*~Okw1psXqxXwWKUA6W`8e zv)McH7Vzey>MiR#Xl`PLSBj>s)zFe%+#sNqR0=j-E2NfOGpv@}RWYqQsit+8<+Sdo zp4PI0TA$mw`RmWpALIXT;wtVQ#zO!9&8JT{pY*E!|MH)&{{Q#z^MIV_Jj_3_Xi9b` zG|k9Bi2?MC?Q}YhwRQE$%P_{fFcnWnE+N*hy2rthLS-xxdcQ4$le%!`0R-ni->Vqdtw55gctJeISt0Fs~UHpZKq^q|EtJm5qmz0Xx0(G=QL$4@}F-{ zX9??T@huxJ0U+CVtmdo0*h!KirhjYO+wvYSfl_?YQ6DUY<6yc(bpS#7lk?c|Nfu~xT_u*`D69m^2nZ4H5L4VgD?bG>feUZ&b7{@#?rPglHllG zVo}d=Uc$*)WNEI#GI&fTs5;BXXfOzjof7c0?E$K-+!j-~A}|KU@DElY7y@k*aAntK z=eGe%B0d8hvveU=&@$k@@JxKZBq@{>!wI1z(-qnGeK&cAx^k09S@_V>Bp`)P`6H<2+Cb=g$=7DGvpT@-!LB*b@WT1k<2lDVI7tY`Kxj@g}fMqm{ z!19l)=xs4!^Oi|DA1CmV&trLX5ZwZ!4!aCtsduRm;W+Lm0u4WtGD1BiUeV@59M=z%dCtNp!i587_7E(EXjZ}xidAeaTu^M_g~GE&Kv*4%s8=kQ`=Db1O;QxD zn;@o4IffX+oKF)eP0+@o$t>DNfeWSn2^C$2Z8Egv6_bA#!I;B$HHySx)J%_>oLDbG zYT#Oq^Ewo8ualUEQq-!ZsBS?gz;6~Ur0BTzKvC@7%ODYyHNXrWtYL6^X{>cv8c54= zelG8%F`c5@h7Lf?to?Xc-d7J;HsQe#QXXZT4COi=qW;6)D|u^)X2pKiNV;N+TPyJjFfGTCo9CFNcs5e8Tk1}{*k6h-BoR<1keFRXGXkmK%te+x{U@N-Dl)ewA`IJz|J|%f#%BCD$b^=@TQ2GW^;2gS@ z^n^=4AZ499P$O$3OHD~zD>Z7+Dnzi}lMysfXMm=q5b?2E4(N_m4qvZF#<1#lplVF% zOzy^otE2Jo)Wy!s-7|hv0;65Q3SUkdWlXzaL2VSc11$pW`v?a9xD zEuMo5x^j1H7sf8osI<@=YSDKFFwQJmo+(oj%3;lHt)DR*crUOracLjCfj19Q>%3$fuHrFdLGtCHrdYYe{jz^&qS8ec1;RZw_oIC#MGv37ys?QefOz+ zjM6y`OK7cQo*KZw8iv^+^ql9Jwix1S#XD-<9&-rl+c#ZN9qz4h+&{C~2^-mKA)4u1 zIu-X70;ig1?ZO6GEC@;xD#R5}0~6+~L&y;h=KR96s%kfOE%RZK!`-bQZ=sOKWh7!{ zzQz7Sbg?Z=i4b6!@wB*$S4~}I5QHSB9Rm&~-Eu6rU^C+CVYzeoa{(JJXP6=-<~^}a z0T7J*tZJ4iQgkYhFU>jCIXO}nFj93Gmc~51X2Q53pwInGgH z+|Go`W2Hz4svHv*F9{>Wwc@Gcz4R6WVQqAZE-fkp+T2x!;eYB;EgV)q-hCC@qDS7u+Q|zR3nl#p57(pKMcfm^A8M|+)wK*-Jj}TUB%St@yTVBMG-W5WVe($tGU?Ls2Zfo=RPZ80+&+xk}16okBVyKMy4o- z5wMZPoP^T^9g4LBf^~2Ohy4k?40)Gu&q^Us|+jovr z`u=PYHjf`YdG@sT{pMEb0E%?=6yeq*RCMnx$9cP}WcqH2MUD*@E#ePV@U{y+DlGO{ zx8Od*H`b%pG8yVg7FpAnW!G}RKc@VGrDOyCzR|Fi=ZPLOgik%`oAlxh`b z0vmKp*0G3>Ltmbd1O=3srG65H+;PS$3Jf2ka1HKDBIefd(=I%b=Wtq$+VP2Z1r9w;Mn z&?$y9_vBr4fk$peGo~(08*WiECK}pRc6`CtqK?UK?OEAXZtLY+>)Xr)ba!J;$M2QF zW4@&WUZXj}6qs%z{fZNlr8(0#*o$X|#TiSJG!%C}IYrNKm!|(98~Q@IHRpb$Nau4M znvYr5fwKz>im=+hCK1g>Je@u-Zb%-O5fm797@B_P&5!EP?YnMU|1l{113t_lsi&H* zkF**>%W-txrGmb78@oFn$HBU8(-we&?FBAeOsM(=o2mS|a3oe^l21dSZtWKs)3w9m zosU8FD>+&FL{i^pLM(NUIb_)tPcL-xawXiu%P^bW`VufUeOtdmOo?xSnJaZ_;sUNM zq`WA-`P6o^St6PLkO%CTr&-B|LDObkSM$~Wi<@~?nF>rr;7`Z^M}i5Jd>WICkH?EX zF#fG!Ooql0*87Xj1}53_2hU*g7u}?zULa=mYaU6y8l6<9Yon9u9~Kv)Pos!m!BsV; z$CiAAHy)~-G3Gxh=u_~RNr;A4qPl6a%qsH+yLRTNz%fh`Kyn{+dxqT)?~>uNsPKz2 z1J|RK3~#tcWFeYw@S0WIdf+On%2GPvk=3~!@}#=o&?~9?n$zG%8qqjlX$#yD(X?pL zRTsl4#iA)VcP34V9`;I%CkM5*36PyPh)4NYRahMAK`Z|cGjyM&L(F@oZz181K9AK^ zzRs^3T*||OU_s%lUU&v5l@2fewEhN#Az%_FChEJ!0JJPGFpqQPm9cSpM;_LlJFtlOIJS3NKhRBkX;`(h#)INjQe|Ni+ioY)pnNp$W*e;$N@~l2ds^Qwz=7 zD%}eX&!>V3wN2`tLP01=(vYW^!l$zH8_}(~LKksAQl12N%^21GTaKfDCBs@N`Jt%~ zzCdY#%Hns8Cv<9`AYO3)Lhc0ed9k}U@1RK@MaQa6yt_X-NnWN{(vPKEZmeK&wk z%bU9XqlBT`b~8Gbil)8CVomh|+FFQU^{>3XOksI^3afI6Z8JI^N}l^x&Y8%*ZI|*g zgn|rrqANNR4SroEI+aIQ&}=;;Ec$Obj+$tzQa#)ZsRCD=NOF|#(rwmgzGa6U-2?VqV=BxvK}}8z$#w;8B@5$0C} zcERp^eOg`1rMY)}vbVc)y7z)umIM1VXq|Gud^3W*iRpnNgPf&zf8ee|C{wh0xek76-wqEp3{pZ zX}X_#J_n~MIF2i&TK=xKSov$A5KGNYxc#?}HlJ*7ziYcvi+20pKiPiVcC$!;36RN0 zMOU9beX`nZSKDbYQjdXbCcEG+MXg=j`&qtd#p^|+HC?pn0hP6pr>>fO# zr(sNXj`s@#*#^XM^0;;*XN-zprmUJzMsHn4<9TrG=!dHLXvul=4hgyfK|BTSz6hh? zwH)VArGRbBLNIr`ycI>RK@cyy`(T7sV5(!B9FA=b1D9`|q%LOZx1yjKIywuFU^`qoUe81h`}x@haRZ zBq*L8pqr?bw@b&Qi>hsKSfyM7CdLpmI5auaR;Pa6w9AgxJpjThxBOZ)}P zIg5lRJGut~0Gx_E+m-7UlAJ2LfShwV`VBBWPif{)2rV^(vzo48j7N1H=c0i$1^a0- zEh0pXfcHU_8qk*G?2ia&cB)EGE;2ZDn*8Tw8CR{h4}^uY)d5Ww2htV@$$_qKxU%1t z1lgb$lpMO{|(rAJ|1GM_b^MT&l*!8j<{PLZb6=P4Y+^+9$=7C9$XnRnuQ_@eL>Et z4`u#~i*1_GdDkHFI{|l-=)-g;0pL>}!$oI2?mhqj9Rr{#{Ms*I1zqI z6P$r5zFy|UshsgKb%l<4m!0SokZ#|7)DtDYl65)&EqDG|+3_dl0UNN0ts^g@-M2ib z^MDZnf2)icx6L=do;3623<|Xb^YZ^fk7~iSZNf!%rpiy8{ga=2>q_Q77tn&R{@OQd zaw44vr-qvCRayHe;lZh9WynHF*OK6NRk-DZHr5NPRv#J=B_o@{pMT@$*I^eMc(j%z zJu85mo4aQnqZA3d^CQGkfRKJn&6c~k) zJgPmqe!V@AZODL4snmzXyNw6(t1upSgnri2wTGqrnjgP}u0>MKmV45r+kgA6?LsES zzAMMqQRBnRnvlC}m&X}<4_R0~y=#7K?NurDFLthI3RRBpdIn0J%R`*hkj#UnK^~Rn zxAhmX5@1TiI#l<(Jd{Ie0aE_&m^JVA-HazZ;^UcD-c~iqd0hgx5lG8%ex0zG zqNdJ!%e8rWEjZVL$KmXaJnVGjssa9@`Q%4NFu^`95G^EqZ_J$3b8@Tgzup+6)Y1mKRA1p-DX*zP9quQAO1{!)90b(gTfiuPx9hL zV+J@)*hXr3@OrH@LlAbL)RbN@xF&<>QIbtkMgyoMBAb#a4_MSl*-((T=MlH8b|v!3 zSKTb}J6KdhC=Y+7no+@HtMr1(uL&x_IRgnAlTjW;fP`Gohdg6_6U(WC?eI0m2L=qD zNm&F>b)^TDnJk*wfr%zA<5igbl%JDOhw$5?LGmnO=<^{q?nzvVawSfi#8R-ap-A!hSsTFr7$-y0gY2JF`} zpRJp=1tg<73SAK>;*fo^zRq-+Ej*klm$ozf>P&srSMl9szZT(}siPy!)UDLktI#S$ zWF)LkB3#M!tCo~%9SV}s3n>(}0+I2IM*1}hOu3M#KOttYSPH~Cx9U2Jf;{VeV=6T3 z=HD7{)~!-oVt=WtdZbKb2IGMo7EQsVH4_<|l8uzfgD*oyZj}`$1R_Z+m%Wtg18z}A z@=HOLdbl*Ylgcs1LY}-0y(Ux;io36{fRg{s2SDTmGy2Z_f{c zZ-%2?2-Z`nWEGh6Zb8qPT)n87Sp8rNqMZcpqLfJq%QecaW-#R-_hYE!2HT3=e$HjN zM{IdVQ{}n?Rt34)4F^^q^2F0GbM=u4Op-}-fka$J{7KFYkNH^!k zVjgkN^I*&}xkJB+P4WA6lDQFJ%{^kX30E+v|H7ku$_}IyS}Qx$fYoqpmQvPt_l4i8 zsD*Ku?P{fLf6ZBPRt8*0{yZ16bN+tSF{~lm&2or!tTB7ha-@YlFL0!lBeKu4Xn4KWVYcX^a+0;=u}i!eR9k`E?f@)<k*Z zf+ihs$s>P>A?ccw_>2N=C46os*qXZj90G139$y9BzmA|g4Oz;9LB>-$X1mm%urFzu zT^G9>FS;dwKGPCh6|1ic@?T^@W_cXOZ$!f=Pub}tWn#jkwW{QcA=j3~qvhC3CJkxyf<<&TU_Ot7wXTV!!0Q(lz2$>Q zSQ_%+-qA0CT@mqhhDpzZbM2666N6cDdqT%6`%^2Z+T?Z~+K`7jck~ELlHD=~BP#4ntz~4GZ9BNw8I19~_>rg$;!uz7U1qz&KER6qU z2#-~A=!~!s{AyUBLYA~?#H3({pqV-i+CCQHk;5iaNF(`3&#^Ik6m)gnm^4R!n{YuQV?5?vx_FK zVYPuA(-0i+uqk@3YW>a>kE(p82tQ$I-MMF_#pPKfzfXEtV3o6!^+dVAKsGnBYvpCh zI1veitWZDYLRhg@Al}<#=l_T{WUS(`AT0CiE>Cl~Y9(5&p%~XPcrC|4|Kjq3ldsV0 zWhnS48@9<%E{7qkQ_Vsic_UcCP?ZG2B8OZHhP9ejv<}K^X6K=*FjprsEX`F&ii`I? ziHZFq{Th{JXG`z`|3a-8Gpvm#*Ub83!K zMbzkal9aJ278-w`AA&_@Q5htA;BpfVKabI43Fy_V9+gh++3c|#`f84vm45Ec?y(5& ziiVF$7b1u7(9gj@RnV)F9!ndn7g2=Ka-73_dXDuKYJs&IrIe6GAYBootgF*Pn62sP zil-MWMa5Ywdg@|)wKY@`%Il;=1yspzyibmyc)vb=RyW7$$5KPCwJCO}x4n1OFXrrO zBk?Nbc_L4qn{E9Up6^V7(WCf;^XwoLP$Ix>yJ;Tph&O_z@Y%dgOoRd3rN+tfSNSo! z7YDY*kQb)cTcw-(yg6DGhZV1m=5%*2cSp-$f4w~VvI9xKysNE$n<{WZ3G&tT&-S2yu(!vI(G%tuY$yy1F#lD zuFvGp|Z{W}Gd(XC3AI-h1e|5-Tl|S+Y>Q`SLMqf3) z&!h1bD>jec_TJsUpa8ISNk^k-bvgH$bk%wASJhNAnr3+d8p&Eww&1{B(?4@vKNW1F zut4CZHIYq#pQnsv_$+2DSX0f3E1q6NoCczsaQt5<3P;SJ`4NNMZzxeZh}OJ}Z&e$+ z+uz*kwcQ50wcFopyCr+D+uxk)myxk_8pbf3S1I+`@qHPv7Xp_1Y4M(nWdl8rVN3+J zf-G&})XMq`GK%?m#z>N~LBhuJYX(V}8K+5BQr9`p=I+w6?#M3E} zOH9h%JQ=4nV1%dUQOba`rRb(Aw=QxkT%P)n7d((^M|Q=FTyK5yU6}&rlM*_O10>%O zI?5n(oYjH(#`H9yaS$<_oKYS{GcwqJb-H(QK%}xjBSL|5Qm<68rX^0QRzHnS zs`mSP^H7yDoq@An0lt>2d0rMH?JYF`cc|UM3HNR9oj0ZL2N&#Wy)&~M{%RL#3wydJ z@3d8MXg>R|Se;;HfL9Y1zljCSLNN;0ohImdnADZX0s6(Vop^RdXN~$~p2#g?kjdpb zUcVPz1GqZcC%D1AfwmUb5XyG<*g>}~$2n%HfGV0kTUww-eRb=Uzr_(;^*A>n{Dh0_ zm}V2V@4BGHA+8x-mO+8exn(V|uBTneP8XBAO2dp{mm>T_{uX zraX_cQ}mN&(~Iu|?w6`N)gZ3K|-F;^b9 zas_`Y2xNI9P)}N@|d;kgOhgH&Pt3Bjq#47m1D!xNd zBx6n(_a$IS&8_{qo8>oz&aJVr3+RamPlucNA6^dr6 zHJ9>UUR&obgir%}*Ql~qr`_c+SNGc0GtxL^i;DZqMPpswy9>dsr64FLT(FpIjFT<7h3))0XcLji@uq=%@apHiwtPzdiyS2^ z9%R(NSnQdLBvI3fs>8bIUIHTNjQpn3KopT=C%Poxki{8GlQa~}i$b5pg8j^9kTl$S z73g|<)UO06wbSq=N{L_RjhT?)iD^nA^%y=GA z(;`>&R*$?2f3!*ssX3exGvU`{)PhmwbH{_ZW2y;@f-SByM|GC@9CKC2qUAWM#vZ}i zZCc=B8v-$cr4tlvjWN3-8BaoAeCC;I7*TD;%C1Y-rP5k;mTRK1Y__1$pJ%#oOm{S2 zpK(FSRrCrC;8@LaLNitPNK|B<)EVWD2pcrHU{Iq-xsU{3#N;$Apo;rki7e~3SX97V z+i+1KKS=h~6~NDNU|j+9J)T?VVYA-j>td+)bBdjZ!+jjdR)KwulbPFb|LiBT49Y&P zNz|7*U+DUr-967|z|g0!2TLz9WSiR_(zN@JU1vXw7Mzb*nhCf6!Bz7O7InI38wx+Q zUG_d>X-uQ0w^h5MeZ0vc;Q@p-5EVOaInHZ&{-jYvcICb|3bB;mgr!XJyh@yF?X^@J zt$q8WZ-uHD6k`Rj2-YT4037Pyh4&ZzD>VMW)2Iyf{LZ2D%?aE@P)~KYHo|HEkaZ*! zT9*N5$%14+1CN{<;aqtwrFKDUO}Vx;6_qcnIcTDJr$Y0lYQh!r%_W^@TCSal1t`c{ z6(}Cn)w`q$&ofm$(ob1NCOisEM5=EQG>rWy511g741MbPlJ73q%p<=_PS>Tcu&yOa zhk*D|$l^>&n%tidDoC1Kv@yK_l%~`D$fJY}>yoATt2}3*f2x`gtN}k%9$jY$;Ed+k z1k>@voUr#v6#8KXIEf4tw_yWN3Op62cDu7t7%{}BgaaR`vDjz|J$6)M=M3J046}3J z~Ba%g;a`?<+jG;!CY|us~jHHk+=7Jer zt)L?uofH}6t0|$8;Oa1i6o|9|LD98bH$x0ivV1+)ltVj3hX?73J&hzl&!9BirgkV z&*0P!u}WeV`;(N%JQrmDh+qIFn4LmZ6CLm7lz)3D$T^d%n1WoR;Q6frA5;tzta4F! zrGp>)1(Q3#l*Th6!f765G-e895e+3s!i5OWBi5FZMvehD$CT&eNs?zC!94(2oa5Dh zD3mA(+N!=g7>VT0nWW)m7%|u$ifZ5cBMdCjr)H9*Ty8`~NlTPd5{N0lVr(+FQ=4G3 z^O;dxhLwrHgq2$6$mKWXDQj4RiaoDq1qfIY@tOJuLb8w^UBRMJXTn9s0^3Gln+Ecj zbuhtA-9}(ZIC6mL%!(9en2b^*qjum>DvVgjh7yRGkUWOhz$zgcsDR%J0`nNn2z4-2 zV4U(ihFqv`|28-}B$!d{m}dUu-P?<2!uzM-@ich{o9|mYbDQ#D4SoE^vAz-0a{%aG#IkmL6p zr$b&q6NuW=Ux_?PcnUR`I|R%X*f%kKs~mIZGeSuohrj3Q@*pnds2dy{lMUvLJ%^BC z5e_kIlOc;Qhpl?bI(hmIr(r}>La$~L{1McBMetgIk<)-xh9m}NINu5aQz85bo6<_> zvMv-jnTZ__x>VRsY?5+To7+!&TfL{7k2atD zM{o1V_U86~klr1Qap6xcGMfHJ@7A!YgZq>GSQmDEhmeYf2ZHaJ@I-ix2X%MH+y1&f;fz`ly}2eWHgGp4o$*e zSSmsu_sQj!LzATVQ_(J9!cRj`pZbN~sx1q0h&eTGRk<}JjE0WNeMp*hP$)XtEMa}PHBjak=TZ-% z=WTkMkN&*d+5-8HXSO@o02a&tN4@Q>URC}-*?#g>{@=&X1M(V0WS|Y;C@IN+kFqPN z8NZZg9W**_>s3%)5W>NyXHJniiaUTRE)vMouN z8HchNI0kFDiVAI_#1oM_#RIY-o4D$w+xj0kS5N5-&I@Qb)jhNKK1<;6;PYt`g%JI2 zhGigl#MJHJ=U|ASFbwUY`dU*ja~?Pk-d2H!$U446b_UqM_#8c~F|0f>;_kc|f%qfIXVH zI|H&maLJE5gZ)9XM0t(5x>Rqfv69B=gn%wP9de{?xx-=`fzX$s zA&2MaP#D>;Ph5Awr=vWIs-Np;^)8zIuma$68by|MLYaAlr>2A9?O~e?r!xsx*U)pHeE5Vw7n`^>0Bt;T9^9`9+cL-Z$=i1h;#}mG2K^ef?ZV9Lp!V$$ z0Yl;^fH$8gx)~jd7IX(jJjpNwUB)TU>`(@aWW#nlr=ex{=fst-}*WN&avc8>SeB_HHH zWAH$QwJLoD^N-0TcgYA02^WCKj(M8($+OsO2RZL#8OOn zqc#`ZHDuHM-;wxVhx~Fe+?<@7i6ef#Ui-!1RB8utlibr#^wJ9(aT`w$vvCNXR30 zoU&2)-hQf9Q0awPO2viU`3&~j5tJ`T1H9V8IYMhX&E&og%y>>S*iOdia&oQ{V&QdP z#*0f$@}q1jpN3N@e}EgzO`DWw3I?Iz~+qWbr_FX zdNAmdO*ymZA&qm|FbTTe1TZbQimHPK6d43pDTv0wq1Ppcr#QpdK3-Be`F&;2QVNB6 zOGfb8DCm4N!rSU3^gZQwaw3REbw}t`A zv5PigvB(Qp(>%(;B$@+7fWtyXK>^8V^dZ#}%ql$35a@^j1n_}F0Vn0Gq|Z3zd9we) zwgKzJuu{VTNyoSLylMX1SdRl>S7i@NIx~W5vj(oU#f>i)CQ%b(P8%kZU*%C@An@=ubWqPkK zY#8(HE`y!H>$?kG5>!N%+eEje?a!ky6&Zmvqvd%6>0okF4RoDG*;?cYOLKuyYx;~$ ziy^Y=v8_0;$ySnUBtCQHnPDedCfk(x6B>tNs>^K|Wl1CC5zJVl%hUQPop!{8cD5cr zK_6r5+2hSEB_T}5eNuW|V6&q|8*C89=n9^0FjGJdc@(FG*jV6fMudV;-ol z6}_xF%I7n3obstWKjorxq$*O#L-sGB-1Vn7 z2~@Pdq*0$d>PZbFDh#8<4g*$CKp#k`&jzYoKQbweXO?9KjXf|udWr_x+tF8r-ZX2P zC1Bli7v7S_JP08h!@>cnnsXf8?2ma+V-`XxO%=vcr9ajlntQ^hkveE=`k>W}2Swui zA_2X!2I+ff)c?Vcv=I4+`IM!huQ?H(S%h zK?n~qReyiw_AmgjPG~3G38M)nQUP~*DgDoxxfaMKG`4*FiXs-CDiVM&luY<1y`%^9 z{ZEW0csSpB<>1p-yRZ3pPqUi~^mHAkm^@s#C;CL|SE`8nG-BjM;cF%v>*KFewFJtS zyHN334hv72(n4=WQjh+Lg#H7j`737g6 zvj{oQgE3QFFs1L`#PpJek)#El^Q%`JtJQT5MFrjZ%2XZSAh|t!T-s*kgU^-ZUh?@R zGbKQgk`3AH`((2R@2Uy#`{WTkFJ-znt*aG9aaITzl6amK%^f__hpS-nWF974*TUpc zBPNfX2DV}GWtj4KimvhcI#UZ(yt5(%$|>%}mx`w!7`LXAo!y_$_Fup=f)Waai3X*O zj|}^m2TyLU%32Q_CVqB6lM?usDW6&>So^+0fGD)4vktygEq&dcY+P@PuctI|Y?GiC zc2EGostEuVVNysT6B&@Cd<=Kh$~G9v)1DFuu?PdE3J9Dtm|+&6mD}p6D29QSM)`Lb z=SKA8v z3o$etc;t|0%JOao3t!_70KGAhg;Tf(2=q}O&8uaig@Pm$6Mz!ana0vu5Iv{an9QR< zOa1}Fb4toEkV8jkNlKnm|Dy1sr+BJ?W6A^BFbIX*-t$mQ$T`cd7>kS0xIb9RRlHnQ zWQxTt8}mv06pD zpSt-dljqC{O@m<@Qf>O6!45UXZyf@LElcE}B7*+Lui{3Es*PY+p_`|> zR6((pYAbOm2JkBbXFNHvh;0)TjqD2(w+4vGkHB)WOZ{BV$QK~srUi8oxQ^Po(_s5LL;>9N=sTy`bz1 zN}y`-ls+jJOPOaj8i`ja&l4%T5Nw*qJK~LCY4J$4L4l?{vX0^t&a;D1Oljs%_sj(@gh)&R&jV`3hj#a3qMXn9w&Sp&-nseR2S18*PUV|6oe*eXQ(6I%=n* zuGc!*G%;Oc8Gc1^`TH@=CVkSyHgi69l+6!3es+9cepj-diP9@$$Q>wUy~tTYtG$Sc z)+<#uKF_iUl}vX#70XIsd~nKLE-$e*F@_6%4E3)J&aFRBO%&%H#`EKeaiN!jTnhBlPlg% zz&G#v?cVmEH<0IsKMUf2j0b!7%(9=4xtAr^3kX^q|FhkD^k}mj|FgBVx%KpG{Lg*- zeE85I-S5aNv&_IW=aweiCEs;P=hG+0k*(3Ck+{|(EVLUJ+R0`Q1D=uobFvY}0eeq8 zN_s8xG6j|W;Tbdl_tDMb<-@a3oTV(wF^r@C9L00-UR{jzp92u@7mQQe5eGCejlvPx zkm5u&_N)P+NSzDsIouDJw;Ms|XT(iivf*Jx>|EFn_T) zC_v0rNq_>Sj%!3}lZWc)DMwr%&-}hu01wb(pJpces+y42g0EVt&Binr86>hO?)4SD zl#=C=9&s%V%O$Q$+?o~zk6Zd%xJuMV3U>jNRsk*ZCm5RHl8rIT@ctHNXG14{vN`sc z2c|i8L0vT{$x|)TYPIB~%U`U)Y^a&g)ey-?62@7pGDO|Tde}H--LCdZLT@!PQaGxz z>k7;VTVS!&7R;KtRypQrCg-j-=go%ZLyM-`%iRz~?zS#*+&Bj42qKvpC;{&hd*BVjywm9{TP)^F z5D`+$Ri-J!O9!bMtslm&lsfVp7JiI z98HC={aDu)r!1Yi^SPo`{dxr|VACcjU-|JG{CJlvi6+~{Ou0g5*iEAhUgh_d)yf4* z6w4rh(2x*R*O14j;gpGtPLrxuN?ODf3G>YtqL}1zLsuW~+&hF;WY%hEDjO^37}u~D zJfvAJ>_;o`W04-km476nd%5Wn_ack~m$>$Uq}6H|-~v@(g+Z5egH;y8OJ${4x)yYu zOR@pEw2D!$2xP@2*TDUDNe@tZ)x^%H)R)g%MxQ_*utt$;;-lO-P6?K>YYU6!#zqBf z@)(!{zuvG!+s`eVEy^~auV0oXeXSC02_vj&t=si!mnEL)TdsiU=wMK=hI zqg(g|arIs8O5AEYMl=Gm8;Rx~YKh$~GbKHy~A$O77N*JbhLYBPxqt3$$`?b&1KgV+ewc2Xp6$@g^0 zI#|9&CRvueV%fr#o>Wa03C$)hal5X5XIow%0$#GsPp79~k+Afl2G`W)O|LXaui>-8 z9#-;2U8T437lkRMESr}1Q~JPkQ}vl$rKjpQrn9QM?kb&CztNomtCie^KQHqXi)4Ll zR37iG`KZ#}%^9iE(QP=X($y_lsnXjbUIL4!t8JsDePlJm8xxsmlE_6+hiWBd-ZWg+ z7~249mJ)Hmgpk{XV!D7`cCELah>zXI_G)W!UxsjJV0#*@Civ|ynl!H37688lu`r-j z(bJb>QsB_D+7;I~goQqMA;rboHe#t2eL?X2a*T1V+}^z!HmY!B~8` z!X4P$0S|V6+B?`eJK1}+KR7-4$Jv{c*9(VQ!*%}s*Sb;HbMHK~A{+lHmX(ep()=Np!zqSVIrhdmt-q+QE z_6zQ;?`vvKUk~aFwlHj5Hj7!E)5VkxtMl(-Nn7;bQ_n;k+TzxyumS6FyO@TUecnEY0T7k)fAIK}nS(Wf>`p9zQoR zUk}c9-kkmf)NCRqOEX1ImS%TE&T?@OWP&wKx9Am#;|AuTW1 zYyl~+;mx;jIJL*~Er54?n3$(s-_Q9X3S(wFi)r%9W2{GmOO|G#U;#KhJ^vE?Rh%9)o9BxsgC=jmAILBF7*3#z{@nh5X5S;ltKl*&^pKGO_!2OXKQKzcDR44zkX zH$4)Se#{y@X0Y>2X?>oA{=BbCjXeC)>I#E(ZqgNgX?3N7y>HMJemQ@DCY2JVJOo45 z^KY63eDRHGS|9b2{z2fZ2msnHrR!}+P$Tw|{;xlRWz%`v5!B{*N&nX$!E!D#**rbW z<~dh*G<<^jO4UTy1yXH3?f@3{S%+1l+#SGDSs`n%bhcP8f^@OoRLt$Xnpk#0XON@T z6X73hX>TU|ZXw7OtyK(eDxQzRh_zL2ah0674YsseQ%^SaASkm*a8IW^_A1|aFT;r8 z9(t@Exuugp6P@im$@&aY-5eL`LeN5ML-kRV$EwET^Qoum5dG87MaJTDp2`83ZAo@Q zuY@-!eO?(`ji={=O=wD|>YRh&@2(5JQrf@pofjsc^`1ba8ao=c;W~*8lPS~h?F{|({3coLoNVtQe z{l696OH^p2yliquG@pC=|92vJi3p7p2eZdQg5Qf3`(JcY3M2L6StuKq7ul3=ZL}$< zIL~mSRcLH^$2OaaU%~zCp^#Q#*%o>)e6BEA#OB!KI$Z9Wv=L>qq5ZhaldKEsm-bxh z=qrqFmHV#Em3N_m+$&`oHu`1Ml3SDL`gH9o!RH_Z?z=0J;2!qq&p`v&30EV*;!X4R zGTMx7H4%-{^rnLPb0=2#ll-if|6{_UM4o7ChF{2h%-J@pMO<%U4!gw+%){bllX6?0lQc4gFR-&(;P(B}rw;vQgjqkTR-jV{ z?88;m)pA?odehN+_psttjwmn34y&*bRVNxY`qhZOtC}u}aid96$(M+E#IdM)**zk$Y|`drX|_X+~?DT#}Kc7XIQnY zQ(95F`)*l9t&n?Q6D$QJKW!3u_GVN3tuiFs>*leMGAO4@-2Zlod*&+4*Cl}mY1tg|lW8*`yve?pA8;Vv_E%)wD<8|%=Lj9;hv z#l1TmR%Dkiich|%>0blQK_+}Dw9e>w-U(+XNz^`53Hi_H*tUIwI}jG0?LQ~(|GnJk zeSEvw`TpH+zXjj5e*4W^`1i(N`<;!AzxJ(XALakv(#{_{o&VE$_qNyhUjGiwWe+R2 zZ++Kl{S`j??+yFSe`80bN6_}6TR-DYbCI2}F?)XimAp$smJ}?Va)F#98b&H)Q<4j- zt3kM^uIKaZ<+qR*`kWC;E}=ezz%B1~R$9R4F4 zc-zIt^+wywOhHT)fS8nTnpqS2-&an2eU{=5E zz0Z=2gfWrl*eH|-Up*kxyGKlABz_Ks%P0&$=fr=lsg^koA!L$eNx$2@y1LR{hCCg2 z^`N@1_jmUW2YVffsq-d|m=HwgO(o|usHqeBkW4tDS8|$QHeiawm|Ue{7RKW?5o(Sd zdoBtBX{16?nk*g@8WVSCK=ubN`Eh5kKWIC@?w|g2^yZZOx^r@}b9lPHHy}qRWcTP0 zW3~t6=q1@X{0I4Y|L{fIREK(>Kvg-Ol2DS41)if>MFTh0h_T9pPa+zRb2?^Z%r6;k z1PM#0p%7T2I1U`hJE5`=)Q00Z-*rK#cfWJ?-X~D>vr?e|#Gz@|xZ{-#?Vwyu9`$z}Rr!S%RV;iPi;`H2Z%fJSgUSsSC(44-T;P7h|!i)_+l>3FC2*8RFVD zgp7z-OHcU)iw8P>0pDEI zt2ERTo)(qeu(r&Xlt=p(S?AU$|5w}p^)1Ib{6Bk-Ha8#D{6BkN_y2qOnX~^F6TWow zSE}_Fv-4l0+?CFP>t-|^vusZBr&0l{)vI6GeXjJums%WaH7eO9vXZ%#vC2fb@5)(U zf)Z9Mc;ZH!20zk>#y-2HVr8pPW?6m-`qRSW_vbBvqLz@>PualQ_8b)DJcgfv9 zzTB2WQLknud+;EP#}ON3)W2|R$(k)?*refpE5FDR}EaE|7||qdQ!FjJbk+PRsXw>pT+uLG2yGKfyzGo#b|?7J5Zxb z;lG6`=uXrLGrjB6DjLlrm1( zx})7fZUhq9eSsJvCO44$RtO=qS(EffFhCC&$Q?KrTT@1bU}+_->@DW))-wbCvklYJ z>@jOXVA%VF`QWfJOW+pyo8QTpXMOU`sXM2i8#&7=Ub&+Qko{KH%yd5Gbz0}ouwEuq z{LE$&J50KKGbUEJnO^>si^k{Eg!=ZB(R92nA7`Gc#OSD-RXPpZzNr{iCO}fS2Dlk+8>7z z0qj`HVxQgCX+O!*J0n`e;*|u@oe*rgfLtrC?VjP+wMY&YlZVs0lNU*rp1rsRTRsff zXpP$|TgJ0%V!)L<4%p~UX}|Y-P9s}d&!_zP`shyM0QsNRNDq(CtBWWl133 z56|yzQAC_yXeB*!o3>DRvHqbZlS1B zzm$X{=0(AdZmeOIO({1}eXgltsc~OllUu|cRK)p|rJ-NVpSZrQNu4;{QN(HXWZV5* zr$QT-F#dut`D}Pxa{*}O;I7qvD#AEp;H*Jr)8s76lZc&d!a$dRHP)Y6wwom%7N)-1m-x3UR}pci zF6nu_-X?J`T(Ys*>ls432kL?S>{ap1etcSbY`;0KzOi5a9KzeJBI)-5KG}Zu`00}Z zC_a4p=;`+6Gpq3_KL7sv$D5l^ww^wU%tX@om-xydH^s6|7)z{Ep-v1GO8@kPw9Vj|I1D-~GomWgsz zI!LwN5c#{?adhd}vx8h@$8!6*mu<%){MK5RR%J(R6f%pMsgYZ@BttcDOGz%4+c$F8 zLy@JH7b+xbc42wT6)jh=T&{9q!uo?H2TKgrlUzAfOs(Fe%s_cjk`+}s(I6w5<-=Ur zP!bDOiO?Vnn&rSe5nzol4BpG(bvCP97`9a|5lw{B>G^lE@le?0-%zt!JgNYBP9BEW zSXm!#Xb0DZPYJTKxuSdl)cXW#+iGcWD+yDiiu*>mw%VYWxn(YAfLkTDcadnUDuI5% zQl9rKeIET8rO%^lN}osbq|d4x0tZa8;WNpP8`C@*)pjI%Ev;jF3Zp3eEF7}^XXKFW zYjVi;8aSlND027kdN!l1n|I=XrJX5_!%@ZeB#CUcDc`V^9T7`Rqq`CXOPC3TP8;31 znsO&t8$ju(`}SQJXDl62pOFurTnl6)8k)14n%QKs0z-65*er{lY=oHADh?sPL#NYm zK73I59yan=$g$%;MOz)R&}#DJYc1J6ZyK8Z_2(XbR`dT;UYIuv|6At&-Fy1Dmj7#O z`)mHMd-?g$?Ehybe5v1ey?B(7X8xLXa6v_+pg{+AfdL=ulI4P>hnSMH@w4Y>!7e>( z>SxOQ35`QBZQZsft02$~?%l24@75!DrS)&syr0qOUB~}!KJHcHKQ_wSqkuS2S*w%XC6C{9X4dnlm&9D03z5INY z|6k?*SNVS}`EMtu`uC9kI!D4yl>e3Fe=Yw{ulM+?{J)Q%uk!z^{QoNduOW=vO5b;~aLQ^gXcTo=n(|bT4ksPbxgx*0 zzx@`YQ_b^lKFGN~^LfBNk#9bvEC^HPXJ>gDeIg?KgFXM|gZ$?#;8$_PY4C|iFwejF zApbebct)d7L@q!UXPs=8u;;)1_M7|72lePoKKdjd{q|e@n@ikgcU7G~O$vLv)M^pX z+9#Kr&P5mpeR9kLM<@R3I|QnD^vQ=0q$xdCQ4h!?pFY7RB7vySAT$=fZODQ3k^G+X zjFC^D9HJ`Y^Z{Y0m}7vID*AZXTDJ1YM-qo|z~YQ-S4w&iVr3DNV<1J1^a)L4?l~0`>siOQ{`hEqCq%G}blx+^dX%L!Aq58wGRcg4 zCnt8B>g$ab`Cz>!g!vOr{0Z|fthQ3%&^REt_Db!g2#{>3^`5FwkbI@Z@*GYtRi%;b z`;x7HnVL|K3BtMl_*5}68MrN=xczt%TxBJu1;r`&@xqJM2XaCT( z8dSC~nr9RAxKedqP!^Vi4XZr(@Ao#u{g;F1eUdU7kWNYz<<0<)H-o(sNkH=R&dZ;7 z@Y(UsVDRhF$%}GJgE9FFdAKnOfs<-;z#D+=q=LbIE`G7rt&7V)3#WCzrf?_din6DzD-+xgbf( zK~Fi=RllI43)nxWJoW_h^EAw6p72vT^#=0)ulYEP z4|tGAtWet}UE~fe)wkc=-`vX7YZ`r0uYp!qJPnHW4Rq73|K~Ti?am$Q>CVZky;C_< z%+UWYHPlh))YOft1Yi}3qU*jjbFos7EhVUl&$CEqA@uyihX(0)p7INpp1vOFW}iM0 zd?ubZ%S)4&bHLI|mWr})tBArzNIorGQOjR9q3=_Phz=t&3Sh@)X(qZ5RHo}nxIXp# zG;>!3FSiDhCb(4}htXp7&o#%{DE&2)oxUEN?H%s?_u?j!%wGk9LnvK<;$jFolLC5Sr zUGmXtpQJp<{ZhAePEwlKb9oqkc(QZ&;>g~Ie43HJ{DpkGcl7dG@&oB+)1)g~N*V0^ zQ69H7l&QB$85pjls_Bg=^wcNrW@HcFv2@{_n^wa6ah9>2G^Mj$^JT4L zxGh*u*Ep8W4~jfW-~(Z#6q!TD&JT(};CbEgk&N+Iy+ zUFrm@FNr?~*7dW+f(EFOFPkl`Z=1SVed5+O%H{lW!)}_6MdpMCeUvqbrFdMs13nrF zmUZNM6Kbh8ZXlbb4?j80zwaHrET0qt(g}$xx)t+D)toYR7jMx;N9FN!A6EXpMn~1z z={~GKTHYPl0AWC$zdoA!uk&j6VZ*c45w7!gxkL4A6_h*guWhaB{6xOpRW~H3vxN2a z1(|Hrl`y_tt3``+0`k8a24;=p0Xdy8TRG*i$fu0>JdXkbH&6N^Y!s#7z56wDf2r2sg8X<1XC1N{CPJ>Y@(!Uj zW>n;28mYc7d6ZAt0ng(MF3WCXN$HTO?B|$flRl}KOst{cU0m^+RORi@C<_4CRY;{ zlk+@`z{@J3{skQ~;W<)82?Y^(f)z`}ghdeX?R4-cN?Am+@RE^)W)tfuppINy2a^uqbh%ck;oo`z%R|7Y*-*W0+21abKN*L@W@ZD%5S$fhWNC7kult4Ok= z6I<3waxz(u#{#=S5>d0!0nm~d$NTJU?CtH9{2mm5ZuAE~B$1NOi8yl{v57_%3WY*d zp-}bse|rzn&zMt|3ADevCp=|7{YFCR1vDbKtDAH7n-`pmkVT~Hd5?n;^VBW`@f2Q2 zyB@j3N)(W!-5kb(_|NCPC(kPD|Jk$6`}ogW`JhFga)_iir==4-*+zfI zNrw3pZEbEoo%zy&7)Mb2PWF!89;5ApT{n{O)w?6~{&=sAj`j|Z-tE5MQIFfuYIpzm zCIlPfi13Lp){!xB1lTK?AWFJv_r7{; zy%DNy9v!JDfQ5-Ggiy?566#KRNRBznMq~874*H}5MJ&u9u}TFm#%qXGqFt4>M06r- zoXIic^bde%`e}MY8B@yA8F8FQCE80dkvRfngk!V^UDuGv5;Z^*vWi3K#bS{}2**~V z)`lGXL?H+lO9)8gEN&yriTx4-(rt)P<;28l>f_`*z6=`beFFN?00Z>O*u!bYQznQg zsG3i>og?4$;=@n`+Mq4{D!U-OjdaK*M4=}7@3z_xL#zXRE#K>(fC3y%aDqo**ebXp z3&#erw%R~p_=Bm&9z)+QWiF`VCdSbQrL7`-S@kreLpfD@U#Pm?c((aX%Z6DS!rP8A zDI`u{lNMvliLgD=78;O*3~5MlT<+b$vzYQ{9G0reO6Tkfpm1ZZ+jqfGV1k;@;Z z19C}tNJTXe7x+vs0+^N>s~wxOg_|yMfy3>!{;os-Ni^DGDKQ zsu-6>n46rE<3tou?TVGvlh}M6B8)V7pu2W?fToYiFhe#;sajABkTb&^<+;5|19qjC zK6%lTCRy%;i71B3iq5cqVf?Hn6d+<>VGMFeaayqiXkv$vF91zCGpq@Y2*T%>#t^Jt zi`8x`X{s17#DE&n#ElFv|2akF(FUBGi73?~yz^Yuwm%z;xBU0@g! z!bv<;hQb*TZa@>@6J2b{OnRPtQ*9D$XOGN@T0=@vhp=HW>pS+23)D?*nDOcw$d{}G zFDIZ`aCR@v@lc(W<^(xcVJt~uR9Nb_7@vuJ+gTJ+Nqv^!IJRP2WP=HnMtE4g1Goz? z2lUKR06-weYifm^W!UcK?iQ}1qNFl_SNuL8V;m0=8_rfSwh3MnuP(5fsZb@dJpdKOtQpKAE{N~5}g!;Qgo7{SS&z)(Vn{%<+96#!4d~2 zG{H1hFUM3!(RR12Ton>iA<0CzBAf~V^>J_rd!%Whr(f-ST3g9=EtlwRM~sxXz@fIH zTSP^e3E1TU;soTSQ6ql=iC1h*MAqnCnBp}HL z(-NFw5eo8qMiLn-up#3q)7!ODc%9{^1<_W3UMsaqf!)c6pWiV%&h+MLc(u`(ah91Y zl?e{V$RQ9?B4jYtTAZ+#=djZ7QX(@PTlTwPJdQ4?(lrv6bYSKMJ%_KIaE$p#8BT19 zV>#^%IU#LCIVa}~?x)pub9;SIvfSDtZKV#TijQlOt`O&GHi&5$PZgu4F`l-ICn@22 zs}=CXC>E~W=BoL*ECyw{2C-o~2ic-0=!r8yhgb>Se}dWBFjpKg9I;8OB2j^aHi%j% z)nj#LZ-UQA8;$Wf0WHrW1a>qV4watAkRWl~HviH|%DB`Mlgk04C>yO1#Ec!8B7vTx z{K{#X#>(7eNj%k5RPK>I^A|G6zBB$bM% z^GT7^_+9Y`tDiy08N+>}*syZlnlm9fKrjS1bTXws>F;oJHO3brqf!kuCL_HGV3{Ld z=mZt1I8VUAo}dvI#?&tQaV{87?Xc{8Oh8kWW1>~DGACM<$r_`TOTfh%Gh3e3s`T!l zmZ+LN%PUw|g)PD|XTF@e=0JpV~m(tJ1}c{Tpnf7UsZ#sU0_kDy{4&Wxs2u4p%J1 z*@PyFPqg*u9?dEdm$S6$Qlp%)>WKJZeN!#kpjtLLeK{Blk&Hq+whec;l~|03(wo|jG65_qi{)mXBw@TrQ_vgW3xr|kofix?=hDdBL1T{5%c zxGXj>y6k{LbXdq4wPlWq9kAX%CQJ z3P8p24Evm!QZz@}X+8%TtbOlO!Pu6Hh9 zO3L5JOg9LoCIiFwa@}ZfK18~HEHBB zjcG`g`3pTd2PC`#e;F`sl&NJq0`pF7BY>L7Qo;p^Ouikp44f%3fV6g@9i)=fv+(2z zY``MZ(UJKQ1HqdUq)4$-vpvjN!1Dl|SOr7`IxfWO(Gdg5DYeS&oCqnxn*%kizSv_7 zJR!o-XoNBdA!HDluZ){(RZ=%DC(S9ghQdtEubM)rDZzrl{R=&%nUHLP`4q6B35tja zIUSg($c+v0^RJS#iqCB~+=F~pAiyJ2RvBs%R^W(TlixpI4?P+VLx+WDEM7%Cy z*$|!VpS;;?ql0$`o&AGXNBak__ulRuoV3x~y`!BUw+~LXf7pMsfATA^(5wBEgS}%N zKCo^2INUxu+248pX8Q;ozCSvAcf6-}TYXv>lUUhmB4vr7aOwajGukRFvkOjB&Qea5 zdJY2~qD+{w)ZDQG9e=6zHVOzM#))0hoC=Waf`v3UleJJc=d9q3bq`wW#;oSO?*jBD zC#ibr4aEZ*!{Pb9+IbNM|9)pd!XW|wsHSCyah8-~$UC`L|9iAZ}S(@Sz zX@gFXDa41E#u?YU5srshQYbgD2{uH6glsZV%I69|r zNIEp(8$wV+1RLC7y4Ne<`v7f+YEMv9u##6n-Yzz3XHonzrjVwN2xD)aT2pWen6cf9~gk=tp*;EFo=5<^%(JIvp3|gNT+Sc1}Zbo!cCXfD_j| zR)Vw;qku1HI>jkUA<+v@k;4YYC#-BHI@I!6EqJ}&fi}aOHW3+;B+_q;SsXRE&M}{W zB(lnNPQ_w5XPg(OWyW)ig&=Uf#5hsgb-(doYLty)KvPA5f~L7Lf8lVWqc-NaXa?Rp z*j4*#Qy3ilzI}MOcd)zvpM5oj;4Mhgc-oNNQ2hp|T;yj-2%(cDUuc^!in2Gss@06f zgzMWO+L~(@mi&;CI1-2?Va$XU`U8%`Ga{iXre7E-F%Io+H?_}jwKzSja`;} zo5u?{Yt(lBw-y3x9n93?Hd2mTra2*R;oh!fq~ z_(`o4hqjt;gaD0In_Zx0rgk&7N2>!;gsi{`sl`O77k#+DN+P6Wu&?%t^2w(Oeo<%= zENFfnZzyNaU32$L;pD(P9Mf|vDT~9z57X&%`VoBqyxFjN%K8zS=Q%@{%BG2`*)&xb z*GQ;Yw*1l6Qfi_rrqx7fDGhy5W=+>idF|wyH&?%l{F*1B!vScgxJLUUi6>}BaRfRx5SqlF3kfB)zI3iRRB$q#=DyLmCt5tZX?P|7RYfs0UM5>Glt0u5p|=uR+A z8bp%QcPl`9N*^^C6uc!Ma84=dISUS~Vr53tc2AqYzArIv;CZjWycUvY=I#bd&{*r& z>aq4JM7c8)Fm;^$yzNY~QMr&bj1t*Q z(Z(V60j67_uhv5ENziL#k%aLJ#-iW4dGjvU38F>Uyw~!)hY#&>;|`06=RHRM<0|a- z@6f}M*6$!!z32UuQ>Kqj|GO7#^@7dL=Bb8d_)L9yh(6#r`*Ydp*?)Lo^DARpm%12#hjqi zV%S^Ho}Yr)IW3Xmv_eyKS|L@P5IO1ANr<96y60^po$b81G=^y+v`+w-9C*p51g#G! zAA`O|_6G98uO4}~cZId%!hvVN<&kFgI7Wq3G1qgVr3RuN88`=Ij-ER%6D$n<|jyFW0Vso2$MPoRqaTllz53 zm!>++hT=s|gdn;8t+h$jbpNmqc~=-my9dYccTk~CmX}h2i)Lnm%5uA_Uul-!v*@=V zq1t-sxhR{P=j{*CX)c^jQOc+Zx5idV=`du_=?FI-H)5~4$SK;`*>0(w58Pb2ljKw< znL9;iWZDMVe%gS*snsIk8=?}CU=*O!knyx*dbl>7*CNsvf;2mwbuL1@SdEY{GObhC z^L3@zGq?nJmd+IA1+n4dD$KyAb`^ej-=s~yS|wfH0hXrnx@2DAK^b>8IF(XAM0JqHE5RSvdKV4 zwGF0Hhq!POG9C$pZ6b60rj(xASM`+<%A5-4<>(?rQtgfK=Vo(uY#=nEE;yTHAGdmY4Y zLqBYUxU`N~ew&lgx?M(10GA}KN%_gigsoY3ErU{us>whj5FP5;U`lLi9g?NQq*clN zvz&;Ogj%#f836D-ftV%{(!Ivh8UAh6z2Eokkx77dA_Br`IBSJ1{_oZ?Aa-4$-4!1(6 zD$tha!RhD(U(!i7L1ThbC@`-xSD4G!BPfaonNSjR+SIKkT%c*taQw9Ox`9V*Ui5yo?xn?-!kOt=m=aPx`eIBx?NXEBYbT&I`!GSo) zq7jk71Yf>S@-(1p9b+TJny~9N;Hv9It`#{AqK1v+8EHU>TuP4jlJm8qWPy|!f+XjZ zvjhSZ&oPIal!g7PSfV!nA3n|*!Yj_!5NS07P|Nddyb3|^!>sXeHZjN3I;L5__7Nh3T!6!^OW!movK~$+~0_zykIl(h188s`k(1~4|5nxzE z3aaryaAC-jkfc&{FBm_I8ID9ZW%{2^Oot?#hB4_r%*Aa-qt%)rIL)2YlQAb^%;L!J zKWY1r_Y=pvB*xQYTavN2+4l92OOHerhC~RbgI?R0bV67ri-t1$-Fna|KYJq_d3tq)x$hbXukt}5~ z8%@z4EFtS*hXVBuIj0a`-Ni!CQPNSYp$O1@sQ&F>ONZsQ67|k8BvM_6qiO~qJ4XV( zD?01!H5ksauP{}Dl-|rk#}&m#F&p3*ow|Teb>R4V=BQ*RH_wi+1XylzQWo9H`f=cZ z+g1|ZQRc!m*U%jh7i>iMZu!51lc<9eNw2yh6fqJ>Z;kK{EVTo<82_`-J-=~kFIYxY zmM%b*;#qN>1aP5T-?N;egj_VWvEkk{5mL!%n{rZvnCZTT3nqU5^Ov@7<@irTS*c~J zjG2&7CcN$I(!l;0^T==e7le++Qtg(TGq%CXBnKMgZSs`?sWdo9%7{*@4b+$*Zt_$& z)nV{9qgQ^jyz-hM{FrcZt+f?66u(t^IB<<)>(qG!gcuNWEn^2K_KTwhV956BWH$rx z-bUO13vMNi!002g?meExSIbaqnyyzJZUWfyyq|GQqso$l5*OzF1RKiJHab-c;uKb@ zWugGR7o=b*3V9vS1=b1WLq^%I0Ph6*z@3>zx=2aeyal=Bg^RmggN-pFzf3 zNOpFI+nd_QEViAL6Ee|P03X_ikei~eNBE7b#@UDyA$AFlVww3=RqRI}>8yB70HfZi_2&$&}TKQrD?3(LrYcc)} zUWD5mLIe2PD4s7d4JDt)Z4RIWxb8_^0`;nI<~Fgf!mbVA$zuG=Zlv49z6`mB`?E&e z;iB6ii)pxCU9|+MexA4;U*M@|+Hh{0o(7TJ zxSotnt#382l~N^0a{~8fpO^(h@tU(NT`!u=FdL*((@D>ax3$T63kzon_;u31OO6fNy%gamz&ysENUXb;=OJ_n|b}}T#l8kP_Xe>dh6ZnY5F-=DAA;hDJzP4HjWyx!f zLvna)JMvt}^&PEAgh&?KIM(%|TEI~f7TZf-a551WN&FW$%bji-o#pQDx8^BVn}Gzk zVFA8dH?kU!3a!`X7`!q&#aY0I&5ywZUml;4i#1QoVg!~tC!gEVZTZQTMWWRhsbw1k z<+=ZZCB$!bjn0L4F(%3TL|{q9kgh$#;cBSV<=nB^;E7A)`Sr4vha*>1kV>m0i{_S>uucc z`}@NKCJ%KDNx$uLk}^T1jxUR#({kz_`=x@T-}WUQK}H*gLjj$jfVU<>I1r55437`< zr%)jTnDVtcMoy3H$83OxjQ7!p?Knn4LXK2h zSGqt=p=1UM<13FaPe>{8NVLEl`hepYWyuXY?ARW3&o$Q48SrqPc26;1L0!ejCJty# zM0OywJWqWyx3~oyH#)~Q_9!dlB+@D7L4VSMC+9~>1kBAGB?fLi<{Auvv(G#nr>hva z1D$rv)$tBDw-CFt6`GihMl@LiCz_61p7(~0=Eqv1)6YIM@caG+=86BMf?WW=t_?@s zy~Y%2O!c{wNshSzl0uj3k_=6lkWh%23DQEClRi2noHKsfMyCpY^sjwT6+aZ*l zUE7FF{{=^y2iIUsE!1-9VfnOy_Y90%VZjDi%W$H7Z6QP2hU*H8Zv>;J%eclxUX}<~ zaChoG=(p-#^wNF!3Z%6zG#5x?F0|4>>dVd~^=zUI7*%%PUDx6?7wXPgoK47E1zr1x z)L(~q9qDivf~EtRw$c z--25LX+i%WYdXYR25KGkXK(2oyl;auuFMmXi1o=@r}Md&kJfrfaFvsRug#l(*M%Ie z`Dv*CAy`bh+8Z*(llbN^=GXt&>^*t@q*ni9vv*(r<2F8yZrJw_s;p%2{)j&M6Urxb zK%*$~Qs)Id@rd-%GQLa2TK)5_;6<=m2WE;e^-UcqsKM0GC^@SkwCgT(TWgZXeKa%u zed%={+!GuB{t`V2o(G#Pzo`o)%K|ah@`5Ikv#zNG(e-dji|QU*9(Id;=)sn1ra0aZ z$xIkt=_axwQ{d51H7<&TKvBa`4zYlg3<;6l6#srM)9LU#evx&bguniH@$CH{h-(sizmau^Y6CE^WL);QLh*FHlt^Qt--Sh_o8QbxY-qFSdtFZBJOAc ziSv=Cq+~vdZ~y%zvUL!?^(IOzf{#%2y(&|HnD;8gb1E?~J`$BZAtfx0iKqK9T;iF_ z<_f@7>N$9_TFu2fFY3p<2)4feN0rp;`OK34PNkI_!M$U=%P{&7`5}38Z<02>u&N=0= zOGWRX%KSqe>j70~hvll6PVFP7I(elsp%~LN@E+=fkH@bpCc>#KXlnf~RkYB1SSwq2 zotlL(tfDI3@-+(|dJnHyvQWLTijsv7S5UF=;pz$&K3qw?!iS5>6?zZRZn=ut(A08< z{rI61()sK5+czD}kx=W1>ISOi7lyW9W5g8Jd@UIhh>TEqn<*e z)2ZnLv%(9s_T?dD&*mC6F%Kc=^`?i`$a%Hc^Ii4MLTU;D@DM7(1p3H5%XeR^4c(qK zL!9cm~ta|_d+fav2r{Ub$LrCILANjsvg_WEIn?b{~ECXpk=*N5Mj>x*FZ{D;V{R_nO?4)qo*~YTKD);30(Ezb<{O@URC_*4GNl zQ&$y_0uS5w%O2Sic1Dsuk~|}xSN6j8EfY66sO>olp6#JV=1;r-dScS1`KcdfH+-2N!iiFE;q2OfhtbTC7TQ{ z2+u9`1jFCW`INe9zfA1k=qQc>uCuX!iU=SAW z%yEcQU1FRPp?Maeh_lrG-9g)L-oW3S;OJcvPgMu6XiUUZNHTG{ngPK62V2#=m9^T4vyJ2%D`_GhKL zA0;E2TsAh8vFP9sxKa_(_YfL0Aps3FA?izC`wTj!U|0~d5XZ(Ti$nkcxKuG1sfeKLPrr(0wwCivVa-&p7?mLjAq(`bcbW=oKzV~?ZZuIc zMcD=6SZV1(qbwBLDqYq|1ts*A&6rAQRGStgzfFhfZ=`nI6+w}I(&LW>Cs z(+rm6#C+E|{Q9W3_1#-)#s}#RmwW?uNfF|hCZonBGogvOF(s64i_ipLIuABC^A)*s z`2M}5G5rI$@{sUQap;IB$pEl*GkxYXyQSym$k9vMIabh$iM?oUf1VL7?PxIz?szNR z-#w1-9^Ub#?%F+dz1>+CY_40lxk_N))cMU!_1+C@L>j&I6m|$x`x^XwDjM(Sm7+TyPEp*2MX0QMBi@N%Vw~v+h5L>Zga`y($acC zf7*Wa)ApyM?VX?Ycg=!I?OQ!kD2A{||U(<{y|gxE?}b+5e-4L1nlyd zgg)vL8Fu02Zb1jDQCSP33G3YGs-VnpCdXTyl(WmJL3<}}>IkdtWQvr0D}Kx?W)@b* z1*cMy1QOnO<<_})a5z0}ZvOV1WoMGjj}I7l1Lp1DfrEKH+8 z8n(^_aq+9s)!s5?g>Sxi_RJ7%2gaf7HFDt=!8J4jKQH(<5<#J0MtMu2Nt#L6V4>W* z@pnY_bt*I|h_QaLq#@{(idqvK5oZ##ZRR~xTej-3qOE0uxL$2UF7;(?oBvbo>Z*N+ zlf3ZzsVj9)b?H@z=vK2cC#9&VY^IQO=cjlVxFcWvJ4LO+a!yh^z5S~5z_`kQM#h;* z6BJ@WoH5%n^ia~(PLqBqK-+O#hKo6|wAL25;bEjAg;eYLS&@Hl^X2){e6@u%b#QYtN~IH1|4&nZP1GG$o_^<{7>aZ^hX@p6K^} zB2)W|jKvOizYuLMny=-Ss@rtTu^{$gxn@%pZ28v{7gYTx2XO622aS|7$p+c*HI+YL zLBs7#jxAiE(Ox16PdOF2E7Q6ZjRJFg{4RGgZq!?Yt`)NpO)SW~;88J4BNj@K7r9oN3Qz!!{j%$uJg!J+65?!Q(3$%1P|;esF8 znZ!%HA5jk0!*n~P?%Om9=e!NpkENQ!cs8uT1LwJx)4D^bLAIUJQm1K&St`6(<3^Vs zy}C+okK&-lFxDGZ3>64WX(BV@L4i5C7?Z?%h;aV0$R%wqNrV|?efmgQ zvZZV}$_7>@a4Cz6wv?-RY4p=-zN0>R;(6tqFuDHrnuD096TSBlA#LFbdJcKk7|K#1 zIl&X_p)K|tEm75+9E03JR`4i6&^Wl>nntJTJ;7;hmn+bH8eD)CXAL(iK`^Y!J25Q1P zX7U*yb@iVQ{kCeZlg1)nC#=-Ztf$EDqYohPeK6~k@c#%6QqEGPO%mbv(P!Pn`r+~? z_0Hk(m$qqNI2-4@(zeeVK*IC1M!KOmO1ozkO*J?>g?wS??<|cBJgv#`g<< z=(XOT?<-xtOV9nUrEe~1Z$e#r7iwAJ&cZ~Ap=BAP*az+$^NL%h2_MWkp8EB-_LB1} zHdj{XRbFwuTvvZ@*;lHE@=dR41GxO2mKaM+U`^PVr+MBC^YG)sDR=X5G*7#WD5@+* z8vt>=cZ)0^bKh>ezfEZJh9o07_O-rL?-x>lEQwAd16N}?mYj5R)OnNjSGrc&JOp>~ zS4W*TZ@O%y%)P`Z< zU^#9AF?UFF2e!=cmKmgj;LKka4tU0}oxV@>`#0;q;c5L@^-1}=`|V5fqK_AF-GVh= zGGA}9gzH6muA$>J7WKJCKb0Cl*XW^MGUz%gTcyO%ja0Pj?5pmH_|mF&qb#2LN;$0Q z3U5^+oo>W`IwI;?^OOfI-EfM^&Y1hvlsEeNR+Afg-8509Zi<&oh|RJrt{teiX_=JN z8SAONj!p%qDA#!rP6`&hSW<=NZ1{eDoY183%-e-4ySuNC5a#t#9aCd3aF%h?UKowS z8~1T0tFyDXkA>QV^$D(O`s_K!iZE?l$?hrYk`{|t-L~U~!QRk+VEpiRXh-SnN!Jj~ zHgNX_j;*HGaWZ{3ESdW1Gn12QP*8p0%zPQ_!kJ9iY%t2YnQ%pudtPjQ6C;#Zslqts z-Mh5IufJI>Nr>e;OlG?SmYf?Wcywt`h#L%bBS&>Tw(4esv1ek-YA$eUcB`)TGTNT{ z-n743F9mx`4MDrpc?pSBch>1KK9WDM0p0SRtxpn)W^Eq$l<&0uSMrVcuf#_iGL6xOWWVA`><-Rp+5)n)TBuc`#z+Y^5N}pop+e4m z5@R|MK}?dmkgGz0%T+C;L?4K|KM_r23vFzgzg*J7paqeJ1U|fL2ks8V(pmlPH-kj2 zd}K{TUild9t+5*nwKFh%EEuu{)jV?h>jDBS&B&8X$hU-#;0#GA0mS|~ArcZ-i++9>)HMOe;c0}`+sT97b*bSHwC`iuSE%XRAhhvARFIperH9u{ZC0@Ai4at z3GoY$bWH(hg7R`+2aQ5o@7Zt4h(>gzeYu4D$S?Y@Nw`@WK;FHaq@QG##^h74uy1B> zj>>e!p{&cRMK59jE_aUO23c1fVxuiOrC3~1|7zA@RT*~#%Ux*W=D=SY{N?pD3u7nfJTUI; zRzru1AtjFZzktW?3H_8GgPZpmJzwohKq3K8f^0rV1AMi zOSEA#)94|!$_-nq8>zXGId7yzlln-TC&uwk>D$KrmlZmg0e>xI&}c&DxKc~=94;RF zA{*$Zi#DuO@=v>jlVQVtr8_iTA>S`4>a)$yitJiK5?z;~_22cp)#CeG*O06$HV=J~ zk}!Wm*bu~OL*E)3{tBTLNh%uc*5W8MH&@{ymYHxLUDdwDX)3y|k?Zcse_<=PsG{a; zZQ+Q-1Pc-z*yrWAgJS!2a_qH=NuEu$ub<8Ag0uI)94*4delh1k8k#rD&Xf%SzJgz( zz&_s|%##u|*D5v^PF*M6V+Xn`r(*_XCj*zRl`RcVvM(*Jr~)eaP%#j6vqcP ze?GveYiFSxYV9u93Z^UO2?xG@qqW?coI8i6P3_)Mp@mj{sm3}TEGPVqn_gNVwdMvS zl}v=&5RF(+Qn5iA;(rztR5H zzaby<(P9k!j>&Wu3~5ZDTvC(0({&G+T66S82N6&mxA{oGTAszNqROiJy5>?-tEXY# zys&6q%UQ!Ka=zeUzIuGixkm>et%MK2VzB{9G_J;|uU1Sx?AfANeOc zhrVv$>iK@fKB!#Kny(uy)*IAlUlTc3WT#b1rN;DxXzuQq;26H^c7}l9)XN2W!^M-r zNm3e7(9pJ^R_Wr&tR70O@^>q@MP|KRZkE4YyRb6r{c6L!huRIESv^!6+8%&)$`^|M z8D_scq-#xorHd=hf936~GeD(->u^A&i}@^&Z#~7^HYc)AlJn)a*j!}o!CMQ2F)>L7 z%6=}oyvRe%+q?lqD=S-_#3R>> zqdI(9Z!*KT3>6^M=xmV5H=_SdRjUr1N+7ELx*NO^F`M|{IzFZXoo*94x?_X?n$BKy z->YQ6`oj83xUhPfQF3#)+`jYyM0J@j;)mjTVNlHir>mP*Va#=PmSJB-Ij<^oCO+0j zK6I*O*b9lLN~Y8znmM~DK*ChjWuvnfI6LBgS&K^@8j*` zH=ho-kB@(OceMLeaoXw}!4+227lJ#Ak{z3=(s#G@+n?2WnNL?S%ZEqrPTu|S{?(_~ z`zN1%*goFh*?xcW<6m>$Ev-8vDmw#3ZJf#R*TM<)biONF<=ej;zdinGfBWsH2l6)kf`fS>k$z54i_C2;#1O+AzNN<`ky zk9%*okM>^gADk zl^PdiV*Mr6O-F>XsXvOg_GJlZ%sq@=~G>YP#DT#nc zpfffFZo!6C%D|9XM2&05M7DHniQV4>OYUHIGh~ExX{%p0`zJrX|KTsZ zY=Ep^#ll5(ywZ@!yMOYU9D`Qi*>$zxc}E%+%VlabvrnvU&q3xQMmer zy}!Hj7hc#j3cr$t?VJJI^=6PXvmwz+eIbS1u}qrKh3?StLz zPush1_YbxY_y1~+B}>>25EjJpou6LTCwm2lTJ@Q}nj61?PzVdW_k{-KC$vmfM-kndFW&wqEGHBr+|*09=~ z3CkylSxE0C(kO`A&BS&$pC$6YjY*smF0PyXbz%P3XD@oy{BN5tHlN<-f4hy(jQnrK zoX=1Grsc-hq91_Bfh1~Xbyx4>=J%HK*gI45tWWZm$W`SuHopt&^yZ!1ZWzE7&@>$vSYG ztctx^ZtGZYFwM8J*kEt2+~q5V>#|$%-CQ)hZT8vVB#j}P&%gS}|KuCw*D?V%X~|b2 z?jGqREKaiTF^MOE7;D{X3CbFdT42EVI8B4IY(RKIBoP5+-3d2urLUn& zZBm!?VJw+Kr`A19gv3c>CNQ+hd*QB}%4s9+nC6nx$#FIu(o5ub;Cq&YXyf@4d)@!h zt=gSeu>Y=S{4G)c>B)$ty_*+ZH zLO4xfT!HrsL9pJSy+qHSz!(J@kPv5rAi*XC{gewUO^qQXaU>At1VL3HTPKSOw4ul{ zCTREIShZCvU!){#1>XJ;aV^($C%KxhbvbxOCAy$-j0OZ{ipE$V49FX7Z$kKC%@~|P z{Mmlfj6i z-{H*8n}8K%%UN?ubtQ36U@S*YI(w6P+%Fv)`xAV5l&75DtfxEoBO)j#k=w`*GtNmO z-)fFpNeM7#9=hjSMW*zb`^jH8ZTfN<&u_#9vpSg*(Am^+<4n&>hQE$T8Gk~PVssl# zE8l66=V&a^r1`C)Me&wh6S+*jL1M$Z(*Ksw|7kMfM6B=p|LKe8_4EI&`}(i9@|mIk z7jr(}2H4l_zFM8%j^j@BeHqWI>EuL|m7>Wk%IfXBt1%OD$<9<$T|+INnV}TR@sd44 z%_G&L>LSoDR{EJoU}&*~fuP!*fTmrIR3G5*jHq4RPDUkHG=MOrnTlSDr|P@g%QDjp zhnY*-A*qv*eVr-V8|294|^nW|&3!;BjtFK1)e`E^kI1cvHUVvT`31_r8 z1^ZnsSoHqr4H`@l&k}$q$3zfhU+7-(I3_v_)NFjNF*1^Ks>qmnlrc$W zhpIZ}K)sU8#%5llxQdR!#+jZO*IAZRO_$X?^EsHOYuHAudK72B+xa0#*FRtpF?E3?JCww(V?en;YBMIN9*|@_*m&oH|ug zQ-hkW=}}MLef_R`h(-j4pqqF7ve++@(ld%&fDERXq(cZT%Pa|o-3)*D08g?|>^=Nj zT1gC(Z;DIDjg`}xY%JK<1Ru&JjHMN3dM1H})mTWU*_S)yeZVJ{`{Ob8-}5i*$r8Kj z2XtbMQFRveF&nXQ;KzD|Xx9SHth1X7ox}=eMFxoyFrzQ%)Bk~-ao8N1!)m)s4U!{AoHtWcS81k8W zail(NM%%u#L@p)o4WdHZ3(|937H2?;xcVSplbGEWViakVP50}GQdP=NO<$d_2S8bn z%v4xUE!KcV1J2{ycVD-?vP6LrCaWo?D=Nz{Nx&T+;{!t>m*fyDLvq$gt?yIP++=## zIg;+9`ODxf%YR_TZ~=4y^*O&o%-;{(vG?=O=9ceWw+)bgvojvpnK}pm&XoV~3bohR zVfmG+6)=U_)fw8HzsqRn->Optk{nrUwO^#@@3G6UJw`*=Cx(Ylwcwr;cPGp#jHlRU zrndE&`9PbL1vP0c?@|jmE6< zz&~A?cic5((8M)g#gb+CS_wMTp>C%UtFOvY1eIf_QmY>PlV;dLnB0Yld}l_?I#jo5-zy*j4JAV$H$d1(58>{8MSvwFJfuF*Z_!dI={bnowM zbn{+4;xTt9JT9{VW#vbfqpd>cZpdK{`x)I>Elu*LU5-V`kpY@U?CUCCg6$-6k4*|L zDqwD~gr(z7=hj+EWjjPolyE1tSXD7!Z?J?W^yyd`NeHUdagT)K=tm8 zMVX>LTq?$mo6DjjWAJR$OUHVos=nFRT~XSNVD%gQF>s0T!)*lM(BpZ3AOPGX@UwUW zUga=3gJdO4*AIjLgHaGtdvOUu+J|>vGT`N9H>_@7a-|PPxXHn5v33Xv5G6HhjQ>c^ z6}{D)`3;{z6n#uR-FtU>v=3T9(QWC$^{zsyP-L4Y`x9Xx3|0-A*#SZt(OJX6FrCaL zS2)w{lZ(0#MgP=aIjB1yD_G(~K98c*IYVdCpMq1>bgG{Kg zE_i6Yl#uqXpSwIrb#+kmYruTFm04h0Ti)*Oe-F&ZXJ5uc=`zUS^=nnqU|LgQmzG9z z(a)RtHWu=$4u!!*?$2#`fth2nh}FQ{*t^EakyA9QRPBFTJAIUYYjU)HHk@7O=>cXe zN6cra^QSuz-A-v$lf}B9-sxnmOdnFHrb5*T;4G7by|j5 zNI7wT6oIWmz|D;dejk-ppf{5NpO1SzaC_7;?CYnI9NdHxkLpvi9gBP<`QWzlF?()D zvCY2H*ZQ_9kT@q5u&uM;UgNG4deu9RZ6jCL*vjMYZq;0NtsV^O-7ln3@Pk`5ERm9ahqnyx1~;Rkv>@*^Hrz3 zC6@5K$Rj``IbGc?fhj53ft1MJZjV|7uZM4n-Ts)QIDY)vFk6$l?w9cS(EI_i(EZbN zOzgZm2_VWn5tSQH~kE@_d2T_wcQr1}^u$4ggO&=%An`I7|OiB^3*H~r`%Vpwl> z?c8q1*|T($DM=KZIwv2BXis-}_}{K$-)kw)K7E#4?xjz5lSr$Q9$eO{AMv&&;bXyG z;TBWMi0(_R^suon#RC_Z;?rx|X`RhU@AfBWg6xqNbV4KY4ca>~8wD}U z%O0KhT6Xf-&fp@NPj%F|PS)DLXB)U0>zZx|E2mMoX*e${935U;f#ON>Fy)1Uf3CES zSIy`V0oZKx`GQY3leDf*g%g?~6S@0NBalX^!RpnYTJvH_C`{KBwiYs@maL+O%UiJV z{j;1duN6I}rr2zw50W0CSDJ%TG$%pm(yh4!i81bq=tM68 zzZ$+Bj}QBPeQ1IJe0S^wfs1ePvCV>1fZorCr+g{^;nyqL=L5s%1IOn>$d{LtF7WQ` z(cARA*ulR(xiDuizT{&~3t2oz!(5;_#KsL`^iJlS=!-9eXhnO_ZV=a6bQU2IA*6}u z{3tR$4IRdz_im*xd8wwvk6jD&3K}gkgNjmaUTTua=@hb=`;fwe_HtEDB55E~x~O zKQ(Gb9e7YQS?T2ek2>Ck}B7{}fry6Yp;kUZB`a0i266Nt}%QA^y>niXo z{R|WxTEBM3_2Wa16exLi!^P{;+I1FeAghn7Fez&UwVWG=4W2UG4d?XMB+|DZB1YRE zgpmxYK;p;qw$iy|fY|xNQPkq;1pRq4eRx1%B&SHxKPS_qk)e&aqq5md8TWE09~bUMo$E$K`qS`K}ss zGUY>@o+QGF-8jdS^v5LkaOF;OWuS*BlaTr`OllP~P8gDJ&kk#H9&5txi}lDN?#lBU2-5KCc#1-ow|x75$849?|m z-iX|(!q%S*&-%yaDmO6eu04^zV-t?E2VtfEr{HTXKvXqNm{p%*l}$Luf5Kc!CDJM= zr43m%CuA6r`i6hr+C?47j+jLrISh2oW|OlRJS{IgVJ6wj$qB`%pVi2Bxi$ErcYSxA zmuu&eTCV3sS}sH==Oa(Ku9_*E{CgO<0Nb#_I%qwBrVO@oPi@g`Sz>Uy@pM*Pm^d08 zqjbUqb`bWyJ$~VQV)GHX zXtjMMA&M2q$i;EVeOl`J zb&qWXqsEW=VSvLEr_ak1(XV3{Cg9C6u;;_j;HwKm4v51UFmeybIk2_;dTUntaFGeW=oDb^FR19_zFKIvPky7uuRiT+pgR-L;q?D0@U&GG zD17Yq)U5TDtyc7t85DB@Sk7egO5~&X_ZV2~`#tOV=t~DqO#yUMPV&V*m?(g57el%$ z!1lbp-|4{iyN-0=%RSKG%TW9)yQCXPj@Q3>Ov^AwT3_DDHjmt^QjA^#ZV*jEh5OXx5RGwmp&0MR5Acb8u0@vUwlv%xDL9t=sn$d$7xS4Szha(YE zo<`m`#lnqZ;Gto#k1g)G-fs69AcvEXQ&?Q{iEv*t8$^A4m}QBg#xh_oYWe}Zxbqy? zL)r-iTnB&WFZgOS9PwIY;KALyrI!_M#o9R((kt0HGzysO9t+H==))-|ySW2C6BgyO zl+&YG0X!5vg(ue?$Wsi2$bz~$xh?y=20CE0#X1cOv$$+OPt6QKV_q+T6Uhek&cN~) zyUPi`&ve~aJ~7EK@cFnr@5lcEr5nL{I5Dy4wSUuMqo6ov$tb~)^u;t)+o>a|-h)x0 zIOD>ZAHb2Oj?kn$RT@}B{m{b(A^+y3oo8IwJW=fYfKH+~BSpK{ixbqyrZNXo5GiiZ zT)2sK*4qoQym37Y@Lv}-`QTHrN zxJQj!(ltGh63@coO{S0oFXA*+a}?Vqr2cDRWIV)g*D5}TB=DB}0(2MYA^Oqo+D}}B zT$<2Sauuy`$mtc}yC6`r0I9s}B)ADqQP>ePxTQ3Gy(AlpUp-7z(;AzA%pHma&y^~J zQl0zAbqlVWA3u)aUr-^03gq*=o3F9}yOl>o zi#SG%letd~d&5hbnS4wu=#qLEcG1HcMA5I7^>8-&!U+L#LPG4@mZe)WhAazaqItfi z3Lw6f-y?8#cPxaK02xygd&6C@EOa$z_3lU%nj=P@h(1R8(wFs;z;L06#NiVOd7)#b)K{%f1@duqWO@=3OO zZ1}wU*vnmVd}O?Grz5uMx3OZa4yei-sDxK5MCtiDgBCAB&1|_k$h?&e+|tTp7QR-U zlTCz-ekONjoSEU2-RfIDZ!URaNO?|_da<&rUao}CppQhE{d^c&h^e$^5x-y(2^xo< zYhkVo7eM`|k`0Hz7`p~(7oXJs&!C?`UK!GcJe5P@jD!UU}wsWM?^g zF*TENRA*6{VP;v%ZE&Mfb#!&Rn$@%3Kn$EXwU>z1{!Ag3a7Mr?s8$Es)``Rv^ED0? zC4NpH*oo}WB3Loh96uXc*17z{2rSaruTTCtW+NPR4Amg9Wm)9s7IHnX!fQ%chkb7I z!Z6niC|bJMU#DpbKi~-Q+a-mUbf+6deY5j2@ZgEM0V*+YgK z&WD_aV6CEt^`p67bYLCipQ87))68|cJnKYPma=^<`$8KdbC#=F4?nHg2NlA+;cAVS zdw*RvJ*(4=bQ~d&48s2Sb)j0Iz*_^sn3Pn63hOm~W63S+6^ugEuO*N!)OfKU-4aBO z_{H=c+5m#hz`wsG%&%ETI^x^J45^Tf2+Z6&9lY}1ELx~RmCeC}z7>$^&hB+)8MY&` z77*gIjwvu17}3`INU9M*-t>)JEOnaTpZa>#W-b)CT$C zWuSxjOVe$L_D6$R4HNJ6`$_Y^qo%#L$WwPtyQJ(6S4? z&}lj=b#QjoZE<_Lmsfnu9~H(XU^mmpr40A%smUZ2u@Pr94CuR zQJct7{rkQdRq_AfQ}yewWqC-xqY9#$Y=*`1t@C+08)-6HVsX;nMs)wG5?wpS1MK_vJ_nsL|AeflH25i8}~a z3?-Pm15Br2xpNhvMP)+H9xN-$9;wI7XGpju5B4z^elo0twVn z7$rywnch0$P)o8{-cc+nmw51$h}TYA1&F{c-z)qWZQU(Wq><@#Rh;uY=5$Y{m}vgmfh*LS(qn z;iB;rTnsDUrV1z6q0_<54!LG)%(Cq^_0SUIK&h0w{l|Ij*d1XthiycShz2R-2wMcw zc=0Y%2RAJDhXu!7dI!RDZEq@FnMjg!z|LvA;8={f6iyTK1DLT-R+$!jdfci7QQ(Qu zNsdk=rTAR{g=9>vu?9qLQ=VL&SfWw@XMhR zkUgF8s9o1g(=7CpCd@lW<@j3=(p{AS4y2dKM-(m&PEW?RpdIY6U7A8MITAEey z2^dHu=s9g+!)-#GS{o4}65k%c)#(zFRyHpYkf$dq-B|@BsRz2y5s~30WO~dMqe($F?(^SDqc%lQ7XNh!qUe3;CsHVR zLqfYSRFF7gRR=_7ghAxd_!mx$zjQ+nUBwF~+~~0`V!C(?FEdr$sbGOGHKX|UE&hOu zm0SFMpVS|T&&Kjs$~nymZU}Yn;3`kBx-B(l+;O^)i6_ThK7)tdltn=zA^yCH4kub% z(?Dk0??!l>i~EKIc*X0Oc$nh8QvBCz?uAe;V)&SdiVL4k*BQ?0FeR$arX>44C{D}> zSMiSgxhL(^t?MiV=C!%Qnhs)L%5Pfm- z+jo1divdo=Z90FhOX3WwkG+s`dV&5Qe+yz^!Y9Y0yn@@y1hE1o{)M=#XcLTH3E_MmXjuZ za1zeS2X}4+1#~Z^FA82p+z_pYJVqO!ck567G`pPI+7Hu0Zk!on;iuxpPXHSrISJ}6 zVp#|AfL~foL&PI>?+XJ0~Yg^RAJfg>)oZ`F(@2ka`6=?q`GXNAk zP!{rWB=3fe;j+=0J~f+?zMlCVaP{^B zmKUu{SZ>#Yq0<(E?ALk?hJHTz%)04NB2uw(DR9dl&F|kjO#dq2y~9WcrE1xTFt>RE z|6r1d$(Xrs-DfglGXGIs3!CktOb@ex9P?oP1EJ~OWhf)2nB=hP=b_bVo>6W!DV90~ zwOg247d57H)F>ApxJW)5ZXv8duqxuWDJ!VK>d)=95WN^!Do`Gc-_~7*pBSDANuEG{nmi)#j^ej=mC0`(eOXAuRSd6xjos1MQ$Q zTyIezv#IL=5A`_fuIX=h{+`QZfLEL6hc|V zBB<4Rp?J4TPPoKHWMeb-i3kaG6n#?sa#KEH)E+Sb!VnakxY5VgXZ${W!0Y4BP}|LSXgE6DmLa&$O5 zfp;0LqYx#-8tOkbE%I$%tlx3t&H!%+_K(}fuO!T@r_&D8PX6M79SS{*7~|l~g_8jB zqXZ}J%a@<|z+t}w;Xu+MQG)Y}Dbbfws`|OPVct$dmEMgbqf-NPW=`Sg@5S$qG~#G`gr0t4r-f{BBrgf)O$%J_rS)N zlTCZI^@H0NhY$28Gz9YPMAe6a-mPEqZRWbc6ka9oVM%I9ldERx(oJ$pKctAKVWk5= zKvAWzlM(`HU`ZM@_)fVK82U!qFP8PHlFX?b9h!?)sw1lvuGy}e=kh$HE7XrSv27d` zHMprqn!(Z&K_ic$bZ1}!uF?YczsCmaNQ65>Ug?Jg6@(P|AqVEs6ouYezVI$2kD3bv zT?8SY$O8U7x*Z3bfh`g#3vSg1Cd6GH9QdccChlQt6FGubCk1VczE0k3w%3oVyXcKh zCxw?!JJ1NV7gQ4CuXQGM(m*H?D z(b0A_?}k%RXn+(TyYs$xMf||%1_BfVYtvv=fL7e;+c&t&oyW3n=X9m-eIh2Uu)jX= zr_$fv-+{{B-G3Lg$#$;)fDXP{W_znql|OUZ z$03^{af9~sjs&Js%~L%&_;^o=0L@adJZQG@L$uVDf~Lshz>V(#x+Bkkx6=yX3aSiW z!<$F>M?Q9-lEx>K4BsU1wd(_sAc#=p87LZF5UvUW5}}1;04|jDPN;$t@ZTmCSRoWb z4@3C9`NCe&@aO9ye2{-2-q;+V{~gv%-(M&?FIo-nc!vDQ90iWg197cHBxEqucQk3D zeW1p-c#^h8`m$_HW_*Q37ux#^6Wxe;J@#1S8o7HgjoNxt)nq#HlcLoYX@2Neeo^NiHe2eywR2#E3N`Ao zsGH;uM8u$kd&3;D-F5$*OP^wd8Gi&nWL#ZVmXZAQk^d}y{CyjrRFnW7te^q+{v;@r z_x$RNWBIOM%kd6NqZu? zpvG58rCfl|*Z#y@yszxMh^X;3oewyGAuDX2 zW}G5XA(Z;6f5z`m)wZ_QMw-MO172VH{t=}5no9_}_}Ko55|rOce(c`d`3wX3 z4}gSsfUZ5DT*%#vG03`%cms35B3UM=Zv`Qh!nF;lA=hxam~ahlmb7B1D8_l_RYuX) zry|_E5-U!yS-KmwMqSiKA_U#gWhOev1C;Z4)xHetDU_U3)Lc{&9?wuJIdx@O)&<;! zYdQ39cX_e zO?Q$B!3nJ$ zFsZ}AN?x-N3v~R)&gyNq?1reoj@^yVz&;s6Y-~R-NDyYW9~B-IuYPCRQ1&BeuUwCp zwS-CnEaV(lqy@{`2~|HzCLq&z;5mfvaPOC)Qs1;$@sG313!=2H71LI7BeG2hS_SBF zB-w3ao~I*(PL>Hi2WDLfB|@44I2lq8o{3rBcWhGa1?;b%^WWvc2J?Lg14$)m*x1Q` zvTI+%Ya^8wW_db~=#x&JLS$}3&zRI?ya?5a=47;4F{ElZ#m$JxhL%AG3B}|Ow$Opi21iK59+#F zpDBdklCUcUgmOS_P5HnFqbA&|(sS?IlJIgvcJ4sLK3$rENnMAmm1cQ=e@DU=8%K0* zki}8yk>Q1uCO9%6m%equq#BqbRs9=%)_O~PzUHbi1U>@~Dwnlo?^%Yxsl2~f&>QI$ zSTZ&@2}89+885MZ^r?ng>{&pSLKEav6>nbcoq@6B<;HqJcj;^9Q4oTGGF0W~>e<*`dE~59+O*%xTACjuIX1@R0dG_C!nNAi3ozf;Z%3 zF!@INz}G6(n9SrZ>YJ6PCivN3ukZmWbmq2C7)zQqh84w>g?HtP_OfK=0Vl+) zXtbip%dZ-{7k=;E`lJhdRe1V z7Pen4um0^K%q}>SRHG+wjWbnpCBzG%0KjxRi|9MZz?4cnS*sr5sN|7a2N# zEN~kf@~5sfT&I&tpa=7>u%ksK#9N?r1)st|18ik4)H~~1$_OexL;S-x3!0oW_)l^Z zHGg!o{EFT`sxIY?4ev1o6#5Z2ZU>EpO{5r{RTl$o^C5Zly_9Rt=#1B_V1vq4`+1D4 z@T${BoICYyE7+1FGw<2Y*;fu>H8N;1110A)IdR!$VfrPL(@fRP8r&dWlgB&; zW{Ff`8rXof)fljbcdr%jk=Q6H&1NP9bsV`$sa54Ot=T9c9bDR(nLwNA#`mTIg#hcZ zY%%B7P$BF>^5ZklTj6v&pSQwik*^dBYqo2=sz%xQ-<7a1Srd0#fuVB60;5-4C#QTE_tuzo1&$eQy;9BMg!V29Eb< z8YYa#bl@VpJ>qZkZShz^r2zhn-WiGG!O27r%*X3wer5sJPh{Pe`7HZ<+ zuz{^1;fGFaQCGbv=@IM#GNNWGx!rMvzjHQ8vZ-j2zb$g6E)ZJFEnvNOdl#Iu7{*QP z^lC**l-aw|F=u~|r8Xo5_>t)?5eL)8wY?*7H*7^2OH0oF@{4hl*9U0}0|mWNhx9A$ zNx17MD)<}H^q>e_ikZ$rM6T%?E2;%wuYN<@8McbS2$ATZ-9@}F&tvrAIUvBkBTN(E z!+)SeO#@X?(x?~m2P_JMjuYd`1GC<`b0l<_lXdl!@<6wh5jn_10}_N2_*YVjc-@R zU%LeYZ>n2;w3T@Ep9s@c%GbT%T6Nu`uj$lmFiVQbIy zy2epzbj%pY)yTy9;kA25OZKd1?qpO?nY#b@nM5^nxUz)Py1DLsvpkW>wXT}Av-QfG zGhIt~J9^B*ef;v9&v{Iv$-bHS{>PX$uH_3zFR&}Keq;{Vp3|_H{w1}pGXg=tXxVay zO~_pr zA~9XPH-@7=eXc18@A~!k%q~F-lV(2%iEAKtRAtYWE#Z$oK7A(`E5!ss|Az%pO2>f| z5&*#LFzMKM6gnf`g%0H3gK%NPX3Ww-g~2^}e?w=bYfb53d&M(CO$NdWSK4^RRl{B6 zBOisS95+!%sJAT|+R@g(FC7yS$aP?0G@b3J+x|Q@&#Eqh~7}k56?A)2nVk{atMubse6riEt<>Jk?UERHx2S z9VO-8!4F945n++uE$T`RqA}6WfUL50RBCciX&~DQ-AcjaIL_XMo^TLN#ke83Nrcgr zK`1p^Iwf@nt!@u_6}fSgiV^#eW#A)e)%uSru$0p({N?e7b3XDTZLevX4!JND(>Mla zBNq5EPsEViAOZO78n7p!Cgu5CnLGr|$vcX;>ig21nN>Vt+29=nvp^=A@Ij~sCnnGx z?q8+w)3#Pi9Xmb*q-WY~Q(B{IRQZJ8eShK#Y_b_+o~Jb6t0LT?^lWu9huS) zfmvugCOiTyko%EMLP^>+h#N2n^?rw|WkrUp+pYwmJ=#24pxw@b9F(e<&7E z8&3cwl(=4{zJUDx@%MfFlfY+c;3ngJ-+4%5`;o)Do(x6~^ei~lsn!ohDZ{`8TskPc zXq3uGZbAcQ%Cm_SWw}V4W^#-9Cff#a1qNGxp{1qrANabs)S8l3#(jGKv|#B|YdLDN zN)aYk;X*0d4NZSIuaLBWdr(2W`QKv-Xv#ZEDt)Nml z2X)J6E5$;nVL|ZLtMD2GJkyC2fhC44V;-eeJD!6VG%I0NP11Opamfr<6W6z^=xQ&A zEMCwNq!(H2ickSq_Q5h- ziV;HRP05F{rCp-{-=W9_fKD_1vrw5DR*GP(jN75Gf#}f%+4*ziyN^QPe$GaZ6@8q< zXCqA5nx{X`a}{?ah+_#qNlH8!D?WTG_nO){9jZ85*(li^@^US^7I1rHq_ZM$2z^yPzy*H!6 zy!m6$KYcSLMZf6uUHXccoUdx_{{0L8xDW1K$*d1pkM)W)R(nq*ha7*@w|n^V9bY5| z@+Se^$$+4Pzl*P4j9~ko^akCQb6#`-E){WK66bw0UOfZqf@*d5(WrEW5vgo8RiBO5^K&`_5eFyy`vu=q(T|k zn({6b-v*eX&gQLDGdBuej>yheZ4UW46|3MK%kWAzq(;I{eLjO9jc+2LCXUU~)NLLv z$Fpm{uXw2xhfI0VUvm#?sF21!*Z^i)Fvsr};%9P(V=$G zfr;7VNT0yJ0&dzHx%h1PXOZZ9T~od@7N{^hKTGZ1&raIwp-M`0|C-O@+EA1T9*061 z6P?t5t~3!-tF}L-yU&_!bELL%$6KD#A2T34Q1FYkaC`Nj$ivSZ)el_-edTULzxj0Z z_`)3TS5Pe``2GcCOMa07bB+XiQ<8tz?~Z&yqgjQ2#(N$C-@85tCjj3UTk?LF@klV2 z`Kyi9C=#tyl=u$R;!Xi@M~opPde3eL$z}TIQ)UP{3j2>+*I7bv+T znhv#^C3Xs&Aa|A$Ta?Ia6S2&^S*Yu-z?1EH2cpmw5!f||AO)aE8hTIB_HMq3*oMOX zng36_Lq5C3HCiJvehB_36Ps_CV?~@4H8XlBLo)BrRXO8orB;o-91Us%I!C|fcrx=J2G6j77fDC@;UKl2sm~N<1YP32h;qv^Ly5#VKzs;wj%69YH9t+owg= zy-@lqD<)Ur(Xp~quE?oYUBu&3%uuKpF~T$0uC__t2deFZl4G-ZN+k>IGKjZC9hMPw z{?#T!6+GL$R#mW-tjZ6;e@ldOK=Rq}{x!owEI-I$^KkcWN_02J;GE9sq)B;PiTVoM)BK?+=``akmCBNQM+nIME7M_Zr3v>(0>mT;3?rn%xhV{!H&e3cTV4) z`JtU4&$rgRq&i8D;h|}72-R{bo^_+YIO(=P*Ug(;GW@~@!1HFgHY|zH`J^jwBB6r9 zO&2`xD+RCft4n{kXazXuz;tX=w2qQL{s!rony*n}43x2|vwSaIT4C~I;zIy7_m#ju za;M|Y&fX+LA>`JlK$l^W*=Z$4VZ;p|_P+T((=^n=z*n>#KuoV%^o{)m+544;l zn(M$Hqehy96xQQ0)DZm(EP)?;pt4^HXmH$n*&eqHSTbP8c@!c+*}@^^9TTQcImT5= zWLgnZm_OUI%AEPP7UX)TR;VObbWMY3a!GHPFl!8CbFZ%dS|0xcMOXH~sts99qc0m) z3^cwf$w? zaY#K!#Vh}KHcVE^wJ2y#ZQ1(7YVk9let%BnZqE_2;dS`p^d0^p^!F0dC)_HSff>AS*m|z1yP`8 zS|HV+PDdYCoGf|3iR2O>Q!a2dXd9EYFLn7y_k*uZG0k68Hv(L8Q? z_o%^x?MPYd;ZJ*bxB}_6y%V#w+=g58^3I5qcN4P3k}Q*HEK9MJjP{krk;794|St-T@U>t!l%vkdgep( z(@YUXh~PPEEH+DhII%_lD%hW5EX{B?KtE;Gd`o)N`y9{YywcmKEap9h6XKtnEbB}X z{rP-s&)0Q6T33?L`ZN20F*kd=r+v1FyDfL^I~~U{v3o7f(t@fbcf7u0d9hs7dCHl( zfKWT9I8%<(Y?(*|Y+KepBB8$;X9FG4jHzsotXd*@Aj3hJcpVRWiP+XEa+{fy=q zd|mjBcbsp6=Te6?z(kJ8zF?rBgbC+sAK@$DgRxKYE&qQf{d0iY;J^HGkP9nKwAVqB zUUE2#T;vR6k5Xi-CahXyErL1K1e~M`#@hEklZd2?Jv8q+vVy(jCKW3um6?ixXSs}6 z>^%{0#OLwr=uyh_WzMAb)=FVq#?}d=nu@~rq)$j{QzOXOBl!fN=lhdLd$_m5Xsd}; zhVC({K6mJ51SxNm!k3V^{P?X{AWz8rl^ia`%cDDAT~y(=Zss`zbu-nbk)Y}RoOtd^ zaaRcsTwZoALQgcx;P*zYVDb_l>Fy65yP2w6fk4&cO=uHvk0T%q9Z=HvtoWn8Z|VjG z_!0s99y_?s11`ZH0toS}+Q2W)nQOVtQ!7O#^)R5x(UL1Fn27vG*AW%u&nK)zUG2ya z#u9Fo>nG2awVbFmHZp&syywK*NT{WoaJgvryv5ANRuaZC`Rp~MrXkt+yXlBj7I?}fq8y)@f*y{H!NfgUBt4wYJA8xYOYK5vvul2DC_Gg?`qeP5Ra#jOoi0 ze5kSv&rUJ}MvD2mm6YtkZ?p>n;=dn+92tKG9Bb1O|5UGvxR{~Yxv|7*5scPzlzKNc z_9kUnNN+t_eHMCsGxG9msqg>Ofl39_Xu}O@17)t=t5oeg;hTzfe=ITzPQom6$Sz&9 zNGqMQTc9^1r2w}V*u8+$;h(CPZtESA4g`xzV%dm~BooeOBLBk;R!Bo=^{RFJbv}HO z%Deez_C+|MC6-SY#u2hDb8qojMdDT{!u3lDK0H!D$|UQbvxLv7gd>EoF}84q01T>4 zQ>G$OGv0tyijWbMFa5oEogSLoIJP)4yaI_>zL&Bdg{EO?&Rv#M<$TVg&`1({)Vdcd zUWIpoHPc4Fk@dT+>Jw-_bQU(5GfP>$%JG!CfgP@C!PtGEn4!7^L!X`@Y%$F#nEww) zk({TwD8g~bt~UrqeQ@L{ibP#x(7NpCHfh5~ed!*Z%2^eFj6_1Arx*Jls)$9FslW?I zQYA+E+^vsi^ZNa1lD%oSYZwqHu8TkT3l!|BvN$5ekU*|c%Tk1N!eN_Gks7_dC3z(D z-QV1e{;uae?^vshO!@Cmr@VL$wI9Fdd%Y~rOK0Zhf-okX&n-Ip12L4K4FiOYMcpWl zHCHLXt0ytxjwNa)|Ga{w9|oZ^C^^qqx1P{m==Ol*ip7oSi1QL44>LGgmlAai9Z0}H zjN)XFo(X76TZON~$ShDROv=|($Q!cn*hTVoeWE4S2HpCH9XFK9_rroF8hD$_gXdE6?!`FR##=I&R&m+ zN*yQ$tLc-I(1`mr`H}mO3&KwABXBV%F34;D%3Dk}0Hpj_l^C#62UBbaZcyrQPMd59 znz`%F14Ztj3O^Wzrkm~sZuLk^t)?|RV;fBy0@wLA)pi2X?one#wb@Hz8DTGj(W+II z^?cAw?;D-HOr!w2M_xrrj3w?rJqr&AjOB}o!h@F#n4mWkPRT*bE&mC?`o%~}4+=I; zhE2zROIKG!CQ!Y2b)3vG-wiECobNI*7MBSwCGw^*EgjW>0na-ZE34;*8|?yJfRp~wiBiS%xMv!)Ck4hwVWkez0cuTtC70Lx#f4VWm)&0A z`SXvyv#E?Y+yEy1&2CTs!>fzPtLIpc^gIXs-#yP?Z=om{Cwur&6!J>xz2rapJdYK_ z{}@u`SFfh;u7BLF__Vjp_4VF=EYkGE2LOIGTA!8q{nfF*T)Cth<5Wmbo2~0>^(}l_ zr4qGadVuY#L^>A;Aok;i4^R2_&lg4s8di#tkjBQhC|wckb#ozhx?SCi_uS=@29})xYP*y{{d-0mcQTPLVdx4()9@5 z9HK%t7c^auhqDva^0XiIKx0#>@zf|MowSJwyy1ZaTo{!u>PjOSu7&2ag<`-1F~jf> zPApDM*&UN4=Wli#k}fwkN;Ml3@^uY%C|sJI9l+C`lqUs}IC@$B;T)+^^*A6#8O zJFFj#nOd@8=qRxDC z#nkeJ&G(N#7FhoD-j6Dna5QJ88e12>+B|l)ef!SZo4)l=>KnIO=U&r+V*FIzaCR}k z@tARq9P&5V0eUJls|pin02r%nceyQpY=cDFg9`rfg0$T?+Ook*ffbevE?iB}{iNYB+8AZW#wALtlw@}6z@$GWXkVok_VYRA zZ)$XY5N{~Or`-@&z-oA1W~&T|&r0Kk8j%V&d~_#7d}wrWUiml5_goU{fThx5GJy4=LJx$}H!Xi66lzX6olua?) z1%Db#aud_K{MX^T?19R4|NKH@k@011nk5T@pY=e)qYm#liA1Io_HV%y#>0*21$;ne zmt|-}0~MhZ%QUoS07_oqLZbRe8eSz|Wus8_L5T*SmNYIq^!&BSI!8;am^SKI2r5x4*S9lGJW(#Go>g-y#&I z-P)Nb#g*%R8##O9eEo0BUkL<&`T5nuRrwq78sA9L_D(R>}Z`NmZsIGR8RcI? zGg;+d(?fiHAtZQ*DU41LW42m9wglKF%(pGn&T4I_H^s=m&>&y?UZ$vkb zy!6!awf3T~7v8}J^qP`p(VX6=e1H*y1JHRBkJj>LCn zl@W2i2R3=ohD#oy=VG}~h3v{DyIjuP@l3TFcRUj5!X1l7zSuuz=7`CK8QP8^9eC%uJaxU znWi%HMZ7UHYM_-0TBRk@O2v>2GPw?HB=Au%Hu(g#7gYDEDh^WAQQk)&u@ zdjhF$LLO+ynQfs^3S}4+p={U|f?^PqL4ftemTRGClBN(~`!kqN2CHnEi#cWHy@R5eAZZH2Xo|*goFqsZrGcT_pqZc; zjG}Rx!YG;~Ng9D+z~nWBw5FF)OwpA-%}LnvrYgF(ixWD(674)^P_KSzZwSYtNmI zmSE+1&L%q81LZ1Keixl3Bl4A5o)cMnsF;^vFyE}dR#RSUVX@u{uiOpAL}HN+%dDF0 z3Zz`NAd0cVdo=z=y%R;{iE@371&{>_$r>JlTa3c-X`#;RkHN)9kQ3}s-a#Rc(VA$F z%G+cR?Qs~_1o(-1wZ5?DTToHQ56q@1!^KA1XrA-gsR0jE$7`cOKbfVAJJ{mo4vd_? zMK13o^Mk3}(0ss&L(R@N!aezm;3$IP3`Nn7o*f8-lL!qnHl7^_iW4viqnHB$CUFF2 zB${MPN)ZZX7zQIPq%=Nh!>#&~g@^}Qq$LbuJy2|ZHs9C{6BQ`391Tk_<*8C?OFJ9409mMZf}7Dh1%Q&KBfIeVMwt zDT1Ieg2E93BQYA5sF(bLK?oFQaGJsqgdhooBnagNOwuqxkOWOqID^tOZBMfOK8~Ie z5=O$C${XHS#;2QuOxpNrVVaJR5%b7 z{gJGh6F?Z4fGG+$IUB8iv3c>+_Vo{(&=G}chNdYBv7zHA%#b8OGZbQvjwpuVFhP@; z4LYLIWJrRbt%Mw>2phG8iWIvNR1}dwv(ygyIy{B|?^jNT<-XUCw9mYE|LWS0?OWH| zCr|u(_ruNew{jb=8>C|iM+f)+W-yebY)GIji$9&7 zAQoe^NflZx7YckSH(tqr_CUoUQ`gqHYulf_I{fR;A8ek#0JToM(%5?Kjg^o7_1Myv zp8f6HA8j0IwtqU&CzdPaLOIt=RHRw>%Owdquc|ZHg~S}!@IY<~MQI$x5n7@3Nzg_; z(Y2+|wom=M`PN%2$JbwKy?MRyKiT~GhY050JaeS=-rfDb-a7KHt=G-~uK>A6 zaFf&}xv!DuO5-Jg6?q{GvJrWp^(!kEpImxhY`=bU<(uUT?K2xc~BubrhogAQoE3e_ng}{@K;L?dQLA>|adhfebam zH5Gb5CQL_3jr$>#Hm4Z{NF=TmSUQ z|F`tgWTk!aE!z!P`p|dp_CN2R*!=X{>{t8SYl5tMNuxukEaG>%rdMyPCZ7IxZl-Qe~lw8hHUn z<0&6LGFt5AUUnlm3R4(Ppr}2C%?`{h&WC9Ok!2?)hEkk?#3tt=K@)9VdvW9D){&db zSO2~J)9tnI*N$vnd}-~v6Q!jHjK*jLP)jSN#c>?NaRTU)?F26v#&8%zQCoE}LP=)^ z!>#IK-^fIV3>Edoef9W=2g--10;7Ww>3*DRdLW^`o7;cug_mczjZ52SUt0Tm zy}SL%%N82xMll9Q2m+@Fl*SnZ!6>AI70?us_7^=3qa;aT6oU~A%@8ytA4wWRNSH=R z7^YzfEXmkjz!f-=kCD^WT5lIHN|UH6%-J(;7)_8QL*h33he^yAOcM4Exj2eSi$F0u zi_JJg&?rqJFoQ7!2IDkhv*Q?ng8PTDYWxxHYSnGt4mLm>!L>`NIq9o1^rC=hR=|Zs zK4`H6PKPUe3LEZ#0~Sot|BR0j8i>hKDr*4|YtWs;fVI!_m3g)@Haw<*$mS+25Rl=~ zP;_=CL>uK6i>LrWTsFt$$JhyCJOnpA&|tGTAE;&WCJ~1sbO{G#ED{b)XjgD^rrGoT zis1x?18=1wUka3qEMJm#3nfXErT{BycU`z#R${+6nH!Az?aBT2oex^)zPR>m)irrEMFs7W(=4u)t~N!w0dLvvlmuBT6ypO<*cEB9E#&H zJaI$Wz(ge)Gd~*l)zF#zqIoa_JXgqcj$<+EwH-qH#_4}8-`+lZWBcuQn(J4?+i$$H z{r>g#>6fhlYV(CEVhiH_@ecO{f+BEImX`Ota?KDb`j9jkwO_l8c z)IT;}ZoT^Y$_M|wzn}I0`pdz2)I(+D5jQzv{3}j4`c@yGj;uu?vw54 zm96y7B+}XgMekVWCzVH5&vKIod1`S~d914C20EH+srO~-J=bKWNbO~Yuk!-HELcaa zs#eNBo@)%K!4e**7z~#N^8wy2eB!^>j_+?>IkR>3)b_hCAcv>>+efc$UwyUp<+1il zKO?#gv>D**$>vCON)h+WEP)+UfRQwc;3O)a2&X_Dgun?Dk;U!~RVYa^1ceaF>rUQ) z#$Xagaa?}i$=l&DNs<^090^SNPpbwLf|9JdmQ@bKZm0_ser$B>n^V!*#$T3iZM>FV zeQ*1nBkdPn-a2u0?abz#7biiiM~2tkWSs&hsC=`WDs+vV$gP}R{-J&P)aJ+UZGZL6 z)R6rmi9StjDt?IAl zBH@LEp|uNfX?>_%kMyO%ppIt61~$%66*(fS)3UyHwK!=28R16fnZf&iv6b8BnT1; z99PjPk)WR_6lG`_MNot!aGHQ|oCdHhBBXsVAVy*ggA=laKsTglZg7%>2O}t|UZI*b zrBsAxGZ>SUV_;13rz(L?54@6KnO;YOeORJ{%8WJQzF${(oP61q1VFz4iGO-`0uqj9ss8jKXOercvD5Erz2gjUtNWOfgw= z&1_;WhXsd2wSZ*=zurBv^7+b@t*>sjPQUmBy7I>I*@L-(_K&Z%zj=PPb?u|2?|QzO z7>Z_ailzx?eDa!5DU!=JMH4b<44sNeOK-N%y|Z=ctF1TRcSa==MqmkF>@W#IV3YzD zT?bS`B%xix52_bjLKK#oz)6b0F$$&`dtAavf`(xlRqjZBQN4}8cB;3gB7>4Czj<^0or8&uceda7$p#3!I4Wf4Q?=^!e(S`&X~HTNkb_owtE1%tb4scJQ`u{gPSvq4o2{#{aAz zZ=Lye^-SyZspT^px7-_-w{M>F+k}BS-Qaa#ly<(pSKrRJe*EzMnLp8^?f2epUHp0F zDBiww$#O?jb5-w-&U1dO6!vO|8x|H46GE)3AKHY~2@MGn>FG?kVWS`9>m#}wTE%cz zxLhW`G~8=(N`t4l(M&L*x~3s4&JS4>XTt;O5j&020vt-DQ5$uV;qI}yH5djZP>RAF zeMu1%!$^k4fqtvwOi`3XCPDC;oobN8a0(?bK%RFvP$)*iBt}Za45nZZ0&dH4G8jsr zc!vodCE(sHH}XpC;4U_z6Gum9v7s>UFUp7B>@k)pOr{Erxv;K|wec7Wj7>$jDVrvW z*Vq(?q?4$(7UCV+0PA^<9ZFBn2JD-FnJ}d6d8k<76}qaK-zS5CNS^nr4~>3gg&5jE zlD)g*)Lc-DveJ~@8VtS;gJbY?!|0*l z5Rz|I$t9CQiSR%Iwh+wAa}a0v@rVcVi?dTs#Crtf=tO@BiYfg_ROU7i)CZ}!FoazJJcZ<#V{mBGvrRA(#p%(j?C1X zKj+1*9Z@Jr;G`S}u{X7g)w$R;_{tZ7tsmdm`uc;-v#;%-;_^ka z1H^*Q^bF%`xV1wUgSl*b3oL*8__Lc=u58@3ei8|0Y`<9gC9uPws^%e5LBv;{9>XKE zDf5e@>cMP}MQ&)I)*P*;wLeGmBs{PB^>prj@5|q?omlJ4+t!BM7+IQTm<9U}hT1+uNhVFuiFtYeUd^E z>nDbF4rS|h9}O_Ggw-*rGVFn}aH^Uv#7kFw?cleF@W5TewyMz%lb8tObBj@}E z^!7j*X0fQs*1A)$x^}9q$Oc?7Zgy(-PdY%+qLRvd6&=y%kmTWc{iSyyG%`S?Q=^5n z-UOKgoF7Y=RugYEWadRNM$+-WSbSLCi(4@tSRDYd*!g{7DL&uo2q%k0z1AQVhc41q8hgTNHb0H-b+pG!PCBC`YP zZ9$c5@p(f7KEOm5jV*Gcq&FV4lhB3Xsj?TF*tLjG0jDzxI3sl66bd{{m9Pk-hrFXa z546fS&A>J|1;QN|*vZ8gAxIpSFb?k_#)3o%8ly1+CtzvM7}(A~h^A?bLNVN$BY`Bk zIn=wRT}B6br$}<$`J;sUVjyx%);FSKO?uAay}{N()vk^kE|&+2q-xFj)U13zqyFTg z2dc*hM~A{u0;|fLc5`&GGBUsDfoi_lsd~WV*8%t=C6x?CTl_k}hRA*$Lct(cqB~_& ztb3q$_(7=bq2A=%=*FKB1-HN*?5LRnxQC?CK)@Gwi_c52Bwv4 zb2jIdA!rPNVUp-Yqm3aXNz*ii!7zfLIEmr*S?p+-gb@M;uG~8qeTzACq#2zkGn9kz zck}#btxIQC-d}!q>*$%*izlYyZ61?^L<>in5Wn)e(3t~cAIFmt96F*I%dy15(;q_E8T`dd4 zjJGQGV1l4C(W%@>IB%!wPyT)D?#G?GZcMlZL1S4Q#f?n<_?&OD>CeTD&zcElU`Tzi z*Q}6fw!)_P0x$Bqc$}%~MprkqcD((`wbc*D+uy#n_2mn-`k`9;>Rat2@BNq70@=KM zThYSlDJFH1Z70WjE1J;=K_LW9z!*i7G_E*S7#I&4CmD%@f(e`=a0a760PI6B|$LSXZ`e16uq1K8&5 zf(d9k>aUXQ>}(~GOz!Zh3wN2vGbK*eyN#$k5*X77L2SbI7W&)v3qR#n&L+2hys~j~ z<^0+g+ZR4s{leb#zr#&L;Ut2?DC2YyAqYd^48b5y7m=;Kc7dXsUR84`Gf^?3m>3mI zu>C1i1*({BTSu?Auf4;p-(34{>)7*aNA7*Tb>mp;`q6`H=azm*uYU9EPhHHp2#(Ms zLeV&Ccl#kU1!EKeBTly;LZb+VVwiF#cZf4IgEI_HF*=)=ED!ZSBB^naR;)V~0-0O> zaP9b?Z9d7>%fpM5-6tzA!l8|u_wLl%*WOzBY5n!~H^=>3FMe$UW1^C*i;>cBv|$Hl z`^-5m{^VT$>bb3NKX1Krb>;P~k8VcVU;nrhy-rW(qon4XwTHC2Fb<tI=ZtVfb`+m6;hV29%BD?_6C>3Wx@f_;<)8m+^{376zZF`qUfOuG3u}eI zB+f7dqm0Yyc!I$sj^Sh%>>>#UC286oyAT9MQ3}BkvJ3s5NtH^WuJn8R%(t!2p5J&r z(faAf%F40zm)Bm}zWtRY$?pziy%IyYp@x_@knIGMXj+K&jAORbcr(ci*Jf;#E@H8S zj)*-cE(zra*`AarBuSt+PT2{(2*%I^LLw;L*Gar=LT6HOgbfrTvhhMjq-J0^*9_nW zps{f}H#M0w=D3qsA>Zn0>Y$?>P2&hc;|yUFoQRVIOfeMgWEN*o8pb7VduK7)jZ-j# zGBkxC6h@K=ilTN=7YIgC7>ZG(HNbYP3S**RQNXx7P=fMBn$l%gMFu?3fFPZ$CO3_b z&L%xjI9_Oo8QYxc;k3^hGYQ+|Gqf^v&g`77(d@|ay_>K{H%VY5a62MNgkdm-0Qv^I z=-%GK8yWw`xxZ{*c;nvp+n4S}H;R^(9+)#3HO#3$>`h59jNtm5*yu?TZV+d5$qS@X^x#eI8#MAz$nR`}EAna^7nUfBBft?c@Tw)eb)_xKcBZW?a*soLn&Vz_9MVhysho?b0P z*NsnPJ4-1RuQmPFE@UFmX)szoJGK4Y)vc44*H0~fY8XQrE$`TWAedg{2RlbVjn58{ zLlz#T84K=c(+W%!CRk*a4}|i>poYQlMr^Po zTDXKvU@kP03pb|fc9*^{FrFU+O6@zjiLm}kOb_Ua)h8T1V!Yc7#%c`AQ1vb zWh0giMU>bmibBaA>=6Wt;s{Dnl*IF6Fip!@VLK=Sfx{?)QYg`pXC8IVGoPh~4TkM( zL05MgiO3iprApo|>F?xKw79R? z*xo1&nG&`yKi@umarveD$5&rke|znNt)Jd|vik3>mrp#q_U7irYfo&yeYth=#eeD^ z2&2<8)3e;bcyR<}8ktc;H(TdF-aL7sb^E2(m)FJhE3L0iF2A+$&eHL2Hk&@}^VhTG)oHG8u#R7Y-Jis&irdyloI z5CZR>&aO+;p24BP%qZ&GwHXo(3E*EtsXUC1PU5nf&B#YiPa=ax1`QsZ^wwq)qvhh@ z;-o!C**!vU5XC~ZT+_l=Cg+0T{P4~!sV_Nh`7(#}z>L;LjdK_n2nC6C;Q^x4yXcx6OCoIm|4qoZC3Q@#@Bv_R(9dPcCm=`bE3R zyhHF<*H9T0r3n%xaXn@w6!So#@))8$P@-E9nxY9DLujK_GM;4%wy`iYgA)u&DLkSI zcXAYI)CM{rBLqoMxEv9$`Sh|rKejN2Pbw;2H8y7L`NsC0yBjZTzVv!?^XqT7FCI^9 zU;kkH<*&OL3!NmBL}DaRcHpE@iT}q?IfAph{t1_)Pr8r;O3NMv35jKZ! zO{MS#X@ZSYG>%aOPFOT*Q(LFcw@=;rpZVo;ts7@@n_qmm{o$LLUw`^?ok<6y3Aow(ROb$b1B>+~;M&!3rS|8y+dKK1?9YcH>#_~**0`=4(A@Md`Ri_I@D z9Nvp6l|(TNVQ8g3S?Aun5gbPmltKvDy7_*xi`a?M7*3$}f|nbiNra>*5_SxWLJ$-o z88roC$4;OygW)hRQ18`@<)0Yvr@Py+Hm_XVxU>20SKA+4hBr^XHn{rDvt25kg=Tzu zZM#5JBu4DW+1S>xPgjrKKeBdb`J*08u8u*QD2`(|iO~c@A|y`0v{Kf@E(X+ag>;x~ zDLiEOD?YwczZlHGC?Tt%DH>-G5QfuJu&5hBNrt2mS~;F}$VQMf!eBVcSdncC8Epni zvvm?54hB-)WPS{05Q-sCTMfG#p%EM>5CnJhUqE3BLs5*TdkXJ#Qy48RK8X=9!yqJv zQTDod6cn$dQBZ0kM*xcTy(_VE|mpIu-1u-i^BGzl{ZP22mCP!vHj z80kok84T39!Ft;U93g0mBw&h!5duYUhH?tCWiS{a2@11OzgWolsI!5}#sta`G)}{e z^K}@S4w;sHwvw%w7CmoS@TIp_zG+>$LHuLs^XJCK)-IG+zxf~f@z(e69B$vb+lBUG zG>+pGMcAtRFcJr~jGgL9A{0dvuyj+}lU^L7fKLm&D{8ygmC&wS9_~U|<70F6v1r83 z|5j`khlcH=9^0Q@T0gmU^M|Dq?c*PfcvBH@WH73ZvZQ*yQ+dX0|kEao8PJ z9d<{?dR1@?*T*MQVT+Dqf=BB^HrYm#q6hL1rJ|H?U^i*TypJ!vxcdf*tORsI8x;kbNym4A0W&}nfB#sc$#?rP~lhX@BW!|cNKyhd7 zgE!Hoex0EZj-e{D5+p9iVgP$bly5AiisEb~)oZ%QJjo4J$EyZYh=Uqo`{SSdOCPU% zvvGC(i;Z_zUf%xt)j$8a{q@bIms;O^mmj$Q*4DL`P*t?gW)l&UaNmCWl)rWJ`uy@& zE4SN6&;7f7@_Sv>&(7ry9j#y6x}%l8D{{$7WX7zrxVZVkk*#lj&Np1`Ge_Ikj}2|! zJ$?VJ_3zp@Ub^>H>+*YBSH9F?*P6+IL4`nci|qPU6qRI${+ z4X;e`Q#W2&`(pj{%6o~&{(bLOAhZ4X>DtmO+n*g@ePj9b_SZkHpE7;e8Sn%=dS=+l zKp>y8JkI#4Xgbh2rWphqnaAl!5Ox^Uy-PiG3S*-|axmBlUT}cAb@j$y?!VnS`_o_H zUvGW7ef~(eb?N1;mtWs{`KQ+BN4Gw{(nF^~%iptpv>5S4tb3x{SoI$+X2#;>s0T{s z>ZTWzx3aM4fr7CDVS1j5)dvY*)&mLtgh>V996#9^CngOtH5Y+(4T~vSEYHSN1&toe z3F8=yP!xkd7-HHjLM%oH7QC_H#`xm22U=v}qonEmIKs-5UjJok9PWX*cp4U!)HL?% zu)A~NYPuZIWc%#Z`{$q8y8Hds^Y4z_KgG5_IP&MQXT~SCUp%*YTXY2S+_wKA+7q&in`=GFW?)lC4PH|J65St>xPUETNp1OR_A_n!UGX-p$~#)2Yl3s z2O?(X2d6SZfWf<$F$JSD>9Y|-$U&D{b0pfEJ{!Y2!ZUqvtk_JIW<5|YFZC79G{dC< zUkvtV5DzpyJ`o>D&E_R4n8**!)#l=Z1I(NU8YzUDQ)I0Y?LAh32u}v)3o=z!67-a3 zaGOw1ek`cp=-yc}J{cPhYH!CHVZR|rGQ#A@R3M_)9v>&ha>Q5~j!Xu37aQ!k7!OTWxEAuj~bc~e@7tA50`5o=1O~N-*Wa`YQE)*Ao%;dn1 zR!OWrGCw+t+Qmz+ymiUZm17}rmFN*I6CKnkbsxxcO&-P`(gX)m94YiwQilce=*g*@j)Q8 z{G!Dd3r83jqiKr5NEpUZj0R~NoDwOMB!L1YB26$f0h2J0XWbA%prGUgK@ki>q6AIJ zRe(u~z)6NCX@a6D3MOUsl1=QMi<0+3txIiN!^}m}uH727F@`1yf&}7}jmu$#6)H*s z8QF0)mnkSJML8iDO<^=9+gJ?wy08Ch`^s0r&9A-_oK58ji6IPWTi1rf2!tR}${`vQ z1Nupd!FINklNgK=IKjXKfs!~3(}Zm*9tI|Gl!Pg3qGtr9yT$H>bme=BnoaQrT|APG zXvXnwMsM9^P%EC0X}|Dlq5aV}8>fc;d+YTZ``4duA32)8|7LUh=a1I!v_3gCy-R;W zlpzq5!f^(p5E{iOn6cJ?Mkor!5Q-oOf+9(hl!WOXlFfvMJP;-um_~?vB$Cw}@2eh& zNf(Q|D;K|5>_Gs3^0D#OrJEaXZ(O{0W9#bMtPxe2l%FH>F zxV&;E_wUWGKS5S+AKd!!{q{#6wLbn4q=QyFF(Ly-;|z?_7)jAEh7rIBr&b{$lSm|N z7|-&1&u;v5?;P>h|G9r*>0ETAzWMEE@apAzpK87anMraqgs_BZJWD^~_bJ<*$~{w_pC&)$cGY0>vo;g(;XpFq&d;8fOf*{gl`}d$x_3W6xJB{BNeH z+gQ~xANa@i?W@bzTgP8nzp#D$;_}%(2S(JNne#xb81!)kxGTo#Y!5+Gf0C5l|#YOY@CWC{0orFys(|CP1V?H7Jo`C;Yu z6V2`GXCJez0`a74>)M;ECpNAZwvXO;(wZ4OJ6}xH>=T18U0D5O`Ofy6pRIhmbgT8w zPivRgZo2lc!oJ{a#|p2WYJK``pPjVehUR_4+P_C;QgcRFOk<&lHU_2&(;Xm}uC&j+ z@a#WYm+t;``9pf+oCEYGUz?~ifyKqRz-bRv4nX?%qOrfkWUZs4_KmamKOf0FW8Ej57v?6h zp;X;|uhyyAUnO)u~hwjwk3WNV`Y z#$dbCH1?Lv4hi!^)v<@BCmSB0t`&KHc%VA%pxEkPz3X4QQGTKa#g&LP0#mHzAq5Zl zlc^Ayvpn~A4u+p|7{kg*y52+olNHN@nXKhO8l9&&`)y355v#tECP82ULp^{hY_ECw z%2m$(2H5!SPg~EQZGUuW`O?ad>(8&8SbZbWe(ST=?W?UDCreB3jc=bmwtRO7@=+WP zoBl4RO@FfE*5M?^ignxZtY2Kd{Fjx>%U9ahzSw&0#e27{Uk>Gws{Lh_Z=d>Pp?&-N zz`ZZq*T2}hs}fhI9DH(}UisfcbG)i{GVS65IuFMekSr4Uy)sfh=m{J`BD@3IuYcZp z>uhx8wH{D^d~(q{P(wSxhaF&V-93?CzWvuH*Dkled9}IxTI-!xTd%yj_RZMxwN4<5 zGY(L;KYexO!{zUW|MmCD_Gf3kTh~q`w%)k<*NvZ_KD_D27H6=5T>%AHZJgyh-;b%q-T z|G+0YeVBWAFoePlk^$$4Ej%2@qKx-*s}<$vNJWbx+PYtaT7V((AaSckx>yHcdA|$9HDFYkB#e zZZ(yo~sRxqPJ_2)+25R%I z9;95@eR<_g`Ng62rNXXH{_+oJvZu(v#^d>v3!QmUNJbT8kB#AwcGE&?pz^)7X*pLl@i%8< z13jot&Bgh|kZ7)2D}gU@JPo#?iw|6p@nqdOtA><@G_oKu1qc(KgR)8N0*5$(U}+M& z7bKI34hiRs<5=}mm9iCZltGSR$jhU@gfc2XhPyz2F+zYbj2XlLL%?b=LTw7V9LFIB z0g!kr#?82!Ugp{{x6}kYfl4RVM@i5L0e*)!+pvU|fw=+`P{-#0xy! zTsk>KDW-DXg^8FcBGo}e;9C>q8)$d_+T-j6*a6Y5r-g}ifhnUr2MEV89wUSy=B0^Y z7-K>a6(~W32?#Mc<=|~#)BQ6#sve4TnQ))onLqUC>-*pQVRZ@T_nlii(1L4s4bw_g zdl`j1qM-8HT7Wdn7~u%5Bf_u)cS7mZ)~LPCx0v~ z-8BAN_CjC&!KIBm#j`(@Z=cAW%GUXR@SXlMv9Nq|ZBO?0>Vx8$*K0?Ax7Cd31r&0iqO&AL$vHqdEC>}1mUi^J{CSxb zkG^*2_uO6oP=0W4?dWvd+%e6PfmsxiZ|}zLKmBX@#moGY3)y?5wD(>4_WA6W{QWn- z&%Zd3zy3)Cx6%sSDp^GN$v%~9$TqU%??Ct7#5%CA;7oEhXH;*>N1EAkCUP?P`!{N}dD*ChbA%D@mf$S`Ao z63i$e#pB4Z_*cQKji4P(-kRu+r=i1jaZdAS|6cTBLluGmH$nf-Ofo-ZDjej#k;XSRfLT z9Ps8!PhPGZD_%YUSKt1=`2Mc9{PfP+ne3fTN|lI#O}mqmrF!eFd>a@Nq?9T|@a80i zR6a?qm*)}TYVT(Yo)2y!Wtb5s4cenlIL5?xCWm6OxBIDM^ z!WNqtmGKV+rX#|*=$VD|{LoZN{ET)c;xW3W2EFFy-R@Jj;~Lu_-vWyDscb2?59>Q+ zkgH^MW5oe?wjgWF`BvS7nBG^HSm`=3e7K1jZ;=#U<4~?8de8M+!Y)ocTGVbd!-?p~ zoM8Eu;YuMRH)3`SY_|g`Hrj0u2246nDAHJ86jR%S!;@nP6O+6x1%%&m?o{@7ag3?Bnv@bK~RdM+*m^cgvgGbR$XDz52=*wZa)kx|z{m zUHuY?DMQL)S6iAeYjp{9X-!QMt@I&1i&5I7DD@&M3MbjE9}+&O-qZok>XsB8}p7 za6mE$y#VnPu^I-^Iu<+rqwwn3`l0fR%caNnN^j2o=9e^gc>Q$t$K2b$tS=XC9*+8V zY&9aArwq&yp%M@XID$Y^oYP3`x|neWd3?Iq)+;=kiI_OE!un0Qjs1nEuk&B76c0Wt z?7Ub$bSQu0V{G-j*O|Yh$VR>O>0LrsT%UsSw8NsK{@SJ0kA>qWiaTG%gwX1p>2FCa z2ULI@$77_#2}>w}0%L$k%>$H*xV6z)WgEfSKLo5JEk;6*(9=?QaL6$xF%UGS>{9X3 zyH4f+CIHpBHKoL_Jf=LvJX15wrI7UcTbMsv8^|@lylf) zlu|4v%+_>L-`w0Pl1gn`+v0cSV{cdQZk*Fu{DoWhS9h169Gxm0e)Y@T^M#*nQws=- zl6BmgvbdmIx{mV{@s#5P(zc9;){oBQ-u>BJ+;y>Z?eR|^@0Si=E*!g=zi~7F{#@?J z+S#8f*_Wyg%Qyz0N_|S1zyXFRW#6=~5#QvLPINu&p0qkT_kUq35|Io*bUq~QJ%)@& zfI`;R`)Kjh#kCJ>=L>f)=U#EEU%tzKIZ{6VqVRsXu@7nIqFWqb0RS9;u=PAyi`)>M zCmF*CV@?pCCj)77A`qQ))pv;6fpT{3TItf^!tM*%2j!zbt}T~8pISMReJM|nv$<^| zp~iVruilh~Iw)-c;dqJ&55+AAxw(0>IVfpBVc(bE_T)~Y!mD?sI|u*q8~Z@7=Ie{{ zx%>I!rvjk(;p#UkY9JIAjxtW^#0r3b@aCQ@PmTa6qm&?yaa}Nydlyqyf6dlu zb?m*pReXH2u>7KM?8(}p%<k^r-AFW)Y-o#gqaPSH*LSUs`hh*-v@4ko z8k{W3we>?@C$JvE5i$W{1s&x1^eJ<7n^4y08}tiG0(~KVgiyJxxd}ZQpLEEl%ms?) zzm(pcYH_5asKkpN7;$)A+PWiMGp+F{xX>*Oc*f;i=<(@s&7kPIX1Y}`VspdZ;W3Hd zH#XvPwx*&DX-30S{e3F+pay#__D##kod)`_deGaanpMlWOC!^Upmn?1SQH6NK#U_Y zj&=b-%0t4{qj2iSnphQ#Qdrq3WO(z)MA{wgjDtKcRGD&Qcya{BVJcL%?RJ`F4#EoM zk~Ck6B4uh1ZZqzGfXGdzLCz-aTqrvdeC@MPX`yq8|rb^A(vyw;OmzN$l1rFrBpM- zYf_%G2{x|x2d6xiMnN+Z6C<-GNio(o8M|g7$wh2pA%oN0D8e}~tgg5N#YH$4&2k|I z?RrVBnMPPkZ2|37mEV5M?Oeb7U(VWf{@{-ENrqG^9iQ`VmsuI$QOFZ^&* zp;m@*B|Wwh3PxG=cvh=*k{5UR?1jSKr|VDStM>~RPt+?k2}yHHg=-h(D-sap5haXp zm;zyQJwqa$;d#fn$V)B!ZzKgZ&$W$Y3q%ReaLrZpEivcSmevCVtnP)mXrJoOfBD}? z-B3xgRVbqy-v#XynS4LOftS^^$p4>Q<*|&15 z8!=WiPE>=weE^2k3}e5Hre5n_R&_qRFr_=Zh-;e8@E~KTrwjAVGi- z&jgO&lKQ7(g*|-F&o*0a3kyp8G^^LzA72Q}YNPYE>6F56)(#Y}e*Sv5aO-IK(AD0# z;)~luBmRl+{;+Z_bH2T_K+vU7&W@hqgU9(>w~BXu$nIu^!>{r;FYef4(t6Sg6LwNB zeGwQ66hnyq8EP4&!kjcfiggnog)6}?-NZ*hERy$aV}MzmCaaJXNZqfuE@ z`i(xj=sEYW=pqsf1rjdYxFZVB;s#(4n2_kx6nq}lHswhar0CVO1gF3y| z-SYnZrAx>1UzW3Hi*J`#mx>3Eln*@2-pHIPTzbEHDtm0Ww0t4|ylM|AX$b-V0LLR) zw)0*9AwvS7H79;Ma8OOe;(>hl62&|w3^$3H++AS86P6mBCqZR14~u)>efRZY{`B6p z&)J)6$JSoD|23R{`g-nfXUPM&*Y$e%v{UH-|<($ezA{q@T~eSWm| z>Ni3c9{71%bm$x9f5l(o&mh?=5I_VT@`$I57X%(uqgEBLXq|tuBNm zlV+1?T7puWy^64>*Q113x`)g>bEHG+iD4Psav-I%Aq4{9YqtuQE*DPkUjO{d^6}@t zEA4qClg8j_}DKR%Vu>qi8fL8L~vd|Iu$}` z2|fuT>7fxstZh76_US;fPvx7{OtP?S4hQk45)#M`GO7&OjZQ|)DT6xJgz3g@(KwTr z1R5|8PiW(Qck|(aMU%;F7?Z+!0oQDx279@ZQFAn4aLtX^(e6H#pby%nYhOhu7MhCB z>U}YdE9#q8$79|RS2UUoEzI<(4ADewX^*<1!RCE?b@8k$iLSBQ3u*q@W~7rrnJ28l zsMgh|vexp#+yCgUuICH#f37rrxE@w^9Z+t6!=z zsEM@Grg}u844kQ+j0uC4y|*D7Rh=X=bG~_X*w@%u8}HI$3rwL!LpZ6fL%p?;kBKfT z1HTxHS=9-D^LCxgL6&H`8hl%4n&u@`)3`!CU(NJ^)8=lNvL@(2pGrG6zF3_-!4Y4d zYDz!S*ahS2L~wXww#)RQ^@oKMH@{mwS$e;F{logcwY{Zd%aQ5)k7qLbGIx~l!msj^y4H-drx-+4pyL)VKJ6-9 z-a}S@m|cjKzUlJWodd2nq_|Z)SR!cM7SoC$-W7Cdby`ZFb z&KeJBt^M0{IS&R}PBlHKrg7K7^J^Us*U$1I*YDhb&2AnK(}buEaZwF4t_gCor$(|MBvmB=s2cy;Q#CDGn%pm5H=UjfQQelzt~TAK?Ia`H`5~HpTX?!VccOgiNcr&(EAR5BUKHMb{4Tuy zps~n0z>s0mg~a-nk(vHjr8g}!umedMo6s^zy-eOFEMMQVa<#?!(_1Dyx>1SY=V&B^ z!^DVtrduM_o}O)_blaynuqZEI2`C}}0a|gl$e#UpBv78`DRMuTg045XzAV>^Z!EErznW?&gv80mgT&~lMBo(^M5aD=2Dm#Wg@z^FcBaWth=&obkZ?>! zeZ3bDMkvSeJdz!E!~{eDs~Al(iD{S+$|_=?Vw0b;?PYD(u%33G>&!wu%&}KhJaVn@ z<#GPvwep>P#XWZh|512%dG3$4f6FhO&OOXL$)CI>WG*Qveu{-fDBviC5OEw32;n)> zViQ&EpYpN0iPG~M>u0m~yHM=7bv1wM@UL>aM@oD4t?$kqFTH+SJolz>dRO_~ss8Mz z(uq6eo6F@J?-vV44m5m>aX8n?ANo9ZUuVso&z)JjzHw*m>DsZ}u~6~Y$IKOx%@Y?_ zd--$rUE$G%^#iL13Ky1#SB|cpTt8M`Ue2ETW9De#&Xamo047YXmb!i;((Pz&<&fLj zMfr0%5F1!@0|@Wkn#0Nkk$+0xxGU~adMf|^!1_}8{Hfg2k<882>-MNIE_zaqw5o*^ zuU7?vqjPh5m(X%^V$mLS_fOcdGc-0WZ4c5XXV`*ldvNXuUHRc(2VBJ?`!nZ?udc0L zC_Fxx|8T|?EndGPEr@Ed&Tp12X#L0U^2hIeeYkNizw=b%iB80bgRo08*kW&)^K#bX>O_9D?=O@`j^Mpb!cifd7o6?i(Cv$@zf= zD>Y6HHSXwBrcod6ANBy+xMz)7$DO}W8i>vDY(Bd&(<&;YUUaxqOc>Rg`&1#5&)2`u@@Jhso$BvXIS1`( z0=(@@*0xw(W1KBMuki(28qxCF46bn6Jeo3TC2JT!JfS@02$X^yTu|Mo8ktNaXH5&f z&2K<$o9k1VHkTBWMz>(p_Nlyqnc2wC&o+Wcn`{jfNEhC8*sU|2ArT_8x#r3%u2;21#t#5|j>IyP%ouuDDCyzD+x9H*i!6S7a01jCEX%rTiHfUOerbQ1xmci!LJ2}IC{ zkBmq_jjeOiNA(<}-eyS6772WU+i9pTlpWIdM#9F?nZdX@Bu(L4pf2Q)>Ayrhy$ANl z`SUXmGDoxLLX(mFt4DC{pf<98|5q};{cWbdrS;esoAOOGbYT^|^n_KD`FI{|9_e8f zPW=Xc8h|jt0C7+$g&05xkbqztJx!d|C?pj;=Y(Sr0m@`Gf;(4zrW`qN?dVQ+j-Z@o|Ac`5Ge5;uJ#N3!~$lJJ8OO^uy;R(VmD)l(& z2oA9UDgR66W%0s^uQygc<#w(d_Lt6IE+4ruls#WOem#HVa@X?103i%1AvIFS_SeBv z!UUdxHl^^S$*uf02;w+~cwR}bnPZGFo>S7RC7eJJ5o$JZyHYq{6>dSgrP{C1!oT8k za)K@$8uzx`cEpiaIWLV^$c$rN{JeHjt8U?SN$3Q_u;4LnM_Cwii18e#@$4wgXbb`5 z36f0=1Pluh0|u35G((8;1lH7xx5!5zn742|1jemR-CDLOYAk2WzZ?KTtm7N>C(M#7;ZaSrzhM9nqcX!V&v6(d0mx0`9&i!q=)j|92l<`9nrR5P6#qivd4l=qCy7#g#*Pi3Fy zUCsefX};=m(BP7~yfgdy>y7^?y}JFkxYFArka5+Ra;f14xe7rm2J+f~y@EgpVVIGv zUmhX?k01vLM*)Te)PmUCyl8|13^orRQubqvML}(%^L2I1yA0==@Q!(eIz5+cJXc5~ zq^7DTSy3=n4Ixnuwu-t2e2s;;E!HX)5r($N8)eNP-RYRQ!m3$)#i8**!63=g6u7A= zUxcJ%WA?Vx(TZYpwID$JK~ET0%<5`kZb?D2Y7pVJo$~qD!lCQ=_wS0gKjlw-_T(;X zoKxj*UQFfgt?&KQU(08n*B%Rg{aD;}seJHs=IHv}e^^#u)HEx^j?8qZ^lD#r*ZRrq zwZG#~_FZZD!Rm#~nbP%hLhk;*Rp_qR?VEuA@*yOKZkY3*kD z-lg)n`!Ij_;c$N6&9$Ssvzgt0DBiiR7IP)NlX^eyQ>EjY(dvmdH52Sp z`KO$=pv|y7`t3n;c)H8rxYVyLh1ZW)UK_tYT0bk3WLwR>-EMr>Y@*5@8JIN+hB&i& zVpS779wK(Hu;^(KydxY$JdfJwxb?=!a9~zGYAbti^~jFgoBYwoEB6}Upcc9>I z1yARrXei}IeJZ!Z;29IQM1Tw-0aoG_TiBs_0uTjNqHDQ`wBogU2C+54Jb(mnN-=Y}#~T-Z`g9|||4QcI`X`sW{QhcP<-;NaO`^KXz}8^wViVQ z&YxcptK9`)n3#kk*0gie$|u9)?z#(8$%Qzo8BM!pMdu*}pTm~!y@3?3mK`09y8Q4< z`TC{O{=MZVH~;ENt%_BSK1%y|E!nmQyDyq3NEi28&a!H-VRl1qy1uO zXZ2*r<(~3wGfH+k;df0t+u@TQ20+ht@RR;vH^9l_qSM?NB67xc@qXyiwuT3f#5wKo zfCabVXq7i!9}%G80}FAZvpFo)DCuqBVQPadt~ah-i+VpfKI%Wd1v z&=UPzB#_oL=-oSxuycH(^8mAPZAS7o|`h*yxhPqWZPFSW5zP-=K5Vqh4fHbo6CwNXxt-aru2JLO&&_xiFSBz z#5)#{lh_(S0SSf|=VDe6uY-8$sTude%%}o8m~L?~KENf+Gjd-0HrS1&ha$7vMX(T| zJTI^cPm&Bs;xZ4{{KM6AZ%Q}qW+IrR7jhJ0KuIn3sg9Ry+)yU>LKty`RnF;B*9>NW z@R(I_5IF%kjwd|g0N;g(mLLdBzyJXRA!8U-M7!GZdI6!72s|%AxW>}aHh7C@44yuf z+B~40bwpB|o91NFs0&AZuus+F?AcOKi*Zz-7z%`kgy#f-tE4K+3Tnj)dv9zU%04Rm z_`0zB^4I4hxs&As%hGc+<^e}A$1w;H!<1D#ztMDbx&epQSOm=j>Z*NF`;cP^57UVr z7)qp*LxUbPCw|Bu1mR>nE_zI3*Ekcr_?dXj5adnPDThxE;!7^fCY-|>koIgF<^v2< zfdfKi$)3Q!RSeuP2C&KGbbDtM}`tYEybn8&@)1Jbv`{i8^ zxs{y*%3vN85C?$FG(`+z!~-Z#LDvfa;0VEdHIKOsm_tCoJmq<5d^@5YQd&n$^E30Q z0sWZBqiSnpsBQ~%+R^i$h11WAd+uZpuJ0@@zb$-jT@M0jS4Ztyv4@W_tD(LXr__Ux~Fjp~~=_xH?n#A~w3z0Z) z>{Cqy*pRn+<_gd21}0K{syQLsDanS!m+_P8vRyzHVH>y z^#hAJx&({tmi)WjrqaV*kx1#&X;yyx@~00c6QvKYOQ-KEV@I-i2CKWQ`Ma;CHkQgy zKR9&t=>Bo9V{$an65hZ1-v9NTFSo3a%ZLPlLY`w3141!h!{KY|gnmF&W9HGyk)J-l zEZu#RdHVb8k<#^(D;NLF{WiC={QOZe_oZ;+W#R0XdPA(FHLLULwPvYKy)ZOxC8DBp z7gi1#bGN_VpXZ&$+aK01{-Jn(Z@nlQ0`ZEHeY3be{HygR8$YbxSwCBT{X^;L)#%*% zo$tpgVVH8A1Uv*B08k(tLL4vfmGeZcIf+0Z7!e^bP>R6(AI4&L=8XFJD5LDN!@7x< zlW=pe|9$Q1SYZ7XEZp0hJ=pS$g66WzF)z90UG%iqIYAsDqmnRu@x+PJm%aHXFN%jA z&aIq+>z{s;Ilg|qba$!zd8gw~&fQkjPsQoRqyhh-$BCEFB!#`n=M+{Q-&tWE=r-NAg zq;&`jPcN zMy+A_Z)0Evr{=f?DG?mv7#1j~@C^U2fRoA-BIraOJ~7?h?D2*uMzad*fKRXKw@5k) zIV?b)VTQJ9;XgamEQ7k3Q|(rG;rVlSJkx*7@BW-S^wYcdD|@`w_7WV^3O`=|*u|Vo z#XWY(t;vxD=bj#x+zrk;+v~Q@FHX5N9;F5C_G!b$oiShTL>CQ7%zAiTGK52t`;KlV zI!F&$EzzNw;iSp5py^YA^q662Iw|P%^6xw{g(r!BXxyeZ*(9&NSHKAJgh5h6rT*uA zCHj<$jE*e~Pxh%CQ{r_pI5@i4*D?a>g<)b!dizuTeIi~i@;z^DG{n_`*QLw1ak-rHCkagv=BqW^N`8Q zyYvFUGfH8Vu()~vpPe>Mbk0ctJQ5JDD)KjT670dr#&un1h~p_ni1F3d*ATSS@US{) zteFq>goNznm2;}{hckTP^|{RJ;?n;7hZ`38+5v!Yv)Q<%`j{}_MQLdZkU%hIyud^a zFsH0D7D@H_cdys4m-l{IfB(~`GjqD)=>xfwxreLA|K-0o9+a+JN-UO-J(O<^!jy1; z3azaP1SKtjfP;Xi6o`{E>=WK`{iL)hKfD`SJzwEI*|s?E$59S*QfkY>v$MtB`z?O~Lu)Vk^KZ^u zSYhuY4 z=St7+{k?Sg^xE6P%lqXApKAA;U}+UuEuA?~e0QaAE-VOlcjfe@!GTE;ZG||zK!eIi{*3oOIN-qe|CgW z9s-Uha$gj;b5O9LunbAQh}^F4GH=LtnV0zkmz2K%00fQ_fOuKK*IpnHfyV$- z#gBk726+f;a)n!FAP9nh853B=i7C{-ymljPbK$_7wKt5k${O0qL<0x`L@8^PcuY9M zPyb{6N$LHS^81~oFQ5OOeOx?rxA64s zU(#ywE#}h9qRH)P(*O4$(%hP+l#UTl0EEK;cUZ?4XALaj4F_AMs-|UzZrU#p;-*qa zgLUlOvE073C&kk@vahlabEp3Ew=4Ts?*F5B=fvt#hnY(_p7KP%@>0c&@jN9QrzBNO zFb_dP-FvHfi?G0ez%b+~6abGoDxYf0bCfbdwoJ60PHN^tKIJT0JU1P7V)63nZON%! zU<%TYxr=K@I&3f_9-l7E(j7OM^3BVcd--Dz3%BP`9Woy=K(Iz;&F(!W?Hh)xl66P@E80KrK=hb@Cez#A$>OWe) z92m+TTs`uye=VHalRKTgHIx0E|KZxo6U~TCE8l;PQjQ}GwYH-_oRGExAPN!10u{Gn zyhgPnQWZXbQa84GIREs%Ztd#op>NX=?ga#3$RMdnO~~#UU}_-PGRZZwmLbPvzht6k zZp_*U`6U;E-IG)w{G~1@Q zKsd}Z(j6NBmog`Q^~e0DAJ-0l!!Z|< zP2*F*NMM*@p0b*%bIWmd(|Tc00GQ)>2)W9qqO?N>I_`~y^ZQF5PZtip-?(X7Kd{hW z)hcY;{}gx+)cxa&b}u!;nE)1jgATQSx~1!)Lw|$pz^S#@a@AVc4$_GQ3pZ|&*5ox* zPY3Pf3bol$3lUt@n_H{#pt1H!key04;YH1&qKt(j8PZUt&|0596+I{QSd)XtU8+RJ}#=LP*%$lql2ra0kq{((NI5=vda}%wVR1e^_uq+=51b!j& zRvIO{;?iORt;NNHey;TZ)A+5)g{@v-)6E4Hcm<69sWDsQYSa>&ZCtoyB9ZlWzk6tG zTApkma{&IKu=Hl-wW_pqBX=`@>dxfX=lMq`0_9I9N>>j3w!G&f*Al-RaK|L^%X-&h zJ$TvWo$5e8pq&k-1g*YFR}pXgGZu0AbaO-9=H{Ch+ik^Sk82Qe*1bh3VL+cXECzE)$q4PrW2;E*h2mUuoKTFJJ&6LaGGSBI9nB z)5-_0j*N_&CcW;eh+FL}Pv>m@mO?4V69!R@?Ww*6#U%a?L@*6*yn%pT)PKOQYz zc$4t0+|GT8Dh0Aa4lyEdn8@*C1Gu?4@`{P+016dq8`4F{H6R2~#xcxMh7hG(HJx3u z^=!Cf(TUCKVp`Qe|M=st>W@+aI-?pT3GiDV1 zAL;pS9*B6Jg4!Ck#p6K02n!9@>y}SLfiZ%4*03{w7Pa7-0OB`GCc zW^w}h%>tiQq0LStqi~_}pIFpmoR)HoPC6_9vE$H$c4}&_iCXC_Q@(jwf5YWBh3BWI z3O{}v|Go>2%9aDVgym8}zf$LF#&B2d6EGc|YQ~AyZ4}5jfrAV+C=L}kFmZ)uh!6-V z1*l?DbQ`%s0Ku5hS{1VBfj1VI3k|nmX9;}^oDdFRi%lAS;w`;9i{qtzAC++ffEYuJ z=b3^}1aJsqz!4>Axfc*hAmKS)UR4qR4l;~!xgp+l;Z>e!d8^afnsBt zc9@4p9HLkpfik}+L3y%IzCMVR@88TX?=SAVwtju(Sn>6XnYFh@uzIoh>C?ZJ&m1Z2 zyX%%~3g9?O5v=#Ffw-A!+CweTFaiMp;g+_{O8qMvM@#z-%GE>>hcK16R(zb>BB=-S z0099YaV>^vDY*8g^yotI%8#Y1dsm*VpGy61@y|*EbuN>FT-syX9hy@_Y+xL!z}w zd4WI%F=7A$iU_4#^P$ec08rq0OevuPBM9+~tALo@P3Vk8e-)Omtn3{x?%et7?LbjB zejzRTTH@3F>QE~Zq@9cTMkY<|Xb_7^3$sr9`%&7Gnp41>cI?x5rkX znQOx|HfvPRk2J1$f5_)u zjHgn1qc%C;#HkW80Nd<@cB&(B=E8z7-KTPBnYA^We*xKN+R`$+guoVK{%vOV!%gb~ zqblKW8)!usgh)U&mt|wUb&ttIRtSgEx@0oeB=+2V-2ril0>%_D%!vRFcb{rUkM~y_ z4@(Dk=5`fs?R5V?Sa|kYlfQD}>yz@~6FU@XFexKYpajTii}4h29AHRZTC5lFJYpCL z)v)ZgwV5GIIoK}h7DdisU0cq7zjvZf71Xrii~UsSQ%&j<+Fz(tMs8AXPlozbNe}NZ zZ^;1wA&)Q=5JnJg8kVeLJIQhY6wiGkzyJD@FTFTbes`k$@Z-M|bMAcU^PR%-_2S`k z#bq`?S$tkW1Chw!yG|Ks5moas055om%}wR zG*exh>kKptrqM;)sOT}@{1k1GLa2Z}^}hx!=1G4blmce)BZi65h#$lv2|3Jm945BQ zA%FqLF~BSET7<@Hx;WLjJms2l1fgg;oAK~;B4+4snaopPzl2xb6kqIAV_441NHL@of~{dz0W*P7P5^`_gd#$S9J56wJ{}1?F9=fUY(zR!XhNYG zY{gGDC@<~Yu!Qt7W|$mx2ZV1!&N^}w)KrOjRXcjJS4&UMXAi1#7xJg>>Nd`=zRx}i zu6^E7fAW^8m1|(-{5JV01&TNbC__+S91#c)+rOE1o&p}Q&DV(#FECC33_;qFr@(5$ zLsqk~Po=Lp+U?evRG+FE?dq$X_rqa9)51njWdW|5$O4qgIfEt{!Nek&m0=>NF(`Rl zvSNfE*AJGy>`#@h9scRVlW$_2l*>17av?&>cntZ9e1jYnV)^6?+sg6m`>D*q;@(SR z|6W+Wn7?*D@!!RY=;Y=vtd*J?MA>IH?q@#dkKNDwIQI3~_xYy>GjB>?p03_2UOZL4 zy0d)!R$)M&3;K9Q02t#q z47!hlM~LGf;kZ_GHn?EcJLe6&Wk!OX_6iUI3|TFVx&~6jCmmB#{Pg+O=qUD>6ylOg z`#u&g9$C4bIr)de#|!!0KbBv=QNmDVv!6t!-p10u53}F(El!nhJ<+c}D_nV1-v9EK z*`uZ~%Rjua4S2NeY^0Fmq%t6&zF~JzFTlB|-QDz#+ZH2adaS9{I}`W2 zMx#m}E1;AR0IJvM-kj zga@b=i7vMkQ-Cq1gtaAV3|O7YFWAoaj}NxIVvpeTEX=nQ?hLaT*g>=o5C9Q_jLK`) zVIY7C@TvIn07rO+s37lZ?gfl;xS~SSMZ`Hn>KKy`I)D9WeQ9;6bawYvnN7??SWDg# z2-=?rTsTrbLILh0qv@BX}UsJQ<%&Ak}2XYT!VN9pOU(wXI%!ifVb z?=#1?mvB~(qO5s_CPQ2t!pMv-*7l^%<((5f8k`%J*d8&x#hXGiZr#v~Rx$XU_G{Sq zxKi{xUlV+9qor;+ztzIoY9)F{?E09)Vj1hex~+4X4MrgPk#!)Z(3IXDi2YFV=7V`|4HZh!$>LZHXc0TuDA6i6S4d zrt4AUv(v!|+#!xU%y|8xZVnkoI(pq)gMBLJD3VCkRT6Jy<>3aVaa7ZGHJbbY>|+gj?S_zDI_zN+u`!QOyY8u-`NgI5TV~ALbk{L}C=XEu=513pLl6SSQ(QYc z*4G~2sAblm%(IOV6DUWKj361H0^|i+Avc!wp)mjn5-NU-tprdh4|oU>#Sm2Wjpb>N z0iXm?z@%bwuKqT!o5QB=_x7paLR@2UIa1bE_nSHqE)gJec1co80CyqB`R;I=s5HoqdQw?6J z?gV4=BYX|4tCh(E40t3+oT!1{rF#CQaO^?x!pYUUg+qJ)vT|i(-|C~algjU&qZC7k znM}+-A%sVSRbUF4pcu^Y93iM1DY{<71deck0RT7-BLoCFR}>*U28eQPN_2>m3Hh%d z!MBL{$HG82@%}b!ovlWIw+8#Crc5)AT4*E$#nUI()ov>&(g*UGepg3S`cd@q)kr zfEZIi5JxIgzJ>z$k|OsI|9_yR)i`~3men%O1RA%*L$YJXj{Myt*$0J_?~`jszJ4m- ze^j{kG@jZadRk5fY6vA3G$Cm%YGXPvG82-mX;hOtUO2w5eCOSN79QSS`SF)q)L>HM z2|+>xt4`1R9nwk-mY7TH(XjD&Qof5lTXiOCE1KyZs@Oq$XBbbre&v#Wp7Xo0BZ=KN^?ptL=HAlsC` z{(Urm=62!rBkA)xbJ97c#j-yt+&hxlHMsixx4C!Or7hYVn{K(}lQ?E31i>b8){jEV{EeYD*-PN1b2byH_s(Tmv$V?>3 z>4M1KvI6v}63FD4($6eLhZ0TRZrLD$&hB=LZPM?y3^e{G^0%|WF>4)e>e}JnTy(Z@ zwnx2z)VzOA3q=D4ec}O|Onp<3MN%?Sjztr(`G&h14gI_>GKu5{!?E3gpvHb@cz)0j zHg`KBi5MK4sx#ns2t7y#B|StWrGcZ$v!KgZ1UpR4sXenv&3xT}keN?)kSOYQh#-u% zvMe#BB09Ce5R9ApMvR&FRQ1DXCH1{EZuqV`$~{PS57(6D{pZ#RALPbv+)t1tKNMjuNnbRV3Y|0#27-J zvPxcTwL@IzY_48Lc@98?TAlRsmaqvn?$jRTc`OJ7BQYzMYe2SC$T5Lq1Yp`ytj?_$ zq@@xbFa!lG<^oEY48WSGy}7#EzpwmdU+(z7tUk{#J@~JUvuhtW&gXBvDV=*PDF?E zU)~Jo_Wd?{ZevgB-k#FO3kn`38FYtHo&pXqMQ0zw3^UmHh->(cZG55{cqR+>6C*SS z`1(gzJ$dVf@VIee*xHKsPs4=0e$c2RJ(~RKr-N%B3$O2I->%(SxmfwL0$(G+jDkAt zR6DN&p#VZklu-U&z(K+>zUK1S0_h=?u?l4lgOpN%9TUqIGQx)}bB$v7^?cZ6wbLgyR`wh~o)GJfeWKF$`51u@OcB;~;~ynz+2p zU=rixgwl-V1Wuq>z>0}!l9b%?>VKti-*212o)0k9x z#MkfwSw%=F00F|T_~&{l!;AqUaDWK{;UI?cw4;z?o69F`k9+Cf$z>XIE_QTqWp?K- z|Htan_p&57LU9ZN_&?w`)1bntzFFDy;!>U`n%$trL7Y9hGxbWhN}icdz#zo z;Xmar{kiaYf8pM<^_xGvJx|L^mxx-l$VMZ>p{aB&zp9?zW}F-d^ows*liS=zo3wTl z4kV`(DsN$!a#}1?E#I76THPc!H}7t*cixj4kXAeZ_2Y|HPNC|xtEJ@+<(Fqf4VWGC zdSa4(ril}2W@760Dn~fav}JTi;`v+9s$-FsBSp;UU(}ms13oAYM4F8+3`R#L%)lr; zX!M(qBN&47?FWo_OB9lBIIX8~JeLqX;cUs5u?lmGrv850x0uxu#kW3{Gq_;>XHFj0 zbab2z2P1OU_Sgj8uDu=V*32HXFS?UkTiJ7=;YCT0nZZ4xSMGAn{Pd>D1f6lpGKbzf z94S9~Q+m8qxb$Lum(Lf=-7VZawR*RB?tJb->}LxK15-`#sJb#E!-Qc#V;vi9VszC7 zdS=j?)+`K|e-0lBde^PvK<{zHyR$*dD;2^E|h#=-L5-_C=gLcm6wg-m2 zqqw783ou6@!;ovGDVSI=4@#Mk0o~kBH#bzV1-cM4BW;37%)h@DAMY!ky!+p4kAA;$ zzp($p#_8hTC$jYmgaQJogeD;@OnTy>Ha<*_hnzs_nhUiaJ0Xs%)ZeyDbEC`SyRNu>Lw6|*8 zY*^Bcc@}&OdoLlq}wRoGL6W|BnhTtiD>mxN)m|XJ2+HcdvBf&iLBN z;`5iQ*VeB1^AF$r^yNtL@!^dJjmMq255G06o?U(4SGd2s^!|o1f8=5Q+NqV}zgoXr zd#F{cVfOEE_2K%>?}IC6i%0io?tK5J#-9q8Zxt?HS=(EDc)4+}c<7$$kLA7l%7<^2 z&)wa)@|)n=@it>qE=W1Ed+p=)jm=(OV7$N}AOus&@j$2<>f4G}R_0{|Jb(;hPEax> zdwHHmw5sB&5?hl0f9C$YtBoYfABX?1SE2EAkGr~?>4=QTj7)XU{7Oh@7YHqY)YCI9 zp%t{CeVLv)Ua^ghcjJAxv5m{Sjdyd70U>xDrR`lj2Pq|GN-2b^tDo=GsdG$*GGkxv zz45u9%Na&@&`L0&D1Znh2|EK*x_RiMn`Yrs95*mNnc1tO#)f?qg%jJ7N{+sdN zix)~qo~&Of9!49p#g*bK;b!RQ;O2~&Ow(G0J?hXUBq#`I!Z{+8abmi&9(2A(JvI;4 zE-#Vk^1+qOlN(oR*X|V_7G8XPym{~I$Ku`U!u{H&%?;X6(K{hFKWjZe+K56n(DE}2OxtWLs1C#vT$slIV?*^J8DsLl_z?uihEj-0vc@w zBp${Jl_+DCGU=o{6vg#phU)#>bouGk+Ox~W<6BoN4`2R9S$c482lWsF2pQ5cWOe&D zV8~(&P*433(iBSw%aL8t`(uitX#_9>Ie;+>DQOHO$1#9VOgnB^JmBA19HJPS07N)3 zgHgy4jCD!@9D)P_niVpW$Egud$dK!dmbHGufD3PH*A^_LM-P6#cBgdb-qx-EDxCT0 z!{_wc!;u~=;T(b-i+S{CvnE+>N)^y`njB%>2a2LOp;d0&qwT1Np>*ZiOr$b*Zu8k+ zOLI>PkJsLsjp1Fuj7@0BKmch#mcI{=^Sg*h_9$F0U47IKVvO@%WljVsHv8>Un%<~l zUBatG!uQ9uev36POv&Y)ksk8U+N;8i(w)bp%O{N0XSe>Xdg#@!3v;{iT@sS7d<&=b z00aaR3PT2B%&{EgNSDcprDz&+goY3kjw7UDAO0CJnjoPN#}Ynnn1pSKgB+kC1?kSc zfjMl!vm8dGn`f!lxo%R9rFJ~l*Wa$r z%YRq8`)KvOuKMbvW%F8T{^{iAU2FN^g|Ke(NeAdycyLihj^w)Vz`c;VLyaA_+ljJu zDdWbDp73FJ)M~ct`%-1sN2dF{U%Lpu-+ENpccuK|c=hf6^4Vvtooq^-&g6IGy4IWN zjNgnp39t3N*sEheY4s%|ZJMA_lU9?@JCu}myiFZso_6O0K7#}X*&b~}klUDIzj`F2 zt#g|TQN>A5jMM1j{wB0ozXPl|sDR4WgLA|aZ9T+nBL*-}8H4H$ zGZGk4o}#ZoV>LSD`%ZXZ157Z*Hr+g$XKV3E?aSr0o0Wz48`t&}-xnX3_stfM2Dj$Q zuijUVJ+3S-7<$q}6AA;+U~}s_Um2DnfIzATPM89KV1x+S1v@lhDMT0mS&D3{036Lq zu|rdU!Vt0m&>b*gQ{cNgK0}0HaBC;>KDjJ160{`JLlfG*{5uSXxBsUR3kbt<+k0y- z{+-g9+0FCC1DUl~tG7BBLlB2C!y$$vEX@Ew8Xm{}7()gKq6otvj0nxrkVT+@z@3>1 zdBfgF(iN&_&r1*kG{ZrTq5#W5LUV-PR@EfX%)qVDj!qN5@mu+EAWdUP1H?&!n<>EI zI)4;@f7Ajud;GL&q$lo}X6gYLSShM;YP;cxM%(Hu#{$F= z3LzTRC6q4DGZr8UGc?x)JjUB80>MHkRv5FxriqYA)er)DZqgWDN!j`jGxjyCpad>L<#H|o`&pc?$5 zJYLxuPPHEE85q-e(C^KJ?agE%XxXjI`9~sLPH*`JI&Vc2$if$?917^B(^)SBDZvl* z!oyQS>hF4er>L;XD8Y%dGqj0cwT*K?OWRZmh0*R&^@1mtmJT%$$+}S$=g4GO5ir@k z@n!XX?ZtdA1Tv;EqFKOD45TQ)uyyA@UYU)0vQ{`sSv^8H^!aq~^yPoG7gVF2U^)TY@AL?R!P(slCbG<(W40#t6 zF+Mt)kZ$$E+rL?zug+c1Ru0YAJ{;bBURgS~xx9L9^=0kN`;NIr6ON&_kGOv{555%B zmrN3;D(>NKqI;b~;hW0KWtvb_(G~1pfM^Z))Kei#>(MZ-^SI0qwpr?ts@bU`w5xqk zvdX((d4t4g4M+~n=CRs=#nQd&n{Q$1!28u3)jO|#*nC+#_WHZd7K=f@dm?*!cGu3Z zUY0er{`TpH^mcDXEy=te>|_}ek&4wNZ83d*-6YtLR17iH?nuSh?2g?|TqI3}qMSKprAdW36-9#~bC z11p=?Hm=kuM5KZ>S(V1TTVb+~qim-F9LcLQ;?gE3Si59_?$Z0CmFGu(s2+P_Xcgq% zQR`08K1XMXHcKu%+C%L&dUXzkyRBanW+XkOYCXG|;Te<0Hx`A%5-N8r;8N}AYisl+ zQ*xPkDjqcqHP%Wj?bHvCTk{sVOg|INO#-nW?xZ3Z@8TAewH<2*nzWpPzk`q+54Kd{ zmj5kJ+BB1xaHMAhhG<*esf@&EK^ClcaKhg!i%FB)8+w~f* zs{t+FVv&=uk0(VLkm*$;ew~I_qS|hE>AYRl{h5i;@_#jJkj!NL$waX0`;ebb1dX2P zZmkrYAvmJ!VW+5PF1l72kO6-p#{XGg0TTKnA{3?plyr_om_UFb9}vBzJ&q-PJ@|!n z34zfgtR9^hiiE}bD1m@bEG;s7qX(vUlzH7_2>;ACm3uFpCVZEI=#^Ihw*8U@@#K4SmUn2RJ}O00B)9%Q2ARNF7+& z(=b92LLlHU$I*~5gm8qDGK}aWI<}WhL~6!soQi-&t#?aLc7|a9;z(V$=yK0zSdL`~ zMLNl}?Rx3i&X^btALXYp;RA8n?-x#YLT_teh!IDBD<3^pS^D^OapPe5{<+oTTeGE4 zZ#J$L?`_Q)i^tYaPtd)V1IKb41sk_$ok0>1gE*=&-6ah0fC2!r4OW_dRvC__5dw%% z^{^%kKvD)iNH{cc@Kkg511ypMH8kC2y~nRGWE98xAM9Rwl9hh-pF@>c}RawsdBJxDM9E z`sbbr7n3q)Egj#Rm6Rz#q)4&5F;8ts(tvDpWuo?ZU-kWxbXYk7q^S7$&!s1~Ds%S> z%Ufr^ukC+puROlcu^H18#bF2uz%)k~3bFOAOTtDiVIu1k_v!&P#~XqY9nR}M6+uKP|?Xg7+-mElB_1+&wiuY=do)#7>r_b#bSlvk7>ek?W)l0$rNnDBu^74LidMbxE8u*ubm6C9R)*I!Wsf0iS|qRgEp}PT1O5GRK_kh%TY>Y zOAj|ad3q8#PsP%MW?x=12;qmTg;&(({nhgui?Tm>sDH^8k8K>;c&8}b{C4DfPr6b_ z6OO{$njAx6Kyj!pruG8J?SOXWScX9?)0^K9vUpp}MYs#^8nh4bkaa0AoN`!T7m&+T zeo?ko$F#$w9c*UFi}7n$DsSJiYwy1Qx37=3?vyXhuCFw1S*0PhfZ`Y$(VR4`G{OPuT*Maru|O)^qAAE5|e!gOdx0U1#MO$8YmVs5b)EhCqXBv z)0gpF%3aWA7BDQ0=w9^R0}NnTio*1+fQS^LXa-U=K{VtLObd!u^3#i(Cx2DFdAWA$v_y`B z3Y#KqcO{}(seCo1XNSmN{xe-Ye5oIj4~8Sc1BCTN!u|*uONow^QTv3h7c_6-AL@%x zyLY_suJyEWAQCEGZat1|9HA=D4po<5Ri8awJz6-vb$jh&Q;lqj?5VHs{%RX4pL<>U zbm9-W!Xi_8cWvX8t@h$=`Sa2B%hfAq`5ych9{~y>Oc2E(24aK=CN$N4sS}AJMh!9q z(JZ1lj$#0z`6w;B#LzXU<9cK0#?)WGls=tgT&1^9)^2azU%y+pS$+L%<5cbL<Oo;r!?4aoR9)c&r{E-~H%|zi@1a37W>WZfZFlCzp)qSVnoqei zUCxxo5IfPMnR|a&eO6igFjIK(Z>0~*>vQ_Gd$j|1|12+GzU*6V=p^LOGEeZUX|$E*y3Y*_GcGmvgoN@=T=@W9=A*Q)BEj z)(fB+2Cczi{kCCHsdIzc(GgMQ65rBYX%9#y0=wxfonO0iPpL(~mxCrFrw#k%G7l5rIv8fBJRT%* zwI#_po9#+*S$%M~cR1hmKrsyD7|95b7_u}2=}z|2>CrKmos_m)+e3pxn!za^ z%FXYKS({dnZG`v4Xp#f$-TRyJ#aXkhw)j?G{%}iOUO2e9SbF%nbo%jV>C%h;NOC=c zKn_5}5WtZ}c58XP=W2uE#ub6WzNa*h`Zl~4nhc1h!A#LqhSb3>Wm~}2SY^B7_tlj z1P~5$G@yEcSa-OJfn;0oz=*TK#GBcW4W%&8jLA1f>!Klvxn?yp8yka(=hi-qiN$x z+AusM@Qm(xTN4|x@ewaX_ccRqN+m_`+kS&d^tz65$z@6{=<#Fy#v||GW9mp>)F3*` zWg@z8!*h?nJW1Pi)H@ipDf*Sd4WukXAHK@~KSg%SJCmgPuw0oDn_MXh(E9 z>5_gW+L8|9^&K*&m% zjdJH3CrC3bgNDU6)w=6Zc_!T*_dH(5(4Z=(v#?#aMW~&}bb7dz2V?EXVbJfO>mVI* z73$8@yrB-WF_ofSi->jt#ehOPY3#@<_49(TN_nXXwAS*|YyVn#bh~`?y|?(ddf-mw z*2O)w!$*9z=kIn1vMO|a*zw|@W+{rJ8AM|iGBlzgOYay%RTBgw)|8o^Qp;ru%ixew z-&id%okuR?S&K7fgN~n7!a%CH&0<~mp%XOrj?uz{Q}Wf8+xN8xUmU2ZK)bfKx1<4c5yNE-#>kMTsd_9&&5ZP)yK6X zPb=52Z5}LK*gU@8#Mp|Ft^+bFf0Nr}e8n+6MdiA(Uw_==d&-GzelFB{_P6bSd1_dA z_l6KnScI6)tGBwdB8^C$=t?TM?CR3$i+ttc>%i9S&4uDz_5P9H{BLFX$?CrK(!Qj?` z%9|s<`EB|2V&P0j{HWx?egyHmJXUiJE=DSNw-xLhuv@yKP<6E=rI2nx@-X=QYK z0uFLb6}T6&)o+V?TMx);oNx#fxNiZv##(<(q1K<%go!n6=b};Y=NUs%7s2S~wL1}V z4a;SmGA&3n$z{WndW%V?$a)w-x)19Oa@puapN<&R=r~o=cCiBqvDIle=tAbfR>FAR zW(!Y@N7a+9q|AiT&!vM=_fV#1Z}w}W$(e1SfAZw9L`%dbyuohx6tUVbvW{=9bddF||p+Pm}RTW?n1SC8(uxyx6d z6&_b#&K2JXGLWQocSV$WQA)@udZgn{(6@(%qB>)Uo0iM;9zk+o%r}8Mfc|?Td*rfQ zV64v^(2nSS_IUZCo)J2lo+LOdmxa=5!B63kG9Z@?33=etULu#pv6*%UZ3?MjR3<0l zoovrz#(Zizr!g97ZM}Wp6qdT~0NN3jn%WJ59PJJ$Kq1lv6c{wbvs2n(KP#8TLNRk- zss#i1d)T7`dN?|b6B7-9ZG=ZBXHqUh%rGKh@605FZS$JK;S7J9b`XlPDOfl-qhPV8((%aHM$$7vK5tMq5bNb87}G&XvN43TuZv4ew( z376kL4I>dX7s(Pp&Qg{al#{6lYXuW0j*7m6Qh#;1BEB0n|Ic4 z{IK=3eC}vre50^6}k?%b)Aj_F~%an6TlOWDR=ZkptCt^m+OCuGcwU0 zHd+udxBjM0F$sHZ)T7o>CM+FjtoW{cY~D7#dS`8xjfxlmVv%WIw!{BlVHtEaeg6l& zN$boGR^Z_j)wT$O9qqvmS}xne?GYP(Bkrg}BeijMIW>$BY6|OGW}^-_gdwFt%eish z)zWsG4hFFR(u!WChP&P|T6b$brmbm@JC>cX%n-*nI07Vts;q5rG>G|U9sjS3k~X^0 z7!!_wx&^fhC=D^785%PkMz^>F8>P){sT@udqrTO5a@nxW!L#Tz@>Ha(BMLz*Ca+w! z_G$C(`XPP!)A{n1&p&*?39K^$ zOBkB5*WwZYzvMD)WZXNfwg_Jdn1wIcqe?qF92C4DB4V}87}Z*XIx1zdPO+1=DT8tF zTd5Z)mH`kqpfysHUhNS~c$Y>n+Zm3d08KRm0rC^xQ@;LrWc79V`I)V`jrqd0)wlZE z@fWqvr;UF~%Qc0=y>D0uO@k(bPRE=lkYXSO8y5X;SP{k0kmCTxyRbGhh+*&1Yr zLEQkiOS3gS;nsvhs&J?kLs!ahodaeyZvpm4qyCUrIs)zxIbPVeexUT>akg^s zY4O?rR!`hpd$zi?e$rWb@U-})w}n=c7$p1s-zv)=f4%-%`SsoETg~@Pst#sSMAT8a za(ey1*2B%&@`-bn>g{J6OVwv53iFkt2hwW?25TQ4l%C&RoBgdcNe9A^;vj?sVv2&O z5zLi8wJ`11IhAoijW$!e>E4slpj2sl=q8r7$FJWL|ny)O<+T2>!?45(&E18!FZ7w8SzWk=%@Ez zHWvF-Koj!~b>`@|sA+dfGE3F^yHSqbnp>Tls$O_gd%QHFU7t7Mwa=T^YiIBFDT|5^ zO_-oklr}inS-Q#V!{=}@pwiQGgG#5?mI3`^!*x^k*^^keDOx!SeMTXU0J=gU`4`AgRp zYVXgN?tKWa9sc^h`u0qp0+ZG93^Z#CXc&PT`%<6pk+WSQ1_?hDK>W!s8ZX7IKdfBJZeqG2a-r+(jqDb3_PL$dR z^ZySI9opk|WT$1`K68Q~?^6#A3w{wTw7U-~iz}iZyZfVlmy`=nSR(0;)S#g~7k3O) zn(-!l69HjhQYT?^X+tYvhg*zYwR0+_P4;Nx>c{n0^2(iqe_Xp*Ir4&D{n0&8x^XAF z{$X==7Y$FblOw5EuCq4Xw<@yj=^&Ryl<`PPl&tp1Wwaw;)T@vvJx(V~K>`9Z*ybIS z%M5YV1o3oth^QZpBf_A)+)#Q%N3`PsK^mRV>U+d*ZQV097cvHj!fYcH^^P-e$FUuY z`+l)uq%%DRaqr*CulB8)kU~-Cj(Ljb39sNjQj-_c1{J)5RI~=8?kCnN<)K-pEKisM=1Jgp9s#r1}@X2LE3Pnt-o{UfVn?Yc9xQ$lD z1kxsWh6_W7aSQ5ou9Sif&h}!=pK9`a5UIOd^Ig zlAW}9uCUnoHqwQLrNb((9Vz~ZYp0IE-}mWEBlrb|H!|jzmQgqFmEW(dKUsY_uz9@p z>Gk)Or}vA8YR4D04hz=Iy@#y}3|6ooYSCet`jsCa{)K&19w5AHDi!?Rf3@o9daB>X}28i-$Jns}GLW z_AM2U|8=TgtJ6m0iU*={nco~XYIayk=BZJeZrrB!wgd0`X|2*58lN#uMbxdt(P0#x z7?&Ct9UV;s$8GU^z}<;s7$3{HVoABoZ>vXWNibUH%!ooRbJsb?5>A(LA}5y_CoH4G zHh&=NhJQCrLY=2s1b%=lvm2U(I@R$m&<}`3UFZjGJ~b+rg_SrtZWz>9G@{)(zP5pDuqjZ{P;RE1&7d*xyjdt77}MBX zo+(>9ara*O$ff|3e#%0Lq#U_SW!#;Qe*44_z$)xb9eLL@2(EN=*CDcl$q=o_SwlNA zXHOykMVj*(qV3Q!y*Up?T_Z+^%4idIta>!n_TYymb!5h=k@DcL9y<3kg3W}qxFMlQ z5yC-8Bh2)SHUj}>SwuswE85HqJ(L_W+9ZR{G;YD1Q}MJYGslc8K)af0&6}{*FI$&u zUv3qT{d#Qea^=do^;6ZG*EcS&t*rjIdAy-Z0a2AIYSK}-)Hdk7f}XpXIKKs?JuJQ~?`gyR875GIgD2=y3} z0fr#LLdKl8eWhxOlk|&K4?~WU!UbR&}9{Bg-aaeuuxO(Mvv9FK2!7AJv zoT{wwaauPusvULq4qY>79qi%zzHwx{GXM0K_J0=#%iH`=y7In!`E=>(h3di6g^#Tt z)@L{0mv6rwDc$}OW2&$2mChXZ)y_TtpTgVfr_Wpa|6IF$z0n+j>lwo`ETIsE2+dM7 z!%>_ds?CmW>lh)3AcYwOSq?x*sBaIi93Es^e~*N@OzVNy#U*3ouox4<@b2|e^dS^s zD2x~gI@eK{@ks4zjhp_lyg8N81#L49(PpOhGlz@24+Mhe~&@ zSC>{MS09zn&s7%o34NB{j02rSRP2=2lFE0o33Y=b zrTy}okjR`bgvoeSqH3#YbjMyjW-H@ij{ zNl;J~3BgNh=Rq9DLBhbEI}f|PEl~h=$yB^Uj^w^G!9|8WVqzRNJf;ujMR`*cz$`(S z>)3lrhmU+8h*$5v+Bjc+f3tS>%)b}UMM@`cCD$L9FW;@*ncHCt;uw}CYy(Kw9S#ga zLSw@Fbx66mvIwydqTO-m5X4}H#gKu3urv*u6iA&L5T+1^2&{((ZOqe=_^xFv$WYrd zEh4?o2Fx%J(75|-aQ7Y|cDfa@x-mYwfHf2!%&^JegjlE^^K=YPZ0ze>PhsKTdyfLy zt}qQb$w3%^gyuM!g6c~_=WTv++ z7p_nL&*qn(-aYt}r2Mvi?@y)WPsL~DL&vz%)7jFS2Q!D{umc)s@WMCHPTjm5%3@$nef&idrmt;(0DoAZ^6 zm&#{;uD3+r+mH`ySP;{rPH$W&rXaH!6VF{uz&D1Fqx}`k{d?la} zU?`UA70Yk{0>S`{5yG8oGQlRuPAdnqP@0L2WjPvvrY0pt0Jg2{(G>4g*H3yvG{X^$ zw>Po6s>BE4>LvhVFbf&*ZL(7m&y4RVIu&*yCaHYv2(qi40y$;W$e~o%i{l2r;GKvH zYx~Jb*#y@^Q1Vv3TrXb!U3C3X_0pyCi(`U}{qcBTDamDbSW|Wr zMf*Bxm|Lete$YQev}2<}e~CbbF%KI3Y1-21HQ`X`=&*T;?!|4hr}d|GLNDPqp*2Xw zMT|IUv!=rJK>hD#5ry&+R$)$uL@MqzG{fgE88qQwyty@eCCh0j#^ z!-JnbJug4F(F-F@Gk^w!l>kUX4ncxAEDewzfDB+5#5RmOeO5aM3E(J91CFK%VIfnu zLrK_!AORF+=+00AXgtv66QIv=4OM1r(&V*|Q+By5JCd1HjXJiK&CIk;F0;A4;dIt+ z_e;19=*Dt#Ss;pHGn2X=@P84V3mr^MuwMd5pD<2OW}M#&qaUCF z$I%4TL)Lc9A_!QPB^X0SJdLKuLX-7NPl>6N(@zQJk##)9xW@%~j`j2%VIjjp%t|p8 zVZdO9VS0p{z%+n>rJ)qz&;Vo^ilYJB1&K$jFo5B9|9lhs1HUisOh;Zj@Ui%AV{T97 z!|T=0w(vUFO$act{;pnC2}`RViG!@}#@ zfrG^#b;XayW|);Yp`Q8ccxyS=^Ey zSjeDWFZp@--o48CQ=@x4YxC9F6Q$+->;1g*XJYOVs(CNd!pO2LOK}jh%-_?~Om14T zlE3@&U%%e3JzF%yLK}Chk7g_HkFA~GIBqZWi$};!1@oSWm^=V#?YZHA7|0#Vs%&ZB zt~xTHG!IEbsW)f;y>{j9@2gKg*M2-#o}d3+<;HSp=~DU1hs`HLh0A@aY6;FHCPgXA zn68#Ov0$ax!mv9UXA=|(|#W^=mUxPO*LuL#Po^x;`5t zLos`wk?=cWjP&NIM_}VXdHLAJh02?2<>Lp72WnTI*KXc3MEmWSYM;?Wxx{JVjGh*y z45!De{=9h_bm5Z%E|}J(vnFXKliK^`!s6<@F*9~JS`rsJ-NSjs3!{)j2xleuiN2AT9 ztqc-RkWgx7GUK+nL%IL=IBqErYfLVSIv8&VhJ!%#Lq;xB5@j}*{jNKYPJFJ`I#4(N)I9fLg(sb9wV%<;M%=+O6}OUn*}_Hg8rQTw9wh%`R@7shxdax_0kx)u&6F zk3^qKqpnp+Z?Gc?<^#@9N1EHyT|di|mQnYp;p$@L>Rol^>4DWV+%9Sn;ouZAIFac{ zMiyhPBPrb7y`nJ~1|zW;qDBQtHvNpAru1H@o1PLR3-&A#NKNb2d%~7ZNr$321R21C zT>e2m1ePAXS^Kb9eSW&|Ve@osV~$jwovvKERG2F~uvAaIjuj8?qJ!C)-K>J~ak)%m z1W_fco)*YOJ7Ll%Jz53&#iqO~&NfuwB z+3TCHYj01je_6lYXLi^*`-G@rI z?i3!Zzw3AO>LZC^(3!VsL?2WpxKU|OuHrp;Y5s+=eChh?#ma-19<+ATQ@;A5ved6I zH0>2d)E?@uQu70S^uQ0!>-ak}6@}qt2c%M!g4m;ChBcq+Am_fj2k`_BZ-u-K7-|O{j zTT8X)Z_97{^*Ycb{2`kt$z&SwiV{+GGRk$ycM)l|Y<01A_Puxg{>B4cbz!-3>0s^F z>8&&6Cri1l1vk-UHV^fwk!dnzQv~fXvFMw&DpaBr?B&KhI32_NrpWd_fJZ2QDDUhX zU%|x4xI+_puZ?OY#0)y4KH7Q=nVTEEXd}@_GQJt#wB!cR29xxfjY-o?fDH#*&z2m5 znVJ5xI60`zd$B(m28mx_%35X|p1e=mpSOH|)?nFuy85QP{BC@8aqa&4=dZUbb4PsZ z$4W;Z{i=Ftf9ZWcpG?-A6-#?#bl0Au10#~7X7jGX@|*JP{KoO} z^)J=sXKRm&`}-6v+B^qjOfE_3yS7S;v>imV@u_-rrB4BVv*^*7ol%N)Hh0`O7&Gl= zj;d&{b;RpR8F!ea*|>)SHqd(3jHxi)da~P*BP;2P+Vq;u*zkWaLQ-ovYB+w(r3Y%jqSy%p~kUp>=#&ntn|_= zJ}k{YsVy8FE`55rb!+2R?a{Ns0=s&BYpzef#)s4sPVp>^PGqO12F2FOU^G1ya}5)J zzurR5jA<~KRYc{oQLkgBwNgbhOrb>zUKNidga6mmaT1sya#>2L4h6%OAuDj|B^uo+ zCo8jAQ}P#+f+ylG5$}h{`~7m^UitI0&GX%#iFPpIH*9I?>DMRgPb)7@{AuIyF63rQ zLKo{u%ET{ zSG%YQoiN#Tj*dj@*lq?gI2kl#!g5)5THKbjStFN4M-$z{B^pvi(u4(%ai^y(T8XAJ zr*6?BwanlUa2$dNqE25kI_HwhBE!*4VAMek&h+slYuxem;??CZHASvvbx5F?Ru}Bb zv#gG6+J$EsCf&TcHo45VUG7vSK4?m3e15si!02dgLRY^loo2oINx3Xy{rLfT1#xr7 z88SYY7bHX+N*jrBf+)O{6$pMG&Qe$@%)m7{Vo+P5REXao9i0?pBxVKPDLC)WZf{P# zrXe2kE;m_)GRRDT$()q;TZfNZe2g(gQ=`6yrGvl99HQVvRI3|or|sU=&8SL=roLRJ z7AW*maO{50Z^Ap2Do`PcR|kuLn!i!*`B`vq3CXQXH0^}tjP#nw9c&w?cDAl8xmZqHQJp9 zHeD#6@=tZN-97@R=&puWF3x{_U7deYd%4uV;S9w=mSZUjK?ne0fxlE2p4Z=%ge`G|h7{y@ zL~19z4Kox40LL^2NixP7!$M3qou2w4T3JL8f*ef%%K$=4JMj&090eHyU>l8})%Y?z zYKPzWTRTt#w*x5%07pUGsK|Dg>dbPPYa(y3wNlJHEDS;x)j4DZTfBlE(^*o3U^>Vz zooF&T84by0rMKq?ONY;uU%WDI9HKYQZe1amP5o*9L*wjH*uTwN|kFm>1%8s9nPP%qerxbyXoqs4-y~l z*(3SMlk@9$)8%JJep>mkd8OOmqSISKrQn3;`GjX2VqrqaJ~^uC;hS21d$+cKvG({w z(zJf2aIgI6ZRz06Z+E6>0lEA7Qj`ua#hB`webvPmrQ^>k7q9)Rt~&dg`Q2Fg;*0gu zKYiZUdb4uq-rC&O>D9&R(f#WeYM@oik22vbQ||6{l-nj`dszl!q%*cUyu@> z4FYP^&AIBqOY1AeFSQ$Y%TE^zw>KYreX_B<@!DQ}vdnky&LpWFjuMdLXhVw(1Od=oh25I~1vnbeR5N;%>4ugc3S>FVu+zbf3?I#+yE ze)F<)=2`FUU;rY5AcY8$JoUDBZ$z;Kv9QOEz_2vKVvZ-F?;B_la0p|}5 z$lX|94j_hujjgtq-$pbPg{d7KH_H32n78h%zYDIvTECGlEx#>2JyJMTJn{8@VPAij zj+lB70<+*Os_!5>x@tJaxzM=Z=^bvEC%Zj1YR|8-#f8<2TQ>yx+M-FmdwD+zTTb}g z@Q_H%1V{Wfpy({p>bHmU%xI7D)((`8-gnk!pO^1ms(jd|tX?{>dQnic$79mkL@QCs zQH0eaheTv>L#H$CC>AlGxD|V1hZwH6k_gt>O3hOlfIx^=;|h`{Lp8+QQ?tC;!~1 z_1h9D;8?;D3IUE~8u1doRWqE?&b0nEsmyND<9uWZ+&(XGPmYy3JvYDzbsmoqW$$Cr zB-R8025>va?kK*TZ_F)Xhm_HzXW48a`55)3HJpx!DVq*;Uri|aRFyboLuGb6-dvFxk} zlI;@~F#K4w6)lQ}6a$)L)W}jl?aWy;!?6xUt9Us7`;GVIOUI;@JC^1EL`|;ergAr| zHMk~>9fh(8BES)f5)_)_(&P4#jv}{i7v?7ZCRrW@DH;Jlu}DhM;LZj>xKmkrZ{H%0|Hr=Vqs6dD2l}pH%vBt36K<0%3*T#T6yvK<|l~{+!>wJ z7v+T|Tse2DHh*_*&QZ8gx&HartDj19m)7pDo>6{%BGNA#N=7Gt(c|)yM_Z@L*A8tQ zVmFqGkN#MGHv6~Yh4SZF=hl_#r%UChN9z}8|3H4Dy}zwJdbzi)8-6%jdiL>GhV>iO zQ}@b0l;FyVT@6O`9exllwwsH zpdrg5ng%q>P=IV}n&jsxijajAMNm&F3<_WxKt$m#x-qApw;)Nb`a~$^i%vU5Yu*~N zCUf4b*g^^cWB?7j45Y4z-Z-rDQkRQL4n>*b#}s@yv&i|g~=>hlZh zhx~hDx$>1a#W#QY!%rVit^Zhhe_z{QS=6hrW@=h+)Jz&P>aMrqiD1HF6-L{f8SAH0 zjs{q-GGp(d;O&+DcX{E8Y3gOYZIw<4H zzKZ6M-ZD1XU8SMU%Gk`ADP@o9Y(3g~Q2Vq}JNVX^u0Fb5dUm+_@sgk(qZVtdmOr+=z4Qb=_sCOb+f3kFIulyn2bmkl}Y6M}`cCWrB z&3K|ixzjp~X$jqK_ZOfJ6{Q`_k5X+2u|T^WMOtcjm}<)EyH;(df{`{dr;lQr$$H|0 zqiLdU?SehETPD-d`rr;tZ}vSK7WRF3`sZ|fEQ`Y(McWjNbH*-F{*IOdVb6oSRF@}= zhF~kS<*qwCVhilHzsD2d{ylB6bu@Q!#Joda_hm{Ga^6aIR+Baj`H_X+0XkXJy1v?} zD8mHvqIoX2V0%Ct;=*|AxfM#W_UN$e>-*B<+vQWQnvJhmr{mdyOv5th1calRG!tlA z-PL4vV{YRt^V`zZ`EYvULFLB&snY!wb@|BIKFz1L)e(-S2uC2=7J8_kbN_ChHsw^U zr^J-n)kC_ZDFgvvc)3eLpClZ|F%UCdW|keSEUn-cyi7SoM0uL9*68XGCCg7P73bD} zEPjmEo}K>Tx8=L9<+XDU&0BXSE3c3B7Ah%<0)S?Se8^l|`Bc7e^pDl$rJrMt@I-=YLo{pV5g6UG zh`|^#1o21#DLzF+vlPwIq;nQUK$ugEIC{^e(e#)D17*gmwd+K)YTD-?7ZsA$%&3vM zV_t0?*`wH++qyFRhaEH%hGhxlnTtE-5CtJkL4Z-uNrVZFAq#o1LBBA?^!C_sEG9Hd zAcBbLb#cXV9H21+c4KtVi~yT?oEM74R)EW;m+vLMh%%B^hrPcpube0xT)kR8c)c=L zzyI(2(&?A_a5P@IIk&cdbFs2-wjb9Z?auohU~()F7O@3tBb2JwefPna)dMeAm;dKq z)zy28m7B-^#aep%?6;*S=a^sk*1OYw;VjR-A1J=tyx+EB6c*Fv7hg86I4Y+fRPV2p zZ(lAgKdrugQn+1Q`ue_d{vN;l+BOOyr)$edQCKR^UHy;Jr~R(Y%fHVTek@+7U3t9m zasA8M>B_y8(#Oxm2kSrbUHvTv3&=nkvH)>3#Dt+}hTkdr8!QOI45=fRAfQ-C7!H0r z4|L1Be?XRxCW*xs$Rt}SXxgFcbr4YqQXEFO*Fi)B765=bu5$;mWi=x^T!bgajbiwh zQxg$oY%u%%9h=6)pxXPtg)2Mk7%Ycq79l=NY&ZOcra8iqo|a0?v4mm(yQ|x7L?Id= zL^uusmSHK#NE+HuU($sc(ie*y#Hn8?a|7i+q%^Y zl}krMl~)HjLH(vX?%lQ8n5Vlk)Qr_{$#mEO%*4_FKo2!lA1Q5wzgxkUMB@glTYqS( zAzT8azUxv!8s87;71NTRck>`>xHb>sj8GN%d~NGWZTZyqcC~x$<=4gHqsoVc%8OIw z#ScG-DH9!26E=%l2RdjILwRDV2g|P0COX0vSCTJkTjOZ}#|4CqnH20nshFIwT7;ee z&5qb!_WTUw1HT7-x*`5@$dwH6d;I{v9nc|lhA0I)gssk0HkeO(0=$D&^VRHl*K4^6 zrz1LTNTi{lz@cXRhVIhxdM~T$%EfFP37K4$$uU7DK99$5>6MKx(UphaKKflf0(HCT zt&jHP_B8*3yp5{f&y9}c>hZriJ{d`3?aT=O5az;m;!(!@{Bw|}g%IX4r5f|oQ|b|H z+bz$fKQ-Bd;qtq#qh&xwd@3^RY6g~aYb3b~w`DbUTa1=uz=VWi0b!f>n5`2eG=|)n zh%|Sh11pW+wGWROQGN)qG=nJ~wA6x8{@JvCO14>-o}{spkU=cPfI2Z==j|{<0m#ry z9g-z=a$sDCr05pF$_a-kUSV%+Tw=1d3Y#V`7mt(WZHI;s zof7=c*+wVLF}uz$e1~M~E?=#828BN+rRY8lDU0=+$vzX2S7cvP@fCW7iAL1rdfRy`wHC|gH=sGYrDI`^Tx{A2mhJ5u`m<8OMcnE?za z0wIe?_nH|%9K}(9s^3pZ;VA$hgrElHeqSx0Wgy;umrxjNi)eL>a@VS%X_kcy4Pgg| zD5QiOqThAme)lkVPh063PjLyw=vYXdX{SY*T)y$t*j?qFamKcfJfX`~FQ+Ts06P|l zGB6d+H4QF2TrV@RJ)x#uzG)Y)Fl7>^#I(*8wl%>?4EgjX($sRpy($z-9Z zKgj#n`h&?p%H7g?LP2jN+2|^{Y%n@96=_}}%y{F8ZP`lEn1>A~#*{tVkWT&4s6XVD z&L-+LGBd&KxsI+5F>yv3m}G=qUug&EQOGefwxVuTbD6-U^opr z7-XoWdMpTvvayDFwy-Me>T&5b*+P8DvMVQB4 ze7xE|OuWr1*N)z)&OR?6y!~sV^1EbnvlP4dHoc9lGuy+Wj7GMz4)VP55)SUt9_F1+ z;sWB1YiBEuufxr!r8jeH`$+lT>B_#V!f(`L@ve{7=PI+uocXVB|GRqXKzaYG+W8w_ z?^PFO|5jdkr&d)jEc0K8-MR;4gOjYsnNGBx$C!4sQq7=!l<^8nc0`8Lp-E3y>6$Er1Fll0%<`4}V?%Aqn*cFWMu~BG3 zW2SyTETkQ7MOC~tJH(X^eOWucI=A+;a`}33Vf~e6^GNOZXZ{OYeKIuP|LNUQ?bYS4 zFH46G)Q-N}_+y9==RQ<33wy+NWzs2 zCVau|StysSUf9@Ix^rcR$tLc(uvR_DB+PQz6i|4_dh`~d%yDaO8oE3BiQxbO^)P?J zZi0|NL{qX9^ z%ENiBe)U%E{Qhl)|K(iu;w5eQ$iZCo>5bZp`L%^u_0zre1p%Kl{J+H~?bU>Y9DD*^ z+>Y}sA`B3V82yt?7z!hu`Z{!1UN!dzW@s=YrFN3=kl4UVGNaIcM0j zhm=I+oTxk!l@pamSvrRi;O7{mZ}A)=b~hRXq#66a^J2uVZdANgb#K-E{q8HTeCyz! z>xW;jJleS5JbS5e`OKIKWDRUurl_bC7$aUOm&ziN>QuZH+5PK{!z(Y=UTq#|9Y0#V zx_P4U=1_R|xapF}(o(a9Gk%bSBu1fB?*RDU&7~cN#h2JzDom)NkZS_{;{KM*%%A;{>LVRe{Ajwbl-n{#)`R4H2)wS<+ z)#F?9&Al(a`zFxZcW`UD`QXm_f!4FDjXl@vhi}vlj1#5gj5nZRr65Rd))O3>P-S3K znn$qXe?FQ1#h7wJcsi42Gf(SPv_hW^Ng@$fFvuR^5#60IhrRr9_rKYATRFRVuyNzq z+Of*%^#}DIPE?+*U-PcNsP8$l_Je3l?bNywhoG9A(aOD?fCD}P+5)bad}w;-FrAWr zwfR`RxN)QMaqUsI_QONZ`r|S6fF`v|=g^1PBLYGRc0$tW9ikGO@sb)b|Lp!-{pH!l z=|xQIY(BrUb?sM`<;_=>ca2xK*Y}T`m7zfBJ%6>iTz~m^g02V`qeLJ^ z$T-P%bdny5mdNdeGQzG8q7VwE98<$>X7vq|FVvp2rv@&XEaljc&JJl8C<ATzwu8$i^dB8UqGQI`buJ9Pa08!AgV{YxSUq)4hA znf(6&Ro;M+Xs3=d7?mNtBgev|`e#Lnu!E6eEfgl3r)G0Jk_k~dH^p>S3@A$a{LeOX z?T)0^HDcnX8rM&59o=}mb-%Iqk$&aw=Di7KZiM0_nACAjiqGd)h(u#1qLW2w84u-W z!zjr}(FL6(zw8uM$(%z;4b4x0AyhkD_Rl{*MM=3(pvaWG5D#L|z)7FrEpK$pOA(2JSre&cKL)Z#>!So?xi+K~91(;Ki)ua6x))N+okkN0j#0 z_2;z{OXl6xr)wvEd^^8&t9AEo_3k9yo(nkD+IS`@6u2$ftcG746h>`SO_LmP0FcB< zlEx6?=a+^o8qI4wfYjSO!^L`_RuM3xBg&L+-d_LIy1UrA zf39}=3OYf-Ho4T})rkX~WZD(cXNODA6V?$WH;+8oe7=67`NM_k@#fp78+R&uH=qCb z`IPG0wVSPdXV-3T%(tE&Z`^qMy9p{~OpICW(&;$kNfBYrdMUqL6AHh_!If%^!bt!i z(s7;p_j2(=u`F+s^V$iG<@x&3zSZZOH~r0nOVvXHE%(RL#EesFO?oYAD{l_F|Jhi) zHPv``pz(Ho~*}z?cPcONnCJS^AjF>~nDo_dCUK#EIacd#ev?Pwr*E9a9)- za$5|tC{)Q=$$_+v9sJByFnZngjN9E)d`9sl8{Bb6$Qlo;q&>0Sfz{kwPGSB)|52tC z57_p4E5uLXS>`|UsK2bXcn3)3Opg zF-6{?(G0QW`?F@X7w{8}uRhs)lZ+6~Ni-L^{ z>o>-fX{TZ~cB#0-B2{U4)_m44(WI`F%FYM{b|S)Du%s!cMJR}hDCWvmDtXHRrKzYC z3SxHdI5Ww&<30PGwS?$Uw<`A&XMNO2V{2?bQliaVq`NO(TPC*T>Q+a8d`xvbMsr%>PGrJxi)tE0CSaPz zNn|pnX+Xjurs)*!^eSLVC{WGVT#g)!1#{baL`H5ldrDEEAZ0DNT!=*@;isBzH)BVp z>9*C|{fEH|{c{mPryQ!XF(_sdqD3QK+U3{u9ia#Qzobi~9z?H|>>5Jcj=R@dQI3Dq_ZldpF^ty8(74>|RxFR+%OPSvW}#dtK#{Z+7Qij^?~Z zRg%?IU<_JZ)NoICTH7a^Q+e~aUnUL43wcXs(BsbF%$M~xl&I3yOwquqgWD1O%HEde zhr8K^MPuPI5sT-_J9hSty-8;*8nJ)p-i(Faj!c==5@*?on=PK?h~~7H1uF|+!e((u zDxgo)X8j+6bF^nrrxd$9mPw?-QSmMwC`li?k)A2Xf7(+0Kc}=) zJjf0LdJITPtx@pQY@@(`&KoVQV>{e5q z^`8fnF{_psiQbXZ0GJV!Sy`VAVgU@kN#Pc(?c0X#ILI=Z4<%6tqLM*=`3 z-G2+kaLiz{OXG|g+UWAbGvcL7UH(25pD+aj0N~AV?HPXbPn<0(80GdDyKnnnV$ZaDW=cNW3tF z)tH(R3UoX$3{}RL_S%F32VLHlinKbK3X(RVAOpR|?av2#CROraaiKsG+umi|B2!GS z5en=|g?xLQfl!b^#N(hG(`x*SvYIb>IY5 zS=cJv#R!P`LCMQqX^gOmP8>%pa>0Ugu)?(ki!rUKA&3(5D0;g2xt=`Vg%8~ z;fw@%pa=y?8XyoSAVL5fhgACojsXNCFoL9LK#~~Q@m}PCf3P`wNOu4*UginBG^4jG zn4gHXae0@YxAT#dMOr(<2mXl31Ea7XeA5w#C{a$Eat6{pj29x!!<@PM(2lXk%Un<4 zG$e3}4=pkcDV(N|9t%K!j;1wfl7E&u!%ApFW(%m6DoCR;=5!T-Zk)eP-qw!I-iKK2 z-tDaKnO|ROT==~5pz-v@#+~Btwyw2a?5(}HL~J}PG!C6=KD@m-KN5pA4G4q+6y0H5 z;LdD_(hzUM#D*s}-A0m-ZJ_cv1Qtf2kU&Th&@@R?1ktA17{ZcJ6uDgwk^?2dQG6Gh zy5FSFxGkU#6l9Ia&TG*%Cp zk<5&v%k#!Sh{UyYlva0czDC1DI;W4LAtE^&H1!REA#{jEPJIC~Bp6BdPOQ7bpv*I# z+x_oQnMu1t#sG_SJhiPwOQ1U+1}1^m=Xd3z+1bSQu86jekGs@ect|6OYOMCycKfw+<`E?Vdbrsb1>U2u8C8wmu2f}*1A zK-BqArsKJ46N_YlK)@*!bR;h$(Fz5gbnd4CUyQQwgwU7t>Ym2k3$5peH*Pc*Zm%9u z5!LJY=9PD&VK7l&y4SF2fzR*vd9p%5_2{nd+O8+!P`ka24-RXCYFq8boOtVSBxxGj1t#h)^5#7>sRjA_I>V^ZLlFQ z;wi8SSJxKzRPXbb2p~maBn43f!2pH;nj!}!%8M$TQC{=n`~TgzRsDYbL9Fribp70k z+TyvtY%Mgd&aK|BFE6*2_V;QLkCYWN7Rai_Z0p3s>T>PkTagdZT$P4qCN6RNyC31 zQG0$^%>CSodDNy9@8_G}*FPTw)l;j-r)rO%SLW95$%E_T0wf2^lUJ42@|Fu%Ue?du zGLI?96|)(2$-xETPQJucFlKXS)clx>u|eshCe~vn8qt;54#bXVLGSTegOfKsPB^5z zwb?ka`eAFS`To=TrS<#O7xDGeV`@iaaG#VcveIm`5vQtb!jW{5edAe{#BJQF%(x0A zl}^JC_o%&o;c0w6t%z@2{zvux%9FK6^=t2n}bxe>kyuaqVzuObzAva;X3? zzr`tGrQ-!?#uPpUD=}sbL+wO^io0SZvn?Mi@>YCp-})=Mb@}M8s&9U4Yu-9tJ9gSM zrk);s8qvm3n>+!$Vs^-O*Z*}7XnPgWL-QOP1ZQH zan@=Q!7xa7SRB7#XjrbNJNk92G)P+JV|q}O9Efq&f__1>cOLkxD&m6SQ3Fra=Pneh z7xC2-)jPHc1R%5m9jlcp8ut4iFk6(68Q(zupr=ZSXt!k&0_KD)XXT1!Q+Q8~~&HNW~wx_YAVc<-13 zXNi(e#!3my%s5yHN>yB0wg>FoYIuQ0&5GJSsD**ueZzCwE{o=c0)v7HKZ;9*f{0cU zAyPg@YQd5%V0d0A$VkFrqSt?;+(CR{7}V**Nvbywc5oeu1}!k4??0NU^lUWW6Y${~ zJ6I3+93es>%++&nW63OS8RHcFzP5&GoPih0n+l#v!PcEy-)vMz5 z3j%rV!Li>9$N4&G?RuP&vm^F95knAlu))nUKHJa&;|TIs;um4eHm=;5IYxLRI)Y}q z8xF&0Nq)1ae(}l5J=6NteB$?GN;0Pd*)$uyTTZDmD(^Unpk$Z`sD&J#Z4y&Ots0@g zWhyfFWE%+Tg#w_25lpwkGSqM1v;dvuU617QRCa=ughzmTJDCG?C_D9|ul zZvn}&P!JKxKolP%yP05^7EC_{{`i~ZW3N4IZ#1rE3Y)EGccn2%7N&Yj;0Kdeo z$?>maHx4&%EW}!;<|;Sq2bb0#w=TSIzI{^pzH#h8_1+j^5tHVCfnuX(mB6C@MUxu#5s@KEw!UY#>c27Csl`yj0{y)#F5KDMv5nd zBBp5A5D6B#sr*in?GBjOC(@k@E0Q`&+9ew393xvh-abrU3}&zxbNm1LydRWAu9(c# zeheFAw8a%^Ut@7%$6zde!5LrCs2?Ou9>T;hP{Fz`m7c+w%U47%Q4Mg73~w|q)pvHA zJXnk-IoKY?1TUE&bcrDs404*Pv;@m~kt{(Iqg&kTZeP$O_WPM#9#`hRro;1?%HxXX zI92g#^)ob2EhZ1xQ`AuwgEWQkb$>uqQiw@y82{2S5NA;7q+?K=kr*<{@dJUG$!u6< zu(=pC9Nl|8bKd9<{tN+SV!dc6d>z@NR!%y*N1Y?$yX1%Rm>|APA(07t;HX~?3ikzr zF}Y9U*r@`VVb^9(c$tWkwpe0(F=jUACk-q!Fhxg1O;MxJRCekIr@fsE*AnVBXa*wN zx!{uwV6y$-;~)2|9&MgGvDLGTMn;OkD3X8(N@8vDJpw1Yt|wm_DF!6Xgnj2WX%jh_ zLC$HBO=T{dY@8MWf+TPn#V9b;vW?TV8>egUFSm}LY%YFm%sm{_KtN*vqtQ0OEP~Jg zwj+*=iUqSn2th!g1O*^Tk7Cz{kfiC}YliPm(S>B9ScFh_ZhLqc_LJ$bQlIKgpia*i zl?A6t#wr4}IH{n$cY4;@nNzMfN&%JOkXgjJ1K_CouK$>>=lwH$!5Zz_vdF7ON{mo8cT}BHAO`rrqU?atX zMj(dpgp$?n5KA_fbLk~4VVF%8BV>}5@iYo4fJ2I;IP%b%yZGaWJB?e5ttSswulxSi zx_qg*@G`P;v%06Xc(;0I?UJ%};%WWWi_zkOLK4Mss(a$j<<~|r3PS*PhM~MhCIr+YV!+fE4{n~W zey`np+&pl*asT%Et)DscOW#{(yAQvqA9>xna(eYbbME|i{nWJ=Yj3p8#YcZBG@d_c zEWT>pI^8_KxB2NDQ9H7*{-pn1?d|D}H(T?o&)42(R<@4RiymLI; z+JURx{^WPk8E7gjKOG7|5M)~_Q9#o)jZidSBpA+*JI*=~AQXn+B#t5kNdg+S`7^#e zbS;X|00jgBN31UZ!%#qA_)u7=WEfW$_|}-tiV{?4Y#3)j!5~VL2u^Yq6h~(D=;reJ zovrzm8*683FCJh!Y&0~WND3voaju2}x8o#95M(#H1784Y9D@W+kzkUw0|yYnAwq2H zE;xx3U_>~v>Frg8q##Z05Vi&8XMLDs$G|PE%g1b$C$$T&YbT!8j_>`Za%t-rz}&4X z*M59+%l9SGTuM%N=YV_|@X~tzu<`1+;Xhi3udN(H6Cvs>5yP+M63jXb^j@MqJ7og9@B%X8F48^}u;nD3t0 zuD@=)TnZ%rwEk*se)B`?*8bX~I~#AJwFhU6-!-3oU%kF|{&(ZFM}o!(8bc5qLlA_b z00F;BJGPgzvP6_LG3hB3c^{K1N{PEH(VaVjA~aGPr!yEvZKpF-!^Xhg%a+Rg%A+xD z#YsSs5JM>hr;tt*`LEKH0ghrA#HcQH%&>&3 zgI^QcFc$CsiJP60aN4G~0eXaVKnf)x#A#}Ta7+V?#t8r^Y-mGMIfzuwX0zfmJH*W_ zq+p-5pc|~L#3=wkl%PmB5Wns`S)Kp(e|Aubw@n!gr78Z64Z#6{A_zLlewqe=1{l#p zc8rxBh?5kJ5)j|Ecqo+U26f|!zK&s#1fB4m*?>7&>Ts^+_aahCUs-`NOsf3m_r4d?a*P1hs?8I%+itO2hrXb=p!H0)NCTcfc&xPcFr!wuo+&!n>^=qTMj( zeCq>3LK-FL{`v7Brj8+28m;d}@l2mas~Zjx69u`kPAm6!*gi-=_80$Q#TKU_?2%Xw z&wq$u6a~@A^xA0*A`nFZ4QQIcDI8KXzhX<_BuODedrg`=K%p;?Mi7rC653JOtv*3p zPmg|EyZWG{ZC*dI_VP>gTZgWc1GC|x79FAG3R`b3CtAyAG=Kl&-!^UlckT1Vc2tpjeBWfGnd<=5W4TRm4l|D<+kVdJ5{_2Ovj z-5KS^oAnE;dm0zc|E2lpQ}g{%MqPrg97nfCaa#)a4ObjgTqSWoy)Irh&c0}lFg4?S;ic5@I*-SU|NistEQ$oQMI>pB1%j_v5&uutA zw7n?vgk}_(NYAY#DK7fO(QG;;k|bQcM3uJGkzXd#s~rY`lbf8(_`83~l)0JipOA=^ zkfGn(b*l8FVEMS#lrd+?F96IZ6ZUAxlI}j~&HSMGZS@Hw5RBx*R!>Rh+ z7xf!wDmN-mrxUgJ=T={AonAdudvjoGab!Tm?L8lMkGr|2`;bCW6o)9vAKVRtI7X4} zjcv@vgra~X07XLtKmbVsg(z=4L==T2i9&?t!0Zd+A&`A2C=?XUm^6av?b{<%45oyF zwijnvV}wFMK^{)~b8J|>DIpXTTy|Mqs#<8u#$ogFU%!|g! z#oFahzY}ddv)A7r;o$vnltdv;00iwAzBGv2ARq|}L5WdO79EL>n$f*%FS{ZrA5h-r6T=eyrEwAgLIMh* zX_^oCj^Y5)1cV&iJ09{vrB}^A)ASxwPOM@~Gdtl32jnU=&YZyjg9HLF1O=>_R+;<# z`lZc%#+B!_caOhWeK759e!p*Z-^l4j0-DAkM&dlv3q>FeA&mllwEHxTlQaQ|_VgQT z_#r4w0vg9K6bCc`AVTr+SkNdA+r!KOykivj*8tx8K3rYiB;RS(zfl^u2Gk=$B(@uYl-$vd zsocd^<5^XC#-o+?)7m*{HF0e(g$Z&GsV2v`+m!vV#(cnbD5h*39dsvPyTuuoVm*fd zerP-F>^TfvyT_XshvHprX(X;aZ78LHE2{4JPmIR5%cQ+Ka2|Mj@(aN25?iVuvKQsq z-nnRZ2m(@r(VZ4aXl8nQ7-Z70g&ZVyFekB}35(7|m$&BT>KE^U-gp3ZWpEhK7!yIt@lenhq58CXG-aE^B3A#)Y`@9W$?_E@)`!j7cFBn2eIK zpz>ZP@uSMi$w>n$R_2?ZFE>9u^yfz5$OjN+?B5@zZ3Ng748lUNeBqD0Bi1ke$Hu;m}oT)zX&3@Z>e4%;k)R>~#e%v9P z&Z*tp{sNGMkfb4kjO(wRywshUfHloqU0G$3`?1kK>(uamJdBFq&vbKt^-=xF=hmxb zYvb&@kZAQ#{r-Hp)LOc*bv8$>?$^OFJ(CO5!HJ|{ia!dMu>N?dd26|{r?xyUq#I-- zbfgK+2mnALC_pj#>oJ2r4ZXC+GLNO__`Fz65iZxy4zh#_02-5YP4&mOKH99Oxa$YWL+5p!nw zxvT%T*nIoym#cg7n~TQk{o1+5tLN*V9yj+~Te(FwUtg)cyIegwrohrrv_2q7#7n%z zwJwYUNVJlc((bj@~Qdule+%;_1eQ|^ZfyCmi!R|YKIOuHs7}PK5gAT)O>#C z#}8N5KO_Hay*n&$m7BLe)(-5SNOG(mzq}CR55#AinYA>IJgwi|yZ$M(`9rFH^z(OP zdc;k!=>u4+!?d7KF8V@Yl#)s(Tt@24bDOuvlsN_2g&;Ca7D@X}Y)*)LIXfiYiCCh{ zTdZ&8<=RsH#(~z{9`pLg&0AaJrjFSfMr;%-iBg6w*)}lh|1?uUTnk8m&$5FOG1j=& z(|5nGU0+!J*m`)Vb>?vOz{X3ocH&6wzyVCKoAo1p^tcqsW;sb21(dOclNYVeV6oo` z)Spk8)e;T*Q<)1is(@H1NTnpup&8DKRiaqqwMxr=X2>cZGb&MP!0N&RLZu2GUxu@} z(Ga2lA;C|KiMI0?2UTUdkQgz-Yq$UUkF~`KM$%bu1OX=vk3tJ4$v~(Q!&S(5F`vXD zO}IzYqIvq|=A}P2=I0Id?_byMy=g7&sa@E+`eE(O#?soe32J9SI0;kS_&PTGOgJGn zs?&a%V-krln9{N+l|_VtU@;RiDI__!doq#Khb$$=qcteD$t9&CDfx*qst^hgDr+HG ziB5?Q7z}EmfZesZlu)2lnKY^dWbnMO0q>O0kmFJ`0E$5HZF3R-zX67is}Z9~D&t+I zjsMZQcsbU5a;5TQ<3{CW^Vz-TyZ1aR3#%I?GAI<}Xn8IoWzsiT2(3^sRq6@NC=@H9 zA`79AqyIc3b!G<41Z72O0y+cS=2Z54-F^!4RSRX1w_hp?ziHfhQag6N_4?k{!|Hwi z=8gE)@#@9;@dZn=J$!n7uoP|B4>%Y=LP+Ox*7#a|C8Nc`H} z!=;s*mBaNHADsoO-%~sEetoI-=x|S+V~K6IxUUx}bHb1C*ZB6VuzIR;LS8$uzwyJ9 z#-97l#rf6u^$+{}V>&BrPO?c@0uCpwQl+>>yYl>YUG>Ap(b~=Le^)>EY30s13D$#x zP@r|gEan>{t>%cT2ytm_5O#%DTV?$Ri)_aBGst1Upwk%%J-;ednQLCY+Bmnr@%(J_ z)7|>=t^e9QyZ)(qZ|lmKE}ac2vV6lIkAvb*6afBngT{s9ziOPiyYlv%+QO|dl}i$4 zLbS+6nY2r*K_qzCe$$GZV?NNe2dXMFDe83Ez2M5<%@&W_rJ zSa5KAJ1;N+!ygW;*oH|@;=hTAIJD@}dep25{OBs_z$JhC@ zU)uGdNxMDfwu<6u!}yMOTBV#O;{lC*e7BoqUP>)NSzV8OP0v#x!l{6Gbm`+eJ3k}i z>*;vjRF-+hlOl}iR=>k#S48BFXu3SUYl~7dZV3*_^$xPs1KMa3DJ37!#?svLs&)8Y z>(i0?$@%Zr7ytB!wTF!-&#LcQ*XQfU_cza9{ zrQ>*^$VDU!lupONDdx4y20U;*zl-W)P4oEajq7W7oGVMeL$a0Ym6!7R(*2bujYB6C zm7eu63Z#PKB!<(F00f59GzrNbl;aBlIYyD5iWZqCe~8WK$Eczv?~=(zwYKATVh?ee zia`Q_7((Mit=;|I>b~DLAD*cnxKw}fY3*6{cH`#UpDTM;&(!xFYh1WS>>ktJX%x~B zqbU@U1WKbg?D(;aLgnn@ZSb@}l!$v({U=F&p#9jPw9vU@Jm5pJ z?XJRuJ|w(y3UszVUYtfr=g{<|sv|@(2xr-u<0v2@hNE0OqG$7m+QW;*+L1>qFB^}S z+i&?jwzq|Zrm!yBgzL9M69j>h5ZwvzLz4teV;x`faY$wqMMx4QP=cliq760b{EX`! zM?(xHNxThY?uO_?OVo~d9~>Yw3cHZ19@dn@ZQ(uRwp9UmC(I`b>_z2OP zrZAL5X?z%3?;S05DKuvaMDuz(OY#VZ7)G@IQXg{EEdfUfj6i9KaOBUqbztqu*4fpg zjpGkDp4IkU{igAHZsYdm&DQeVXki2-P7*li-B%99OQBGTpvY0cSb*a=MPn2>ktj~% zD2h`6LJCK56vF^P@#BX8MbUVh*kJ^<3RDyLojz(>5Pi`m@5@V!{DiCD6a<0&-FH^TuS)mNvmiC?r8I5^UdKO-@GX` zkKCv~JC4+DTrSNvt}M0|4r}UXFKxaktzL>L{-rRa%H@sI^;7pi?cPm8{mSFk{L)j(=nC2Vyy<_ldR@Qvpn9nK zq;=$N^YFdO^Nr6Nm)EWpyR&i(4yk%5_02!m=b9Jp)t)@7eY{ycUOA{U`u?V?A3vk& z4#F1!kx(3?X@aB(3dczjLm`BNk9Nk+PtybdBn3zu0vh57jkV|C7b20mCmcMUs02l# zkj6#Z-duT8d63}% zkeHwryIdZMmc3l`y494kkR^Y~Lw79tfTqnC%rW2fCS4k5+AuLR7ft{_{xz127%Dtm zQ^sY)_zd@n%^96M$7jyyOWx2}TZT*UrVq&{wR6IyBrT$Hdg*v8$L~={W;xAPW_B=g zdVMb{LZ#p6!jsJYH(^HfYx>?PEti9Gt|^;INCP@wc!$c2AAyj`Z{Qt*Xt`J-u=1A< zgVZn1Vx~z4f+DC4jt9pNgFB9@6yY$Z1B$e4f{{owM?fFbea!$Uv*nN*aEcH3-IQ z%nmPE%{y0E<<24!!p^0QQ~Rli4RGphj)qCnFgPvj6Qo^#THCukrbRg1ZVyV37@(1M zBqi*t=r16RQUpqO_kBL)f}kM8dbS)xyRfUxUFX!X@v;;QMb2yvu?hf? zKyjJ`5aVbWtvjEZb01Qb`;Cuh8#gajmp5*&zg&4}95I9BC#3<D1hAlEp(ZKI&wT!)~O5XTT?v|ytEr7?oUF*u1_5ICSQ1Vu<3>yokz z^CDsdK@wD3^&V%IdwscV#+T&fr(1nhdwD9c@+nchw)$q}>H6}=KjRVIjhyE1*SJK!uKVNS?zSQ{PTK)8c*3!fO+B(0r_s5Udnoo|d z-}&*)we`!@yN%ON^jo*h-MKl&&TbyNwsKQy>h{8pAtTuaHA$f~AW4csPyhjq^^V5I z6MLW#&?rrlG$ctH!w7@`Uv5n&My&}DhX@S_938PFpeO=Sx<^C8SQ2EaoKm4R+;-h z8Xp$2?)v_P`pvU5n`eGoJw1AT0PQ%Nc<+dtyFO4fK_Vy(M)7`30{{RGNid=HO(OuO zaEPKP0x%2#=m_E;3bv`qXz)eMA2Ea$IZfFe4f4k2%X-kberNMiWA526s|$_$2Wl6t z{I%`1-{Jg_`nCtKyS;kb51s6_UW48l^D#E9oYLb}#MSw6d?BiiDn87O;SE*JhP33` zhw9#qldS`fYsVhx82S74fo{il$uPP;cq}dq3%4}ch{C|ytNPP3>sK2WE+^`T9{uUR zo8K=o3M*z=vz9U0`o*JaW6(HU18WRX&KBaFLyK@OBTKLx5M<$O`(LRepq-`d!$%d$ zNWs9g)BH)LJO4G78s_7eD|~j!#MW7q*DC9~7)@-F$v{pPjAN6UWr*H2-Y)YbXu^}H zl$`deH9&euAb-@xbeog0##6j+1Nh(FScc{$xA;?QK zTE0QZ27H+FOUJ=vo^%LOauYp%3`8+bbHy4JMqn;Nq1vI*6B5s>#kp9|6x@k>o*=tx z1wZq9IZF&>(wzWZJKY|z$Q8WQmuL5_-P}C--;FB=fBbZ0<5KH$Gne_1f*$jb|HU zY3~6_LmEX13`J2IMF_fmjrgV4>ZL@kWb8l9^#4+Y)R<^ygu+Ci6oO-r7|no4K?H+< z07EAP1-V-5%Z=8T%wbhFlapvz%9195P?AJQmW<7?%_$s*^mac0j@HziUtB-4`Qm?y zwa;hi9SkRkVkjg5&P%2_4N(N8AOc4jP5`6YL8}RJBEyNm36cU3C25=>NR;ThBn(r} zP#6L*q7(GIGqDr7qElxMiFUqW$4CN)kU}}90$6!)Bi=heAW@XUP!cc+HN*ZS_olt| z=veLOtv^=JR=?l8()#f7?^}DD$F5Zu8}B~<_-=Xi?8*n;deBrGYQethr*v{|H6V)O z6hd}=8#=W>5obbci~IZ@{-X~B!AJr@y3Fjo%u8wvaC65gh@u2Zl8oGeCCP2#-kZ~{ zk2k*cG!N~is;4ZCLq}Wp=W0ujg^h)4UwiXULmYu<_r!%~e$X^RBP1L?W6*-KOgDOV zBB@%`vgnrmbbLcK`1`zMcD@ zjWeyK`;C{c1oef}EB7{js2^Qgd6Q{AxiRh#VAdgXvDobcw$au^-rk=Pl%g?wI}<>+h3Jb(BVng{q+8=OXROD-|2rgz zM*&45fWT3@eMC(FID()TLYg2kw7r>6Zm8>bG|}nC;@&(}c~-l4v%c@j>cX$qu4Ch^ z^9Y^Gdl<{PLNoLU26QmW_$1U0@yxVY_1S<)p78)hUec$K9Iz-F&1LA{)i;tNYQmOv zO618*bk~rPG{QvcAaTUNVr6OPNK(FoiqAET*fF~B4AX+@x&ot$-rC1&5^)S7MJ!&J z?J2c9CegqkD%mka8u8&dhONQV!o1$C46<675R2kKmT<=OWi7uUGAU(ev~yNBnm03M z@|H~Yk~$@eL`U&wW^u2}jP2s7#^{1oa&um+NR25yrH+t^QN>Q-Q+#DINIQEcNURf` zfKk!r3>-ewSwD<#o^4z{);#}xeeZJP>e0&Q`sZVnCzZL?4;wGO8EA^G@??R;*j3#8DvI=f>Hr^qR8<+MmqXXaE- zX`bb+8`4_5QeC$A)*ti>*3W7j&3AhYTT6{=KS(y`E6Xf4)fro+EoMwY)ftf`X)DV$JxW!~CI>F-uD-F}fe0}w zl>y?x!bRZe*pBS0QxupI3V_ShxuO+gTHG5K3WAv#BQ5W&nI%2etR}Ask2{BcnKlyHoPJW~ zRjD)L2VcOu>Lw!HzozIOD3`*^Rw}6CWridX93Uux^ASUC+j4EH!|nllPY-eNb3!KF z=B^6YA^pZ=SS%S&F*1yc4Vf-qa#!8>-6+z>Hnl$1ra0wl6BvpS7~Uaguo(fb@$n=3KItZJ6VT$oVcQ@AqQ zR*@$|Due<_NhVJs+mj?M6coLss7LK)ldA%^o9v$5Viutw=GW)9GZP97<9Jl3aU7ro zg42LNDV&0UZ1){Mk?Qis<6zj`c=4om=WJ!q=BceK&Al(bYks`RVYtI+5}_alAVpv( z3Sj3VX)MDXfFy=OjD|E$V*nBzdvX+YDvF~Jq5vfbNaF~;tzLJjQz;4~NRlD|L2avX zH0-<}+JvqM0TCPr5YUhwL8;o=<9mdvYHNY`t9|H;_ARxP;`}#9aqPJxECtomKV$40Y(dbHMppKEH zjWzE!4*sF_{`KnJ*4LJ_hPF_K5Q zM`(gV5xRZdJ`Tn~(+G_N5+xyu<0RHT8yUW!M=+AYa0=xTutH=P%P?k|#Y)paXUt@h zNm?h$l;oYXpNXf{7dNrA%Jw`SL)1zdlZkRx|8+vxWM{u6*pRVp7^U#NLU#H5vgub|Zf3 zR<+!$^rr3N&W6Tda8>!8U3b#a{H+)kc6o7q$L<+T-=V_#K8_Y}H4ulVrBNGXq|vtGG;TZ1%GEZ$nYeJjy(K!F_I+O`j4hvyYlW5gt! zwX;G2M$KqCbKGo-M$5K$s^ZR|CtWeNe_|Uq0 zp|(7~`sk0}ZXIgPom9-Od}w|Dwzj-bJAA5kK4ix_Dzq9pY?@g_D_wv;}t@BT}ThOlp1C9o83EE>BQjjxKBGaf1#Vk zW*3^cB8rkIPPRja zGO39BPJ!?KV{3o)W#v=j$g!w@?X zHkYEixcqh7wJHRCaZ5bo%7!xj(6*$tRgW(pj}Tpy`UAS55!pJwcJ-Hyz2~Y&)-SFd zR*e`Pw@!o)qS1*pMe=M+E+5Ljb@klFS&JH_1P<_dnMz@z_96Pg{=x09Rsl7VVxOt@d zR#;uCFI+N<8hht|XRp0|$}2dv+oylCwGjJLH1U#4nD54&`=W7nE{uGY?9YTh|lc@$4KA3UfY+F1Ji>i){z+Wi~N z7nd32-1xtPoO|HF(dUPTG)mJD?OtzxIi0pW$fQhVEKMhmYd!U6Cu(o5G2Zi$AW0nD zJWYle=F0G9D-6{4pJ^<<*gExX^Vr$7OS1aH^5(RU`tc2bHE{j^61{fd^ z{9nn`{AE1UyZ^g>^U!W~4m+`BIReQUeu}!)hnf22M=LjK&)-@ba|bJrYtI*AYVPlq zYKO>}svKTJYPP2FNXEmY>0{weYU-=5ytJ zec^HQ$fxQ)a^udJ{EKPI2PYC#e#-gAqtA^iuh-5ruHL9ET-rSDZ@oOSak%knT)E0{ zRwOPuO59S+Qd-JeP-Rc+#=*wp_v=q8FJ^yHJG2ycuFe;K_g(AB4NYrl(YN+$TuY^9 ziy{SBX|Om%T84`GNAGXzH)}7hHb1=lN99H9(fjouR^M2Dv%a)`YupIZK|`69AkNN^ z_L)MMW~I8tK$)`tU#AN;r1b>iVRNkxItgu_yYq`*R^P2%uYA^&(9MsVdpEAiw{8sQ zlL_J?`-oh2Pp$23Jb$yf*m(T0_3>tTK2}~vCKxZHhZIE$ zyN0`vJ6iEDnwLZv2?{f1mBk{uke-n!rGXok(%Q)+pqNfaXV3XxcRL93b_~$g=9culLYw1Gz+;hN?;_30nqgf{P)rk7bUY!IcnwIB9cG8e6v5PRMbH0{`x~^0IYgKGK>yF;=0$+$w68%@A${ z#4O25kwpt=E)Jkv$1|T<8BT#Ip&)E7Yna5kGE8Yr&`F_yjv1L+%yCPd%YCJvi|7~4p9$v0rdSh8TKS2egDo%no2z{I+Bp8~FSgkRpvP)|+s`Qho9*p%q3-dxjk{Yw0 zXSD??jg+gZHt#e}oSUFB9*suFRlYRkpuMcNDkhjsc@PXBa`%MuC&c_^ z5R)KIIrA+Eaep}ZvrQc1sA0l?^^f&;zpdSQ|EK1`LqC3eBip=Ry=<#ry;OVh{rV&^ zK>|fi0{5A9iqbnf12Zrpi;mK`>u=vT_rKJ%maqS^e&gc=mCz)M!-W{imLN8wgx2}X z)<3LWso#9oSXyi??)^vO;oPqpN0wWQb6fXi&4n8)Z+|J7px{&xiE@%=0y!X4%}%ml zWSv4mi5(RvM+pVth+Kq+#w-TGY&KKmUkVCZE6QCAa2!AgAqjVJZsVq=go23JTHZFA zXVf!>l28z!w>J-`C!UN61!kK?YaK(}-nj+)GUj%SOWY1RA$`XXx1((k%>=~l5FO%e zNBm`>AY}|Dw-*z4RAF)n1DP%b27xwy!0VrI(BQ(fMX1imvi6SKe< z%-OQFb0E@%jPr58vsmN&Zbcxkh!oooKCf71OV18NvFY$k+)Oz;J`3F|%Gs|Xe4k+l z01^r^)`%$-i5t_rS8cx}lkkx3%O9xiZVc(Ben&_l*C zXT>DNUM$KT0K(FOjt&!?Zs4N;=c2P^N|uM6K@tujSqT~XnsKm+3aHl_2y+R{M5P@n zGJX&kAsrc=A4rzWnrtp%3kT8CmkvPGGHL(&+)<~o1T7i|sw#`d4@4}_Y5Y#SdA&h! zS*)?HPTxa*BvU&5*Nj1iQ@q+6fO2I_B#LIJ{GoPo;-)>GS`Ou0wH_vgc>C z()_3&4{G4Ta@bCF@Z^oDXrk~nwQw6t$qD*^h;3{q6I{srg*}_Tk2zh3c(e{~Q#6 zw%HkA4KotlS;m7UnM>Hv-kI14K)%ypkqoTIj_aB|AImugEFT@us)4fKhu~lMyf**O zZzI2LUGBvW9ErilDTqUwKq(pkk|1c4j=+CiUjyXl$X=nf=L4up)iUd2$CcTe%@_JP>@6*N{oZx z6A`9XQcy*cq&f!e+QeuezR_hKg~I=M$F_EA<4Wz)ne|7Fk8_)+Di8jZw0ni`svjCp z&;K&>=jOuWpsjjg^Js1H`tP@{)RrFCPTkx*)c?|Jt{pz6iq?-^&HU#d>X%+`ykFnH zb^iaS?yb8UNv_8K|MyiWlVm5^#Lsp$x3WoAY%yC9S}~)=fivJ450i(P89n6j&^fjw zTYeoQdKbTAVRx(Bl6N=H@A>XOJ6&qmEv|cS*Zoxc?()jR)~o(~GEA`k&Tm$3Hus#M z@Qsu8)$J%|Js`;W7vQ7>x+%0o4@^K^Z2voq3hKPj`Gv?+bh-i*2M$===H}ofPffG zzyt>~nGih%QBt02o0*I1YCO?{|%Rj5NOyHk?Hlu{IMn?8VFKa@tz0`;|&bDuzsGr!o`mny|Ui-@8+RH6>AcBGc z-b3|{Y(RjZ07?*i7>_9&?`-?%MC4BrA`t{ZPz=Wb0u!6P#W}kXib63A>bi`0-~i#2 zwZLNGj|u(PXvDCMwz@~8ovYTFFHzE|ooZY@W!xdFURXc!&*te9^~FOpnVw!__u`BhkKH(9k3D5AxxH-p zJsogV{KjE(V|l55^6ctd^Yf$Hz4a6SY`r)YT|K>iL0JCOJa!#feUhh@fQZlfoK^>8 zI&zWzLYZm#Xz6^@zJgM3V?h(dPAAUb{9&HXv4$yujOhF?Bsbt`=ctbS?6tp0v%OMZROG!YiMs}P1+pYk1jmMq*N|8X>4xZjC!`Dlgo@;+auDp zU!JeuJXE={`e1GG7p>2yL_deUn5NrK?rA>bskfd5=AJI+ZeLkR><$TH z(>ng{U|u(*07=v)&ncvgtV7zYmem=RbM2eE*N*7Q`e)eB>+{+ArKQG+7o5gW_4V5BFYo4O zSD(N?w65>2?n8$^9sJ|pXX}p^SI=tJkLl{4ZnX9-;aPFx)T0r5hl`!o{`{o={=+ZY z_ZM2n_H5t2nW6xM0SKm06vtr*fqIM81Q&=A2)Vhqktjt{Bu?}~Pqs-sFCmoF%eTS; z3Pvb`!Vx}#;F&L*17~{jDO~Dj~!_;Im7=dw!Bp?!}P@IGS3_(0shXI^G2!M8A zg&io`SRh(hy(JNC=P!1Sw}O=V0G)s4(~rD?&dkzYm>p;InAK_?t0Uo+w~k+Jzg{8? z)k_=qX_@AoVY|b`GA8t1n{3pWfDo-6Vaqi3(9xqZYxgTJ%X<|YM=KB4E+jTCHs3Bb zpPxj^j~mCHdmDQX(h3n~ipNTN<*0b4)*H@+XIZw4(vu!b<5Clxc&Xp4?`=Jsub%Y% zu5n{e^TJZ&{jI^q>PXP}QpOpC&6i4=&3UF2uQB0>;R<@2Yt1d1UT3!P<1dbs&L z{+=VOdn>)%I!nt;*L~>kJ@NM35k686K~gwObuY{q<@69Fib50uadLX500wR9`Uo}w zsAq~qU>rkH5+eu*Ub+c_ zZoGf!sP5Z1>aESUpUfTtx9;O(9kT}3e7G}zYyYkkkHO@U$J$5l|tV*Wg zkSU}qTJ$MRjy?lO3Z-zkPh#$k-TLA_hw0zz*NATvjVFhzyBil4*7jAen${ji>ksGr z`~WHd0i2>>2;u<3K^O^84DZ0nIIlm$0Zb7TJbqYX7((JGOh6Ps0Yu?2%*BI)0RjOM zU?__}g^^p}r_iC1W5ZAwMTTY#-QW0f-q-!fx+y5OAQWkfbR>alFw(Q#o?eh^nY15S~{$2%`}9kDVGweI}Kd zfu{2GqAUjlB-Cv%+T^Z8Kb6j;a!wAT5-a--Tuu;`324)#sVihF7S*7WxJgtYymvf- z2B8w=Luy-h8uL@Ay7QJFKSlIUBXWSJY!(Nw=eL2L(!-#HSR*k-I%4mC|LrxuUqql018OqmMyRNs-J_+?+ls2whiS_;+Ze0Di_NIAm zvGYu4SvBu{uFswD{jRm^l(71!dJb0DzXxyFq z#UIud!>f1JuKuxo;(Dn3X6N>hR#O;-!zfBo7zz;(LcpNo`Wn00Vg$eloFV`Yqn)!e z$ktRV8>uXyLIE1lC*tYewQ3Y16y$YwkJ>B_Fi2N$2YJ}t?@$=9NLO&j3EyQ!d10f% zmnwwpT)eAo;i`IV)4MpTkk(E}tJ>LEy4E^+v$nsr>)gfxQm~T)Pu0nrhfcL|_sjB` z#_a>mLzj^CN9`jQLfSvCd?r%5`m2RhpGcK32O=HSl@>bj;&kKu>(-%aOQ`xunDpuW9 z`_OoC$n9c9dYqEx+d$hXINL2u5HSM&bkpW1Tx`d(z^vXx=ROaj-3B z;0TpVCO1ppeNqVpl)Yo^bJ4D5q>j#6s3EEdAz%_F$j+w>2IUIDU_fFd!Url^e`eui z60JUJ-h0}9elq=^#{L_tk3x-)FW3wsc{;+4A1YKos8=2#*z7lz_wA=I>jzK&+e>2& zVgDPfp*ApYr0y#V;T3Y+MHIw|Cof4_k9D|H%GxkrIU>cD0!^ z2TS_zYv)&AldJE(YrlI_K3IQ6kG$dv@b*iJ(pg4ITxE)cO?pe%%d8U*Xr?H4a|cG3 z50Jk$Cr65Jm6n2>?>BFcqZ+vaD#*`B(Ms9*2Td{$ck8Y#S9aBoZyapCT5244*}VIF zeW|@~ag0cn)umH0QY3bH%ooV@kNVR&2P6rj1oTtJM$&HMEc?#y%O9H8j<=sat37Gn zJfx_7%(N~)ZJ&K#-Me=7mz4+O!uXY>*{PAUrJ1-x%XjYFnQSj#TEDlG{Rgp}6mrb~ z?(RGMYJI7(yr=c)EmXcfu33{Rn>0Al_|l6}PI(L#2A7OX+@_gEi_Cb>9c&C13LrqC z7>C7jm8A(NVj>#M%Q?wAjJ}QKp z8&HjWf&_*6HXW13HOV z48vg>Yi3H2_GN|zH71l?!li|mp2Zy_RY24Ui!<*ZT$pI zixp8C0f(Uim@RS9jD2JzlN3sz7)(L`%~50Gsb^v1mS^p*uyODD#;Nw)q59d~t?TzE zsHTDSjG&}muVp3D&sh!kxTJDM!&92}+b0_r8;{-v*Z0*Pd|f|(zr4%aICo^_W%cCR zqm4Pw+8cJQx#Ed~cu*G-3Y1FVgehi0GeQBGr=f-T2N|8unfk4Z|7c%4@VE67?fG3_KE2y`uyL$; z?z5+H{PF}Ht_EsWiih;)ldLo{XGCR&Vm|81L`RDUld`1F$Jh5C7TVWe?%cQp8b|h2 zjyB((sefDuSP~oajbnG(yC02aw}X#?QN7|U?-A6Wo%~~C?n?d6#q#}pjT2eu=>VN73F#`Tx=?BgexD07^XF@@4r@>+Q4O zX(#A`AnQ36%Z6;MG=*}8kRj8P&w?EM<>SHji-Wn=r<1j->(}kIV;hgwmR6TZP`x%m zp^O?A9FKtbwKAsF)cqRg$a2w?%jpw_5_ z0s?azbQ3J0ZbwKu*&3+~SsVpSjb*l235O>y`KC$QnTJZzWLlc$o)xnNSsYQ1%nXD? z5g348M9%*%<83D3QbR#mIK-(4m)|vS&o^HkXdk*>zi^`Vs`cnP+`KISpC>K zx0{_Ew_V*nyi~inc5Fv$|Ly7%YwP{lOrU=4YWvmg_PqzKcQ@FXP?EedQ{>EP=MR5v zzC2sGL)JgsuHS$6+t%IrKy|Tx_f-AnA{8HtV+-SYLIN_563H=o7%xKsSynC;3JA0) z@1I`e1E@&`|5CaX{TA2)xMmw-*89Pp#mzy*;1nlgOiQN&Is7LMLQ`5nBUmw@V~3xNDJ|3cVvSHz zMncLWLdW%WG3Sa(go2V$I&ITSl-@Dj9R@KSq!{1LGhT_)O8yKT>?j%Z1h=z6vp(Or za<_he*O*p9trC@HHWEV_sWT%mZCBdhiBSt$Ge0z^-0vGN)h7xk-8))r0WODnfq z_ui@6=N|tOx3=c)G!Gx0V4r2Fn^OW2#-^kNB$MpH(wI=G1s-}v$cHD+}``XcC2~)X#3jS1pV*JguO!o#Gr#*xv-0E`05=wM|hG( zSI^{~ez8!XmKjR3R*cCgHbtC50W{+=868Yr%#n2KMKYm4stK!Q-pNLYH%#}Snyp$b z9q3?Dm?f}+RQ9i97yJyyXv`P4#dx|Rvii1t`$*-;1kGNcbZlcFGaGYcGoun`OGZ9l z)ynggNgQLrNI~thr6i+yJ5<&LUu`POD~rFDubyr$-4WK$T~tpXNEb5Z)f1sFQIQf; zI9v{)K%|)lVh7_#aTY}^dZSQaV*&uDg@RBvJPpQ7VT}hEoU~^rp;5|c&$FlpN^s9{ z15t>@*nBkr5D3Bvq8C&%@f4@)_WVP*s0vxlp~;3jl8w?mI6H8hPDmeKDDl&Wxlhfv z-<&#AxjVs7D4N2o6l)~5)!sAC{n0*sPrUv~BX2#qUp@Wj2}+>NXd*Csl3CNyyh-FW zC3N;t+3Bb`rG^SomrKc0h@G`#)i)dGnrG+NUu#$AD`%RYm)a)}dh3UtMKS8_c%{T_ zJiu)qY@BLczr1o|eNW|{a=Lx)?#gog!$SMzr`Gke<+;YechtZCF;2(Zu|p`x%Yt!Q zk^$(+j3TcR3Y?NLsC?bk&~j;vk#u}U{1aO*CgW_m)`i!F zwP$#9|KY~Fd)1d4S1S9gtwVbn3&+|Q_uJdYpN-MSBaA1vhlS0Y9as6dV^%1b&S9Bs zp1w1eL^D~TKmiQ$F%6#`{7VtSGb+>IaR(0Vn6OK>YBqO@v8K>epeOY+SHJ#tR$jUG zoBGY`dQe&V&6u|G`(Up{V_~6ZjT);X6=3?f?Bc9M?2o`B-}!t6En`I+mM7NwaIyBZ zKL4=3FyFd;aZFKUMw7nC6ls(iz-|fUVe`=k&*1mDS z`mubj6JEEKXp17pc%GTbq^3p57$cF;X5Hh4jzK9D_@bo(-J5Ci0;5o%b;t~6PZrE( zX+MR8f~-vE^>9rvV>E9SC!{v*7%pk&_|vwqq)2B2XL3n9fmP$UqyV0fONv3z2$&Sp zS%m_tg4opTa9zx)6bg)mti_v*=DgBQ6NnuirP-GDVnTt#>9&g|N0s)@0!hp&8X^=5 zYT=CAjL|@$&Y%L(ZpjMmk3wlQ!H%)aP-#>w$$H3wtMg=s zgCSCz9LDrRkiv*@;^AH%+t{P{clB^{-$lIg$W^}H+V|f7a|HIsW}laUayh&N|=pFK*R@psC>T?EsRKBDN59dYq{9!iWfQIhE{(1Y>(_7VZ)i*n8 z^K0j;3)TJ&2K-Dl1cxCM#xM-QF_^*-z#rnjRRfHxT~Jdn`BlLjt9B|88PO{ptg2;_ zGzFc8Jc|hH=Wn!59{Td}RQdS&@wJ88jmEP_-?r}UukU(Qe(>+=Zb5b|)PMpQ0&oIg zB!Z#@26b*9=OY4a5o3=^vgJDCfS2nk5ENBQbX3V3@Xy$@V#+&eBXt=zAEw5+^rK0jH#E&A1W%_E=x2l8^0 z-*A+~ae`zP!xv=91|$k26a@DU5P=vbUSf6+L!Y*K7& zkN<1+rCz-9rgC!aim-O6aq+^Gp#JF9;I;O(TlEXe>nFY}y>B1BQ$5|h@}Rl@)A!}u zx$1$zOO5B}HjdSvH0EyB4<9H$s-3Q1-Cx<&xOe3DsruY}vVG&j+Ox)!m%aCy#06RT zR(bJH%_leh6>mK`QhVct+ehbrW&d{lRekrd=7Uef;LY!hjrVsdS90I{V&l}t(dLKw z^*!Ipzy0#zar6D#!Al{d@`v?njb|T5iC~>8KDG&DNKVf~GNUr=%ZiG{J4M1o8Z&Oikj=t9eT|3cJHF1POP z-D(j*DFnq3n3Fq+pa6pq2P+RQ?VueoLf- z#o)>3GaeM{ew^l@EWG>f*VM)?Wo6$#|Fom^`hDZr&9$o`U2E?idVvT^;&T>zA&31) z|AN*?Pv}Pa>pBO#8D*G_1^n??&cIWGjRQ16lC0V)VTuVlNwo?Yl_XK4wplw{SSiLM zroQJv`{A|q<$u+m-}YDLYYX+0w`%9h4=NvN;`64A)yh~&xLA1>Fj^W<$SV%oNhJ#} zp@qV;A(8>hOB)HJIOaq<4@LyeJCLZtD(c3ID14jE#4yEnblk^N0xUO^hK-$nqK*#9 zg+xPFe~BDR4o^n?h`Sqf4k$SEP|yH-Ga=_7 zIALPE-VVpm13iYVH!B$^^88>ut&3G*d=`&-FpdhdFAInPDjI=(A!)|r6%+IhfK)E= zkLiJ#1noYA9^fP{4{J3_BcOgt7wn*Yh@jt_0p*plxIAXuZYLP?QU!^7C+&!&*EPN) ztRA8O>~dE9eSVt1j{}_FyTU|7Z+;N5#-ibAv-`*N!3b!v1jr)o@a~UjeUNg=xSBsF zD;WygZF+?xXf93K@Rm$!e8an33X{>ys`7-d0>-zLg6a_ zm^Z7fiXfeqIr7d4N|86ai;BWl#h~I^68AboyqWbcP~dWoHLl-t{v56_oFK6NP~vk2 zDHD!Z(mk9sU4j{>pGty)L13XDd>`ik6K7>nKdZuil|dRRDp-{^6x}hUWu(U1Z_01R z)Rn+c6hjdNC1D7IFrrI%+%E01L?~5!T0Vk9D20#&ABb%VAe&80_JcNPdVXmJg!r|4 zg(l9-2qq{LqNpLFu@9c!Yi(VfYd?J6y1lo0xAp8q_3}S|UpwkrOK7j#*1Q>z>0)`O`B`|IXHHyMyhq5?u zfh850U=r!=Qy7esMDHeQ zwqui^U;rZ+Pk&Br{)kiESnRPq3LqRnC=Npeg(5hG;200e6c7+W06=z$1!J5*Ce3uH zr_?i?G>u~~|6E@>@td_X<)h^%&E?A+e>)AtIj+C09cbU%+nBpjTdeMezu7pdYMr^e zvA6s#{qOqoGnlG=?O=c-H$P`q_v%aci;WAXHXg3tUOTt)Xzlje)oj30zjoW+_%vUC z_IdTfUm3otuFss64dH0+-$kTXm)9P*KA!)%Jx@%R&)UiOuSFXd{ucYDx6+TfDWLt~ zt*LqZXk+n6uK~8@rh!QUz!U<*Fohy00TW!{OfD}CLZL7WU;@Ws581(j zhU<1R7WJrxGv23Bp|d;_9zZY!qbS6GsSUEZ&?8{fUjv2I{L?)=2m|U)b!WMb`U$Zbl0>#E$hWA z&l-DPH16z2)*iO+o~`eBQoGiEdTI4pb-wlD!rE@@`s?j^bEM`V{ni1X*ShjqqbTZ> z5+m>St=JwoDkM?D;c*@vl|fI*@)0BwaQU+0?$NtZZ%3p(zo+uP_ViD+rPYVF=F{Ec zf6*iv6?$SilQ1zRBbTQm;mCR=X?;pWPwwF~K|;YUTWA{RDUa7sUpn{Y^TW#R%G+=8 zmD{VI>IW}UM|D{|H{?wMG^~~swUQx+MC+z7WiILohQ1mxN_kAu zZg`v46r>oY$V^@)sHnY+wkFT^{P3}L^g#XX{IC$&3?87Dg3z&xP)s`LRiHj{1I zK1ed4gMa$t92iz{4pMTHSnF3m*XM3k=YMI_R^KyNtadRK@ev(R1cSz!w?fHM=hH!l z$ZC!`MR7f`1(vlKu;~nh1hP?sq-X*%Sm~rz8j3X+7$GbPhUn9&-bU$lnY4<6vPcBf ziLSN0xnU0Is6E2`Oi+#jtBO~r1c4F=24M&WbHF&K0FGk_j!-aQL1uUC7=_G=Qc1l~pd+F| zNV1umDWxD&VWA+JvA8z-!H%Sa0y*YkGH2D%QcNhwcN~dAfdrn-cc9TiK`sxX>C{;E zEJDa%_O))GdWktqqPhG^OP)6w4jqy5PUw_m7VuoZ(wOfCX)*D+YO#4ZC^)dW7GF?K%GDh2^uW0&G;K*ld4BJ} zRy~0d#x(pK!;{$Vn1bZ$cJwt?2kO7Tncew) zovwUn z9J*S0R=(Rf^lmImw!ZspYx&_8$XLeiH(xAw=gc8=|9XjomdjH^I%FjleLR zB=AigZA)aV1W5`7S;=g2rejYI@vta5#KU52IxO1p7I)dKPNOlJDiFFP7af)@j)*2h zLV>aC1~91yN_@hL6oi5u$d0i{*)P?g`&%2gc#4Lj5C#woMkx#> zF&u+Br&N1|^T07Y7)|^*;_FC&(|{VNANU^ng(nHK%ku&ZIDjBj+L%8S~5f`rQ3Sy0S_kO>=xONL~ zJwEtd?JoV#0(Mz!SAXW z<;*J^uU*{ORog?X-EW;gGbUe_sU2&7xYRy=uCZ`rswqHZLgpW&uXHTPX=9p3lH^7Hz_;Y4MwcJr@_%AR23?8{*7ZTs4VF$M5z zl?h$i8Y-&1A;u3Gk4_fUdzl2IK}7U0cpSnZ1cT7AjNPrq7=+EZ{8_az!CArT-qri% zo08_U^JD6w^;q-Fkkf?LK4Y6`WH83_P&T#xRI_#snW?`&_*bm8|9I^|>*lL5#bBa0 z(xewxFjC~c+_aA^U+q(QDLXd~`LB*&W^4OvkMiY%wPW?8i)MBw5Cnoy0O?KipNsZ8 z*ha_ppCM#&aF)Ei>qYa-v-2J^85C#Lu1-do}dykMv7YFX91!N zA*V{hE($&^$!58uyVno>V&g!td2ru!3deg;#5bH}1CQ&zA4EkL|0TY976s{B8a8LUv_ID1^r?8{wR01dmPyig-q@ z<&?L&G$zNWA#BJ(|JUixaDtDGyLzOtJlDK)TfBC-cI+R5--cJ8JLRJpSfU`NF!1D& zhSu+|zxI_E49&|Q+IK#2;GQWm%U1%%3c}0l*s((>n1$M*o(M^%FCAgmp~%s$b_ z2Uk!0roObhzBISKJVCPuM@2a?509Xjt9fE!f=ol0$cHDaY(kvO7Ah#kti+)c?57V& zyWHWn@swTrpV9ZDwrS5S9|gU=@Y!Dfu;)MDt$uEPm@hy2=I`YPlZ>-jp&*LS7FeWT zd1yvNgoOf|OkV_H8tt7ixKuV0^QKWO1}j*j3`J3#AYttP4~&mnYvJ5>{{CCEc4+Oz z+S1zGnEgkhp!D%{hMh5Yw$-ckJ;%pn=(f*dR3gl=a57%R#io2*C@^^Gild_wY>?2z z={UPsQ706n^D0HUKY+HtYYq>FObPmPW&0E%%&09Hl0t!qzGF#+f*mk@ugMApQjd!* zgjN`GKn|D^=p6n+!ZCa{q5W~hT*DmyFVHOEY;Zc5N(6Z3=lUdkF-KrFpzx38Epzc* z3ecF_=a^Z0-MDjl@wG`ZR}Y+v~k9=a{}pN2Nz_PtrAdvi$gw5%+iuvYJ6IZPo_}-MDw#P z(umx`(e7=OWKb~{tcb4xo z_wBb$(4t&0LPsWsB*+-0wZ&s;3Z6tAArfdN zBNQ0zR3OZRiK@*Wl|EsjFrh%2%rbt;`$ZAp77EhSm~(>F#SsK%5O)&67%fqrFVLRw zSa8BSLqfq^QRkv_)M6y6eXmzP2G>8g7vHrGJ!*WqBUropkIK8&^4vdK z$DVB*s_(hcyzy8&j&Lte_}MZ^bzUdaaf&6Id!Dv;y&`|mwy(ZkKe~Rcb?t5Q(hGJD zI*9YHSC7n|VQezS62Wn6#NTHaMZHs9X0tNOWmw6$lPb2Ji;=8I}3 z#!o6``rjRXa>kE|(nOx%Ql#RT$CSz0!|JbCpL7*DI~tDI@5&Uhq%% zb`e`KZ7T=`q)|VHU)TMXy)A$p3=lTJ4hCQXfF0bq0&fC<9ZF#%06SeyC~!=BlGNr( zV$y~%p&+rTnaqSVX-Ft2rDb`98(G(_1dCZG4#mBpcpq8d$(!Tqc+gCP)x}C8iuRZ= zNyJtf-VUAddo!{b3GEfDoc23GVmTM>M@cN|p*`w~L1|d7`59q&8DH0>*E<4jfR!RH z2;LCW5b#S~(qNEHV~}Mh4}GRInUJGzYHk&G>@{O5sXOEBE_pnm$A}%{&1$Ps91&!zVpv>(peW6kSugxqm&d5^v|OC$3WJtamP@TyPnvJe zHO^mOUHqjpYi_=tZ!CZMd;8YgpCdk62g~6U?b)vOsp7O}i9a#8JBKHh7|J5*06SLN zFe4&|8+HF+;rc!MU+Nd`HcozMAG_1oe_-uZWv+U@vak0dUnDUFNDQTLgg^-xL2v@= zUF*NysOf0hW|l-VTURGLRNuSjB{85V1*ln81*ZT`LI8q?vBkq`l8rZ~+8_7Uu9qLT z9$jib-xn^X>o=Cx-v(CCjj8Gs0>Lmr!Vrv8_@)Gu_z^+V{@4&*n^&2T!2=GJX7E`Q zfr+%bNA(*$g$e^0CMXie`S3}A0w@k)2r&|VE9*8MXEYw65ykSwzJk=5hbq4TTP%J*s)SNGHpp7^Hy`1$&LVSTxMFickbeLfwjwoKGcS3?>nb z3#d)t{)StK4VHjQKx$F9G6(7(};6`QkfF?;b89`R*rMq zD2hTPL_z%cO_W3lgdmX-ZlP5}2F=zy|GXikQa5ALI2lZ#9*m`%OdG=KK zY2)>6{)sXLU>HLv62o|=3Q7?WhLb(W0M}t|7{f^vM#u?+R$&}N(9Q8m;xIwtNPmv8 zCkucH3MG)v*x!;oxC6m=&?D#cu27c#oEttcPjCwaawrki)8EbH6iG+M%LgjFSU>u? z_GtaN#@U$Pz5S^1ff6wmS2!@;nW5z6^R27<2t8K4*1mUhb)o+BY4h!#-lW)?{I_wt zapwB!-9qET6MywUWocus*C5=-S(yRi{qwAVASj%q2pqvNh`_Nv4r2lYARtH_0|W$c z0*4Ts03GDTHlxe6o;ZRJ57p6K+j^}9;lqRgfDjM_6EMU#Ibi_dI6@FZyhnd>>K!(& ziP@cpYUajevBs=o3wstWJ`B}P)Zf0TeGb(Y-L+$Xs2nRFh8qu-8!r|shwBG!2DX@; zI7$MNq$uu)a+n|qoTLCBPlBW%3d10BqFoHbaR?9u0RaL=(IJ7AJuxYa!YCZ>?46U* z0E4g#j)`JhhLE>917)(&UNMAA)24A@;@#DCG#0frcdPuA zmYG}cV9Xk>K|Y zxUsl?xPIaG+HP8z^kYjT^C*d!e6&o{YQM|OE|ty_n9lQ*>o=9T)%|~H-8xu*y^B@? zD{fKP#Y~y`aIzTYARfk3DONPNE*UoJ5U-YDPj#z5Hpu;_~B*@ z!p!8cLV-O+ z_(eaaFFcL}s~pOp8YI*@U7Eif~HIjAJs2BXze+>dUEH_;n0W|)UyTp=X*Jf zMO0r%k5L=`_qcg;3px3f^if_Pyj(NLSpcbBf{yjs)UOEQ6o@{$dt6_A<>ej4Xp7< zN{X1-?hkQL$7%xtz!-`n6f)8f*)f$xAqqoq948m7^0ESS6Kq!Qd`vyn| zK`^qf`Ox&a8T)L(+=t?G8C%mC91Z&kS%RVIWkEP>ql{UG6b!>rl7L1Gujc->Kp%!Bg)o1SesP>iJ1} z%M2!u$!zLe-*V~M_<_I8`sz2IH;(P9KU`{DSZF-D*nV)WvHxSxUA;3~eZKO1D{Fs? z3o|fyv;Kh3Ccsgc!a(1kr;VT#obo4Pq=tV8DO`o3KQ*|QyLZ<>5Xvx(4g$w<00W9W ze5|W`{;}0~K}eXu0fcbgGC<**1G0a+183|txjA*HiLTDTaR@^p2uDeZgkXq-d$%HR z4HlFFB-)A0-_lwqJPhL;hT}wzo?xG~VzIQ0-)4^#?b(!{{wFbU1T|1nn~le8-&pWk z{-j&K7@7S?s(I(Yf75PXU#c8$%`N@Lv9@>R*?;O+=UcnZiGDly+0y*{qI{?K$TaQi zXZCL#Z@oWNy;(nYbC}=q>aEOQTW=4qerkNU&^mmp@}hp?Mq~e(_UAWHeb43IRhMI# za+No~X4nZ6+WQa&;}iv86ryklMabS7#T~-Rq{$J;rm>G;1daiSfC=PB*!y9h-=s71 zOyDUBpeT&L~qnQZ?llEf&yw>Hw}Zfz+V zs=Vf(y#N9zM37yE!6+UQ-Ta*dfN%B!fTMWlyTBx~cM3sB497_bryvx95rP8Tfd45# zzzDXvE`W)R`jT4`+|r^)8>jEXtFO!Fe%E^cpmPFf8(=tHfwnUkHPfPzHz<`TAlI0^ z<`e@+)`_Iw(%4tq72Q!hYT&N#ZXBJfEjM4EYTvynTDkMX>Ve7~TJEku&^F%Q_C*P` zY-VQ>v))++vc!@Qlka+1PamV)XWUa ziy-IV$w8qG%)TFg?N{p}_Asv89!gH3aKyZB%plHK3k<8s83k!umg2Xuw!+DQq&g7q zA8e!9qogx70H{vFk&E{|kXr)e9HCN@X5ewuQd&p_8MVuJM=I7`=KGE7jt!eu4dJ=y z_L|kJw}eane8yxb*%^WzQJ+I!GMRr|yB0X;e7H^vZ>LSeX`f}1R_(J7`Px)WFe>KB za#yL}pmKC3Ic!oYwaxYv8C+4d1!9P_+9kwjLk_p=tyev#fC2d+pY z@fG(J;ge?a7NU_E&OaJTq(nZ{#wXPpQgM}+U!*&^b^Xj%K2iQ6*I$mqM(U$QPOM|~ zK>1m8^~J!HG-kD5aqIwt^&z7xZitfyPj_vT!sYv71iQ0X{y0K6`zJA;qBfl-Q4(=K9GDGl| zk`-*hwggJ((;^;r<+RmB6toMgu<0e$DJ<3$hR-RVRHy7@$zFT=$KYTRH09Cp| zEJURrLzR6zWk|mTnbPeJd*g$r86}-aIf9Wf*-^qQ6hz(KHOsQue%VNp39mFEjz}kz zY~&Q-2*J`_bQjaOeO4nkNV{LuI6#jcN>0=2d+^GlBR45!F~x&e?5)o<^JPllHMzr_ zj5iWT5fn#IPQn|8lLQ5!C=0tt*@~ggV#ft|bIYT>uarHUrG%EF1jutev}FH_1i@h(#W(*1-ZU6F$!-`) zkrY9|1dFdo#S~;5wPn!}%%T-B`2&@Yps}$ajJQoGkQ;M)*H;38BOei)bvCt70Hso!s#4g12n8WsL^_Ve zNNzSD1S1fDQIrHQ!H;6>EHVsxoJ3IwCr}7b6u?M;;T>lj=ht_dDUPBDi~tBBQHn$X zPGFtO;rJ+w1chTHiUR;q5CUL8b;wauo8~rwA_N97k|YTThtX~}qp(GN#Md>+`iMl@ zZ!lV<|KwL1=)d+c-IxMwEXGn{%JK#NpQpXx9~QWON^JvVxPdj3kWKHs`= zzkcM?##Kf0_3rxpi}jDsD_2$@epi0NH)jz9Az+;BIEhCt(sa!4v7$p(3 zb1m?=3nvhgLJ%B9QG|pbiljQ;K=ypaaf(7Q1jbn$MtBPhBQZ0rL-@Ffy%D`FY+~4u zG&&dxW7ZTY?~ZlV*&d_MTAYn&Vp8WI%}2YKlEq3?dS@l2%;c=Zpkd(7=0YXr zOm0(3+H7r`$sBgq~(Xrr_XDT*B2@e8aE#W8^=HN-fAsh z(~F&zYhRX6wckBjJ-Ttf`sRn#TVHYetZ5!=YUSyd&(~`&>n~1Lj_Y?OeZM#UuC@Pj zd->LODU2{lkuXBR6a`@enn+7K2C9chv&*j&iHc#K?SF9 zwU3{zEY|NWv`#F7*5!rPf&J`1jmM(FxUVGDaQ^)tZSs}(^~>*@w?DLxoT-u<8I?#A;6tw$#}4neik_4#)bh>}SR z3WqBvpDesMWfBVo7_MdVPBNb901yfy$suNe5jfes8A(8ku7v@NkuZe(?*-T5231BV z&?_}Qq#tj;1@prorm4O^HVAhI;9m6Bp3T%=O3IJhZ{OAD4z514ubtR9(YSNGe7G{d z_K}^7OD^KfrFyIN==9g?uYbMv!C2pOef7QZ>oJQ?#v75SVzU}13k$X}*;?_aeq3Ab z*s-~1ianM*eN7Bl3ve`Th+2gLSSt&;icpB%h_n_CSqCRLrv&oBzxqo#lP(}lX_T{? zTyI(5Zr4k3EFu)pr)W+nu=xoj8T}c0S(}QI+-RHi#W5Wc2}$gtaiuq^30)yVEh(H7^XVy;dEm~DBb%~s{aW$yKC7Pruw`7T`IOqcE)3JvUElqB1sq`de?pbmu8hV;N{ch8+#A0JlnXrdS&g@AA?^$ z?rR;{-#B(>G>c(S9Xp5S%l9jH8=o#q;P(A<<=xE(4<_i@qA%*Q`CaUum84h+Gp^C1 zIAS?Ij3goW`^x*(=czwUPy~g{%t{FuEJ4F0?c7ierYj%u@=xgLG?EPI3=!QHeFO zr%(bSF$9HvKHg*h*fzi7F=Nvb6RHawN+~Lq2nFIqSgfHNsxu`Bcf@@(cMsPFT$IUT zYF%LP98#!CgF6VP1Pb5|8c?p?IqA`xgFjJkjY@2oUJZ-zX|>)ZAvhJC*2T~Nf$I+r z2sW;K`S786?Ocd7K@1t(6fM;e2_g}pAYmu- zW4hGrcT!1fSTtUJ3;{fHb#Ptsk=B+V-2rOE7zfN(R+~y3I*PxTO>7d4bNUBe*D;k+)h1b<#zr>FwXXn z8e(Hc$LO5=F?3kcu27jovmpcb)YnMXP29oUzNrcSvwn0G7`MOv`P-S*)q-A z0;eoh?QZ$N7#U1AS}_urv2#!R3vncslX2Ua%{M3Ni%U`E!JFPGUZFdGX^7`5DgMbCMXd}X$H^n>@?T74zYP>Kuo4WKA}KvHaH}j#O6Ap z6bgdLyau&w=HL_xAdS5E^TW=N4zr92JA)^IouN1~DeP>7btYB`1&S18+FX6*29Lp! zi@C*wSLE~w1(G6RbNMz$aaJ~?jYuO7Q!XAC3QDF^gn>JiNWKhyq+Mbm-f;$WYpL*qAf9Ky~ClC za?qwzW-Qp9(7ofLvm#QOn)ar*#-UkVsl1UG2FFqX)r_1gG#0Dx+2?6JdRIFmsP3yi zmZm}b`Mc(>Tk*!OBO5nZe_KqNwR1mAC?&(vaS-r!3*VHQQ~PbS~wZ zX2<{}4mv!LK@4;M2;ssb(fY+-uU{-Q&vl)ad~hKEVHAvF-24)NlNd=-5X{HnngSR= zFcQPD$pW5W2%#{FLJU<9W~f;->|2N;PEXy>?8FIc3sWmqc(LkNjt6cfbdiYeWe zz#yp)(n8VA0ga<{RLOL2c=y9vGqdG$jVISCkA5ZoeQM)G{mA>q)hk?*vCU}$K?sw| zB{HTxF^mYZWTOaxr<6eD1=$Ajx}8+-^zM_Iz1_2;)6FP44`p-UOS5Tyy59VFNX|I$kN z<`GU2I0jL@cvwy@7eqoZg5nT+BBc&;)GCJ1u zS$W#N@hCj=ZDanlkAL<63dUdvrT}MPIDjA$AutH%kMzX=2IDXePd0ZbfM75|Ap}fd zFa`ig^2GWQ7=fWUgoAFRZK%{gvDz6-{WE^u)0*O-rK|n2LUQ$u{WpKTetPXlWvRMQ zXuNp(t8sC|kckWuF;B@IQbUXg;&{N5kjA!PeB}%hk|#2_`RG+a)xLFT<@J9vDA?EE zq?i%EJAc`D`S3f?zH@u++4>^!|55jrU5+GI-uV0Z6mom~jJ@OX1|({C?MKWiu}bA# zuT|m_GZ;?yG)^-!Gc(jQp3@~2eU1@*i~lKMO3IW}?e_lnnR(Hbq0HbLac{)^{Vr2K zaJYK&bo1lG=FVNUa~GOdpHQ`DN2?ExeAkho@eE%Jm1ir5)=nT<<@)DWjeV!;cg{5L zUiee_e))dw?E~Z5-cIjq1ptgOfguDGAQ1&2W+{g4zciNciza9m(hMdDl0-D5FhOh` z|4T#{q;3$hN&@Cy8tYi-{VgT40&-82m;qE5BhNz+ff)oznua56eAb1qu*@$w;+l}F zl#7Re6b;C}nog)Pc%TfM%@G%&V{ddu99bj^^Hz>#wRGZwRje46(U8 zA|Y-F7BGM&2wI2$3?qi7Sb_o5tNs9_CjS(I2Lq7R z&K2cj5yJJ`H>$fX6#m}4^mP5xpDWiY+gIOL4w(KF+ZtBbW>}cFbM~E}Qd=5%shHxt zF$;`lizk~LdCRU&`jVU%U0!!GJ_I$jl`I3wK2#`_Mz^u;$8JX>bXBsnVLsgEc~%E( z>bcgR)?|itXQn6fu~-ap-zcF^AIm4e-4pSQQW+01_o&P*hsY7zWPM*t-Tj9x5bR2* zIFGq`TS;vkueEzj8J#R#oE_5LyW!VGoZTA`EW#8`pb`DOe(mjltS_yeUVl~Fv8VFE z3nuCAG)Yl3Vi}U60JFKlbvD4Q+9XBfPvp3V_zrISgTXl*9pC);aJ%W@cE=*5Y~HAo zjv6idCbg0U01!0GVq#P6VHl!yBeiu41wsx&4eF7PVMl>_RzYx^{qQf=DyT)c* zMPe~&O3V+eukk3Ig#!gpIahFKd2K$tQ$F?Eh3bRn8<&^&t?gcaUq80}KW8d8mrs^2 z|7Dz=!m<>`fI>9yI*TB}6ob0qKzMX5L=zAoKu^aPOaO+WC>BwWA@Qbt)m@;6S6YgO zkS0-!#;7gO2IF|fV3L8GgMtQ?_xy;B!a` zyHBe-AJ?AlsQK_|H_TSDyTG`8I1**7u*RE}d&0+}HcXSbwq$|9xF&`h$-vAD2&7mg+mNdc)QCOC#zuFJ(^o+3(6HGv@CT&Hab|wSM7;gf>;X@M-yK z<-->!(wkZw2`PePDS$8w2te~F(!5MMh=iCVC`4cuQDh4NxOGjsA3dLq3y9wgBw3Q8 zFz%eSj0zw_vowQfa^%QKfrX`SaX|3q^Qu7(wHXMR&9$|w!*aH=A2%NUb?x*_W9Qxf zRIR>j?!L8refddc`xrUJ2vC@082(ip(i8#&(~h1k*yMk}X<0 zO!70SApju@sMaDbq%O`MbX^@7UO%`}=oWQ;_`;&LZEs(HWx54dp^1 z&MQ`lR%%O6;?aq>4`N19@Xd=iD|@{4>o+-BI-_o^9FQA6(ibiFv5kLEC5FqTg=lj( zE>^FdUcZ%Zo;|*P_4AwN>7&g%C##pXH+S4>p12`ve*9tWRqf6X^R0qG}P2)-MqE8Of+&-ceKx*$Hf7{+pR$j@m`L6356kGO+`5C1>5~{`2%ism8^e zwB$)S`j_qPBEpNYq_^+c`~_U83SFVpcTD7Pe}sJ@r=siYIW=V}YvL&ieSqlu$1p{sRy+FnT8yhiEd-Y!7RVt}#@wK18rQLf3o zO_%H$ZfCP7AD+tw`@2BANuydNYaKP<>*q5+6nI^u4Z;2WORh9qzU{y<462 zQ6dfW_VnzuU+?kF=L@CxpF$B(?!5g^V1gLv6%9dL7xpqyI1_*%lz%8L#qC){6KR|=cw``$xcHK_{%5kA&{fMp1h1SDecrtQxV-HzPS zv4&czx92rvQZ>FcIRm-i9cm6YZg%JV6;LF?beG7G+o0;sL*-|+UHerl7gyiKiDX7y zx&ANpL;H1q%ui}61T4$Yn^rSPL4riM)zq!VPSU~NpR=URn-tKOAx0EIQ{C$so-<}d zQ3x?4HFCxbit(IUSY`J690N+TT5eMeaq@&FZV0-w7+s5Yi+`)06-kB}3DI000Yze!(PxNd|T9hbP`JArc}C5h7^FFpwey z!XyzCL6DpO_f9>W%mOt#YyFZFhmg?l(F~+WiXeq=23tpfGz&(?&yrfm$xXro7}XVq z25=zfU?@piayBq*@idavK>`|J zIEDzALIlN90OF|zk3oWhma!+k9~|>(-tAr0cX3$(=-&kJ8WIb5j2B`*99pY<1YYXb~33C8zciu z!)%<6sRxO{g9Vk?n98(CvFgMu1L5R|2%0yZ)8{uOR)5ekY zAOBK$QoV3w`5@7Jx>UPxcI95}>8a|AS6e$7*~a4bdeC7##gZW-KF`A|>z|Vn*`m5n z)~PZ@by4UFn6o)4vo+pMsjH}>1{7CaiV5k)=)dDgJJZ$-*U;&lm!z;>+GQ=CinLS8 zbalM3oSoQXF>_RKp4P?8nT3JINf~P_nU4TF;BVlxw4E~8-hBmWEp?uGH9;o4NQm9i zNV_t8Sxn-$%;f!xN|u-XaqV^WP_N~0@-`W^FGKS0ZXwTa~+U1B3 z(>=1;z^v3fSS00H=+@9G|fpo$~1{U+gjvdjD%U032;{IHfN;QnV1`REhtfsyrf?&Dg6U) z(dOdFTe(Fkr$QyxEYXsjgpO&+Q!}*(XcF$Zkqj3+z&7xrw-kdBua*psylR-1_mY-- z4S8c=3+$J37E@NAP|S87V~L2ugfu4Hd1e<=I`1Ol=innD1#m~f93{xa5Miq8_uAWf zAzVn$8vOh`e5}b(EEqiTZ~FVLMT1KPZoUX0mH;H%(WblmuBv(dYWcpnvLm~4wSN0~ zys~$;`Dx$U+qG*#RD6)82@--f*Zv3>A7IGVJrFM!A5EfGY-2Q;i;tlw$WVx4FbObA zvF%%p;XRkYGz8S9A}}b{S(KtiSTkiQm%*Nei9l!8`7`rkkyn>gwCD{JMpMKs7Rfw3 zteIX(LQ2NsC9%k_jWWa_Zzk(OViES|i&84OX(t+ragS4BET~j&vB;LPxV?c%q?zPq zTOmoX1VRknoF0OtnH%>~bIU)~ULCH!dtE)bw|u5?{o3cN8~cYz!7xKXusMxrl3++0 zP%W*6Uoqu|wV(i^37RDVjY&+A6bZ&~Y0i)oMKTC)T9PzPVx}FjXhwus0?`O;8p900 zkY!t!Lo=cont^R*Pm&~AhzQiqf0SgiE%zM-B<+lIelloC1m*EaocoHx7Vub{=@jQZ zBH)nCC9Iwx_dQQq=isB=w9|R(R(Ll(E?uJYXN!P!RLm(FFaS_3zuRFchctpT4cU%A zaZk#N6szVJ@n}Y$OGh~Z9`q6(PL3E+6ob2ghP%=|_xVHf{qE+?Q`PgYYfF!sXC5|o zJzlv}Ia9g%OM3Z!_;>#$B;_>32tbzRp~!_TS4qeqz$@ewAlS`yhMGdi2@)|h%U}RW z5+e*-I{QdKP6h&s1OzigxJl4Zm~qpcQ}wmFWdF}Rljz&QTpL+3-+#%ka`qo`@hC$S z>|P+m-`S5_w*>-E0uF{-P^&eB)2FdcX7J4A7UrV)Sl5aj!{eFN8tt9qkpUV{m=7fA zR4B{z=L!#5arI&_}ibV%SwUpuCCA!Or!p$*4`KF}lT+{`bi@PR7U6%4d>01lyNDbWV# z3-ful50r%|Jp192N4Y!QTcGYtxy`;HBzvqw?Vgtu2ofhb44v(sCp|g8TvDRvr2Svo zGtjp+&d#oYj3w<{J6zv=S&*HM>*W$*~socNGziS-a_p8o(wbMU# z{;KZ3)cT7{+DTP+9h}U)sTxDE$)(EdY^D@}F+o8eHVX-L%uPNngi%=Zj7SsJg)LMYLK(Mb zVZIGGwT6B9Rsb#*K(ci-9}UIi@u)i#Yn{Sl2C@*hsKdFOo&&Vwn?KlE73wC}uJ5Yv zI<~fZ<;f47pe{Zjw4 zyB}BfS8tq8m4g^jMYzjzvE^S9Lb=vr@CjUdGGZ6+UwB2n5wUim)}~}x{P*% z=;#@d(z+Om_NzJwh1R9@ViA?llw`E3dk^Y>%Ct@_!p10fm}Xc2C``hZYaw@>HuVRZ zL9i9vn{S*xzh2$RJ5u%MSN~9db!B*z$hbw3^A_S({-OGO?a#~C)6Km4NRIp!4E!FzW7xVZylpj4_5s2`nK}3*n^!3iWQ(*ps*>se4^Rvdz|Fv=MdHwz2 z<-44p`Ec;s1=1EA&Y3hsfs5eHxccZ&b>FRg_1Yv#H_xJ<&De)?X7jwcHjlrpe5js# zyYk^TjVGrXJ1=Q!KVAE4^~P4%qvLpe?U<^9gw=eAANLs~P+w$|q z$>+=a8XsR&4z0ggzh8ZSz4rV}ey)1yO!T)CYAP9cvd1JoU9L3P7MkM~KaRUMr=xhQ zCuy9!HB-NMtbX&t>f=eoZ|*t&aJ~YZz{~GU-)=lvdHMUwDO>ZzzQ&oe*0moRdyh0v zANjv)XMTQrZ0+{QJSR7YfMP*6PSw|;RTlm6zy7!L^I8~A+5m^m!IR66)~+n?sGfOT zJ9XaLymo5!S>x^9@{6@+)x(F^AFdyXG%mib9e6*G0Y3qh$>JGGN#|tg(c0*xZuhLy z>vRfK3RLctml}so`7QNb2kW=b{BrH-+Uv>=$rM#k0p*-DHk7DI#8g8`MgtSq5BDJ- zuTvx?6^o1+Z(Na`i`!CYkSMDNrPfkHEDGgxw9Nj^Xl}z)RMfmtn+lWK!mQfKNtUvG z{+RKM#RS9kfr&+-Q%=UXAefv!8I<>z(0`PBPNk$2W+tl3rUeE|y6xAMeYMLs{=Iti zY3=^g+P-I&|5HD(d;MVZz=86+=8eZwjG7-LBGQC$n8#05ii}pMKnPT1^?Bpr>y5|% zU3s80dUK!Oh^jZ#v{xx_qp<{c7#*iTc|!tB(UybWK4U z(PA|@lo~3zhm(j@x)hKyIkv}cz^N{~Ncx2;d$#dn|H?;6}C8>Q=NG8TbLP6#@Dde0+fFf?Jh+>)>4Bicp#m9M8Ig&b~M-_;C zH3_w3LU|!F!p6~O+WM7ujd$n$vT0U3CX~px&C>pV+PqvM7BLD(SUXrs$cz$VQPiah zxJ&%9K}IN(W@Hy;5J4cC?A$E;lf+}25W8aS+%fd4&u`3Xht_83!&%z@@lQ0F%|4Ve zN4lr!PN!FEr^KQ`DP1s*)Giyhd9qotC=Xq@sCS}NX^IIu%K(!fTKt9tC(&uq&e|yH zl$!~6E7?X3Y%F3;8!gW(#Clu*;Z9@ev1#Ua)f;!q*QO|dn%5@i;%EtrA-zf^F$*>6%Ey%} z&6@}Rx^lPvdPn2#^M%z*>j$bAr%|M$=Ai^-82cm)%nT*FEZAw|7rl0XW)XK=qA}NeRVedu_X8WO8l>@dv?^H?^=2BpXKAk>UOsJ;&koq$4q_i)%utS{Kk>uL@`nexg&hsn>12u8wWFfH#+PLkG z>&@(Ju;>zt5=vLXrR$2a5b>Xu?)~Yobocgugapu&4@hh-bI!ZS-^Mrd%h&2R4m9>X zsNMLfe(cOl{nq93sp{D)wHLSR2VYHUvnEy&i=>H=-aI#(Q*<@n!Tl$#j_1h2KR9=D zdJR9*dF|1$%7gN!_2Uy}i85r?7-Y&hG?1E01|@C>X{0ALl#(0s){rCZi-|?hZ{ac! zI>aKZCs+yNQp6?i4bU{HxgvYgZnppxD`@YxcBS=O2PqTf?e3J6<-VW`M8=xzmk+_`C8n*4E$fu zI`8)9h4#g{U;ks^6|>0fAusT z95>WXo~qwpnxZgAI1?R8%B0jJoX4Z3hhj953F;yObx<#VEFWwdkxN^|#dnhtq3I z>mR3?26HxzSVVg?^8=}i2{pmy!xphfPG&iQ3;2(f=87s)n0pc^Q&_A{m({@?d_$T6 z0x`2l+N89&=0;{eNiq~cvK`i#|5;ssUNuXGECb;;I2SfoA64FzCaKkaeb$npl=FUi zARSi$n_I~~ir z>i1ricTG~W6ef}#`F8Z>3J-jjrgMVv`l zN`ZSx($d#pf)_9f*AJDSL@P(Ddw%+ZqVdy>l>_R=54Zkf{ZZD^xclbY2}9<0%MIGW z5a>(}4^=R)({tNQIb&7(UGxaB#Oa>}e>tY4oMM z*`*kV6Wb{>>)avtB8TBRQRE}R{>$IK4%s!)wzoPY5`4Iqq~2mkFJv@*~D>_7{pvW1bBb%th2v`Z$R#GSL#Q8YU*x@A_cn+tx!)0@JDm^uuJf{>b6F)LJ@ zS|0UBinM|klp|auvPJEBMkN<$S-0TUp$~7lwxX5y+esiEqGYy8;!w|ztEt_;u=ay9 z(DMTG`K(-UO~{?cs$qDI5uhX?0I=D%jR#n>2)*_&V^b9wV}c)F(|CHRdHF)^_Qmz3 z+WDjFOVxeb3)RyH1`s!;&=B0lV6(;@Ic*no<3?meJL^{^RAbOLvk{AVw)dnCXT!KJ z^QN)j8;M+7h=@foQlTT9B}3bd#2^;U$FttH9q4n;*^|kR*mD3n+fd7WV`Q-&f#^^s zPh_5MD+fF%7)x?NiP*VO7>rXo@Lnw8fGYjSTctv7)3WY4*SDuxyNc#sEqY}ta*Hkv zXBB9_7_i7Q?$MV^k$~3JbzKTzik1daaO7j3d0G&Tmy8&;fWWbK{`Dn8y#DtyBu%gc z16rPEBQP6^#1w)6cPrd+zz?PP-S3kN@lXsTv)&+b^@d6;A{LbkY8@wER$_9--I`7x zcD(S*dsp{VuRQuMom~)9gCGrP3<(~0djuGQ#v}zWue<#W1T3ThCR+fHiOh^FO#(o( zh#>(DF=AN6<8eQO0HzU*Np=WV6Y=t(W2_$Urmmt_!=h|+vPEPGu}B>nM9EN+XhLd` zi$%qjlSIU{AQt69RHo%tkQIv@?hri*CNo1IieV9^Fo8*yr7>>Zsqo@tYByhhw|<1E zT--Rj{L%k;Y4v>hedUIwd;|<5Wk?cYmSG5%pj!xEh933q9gUxlF~I;5V1#J|5J}Q4 z) zz|st$84?YNfhx=-`2~S+%NJal1V;wa%5*w5&&WC1F0eL*0>uV|AjUK=pRFEygM9w# zgQv|0*Xob&)oz?@T;997XZ1ky!c8IBXcIXw4Bf&IjZl|jh!_G8{K5e#z|ss!uv36h zW=M)aBqAt)36`Kp#48#!MMF#=iW&x^5QH!oCBK+bSabelkRN*Dx01)rMVA;7cAIN~D1I%B2^Su+vQ+t@a;<)C z@8_R>%QlYOS^Keazwz$+>eBKPy8LMU;$-MZ?e?3>f%5H@yUY82{&b~s!@l;Qc5T03 zU)jHMbYbQF`pw3zqgz9lAczTugbc(aVA#!_ftm(g0x6oN5GF8&7(kYwX~+*QA?QB1 zgc!z_wARfwz$2SfO1~<)#BZW$j~3ge1ekpH`;}w0>*rVRefJeWC9U!1Im^?;B}K7F zMx_jSO&9j=Gca;mD<@4_Zgkj)GO7}b0$Lp5!WkIM(liZP!5#)sCy>AljcLGQ0XW0T z!`jnb>!1GEJpD1T(Q>dEMK&zfkDU9}FKTZON{z$l2Bezj$2C-+?OMOHw(AQ}CU$dJ zN;vvFa^2H2IYWhNZ|^F<`~A;vPcL^J{D<)&33cyJy*l7BKquQv=v)i&^#4MhL{7Jg z7K_MI6vKG;I5WetVX;V}1OiZ?NZ938w?V)}rsN$!m_U|b7|4!7OlBZW5+p_#31Li{ zyDx3r|GxU+ZvD+OSM}QE=7o=cs~tK}J@W|s*V@yKo8{BX_iA_V^A6T`zii&!y>jJS zW%c6D+JR@yPlubYb{CT04Ub$28TI@_mtDKLe5twn7zc{N{!c(rravj34XJq#SQQ&L zfBCO;r`ANn% zu1ry)YCf!lQpa#N@H+f1%-Vohl*kRb7&u&BJnM{#MIhjuCJ=WfnCcp1qOWj2y{WTC zv5<57RCm;F)-aT^U>GfEUMVRGlu~roj+|eAw{d#;arN!~>WSy;PgWoQY4!Q)37%~7 zYK1^H>D5Ec?Pu%9Kds&-vyFFGR-ZL5AF03I+dOh?<+CE>#$g~NLcct zqcAX3MJwk)i5v!{0I(r%%;BLmVg_PNkeCJRKh<|zEhLKO^_`957eC)wIZaxNt4qzp zch)ZbX8m~m(8FBq>El>+_qFoHDY|rM0?mkuIP14$X;M2)Pg@s)3xr-K77f%x6IRhcgV3mG9jlfVh^OgnozOouuh;~*LIdqHMj2= z{l>(mg0NW78wEbB94LSMKaGcv>vykKmg+~gH+G)<`P1Ev!ri?M z7o(I*5-(0O8m3gt%7{fe!~=O6^seFjZMP!Miah90VO`LdtiyXFf-C_L`v1k90x(FT zibKF3-8!+hqx|CUwWBxIuglAqsyps&+*mvNU0kzq;t#bwN2(V;j9^}6bBl_Ag+GpU z^ZKLashw+Q8&@A&n`a(2w%@6}KKl9j>hbEuYxVmdR)6~S>W&HeMM>juYUste;6SQc z!Pw=Y`B>1Q8c5%^jc0cm$Wdtt1jQnQU7FE3xL4nytXQPuI?OFP#3FLByU366ZU}b$ zaQ_Lu3sC@&KySbG`n$EG<@=M|6jaKrPdbo7CQ^BTCiR9cAdUGwVo`=wFL1S4YeAJ4 zi-@F5n@Diot%Ep<#G*hCn91jP3Zp%RcR&>EvZ9c$>Ho9@n0Y(<+vbt`jSp8UpML&y z_xtL@C)H!O%e&T2t)I{)CiP?3TEuB4rVxwFUGrOLx-9sCEfMQIY9>!GAdLbx;_p41 z`kwWX;=RtMX&{ z@PuX=!NB9ZF`rQ{7A(UBVH{?pD*l2}<(H}NlWX_ZcK-bS7+!n6wtGUEL*e}uOi@ob z2a;HK%sFf(j!s)=(E(%`v51m7xQ1d*Z+D1A(VRh_p9BM7XD82J+3Z)CqS{c=o#gGk z^(WPnZ=1JHuoF5h84tKd*Z}Nv0e+f+<*UD#kY6I`97JG9H5p%iAjJb%`8=B&E;MKg z>J!qumbc)*=LhxE@5J>NyDI0u9fx69l;kA+HNrvJbCk*6OOVXQgP2cZyvXcw4?A*c zv@)6|#3C}dxsjWosVEk?T#}H7Ufk5xEQ+F2ETZ*ZeMajtl>Q0sT@)N~?`mBPPjc^S z2Rog@zY9|EOZ~g3S;EV4=Tf*h4{?*tkaMXLouseg(WT32jp^_LnaH#Sr+w_4bEFk* zPZh4u0XL$l-@WKx2xQvPP3KgEM`FoNA4Eh+3Wwh4JN1}S?VBfo@Ey4%QmQ@ig;~L@ z##O=K_lCUw!W7l;1pf zq^-f~t~b9l&DAg5+c>a1F=i^JNP?sxMl7HRf(8r?zaXwiN#zVFWr>`&*!N*Z?Uk1= zx(FZ;P2%<`7f*Bwf@CO$?V{B=z6oKURI3>ikk8-4%eVW^pe&++tRaON0uT)D#l7fq z(7!5Qv@E|cG%mmU`NPGZ-|Z^j4O9-SylI?#UE95TrHy0~ilB)Iz!I!L1WgDC5;Jr+ z_UEXh0!vYdfb4XEtcg~zPKKocrT__mK%fc)AxRPpfkE#|E=G|hsP~Nzu}ZKMK>^SS z-_Z@R8fASzKR@3~YrjmAG++^pxM5a~+UG%_?{8hd}L zJv=#PTF@kb5Q9#{fT3BzAVAR!#R|nKfHYtzh6H%3045YBA=;b_h+r`UWLquZnHCI- z7=&7aHz|CHEQ;FN@=(Z-_@88}N7o-V_Z(loU|u^|UAj}f_@?^kUJFMtoXKKPQ6d6H zr&(v>%S-O4zJ1B_nIe$4>*hk?g#h1I^<(EJMNC19R-2vSdOFjy8t$V~<4^na!ZA}6 zCM830KTvt{v(Rd^2?bL5{p!uyv6E}B8)qM_pWV2)e(#?fLq*&Bi>Y3ITX_@;t}T7O z5zv;et{(kG`6=lAyz;vG_{GZJ&v&YiUN?W}0x}1qsWdn$=$zqF^9{_s!L*wDm^?TKGhdZ)AKIF=;YZqTO zuRgC|zx)gE`BUxayUN?&)NdU7WA(&7*XoJ#1*7WQ&XDlCQ4EDt>3C9L3Q!b70S3_o zL@Y&iB7yPx@(ogTvVf*qbkvZ56af%wowN&tV-a4RW)Q#(!ZZbd(DKA?E|-|3M)tJ@ zgINyhP=}JmoYyd)8)qmD1%0iqLuIm3B=o5gl5s^ws-Mh1V)XZSExu2D}>> zL$fr&G6WD>s{qT86o&M4k+LvJ(<}=pk|YTNun=`3kB=@^t$5gMCpeBb6q{{vDR#zC zD9Fk}kRBUgrFrvY<8R8sog{iN|75 zDdF&qycCjy&LGJ!cva zExuT=hA{WJjR4R)hD*l`^eY5PUp?PEerR#^P~}Ll_UU>IR!*(HuiiOTIa5AXJ|NpT z^6T3By_`A`iIiuk4w+myWic5?D>9q$3FhMLxNeGdVQRRoe zY%fK^B_=J_oFyZnct7ix=v4r(T%Rin6&&ULei9HQW-Hi>Eziuc;Z;2Our{SoSia$z z7QF#c>g;TA7#9LjPVY;F2TPS_?FnZwtq8VQ`$kLFtQ_eT?TUD^>apcQzgtTb6A5~_ z?0LB-BLGQR@Wvt`XYbLL>iy~Q@_f3kCvq$R(&WbCKer@2b`+;L55iUN3 zgD*)Ib#}$9-9}`2;=uIa9s_s{B^^awYP@Y7a#1c)W9n!rZmTazpzxN^8t%n}M!M*A z@Iy5qMFJM#wjD7V5@mDa0bTmg-iB$6+au7%@21|3Alcp^ZQR`8rb>=ks-+wVS#typ z5rQqJoT04{13*Ip5ww8AIRzj^vMq-2NxLA$K$@U1ARxmM7_gY(^EfA18Z#s$(GV6R zj+B_zr$)k@7`#lLG|0swk1dq2M>iK97lux;C~GDQ#W)XugN&=>q*#>KCBG4g%pnGn zKC9WQq4Qd?$eItBHl;o%(b_lH#Yqqih#=ThrU**!o4y`rcu<1_4MGLco#`U__7%1Hn{e>=dL}g2XJ` zR1O&oNl1?YY>?dX_z)s)dBn68U5X%RVf-J#M1Vtk>gam=D z6ageifQ0-Q5U2O6;yp}r5kvQ;ssluxZz+Bgz#e91UfMss5rlhC1xD7str^67giS${ z)$G)2`yn@IE{p1AoB_`S_sZkUB4Y3I0#+Z0vyDZ*9Bsk z#oiTLdrXS?sKKkXa}ryFGOMFxWZKws&F^ADd`7R54abbej(qf$U9ZpY&PFnZ_~w>~ zTM<3m^IhdunEQnTE)OHr~BBSv4zMey}%+Tj%i&+^S z&H=RoW_Pqry&|kG_OftC3?2x5s+OkB&4`JHEL+37bb%M+LaMBsQvCexP-FLpjk~LR z>nC5%e|{;hy}r`84a;P!6Nj*@7a zm9x6i0v~E-xIQM+ygcQN7IY4=$Sz$BSql@fH9bfZAGn4|qogCKQ#hwZ*ZiV!cIW2@ zsD9vW`H-3qV$&|}i!e4q2ooL4015{shPiIUe2&Z8>7A9ctIt+mEwKGp;wPzDtEUA^|=^H2Y`e4?NIpg%^D6^m3_#iDyr04qWi<`c>A07Qf$S;W$i83{rH5rJ6} zxA3og0FjM{t+=M6=#S>JC-vJW>X$DK!#$!&ez1q+^UIA>>yM1f+t)5OKORojPF&75 zo*%E>`JwUQVD1Y#*EQOwy}QO?u#Q*ejHAS&Bina`2u2tc)+Kt+25#OCS0O%<`+tZ3 zP&q3!DmZM>iA9CklD2yjtF!0RGO2SoQ$C2LT8f0?x>}jm6(;ycxOV=p4Bt;R~PH&-!H7~EpM+s-BCOG z$vL-jfBDY(ndKc{FwlYGyumRt8Y|CN9ya$LuiZPhcA)uTsd?;D^UaI$$<$*j>fkm6RFG=n~F5tl(5BkZvea0g2g6eiiu9r_ne7@tWUP^9_Wef+1& z55t8b2v|fAG}*Z#`%1X8-gYvv!U29y`0C|H8;{ox{$^YC!-WZ*?#RW3rc;+64)Ax# z!TXN&XKRzDC&`l5!9h){&2gJKFzA{)Uvw2>D(O_ya~s3&zTUifeC1m6!0ps;nkTPR zZ|scLp6#7bJ2f+XU&jI(hG}&jbXdC-c{Kep>6g@I>N3MmI`Kk5ywcZo&wmc{NU3b`|f!m@r}#}L{3TjK(fq|usj zb?4+5pXlr?)%PY-D0P1Qtf4E_|A?EkKPAoERs4b7R_|0#J=r)-t?pU7*0}a|zH#`# z^6j;=rQC$Rq?qJTUuwKWm^6k51xHf~P@a(iC1XDR5uLdC1pH{iI;giPLJqToH~Wp< z=YcJjnMMw#@4@u}SkO;_<{t zu_#jLnhpbsU5DiL%S9}*sB#DRcY=w1izN|{lJ(7obi=vMnc^CL!7aZlzcSYEp8Nc~ z&|G@Cv43O}5P&fKas8eA^Mj2i!;PrJD1-!PrfxaP8|A$e?m1qd5dx|;9Fjs zNf-h}2h>dJeJW6j=8@DX7UiIi8?DH!p;QsENER*?^ME_|vz9!9n`(SGGFgDknp z{ENobkIi?x8}~m{m!2%YS>IK?bR;=N<%S~~j)0nZp_RiRV~xty-vY+Mk!75}=OP6; za*^CXtqKmG!9R*rHXC!=BxUyq^xW!+mF>;bmzq27Rxe+uKRsvnmao%mhnjakeEw;5 z*A!hBCGyFkBwI9_bV%W7T}(EIOrRe1Bj>(b-@bmlac*bx_bYE3k9IBJU!8^( zB0u!38}1@Lu(QgX5Q{RC5dQsv7?52JYYfm`U8!$>(G0}^3bOx9iPX5~LrK4b66nb4 zPX`L(wbN7d+FaD_QZZmC)$LYTJ<_2>c|kf&muj)G$d>F{B%ihEX2l|3$gT$iI;}_) z$%sV@$=UQ2@-*jCCm@$$L965N)lU`--Y9bML^cq~C`?c*7Wv$&L^x!fFa^|Xo)b}Y zMkHb6{F5S)3+tRia{`eFF@U1~so^Ul){ww#Xxuu#`an|IyZo`S`?m9ssHr_Tpz zQF8t?H|B;Oo3i{OBb7>Ji}Sw7kknun5e$v-m!D&ew=70`0|XOdQQFIe(MIz&pG7Q^ zV|7Hk5RL1)XEQ=du^}%H$3n8+b5Ca&qewflX6ck_^Jtx6K`b(H=aU?3#Udi0OmNMH z1+!f&%KK~}qZy;L7THqDrE^LWed|7z1iF5d3Ubcg*VG2a&_p|?=<>1fX09Q^*~(6R zsO+p9U0#~d@#!gha9kCXMN;lt;H^gO%#Y237k<$=bZULaBv^E8Av74=a_BgmGS6D% z3tp-;(SBZ7a08uIEHWw}cZg%Ike@7Mfx5`fImIHt9qFVbZWD{P5!6WJIZkI0T6M9& zH;goeVCJ6yZl*_KSKt=jc@nr8QefKP734Rbcr+T1^?PwnEGjKVQ=99`HrF<>sHg%{ z0HB4#QnX&18pG_SO>K3)1o^2fz>vfiWBeqvwsI z=$}#X;gv^YU<^jVD4;$OAtww*$l-F7x?7A;FpQCK7}#v>Z&o}JF}N`?BmqOl)a5MV z3yslfu{5ZXP(zK@>wHl!mZjM-P49L+>s1y!!8vZ<2ea|{#V_gobl4k>57i}LRfO#Y zo{IF)ACrcl7?pVP`jT4gyx`Iw>BV>T+A zchCw;PPhlAg#UN-k8!B`u*w@-kh#Ncp9%roy*4E`jO5j+%eV@FkeZ@}KJ3>4YaNE5 zN28&~)xl(iTA{2u$bV@8Yn+e{FDhw14uIu-O#RN0`is5Ok^uCB3JO5r6+V4`o_1ik z{iA@kUlxTK0wRhX1-{omoh;v5ezv}2{o!Ku+4j#bs;BQODo^S+&aS+vp1f9lc(Xfy zguw8K#w zj5NOa;CMm)`#-E+E$?Y8?aY6EIH9c!i%3jC3eXG*F@u=aC5;g7e=O_~k`zl~s=d^W z!X6<&kYQ=22f6S1kvmi-o#d!^Yl^wbR$cD<}W3d`Nh7XK2`3FMt5LmBEmLl+fVLKn4MZqT6cb#NkDB z3sAuVmS8E8z?gq@Ap_eKJrh+udADvPnCBzU+-?7+Frl2y_a4&Ts!+1 z6jyGpKdGI5YpLEorS&!TpOCI!l$Bp~mf}%A>(WpDG`h1K_K zS7V)y8cWPS=&MYUEW{KbXoe*)!jPg-|D6%E(SW})g&9aP49U_2jTwZP7U6;bpj=31 zQw|2}b^YMf4Beq(B+AC_~aQ)mlVJSs`1T3J1I8+D#NdnQGC7wr2H^mN7 z4B6R*Cb6hMKoFS51ZGG;vlx(oS57HF0FprMAc_KjbDxI^tKIUkp!534!=bGK&W*}N zZp=c7dgP6coz?z5JMuF~QWDM!F{KYHUBo0*x!X%?=Yp!XA~K5J{g3LqUA4!TzvpC} zbf}#&dxt)F9I!l!EmB`t0=TJdFfXkHN=D@yLU!w;v82Y~7_fbDfF-mGtv}n*8fHZ5 zf;;1kglMyG)TS-!{4uUo<&TBHml#zZ^I{I3JFPi2uXp0f)|7Ur!4i|Js3McDF-`8lu!#`sRQS2wZ^?d1=SNG0!2D1> z<^po>Kh*7Zjtd*7-_t6T@GO?L+WC%%2U@1?`rv#bDV^N+bHIts39lrWEey3@gY`U( z-ddMNoCoOLwW>M7yvRxL$?^bXy9TC!U1~JyIk|MUej?Lfv)bFfxiss~`*1%4pjz0`d0qI{7qKde4{(Uk@PTNOeY5EKg$0Z5uf z2$D>9V76qI+l&;-%Jq`0roc&!c{SsEAw#RF2pVd$MeTDXBsncJ(rDf4)%EQwFKd@h zeqLJN_igRTsp^mW6TamS{@gDnG<1eU7-2v`1`rg$c+*DwGOHZ203eKEhxLKafWru5 z1`_OuUEU#G<<$lg5_P)g_t%~fVGK)7IFLE=MHW)JVO8+Vllq-cKQA2=)&faP(GAyQPiYBMg0cU8y0z?7~FinsIU^)jB!#W@$35W@zg$(Q*)H~B( zVucp~+Y^x)Q4aS0?Cg@Gqezo9#Q;X=U}Xkjnx$#F#{t*rThL`mY0va+bjXS3bqa(;5g1`u|(;cOd z1WA)DiD`gX%u+PJ4nG4S3uqECt$1gXXzwhnzZYJcYa{<*-+5GgRae68IH=eJg$s*rpit5pKbM-qn|2FBEz;4jS;tR!D zuFjFvMkV=_@HxSJIOC*!B+OatDnVMi%J$~rbB)7G&G#o82j4UFa;zw&-%_vfd$ z@%(oE!@dH>aE?*^&rs=F@cRxW-1*h^@|1?tC+RqyW7RWDs%KK*}|&vkli3kL=WVFFS#q#1^$ z7zknK>}LuFItW=v&pR=vj|RgVlYDk3J?^9AfO4FBw4@+P_MFpBx$-G zR#)iEATXYy?&{t0&CgFo%g@)Itlq3VsGUDiy>xWte0gW>(t+loU6YJ>Wz-yOJ0y-; z@XcEX|Fn9qcJW2!g|mKRd-;~6{9@(q_y5s)y}i9HlARvw81C-4!nr{6(87U~d&p)l zMf1^2ix7=-3msP~+(u-FZF4;{;Hm=tsA ze$w<7q$C990yv)6_~^NaYRH(f6Fj!m^oHboahA{~^5Fyu_Ah)m7G)}K40TP-sqM)? zUp<{<#`i>0(2kUNOhZjh8j54u+#Q3s)#(naCEPLaS-zzElWD7CHZ@d-_&?O^R-XyG zO>_Q5y~g8L@bx=jVQ8z}ZX<)5X**t5P=yFAbEtfiM_|Mwg3M}on!hyz-jH1sW^V7> ztR9D@eU>C(v_=zOWVjoAvv~Bw(c<%1MvN;y7;_0z*^jG$(MB4SQ5i)F)xKYcLB6|@ zoQe@t@(RxbKzGQWIOg1-fmh1y5yBn>zv2?n6>B+A(Yj5h;?^gGBBdQ2lr<+tK&7%8FksgaL*)T@p~fFhc?W z2`Hp`L6Tu9-B2UOAi5l?{-V`QVTSwrS)+ib6vQnD6s-uWR|@ z>WeYD7Y!JeKn&)$^Ds#fBqAvxOC8cApcw#|=?p!HXhhQhkOV~l$S@3Id37&HkraXq zL-jAsm4%WmFqZS4!W50WId&QEiNc~n4jej1$KR>XdXE60+jsaJm8r1MIWy@K-+z9e zTd1GE-?;o_n{G+qbLx&wa_^0kHP|>}@AAB2~EK*vmtfPk>EnrJ>;I z0i;M4V${8Jdm+*%7Eo(+bfHgAhXk#4rG|jL-?t3`x;6U}hc~IGINPqv^)%PoxTLc8dpHeU@bC@CDxBpuE_;mfy=MT+e+uhZrH-Bti ze%m~9w|4Sj_0E;*jh)JGE%p5mM-K^xO@5c(AmjsZ;;+i;hbz|V%d=}o8_$ z@0%Z9Y~7ykZNQVw`R3ALZ~4dNJB>qkI^r{)JAPaDBx5Vo@FdNW2(v7;X|zES5}l|E zlMQo302We!#*n5VW+5QQFvAN;uAEv#W&t5(X%YfVccPK-o$vt$vJ3#!i0y3*3QK6t ztB+!(eNK}e5Yfe?EU6sGzqge1r1R;vl|AKq#^rO3TPLe~u5RoTmR1rG2mu61K4E1M zCRqxwq=2lF1PvkE4S+F0Qa9IU3|NFHilAxCGD1#Mn`#MQ5YdX!FJye9kid0*M-&=M z$I5%kw;PAvEPs&v>+0d!wFg_fyVphR_Bqb(V06xoyyJvgy@B&i(wHB4N9s^;-tbH^ z`-`$tCLw6}SKr)e9N6`5&Ep>$KkRKhJh<^_{ZqcWZ&!Z(siE=d)$ceZ8FJlFHJuXx zi!&O@bCWu3?8V_KbYl07mcD+ElmBdtW@ZNjna^J!-H8r9P$WsawVGT)5gjf$D%9+k z2OC#Etz57D^p;Zt*_<^ySelZF`$mhi_Q>V?MBSbiHGhZj*ZIweIV@ld4_bm9B0o!r zp7oo@*ipk~FxLn+cfqQJ@ch4<&EZ)AoTU7YTQVC*iI5D0E z7UHFBAwAH@62FDk?ao%0bhtIQQE(i z{seOhm13$6B|JWId}juuxw(OMK}O)ReA*BQatjW6Q@MFfhY40F20~cnAk_1WU?cgtHuf%U zJQxTG;K}>vj7S%;4}}Fty3A^AH!^@lqZ$(xzyW)IN{afDCG1uydMP+D&u~Koj1Z5~ zI%!TUvQSB>%P(tRJ-Ve9KNO3Kf%HOq`6%i^FvEnIpjhM^3^QP4Vlf|*c=J9|;&SsL zxOyQ5W;%+8vZ!kxEp93tJto7>C1b#ocN0pEMq+ERlO{Z}c+9BDD5LRdgAinma=3-~ z1C+yBiWXdXwM-xaLCeJx5-me$m;;?)XcE$x=^kTs)Gv)Ot>))G*BYJQ^mQ)td?20T zWVdN=keKd71?vS9d%L~*?o8vx^ZHM_n!A?j`%YIr3K5}0mZ1O%+ac_Rv@Vj^R9D+h z1AO)oOECn^;#SnSi5DIW%@8bw5lvx+CTU3UMJRxnCRl=`SU41-fJ!?@!V?rJtP+dz z#*i^LYsgKCCx9?OB!nbj0m1;%pydS48&05k=JxWl`t9p~);52PQ7bY5Ps{*WPSxHJJ6qni zZJZyyv)rGO`T3%PFAe~fY$XanN9ULk=@c<cSf{0$mkpi`v43rWBIkGf>kR|b;AT)R1s$D;|u}jgo`$8}h07XE6DV{h0 zGZey@0W=T_&_O`7X~<6z31Ei645lDNn57Xz0Fq_+LIFSoFbye$si8;!h=szD0Jgzx zeWk#V%4;~j{lS3S$sZ;FMwDMQPCzkkcFA=E3P!=sPzH4%JULjv0`w*d*=*N99}_QN z;s0aqJG)a!&UL@fufY4*vyabMc2$S!F8SJHqC`d_6JNxyz>6N@46XfgkYeR=S%Gn0xG-8p%eJHsWKl0KCgGe>o!meK0f~=5na(8=ZxDf;IwWZ;B8>_l5K8BzE*4wE zox^bc7y|KFE33W`0?|N=93>n&z?E+Y%@Pb9kWQQDyKe7L)BvmA3f&tB9FVYdF337D z1GFAjUrMtT?Dkoy$F$f>ZZ;n^w?yV>S!i^$0Jewb@_UR?*3#AKcMr((hh-oT`sMZc z8)x>l|B@+77xa}QAM3ZT*B>96s-ACM!}JcyrbP7@hibR)tUM||tnU6)I9oga>8Eda z56k+F%GT~x_TO86toLMoC|;@EI6gwEzkl)TEShM2^(AP)5)5WYhC+~?V9}f+XoLY` z2~4sOB9>wqvR|sdr?gKt&uH5&Rx_qcztVm)K2J-$KI-uEY3z^GALul|!0gywfddoD z=Fc?F9IhNbijq8n`OOl3QN8?_A*$(a?z*yD4@-NOcdxvtKYG={+z-mTZ$h|tA7GZ^ z-UrO4{`^rY>WIz^m9Tu}yWraW(woM$*K0cq$Ey!MTIvs9{!yT?#VG4^&)X7_{+x}& znVu}Y|F4PS!J>X67j_2{bJ&nC0UAOn?0sq zOPr-Cf*}Y}NCJNIpN+N0M+&d1`wrI+?D$W#nO9rfLl$nBO1ElPUrVY7Pu7ndExxE6 zd0qU}*tTu;kiT%JsVl;fz|ckIF0Hj0eUV3Oyz=&Rez4+(GozDx6JxA8IOTK)nY`t1J@V>G2P3d5D>;AqU@X4DfIZtvw z=W$q~)R*(}zCrcWv9;~R3#+?UpN%PS&Ya812D6m}!&%;ZSD!R?KB?S(*VuKhzHdk6 zN+%wCM^=cTAx*Jl8)y8LmW^th{IbjS%WucjCYm-oEirpUEi)?zvt0^g(2T)uH>p#+ zx!3Mr_v^mAshs;!A!{m&|2Fq}>mbAo%;{2kq^&KBdcgAGvWSx2s0w+nA(8W%s550&10dHD0&*X4s_O7^P6VU!4S(g+``G;>n&ay-!H z1coH0X_o$H+B_~rX)nf}2yb;7AFkE*ooamA)!23P|72y=!*|M`zC5nK-#?g*Q{eYE zFI3N*`tqo;{d(i|uKI!dxVGYwmv9+sGoVW`nLY*^4iYYt-H0)haxN68oRD< z9#iZh=ZQ&ZqO5|G1QH7hV<_R8W9W&-6v{fy+Psl}f;hZeQg~B2zHfGUXYpd`YU9Ht zWn<@y>hoLm`^SGM92)bk8Lrf@MJllmSu7UO@)pe$udm)JJgr>3TD^0qwDq@RiqbMm zR%$TsApcUaS+sJqaAusL6L|^gkDDj&Uw$PqtK^@?OSg;194ogPw@)nS$UG4s( zwd2|E{$74kd;Zcs=0!H?xO!iv$efa^#qLp&VYsvya1OqbDdysRpUU>@f0%)Z!mS^E z%#B-Lyd+%0zkTekUAXw))aKtOl4^WRG^YPYvlU)`&GJYPHZyl}pFzxY{&8pod}*0xk%Um7=0E@AGH z6k3?&Jd;qLOOF+oXUy`bep;07cOzpy703mqMU-6PcMe*s&(0>L!qmO&oDylXzK%D^ z*@=17-wa%ODJk`|NDXuOF%pH%4ZM&-Vf*}mBTz^JJSb2|kkkYMg#^n?CQwK))Q~`- z2~LY*T5r>Hb7jRECcl(fT9_84!t#L8mNBW(1bT(7Qx1>BA94F59VrF*oE?)G$fre- zbg0Epu-bCQ?&JC|+F$*JXM6DS~2vhENpkaZx z0Z4h$!iOl|EDE5;u@{NWzXYIM-SHQNbjOmeIp__jdid!!Vz@W{+mWCFK|_qF-YVI- zv01&hw!NJw2&QHbh72MZf~8mrUk9!y1PKJyx*$mcieeEQVhZcTGqzU8=S32_-EPZ_AvLc}hdZY@En~@|@q$Zm% zN1uQM$&i3-^OpG#+AP2{WJv}MHru8V{BFC|VPPb0FkZNMyy2&oT03N&X@L=iopDOR(G)`@;z4;Wa?>%08_>aH+ zOGVlGhy^(GAC)sNEAMs{?l@N;{r%g-+D_Yd)puKpoxpqpwCsmBRz6qW-ifU|hJ|a@ z{WsRGR$e^meq6n@C0{;2weqyGXK(55^6g(&w{9<7FP?1$dHl!viM{2I<@3L(?zy{i9F+DIx2~P6y!*UzvHs?| z@XWG4%t^$M{KAY7G7yn8q=hDVl45C!=p56JnOYD-BM8?k!IA`ny7Cr-GYg3zg8|!A z`$(qT{@!h(5S*L>Sy^r*puBv+Rk?KR%az)xBlRbr2C(G)^y$UC*TI80rf@UfbsHAM zWL4=TyD^w-&Jc8P9Mt$yG-4idP$vS(I{h8Mavw@|wllX*f{}GGFxJ7HjKs(;_KQyO zR4bWMq&d|BDa{gpttLgtYLu<9GVHZ?wg3_;B7{)QtL?r8#^vSBLAcDM$&1GnY7r_@ zOFJntWWcfwmZ>$H#}pYN5ER2)TBzg%&hX~Yhr{iGFZz)BD*ZRSK>cldD`(Gl{VIY^ zG>2dZpD&)Bvn(2;-wXisGvbUoj|U1!(ClK9kULz;jH_{YPyO<%wF|{dD^CMI)StYX zSv{yHD~C^Zi;gCv-|$cqdP0V>B^pxR!B??rL1I?U#_ls zeaF_`T6Py~#ry(4pfVb2t3tF^X|v0x)Xel{2q{bw01+L|ZF`0Ob@8kqjuJwe1vDm` zB>JJ{m!=Sjn6?zn(Bg|}ikc8gNkEDqD9A9FrUAo1hGKb;lv4~~C<;=T82}PzhhW4h z$>OxgPt2I+Qp7kA@f6Ks0zrnMXojUQ4RG_ak{3m6C_R|2?t3~2g<>%Q2m(U_k_1L9 z37YW1u}~9Bi4b5gB>0f8aLgaB1|F{Kmu?&=gPUY z2bCv#Op3JwrN@n97mJrl`viL{#R9bMa`WMS35F$D1`5D_A#5suH-oH?>8m75BO0*; zWB_InweB(Up?)z!48brg7(o3(8gNm++)bf)#;`PR>-jnn5AHoI34wdNx*!|C_CkZ6 z;~3?gS?vU<-jvtX*>H_O^ipY)dSPi^XKb;qxOiTjSR3s%G7pHC)|kzn9M4zU5Z?AK zQ~$VLbjMa4~TkC`{RyUKt9;LYJfDfT{o7az!>i>rIupOx>|-rZk)Qa^sNHM#bqbyts!1?N`wpZM}@ z_4*$Ta~p%@A^=E8L(BrU3DBh&IKfgxVG>X*Nv!`8Fa*ugpdXYwjy?buN|wRV~=Kl=SQ9K`J7 z<#U@>50-cTZ)tboROQ~y@~+11os9>3SMN~eoAoW*ni$khzCG89AZUWYfMiLUp#alT zPHi6)WPe$Ja)eGPfUdi{?n0DLHICh?oOn}swS2sC8Q@<(fE}gDld4N{V zwtq1QC1%_nWYZ0vJ+{kQkot!Ts-3!5efYS1Y~}g#wZE?ISUI=4y>?*Rk6)gwJzCqf z{J4Cv^g^I0kJ1|GKB)W42?FU*Ips?N+4LQcs&W}H*Snbs!k+oK_u!P&DR&3jvo;_2 zc~L?(|2HaC{g7t}AWZ@cn!~Lh^E?F^h6XfjMh@WvJvU1lMmfhB7U>^#j4xXOhO=$du4);|3#?jyY zs`~z(qPS!EZguE{15ZXA#{uADY?z(w6~=MXcHV(9ke#J>h4ECgP( zCFcCBJizEB{P@L{Q?knCSG8BSxY>>BR;Ia>L9OA{9t)YA)LhvO5QT7hsKdS7Ff56 zT8!v5T(F>4lFQ;S<4;=^MnfNyphGTM(&&@?Jdpa?6DzmZc9ot~k8LfU7*jf$S)Ad< z?4^>9Fw1=vWL`&82+=#9-JwQ5y}^9{X5sU)UF zmPK~BDDDe|W~Kf3p`?-VyL$nAI7?w%nG~zxz+?s~3>kvLfcocJXLN{pqfWA*ciQq& zIj5Svo|{}dwDN}Y8GjggLZPAulhO-zDlD7C@Oe+fsR_?m2#=PX7U=@Xl-m%~0nY?o zBuXT6A!A>HB&%I?<-^IoQ1MfuNOI1#gr%{`dQ;Hf_kbO$4Rot9<`%H>539SXcOE#Z zM|TttmiB(Rw|sm8lRKG7OzTD|Yj|2@_s{TmK0`EbTS`(Rq`?{9$zmT|TU6?D}Z_VfkHh<ChbSP8`BPT`LxdRsjhC3LBP4sqo z9p_`HfAs>{@`0DgC3rgKI}uuZ<~C!;#uC<_?RqAqfexgV9 z;K|y#k88W-W2|ZO=UoP+IUwewhB0Z$v!1~ck-nNyF`qRcO>SBwNgFsHWs@^hATlk|1-+IDoEnc* zYz@x!B{=5ux_);iV%Ml8$UB)k69r6vR!q)s>vx!tLkWH{4+nVAe40|Z1lptV{Nr@G zc!#Kbd{n)Dy!^EEVEM($ZE}J}63=;qbbh$N#f5N8HE&eUCBsOd(3OJ|Pm2-@QAI!( zpBJz1dW{RyBEOlDg~MRIK~gG2$)-hNl1*60aG_e)78@Z$!6sycLxzHVG$&y)R7*o{ zJQs?hhq+LjHcg9`tO4scBGG!ID882Ygj0Q-rv&OgtncVec5QgE?_;^kY!%C`_L;sk zZG1r$Qc1H!-!IqSt@{PVQs0BqIcM}~(w00E6W~^femRO2kx=#r{k75|y(FVoAwzOB z!AeWdL^X1!Ymi9A7n>)`38}j{8;Zu&Qim95d&!f>hQV@Y(!CU)g`A-@Eh1H6Iv%pj zyL+wxe?Wl0*w@5~QOeUkz#CyVH`AdFO&lHuGLI9gy;5mxu zM;ByCdc2u4nZde&{0Q?-$Qcx;4JN17)|uT$#GkS2B-q-jm;haHE@weP`HT#LL;LeO ziqZ;(o$b8@1Z2Q&CSrk6@1abN3t;Qzr7ZqU!&DEwZyYE5oPgH)@$ z-mR&;x)G_LxK_IP`)_@fQ!neUUR6(zqdt;|LJZMFKw?N!EM&+|vuud^xCwV@;R03E zTFoI}z^4)qR8yrTH9`5@AhS_PWvTd3HP?2Ow)|%8P-W+_#*HIU*OY5a^$3z?Awd9$ z35F#AiCFLzBu95H-aB+*aPO`j=?J^O<&*J{9vMU;8WN~A1o=phECUz{(LmROFA6;MhynMX=__nqDw*KgF^D9DeQV9S7 zX4?2)9`Xxd7zo<&5%{!xNtQ&2Y{}A25<&;BcSW>r5=b%x3x$|s$Y+Dc=9<*F@^cbpLWV@)3c~JH=9vrZA+07`s!Dge<}&GaUINPYQQmnVJ=w zK!($aO>=UCPHRepH3S+cgQC_u1*XV>&b)HIdT-zKwsz)!;a>gVmim)j<9MNDF6PT-M=(Pf$l->@1JIRm;cS0eRyj)u zP(v#_FVs)(s9bwiJGbQ*j?TlOgVsLpUOo0h;bQH`w#K^y^&78h`%X6wY+2q_xxKgg z?!jM`wZktfuTK@O)juCBob3LrbSh%}a_h^x;+B=Y#pmA^K6J?bV?yy3-~Z6Ka$77b zUHI$T{_?x>>BfTtYuBn*UN#QzvR3xqX`6B*EKinb0{>}}WgtTUit1nxIDpB4s6j2v zBufDdFu_s)A%qwbHRS>XXr96xZyHi018Lz1ZzPKl2@oD)Zqh-l3I!CxL*1Tra)!BD zozH5xnKKloX@Vu$f#F@;3LD36{!iuEyVBEN3lH*UF*&T9K&+`TYA`G!JA0*O_D1HWkXd7t3cP zf!LQf#mkMuCrbC1Cf!8z?&XA{XTqq%?;7xhgVwNf$QAyBxb|k>um4au5~}a`ytY&Q zgT3(n%T-zF!WfsBVp+gIfG`3C#gd3&h_CYa!*XaGU6)K)v*Z}?_6@8iGf+DMl3?A} zVuk~Nip#H;FaDu$w{*C2;rVZV8>zgxKBjgwVj)daG-43}8J1$2q?(O7{EOYcU}|C3 z?gN%S>cH@3b_-foI7i-PcJ0E)F9Wr{GhsP|38Fh zOPXLvhG7|Aoeap5kYU#+dm)Di6Es0#2qp_%NK=SlA;qqHQ7k|N%koc{5FiEsNHyp1 zw*GZ4F~*OlSpr~!fGo$Yp7nSWZ6}H2%43RQShl?lX~%S;Hx0Pfbp6iR%FSIXJL_lO z79TWjJuBWWyi6|gm(Ku9V1(N-Qaa@uhl(aBk|xOhIGpoyN|hyUi4By#{Pep&t-Si7 ze&b=aDZ9R5pI(!lol^>R(kZxZW0D|QA!nWdBnt>Yz#$!%v=PQ;?Q?CV7JdmHg*1pc z9hR`$Evl#~t59;6dzvHx0T?*A-2eP(XXV3-%Gtg3M_X2&E#IlXI=8l0BHWW1np|&H z$lH^r5CJerVnR^z1(P(z5G>R{uAQ%(JP~TV zeZ0IAR}by3Zri_lD^U1U*#EC|)i?hasvSOGxLLf{LEm!qS>nsPYwxbRN_*D!eYszH z^yNnS=g-e;&yO^=KP>H?HPOqD>+cVAzy0O;eEspm$-MTN@_9w+RO9`d(*Dwo!qv+2 zE42^X>gO+gdEFLz+mOdj5D*iPp%G$e8WNZV6Fclv2-7SgX=;6^h%rgEg4JwLn8gxT z%V$F3?z0bi=H|k=xWLed>%}yWafJMP0wW3%bT>kEcjNQ_ED9v@gcFR9!-8WSGyQ!ImNyuL>9u3ZoU z22w0$h1M=e0ti{qiHSUxW6KZ}Vn~1}0SjIO} zgQc`<_26H=+$x>h{N*WF85Cg|6VNltx)Xh?j4kX_EDUTJ=**msvtx(?mma%9d8YX^ zt2Hh(|3GOAa1CFoX-NyVdJM6a^WVPE$tCseeb5H)bIft4YLQBG6WfcUH=DBc01y-2 z>hxcyg)$z>9@ZIpz?;51pVVA{W|lgKw-aCcIC_AJF;_mO?hq2Z>d6jNIg+Dv@>Gf( zb>GvC>**r;jjsW1jKKzNPqMVxL!yBf35NsGxy*>S7;k(Ol}lABKFcrpO&hiPV#ck? zswcI)E69wuy*aH*+QoBAHWe7CJk*KfGO3vq?s^k$ksXT8tT<|OY;#h|yuC#P5ZI_3AP+ZuOYHID7C9l2G% z_WakYZ}dNZIyAzOfCLF>3e$*RxRWGlgh)&ZNAQO%1tBqE1b++|hG1xlWgx+@BtcR9 z0sJAx1YlXRDQnUeBFcZwJ}_i)_IyJ*mg$sM6O-`tRKRssD0R_#p{*i>5R(8rEVmNeJ^&FWo53&#{l~_ot3Nd! zT(0iD_>cOwPyZ|2*pLJaOEV0=GAP7=WDo#Q$ZJH9z>q<0BE#5lj08qBWC@C40U{_C z0mR?bfS?fxsiw0!?gFTzwLY+$D?QFN?w?z`^{3*K@}t`E&kNI)eOrnz3RnGlQn~zy zCnGkju&JTKl;q29`Sj9Hm0h1}Tb{1oXdHPj`|Ik5l}CRVw~IAdG6rW<5})C0WdrH# zoDo^ba6))H>tFQG2<%g9=U%VAD1Fv1sT$jFZLU7J_^;fQ7LU|ET=`q$#+|iutDg$b ze_AuI_5QJKp^`-FSO2-S}|4_I~@~+L`h}_1|iz zpVUroZM@o1dS5yAs&a1U&!6`d&lWrPPTc)&_1U4u={J?j&x+66OVpTc?52(>`8TTr zJI=0(D54pL1Qbot41xq~--V195uHL5iy_1;#?5mhmTAVe-QZ>w(>k-p)qQkHHO?7t zUSR5(q96qUK_Q{3ha@q}B0Q`i%J|$1F|+Wjv!FwANg}eSv~ngNO?nAnP6@G4az-Xs z4a_%dCn}e=SFhfy?t4)?{Z6Z`zPVd`D?IBEkfd46k}UtN6a)+f5u^k!o|~5M9xRNR zb|^%X1RxD+}4hk?aZb26hx>{X>BH>lO)ho(!%#_vTOgfX1%`!<{--E?MNxlI< zZz+08hqNiN&_1Z-5j(v7sBw39?e5mTtnEu$&YdLk@g zYq}YQZUbVid6|0AHp6l@EZTHp!H?-#tKhC>v}miM19j`$Hd@6|ho-Y&O`_YX&e?P6 zP$=5jZI0A#^~NoxNZ%fer=pv>q6O_r&PLpfDd~#LTQl~YKutTA_J(^#X1xpUq(y0V zZ_Ln}xWyy48L~dPZuTo}>=-t2E`?mlTy7&qc0sF6YnjBtI+ev7RU6Y%CZ>{w$C#R1 zRaGpdcaAZzHDFcQdN#(ESTNYsyxD+-=VKlQb4rdTX@xzY$qQZ*kG65o4t-V*Y{b4g zdzS<>(zer@NO z@2k(Y{73b|xs@G_N1wi1zFaub)2>ZqmV64(FIVedGC-e`QV#0JS`1Q!%5IsT^>SY! z$@>D~>W!P#y{}4_Z84tdruUrJ2|4cArM!(XVU|sxwKvnG737@(aiOa z6vFk&(h`NquEulIBHCtat|Y+8g`r}~?6o7!W%PZ!q_Yu?}usFO7n_*#qiy8G5u zZR!eeDf_y6E2Eq=II*JcjLk=+(=jUxgDC-N-4;lLXLF1o%aSD7eCt8+(J4p+n#Akd z{r3B{y;G%m(WYbW!o0I?KJ@TuoA1j~|4OT3=%oP#9^mV&L@n{j(zg2EVJh*+kHC?UwE^Ewoqgr-Q6 zCJ-Lb&t<7OrDsS(S0$T|Fzeen{fu|rKMAShz{0Z5X;FHfT%VkmZ22%T8(AM$=K1VW zDE3X0Z_4SJs-P84i@csipIyv+BN9b}MvIo6T_4-d^-h|zC&Ko~v?y&_|8bAWwLmGS zMF9pd`DUOYPc8zdMT>EFtSR7Xou3wIEr3al)Al7P0%3x{1Y#HjA*LunY2WJI>jP4X zEC~^YG-d&f8N`yUV>tec#=e~!A{YQj3<1LsECT>Wc$BIyL1Ii&1STlNB8EhC69O06wu_Ejtr z6rc!%7%+hv^%NvX60$U6AOMgcTgaKAFc5IP*=RJN?@KZ)SKqh)%m&y)i0nBN5_2>$ zgL?-t{f9Ivo!gpLIJ|TuV(R_Enan4bX8XLHxRgOIvyd)ukFc}>Vc-rlr+b%4gftp= zdb~97d^9KXFV0d+jJOZAFQ^erwjENAHZU#k^#>kh;Ld)4R~A@iOc3e0h{Qn%e5WZh z8xHvSKW^4R?n(z|Td;(-RPAiWnUKy}yxp{BE~&O))PPKIG&65aOfC{k&UGA3UX|c^ zh0WJm$w%n~s}~ZpQE|tcBsP2)#`YOku7*oyO*vAUD-F=D~67nN(#WpXRJdcm%g zoSqw$4AvUVgE>GJb#qwv2Rpxyu>XyT!o9ZBezyAuAP_FUf-+SxtXfpe^S0t{;+nXaCxmo zQtH<)o?Sj(dv;c2tiAduH!7AtEng};FK+vW{}i?F40ZFLm4zeqZP&}^3eT3`DQDJB ztzNF({k-yS^TtGurnK)buuO|mSr8km zS=?#hf%(1NrIkUyVczJXN%;bmnNYWQ`Ay^CN3wjUvj1S|$(LKE>XFMlvc=7E1yqZd zcmGfI?e5YcqW1Vk{nE+G>lgL&5B~g@!kaJG8)-z03;T^$`p6RfGEJQ5%=K-jX7y`ZI3M$?Zg3QCnmSBL zQsuEF>G*JgK@&&Zlq1`7wEX7V>dl*l?TVE{E88Y0*gU6#3j=8eV?;4%13nRtEIBRG z=jLn zW2NT{51PLI^z_Qh?%m=j^Ga>5fs~LloHEUjSQi;C(IEEA1d422JUT&fHWx9F0+yu4 zp)sRPirvGdTWDikEKY)eP>)Nk?B3|?AlQ|Xx@nQeh&gHboX?TcDyKzD!O2G3CfqM| z%m%}Y_Tc=8(bwbu2=&TDD#Z~6(ymoE@??P zBvRuBreD5S)o66nB4>o#Gkr5)Ca;(lc@`FJ)?|E4FEY6pRe#v&5Y69bY)ckXH@s%2 z(-16$5lunzt9_HNSBy+XW{n8;>-O~ta%~MP@2PA(vHW7OaHIC&LHTgw;f31$&!q#E z1N%x>hlCzy6o}$i)z*FgUG4PK?;4*jS5BX;J-_pxf2=*-@#W=@r5lFot*fPe7lcn> zFDa4I;b=O=NnF(E65?5Dyt8ZzsUj+osr$FfJJXQAFUCx)Y(1anNmAYjngO;=fc2Zht7>Y+OHDzj$wqdE8uixH*3$ElrTYaW>mTZJHKk14*WTS|X6$#Hur) zX%SLHm^r7d?=xj?&Z72Bixj3YJ&+<}-M^WPUaEJ5Qs(hp58)n+P(9-bg(-Dl{uk(o zAr}nsn!Ix1Lu2Q|`sG)vpVv<6N{8w1sa?KNyMBC(?GVVrBjCb zsXdkVPl}%lJJ_hjF3#{zjxM`@lQe5 z4~?+~0la>%jN9S~t=r(s;%s!V5c7;KLWUOjTlwSp;tg`}7Y<@xV_s4%@XwHA;~*&9 z!9|&uyGocmUaNAE;G`|Y;yIVjEtQO$5@wC03fZkuc|15Ra-hs&u3s+H9hFk@X;Dxj z)97t-O?J#IAa+@O-G@vb>H}J_Yy2!=%8OIkup;ma418d4h21J%+xo_s)@9bt+obWB zU9A|*RjTuAU@|-t(emc(GOpaJZ@*W(T)BI>@$mVtv|~z&aCb>6&XdeEVhBP=I}J?t zQKwAsjlx*_2>j~@kB+wU8*%ghl-?D0)b4#YS3lh?oZmdorf2~NIVnMje=eM(!eCs- zR5A{q87HPiVT(QL&f$KU(x9Dz)1p-WDwY6C9<6m+l(%cgbW(pZlOEqErD9z;hA1rg z1v({mTRi+dXY6yNG$pBa8%zx||f z|3SJiE?&-}Qz>@@At%ksd5UI-COVIYKcbGJaeRB>P3_{1>aBP6E00&-6`vBx+L=4m zPX}tZul%NZ_RYArnOo9{mvTz(3;4qxP6B0&<8fU~g{{+~`TosYl$7h`Ub%HzNmh3boA>Y9WEz&N(?pp_Xbg zZaE6I1eipj781;4614raYPdhE$iec#F@ z(!Rd0(9pX;`y+i{P-?_^DwF6-31QHF;un=|2Wp>GRW_spEl0GY5=r26#v>msDI2ma zkygq#D2oGpA*Xzp|4PhLvod`j;c{A}&mc0~N6DO=g4r97Z9Es1?H&1i1?^Q8>;?Ym zgB{YObFQ=-bZkd{|X(Jzo)P&kB1%e}Ila8%L5>SDb~K)CE6IjnO$T(Ui? z$c-vHx@h*R6n^KA%qEx0l`p+22DLb>MN+!X1@D z+j?^z-P9(qk7B7IsU?lfrD`o8yezgw0;E%&(~FkbjQ;pMCv%@ntC`CMJCjydE%jFY z(#yzyuN|#k-dg^!eACysytT6JcID86;;z-!tsXywm_`&uV1neOvQ0r6Q3L@9LWn_2 z(k!G%(B`_0!#$D&10e|sfB->K41@w2s*s^b01;w)vDblnZgF;`Xc(k1!C;nPxl+9P z1?2B0w7*FZ2(W-@GrZd~L&l^dJPfZK7zUVun8kpTv&KyM7lIjLAonQ(Lkbe0Jzw=C zz)I($J*I5zvI^+BME>h3PG+0nL@0Q+XyNw87dYa z1_Oxbel;>OOPB^;qjB^__3DoD%i7`FEBC&JfgW`UjSPmRFd*qR2bE`J5P(7?qya+@ z4h_9IxnLI_8c7-~MmQs5(U6l2X3j7a$@Iw;w+Bb{*!|TV#hb-T!s7s9wkZtIz7ZQD zlCvzslCUk4Fgy$hfDj4juA=qmaX^q1OJkCN5YiYSg6c>O3`&hskfqkAVrl{+d9JnP z7+_oD%BM?uTzmT2ReQg;bfxfdmglF~s&VlBxUuuluUMY%D~-l9qvrd?eDQVV_5H?y z2fy}I-tOE~+A&NqAEb&q#IrVizsuz^aX3~fu@I5`(aHMD=e0+7RE?{LH%=n&`3_@Q zw6DRubf?Z;r~P9 z+!NGBGmIsF*PdQ3pQv3vB(1-CRlV_K?ReW(8<84@EW`k@XniGT5W`Z$#9VNSq7X&^ z00>BiMl92mMA)#@Fr=HJi3}2&00_V$76O7Dk`vJ=d`aQqpJO;KkXa6h43X@Llc7OJn2Rt<`s%BgLE5t@q+99~`6D-RqMS3jj+~ymP@6q-jhuh^2-3 z-878=z~p3$B8wr(QUt*;5V9-@a9fXmXf|MJ2GJA%cm%;4oAlAZNRs!LTdViic9$Mh zcHHp(_mAfKyN9Dxh-W-bc~0d*V$8!dhH+O`;pxF5rEa%0zqm1aX4;c7xIiotSmOBU z(xq@vExgGY$upkSdS|*We%}U>Fm$G@Nl2Otvd#(XNRDREW%T!LICyFpGp7NkZX`@A z(*!FM*v@q9+_E3vmZ%*aM-^gQXKlk9qJiB{>j!3y!H|}impp3TUkR6#pwtUs&~ao`NixFE&a58$^nbqGtnI#QE?iw`JiJR}iqES@-dP*B zFS{C-x70qpDO_uudfW9Mn@1YLL{05nFy~A!SdxQmO^Hi@t*KDcPJ1Gh>Ly6iS~m}8 zGY4W$6brK?KXY?=D~GD-O)LeKF3$i}Q=aqEbGi;uQ>XZ*yESc{mG-?>P!jb4P0l@% z%sHc1Op6pjCgW;dy{L$3k;U(qWFjr!(W;j@eV$O-F)a#6qYAeqlHl?>DF;j-mC(0i_d-c0- z2gxQZNnuEkkYWf30nMUj0b_ZfQw$<05+VvBKv578WRuw`NCag8pdqAbf?eN((If^f z=bj`<7D2$$>v^sFK27bpWG?CI4(0YGMl@t?!4lgG{%k&O%1G4I4Au9ogf%A>GyPwa z+3bCvr-OQm^thwq{;$X_nq*qRM?hV&ZiIabY-~zuQ7PMx#xTV{=+;ff5)4W45xpq_ z(2!~$vUZ2uEdOu=ixO-N==%p;(je;}!z_i@`*Tx;LQt}f!7M`%n2&b~SPUsdut;EF zQB5poQ`UXlz#<_@B7|6)At;P#)GTm#+ettg(F92hP){KXgsG=7tIMyqNJxIRsWci) zYkyG|sd^@sNO1hB%ymyZxnWpt@$aVhFCjtaUWx}Z6;x|XsgAA$)eG4*J&SOiZ0pXo+Ww% zWKmnkZ*N;&>vU@)d5;GIv8L~nrumJw?5v}g*lf93yErn2Fxm_Z*VgA<@JT$g>MmWA zk_?bFH<6oudA4Txcgu!diRJy}J=yk`Y9~MZ$6V=I z=|Oe(+xm`OKY#x4*ZR@pwMS=4@4kF)e`mF&*51$JZ0y}DZQOWT-*>X{{C4r?>WQ^; zD^J>=6;IVJJ+0l`^V`aaN7aWHR<@V6te&bI+Om2V*AHAR-;7T{_T0Sr%k$dnJ1cMh zw|?lO)kstxJ`2=tjpTZAmeJ1o%dnVbSVSYlB7`7Ifr-{%8c-}`7#1*qgn*(Ujri%F zRFj<1ali)Ho-Iw>7FQCRk^$9RQ03s`dTxZb*?w$wteLQLLawH={^)dV``*Hlsp1PB zl4i>W9n_35wr*r;G_szzzumie5N`Z3J@{gIYlC!zrY1RP*)cD%YDt0(p?wLdd8tJ?Xb{^rX67WRMt}*N|ogQ=d!3M*5UA|X17n`NdOp7!iAr8c-AvvcGQi(9drleOEd7V&(PfQKk3yn%a(YyzS9k zKRB)6jyV~o1UOQ4d^{BGrQy;&V`uFjByKOQS z#wb?k)l0U19A>Xie0ftp{h;p?KH%PxQjyhY|KF2|`S?+enAMV<7C9G9Dk5kgWmcWN z$Mqb+)uVd2jgd4i5bqHN{#gR8j7vA`HG=!6@`LL6Q=CuvnQt-DKWFzN`*7wifxL?^ z!7+IMCDUiLz0CPwfMw7x0`k$g5y zi;`*sjQ3|iQNhH_w8)&Wn~mC}KWXXvEFG~s;u;@frbQ{Ox`WdZ0!Bv@vJ~lX%X^yO z8l^;~?p%S6fK)Fm<_UlINvey7=2YJdG~ZX4iln6ulTBmiHCOe}Wl(!?vHI#(`I&5H z`5r9q`}ytd#*4Sbn`34xy#*MoORKzQMZnnL-0HJruu8g1dj4 zU^p74q=^pSle@rM)vEmeAM6^dQ$HKyt@`SX+OD0&W1cV1swdyB>;%i7{0iy z59R@EycsNb$ojeSjn|)lY`oZ$`>t}~+}ajJ{p?%Wm@-X*=z_77GPVT;2dum zuC?Q9TPp{zR$jhtTz)^Mu$Xv6xAwSQ2|HiUO&SP^Tlr7+IWypW{mQ{>Yj?*DW=YE9 z<+3JnTBReD9kLQ{5yj)bDco(mJTYCk{PU-?jY~Vn6qkhYMKbJ>a1uR8g&eai9xT%B zQ|S3e(*Bi0jVq^qSGZfh`L25D`pS*U!Mlxnhs#f@`!3fW-&U2k70;J0mR^o|n|Yj6 zMWy+1>jq((7O|AW7fgC3V@8JEMZxg{Bfl7NEp(q^(u~cn?{Oo17XL57^dx=OR9b@g zXaBW(->qFJzOU{-RJnPf{(9?|dsO4qvBtAwe_cDK^8c`Q@wc^eSI4#G&`6yzMtDoB zeY*JvN#akA>haslpR3QeEbplAx#KE4UO8Dlvv#%gars$e@5eEvh4hZp9O2@UTP#7u zZBRd%8hk4UGRu7P*rJIW#r!Mb>o>0IgFCVE#b|x!`Q@jT_s1I_?>2TksNOqVdwaC8 z{o$Vrrz%IsngjV_d?P&LaG1Qj1H6ac6zV8WuPi#gI~jk0-XgZ@7x>Mye9>FKdPi@p z9NJkq`Jl4%2>4%3_4eJ$!9$wbowM~jM}9DsK8&%AmK;kt0x~=;O4EHQCO9q1`Zaz> zf2UeP)1ruRE=Kd2I-K}s;DVL%PmA&yzgDYWZvux&ZI&$(scBJs*0t_tcxRH?X^~qQ zbC01Mwa!~M#5p2}AyL6(k*sckPa|_~bS|6hc=wdT~3iN&5oJ|>0 z{cI%Kt#zyWGFRcgPqlfgS03u;JL%FwFJf5gdq~Zwl(L*{W+c<8CAvK+(J9ONgJkQH zt$pdnxR|JCG|@>ab+^JUWFyw3!P^S{jWsbg<8#bT&M)xHcUa^jcm)9kZbvK-AQl*b zdrnIYWi$}l%q(9}gzbDN`|`Hpsrr^ zmxz4EVr{BlK1HK<#)B?HUy3Rp$YphoF%hsgk-Z&YJJMC}xp}}lZ`RBEB4T&0+|&P6 zJ$JA0y7A=J+QZ+0%Gsx~FIWDf^7dK#i$d^rhJ*x3Qi!E7gD8gTfRZ;F0Zkf?Vi-z` z<9%r|lQg63dv=p^Y&Mh|ZGfRrZ_OAaG=*3&ROihOf!yX`$j@- z@CAsGXnuqNjY!0BA@^a6Z7ID-U~xCK3zlawMIq2`yLNyzmpM;5S)EnU9wHqGeDvE< zxOZWED+>_?NUDuq=YzLmK(aJLlY{*u7Nf200KEM8b_14KIDNzw({O{rn{;MnK0MG* zHvg)6^7zd1h1H9dt6NHk|MGXX^6EzUV0)bL_7V&sL>RP#mksn0f@WxnU>Kq3c#r`E zMbfYn>wR3vG@52;2ndR1A%$qB1F9J6BQy&cj9d8mkuk|=v)h3o2QY53xuyNj3u+LP z2Y_}#I6hgD^*Iza{fwgjcPXhs0BT;mQ~!AN%ZtAhx0NpcE5nsFK41Eyq4w-TeJP$g`F$sYc~)7{OMkMX!LGc`&Rt!RcqTlb&-3Um%33H+$%`|1{8J6J@X%s0o=m_iK0GH`GV>xGA}Txpw6a)z&545jIyDrI(XvR}lDU|o zBtcLtLI}~AKky-qNQxvFw#6NA`+I#~2(E4%30417`RI>@J8Sz2*BS>NuO6x0`=tN* z-R>VZ7C4)br`kSTTUC40&{q~il6gfx7tGTPZ8|d4n1*UC>BGq6&Hq4a$Lq(R;>z<= zWbM?c%85ti9n}k$Hun`kMJ*m#vfVsw2=aUz5yycaFASEuK$;Y7H+8t^wKHp%f9fkH zut?dR+)@<7Wq3oz0ocFA;Yae2VK&nQh4)D(klCy>V4BYit0%zLez^_jbIpc&kCRiz zH{m`x)V6%UKP8)xoD;J?hsV*Ars?AYWEW$qkV4hDmzkI|?$ykL*<4RSW(;lI=!|5k z?pz|s8MiH}!}MU~m!d`-knmVwP&Oe+xH5T9e-pHY{WsVGURl(fCkI}`rk?p{8X*p( z<{Y&0HGzcG1UJmtx4^|nFv0p_rm%U^MqmtbmCkM(-waB>M41_=f6#Ap(jyvS!tJ%n znbT@I$4Vo1*vee%?o(ictz?C=Xm734X_Zvs(R=0=3k7>ZVH)uXZ)>IaS2CyQm(BPQSIxACw7;_^S5R;*A6}_ zpR8Oux_Z2F^IWIl1h$PN0VsxMAb3p+GYl4{Z9uLYrP;=Vl5LG(lsAZHrd(anmUZLrmkL z9m*!%CSm_3>ost^8%a*-$SM>t!^xaNG)rO+dlXAU7`Dc9w*b({`!ol7!*rib)ES zEba=>ccUe}E53yF1G^fJ@08B}ZRI&!y;^u${j_bAYl;y<@r@ICiQsuepKJN|GVnd$Ai<&rmRpV_XZrZ}xe9Hq*S+>`turDs z60~a&GgC>n*CS?T8BQ}!Gcz+zPcuxP)1|`eu;?!Sr$m)0WlE}^w*SAK57QN)%!tT0 zAm505p7;6u^5?5N(#844#r>U^9~!q_mi{tr*PBx$)WW;jxjBJ-E2YwXzSFvKXXQlm z;C)Z~;NjNmOaD;0?L#YPC9MbhmTnHSI@|aE+sX^dvT|Yh)$*mmksNpT+Ijm}Q^MNU zZf#q>+PZLg`QEQT-|H{mQ)ttR_v%lVZ~eEveg1Z__5GRk-OES*+PuHZ+1h!gZ>cSb zX#~+4n=8;6z;OuTJmvxR0FMvCyG>dJk--n z6mB(pU(tI?0(+#e43 zi=0PH%W;9-&8)0=sE~Pk8)iYKy3d;yBB{$H$i|>=_4445 zvRIUg_r|<08y1Vyz0p?zHcBiq7rC^1Qd3mO416GvAxVCI5KBznd$n)8>xT@I-itpG zOfiLk+3n9{Sq_1{%K%zX*pn!k)ZvOe=bl;$6~`{lpjg6EOt5P0@h^A-0N5j_-2bzZ z&krd36{U+|Efc-REKA03_gVXYI4Im&(CbX&8qqODO6QoB(~mi2jxDhI%g+8E!F1Y@ zvgtD}e*I`bP&5TFf{)Bk&^Uu23Hq_r25y_o%TFxMEaVanb)t~NLK$^sHoS%FQ zF^a~zp@ycDk7+;=41@%R(Imnc(Axu!d2TZ z23iTR$dT`Mjnb%HP{qZf1!=s(BO7hRlwwiI7V}i%F&8&lfDRPBk*HYYFjT_|2Q+Ow zTF@WR#ig@_3&1f*0Z77){U{A^j3%K_xPbPJckP3>mtM9$9!ht1ool|i5o}z0*t~jq zW$!3Q5eF1RB%(L=))a;)hMGl?5>fcZ^@ySf)U_(WCPfGUkY*?xLnNdyhJ*xyJz_s( z0L>6IMv@38a01{&FHRm!<0M1VfWR4mNDATIkIFoe13b2TMiS2TCeeWMZv%jj@K5Uu z`eKGD`L@FQM_8;Ji=-V!JjFjTF-YPh1p#lA4T#fV!%`zNQ(NSpnPs^=%S2gIvP?y+ z&VZSWC+*(8g3aJ$1u!_k$v!kFev|+# ziSz=$c1h-;tdIZa9_BZqO!iOBdd0!M9>tKPu9Z5ig;32_%&7-Iup4JtG`Fz$&lmk<#uPZg0k72uPFKa54)cTZke+W(J?h`rQ()Y0bmf2*bWn zStC+~QEBvU{?P5!tj_WeVErF!K7F5Gxz{{%zw>VUUpf!(^ndvG<_|ZNzwRes=lfS{ zw^uH-&+Y1be7e3%(Y*e){r2+eiPq^i?Q@5k*U$G{4mRiC-#oIT{qanY`NPVU&x2A| zKidEP=8$LU-M_Ve*x5e48}H};{q56lmu}S$F1=}8db56|_2JagzQ&#J8ZUon-afr@ ztXx0*%a!|$JNMUKe8Y=TVVwjn?NYR#-d{Sibg{8(@7BbgNkn4=i71HE1i%nZB4&nH z>pUVcj06a$84MwugczIrKj!MotZHN4=@yHO35?)I2k7E7`iFa6d=y6vx)-9Q>u=A^ zebu-CE+#%>T!6Jl0T&7h%Qk;OKmaZlpTJSrCKZeP3)#VU^@XBcEJ_U)m%PrkKxWJf zVv)P*4zgM0^Bdj>j*-MTub*Zxf?+_{S>fZAHxHaxI>pcHfB3ezcFORl){YzN56RCD zTuV0^?>?DJ#muP?0bT0GX-d;fQxPv`!tb?dr0pr2Bg5!Z3j z=`ts2u9+3C!AKhLiRUQ@FoMKT{{ZZtP2bm+9DZj`Lh%}6>0@PX`TFQBm28yvYS8%Z zZR7i$?fs{hPc(L2TAwDF7aT1(sE?|6OWyYT-2A`H)!#3@Zy(s%*|VeZ@^I(qyFYdw zUYjO0rO<^XoD5j7{=XS(fKupUd9f(rP2l7=<5!P{4v^=KepXV!Rwpx5Y?aLp{i%Tk zBwDLK8clN=yV*6G&XE@)eC_)36|3GBC7L!o;g7sUCGnZNi_AEdA z*u8oc zHlP2vet&Jp%8j*G%~N-mZnSqD|DP$1kji!3L2Oj|7>Cg11jevF*?1sYRi`m>B2C}hUXRKpw;Uh<`iUP=4*)fX5_VL-POM`YBf{# ze6-5{Zl#y5N0%>}>xY)Ew4XoMv_GDxKUuuQv*2+IPH3DygtVT}$oN=D$4z39GF346 zN1u^pD5)tOk&)D9l!@UtGtSg>`EgS96K505m!s7XzrgFllrgm#7pa#vB#UI!oxnMn z3wci@6-;R4(@a(iiA5T1BI2mzEa9&(0IUXm0Lv88$v`b_3-CVR@}Z^YD^KUQ$rqos z4u5LhI#)kuX`g=HzH+`Y<@=i`%Uc9@$Ji~Knc zdzG_N_64zsiuhS!U_>H!L@Wwa4Pe4RGG~iE<1iIW3{~*wMM&d~kV85>XIxnnLeV+? zxn9TQ*L=w9vI&LxS--G;VCiys{b1wi|`UVVyTKgCCPuEXZ7&y*x2ok~Ax2 zr7SkB#Z>)jZVpqk3p{=2)XvV156s#TXR7h?bnC;jzm4DR(?&@;>=E)CUVq=bccHQC z!oPJcob24W6PUq(dizKQXWB1JtzS6?i@LZ+`1{fM*!n@HB8Vj`ZCBBiQ0{kJ~C1`zb=fS1*o9%OV zmCb8U{!=z(fdj5YEE$$0ZSHC76`+W?SVX0BjDhV^DG9g2?o!FZVv)5#kZf5~zrj*< z+r=WQ-D@&cYPdeiw+b<_(f9xW#^Zjq-V?BEQeu(PLU=b8NxelL%85nUpA;0Jf55|u z34nL^xSW^(co!c%Ehqp^5VHjZ05mxk6uXD}!HCLo{v( z6`?F@EQMt_NBPOicqjAg)nPAq6V^LY?82jb4sz`LgmteuPBWV zma&=18XjxKt|d2LNK<$kiOPZ|6rMrk(o1MY3=j%PWWrBB&yoKept2%bDN=nAQHIHD z+>|$iNZCj;VilX&^iz6);#GRJJM&vLy);g#47OPMfe@z57a`meqtu9?!tk!qTzF+xE-$#Yao;>-(n#*B~f_C;~7LF(e{r zriJnsh$0{j8Js^{0-y*C zLXrTR`j}-E;i;57hNAXMSV?o_W@PBJFD=lw5I~Y7Nv6+|8t+>K0Zr2ojrDC!xKEWF z6rxxZj^zB1Q|dep2t<((QX~D^I{B=WY3+KrvZMZD>6v`>So7$K*0obBAJ#7k_b9+| zjKQg%!rfShQZ&RjOe@fx^Ed(!Vk9$Dh!heK6paCj!Z3njC_rHR^fJI;B#9%`h4oD1 zCb_)51#X1uvwpmN;L_TU?Q{2+_kByPJ#1V)+4yi|_001AY1|@LsN!Ke1z}DqUCaP8 z7852P$uUXQKec`<*1qy~_2TLkr?+pmEkwycG(}+)ps;S728eoiyIF!{kQhZX6e4hv zfegj;#Bc>jNJ5JNumY8)n$p9f&>GKB1fUQtw8SGC&@`kdY;+lj3tY}(w8~u(0D&Pu1Ck&{mW0ob8wa1aZ|`ef{k0f!{R&;Wv&BWaWp zw%XPLW5hDHo=?>$0RbDWoJMA<^>Ab3i2tP%QD5`mgUl|&?;o=YF1f*iN$qy` zb=e27etR(rNv+;fHM8@3(0*vgd=b4;S{kiCs}B$YE%-I7N<%_xj23m=3RQ*iihwUS z!jZ~)wKX1!RQKqsziXtk*-FNd^lgpIld7h;I~6Y}?C?+G@(|7e9D=nyOzPuVWb1!^ znvu?yYF^IyvT$<%0i`(1hpZ%qA zcOD2J9E29hCc}hfNmQxv zGiB!HIK&vu2qC6ea7YG(7~JSpY7MC@4H|rxzaaw8JWQIrJ^7g##S>F zQ*pL#Z12HL_F3sGDzA4d?3Mn%L=`KhOjNd?3^@!Xg6u{c8Gp$mk|1decG+;_fO(1_ zX_CPP%ANi9yUoK7n4e>)xo$NTo)U9J7!{Uv8vfAX!c zZXOA7L|~vBkZ&}S9Y*6cwc$ze%jOXzMKTlxXOPVUkiaOo;f&z`kr;+|1=+`amAFbD5B+nGh-j)uMi7jky%TYco-^nP0|2!nUq)*t=PE?m6)U|uZcw^7o0{$ zp=kmTkVfQ&zl4(v(`5$ma#6Nz+tz+~qq+BS^YF*cfeXt&c6OfZ?Egp_{*>SL&A5BY z(15^522l*P;nB>bR|%;N69JsU5JQqQNp*EDh1e)K2`LIu6hb6}QzXT}9_a*UaGYT< zfRPk~V>CuUijPKO%4~%{Vl7n?K_H+N*^QY3urB|6bSeOX#>fp1eMBuX>Ts!IDd5fu zs7AWNw2w60a3MOKL(4k>Pps76>A943}eV4tymM$&^=_F-Ut0FP9#Y(kW`W&0ghU zh*TUrKldpj8Na}9J%Wf5)EK3L|B`Ow3%$d!J{7?iiTKLZjAfYDEk#}i1T|!muo)sX zt9*8X2yn=W!I3X7IYggS#?7QOoYeOkFo_^CIR545h0G1;L&NKtV9es_dDz0N5dT6T z);mHL=7a>53}#J7ltVXpj1vNC3woPYVc7yFB$p%n1IN4H6^e8!H9QI%c7@k0Glt!o z&FpR`mJ&I=h0!om#3j3Dto?7CNlh(Z7-~y)?Zx&y%&F140ls;-I0xp2w}v&Y@W{>K zC{Z(v-cKMfyg!k1xWh&Nunakqv5u61E7e=0xeQ(~6L~JlzkfJaf4y?BasK3gm=_1y zlg;~2O|5-9x+ykyrG0CE-j$x6I9nMYZ0(R3S0OYZ0+1m#j{urwluhkDroS zK&qJuD*wLtXl;)$LnRT+4VpVI3Wh>Ke?cr-yZwvy*)z>c*WIgU*1l7%e6TK^ZGZak zyUyOXO0sk0!Z-bw1ZCWqmn`Td(UTb*6uNnALy;r_Hhe^iz!^wU1haW;V3)=7ibBR7 zVzprP_5c1BSFayfyRdX)^+)}n!ek6(q6JQ!oeST$w(r%p-d$e%xVT%~-21lq=p=tD z=5a(YIK*ij;TQ=SitJA1elui7ENoNjDErso?HExeRFYc^gePTYAw)g$IGM?K^b(U; zlo}j+gn&mZf`)XWR4ArONdeVJzavCARcwL}#5UYLM06vAu=zdnfMO7i@V!B(9Uvc5c$5sUnhnnEgIOuMuP zS_vaVZxhNPPSFrih-L_ElsARbID{0|-Bt0L_5P#P7p)%;)VH@!Kac;<%G0HD-?pD0 zSbWqxb*}Z`!|JO)cizAIcU}uO&!7Bj&$Te^Otz5m$S ziEWm@tnT_(_a7QZevGh~Q{+FNIW-ZEY|LlbP%+j-KKG(?_Lg+zT;th=#;z-^y~o<; zjy3P@w%5Pw9N5=9ba?qx)KrYW{yOII)5t=#ycBXW)G8yCa4jLgA=BikGOm={P%Y1Ii~0HicVJ5W4kD#QWY%ow za=Ma9oUULJiyjSdlS61EU}(TVF!*@-&!=`JtzO>8UA?{Xr2c6A{@U)~^8NPJTdnI) zem&*s(`hTQ+;6@-plqK$xO}>?{XqM}3(Mz6 zi&q=3@2`#N5oQ$*MRuYUM#mSpjxu0-aNI1A~3ScD9D37Zk=qVxn=5sNhG$iSXLFy(^B?+sU@3&RXl9{y=F z48B=RQcoTJ723?p%A^`i$R8-P&J-p=pvNChjb{U55h<5i<3&qJ76^`(#A<>Yk5Tbq zijKnEpedX;Dr7Lv{{E3!GoB z7_Ukb%?VWF%B~)4p1-_yv2p6)+RJ$J;Qf^=trvSb2Oln7Y2CfHbm4FHJ)@7s#|EIS zQTqZ)ibV+rNCi`xER=G7mjbaUoR9mBmNXgW{2~YOEJ+C{3y%^rqESZT+kE{`BykW6 zu$GSKEt>?UpUT`&R~Kkj_LcYViyH(q>{ zub#r|k2=RrHcwxk!JN^s3meI@M5~pNtePPS2~BF2(JXOAoi3MH6gDd{cVvcfi2*xf z$VAGltgJuiuTglKm6axa(wuX)(OcANU2NVuZAuXujTC1K>t=`oL8|q%ZVMxv?{Ony zQB+ZhMwR?S#uKqSM}1BRa15s@0Kh2O!yihxashu$EQ)D^UtjRCcg)5icffAs;c4U! z0-urGK{I3Aj=4Fp$mMt2H>PM#U632dxLD+Ile+R2xE@^fN6hNUvy>HaLt4*D%57hh z2-06}dZ$cD^JMM^57(nFArr6WW{0=?RTXXAfYaj;?QxJh?QutYvsD1;ozD~k3u6V% z05#8#$E+O}cr1np1(;O5D_1gpQSF6j#cCiuz(0c#g6c3asS$ClPOy|d+}*+lbZ_2y z{`uwlgRcQ-m#E8xkxVQMPVxl+-m;>0n9~p8=w?hBax?Hk?-*7?h7^HBtQ?|ToA0i{ zmp{zDc&DE!1n;IPf}#%oH%$4y2m^*-5JL(I0Rl*q48jO%Q~0OBt=Fr@i=`$jR?0#St!lwg(ux_Br zG5yZ0*X+)lT~@<{o-um!p22ACkL!#x#;HIh8|k3-qsO0bsa7AZ?pxm7-tkzzv~&H@ zq%I;c0z))G^P*AbNerh*8e&3S1Q5+YKr{GEXjFm*3?MPY021LiK#=0s&VU=^m>@y- zo6t0Px~b=-kHEW4tCxP!{BUFKUT4n_5uUrEWG?NJ%2a&!*7vR-Y`@&QeqtJs-D5X} zCWvGpA(f2P@9ir$>)#tYH$QD1VZQm|nhG)Z5C2*|)_Qqqe)Uo7(B72`%MVvS{9^6S z>e=R_@9+V;g)5M;?U&yg|JuB|qjma0`^DwX;me)#J3oKFa=P*1;I{q}KUu%A`F79x zy|w$xXB)?^w65P@IlK0<`S8*p^wk!S>5xDK#Bqwm34)|H#>}k9bbu2KMNx>P2?jwN zAm$68=>yGIKvpOzmA&wBt6LqKZ44;h2%Ae=xH0sE{IUfClYV+abLZEc1S z;uv6PfH2sl9QEG_e4;r7x$%~UV>t9~%9Qd4ry|pVvS^)-MjxC7_9Yg)5edR@J2nlF zZmF0&Wu~`>9>>la=h{C!Vig-F@?|^`swHE6*K&ZKWjHE{J@jlAWw6oe7^T`MP*?hI z>w6nd-qzp7V{3hcAsgetF=02aUNRb?GlnhUG zcQ9xfdTx#f6>SEXuOb!^lKeL! zk<}F!i#FE&pjecPPzxF^Oxl+6h(*cN#&GfKF?&9pbc;n^XNid9iv}$viEb>#iK01* zD@d^@Dl1G4?GJE@p(u=j8}CGdz`8haUNrUkp4O+`^*tJ`WAXLx*Y^L<%ALlZXN}h< zI=gp%Gv-m@Bn1fy1AwNx@qA`LQqv?w!i{%0f&@em>w-9V0`K<%Z}g!*8x|c0N|!BL z0ZRLlp|HOk5I{;3fF@{)Byql>Pmnal;6z_MdN}kA5la&1ANwhbEr;1y!{0!&3Irsg zC`iKo5yB87{pvvH+;P#*7C#D(e|lr{P7__}@iAwMq)7-Fn&ihtZ|tBc2yrw+h<%7~ ziU9~CA%+2l!m%FNUc44Hz7%6H!rqkN^$eT*Thu^6A2|8oS*k!-}rQB^+KL@l(gomez1X=fUuV8e1SfW znuD*dxNwDBC)pemJP2!Nuw3D}ppUUG1OTDjye29&XVb4 zrUh};v`tp+eaIEYRl7Gu#KsWSS&*}Nw*aS3ng-|5eT(OewS0z^)it}rR*-Dw_2PFc zCPS!up|kqFYf_q1VBO=vK8PBQqNr;@-`4^$vvJ9p`VYShE#LZvpLx#O=C?k6tUqgS zfBv8C>vubMPg{Q-|MSx2KeylQZykT4-x~TDCny?X5Q8L6(15|QE~R7on`vVQPEZU* z6Np3vi7^;GF)qGW9#p9)C1VqdP+%l3J~Kop_l~C62xX$nZ116e%{nTr1{uEt-*SBX zQ2_EFJ!JjPhCg2V;A_3Sv-Gfi^O1oEgxo7t0EOH-e$`h$z5Y;HtY1{MEOtnYkOCA z7FyR|wDw$WKRFQ{fMmFzspmxo3L$SvIZUgAWXPT@sO1Z?&C0o7X8nZJh@??>Atn`z z3ROq4R940H0=QQNp`w!py!*Eb$QW5H#+3{}kfIQY6XXc=mB1m!U=&UWAYZd9XFKO! zx_;g`vqPr%{A6iw#=N@o4~zTShtAgbukPlBysjQ-9X;?naiy{Ea{JLoOK0Eq`iE3! z`%Zu7`khhqtCJu4+S-1b1$CwV8Bo{FXplox1PvLIBoLV8;(3Tc8bWNK6#KP6n4;hR z@&ErQ@{@5L$cqdM?C`nlSrT79vT|qn{O5;_3%i#e=Q{UpcXnP<)(@>8YaG3+{5j_? zesG7>DjCUfmkX3u%>#3?#}s&3=_3W&V)~X`zTJAWUoV!$*LQc`UTqz}J3|A;z&e47 zTpx<+M{+SuIG+mY6Z-Uc!wN;I&t@`M1sc}8esTR_`_{$v6KnTf@lx~C_pNgm|FwQ0 z+S&QN%(!xfXgvO5hK4dV?MMz~$D>+Fc{3igFy6%D_LrimM3$9hE?Z0tD{a8TzRi** zfmhhyQgvV<=Zvs2QA<{ZoO-~x>kSLJautt&v*ft z$rv&?r2++{nm1l6==H1ZqZga!XVDz6j5ePSaihtq>6BQMk!b;GWDO zArEr0!F4Qn*zN7PF&&RQKjh!hxO?3CnGM9_g+pU0x(X72f17kRkko{ zbymOSg9f{O03qSbL&XeJW_<9ZGYO4eEFvjo9&;Co=>x|;7Hj?s#ze$qak&k0UfY#c zjyG;zfr~dfH$TlStY2MV6bhOY*e0_U;*V>0_d;8OW?d&-8A9&;P$IlOEXcSENJ-XCLrV45-qYkCdT`r9` z%1HS9lq)4I-~r?dCOUuUtBF=|sYqfljrj;fvU!l*l$!`($DI)mp{ zV?m1NMT#mbVf|`eR#@S4+CW)IoT)a8(*xZOYf&j4b*N=pdn`$cMJbcg$SvMcNVptw zu?UL;f~D`n|8 z2VO2?isGmHL%{#LwS>+wYWN?--6b!+vSVVaAn2GUm ze#z05tV%30XlIx*94#R>D{JDeCJ;-JA$f?EQ;d6}lXfzj=LA9?e8A)YY(+It4O;>+ zyyCg@YW9Ok#3ElMU@hkze9jk?<$cAz{MeTdTC2v) z+k>Xn%m3bdcDMEM{ghz@d=*?7tuSL_BWp?XOIecif2{AXpPN#yG8`%=-8m~KGg(U| zsyXP@+f_==52}zPEu#(7Izy=|8`D~`$gA~K*!*q3BABM56|o2psEa9mEW@6V(TFV| z7G+h`G{UKp)LV4Zhn7R{SGk5MtGhJ(JEWX(m`&d)#57}LOh_XZDdaWSVWnb_!RzD_dD8FqhiB9*IarJ0#rsosHCKW=DZGLtLe z>iv^(IBSl`D5(oiDpZBE&ZlrGptg+c-Ao@)NtKduA)iP->QeSGT>YxZ0;F;)1GvpJ*gr=K+ z4x%|e>(7nGR-S5ouO|i+l-@C``SX=LmQoCPu@lU%EBJ6fG4j}9hPDeo_`v*RT%M&J zVWq}Kv(2x^qQsY&pK&>Y%t%8Do}AU8`$=;^rSbFifn>p+bZoU76mZrK@RE2TJKg$; zqAN4<$O&^G%{o%}QYEEQ&AIt`UXbP~HyM>xYwx&PfMUrM{e`iDW>HhBp_Gh~Pj3SX zW*k);h*nXOp45<9)~b{V6*s9N-f}FYO?WDTbk)ta=p&Mx$rAQufk|eC`bo`6`jEF$ zTR=jE_UWftv%VW(WQ>Bk?a%dl%?BU2?745O6$sNM+KLn^38L?J^+)V0iZC7*qj?fX_gDemcDNvf46$M z{;2cr*w5DwG_Jm0`2lO(d($}jb}&1H1egejV+aQTAVd%dCwc*wx6WkEYg9fo`B5dl zO2n-5=0+YC_ju6A)6z7JAP%wdXT5f>e(6uG$J;;OYMs5>eD=O^@Zi$-n!kVg&^Ugs z)_8kSIrVudL?e=5AO;XaGc@W(-Q6mcwNNFs2D^(a^-lkI@wtd$D3W1>2$J)Fq#1(2 z0X@c$j7IWugVQ}hohir|jR_MPd;#l^8flu~RDt6JMbi{DI42rdaru+Des}en{%75M ze%vkz5sBlVzr7emuH%rR5d-@G6&~m=MRub|!#>S%3QG!SD1b0PB8mV2r$CQi%oFz; zQ8+=9-58qvnEJTmi$s|E2XEsYhcf_!6xr7(;p;XU(KsS0IL0@Qq_RojE(>$|N=DF} zVwEFZ)IM}1vG#m%N9V@z#j~piSN5!KXX;1hn&&D-%hjhCGmPl#Sx9h(VZT>LcP- zCY5BQA&aNVzAvZ`vy+jcK_Ng#t^e5EbLv;-%*xTu!5d8T{h77PovVj6ox|V#Z2dv| z$A^yEKT-#&T;KEa#<>TrYo|QluHId}5n4a@%caBppSi5m}L< zAtI|8sAVdx!l#YO3I59l>6;>X!G) zgyS|>XkjmWlHieI2=HNT;yk8Ef8x)ib)=DN?Majv9H&kcJF>`SbcyBv^E}-g&6N$% z`)vVZR2K>n0{f+bQLP?zmXU25Hn}ycnmx{Jh-=g@vuVW=9k*$z5=>7t>O`|8sL3{q z;)(HyJ-y?;Dg0fN3GKD&7*y=aYH4H!-46+z>RicU)S%#2Rt!ZQ72dkGeY<{r z@l<2a5A~0~-8QVu?2<; zX#%GaPSd<(QWC=`hVFtp$9)-+#%KcK%nTY-B!(~qNgR<70|Wzbz{e$p04ETF3^u~0 zPASr{sG(r>^H8b{p?p9riX@|4_B0vrNb+J)MQirz)jAt+PZgV*ClN^j8Zrb1ND3gP zNBHLDN0ZUDXN_w+#hs7GRvs+wA0eO31B#})5xg;m!4Xc;*f=kmO@|y zXD}KgXaY?Tn3~6NjATg2FeD8qKu{#;QHB@_(KN(x48stCNYvFco)^t;*q>k^i7^C2 z6C@3L#gDVD-Mz!g{yU!1CggURnT+K5=+~H;w5HP1pbrVru!V*{AZdnX2!dkxMn8lA zLlgnHqhHQXv@TU+-)y@5+O(5!dJHuvEwM^0SwoCR9rhD3&irUzzMf9D9=>Yad%bdK z{kZTvp%Bh=qulU{QPB(m0R{v}*N~zSr0^~$durq{NRn`4+95!aI1YO>@3Gi65Mw9` zK{&>`X21m2b=7a+=Tyr|;e=VU=^5qG=HJDrS}H`Y9=zVR#IDw4IXM_X0V>Fnxo zY_PYUK&y`TKJ;-p)fy?DHOBhDN+D7;QBGyZzF*19s}3ur+N{9OU52jSQS|xa(GveP z-DhA-y{{&HqAx>Ku+lK2TS$aR*bKg5CYxd{bJ~e=tUNo<+U<2K?BQ@4M1~FoALF`r znQAp$PwgSFH{Rw zY^X)cL%vSpE=888=}KE5V5e(?&sP0@!NRO`uUjmeIo+PDgfj7Dbu$0DchuY8W6=Sh zE1KC9q8cGz>y?;kYwYX(8)Tw_)aQrG=W5NvSNqAetBTI<@9R&RyB@fk*Y7NyT|1Xv zJ>0%_lURPxIKJKboBnluACb-CZrr=&n@-_gKis@{^xv0Xb)$W5fv-JJU?fG*2;X>J zVl<+#Uib*2SsC$zv7F<PRE5vEB$XATI^k$#Cx45X) zKC@Vqm-OI|ZcMH-`R!h@NKQjzC^D52J{T2zl2meAnVOjrzJ7Q0svsGBlg>*|r}O?} zBuoSZJlM$pO@LVaEGwH22$tZYuM-ZUwm?T~oXi5Y;2*6nkB2fv-YVB_H|~9^?^@qo zza~nqpX?mmuh`bU@wonST1#Tu#83cY2Dz53Sz0Pe!;y53w;9bJzHdL>v;MF!rCKkB z7CdDmC(jm@l$5SKCr=r1fzc)yoJzaj#asR7ca4jejO~|qvDS+l)7WKxPAVMnXgC>? zm=qhqg9{7-OU+=*==obDUOTY(cJ;yHzS_!dS^LG^&(9W5JAXU7y)zQZ3&QSzlehG3 zzppk>^hro-FsbFdjB7x_WsAsLqBw$y@bI(d;edj*T(`SAzsw-E6xuB zoFnH*MwJ-JaKZ(v$2MLw<19%MNTBZjXD)e` zZQMG$cCz*9e&^Ji_K$C7XkrDDad%uhY8O8KhrAYzRy107KrE`t7HVeyH{-XA@-`NX z#W*WzRp~d^--(0|uad1aW@Y_tPsK=E(!L43|Ec_{AXpHJ4xn4R(t2=o<;g;aaiPA%S!Ss9LZ#`m?IV+uhLjZ z+4Mrayzg1w`s>E!m-P$&#qT@sABfl9H=Z6`yuk#PkNm+oLsPQZTGg)`uT>*k(5kFT zn?S`sYd=5zzrp(1mB;eV4|~@4%}`UJvM`ckQ|97YCO49c$4sfR!Ubj-dyaAp#4}E@ zDD7Al-J^i}8DO>1lK*?*CA-u$Kr>zr&HYXpe|WW$43j5!eWeMcuSod zi}4WA=RAoBzps9}@$y>Z_z$AB4}a=kFo8Ta*slE)hM0waFaGy;H>1r%FBU&dF^4G_ zb>x%oA}2GgTJVwvFVC#z+&woZ7U?;(K)I8uTE!ycq_7lbOU&ZK^@B?|<4lzYGmH-Y zmZX%^4enNvUQ6sNSY4f|n4N_(ujy;8)9041Eq`3O(LQ(e4{O&OpH8nGYF~Pbq*MAr zVc{gLW;`Sv+aBvnBZ+I9Nt{#>$>fCq-zJVzoEGV8etj@17R9AyyG+FnJ`mMsvPH2d zM)I`wKCnSQK-3u)*{c8rKPfj+z!c}Lj$VGTw0G&=^1;t<+Xv3JcRgRelW{M9Vgl{m z=l`~NXi8J&2(FIp97&FG!dcce65+}*tOYWx4Rg-CcXM{-}BNQ{&#P;OD1*Y(72uiy7J__sPLXmJ9`|C1bEWgNsY6 z*v^$-=48iMNEl~yX|*Wv)jU@R%?S1O>Pgsq`KkHiGiU3=vBr_RofAjOOZ(eLc66?v zYae~JzQ1{S{|pvml4Lay%czT^X7d)Z8Bfw78x1oV(ALJ=Y10JFK9kl@ss&oRa=;3+ zYgd1kZ$5nD?_4~+^rZ3jRQt$|=JVU@59>cJpI@3qXO%*Q7==dnL<>>Vc#B42{IC|f z{kxm{&oo|~uRmHl*53Z1{-E*UQ0vaepUqIe+Erd~=7{u2wo4H&M`@2yJ{s34G}_yI zTY*rNE@RRKvB*QvdTU@I$vTMS_xs)6GBl<_o0oAzx+Qd>0Hqi-a(D!QQ8XY)f<&YI zdwIBwyAom%LP~?@4utvetmYJFO zQHphR!|DKgajW*1MFJ(stmao_ffL8Ac8|rTwQ7}N+&R5F(y>YkjmVsfSwU=td%~7r z%vFe#oZbk2QEzy%G^S+=RV$Xx_(z9ExQbzcYDum1{**3pX!SNrm8$9a`eh+W<8yVm(18n5oE>L=9A?@ll7RV>%$`8|3vytO>ztUvHu4O4a^w+A86C<+O+jW{ zrnz9+I;lAqH${H>fO$<-R-@v+V^)+)1HK&X$BDtq6kQmG(%t{F@fzato92K z0|1UOxFDMy5f}y;h9HM?ybpu+rX@zGuk^VAyj;kVYw&{TnPwQrz7Jv}NSdSoLyYp+ zSD&`_9Mde_=w=H*p=pYta2%uiYF4ANX&6b8I6(-heL@1G5k_OP5g;i7Ly#dUK#>?^ za75w!VxI^S6oHdn_I#gGs7Zw?(CUqU37I{uk>JCGdiWPZI$}_uKj#6B5KU7w5@NT` z6AVHGz=k2GhaI{g+>xG4B5B|f-3t=Q2&d)r;KXDoL%?EFX zvGnIfYj->E?k?Vi^&O2p7n_&wwojdJTsqhO`0;%*t@6OQ)n`@)jfadJlxejvCGmr ze`N7a-@IF5*b_9uNDL7ahEoKN;Uo<=FB(H6b1=yig#(BHMiL}JGYm#{cj#NB*z2?I zw8K)x{e)C8%tXfFpN_ELDg+sIQs}KiN)j6$ zsP)R$#>z_d$Qsl-dVIpmguo!#4GF-z#DH#`0|G#yB?e*)hG>$RO*tBDm2EC(E;(#Ni_lyj;9JvjAE?_{t`qnQ`kW2IQ! zW6$~N{OBQv0W%i53N<5V8nFKzzQ2nzeaR+H3(_@Rz8D+bR)-V%l0>66Q_-KYf5XF) zn5xLPdCMC!MJt`$>gFw7sm!`%GZ%F;1Xt4(y-*MIX_?EAha)y{hje8dofkGhe~)6; zb-#j*?NJsF*B@Y=$2XS_uAi87Q!>>f59K{0uDC*#Dvmhg6p081kR%xM#eZAB+Bmv* zZRgK3>(`p^Uag!jPI1BslBP*W5){FZ00WTh2ebU5?Sx%A()P{6txZ=P!$}5_)!T0k35fP~))1cN~U2pW#Q6|BPV1er}`kJKV6&TD}&N_Dk#R9VY&Yk*YON5`;{ z7sS%`Nt+FfAxKIn{t}=_dgJxb_o#VXP=-b%MiBh~Ia6N{kfAU{5G2V!$Uuw~2%0qy zAk9D=;9b|YFA!VMmB>K2&lAcIk4}0kMUN>oPvVdw36knP&4v**X0eEtIfm)pg$$qo zP6Lc$t>VBLHdO{bP$BJ4C&Z%0o;RxxTMu?EUR-&AC!0HO^3_V=42ekCx51#&fW?B3 z)H)Avg2pj02yWAlq|!e#*{pTjZ50{#E7Y^~cGj$IIuJUj8E^h_znqPOaTq zex|NpAzaHptlV0?+4|vj``W(3@RH9zuJ2kp)!6&KdHd>bKYwZ--5+V3`>=G9cT+?) zK0R(fe%JW^e&gZk20Lb$Q#{py>}`J3%yCpULmyY7A4dHQnsLH%R< z?Ax(z5MO{XM`HPWW%bkYcYl9-srl|vt_6VnBO={$&)p`B0ee`j-bN%`1kFEO;CcVLEM3M{z z82;ljf@Bay4?=|U1P>rFMB+4pvn>q-0dYV>3PD66K;iw@InN;q1c2^ZQfPyN0G@aH z!jg$QoX&-lD<2x)e^}f@HO^jLe$sh&8T<3;VmX<33h^B3W-djK?Qx96#K+|GshL&dQ0_%U6vZJKNVTF28GE zJJUXWxYU0BtbT@7m)ufPdt(uGUwM5Hy~yiUtBT<)JF^$T$Y9Hl?6*t`o;YQ>0Kh^Z zu^CfKRd6V_7FJ6J1_uMZB8TCEwis25QMnR^yp+9(>OEs(pdUF?urgw>QcjGw6|BZe zwR{iLAsBS4A~l%2!5HW1OteHb_I%thWvmEgA$KAW+?qKFbtxj3#9f?PkuNNv5(9y*YDig?69cNH)KUyti(Qfxr#(8Xs^*D3h8L6k zamUtnEnW5fw(;g+{mQqvx_$RR`_zet76Sq@==ezF$z_~V#ytgQc!z4vTyrxjV3{ zs;j%Iusio&0$?TqkN^WXJAYqj)wya>ul59y7bkeX>9Fq_W03- zlh3{>Jbdge+`8h+9QtA9lkC+`a)+)io?baSzjnPDEfNHbQUrLUz>0(+h6I<0z7&o% zkWe1-ywCx8n3^YuaXg{|4=^VPSU^;P6NwUT} zVs-oa1*b=WSxoHLsN%`NfMa6{xiu>7ppcr|r&1+#QL{;-3XjPd$7Xt`Hw1mmm1@g0 z#u0`wk0|ANfOrB0jGHlyW$%1n`1{wB!T; z$atWz?jV8?Bg#=CUw0D|!*0$p)Ng9C_{4NTFIjjtZO{`mj+!Q3qUla!6SM*AundJCGe z0JT6$zuB12Juz;>rNg$Itt=K(Vi~Kw-_Mr=HWXRPKzP;y+>tDVBu08Ql)84HCZ4~pYaJ;YUr%1F$E=tyg# zG773E=g}yva+FO)%p*9SG$eI%)22GUvYF)cAQ(At^x zcbwT%x5`iRXHTx&vSzP5UAwz-e(gc-{cB6_mzIx|rtJ5}hyS^7ALMVI&42N0?t@#I zi(luSez$yc<#_({pPt>!eR}@?Eq|XscQ0H{zw+tO;-x<>ez<&Z{i1#4vTo^C+P!e6 z{Br5=%7wqJ-O9Xwbz=Razh@tu&3*J)dk(bBt;d?o<>POyUCLhnCU^bZ^2GzWFE6#= zLz5AkmA7?7c!m&VJi(Z80B{g>va3^ws6YtaI3*zf2;p1up*b`vy`co*&*@E3Qz$T^ zQO))F{Ye@78CN9iFJFLCw6V+R&sdc;%*VTDm8j3Q%vcr~wslBYR=D!%%0;ukDPvhQ z=o7=0wyRa5%OyHC2J7~P^<&w?R}%}DW^-4*-B&@NiylCd_@JlHel@MWm;Lze^261S z4&)!7EId4)IrHPfy^TGgmbZk*6CkoN21SBh$U{iEnpMKaP1{pu35yzQ&!V=~z`5dQ zV!$ERkjS=?jmj7HXD(g(_vKG>SKs^B^|QV=R(@K#oWFN1|NY}XN@HP_A`F8)b2J>E z6H~IMeRe?mLovU#zI5wQzcQEEfq&rt_Wu6lqkmm`kUw)hS$J?^7DO@|%rmSg)V{9&2vG&zSg&;wcW2Af;#?H_S zwpt!TAv4gFLn7NU#0VxPAwd)|I(}PADg7w*;I@lQ?APUU*!*fk^T0I<(~!GrmMvf z-2gGj3HZjw=1mjw;CM+OV5`~OV@31K6;KuNR1L*J&8c z%l@`o3GAsaKCDg5q?IMe|62TE^@EkCxl2#YhQF_Wk$rNaodDreqjQ1!63kGinE%3W z%jYt`eDs&h+3&MAuD8kAI4!5fi~Honcrl&TW~916bz&B`yFE>B=bz!iJ$+K@5NYqE zmcCznvUt~`7Kd({6C+mm;wZ4>YUZa|okgYTioYv}QXkVY*BY9L?CeIs4 zJrZ#>>BNx^y2l0vv~`bkjb(_zS;6bznv}Ej^!KM92Ya&j5C8t#XKTNa%uly6H-7&2 zPP$l^)Tj~(lWDZEJ7hh`k{)RU`%q6TIx{a~cfS~ONuEn4nJjP^+Um9~ggD0WpnL=4 z4z0hDX#aQ}^Pgll{`$$vX9w2K<}ROFIGX+R!wkYp3J}Z<@!6% z?q!}HUOtn(c`SG0!s3;}Cl8)IT>TnlzWU;gwY%Bhj;)=}ef?zz{mWauy&&1Et9y(i zq2#Eu?qPhw)YHizSO*5@HL8GFd2Uv_y)rim6abF|L|z8gj(YJbA>p{Zd~)?#=E$$y z(!-&~4@0JSEH%}P!Q(&ei%)}@_rL#-%!LpCIl6Lu=}7j_)x}Qe=2&R7ZVytcdeey@ z?1)%S5I9VxG%AOqFF6ye+dHQ!f{pNn?30%CY1WtGx1r!CvI9_ACCSac}Zr1vsk z{;=}p^3zTlZ0t*p&RLThmCuumjw;X4DFdCiPq@AAzJ|lU02tvgC|{}B@f@qU0k;xK z((`Srj-C#9Ov<0BRoc02>+@!3m6fNt2RGKQWbZv$JDTWVh6bYX!Fov&=}4I4{Tdar zqCRcNVOL-im30a!F2*g&&{Tv%ek`3Lidh zqYtE+oP>VFIV$Hs3oFcESsr~Fl}v{lvmp;34NfMU8dZOPa)y&p1^G0p8DYF~L~O>U zH4@S3s((1${$z5dqWQMqmJ_T0(%EYdfxf5L7n6D`wc_4tY+rDQ7xWqx$N41>qjM%2 zHELA;!8uo|SLm(JT~e#bWG#fsV^3&V^{UJyg|bT1r*9nig?qHyeh?uD@iwihs9oim2h8r6_45i)O#G_bh! z>FAi*swuLTrK5h0YF>1^>=Y<-zmyEFEy-VoCA=QCCZx35mN*>G+Nm_TQE~NLY3?F6zL!)9L=(5RrX}RcBFmL2FvI~ ztFm>y?q->kBfQdsQ&z2)CR|#C4h)532W!I!YZ_;c+wZO58bHstz(uYFs=sOx!?(k7n?$A%`x7ACZ z|Ni9HwXfGd&wh7tfBxO?Dt5f4QCEnEOn?H05KxXnCUCSeA`L-ftvV#^ACnS@_b11v z$L3o1z{KEWXnHi9o~r8u932>|?}OyXFq}+{HuS;rgOx)I57rK?e)x9gi!Ya+rVD32 z&7b_RKXd+Co0fAt<2l5EV(=9b7{+W%j1_815k)*D&HV3qzyX0F#;VJ{>^DK|aD`p?n6Fe=|Utw2RWA!0z_dC+8F)r3KgFvK+k2M+ek z_vp2bVDkay`6|I{X?T0abh6ANNz1e&R5z&0KaIKz7tiO8-^iSOw0dU!RN>?Ys~56g zomx7xa$;`jlf~1EKNi0Hr1=o5AqOyG98er%N(6!tR}O(!@{Pg>1I%H{bu!Ls$P>(S zfB{4a${|@qz>MQdabhjGBA7VfmHB)dc@&C`H|L9(=%XW(#322~7L@+w7@v&v zq-nfK%+=bpzb~B0oqDj7u~loI=a2qK{e1!P+3%nH{`BhG*^j=e<@dqrN9&iz7v2pPF8rD~ zcOi4_=JL<+e_J@Xbh4aA9*ebhGJEp3?BSn>p50zQ+mpF_Vfpd1ht;=*tG8`Kxl1P^ zD+debPo_B``{=9b{Etto3I4otp>X)S?8i^CPfjhJn#^9luy8K>@X^qK`YmU9Cuzf2 zF&GWz9vv%>-)0CY5T=+=L=d423p^v`kiQQ2DAWSu1VkX<2*n(Om=wkTCZn>Zo9zjR z7XapY(2VqkBLbp`0}YZR;T#L=1E9I!h>A9&Ad?(=?Ler1&gyjc49Ue46c8_9P+^*> ziIKG<%_W3DI7AQ^&pxKD(OLK5bq_Ztr}DpxufsH(N0w)k89Fp z?VG~w)ucgTC=oL9b*&$yG=Y#ilH{7VzcLVMDjkK0dzMZN%xq;K#wZ^*)K$c1?f2p5 z8H3Mb0PMH!@3jA|$@V?(s%t7R&AOOXJFC#zn!9mFN~)`;q7${EER4_2 zwp0{Z4>h`b$5_*>%Ie}c8BtOd5B$?F6h6KBU-|pTmVW%pA4YQ@U0c5sJg^;_BkGm> z;Z6sl?$%n8))<@|tkaMJ5i&FCG$h7!b$ZftUxS7;m&%;_aQ%pC{oTxsr>mEiPh@ZY zvhrKzv(I|Q*KXu~IoC!_Qge(@%2SRA6mdM}DqM4$RS*XPk=6|zNzl4xCY-^#_Nfua z0OK)gq)SUzc&EEoKJAcADDai76^t$S{`t0Xd;MQ6JO930MG>HVf8PGt3~* z5blU>1QIGRKnTYRWaFd(%SedAW$zr%AB9jw+K=s?o-r z;V~!@2({Gv(v#Co6twKQ!_Lf=yZ?9nn(^NYH}5VSb+3G~@WXcV{>c@l1FFo4Ptz-B zZMoAw9jHDne1B;DlibO(%Rj7rF*}+6;N;3@q0!;&#jh7HH>g2Mj1}p%`wQomzFoP! zaCP~&{Jn4T2R~RkTsZp6^40v;H~E&@ks@J*8gaB31cwO10s(+8b1ihB9SJ-GK;SUJ zm;wNK2DZS~SMx|vtAgXBqo}Wby(x)L0wEYbCN z1r|>aiCSH}e{>)~WF>f52%2nj%~un~gm4@Z6onzAfafu!sJRgZLJTRcs90@Q6CxY{ zm_mXC9wIGjLrN%?owJrz3S=)Iwp(;EJ{{YHwC*k{J{~Z(d?p zZw?#%&XG2yf*9AV%pSqi&ylot$dxdRD`wM<1VJwnMOFehmpON-aN*14gNu)=TQr(D ztuHhzxM$|%g;KX^cA9t`ip4G;%3eB>JAQuk+x($ls>KIo1P`{D)uFF1$mS94h)*am zDgf=ED`rq8Rap43@WVTWPfsrVEF)1E*ICU1>`l7neRVVnbY{fmPxDUa{5m!UdZWM=RhC>6AXEA7Vl$DM~3WsrTS|Zm=1Pw+T2=|ZsWa$zpnT|E23?Tb- zSeDLKjS8rxGB@RS2)X?McjM!5GBjj0x=m(@j#}yx=ctX$CWrbut?0^o}VsrsFmLBtUx6deu~_F=>!4&V}fWm^U*o)q1(IIwY6rliEz*g&^V5e6JU zxQ=UqI)~D|4O|Oh8=)GNYe<1)VgG)O$`Kn6>{F@cwN7zDqv{=t%ZU|?D1c)c)m*4A zv@xsQ(4kRH_Zmmt?RXXhj5pdqc%Co_DbI?AZ)KW=BR8{O-Cuv#v3zX#{(t8V-d;QV z?EAG3-l~hrq!=Pzpn#*45I{)ru-G;z6H$Z_&ryLg1PF&2*NSSP$Z$plfDtBu;{-rU zj0$QV0G=m+0>%@8APy0x#FQ}P>37ZcPmeX@N+{vG3R)k4fI)(b>}d^z2pk~XMg^#R zjaXd9e&yxi9GJSyDDxw3X}$6<8;xg*D0q# z)nT|i2)ZHrz~HFlS#cy{#@dtO=*2u*(1y~02Q^Lu#>{S~F*2jySMxy#O~pgezTP>K zsv|bg3VrkSnQ=v8^s?4h%_LN$?U8<~cRKq3s{gvg&Qkh%s?S;de!@Fg_kA?I19S@c zhc|QYU3vB-bLQQ*^N+5VpX!$H7XKwBPsrZAG`INKUzd(9eY5t_-`g`C*p_}Sym!yF zdO36H{@Rn(^DQ_Iq}yVJXB1J4AtMY3m}86sMJ}lJ#6=WQf(5oAfGI}>f#8-L2O}Dl zt^`0@T^iLePS}jIt}7s{0E5gL_n1A6mtv-JSdvvDwhIy0$w)O zpWIjRwl;@0=8Y~G*r=?xyqpzW`xV^6Ijdiz3L+10o2>W{rN*(zG-K4LxaoaLe(h>i zTsIt>)s{f)d0pSI&akf()iLX`c}s5C<~cD@H0X02<0&I0Pi%eAZ}SFghvca1R}PmH{$YcjE_b&mVbI``OND3>nB(4EuZ*D z$DP-!QTbBCyq#4J1rssztTUFO=(nKlOXRINGTKup~Xcj?HM&MK%PKY z@?}%#nbq5wdp|7R&Yb=DjqHtU2UZ?O6uV^Yz03#itlXGbx$v*Q|MtbogTmE!|0nbD z`3V74uv4x|NH_IUbZ*IsJ zr!8uGGb;K+K3h~&J8Tg#@`gL;bBcjCqRFT&+-VsA03cvo{67Fd_J4#C;d%Hk5EFm^ zfgBY61#GCo_+M0DXPaL7#UdLm0nc4ledAt|pIWV|4z(okMePX1-bmT}zVd*p)ard| zwR+zlROYf@Ms1>$=11hs^0sO#?R~|s_euRn;;@tGn>lY_LqU>%~)O3#*44( zMq43;Y($#9uMJO=6qT_msT#(RZ9XQp6)V-yLPg0^6(q$}#UvWlKZ=X<4=PtU=vTcl zSq!m#qnz^_rIf`KZ~wC_nRFGb@%0r>9d5iW#d|SDcOPxDk48czBujEVR2hbhMne+o zI0Y2c%&f%=mn>xqhSdB}^bnURcw6th`r4Nks?HaSM8)u+sqG}Gh3PiV6I&=0d9ylM z^wpHz`O@Kh30I@P%N-DDr`C7cE1fjBYCbAki^^kOE?Y8$#q8=$T}1=3M|8|ZV*av3 z*Ql_IKqA@&BDy#ib`X&gj@VoP3E1uu0Yk_^1kA95i6RGG#Kj|rz}X;Y2goVXiX&+A z8KP3jXUXRJq_b&I8J%MK3Rg~zWTYdbol5GwE}Ox4&1Pm0j4KLC2gJexq{Ac*7C&zghXCsAN_+2P6xz`nlBUeb8kH zMonQcvLS~msT4e;OFsqbc*)xaA8%C^^n9~;40_We+I&%u{C&y)t|Iu$)l`B$fh0ja z@+p0%fP6~cHb9vBS`R{Xk1G8dt`w~9QPNE6n$x&_sZ`1y%X^@k;ZFB+4HuR&5h?oa zmOoIwZf)aNf7?}MkR+a5N&=!`z#5-7_>Z;Ay0owxvu=E@n0141R&CYSc@5QG$h=Ex zovGjoQFV52+Ras85msZukbq6~k?dtDZctb=QgEbJ*X966Elp`OCE~y80jW_MG1)p* z8b@`LA*lHf$e$QCr4M*QHia`@&A9hw9F>oH1HrI2y)l43Q_$H{P9cV0UsbDeWRQ{k zz#@X=7o%aXqpTHF3XcI-lO&2YrI4b(EZOjx)v8?LZLP@9Cc;28_G_IC*bGnFk7XQ0(&`uA79@C1W%`!z)jpgQ^M&$|_Am2g+j zhvn0rJr+sXgURYSxqOiQ+kuUw2P)FDcve>Z?Lg(|w{bElzN`zMF^F+7yiaMH*w+lE zD9!vXQn5FtSr@73A{AYvqKi~?k&4$;ICYVVE>h7&D)#bx=^_7oT)w4jR?bkTw?TF^xcO1~~z&_xTHk7E}t*rTVsy&c!k zMGIc$nf6Md1rA$8R09BZ9V94mH|`ipuz$Zs#ld-KvZr@*w(Sq>-*%ZcFdiIn?=`&O z73yD4ygxWJ(uEGX&_NeEc;%pjS5HpuEfnF^>))3XP$+fC3k4I3^&4Y7lS6u}QS~!R zZy?m2N9}+Hj*{KM8A?r+Qg2u0%fhMbgQGp$ggDrcT>wsmIF8tym^lD*Aqc1wP#54` z4uNOD?!b1;J1D?5r-K2A1>)i`b@BohYgRm8YD%N>2WocG*?GaG4{KD`9+arup}+Bq zO~?DR8r9?&?>1G8NV^YMRA$nv2Ug4=ZOAAwWtADzf!p23d2B@A@WBg0H>&Hd+Lk>J zZa{!2rhn~ln^CGTP;JBgXZ$2@xTzBWDmJg`Z{a-`Zd(4T@| z!>%j+R%Vykv+X*Tg$Irq?_M*Czx4gtwSjkS;9VQ|t7Zd#>BZ9CGI_uB-T87_xQqSK z^_JfglcZ+8#t`q0`MTKB9q^DBL_6=Km=|mUkDNRJ0^p&8V#F7(FsC+XBTkNqjI%M0 z6YRj@pbi_OOyC^IX?MObgL8T4Up;#>XK*!Io8vteXAtNH+8dLr)`=GO#}o`sHZ)zM zN_oA!FX*#xPp3peJ;OG|UYP*B)}9^_G*s;cS^BFYs`PsqEdAXuhOX_t8^*8=CV6#b zX^;4H6P(x8e94Zl{WQ6Hc;U?Y)s@?emw*5D=e1)?Pm=kceqK0|y?#Nmh+U#1ihX6A`c-nR*LqsUT0&PB_ z)r6xw<|!sEC$<_=0I7fxYKaE|BoLm1l0;E4?DqzW{WB^?A{!%FoH=e?f2%a*k@onP z-(5JraC-fC?(-x0cWxE#eUSU~gSBJ1BPZzm;*(kq(fVnc2!`jp0k_^8)~LKmJsFzc zS2vs5B0tr6c|Z(@gJD%H;J1Y%o??WCYRGIfXjBQ0*C(o+q9f?6JuDe!9K};=?ITsm z1Xr8YfoM?GA1v*ss-UZ=0jd7>cW)pnhFvy?sCxUK2g<2CN1hBRW5^ZW*Jchs5A-D4 zqGh+VSGr4dxkN`)qZ(cLy70-lWaiqPg|qpu&n(}~eD+)Z(bwx||Gai;;j4wi)uM~% zgPy5m^+7PSk?TfVQ;WA34zIkoescY*!olBaQm=GOau^#5UAULMc4h6t@(EYr{^twt zWUfA5Ik$RsSYB5D9O5hrr7heLvfsS_Z*Q%BB>XcRUp$@t;)7?83RgZ_dS~I&`m*)9 zxpbaoSEnPZm*bqZxykQ#ZnO4g~s1jrEN1rBi( z38mZMWmQU7M`e4lzq(V|_F;b=T7k9+zblotw}V=?Rqfv!a9yd}w*uFdg_#0ghq`#( zR%Tb+fKvlxa2uysDc^BuwT0drzU5jsV;8U#qGMdT^G08gOcgBgzk2XOkR#!6$*-eAvbMz!K}Rl zW|cO`x}of1S=$hYf=DVcDGx#^cJXLncD4`CjW)hY+QMjPx*NCBB5Ny_j$!FVI2f|I z%Yf9sW$vBM{%}2e`cD3%&lf)(U-)t1(ds)5g~tQD$JxH$V4 z=%Xt?FW$-g_{rjzh0o5dzq|Nk`SQw7zyEeL^Wf*qxkuG16nCzg??(+INGu*%eLVU0 z;&++%uVl{OUA-_=o8l!1U?yfsG*m#JyKy>u`P$!BzWle`;oI4>-^)uf1U&wvHKkDA z^!hvX1;hn@s-b|)_wU*luV&93|AT(dowX7xIsPUin13dMUp4 zD0BJ4`ocKxw5Qs`+ly()_WbQbG&)j^w+YYKC~I${8QZS`Z4S~<7C=?;qab{C3Iy30 zD-DL+CJ~UL5L3WExGw&&mHC(uwp|&gf!@~?_t>G%++M_^&)ym0VGdiZ6i1uE9!Z^p zvxt+{4#1CKTsNOgq?y*$4g@Jiy|w{C9Okwl$i!&En#6q#NXS56C=xI^6AE~UCn63; zyO7B11c|(o=J?%|=X*Ykrq~&q4Wsb}++i^iX`B`TFll3G>Ix|38JijC^ZP^Vf&M&|o*f}!%CqK}K=_`Z6bCotiQ z@%GV#mNw>y2S(EK<$ohDb~k+NGrPwIhZD2>ZfQ+4(7U&lrfr?8d&32c270&R|21Hk zH!u%UQh@L)rU32VuThzzV`L~f*yA+KMt5_aM$3*Ilfu z8@+1oVz08q+FN?-tK8GirPV@+I#6mM;kI3^Emgg=o}ES_2IIQD>sj{N&Yzmc84}>` zc$}5$q(pnXb|wCQ7H4TSbf}^6dkdm3xniSb@^klSY26^tV)#-y>3rbqf$cxIgANM zq>emcaX#kVQlWB}1B)2;N9sJ;LP2LwAnNVudf;u{15Ykzs`cxVKkRjXxzdg=&!g)v z*X4eAKDRdGY(qw4{&b&jx>q&=WnZ-F4V61f>O5otqm?-FoxBTEA_RB!K1`YL-9C?~ z#@y9ShO{xC@+osP=oB?7$VihShaxY=n@jY@ChQhOOFY=V^l7-atFwW2}T?i8MV1Yf*Ez$d8f?*@IH=d{ zOvg4JkJ{C&g;kq)6Oh-xIUX45ivW#rOz#c%%F}G8=~@jLf}Fquwu@I3sv(al<0&LU zb33aVG9K|fk1%R!a8*M@8NvuN*246vMgk9b2q4#J-0JciHyeYlt$Vj@-9r;N-H_E- z?@&rF8-cQ|dq&%vLVnvnvX%@=w34f$@} z0OTjeBSSOcZP)t)PGT|Jk>6l3zow@Bo$TFk+PTd}{{GHv{4hG-%*a1X=S=RwkgzSL z{$iiCG4&4{+M4>K4VHf0n1ZEWNY2o1IKb;<-{0%u0I!IQdM#m=o$l0^6L69DN*8(A zLvyBv!IW%vyMV#S+q(l`jEm=8oXhFJ%!UcUPCIrYju6qt>;iK+sndpRkO9%fn2WgV z9JGmcj&TU`E=s7QM&B7hdW}jyI#F><+Z;Tj3u*^7Dgld)_klm`C0+^_b05#&M}7 zZmW2K!m+q6nRG!a)yOn%v>3G$eQ)&-THez3m@n;ZjZ|Bk-G24Wd=Pz2lax=PZV!&AL}N z&^y{Q-rGNDwv1b!rwNM6)+S2bY6F|7aGjSt+-u#gf~9lj1>?lhY1#raOj|fQ_U5F< zYwq_8qZTNC-wk!?-gDZ#n_mn!bXc5^iIIACXp^Z#e4bpo;0*#W>al2gy)mZ>OY2c z9#>QR@|C(26eb~bfXW4^JAz8eP5P=`gD0iip7#w#L*h_Lx$$UJ&`O;1ew>&oW!T~EgnhFP@|proFSzUXr}lRPPF{4t z$xeY#?odY{)JOpA916wt@Ql;W>SD1D&?vvzoTj5Q?I5XWYeZ^H50j*LMN~^ziePMw z#Jz2>DPEYg4S4nvKBZEHHx{zp8`wC#L@F7mi|;pHY0Gaat{?mN%dBdA0$LqCvGTK* z2JPAdg7UQl#P&eHKNn_(XvvegHDrbX-geNe)N>`tF&PiXldnBcw%6y91WN;rL}@#M zrIos52QV~_IGuI|87~TgOCXqYI2eF-(MCliBBvc-hFo?RClbo>yvrq02XP^e@uEY7 zBCD8}c0Zu0GD%*&h^BcfkX}z%wt!E?8WOVfWT-KryCK~RGJTiUky2IqjmG|w-W`gO zYI=m-S|w{iQs&GU|>q%y`~OV194J~f=iH`!0cs?~a_$27RT z@ng;OfR3v<-m5qD81y}F_2@?j4Lzp8?ZjGJXdur~!7br`O?90P3*0;a*IXm&w2hlb z8(S!AQn6Zp_iNSm*yNs9iGz57b+YT;5hzU2O;w+aqqIh43_0|v zM4DCLLj_bVTj7Avy0aP!g14ezrbvqyf)KDht;qtExrW>YyAffA0R zgmM@Qyg(5EK%TCI(-FoIiYeg;6$F7oX|hNv;)wbpjk<$hK_M{D4aWN#W9oYwQ;yFC zQZbXZA?ci>!Ou&hibY_x;}ovdErT_xU4sy%C#&s)5No+szIW={nv{dV`jy#Dn>R(7sC zU(O(-@fXhOR_bZjbe~2Q$FY%Ko#3MW?zE}HMlj)b2OAlmYPdfn9Q17{CKDm2En2%{ zqBLnTm+uw6{$S|$U(aW+TvcUGyr0N@`0>)kfBa$LhUQQC#~0TQrSeZtYzYt9NC0Du6B?DeJ?QSQhJf$@BeHuVf&gWd5(1kK zh#CPV2s~x7L<%EHwcmNq>yZ}+7MXTE7@}ZMhyO6** z3K0((#25%fkXpN9p^#79IFi|X#S-OP0^xbe@dQJj6F3TZY3XW}nn506hAF`i@&b?Q zUju;xo)>s35X=zk#LA}AigY?+ZnTNnJq>9?6V_Beb2O$+n*6N{Xf;h#wFMJebp!R= zlIA%vp;4&`LKGtmYf^V(K3R(CE2A7+_`2}vui0bAmX5C;$(%czyML|l?xpOn4-K3; zd-hP~%rAfX{n4R+kZgEgO~p=6L>x zYnJtMtH&~*f5T^P-dR2Q?3R1=s{{YKaAYc!zjmy}pe}r&efIe8>nE~bJy<-i+$WQ% z3D&Axa)%x#)*i2(Fk~+N_UuOH_|NMf7Jj()=F*+a{bPmqe$i#`JS~5|8H;UIpO8MR z$j@Cev6kwvx9zOks>A-O2>h4o_~ovA_qlfl%@_4cFPh z4(*2FyrN+^T`ssieb-BIrHU@M=ozz3@)Ls~rBU^#{PX&l)AJgMpXUp*K&4Y=Ysi2$ z+KrzVGbnXPX~v{xQm=i4#fzFClAB=QE};XZrgpD_X&n4bT>M>6686fIhrOVXiRv1v zR&CFN5o(ALAROiq+CAGh;W^4tD6?1B+rBZz9LButh7u+BU;sD_xXRX4`Zb^tkRZ%+ z9DeT0NB9OS$o69qhzf{80CsUeAV+yYU;=J2Ae;aR00Pfi4hTkwM--D*!@=>WXyljh zn{=-zX`gk{?CEXDDmA4IGn$Ub5u*Alx$AP83fNr@In7Uu@teuS<(_O@454{jXl!V# zWj^h0DM?~9Zr9@Bk;?TdogpgKGL71CZG3!Kqwqq(xwN}lgG^$9v{HKC(Dg?|P zlVA;3V)dRMcgY<*IwP*#DqJ|S^6lEG|62LHaOr4m)=MxLHR2eCJder7@?j7PO+gsh z3{heRY6rPcfCPbXgmFBhjHfb0g>p~;6bS%O068MTTa;i9*^ajzCuAVp=Z5MEkV%7fdCRscY2Ky;t;@GTLbR!`H?nu>CqqV)(u)ag49$4bN)_(&iauwvx~7di zEvlKn|Jgql9~Um%FPuD`TD?13`1o|;+;{oUjw)vsoA-rbi|p2q%U&i#uiFzX-uz2= zEFf9%_BM<|Y7j-W&>pkC%*dYf3F?QeDKlI`TzZ=H*C7!f4la7 z@}GUSiP7Q5w4B0YopS94JtJtYF@3FO`}c2pG=~GNx_|z_`f*+6!^b1f9xi`0x_)Bu z>*Z_97Xyn|#U{f-A*BL95Xy`~^D*z1R+ii}ViCjsx@M@`Ljo_O*?&;iYcMxNMsLB~ zFIelImI|1SrQ*^mG&Aqxo;QJ29C7xVHPD8=1M>G$`@Ll5b#DRKYheM9F~lQ6xLsuG zfQaJ+MlnGxIvx_j1W0k~0Z>DM!vyghYem(ehL~}PM_7@p<7KzU>$t#ZPeWcHk~B|7 zOzrcM*smuWAC@TWVK48nI!6;#;io8@0==|eE@@PrK39L*8E-GJs)olFGK-lVib88H z?wyjoaBb{s3b_=Yml|tNkH}tDCPZJ8PpiwbWKNk&v1y?$iPIbRMv9v)sNZcXxocG8 z?nGa`F!lG22KqgEZ*w8~Un|G|l(};@clXo6=Lg|i);IEp?-lNTkh$?*{>ZQOqGl$g z_r@)$VdM0cWCABp1hIg)whNg+$YUPCR-hUb1jZA{%dN8wE17aY00?8;dL08n5IBI5 z!aA-yRy30CSZwlvQ2yZ2+=;s@XR|-QTbp2! zsM8y$TSZYZ?DqzWdd;X9iENBsah4HJDron$N>(o2y>wymVg9pEvtOPm-2DFEGY=21 zpU?mDTkiHxbz(*@ZX8u)a>iMFR4Op-bK7G54dP%TMf4Hg(Bz{~G#1u{-GRe8janUJGo)qn)_(e9=EnQEv-cay3kqX4lb$LS z86FHaYuqg8gNYhVULqKt^9I~{Z&;&>&bF4y!$y)8=NbibPcIECN@eMOsK8TKp@p;H zKs-7CQo7)fE~)T-*f!d4DC^xSiKuHX<8mLoBRMI$L`TZu6YCUlb2J!|uWB(VI%IV& zcAifZL-i6oQj;SHF$xewP~b7;ffR|{OqeU+1dcJxOAjgTaLA!iI2l2Xauh&>xVm$C zQT5QM0)8;-d^lA2_=nu-Gyn6q-1R%!+=(l!d2Q4j!IT1uuyS=cj1WZ-G-?e-G37GP zxw+nurXU(DIoxnBJW~r zEf5I+Y|Kv5`Fw_DD;19g!efrKna^0@DF777&OP3A<@6w#G?nvE8J!mFvgKNL5+(Q-X631!p*bIpE@+W@Jr$BGkCse_Fny&Ro5_aHVMpkvU^%qMmiYfxk7v$4 zSU#Ki?9;`wYmd}xw+laA*0oXanw`_)5?;FIhqUFBp3IXk*3bSM9m$_LnYs4s(qWvx zbxUzy4!gsZ`Mk5C)JZUCc2p+Dj@-Fbg&bA8#+6q>R-{jMIqcFKAKu%35ZerB?Tx5Q zZ+v(wA(!PPpy1d5UjoO5&7h@2iD7#l$+b&ywfpyLR0ex26`!6hbtTeS z(i&BKynke1)W~z;l3tw}Nr#5#(;8JwJ3AfMcSow-w%(~b9WGPJwf3fC+wV>%>7kNr zi1=OrmuF~5qjCXz*b(qdb|+P*ld9%@C+t!zucYZa;D852yJ&NWoWLB+!2~DaAz%Vv z0>gGE7O+!rAnHIObwZcJ?qmXwnCN1H6WeV-bX2Txn{&Y1kM?U+zycr0)-0?w^Fc-51d zDfMW3uRZUq2YQC=buVSklgF37(dV9gocs2C_QHn^37b3UX^pNvKB-lB!+B#^xjOq9 zSMM1ht&4u~!N0$qy>n;n7v;|lz4do?NxxqBO}~lihn1Q{dZ9LG9m9s%#x7H~l($yOf^kc`9sRt(V?)euaysMgBxb6AxcadWlv@6P@6K!R!jSZEc@J!pz`Mp z<2dMwH_xVz%~qECOXy8GE%iYtUpu^`=4how~d#TWF3(QsqmSiE4qF>z0FaJY{+>?1w}5>YtUNJHA# zna%vQq$g+UMKg7;CGK2tJsFU_-K0NPYQEkdwj*yY(LS#4@ojFHdKnM#gyKlKxp8|s zvdPhUK~x~6<9F$|h5HPhbw@LAQlskg$%6cgWjFbJnkMzJeahWb=POyseYDfOAqa+{ z4*8p8Uq1@%TB_B~c9c`CAEr~CR&}PQCPB)Gi+gtb%?XXg2YOBNSKCRdBJdm$2!gxF z;6XWr5ie(PX>c~A5HJRD8wV7~c+68sV9Og9d4eIKRO0@zHBWA~8-CoRNIXnr4(mJZ z$ISzbDWMS3c2bc|fOFgD`x%}wNPo_h8}=I-f*<4gCJE-v3{D0oOTn+CP*+aRgY zxWzlv_`KvmnXoyPt2;I+3^y{xm}ZHhSLnRf=xkQRoPnE&&C1~KSK{Kz0Ugn(dIu{m zs|xUYWN13r!&P*{_AV$G0uEvXiNFDhv5XI2kz;1*gzx}vK#{-f+w7_P*>|rl9MS#1 z+*glk5GvtjIF2vc6YKk zbc?+ahs{?;78h`oU$ArxLOmW4l zDP@ERRA9|lzMA790~GPCWiR6?2LTYI$=b0zzztDN2?qd#2n#~XsCWtl0C_;Lf;f@Q zWF`Bon1P&_<8Q|+045qtm}9G@*m4jvtRv^zk7T6+uY&z zI+0q<1WvtNlHHa7I36*9VICp?8RDgAR@CVY7>mcjb}U5Yb{zO$Z;TzNrjy3012=26 zy62*zPkK)`Lgva z^m+Z>`Z+k}!U#9|mrcxRr&2oic;lOtne`2H?8VT0udJJQ4qM1(_xik1Z@u@YGh9!% zqgJgP&tJN?{KZ86!H2mU2V?O!WBI$s@`uj+S6w=oef+q|e%!FpZe>G86!HY}lm{H4 z0>zE{aS0ZtSYVX$0PvXbSbpKY5|!5`7FThD6}(Tq1PBxlmKJB^8u63Dp-4)Dr=%QW%25g+EA;#y`3Li zEIA?bZLDnJz&PLO25$4XJ)T+ZCJIf>CKZZw7B8{j_vt<(tCQi_70g)$`85s-dQ>H z?0WA0dztSJ|7GR!!b8XM_rE`FO9BKjqyi)qx8fqD1aO20u=RNdQUp1~aj2zJA!V2` zOc<)$o-DzEO>RqMB1-2*n{P_)#V=Nl|F5Q>yW_#3G->|%(z{@A?Wboy$MW}%Ej?ZR zDF6L&UGCj)o8~tevc#i?z>qP~JkP?}%i{Qfxi^+C=N??ooW8sCQSRbThWxirHotc| ztRACKN9b5AD;CDiBv-XZT^Ylq*>AlsXD@O{CZ`MAH)+@#xZMPv45(g48 zn@MSjnwdGJxPev%@TK?pYsoVeA9Ylu_KvVj$!w;(<0n^VrrkbQxen3KZSrX=mA1F( zsYZgAK=nwXAn;~XnxJsyqvh77N%=i1Kq zYu9_N>%G?XUh8_V?NRacT6(a(pxt!Od$Gy-rF+HVo|-fgKel3|(JuJ0$y&SvgijQ> zoQ&872%UgA1cvNRUWCX7krQ(+9y$o70)m`_Cyd&#izjwFbpa{}5Hh}cztZmCxL7w8 zx_)KbWu71nlnlH8d5q*- z3koAZ0Tu{BLhB2lcnlDah@`}h5d#+)QXq42`Rbo3`-_ZWBMJ0$jJQ~42tS)Q)q;Jv&XTADC58rs*RobR-mz_rCn-0v!M1{+jN)i0F zzI57^N{5w8B$Ix9LqT>!%<3O*Uw26*(h*DCADsZrY7sM}#>_LybqF<7V4mAV;bo!% zoN_t9Ky?RI+~Dkn)O7u>rcvobL));`g}Ip##qF(s6s5-vwC-Iy{v&4t!IVZ7L%Pr) z#HN{s)I*a&L%?a8ZTv>mxyDoV`zQ;{xkj7sj`8ddpN8^Re_i=7_uCiNH*&R?YGQEuO>yGCbi0v9;o`#p657$!p&T`qsBbp3BrU@ z3V6U+yBl{Hqm1VWsoVW+My+|IZ%bRWKndZoAiD^$2{ub906^y2*w9&oVI)vqc5$mB zu?_@0WK8DZ(9R8$<1hh;hgcwx5!&vuEkdb41VQO?)wcVp$2(;iYuuLoM5mvqNB29w zcF{V^CR-&cuin|nzh%!}&s;s2dvMIP`bF)FCdhHieRSFuOf`t->Db70depzE4Z<); z69xV6@!h;JBt^l3qRb=ow~jH>Ec(7`#TD5s*d_zN7~!ptd?YAwoj<} zvq-V>l&Run_G+W$TK$B}4-@8beZ`YuM?iC#LMR2zYrDJ4B|4%S)$*5_JMUKWFEOSD zYGYKRC|!If|Jk+0BkRYPkF1_tIiGua=0Ny=az{_Rz4A%++Pyy(PTtO(dbg%;mN(B4 z>x^|)?3?fpBbIQEG!&n^@@4ka)y(4~nH%3lSMOwQo?1M%c6#CX%7y&-ZwuESLJ z`g7*ssb{~)>nI|HD%zK?hG*()KqHZ$y^qGKow2>X0(GkQ_W25QXlLFgUx89-d)rrF zM+}L3!(X7({af)DkO~w9w*lOB8`#QJoAjdiz&6gZvUNug2f`EK*VJWThx#;{@(&Dk zy#>170$p!`J?1S?WNr}Ec5h(g@ExgSpf0}Oc%?1BsqUp4vgxJqG1yUg_FB3Z>}ZcZ z-#t?$l%lm?0Tk%Adlpo>q`a)XiL~7xoekM{jTf`nd3#$g*zRewH&lXB&ucK;q(TsO zBnN_CC0&4j33P#CCkzf~R9uNnb(r@U46bSvSy-cD4!^%+!KDQzf65-1)u`N_5`Hl1 zOpONmv?ic)LXB!-Vsd=gKII@_lu!x|MoGv7b$jOZEePRyN|m^C+Vh#J-K9dYxnws;3zyd8kp ziC}Y5Bycvs3xIIg2AG{e&W;@f38G8H0<;kq51G@37>5PoM8L*?lTdr*>YB~Dc=!1d zT6cWPFdDYId5y|C><*-9jfBP0ueXnDR9JM^@Zsq&ogOvLX;e_(rbxgE~pk_pxM zrN0s|b@wjzt$W%2YSQY(phTRUxBCN$`g>tj@@q=(zrXU$>Ss%5%zyZwXOHyG!u8K$ z3-1@cKEC|%;%9|#pRRtY@OiWQLyPG9j4jls_cUJSS|mNthLNN3%Gh#^XCOB`kEx*- zw5;;8TbryB;6{3d{@!NA)?a=oFD-ZX{(r2W%v^Z-pWydLUlpz#8qM4~nmhVY?&#CZ z^~1R@?`*O%jn&wAI;%r|gVvxt+9P#qsrJKB=h%4As8LzmafR2UCzMQURJ|r2ukhAx ziudzcmqr!Qnd@E$I=G@a(B%5ojpo?r450qHN!cZ?p8ub{_wG(Cxz>mO_ov{>p~t>v z=2X>5g@1m15kd%o01+km+GC708ysdG-#Ip?reBZQ>SVbZsFmjsBD zIDlH};AyQ{Ynl_P_NlOISM6s%+imIR-EZWSCP+j8hQZ`|PnzbaA&^;PJsG z-3t&&A_gO(lkQ#5R2Me*Y?eKUq5a(;t(S z3!96xNBl$0N}o;v%mllo)L)~Dg~R!4fBzgnuUAnqdii9vRF0c1pwjRmurvYLR zLM$IazV>|Wyh=$A9UaiP!;aOIu3uo3S7?yCK-6$%>M`2tvT$f_>rW3(4QM1XAe-z^6b4t(b!H6tFCIX1+<&y60~^t;^A|5v%bO|5Hi zvwjV&``kk75N2tLqDk=anj27nMgY@t`A(p~4gON-}C^12ikR})o z0=az*zg~>r_b_9gkoa-}cui}Hp%b&a$Gj_Oe3imi-m*JfKKpR-NZyIF1#w7KQhewfX|7bgfUKxxB-ajZV%zxWt}#t4`ugDOR$PKqz#@9(17`n2gN zlt410?)#^eySGbc9v7aUSi0&dKRDH+pKC-1a7RB0Fo9T>VGvCaB;?U2OGPOx_g6d~ z_DB5Dlsmjq2yaN!GzB4n5y?`Rr3l_MP%0=20!UH>#ZVZ~P;i%KD3Zo3%~A}@F#LC$ zX87%5y2M6VI=cx(0@+>NrSsd% zhtGf0SkqT5jmBtc>^*WPM*mg3a~{mU_+#ni$@1B=g>wxq)JEl8J&jlr6OctT!xD(s z8?{f%&~{)N5J@{X`@`bv_ZO%?{e9_5_JY}vEwf>gl^1vC?iUX3TDVdGe4wjWlea~K><4e2pN6TB@<(}qV{BF8(|IDv>Puo`-b=4B>D&5;Ze`xW3 zxU%iRCQfg1wse7sh;4H9)>P0RbwrcyR45q;xjkXON|C)Xe}3*&W&h>eqwMp-vDf)q z`Db10(rew?u_nDXf245f5$~SVrd+9*=F^qV|#WmrnOaxB#4uyxCRG7V8zOdzo z|1I2n^QXDf?Bazs>YffwI@7pkX2vSmZ7CI9rY^yi8L><@*JKl6=5D@!Q#^efESz+C zka!p|3<(HKae`R6!$=7Lff-EFP<9wqcDyU>zw!Qd;peyI2WOV98GQec9v@^VIqpJz zp0wN;$=@BCKUchbB|lqxs*@NjiGA4m#bI^exei4~mj|oZj~Ml*YQc`*jPif&fx5(2AgLdE+HQ^@HY7DK!ma>1zyy5I1Zg#*Q{Ckt<%BnsR1s@MI<6IwZ0wZw8r|9u>q4?MpEzmw(LbuZqMSe(ek@DbJy}G7v7bQKKp$zCr0o# z@4S>(qmTP=MB-L&GS-_AV(e-HTK#=w%o`JSEmyuSF}Ab07@nwO+TtDe%t+i*O97pu zW5NMYlPoaOtrL%44*dE0`TUvk?9R%**V0`I2m%2>LC%r>Cjia23lMD%YMju8yERiP z#f+nSYGMp#oD$E>g!_y-mBQX*A2$w~HO*v@7^Z`+-agSqyLM)D&|t9*3hwY+9D;GN zilk&AfC%v*HXWj*#gOhs6B+!|5?=uZLVXFLwCjn@?RN}MMna+f-o&s(^EXE2xASi_ z`3JGzNjxM6kWHbfo*}W4SiZ#&eHyz*PmfC86?XNiz@c$jIdg|uDO|psjIOxk<&l8o zWiOmy{Bpy`<^|G7Y?j8DU?Jw`V_iEGR~CWarXG(agx|tjbr&E1rnLD?`RvWPo4J<@ zn{$We_u0w^E*D=|GJ}`UfPg#=H_2-NJB&x}$V3BJN=h();S% zt^dy5n!8=TcfGXd$M-L!OX&-Ogq*<K^=N}Hv-D_6hjM#?Yg@9bzojX1Exc~qD z$5p<3MqRph$X42S_fLy&|N4F9>B)r$9ey3zEybGNY>~4EM+2h)Mm92FsC#S@V85hF z0tiEz0OabTChrH~0w_Np0RJb#i`RD7tAaH{id%+zbk6VkoJi%>v-TPH@c2}c|IB)3 zVqpLxX^Mbc^y)_Am{}4N1SSX>)^|uS7!sJ|Wf76UG1ClYScpkE95W;cf2mZp(ujktMdljN#PiwyX}mrN8d`XRl!z+z2hSpJw2|L(0M6AvXiO= zg8lc3BiOG}EL;SU_T$r7#pMZ=>4owwE?Y&;$k~ zqPVE!_p&vW0kw`ZMjv zlQeF$pA%vzWvG*Ew2t6V0uoXb#uUv08nY|~IqQpLOvn6FMeccVO9Rl)UG$VJgBX&5 zn5Jo#Wcg7{Yl-7v3B3FtKnwv1j37Ty13;1?mL~$mLYAZiVH|+Mh+-+YtVsyO$uA=n zjnP07DFhK2jXvl&Xn;G+R^if^ffQl@CmNmymnJc$37VlBhcvv+6lcmv;GQdw?!CXC zeVjWse`D$930VEN(B;tBDp@C3@^W3DH+}ND!U#SO4DoWKuLV84vJy++hncVV;kAsclqEF0j$^A9DKVr& zwh`Aa6hXY9P5Ko^{E1=2V^ef$7{WHO#QkX<7|VQic;W$f*a~GK#gQJpanv#}X13ur zu*Cy#dP*I#d<7Uw0*obq#jA^He|X9~&hv*1I%fLf5#A+l5V@kJULNkaW^aCJ0OSo- zj=xA0^2cAnKYJ*0tw}yT&2T?8qEfhx!#+S(4`+;;iQ%+)%%D;XCaWiI9!E{9eH~On zl3)gX9Po1OV>f^z*o_f|{4|6f==ag2k42P^pjbrsydwMEdTkZfiAA@3#t@>sv|%W zrQA3g`4Vvm+_SEl#|v28$^KroJv}45w>I)W^Q1HuL7V|U?l6hP8MNy}SJx&;w{a#( z^%{hb&1&75#dn+6-3`4>ie4Q!)zgCb zfDqd23#CKJ6`(L7L<-l-7CWn2K}+<*I4NXSZ0@rBw1kMON?1x9o!;K(=>A?~)N4)a zEm-qi)!GH^(Ob0|yV*MYy+v!anN4b=TBFh0Y<9Cj+s35mOmfLR-Wp^#8|>(C83;to0BAel+-QYd&}9brSk~6yg}yN^ zAXOH&5Th&{cUbKR7bU+Nx443CjjG$*9pc~RLKwzNv+v3;4zE7&mHG5@!>2Kb#Vo=E z{qdSx2^fe;hK0OJ1r3i0NKq`!0NM7(EG9^XW#s@BN|Jz(W&ulc8c2fpG#rYAgtVtb zAnj$vCV&fIuSR@192+6qratw$<8DtV97=_R?o_wWC-kp&2`R)X&tK;^FP{E>Sa7|t z>*x7<`Ag;7ujk$^?fmzfqhw{zW!`{ki*U7a;a%=l`R6V91NOx&@9$Z{y}rW1o0X@t z^Jnv?=dYA^a-G7R;Pa$WcmFw9IziEPquXWFhk8WCA={LW=}XvnquWz`iPPDt_hVG(}+bZ?-_}uh=MFhQY81O7PvGe z!x9ja7z2hTF(ZV@iWDheSx8X~2R~FDGZRzh@xhU{7dGW`AruQpt_@O0r&$Hps;?kG zGZ^TAgI38^vAq3pWydU5Rt`OFE)OIbKvIAZ;^CIXF$xiMwe-*oWH5k` z6tB>p8D!%`%84Swyxordbwa0V34Drz;c0KxzPj0q?+vsPw1327uBmq3%t6ALo3lY^oVP4GrU2lVR1P)6?)8x+pu zFtlRv^$}yr2Kko-z=+(V@{y_%b#fyK?=G(z-JDd7THW6$gfB~*&2p|{6k z>`$A6O&1om6OE5KITv(O6AT+3hMY@N6LO1B59i-nZjO$?Fx6OKBoFocnpE7xjYO;+ zrHvWKy%VfW^n7AEYV>5p&ue@Wqy27AUvNNpZ*2!~liiL!Au&NM<4DFIB6UIvfe+0G z;s|5GjOHD`rBk|)k9WJn<2SP~1hmuBw|WQYB0Z+Kn-KQ^6^HR-fRpD{VrCgCx3b-{6K48oi_^(Cix;$7j+p2Gfj#S>S`uMYPQ z&!5R|DLlQ9JMS-TdCG6~u-_jS%9dPR5)ef~79yHK41pUCAW?2%6@! zZ*^q%)6U*hzYmRudQ)pzmyvJ6Kn%#Pv<$Jdqj>*m;oX_it_Q`>piQFFBQtvbp-Vj-=a znJk%M^Ju>mAA(Ae94atr9BFQ}%zRrp@O=K-((zu?Sn=}B`5!Cy_IZkXp8Puh zF!7Phm2p<+W3K8dd&cC3LL!#hno2Q;r`u%wazumnldEQ47BV8MaVhg&RkXv8B-1gKP){Udf) z`|X(UOiV~NWHKt`c&oJ{2{DBL1BK>qy%m$C!zUMBEzB0Loz6cY=HGo=c(=DQ`>6Qx zhQOZCL>ec+t&h0?00e+g>RgFOQ^Yw}!k9!PDdqVYpB_k$Cr8};b-i}56j(S{KDDR# z!05^waV`Ik1EG+77iXB2c=hMImVUjkyuMZ1YwqBmlwS@3=se* zhQI_vHaYH!^(O4LmP{JeF-gS(39UpO_I?j3X>pW}UCQ2VWp5|}i-_gro{~MqLYO58 z1`{pVH2{mqWgCr_F&Y4a8HPp#<{e{&X6j}DXGGPtdvzHM&SdOkJbRiS*!%o)>F%ZC zjYq`;_ZD_%59VJNUd|SdpLqZCsJvY+<&~S!rF(Harne2G48nCs+Kvx9;>a#*#&7y( z`O(kxrcKVune*kRk2Y<}?%K5J553uE^C$DiHgU{kaV&B(tBOoT+pwz^FO~N{soZ;9 zczH3urSS9V!udC)eP>F0&X#T;&t7E8ceduYyuYSfJl9X&~RqrE2Yd zU7!bdi>9d#aXdBrH!`A!?cI_lU&t_?)Yk3Wjg6xLA0#t+4HZb@AlF!MVGYi#M~|v*#M4 zLYzsBqzHg$#1aI_F3(npL~4d{P4~={J=Q%i)-MvWyKwsY{BCphJYUp7g^}3&3CrnMNpaa~(TT+;)HQ{^b14;>kmNaSZI#fP^>;C*{Oo z5knz{#xy}PfMun`ut#0C)vjz7FWwl39VMm`Ab8d>D;2L~Wit=4xR4qodLZWWs}v;9 z!^17#X%!SLEHjDCfdfJHcbo4VL;Z}j3_7xh{7LlHSNwf_0G_RQV{8-N@JB}ryJ>7;iM|-B| z86vtdd1C_cNsYGGXlyImGx!0)o+;TtPo(i0!fk|jsz*|6-%2`4*$_{YW88yg^zkXR zRX)};)hg6;CY7?Q(_`x#@A)4Y0=U6C>4Sm*Nl-N*kGv{WKxP=6gaQgMD&?(B~c=g0Zn_EVKC-Yy=x^zHml<(EG$zFOSAu&sRH#)P-< z^U>_~?A3J&6J$t;NIz!X0Y5`xHsGOr?f?iN+UY1DGNh0(n?30WgbU z0JG482~Vx$kDr``H-J8EiW1?G{c2(b#LyHb2`D&BS{pw*|BS=#PehVDcHmEtvY}P7 z0r!|kBlPSm6~n}Ubu_LOf+g0IDqKD3mZu8Oz6i{}$(|XUd$xF^viYZ_!`ba~mnGhi zW7ZY|ZB}asHfRb6{R#Z~%R66|etMRgKTz3!CH~Lit4IGR-MW@NnSWb6c|5;$>EObX zX00R9%%sk4Q;!IpAUuLDlZ`=0dXQq8g)9wtK-dn`P^`V9{L?99x7da)-L4*Cm=nLn z{Dm!Bepf!at#tCyx4BdECpsL8el25Bvpu5gUV}S4p7sb!3ng0>XmktRz`O=eOE)$I z2vL|Ncr====UHoUx+tNmbUo*jBasj`or0fG|6H?I6XO9*GV1UO!9V=>7j~A;zI}hK zczIuC_gQ76^yrGwGB)(>pXSbGXPcEg9+t`j(kOFNSLxQ>!sW}Qs~2)V;^Lksg-a(l zbug_)r)8(qh)%kTNysuJguLnYAz3-(Q$wUiM)*XD&Av#fa8Bw3SM<~nKPLw71D#Ma zGU4XQBAr z{rhgUO|MZq?0xGmWs5VZj^$oyOSQ{3U^D2|1K)FxJl3&UrBB5=7S?XGeXmjX>Wx~9 z+TJG=Q92~;JMI~lT)A4SeeEUt6RBnmtm)GZsI6L^-e$KBf5<0D9{F`p>smjs$vI;C zH5;_U>s2v#)X3Jm{_3I0!E6VE_!Ci5$O)q}n{`I*1`$#;J#byCm<`qho7U>oYqV;O z#_TY4I;`70L~bU`=R@Kl*Jhub2BW2Lp9=|wte~Ho0z+CjtG36YHub2#SN9C)O=^pN zJr$me2jYW7T+`au)W^|og`F>ZGJX@TdD@JLB* zL!^BUk*d3dU&hxIS8b)Z;yf;eK^z>J7|7_=DKYNd=15M8Vs@oriP{14kY;ksFD^to zV=xTpt!=Z3{36ITlyb^S>l|rUTMcCR=VMKn=~^={shbqjly+%yBBO6t%4UW0WUMJ! zo1?i-EnR!Uln$Saa};R%Q4X>|{Na&-v7p&uX7x6~{pyU5&I|{Hp)u9D-YYs`T*XD7 zzd6W<>B~nfAd*Hjq)0$fB+U>k7ZljRN};4^f+P^jqagD|5 z+yQg>#)-ni%dHfw5)c3YKu|nN1QFsKLX23zQ1U9bnp~6ua#3mwNs%-rDZxVL=W66O z;O9do9vh_q+?~B$+V@Yw&Gc;Wuj$UiEVUoG5jT5MNW^Fk}f z@8}ChX1^`myHwtPW9jDN>3_eyv+(2_R(>&Q5@;HAB#mur`%dyIHV+GJ#@i%%j+bMK z1~f}S3Q-KESeBResTmNycWgxNnR+L^^OSbHLw}sx886(swY2rug@Z4P&-c$?=AeSx zLcR~B$0DL7hM6|1n>-IRA<^T*ggP8k589f%qDzV17#T1a8sW5Dxcorf+7UtJSJ$;# zR9iTz8}!6b{bZ;;{QPR2PVe}XN)ZZlkKlOyOkM&~Pmg8l{;mx{)Hh(CidKmFx&4LX z+ZP@d9$(Gg`=NC0WOh&Xou;z+Rq^HVzf{g}l7O!4=7#$l?rBa==YtKXy98()v52J+ zLogJBND@Fa<0i~J9jcA`n?mr;l?&#HLn$5S%wA(Q}XG!CM)O8 z{`>8P@|!K?(_88J3xPzc{BGOQ&cVXoJ9AI7JM*vRPIKCh;|4+j+;FH#q_KKm_sn;K z^yi-ftRK$5TJA^6Rkc#t=bfx-15jn1rL2^$SS{2v!UXXzH27fy8}w^pt52NRO8nUR#5sJ7d{&&7rD7a}wQUSNm=kZe5@5eM^ zJps3u36KFFLjmMr{18)q6!3Z>>mdTZfZOARZjT%I>f7IsA1Sgr9zG~V6vs#M`CvZd zTwcc7dCXKWVxJt>*xNumw3Q*MZ(MM>b{v5C?!|Vf!tAy$Malpllo&CPhJeTACE<-D z0EuY;(^LD4jZAFoT4kN_A!n!qwVph`evnjr{^LbAPr zFpFq_8Ah&C087#|!%ctCa4mA7-I!gXy zur7k49lczgQ@xRh#oeQ|PMmv{%snsO|1p24a(Hj$?uEG*g~N}E&tHEVU%Vv}!3B)^ z5jTHa)-t?I_3T=I@-dNJFUahrW(S~>^xoe87f3kAuifkCNNexFWt|*pE0ulTj>Go`7vLLPX#-7?u%}fDi)plq@=v*^f+M;yQl*%l z>>jMz92s9&r5N)JJHihA=XRtsGZRr;@j4F3YO#F-aqlnGowh+OYK|~p-D#iNoi-G- zjPToTN`S_v6h-xK~H^kt$mTMwGGr!zev~G2Dax1xz-S9$Fm06 zb$6|;Hb`}Lc6EIMuNo0ns}z=z^i;r*2vu7}?TDxphAPc~p}RNHuTd$2akH_Pu z0OciEA4&Usw2yStKImmhFCtm!#iZNoXZ?QKL*P1u`r|v{I74M^WNqt9oF+JP6cE`c zTQVcnD2Ut;jd^r}d)$MOX;0zh&c*$e*~9t!mh7eZ^Uh@dr0Dr(EMp?Zoa#jo9*jhE zZXto%@~xp6XV~8}X09ogfhC+Fr*6z}dT zygKSmmd;<5E|k%by<-D1g)aX5ZQ7d9UjJh#%=EB>cu?JNxW;+8yjF8AmU z9W*H+W`>oS3dy@qC6>Gv1~*L4}gV2JE7j{-(;$DXp=hJV#ggD&@!@a-9`HNj6a z%WE|zJudTgQhKWOqL7NYlEUO#+_9|GSGGM_c<_DhPA6)?>G1Rq84`x1RchjqzJbWJ zQ2*BC=})+1q{-jta+UXA&K>`4Vb_Dg*#pHhxAG@rrPELU{>SeerQ6%*p8rO=*sx`s z8jH)6ys$raYFb}<_UK>P*~-<|#h=e~^1U+}iK}tlv`*v4QX1Tp){U8jP!$PNu<5-KR<((msBQkpkX9WK-Q$jx_YW3M{!8KsIsR2OWMaJ$R!EiBqSvde*b;V? zLZO~<`7@Xu)C{N;F+(WSBes$hieBAxrbne1?sKYX5NxLETeMko;ZlTSGTI#qONhuD z9C~+rdSEbP&`4^1fGC=w7=o@3!!ME0(8ELqC%Injdgk+WO1C}ZC6jO>E;O8Kp;|&Z zqz}z^t|f%Zi37~i4;vXbEouR$_~StgILzzw{qX=J)Oyuw>EWI*NsV{>iTwgLQQjv` z@<(b*C|AEr8h6-_Ma|?;Yr-Zb%QD4 zMzAd;9Z97>8}_{FL5-9spAipSOCcLnYZk55W;UsfYK=x~v#l@dnw%G=L%BaWdtD3B zJ{Rsfu9z|~Pp3sQG8r8m(tJl`Xq9Ei5VcP6pW$LX=eCu%U0iIK?j4~$5laJ>q5zkU zW~2G7D1snK#3Js_NPsMafTT$l5!@3c3A!s9vJ9da9xzhGdqog{Vrk4upmaJydqS=- z8-?{GNx)DPVn1GY&=3HFC`j@M`Nh4VWLcV~F^T1JuPOn}01{w^!@bin z&a*ju)9v#KcRznG?ml05`J!~?P2up{(fo;}DSMMQdYaSN#1k>^3gT0xC?7qLKT|mTX5muh`l-tCo3OCwwz;tV z(!##{vFwk3DqX$OQ`&QZ^X^(Ga7YHR7!sJJ0Hgqg`8l$G5kzc)qGPr`RxcJaH2_H7 ztf*m3d5P~i#rQ=<0D3Gu8YiJ7RCTo&@s?*Y9FI6MTxo5hJq_n38XM+XX$hx2z@^L` z@g*j(e_$jizXKvE>;>XIfLkq!Az9lFfXpN%7tSeQo)IRNZ^9O*Xw$0h9U31FM#qHb zVjQbFM1PP`of*^-kO>M?Hne3^v;JYdxifRb67L`M^-T`MjFK&wVBAP}>eg%rSu;br zU{`aiBYP{mFLyjPGEsPP2QKW=Of25~Eyo0rV&D7V%=*(hGL-U!hWO4GdG0)Vd8t{6 zQ2+!*)2J=(yteYND*+;D5+DL{XGBvzJqQ6}5o83tTBFmO#69{}E432P1cnGOSjKV! z3`=5w2u40px)NYa0g58AEN3V~BM1S_;lQgoPvheOoi5YkY}{0;?Vnxb8qsS=k|=1XHQr5UNq)r zO9#&vE}mYKZ3Yk`Aw$y$x6$1cLt~brd9;9>?w&IETiRuaATXjRnZ8y6mcW?C6d@lK zMH4K8XqLCch`JgAj1a(_vDH3LEGyP#&d@Ny_D;uaL5Z8LNfd04J(f1nK37y+f@Vac z_K7d2ds)4i9qkve45r+P)MUJkJ|+o-DFX1)OgEd0Bm|J65tNyWm}DUdFqEH*7$JtD zA;BG2911~Q!tM221p6aIlPn-;xS~=JWC*!{HvmYAWeC98!ARx!U%6&p0a3J-`#&Z3 zL~WVK-A??jc;oa$_Ehowxw-9)H&Q}tt1a3?wMYrrJ*J5!4;#Irr`^s;Gt-l7@&f1y zh~DVw#I*I!qyp~rGz)}L3d{d3J zolDDTv^i2^bpy2(HRFij_tbFa**Smr_YP_VVBDWh>NHi5w=wek1QxOZS;F=VF z{aYxS@+SgruV3-QKkF2M()^K>(`|>)rcwk0{iLSH)v$qm9BW%5;v%Z=4o=klnHv(Z zRm1)(1OZ!(^Pvx-GYq7AIKRdN{j7cx+ef*HVIq?;+8JbL8tuJGa>&pGL=?q2vf=rD zbo~?N@y6VdASul4n%}!A|E#d@?%d5p>E)~3!&RA^y7ZblrlLt?%=nQ?;dkjrtzv0e zh!J8T=fo!xiuS}J?of2){D}sL0TjnQYUTOM?AiBEe;6;FdssZP zw{+m3bSV?D{n8oza!lu{+Pq*(8Q+X+NAK{y1Mx4v9tVW^W5S8sche0*>$}9 zY=5kBVo&Ab4o;ueK5Kc+p#Y=-Ax|}#zq@qe-)}A!cAUxXT72X7S6)7?Jb9EmU3hl5 z@cdx;)q%>bTZN|w%MUlNpa3PLcbj{A13eatob=Jc=8Luaoy5y=k3iQiTCP#5QgUZ5 ze!GU?9EkarElEr@DVQZZp3nq6ow7Ow6^QrkEh<4I-K3I$8cYy^;!SFEGGrbfqLZppo{w2ds4mkLD7$psqQc3qaOi-);;{O+8$M< zk&37KCedKaff$UtB_bauQ?aCX<<#lBG^`ECzE~nOvut>WEis?E_Jlw2RTH!@W@^JG z;?7uC!yL(#)02oll?ZujV`p@qI}(aEnq-9wZe>W>S87{z)JlcqE?*ag z1p*4(cX?+3nx94+tuG}U!Dp^Tp5COTI_A? z&y%gT=iOB6?YWr^K{!IR+@lXh%$VsVZJrVFUY(WNtWWmfHSgBbZEn^*D`7kB@76Q% zF>2Ijv$wTphtq>ewcj()um6C(`$(pD&@uio_V43vll%srnRJYf=v!{$nO3{_1lvQ0 z|Fbso{|RdC7s(g&@z>tZJ{d=?Nj`ltj-Gy%V(ROF5iOcz;%hggoodXGq)8g33aYou}RS?{;G5odI+2kmx2iX#Tr} zv)1v&C$M;ZTW*)clXAiHq}wG7nycOj&WL$fY7!06u2}!DtVpFphsy7^74AJM?Er&7 ze80XOnL7*@-+YrjxOl#NZGYwMX4hYaOSdlM-Zm>=J4L25X-c+&{LXK``EBvZ?$Z4| z*?XnOH#+=m$+&-|V%SOONiok)i&*{G&?r(Vrn^zIQ6Mp7z^EPBh13>2G>|~V)sTJ~ zLkeNY;I$9(wGYNFlT^bsx}|vk)cnoL>C=l_DlgvTX3KZ3Ej;V6YmB!3kT4u&wf>;5 zN6ZJpBOAF{nY~`Pd8~Bccya&B>{DI-;Z*tZuF}b$)Vb58qi-tvcYOFzX)zwqm`|mM zjF`H`3||VxkW-~FW#8B#Js}yl#0nz9N0`IVaSV8p%)UQtfyX5%l1R% z)!xeK+of&$vnR^;_m)rYSiGEj`p0fm{P9JH?H>wSr043CS(rpZ9Ama+RwCDE= zdq(rKh5e_$@3eE57f2&C1!fGwj#&PSdmLl5QKcBP3mI{Eb6e{pGZ7-8lbqp*z$D86 z2JlwJPr&-pYB+|6(I}M`(#y3mj)O6VL;+dt7t(e2m?WDA5+n;LOk&i@x2)&LH}&LXBV}PgjuN=`YUA2bthdLBC9T=s0r(&d-wQl*Yn6IkE6D|#%pED+-tPQc z>R;s(&vV;*(hDcESIWD0FC6);baAOcnZg#|bZgHJ`E)8o9B@8o^N)fRDuhS5n?qEC!Ex?xJKsOG&(p}zk)5YsrlffFP54|ri zHKRe@Yfyi0Q`?N+Thun2%WQ2UA!Ez1V+p^8#Dd2?G?9|ZVl~^%-HzVxb$a{v-D;a& zqjuQ))?dyR{+%^QzS5p*muh`G;wWqG>ktHv6#F#IlvtZCWgWjE`4G#fD)6achJMX#Ur)Z3I9~w|7`B5qP+iN{!-!a)sgoP3wI8U zSKb^dpV|HU%GTFyu*ZmLCAbGf8%*aWlS7$DMk2wc$GIzFkoXn9`9If8$%tfGKoamH zHaH{@rdfid<+4`;$dD|iT2kl%$gXgD(3DJPU`&w^Lk=m=I%Y~1GtV_oX555WuKk?H z|FLXwXoT~Em;z+srv3f(+}`rVtD^d%{e8S4QX>HA)y5KP@r^12h?DN?8#FPIA!%W{ zK$obRREQoQZ~ajm3EY#-svnoGHWeNd&v~8?Yqe~Ho3sakqj&XSLs?hb@pyA>UD$na zvasdH?6&;o;?up_^68hkhktv2jn*z5w3Z(4UyGs!fTa+LAZ>{e$C7KE5AxHf9|)1;}^+R zii;!}hGq!@$>}XblLR8!R(gvhAx%-R1@$MOFvCCwA;D@A@EV5NUP_dJLM$Qy&ErU| z5s5j&BZ8~7mmongBtn>%slHl!cgAd1hx;X0qTK1Z);P5F`O4=W6l6vC@w_On(E$g-1PwXR{_;+;*qc%vBBB<39@)~Yw_V`18QL&2}-FvJTWijsI!SNZ79(u*_2y~oP$_WgH$f2i>KrXhcQli)c4rbMYI-F>ofuekr#?-ySz zJP!V~bpK9n+rn&a_K%A<6@_Cve)nOfp&aKh%K*qA%rcllfMO^)&SA-NsvKKNhFzZ2 z1jZ}@7)Wuc@tP3ivOkU&`vTO0De~V{Dop?MvFt(pm%1h(Z{% zl3Js5|Mb7cN6Ig*kqZw>d*00L4=tU~ova+cSw8cwmGYozhJt{g=;pcu6A(fY0(tgz zC4dkCxV-So?Hmb)fPi2q!081s_h2)QL9XrEoMmv+4~2`57iV*qOOJjk9=@%p{In~W zy~#EPJC_sB(>v|et=gHAt}?8V$nr9QCMSlx+J1*kcu#yl)ge`|%|r)h%y>p8^t!f1 z7Tg~kgpQEF2yJmd)-8Ql*V`Yok+!hVo!^WoSmrc`n~hKQBuB%;K~p3lvk$oZvT*Lr{Il};3$1PbHm5p<5K#=pv}qa)^f7=OlbGiI=z!U) zxAynOB&NB^C^@_HTfWUcqrc5QF6=zjYBmGF5)2Ix1>{TtmS!mukW7mSjWLE4gpkK2 zDo;eJq*<0FF=jDI0b+SOAxA{21j`DPT$V?$1>mehtv3JwA%GZ$N7`05T+_pGn;}4( zghp-sT?`3=;Sw6JvIzr?-fEwcG+?9o^S@ubxVTeBD3V#;l(4-0MO`LGU%xdzg)Lrb znMei#hQTZ&l4&A}9g+eqyr^uxGQYKQ;l%s<|Fd|n{PIlY<>vCcw?E|WmUdq&-hckL zX*Io`=C*If;2$N0#si{-=7UFeUIEAgnjit$<_bC!(BpJ49+sF`-4gR@+1iDWxBcii&wT6_uZI(Ub%5~ZpXs;@}Zso zC_Ua*K5^=|`D59i%U8}yRvB~2CDJG~0N z6~l%Y5a;}I=qQ6;xO^r?$L&L!nPBt9vvmG={z+x$HGjBrY0ux+ZT*A*uz`?rwSK z0g!!G*#Eq8ddK{>;=3Pnr>(72gA$MwK`!s{sph(Yf)G$7Zk5moLx3TRcxQ4gbOS>H z00}@NOfry_qj*;?D>0g(Nro1zzP)I~ZAsWVSb|ANQ6$YWw8U~ZIf00=Cd)6&kTgvI z0*dB9x1Y31u63h@OLxmh9)*{#l%C914n1uy79=pk5Rl<1;JQ@ZhGEB8Qc^5PkdVM6 z#p7wON;N&^4@s}UcNR~N8*{tn_x|SZ#lu_kM{<{axwnN2=jQHpTO1m>wj&sZAZU!F zr0j{OrDX(&fruelMl7R^mvOWqVsZATUhDjx!u^}Q3uotdw`&fxp4>DbA%-+Tx3`J| zk2WkZCA$MAqidu`a$06D2AtWWh1bu^_aB4Ywx#o0$FIwK&i-ZLZQUx`VYASg^C*$K(g1W94K6KZ~jTDAj75-m$WoFPAPE7I!9kvgcY_EwWx!b&qYv8D#pQZ=4kA6PJ3- zE74%hU4z3K=V(-Xqv{=;PA5!+%_J>HP|w{Liyft1V$Wq}MmHcO#3-^h69G9HN%Lx^ zyPi|3RcZuHAe><}I>A-vq~Jno!X4_3)OYn?MrwqHx|d*(N~r@0Z)z|&5?u}P*pS=@ zeEe0X=?@yubizb0#C)wE8$G||dKvv=9;-ueZP1ho2rjul7Vle4%FmnfeVqv$)|2p^ zs}lqoL97opiW#ofi7J+0J7s<6&20&OIP{etZY?7=iH6O+>o{aUfflFw_VX0G1&siUBO$>8pSx5y=Vw#cjR`S&V6t!h#dX zwNYR2PeJVdL?kH)qUSQeafOoM!1)j+j^_Lm4!eg;^YJ=-UILGAI+NxVwsu+%w|Uy4 zQ7JqyVjkdAX2_E(*qz!jo#2{&GA+1*Y`%#>PIvp1G*YJ~ggCugG(X{IhDD$Gi2~F0s;mj z$YO$KX}M4Vsc6)yM~VV?x&IKNSWK`0b4&S;jZAeCW>HDh2yX<}9IC6nSFs5L6PzEZ zQFWTJ2$7~w8PPBJ#6@pvLa{oiZygrd#0dg1i5;=?1J;?J*b|Ke!%fZsdq4fC`| zJeEw^Qp@{j-f)zFw!{;DTS^!@BdJ&FNS0o=kpH-58C5yKK1jHmsA|ayz8k=ym zz38zFL9i@@Qs_4qN?E%F*HF4XZL*5fGsGE5L6wkTX#fx@A!$GwA-}Y* zynR=5IT%DBl92?*hX}t(QVNm+2(SQ&Wzc&iWmtGtzH_2<=I8R+ZF3J64`=?cG^?0# zEnO;|JGykDc;jZ}{x!42^2$@7Qh=uZo~aGMGw~K-p<-HHDhIRM73Ez||M8p3l_P(d z%5KS>e*bLgG&6s^@Zv`4=QC}rqf+Z%Z5dTE6iY)4NrV9e3}V(8atB$8A{mBeSWF{C z@fOl%A$JnELPSBxF3)t%W6dzb06>ZakOcy$e;qVTkUdOG8xIhGWf+zvWn$qdnxt8p z1oFxU&@_b@mZW(>w5>vC2n+xV0b(HyF#xS%XCMNA01W2^piw{bNuFk!4|10+}UD$Q4vh`v1?9w4> zlSoEa+HMzrkQQ`;7_vE;1eBGta_iO7Mf^i{XZCSo?)kJ$ zY|zC~YqO9ea7q^plGxNtUYkyz;mV6cmD{hsqX+V{ z<+oRhH_n^|e17R^8A#CCD?Ibaz8AcPPzEP;sST{Hi=Cd!x%B2tVd-fFx>Tk^*UAmclTR3nt`?K}^gMSt7@5(+a zzq>zwy>#+$s2XS8f^asIl5OtnAH~I z=-&i#`hK;nwZi@yBBHu~T`5%Q&$uJ;u>ad|%yh~oEb|w*X_i_O=N`>A8 zu)!Bi@E*1KdC#o;^NUI6xK zsub>U&-mBT!$I65QfwG(2;zR_D?dETx2JDtCZJM8%^_PT6^zBWq&*zX$`+~B6|+q7v@;o9EZt>RBFrxy0Ue^a@6r+DuE zWM-4-on}cel?o$DC%T3CFY7sW`=`?upEx;YLxREX{K4YE?Uk!9{Tw_fCrw ztTx1%d(czfvv28UcHh!Px^VV}ap~M(`N)Owa0fz;44|l2$P~JKW5C@r(r<#o?B6R( z+h9+hw9I2bM%=&uFjzQxrTFxY^t-(SQ^QsbDN{i4`rho8zWIm0&%em+@8BC#;#{;! z1vN#c`X#Q9nlz>e)i0Ez^_+_9lgnMXvIDdYpP39F|j<8Id!Kf`z5mq{UY4OKc z`N5^a`5jGk?`Ze*gq()^zw+#%?9R&Jt$&?Z_%U}fd*+A2{@LP-7v;;ZvgdQN)47}F zC%gGtuw}pv>F&1Um^Q@cpXO(}?cz;?4G4*n7jdFzdb&5>I~pZ~H`G?xJHz&SLK8SP z!(W(NW_)cPGGsFNo$1gRY~CV_*`gh$1_tVYj4v^6$f(z7O*U?D&051lkRv!OT)L}u zm}8kJJ?T$QbdR!JX@p$Tt3K!^)X`dg6j}4|qB<#c(nE5iqGWlgDNoF1aWs~j+Ud<` zuX(CZANwxlo4~sM#HdQ}#CnFJ0FprjNh2QkY@^dzF_0t(0?Ke%Dgn(xhF}2iAqhk- zBnXB?h+*Ui;voS^09b-(JhZk*l#i2R3{VsaC<5V+*e6PgUZI|2ECf zB?(!I0f3ex3I!~IAW2i0M@rZpgRn7U8W;)>^t6qb{cO{N@wn&2AiTL*@cX5oOPfy> zAM7nZ+fqDyPgL(%Z+dE`b*&sAUcZH!8nqztttt?&zv<#IGsgKbLiLDLKj-#fAlgTc zaMZzgHv1m9Qxnq+)j z{tGk-BjuilnH(cyev>ecbmh%zZ{R+wogc&6VU()Sl5HzSH5nYwM8_f;DCz_l5_iH# z#e0YdcN8=+bOhsm)z0y|+BI`bsdkEPEvr5}Y3Q*` zNC;!19YKG);@HzBdIZIVRu>A$P?+aWN0zRZkN=e0-(B3cue9UEXz|9o`NO4Sx0g-w8i*3v5tf^0N*|cCgxvhbln?Tv0c0_QSr(EcT**^J2rM9?{fHzb zW+(zcgrov}qNcb33a-~)qbQPPm#quY;^o%L)CLL65|{?0Fo0;ex?aCdn47Qm8chL= zAWMoltTP5Zu%{(0HC5%^_WZ&Bntxc>f9w0DV+*gBW(${}m5<*oAHJX8liSx^ObQYN zqM&4^K;5)jT1J2|%OaAd#m1z?%8Nnc#A(fz&s_cg*?aHhHj=A-_w+uV2GE zJ*lT*`?Wy?0t5(v2n0!g_8K|o42Mz^=CLUQZ%b^x+(~36x#ynk zWWbTi(TD2N+v@Y%3olDo=1=!Cb^%~01OXSsUC5`)KtK?XLA|YAfD;UkXilhkpR^nX zBD4bCj0gxJ+Xuf}f)EXG$dG+ZW%0~1BG8i-W3smA+^=GT7}4F+&ICKeKq%T@{pl+a zyLE`vGM2$_1R_8eo(jEfBn`}iEix))hh~u_W^#_C8IgCJ?6I*CIw!iozWPi3+QY`p+1lH4 z^V_KUshy=GcQkx@w>*ATpuKi2f=a2mA z|IHn)?S0PHx9^|Z;VSPaovvIzUBB`Cx3z0)cO3&bu{xJIVdyj?h2Cay_K%Ba{#<>x zvwGuE`SK4hPr}CjGmK2IMJ3~gs3ULZj8NORoKXf9!Us*y(miGsmrY9rvyPskiD0x( z>-7#1{n6d;ox#Hqkq1rLBHo-*TsS2$YA#stp5m3x*KfXQJUu25(qr;@Q=&bUXQs&! zSE?)Dwh{L_^%HC4ZJil$3ArrQwt|IjdTK0C7}a`${!ZtPll0_CC)7#f)Hql>R}^vK z6WOFn5vh7kYOq{II-O>wpOkRB-ire+|=Q$1O5XL)-^AHOpkH55eq3~AiP(ZM>c zP?=?Sp` z9Q=F5=FUiJrZmbCi)n&?G2GlBU202yBw;Y}@7`A-DT;d*ul|4K2emuL{^?yfHH4c+ zvN!>0l0hUv;S|Y|0yiz}cTWZlz6okzZw*j5Lm-O4#Q-Fx660!dra%CfttpZwg-n6D zL};9pXOO6S^4Hq^9ks*P|53X4oB7+-ou`(L*0w+BAsx#=zz|Rr-Xg}%c+=4?97Q-y z;4H)CrEVQF$nBJRJyczM2dZ;z&O>E+kK@~eL}E^qmH{l!~z{lpP-hh7j$2_a50 zBuR*QcQ&KdJ=Vp)V_5={B-cJ^3h9+uJ>s_o>H6-Qf1ZC)+kYlp+j6*i?nUu=b;qmX z_4OG2a;;EJI2qe0VDtu4Pk*3#_e$|VY5T&N|Eat=qng`W*?eqaw({VvE?c{CKUdv< z^W$8FkAjIRJ}aMIy3)9|V`2Z|jryT$=F;KX|C3?@4XX4eSq%?K>K?R~jd-FP-~UsC2N4lO*t;R(+(ot);gg=OjsJ z7SSvs0K-raE-#*e@i#t-$r{jrKm^6TFYD&^NNAcSAxT4VuLo%-`gs?Cf&_t+kmzxJ z1xN;x3;-NlSTTp5TGlVi9^>HN1wpa|PA_Y57SJpX$llHc#SjRv6x-9e=;lNyVRl?T zfEVGbY@4m@yu5U%ba)s~q0gOEdhSB?;PdL$yMNIAU+H*d*S&=^r5)tr&eHqR6XBLI zEy|-586OX-W!C7lCfOAbf`({1Lg=P~;!@Iuo>G>#HBR4#!Rog6|60387)_2@@))D9p(CW?BL!EisFc)%P&e&K;?|ec#6( z8yefprW~>IBTQog4)#`gQ!|hdk_?SlqKna0xp|^-YH#Dx`+ronKb_lCdeqo^y+iC? z45K{XLiBWp2=vr)62OpvAqbKh&9>9FIO&KUAp*f@$e6? zzt7CyG;|kJ0&qkE#8L=}$eB~86+VslH4UH$5+Q;{!aE6@OD!s;wsPiNEK-|2T7K}i z%Iy8(o%t6=UAWV-9DrnUoK$LQy^W)BITmU0eC6z|-bS!kkO)<9%kxp88Eo`g1EYhn zPivBHIVo(xruLf51z~xV00D&4fB>|( z=H%Ec;xT79ffEQ&9HWk>uqYa58JuAI;IJW*M6l154a3kZqDa^qN3ENMH!hz{4`ARe zyqMcB{ol%!TXU~8^(O~R<#Uz&_nqY{=IXZNVNH20pk4@?)@gtcIt1JBX#Gek{W2iu z70nn{b2i#Vaf?BVx0m!!1DdNRMJ4VSRZj$=w|yKt045iMsOA6DB#T3a<<1vTOs>k| zo#kVtt=ah}b8ALv=b|MMMKOqE5M*fvUm=H;*JeH{) zIrh(J>C)1L4_CQ@<;|m0B0?2!S6{yV@Us5+Wa-sp<;~vGo`v1%%H@-ly9eg>Hon`x zc&bp}cdPiay7@s*xdF~DPZu1gX&RCwNekt6$nvXQy0KKH)+o<9635#bi{o;$Cl!hD z$|uIvqlLn>oKV|%Pk=G#DEK_u&jmJMjsCc?1~xQ-iB zpS=s##E%{ep`(kwC?djtr_(UgX$>3!vY!VVq2t@RgoKG`XxWLe#$5K)8pm97E@_zB zo81ATwslA8v7_{6eQ*l8lq?YQNilZquy@>V%#5WSQVd@U-1=1D3K$lUVmT9HRi<{N z^ykN0;LN-)OI^r0iWoRochrb_C9^kf9G-t)d9v%z<>QMx`Rr%Cve^Rxy-J&5MV_Qb zp(!a+E{hp($URV5&2pwGghL28C$}5$@g`O%;M%t@KF)mYn0s0}Si5qre*IAO*8S>} z%k^icEPoxM9~4QaeRSOAo#LnZtaL?Qq)<=tv(_bDVu?D1t>3;snf>`U)dx>!D*N_T z-ar3vyZUnH5Q0+SDV#qntrt7;LODC8$ouc|jq8^h`>v_S8qdFTR9;+PIP~lJ{i(*K zdzDMihY*2@@)JvzOHqO#Ec|Gx{y+yFy)MY-XX_MOq&ItDGw`!|SFk5=ax@b2_$DIa z64)jtg!8&|)!hF2?D<@6`~Jr39p#6$+egdK=g!SNZajM>x(;ZF7=oZWlKnq3 zV`q0*a7;ASTx`_3(Qs;}Wu8Dmij9V%GN*XEf&_J+M->Q}c!gS<#$`7Gz~{;&72JX1 zB(hsadVJ{mw95$8nSDJbKzUDN>-Eaj^W_(yvh~&6h5F?ue=0w2?0Nb#@jeqn1lSbW z)Mp3=&-Q28abAf>qa3rkv#K7fq3!&<0TA(;6~9>CeS(fTU$_N=6Q2>#>NB{wV6ajG9VS@aq6X6+#!AS%;7Sksl5yT=y zfSwoIG|7;N;P$l0JrPdeIA9U%MUn|1!XXJd@0^AvW$Ye9Cl=CHem~XteslfRZO%vy z5{y>*{?C7I-Q$Rat52vU&w1GUNDSL$wPvc)ZuUv4bzZo%Fd*XIg_9zjy2U^o{q}GV5$0x zLrb@)#`YU#MQ!W*^0~z`KI?!lG|P1bhiu$xBXh#Xt<;KwDl0CPbBeY06wFb1wY&Ck z*PrTp?r8-A4VV3qrajZ$B(#|F;kF_C@53?V^=9Q#%)DmdCp1}0RPGp&Vkzs$c-y2E zIZq#pXxeVtAnZdlqHvbLaf$*s&Gx_P{AzyhBxpR?uf*1p#yHUlEQ^yY3lL3E2xlo` zc#0tj!fAj5oQ5Qe7(j9|Ec;w_5)eXwBMKoJKnAkCuR1#ppRrHP{{v`>WDwI4CL8ug z6w$EVzx*}{36}SNqJ!H`Nb~d6|C?OeQG0T-dg5+zclFl&`NyT_wbz^127+U2x-1c` zdu?Hhko$b~CqwCKU}Vmt|X?dsf`X&Il&2tdY=2`G4_4n`jvAN5Q| zf&Rc(PX_>_{Gh=$2xnPoFW3g!7iU0S|yK_l&rzUdB{0T8?qUKet zkcg<=h3$HNz}oy>>aI?m;Yf=(ix}%eTEuZ3ns&QAmYkZ-#5ko*?jjhcJ49#QBU9cV zm*~!M$GAg25fYKzJ7)PpLQQ2nmaJMtBx+^5Y!U1=dv)~&-xF7~{u)ylyqad_U#B9< z6s!v2&&C;b>n}^|zo~4_n@aixzYlroq+jQXirvz~p8#jTs`5$MY0$K&O*T3?CB<}8 znZd8)C-Bv6!9vZ1Wh%cEi+D7S);-H-Qf5A6+(13nf-|J$$U}aqYxosGNBy|LoHo({ zl@ybiMwIfg<}qVju6j zgv^jZm5!KS%ur*8H`JCty63*WTwxuYd?VUKE}+(XSt%9|#f`qe=bTXV)I^#x**08H zMqMfmF;4xgc^s%{b%;BXawlR5f6^@p`JL`avVF7=w0nYf$;#I2NP8q+e@f!8C;d)) zI^~nZ?8#&{ns7-m`}k_zq&*pu*t1DVI2n}q?O{oCfFw<_0;hhA3K@Oe+H36?EGSH^ zJ#_lqVY?*Z_WF~lM82aQHJNv4e146US9i5)DwLEs?NUrNY0KDkwAxH6ls)UZm;1~b zp9%GyKC3aX2W5>jRo-kg24ZXmn%%&e4~loqXWdi814?{e~6nDm$uy0w=@gDE?| z3K$J@pS%2t6{9XMvB&)FkMw!N(@>W8rcEnar+J+#S-GEEskSy(Y?*=)C}>i=UV8{# zxm0AdN0pVqG$qM|TE#?+4|DE+rqhCi+t?tkm9 z{%OW;ul358C$pQ>71F`{s7^<#hdO2W&z)9lG2F!G3gTY--oazIYZs4JpFd9&H!p0h zyuOpGZM$E3@UQy5tMd=$ZZ8~|soc0`okKa68R7S?F*$JT4bOKnG-Knt>iW%TScZ;dVn0-o9e`{9)Uj z^J~SKW{sm#Os`zK#7}DU0R6H91*a_2T45}5&OytgQY@7iLEMn&-rky z+>ucYQgEr-`jS|gXRKOH$T-3)wiPUv@RTj8a`GNzr*vMF@kbrXY@ab3rkBQNa#AcU zDApHJs{AA=#gv&sc&wnCaP|nu_3M&Dj#>YRTo-8;2(=cEJNLNy^x)Fb>Y4M^dpj2% zHg-R39NE`+d8~Tz+1#u8?kyHa_3VSA~#1nNH=xD|Xsjw6a zWmJL+;gH-X#gsy(#*7@tL9e#_f`}C2grrJyA#~+&9(SGZgEhWNxBAcEG^Gnx< zN^8y~y3l*%rreOb0Sp2@tB&T!lGdC~%b$ZC@Uw)Tn+(wx2sR6CdDo0iR7|-yH_0bY z?aJfP{E1tsjbwzKIx-@gvU|NjJkq~w`-(hjGKz}pnjTT75{BUf*2+{`*|%nyS@*3` zW;WXlCdCGbC~}S_D)O48EGCuFWUv@Utg3HEHI{EjWM++AX0@m{Ud}!ziR+Mjr9Wjh z^SD{7k&S=bc?`9IT`PW|xejqHI`g-3nM$Km8f6x>aQbqTPxDR5Z#qvKd$p@HS=QgO zJCW+v#d5WBTxL>^YRneX^v8UH=qc?GZ(Z*Pb~*7K{LNbB^hUk7bKdlP@5U>MF6Ze( zO=F#5RHOfP%w}n>v<(oBf0n!saYhY>QJwNzxlW_hZ?s_D55(6ms6t~>$}I-d^tWcE zX;LFs%H(o`RX^lpK`+zEHvtJ=>t)IK0)+;})>f&l{EuQNt)4 z+yk)ge9t{820cEna-eo3s}zPhJUoP?u}Sqnq>5`4iFi&mo%WMjHxU~f^fNRgYBiN~ z4fG|g=#+RQ=*fK}GmY4#Bkq)$$FkU&u3LIp-Lu~koVz@~lU>7}8zNs_Ar@7?4;^cn5~gqTkhUsyb+my0M2 z03t{lQ4msymznovlYhl_8bQ;-@(d0U zB+#A}Ke4P^k3x#YX?417K#N3Hrdg*Ypw+dnj0Q-tMSvh#ia|697@Xzug^H%wT8nRF zwL7O8$DaMA`szYyb`57_zyw-?Mijlgw=y&$C;&N7!TF>!6-o*Z(J8mdF5qjIV(N&^ ztyh_Z)qO@`WouM!W%YhRWf7V=OH8LyYgN(JeiUZs(uMYoOHTyi+}Ho8J%97dg{Sfl zFXvv2e!cpx6$_tPyTe<%yQ-Zzw6JyQW_f3I-%(Tj(u2j@^#}Wk`)j+mX6Cn!G+y7R zJiIc$^Vh4t6v6u?DL^0q00b0401^t(ekt0knUN<1@|NE>4(uquEIul~Z+y42aq&A- z{q=R+_}Aam9~~;*bl0w3tRCA{zkXUo?z!(iyj?m}dh_e*>uvhV^$WcOlt7%M07DUg zC21M}AOfVEbI_|jys?19d`GEQaxh;j3v+EdW9PXox7)xYMqUX$9{*e+_AQat8Dsx% z7CN+%;q~pEg|n}Gs$l!pD6R*?cy&_{iMdBVo|t=eAw40*!g7y8Ju>k*XBlbRNZ4!) z%lV;BiuoOy6;G~(0-)XCu=|d>J;Uz#^~77~8f`DABnY$bQ)4A~x_2GEoFXlYHZ^QC zy|7xBDEiKd14PgZtM_~T@WJyPKNbs|=RX#Wn_sEaGhV)14bF)443qCwqditXqTu+I zs7!aV{X@x0`AX5M_HM^_wEq0~aQc6DJ@=W?u}N~;zp`C>=>K+otLr~5*_v&(-8;aZ zCN@06zS%iVt&r4AjLay$Kxn;fGHZ{gq?p&zBEU>C>Y129CdC}i=BOlR?DDC+6w^(a zCiE7sFXsUNop^&xytNp7lBGXS41V*o`^Vp}BcNV0nU`X|C>f7A*UrTR(e!Q?i`y9* zk}kW)4N1F$WhnU|kGg-3%aD#)I4p@K6*@Fbs|e09tdeg_D)*+s5bb%)PE1xLiAXR#3Hj^sfcyLszdvmFBaupo1TR z*%C0R~41E=(>A!Lfcq-H9i5C*ABFj{FePk7@b zKfJv^-geet@b;4Whga_wuMZ*QXxyU|f0Ngwq8-BM^0ikf7G6#udTDlUHc&tQta0bI zLA|hloSOf>e7nWWd6V0uBTFKtnN_2pOS^YgkYHZnBz4(j(!0~rtkaN=3+YCBCKF-HlTnIAsoa9)!xM7>W9nQQ5fLFU4$$abW_n%cavwF~aQ&3Mo(G zsf5oX#gsBxT&;2@0$vNJO5dbbMItd0`NqBL znP};Dc79j&$nGIFTE9>QNieTfXm(047zsNv!BIYiP|sm9`50Oy#S&VRc;^VZ7UYm( zbd*<^(*^(ux!xByxzenk$b<0>pS!VSoEq)X@#UjMz6;sWM(43-Z6BvULh>Fwn`m9JJ`y)QQmrR|NqCziI4@U>K%!%e}@ zh2+fEC)-i+O!fKc#)&;k+v<03{qXv5aVQhviu6HqDc`F)>XtOwv!QrPxF^AgGZ~jd=AQT#C7eQ#I~~3tnUE2FM{zv!hv5bziCwx&U z<~4?OqXQ}jV_?Ffu~}4ZE$@MsR?FQXTWmZKQSly4=*jSut@|X<(9xvdW=Rx$ZLE!- zV0!i!N@`PUJH_foU=^96jicYtaUw3aNDBZTlX>K6Zl#T+sgeN1B9=io(P;&J;y7!X z!D$?_J%X$OA^{{3)jP;q0vMcONS0(egT(n!))D{!#0iR_KbEJ8?zGK5QP{hL#u1_+ z4&dh-55NM31r*ESpyG`Pg)jSiO9Qg!c(4qCXq**|dmoUd${q?uv&MEz zx-#jshgy-(yzt`T_^cXR-;`c1&Tgu`emeJk_0gT$gRAwMryEC~RUT}wKYlgy=f>uf z^E)bUukd~sTHIVce!P5wGZnf9%y)}|7mITrAPAl$Aq{nR{*=fCPXhDTb3w=1s(S z%{O-ifKx0>(f|Qozcz8ru^6pPDRq|QV0+L^AdwMy$#l%_qwU-$E5U$nDK__R>2%}W z#nPT%PR^gMojJO2u>Rfo#nbce=kAvG>ice3h{bV;L#oGyC4mGBa0GF-=Z*y^Kp+Ok zIr&^EcOvYMtZXQw3A@v6>C?f$t zl7fIHNpgU}mN1Zn%lkVaKG+2ASNr;PIRSANrzp^aS`-izP5?yFy?Y$dkf9JlaPSV7 zKtuqF!68imf`kO#yT=KfK@@{JXLrJ#^cUJ0EgcKLt!bKCYMghQ#EG{~>AL>TrtSVS zOa0B(|10eU^&5BUXP%Z$iP$_HKNidN)0%}kaz>F876vte3H8LxV2Obv<`Hg1p4^MO zY_F1?F0^(R*=hxd9K zM<4#P_@e&y`=u>^Zd^Lgx0hNePz=kkkRS;X(kwwUXkb23j@d<#Bp?AnF(hCS4mybi zS2{8sTfepsk1)IvLl|XwMV!k9F(m<5ih_{gxGi0k1Rx+oP$UCzaV-&MT>W-~CdI~N z!I;i!{Fd0X$W|d2c{Q$|4)DS>+S|nBAO2MNerIF%*3^e5<=r2iC95aih3jW$%a8l% zD+!BOf`tUzgL+p&0g|AXHF!^jB?0vEeo3$pA7YPSSpa81n7@i735G&|1~fO@NokJ=1fXLQx%?5sN+=g+5_Y_J+?`A=TOBK1tC+B;VXs=Pg*~^syybTbyTATj`LJg0 zz6rKtI?jKKPq%`jQHKRl)y@A8wGlqM(m)u_r%4&$q& zI*(R_S+765yRWQVK3~86-Z^)xdTh3KVzV$U)jHPS)#z{?#zJvpH>V*aBi4GNMfs!f zC#0BR65*?!gkX(JFgBnzr3;<@!{F!=-BBdk=nQ#Jh%|CiczfY8B%s^WKeqd2k_2e|FsJ9@C@&m$J7V&t%%8yuUYoY3iW3>|pm%fYC51!|C zw>ib%wgf^Cbr?q?gaBl~KpLA}R_z21y4dhUelUGKg(7;FM?_b%;mNU3LFCN@fm19b zDI}`1D?4_5?Mu|JJXt(eef3@A$l?Dh9gS2DTud$8sh+;lxIEiebt8slAsZlP=NWk57Jh;VPc^zkZ_(mp_vR zs2BDLfHXoh3;JMfkPtCAAck?_NS0wpnxY`fG7N)5s@EU`f~Ij2lEm<~yDpt}>Bf*> zXsr9EV$)XJwD3V#EvPMS!B6QTDyzuv&2i)=)4~TS#x|WTguV8GK|eOavbVbg)@}J- z zKPm3;F72#soh@FN-!XUk7mN2RFQ1!B#~N?;)s7!uyk0y}x-*IRuQ{-EvG(qMd4KKX zsp{dooK2(qv2cfrLPLPlB*7vYu?$WSA}&gcoE#E3q;Z@k7#5NQ#oz<@AtGoyI8EXV z!4hyFy@Nvrrzn!-AIr7$PLfT+{_CG&0qSv_z_N(Oaqg*wh;hzPG{w*a2l&39ZBEh* zf)ur^>KPjEbD981hGGGOuir9HQ8C*9hIw&FBV6HO4Wv~yBd~BMbcjrM`H@ZQ71WO? zDD^N_crJ;0n&Ix+yYr>f{~KMnRX=sA`e={fh2BJBC>z{voi?Yfqx79{irC838bt)#N*BtL`P$R`G4tF?{vs&9ChyVs8 zbwOvgJ(2oj$aLP^bto+f!YLf!kRVx-ASs-4ureT4%xcqO2rLv?h&m$eVeW~-Qa`uz z!;|8{>g?0nkrTE3`{%AUUOcXCz4px?8t0DSi!ZD{yxm;8xpjUmN`K|zKslaCB!ceI zHM?>xoTGGP@kp|AbzA9Bc~4{S_WIeQ;kg&Tsh-@rwsxAg1$mc1oa)JazuQ#0RJr|K z?e-z*;+~~zzWUL7)%y=iH;YdjTep?&YD#Z(Tv;M49F6%$L?rpDvgO&oO4pVymv+|< z9$0wacz2vmE?r#MReWfnBp+^+w_#uLg|b-fg^0-zp73}QCO25^!;QsR=?HSzIEaj^4~#KD<&*)t)e&BN|=s$`@yZ`J;pwGE8fEBaDXeHm+p(GsqXSi=c9(Q_-Yz#cBE`L$qd+I-2komTiELG3t`FYPb{s z-52}pi>)aWw&zT%*cvORzF~JN;di#C(Q4e(&p0M{tbG{JoHuJ`wmsuc*u8FR${+F< zTFyJsaRk(y109clwpMCty{pHI!|rf2ksspS6dd~9VSi+;M@XDmUJJ`p%Chph)hjPC zxR~W~0c6aY^rPr=xfG*loi4?H!W!5}{Kjk=d_o^&6iEqsSg1yA+GG~jqRZ80OlBu$F(OHINHNvKzV#;?#_56vd^OX3S=vPNT4| z1^Ap)SuD5n{X$S!le*# zr&^a!zYVg@xzpCOn&xkMqY_R?F;Y8~QHR{kywz#zv=kd@a!Z9>a#K)>X+lAiRRm<& z|1O|`7Eo)fI*hK-^az-=$d|QnBHc1WB&}c=Thijt!sdPLvZij&-k3e*>$n4P*quQ) zH*mLo{oPR{wpFbCZ$sS01!j^sbQ5@%uOYJ;%=&z%|>iy1qU|3k)2jTPD!2$NIP-CM>8sq*5%c4D!C(8 zc9h~2Wiyd6ry;`mZOXOQc0adxdSWE)bT|}Kgo)DzVNENv0Tbt4nn`>*okW~6r=P&h zp}<7Ymz8c5nE41mX}1((n>(a77p6@>ikUvAX2^~Vp%>hwJSWA*H8R6MYNGjuP)JLS z{>WVG|DcZlD1Vv)>;V2W#WEZ2Pp@=O(_69IHF3AGKjY8F!VB(2H^6Q5ATm#-kw;cE%o+kM(((3~=7vPrL-85nM;52kIBnjNK({2YY zk^n3VJP2o89z-%UvfC-zPE$1Nq+Bk_?q(70^gssD?G%IIaLdh6DVDWs$Hy~~wP3}` zDWejXVyrSZ*#Shg5fJCuwIDiw446ihg%p)yq}V3V^j*Fz^f^Dpsf|wvNg9#_!C^rC zF(BMJRl&SYh>PBVS@w9g3&8dy>C~FzJ$}0QUG@ELP(D0&U{mGZ8A1$u*k&@s_|TR85uKqgY;z>FLd?rGVK(v6GJ44&3JjbK z1r2$AlH7{D8Oj=+u1Vkex-dddD|*OXJUI7u>2m$eyM;3gx5`f<3rB|d4mwG>6{1+; zw(;PMreLPr z1mJJ91N91}(cuZDn-9(}!Sd6%Y1}G?y|hsP%qdOKjsm@>9jtCXl`Eg7<_?yx^A#P| zXZrCOOq!+kK(d3Rw)2TEI4#8LY{@zyhTYu(dq3MaxVe0|eq?iH_bV?y(Yl|Ygf$~1 zCs~omGy<~Psl3|HA0N)Nn$gV2ZTt+YZAE|vrkI9>W8&5PvvVK2lw{yxk>x{KR&UPP3`Ng*UFTJ+p!HHy=^7JyY8{4n{Px*0a z#}ISaG#SYXS!*Pia*~fj*AgS&3rD)L^{BpbcSq&^MfG3jUJM}y;4k2nyZXrqBOlvu zB{S5jHfZ_Fq0Ox^0W88Dq66vr%G{mWy)Bi8Z+>2TcCP;J)?X9;rJMBw7g<+v?+^l0 z3Px;=)0QbA7QF;xO?<+Jo~w5g+9bsS4npYdXk0oeW}FD%LdVZPf+K6p?+>J;*jP+I z#Nth8%_zq53X@tk)@KE-caP}B{_|Ds!C4J6cYb8y6sD@&-v7-|EMxj9BL!7Lt{(|D zgHQN~Y2n@^!N%OSE-HCiIFucN{yae1hLJ673Dd5ifoAzrL4bQ$q?p~D6WV1q;4?}w zphiK`FrX6O#0OCz#(U^=l`5VZQUiBgjGLrbHW(TcZl!W|Y(|RdgnelRv4Ru}%9J2P z4Y3ZBz5qSRD~nojNacBjR!^MB4!6-pM+)P9gW2oi?~P{FCt2klxkJ~BFRyZGwti_x zxN&%M=}L9?<%N5VQ*Y|89+bYT?cY_tImC1xVJzMWNQ*pC$JT6!a>pswmjXCj|G%L0mfl-;B#MAyHUu*T8lpx_T+6f1x&r30nv5B(nz(VQeRTCx z#NgM+m3nih$-iFgeMdSl8Z$rz&OcIXzG$*jj=@3JTEG}%?TDTB|GHqKtzoZu$(fi; zX&vj7rYHOwJ?$Up75$}6#->M66z|elH?TNc1_y)6I+9a3+=B?)#)`9klbeQ&B_Ne~ zwLZoSxD`4f<2t7M5Qu4jL<}Hloa{7&J~diCO)xY9G~L$w34)*y(FeSSL=*`b z*c%#>AP~b42BVc{<*ZhdhB53&Yjf)FIdI**LI@fz@d-ia9lXokWO z&9F290U%j+U0A#l5)p`o3_(H?#{orrK@J4rmTKwv+nDiyyv!a}+B*sZ6H3-<52mMk zZccp9HgmWxxe_j7mfD3!MqhliN<9oC%{2QyUV3aANEZ>aox~n&T=k}RLJRafjM%3wz8Qcu1aoPn0 zo6VQI^u{s1Mcv(S7;KPp256m7#QFTn9YgJvn4@9OkhWcHhI1$0)3(cOj1iiRCIe11oXza^ z`NAryXIQH>+}-jlZt1W*KP5V`mO$phjFBI3(6oc{gkwU-UxZB) zNX};)ZbPlszu!8yuYUaC68E?@8FIU0d=ZkXh7buE8sP*(5;TkBG(~fE-0q;pf`ur8 zT)%Pv9kb9=gZGL)npRGzMEk_1u@ubwOU+i&B+bwiOOTL%&(rRk;*rXwBb7I28wU>6 zPkvw9d}oL*0xStgmS8BFWpJG3fN%C@a^cPgF@$HDpdmmE+bMT9oK1unmgQFM0NKph z@nnb$(%SKUmUgqFV~K#;7#9P2HmS2S8l{K;gmnh`rnuLp?GCOT-aNmz^5$ykSwHh! z0!Rij49(y@v3_xage)RBB*|is&J0UYIOH&l^-0N&fHgakq23>T-n&#Z-zL5MartA#DOwFSH& zEcR-9Qt4Dq?p{1n{!YJmufFSA?bfx0tE)9X?E!%Z_VzETdtWrp9ho~--+bbqyl3-I z=3naTC-43-TYLPVcJf){>XG`1ZS{A@>B`<63lDg;E3b|eUoLH#dp!SoaclM2+fnYO zFLpRlxj!I7V#fhPWfzCWXB|fj5{TnCzPyGAz_Kh0dhz{;Hq?Tq1vn&eilGRcW*C45 zLE0Y7Dj;wc5P-(f06G_tBmroWg5p{?7NE4*etNg5UwxxG8!4(@Nkp&=PBEhDbvik> zZ}I-Z^`$KzF3lgUJh@HwH2_!u8A#AXFY+*!Vi=lcI0R!N$8!WlBASH^7+jN50O1tE z>1BJDVyJ$M4hXKC?6Ez$bXGbLWyam)bgybH1<*LV-&T51IrXA)@L}b^wqKOaEbRxR zqjB!S4==BF;D@L97}x_GUFBySoe>{GH15XZJGEyACVthJy)buR?)X&Y;_3PC8?)Q0 zXLnSe+)Oo&?JeIA)UV(8a7SQvSXCZbJjuD~T*c(hnxn$vCK|UxlN>R2Tt|1JaVw@r zoEp8UeHkyxj+6C{B=Raf-;vWt6Ao>6Kd!Oo==`yzi@&Svxc{{(F?Z)Pd3F3lv*y|& z`Da|srDX#dMUWr%(_UB$FKSOOdt-lCcs9Rf@onSk&dS~E#h0PV?W3lD)*pRWzBqs4 zx5IcbG)vMfiQ^QB<2Z!)2K#wag_JTHV$6JhR)URY+6%=*|q$D=T#?p+gWRA%ZIx|^c=+i$RLt{I0f+)A8@1mKR^*AiAcz~iRq^42^>KR z;E+LG4D12zYa0|%{>Hp9mQXMvuXU-j@_eDcQ%8}Ap(qwGy_7nE6BNbvqw!`LK;tw% z48NL$0t`ctI8KnvvdcvF(duw{3xH$?&`s;oR8^n{_UizGkYZ?@5%cSUxwy$M?%I)P z*+<}#XSW&h({wy-vrST*3-TV5HycO5FEW2;@}jQ?h@c^Z_)DhEI=khs-}ZI-01jD_ zU|}y~1*ZT_;5gCytU>|+3rL!zhML!iVjxSaGo zK5lS~jaj=pX&-LXZ``SzeONlscz3?It+cItt3La5?!f%_z5O-_v`l zJwDsmdARm`SN;6y;<35Mwb?C==SO89=R$oHe^K?o=EZHY#^u+#h-!XE`Cw)5@xHE4 z{oPR}IsdwH|ABA*GT-mIS-fee-ab}6^N^ptsCSp|R(HHFZN|$_>KAt}o>{zZ`0#T6 zLgnePrL7+>SN5Fg;!yRtvaP+}UfsNBamV7_Ki0SHsqNpsc)B=SK9j4T-lO_hR|_DD zqzQ(mXoAHNO``Q(=R%xCkRl)=X^N(3IIycVh$i$Y0=yD~K3_n<6SSzNQHta}%tsWq zprN+|x9qqO#6V=s0A~6&TE@C>HC8$PwsG|2Cd1$7HcJ+6Ebgkj{Z1fYFcg{c`64-OP)ts< zGS^K;xt36c!})28Pn?NLFVD=#+HoKMK6F%mpA^ekNJWq|POXKyGu(I>S-Co5;){Z>|dG*x}GcAwh0xlsf|Ac_V!vEr7&b+B7W5CJFx zQY&U10dbCXmrTcEA$QmvN!ddyujD8X3Xn9-LP)KgPT@>vgp&l55C~@h!!RTQ3=Nmt z?r1olbf!W{VL;Jzw9`&*g`5=ZL1J|PgdALjSUYT@lYeV%@@_PvR2#OXvrL>+3KV8E z%owjw!TYzt8aG5TfsDicqlCKs4?^M*#kZws^hp42(U&7N03GM(>jAh0E7X=7gm60; zu-PX=x7GQU9SDMwoAk=DOmhLpf{Z6F#WoR}{<})LuM#1Mt#T@E5(BVZX;tFR*~77r z`?sN})80IG-7qj)u13cCz_U^v$4jk{Z_dA);H;W(d+S>seRIt1^n3iyuCS^(rPDt) znrt1VOR(5T&NC89CE_x9)ZQ-C=<`jhuoG@|A}?%B#UwqgKb7kASnE$jhx54L_frN< z;&TDDu5|P|L0bRKm&lKUb#P^Xq!eI>1XFEUxgvO~MT)rxS{oP^H%KuR z<%;W~49sY!XI52;Cps$s46vpvLWB}2mr5nY7~BN^I}E~M_&9F3)+>60oURzt8;fz; z*>g?1mC%y(=fyew5fak;=qJ<~v?+=3&x35**(ZYooK_C+s=R&pi~5e^wH;6EPmfiv zJgL9g{J#rFm$of#UO4gV4T3#&kao&JFu;XFoOTm9bWx1m322;wF4_rQ(1~c^^x#h1 zV~3Dr7#xx$AQ|LvQP9D(Lt=)5Jp~R2!@0L7tx_!PF|GxRSUS;(HUj#TJ2Ag3&?(PD z=nr5B47_p&{BZF%f}eB;I$#Sk%E_o00E|$u&`vbc~s#caonU z)A@PI(n;|jnmpq(La3x3s1&W=^?KRj&hp*rgZGVR_a|$|Ui)Qpd#bm#6!MMBr;dlut2bbD&XnLI?*d!OZ!H zUg5DuL>|f6ARo4`{~%8oaN+V>`NAXqt(Vd0e!+ZvRpxda;N;*7~5`y!r zz4BkV`m1OEZ*FU5@uaDIt8)C_+==SDd-bgsK3s+M7w0Ok&zAQMAxNH&OxWHJ1@4n2D(ogP&-?C9}Q+t|3Zw)bK6#A6<>c01U;MQLK=zwAn$|9Okf@KRiw?9BY1wV;+5OrF;zj^W65OQroVj|#5QW;Em z%wl-lnL?_|l8lCH>v z)=wDGIid#)pvHw?$=MYe4_|*%xwvEQ`^KF;jia;WUB#zF<>21Ru3aQ1+#h;l*edXp z5btsML2?xFp-=l^67yjh2Y@lo#4TF6PLM4B@d(d4jdw(f#p7}`%{QmI;b1MxGoo`% zDheLHDJ#L;e4IWB7U#1GaKNzQS*JTGYK*W55ddd6@vWb2hWRuFHY)^|=V16=`~Utv z&o@u8KJ#cMJM9yK+pa_igpd%Qcg0qxH9|pJVkTXrTW(cEh5DGYy&QSEc;@%DEn6n4 z-@T~ZeA&3XwQ_3P+}rt=#mn=LhWr969~1)Xrl6OLZBt``=!i+1@F<0TPd_|#b3z${ zDO`&Aa!J2=RGxP5zjJ`4WAt13Mu!BO^o`h5@_ddF!-Dv@6*VfwaG0_Ru{|+tMs5HT z6Iv-IHeBhr6jN)=I!zP__yxEyz0f_876-!ykj5zzk~qcD@;_1_--s4BnH56d=(UM! z`c>of*>L^AxzdB;rP9;-qnq{DZ@Ow*k>QXlkrYd_s&r5xgv++ldMUOk&z-ov(IaUM zllA+jd8K2DnIs>(xiFd^5(1jC&8WHQNE?MgsYgno>)OG6u;c66)d!XR7aK2bF5M~L z@+@A8EFCDHt{&K7%~j7nS1)X7Y&kT92{PsqBgi22W`b6$)H%MI8^l_he^lFl@_)J* z*u8v;JC{FPDa}@&d_R+&^f)Vf-Yi_M+@0k*4xHu15o2Q}x+UrnD$UM~WL#Q4Tso+# z9NbxZ{-Cz?R{i9bxi{6f+dV^cdcYDBgZKAN&#)Sea93Ut%%16WhEjf8+*i5s-EXVM z-+j0~%&IejtQ6BbP>OU9v9>HhO%73taGF=nYA2PvBCB%D_DNQXcfw#W(Z*iJd1-U~ z?D^X9owdiu>hEq;?_d4R;<1Hy<(o_Ah8V1I|7fcF6pTbbZo?;GuT#X@sRO^P9lr75 z)h{YLt`6}TG1|gEN9{Q=oXDs*S!Se|Zisn-atXbGSC+J^yw-w6L6f+0@{`Pjp4zB( z=w_h)`1HcV`Kz@Z?;5wS6fYMK)wjNz_}l!oKh}3YAI7Z|fsB@57Aj`ur$n{{OXDGj z+9}-4I`ql@xjmID&l~67{Ce?C{o?h7S97(;5h<_W0fQ<5tHf-zy-ZaP%MLp&j?U0 z0Sw6ifCvsUmjG{#W+8zyTm(Jgm;jumA%U};+;t&j8cs5hq#)7JO9O&Asm(%_olM4J ztU;E{tGLfTKb&%T*W!WF-T(dJ<-^5C|E!<5P(DyR#F-%jW!#poSI?iQ?bv4jrhN4G zYi?kXoh7-K(UCW z5kb;l4m+9Gw9PX;A!sTC97=l_7X_v1u(>%6`C>D6Yt}DliwL^o*;Gh0A+cLq4!PTJ z_j6q3mK`V4;9e%5i44=4*EGuE=Mv^FF3eJk$7*Ny*H3&`-FClreqZT*_5J?RgVN@? zx5X#F5Qq^S%P<`BlP*2oA)JxGr_`yaN%*Xp*k~>&#HG*q(%DhY2aDuh9y(jyx_fb7 z;r+$p_3Dm0wJj$rkDrxxEsRb`U2b+SE{A zw29f&?PK(K&S2^CIcm#z&u_sSC(o7dTipw{1%evcNK~1$<;j$oJb7B#O`fQckgc8~ z3w;pMU`e!&&tOf*(rK>^FNT zs=@iOEPZ^9$f!d&%o+qXW|UPaRx@Lu6#N_P=DVSB8p#d(8>^2UXGK0~w(_F`I|h3E zV}_aE@q;1AJ0@k3#KdreJTobFAuGiwua4iFeTLYqbV0405E*8CV@4SQK8<0E6J{_u zu>l7*GseHp={z^cm7sEp zx3JSSwAQyiYs}tkyxUtnwB?@*C;#xf`8%}-kIJtb7q?Uo?5v+yi{2a>@J_HCx?ZV?*iu5^lC=aLAd}YZ^fTUhh0-jK7DE%uB3cVS3hv1cya#v%!kXr z#Z#q=rKhUu`0B+l}=7u)^y)j#L9|GIwXXm!__>XUc#kIL6-S2q7& zY1`b<>h}G$Qy1v3hUhT~fmlSckU$Jgumpt$N5T79-!7A2vS`Gm;g!iV{Da>qq{w!L zK#O_U41*|&glwm?+Z8;O!3mZDUC~o%mkNST7J_wI+MwR`tF>WKUJ%hQ;JBnOp^@8YvGO%n_v`or(B49&76=h&qW zIyFJy3`5Wa%|e={s6HrVEFuYpp*p~+n<|na@|}#qefX;Y&Ju_No!G|SQ}fDNi0TXk zI6-jFlUnDZoYlXIx_7zz+a(NS=;ahVa)cBOB925munq@flRx3Nh9u^g3 z?n>jqnm+$XM0W{baL5u6lGFf8L;^{IAy}##th;Nl)e$GsW^X8CoDx|f^z;Y{>OFZL zNMP&z6hV_T!6ICAoy;ulnt!l#Y;Irez@6fw%J%cWsJ+-+yta6yaes5aMFSX$p((%( zPUkHe8bJcmkm(IW3@D0%ED4z*mW+fV2nqs(AVp9FNdl%f4FQBKwL*2!F%Jd-_M5h4 zWv)(VgO`_FKRR3dKAx;TovokUTzpb}cd>qZPv<)ZJGVnlT4+-##x%mhbUr&6>^cnj zGg=^Qz-XIMDQJ%>HYw|g6u5Y({&Mz*moM}6y_c$w4&aqbXY=E=b0-@+W_8tLXBMC2 z=gx%JZk|3raA4_d@ksUXO;EXcWukiSUSrGUrG4{TsKz}mwz}9sr0rk)w(duCnSV51 z-!;^39xrdNygGp|T>hWx!Dk;{@@mdqG|t~H?+HEko|6-^fII7_c?>e9Z35sM{nt?Q=D25?>o@Mqx zX_v4x01N~Sg#e2vd~lfdLChA;rM?KhFAW(2vE(4|z7hhbNfLlA^e!2hIZrtTQ?`gw z$J8Qx8|M&k>^vY|?o;5sOof|v$8bl_DKm?MY$DTpXfe1ucdyg`e zbJi&5oF$4%=ZFAF@HvF^7XL#6B)Y2`4M3tM*w!bpy3lpI!mV4ks_svu;Bk_TCG{#% z^;)_~)ej%)X?*~K!bk>_ijhjtI78BS4*=$hO2#k@#|BZPBuSGr!!iVg0tO?=9>xbw zu12Ng9BJ$p5HN*KIx(qSYe0u>+qBge+g-KWS898o{c&kqX|6iAt8%D$?^W&4$@=qW z%~#heS3k@y-RZd3gkb`?q2VSpnozX3Hn)mKMIWAx-O2Y!E&{U#jsVVa5m*Xd{^Ds+fS@G= zpM~hlgAgtx83moSK*Oq+|G@9jDvhEQr-RQ=baNl9wX-76>ikw0krcMI4YvwBL!Z{p zld57ds1bKsr4y=v*$4YaKiAV2viaeo9^B@R7V`xXFMdvwtNcS5-1aGrPLp(+AcBK6 zxjT;OwPCoLT2+{5VDDG2R!<3A+Y&QxOk?XZ#gH5J+_s7h_}%G{-J^n!O&o#Cxu4vIk96A9lzlU$oZJSgkIv20L zn1c^K%P#4q!aOS21K%<`Mo9SDddu)A1cxD(oTLY8#W27q5~lz|Fbp6!8emZvv-kh8 zdUpm@k`v;fLW7@14Ik-Hdqeg#b2zt`~C5{1#WN}vLW}6sN(JtPgUGs2l{?pi>%ID3^ zvxolMxv+J!gj@v9Vl2w?Zt<;&HIzi7eo>(a9H0Q_!!uhljgOL39#NT^cXyP2`1s~g zr_F;em+y9_p$#B#Si(8Q5Uzz%Ba)+1hM|BYXoeyC8JB>hSejzG!8fe7fXc7y zZ(KS-k4Zvz0xG`mP7{nFC9E{@6K<^rOQS8}BbQ?w_r{xKKNKr+MY>@0U+5Z~yrA zLgV57@{NzP7s}@-&^Crg%4L%HeNjrd|r^EF$Pc+O`{lK0YiM+ zc|nW?48|}N!%`H3tEkR@1@0VIL-p$;(&Wif^Un7BGr>$5to$xigA5HT1z$$59}y9cgwIO~;v=2PJpJP)0Fn%Sh#0qX(TkX94v~Hx|#p|187^*YoIvSkoA`NHL>NVvcJSM3QXE=YUoB@-O>D05R zV^kN(aV?y-_r#ynxu@aePxGJP@WB@0-ZS#~K9i_~uLQb-IH03M4YKNB9EURXf-*t z)PLCh@!h_Kv$dB87PgiScQ%8+EZo+aq%{l;cj1=F1N#csOdfMa9fjS(YbMX);pGQq zJ}j??50F4<5(5kk7>Wb{Y_JQE&^jY}EGZ0}IXcvTC8;#wXlz`o(7-yNRZmkRevQlO zvv@Nw6t`7hTDwEn?L=Sw?YZBSt~W0~Uf4H4rO5!sundNgIEG;ihLX&N9^ES>vIQ%Y zHVpl(4;gU9u%szZVl+zNEZHAdlx9(!1tjR=am;B9CSSHcOWq#VXVO{ah=>_Kl0a!? zBBV~nhDD?R1i>;Zbqhr8`Nq~$@pU^F_r>^1U^^BVkkzlC@byG z062}IC=N)fe~Xy+v&;?M}5!!=It%jEBEE~ zofp=B@!6*iS5MzyJg;!q@y#$OgHmia&!q_z)#m<2_q2%>8Q5{gZkU4B;q9VXmZTVz z;T`1@AF>$Aq6|smysSbzCX15{g-fG>830fkLs`22AuA&p97kD_##?aUUSwd31Pq0v zB&R|9@j$XEM^Y8BYvSBJE6D9;uq{6TrQ6?se6{7fg=5Vtx9iWIBek7JKipb)QQLpz z!)&_o@G`gD{v3%$r`jd7Gvk5r{yd0)CZ<qbp1soC`n0q5-Ec=C ze{gU;e9*5r4!-i?Z|mESPgdt{)=%uHpPwyOZYwJX^Yuq}ZMAI&T)fZ!gyVG-0Z~^6aD1=&N>owW_uJ7viPY?`zOXs6e%@(KX2|8K37_HijN1f^I>BDJ-je&iza6cG!*PlMD-Z;LrZSlzR4~^~5{?T}QwIe1+dEyL((ku>GdUZ*K zb|=5`x;s~I0+zxt7H3$7U~s^aMBm_7jKEkH0~krN41p313V~l~8Yd}=CILy4(6MP5 zLarifQIbUo056$(7~b31op zy`_b?SsOdFro_3t+4b?@^ZR|Cj2vn1eAB#ny82-2{Jn4fw!Ejg<*?TH;Z5`6tLlTD z)xAfmKipWlVro90{qObSSKUw}VXxWZm<)H8dz=_;ceXe8Ua!nmPv6hfUp`!#$^HH> znc9KZw&vWe>B_d|$wwWvwJsXx{stgclp+Rbnq(=83*>Eow_`fS#+~^3=XC?;u77OT zD1K5Q>Dp1>6pmB^_Ij;{_uYD$_e3m?n+(a5Y7|f8Oa=fwpgUxO z5Cnmn^;lm!sv2Q?x>IB z#s9n>5MuHwf56!J=<;V!GaH1Cee)9y&-OO9> z;W7-x8I(X#Al}DifMHgivKT7a$*a%z)vxZWypmV0)OMb=E9%>~{$Zl}>XAeTuUe71M#dF5fIx@AsTK3?5%txKi)ehbM?T5 z#yRx&SA%D%*srW&O@&k#31VNdV=lte&EdpV3Sf1lc>krakAUnTYzTn z%Z*c`Za|t8VjxpuP>^YR@^`f+e^L0PbZpPo>X!$oY-iXIkRa+W%8@B+Fxic2`$f2d zMRk|QVn9K6RBLm|5nVhKLv8+O#NQ6<*&lCuG@mkxGX#HO4BBEOlh90aBCpDjp}3t7 zjy2&Z?{70N`zCS|?`bwkCDbG1s=T>xXe~aiv1KUb7!~BbxtL3+vvGyr#xIXwoT0d3 zSlfU4UK{`UWfW_rV&NSgM*oFfCZjw%ud=}c4z*_4IX|yf2 z8vk=+*|w{7)S{4ju~DsWDj%Bo(OB=F$a()K?oER+-o@Q*>z5<7A*26GlHlb81_q?S ztF45Xuq{t5q;9e=9* zu%r6y!1CpV>y__2nNx^W}}^jysJVPyZ=mm6NfdHH zLDhj#moXyK?dj|M6S6~Y;E_``i)0Rv(24P1`uf2;W7=2q$?*hF<)Ss4**<;SCTlzFc`s$VXy(cG&v#3 zj{kG%P5t7b=7Wco`}He(wUxJ-#t#pgCtojYUp)D%^6f!D@_NQLIReL+XiH(0V#;ma zygAvNJGXQbF0K9J*t80DjS0E2oDQ?^+0txnZd>EsOSE)pkfurwkE`IW*t_qWhu}l+ z5?gc95@h1zBRZl0N1_(QYwPqB0-%5;NZvuto*hNZ2p2*OeEIr+aI! z=Y-v<`^RC-WG*QjYcizZo)!|}We77>fT`AP5#2)V)e*6LzWLyBWADAi8;u>a3kMpP z4wklvR-Ft0j7158ilybqU;etD;};AWcNJV}7}d?M^@Y9l!*@k; zNa2&mwUZVx{I3jA7oADJ7{YT^8hu)t@x1xZAFeiUAAl7|FFG=2GQnJP8Ddfn4PjW= z1w%_^NXnOi>8*VrnDg)@#C|Eu{WMbuzW&3nmuz**ljf`2|1&?gyt}b;N8{zWzkIj` z2R=f2G#XhT-0%fP-d?!P9#@P_bQy6BOV9*~vFK0Hi{Us{{MyMcU-c~Bkk@WrT0Yv` zvA241YvaW|SeZ6cve*(}Hxd%gh@!1cj3)x5fTgx?Va_y?XY$ z=GonUT{_&H+4Aw-tL59v2kWQaduoS-*j(xEW&j4!bPwat!L`_W!c316YD*y(b!CM5 ze9Zu0)JYRuNBr+-zB$&s^mOy`IZ)fbt$d*V@^r!KeyRG&h2fyeE45t8d9o-g^R}3K_AP8gjVUw z6Rm!XR*Njs`x?2^*vGefnveHPH{KnoTv)m^Q8~DLcX4)pjsXi72NZl%Os&fhqa{BE zue@7Nyi;M;Vu@#hu#W2-OB{AtU`h-B1DM5KjVDJdM~d^O%Cpg>1G@U*n|S5IfTDxx zVMi=C;Sh4>dyE~WUK5rh&Yak=abl4;V^!vYa)d<<#e6X2^F_r>nF2}%Xp3QFSdP%7 z+X6=q=rv2Yogvr@(8t`O580i0(m=wtp>WoKFQiKk_S9q!Ek=_m6+8>_Ms+%`j^lbGVV zjx}d@&%bS)+A98PDUVol-)!Z|;=xUgUDp=wI~uP~W&+iV7n;wmH2`}+guidzZoIlI z{z6un(`O12Z{7U;xAmtd%h#Fen`_luuYT9KF%wvLQoV7sdgTclAH*Mmhbc3y1Q}-$ zUg}B?95kTLYE*KBCJGvUFa~K*yb}6b@6z&XuSdt1A>;7b_&k59yFqOE@rhAFXlQm? zz*pK`eR^~G_`<~xkCW;8n_a5f?)!^EjVnQw7qhU{g)ury*@9Y z)|56yN_=r+-~9o;PRx(%h_JApTS=a>D_}>JWZx@HyP`@tQXEz3#?4B-cYy8}1~C(= z9jwERd6kn6=8JSPXVGG&rJRl$U`3{dlgLpeN>j>Lq{KN&IxhYeZtqogdt z8J^?0oH_pS?W5+6bN{Pv+_tNRw zll|ZOtFsrT6q_4!XKl^xuPX=ZhYmC^?ijES`Z8g!wIJ>rD7vP@E^#-N**WbLx?_7Z zr(rBN=^v6K2DPP_c91YUcjccoGAT#UF^_fBDQ53GlWwy@Ek{%%VS`$*DcQT1dc(pU zD4WA*gg-@w*tIq#re*Z}KqJToJBMPv_&6Lb4B<6(Wd3FI+WzwX0h=|?!fT;cdMuNU zIkWJ}WnG?haa7uq{^8MwL7n=+NZ#NZpAssswYhlMk&v!~^4y0fzt+qjug_kWS5KW4 zb8$%tU$R+|#+sMJ{6YF>!%i!pV@{IwzX2B{{qAi16Y(#Wf zy7c2nZ63clwDfL7)3|?Y;rRayD5Wto62ZjPi6a%wSruMu!UTgy)+I|tZBqs`A9cCl zz=wPhH&+fWyjVU}KRL7X+&Di|K2d)^+dQ(zTiyFGvV5a7x4eTugbVB*qgbQWO|Z7; za8ZsJt;UHg40`5`7$TNPnbHx;?sbMl$Bm4o0l~5?!HX~R6Z=<+iF7<5wPIdA+PL(? zhs#Ub$~X18=BXPW=BjUwHJ`p~Tsm3WQQPy1{l|BMtSL5ak|Q~F5H`gS!~)DrMw=U! zBa_MjmWFy0`Uz{iZqnt9dKD^1T;>#T=2NwzPK|jM|9Ip+7Oi)hGQ&lqTt9_8??}OPl;$)jv;-&dg8)wzD{e(7k^v5 za>)$Jv%ejn75qNTYag+@#g6BUjyRlC0Wtsl#86f_;U4bN3CX|b5n*)jH)aeI-3)h$CxtQ9ZM z7n_%FExawAT6#2qV0JCMC%fu18Ou!R6iH!S$Pn6?h3!t2 zF*?;2nFn$j~LUJUlHhDeWRmo^H=NL+;#@Dn>A2*U(8Q~jSh)D2nnXG-y#UG0L zlCDhfk6-&Tp0C%At+%iBf6ciIv;O1ti(Q=4yI_e1u zLQQ{KJZX*58iW^qEg8mgMm6TOI^*5LN`F!iaZ}U@vU#f|FaVH1$Gr~{3HNdiqe^r5IC=Aoas$*F>6lzw%LUc-9bgo-Scic-BvdoQj&LS5B}^YTvBCa=kJ^J(@VSgt3@&N`25+0%cZ^b{m*K% z`%3qj#;)VFyT{9KYI`q~AC_*^_P*lv<9jOFI*!U zGe7*HdH+rQ(f(Nd&D+L--PM;fLSeHRN|andGp?0oI#OqO2=!WtWk3O$(~O)Q!y zTJ5l@AaHj{q6)0~qQ~siz%J3&gy5SD_}E-=I1DcUTJu3R;6&k580(?$A6#8HweVt7 zWoGg8!m))xh^8_Ur!bVj$ko8w7`x$^*FowhIFh&ehlB7!t5rY43MOLK!}emUaxzJQ z4|_cl@aD}CdG++=#*w`r-ySU;S~|3Nta7>b@b1@*o4cx8o|SI@V__?j-8@L0v4F$@ zMFWz-34$g!jsgoPjKLY2q5F!$3;;_LG{6YR@NGw7#y#WQ4Hb@+I9HnuT zL1_lZNE~CRUhD;ir3ehAII;0ty0c&$!Dw^eRw#+G48_pAkn?MFfeE8VA1)MVqsbR` zLeJarc2EXq07LM?!?ju9UQt7~cJmNo{cvmHt^LE(`lBNY*A)NxO@06SKX3x+i7*f- zf}tpy5fjoE6qO7x1ctLH#=DQyj;=wAN>->HyZimuwP!p2x_o8+7+u;@e|C8BV)gRA zJ`C@^DJi5er5>>u;Q*N!o(C@JA&9dC&R_uR2XQE4DS$H!4bzv}BTzLo)#va-Z7E#@ z^2D`9pgA|`3%h_A-H^rrK>?CrM91Q0q6h-ecrOqN ziUEqk2Ee+?XaI1UVlVI}y52yl5(CdMAx)OqnVIIBa}{mQ+<1f`UzJk<-6m}y|4W7zt2B44}Ex1KC*aTUO87g zdq##-?>>VvH!ohTo|#)Z{BibmbKmua$~3lxpZxMVKT|Q8MGqbeqYt7dm-`uOeehFm_jq1N& zx>$SorZDhYYVkz#z+Tt#vCmyi5jakgG+;3jCnyFGc%F)7zuBS*w}GGuOuaPs*EN`KoBg|k4mLcjA3w^?PAsVgXAa^Pp25#rgrs7)1D3} z?INl*5-f@c02!?7Hul{1ztGhqbB!C@d#hA}#R(F}BzUkm0Z0@_v0gY>hFnF<@<8f6 zlqyNl6h%{jVgbRhsI*EYNfZE-;&`oA=@I>cU}>8>hL20-YwNesB$I(x z-+fUesFc$+%$venwnoIz?FR|g9x(CFRJDFF?AHaMvL#&&c8e#M%XkQqdnR4D9Iw3k z=GW}<7JYf=|Nd!HCWq2MjHf5WMJY=AEUMdXH}70rn)`e8(KUa0 zrgE%$2~?8K)9SW<8X***Y1d0JLo2{C*&OpPB5J{5f>q1M8oOO+He$Za-~M; z(V^HR!ATm$v78f+Y8?tr;+WRgX#f!i$tKR3AQ?hVkEO6tP6FXnb^3$oKA6hM{l4}V zSUTW?6F+V5%gk6E_N4fZh)t;>lkf$$&)xZQqCt2wjkD)97Mg@2qYSv^waE!@K=rlR zl~zIv++Mp$M))*r+rgHmq8|9-M6W%r7+|9j%okE+Jl-K%*x2Z>YiMIydn^%!kCL~k zesN9MIHDf~@IL5gHuomMi8$^CCz{i%y#*)m+VNxoQxM#b|IC&KQ!dzz%4zCp zb4NWk)$M> zX{|30u)d1uEv!nXcIGArls9K{7qt0)1!m($hVo8^`YNQo!Jy_Ra5oofmu`0C{bE}Q z6it)-K_Kn^)+d~?q#ITnZH}=Tju6&buB76_$q6mR!bgzS*DcS_e0WH?8aw%?u%tcQ z1j7;-%8)pQ5d_0h8@(wI(`AI0&Cp;F*oDzG2H8Lu%BrJ+YFe#6|FA_BD!?&dT2*K% zxMO-){jJrX@vG8{0cwsW34$bWoM14NTtz=`B>TBY>!qpAGMqvQ7H8=Gu+BJ3vM9rk zY{OY=7smj1z)7sIwIgw{0x+5-P?m-6tFGh7w>ugab~NuiYFyjCaHH|?@WK!O`}@iP zcjNHEh4af-nvd>$%e79#Po*$8pcn=R5}OG!j6n$spgq-9tOQNUX$;XqLB79$B~3nLbTXg{mJ-&&h} zRp0Zl_U>fQ{)Dk4Mlm!aaij*&ECw)~l3)6ghpz9@fuZT{@2Tu=-rQc> zalZ0oVJr64@`2&Ti5tt?ORrM@s6IMD4p%Sk33Pq4U*feltFyNXwKGST@62CYJoVx3 z;AHQJTgv z6sItTlva2&PT@F-b6ES`9MhZVO;UN*ju^e0GY@@uSljlvc6}GVc&B;eWOdv9%Ejh` zbMp@uW*U#rEN*oyJ@35f(|pz{Taascw2!l!jjmjFR1uw2(OrJW_g%H=J|U$Z3q$2g z`mKj8W>%ex;E{mKmmT8X0u}mYBh8s@<=2%5f2z#R-x;qz*gEugfdr#kGp)-ctRhOL zyH7UZ%zBk6^HkRpaFZaR6_-Dxqa9g@HaG85)Xq^@PX$DotEm`m6)f5t8yR?im$G$+OkgWk`jwZW44> znOv9l(6rC6CUh?zb|Elsvd~I&oP{1l6R2g)4F82;u}2hBNwXX=(a|8P?9`ogO3O@z zX-v zG)Vw@WvM|BG>hWh`PckeoiiC@Bt^1-C0LZeFdXM?FZbYIuc&7lV;Kq~2pq>C{xv}{ z6v?0r16GWGoPr+H04Gq4VhEPR2%L`w?+U0vS)-UjJ%MomNT9BKF2g5--WfA7a zvB|7mkl!;JAv4kNgfPD%6f0(!NGN4mZ)hPAdkq8 z(Sn?tmoJ}wv-GTdZDFQ%%I=>cC}GOZL5b)s@(@m782WchXd#lz;7 zUA6t!mT%Nfo^M<{RC|4O`KqMg6oHZeCozI035KM29i}b12a8d`XkxvRzbKg7o$iKY zUYcWS_b%3UUS51zzDm^|ovA;6-#mP}`TAaC>!tadykCjKi-Yd$2prVR=2c9_Jwd&Q zB!negaCH$TT-g#NYp-tpe(A~LRjP4s&o`AD!dC<))Uhrv*!=rQ?Zx)mr9;&x&jPjE zXY0pjmY$;Z8;_dT&ev|7te@XsIyY3Gz5VgsJI&@kzHN#fo0=e^uo<2(COqtzn}i!d z?AGHDYL_F~kY1e}QSn{TV{#-~3>cgyahBnndgP*;F+dO~%3_>jc4Fk_+LmLD8!zieA1z;N?0Z>1`F{EGP-E-O z|M=_T%);Z+du{nT@8^7m^Vt8P&5Q3oyj!|5|N1x8=V$73mwvN!X>8$U^T2-2XyRPx z)JDA>Eg}MLu56Fg=WhRR_2B{C!oJ^B=gwERUsP4!y=iRS+y2=gu;w=WhMOb~YerFv z9gJJYbraA73jrng<2@-yp?F|r;0h5(abKow=KLYTw75QNyd!<iy&1c_&3?iE{y6EnEAuGWqPH3V?@c**uv7?Ry*WPTEv9Eo@)tS?4IWHOq5 z5{Wo#j*cvO6Q_Zl%7Fgo)UHNL(Cc>v)t)0efM8cL2o3M7h3bfEB-G<>s@JaIXNh=S0hI2r3R<bBB*qD}y6XRK8!z~0wHa7nM zS`HgkyPACQj4zc;h0;D*H01Hc(`$~bh|3>w$yP4_xwC#*Ae520UFnd=mCXcYNmn|Z zOQgJVMC~7SuTrF1`O~g+ROZU1WwCTb7IMX8t)`Q$E_9%5otNY~4?IC%%q2_t0-c^fXrd_FFsf?}FUCh3oXRQcFAsrcs zsV4akeCwysJBgjsThT-y6kn;sVAd^5tX82X8uG<6?fQ`;K}!bCm-MC5iMT5&bFKRA zWtmo-muaipI;BE8xf6*%)F%t9I)P;EX-~FBwr+Xtq8<+m|3Fj>j56+@vegI-tB*Tu>Zdnqtl#pO=W#Q0&#ed<8NHc_ykEDz>KHGi#`AK788!dAJAPt! z?BIv7ABjH9{o4Nd!;3SeQ@O7*6xX z(wU14*-YaGIf712bxx&k1fZDT*;YTmg3FPRDbm{H{Us8K-I1J1iZd}(zjU#7o{H^oK%E9KFbIn7iYRC4=YTM422Z>*)vM1~bF{ZP2 z3WkBK1=S?ncrG_4g&L~wJlEK_^N*!R)noe-ga2N|VMoJ5I%Aj7@;KT3|d{8_`Okbl8J0&btb zRl1_AKRi7^4H!L+oLC&ugmGdF?zO#pr^ra`$j2@{7+JiCk5ymq`Ic<#I#jvcxbkcO zQN?2Orx-5s6$ zP+Q6n_awj~xnUv=$8YN0#g)o2n|@M?ga6y+v1g0>mTxp?PL^&p5AIwzT0d|h`Mc`z zW7!Y0a=9>GyoCA;Pmgq=@w0&fmC*o2oMK};(~_wBqdg)ZG%dhRP7v($fh)4cw!D~p?D zveJ@?XwM!&{5NfqBRW(lJ%Z@9{*)YHLRKLz9zl}!utSbu(*@EDTLnGw!I&3!!RBor zsER-$=E(}<*g1?r*HC=ak+tbywXvb7;es>lPr2YrS_oe;&fZ<#TYj8ayi>XWqsNgR zAc(9*%*0zQdpc`XhjhX~=-i_JR@yOtb7@;`zmR6rqX%T79z7K<$`OVhhAA9UKoy@O zU4%h6yrUk4VbNI+P$W&U7{-eV_@j+&+>6KHyLt$}5#R4FoosBqU*B=Ic7M@~h$B>sH{Bi$zFcxyuShOVNh(c&vsN~2dOlS#Y z<%r7T5*I-rJOf40lp!XkKc8^IsaAsD-}y6ulV=Y8g3*;&HmD0uC4{~%-ZEoQM3pm; z4rqlY#hRnWWtA+hwqvJrZ1H*R`tc7}h=nHumYsL0#XvW!C7Z^`kR?PKU}_1!{LM(? z^@-Y}%fG6f*|Tt?e*cI1!<)Xws~5{#Y?X`4+vfK!pRfy|QqoclIlEJH#mz$2Z+B{R zH0)uKAua=@8=?lcGXW0U*c&+|;u@h6wZo6*X9g5l7t)%w!$SAP%CnqV z=m=c>O)MIiHkYo~ckU81B?n{xuW>Om$;7zyqP)K4 z?a0EVLG@SG25_;Dlp&!cDqIn)`bn7>YaEZqQmoLg)5CbB6GSE>M@A>uKv;}PYOr~R z%?T?@$`MskIGhnA=T}64TaKi3B)mP+OHDe1zy{)zbPzVCWQZmQ!_s636$`?qRUf)I z6r3)YTtb*v4E9OL5O}HZ`GjQ5prdG$m5?K21!iip0B?hU@qK~SXZ!2BU)C?~`OU|-FTeV5X?S$$Sz~TX_25i%%a(=r3kMq82H8-G zgrm8FL5yvuQi<)SI{nO;pH!si9NpazkCPs2W_lvL=HHRVsBv#&{(LxUXh}E zDc36B8TC2MMJsG@e`Y)9B`A56$%uVU8;4Uq*wXK-mEo|_z1nyPo{ifV24M4|N6<(O zF_siIF*~(E?W?f3q6RyxxLZX#CX{sdhJ^#n^w+X(dp9xXl?sPlxA8*uxI8eZ*sC?E7`GX12ED@g9rsN723D&0 z<%L0IwU5}oQz|t25w%5O*9pfu&qin!lm41}&!Af!D0OP1!m8HlZFZ~kbBYnYKruk6 zYO8(2%Jp%)89hrjsGS>CFt=eP%iZ|#+vT21|NU<ks*o8y>f}#=!+j{6cjoxSZ9$Y*w|(qA;lx-zii^y-8uwZ=~{*xW)B35`NM&*!7xNp9Ky+ z4|Tsy*6%kCKIuwab>n&*290!%Tlnj(u4}`!z~NjAUNUBQ(G`g#y1aYP5a(8JJ{lS8 z>t!8DS%r@n?^jw!XtwX{g=W zUp}EK-Kjr#RJpfwtbDt6wR;M`>sz6iOez>&SET!k_<+mpA-^VM&K-l z<0wi|7|Bu;k3IX-($2+Ze8H=Q>HWOg9OX_M!T_iXyGswF^N$6kjb@F#OX7q_HCcv* z$*u6H(_Nyo=F_36q$lK&rj?a{SlV8nxm`N2uzmU3;%s%t8-c9usB?NCVHtlnS@q(g z^8Cvp6!^VIBeiFTE4OgR^0CsPr9+Mw^L4(lXPYpDa0nYnQf)Uu#}fo?POU|u6K-b( z{3@3!*iq&pFf?`cb1X-8BolHv2DHh%HgZ_y&P)#XYxLj~gCy` zmx1|H15}m_M=^|MFchO$YPHObU&SmUo73MoSolR z-E;V>=DkNtGx?>t=Kg~{EpP&7X@)`Z?iRQV&=`p^ILY*&iK8S*q7=nD&D9epj?*Xx zSPBq003^U9aRPwG08Rp$g9U0S&{W?`DH%=xcBMax0rQJiD6#z;iU0&4FhB`rW`)*8 zPf*c#PIM{OJbhC_5P;>+$isDKAmgsx*aTSYs|iG z?%BdwfPFSPY0Nr>MkftWYFz11>F`O2=qN+{SP)Z6Y62NS5GaGPDA|W5kO6`rXq;wn zMqCv*Mwp<@k?T(%Fe;T>L>Wwq6s*rsv`cLUjHo_nygFPzd9?JP_WW8e1t0?$M&c|( zl9DQbU}==37#?d&%q@bE6hmM*GZ0e*qez@s8Dk8E(F{dND*=GfEJ5R(5#0AOeiKe@ z5}q3{yFyuE>NK2`@=axZY50{IG!Zomf1R1uCY>2C{{a*_v2?b2;C)HB(7bg%UExBp`rA}S}F&)y7GAMdVRezLT$dgj{V zR)O5+fuvS@^mI(qO>UjR@3M(YZn6h-IZ4@nTi!9h>%SXU_f(&65lHEv?Ai&D`jR8L zaIz2{?Iuxts$+t35k;nCc+`Y@*F1efFA}$d`D0f9h(&nnnUf_EF{G_LuafWtbb-<2 zhqw#A&p06oB3?V}nP`<_(iSy3IAqA@o{tjNL)oqK9HllOU-cgBw_m zOia;!0c8Et+TG)XV+6E{)&~tBVKABC*a)9_;u(c&fYa!Z!8Kr$n+rLEI_rhQZ1mOc zYM6uAqqPHCJAC}MRcmn2vke5P`}^8e@3>ow8ixZ|0$J{*L`iq6jUG<mO%N&cCkjyp^b(+gdsKyXw8W)ibvn+fL3O z>Fm^fG1qH6Z%F5baR@XR8F3N(yB(6wMPWZ`8H8*EEf|wQSnsqfL+!8^jw!Zg7*=m@ ztv}e=IRB<}q;~%5!rl*$#uN+p(b8P==xM$(k#;OHD9&OOLE!{IQ4HU3FRUp$oER3~ z?F$qlYP}$J6Ey(r+!2pVsc@UP({?Bb-`i@{C=D=@pl}u*?`zeX9iZw6lqGSBqG*&N zQIsLbeqFL$6tAfJ6eVyPXYqa@=72$QoMiYmIcH@uHj&QTe8FC;lU9}LG87T^)9QrC z$|VcJ;c<2}D1B%y5GX)N0%JQKo%RgwSJ50# zXD^2;#R8PUP@ZFG&1L9@(%QekDF!218W)(VHc}H)j~k|W!+Fh@82D@2SH1G6c5qAe z&TQ?>vD)3U&D$4iyWR%f3)j;Nk3Mu_YxeLe_Ug=l#8zq$^s~;U2#h5G-&x4%%Tw5t zKM`X_`s>VESH9q%ijIo(WpfbCh!iiQDT)FZV8uJKV}9Fry?ZXsU^E3#9P8e5S!!jl zU^LdF-_p#A8sJ^C@6l~33MB~?r3i*)Pz>#(+Y&5b2omG8cE5*sJR)vB42#nOS092* zq#a}|rS8uM7%5C-r~JZ~#D*e-g;kA@OS%Dg=l*wLy|G0FWmnh~ite)7le5mpI=)#ri!7Fe%bMsd- z-!@+En}1h(bEdKHYWZ>X@a5XB6V3N8(CW4y5;2|v=<6I&`Ngk!&GZSrM3lrRmIWAr zvJ^_-tb{L7^x#n&qE6#93MibUDH5PGMsB1pG3@hOO*Tp8C1U|WU{pU7F||sT1r&T$ zuC2Sq!_xs(M62yjcQL_Yz=lqVsIH=z-eMS%rFgRs!qHom*=VTzyqD$zC?HUpVF|Xo z;sV4@8OP^3C?!C@wY`&!!nkxlPUMS8C_q80m@Xqn))qhZj%HZ?8NyEnM(rOE&`59hU{)V7Czw zopzv)2z8S_l2N(rN^KW%yV4fPuqHGl`2qFaCn|@X&ZVv2)DJwaUEB8O+O<>jmzQU1 zyRQD}+sfYh{WJBsJ@fknpJC7&tP_sGDD>`er#&>)?PENFd{j3z)@drPpK{IB+6$xZ zc89%jC~a(Qq4x{Jr#o<~Kfub7ahrWQJl#159yF_Ra%9BTv8+S6sBcn^_}AQ>BKWp| zWzB2c8=uZ#C`qCijslDz7|@%Z&T)b9W?_aPP>Lo{z_Ng30M(tG&g(Lq378;o3IMihkE z{CbNpC(n7<&gjP1TS~}3A71NWT=+Tim%py3cB6H7@(e;A=3U#8A`io7liPSO?qKHt zE;+AVdx6g3qVq;E$RIs9WN@|K*6x;y;kl$E$E@~79>J^qd_zE9L&I`JJB3v)OBEFCqj=LX`PVz72;1NV#puHRs$COq5bARv~sTI zSZ%=6%7?f^@fB^KUVDLT_4&%9q4twjJIW9&#*6qfW=c7MKj-8n`dr!==HVpC5K{n6 z8+n=R`QS9g{~4A|tS79LEh5gk94da~Assq8GLccV(^~ylxi-c>0j>G3-eDCgeNg!` zqXGWAO;+0EvjBlu`|g-DAaM0$+Q#w$+f~)#u_=0My)OacUlni@vuUMQ4*$E?4boIEMptZ->TRjiIczjL7xc9|JPNU8;Q$zhIoHc6LEFWVdAAFe2MWd zNX}pF19A+b24v?u=$uV#Wy}1Nt!#g!-W&C9VBc*YQ?k&sXBfBtQ!Go1ao%!sTsdlR zggHmHJt$IHI3L9D#56B5t)( zT1&X>lxFD1GDEl(_lefXFR|Bbq#a?7T1U;i6kR0SzTYofpAWvE8NqEsIWed)!LWh2 zflW;mR1?{dm{r04=vGDR1jRsR#cGvUER(8~HNM;XkuQ@IQNP zf8He3j-e?%Nr8>u<7`z*Yko>hhI;lHuP+%*6jn5iu-mwj$#iEzQmyCwclY_+?vwH* zqaly0b>T?R2Sg}r{nkmZ&rN4iu8c3x2I!^|(P$_ha3sC1jBou$Ppk82o2L&|4;`V> zE8VHxUE1PtT7R`f*z#TZ=Lz~ek#siJo;2hL_0Unmd{9XbuUM~)Si)Ar4O?e2w z02fIEjCFav49Zeo0;9by;2|-FaC^L7W-X?8_s)eN{0=r)we{{NYi+lhSHK~TC%nFm zrxUOK*cXTGj=rgSwAHGKXI(Tz$*U+KDTfr7j#he5#1zXo@w# zh+Xd68apn|KV7;t)x3Fq;Z44J;hOb7VMuKIb%ZYfvx0bZ;u9wpj@F)SDewBP^8Uu# zC(4hrZx&vbp8jFsUE}P-g}M5v*LeNxuIkaFf|qoMoH1AgPhCq^-(g;c6oG-k*FI4lIPwM{t zp{cA%$n%vUE{#Pmgf+{MsM9zcCmeD9t=Tm+rHmyB3MW~N-q=p-v*-e9IPM~^=8nE9 zZxa^@11O6T1kH=T{pq+&{tVx1|i8%@|p129l^<`g8BWw22Y+ za*hVOc68x#bKi~B@0!OiRjo1$Q3W^IYX(?ZlSa%eMmv zlXi!Nm|__M;P?@%cj@8Q?_H6JVlkp3;OHz|sVh6b4OXAsZ(KUMbgXu2Pvh0e+V!*F z)edfjf@Vs8hACx2^YZ6|{(=NQeDFGt?HGOU4||w0uJbcRwuL-rZm-q%{di z;hhQ%FFahjRlj|q^4_v^Q~VV=i&co~=WwmxF$>!bhQ%k1OK%s>q6@DFX$S?(Azewe zq%e3+ktF|)IOWKsHO%ifQt)LN5{f9{wv1yWl%jW{iYb#Vavrdj=;K13E z{XXjP#7Q|4&GRqV^4Q1<^@gjIXjtnCNX^y*wH>aAdNi!h9D*&7c4-rqgkDO4m0p*g zo9egDe0Y*?&OTe-+hvNDnxSKVsk~NwxV!wYbft8?a#AlSxLc>sopu%~aw-hiSM<5xE4d=WjBa@6F z6Q1TbM=?v}t9UOQkAwq4x3-!f`EtS(lr8G`ceUrY8ZVFhd-K|-*8APf2On!QPb+V# zyK0w@3Kvf4KR`GgdXxu5o2BOWN?4%ti1y(PfA#FGfcw z=_`gXoC)K!E=}6`e*(e{cuvl5Yn{2=+J3Kg&d=eJh3RZld}?`(ZKS-<^Z{$2C&uF8W2eyOFO zgkq*CLxefKq!UCC%|uF$2<*I<16%$CU(p<2rDcpEiW`-8DQNDO)NKH(}JuVF`bR#QuERV|S5g10JBnQ3h7c%4pXW|ich>J7b=RIh7?7}kQYa8QnD z0_vc}lod*XASnd~0p-60wqJnp_$*vnerneBg!dv zASOENA%o#G1>xq@<_F2OdyOX=PRWt1pAl-IU<+8}$S53(>Adlzo?9E1PV5YY(P$!~ zUkZwH#4NP+QK*w6cu1WRrqkXDyBsM5Y-mn9V4788${Cm5 zsYvlFewj3?=hI0MlXiZ7z_B1Rz~BznJP0 zF&gknh+03pzjf&1zc&w`u5SN#!F#v9}RXBnDO^=RuCpx8LO7 zJ3vHm`DL=s`LN5SDj0LEYxmtKFSTpr}+cZ9xp((GOaW1i10Qp9h{UCM0&*7U$^*?H-{>zhnKJlMhXNf=Vr4cp zsImY?QI6*Re`bz$JzJ8eNfE|SL4)Jz+ z5FFk`ByrJ&8o^150FdC&hka#z$VeQZki>gyLq=i{(kO*elIj2?4loL3IB?|xZD1&* z0Et18H9mv#2m%orK|`jXH4B@=A&+w~7;z9&b6@<$5x`sL4)9t=wTqWbwPPQfcW*YI z9+A~Aa`}?Qpud|hk2LPyn|o4yT;Kbta=vl#)89CjIS^CegWACdvrkQd!Ve4A8n;ez z#%_3QZxVwjh7l-@Q49qse4RXj7(p^9Nn;G80U&9D-OT`y#$w^NU?L0K2Vv~@3;Kx! ztVvn~#F!Pr2~&irm==(eiG-I8d|E`^tbf_2$+93XU_FP1MARKX$5~A#J=>M(r#%|2 zbPhpTa-m5^7--ri#=dGIp;7VAiflBAC}Ly1W6X%d{^FWF>*)kr*aC$cf z_~*;p;|H0z((RyB7Jh}Q#~7|7&X4s7WQ9BstMR=*;Z=H~hCyRyU1rpM%DEB)a?DrPu1B59tAp5jc%nG^r|%Z7&F*Q=>@0kFG{l(E3`Rh5IZ2`k0J&_r z8{-s{VJIL-hJYM`lAf$$CYLJ2Y67ROHhAvYGZMqyA!CB*`&Hij=jK8x#3F zM&kqxahykFw`!%QFE8wve>8uox&6xDy#4YZ00@*MX+TTynqU-z0}N%PGa(2m9LFha z7+MpOBxsDp07|0_15sL<)r3Yd8lVg-LGBcv^wuQmS!>(`qJQX9j^n(xK!VrcFrt!1 zh2u1ZF&KyIsyDg+a=wm{1Q55Wl*jH<+H($?6BkLCRnDqXhQrgE&}cR&VqUsTMnnn% zkbuIN9!xpDzs^5u?)_9hb6q}v>buI}ezql}z=}WRIyRmK&@==jAf-)9251bWNeYnY z;Kqef%dQA8D1$R3fkRx9>3@YN5ReqZGNS=A^dO^|aH?&3vsxr24-tbU_SLD)>#`*L8{1Ju{D1%bC1oz+yRV9IA6lZZ2aY)Oq z1tV#K6EE~}NH{=o98wU6G=Wk~AF_WE#ZdysSVhrZY+V5#9Ub$GO1;>Ft7w{32wqO815oY4c_K=dzC3j5w@g*hrCohHId*hkM)!dA_nw)q{W7ursC1 zu9AjG^N%?8D|C7B2;)=*g{rpXH%HO&axui;>urB}GBnE9{zg@77hLIO={T#wQogD3 zMilLc`G93zY7V5<{|Jc&BtM9QxS=lNxc4)YM?gFtLvd23WRWu(mEUR3lw%0{>z zGmMmtY#m5ejk35#J;)dO%bW9~9`|s?LaUQSH$S?(CPWTme9#IJrXjOHd4k zZFaHGW+buv=(r-U<+~OclJIK>AI%&!M#lI%Q|(c+j0IdN#k7uJqF)_0{lc~Cw)vO! z%cs7~RQLU={`7Qh|AADX@-aC5??VigjKClUQ4-K7PNI-Yb-TeTA7D@vgAibFfYe6@ zAO;}~a6aMrYVK3e4VLw!6k}Q5{p+@YMjEwipEmA({(0t5zifwq z6h)92B~g3<04}GuI6?MFc4!7t6iE?-=Q=V9Wl)SjAqpv+z)?mr*TD!JKpcnNLF$~~ za&|YTH=(LmL>bJG6iK7>AZ2111}TQ3D4Y_vpDm>=gBg%&M8!Yo z(x%WA`6$JpkYO+&UL3C6$<(gBjfamrPvvw z+OA8}^OwJT;x#uvT%Nu5tH!b8-_#%M;5}>I+`(DC2P#umPtG1$I=^&QgEo#Iuie|F zuU)=TIrE#!dCtfWU8=+|hy#)W6irhk4FFu03NH5?RN>CUIDbDs{?*$w~m;DZd@)Poo1D^B`=6`cGr-=7WI-}xI15VL6 zpiyxTTz@e0m+a!@5&Ocv`rcjryfAsR(CA%1c-SV55IeEL+06h5=)prsA` z%W3^efk~^=6CG0s_02)N+JLIlS*yd85tWvI4sN3wwg$}5W1b97jca{D{%seQj!_0g zHlku15$2;K4Wwj!Q4_(T(xC|qr|ll6Ly0_Jip?tp8uC-zgP{E@RX&G>T~C)RRmD@A zR01>vOt4p1y#y^lB|fO2;e@L=Q1|^sHQES+I<6#%LH_ctw5uEh0|;A+VdVfANZd{h zP(dfTP3!{TclGnfY^|4%C%gMxU#(-H2`Z`}K-9}W>Di9C#tjLzFQ(P` z$|HOavr2oi9Plv&ABJ-^{E|0k&eSeH{SWQpo5qcMwFBHM2GW%&3@1nmMYv6v%>y%k887GO zwpBmYF5mic=l6}X?{y3BhZro9K}ixafMRgS00tYpiZ@6?Q7T4J2w=7>nJz$@Kv95$ zL6QYP&Fbi*+7EC35+16Ykq(tP>M!TdYGaOz$lEOP?W$)90hzs6CAlB2@(S| zP4bWPsf%S>H$UiiL5+kY1!;_}wq;Fd&2j`UPN_ywhu*!XIaS%$ymO~^pqs~ULa7q9@)~%7f(+3_Ie-;H z>jyZx?5`*=P^}V>1Op((Jsrcc|BzN~9&83oxe{6!Nn|OJY2ekWJZgnctmbVW3zkLA ze{O$YyC)#PD4Gjr&Oh0MK^lVuj!M@mWq@Q*NYezzY4kIEjG}1_qX`tFX%sLtC7mV{ zBt@YN#ag5WD_16psj`i27`(#U{KL6zhU_=LTlg@4g#}X1?}h|@~(CCUj5Xg+TE+Qn>*FNvNR4nV#_WpLyDIWT|tBNImVNJQ`bIT zwbovqTRhf$J_F|NEx!4t^|9;uzV0uSfDG8wV~C^V6gDC0h!~0hD5N-7pL_3_ zpfq4;6eWAq?2O^TywJ3NJPy_NNo`id4Naw$X|>4Lc}{lC13lX^zi0Nov2wn7`&4bu zwWWRiJQ9K77=~hi=5)tJy7wvM7z= zc-P_eD%xQY$-{`9N!*+{KD%f3PV?}a%16bw3rFhLyL%?YYj5s05AOOy>%_RW4WKs zOUke(!7B5gy;J$Aap%Tgbgli}8+4pI^%%q{h9Du$Fc?k~6x*dqEP|{ha9NJ!rIbb? zfnpdZLd)h;t2C0al`nFktVj$nI1XtFWf%$o_TQ5&Wqr9=R#<9RPHWh~Y^UzJWsBfN zze)I7y5KIU*2bHS#?@Aaay9PHC1ZiiDyiJ}e_m^CLws3N%TrdFOk{HzPb9&%@1AIJ zQV?vbfZ66G_n0CJ?fCKH{@J~AFPl$ZbC0cxVXn!LEhNKFYV1me{}QK0){%kCCEZCr zSk4*}|Fv(TOAi-kS~uP-?XH}xKlbnHV^Ik4{|H#ZQF{WtiBt7m0PyO zJB{maM(T%8H;)}(cv(C4X5mw7$By|Uk;*+57$65%&X`pB49;lRQ5C|0ggue<o|~yY_)F{UtJMSh?d6tbt!vd+xxoE%m;~7mxX>0daiEHJ z#g*M_hk?+L^atb!%?`TQJhAanbSlR0+Pt=_vfAVh`ITNQY9HxKFPU3Tl~(>&=1V3L z0pIeRmLMoKC;c3D$qrsxcQj)i(6KI5l$wfTjVQTzg@;; z(Qtql42XvUyg-1DkhuD|5DMhjv4v{IYduoBH4f}7V!lV+12nc>Ip_YvXy$XHy@ORA~~7Yla2U1`CM3* z@?^7xWX3N?@Vrg$owgXQ;kDmnJ=vJdQ^?BV*{CeyiObpwldZ%rxuB2xVz(=!!jSAf z^MwO(k1P`iMY6d}iS-&WZnpXM@j~p$nEGYhzC*k+V zRzUVv9(QfPL`BVM@t0QhM42pQi8oeMrnU8cqm6cN!3dx2-`W(*rj#e05B!5^_g7e; z12S(Uv7Du6S38icJYRk^(s{DF;;SZH3}jFh2glesS+cG*EdNTRqqQD3h3x--g=_u# zjQ=b0Sc};*I_3<^kuu|(`j-mWDv;!HU)#c!@exGZWp_xlvwk6xXwH)f1vGV#i|gfx9+b-eGN*yfDHBM= zB0f)cZFsmgA%eg^IKjQt0AzC+Pc9JZY|v(su~;M#vZwr>Twv|$S=*Qz_a4@cJ#8Gh zU%kGxgCLRCrw7X+)~X?O$@Q41?y7$@J+IMVe=g5~&we8nyhu*ig&nzCU zZ$BvbS#SOc{*lj>FhWSe)SFQ@ToTfRvS=~RoLJhqaA|(e{PQ7%ny{BjeEO=+=SHG& zA#HN^d-Km)yPwtWzH9Ay&^)lKcI`Ol-Bq?5iU0&oL(Ub%P0(3#+#|(0-n{yDh%rd! z?H)(UmC%pc`8w)+ZhERfYRoQ|P0wed-0LTyoO>C~+rIlnp$S?suEewZ= z|HF;Ofita7ds=&r|9{2N`q6vUPhXxk-}8M%r%R7yU$-yS&z<@5q_y*A>&>3#p@&T4 zz>UVM)Aik-{_w{k2DYTv6vLE|CQ^oABLSn3;c7)P#;WIYWwB*5)DIpkiVi*?C_qCJ z1Dw+=>*l!P?rz!wnYdtUXF&CBp`{3#Wscg*tF067W=}VF+}}F;uJQ4G>&2Tt2+gkd zINMadNj}A5=i6B@YUg8Za`@f;t9JVgv2gC!jXnDmwe61`Na1tXA(1BwKbOUO;G&P)%`sKS@hTqWj-7OmxOfh zNM)vW^1#^a?uE;X*IOU1Xj{8q)?eIdK0NtD<;W0!RY8pX+MyhA^%(h7!XP0SwQzI( zPUWZCaED!?aH}f6qzZHz(|^Z$8tcck7%(m zt<-Y4cz5B1d+tu_?y1(y&A%_aYdn0ibh7x(U#rg=FJ1{r7<-Gk#VAImWlKy5a4S|e zL3J<=rbAPFppK5%wv>>3mql2%^X9i2kg44H;YT5>m&97His^ltG9O>OzlB?sW+uQ` z7(NI)TPE0i`_$jKbou|{TW3#I&(_~OR+_fdZ=J2(Kk8h#HiVP}bU4?iYv@W@N5jJD z-4*hW^;a)yPfk@o)^}X2T>R@0Qt41CX%QoUL?gqGrzBOrsde^w{n)kEqsOfm7piX> z=O5~4hZ?^ry-Q7atR^!QdD=Z<$l_Y%po>V5o_}4c#{LQpDEy}2h(%LW280V!cLYaf z-&J1MuY73T+s-Jhi}z~pFBJc)dZ2Y=m~c#!6*|rygn3Q|^1ZJlRbI+Q2JL7uuazTl zE*g+D=U@@wlL>{H_S$$43NbLA=EkOdSteC+enUcQikW$hfk<|gdn9JFs1BvWkw3T> zZmwhQZ2jxv%f{Uu_16z-A1^jeyr^7Uc)0LcN48GB$SiHEzqvBZx--p)g%B~X&VE#wGQ)aA1@zkPl8e@o`5I1*rbI+@@*pAFJocp`k#Mb@p~ z4S_xSD3Ib))DLv$H^jY6-uJF=HmBw%Qk|Xo-1vaR7OT3|E7W?$k5+|s{719GYIT|{ z0xHaPFzJbG4~xp{O!pATY%$qPBX;$V8m;Ze5rtK&RM>4}n=fLY?eXD+UKvG&(`vBl zwF<+J>`m8A98mF%`QaqBjaz?ID%9F>m04jE&=c`UpV}YEe#_oQm+Dt#v8})7Kql8~ zbd_T&gTkWHXstGjYvogVm1|vJ5yWHFoC>pcbH}jP;hZ6*)Q&2@()bC^9}Oy*MKx+x7)KR9Dn<=jqr$A+OqVQiXlecO zt!uUIc`|Ci4-UUJ_C7~7=-)W}$}e%ci=C4Ui%c`F2&Sp%-r_+^GA!9=lAj6sXlDHdpQ5BdGa#1SS$v%Fn^3=Y=dAd z)DE8d@_hd0AIuY+u^k#ml|)ep2*A)Ny+Yxfr!a$vj1SRnS@5C z34jNCiS9I@nK2ce78gETOiVi^MQ>a`-FkS{G{2*H^l9}@?fT=nlWBp>*6K|aT3`8MVa=D>8ymkY5P3D-n7coYFbwI>uM76j%x!pnRVlnT>{AwwZ% zBteaP&^#bV291VF5jWY3>sK@$$~t<7KU!=CZvq6T zbbKhe4%``kSE#*OGbly?hQ#^1!K*+k^ADDGax*_^j5&&A07XIyqj4Gs=w`EOpkuZW z9G?`lk9*v~l2gz;N)0}I4rL*sErw{DeUcO(!YMk-KUvX%$RP;=#~8q8=~x}a>X9La zkb;oLF_a)6#2A2s&4uYRJNR@9X>V3CJOls*%ggUTq^STx6vt^2^dML;Dm0UcesN}7 zAAY~zp)uzyhI~9C5{9a%Vqi){f-%pyH8{@Q(_CZfn0Z7j>|NUVpWjrEw~la8R?)E(l~?w1;fyHFeuGX1SB8^NRpsY zX%Ha{#Uag57=!Xs5KneAGcYl4Kl&C7V32|+P6YyPqlsf7w^yB z{Z)PY&dSY&bJgSg1!D0wXT=^Q;cFg0R@vLSes}4{;?3%#`jrc&`5BRbb%@kYhS4~Q zLJ9(s#8DKiGxx(V3WW@bVgND#rx( zdx3$%L^d{^F#87cppk$+AmTc`*%(!bDnvey5ey&!0|?P|b?MULvDUMve`ucCU;S9U z`0M(<`*SDJ#RCi5mrmE-eV)7AoVnT0=PtWDNK#OWnH&HLkdOd`^zsUEn!qvc1(rTe zm!t?1faO1thAV)%l0FxbfMQUZMUIut`6GN-%U+m$I9ePnNxjwaTGdOw+LaSut~Jga zYd-68;Rpfy*z6Uda&YwkP(LuWl*`CRjcp>gIzdDLS8{8V zy!}DbWCYD%B%mmqplF=o0)2|2rkNKX$?FGx>MlZTe?~JHiY=!I0AdVD!{PDLWHe1- zG{6{00ES>t4&+)Nz%)pafFvje$4L?=A&Zen49$!KOM>uF&DJa-5DW%XR;LA`6o1>Fk9q^M|W@|KH-?%9+}O+tod-ySrPD_RrtLtGAomy3|eG zFLfhX3?nd#K_LwZ3P(BUb)6ltuAE;LXDvbG)F}5p2n%WLOzXs*+Nqh!>)DgFTes%! zE^MnmIrHnv-o>-cYmdme^PJy_qn%Oy06A%t3Kcq%c$JYJVl>V?s6T#MJu&xU_Qv;1 zyXG#;?`#~}@#B|gOHY>e%s#DNUVJ%#AOWp&ir1tUN)bhsJ*22!8Q>#=7)VztpcDM` zGz$1i5<8lTD?KXz6eoq~jq?^_VUx)at5(PQO$XO)IX8nSgA(00*}!hH<&YaC0L21I z7eRJoNh5@EOV4kwpE&Qg)DJ%UrvB_&1j$XYrUC23E7r|&L{Qt-zOgaeHYRO$e+KuZ z`Bk#DyQ()1wyvIN-8>Z&{#Zw6d;F?-^G5UF_Qt2Z&1W;M-4AN_Km4}(EVp#xyZXBa z^|QwpZ#B=p8o*RCfwGbr=bHwcEUS4<#k_UGYn3`3DCI}oClgrg{mGjtzAYMgvr zzk71&Zsly{apUHp==}4M*8Y?A!!tk6oLx8|VPsp8=+YUovHQ}}_S%v6mDi2?kE>@E zk5!M&9%)h{Bdf6Ar`^ZPAZ zI4`NEIsf!{CamG{yrWE|hQU=^`#&28SX-8F+BwzU4b;ey4zI*7G>K_^LffmO^&sZ9 zdku`ae*sLjwj%y_kMf3K(?Dmttq*J(LvA{3+UkI`SNOcG8-_opBk@r=5{Gog`7fjUX9HJT{Zj`ASeu<`9sUTb z_i6_ZFFyNn$5uafb$$41x~LP#kzgPcb}72Cv;cLDL~%bAz;Hl&d_KZMGgy#@jK?1& znE-<_K|tU>Uw{A*#VFvz00V(1NI;Arf|!>iy63r)QLDp1kI50r?CGAaF1a#sS7Lc4 zb((&8c($&&E&u1mwQ^*NLa8$ABu}7}0CFUh_NTfdm33O=h{1tU?P&bJBfMK&nV23M zO~m+jbJ;bUxiigM$AA0p_4g0d3%h3T*LS{cp1ak$bo%F+Z9j~B6jFn6PeXiz ze_yEc3EG-BNCD7n{rlqG*71Gm?;3Bf`x=*a*57@uz57r*`>}EF@#5{jv~C?zwyvGE zaghsF(WYd8p#V-1oZZZ?k2WQZ7BiWdh|sDj$}}Pc7&CWfw08A%~F}I&r1)#sUN#vdG$^6)Qg`#UYi!EONzIOTbZ-lZ* z08ZJaBV&_#TnozLa!kjVBI6YTJhCd@M}|RV^wNGE9!i+T#qd`QBc&n}ry_Z$+G-ZS z@vUM-PLG?iQt*w<^QY$SF6~)-RzIB2ZN`lh#{VTOe-DJ|PNr!cE1O!u>tU<4fiM(eT*J?32;t288 z-3yy#Md;X=Qh3xhYo#K76R(-GX^_@t6?!1*_yNuU3d0!`-)u{eaJ^j@ZyfQOJdH+oI56{}F|_z--Z2YIgxkMr?b`zp2^NO;EM8V43I&~n5$mCgCh zDI*#f(pZyNwiM%I{K=4!q9Nof$Fot5;87ww;hScZd}PxBY&^;b#+4zAn-9`EsL2nc zPDw5PFu$jM?~%KHeAmL^#rmeq>oBH)UZnPlR0Nxj<_QHVdYE@bFw@+oyC)+ zcxZ&71Wn)&a!8{8(GX@a1wC!c6(km?;M{fW+xcBY^{BeF=cE0H*>~BwPfI)J4{Pf$ z_>*ZBCRd`n+QC=#-6#F^?PqFl-p-%-ZvOV~=C)O4=Fa`Tw*CCi@2(87`l*EeUxv8V zI&s0mHWAT9dWC)Ws1kj9@8|`syOUXG2xjDMG zljLYNIcjp{g&>|R*xQ4TqV-b;Yo`vE{qfYL(&&^Le{?OPy zOsMB_nuwT9p%TJu$`D(k2coGin_!=kw1hw}<$gC@kd!owbgS3YQugqIUr6Xu^u86yb>hU8tTfwhT$p zYE_gdje{)jflcS??N|%$@c<_o>VY--k4}gNiJJ;SM0~a`6GGFJ4wRCm;6%We6xv6h za0w>Lazv@r>%1z$H6a$wg-mKo(M*n)AztHGxda>N)7^2>Yu!qtFM;f(ST z3}uMhQszT`%aBCEHLf2a`K!$UL2(l0N0BnbO_d^(!l0aVYx!%|W=6|sfVAXsoe-dz zGml?>NihTe_DJr`*QBC5Rq5fAQTh9D8aA0tO*kG##1_rRX>r9laj*B z34w2=ziU<*O|)1At6g6a`V>yYdEoOODi3OVKj^EEr>n=8gawv9<~-`N1OrZs91$)V z2%<{oGC(6o(o~5k3G0gpVl|3%5aQ7GoBu>8s}_Q!Qfy^+j)}*ec@90w25?r(qx#UKMy!}3M-2IlH^LBO z{OicQFSZYcx2ooc87#O}ry}X*#s)(|uIfv!Qa%<-^4TK>f?W-!9X9SI{=WENTLc>z zoxvMR_$gb~m#{bsE`H6jH{MeF$HBNz>2%QR&pNbr|K=!O5VCYwlKpl-hgC-Y%-*QZ z`Cz^*m6vj)FIy^YMCm@@oHX#)&4Dy-)H&=)y*00-Qo7Ojkg69SLR~6n;?oNBQ@C@= zshbq)oN=V0QO-?*4QSkw3Q&A>gjFOFLhYIw7jS575La0^?kufOZA9Njmmr85NZTr> zJ+BE+kV$%mQ?*hZ79Bad94HfjAAI#eSRU6ZRYt3-zgGK-g=Mt-7`J0jM9ef&FzHBh zmc7QTd;^&(!m~ z*Ipe0JPnY5rXhrYU0wg`=xGE%m%{>ry;&=`nn__a4XJ)tGi88=7>xsxX1^x@FCcIT z35;Z2idY|f8p94SzY=_!jA1Z_!Wa_&<#d9f1b`$DaYTThMz7$f(X_Nia1_T#l0u~b z?I2(vj8*CyxJWk5(%5ICr`GVogNc$n`tFQ z`s|wk$HsHwL*4VQ@8RFCZ@%2lYw=YsH;&zzyS#L9wDIOa?cVKN^Wn4Vt?GxRYn7`@ zM>%hc-Txn(J=u7E93NXXY;E$Q?C!=T7uT6Ogguqqb>NBVY-2O&c;={kJyL`O(;~u^yAaAuY8IC zm+jkuxW?x%e|gy0eeS#Z^KJj9e(A#8uGW)J-^^aEoDztT%oL`>YE(>w$g~-RJ-Al* ztc_*nFe}wMm%}m^6c;rsDQLWY>vnzr>&2_-%D&pR(|@hKIA7cM=I;UlO^^^1PGRgN z)^wZ_mxnS_*eGD6f!}J^b~GMb8u{Jah33nh&E2QwpM1I5y8dx?chF@K$VR&R8zoC- zKV{JMl6rjAD24gCfzTw!Ri18%NCfnaWiF!GcQGN1$3tVWWLmFuD^SDc#N>?1ll4!h z$N0zZ+9E(*oJhwU7C(PaWTV-bR+SH<{Aiz@l4+b93D3z=ZpzH>exLx|JzV_j0s5d) znGzp8Q#NHEv~;nmbTDNY5m9?~+R21BN8>To2oPts$?`Yc){%a(bXd;XbsJG409F;? zXBPu0(WG{}lHSoQF`P0B1@Un~`32ZsN?ZqSqats%c?^@>;$zQoU&U>78Ali=duSvf z8z)K*a*+P}OKT(|Wh0Iobi;`YP&nnXW2vb@CDvvK`a&mp400Pd0F!?nr|L)Ew@w_L zy--}ZVOiSgublmE?ppPv?XSN8=p@kdxsPOs8sk?VWk`M!OpmI$^&?4$#mNamh@iMK z>xfC3-+wzBa;p^CBB~_#+mfr$L$x=1$7`=|C7P#hEZ+Y8Z^E@RubQu4*Ut_ES_w&< zq%aKN7{&ksr#Bn4atp&FjguTCgVP=hPla`SAJQHuodJ$VRTJVklv=!q^G{2xVKnVp z-1h6GBemTpTDOiReKOw=1B5|>1{j6{2BT;U#Wxp{(qBsR&(Kf|AAW>1Vy*~#V@0Gm zLXnUp0LB4u?+sK*Qz(U#L=T`!c1=?PNQ-;WtF0m?nj#A^H6ij~={mlQ8RYeV#qpe0tYeecOD(&i#7TW-t_>3?*3z0DwX%3ZM)Znps$zfixsZNaF0kpdVTx zz?kLfLoN>|fD}geK`R6lMgoS#SKJ93gM?$!YhXsZ<=lSN9T~uIg25r6**aX-i`Fbh zB90`lb@f*yO5!w%)7(kES_Z0ItDX8hx3_Wr;m@CM)wbVWxH$i+dHz}J>gV2)0F5Drz#JchqpDK?O}gxuu>r`rNYJHfC!-!5WxsdPXS-S#|ZjBkfL@BlY|JZ?Y`7J zyQ_BNdE>&iwRe8;a$)21-uV+hR4zA;?P$F_)V%e&ao}w0(6-q^7fA3cfqW@hr9c`-8I-|j93@GT zxun2-AAxbhm5IKn`ql-GkE}xY(yDoFNE| zhP0?7Ti6a-CvN|x_Wa%APrvHt&HzKBD8o>6Z*K-Ll7Tb@p|mpt1d5}8#D)O1rU;V3 zF~Cp^NizhF_48yXMWQ5uO5<*>w3$|}+75)r>B{HR;qJK*X?#teaoW8qq_BXd8qpQ> zSvJiVO-F3xq>oKmIO(%tw8zRq*b^zU>0P0;-`gz&t|Lh|LUhEbW~R6YK>Mb>?4p@u zx*Hm#-~M7wM_oNS>c#&MN|01AH>jA5Hy*MMB5EfukB76|CU$1-3C*3*{rkd)`In9B zFK5q;_^0?f@aE1q{{+RVPxw~Rm^tvP zZ!5=Q&0U|DcI$s|Ro;KOKDu~mh%^wVX_Nve$&e_9(~#QiJUOlc*1^Z25FelBSH9YA z(@c-^kNR~`i~&TKBY%p27Jqe=6xBDgm%pvtUp!j7^y1gQP1I&?4lzCiNdtnw36dr; zK+(kJrpY1Rzd_DB<_b(<>gvB7-uj7!x_N2o7fkuA15&y;Pi4F zPordCuzr$4QGl~n+qRQZmbxX7{&_D!V<>}RfTNL4x;YjIW;nq*C-r4;ilS*wg5TL> zB(`uP!cNLbH1D0S-QF{|yLs;I!lTxm=L>f$ud*R2=_r)J7?PoI5$UWw1jBGhU{H8k z!!n`OInoaC6C1NXee=h;*FQ9GJ+7ZSzzXa)oC%K?$0oGW6H5k`H3>0D50d<1D5Oyg z#Xt|{i@X)2##|E|J_{*o6tyzSh)gof<#OnfwxU`q7BmtNq8Lg6@u2bNPrGX$Ue?a< zZ$8;J_k8wV^Yw+L{UiNmA4R}rn*tKEPex)W10jR;p~_$&fm0Zb4nvgzaDX!e1!`p^K1C8ySc!#ys{E90bTlvWLvvwGbVdSMS?MuUp9Dm6uoCZ`Tr zi;`(;{pqgO>!Xb`*QZ2s`9CFup1cv(&_Bh|0Ekn zFIH|ZJmA8Bh@E0d&+cu!yXjlpw{+mk!^J0GZsmXe{G##VSZn9w#rU)yg8_;l zNs1r<#xUzkaAhPz&?F>q21NnGKz!f~cM$jHNb6Oan1a_D27!r*cquLE_5j3jVx{0b zfY)0o4FiloQE{(_s@>Z3U>;8s6>)buknoN0kkH#-E~Wjd9QTYNi_&bSb^gWty{SLd z&KzrA``mhZXzAie?e_8hCn0HyA(-W8LL$}x0HpvWAOEbf^<{9j-0EMD09xvnSCbEC%RcoB?x6a92c*l(HsHePaVB8tiG0E`(=zk2+ybu$Y_VAJyLAvGQ0U zfV<*GGygs)>+C~rVv3-qH+00@%|FyV(9s7Q&q4G#^1%NS+JlxT;YL+12M0a(u&QpK z4-+bS91RO@5Uo$okS6Q_$iL~PAl~kx7+O$H(1ZX?Z$g+lYok1;4JS zUyqi3QT}FYA3fXi#;i**F+C~ZwCo%^GAh!eN<060VvmWkjuM(%&0Tl;7tba=xVFqW zz$aOp@+fqJ5y5wgQ#y0VZss5?#T*$;V<AW?JPK4TIx>Q5R%;CK3iGz(}cbYd|{Azy2^z)}9eM44&L6pE5f|Q~yg^(ag$Z&SF#bQ=K;{agX?Xf;F zD}z!LMiDqo0gR$yzxo)%U?@#PtSd=}tE{`IZ$f=1=J4>d9~Cod)H-ccCSc}0F*z>-qA1P`VsIEr0*F&oubso7ebR4o=@`?1Ou76uw{3OyEKC`oDVokJR8CCH z0s+ZDnpn;gL`|@D<@(=RkFM7DU;cY@$EW|-&(r`!DVm@tDb`fLppYU_6i8=BB)}Lz zksJi9ex)EBV@Lwf7*5eBiQzQfrx1$~Bm_7sO&jb`#1@)c=;2gj7N3?{4=*g;`QyT~ z>XXLF&t7@$z_x{#mFp1`)XqNX*(n`YPwIi%mhIj3?AhtR)%JXDZ2M{cR_oaN(eLL! z%su&*E&O10ESsZX_9REr8j)hwRK7T2B^@v>h~vZyT9HshBUznlTzE78a`CfiTG!fn zXKVe@<+T@o@lw>nvBrmMe{S8nw{&6tQ{~0q=8jiy@m?X3)`5F|G*jkDWZuXioJubp^ZyRiG`&j%LHFK|z1 zh*iAm&yTdu&eX0xUwFX@ECwoJZQ-g%yig@tVOnEYB?*dxC{Ex6MFI@K^<2u5kvPo& zz|ah{QVVA`wNS+nM*Fyr*XUD@do;naq&t@300$_BlY_Wp2pO6tnO@AQRM_uL*$4B) zUL&a*$s|Hrr-(xy&rhR_$oEsRtY%cD6ZOGMr)pPr)~`RPA9&d~`_5pf&)i>l+s_kY z01`AqLt5%g2S6ztkO1#B({& z8%r#!*={LL$5yM~BDA@r+dH;8_xcm(LL4I*3}Y~oqR4hw%zuf?n_Iu%J!HXNp=bz5 z1`rI55)36tnaf@0Sj!WMQ78%-u$+X@6bgo*%*7zXKpbN*eC7Hw$&M#w2#KL2LEsQY zX&lltkmS=1X`>Od#p)xV%8Rd7`y@GaXZQZ4{&w%;5v=j_R`bf~+MAcni;w>FUzM3J zH(OT@b@xnGs$?pvyK})Jf<3*x^?yWJ@@3?pQl8HL>SN>h>K0V`{yB+MFEt;P4uD0kirGHA^ z$^WTDKB82UV5Ru7=~R=ffc2MVn#75XF-^9w>}(R#4t6Nvskd<9u12bQDqp3#g5 z>mwYN^|7HkbFX`%ZhsVQkqc-9%K^e@Xai?86$9T8^lrRKeF? z&2^X@aYP~`g+x0Nbecvz;Xo|!mLpTjq}o4{$o%iKw%**sxEo|hoz>?0hcFPc=R@~D zDI#Ll+1GXQ5U>4xYwKfJ5$PO?mmx-2&`bt9|G-S4_IR`N002h(Wld4ojlrCb8j|tO zzv3f>Ku(v@cm8Sisq`VeptG@@g4IzMZkGU+Kx)7J&XmQa4~Z?I`2VmabYxnW#)``m z)kT`nUvdWKrbo4#KK-0bbbU+eKN-KZJu((zq&TVL3fK6QqU2Q!OhJtrQyLVX;`CxK z=FD6s?HJ)V`1PDG>liL&cG($J#W+nRV_r&DGnYR*r_pIgOOvZa+#9FE{vT$;nLyV3 z3xt3x5-BZX#;n67M~tzROF{p82Yh3}VdqXqA6D#@Z*FdM*cp&^Xt-s|KY$AxkI0d7 zA!0D-+e^6HrnirVu$&x8kNMiiA%mK1QI7bvDgVDrtUm`fzEZ#a1t_pPf9c>1*wsgV z=L)a%I!LdLs9KIpTc_N`=u~&_SU`GB2fP8`rvZuKgqIb|HIxE-kU6GTB|Oy$YuZA5wf~d zPDfFWctSQE7B$0Br_seH+UZB8!$rbH24mns(|k6@&1BUX74qk@mF)jp^-=xe8IgCS zcx+NIGU1AlV*GL|AC>0tS$Gw9w6KcdYsNN#owz%7w*Gvxg=t?}ikFk0#J= zg-U`LC#^zy%;ksH2~UxKsim)NY$3MDktsgMv=sYIa#TOXrw0)s6yuU3GE*Vmf&MjK zT8ttw2q5QZ>pz@yQK~t2b`&8a_V(u&f3(2AMYPM zr<@+sn2`0dJ9zWA8hdsxoCth*UO)YIZZ|sn=|2{qRPU3O&*J@|e1dFtXWjs8UbxtL z^ZCct%YCJ9YL_l7ZBsYTzZFtz_BIZ;);(%Vl!67}k7URQZgiTMV9+c^wg#rM`5|U% zd@}3`4L2d5pwAEo8v#H`#4Eynn>sPp+rFD~GwVN2j! zI=QsHcKCYj)tlDU_d|%1QVcjP1Abpdf{Ze2#zy?wO`jW*l)1ITHkPg9kfR7ZuGSsAwbdS+| zhNo4E>adzmb{OWzzFn!;XmM z>#WLQXD&Y?5*xET#Di~^E-k#TA3RdKeX03o`-CA&^Aq1MozO*oSi1b%#)a#{ zSWgcxrLiU?q-cD){q0ERkM8=(yR)C`FSgC@YVNz|t2~`MT|KvSeevV$^Va^4Lr4)b zxpNbkPb>1s5fu_?$`DHg@`+wMlDkR!XxPFy#?w|I*DEW!c{AgyKf0HyUQRZ5U!47^ z_Woq+V7E+TkPPjeF;t_m2HwTl_G@7#kqp znMrejk1}#3FJvdT0Xb5Pj7Qu;BcCSaNWwaiB6_PbzM2F6cVrM%gkx+o>>PEqtETyl z>q7*{7d)0}J~v4RdV+)5!AslmE*G(^aFk=fUua}0cytP6vjx3* zBT5D-ShD*w(|lUtfs{-rhST!ss4wLAV0+X=B3L2&)$1>w~<`=!|(S~v}Jp=UK@5-byo-MIv^7u5)nuOkNqDb14JYO z5oWwcd6aX`RL)r%Wt}4eOrK+rzQuD$fI=rEilgy(tyf}qq3d?tTet4LUG@7ts9iqV zS>=bJw*(~3&;TcSfc`%+y(LNG6axXx4WR^w}Z4k?17A^4ICfdoOY2=XvXg@^?#MFEx|`jCx6oFPaC;Jj1$ zVpKp#LyCp;I@m1(u5qJkda%>dR zTfS}Hy&-7upS7n~w0{&_gw4kIO++5-{b5xqHvr7h+tS8A%cScEQFZcI81!P^Uvic z^=HSIcNdm!F7Fie$SNW>kA^^&m};hfx14jJ&_9E0ZtC`Q_`i^VdZ32CSOWP;x3=-DJ#5OPD}fYbaufM|;Y-@T_+A%GY22rE+R%7g@h} z1XWIbyl?zN`TK9`4{t0y6v=H)7d5s~c5EowvwE}Eq_9cQWVU%a)5_6e*W68|@^g<- z7ZMX0D_1L{tTDyp!|svKiK7BG|8P;%l$MjUv+>I$u5kmY9|_NkVNF>fI6_Rie*%||zu@Ba?3o_VbP zc=?yrS5Nqnd{68ungEa>NQyx$O_4O(Xk0HU%5UcOu1 z^7Py4lh?J^Z^}=~H*??4-Kam=**8W82mt^ABzurh0URJiQGK!&8O7o>1u0%$-4ASu zUgc0@S%yV4O##@4f{G<+8sRh)lD_Fitziy#IiO%Ig<-PRw1~z z1~5-BEJ;#0&raIVVm@by@G#~Htz_zy{Az&AX&`bT22dnUkUa8 zDKxKp)t}G)Mk0V7h7k=CfTR&v$pu-KpxO1Mf-J+b zE1BR*B1qGS+$cUYmIgF}U?4s;89*#a38`2(KFczgyVB?b=GyiXaI{bM`SvQKNN3*0T3%(RLw!Tsrdg+^yxk zb61-CAI=}H-+6EO;q`Z&$+k}Tcc{toa)~z5!lo|GLouaION!bDI1sG^6hDk4H+&Ok z)0_W6Egx$fd(2j!o+RogPgajVSlUrLe{r*@V=_4&P-l4RZzs#Pq(XeTl_z_prScLE zEid5`3$}cE`O>!{A*Mp4%OfR&wwnaOSZB<+&{*T{2&IWxN7nK$nG`o2Q7EXU9JWr5 zCixK+aK9V3zpnX4V#15-{IbR(>2GTxAyN2eept(lDVVT3;1+(4;(TB$gi?l>*1+Fa zJLCtppwWhp6om-d1AShzdlCgw;BotW$(js}#)TjJ+ru}Lw6jyfeNz2Cq-LNmUkZrT z9nNixwu9=Vvm``$Zxcm~3U~K^royLjm9q$h~` zAcfObjlt}i98Tr>h*B>ssh-gHJ1r4>)>25+p$~ zIMb&T07yh30>EMD8d)4s6a`oFC7NXWai`NHAQ4G%N&)SfQPkXdfeiqpPsI(CPus_0 z7|0+TFoQrE%LtrWk-H0|@qnaT<7p`-&unr=NlW#~5+qA7EP|4zviN%8IcV(P)qHqs z@!a1kPr>}`+~eB&ZT%B5mZB(jMHAgkMg|y)Vo8!jsCOo|GUpJ)nPCz!5)lXoBmoG5 zK@5ZX^6is|1rUeB^6lFSYUMO{Sr^oBnwR!3Kd61!`Bm2^WKya?p!)+FJNNyzHv7=J zw5xIFV2S+r{Hw*S$(*cuZg=zf+v>IFGv9J09<1V(*2G2zr0n0+vqDAdMnB%DU%9bx zw6^!QyRr8`{re6#@t22--?wl|QNQzD<*MLDbIa~uFFd2i7S7JUm_N_|fFV_cR6l!R{?;Eq-r_Bv1EIao-6}tvzxLn8#+mE6`s0(!JLV7mqjr1yczxSR z-ng#=1|Hxfpdmp48UhN^)Or~U36@xKIy7AI$vB`kjFVr+G6Y4EG%?60o|W|lFa!m= zaJfvcSey6qF93M@!^J{S4NUcQ!4%820)So zG(7}iD#hRoLEvb`Q<8}72hENMk|bE1!<*c#fHdwJggLN!eE;0}$ZtQj9H>B~)@8Wq zLp$vE2p-b2+_MSv+vV|cPbRQ%p>g6;_28YkyVd6h7p_;YJot;KUrE}9?i(glKu3<- zf%sOd3KQtWyxby8(r+!S6-)nh(8*y$j`?j7%A3u1?8!#TF=wWeZ3nex!=x@M$0n80 zwLS0>7@o|i$(T#ApEl9=M zp)~iyV!P_2v44WZlR`spfskPW2=tCwcSjNbWZ_*8J9a(jLJ}xsSIRNpShutx*=)vw9qDhn&;V`V&&P$%P_NMbd~VR4dW0cRUC z7pmkF?){#lmE*h?j@9@4WPo>H<(7_{zOHY*vV52NcxR$=rTY5A(z%YK8)%Mg{@zKXTQB1CN^H~LB`Jkw7Bb9w0deoNCf6Y?%tAGs%P}CiARjfwFAN^%&#Y zsFhNN;>NMgFOtbnEFcT5hKRDZcayETw^p#v6{Xc&Qk3|oR#W-TRl7!I(>O*~7x32I zWW?_i{?<3?pVD<&M6(`Yi-4BJZOO2f-^d?HuSRu6nI{!ldrwfBG};ZCvDIb5pYkO9 z9@*+iqt!+ovq+~&A1U2vO>vrJB9WTz(PmYL9;?b6a_PG_Th-`HENvWP_3VGN@c%3+ z&vY*EPXdT4qGNNpTV&)VSs6ub=o_Ly9=7jrHYsT`Y>;#+8ycQ%Y&q2s$d|9WvN zaPb)1XNGJkf_JIKuP`zBlS$;Boc2gaWSmq_C9{UnpG+>VgiutB$js!r(oWb*rd%T0 z+Cj(Vd$2gZRB@*L+Uu;({3}h};Yu{3&jh?eP1<3h_3bMyPxvEMblU2Z6M!7DsAEY< zRdcA}t2sYbC1BGgIX2;QIb2`Tv^JiH2gA}MS+$9Z$}zW#8qI&2dO;=S&~9*5KsoC5 zrw6MEOlBD8jKNwob}J1OCJ2psR53ttU_6j7^eYc!1O3YbhQdhS(!f->5J_6YW1<2< zz$#H17-83478o0_B;bi^eA7b}15yUYEGi#J$}lrUeMUuqv8#%ao)rO?e}G!RG)UV$ z{R#nbi@A3hAZ;#XQvIp`PWvhsQm+yKq50Cuf6EuB13De8W$khd4bB?zf5U}+R$Tzn z0}OIOz$Sq6Gpe62`093vRzcPlb-tYENuj3c9V;M!P9FurZAj|1%Uc(7J~ z99R`vaAxllVGsjZiXssh_J=ZvLk2>ezXN<@Da$&WDgSAC!Uo~iLLOwA6w@zovD2gT z2N!P4pZR#VdUnVB{dDuz_2#zo+VZ~T!_`AKwO>j6win%%(k8}fUnNS&XKBNTn3SX~ zr(;S(-CqrjdE3Vc}MfrrTUSZLy9MYlWtx17u3dJ#3*?W*M~BR zfH7uFb`w6EQ+n+dldY%lwb^sacN^EvEgxOFJrSL$eRy0yeeRd#vytYu$13x}NwRwX z>5wnOmJE{DX$KK8DDpxkkbW$0ZkKN+l8A{x*R1(5i;q8A36a-i*eIAx zkB3E<)j$=s34y9Nl6EdPohXh|(Vj|6mmh4dUwd7Bak>1wcKlpLOqjC9VPr7}P2*y6 z6dtKm?aKEWX8BU%(7D=~JwxhROs3O^4^BTl!X)HaN@W0)UE+S+sgYwN#ezSQp2W4? z##usxp;UHU3~4BwJ2H$`#jPzSbnZXihU-anIFR?HXGSI6Jj4kCF*MvDFTXJaKT|$M z(2d501IE>J^ZJ&w*vwadotf(KJ7@Lg5!=T{q82^KkeHHJ=-k^qL1Wx1CZy3Q=v_3vLS%_b%`57FU_4-}^WF64e(MJ5#*?yAoYNy~;)sj0Zw z=XIp}WA){^#`Z%)h-MoDVg@Z4=0+0}Vcm3ATDKyr$plOe2OmO<=XW$ix`l4$olM2_ zMma{&+6?Z>k;9p`K){W%)Uai2!etUO-F37wvv8z(^&*_R(!Ba%)8z7n`lAQcEr-N} zsNJSnL-&XF_uRmHiQaKfIR!<*VdhqA+oyMJu!x(YV ziS(9?xF;DFOi5K|1U-teV~nQ3=G2vYP(?6HaQ z^eEFikXznT-oEs<*x2&$m(8vFeoIs@y!&`}NWo#u=N=U^Ij!8%LA^LYTTOesuDp;_ z=ab-O((9uqq@Ktb?O)S>k1Xw7JW{)Pqq*zoKZYG`bHqNvie2hz`oKg+#-l=hv(`O4 zO}KKb5D2Vaa9>Ib@u+2(Mocj*Oq4bpt7OgNiTJ6@EjZHY!atx0G(j#0-dG5pnidy7SNJhgXO(TdS-tzdxJVV?+ zl`MG0oYdSw9f$VHt%XNS_3owG_cw+#QzD?yZe!xluPUMy?Cs0Ox;` zd2v**$+Zr;dH+;`3aW)jTrw;dbw~PF1cX(?-r20*;snBEPKJSEXv{xF6x@VMFP0-e zlL{Dw^m4q3Y?~%WsS+hQk!1kVG{A9+<-W^Lo!5%(pa)BOuedB5&nd-;rwn7KHLOmE z&bV?TX-Ii&>V%L}eJ!Hw#ZsDU?mR6PyhnB+;*4AUHlBfLwceJt#v)=5B*PLq(mS10 zM8||kgKY@|CXaXqayWM{l}{`_TiCB}-1xwLygt&{b8%_kFiD0ZsaJX@jB<>OGGcPy z2%OeMC#Gh!^q4`8rM!5?EiB++SPsA>sU+o?%gbN-dS@sjs?n@LMTg_VB{mSGakt=_ zz=Q@%cDi!)D$Sw9XqvWoo71PjTbm+u|G8v`|Dv~Nj=nHzPTsxXKCk=AUV{jKd zqPsp#Ajw1ua*XhgI5t^~E~ zm=67|$`O@#b56MNtoH784|}8noSgfIVQJCfCehfQ?J7hW|WNygc9A2AFYqN0Y*<>jM_{>eIQLu*%;ihaHe- z6dMp%STikL|2UY!Zp&vO3hUJdM;yh3x%xn8!eeR`!~bD_8eT>kd)w%<`^}NjU{E-f z`r$|0+#}PhO04Mk#%S5<9-kHl!fhpQtd0v~LTA9y@k}9*97@RpsV^p^GU}td2oVzk z=YBB)-GuN1Qu}lg&jqYLm%D+XeGsYS%#8jaHa3-%r}($H*v*S48fS0T?;iid$7hXw zJChxg8iIsY1_&0ikRqwRK!F=bdI|`JBp5_6T(=`aIi)BZr&&H|uoxMTVsM6p1j}tD z#P)-LAQ6JB5ZQKE8rs&bJpMB_o`#lUScWA@n*EX*p%KBdB&2)d&H{!dA;3Xz+*tr= z20@yjP!E;JAkNY>;*RLRFsw|`XBrHKRW%ceS@mM4l0o8YxyXp}C+4C3cz6DEsdnI! z;PTQXO>@WN@`Kv;JFeR7jmoK|)5*mHjmuZb`8(AkTWo*oox({WwN`Ik^YW~AAY|6% z1GRI9{&W7t+zsBy4^IR{;uK9Xh#(L_;|yZf2g6E0g28D5X9$8M0H6u{pM?}QBzlgK z@p~sCDc;0s<7V>cUpNo3Sa6Sp;!bHXmM2fuZHfc+sHwlWoc&-6H+;!^X?8iql^2YXAk*uD8Ut!Wo2~|oWD=0|tytKrci02|EjkHj? zV8mJIDbwb^FVD^$ukL(We)nfF%Z+tH8I}?WhBGlkH-S>lteNPVKEx)tf25q_C1+Ta zAaI%xag8pU9QA4@G|-So4$dtv&?&Ww-g!hg6PeKR@blX-W=ZMWpk#sx&&+s|Bf{*m zoyQb~F3qU!!cE2E2w|gaVucqirOAy^xSmJ}IUnsCqQ(C49mZu}we3GLGT06Dq2nW}G3d-p+_sZNwww z#;BT|a0Z0M$u|0fJ8g4zPpQ^7w{?2qjuwu-6_Y~ZpdnSR5q_>1NZB5W$W9NZ=~!+e zB{^s@t3N6F%-u!P>);%kDUI{%YJC}p)E2Y0$fFML$vVX5eAzA?2t86iSxYFPV%5V* zivlTU(GDU-6lVq%xioFlss`z%zsR2aRL~G}7tF&+Z44{Yma&j`8dy{|XdG1VxEFZ} zrAahMXYE?SwAC1yI>_FCP4T^Yppq{XL&S?E$^vb`hMXlUcL3QdgvA38}#N-EdG%ICkX-{11_TK&|e+M_qs zy?ZN<^*?-gTRn2RRDE?$JJg8Lh(Q#|LL4BLVcCr(V9ypQgUK;L&2Y=#Qq?dLu`Ero zEO+_q!LZJ-BufCM3&VOOoKc&`U0g@ogMuT#n$0l_;_pXpTeLDsN(ev@B+W21ElpQ7 z|3O~9xp>+5E6!bMnkot+iXZ^fqxJ&`NHd6qh)?ezW~`O@&|q4rvM!0~rc~7y?l=6jE2V4JDkI zjt^!eAqneHk&HyAT1lg5>^m4+dNQ}QdF9C5sl~kuI~TXG<%64Qr{DFn5*Z+I5>Pn9 z~7sXEs7(?QV;hag+lQOFOzP9uDAFQc`L(RQc*xH+u zOBb4#4(OW)_Wx@6PUHPuXJ^027q469%R9fSp1xDReBAx_#hZ&)g3G7>t8#$XNU8`q z|KacDJ>`RqeK!_vG*0hc*jv5+s($ay;$=a*`qf)RO|&Rf7R|I*jof3|jDD^}j? z4*X_rHje$3x3mtzZrCebsz)cIjR1*@3w`^H2M(oD5D;G!A%A6Rw<)#c`IQ@!mdBMzT0ujTVRS zi4do71_vZXQ!EK^qPI(=ah$>t=Ob7*ek&^&QRxgCuOXr)do^x*rseON7auBB&6jU$ zx3my3{h*{5ZucAxi@qlg8$%=lUz$d+0Ls-}4S3!RyF8Ynl(D`=G zWvOx})!MZWCO>87a2(xd9- zZSv;3!wYxjIyAL>vOb!jAz%ptXITOfG&3~ClnhajMkIkVG{NEwj)vfvA_$yfDaf)E z186|fB#%Xkr4hrxl^KU45>beEQ-&Z#kSwHdmSh={Vg}-va!Kq7p$##$LuIAHnNP|P zb4<0-g0OXvOm*4}!++EPE#Y33ra%&Y_iDo*a-P{nJ255wffbL+o%mebE29?g&zkg8 zAjkj9V9-bc#RCX`44`-jIyuXi28t({q5I|m#ginvaX|5FgD-*R#{3M>+=juLC!iv~l%J!X>s$`hf zjm%?qinD7~hT)E+p0|zF=E!?ycvs>Rd4H&A;{EKKf3$5%wYH?J!^{4kFdiZo|56Bl zJ~^f~x4dRlZOvL!38Nf~YUA<3zf~es$!C)93<9#d+T+H;{jH5hYcY$V(9}BlU078p^bO3f#Z7R~;PluQ_{c;etKBKF~iA#2*L(h~o(10VW9O07;Sr z>-PjnGT>u;>`FdJqF?|8NS5`peuNl`qCB*RLV)s+UVo>^641%9nSwsy>!e;GIi}Q8 z#m?9Af+}mb%CYp?_rl?T0o|I(upBGpf}K;y8vzK|F}C%A0d6e19`ClSWpk@LFS?y< z5@RTIjy07}iEeg3z7&%>D;{%_rAa0th6RveS$tBsk7NzYi3om5PNc+Ix?a8Yp}c*0 zNBJ@qUq05{yIZrlapivb`7qK>8Dimr)M)iT3^r|5&g7J#a8i71pMy&G^l{_i&gHve z6o~FZd2lr8&WoWAWSBjon9)vTB<^U#6F^!_)40~*o9H3p$JfEXDe@h z8*J>pU)%Sz`RF+ee8VBh`uReVPWfkgWA)6xkht9w<3>CsRyPR=H%PWFkHbluTa1Xf zhJiFbqlk$Q(Q@VcpX!B!%`-25_3`G%YhTY@t=+j?y?$nHXY=|VL-pFJrDOFEx0}ab zHr~G+@-+&Oin^j=NY6fK9_msgQqUV*emPcDO_r=ex7QDCW73=x>O+RvbVlLYHUMyk zM@xvGB)Z~AOi}i@LkLr_ktjd`FxeZ8b#&=s{m!9<55H@^yjpqWGmF=X-nw$7#V8AX z^rVH>0Bw+C{#f4O4~rK`42zA*u|zT^g(OwXuq8Pb$W2aIBOU{x6gsb75GPqhX(mrv zMt~4Oi+9SI;-lVl&`Ky0$8iQw>`&n=CcRT*GrjT1#;Y&RnB9#>v-SJ87mn8UZtM0e zDR?1HxOTj{x@(*EYX*J7BB-qzrr5wCuhnmM;YPbdh$ke& zH1;SIMtB2ERn=%XIAg=@LOiOCoP`QJD>bh=W8Qdw?&HnnE7gk^#_N~%C2EIetNSnh zZ}r8)`u#h#*SkIr>p@LoIKV!WaulS}a?EDY>htcf!R3;|in6GEa*Sjqg!8i3oST@T zMb}D!gwZODw0Ltcs~=bU1IQ^k69G%ph@nXe{uC3Da21`Nc&rb`_3ejZypP^0^N&Qb zBDCDrEf$}0PKiT>HE6GF!Y&2a&9ScU9%XEQtX_CtKI@x%+u>$1`B>92C?D+Mqj>atM5AX3q|ww)5UjGy1x5b?d-83ts@yADVLOBA3?B}|LUak9V-%dvT62jk zgg6a(C&GVf9JRc1CMi6E#|tyI&b?iFI7I3h7>yT`;sAZMGbPMTQNlA-J(1hiK!S~F zcT9}K%E?1dRG(k29(jr_z5SZktS|umyYs`P5meu9!V9f<5_Vbii6r(KXJNpdH&tPmB#5ye_fibemJqTuW|kr5`$57 z*SkiXUCA(;l?W=kl)8*F6z+59#064LpmFul{O%!S(6a`wRQc2|?nH*Eib6|VLti)P z;*9t)oMmO}fr=17uBSyLG{%`kTA@wLF|{gY>TZN)L>CLX4fmZAIFp==ec|FimaZ;- zsGfaMeQ>IA;KIkd3t~Es?t`w<^{nrkrk^@0xng%b3|DxH3v4EEXiV$R?6$ z?O4hbQT-@WxJYILy>LVuXNOt%#96-#vq+Hxm}UwVp&wuSY{cY&MVvx(L}KQjRd!Ww z&F}sAsAIwKjWV zX@_~?*^mLY9fVC$sZx{-6HnsRv;+B)YGHlllh9E^Nhww7<6zeBDZi=Sf9+kmxpZ&& zUhUF{>aA;mj}QM=dwA$KL&~o9s>Lbbs#iq*;*2>UTz30qRE)5cD8p!WWiE|5R#39B!^E!IPa%x#LciGy$34AoXE-^dr4JqBoM1FESO-dE>WY~lznvXDUv*$Wft z?VBhEBTODwPRcPi$rx?^$++kfPOp5}<;g>HA}IU`pROi08uZf|{_A`y3*s~bD2n`) z1^)~YO4ELT2LX4|w@)hQvd#fe69+*bQ30VRYIW@uhW($3GsEg8Vy28RBjG@g#P~P? zL*kB*!W3a3+>t@dTvtCM}FYxB~P86p}cH5_HA99r0gbREzaEGgjwVYkDjobBW!i;bO9xUWAs{H~tH=x~?5BN*Cgl;j zz%Pbl8c1XV=~OzB3CLm*Um%eYegbH3W*pZAg0?W%dvpUg9Ut)qY1*Wn{sXHk$sHm7 zeJ*y%()P+F@1LtL@0KtAofv7{+|zh*ss8j~<9de&ZwRbYNV7D};E+45e`H)ufU^t( zaRhrnE0BN$G)aKoFsA^}3<3yIy>Lz$njk4af=;1voj9lB!;~8ib4t)S4p@YLIc3NQ zmck(kNvgXtWPqe-5@#XaTOBe$K!&CX3J^W?Api&-lvAI7!V?&!r^eGZ zv7Z@nDI-*JFgyaYr6hhpXk-JxPKDlhDAa(Zz0Ff^7Pc>)THfNX9layC+c;f|{| z`*!KU!r7&#_1)JiyZMW?6r{ipuXg-n?lIoDeY$b(eSOcJ>V>QIw~yv;FC1!|{Ql$Z z`mwWrpMTOg^H6y5ec_m)eCez5-uZ{i7rYCXRh2uX(A+&iqsoqj^Z(z{o$Bsu&gFf7 zt35qk-*=ohCk6sht=@ShuUecc?Ox%@ zKZ<|aUn$N(h%qhauP9I&lyOm(!D(SNadAh^r zu|FeTEtT}jjIdVP>RlOzl!%h*bI}m(G2vHsF8U?)S@4(BxKgQE7jc3?GhEcDok_bx zN?|pmHEeE&G7u3K>-!}oIcq8_LNb+O5q4v=YzU0xrQuB-k+Bhr4rnr3XGkyn`0$x2 zXoME+XW%H?k^3B7tHS;np(PEZYRxnlCkUIvJ!Uu94B8MeKAh^4Q-uT~g$1W}S~8^8 z?J?F`gh(r)`M?Hg-aXCW1~yx?;mMRw+F(OP9QPMzMzq53QJ<-Pr@?3+E7B$5sBmmx zGEQbfXykJY!5w$e+C-Al`jV-2rLm!DcYb0x8<5)cD#yYGb#fv*6%BSbgU}Le@YioWaniq z8sVBHVSVReedP-0W*7WMhGuDkzMw0Sx^1vUWdGpSb) zf=eTUzgfyT1$$bP3@`{W49%cHVDMxlix3HLfJ>Xx&8NL=g72GZ~<8mSrfK=2hq-r8THB z&RV_}5w&sUXW}XDmlXkAC%N>v>rcZDCB!XW3+VpykMAmnet3I$ta1F%@`dV|Gqtzd z8&_@{{x*NSarAWc$#+~~2P-FzPQ(h(Cyw+igVhk-DnnkUH1>oj1&Q);dE?cCKV=%P z?#&%o=%4_8`Ql>Z!{zG3-L=D4t8XvVULGtzlJOcy)edWSUd^8rTwA)?e0_87CM<8Q z?mSn!aIL$x>O%kLX+t~Bm#DPOZTUR__@`EB#=_QuieWA!r!2clr=2~tWj2&ZsF(l|kr z1l|**vf@gwi?1S;GK2VM zKtljm+>em&qwSzaU}`WIjYE|cNqA^2g$s7Kw0bs7<+US{-noA0NZ&=C#38kc#oEL9 zf>m%@62RWh7ve0A7>Wml-fxiyD??1+h(U;i4C;eO3MhsmSQ2qCPrE^qPDcu(rO{Ha zc5NrLaIGMCimBZ7(*@-T=xT6!HwQnBcYAbXTH0MtmMJ=2^9aA$?QMV)QV>-2Vi4v>{H)l(o zJuQ+|R>(VC(yqT)gqPM?cmv7OXeKu$U3?40j57-Th?U;py&ptKF{Kl3@#6AHnNv9% z!>5-Rvh0#92ou$TiY?aM=#acK`kV(EfibC?FlB_y7Hy2d;Aq~?2+uM1W)-oHayBZ9 zY5;Qw%6IVQ{i~I|%SSoc*pNy8P&sNaBiuaN@}nAELa4}=Bc&-svVfw5+bP%F>7UD& zs)u$hZTl*V|u5hB*ickq)3`%DS!h4ACTZA_+4YcV zH#GE|a*!oxz*4;9oZSKc3B(W-3AzN*k8`WwQ61 zRRjdgN^ZdR2%8b25P@jWr({7v1mKE-hnQ0&&X5Fy(+~nk5+v*$Hp^I?WLLv%j?xDy zS?EUf=0wiGHG4q@UpXE7c>9mld%Np<4*czhcQ?P{_8_h^NS6wdaZybH!*U^y1m|)g zVauc_RnMxz@&$iofB8}4=;`XV>wl`9Ir44&%!|TT<@@o<{rNMM4oKSjYP*Y~PtPSm&Ts&2d0Ja+i6_1E`!+8>(unM4c= z0K@^LNysqt`iM~oh?5i`DTtGRBuR)ivgF{<_V#@;#2^Nc2p{CD0iYQihd3mpeP2wG z8&Rb-gZaNr46{kX13IL(L+TTf;YIWN=Z!=6L(SPIi|^~V@AQu~7(`Jl4cK0v3`mMa zG{a?DlH9*a;fNv_1cz~pBnb(?KpH_rBS2IAO1TgKhNG8m#RLS1%(yqC=+&_8e41yE zExfHheml35uAaIy|DgH$0{+e7jfI`%!@ubKe0>}zxzL!xAPNCE1SI_CN^LOVP>b3} zgIY@E7WCY6o1ThmjpA)))guS0x8GC`-dH$VfBvGnbz9@|x%tXm2U=xJGoj(6sngYeSjI-dWeVl@H6>wD{T6t$ccdGR`{XSkmDN z#dMT^ZQe?7u*67HGQZaI0Q@Ti&5|U741*935e-m3{*~IjC(Wy`Y)dy9Cr^BQZv3Be zXCEuCMoa)2APT1t1<-2RF+2qeNdgFQ#Nvn{;Yy%0I0Xw00RqfQIEAwSAYQ&HTbacx z(KiWb76P0i_;)EBr%4D20w4+^njVCK#UVQ4BFB8ArAT<{lPbjQD=ol(OhCT!$rJ;@ zV8EA^W7WIomk-ubzIAd1d0(n!`lpISX6YB9|D||7x}R zqdj>-A zwQaYb+P3Zf`puKPdHP>SUQ& z5@|@Gco}xxgGR@6N3G{qdR(|tnSJM( zW;)K}1cvJDw*~8Jj*W^#eQh6Gy?C{IdN)QG!!ZTYf6PU@S?Vb|c#8V8$P&iupyVSZ zA8Oet=sh_p1qPBXMTg|w)K12$EN(*dc zO2{w_?ny+Ykh1`Nlcy`a%jR*79xri-vee1FA}8_9y?G|H8;+MTRm~Qgs}f(KRd72QklB93E@fCsdXzW?Fo?z&CmCHTSJ&j>;*j0rPpEih>Z)BcV+)IN9YLli zY;pfatN(tA^!eN~W1{S1w>PwdAWPVC|5e=d+j2FJ|K!(N0tx%3d~adV1NgAaRX7>_ z2rJ=n#G81PV&UqG9pIf8@J@x9vZUu{A6mTjZ~6A<`5MDjYocXIyrIz|5%>PkI=iAS z+%1Bf=r@GMFbeD}=>%BU=rwd8;cpM`S$P)x+*m@51mYmtev7OdW`5i{SePJM&@S37 zE<&#A2goc(8J1>O2y;#)G8maSE-rLg3$7$SoZpoT|JsxNh;|Z<60xP%D{EsdPVa%% ze=1caUO@WcFhC7oB8bYkiwn<+rF(J&)Owya8B*j&e0y$u4juP*ABPjw^?$@wI`$99 z&=kq}P~gIuT7U9Xku2>h^z^*QfRw2pq0l|%wGX=2Mu#)8{MUz%{%nIZ zd&+(`K*+gdc;LW3g{S7WW4(7?{W->>8;@033+!AWo#I{OX^?SR8{trXl60#RG*OAF zAAeTo+}~K)ckv_#0U8LcV^oOP1B`7oeVug0PoG=k*N>0gwF_&XnVLJMu4A`oFOHvr z#2hv;96w51WRe?~9PQQb+oQe6*L}aY;tr2vxccQB-7%7KELqFf;59{pH-Puk-$x@#&+-Lg7)y)B9*qn2$>? zyaHH3;m|)8y`RR9`+$I{N%tJfBbNLqR?19V$KU^U4BF zm9Ed`pO-;)!N>H=h+ffR#0!yW)gIQaR|OUS?xo5dPER(}PD@1=+W$F-aj8xcF%jZm zU|&fYjkK+OI^Ek*nnERmM^zwc1#XFkMn}tPXDcyw634ZFImzq>0<0P5COqiz-*zv* zj{4Ti*gH%#InleedQamMd{Hq_W=9!oBOweqKUI+cSaNt!BG6pYz%s zuXYp1mbC~7`@D*CsAx*()d8p=s}vw9id2M!nT@Y01cspl$1Z&f6dG^|s-H|sxTbqW7XzZPiivthLpo=I5zBr8s@b@P zA{*UEiOB5xC!u08HAms1XNW+eLH}5HykPlo6edh!B{Egxyk5{{pZK7}B@M^ml|l3{ z4VS2>x1s1we`Je5=Vq?T0{->O?!av^g7f1$&!V=SFJIN23OHBFjCQpU%|*!O7<#`U zu1*kfs*612XdHbUN=)wHT0iI;82;ESh)^IIBK&P`e+Om*cP6Pe7Da#io9FJ!Q8D0g zLj2fuF$OQaN2Qy)$mXPC^e6Z?mGwY$M$urIrII^8D9S9MuFlrot-<4E%&T(KI^=oSOsZKX zWR9=*KX){>+N}4_`JlD1AZdy-bq4rymV>|MH-TcjUh1|9=_-AsrdGPT1=(u(>t~h5 z%i+FSF=W9KAf2lu3MXq9`M@D05)RYFpObU*#Taz(JFkbYB$3ONJliPA7=~|cZ0wrn zGBuoYI9#7SU571WXIB(G)j8Ym2!Q_l@#(cEt3v~e%9SKZX6iVD3?+W((2|k@%D^Iu zgS44ay4J)5hnXT=9QjN|6{r-RUhk>+;R0zHRUPE+KC$WDQ*X{xHi>*yCrbv5TsoaB zKc0&}nvLMf3#xHO|Lloqbk^M)%=#x~yt4BpB-Y8gitSU#C2;c}*E?^rl>9j8rib1t z?U|9#QDh_;iKs%D*2K;l-B>$rn!g^F?yN6&&x>^p$1}I?sp7Mdlr?JKRBx#_?M_KK z#+Xh5wM@p3FUP^CmYXFLkSV5r}q3Tm*{0JS++s7`?23-`SaW-xmbUDQ zGraWS;y+U~sEEA^w@HWWNcSKwP0+Qt$Q2o|?t2->$w%&exk>&|WInoD9-GLvl=|Ey=Yl=h5 zt|6N*O{xYh@*36~U8m=wIH@bW#Jd-q1kXjm^=q{7k@MxBTBUB@)ha8G)FA+-`dh=N z)n1m)oyx-Uw7SfTLeG#>tE;bAI9!cWS&;$hbH=qEHL6C>!r=;g2|}=&s+vW`BZQ4j zzOJ0ge_Tu72ZG$|Ho>YS*oplmbElW^ndeS=za8Bc5W8xg!8>718Ir6Ku<(jri z6uD^GmzQ0mZFFkqDOIQ=0lZZv2<>e(nT(zz;mWTha9YdJ!RMHbDOuUS8!W9|BQ*_F z%2cpBHVv>A(>S#3$84epB5ko;D1Ebl(XZ8XN}aO}R5c!Pcv3c>q-%tgy0jiiq6^Kf zP8jD`SuHF3tJJ)!6*3=8LsWa>={rVD=VuZfbSK=FqbosOIX~W3eG<>}t~tHyW{uA2 zIBE#c^)-*v_LimJ_Gr#8wiIofw@|9w$+NJ`s+d?MFg`;br({gqdCPI?>gCI)JRy^t zdov(Cz5OHsmR@Vf&p2U8=rc$`;}v;T+=28|aDAPt>e80S-7p zw}#$Ya@3b%?1l#|hrl9ycKqw}yspMI!dARs%89UwtT4cYt=rJP)~06r?mW~kwuYteg7)x9UwDc+5T<~I-D}Z zlzb?`d1nL#bU|e>AkLv6`xGDoLW@8$!U?Y=sA$BW`w5LeO-Oa+0Bl%MHpI9*$G?(0 z1w~4pC3zp^SQ*$1w#z-4pD*p6mg^kRsT^Q#s`m))>ZDAn1Ui3HV!!{@S2{XbY;U`> zb0MNvl-`xRZVv419iA1BNY`S_+=;onzaWjqk^ZqjFO>*1iFoXb9hHD!W|jO$Gu)2| zi!lCHS}d9H3tS`?U7z4!?(e^aL75+SNRiWmlXzMygjYJOmJANK_gThb38e?ZV@3pf zv4;Xk8S~EpULm}ley)fC#KtM^q&L; z=51xMs1&(OV=ae>_(yC-u@|v}GxfoAtNmKiRjpP`UgD~)P)T_l4>cVrO1+%yyn((v z({al({bdyacZYk=zt3!mjUrN?6pG_JNexA5LV3=e5c5lxtkyd`*`2J~NhR~rtnb*O zez4=2G#<{r{L6$Yk622I`Xk0(v^~Ns=tK6u-|Sh4zNO|f(Hh-Fr_-SA{OwfaY;+&= zGkw3a<;Vin62AXc6TqJdGM0+*()d%JrHV)?vQ7Mp*% zGu1Y(SJ7=1iCcNS60+Fh*W<0O#`QXI{w%GYD!+uUyRxwI6y7t@fuKPn;$I9T3i2bX z3#!3ND0G=OkQoyT?cr#gR`VwlHxiydLGIJtaz2S3I+nL_IAJmdYE##X7G_wHQ4jTM zLjz~xwG?LkIEUUwf8$;DabswFUFm+|-*9|a``PNba1>#HMq|QAbwQKR-(vPCcd=o{ zxPb6{$bdLu&H!avW6gjLYvEA`@ft|?EOun&@|VTtCCtp~t41jnx;Z8jIjsRn^4b~H zmx=K;#?%)2Zp-QJ8k>&I4L=vhFA<;fm^;W#gxc1QMKTti3}DnCKo_PEVT{B=W-tVh zKV?FGI#C?Eq(}p6i22`qO+n`Hi)c#mIaJ{}*i|a%M&P-I?5@;RL{4Z; zkZS`2SlKyJQiWV4c)}lz9AkpoV4*UO92(hp+JM%b2GC`^m0k%E zT=QZ&s1nBlsUT;`{&JJ3{YK3X)Yx!c>;doQ+o*!U$pIQw_+R}FSUS{r+$Y+$G=Cl!-ZP#Y7Ex}H$Dq~FKq$$Zijuz%l_xc zjw6QUoX)S^%O*R^_Zq0&E;EPiJCpT|X5;&h_p|i-#q*Zq?a2>ITdPB;+F}(p<5P*t z(Xh1`j?h@QRC$^Tgz1@{w-=$=5|7K85rrOS&W5@sk0*(UJWGaJ8TOnWG}ia2{@0@z z@utsOtJ+w#n3!ey+*}@IuiJS>;`g-~?PEylhLeV|w}~KLZB0l>wy`)?PzwnbT1lc5 zErR^0C`0I9^FS2lp`;rA>`98I_0Qw5NFj+(yFvEuNUY#k5<9xQ=34?OY7}pG>n&I> zAowt3yT2F5*;_>BsUEC(Gn^5(!bd*O7+CMKL$}7bPHA=KmQ5RcecyDS-FiN-9eShtYJEn z5yu^>m?eDwIljb4%GkG#GErfMP z1(Sd)z&CI}1Z(oE-^oc=8rWu%L#*mn#{92COe=@jsS#`j($Q#jjS;=Bj63!@%VRd~ z1T=~yJ#_QLH`n;q0W!5Sp>D^o0Sirc)S9l?K5jH)T`3|`(Uycw?q4du!FztqeJ9>d zE-dsG6R7oR2xTz2=Fu0vw=tR-p zQtNtjy`BF#wO+cx5LArB(pXEkoLx`f(ABy93;Sac`WyDQGAt>gB)pV3>&Z(rDRU4) zG803vk2##m7Q@52RTd{$WJ7rHW?IIP{-Paj-J}o4U^pUdpI|63svKh+Y3Ls~e9~}Z z)~-Sce-ep#+TRF5as7h0OoF4M?dYOw(4`keISyM^hlydy8B5YGyJj&%+^)e zS>W3$^4pK>F}PJ%T>3uVC7vG!pBH^+ZKW{BKk_n@GwA5CrkNaeliL><`r|;-%BZ~- z_^Yx~601`2sMCyHSYXDqV<3YM|plyHC2-!Nl;Zw$*& zIBf-o#O;S=L)(TuwHBzyKnNu>aC`HN{fQ8P{0ZA<N>W$S47 zRD<3y;eplT52+x4QUrnWeM1KrNr@e%V{!wmIE!z`at@Q$((%5|E`oY!^;L5^ zYG(Tb+RU<1PewM;h*gJIqErzGXy~$@7UaEqH0^6&jonw&Yz z(M$9?boxit5^oCr*o_%EVd9ur6;lt6$|gy^6;1e*w>f#U#S!5rqH^p8C?d)3tjKKAE*IMl*M|&h^UhetTLc z=*xKV-Uf@ZibAb2zqWon?v&cK(CS!{KS0tT?fNWz@bI>7K1dO~JD;rBH*qW|6_@O82*@N(_<{`lNY zPg9OL+P!J%*8W+tc>U}-HMuE`X6I}1yzbgz^w{zFyJNNCLhmqBfAmx9(-vU6-c@4q zSg+o}$~|RT3b1<043eu|x1wR?2Y}OE1beGE3&Xru$jG&SBvW7dmM+^odu4aqz^!dg z`oj0Xdmz6AG4ypT+-qD`4h`7ypFZ z8Bg$e3DEaFZb0yRIOy1Z-vju)zSusj=lY4CvK+2kK1Z{(<@#{<^#u{SA`9TZPTOZ> zRBwMBKMTBO>iax%5cs||$ba2wW1PgTubX>5nVNBqg8W554~y*_T4irP?oQVg6(3t= zze8v*X|^fewX9vf{yCkkpEzr0>s1!pis7t1sT1(MuKIn%ZBgshQgwur9+6Z(YhCrd)B#_4 z6>1Y_Xy#pq9<>pd#i0Sa?IKR=SLo()-EAoxjWuNIGPuEdrY8-R*%lUXvhsXhf0b&yMl8|4!J}6lRgZf<<<4{~aawC6D*4yX8&Oy1CmNl(8bbRc8y$t(a2iu2;@0EG zO&&b4S#eaWJyq58s&+DHRqOikG(B!jhH8BoQW933Nm6pGJK-atlD9%sN#jrB=e_F2 zN!|6UouScn`Aw%c%r%3F;z#^!NU*{D;G+xdL)o{9%~oxgr!rOQLovGpMXhBpDBrN^ zO*GLPv^sdZJGw*9U$>PZtbSYp!XGm)cml{;!dDLp7tFk((~|P<-QC*5QE)HuI#(hG z|BRyQel2=3arjA6IXq)rCOU1LBzN>$Eu2P+k&IZa>-7L^5Fo1!TFl(E@S-|CccGrS zee5`KcWX?%YL@Zg>AYrfG@i9kCYChp6$nG%ISBR(t8Spj~<4P zH-tP2JHp+&X8DHa$e#t-H|@#g5R?YyZA{RKQ9A7GoEc=`iE*8hz^h%)CSZ8ANe5y8 zuF))rc3+h&WNdDM68Nopr<52p6DuBaW^J9lrnY?7t|_EAkC_w5QZi#phl^ZoBw^uW znzff16Ty=;P1Z7?&SWd(6K-W_b?U2_=sg*(Rt-*Kn{~-9bXz*f%#|11r}q!5Hax1) zkU2<$lU@1u29v2v$J%fVzIqyr`s4r!BR1An5GdHu>o-^qL0{lk@B@rE{r|wT8~i>W z$w3Qr-Ss0T1JL`AV`3dcZ}gyh?J5DXMd8mevluy(%q4L&U41nbyyKYbygM9xet77GGNta-;hjd`_4%U6t zwy?y*V2WYQZjEN?nJ&B;d{%P1|MO$xxijxC4N4E!`e1^|pbndg|KxztQuS50jUC0k z@(*{z;W8ye`>AZbnP+OL&IC^E@~L;YI>sti>yzL0vSzUnlJ7Qv`9BUi?){LxdBXsu zWS}2D*8c{5WF1b^a3z3u9z3JDfJ%Y0AndVwEr3cHeta4t8CA5Lz)j7J4-fenV@!Q< z%@CN##C?qHMi%YUA==xBVo!!+H&6QqLQZ`Za_AW(ESl(WdR>5)fpsA5KbfOaE5U1c zvVE8TWw@5E<1}%T%(!}j+RgS=%K@5gtp2#Xlhg{FxYcdCYEAb#^0}=%W(>q^4(7Dx zBm75#kqx}V?SBqb1KJ9|^M?KIt&Xb$$?L-xinVjA+)XU7!;5gl+x@ zAPF6)V5&W7~ay)G3ehJYM#Y5X)Gw2CUP{hVnYXc1fmLqS*21$gm)6#t?BQIyf=wfmoe zRKWZXETb;cvBq3vact#4Tk;N%Gpu9>mwiFx$O#*F>C9k>i2{~p5t>8gcok)9D{=DE z2}s@BMQs!Z(x*RxN)_LVcIgW&_UAg*2Z^K_vBY*JXh9$-+42@rH^RDPCRPVCzQeewOis`6m|m33GBpdB7Lsf}(0^vM!g<6Y>e=j{vZ}cCSt9UNi2e z1ckAs1#qWs>~Dx2I{y}+Ef9B@oy#90pe;S6o90bxe!q_=y_4NWPJcV#ZtxfM9ql4s zK_u~Iw0RRNc{OOkcA!&`BA7UO!S-dCdA`R)=$&>e_IaRXa2*VL-Ch^q<)7Dm`nuoV zsRXdc$qt=c=&+UbmP_LJlV*vnSrP1O4RxA+i(dCVad)R;&2p$ej4Q! zDyp5MjG9G?NhDzhvy6s7sKXv?h(`M7;q^N($k`HERGC+5*8U7^B=h86M4NMOwM-b- zFF&PX&nfG|M`Smtaz79ClPY`uYji{}TE5$PEo84T*FQH1#UY4gWNtFn$buTXKWs(p zXCsJona`%@b@?o_yKzAfpqFzh0oa})rJztk@s1a zmoUd!PLgp(7{-$ON6{(!EAtYc*FEk<`8(4Xj=wiPGAOtzkCwm0(CwBsYI>aX(X#zM z&~<8dU0`iL5fy099GG8teTlBn`rlxDSF-CFF^i%?56G!qe1sUU7V!W1>P z>b}Txsy9M)(d?zc?{ z1osWy(+!Cnv+J9m%TN{{ad{MfHHD`(8h?3-k~5LchsGgFI|yA8-f;pot-I2Z6vIPu zFAMoQ;Y&h@+0YZi0eKobg2h&4Jn`u=Z9(#Aa>X7SgssFkYbUR-LxX7m*1HG-Mx26k z@96JQewU?YifRFeF8&E2ifGxsD3))t%{m6@&_@G@AtS?E;iNQ>Q@46nu)%=kY<+9 z-?|*qf>C(0ZQl0@qi!(9Jh|OAjLf3Ila%kx1|9vnUH8w+V$6gu7Ok3aroHiV8x^wg zEY2rC>6$GxYd7r&psXTJvo53%0YgVF#rQcvsu|SUn0P-moG7Wk9z*%7fnJuupq#D-L}i z*l8>QsT$97<(qeqz0p~GLGf4gT6EU}EXE;~tV$EI5&Z(yioMv&E>EL6`*m;)%O(Zz zs1I*H61+~9a;do_TPghX7jz8q_Jn!_o&N+4Hl>zQbuC>9AWy={q?$xly27K>m<0)L zz+P*uM#pJ2#aK(~$xK$9JwCxQs@ORGPUYH`GcyEuGkh2<@;G+Sc*9Gr7alna&ZvuiLJ;dnl+u zRUi2US`treN85;inW3*v2xK>G@z1HH7xT@rK7!?tcxQm_N*1AVBLZfy;PmngPk$I3H68VbLIL zbKwqnmg2le;mrgbhNXpMo8ul2GRcn_?=-1|Hdk%qy#+vJi#^|l%TkV4Bu;-d*iqh-4_G}P3Nr&IKZ&?stmzdByJCXv^RyLXBt72P( zv1p);Yg|F~wIG&HFcg-5#!lxEX)R|{)`=uld4GfVBzGEHqBN!lX>raIMtr%;Lp|Ft zrc#95IaV5KN+LQcR!C-QRfQ@gmXIi8s5$bGYxq(m`N|v~P8;+A;00winv*2&w`Exu}86WAPlSaU*-cEg0E76?gW_6Ei5W z>U&gUo=f}|lh`V=j}}Sl8P7O}qh9*_fpqd=25+g{rN7CUBc6RPf0*B}rd&H0>#BPC1@$LQVX8?UK{$%V9W-}5 zxgS=sq!e|RUlwCx)>pBn7C9b1#USbR_2!yMy;qAXjIqy*YDTYufypD`c7_#H?9xdM zapEQS-K|KK4X#Do2n3dqI#xzSXHIgZM{f+sN`CHD+=?oJh6j=nnG>Ii+R!*!=a9hZ zHrEP^n!NXY56iPObtytb;J9kFI)3XYjp<8BP2#7uN-4vW(rOIHeNc7~A5p*G>=Ar^ z+0~>^kP=@QHWu0nYT+jux?2dDb@8F)>wJ=nJ0@|F2d^gC27rjnI5EbdSsZ*mC3Z6$ zCp~h;T`fZH$XkJ}(4H%#Lk0?n8ZsdMOR5)p8n|d{k2mVm89r&u35)r12qPDyBDv>g z8lz`6&ZY_{RR=4Ah1~A3qolL9koWMTwst0)@;3YQ2ov)7IFN4FPcvn4uKU}9-HUF= zuPZzZu_zSA?<_x+izo$%)KqO{NiCx}6T&EgpNCiayD#)tdsFPyB|-jr%TvrxExIv7 zFqatY32^nQr7=CISQVd(;Zk>sfzz1DiPhs9vf(mBrTRZah5&_sG8HrOcjIMh3+Ba1 z$lZSp%s;_Z^itG>s9q~Qp}F6sX^NdWOpT~eqEeNb`3jRYq<-z|>dV0IlMRDk2~h0^ zf-&iZjw1rrFAa^E=4_Rs)q24rj5_^kooMxkMJ0@-u!h;G$&zenO_He2*djK0WSwmMHGe~j;3$wY?qHBNS{N9Kjl9`k3efP9Wz)DJ5gYV;Z zV96BNN(`sv!zWNl77r$^puc4^mWhch^i(50h*iXrP+&xW_2o2!gRzaEL$^fI(aOSk zQ|W$Rhcd_DF6+{gw*Qtef0G__#*wzL)A0+HP1Qb<3U^tI9A!SgV=qrLrm$8bT9x}J znPgI0&Oo-|@HjNcQ=`Xx^?;-z*1fJV-i<;M{#nByY$C$T75W#-!w^eq(O9)7H(FiV zUSQykgeOJnFff`#5DE|T%-jwuJTm~?$; zZ^&sdj7Cgtf}~tYO}~3_akf*cG8Org9actQuF}k@%SCl57uqbINU><85@dK}J^5h@fPqZ@6RSSir zzOpV58-~g*WV@MJzsiK2dcBBl-W24$!Mik*!HBG(Bu+N792B!g$m5-1lm4JCul-@aw%PbHCNvy;D%_xB=aC=i;*J#j&D;;Z%5pp$OtCtlam9;jnoP zxiQ9KK2PgNMgytV8)ljP=JV0YrBTx5^3$D#$-Am&dkGrlJo3LrlxA3GW+^PNAi9ew zg(-CEZ)j&)lbBK^Xl!yK;}}IRqiAK$5>@gIex()#hmC#yJrt1{s$N;FRwbh@sQ^00 z15g{wh=$zKr2v@F;K=#O@t9Ph(hCw(7@6U)VJOp0qs2pyYDC6q)l%&~q#7rMLSAdi zL?)Af9MDWl3}Wa^%v1aqI_-ZiE^G)Pj<=yz4OL7>Uqc+qHcA1^_ zsA)BgO-~$0-e4Ia+lFJ?qk>eTLEt9zvtS6vkV|U<52t%y)4Q0p*cAm%M;Z2?{vzp1 zU9qXYc9L%YVxup7{VPVd|B8L)Mc-`~(vHsJ8xpG|^UAj9BzkszM~yCXgZ9$oNQjdP zz#V8#u&Xa1P#QXBl)o>yriMu=MBa8;=1.18-0' + catalog.cattle.io/release-name: cf-runtime +apiVersion: v2 +dependencies: +- name: cf-common + repository: oci://quay.io/codefresh/charts + version: 0.16.0 +description: A Helm chart for Codefresh Runner +home: https://codefresh.io/ +icon: file://assets/icons/cf-runtime.png +keywords: +- codefresh +- runner +kubeVersion: '>=1.18-0' +maintainers: +- name: codefresh + url: https://codefresh-io.github.io/ +name: cf-runtime +sources: +- https://github.com/codefresh-io/venona +version: 6.4.3 diff --git a/charts/codefresh/cf-runtime/6.4.3/README.md b/charts/codefresh/cf-runtime/6.4.3/README.md new file mode 100644 index 0000000000..293aa43fa4 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/README.md @@ -0,0 +1,1230 @@ +## Codefresh Runner + +![Version: 6.4.3](https://img.shields.io/badge/Version-6.4.3-informational?style=flat-square) + +Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes. + +## Table of Content + +- [Prerequisites](#prerequisites) +- [Get Chart Info](#get-chart-info) +- [Install Chart](#install-chart) +- [Chart Configuration](#chart-configuration) +- [Upgrade Chart](#upgrade-chart) + - [To 2.x](#to-2-x) + - [To 3.x](#to-3-x) + - [To 4.x](#to-4-x) + - [To 5.x](#to-5-x) + - [To 6.x](#to-6-x) +- [Architecture](#architecture) +- [Configuration](#configuration) + - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration) + - [Azure Disks backend volume configuration in AKS](#azure-disks-backend-volume-configuration) + - [GCE Disks backend volume configuration in GKE](#gce-disks-backend-volume-configuration-in-gke) + - [Custom volume mounts](#custom-volume-mounts) + - [Custom global environment variables](#custom-global-environment-variables) + - [Volume reuse policy](#volume-reuse-policy) + - [Volume cleaners](#volume-cleaners) + - [Rootless DinD](#rootless-dind) + - [ARM](#arm) + - [Openshift](#openshift) + - [On-premise](#on-premise) + +## Prerequisites + +- Kubernetes **1.19+** +- Helm **3.8.0+** + +⚠️⚠️⚠️ +> Since version 6.2.x chart is pushed **only** to OCI registry at `oci://quay.io/codefresh/cf-runtime` + +> Versions prior to 6.2.x are still available in ChartMuseum at `http://chartmuseum.codefresh.io/cf-runtime` + +## Get Chart Info + +```console +helm show all oci://quay.io/codefresh/cf-runtime +``` +See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) + +## Install Chart + +**Important:** only helm3 is supported + +- Specify the following mandatory values + +`values.yaml` +```yaml +# -- Global parameters +# @default -- See below +global: + # -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!) + # Ref: https://g.codefresh.io/user/settings (see API Keys) + # Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write) + codefreshToken: "" + # -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!) + codefreshTokenSecretKeyRef: {} + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Account ID (required!) + # Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information + accountId: "" + + # -- K8s context name (required!) + context: "" + # E.g. + # context: prod-ue1-runtime-1 + + # -- Agent Name (optional!) + # If omitted, the following format will be used '{{ .Values.global.context }}_{{ .Release.Namespace }}' + agentName: "" + # E.g. + # agentName: prod-ue1-runtime-1 + + # -- Runtime name (optional!) + # If omitted, the following format will be used '{{ .Values.global.context }}/{{ .Release.Namespace }}' + runtimeName: "" + # E.g. + # runtimeName: prod-ue1-runtime-1/namespace +``` + +- Install chart + +```console +helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace codefresh +``` + +## Chart Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). + +## Upgrade Chart + +### To 2.x + +This major release renames and deprecated several values in the chart. Most of the workload templates have been refactored. + +Affected values: +- `dockerRegistry` is deprecated. Replaced with `global.imageRegistry` +- `re` is renamed to `runtime` +- `storage.localVolumeMonitor` is replaced with `volumeProvisioner.dind-lv-monitor` +- `volumeProvisioner.volume-cleanup` is replaced with `volumeProvisioner.dind-volume-cleanup` +- `image` values structure has been updated. Split to `image.registry` `image.repository` `image.tag` +- pod's `annotations` is renamed to `podAnnotations` + +### To 3.x + +⚠️⚠️⚠️ +### READ this before the upgrade! + +This major release adds [runtime-environment](https://codefresh.io/docs/docs/installation/codefresh-runner/#runtime-environment-specification) spec into chart templates. +That means it is possible to set parametes for `dind` and `engine` pods via [values.yaml](./values.yaml). + +**If you had any overrides (i.e. tolerations/nodeSelector/environment variables/etc) added in runtime spec via [codefresh CLI](https://codefresh-io.github.io/cli/) (for example, you did use [get](https://codefresh-io.github.io/cli/runtime-environments/get-runtime-environments/) and [patch](https://codefresh-io.github.io/cli/runtime-environments/apply-runtime-environments/) commands to modify the runtime-environment), you MUST add these into chart's [values.yaml](./values.yaml) for `.Values.runtime.dind` or(and) .`Values.runtime.engine`** + +**For backward compatibility, you can disable updating runtime-environment spec via** `.Values.runtime.patch.enabled=false` + +Affected values: +- added **mandatory** `global.codefreshToken`/`global.codefreshTokenSecretKeyRef` **You must specify it before the upgrade!** +- `runtime.engine` is added +- `runtime.dind` is added +- `global.existingAgentToken` is replaced with `global.agentTokenSecretKeyRef` +- `global.existingDindCertsSecret` is replaced with `global.dindCertsSecretRef` + +### To 4.x + +This major release adds **agentless inCluster** runtime mode (relevant only for [Codefresh On-Premises](#on-premise) users) + +Affected values: +- `runtime.agent` / `runtime.inCluster` / `runtime.accounts` / `runtime.description` are added + +### To 5.x + +This major release converts `.runtime.dind.pvcs` from **list** to **dict** + +> 4.x chart's values example: +```yaml +runtime: + dind: + pvcs: + - name: dind + storageClassName: my-storage-class-name + volumeSize: 32Gi + reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName' + reuseVolumeSortOrder: pipeline_id +``` + +> 5.x chart's values example: +```yaml +runtime: + dind: + pvcs: + dind: + name: dind + storageClassName: my-storage-class-name + volumeSize: 32Gi + reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName' + reuseVolumeSortOrder: pipeline_id +``` + +Affected values: +- `.runtime.dind.pvcs` converted from **list** to **dict** + +### To 6.x + +⚠️⚠️⚠️ +### READ this before the upgrade! + +This major release deprecates previously required `codefresh runner init --generate-helm-values-file`. + +Affected values: +- **Replaced** `.monitor.clusterId` with `.global.context` as **mandatory** value! +- **Deprecated** `.global.agentToken` / `.global.agentTokenSecretKeyRef` +- **Removed** `.global.agentId` +- **Removed** `.global.keys` / `.global.dindCertsSecretRef` +- **Removed** `.global.existingAgentToken` / `existingDindCertsSecret` +- **Removed** `.monitor.clusterId` / `.monitor.token` / `.monitor.existingMonitorToken` + +#### Migrate the Helm chart from version 5.x to 6.x + +Given this is the legacy `generated_values.yaml` values: + +> legacy `generated_values.yaml` +```yaml +{ + "appProxy": { + "enabled": false, + }, + "monitor": { + "enabled": false, + "clusterId": "my-cluster-name", + "token": "1234567890" + }, + "global": { + "namespace": "namespace", + "codefreshHost": "https://g.codefresh.io", + "agentToken": "0987654321", + "agentId": "agent-id-here", + "agentName": "my-cluster-name_my-namespace", + "accountId": "my-account-id", + "runtimeName": "my-cluster-name/my-namespace", + "codefreshToken": "1234567890", + "keys": { + "key": "-----BEGIN RSA PRIVATE KEY-----...", + "csr": "-----BEGIN CERTIFICATE REQUEST-----...", + "ca": "-----BEGIN CERTIFICATE-----...", + "serverCert": "-----BEGIN CERTIFICATE-----..." + } + } +} +``` + +Update `values.yaml` for new chart version: + +> For existing installation for backward compatibility `.Values.global.agentToken/agentTokenSecretKeyRef` **must be provided!** For installation from scratch this value is no longer required. + +> updated `values.yaml` +```yaml +global: + codefreshToken: "1234567890" + accountId: "my-account-id" + context: "my-cluster-name" + agentToken: "0987654321" # MANDATORY when migrating from < 6.x chart version ! + agentName: "my-cluster-name_my-namespace" # optional + runtimeName: "my-cluster-name/my-namespace" # optional +``` + +> **Note!** Though it's still possible to update runtime-environment via [get](https://codefresh-io.github.io/cli/runtime-environments/get-runtime-environments/) and [patch](https://codefresh-io.github.io/cli/runtime-environments/apply-runtime-environments/) commands, it's recommended to enable sidecar container to pull runtime spec from Codefresh API to detect any drift in configuration. + +```yaml +runner: + # -- Sidecar container + # Reconciles runtime spec from Codefresh API for drift detection + sidecar: + enabled: true +``` + +## Architecture + +[Codefresh Runner architecture](https://codefresh.io/docs/docs/installation/codefresh-runner/#codefresh-runner-architecture) + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). + +### EBS backend volume configuration + +`dind-volume-provisioner` should have permissions to create/attach/detach/delete/get EBS volumes + +Minimal IAM policy for `dind-volume-provisioner` + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:AttachVolume", + "ec2:CreateSnapshot", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:DeleteSnapshot", + "ec2:DeleteTags", + "ec2:DeleteVolume", + "ec2:DescribeInstances", + "ec2:DescribeSnapshots", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DetachVolume" + ], + "Resource": "*" + } + ] +} +``` + +There are three options: + +1. Run `dind-volume-provisioner` pod on the node/node-group with IAM role + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: ebs-csi + + ebs: + availabilityZone: "us-east-1a" + +volumeProvisioner: + # -- Set node selector + nodeSelector: {} + # -- Set tolerations + tolerations: [] +``` + +2. Pass static credentials in `.Values.storage.ebs.accessKeyId/accessKeyIdSecretKeyRef` and `.Values.storage.ebs.secretAccessKey/secretAccessKeySecretKeyRef` + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: ebs-csi + + ebs: + availabilityZone: "us-east-1a" + + # -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional) + accessKeyId: "" + # -- Existing secret containing AWS_ACCESS_KEY_ID. + accessKeyIdSecretKeyRef: {} + # E.g. + # accessKeyIdSecretKeyRef: + # name: + # key: + + # -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional) + secretAccessKey: "" + # -- Existing secret containing AWS_SECRET_ACCESS_KEY + secretAccessKeySecretKeyRef: {} + # E.g. + # secretAccessKeySecretKeyRef: + # name: + # key: +``` + +3. Assign IAM role to `dind-volume-provisioner` service account + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: ebs-csi + + ebs: + availabilityZone: "us-east-1a" + +volumeProvisioner: + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Additional service account annotations + annotations: + eks.amazonaws.com/role-arn: "arn:aws:iam:::role/" +``` + +### Custom volume mounts + +You can add your own volumes and volume mounts in the runtime environment, so that all pipeline steps will have access to the same set of external files. + +```yaml +runtime: + dind: + userVolumes: + regctl-docker-registry: + name: regctl-docker-registry + secret: + items: + - key: .dockerconfigjson + path: config.json + secretName: regctl-docker-registry + optional: true + userVolumeMounts: + regctl-docker-registry: + name: regctl-docker-registry + mountPath: /home/appuser/.docker/ + readOnly: true + +``` + +### Azure Disks backend volume configuration + +`dind-volume-provisioner` should have permissions to create/delete/get Azure Disks + +Role definition for `dind-volume-provisioner` + +`dind-volume-provisioner-role.json` +```json +{ + "Name": "CodefreshDindVolumeProvisioner", + "Description": "Perform create/delete/get disks", + "IsCustom": true, + "Actions": [ + "Microsoft.Compute/disks/read", + "Microsoft.Compute/disks/write", + "Microsoft.Compute/disks/delete" + + ], + "AssignableScopes": ["/subscriptions/"] +} +``` + +When creating an AKS cluster in Azure there is the option to use a [managed identity](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity) that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the dind-volume-provisioner. + +```console +export ROLE_DEFINITIN_FILE=dind-volume-provisioner-role.json +export SUBSCRIPTION_ID=$(az account show --query "id" | xargs echo ) +export RESOURCE_GROUP= +export AKS_NAME= +export LOCATION=$(az aks show -g $RESOURCE_GROUP -n $AKS_NAME --query location | xargs echo) +export NODES_RESOURCE_GROUP=MC_${RESOURCE_GROUP}_${AKS_NAME}_${LOCATION} +export NODE_SERVICE_PRINCIPAL=$(az aks show -g $RESOURCE_GROUP -n $AKS_NAME --query identityProfile.kubeletidentity.objectId | xargs echo) + +az role definition create --role-definition @${ROLE_DEFINITIN_FILE} +az role assignment create --assignee $NODE_SERVICE_PRINCIPAL --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$NODES_RESOURCE_GROUP --role CodefreshDindVolumeProvisioner +``` + +Deploy Helm chart with the following values: + +`values.yaml` +```yaml +volumeProvisioner: + podSecurityContext: + enabled: true + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + +storage: + backend: azuredisk + azuredisk: + availabilityZone: northeurope-1 # replace with your zone + resourceGroup: my-resource-group-name + + mountAzureJson: true + +runtime: + dind: + nodeSelector: + topology.kubernetes.io/zone: northeurope-1 +``` + +### GCE Disks backend volume configuration in GKE + +`dind-volume-provisioner` should have `ComputeEngine.StorageAdmin` permissions + +There are three options: + +1. Run `dind-volume-provisioner` pod on the node/node-group with IAM Service Account + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: gcedisk + + gcedisk: + # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`) + volumeType: "pd-standard" + # -- Set GCP volume availability zone + availabilityZone: "us-central1-c" + +volumeProvisioner: + # -- Set node selector + nodeSelector: {} + # -- Set tolerations + tolerations: [] + +# -- Set runtime parameters +runtime: + # -- Parameters for DinD (docker-in-docker) pod + dind: + # -- Set node selector. + nodeSelector: + topology.kubernetes.io/zone: us-central1-c +``` + +2. Pass static credentials in `.Values.storage.gcedisk.serviceAccountJson` (inline) or `.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef` (from your own secret) + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: gcedisk + + gcedisk: + # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`) + volumeType: "`pd-standard" + # -- Set GCP volume availability zone + availabilityZone: "us-central1-c" + # -- Set Google SA JSON key for volume-provisioner (optional) + serviceAccountJson: | + { + "type": "service_account", + "project_id": "...", + "private_key_id": "...", + "private_key": "...", + "client_email": "...", + "client_id": "...", + "auth_uri": "...", + "token_uri": "...", + "auth_provider_x509_cert_url": "...", + "client_x509_cert_url": "..." + } + # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional) + serviceAccountJsonSecretKeyRef: {} + # E.g.: + # serviceAccountJsonSecretKeyRef: + # name: gce-service-account + # key: service-account.json + +# -- Set runtime parameters +runtime: + # -- Parameters for DinD (docker-in-docker) pod + dind: + # -- Set node selector. + nodeSelector: + topology.kubernetes.io/zone: us-central1-c +``` + +3. Assign IAM role to `dind-volume-provisioner` service account + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: gcedisk + + gcedisk: + # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`) + volumeType: "`pd-standard" + # -- Set GCP volume availability zone + availabilityZone: "us-central1-c" + +volumeProvisioner: + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Additional service account annotations + annotations: + iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com + +# -- Set runtime parameters +runtime: + # -- Parameters for DinD (docker-in-docker) pod + dind: + # -- Set node selector. + nodeSelector: + topology.kubernetes.io/zone: us-central1-c +``` + +### Custom global environment variables + +You can add your own environment variables to the runtime environment. All pipeline steps have access to the global variables. + +```yaml +runtime: + engine: + userEnvVars: + - name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + name: github-token + key: token +``` + +### Volume reuse policy + +Volume reuse behavior depends on the configuration for `reuseVolumeSelector` in the runtime environment spec. + +```yaml +runtime: + dind: + pvcs: + - name: dind + ... + reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName' + reuseVolumeSortOrder: pipeline_id +``` + +The following options are available: +- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName'` - PV can be used by ANY pipeline in the specified account (default). +Benefit: Fewer PVs, resulting in lower costs. Since any PV can be used by any pipeline, the cluster needs to maintain/reserve fewer PVs in its PV pool for Codefresh. +Downside: Since the PV can be used by any pipeline, the PVs could have assets and info from different pipelines, reducing the probability of cache. + +- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,project_id'` - PV can be used by ALL pipelines in your account, assigned to the same project. + +- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id'` - PV can be used only by a single pipeline. +Benefit: More probability of cache without “spam” from other pipelines. +Downside: More PVs to maintain and therefore higher costs. + +- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id,io.codefresh.branch_name'` - PV can be used only by single pipeline AND single branch. + +- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id,trigger'` - PV can be used only by single pipeline AND single trigger. + +### Volume cleaners + +Codefresh pipelines require disk space for: + * [Pipeline Shared Volume](https://codefresh.io/docs/docs/pipelines/introduction-to-codefresh-pipelines/#sharing-the-workspace-between-build-steps) (`/codefresh/volume`, implemented as [docker volume](https://docs.docker.com/storage/volumes/)) + * Docker containers, both running and stopped + * Docker images and cached layers + +Codefresh offers two options to manage disk space and prevent out-of-space errors: +* Use runtime cleaners on Docker images and volumes +* [Set the minimum disk space per pipeline build volume](https://codefresh.io/docs/docs/pipelines/pipelines/#set-minimum-disk-space-for-a-pipeline-build) + +To improve performance by using Docker cache, Codefresh `volume-provisioner` can provision previously used disks with Docker images and pipeline volumes from previously run builds. + +### Types of runtime volume cleaners + +Docker images and volumes must be cleaned on a regular basis. + +* [IN-DIND cleaner](https://github.com/codefresh-io/dind/tree/master/cleaner): Deletes extra Docker containers, volumes, and images in **DIND pod**. +* [External volume cleaner](https://github.com/codefresh-io/dind-volume-cleanup): Deletes unused **external** PVs (EBS, GCE/Azure disks). +* [Local volume cleaner](https://github.com/codefresh-io/dind-volume-utils/blob/master/local-volumes/lv-cleaner.sh): Deletes **local** volumes if node disk space is close to the threshold. + +### IN-DIND cleaner + +**Purpose:** Removes unneeded *docker containers, images, volumes* inside Kubernetes volume mounted on the DIND pod + +**How it runs:** Inside each DIND pod as script + +**Triggered by:** SIGTERM and also during the run when disk usage > 90% (configurable) + +**Configured by:** Environment Variables which can be set in Runtime Environment spec + +**Configuration/Logic:** [README.md](https://github.com/codefresh-io/dind/tree/master/cleaner#readme) + +Override `.Values.runtime.dind.env` if necessary (the following are **defaults**): + +```yaml +runtime: + dind: + env: + CLEAN_PERIOD_SECONDS: '21600' # launch clean if last clean was more than CLEAN_PERIOD_SECONDS seconds ago + CLEAN_PERIOD_BUILDS: '5' # launch clean if last clean was more CLEAN_PERIOD_BUILDS builds since last build + IMAGE_RETAIN_PERIOD: '14400' # do not delete docker images if they have events since current_timestamp - IMAGE_RETAIN_PERIOD + VOLUMES_RETAIN_PERIOD: '14400' # do not delete docker volumes if they have events since current_timestamp - VOLUMES_RETAIN_PERIOD + DISK_USAGE_THRESHOLD: '0.8' # launch clean based on current disk usage DISK_USAGE_THRESHOLD + INODES_USAGE_THRESHOLD: '0.8' # launch clean based on current inodes usage INODES_USAGE_THRESHOLD +``` + +### External volumes cleaner + +**Purpose:** Removes unused *kubernetes volumes and related backend volumes* + +**How it runs:** Runs as `dind-volume-cleanup` CronJob. Installed in case the Runner uses non-local volumes `.Values.storage.backend != local` + +**Triggered by:** CronJob every 10min (configurable) + +**Configuration:** + +Set `codefresh.io/volume-retention` for dinds' PVCs: + +```yaml +runtime: + dind: + pvcs: + dind: + ... + annotations: + codefresh.io/volume-retention: 7d +``` + +Or override environment variables for `dind-volume-cleanup` cronjob: + +```yaml +volumeProvisioner: + dind-volume-cleanup: + env: + RETENTION_DAYS: 7 # clean volumes that were last used more than `RETENTION_DAYS` (default is 4) ago +``` + +### Local volumes cleaner + +**Purpose:** Deletes local volumes when node disk space is close to the threshold + +**How it runs:** Runs as `dind-lv-monitor` DaemonSet. Installed in case the Runner uses local volumes `.Values.storage.backend == local` + +**Triggered by:** Disk space usage or inode usage that exceeds thresholds (configurable) + +**Configuration:** + +Override environment variables for `dind-lv-monitor` daemonset: + +```yaml +volumeProvisioner: + dind-lv-monitor: + env: + KB_USAGE_THRESHOLD: 60 # default 80 (percentage) + INODE_USAGE_THRESHOLD: 60 # default 80 +``` + +### Rootless DinD + +DinD pod runs a `priviliged` container with **rootfull** docker. +To run the docker daemon as non-root user (**rootless** mode), change dind image tag: + +`values.yaml` +```yaml +runtime: + dind: + image: + tag: rootless +``` + +### ARM + +With the Codefresh Runner, you can run native ARM64v8 builds. + +> **Note!** +> You cannot run both amd64 and arm64 images within the same pipeline. As one pipeline can map only to one runtime, you can run either amd64 or arm64 within the same pipeline. + +Provide `nodeSelector` and(or) `tolerations` for dind pods: + +`values.yaml` +```yaml +runtime: + dind: + nodeSelector: + arch: arm64 + tolerations: + - key: arch + operator: Equal + value: arm64 + effect: NoSchedule +``` + +### Openshift + +To install Codefresh Runner on OpenShift use the following `values.yaml` example + +```yaml +runner: + podSecurityContext: + enabled: false + +volumeProvisioner: + podSecurityContext: + enabled: false + env: + PRIVILEGED_CONTAINER: true + dind-lv-monitor: + containerSecurityContext: + enabled: true + privileged: true + volumePermissions: + enabled: true + securityContext: + privileged: true + runAsUser: auto +``` + +Grant `privileged` SCC to `cf-runtime-runner` and `cf-runtime-volume-provisioner` service accounts. + +```console +oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-runner + +oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-volume-provisioner +``` + +### On-premise + +If you have [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) deployed, you can install Codefresh Runner in **agentless** mode. + +**What is agentless mode?** + +Agent (aka venona) is Runner component which responsible for calling Codefresh API to run builds and create dind/engine pods and pvc objects. Agent can only be assigned to a single account, thus you can't share one runtime across multiple accounts. However, with **agentless** mode it's possible to register the runtime as **system**-type runtime so it's registered on the platform level and can be assigned/shared across multiple accounts. + +**What are the prerequisites?** +- You have a running [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) control-plane environment +- You have a Codefresh API token with platform **Admin** permissions scope + +### How to deploy agentless runtime when it's on the SAME k8s cluster as On-Premises control-plane environment? + +- Enable cluster-level permissions for cf-api (On-Premises control-plane component) + +> `values.yaml` for [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) Helm chart +```yaml +cfapi: + ... + # -- Enable ClusterRole/ClusterRoleBinding + rbac: + namespaced: false +``` + +- Set the following values for Runner Helm chart + +`.Values.global.codefreshHost=...` \ +`.Values.global.codefreshToken=...` \ +`.Values.global.runtimeName=system/...` \ +`.Values.runtime.agent=false` \ +`.Values.runtime.inCluster=true` + +> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart +```yaml +global: + # -- URL of Codefresh On-Premises Platform + codefreshHost: "https://myonprem.somedomain.com" + # -- User token in plain text with Admin permission scope + codefreshToken: "" + # -- User token that references an existing secret containing API key. + codefreshTokenSecretKeyRef: {} + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Distinguished runtime name + # (for On-Premise only; mandatory!) Must be prefixed with "system/..." + runtimeName: "system/prod-ue1-some-cluster-name" + +# -- Set runtime parameters +runtime: + # -- (for On-Premise only; mandatory!) Disable agent + agent: false + # -- (for On-Premise only; optional) Set inCluster runtime (default: `true`) + # `inCluster=true` flag is set when Runtime and On-Premises control-plane are run on the same cluster + # `inCluster=false` flag is set when Runtime and On-Premises control-plane are on different clusters + inCluster: true + # -- (for On-Premise only; optional) Assign accounts to runtime (list of account ids; default is empty) + # Accounts can be assigned to the runtime in Codefresh UI later so you can kepp it empty. + accounts: [] + # -- Set parent runtime to inherit. + runtimeExtends: [] +``` + +- Install the chart + +```console +helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace cf-runtime +``` + +- Verify the runtime and run test pipeline + +Go to [https:///admin/runtime-environments/system](https:///admin/runtime-environments/system) to check the runtime. Assign it to the required account(s). Run test pipeline on it. + +### How to deploy agentless runtime when it's on the DIFFERENT k8s cluster than On-Premises control-plane environment? + +In this case, it's required to mount runtime cluster's `KUBECONFIG` into On-Premises `cf-api` deployment + +- Create the neccessary RBAC resources + +> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart +```yaml +extraResources: +- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: codefresh-role + namespace: '{{ .Release.Namespace }}' + rules: + - apiGroups: [""] + resources: ["pods", "persistentvolumeclaims", "persistentvolumes"] + verbs: ["list", "watch", "get", "create", "patch", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["list", "watch", "get", "create", "patch", "delete"] +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: codefresh-runtime-user + namespace: '{{ .Release.Namespace }}' +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: codefresh-runtime-user + namespace: '{{ .Release.Namespace }}' + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: codefresh-role + subjects: + - kind: ServiceAccount + name: codefresh-runtime-user + namespace: '{{ .Release.Namespace }}' +- apiVersion: v1 + kind: Secret + metadata: + name: codefresh-runtime-user-token + namespace: '{{ .Release.Namespace }}' + annotations: + kubernetes.io/service-account.name: codefresh-runtime-user + type: kubernetes.io/service-account-token +``` + +- Set up the following environment variables to create a `KUBECONFIG` file + +```shell +NAMESPACE=cf-runtime +CLUSTER_NAME=prod-ue1-some-cluster-name +CURRENT_CONTEXT=$(kubectl config current-context) + +USER_TOKEN_VALUE=$(kubectl -n cf-runtime get secret/codefresh-runtime-user-token -o=go-template='{{.data.token}}' | base64 --decode) +CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}') +CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}') +CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}') + +export -p USER_TOKEN_VALUE CURRENT_CONTEXT CURRENT_CLUSTER CLUSTER_CA CLUSTER_SERVER CLUSTER_NAME +``` + +- Create a kubeconfig file + +```console +cat << EOF > $CLUSTER_NAME-kubeconfig +apiVersion: v1 +kind: Config +current-context: ${CLUSTER_NAME} +contexts: +- name: ${CLUSTER_NAME} + context: + cluster: ${CLUSTER_NAME} + user: codefresh-runtime-user + namespace: ${NAMESPACE} +clusters: +- name: ${CLUSTER_NAME} + cluster: + certificate-authority-data: ${CLUSTER_CA} + server: ${CLUSTER_SERVER} +users: +- name: ${CLUSTER_NAME} + user: + token: ${USER_TOKEN_VALUE} +EOF +``` + +- **Switch context to On-Premises control-plane cluster**. Create k8s secret (via any tool like [ESO](https://external-secrets.io/v0.4.4/), `kubectl`, etc ) containing runtime cluster's `KUBECONFG` created in previous step. + +```shell +NAMESPACE=codefresh +kubectl create secret generic dind-runtime-clusters --from-file=$CLUSTER_NAME=$CLUSTER_NAME-kubeconfig -n $NAMESPACE +``` + +- Mount secret containing runtime cluster's `KUBECONFG` into cf-api in On-Premises control-plane cluster + +> `values.yaml` for [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) helm chart +```yaml +cf-api: + ... + volumes: + dind-clusters: + enabled: true + type: secret + nameOverride: dind-runtime-clusters + optional: true +``` +> volumeMount `/etc/kubeconfig` is already configured in cf-api Helm chart template. No need to specify it. + +- Set the following values for Runner helm chart + +> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart + +`.Values.global.codefreshHost=...` \ +`.Values.global.codefreshToken=...` \ +`.Values.global.runtimeName=system/...` \ +`.Values.runtime.agent=false` \ +`.Values.runtime.inCluster=false` + +**Important!** +`.Values.global.name` ("system/" prefix is ignored!) should match the cluster name (key in `dind-runtime-clusters` secret created previously) +```yaml +global: + # -- URL of Codefresh On-Premises Platform + codefreshHost: "https://myonprem.somedomain.com" + # -- User token in plain text with Admin permission scope + codefreshToken: "" + # -- User token that references an existing secret containing API key. + codefreshTokenSecretKeyRef: {} + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Distinguished runtime name + # (for On-Premise only; mandatory!) Must be prefixed with "system/..." + name: "system/prod-ue1-some-cluster-name" + +# -- Set runtime parameters +runtime: + # -- (for On-Premise only; mandatory!) Disable agent + agent: false + # -- (for On-Premise only; optional) Set inCluster runtime (default: `true`) + # `inCluster=true` flag is set when Runtime and On-Premises control-plane are run on the same cluster + # `inCluster=false` flag is set when Runtime and On-Premises control-plane are on different clusters + inCluster: false + # -- (for On-Premise only; optional) Assign accounts to runtime (list of account ids; default is empty) + # Accounts can be assigned to the runtime in Codefresh UI later so you can kepp it empty. + accounts: [] + # -- (optional) Set parent runtime to inherit. + runtimeExtends: [] +``` + +- Install the chart + +```console +helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace cf-runtime +``` + +- Verify the runtime and run test pipeline + +Go to [https:///admin/runtime-environments/system](https:///admin/runtime-environments/system) to see the runtime. Assign it to the required account(s). + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| oci://quay.io/codefresh/charts | cf-common | 0.16.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| appProxy.affinity | object | `{}` | Set affinity | +| appProxy.enabled | bool | `false` | Enable app-proxy | +| appProxy.env | object | `{}` | Add additional env vars | +| appProxy.image | object | `{"registry":"quay.io","repository":"codefresh/cf-app-proxy","tag":"0.0.47"}` | Set image | +| appProxy.ingress.annotations | object | `{}` | Set extra annotations for ingress object | +| appProxy.ingress.class | string | `""` | Set ingress class | +| appProxy.ingress.host | string | `""` | Set DNS hostname the ingress will use | +| appProxy.ingress.pathPrefix | string | `""` | Set path prefix for ingress (keep empty for default `/` path) | +| appProxy.ingress.tlsSecret | string | `""` | Set k8s tls secret for the ingress object | +| appProxy.nodeSelector | object | `{}` | Set node selector | +| appProxy.podAnnotations | object | `{}` | Set pod annotations | +| appProxy.podSecurityContext | object | `{}` | Set security context for the pod | +| appProxy.rbac | object | `{"create":true,"namespaced":true,"rules":[]}` | RBAC parameters | +| appProxy.rbac.create | bool | `true` | Create RBAC resources | +| appProxy.rbac.namespaced | bool | `true` | Use Role(true)/ClusterRole(true) | +| appProxy.rbac.rules | list | `[]` | Add custom rule to the role | +| appProxy.readinessProbe | object | See below | Readiness probe configuration | +| appProxy.replicasCount | int | `1` | Set number of pods | +| appProxy.resources | object | `{}` | Set requests and limits | +| appProxy.serviceAccount | object | `{"annotations":{},"create":true,"name":"","namespaced":true}` | Service Account parameters | +| appProxy.serviceAccount.annotations | object | `{}` | Additional service account annotations | +| appProxy.serviceAccount.create | bool | `true` | Create service account | +| appProxy.serviceAccount.name | string | `""` | Override service account name | +| appProxy.serviceAccount.namespaced | bool | `true` | Use Role(true)/ClusterRole(true) | +| appProxy.tolerations | list | `[]` | Set tolerations | +| appProxy.updateStrategy | object | `{"type":"RollingUpdate"}` | Upgrade strategy | +| dockerRegistry | string | `""` | | +| event-exporter | object | See below | Event exporter parameters | +| event-exporter.affinity | object | `{}` | Set affinity | +| event-exporter.enabled | bool | `false` | Enable event-exporter | +| event-exporter.env | object | `{}` | Add additional env vars | +| event-exporter.image | object | `{"registry":"docker.io","repository":"codefresh/k8s-event-exporter","tag":"latest"}` | Set image | +| event-exporter.nodeSelector | object | `{}` | Set node selector | +| event-exporter.podAnnotations | object | `{}` | Set pod annotations | +| event-exporter.podSecurityContext | object | See below | Set security context for the pod | +| event-exporter.rbac | object | `{"create":true,"rules":[]}` | RBAC parameters | +| event-exporter.rbac.create | bool | `true` | Create RBAC resources | +| event-exporter.rbac.rules | list | `[]` | Add custom rule to the role | +| event-exporter.replicasCount | int | `1` | Set number of pods | +| event-exporter.resources | object | `{}` | Set resources | +| event-exporter.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Service Account parameters | +| event-exporter.serviceAccount.annotations | object | `{}` | Additional service account annotations | +| event-exporter.serviceAccount.create | bool | `true` | Create service account | +| event-exporter.serviceAccount.name | string | `""` | Override service account name | +| event-exporter.tolerations | list | `[]` | Set tolerations | +| event-exporter.updateStrategy | object | `{"type":"Recreate"}` | Upgrade strategy | +| extraResources | list | `[]` | Array of extra objects to deploy with the release | +| fullnameOverride | string | `""` | String to fully override cf-runtime.fullname template | +| global | object | See below | Global parameters | +| global.accountId | string | `""` | Account ID (required!) Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information | +| global.agentName | string | `""` | Agent Name (optional!) If omitted, the following format will be used `{{ .Values.global.context }}_{{ .Release.Namespace }}` | +| global.agentToken | string | `""` | DEPRECATED Agent token in plain text. !!! MUST BE provided if migrating from < 6.x chart version | +| global.agentTokenSecretKeyRef | object | `{}` | DEPRECATED Agent token that references an existing secret containing API key. !!! MUST BE provided if migrating from < 6.x chart version | +| global.codefreshHost | string | `"https://g.codefresh.io"` | URL of Codefresh Platform (required!) | +| global.codefreshToken | string | `""` | User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!) Ref: https://g.codefresh.io/user/settings (see API Keys) Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write) | +| global.codefreshTokenSecretKeyRef | object | `{}` | User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!) | +| global.context | string | `""` | K8s context name (required!) | +| global.imagePullSecrets | list | `[]` | Global Docker registry secret names as array | +| global.imageRegistry | string | `""` | Global Docker image registry | +| global.runtimeName | string | `""` | Runtime name (optional!) If omitted, the following format will be used `{{ .Values.global.context }}/{{ .Release.Namespace }}` | +| monitor.affinity | object | `{}` | Set affinity | +| monitor.enabled | bool | `false` | Enable monitor Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component | +| monitor.env | object | `{}` | Add additional env vars | +| monitor.image | object | `{"registry":"quay.io","repository":"codefresh/cf-k8s-agent","tag":"1.3.18"}` | Set image | +| monitor.nodeSelector | object | `{}` | Set node selector | +| monitor.podAnnotations | object | `{}` | Set pod annotations | +| monitor.podSecurityContext | object | `{}` | | +| monitor.rbac | object | `{"create":true,"namespaced":true,"rules":[]}` | RBAC parameters | +| monitor.rbac.create | bool | `true` | Create RBAC resources | +| monitor.rbac.namespaced | bool | `true` | Use Role(true)/ClusterRole(true) | +| monitor.rbac.rules | list | `[]` | Add custom rule to the role | +| monitor.readinessProbe | object | See below | Readiness probe configuration | +| monitor.replicasCount | int | `1` | Set number of pods | +| monitor.resources | object | `{}` | Set resources | +| monitor.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Service Account parameters | +| monitor.serviceAccount.annotations | object | `{}` | Additional service account annotations | +| monitor.serviceAccount.create | bool | `true` | Create service account | +| monitor.serviceAccount.name | string | `""` | Override service account name | +| monitor.tolerations | list | `[]` | Set tolerations | +| monitor.updateStrategy | object | `{"type":"RollingUpdate"}` | Upgrade strategy | +| nameOverride | string | `""` | String to partially override cf-runtime.fullname template (will maintain the release name) | +| podMonitor | object | See below | Add podMonitor (for engine pods) | +| podMonitor.main.enabled | bool | `false` | Enable pod monitor for engine pods | +| podMonitor.runner.enabled | bool | `false` | Enable pod monitor for runner pod | +| podMonitor.volume-provisioner.enabled | bool | `false` | Enable pod monitor for volumeProvisioner pod | +| re | object | `{}` | | +| runner | object | See below | Runner parameters | +| runner.affinity | object | `{}` | Set affinity | +| runner.enabled | bool | `true` | Enable the runner | +| runner.env | object | `{}` | Add additional env vars | +| runner.image | object | `{"registry":"quay.io","repository":"codefresh/venona","tag":"1.10.2"}` | Set image | +| runner.init | object | `{"image":{"registry":"quay.io","repository":"codefresh/cli","tag":"0.85.0-rootless"},"resources":{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"0.2","memory":"256Mi"}}}` | Init container | +| runner.nodeSelector | object | `{}` | Set node selector | +| runner.podAnnotations | object | `{}` | Set pod annotations | +| runner.podSecurityContext | object | See below | Set security context for the pod | +| runner.rbac | object | `{"create":true,"rules":[]}` | RBAC parameters | +| runner.rbac.create | bool | `true` | Create RBAC resources | +| runner.rbac.rules | list | `[]` | Add custom rule to the role | +| runner.readinessProbe | object | See below | Readiness probe configuration | +| runner.replicasCount | int | `1` | Set number of pods | +| runner.resources | object | `{}` | Set requests and limits | +| runner.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Service Account parameters | +| runner.serviceAccount.annotations | object | `{}` | Additional service account annotations | +| runner.serviceAccount.create | bool | `true` | Create service account | +| runner.serviceAccount.name | string | `""` | Override service account name | +| runner.sidecar | object | `{"enabled":false,"env":{"RECONCILE_INTERVAL":300},"image":{"registry":"quay.io","repository":"codefresh/codefresh-shell","tag":"0.0.2"},"resources":{}}` | Sidecar container Reconciles runtime spec from Codefresh API for drift detection | +| runner.tolerations | list | `[]` | Set tolerations | +| runner.updateStrategy | object | `{"type":"RollingUpdate"}` | Upgrade strategy | +| runtime | object | See below | Set runtime parameters | +| runtime.accounts | list | `[]` | (for On-Premise only) Assign accounts to runtime (list of account ids) | +| runtime.agent | bool | `true` | (for On-Premise only) Enable agent | +| runtime.description | string | `""` | Runtime description | +| runtime.dind | object | `{"affinity":{},"env":{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true},"image":{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). | +| runtime.dind.affinity | object | `{}` | Set affinity | +| runtime.dind.env | object | `{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true}` | Set additional env vars. | +| runtime.dind.image | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"}` | Set dind image. | +| runtime.dind.nodeSelector | object | `{}` | Set node selector. | +| runtime.dind.podAnnotations | object | `{}` | Set pod annotations. | +| runtime.dind.podLabels | object | `{}` | Set pod labels. | +| runtime.dind.pvcs | object | `{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}}` | PV claim spec parametes. | +| runtime.dind.pvcs.dind | object | `{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}` | Default dind PVC parameters | +| runtime.dind.pvcs.dind.annotations | object | `{}` | PV annotations. | +| runtime.dind.pvcs.dind.name | string | `"dind"` | PVC name prefix. Keep `dind` as default! Don't change! | +| runtime.dind.pvcs.dind.reuseVolumeSelector | string | `"codefresh-app,io.codefresh.accountName"` | PV reuse selector. Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#volume-reuse-policy | +| runtime.dind.pvcs.dind.storageClassName | string | `"{{ include \"dind-volume-provisioner.storageClassName\" . }}"` | PVC storage class name. Change ONLY if you need to use storage class NOT from Codefresh volume-provisioner | +| runtime.dind.pvcs.dind.volumeSize | string | `"16Gi"` | PVC size. | +| runtime.dind.resources | object | `{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null}` | Set dind resources. | +| runtime.dind.schedulerName | string | `""` | Set scheduler name. | +| runtime.dind.serviceAccount | string | `"codefresh-engine"` | Set service account for pod. | +| runtime.dind.terminationGracePeriodSeconds | int | `30` | Set termination grace period. | +| runtime.dind.tolerations | list | `[]` | Set tolerations. | +| runtime.dind.userAccess | bool | `true` | Keep `true` as default! | +| runtime.dind.userVolumeMounts | object | `{}` | Add extra volume mounts | +| runtime.dind.userVolumes | object | `{}` | Add extra volumes | +| runtime.dindDaemon | object | See below | DinD pod daemon config | +| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100},"image":{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.174.13"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"COMPOSE_IMAGE":"quay.io/codefresh/compose:v2.28.1-1.5.0","CONTAINER_LOGGER_IMAGE":"quay.io/codefresh/cf-container-logger:1.11.7","COSIGN_IMAGE_SIGNER_IMAGE":"quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2","CR_6177_FIXER":"quay.io/codefresh/alpine:edge","DOCKER_BUILDER_IMAGE":"quay.io/codefresh/cf-docker-builder:1.3.13","DOCKER_PULLER_IMAGE":"quay.io/codefresh/cf-docker-puller:8.0.17","DOCKER_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-pusher:6.0.16","DOCKER_TAG_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-tag-pusher:1.3.14","FS_OPS_IMAGE":"quay.io/codefresh/fs-ops:1.2.3","GC_BUILDER_IMAGE":"quay.io/codefresh/cf-gc-builder:0.5.3","GIT_CLONE_IMAGE":"quay.io/codefresh/cf-git-cloner:10.1.28","KUBE_DEPLOY":"quay.io/codefresh/cf-deploy-kubernetes:16.1.11","PIPELINE_DEBUGGER_IMAGE":"quay.io/codefresh/cf-debugger:1.3.6","TEMPLATE_ENGINE":"quay.io/codefresh/pikolo:0.14.1"},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). | +| runtime.engine.affinity | object | `{}` | Set affinity | +| runtime.engine.command | list | `["npm","run","start"]` | Set container command. | +| runtime.engine.env | object | `{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100}` | Set additional env vars. | +| runtime.engine.env.CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS | int | `1000` | Interval to check the exec status in the container-logger | +| runtime.engine.env.DOCKER_REQUEST_TIMEOUT_MS | int | `30000` | Timeout while doing requests to the Docker daemon | +| runtime.engine.env.FORCE_COMPOSE_SERIAL_PULL | bool | `false` | If "true", composition images will be pulled sequentially | +| runtime.engine.env.LOGGER_LEVEL | string | `"debug"` | Level of logging for engine | +| runtime.engine.env.LOG_OUTGOING_HTTP_REQUESTS | bool | `false` | Enable debug-level logging of outgoing HTTP/HTTPS requests | +| runtime.engine.env.METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS | bool | `false` | Enable collecting process metrics | +| runtime.engine.env.METRICS_PROMETHEUS_ENABLED | bool | `true` | Enable emitting metrics from engine | +| runtime.engine.env.METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS | bool | `false` | Enable legacy metrics | +| runtime.engine.env.METRICS_PROMETHEUS_HOST | string | `"0.0.0.0"` | Host for Prometheus metrics server | +| runtime.engine.env.METRICS_PROMETHEUS_PORT | int | `9100` | Port for Prometheus metrics server | +| runtime.engine.image | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.174.13"}` | Set image. | +| runtime.engine.nodeSelector | object | `{}` | Set node selector. | +| runtime.engine.podAnnotations | object | `{}` | Set pod annotations. | +| runtime.engine.podLabels | object | `{}` | Set pod labels. | +| runtime.engine.resources | object | `{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Set resources. | +| runtime.engine.runtimeImages | object | See below. | Set system(base) runtime images. | +| runtime.engine.schedulerName | string | `""` | Set scheduler name. | +| runtime.engine.serviceAccount | string | `"codefresh-engine"` | Set service account for pod. | +| runtime.engine.terminationGracePeriodSeconds | int | `180` | Set termination grace period. | +| runtime.engine.tolerations | list | `[]` | Set tolerations. | +| runtime.engine.userEnvVars | list | `[]` | Set extra env vars | +| runtime.engine.workflowLimits | object | `{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}` | Set workflow limits. | +| runtime.engine.workflowLimits.MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS | int | `600` | Maximum time allowed to the engine to wait for the pre-steps (aka "Initializing Process") to succeed; seconds. | +| runtime.engine.workflowLimits.MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION | int | `86400` | Maximum time for workflow execution; seconds. | +| runtime.engine.workflowLimits.MAXIMUM_ELECTED_STATE_AGE_ALLOWED | int | `900` | Maximum time allowed to workflow to spend in "elected" state; seconds. | +| runtime.engine.workflowLimits.MAXIMUM_RETRY_ATTEMPTS_ALLOWED | int | `20` | Maximum retry attempts allowed for workflow. | +| runtime.engine.workflowLimits.MAXIMUM_TERMINATING_STATE_AGE_ALLOWED | int | `900` | Maximum time allowed to workflow to spend in "terminating" state until force terminated; seconds. | +| runtime.engine.workflowLimits.MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE | int | `300` | Maximum time allowed to workflow to spend in "terminating" state without logs activity until force terminated; seconds. | +| runtime.engine.workflowLimits.TIME_ENGINE_INACTIVE_UNTIL_TERMINATION | int | `300` | Time since the last health check report after which workflow is terminated; seconds. | +| runtime.engine.workflowLimits.TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY | int | `60` | Time since the last health check report after which the engine is considered unhealthy; seconds. | +| runtime.engine.workflowLimits.TIME_INACTIVE_UNTIL_TERMINATION | int | `2700` | Time since the last workflow logs activity after which workflow is terminated; seconds. | +| runtime.gencerts | object | See below | Parameters for `gencerts-dind` post-upgrade/install hook | +| runtime.inCluster | bool | `true` | (for On-Premise only) Set inCluster runtime | +| runtime.patch | object | See below | Parameters for `runtime-patch` post-upgrade/install hook | +| runtime.rbac | object | `{"create":true,"rules":[]}` | RBAC parameters | +| runtime.rbac.create | bool | `true` | Create RBAC resources | +| runtime.rbac.rules | list | `[]` | Add custom rule to the engine role | +| runtime.runtimeExtends | list | `["system/default/hybrid/k8s_low_limits"]` | Set parent runtime to inherit. Should not be changes. Parent runtime is controlled from Codefresh side. | +| runtime.serviceAccount | object | `{"annotations":{},"create":true}` | Set annotation on engine Service Account Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster | +| serviceMonitor | object | See below | Add serviceMonitor | +| serviceMonitor.main.enabled | bool | `false` | Enable service monitor for dind pods | +| storage.azuredisk.cachingMode | string | `"None"` | | +| storage.azuredisk.skuName | string | `"Premium_LRS"` | Set storage type (`Premium_LRS`) | +| storage.backend | string | `"local"` | Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) | +| storage.ebs.accessKeyId | string | `""` | Set AWS_ACCESS_KEY_ID for volume-provisioner (optional) Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions | +| storage.ebs.accessKeyIdSecretKeyRef | object | `{}` | Existing secret containing AWS_ACCESS_KEY_ID. | +| storage.ebs.availabilityZone | string | `"us-east-1a"` | Set EBS volumes availability zone (required) | +| storage.ebs.encrypted | string | `"false"` | Enable encryption (optional) | +| storage.ebs.kmsKeyId | string | `""` | Set KMS encryption key ID (optional) | +| storage.ebs.secretAccessKey | string | `""` | Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional) Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions | +| storage.ebs.secretAccessKeySecretKeyRef | object | `{}` | Existing secret containing AWS_SECRET_ACCESS_KEY | +| storage.ebs.volumeType | string | `"gp2"` | Set EBS volume type (`gp2`/`gp3`/`io1`) (required) | +| storage.fsType | string | `"ext4"` | Set filesystem type (`ext4`/`xfs`) | +| storage.gcedisk.availabilityZone | string | `"us-west1-a"` | Set GCP volume availability zone | +| storage.gcedisk.serviceAccountJson | string | `""` | Set Google SA JSON key for volume-provisioner (optional) | +| storage.gcedisk.serviceAccountJsonSecretKeyRef | object | `{}` | Existing secret containing containing Google SA JSON key for volume-provisioner (optional) | +| storage.gcedisk.volumeType | string | `"pd-ssd"` | Set GCP volume backend type (`pd-ssd`/`pd-standard`) | +| storage.local.volumeParentDir | string | `"/var/lib/codefresh/dind-volumes"` | Set volume path on the host filesystem | +| storage.mountAzureJson | bool | `false` | | +| volumeProvisioner | object | See below | Volume Provisioner parameters | +| volumeProvisioner.affinity | object | `{}` | Set affinity | +| volumeProvisioner.dind-lv-monitor | object | See below | `dind-lv-monitor` DaemonSet parameters (local volumes cleaner) | +| volumeProvisioner.enabled | bool | `true` | Enable volume-provisioner | +| volumeProvisioner.env | object | `{}` | Add additional env vars | +| volumeProvisioner.image | object | `{"registry":"quay.io","repository":"codefresh/dind-volume-provisioner","tag":"1.35.0"}` | Set image | +| volumeProvisioner.nodeSelector | object | `{}` | Set node selector | +| volumeProvisioner.podAnnotations | object | `{}` | Set pod annotations | +| volumeProvisioner.podSecurityContext | object | See below | Set security context for the pod | +| volumeProvisioner.rbac | object | `{"create":true,"rules":[]}` | RBAC parameters | +| volumeProvisioner.rbac.create | bool | `true` | Create RBAC resources | +| volumeProvisioner.rbac.rules | list | `[]` | Add custom rule to the role | +| volumeProvisioner.replicasCount | int | `1` | Set number of pods | +| volumeProvisioner.resources | object | `{}` | Set resources | +| volumeProvisioner.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Service Account parameters | +| volumeProvisioner.serviceAccount.annotations | object | `{}` | Additional service account annotations | +| volumeProvisioner.serviceAccount.create | bool | `true` | Create service account | +| volumeProvisioner.serviceAccount.name | string | `""` | Override service account name | +| volumeProvisioner.tolerations | list | `[]` | Set tolerations | +| volumeProvisioner.updateStrategy | object | `{"type":"Recreate"}` | Upgrade strategy | + diff --git a/charts/codefresh/cf-runtime/6.4.3/README.md.gotmpl b/charts/codefresh/cf-runtime/6.4.3/README.md.gotmpl new file mode 100644 index 0000000000..96e5ca5748 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/README.md.gotmpl @@ -0,0 +1,1007 @@ +## Codefresh Runner + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes. + +## Table of Content + +- [Prerequisites](#prerequisites) +- [Get Chart Info](#get-chart-info) +- [Install Chart](#install-chart) +- [Chart Configuration](#chart-configuration) +- [Upgrade Chart](#upgrade-chart) + - [To 2.x](#to-2-x) + - [To 3.x](#to-3-x) + - [To 4.x](#to-4-x) + - [To 5.x](#to-5-x) + - [To 6.x](#to-6-x) +- [Architecture](#architecture) +- [Configuration](#configuration) + - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration) + - [Azure Disks backend volume configuration in AKS](#azure-disks-backend-volume-configuration) + - [GCE Disks backend volume configuration in GKE](#gce-disks-backend-volume-configuration-in-gke) + - [Custom volume mounts](#custom-volume-mounts) + - [Custom global environment variables](#custom-global-environment-variables) + - [Volume reuse policy](#volume-reuse-policy) + - [Volume cleaners](#volume-cleaners) + - [Rootless DinD](#rootless-dind) + - [ARM](#arm) + - [Openshift](#openshift) + - [On-premise](#on-premise) + +## Prerequisites + +- Kubernetes **1.19+** +- Helm **3.8.0+** + +⚠️⚠️⚠️ +> Since version 6.2.x chart is pushed **only** to OCI registry at `oci://quay.io/codefresh/cf-runtime` + +> Versions prior to 6.2.x are still available in ChartMuseum at `http://chartmuseum.codefresh.io/cf-runtime` + +## Get Chart Info + +```console +helm show all oci://quay.io/codefresh/cf-runtime +``` +See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) + +## Install Chart + +**Important:** only helm3 is supported + +- Specify the following mandatory values + +`values.yaml` +```yaml +# -- Global parameters +# @default -- See below +global: + # -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!) + # Ref: https://g.codefresh.io/user/settings (see API Keys) + # Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write) + codefreshToken: "" + # -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!) + codefreshTokenSecretKeyRef: {} + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Account ID (required!) + # Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information + accountId: "" + + # -- K8s context name (required!) + context: "" + # E.g. + # context: prod-ue1-runtime-1 + + # -- Agent Name (optional!) + # If omitted, the following format will be used '{{ `{{ .Values.global.context }}_{{ .Release.Namespace }}` }}' + agentName: "" + # E.g. + # agentName: prod-ue1-runtime-1 + + # -- Runtime name (optional!) + # If omitted, the following format will be used '{{ `{{ .Values.global.context }}/{{ .Release.Namespace }}` }}' + runtimeName: "" + # E.g. + # runtimeName: prod-ue1-runtime-1/namespace +``` + +- Install chart + +```console +helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace codefresh +``` + +## Chart Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). + +## Upgrade Chart + +### To 2.x + +This major release renames and deprecated several values in the chart. Most of the workload templates have been refactored. + +Affected values: +- `dockerRegistry` is deprecated. Replaced with `global.imageRegistry` +- `re` is renamed to `runtime` +- `storage.localVolumeMonitor` is replaced with `volumeProvisioner.dind-lv-monitor` +- `volumeProvisioner.volume-cleanup` is replaced with `volumeProvisioner.dind-volume-cleanup` +- `image` values structure has been updated. Split to `image.registry` `image.repository` `image.tag` +- pod's `annotations` is renamed to `podAnnotations` + +### To 3.x + +⚠️⚠️⚠️ +### READ this before the upgrade! + +This major release adds [runtime-environment](https://codefresh.io/docs/docs/installation/codefresh-runner/#runtime-environment-specification) spec into chart templates. +That means it is possible to set parametes for `dind` and `engine` pods via [values.yaml](./values.yaml). + +**If you had any overrides (i.e. tolerations/nodeSelector/environment variables/etc) added in runtime spec via [codefresh CLI](https://codefresh-io.github.io/cli/) (for example, you did use [get](https://codefresh-io.github.io/cli/runtime-environments/get-runtime-environments/) and [patch](https://codefresh-io.github.io/cli/runtime-environments/apply-runtime-environments/) commands to modify the runtime-environment), you MUST add these into chart's [values.yaml](./values.yaml) for `.Values.runtime.dind` or(and) .`Values.runtime.engine`** + +**For backward compatibility, you can disable updating runtime-environment spec via** `.Values.runtime.patch.enabled=false` + +Affected values: +- added **mandatory** `global.codefreshToken`/`global.codefreshTokenSecretKeyRef` **You must specify it before the upgrade!** +- `runtime.engine` is added +- `runtime.dind` is added +- `global.existingAgentToken` is replaced with `global.agentTokenSecretKeyRef` +- `global.existingDindCertsSecret` is replaced with `global.dindCertsSecretRef` + +### To 4.x + +This major release adds **agentless inCluster** runtime mode (relevant only for [Codefresh On-Premises](#on-premise) users) + +Affected values: +- `runtime.agent` / `runtime.inCluster` / `runtime.accounts` / `runtime.description` are added + +### To 5.x + +This major release converts `.runtime.dind.pvcs` from **list** to **dict** + +> 4.x chart's values example: +```yaml +runtime: + dind: + pvcs: + - name: dind + storageClassName: my-storage-class-name + volumeSize: 32Gi + reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName' + reuseVolumeSortOrder: pipeline_id +``` + +> 5.x chart's values example: +```yaml +runtime: + dind: + pvcs: + dind: + name: dind + storageClassName: my-storage-class-name + volumeSize: 32Gi + reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName' + reuseVolumeSortOrder: pipeline_id +``` + +Affected values: +- `.runtime.dind.pvcs` converted from **list** to **dict** + +### To 6.x + +⚠️⚠️⚠️ +### READ this before the upgrade! + +This major release deprecates previously required `codefresh runner init --generate-helm-values-file`. + +Affected values: +- **Replaced** `.monitor.clusterId` with `.global.context` as **mandatory** value! +- **Deprecated** `.global.agentToken` / `.global.agentTokenSecretKeyRef` +- **Removed** `.global.agentId` +- **Removed** `.global.keys` / `.global.dindCertsSecretRef` +- **Removed** `.global.existingAgentToken` / `existingDindCertsSecret` +- **Removed** `.monitor.clusterId` / `.monitor.token` / `.monitor.existingMonitorToken` + +#### Migrate the Helm chart from version 5.x to 6.x + +Given this is the legacy `generated_values.yaml` values: + +> legacy `generated_values.yaml` +```yaml +{ + "appProxy": { + "enabled": false, + }, + "monitor": { + "enabled": false, + "clusterId": "my-cluster-name", + "token": "1234567890" + }, + "global": { + "namespace": "namespace", + "codefreshHost": "https://g.codefresh.io", + "agentToken": "0987654321", + "agentId": "agent-id-here", + "agentName": "my-cluster-name_my-namespace", + "accountId": "my-account-id", + "runtimeName": "my-cluster-name/my-namespace", + "codefreshToken": "1234567890", + "keys": { + "key": "-----BEGIN RSA PRIVATE KEY-----...", + "csr": "-----BEGIN CERTIFICATE REQUEST-----...", + "ca": "-----BEGIN CERTIFICATE-----...", + "serverCert": "-----BEGIN CERTIFICATE-----..." + } + } +} +``` + +Update `values.yaml` for new chart version: + +> For existing installation for backward compatibility `.Values.global.agentToken/agentTokenSecretKeyRef` **must be provided!** For installation from scratch this value is no longer required. + +> updated `values.yaml` +```yaml +global: + codefreshToken: "1234567890" + accountId: "my-account-id" + context: "my-cluster-name" + agentToken: "0987654321" # MANDATORY when migrating from < 6.x chart version ! + agentName: "my-cluster-name_my-namespace" # optional + runtimeName: "my-cluster-name/my-namespace" # optional +``` + +> **Note!** Though it's still possible to update runtime-environment via [get](https://codefresh-io.github.io/cli/runtime-environments/get-runtime-environments/) and [patch](https://codefresh-io.github.io/cli/runtime-environments/apply-runtime-environments/) commands, it's recommended to enable sidecar container to pull runtime spec from Codefresh API to detect any drift in configuration. + +```yaml +runner: + # -- Sidecar container + # Reconciles runtime spec from Codefresh API for drift detection + sidecar: + enabled: true +``` + +## Architecture + +[Codefresh Runner architecture](https://codefresh.io/docs/docs/installation/codefresh-runner/#codefresh-runner-architecture) + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). + +### EBS backend volume configuration + +`dind-volume-provisioner` should have permissions to create/attach/detach/delete/get EBS volumes + +Minimal IAM policy for `dind-volume-provisioner` + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:AttachVolume", + "ec2:CreateSnapshot", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:DeleteSnapshot", + "ec2:DeleteTags", + "ec2:DeleteVolume", + "ec2:DescribeInstances", + "ec2:DescribeSnapshots", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DetachVolume" + ], + "Resource": "*" + } + ] +} +``` + +There are three options: + +1. Run `dind-volume-provisioner` pod on the node/node-group with IAM role + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: ebs-csi + + ebs: + availabilityZone: "us-east-1a" + +volumeProvisioner: + # -- Set node selector + nodeSelector: {} + # -- Set tolerations + tolerations: [] +``` + +2. Pass static credentials in `.Values.storage.ebs.accessKeyId/accessKeyIdSecretKeyRef` and `.Values.storage.ebs.secretAccessKey/secretAccessKeySecretKeyRef` + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: ebs-csi + + ebs: + availabilityZone: "us-east-1a" + + # -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional) + accessKeyId: "" + # -- Existing secret containing AWS_ACCESS_KEY_ID. + accessKeyIdSecretKeyRef: {} + # E.g. + # accessKeyIdSecretKeyRef: + # name: + # key: + + # -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional) + secretAccessKey: "" + # -- Existing secret containing AWS_SECRET_ACCESS_KEY + secretAccessKeySecretKeyRef: {} + # E.g. + # secretAccessKeySecretKeyRef: + # name: + # key: +``` + +3. Assign IAM role to `dind-volume-provisioner` service account + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: ebs-csi + + ebs: + availabilityZone: "us-east-1a" + +volumeProvisioner: + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Additional service account annotations + annotations: + eks.amazonaws.com/role-arn: "arn:aws:iam:::role/" +``` + +### Custom volume mounts + +You can add your own volumes and volume mounts in the runtime environment, so that all pipeline steps will have access to the same set of external files. + +```yaml +runtime: + dind: + userVolumes: + regctl-docker-registry: + name: regctl-docker-registry + secret: + items: + - key: .dockerconfigjson + path: config.json + secretName: regctl-docker-registry + optional: true + userVolumeMounts: + regctl-docker-registry: + name: regctl-docker-registry + mountPath: /home/appuser/.docker/ + readOnly: true + +``` + +### Azure Disks backend volume configuration + +`dind-volume-provisioner` should have permissions to create/delete/get Azure Disks + +Role definition for `dind-volume-provisioner` + +`dind-volume-provisioner-role.json` +```json +{ + "Name": "CodefreshDindVolumeProvisioner", + "Description": "Perform create/delete/get disks", + "IsCustom": true, + "Actions": [ + "Microsoft.Compute/disks/read", + "Microsoft.Compute/disks/write", + "Microsoft.Compute/disks/delete" + + ], + "AssignableScopes": ["/subscriptions/"] +} +``` + +When creating an AKS cluster in Azure there is the option to use a [managed identity](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity) that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the dind-volume-provisioner. + +```console +export ROLE_DEFINITIN_FILE=dind-volume-provisioner-role.json +export SUBSCRIPTION_ID=$(az account show --query "id" | xargs echo ) +export RESOURCE_GROUP= +export AKS_NAME= +export LOCATION=$(az aks show -g $RESOURCE_GROUP -n $AKS_NAME --query location | xargs echo) +export NODES_RESOURCE_GROUP=MC_${RESOURCE_GROUP}_${AKS_NAME}_${LOCATION} +export NODE_SERVICE_PRINCIPAL=$(az aks show -g $RESOURCE_GROUP -n $AKS_NAME --query identityProfile.kubeletidentity.objectId | xargs echo) + +az role definition create --role-definition @${ROLE_DEFINITIN_FILE} +az role assignment create --assignee $NODE_SERVICE_PRINCIPAL --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$NODES_RESOURCE_GROUP --role CodefreshDindVolumeProvisioner +``` + +Deploy Helm chart with the following values: + +`values.yaml` +```yaml +volumeProvisioner: + podSecurityContext: + enabled: true + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + +storage: + backend: azuredisk + azuredisk: + availabilityZone: northeurope-1 # replace with your zone + resourceGroup: my-resource-group-name + + mountAzureJson: true + +runtime: + dind: + nodeSelector: + topology.kubernetes.io/zone: northeurope-1 +``` + +### GCE Disks backend volume configuration in GKE + +`dind-volume-provisioner` should have `ComputeEngine.StorageAdmin` permissions + +There are three options: + +1. Run `dind-volume-provisioner` pod on the node/node-group with IAM Service Account + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: gcedisk + + gcedisk: + # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`) + volumeType: "pd-standard" + # -- Set GCP volume availability zone + availabilityZone: "us-central1-c" + +volumeProvisioner: + # -- Set node selector + nodeSelector: {} + # -- Set tolerations + tolerations: [] + +# -- Set runtime parameters +runtime: + # -- Parameters for DinD (docker-in-docker) pod + dind: + # -- Set node selector. + nodeSelector: + topology.kubernetes.io/zone: us-central1-c +``` + +2. Pass static credentials in `.Values.storage.gcedisk.serviceAccountJson` (inline) or `.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef` (from your own secret) + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: gcedisk + + gcedisk: + # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`) + volumeType: "`pd-standard" + # -- Set GCP volume availability zone + availabilityZone: "us-central1-c" + # -- Set Google SA JSON key for volume-provisioner (optional) + serviceAccountJson: | + { + "type": "service_account", + "project_id": "...", + "private_key_id": "...", + "private_key": "...", + "client_email": "...", + "client_id": "...", + "auth_uri": "...", + "token_uri": "...", + "auth_provider_x509_cert_url": "...", + "client_x509_cert_url": "..." + } + # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional) + serviceAccountJsonSecretKeyRef: {} + # E.g.: + # serviceAccountJsonSecretKeyRef: + # name: gce-service-account + # key: service-account.json + +# -- Set runtime parameters +runtime: + # -- Parameters for DinD (docker-in-docker) pod + dind: + # -- Set node selector. + nodeSelector: + topology.kubernetes.io/zone: us-central1-c +``` + +3. Assign IAM role to `dind-volume-provisioner` service account + +```yaml +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: gcedisk + + gcedisk: + # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`) + volumeType: "`pd-standard" + # -- Set GCP volume availability zone + availabilityZone: "us-central1-c" + +volumeProvisioner: + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Additional service account annotations + annotations: + iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com + +# -- Set runtime parameters +runtime: + # -- Parameters for DinD (docker-in-docker) pod + dind: + # -- Set node selector. + nodeSelector: + topology.kubernetes.io/zone: us-central1-c +``` + +### Custom global environment variables + +You can add your own environment variables to the runtime environment. All pipeline steps have access to the global variables. + +```yaml +runtime: + engine: + userEnvVars: + - name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + name: github-token + key: token +``` + +### Volume reuse policy + +Volume reuse behavior depends on the configuration for `reuseVolumeSelector` in the runtime environment spec. + +```yaml +runtime: + dind: + pvcs: + - name: dind + ... + reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName' + reuseVolumeSortOrder: pipeline_id +``` + +The following options are available: +- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName'` - PV can be used by ANY pipeline in the specified account (default). +Benefit: Fewer PVs, resulting in lower costs. Since any PV can be used by any pipeline, the cluster needs to maintain/reserve fewer PVs in its PV pool for Codefresh. +Downside: Since the PV can be used by any pipeline, the PVs could have assets and info from different pipelines, reducing the probability of cache. + +- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,project_id'` - PV can be used by ALL pipelines in your account, assigned to the same project. + +- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id'` - PV can be used only by a single pipeline. +Benefit: More probability of cache without “spam” from other pipelines. +Downside: More PVs to maintain and therefore higher costs. + +- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id,io.codefresh.branch_name'` - PV can be used only by single pipeline AND single branch. + +- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id,trigger'` - PV can be used only by single pipeline AND single trigger. + +### Volume cleaners + +Codefresh pipelines require disk space for: + * [Pipeline Shared Volume](https://codefresh.io/docs/docs/pipelines/introduction-to-codefresh-pipelines/#sharing-the-workspace-between-build-steps) (`/codefresh/volume`, implemented as [docker volume](https://docs.docker.com/storage/volumes/)) + * Docker containers, both running and stopped + * Docker images and cached layers + +Codefresh offers two options to manage disk space and prevent out-of-space errors: +* Use runtime cleaners on Docker images and volumes +* [Set the minimum disk space per pipeline build volume](https://codefresh.io/docs/docs/pipelines/pipelines/#set-minimum-disk-space-for-a-pipeline-build) + +To improve performance by using Docker cache, Codefresh `volume-provisioner` can provision previously used disks with Docker images and pipeline volumes from previously run builds. + +### Types of runtime volume cleaners + +Docker images and volumes must be cleaned on a regular basis. + +* [IN-DIND cleaner](https://github.com/codefresh-io/dind/tree/master/cleaner): Deletes extra Docker containers, volumes, and images in **DIND pod**. +* [External volume cleaner](https://github.com/codefresh-io/dind-volume-cleanup): Deletes unused **external** PVs (EBS, GCE/Azure disks). +* [Local volume cleaner](https://github.com/codefresh-io/dind-volume-utils/blob/master/local-volumes/lv-cleaner.sh): Deletes **local** volumes if node disk space is close to the threshold. + +### IN-DIND cleaner + +**Purpose:** Removes unneeded *docker containers, images, volumes* inside Kubernetes volume mounted on the DIND pod + +**How it runs:** Inside each DIND pod as script + +**Triggered by:** SIGTERM and also during the run when disk usage > 90% (configurable) + +**Configured by:** Environment Variables which can be set in Runtime Environment spec + +**Configuration/Logic:** [README.md](https://github.com/codefresh-io/dind/tree/master/cleaner#readme) + +Override `.Values.runtime.dind.env` if necessary (the following are **defaults**): + +```yaml +runtime: + dind: + env: + CLEAN_PERIOD_SECONDS: '21600' # launch clean if last clean was more than CLEAN_PERIOD_SECONDS seconds ago + CLEAN_PERIOD_BUILDS: '5' # launch clean if last clean was more CLEAN_PERIOD_BUILDS builds since last build + IMAGE_RETAIN_PERIOD: '14400' # do not delete docker images if they have events since current_timestamp - IMAGE_RETAIN_PERIOD + VOLUMES_RETAIN_PERIOD: '14400' # do not delete docker volumes if they have events since current_timestamp - VOLUMES_RETAIN_PERIOD + DISK_USAGE_THRESHOLD: '0.8' # launch clean based on current disk usage DISK_USAGE_THRESHOLD + INODES_USAGE_THRESHOLD: '0.8' # launch clean based on current inodes usage INODES_USAGE_THRESHOLD +``` + +### External volumes cleaner + +**Purpose:** Removes unused *kubernetes volumes and related backend volumes* + +**How it runs:** Runs as `dind-volume-cleanup` CronJob. Installed in case the Runner uses non-local volumes `.Values.storage.backend != local` + +**Triggered by:** CronJob every 10min (configurable) + +**Configuration:** + +Set `codefresh.io/volume-retention` for dinds' PVCs: + +```yaml +runtime: + dind: + pvcs: + dind: + ... + annotations: + codefresh.io/volume-retention: 7d +``` + +Or override environment variables for `dind-volume-cleanup` cronjob: + +```yaml +volumeProvisioner: + dind-volume-cleanup: + env: + RETENTION_DAYS: 7 # clean volumes that were last used more than `RETENTION_DAYS` (default is 4) ago +``` + +### Local volumes cleaner + +**Purpose:** Deletes local volumes when node disk space is close to the threshold + +**How it runs:** Runs as `dind-lv-monitor` DaemonSet. Installed in case the Runner uses local volumes `.Values.storage.backend == local` + +**Triggered by:** Disk space usage or inode usage that exceeds thresholds (configurable) + +**Configuration:** + +Override environment variables for `dind-lv-monitor` daemonset: + +```yaml +volumeProvisioner: + dind-lv-monitor: + env: + KB_USAGE_THRESHOLD: 60 # default 80 (percentage) + INODE_USAGE_THRESHOLD: 60 # default 80 +``` + +### Rootless DinD + +DinD pod runs a `priviliged` container with **rootfull** docker. +To run the docker daemon as non-root user (**rootless** mode), change dind image tag: + +`values.yaml` +```yaml +runtime: + dind: + image: + tag: rootless +``` + +### ARM + +With the Codefresh Runner, you can run native ARM64v8 builds. + +> **Note!** +> You cannot run both amd64 and arm64 images within the same pipeline. As one pipeline can map only to one runtime, you can run either amd64 or arm64 within the same pipeline. + +Provide `nodeSelector` and(or) `tolerations` for dind pods: + +`values.yaml` +```yaml +runtime: + dind: + nodeSelector: + arch: arm64 + tolerations: + - key: arch + operator: Equal + value: arm64 + effect: NoSchedule +``` + +### Openshift + +To install Codefresh Runner on OpenShift use the following `values.yaml` example + +```yaml +runner: + podSecurityContext: + enabled: false + +volumeProvisioner: + podSecurityContext: + enabled: false + env: + PRIVILEGED_CONTAINER: true + dind-lv-monitor: + containerSecurityContext: + enabled: true + privileged: true + volumePermissions: + enabled: true + securityContext: + privileged: true + runAsUser: auto +``` + +Grant `privileged` SCC to `cf-runtime-runner` and `cf-runtime-volume-provisioner` service accounts. + +```console +oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-runner + +oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-volume-provisioner +``` + +### On-premise + +If you have [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) deployed, you can install Codefresh Runner in **agentless** mode. + +**What is agentless mode?** + +Agent (aka venona) is Runner component which responsible for calling Codefresh API to run builds and create dind/engine pods and pvc objects. Agent can only be assigned to a single account, thus you can't share one runtime across multiple accounts. However, with **agentless** mode it's possible to register the runtime as **system**-type runtime so it's registered on the platform level and can be assigned/shared across multiple accounts. + +**What are the prerequisites?** +- You have a running [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) control-plane environment +- You have a Codefresh API token with platform **Admin** permissions scope + + +### How to deploy agentless runtime when it's on the SAME k8s cluster as On-Premises control-plane environment? + +- Enable cluster-level permissions for cf-api (On-Premises control-plane component) + +> `values.yaml` for [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) Helm chart +```yaml +cfapi: + ... + # -- Enable ClusterRole/ClusterRoleBinding + rbac: + namespaced: false +``` + +- Set the following values for Runner Helm chart + +`.Values.global.codefreshHost=...` \ +`.Values.global.codefreshToken=...` \ +`.Values.global.runtimeName=system/...` \ +`.Values.runtime.agent=false` \ +`.Values.runtime.inCluster=true` + +> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart +```yaml +global: + # -- URL of Codefresh On-Premises Platform + codefreshHost: "https://myonprem.somedomain.com" + # -- User token in plain text with Admin permission scope + codefreshToken: "" + # -- User token that references an existing secret containing API key. + codefreshTokenSecretKeyRef: {} + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Distinguished runtime name + # (for On-Premise only; mandatory!) Must be prefixed with "system/..." + runtimeName: "system/prod-ue1-some-cluster-name" + +# -- Set runtime parameters +runtime: + # -- (for On-Premise only; mandatory!) Disable agent + agent: false + # -- (for On-Premise only; optional) Set inCluster runtime (default: `true`) + # `inCluster=true` flag is set when Runtime and On-Premises control-plane are run on the same cluster + # `inCluster=false` flag is set when Runtime and On-Premises control-plane are on different clusters + inCluster: true + # -- (for On-Premise only; optional) Assign accounts to runtime (list of account ids; default is empty) + # Accounts can be assigned to the runtime in Codefresh UI later so you can kepp it empty. + accounts: [] + # -- Set parent runtime to inherit. + runtimeExtends: [] +``` + +- Install the chart + +```console +helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace cf-runtime +``` + +- Verify the runtime and run test pipeline + +Go to [https:///admin/runtime-environments/system](https:///admin/runtime-environments/system) to check the runtime. Assign it to the required account(s). Run test pipeline on it. + + +### How to deploy agentless runtime when it's on the DIFFERENT k8s cluster than On-Premises control-plane environment? + +In this case, it's required to mount runtime cluster's `KUBECONFIG` into On-Premises `cf-api` deployment + +- Create the neccessary RBAC resources + +> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart +```yaml +extraResources: +- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: codefresh-role + namespace: '{{ "{{ .Release.Namespace }}" }}' + rules: + - apiGroups: [""] + resources: ["pods", "persistentvolumeclaims", "persistentvolumes"] + verbs: ["list", "watch", "get", "create", "patch", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["list", "watch", "get", "create", "patch", "delete"] +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: codefresh-runtime-user + namespace: '{{ "{{ .Release.Namespace }}" }}' +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: codefresh-runtime-user + namespace: '{{ "{{ .Release.Namespace }}" }}' + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: codefresh-role + subjects: + - kind: ServiceAccount + name: codefresh-runtime-user + namespace: '{{ "{{ .Release.Namespace }}" }}' +- apiVersion: v1 + kind: Secret + metadata: + name: codefresh-runtime-user-token + namespace: '{{ "{{ .Release.Namespace }}" }}' + annotations: + kubernetes.io/service-account.name: codefresh-runtime-user + type: kubernetes.io/service-account-token +``` + +- Set up the following environment variables to create a `KUBECONFIG` file + +```shell +NAMESPACE=cf-runtime +CLUSTER_NAME=prod-ue1-some-cluster-name +CURRENT_CONTEXT=$(kubectl config current-context) + +USER_TOKEN_VALUE=$(kubectl -n cf-runtime get secret/codefresh-runtime-user-token -o=go-template='{{ `{{.data.token}}` }}' | base64 --decode) +CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{ `{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}` }}') +CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{ `{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}` }}') +CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{ `{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}` }}') + +export -p USER_TOKEN_VALUE CURRENT_CONTEXT CURRENT_CLUSTER CLUSTER_CA CLUSTER_SERVER CLUSTER_NAME +``` + +- Create a kubeconfig file + +```console +cat << EOF > $CLUSTER_NAME-kubeconfig +apiVersion: v1 +kind: Config +current-context: ${CLUSTER_NAME} +contexts: +- name: ${CLUSTER_NAME} + context: + cluster: ${CLUSTER_NAME} + user: codefresh-runtime-user + namespace: ${NAMESPACE} +clusters: +- name: ${CLUSTER_NAME} + cluster: + certificate-authority-data: ${CLUSTER_CA} + server: ${CLUSTER_SERVER} +users: +- name: ${CLUSTER_NAME} + user: + token: ${USER_TOKEN_VALUE} +EOF +``` + +- **Switch context to On-Premises control-plane cluster**. Create k8s secret (via any tool like [ESO](https://external-secrets.io/v0.4.4/), `kubectl`, etc ) containing runtime cluster's `KUBECONFG` created in previous step. + +```shell +NAMESPACE=codefresh +kubectl create secret generic dind-runtime-clusters --from-file=$CLUSTER_NAME=$CLUSTER_NAME-kubeconfig -n $NAMESPACE +``` + +- Mount secret containing runtime cluster's `KUBECONFG` into cf-api in On-Premises control-plane cluster + +> `values.yaml` for [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) helm chart +```yaml +cf-api: + ... + volumes: + dind-clusters: + enabled: true + type: secret + nameOverride: dind-runtime-clusters + optional: true +``` +> volumeMount `/etc/kubeconfig` is already configured in cf-api Helm chart template. No need to specify it. + +- Set the following values for Runner helm chart + +> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart + +`.Values.global.codefreshHost=...` \ +`.Values.global.codefreshToken=...` \ +`.Values.global.runtimeName=system/...` \ +`.Values.runtime.agent=false` \ +`.Values.runtime.inCluster=false` + +**Important!** +`.Values.global.name` ("system/" prefix is ignored!) should match the cluster name (key in `dind-runtime-clusters` secret created previously) +```yaml +global: + # -- URL of Codefresh On-Premises Platform + codefreshHost: "https://myonprem.somedomain.com" + # -- User token in plain text with Admin permission scope + codefreshToken: "" + # -- User token that references an existing secret containing API key. + codefreshTokenSecretKeyRef: {} + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Distinguished runtime name + # (for On-Premise only; mandatory!) Must be prefixed with "system/..." + name: "system/prod-ue1-some-cluster-name" + +# -- Set runtime parameters +runtime: + # -- (for On-Premise only; mandatory!) Disable agent + agent: false + # -- (for On-Premise only; optional) Set inCluster runtime (default: `true`) + # `inCluster=true` flag is set when Runtime and On-Premises control-plane are run on the same cluster + # `inCluster=false` flag is set when Runtime and On-Premises control-plane are on different clusters + inCluster: false + # -- (for On-Premise only; optional) Assign accounts to runtime (list of account ids; default is empty) + # Accounts can be assigned to the runtime in Codefresh UI later so you can kepp it empty. + accounts: [] + # -- (optional) Set parent runtime to inherit. + runtimeExtends: [] +``` + +- Install the chart + +```console +helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace cf-runtime +``` + +- Verify the runtime and run test pipeline + +Go to [https:///admin/runtime-environments/system](https:///admin/runtime-environments/system) to see the runtime. Assign it to the required account(s). + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + diff --git a/charts/codefresh/cf-runtime/6.4.3/files/cleanup-runtime.sh b/charts/codefresh/cf-runtime/6.4.3/files/cleanup-runtime.sh new file mode 100644 index 0000000000..c1fc5f3682 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/files/cleanup-runtime.sh @@ -0,0 +1,37 @@ +#!/bin/bash + +echo "-----" +echo "API_HOST: ${API_HOST}" +echo "AGENT_NAME: ${AGENT_NAME}" +echo "RUNTIME_NAME: ${RUNTIME_NAME}" +echo "AGENT: ${AGENT}" +echo "AGENT_SECRET_NAME: ${AGENT_SECRET_NAME}" +echo "DIND_SECRET_NAME: ${DIND_SECRET_NAME}" +echo "-----" + +auth() { + codefresh auth create-context --api-key ${API_TOKEN} --url ${API_HOST} +} + +remove_runtime() { + if [ "$AGENT" == "true" ]; then + codefresh delete re ${RUNTIME_NAME} || true + else + codefresh delete sys-re ${RUNTIME_NAME} || true + fi +} + +remove_agent() { + codefresh delete agent ${AGENT_NAME} || true +} + +remove_secrets() { + kubectl patch secret $(kubectl get secret -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge || true + kubectl delete secret $AGENT_SECRET_NAME || true + kubectl delete secret $DIND_SECRET_NAME || true +} + +auth +remove_runtime +remove_agent +remove_secrets \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/files/configure-dind-certs.sh b/charts/codefresh/cf-runtime/6.4.3/files/configure-dind-certs.sh new file mode 100644 index 0000000000..a1092eb1e6 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/files/configure-dind-certs.sh @@ -0,0 +1,132 @@ +#!/usr/bin/env bash +# + +#--- +fatal() { + echo "ERROR: $1" + exit 1 +} + +msg() { echo -e "\e[32mINFO ---> $1\e[0m"; } +err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; } + +exit_trap () { + local lc="$BASH_COMMAND" rc=$? + if [ $rc != 0 ]; then + if [[ -n "$SLEEP_ON_ERROR" ]]; then + echo -e "\nSLEEP_ON_ERROR is set - Sleeping to fix error" + sleep $SLEEP_ON_ERROR + fi + fi +} +trap exit_trap EXIT + +usage() { + echo "Usage: + $0 [-n | --namespace] [--server-cert-cn] [--server-cert-extra-sans] codefresh-api-host codefresh-api-token + +Example: + $0 -n workflow https://g.codefresh.io 21341234.423141234.412431234 + +" +} + +# Args +while [[ $1 =~ ^(-(n|h)|--(namespace|server-cert-cn|server-cert-extra-sans|help)) ]] +do + key=$1 + value=$2 + + case $key in + -h|--help) + usage + exit + ;; + -n|--namespace) + NAMESPACE="$value" + shift + ;; + --server-cert-cn) + SERVER_CERT_CN="$value" + shift + ;; + --server-cert-extra-sans) + SERVER_CERT_EXTRA_SANS="$value" + shift + ;; + esac + shift # past argument or value +done + +API_HOST=${1:-"$CF_API_HOST"} +API_TOKEN=${2:-"$CF_API_TOKEN"} + +[[ -z "$API_HOST" ]] && usage && fatal "Missing API_HOST" +[[ -z "$API_TOKEN" ]] && usage && fatal "Missing token" + + +API_SIGN_PATH=${API_SIGN_PATH:-"api/custom_clusters/signServerCerts"} + +NAMESPACE=${NAMESPACE:-default} +RELEASE=${RELEASE:-cf-runtime} + +DIR=$(dirname $0) +TMPDIR=/tmp/codefresh/ + +TMP_CERTS_FILE_ZIP=$TMPDIR/cf-certs.zip +TMP_CERTS_HEADERS_FILE=$TMPDIR/cf-certs-response-headers.txt +CERTS_DIR=$TMPDIR/ssl +SRV_TLS_CA_CERT=${CERTS_DIR}/ca.pem +SRV_TLS_KEY=${CERTS_DIR}/server-key.pem +SRV_TLS_CSR=${CERTS_DIR}/server-cert.csr +SRV_TLS_CERT=${CERTS_DIR}/server-cert.pem +CF_SRV_TLS_CERT=${CERTS_DIR}/cf-server-cert.pem +CF_SRV_TLS_CA_CERT=${CERTS_DIR}/cf-ca.pem +mkdir -p $TMPDIR $CERTS_DIR + +K8S_CERT_SECRET_NAME=codefresh-certs-server +echo -e "\n------------------\nGenerating server tls certificates ... " + +SERVER_CERT_CN=${SERVER_CERT_CN:-"docker.codefresh.io"} +SERVER_CERT_EXTRA_SANS="${SERVER_CERT_EXTRA_SANS}" +### + + openssl genrsa -out $SRV_TLS_KEY 4096 || fatal "Failed to generate openssl key " + openssl req -subj "/CN=${SERVER_CERT_CN}" -new -key $SRV_TLS_KEY -out $SRV_TLS_CSR || fatal "Failed to generate openssl csr " + GENERATE_CERTS=true + CSR=$(sed ':a;N;$!ba;s/\n/\\n/g' ${SRV_TLS_CSR}) + + SERVER_CERT_SANS="IP:127.0.0.1,DNS:dind,DNS:*.dind.${NAMESPACE},DNS:*.dind.${NAMESPACE}.svc${KUBE_DOMAIN},DNS:*.cf-cd.com,DNS:*.codefresh.io" + if [[ -n "${SERVER_CERT_EXTRA_SANS}" ]]; then + SERVER_CERT_SANS=${SERVER_CERT_SANS},${SERVER_CERT_EXTRA_SANS} + fi + echo "{\"reqSubjectAltName\": \"${SERVER_CERT_SANS}\", \"csr\": \"${CSR}\" }" > ${TMPDIR}/sign_req.json + + rm -fv ${TMP_CERTS_HEADERS_FILE} ${TMP_CERTS_FILE_ZIP} + + SIGN_STATUS=$(curl -k -sSL -d @${TMPDIR}/sign_req.json -H "Content-Type: application/json" -H "Authorization: ${API_TOKEN}" -H "Expect: " \ + -o ${TMP_CERTS_FILE_ZIP} -D ${TMP_CERTS_HEADERS_FILE} -w '%{http_code}' ${API_HOST}/${API_SIGN_PATH} ) + + echo "Sign request completed with HTTP_STATUS_CODE=$SIGN_STATUS" + if [[ $SIGN_STATUS != 200 ]]; then + echo "ERROR: Cannot sign certificates" + if [[ -f ${TMP_CERTS_FILE_ZIP} ]]; then + mv ${TMP_CERTS_FILE_ZIP} ${TMP_CERTS_FILE_ZIP}.error + cat ${TMP_CERTS_FILE_ZIP}.error + fi + exit 1 + fi + unzip -o -d ${CERTS_DIR}/ ${TMP_CERTS_FILE_ZIP} || fatal "Failed to unzip certificates to ${CERTS_DIR} " + cp -v ${CF_SRV_TLS_CA_CERT} $SRV_TLS_CA_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains ca.pem" + cp -v ${CF_SRV_TLS_CERT} $SRV_TLS_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains cf-server-cert.pem" + + +echo -e "\n------------------\nCreating certificate secret " + +kubectl -n $NAMESPACE create secret generic $K8S_CERT_SECRET_NAME \ + --from-file=$SRV_TLS_CA_CERT \ + --from-file=$SRV_TLS_KEY \ + --from-file=$SRV_TLS_CERT \ + --dry-run=client -o yaml | kubectl apply --overwrite -f - +kubectl -n $NAMESPACE label --overwrite secret ${K8S_CERT_SECRET_NAME} codefresh.io/internal=true +kubectl -n $NAMESPACE patch secret $K8S_CERT_SECRET_NAME -p '{"metadata": {"finalizers": ["kubernetes"]}}' diff --git a/charts/codefresh/cf-runtime/6.4.3/files/init-runtime.sh b/charts/codefresh/cf-runtime/6.4.3/files/init-runtime.sh new file mode 100644 index 0000000000..eb3488af11 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/files/init-runtime.sh @@ -0,0 +1,80 @@ +#!/bin/bash + +echo "-----" +echo "API_HOST: ${API_HOST}" +echo "AGENT_NAME: ${AGENT_NAME}" +echo "KUBE_CONTEXT: ${KUBE_CONTEXT}" +echo "KUBE_NAMESPACE: ${KUBE_NAMESPACE}" +echo "OWNER_NAME: ${OWNER_NAME}" +echo "RUNTIME_NAME: ${RUNTIME_NAME}" +echo "SECRET_NAME: ${SECRET_NAME}" +echo "-----" + +create_agent_secret() { + + kubectl apply -f - < $1\e[0m"; } +err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; } + + +if [ -z "${USER_CODEFRESH_TOKEN}" ]; then + err "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist" + exit 1 +fi + +codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST} + +while true; do + msg "Reconciling ${RUNTIME_NAME} runtime" + + sleep $RECONCILE_INTERVAL + + codefresh get re \ + --name ${RUNTIME_NAME} \ + -o yaml \ + | yq 'del(.version, .metadata.changedBy, .metadata.creationTime)' > /tmp/runtime.yaml + + kubectl get cm ${CONFIGMAP_NAME} -n ${KUBE_NAMESPACE} -o yaml \ + | yq 'del(.metadata.resourceVersion, .metadata.uid)' \ + | yq eval '.data["runtime.yaml"] = load_str("/tmp/runtime.yaml")' \ + | kubectl apply -f - +done diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_deployment.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_deployment.yaml new file mode 100644 index 0000000000..26f3576b77 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_deployment.yaml @@ -0,0 +1,70 @@ +{{- define "app-proxy.resources.deployment" -}} +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "app-proxy.fullname" . }} + labels: + {{- include "app-proxy.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicasCount }} + strategy: + type: {{ .Values.updateStrategy.type }} + selector: + matchLabels: + {{- include "app-proxy.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "app-proxy.selectorLabels" . | nindent 8 }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} + serviceAccountName: {{ include "app-proxy.serviceAccountName" . }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + containers: + - name: app-proxy + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} + imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} + env: + {{- include "app-proxy.environment-variables" . | nindent 8 }} + ports: + - name: http + containerPort: 3000 + readinessProbe: + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + httpGet: + path: /health + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + volumes: + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_env-vars.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_env-vars.yaml new file mode 100644 index 0000000000..c9b9a0e36a --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_env-vars.yaml @@ -0,0 +1,19 @@ +{{- define "app-proxy.environment-variables.defaults" }} +PORT: 3000 +{{- end }} + +{{- define "app-proxy.environment-variables.calculated" }} +CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} +{{- with .Values.ingress.pathPrefix }} +API_PATH_PREFIX: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "app-proxy.environment-variables" }} +{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{- $defaults := (include "app-proxy.environment-variables.defaults" . | fromYaml) }} +{{- $calculated := (include "app-proxy.environment-variables.calculated" . | fromYaml) }} +{{- $overrides := .Values.env }} +{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} +{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} +{{- end }} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_helpers.tpl b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_helpers.tpl new file mode 100644 index 0000000000..2d4272ca92 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_helpers.tpl @@ -0,0 +1,43 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "app-proxy.name" -}} + {{- printf "%s-%s" (include "cf-runtime.name" .) "app-proxy" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "app-proxy.fullname" -}} + {{- printf "%s-%s" (include "cf-runtime.fullname" .) "app-proxy" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "app-proxy.labels" -}} +{{ include "cf-runtime.labels" . }} +codefresh.io/application: app-proxy +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "app-proxy.selectorLabels" -}} +{{ include "cf-runtime.selectorLabels" . }} +codefresh.io/application: app-proxy +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "app-proxy.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "app-proxy.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_ingress.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_ingress.yaml new file mode 100644 index 0000000000..d7860b3638 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_ingress.yaml @@ -0,0 +1,32 @@ +{{- define "app-proxy.resources.ingress" -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "app-proxy.fullname" . }} + labels: {{- include "app-proxy.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.class (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.class }} + {{- end }} + {{- if .Values.ingress.tlsSecret }} + tls: + - hosts: + - {{ .Values.ingress.host }} + secretName: {{ .Values.tlsSecret }} + {{- end }} + rules: + - host: {{ .Values.ingress.host }} + http: + paths: + - path: {{ .Values.ingress.pathPrefix | default "/" }} + pathType: ImplementationSpecific + backend: + service: + name: {{ include "app-proxy.fullname" . }} + port: + number: 80 +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_rbac.yaml new file mode 100644 index 0000000000..87bd869ba0 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_rbac.yaml @@ -0,0 +1,47 @@ +{{- define "app-proxy.resources.rbac" -}} +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "app-proxy.serviceAccountName" . }} + labels: + {{- include "app-proxy.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "app-proxy.fullname" . }} + labels: + {{- include "app-proxy.labels" . | nindent 4 }} +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get" ] +{{- with .Values.rbac.rules }} + {{ toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "app-proxy.fullname" . }} + labels: + {{- include "app-proxy.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "app-proxy.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ include "app-proxy.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_service.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_service.yaml new file mode 100644 index 0000000000..4c3a93bf27 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/app-proxy/_service.yaml @@ -0,0 +1,17 @@ +{{- define "app-proxy.resources.service" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "app-proxy.fullname" . }} + labels: + {{- include "app-proxy.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 3000 + selector: + {{- include "app-proxy.selectorLabels" . | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_deployment.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_deployment.yaml new file mode 100644 index 0000000000..62588b4d3d --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_deployment.yaml @@ -0,0 +1,62 @@ +{{- define "event-exporter.resources.deployment" -}} +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "event-exporter.fullname" . }} + labels: + {{- include "event-exporter.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicasCount }} + strategy: + type: {{ .Values.updateStrategy.type }} + selector: + matchLabels: + {{- include "event-exporter.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "event-exporter.selectorLabels" . | nindent 8 }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} + serviceAccountName: {{ include "event-exporter.serviceAccountName" . }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + containers: + - name: event-exporter + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} + imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} + args: [--running-in-cluster=true] + env: + {{- include "event-exporter.environment-variables" . | nindent 8 }} + ports: + - name: metrics + containerPort: 9102 + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + volumes: + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_env-vars.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_env-vars.yaml new file mode 100644 index 0000000000..d28d0776f3 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_env-vars.yaml @@ -0,0 +1,14 @@ +{{- define "event-exporter.environment-variables.defaults" }} +{{- end }} + +{{- define "event-exporter.environment-variables.calculated" }} +{{- end }} + +{{- define "event-exporter.environment-variables" }} +{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{- $defaults := (include "event-exporter.environment-variables.defaults" . | fromYaml) }} +{{- $calculated := (include "event-exporter.environment-variables.calculated" . | fromYaml) }} +{{- $overrides := .Values.env }} +{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} +{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} +{{- end }} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_helpers.tpl b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_helpers.tpl new file mode 100644 index 0000000000..5b8b5eff7f --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_helpers.tpl @@ -0,0 +1,43 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "event-exporter.name" -}} + {{- printf "%s-%s" (include "cf-runtime.name" .) "event-exporter" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "event-exporter.fullname" -}} + {{- printf "%s-%s" (include "cf-runtime.fullname" .) "event-exporter" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "event-exporter.labels" -}} +{{ include "cf-runtime.labels" . }} +app: event-exporter +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "event-exporter.selectorLabels" -}} +{{ include "cf-runtime.selectorLabels" . }} +app: event-exporter +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "event-exporter.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "event-exporter.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_rbac.yaml new file mode 100644 index 0000000000..69d7b6b2fb --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_rbac.yaml @@ -0,0 +1,47 @@ +{{- define "event-exporter.resources.rbac" -}} +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "event-exporter.serviceAccountName" . }} + labels: + {{- include "event-exporter.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "event-exporter.fullname" . }} + labels: + {{- include "event-exporter.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +{{- with .Values.rbac.rules }} + {{ toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "event-exporter.fullname" . }} + labels: + {{- include "event-exporter.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "event-exporter.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "event-exporter.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_service.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_service.yaml new file mode 100644 index 0000000000..6fa29ec1a0 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_service.yaml @@ -0,0 +1,17 @@ +{{- define "event-exporter.resources.service" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "event-exporter.fullname" . }} + labels: + {{- include "event-exporter.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - name: metrics + port: 9102 + targetPort: metrics + protocol: TCP + selector: + {{- include "event-exporter.selectorLabels" . | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_serviceMontor.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_serviceMontor.yaml new file mode 100644 index 0000000000..6092443f0a --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/event-exporter/_serviceMontor.yaml @@ -0,0 +1,14 @@ +{{- define "event-exporter.resources.serviceMonitor" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "event-exporter.fullname" . }} + labels: + {{- include "event-exporter.labels" . | nindent 4 }} +spec: + endpoints: + - port: metrics + selector: + matchLabels: + {{- include "event-exporter.selectorLabels" . | nindent 6 }} +{{- end -}} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_deployment.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_deployment.yaml new file mode 100644 index 0000000000..7efa6557b1 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_deployment.yaml @@ -0,0 +1,70 @@ +{{- define "monitor.resources.deployment" -}} +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "monitor.fullname" . }} + labels: + {{- include "monitor.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicasCount }} + strategy: + type: {{ .Values.updateStrategy.type }} + selector: + matchLabels: + {{- include "monitor.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "monitor.selectorLabels" . | nindent 8 }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} + serviceAccountName: {{ include "monitor.serviceAccountName" . }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + containers: + - name: monitor + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} + imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} + env: + {{- include "monitor.environment-variables" . | nindent 8 }} + ports: + - name: http + containerPort: 9020 + readinessProbe: + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + httpGet: + path: /api/ping + port: 9020 + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + volumes: + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_env-vars.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_env-vars.yaml new file mode 100644 index 0000000000..f58c7fa250 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_env-vars.yaml @@ -0,0 +1,26 @@ +{{- define "monitor.environment-variables.defaults" }} +SERVICE_NAME: {{ include "monitor.fullname" . }} +PORT: 9020 +HELM3: true +NODE_OPTIONS: "--max_old_space_size=4096" +{{- end }} + +{{- define "monitor.environment-variables.calculated" }} +API_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }} +CLUSTER_ID: {{ include "runtime.runtime-environment-spec.context-name" . }} +API_URL: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}/api/k8s-monitor/events +ACCOUNT_ID: {{ .Values.global.accountId }} +NAMESPACE: {{ .Release.Namespace }} +{{- if .Values.rbac.namespaced }} +ROLE_BINDING: true +{{- end }} +{{- end }} + +{{- define "monitor.environment-variables" }} +{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{- $defaults := (include "monitor.environment-variables.defaults" . | fromYaml) }} +{{- $calculated := (include "monitor.environment-variables.calculated" . | fromYaml) }} +{{- $overrides := .Values.env }} +{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} +{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} +{{- end }} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_helpers.tpl b/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_helpers.tpl new file mode 100644 index 0000000000..71cc1c027d --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_helpers.tpl @@ -0,0 +1,42 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "monitor.name" -}} + {{- printf "%s-%s" (include "cf-runtime.name" .) "monitor" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "monitor.fullname" -}} + {{- printf "%s-%s" (include "cf-runtime.fullname" .) "monitor" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "monitor.labels" -}} +{{ include "cf-runtime.labels" . }} +codefresh.io/application: monitor +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "monitor.selectorLabels" -}} +{{ include "cf-runtime.selectorLabels" . }} +codefresh.io/application: monitor +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "monitor.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "monitor.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_rbac.yaml new file mode 100644 index 0000000000..88204796ae --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_rbac.yaml @@ -0,0 +1,56 @@ +{{- define "monitor.resources.rbac" -}} +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "monitor.serviceAccountName" . }} + labels: + {{- include "monitor.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "monitor.fullname" . }} + labels: + {{- include "monitor.labels" . | nindent 4 }} +rules: + - apiGroups: [ "" ] + resources: [ "*" ] + verbs: [ "get", "list", "watch", "create", "delete" ] + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ "get", "list", "watch", "create", "deletecollection" ] + - apiGroups: [ "extensions" ] + resources: [ "*" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "apps" ] + resources: [ "*" ] + verbs: [ "get", "list", "watch" ] +{{- with .Values.rbac.rules }} + {{ toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "monitor.fullname" . }} + labels: + {{- include "monitor.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "monitor.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }} + name: {{ include "monitor.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_service.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_service.yaml new file mode 100644 index 0000000000..f6ae9bb0f7 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/monitor/_service.yaml @@ -0,0 +1,17 @@ +{{- define "monitor.resources.service" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "monitor.fullname" . }} + labels: + {{- include "monitor.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9020 + selector: + {{- include "monitor.selectorLabels" . | nindent 4 }} +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_deployment.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_deployment.yaml new file mode 100644 index 0000000000..e1fb9439ab --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_deployment.yaml @@ -0,0 +1,103 @@ +{{- define "runner.resources.deployment" -}} +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "runner.fullname" . }} + labels: + {{- include "runner.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicasCount }} + strategy: + type: {{ .Values.updateStrategy.type }} + selector: + matchLabels: + {{- include "runner.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "runner.selectorLabels" . | nindent 8 }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} + serviceAccountName: {{ include "runner.serviceAccountName" . }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + initContainers: + - name: init + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.init.image "context" .) }} + imagePullPolicy: {{ .Values.init.image.pullPolicy | default "IfNotPresent" }} + command: + - /bin/bash + args: + - -ec + - | {{ .Files.Get "files/init-runtime.sh" | nindent 10 }} + env: + {{- include "runner-init.environment-variables" . | nindent 8 }} + {{- with .Values.init.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + containers: + - name: runner + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} + imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }} + env: + {{- include "runner.environment-variables" . | nindent 8 }} + ports: + - name: http + containerPort: 8080 + readinessProbe: + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + httpGet: + path: /health + port: http + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.extraVolumeMounts }} + volumeMounts: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.sidecar.enabled }} + - name: reconcile-runtime + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.sidecar.image "context" .) }} + imagePullPolicy: {{ .Values.sidecar.image.pullPolicy | default "IfNotPresent" }} + command: + - /bin/bash + args: + - -ec + - | {{ .Files.Get "files/reconcile-runtime.sh" | nindent 10 }} + env: + {{- include "runner-sidecar.environment-variables" . | nindent 8 }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.extraVolumes }} + volumes: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_helpers.tpl b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_helpers.tpl new file mode 100644 index 0000000000..2608cb67ee --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_helpers.tpl @@ -0,0 +1,42 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "runner.name" -}} + {{- printf "%s-%s" (include "cf-runtime.name" .) "runner" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "runner.fullname" -}} + {{- printf "%s-%s" (include "cf-runtime.fullname" .) "runner" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "runner.labels" -}} +{{ include "cf-runtime.labels" . }} +codefresh.io/application: runner +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "runner.selectorLabels" -}} +{{ include "cf-runtime.selectorLabels" . }} +codefresh.io/application: runner +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "runner.serviceAccountName" -}} + {{- if .Values.serviceAccount.create }} + {{- default (include "runner.fullname" .) .Values.serviceAccount.name }} + {{- else }} + {{- default "default" .Values.serviceAccount.name }} + {{- end }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_rbac.yaml new file mode 100644 index 0000000000..d95b958d54 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/_rbac.yaml @@ -0,0 +1,53 @@ +{{- define "runner.resources.rbac" -}} +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "runner.serviceAccountName" . }} + labels: + {{- include "runner.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "runner.fullname" . }} + labels: + {{- include "runner.labels" . | nindent 4 }} +rules: + - apiGroups: [ "" ] + resources: [ "pods", "persistentvolumeclaims" ] + verbs: [ "get", "create", "delete", patch ] + - apiGroups: [ "" ] + resources: [ "configmaps", "secrets" ] + verbs: [ "get", "create", "update", patch ] + - apiGroups: [ "apps" ] + resources: [ "deployments" ] + verbs: [ "get" ] +{{- with .Values.rbac.rules }} + {{ toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "runner.fullname" . }} + labels: + {{- include "runner.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "runner.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ include "runner.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_init-container.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_init-container.yaml new file mode 100644 index 0000000000..6dda110f78 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_init-container.yaml @@ -0,0 +1,30 @@ +{{- define "runner-init.environment-variables.defaults" }} +HOME: /tmp +{{- end }} + +{{- define "runner-init.environment-variables.calculated" }} +AGENT_NAME: {{ include "runtime.runtime-environment-spec.agent-name" . }} +API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} +AGENT_CODEFRESH_TOKEN: + valueFrom: + secretKeyRef: + name: {{ include "runner.fullname" . }} + key: agent-codefresh-token + optional: true +EXISTING_AGENT_CODEFRESH_TOKEN: {{ include "runtime.agent-token-env-var-value" . | nindent 2 }} +KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }} +KUBE_NAMESPACE: {{ .Release.Namespace }} +OWNER_NAME: {{ include "runner.fullname" . }} +RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }} +SECRET_NAME: {{ include "runner.fullname" . }} +USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }} +{{- end }} + +{{- define "runner-init.environment-variables" }} + {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} + {{- $defaults := (include "runner-init.environment-variables.defaults" . | fromYaml) }} + {{- $calculated := (include "runner-init.environment-variables.calculated" . | fromYaml) }} + {{- $overrides := .Values.env }} + {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} + {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_main-container.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_main-container.yaml new file mode 100644 index 0000000000..4d3f0304e2 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_main-container.yaml @@ -0,0 +1,28 @@ +{{- define "runner.environment-variables.defaults" }} +AGENT_MODE: InCluster +SELF_DEPLOYMENT_NAME: + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- end }} + +{{- define "runner.environment-variables.calculated" }} +AGENT_ID: {{ include "runtime.runtime-environment-spec.agent-name" . }} +CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} +CODEFRESH_IN_CLUSTER_RUNTIME: {{ include "runtime.runtime-environment-spec.runtime-name" . }} +CODEFRESH_TOKEN: + valueFrom: + secretKeyRef: + name: {{ include "runner.fullname" . }} + key: agent-codefresh-token +DOCKER_REGISTRY: {{ .Values.global.imageRegistry }} +{{- end }} + +{{- define "runner.environment-variables" }} +{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{- $defaults := (include "runner.environment-variables.defaults" . | fromYaml) }} +{{- $calculated := (include "runner.environment-variables.calculated" . | fromYaml) }} +{{- $overrides := .Values.env }} +{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} +{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_sidecar-container.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_sidecar-container.yaml new file mode 100644 index 0000000000..3adcbe5d49 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/runner/environment-variables/_sidecar-container.yaml @@ -0,0 +1,22 @@ +{{- define "runner-sidecar.environment-variables.defaults" }} +HOME: /tmp +{{- end }} + +{{- define "runner-sidecar.environment-variables.calculated" }} +API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} +USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }} +KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }} +KUBE_NAMESPACE: {{ .Release.Namespace }} +OWNER_NAME: {{ include "runner.fullname" . }} +RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }} +CONFIGMAP_NAME: {{ printf "%s-%s" (include "runtime.fullname" .) "spec" }} +{{- end }} + +{{- define "runner-sidecar.environment-variables" }} + {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} + {{- $defaults := (include "runner-sidecar.environment-variables.defaults" . | fromYaml) }} + {{- $calculated := (include "runner-sidecar.environment-variables.calculated" . | fromYaml) }} + {{- $overrides := .Values.sidecar.env }} + {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} + {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_cronjob.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_cronjob.yaml new file mode 100644 index 0000000000..20bd2d56e1 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_cronjob.yaml @@ -0,0 +1,58 @@ +{{- define "dind-volume-provisioner.resources.cronjob" -}} +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{- if not (eq .Values.storage.backend "local") }} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ include "dind-volume-cleanup.fullname" . }} + labels: + {{- include "dind-volume-cleanup.labels" . | nindent 4 }} +spec: + concurrencyPolicy: {{ .Values.concurrencyPolicy }} + schedule: {{ .Values.schedule | quote }} + successfulJobsHistoryLimit: {{ .Values.successfulJobsHistory }} + failedJobsHistoryLimit: {{ .Values.failedJobsHistory }} + {{- with .Values.suspend }} + suspend: {{ . }} + {{- end }} + jobTemplate: + spec: + template: + metadata: + labels: + {{- include "dind-volume-cleanup.selectorLabels" . | nindent 12 }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 12 }} + {{- end }} + spec: + {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 10 }} + serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + restartPolicy: {{ .Values.restartPolicy | default "Never" }} + containers: + - name: dind-volume-cleanup + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} + imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} + env: + {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 12 }} + - name: PROVISIONED_BY + value: {{ include "dind-volume-provisioner.volumeProvisionerName" . }} + resources: + {{- toYaml .Values.resources | nindent 14 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_daemonset.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_daemonset.yaml new file mode 100644 index 0000000000..cb463231d2 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_daemonset.yaml @@ -0,0 +1,98 @@ +{{- define "dind-volume-provisioner.resources.daemonset" -}} +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{ $localVolumeParentDir := .Values.storage.local.volumeParentDir }} +{{- if eq .Values.storage.backend "local" }} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "dind-lv-monitor.fullname" . }} + labels: + {{- include "dind-lv-monitor.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "dind-lv-monitor.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "dind-lv-monitor.selectorLabels" . | nindent 8 }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} + serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.volumePermissions.enabled }} + initContainers: + - name: volume-permissions + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.volumePermissions.image "context" .) }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | default "Always" }} + command: + - /bin/sh + args: + - -ec + - | + chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }} + volumeMounts: + - mountPath: {{ $localVolumeParentDir }} + name: dind-volume-dir + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 10 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.volumePermissions.resources | nindent 10 }} + {{- end }} + containers: + - name: dind-lv-monitor + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} + imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - /home/dind-volume-utils/bin/local-volumes-agent + env: + {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 10 }} + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: VOLUME_PARENT_DIR + value: {{ $localVolumeParentDir }} + resources: + {{- toYaml .Values.resources | nindent 10 }} + volumeMounts: + - mountPath: {{ $localVolumeParentDir }} + readOnly: false + name: dind-volume-dir + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + volumes: + - name: dind-volume-dir + hostPath: + path: {{ $localVolumeParentDir }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_deployment.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_deployment.yaml new file mode 100644 index 0000000000..9252b45200 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_deployment.yaml @@ -0,0 +1,67 @@ +{{- define "dind-volume-provisioner.resources.deployment" -}} +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "dind-volume-provisioner.fullname" . }} + labels: + {{- include "dind-volume-provisioner.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicasCount }} + strategy: + type: {{ .Values.updateStrategy.type }} + selector: + matchLabels: + {{- include "dind-volume-provisioner.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "dind-volume-provisioner.selectorLabels" . | nindent 8 }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} + serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + containers: + - name: dind-volume-provisioner + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} + imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} + command: + - /usr/local/bin/dind-volume-provisioner + - -v=4 + - --resync-period=50s + env: + {{- include "dind-volume-provisioner.environment-variables" . | nindent 8 }} + ports: + - name: http + containerPort: 8080 + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + {{- include "dind-volume-provisioner.volumeMounts.calculated" . | nindent 8 }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + volumes: + {{- include "dind-volume-provisioner.volumes.calculated" . | nindent 6 }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_env-vars.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_env-vars.yaml new file mode 100644 index 0000000000..e1f5dfe603 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_env-vars.yaml @@ -0,0 +1,88 @@ +{{- define "dind-volume-provisioner.environment-variables.defaults" }} +{{- end }} + +{{- define "dind-volume-provisioner.environment-variables.calculated" }} +DOCKER_REGISTRY: {{ .Values.global.imageRegistry }} +PROVISIONER_NAME: {{ include "dind-volume-provisioner.volumeProvisionerName" . }} + +{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.accessKeyIdSecretKeyRef }} +AWS_ACCESS_KEY_ID: + {{- if .Values.storage.ebs.accessKeyId }} + valueFrom: + secretKeyRef: + name: {{ include "dind-volume-provisioner.fullname" . }} + key: aws_access_key_id + {{- else if .Values.storage.ebs.accessKeyIdSecretKeyRef }} + valueFrom: + secretKeyRef: + {{- .Values.storage.ebs.accessKeyIdSecretKeyRef | toYaml | nindent 6 }} + {{- end }} +{{- end }} + +{{- if or .Values.storage.ebs.secretAccessKey .Values.storage.ebs.secretAccessKeySecretKeyRef }} +AWS_SECRET_ACCESS_KEY: + {{- if .Values.storage.ebs.secretAccessKey }} + valueFrom: + secretKeyRef: + name: {{ include "dind-volume-provisioner.fullname" . }} + key: aws_secret_access_key + {{- else if .Values.storage.ebs.secretAccessKeySecretKeyRef }} + valueFrom: + secretKeyRef: + {{- .Values.storage.ebs.secretAccessKeySecretKeyRef | toYaml | nindent 6 }} + {{- end }} +{{- end }} + +{{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }} +GOOGLE_APPLICATION_CREDENTIALS: {{ printf "/etc/dind-volume-provisioner/credentials/%s" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key | default "google-service-account.json") }} +{{- end }} + +{{- if and .Values.storage.mountAzureJson }} +AZURE_CREDENTIAL_FILE: /etc/kubernetes/azure.json +CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json +{{- end }} + +{{- end }} + +{{- define "dind-volume-provisioner.environment-variables" }} +{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{- $defaults := (include "dind-volume-provisioner.environment-variables.defaults" . | fromYaml) }} +{{- $calculated := (include "dind-volume-provisioner.environment-variables.calculated" . | fromYaml) }} +{{- $overrides := .Values.env }} +{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} +{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} +{{- end }} + + +{{- define "dind-volume-provisioner.volumes.calculated" }} + {{- if .Values.storage.gcedisk.serviceAccountJson }} +- name: credentials + secret: + secretName: {{ include "dind-volume-provisioner.fullname" . }} + optional: true + {{- else if .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }} +- name: credentials + secret: + secretName: {{ .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.name }} + optional: true + {{- end }} + {{- if .Values.storage.mountAzureJson }} +- name: azure-json + hostPath: + path: /etc/kubernetes/azure.json + type: File + {{- end }} +{{- end }} + +{{- define "dind-volume-provisioner.volumeMounts.calculated" }} + {{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }} +- name: credentials + readOnly: true + mountPath: "/etc/dind-volume-provisioner/credentials" + {{- end }} + {{- if .Values.storage.mountAzureJson }} +- name: azure-json + readOnly: true + mountPath: "/etc/kubernetes/azure.json" + {{- end }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_helpers.tpl b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_helpers.tpl new file mode 100644 index 0000000000..e3d3a0d3f7 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_helpers.tpl @@ -0,0 +1,93 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "dind-volume-provisioner.name" -}} + {{- printf "%s-%s" (include "cf-runtime.name" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dind-volume-provisioner.fullname" -}} + {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "dind-volume-cleanup.fullname" -}} + {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-cleanup" | trunc 52 | trimSuffix "-" }} +{{- end }} + +{{- define "dind-lv-monitor.fullname" -}} + {{- printf "%s-%s" (include "cf-runtime.fullname" .) "lv-monitor" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Provisioner name for storage class +*/}} +{{- define "dind-volume-provisioner.volumeProvisionerName" }} + {{- printf "codefresh.io/dind-volume-provisioner-runner-%s" .Release.Namespace }} +{{- end }} + +{{/* +Common labels for dind-lv-monitor +*/}} +{{- define "dind-lv-monitor.labels" -}} +{{ include "cf-runtime.labels" . }} +codefresh.io/application: lv-monitor +{{- end }} + +{{/* +Selector labels for dind-lv-monitor +*/}} +{{- define "dind-lv-monitor.selectorLabels" -}} +{{ include "cf-runtime.selectorLabels" . }} +codefresh.io/application: lv-monitor +{{- end }} + +{{/* +Common labels for dind-volume-provisioner +*/}} +{{- define "dind-volume-provisioner.labels" -}} +{{ include "cf-runtime.labels" . }} +codefresh.io/application: volume-provisioner +{{- end }} + +{{/* +Selector labels for dind-volume-provisioner +*/}} +{{- define "dind-volume-provisioner.selectorLabels" -}} +{{ include "cf-runtime.selectorLabels" . }} +codefresh.io/application: volume-provisioner +{{- end }} + +{{/* +Common labels for dind-volume-cleanup +*/}} +{{- define "dind-volume-cleanup.labels" -}} +{{ include "cf-runtime.labels" . }} +codefresh.io/application: pv-cleanup +{{- end }} + +{{/* +Common labels for dind-volume-cleanup +*/}} +{{- define "dind-volume-cleanup.selectorLabels" -}} +{{ include "cf-runtime.selectorLabels" . }} +codefresh.io/application: pv-cleanup +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "dind-volume-provisioner.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "dind-volume-provisioner.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "dind-volume-provisioner.storageClassName" }} +{{- printf "dind-local-volumes-runner-%s" .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_rbac.yaml new file mode 100644 index 0000000000..fbcbc684fc --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_rbac.yaml @@ -0,0 +1,71 @@ +{{- define "dind-volume-provisioner.resources.rbac" -}} +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "dind-volume-provisioner.serviceAccountName" . }} + labels: + {{- include "dind-volume-provisioner.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "dind-volume-provisioner.fullname" . }} + labels: + {{- include "dind-volume-provisioner.labels" . | nindent 4 }} +rules: + - apiGroups: [ "" ] + resources: [ "persistentvolumes" ] + verbs: [ "get", "list", "watch", "create", "delete", "patch" ] + - apiGroups: [ "" ] + resources: [ "persistentvolumeclaims" ] + verbs: [ "get", "list", "watch", "update", "delete" ] + - apiGroups: [ "storage.k8s.io" ] + resources: [ "storageclasses" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "" ] + resources: [ "events" ] + verbs: [ "list", "watch", "create", "update", "patch" ] + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get", "list" ] + - apiGroups: [ "" ] + resources: [ "nodes" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ "get", "list", "watch", "create", "delete", "patch" ] + - apiGroups: [ "" ] + resources: [ "endpoints" ] + verbs: [ "get", "list", "watch", "create", "update", "delete" ] + - apiGroups: [ "coordination.k8s.io" ] + resources: [ "leases" ] + verbs: [ "get", "create", "update" ] +{{- with .Values.rbac.rules }} + {{ toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "dind-volume-provisioner.fullname" . }} + labels: + {{- include "dind-volume-provisioner.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "dind-volume-provisioner.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "dind-volume-provisioner.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_secret.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_secret.yaml new file mode 100644 index 0000000000..f361a79910 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_secret.yaml @@ -0,0 +1,22 @@ +{{- define "dind-volume-provisioner.resources.secret" -}} +{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.secretAccessKey .Values.storage.gcedisk.serviceAccountJson }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ include "dind-volume-provisioner.fullname" . }} + labels: + {{- include "dind-volume-provisioner.labels" . | nindent 4 }} +stringData: + {{- with .Values.storage.gcedisk.serviceAccountJson }} + google-service-account.json: | +{{- . | nindent 4 }} + {{- end }} + {{- with .Values.storage.ebs.accessKeyId }} + aws_access_key_id: {{ . }} + {{- end }} + {{- with .Values.storage.ebs.secretAccessKey }} + aws_secret_access_key: {{ . }} + {{- end }} +{{- end }} +{{- end -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_storageclass.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_storageclass.yaml new file mode 100644 index 0000000000..62e910c87e --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_components/volume-provisioner/_storageclass.yaml @@ -0,0 +1,47 @@ +{{- define "dind-volume-provisioner.resources.storageclass" -}} +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + {{/* has to be exactly that */}} + name: {{ include "dind-volume-provisioner.storageClassName" . }} + labels: + {{- include "dind-volume-provisioner.labels" . | nindent 4 }} +provisioner: {{ include "dind-volume-provisioner.volumeProvisionerName" . }} +parameters: +{{- if eq .Values.storage.backend "local" }} + volumeBackend: local + volumeParentDir: {{ .Values.storage.local.volumeParentDir }} +{{- else if eq .Values.storage.backend "gcedisk" }} + volumeBackend: {{ .Values.storage.backend }} + type: {{ .Values.storage.gcedisk.volumeType | default "pd-ssd" }} + zone: {{ required ".Values.storage.gcedisk.availabilityZone is required" .Values.storage.gcedisk.availabilityZone }} + fsType: {{ .Values.storage.fsType | default "ext4" }} +{{- else if or (eq .Values.storage.backend "ebs") (eq .Values.storage.backend "ebs-csi")}} + volumeBackend: {{ .Values.storage.backend }} + VolumeType: {{ .Values.storage.ebs.volumeType | default "gp3" }} + AvailabilityZone: {{ required ".Values.storage.ebs.availabilityZone is required" .Values.storage.ebs.availabilityZone }} + fsType: {{ .Values.storage.fsType | default "ext4" }} + encrypted: {{ .Values.storage.ebs.encrypted | default "false" | quote }} + {{- with .Values.storage.ebs.kmsKeyId }} + kmsKeyId: {{ . | quote }} + {{- end }} + {{- with .Values.storage.ebs.iops }} + iops: {{ . | quote }} + {{- end }} + {{- with .Values.storage.ebs.throughput }} + throughput: {{ . | quote }} + {{- end }} +{{- else if or (eq .Values.storage.backend "azuredisk") (eq .Values.storage.backend "azuredisk-csi")}} + volumeBackend: {{ .Values.storage.backend }} + kind: managed + skuName: {{ .Values.storage.azuredisk.skuName | default "Premium_LRS" }} + fsType: {{ .Values.storage.fsType | default "ext4" }} + cachingMode: {{ .Values.storage.azuredisk.cachingMode | default "None" }} + {{- with .Values.storage.azuredisk.availabilityZone }} + availabilityZone: {{ . | quote }} + {{- end }} + {{- with .Values.storage.azuredisk.resourceGroup }} + resourceGroup: {{ . | quote }} + {{- end }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/_helpers.tpl b/charts/codefresh/cf-runtime/6.4.3/templates/_helpers.tpl new file mode 100644 index 0000000000..72f44e36af --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/_helpers.tpl @@ -0,0 +1,51 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "cf-runtime.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cf-runtime.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cf-runtime.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "cf-runtime.labels" -}} +helm.sh/chart: {{ include "cf-runtime.chart" . }} +{{ include "cf-runtime.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "cf-runtime.selectorLabels" -}} +app.kubernetes.io/name: {{ include "cf-runtime.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/deployment.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/deployment.yaml new file mode 100644 index 0000000000..90341b3059 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/deployment.yaml @@ -0,0 +1,9 @@ +{{- $appProxyContext := deepCopy . }} +{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }} +{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }} +{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $appProxyContext.Values.enabled }} +{{- include "app-proxy.resources.deployment" $appProxyContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/ingress.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/ingress.yaml new file mode 100644 index 0000000000..56ab5e95ea --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/ingress.yaml @@ -0,0 +1,9 @@ +{{- $appProxyContext := deepCopy . }} +{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }} +{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }} +{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $appProxyContext.Values.enabled }} +{{- include "app-proxy.resources.ingress" $appProxyContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/rbac.yaml new file mode 100644 index 0000000000..4db87dcb45 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/rbac.yaml @@ -0,0 +1,9 @@ +{{- $appProxyContext := deepCopy . }} +{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }} +{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }} +{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $appProxyContext.Values.enabled }} +{{- include "app-proxy.resources.rbac" $appProxyContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/service.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/service.yaml new file mode 100644 index 0000000000..0b9d85ec0d --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/app-proxy/service.yaml @@ -0,0 +1,9 @@ +{{- $appProxyContext := deepCopy . }} +{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }} +{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }} +{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $appProxyContext.Values.enabled }} +{{- include "app-proxy.resources.service" $appProxyContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/deployment.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/deployment.yaml new file mode 100644 index 0000000000..4942882407 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/deployment.yaml @@ -0,0 +1,9 @@ +{{- $eventExporterContext := deepCopy . }} +{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }} +{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }} +{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if and $eventExporterContext.Values.enabled }} +{{- include "event-exporter.resources.deployment" $eventExporterContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/rbac.yaml new file mode 100644 index 0000000000..6a9bf5c65a --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/rbac.yaml @@ -0,0 +1,9 @@ +{{- $eventExporterContext := deepCopy . }} +{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }} +{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }} +{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if and $eventExporterContext.Values.enabled }} +{{- include "event-exporter.resources.rbac" $eventExporterContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/service.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/service.yaml new file mode 100644 index 0000000000..c5d856dfe3 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/event-exporter/service.yaml @@ -0,0 +1,11 @@ +{{- $eventExporterContext := deepCopy . }} +{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }} +{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }} +{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $eventExporterContext.Values.enabled }} +{{- include "event-exporter.resources.service" $eventExporterContext }} +--- +{{- include "event-exporter.resources.serviceMonitor" $eventExporterContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/extra/extra-resources.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/extra/extra-resources.yaml new file mode 100644 index 0000000000..1a9777c649 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/extra/extra-resources.yaml @@ -0,0 +1,6 @@ +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} + +{{- range .Values.extraResources }} +--- +{{ include (printf "%s.tplrender" $cfCommonTplSemver) (dict "Values" . "context" $) }} +{{- end }} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/extra/runtime-images-cm.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/extra/runtime-images-cm.yaml new file mode 100644 index 0000000000..f269c84b2b --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/extra/runtime-images-cm.yaml @@ -0,0 +1,19 @@ +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{ $values := .Values.runtime.engine.runtimeImages }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + {{- /* dummy template just to list runtime images */}} + name: {{ include "runtime.fullname" . }}-images + labels: + {{- include "runtime.labels" . | nindent 4 }} + annotations: + {{- with $values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +data: + images: | + {{- range $key, $val := $values }} + image: {{ $val }} + {{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/cm-update-runtime.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/cm-update-runtime.yaml new file mode 100644 index 0000000000..46a306c560 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/cm-update-runtime.yaml @@ -0,0 +1,18 @@ +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{ $values := .Values.runtime.patch }} +{{- if $values.enabled }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ include "runtime.fullname" . }}-spec + labels: + {{- include "runtime.labels" . | nindent 4 }} + annotations: + {{- with $values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +data: + runtime.yaml: | + {{ include "runtime.runtime-environment-spec.template" . | nindent 4 | trim }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/job-gencerts-dind.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/job-gencerts-dind.yaml new file mode 100644 index 0000000000..4a08a229c8 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/job-gencerts-dind.yaml @@ -0,0 +1,68 @@ +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{ $values := .Values.runtime.gencerts }} +{{- if and $values.enabled }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "runtime.fullname" . }}-gencerts-dind + labels: + {{- include "runtime.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-weight: "3" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + {{- with $values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with $values.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ . }} + {{- end }} + {{- with $values.backoffLimit }} + backoffLimit: {{ . | int }} + {{- end }} + template: + metadata: + name: {{ include "runtime.fullname" . }}-gencerts-dind + labels: + {{- include "runtime.labels" . | nindent 8 }} + spec: + {{- if $values.rbac.enabled }} + serviceAccountName: {{ template "runtime.fullname" . }}-gencerts-dind + {{- end }} + securityContext: + {{- toYaml $values.podSecurityContext | nindent 8 }} + containers: + - name: gencerts-dind + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }} + imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }} + command: + - "/bin/bash" + args: + - -ec + - | {{ .Files.Get "files/configure-dind-certs.sh" | nindent 10 }} + env: + - name: NAMESPACE + value: {{ .Release.Namespace }} + - name: RELEASE + value: {{ .Release.Name }} + - name: CF_API_HOST + value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} + - name: CF_API_TOKEN + {{- include "runtime.installation-token-env-var-value" . | indent 10}} + {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }} + {{- with $values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $values.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + restartPolicy: OnFailure +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/job-update-runtime.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/job-update-runtime.yaml new file mode 100644 index 0000000000..955e882d77 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/job-update-runtime.yaml @@ -0,0 +1,77 @@ +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{ $values := .Values.runtime.patch }} +{{- if $values.enabled }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "runtime.fullname" . }}-patch + labels: + {{- include "runtime.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-weight: "5" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + {{- with $values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with $values.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ . }} + {{- end }} + {{- with $values.backoffLimit }} + backoffLimit: {{ . | int }} + {{- end }} + template: + metadata: + name: {{ include "runtime.fullname" . }}-patch + labels: + {{- include "runtime.labels" . | nindent 8 }} + spec: + securityContext: + {{- toYaml $values.podSecurityContext | nindent 8 }} + containers: + - name: patch-runtime + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }} + imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }} + command: + - "/bin/bash" + args: + - -ec + - | + codefresh auth create-context --api-key $API_KEY --url $API_HOST + cat /usr/share/extras/runtime.yaml + codefresh get re +{{- if .Values.runtime.agent }} + codefresh patch re -f /usr/share/extras/runtime.yaml +{{- else }} + codefresh patch sys-re -f /usr/share/extras/runtime.yaml +{{- end }} + env: + - name: API_KEY + {{- include "runtime.installation-token-env-var-value" . | indent 10}} + - name: API_HOST + value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} + {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }} + volumeMounts: + - name: config + mountPath: /usr/share/extras/runtime.yaml + subPath: runtime.yaml + {{- with $values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $values.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + restartPolicy: OnFailure + volumes: + - name: config + configMap: + name: {{ include "runtime.fullname" . }}-spec +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/rbac-gencerts-dind.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/rbac-gencerts-dind.yaml new file mode 100644 index 0000000000..4907dac380 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/post-install/rbac-gencerts-dind.yaml @@ -0,0 +1,37 @@ +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{ $values := .Values.runtime.gencerts }} +{{- if and $values.enabled }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "runtime.fullname" . }}-gencerts-dind + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "runtime.fullname" . }}-gencerts-dind + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "runtime.fullname" . }}-gencerts-dind + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "runtime.fullname" . }}-gencerts-dind +subjects: + - kind: ServiceAccount + name: {{ include "runtime.fullname" . }}-gencerts-dind + namespace: {{ .Release.Namespace }} +{{ end }} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/hooks/pre-delete/job-cleanup-resources.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/pre-delete/job-cleanup-resources.yaml new file mode 100644 index 0000000000..0e3c7659f1 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/pre-delete/job-cleanup-resources.yaml @@ -0,0 +1,73 @@ +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{ $values := .Values.runtime.patch }} +{{- if and $values.enabled }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "runtime.fullname" . }}-cleanup + labels: + {{- include "runtime.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-delete + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation + {{- with $values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with $values.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ . }} + {{- end }} + {{- with $values.backoffLimit }} + backoffLimit: {{ . | int }} + {{- end }} + template: + metadata: + name: {{ include "runtime.fullname" . }}-cleanup + labels: + {{- include "runtime.labels" . | nindent 8 }} + spec: + {{- if $values.rbac.enabled }} + serviceAccountName: {{ template "runtime.fullname" . }}-cleanup + {{- end }} + securityContext: + {{- toYaml $values.podSecurityContext | nindent 8 }} + containers: + - name: cleanup + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }} + imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }} + command: + - "/bin/bash" + args: + - -ec + - | {{ .Files.Get "files/cleanup-runtime.sh" | nindent 10 }} + env: + - name: AGENT_NAME + value: {{ include "runtime.runtime-environment-spec.agent-name" . }} + - name: RUNTIME_NAME + value: {{ include "runtime.runtime-environment-spec.runtime-name" . }} + - name: API_HOST + value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} + - name: API_TOKEN + {{- include "runtime.installation-token-env-var-value" . | indent 10}} + - name: AGENT + value: {{ .Values.runtime.agent | quote }} + - name: AGENT_SECRET_NAME + value: {{ include "runner.fullname" . }} + - name: DIND_SECRET_NAME + value: codefresh-certs-server + {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }} + {{- with $values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $values.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + restartPolicy: OnFailure +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/hooks/pre-delete/rbac-cleanup-resources.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/pre-delete/rbac-cleanup-resources.yaml new file mode 100644 index 0000000000..468ec2212d --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/hooks/pre-delete/rbac-cleanup-resources.yaml @@ -0,0 +1,46 @@ +{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{ $values := .Values.runtime.patch }} +{{- if and $values.enabled }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "runtime.fullname" . }}-cleanup + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "runtime.fullname" . }}-cleanup + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed +rules: + - apiGroups: + - "*" + resources: + - "*" + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "runtime.fullname" . }}-cleanup + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "runtime.fullname" . }}-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "runtime.fullname" . }}-cleanup + namespace: {{ .Release.Namespace }} +{{ end }} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/monitor/deployment.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/monitor/deployment.yaml new file mode 100644 index 0000000000..00c9fb2f91 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/monitor/deployment.yaml @@ -0,0 +1,9 @@ +{{- $monitorContext := deepCopy . }} +{{- $_ := set $monitorContext "Values" (get .Values "monitor") }} +{{- $_ := set $monitorContext.Values "global" (get .Values "global") }} +{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $monitorContext.Values.enabled }} +{{- include "monitor.resources.deployment" $monitorContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/monitor/rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/monitor/rbac.yaml new file mode 100644 index 0000000000..f9812d565d --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/monitor/rbac.yaml @@ -0,0 +1,9 @@ +{{- $monitorContext := deepCopy . }} +{{- $_ := set $monitorContext "Values" (get .Values "monitor") }} +{{- $_ := set $monitorContext.Values "global" (get .Values "global") }} +{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $monitorContext.Values.enabled }} +{{- include "monitor.resources.rbac" $monitorContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/monitor/service.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/monitor/service.yaml new file mode 100644 index 0000000000..f99706614a --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/monitor/service.yaml @@ -0,0 +1,9 @@ +{{- $monitorContext := deepCopy . }} +{{- $_ := set $monitorContext "Values" (get .Values "monitor") }} +{{- $_ := set $monitorContext.Values "global" (get .Values "global") }} +{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $monitorContext.Values.enabled }} +{{- include "monitor.resources.service" $monitorContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/other/external-secrets.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/other/external-secrets.yaml new file mode 100644 index 0000000000..dc24e24e51 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/other/external-secrets.yaml @@ -0,0 +1,2 @@ +{{ $templateName := printf "cf-common-%s.external-secrets" (index .Subcharts "cf-common").Chart.Version }} +{{- include $templateName . -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/other/podMonitor.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/other/podMonitor.yaml new file mode 100644 index 0000000000..4319b722b9 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/other/podMonitor.yaml @@ -0,0 +1,2 @@ +{{ $templateName := printf "cf-common-%s.podMonitor" (index .Subcharts "cf-common").Chart.Version }} +{{- include $templateName . -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/other/serviceMonitor.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/other/serviceMonitor.yaml new file mode 100644 index 0000000000..29f890fe2b --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/other/serviceMonitor.yaml @@ -0,0 +1,2 @@ +{{ $templateName := printf "cf-common-%s.serviceMonitor" (index .Subcharts "cf-common").Chart.Version }} +{{- include $templateName . -}} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/runner/deployment.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/runner/deployment.yaml new file mode 100644 index 0000000000..85777c487f --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/runner/deployment.yaml @@ -0,0 +1,9 @@ +{{- $runnerContext := deepCopy . }} +{{- $_ := set $runnerContext "Values" (get .Values "runner") }} +{{- $_ := set $runnerContext.Values "global" (get .Values "global") }} +{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if and $runnerContext.Values.enabled .Values.runtime.agent }} +{{- include "runner.resources.deployment" $runnerContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/runner/rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/runner/rbac.yaml new file mode 100644 index 0000000000..d5f8c13233 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/runner/rbac.yaml @@ -0,0 +1,9 @@ +{{- $runnerContext := deepCopy . }} +{{- $_ := set $runnerContext "Values" (get .Values "runner") }} +{{- $_ := set $runnerContext.Values "global" (get .Values "global") }} +{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if and $runnerContext.Values.enabled .Values.runtime.agent }} +{{- include "runner.resources.rbac" $runnerContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/runtime/_helpers.tpl b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/_helpers.tpl new file mode 100644 index 0000000000..6ba04fcc3e --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/_helpers.tpl @@ -0,0 +1,123 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "runtime.name" -}} + {{- printf "%s" (include "cf-runtime.name" .) | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "runtime.fullname" -}} + {{- printf "%s" (include "cf-runtime.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "runtime.labels" -}} +{{ include "cf-runtime.labels" . }} +codefresh.io/application: runtime +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "runtime.selectorLabels" -}} +{{ include "cf-runtime.selectorLabels" . }} +codefresh.io/application: runtime +{{- end }} + +{{/* +Return runtime image (classic runtime) with private registry prefix +*/}} +{{- define "runtime.runtimeImageName" -}} + {{- if .registry -}} + {{- $imageName := (trimPrefix "quay.io/" .imageFullName) -}} + {{- printf "%s/%s" .registry $imageName -}} + {{- else -}} + {{- printf "%s" .imageFullName -}} + {{- end -}} +{{- end -}} + +{{/* +Environment variable value of Codefresh installation token +*/}} +{{- define "runtime.installation-token-env-var-value" -}} + {{- if .Values.global.codefreshToken }} +valueFrom: + secretKeyRef: + name: {{ include "runtime.installation-token-secret-name" . }} + key: codefresh-api-token + {{- else if .Values.global.codefreshTokenSecretKeyRef }} +valueFrom: + secretKeyRef: + {{- .Values.global.codefreshTokenSecretKeyRef | toYaml | nindent 4 }} + {{- end }} +{{- end }} + +{{/* +Environment variable value of Codefresh agent token +*/}} +{{- define "runtime.agent-token-env-var-value" -}} + {{- if .Values.global.agentToken }} +{{- printf "%s" .Values.global.agentToken | toYaml }} + {{- else if .Values.global.agentTokenSecretKeyRef }} +valueFrom: + secretKeyRef: + {{- .Values.global.agentTokenSecretKeyRef | toYaml | nindent 4 }} + {{- end }} +{{- end }} + +{{/* +Print Codefresh API token secret name +*/}} +{{- define "runtime.installation-token-secret-name" }} +{{- print "codefresh-user-token" }} +{{- end }} + +{{/* +Print Codefresh host +*/}} +{{- define "runtime.runtime-environment-spec.codefresh-host" }} +{{- if and (not .Values.global.codefreshHost) }} + {{- fail "ERROR: .global.codefreshHost is required" }} +{{- else }} + {{- printf "%s" (trimSuffix "/" .Values.global.codefreshHost) }} +{{- end }} +{{- end }} + +{{/* +Print runtime-environment name +*/}} +{{- define "runtime.runtime-environment-spec.runtime-name" }} +{{- if and (not .Values.global.runtimeName) }} + {{- printf "%s/%s" .Values.global.context .Release.Namespace }} +{{- else }} + {{- printf "%s" .Values.global.runtimeName }} +{{- end }} +{{- end }} + +{{/* +Print agent name +*/}} +{{- define "runtime.runtime-environment-spec.agent-name" }} +{{- if and (not .Values.global.agentName) }} + {{- printf "%s_%s" .Values.global.context .Release.Namespace }} +{{- else }} + {{- printf "%s" .Values.global.agentName }} +{{- end }} +{{- end }} + +{{/* +Print context +*/}} +{{- define "runtime.runtime-environment-spec.context-name" }} +{{- if and (not .Values.global.context) }} + {{- fail "ERROR: .global.context is required" }} +{{- else }} + {{- printf "%s" .Values.global.context }} +{{- end }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/runtime/cm-dind-daemon.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/cm-dind-daemon.yaml new file mode 100644 index 0000000000..fc7f92905b --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/cm-dind-daemon.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + {{- /* has to be a constant */}} + name: codefresh-dind-config + labels: + {{- include "runtime.labels" . | nindent 4 }} +data: + daemon.json: | +{{ coalesce .Values.re.dindDaemon .Values.runtime.dindDaemon | toPrettyJson | indent 4 }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/runtime/rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/rbac.yaml new file mode 100644 index 0000000000..a51b125262 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/rbac.yaml @@ -0,0 +1,48 @@ +{{ $values := .Values.runtime }} +--- +{{- if or $values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- /* has to be a constant */}} + name: codefresh-engine + labels: + {{- include "runtime.labels" . | nindent 4 }} + {{- with $values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +--- +{{- if $values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: codefresh-engine + labels: + {{- include "runner.labels" . | nindent 4 }} +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get" ] +{{- with $values.rbac.rules }} + {{ toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if and $values.serviceAccount.create $values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: codefresh-engine + labels: + {{- include "runner.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: codefresh-engine +roleRef: + kind: Role + name: codefresh-engine + apiGroup: rbac.authorization.k8s.io +{{- end }} + diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/runtime/runtime-env-spec-tmpl.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/runtime-env-spec-tmpl.yaml new file mode 100644 index 0000000000..baf7265116 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/runtime-env-spec-tmpl.yaml @@ -0,0 +1,214 @@ +{{- define "runtime.runtime-environment-spec.template" }} +{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version -}} +{{- $kubeconfigFilePath := (include "runtime.runtime-environment-spec.runtime-name" .) -}} +{{- $name := (include "runtime.runtime-environment-spec.runtime-name" .) -}} +{{- $engineContext := .Values.runtime.engine -}} +{{- $dindContext := .Values.runtime.dind -}} +{{- $imageRegistry := .Values.global.imageRegistry -}} +metadata: + name: {{ include "runtime.runtime-environment-spec.runtime-name" . }} + agent: {{ .Values.runtime.agent }} +runtimeScheduler: + type: KubernetesPod + {{- if $engineContext.image }} + image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $engineContext.image "context" .) | squote }} + {{- end }} + imagePullPolicy: {{ $engineContext.image.pullPolicy }} + {{- with $engineContext.command }} + command: {{- toYaml . | nindent 4 }} + {{- end }} + envVars: + {{- with $engineContext.env }} + {{- range $key, $val := . }} + {{- if or (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }} + {{ $key }}: {{ $val | squote }} + {{- else }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + COMPOSE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COMPOSE_IMAGE) | squote }} + CONTAINER_LOGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CONTAINER_LOGGER_IMAGE) | squote }} + DOCKER_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_BUILDER_IMAGE) | squote }} + DOCKER_PULLER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PULLER_IMAGE) | squote }} + DOCKER_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PUSHER_IMAGE) | squote }} + DOCKER_TAG_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) | squote }} + FS_OPS_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.FS_OPS_IMAGE) | squote }} + GIT_CLONE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GIT_CLONE_IMAGE) | squote }} + KUBE_DEPLOY: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.KUBE_DEPLOY) | squote }} + PIPELINE_DEBUGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.PIPELINE_DEBUGGER_IMAGE) | squote }} + TEMPLATE_ENGINE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.TEMPLATE_ENGINE) | squote }} + CR_6177_FIXER: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CR_6177_FIXER) | squote }} + GC_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GC_BUILDER_IMAGE) | squote }} + COSIGN_IMAGE_SIGNER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COSIGN_IMAGE_SIGNER_IMAGE) | squote }} + {{- with $engineContext.userEnvVars }} + userEnvVars: {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $engineContext.workflowLimits }} + workflowLimits: {{- toYaml . | nindent 4 }} + {{- end }} + cluster: + namespace: {{ .Release.Namespace }} + serviceAccount: {{ $engineContext.serviceAccount }} + {{- if .Values.runtime.agent }} + clusterProvider: + accountId: {{ .Values.global.accountId }} + selector: {{ include "runtime.runtime-environment-spec.context-name" . }} + {{- else }} + {{- if .Values.runtime.inCluster }} + inCluster: true + kubeconfigFilePath: null + {{- else }} + name: {{ $name }} + kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }} + {{- end }} + {{- end }} + {{- with $engineContext.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 6 }} + {{- end }} + {{- with $engineContext.affinity }} + affinity: {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $engineContext.tolerations }} + tolerations: {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $engineContext.podAnnotations }} + annotations: + {{- range $key, $val := . }} + {{ $key }}: {{ $val | squote }} + {{- end }} + {{- end }} + {{- with $engineContext.podLabels }} + labels: {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $engineContext.schedulerName }} + schedulerName: {{ $engineContext.schedulerName }} + {{- end }} + resources: + {{- if $engineContext.resources}} + {{- toYaml $engineContext.resources | nindent 4 }} + {{- end }} + {{- with $engineContext.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ . }} + {{- end }} +dockerDaemonScheduler: + type: DindKubernetesPod + {{- if $dindContext.image }} + dindImage: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.image "context" .) | squote }} + {{- end }} + imagePullPolicy: {{ $dindContext.image.pullPolicy }} + {{- with $dindContext.userAccess }} + userAccess: {{ . }} + {{- end }} + {{- with $dindContext.env }} + envVars: + {{- range $key, $val := . }} + {{- if or (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }} + {{ $key }}: {{ $val | squote }} + {{- else }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + cluster: + namespace: {{ .Release.Namespace }} + serviceAccount: {{ $dindContext.serviceAccount }} + {{- if .Values.runtime.agent }} + clusterProvider: + accountId: {{ .Values.global.accountId }} + selector: {{ include "runtime.runtime-environment-spec.context-name" . }} + {{- else }} + {{- if .Values.runtime.inCluster }} + inCluster: true + kubeconfigFilePath: null + {{- else }} + name: {{ $name }} + kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }} + {{- end }} + {{- end }} + {{- with $dindContext.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 6 }} + {{- end }} + {{- with $dindContext.affinity }} + affinity: {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $dindContext.tolerations }} + tolerations: {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $dindContext.podAnnotations }} + annotations: + {{- range $key, $val := . }} + {{ $key }}: {{ $val | squote }} + {{- end }} + {{- end }} + {{- with $dindContext.podLabels }} + labels: {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $dindContext.schedulerName }} + schedulerName: {{ $dindContext.schedulerName }} + {{- end }} + {{- if $dindContext.pvcs }} + pvcs: + {{- range $index, $pvc := $dindContext.pvcs }} + - name: {{ $pvc.name }} + reuseVolumeSelector: {{ $pvc.reuseVolumeSelector | squote }} + reuseVolumeSortOrder: {{ $pvc.reuseVolumeSortOrder }} + storageClassName: {{ include (printf "%v.tplrender" $cfCommonTplSemver) (dict "Values" $pvc.storageClassName "context" $) }} + volumeSize: {{ $pvc.volumeSize }} + {{- with $pvc.annotations }} + annotations: {{ . | toYaml | nindent 8 }} + {{- end }} + {{- end }} + {{- end }} + defaultDindResources: + {{- with $dindContext.resources }} + {{- if not .requests }} + limits: {{- toYaml .limits | nindent 6 }} + requests: null + {{- else }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- with $dindContext.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ . }} + {{- end }} + {{- with $dindContext.userVolumeMounts }} + userVolumeMounts: {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $dindContext.userVolumes }} + userVolumes: {{- toYaml . | nindent 4 }} + {{- end }} + {{- if and (not .Values.runtime.agent) }} + clientCertPath: /etc/ssl/cf/ + volumeMounts: + codefresh-certs-server: + name: codefresh-certs-server + mountPath: /etc/ssl/cf + readOnly: false + volumes: + codefresh-certs-server: + name: codefresh-certs-server + secret: + secretName: codefresh-certs-server + {{- end }} +extends: {{- toYaml .Values.runtime.runtimeExtends | nindent 2 }} + {{- if .Values.runtime.description }} +description: {{ .Values.runtime.description }} + {{- else }} +description: null + {{- end }} +{{- if .Values.global.accountId }} +accountId: {{ .Values.global.accountId }} +{{- end }} +{{- if not .Values.runtime.agent }} +accounts: {{- toYaml .Values.runtime.accounts | nindent 2 }} +{{- end }} +{{- if .Values.appProxy.enabled }} +appProxy: + externalIP: >- + {{ printf "https://%s%s" .Values.appProxy.ingress.host (.Values.appProxy.ingress.pathPrefix | default "/") }} +{{- end }} +{{- if not .Values.runtime.agent }} +systemHybrid: true +{{- end }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/runtime/secret.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/secret.yaml new file mode 100644 index 0000000000..2366d3ccf6 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/secret.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.global.codefreshToken }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ include "runtime.installation-token-secret-name" . }} + labels: + {{- include "runtime.labels" . | nindent 4 }} +stringData: + codefresh-api-token: {{ .Values.global.codefreshToken }} +{{- end }} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/runtime/svc-dind.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/svc-dind.yaml new file mode 100644 index 0000000000..098edb4e87 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/runtime/svc-dind.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + {{- include "runtime.labels" . | nindent 4 }} + app: dind + {{/* has to be a constant */}} + name: dind +spec: + ports: + - name: "dind-port" + port: 1300 + protocol: TCP + clusterIP: None + selector: + app: dind diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/cronjob.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/cronjob.yaml new file mode 100644 index 0000000000..db955bc771 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/cronjob.yaml @@ -0,0 +1,11 @@ +{{- $volumeProvisionerContext := deepCopy . }} +{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-volume-cleanup") }} +{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }} +{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} +{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }} +{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }} +{{- include "dind-volume-provisioner.resources.cronjob" $volumeProvisionerContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/daemonset.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/daemonset.yaml new file mode 100644 index 0000000000..39927149e8 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/daemonset.yaml @@ -0,0 +1,11 @@ +{{- $volumeProvisionerContext := deepCopy . }} +{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-lv-monitor") }} +{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }} +{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} +{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }} +{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }} +{{- include "dind-volume-provisioner.resources.daemonset" $volumeProvisionerContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/deployment.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/deployment.yaml new file mode 100644 index 0000000000..522fa8791f --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/deployment.yaml @@ -0,0 +1,10 @@ +{{- $volumeProvisionerContext := deepCopy . }} +{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }} +{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} +{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }} +{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $volumeProvisionerContext.Values.enabled }} +{{- include "dind-volume-provisioner.resources.deployment" $volumeProvisionerContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/rbac.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/rbac.yaml new file mode 100644 index 0000000000..f3ae9609f9 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/rbac.yaml @@ -0,0 +1,9 @@ +{{- $volumeProvisionerContext := deepCopy . }} +{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }} +{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} +{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $volumeProvisionerContext.Values.enabled }} +{{- include "dind-volume-provisioner.resources.rbac" $volumeProvisionerContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/secret.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/secret.yaml new file mode 100644 index 0000000000..accf601d13 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/secret.yaml @@ -0,0 +1,10 @@ +{{- $volumeProvisionerContext := deepCopy . }} +{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }} +{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} +{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }} +{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $volumeProvisionerContext.Values.enabled }} +{{- include "dind-volume-provisioner.resources.secret" $volumeProvisionerContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/storageclass.yaml b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/storageclass.yaml new file mode 100644 index 0000000000..77a7602da1 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/templates/volume-provisioner/storageclass.yaml @@ -0,0 +1,10 @@ +{{- $volumeProvisionerContext := deepCopy . }} +{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }} +{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} +{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }} +{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }} +{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} + +{{- if $volumeProvisionerContext.Values.enabled }} +{{- include "dind-volume-provisioner.resources.storageclass" $volumeProvisionerContext }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.4.3/values.yaml b/charts/codefresh/cf-runtime/6.4.3/values.yaml new file mode 100644 index 0000000000..0e8800a609 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.4.3/values.yaml @@ -0,0 +1,951 @@ +# -- String to partially override cf-runtime.fullname template (will maintain the release name) +nameOverride: "" +# -- String to fully override cf-runtime.fullname template +fullnameOverride: "" + +# -- Global parameters +# @default -- See below +global: + # -- Global Docker image registry + imageRegistry: "" + # -- Global Docker registry secret names as array + imagePullSecrets: [] + + # -- URL of Codefresh Platform (required!) + codefreshHost: "https://g.codefresh.io" + # -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!) + # Ref: https://g.codefresh.io/user/settings (see API Keys) + # Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write) + codefreshToken: "" + # -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!) + codefreshTokenSecretKeyRef: {} + + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Account ID (required!) + # Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information + accountId: "" + + # -- K8s context name (required!) + context: "" + # E.g. + # context: prod-ue1-runtime-1 + + # -- Agent Name (optional!) + # If omitted, the following format will be used `{{ .Values.global.context }}_{{ .Release.Namespace }}` + agentName: "" + # E.g. + # agentName: prod-ue1-runtime-1 + + # -- Runtime name (optional!) + # If omitted, the following format will be used `{{ .Values.global.context }}/{{ .Release.Namespace }}` + runtimeName: "" + # E.g. + # runtimeName: prod-ue1-runtime-1/namespace + + # -- DEPRECATED Agent token in plain text. + # !!! MUST BE provided if migrating from < 6.x chart version + agentToken: "" + # -- DEPRECATED Agent token that references an existing secret containing API key. + # !!! MUST BE provided if migrating from < 6.x chart version + agentTokenSecretKeyRef: {} + # E.g. + # agentTokenSecretKeyRef: + # name: my-codefresh-agent-secret + # key: codefresh-agent-token + +# DEPRECATED -- Use `.Values.global.imageRegistry` instead +dockerRegistry: "" + +# DEPRECATED -- Use `.Values.runtime` instead +re: {} + +# -- Runner parameters +# @default -- See below +runner: + # -- Enable the runner + enabled: true + # -- Set number of pods + replicasCount: 1 + # -- Upgrade strategy + updateStrategy: + type: RollingUpdate + # -- Set pod annotations + podAnnotations: {} + + # -- Set image + image: + registry: quay.io + repository: codefresh/venona + tag: 1.10.2 + + # -- Init container + init: + image: + registry: quay.io + repository: codefresh/cli + tag: 0.85.0-rootless + + resources: + limits: + memory: 512Mi + cpu: '1' + requests: + memory: 256Mi + cpu: '0.2' + + # -- Sidecar container + # Reconciles runtime spec from Codefresh API for drift detection + sidecar: + enabled: false + image: + registry: quay.io + repository: codefresh/codefresh-shell + tag: 0.0.2 + env: + RECONCILE_INTERVAL: 300 + resources: {} + + # -- Add additional env vars + env: {} + # E.g. + # env: + # WORKFLOW_CONCURRENCY: 50 # The number of workflow creation and termination tasks the Runner can handle in parallel. Defaults to 50 + + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Override service account name + name: "" + # -- Additional service account annotations + annotations: {} + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Add custom rule to the role + rules: [] + + # -- Set security context for the pod + # @default -- See below + podSecurityContext: + enabled: true + runAsUser: 10001 + runAsGroup: 10001 + fsGroup: 10001 + + # -- Readiness probe configuration + # @default -- See below + readinessProbe: + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + # -- Set requests and limits + resources: {} + # -- Set node selector + nodeSelector: {} + # -- Set tolerations + tolerations: [] + # -- Set affinity + affinity: {} + +# -- Volume Provisioner parameters +# @default -- See below +volumeProvisioner: + # -- Enable volume-provisioner + enabled: true + # -- Set number of pods + replicasCount: 1 + # -- Upgrade strategy + updateStrategy: + type: Recreate + # -- Set pod annotations + podAnnotations: {} + + # -- Set image + image: + registry: quay.io + repository: codefresh/dind-volume-provisioner + tag: 1.35.0 + # -- Add additional env vars + env: {} + # E.g. + # env: + # THREADINESS: 4 # The number of PVC requests the dind-volume-provisioner can process in parallel. Defaults to 4 + + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Override service account name + name: "" + # -- Additional service account annotations + annotations: {} + # E.g. + # serviceAccount: + # annotations: + # eks.amazonaws.com/role-arn: "arn:aws:iam:::role/" + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Add custom rule to the role + rules: [] + + # -- Set security context for the pod + # @default -- See below + podSecurityContext: + enabled: true + runAsUser: 3000 + runAsGroup: 3000 + fsGroup: 3000 + + # -- Set node selector + nodeSelector: {} + # -- Set resources + resources: {} + # -- Set tolerations + tolerations: [] + # -- Set affinity + affinity: {} + + # -- `dind-lv-monitor` DaemonSet parameters + # (local volumes cleaner) + # @default -- See below + dind-lv-monitor: + enabled: true + image: + registry: quay.io + repository: codefresh/dind-volume-utils + tag: 1.29.4 + podAnnotations: {} + podSecurityContext: + enabled: true + runAsUser: 1000 + fsGroup: 1000 + containerSecurityContext: {} + env: {} + resources: {} + nodeSelector: {} + tolerations: + - key: 'codefresh/dind' + operator: 'Exists' + effect: 'NoSchedule' + volumePermissions: + enabled: true + image: + registry: docker.io + repository: alpine + tag: 3.18 + resources: {} + securityContext: + runAsUser: 0 # auto + + # `dind-volume-cleanup` CronJob parameters + # (external volumes cleaner) + # @default -- See below + dind-volume-cleanup: + enabled: true + image: + registry: quay.io + repository: codefresh/dind-volume-cleanup + tag: 1.2.0 + env: {} + concurrencyPolicy: Forbid + schedule: "*/10 * * * *" + successfulJobsHistory: 3 + failedJobsHistory: 1 + suspend: false + podAnnotations: {} + podSecurityContext: + enabled: true + fsGroup: 3000 + runAsGroup: 3000 + runAsUser: 3000 + nodeSelector: {} + affinity: {} + tolerations: [] + +# Storage parameters for volume-provisioner +# @default -- See below +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: local + # -- Set filesystem type (`ext4`/`xfs`) + fsType: "ext4" + + # Storage parametrs example for local volumes on the K8S nodes filesystem (i.e. `storage.backend=local`) + # https://kubernetes.io/docs/concepts/storage/volumes/#local + # @default -- See below + local: + # -- Set volume path on the host filesystem + volumeParentDir: /var/lib/codefresh/dind-volumes + + # Storage parameters example for aws ebs disks (i.e. `storage.backend=ebs`/`storage.backend=ebs-csi`) + # https://aws.amazon.com/ebs/ + # https://codefresh.io/docs/docs/installation/codefresh-runner/#aws-backend-volume-configuration + # @default -- See below + ebs: + # -- Set EBS volume type (`gp2`/`gp3`/`io1`) (required) + volumeType: "gp2" + # -- Set EBS volumes availability zone (required) + availabilityZone: "us-east-1a" + # -- Enable encryption (optional) + encrypted: "false" + # -- Set KMS encryption key ID (optional) + kmsKeyId: "" + + # -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional) + # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions + accessKeyId: "" + # -- Existing secret containing AWS_ACCESS_KEY_ID. + accessKeyIdSecretKeyRef: {} + # E.g. + # accessKeyIdSecretKeyRef: + # name: + # key: + + # -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional) + # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions + secretAccessKey: "" + # -- Existing secret containing AWS_SECRET_ACCESS_KEY + secretAccessKeySecretKeyRef: {} + # E.g. + # secretAccessKeySecretKeyRef: + # name: + # key: + + # E.g. + # ebs: + # volumeType: gp3 + # availabilityZone: us-east-1c + # encrypted: false + # iops: "5000" + # # I/O operations per second. Only effetive when gp3 volume type is specified. + # # Default value - 3000. + # # Max - 16,000 + # throughput: "500" + # # Throughput in MiB/s. Only effective when gp3 volume type is specified. + # # Default value - 125. + # # Max - 1000. + # ebs: + # volumeType: gp2 + # availabilityZone: us-east-1c + # encrypted: true + # kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab" + # accessKeyId: "MYKEYID" + # secretAccessKey: "MYACCESSKEY" + + # Storage parameters example for gce disks + # https://cloud.google.com/compute/docs/disks#pdspecs + # https://codefresh.io/docs/docs/installation/codefresh-runner/#gke-google-kubernetes-engine-backend-volume-configuration + # @default -- See below + gcedisk: + # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`) + volumeType: "pd-ssd" + # -- Set GCP volume availability zone + availabilityZone: "us-west1-a" + # -- Set Google SA JSON key for volume-provisioner (optional) + serviceAccountJson: "" + # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional) + serviceAccountJsonSecretKeyRef: {} + # E.g. + # gcedisk: + # volumeType: pd-ssd + # availabilityZone: us-central1-c + # serviceAccountJson: |- + # { + # "type": "service_account", + # "project_id": "...", + # "private_key_id": "...", + # "private_key": "...", + # "client_email": "...", + # "client_id": "...", + # "auth_uri": "...", + # "token_uri": "...", + # "auth_provider_x509_cert_url": "...", + # "client_x509_cert_url": "..." + # } + + # Storage parameters example for Azure Disks + # https://codefresh.io/docs/docs/installation/codefresh-runner/#install-codefresh-runner-on-azure-kubernetes-service-aks + # @default -- See below + azuredisk: + # -- Set storage type (`Premium_LRS`) + skuName: Premium_LRS + cachingMode: None + # availabilityZone: northeurope-1 + # resourceGroup: + # DiskIOPSReadWrite: 500 + # DiskMBpsReadWrite: 100 + + mountAzureJson: false + +# -- Set runtime parameters +# @default -- See below + +runtime: + # -- Set annotation on engine Service Account + # Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster + serviceAccount: + create: true + annotations: {} + # E.g. + # serviceAccount: + # annotations: + # eks.amazonaws.com/role-arn: "arn:aws:iam:::role/" + + # -- Set parent runtime to inherit. + # Should not be changes. Parent runtime is controlled from Codefresh side. + runtimeExtends: + - system/default/hybrid/k8s_low_limits + # -- Runtime description + description: "" + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Add custom rule to the engine role + rules: [] + + # -- (for On-Premise only) Enable agent + agent: true + # -- (for On-Premise only) Set inCluster runtime + inCluster: true + # -- (for On-Premise only) Assign accounts to runtime (list of account ids) + accounts: [] + + # -- Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). + dind: + # -- Set dind image. + image: + registry: quay.io + repository: codefresh/dind + tag: 26.1.4-1.28.7 # use `latest-rootless/rootless/26.1.4-1.28.7-rootless` tags for rootless-dind + pullPolicy: IfNotPresent + # -- Set dind resources. + resources: + requests: null + limits: + cpu: 400m + memory: 800Mi + # -- Set termination grace period. + terminationGracePeriodSeconds: 30 + # -- PV claim spec parametes. + pvcs: + # -- Default dind PVC parameters + dind: + # -- PVC name prefix. + # Keep `dind` as default! Don't change! + name: dind + # -- PVC storage class name. + # Change ONLY if you need to use storage class NOT from Codefresh volume-provisioner + storageClassName: '{{ include "dind-volume-provisioner.storageClassName" . }}' + # -- PVC size. + volumeSize: 16Gi + # -- PV reuse selector. + # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#volume-reuse-policy + reuseVolumeSelector: codefresh-app,io.codefresh.accountName + reuseVolumeSortOrder: pipeline_id + # -- PV annotations. + annotations: {} + # E.g.: + # annotations: + # codefresh.io/volume-retention: 7d + # -- Set additional env vars. + env: + DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: true + # -- Set pod annotations. + podAnnotations: {} + # -- Set pod labels. + podLabels: {} + # -- Set node selector. + nodeSelector: {} + # -- Set affinity + affinity: {} + # -- Set tolerations. + tolerations: [] + # -- Set scheduler name. + schedulerName: "" + # -- Set service account for pod. + serviceAccount: codefresh-engine + # -- Keep `true` as default! + userAccess: true + # -- Add extra volumes + userVolumes: {} + # E.g.: + # userVolumes: + # regctl-docker-registry: + # name: regctl-docker-registry + # secret: + # items: + # - key: .dockerconfigjson + # path: config.json + # secretName: regctl-docker-registry + # optional: true + # -- Add extra volume mounts + userVolumeMounts: {} + # E.g.: + # userVolumeMounts: + # regctl-docker-registry: + # name: regctl-docker-registry + # mountPath: /home/appuser/.docker/ + # readOnly: true + + # -- Parameters for Engine pod (aka "pipeline" orchestrator). + engine: + # -- Set image. + image: + registry: quay.io + repository: codefresh/engine + tag: 1.174.13 + pullPolicy: IfNotPresent + # -- Set container command. + command: + - npm + - run + - start + # -- Set resources. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 1000m + memory: 2048Mi + # -- Set termination grace period. + terminationGracePeriodSeconds: 180 + # -- Set system(base) runtime images. + # @default -- See below. + runtimeImages: + COMPOSE_IMAGE: quay.io/codefresh/compose:v2.28.1-1.5.0 + CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:1.11.7 + DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.3.13 + DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.17 + DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.16 + DOCKER_TAG_PUSHER_IMAGE: quay.io/codefresh/cf-docker-tag-pusher:1.3.14 + FS_OPS_IMAGE: quay.io/codefresh/fs-ops:1.2.3 + GIT_CLONE_IMAGE: quay.io/codefresh/cf-git-cloner:10.1.28 + KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:16.1.11 + PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:1.3.6 + TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.1 + CR_6177_FIXER: 'quay.io/codefresh/alpine:edge' + GC_BUILDER_IMAGE: 'quay.io/codefresh/cf-gc-builder:0.5.3' + COSIGN_IMAGE_SIGNER_IMAGE: 'quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2' + # -- Set additional env vars. + env: + # -- Interval to check the exec status in the container-logger + CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS: 1000 + # -- Timeout while doing requests to the Docker daemon + DOCKER_REQUEST_TIMEOUT_MS: 30000 + # -- If "true", composition images will be pulled sequentially + FORCE_COMPOSE_SERIAL_PULL: false + # -- Level of logging for engine + LOGGER_LEVEL: debug + # -- Enable debug-level logging of outgoing HTTP/HTTPS requests + LOG_OUTGOING_HTTP_REQUESTS: false + # -- Enable emitting metrics from engine + METRICS_PROMETHEUS_ENABLED: true + # -- Enable legacy metrics + METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS: false + # -- Enable collecting process metrics + METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS: false + # -- Host for Prometheus metrics server + METRICS_PROMETHEUS_HOST: '0.0.0.0' + # -- Port for Prometheus metrics server + METRICS_PROMETHEUS_PORT: 9100 + # -- Set workflow limits. + workflowLimits: + # -- Maximum time allowed to the engine to wait for the pre-steps (aka "Initializing Process") to succeed; seconds. + MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS: 600 + # -- Maximum time for workflow execution; seconds. + MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION: 86400 + # -- Maximum time allowed to workflow to spend in "elected" state; seconds. + MAXIMUM_ELECTED_STATE_AGE_ALLOWED: 900 + # -- Maximum retry attempts allowed for workflow. + MAXIMUM_RETRY_ATTEMPTS_ALLOWED: 20 + # -- Maximum time allowed to workflow to spend in "terminating" state until force terminated; seconds. + MAXIMUM_TERMINATING_STATE_AGE_ALLOWED: 900 + # -- Maximum time allowed to workflow to spend in "terminating" state without logs activity until force terminated; seconds. + MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE: 300 + # -- Time since the last health check report after which workflow is terminated; seconds. + TIME_ENGINE_INACTIVE_UNTIL_TERMINATION: 300 + # -- Time since the last health check report after which the engine is considered unhealthy; seconds. + TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY: 60 + # -- Time since the last workflow logs activity after which workflow is terminated; seconds. + TIME_INACTIVE_UNTIL_TERMINATION: 2700 + # -- Set pod annotations. + podAnnotations: {} + # -- Set pod labels. + podLabels: {} + # -- Set node selector. + nodeSelector: {} + # -- Set affinity + affinity: {} + # -- Set tolerations. + tolerations: [] + # -- Set scheduler name. + schedulerName: "" + # -- Set service account for pod. + serviceAccount: codefresh-engine + # -- Set extra env vars + userEnvVars: [] + # E.g. + # userEnvVars: + # - name: GITHUB_TOKEN + # valueFrom: + # secretKeyRef: + # name: github-token + # key: token + + # -- Parameters for `runtime-patch` post-upgrade/install hook + # @default -- See below + patch: + enabled: true + image: + registry: quay.io + repository: codefresh/cli + tag: 0.85.0-rootless + rbac: + enabled: true + annotations: {} + affinity: {} + nodeSelector: {} + podSecurityContext: {} + resources: {} + tolerations: [] + ttlSecondsAfterFinished: 180 + env: + HOME: /tmp + + # -- Parameters for `gencerts-dind` post-upgrade/install hook + # @default -- See below + gencerts: + enabled: true + image: + registry: quay.io + repository: codefresh/kubectl + tag: 1.28.4 + rbac: + enabled: true + annotations: {} + affinity: {} + nodeSelector: {} + podSecurityContext: {} + resources: {} + tolerations: [] + ttlSecondsAfterFinished: 180 + + # -- DinD pod daemon config + # @default -- See below + dindDaemon: + hosts: + - unix:///var/run/docker.sock + - tcp://0.0.0.0:1300 + tlsverify: true + tls: true + tlscacert: /etc/ssl/cf-client/ca.pem + tlscert: /etc/ssl/cf/server-cert.pem + tlskey: /etc/ssl/cf/server-key.pem + insecure-registries: + - 192.168.99.100:5000 + metrics-addr: 0.0.0.0:9323 + experimental: true + +# App-Proxy parameters +# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#app-proxy-installation +# @default -- See below +appProxy: + # -- Enable app-proxy + enabled: false + # -- Set number of pods + replicasCount: 1 + # -- Upgrade strategy + updateStrategy: + type: RollingUpdate + # -- Set pod annotations + podAnnotations: {} + + # -- Set image + image: + registry: quay.io + repository: codefresh/cf-app-proxy + tag: 0.0.47 + # -- Add additional env vars + env: {} + + # Set app-proxy ingress parameters + # @default -- See below + ingress: + # -- Set path prefix for ingress (keep empty for default `/` path) + pathPrefix: "" + # -- Set ingress class + class: "" + # -- Set DNS hostname the ingress will use + host: "" + # -- Set k8s tls secret for the ingress object + tlsSecret: "" + # -- Set extra annotations for ingress object + annotations: {} + # E.g. + # ingress: + # pathPrefix: "/cf-app-proxy" + # class: "nginx" + # host: "mydomain.com" + # tlsSecret: "tls-cert-app-proxy" + # annotations: + # nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123/130 + + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Override service account name + name: "" + # -- Use Role(true)/ClusterRole(true) + namespaced: true + # -- Additional service account annotations + annotations: {} + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Use Role(true)/ClusterRole(true) + namespaced: true + # -- Add custom rule to the role + rules: [] + + # -- Set security context for the pod + podSecurityContext: {} + + # -- Readiness probe configuration + # @default -- See below + readinessProbe: + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + # -- Set requests and limits + resources: {} + # -- Set node selector + nodeSelector: {} + # -- Set tolerations + tolerations: [] + # -- Set affinity + affinity: {} + +# Monitor parameters +# @default -- See below +monitor: + # -- Enable monitor + # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component + enabled: false + + # -- Set number of pods + replicasCount: 1 + # -- Upgrade strategy + updateStrategy: + type: RollingUpdate + # -- Set pod annotations + podAnnotations: {} + + # -- Set image + image: + registry: quay.io + repository: codefresh/cf-k8s-agent + tag: 1.3.18 + # -- Add additional env vars + env: {} + + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Override service account name + name: "" + # -- Additional service account annotations + annotations: {} + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Use Role(true)/ClusterRole(true) + namespaced: true + # -- Add custom rule to the role + rules: [] + + # -- Readiness probe configuration + # @default -- See below + readinessProbe: + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + podSecurityContext: {} + + # -- Set node selector + nodeSelector: {} + # -- Set resources + resources: {} + # -- Set tolerations + tolerations: [] + # -- Set affinity + affinity: {} + +# -- Add serviceMonitor +# @default -- See below +serviceMonitor: + main: + # -- Enable service monitor for dind pods + enabled: false + nameOverride: dind + selector: + matchLabels: + app: dind + endpoints: + - path: /metrics + targetPort: 9100 + relabelings: + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + +# -- Add podMonitor (for engine pods) +# @default -- See below +podMonitor: + main: + # -- Enable pod monitor for engine pods + enabled: false + nameOverride: engine + selector: + matchLabels: + app: runtime + podMetricsEndpoints: + - path: /metrics + targetPort: 9100 + + runner: + # -- Enable pod monitor for runner pod + enabled: false + nameOverride: runner + selector: + matchLabels: + codefresh.io/application: runner + podMetricsEndpoints: + - path: /metrics + targetPort: 8080 + + volume-provisioner: + # -- Enable pod monitor for volumeProvisioner pod + enabled: false + nameOverride: volume-provisioner + selector: + matchLabels: + codefresh.io/application: volume-provisioner + podMetricsEndpoints: + - path: /metrics + targetPort: 8080 + +# -- Event exporter parameters +# @default -- See below +event-exporter: + # -- Enable event-exporter + enabled: false + # -- Set number of pods + replicasCount: 1 + # -- Upgrade strategy + updateStrategy: + type: Recreate + # -- Set pod annotations + podAnnotations: {} + + # -- Set image + image: + registry: docker.io + repository: codefresh/k8s-event-exporter + tag: latest + # -- Add additional env vars + env: {} + + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Override service account name + name: "" + # -- Additional service account annotations + annotations: {} + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Add custom rule to the role + rules: [] + + # -- Set security context for the pod + # @default -- See below + podSecurityContext: + enabled: false + + # -- Set node selector + nodeSelector: {} + # -- Set resources + resources: {} + # -- Set tolerations + tolerations: [] + # -- Set affinity + affinity: {} + +# -- Array of extra objects to deploy with the release +extraResources: [] +# E.g. +# extraResources: +# - apiVersion: rbac.authorization.k8s.io/v1 +# kind: ClusterRole +# metadata: +# name: codefresh-role +# rules: +# - apiGroups: [ "*"] +# resources: ["*"] +# verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +# - apiVersion: v1 +# kind: ServiceAccount +# metadata: +# name: codefresh-user +# namespace: "{{ .Release.Namespace }}" +# - apiVersion: rbac.authorization.k8s.io/v1 +# kind: ClusterRoleBinding +# metadata: +# name: codefresh-user +# roleRef: +# apiGroup: rbac.authorization.k8s.io +# kind: ClusterRole +# name: codefresh-role +# subjects: +# - kind: ServiceAccount +# name: codefresh-user +# namespace: "{{ .Release.Namespace }}" +# - apiVersion: v1 +# kind: Secret +# type: kubernetes.io/service-account-token +# metadata: +# name: codefresh-user-token +# namespace: "{{ .Release.Namespace }}" +# annotations: +# kubernetes.io/service-account.name: "codefresh-user" diff --git a/charts/linkerd/linkerd-control-plane/2024.10.1/Chart.yaml b/charts/linkerd/linkerd-control-plane/2024.10.1/Chart.yaml index f6c30ccb1b..887dfc4faa 100644 --- a/charts/linkerd/linkerd-control-plane/2024.10.1/Chart.yaml +++ b/charts/linkerd/linkerd-control-plane/2024.10.1/Chart.yaml @@ -2,7 +2,6 @@ annotations: catalog.cattle.io/auto-install: linkerd-crds catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Linkerd Control Plane - catalog.cattle.io/featured: "5" catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/.helmignore b/charts/linkerd/linkerd-control-plane/2024.10.2/.helmignore new file mode 100644 index 0000000000..79c90a8063 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +OWNERS +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/Chart.lock b/charts/linkerd/linkerd-control-plane/2024.10.2/Chart.lock new file mode 100644 index 0000000000..a0cb7ec8c5 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba +generated: "2021-12-06T11:42:50.784240359-05:00" diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/Chart.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/Chart.yaml new file mode 100644 index 0000000000..919347265b --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/Chart.yaml @@ -0,0 +1,29 @@ +annotations: + catalog.cattle.io/auto-install: linkerd-crds + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/featured: "5" + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-control-plane +apiVersion: v2 +appVersion: edge-24.10.2 +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' +home: https://linkerd.io +icon: file://assets/icons/linkerd-control-plane.png +keywords: +- service-mesh +kubeVersion: '>=1.22.0-0' +maintainers: +- email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ +name: linkerd-control-plane +sources: +- https://github.com/linkerd/linkerd2/ +type: application +version: 2024.10.2 diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/README.md b/charts/linkerd/linkerd-control-plane/2024.10.2/README.md new file mode 100644 index 0000000000..adb023f7b5 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/README.md @@ -0,0 +1,321 @@ +# linkerd-control-plane + +Linkerd gives you observability, reliability, and security +for your microservices — with no code change required. + +![Version: 2024.10.2](https://img.shields.io/badge/Version-2024.10.2-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) + +**Homepage:** + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Prerequisite: linkerd-crds chart + +Before installing this chart, please install the `linkerd-crds` chart, which +creates all the CRDs that the components from the current chart require. + +## Prerequisite: identity certificates + +The identity component of Linkerd requires setting up a trust anchor +certificate, and an issuer certificate with its key. These need to be provided +to Helm by the user (unlike when using the `linkerd install` CLI which can +generate these automatically). You can provide your own, or follow [these +instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new +ones. + +Alternatively, both trust anchor and identity issuer certificates may be +derived from in-cluster resources. Existing CA (trust anchor) certificates +**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`. +Issuer certificates **must** live in a `Secret` named +`linkerd-identity-issuer`. Both resources should exist in the control-plane's +install namespace. In order to use an existing CA, Linkerd needs to be +installed with `identity.externalCA=true`. To use an existing issuer +certificate, Linkerd should be installed with +`identity.issuer.scheme=kubernetes.io/tls`. + +A more comprehensive description is in the [automatic certificate rotation +guide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions). + +Note that the provided certificates must be ECDSA certificates. + +## Adding Linkerd's Helm repository + +Included here for completeness-sake, but should have already been added when +`linkerd-base` was installed. + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the chart + +You must provide the certificates and keys described in the preceding section, +and the same expiration date you used to generate the Issuer certificate. + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + linkerd/linkerd-control-plane +``` + +Note that you require to install this chart in the same namespace you installed +the `linkerd-base` chart. + +## Setting High-Availability + +Besides the default `values.yaml` file, the chart provides a `values-ha.yaml` +file that overrides some default values as to set things up under a +high-availability scenario, analogous to the `--ha` option in `linkerd install`. +Values such as higher number of replicas, higher memory/cpu limits and +affinities are specified in that file. + +You can get ahold of `values-ha.yaml` by fetching the chart files: + +```bash +helm fetch --untar linkerd/linkerd-control-plane +``` + +Then use the `-f` flag to provide the override file, for example: + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + -f linkerd2/values-ha.yaml + linkerd/linkerd-control-plane +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Extensions for Linkerd + +The current chart installs the core Linkerd components, which grant you +reliability and security features. Other functionality is available through +extensions. Check the corresponding docs for each one of the following +extensions: + +* Observability: + [Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/README.md) +* Multicluster: + [Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md) +* Tracing: + [Linkerd-jaeger](https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/README.md) + +## Requirements + +Kubernetes: `>=1.22.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| file://../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | +| clusterNetworks | string | `"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"` | The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network. By default, all IPv4 private networks and all accepted IPv6 ULAs are specified so that resolution works in typical Kubernetes environments. | +| cniEnabled | bool | `false` | enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed | +| commonLabels | object | `{}` | Labels to apply to all resources | +| controlPlaneTracing | bool | `false` | enables control plane tracing | +| controlPlaneTracingNamespace | string | `"linkerd-jaeger"` | namespace to send control plane traces to | +| controller.podDisruptionBudget | object | `{"maxUnavailable":1}` | sets pod disruption budget parameter for all deployments | +| controller.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number of pods that can be unavailable during disruption | +| controllerGID | int | `-1` | Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0) | +| controllerImage | string | `"cr.l5d.io/linkerd/controller"` | Docker image for the destination and identity components | +| controllerImageVersion | string | `""` | Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. | +| controllerLogFormat | string | `"plain"` | Log format for the control plane components | +| controllerLogLevel | string | `"info"` | Log level for the control plane components | +| controllerReplicas | int | `1` | Number of replicas for each control plane pod | +| controllerUID | int | `2103` | User ID for the control plane components | +| debugContainer.image.name | string | `"cr.l5d.io/linkerd/debug"` | Docker image for the debug container | +| debugContainer.image.pullPolicy | string | imagePullPolicy | Pull policy for the debug container image | +| debugContainer.image.version | string | linkerdVersion | Tag for the debug container image | +| deploymentStrategy | object | `{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"}}` | default kubernetes deployment strategy | +| destinationController.livenessProbe.timeoutSeconds | int | `1` | | +| destinationController.meshedHttp2ClientProtobuf.keep_alive.interval.seconds | int | `10` | | +| destinationController.meshedHttp2ClientProtobuf.keep_alive.timeout.seconds | int | `3` | | +| destinationController.meshedHttp2ClientProtobuf.keep_alive.while_idle | bool | `true` | | +| destinationController.readinessProbe.timeoutSeconds | int | `1` | | +| disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob | +| disableIPv6 | bool | `true` | disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0) | +| enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on | +| enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading | +| enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 | +| enablePodAntiAffinity | bool | `false` | enables pod anti affinity creation on deployments for high availability | +| enablePodDisruptionBudget | bool | `false` | enables the creation of pod disruption budgets for control plane components | +| enablePprof | bool | `false` | enables the use of pprof endpoints on control plane component's admin servers | +| identity.externalCA | bool | `false` | If the linkerd-identity-trust-roots ConfigMap has already been created | +| identity.issuer.clockSkewAllowance | string | `"20s"` | Amount of time to allow for clock skew within a Linkerd cluster | +| identity.issuer.issuanceLifetime | string | `"24h0m0s"` | Amount of time for which the Identity issuer should certify identity | +| identity.issuer.scheme | string | `"linkerd.io/tls"` | | +| identity.issuer.tls | object | `{"crtPEM":"","keyPEM":""}` | Which scheme is used for the identity issuer secret format | +| identity.issuer.tls.crtPEM | string | `""` | Issuer certificate (ECDSA). It must be provided during install. | +| identity.issuer.tls.keyPEM | string | `""` | Key for the issuer certificate (ECDSA). It must be provided during install | +| identity.kubeAPI.clientBurst | int | `200` | Burst value over clientQPS | +| identity.kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) | +| identity.livenessProbe.timeoutSeconds | int | `1` | | +| identity.readinessProbe.timeoutSeconds | int | `1` | | +| identity.serviceAccountTokenProjection | bool | `true` | Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token | +| identityTrustAnchorsPEM | string | `""` | Trust root certificate (ECDSA). It must be provided during install. | +| identityTrustDomain | string | clusterDomain | Trust domain used for identity | +| imagePullPolicy | string | `"IfNotPresent"` | Docker image pull policy | +| imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts | +| kubeAPI.clientBurst | int | `200` | Burst value over clientQPS | +| kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) | +| linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version | +| networkValidator.connectAddr | string | `""` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively. | +| networkValidator.enableSecurityContext | bool | `true` | Include a securityContext in the network-validator pod spec | +| networkValidator.listenAddr | string | `""` | Address to which network-validator listens to requests from itself. If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively. | +| networkValidator.logFormat | string | plain | Log format (`plain` or `json`) for network-validator | +| networkValidator.logLevel | string | debug | Log level for the network-validator | +| networkValidator.timeout | string | `"10s"` | Timeout before network-validator fails to validate the pod's network connectivity | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information | +| podAnnotations | object | `{}` | Additional annotations to add to all pods | +| podLabels | object | `{}` | Additional labels to add to all pods | +| podMonitor.controller.enabled | bool | `true` | Enables the creation of PodMonitor for the control-plane | +| podMonitor.controller.namespaceSelector | string | `"matchNames:\n - {{ .Release.Namespace }}\n - linkerd-viz\n - linkerd-jaeger\n"` | Selector to select which namespaces the Endpoints objects are discovered from | +| podMonitor.enabled | bool | `false` | Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) | +| podMonitor.labels | object | `{}` | Labels to apply to all pod Monitors | +| podMonitor.proxy.enabled | bool | `true` | Enables the creation of PodMonitor for the data-plane | +| podMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped | +| podMonitor.scrapeTimeout | string | `"10s"` | Iimeout after which the scrape is ended | +| podMonitor.serviceMirror.enabled | bool | `true` | Enables the creation of PodMonitor for the Service Mirror component | +| policyController.image.name | string | `"cr.l5d.io/linkerd/policy-controller"` | Docker image for the policy controller | +| policyController.image.pullPolicy | string | imagePullPolicy | Pull policy for the policy controller container image | +| policyController.image.version | string | linkerdVersion | Tag for the policy controller container image | +| policyController.livenessProbe.timeoutSeconds | int | `1` | | +| policyController.logLevel | string | `"info"` | Log level for the policy controller | +| policyController.probeNetworks | list | `["0.0.0.0/0","::/0"]` | The networks from which probes are performed. By default, all networks are allowed so that all probes are authorized. | +| policyController.readinessProbe.timeoutSeconds | int | `1` | | +| policyController.resources | object | `{"cpu":{"limit":"","request":""},"ephemeral-storage":{"limit":"","request":""},"memory":{"limit":"","request":""}}` | policy controller resource requests & limits | +| policyController.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the policy controller can use | +| policyController.resources.cpu.request | string | `""` | Amount of CPU units that the policy controller requests | +| policyController.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the policy controller can use | +| policyController.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the policy controller requests | +| policyController.resources.memory.limit | string | `""` | Maximum amount of memory that the policy controller can use | +| policyController.resources.memory.request | string | `""` | Maximum amount of memory that the policy controller requests | +| policyValidator.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `policyValidator.crtPEM`. If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. | +| policyValidator.crtPEM | string | `""` | Certificate for the policy validator. If not provided and not using an external secret then Helm will generate one. | +| policyValidator.externalSecret | bool | `false` | Do not create a secret resource for the policyValidator webhook. If this is set to `true`, the value `policyValidator.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below). | +| policyValidator.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. | +| policyValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. | +| policyValidator.keyPEM | string | `""` | Certificate key for the policy validator. If not provided and not using an external secret then Helm will generate one. | +| policyValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook | +| priorityClassName | string | `""` | Kubernetes priorityClassName for the Linkerd Pods | +| profileValidator.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `profileValidator.crtPEM`. If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. | +| profileValidator.crtPEM | string | `""` | Certificate for the service profile validator. If not provided and not using an external secret then Helm will generate one. | +| profileValidator.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). | +| profileValidator.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. | +| profileValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. | +| profileValidator.keyPEM | string | `""` | Certificate key for the service profile validator. If not provided and not using an external secret then Helm will generate one. | +| profileValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook | +| prometheusUrl | string | `""` | url of external prometheus instance (used for the heartbeat) | +| proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready | +| proxy.control.streams.idleTimeout | string | `"5m"` | The timeout between consecutive updates from the control plane. | +| proxy.control.streams.initialTimeout | string | `"3s"` | The timeout for the first update from the control plane. | +| proxy.control.streams.lifetime | string | `"1h"` | The maximum duration for a response stream (i.e. before it will be reinitialized). | +| proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. | +| proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny", "audit" | +| proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value | +| proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value | +| proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services | +| proxy.enableShutdownEndpoint | bool | `false` | Enables the proxy's /shutdown admin endpoint | +| proxy.gid | int | `-1` | Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0) | +| proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy | +| proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container image | +| proxy.image.version | string | linkerdVersion | Tag for the proxy container image | +| proxy.inbound.server.http2.keepAliveInterval | string | `"10s"` | The interval at which PINGs are issued to remote HTTP/2 clients. | +| proxy.inbound.server.http2.keepAliveTimeout | string | `"3s"` | The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections. | +| proxy.inboundConnectTimeout | string | `"100ms"` | Maximum time allowed for the proxy to establish an inbound TCP connection | +| proxy.inboundDiscoveryCacheUnusedTimeout | string | `"90s"` | Maximum time allowed before an unused inbound discovery result is evicted from the cache | +| proxy.livenessProbe | object | `{"initialDelaySeconds":10,"timeoutSeconds":1}` | LivenessProbe timeout and delay configuration | +| proxy.logFormat | string | `"plain"` | Log format (`plain` or `json`) for the proxy | +| proxy.logHTTPHeaders | `off` or `insecure` | `"off"` | If set to `off`, will prevent the proxy from logging HTTP headers. If set to `insecure`, HTTP headers may be logged verbatim. Note that setting this to `insecure` is not alone sufficient to log HTTP headers; the proxy logLevel must also be set to debug. | +| proxy.logLevel | string | `"warn,linkerd=info,hickory=error"` | Log level for the proxy | +| proxy.nativeSidecar | bool | `false` | Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used. | +| proxy.opaquePorts | string | `"25,587,3306,4444,5432,6379,9300,11211"` | Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection | +| proxy.outbound.server.http2.keepAliveInterval | string | `"10s"` | The interval at which PINGs are issued to local application HTTP/2 clients. | +| proxy.outbound.server.http2.keepAliveTimeout | string | `"3s"` | The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections. | +| proxy.outboundConnectTimeout | string | `"1000ms"` | Maximum time allowed for the proxy to establish an outbound TCP connection | +| proxy.outboundDiscoveryCacheUnusedTimeout | string | `"5s"` | Maximum time allowed before an unused outbound discovery result is evicted from the cache | +| proxy.ports.admin | int | `4191` | Admin port for the proxy container | +| proxy.ports.control | int | `4190` | Control port for the proxy container | +| proxy.ports.inbound | int | `4143` | Inbound port for the proxy container | +| proxy.ports.outbound | int | `4140` | Outbound port for the proxy container | +| proxy.readinessProbe | object | `{"initialDelaySeconds":2,"timeoutSeconds":1}` | ReadinessProbe timeout and delay configuration | +| proxy.requireIdentityOnInboundPorts | string | `""` | | +| proxy.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the proxy can use | +| proxy.resources.cpu.request | string | `""` | Amount of CPU units that the proxy requests | +| proxy.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the proxy can use | +| proxy.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the proxy requests | +| proxy.resources.memory.limit | string | `""` | Maximum amount of memory that the proxy can use | +| proxy.resources.memory.request | string | `""` | Maximum amount of memory that the proxy requests | +| proxy.shutdownGracePeriod | string | `""` | Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. | +| proxy.startupProbe.failureThreshold | int | `120` | | +| proxy.startupProbe.initialDelaySeconds | int | `0` | | +| proxy.startupProbe.periodSeconds | int | `1` | | +| proxy.uid | int | `2102` | User id under which the proxy runs | +| proxy.waitBeforeExitSeconds | int | `0` | If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. See [Lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) for more info on container lifecycle hooks. | +| proxyInit.closeWaitTimeoutSecs | int | `0` | | +| proxyInit.ignoreInboundPorts | string | `"4567,4568"` | Default set of inbound ports to skip via iptables - Galera (4567,4568) | +| proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) | +| proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container | +| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container image | +| proxyInit.image.version | string | `"v2.4.1"` | Tag for the proxy-init container image | +| proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used | +| proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server | +| proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init | +| proxyInit.logLevel | string | info | Log level for the proxy-init | +| proxyInit.privileged | bool | false | Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with 'runAsRoot: true', the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host. | +| proxyInit.runAsGroup | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 | +| proxyInit.runAsRoot | bool | `false` | Allow overriding the runAsNonRoot behaviour () | +| proxyInit.runAsUser | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsUser will be 0 | +| proxyInit.skipSubnets | string | `""` | Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy | +| proxyInit.xtMountPath.mountPath | string | `"/run"` | | +| proxyInit.xtMountPath.name | string | `"linkerd-proxy-init-xtables-lock"` | | +| proxyInjector.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. | +| proxyInjector.crtPEM | string | `""` | Certificate for the proxy injector. If not provided and not using an external secret then Helm will generate one. | +| proxyInjector.externalSecret | bool | `false` | Do not create a secret resource for the proxyInjector webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). | +| proxyInjector.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. | +| proxyInjector.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. | +| proxyInjector.keyPEM | string | `""` | Certificate key for the proxy injector. If not provided and not using an external secret then Helm will generate one. | +| proxyInjector.livenessProbe.timeoutSeconds | int | `1` | | +| proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}` | Namespace selector used by admission webhook. | +| proxyInjector.objectSelector | object | `{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}` | Object selector used by admission webhook. | +| proxyInjector.readinessProbe.timeoutSeconds | int | `1` | | +| proxyInjector.timeoutSeconds | int | `10` | Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used. | +| revisionHistoryLimit | int | `10` | Specifies the number of old ReplicaSets to retain to allow rollback. | +| runtimeClassName | string | `""` | Runtime Class Name for all the pods | +| spValidator | object | `{"livenessProbe":{"timeoutSeconds":1},"readinessProbe":{"timeoutSeconds":1}}` | SP validator configuration | +| webhookFailurePolicy | string | `"Ignore"` | Failure policy for the proxy injector | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/README.md.gotmpl b/charts/linkerd/linkerd-control-plane/2024.10.2/README.md.gotmpl new file mode 100644 index 0000000000..19da2a82d6 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/README.md.gotmpl @@ -0,0 +1,133 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Prerequisite: linkerd-crds chart + +Before installing this chart, please install the `linkerd-crds` chart, which +creates all the CRDs that the components from the current chart require. + +## Prerequisite: identity certificates + +The identity component of Linkerd requires setting up a trust anchor +certificate, and an issuer certificate with its key. These need to be provided +to Helm by the user (unlike when using the `linkerd install` CLI which can +generate these automatically). You can provide your own, or follow [these +instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new +ones. + +Alternatively, both trust anchor and identity issuer certificates may be +derived from in-cluster resources. Existing CA (trust anchor) certificates +**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`. +Issuer certificates **must** live in a `Secret` named +`linkerd-identity-issuer`. Both resources should exist in the control-plane's +install namespace. In order to use an existing CA, Linkerd needs to be +installed with `identity.externalCA=true`. To use an existing issuer +certificate, Linkerd should be installed with +`identity.issuer.scheme=kubernetes.io/tls`. + +A more comprehensive description is in the [automatic certificate rotation +guide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions). + +Note that the provided certificates must be ECDSA certificates. + +## Adding Linkerd's Helm repository + +Included here for completeness-sake, but should have already been added when +`linkerd-base` was installed. + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the chart + +You must provide the certificates and keys described in the preceding section, +and the same expiration date you used to generate the Issuer certificate. + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + linkerd/linkerd-control-plane +``` + +Note that you require to install this chart in the same namespace you installed +the `linkerd-base` chart. + +## Setting High-Availability + +Besides the default `values.yaml` file, the chart provides a `values-ha.yaml` +file that overrides some default values as to set things up under a +high-availability scenario, analogous to the `--ha` option in `linkerd install`. +Values such as higher number of replicas, higher memory/cpu limits and +affinities are specified in that file. + +You can get ahold of `values-ha.yaml` by fetching the chart files: + +```bash +helm fetch --untar linkerd/linkerd-control-plane +``` + +Then use the `-f` flag to provide the override file, for example: + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + -f linkerd2/values-ha.yaml + linkerd/linkerd-control-plane +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Extensions for Linkerd + +The current chart installs the core Linkerd components, which grant you +reliability and security features. Other functionality is available through +extensions. Check the corresponding docs for each one of the following +extensions: + +* Observability: + [Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/README.md) +* Multicluster: + [Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md) +* Tracing: + [Linkerd-jaeger](https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/README.md) + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/app-readme.md b/charts/linkerd/linkerd-control-plane/2024.10.2/app-readme.md new file mode 100644 index 0000000000..351eac5f0d --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/app-readme.md @@ -0,0 +1,14 @@ +# Linkerd 2 Chart + +Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd +adds security, observability, and reliability to Kubernetes, without the +complexity. + +This particular Helm chart only installs the control plane core. You will also need to install the +linkerd-crds chart. This chart should be automatically installed along with any other dependencies. +If it is not installed as a dependency, install it first. + +To gain access to the observability features, please install the linkerd-viz chart. +Other extensions are available (multicluster, jaeger) under the linkerd Helm repo. + +Full documentation available at: https://linkerd.io/2/overview/ diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/.helmignore b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/Chart.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/Chart.yaml new file mode 100644 index 0000000000..23cfc167e3 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +description: 'A Helm chart containing Linkerd partial templates, depended by the ''linkerd'' + and ''patch'' charts. ' +name: partials +version: 0.1.0 diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/README.md b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/README.md new file mode 100644 index 0000000000..10805c9b94 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/README.md @@ -0,0 +1,9 @@ +# partials + +A Helm chart containing Linkerd partial templates, +depended by the 'linkerd' and 'patch' charts. + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/README.md.gotmpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/README.md.gotmpl new file mode 100644 index 0000000000..37f5101061 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/NOTES.txt b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/NOTES.txt new file mode 100644 index 0000000000..e69de29bb2 diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_affinity.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_affinity.tpl new file mode 100644 index 0000000000..5dde1da473 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_affinity.tpl @@ -0,0 +1,38 @@ +{{ define "linkerd.pod-affinity" -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: topology.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: kubernetes.io/hostname +{{- end }} + +{{ define "linkerd.node-affinity" -}} +nodeAffinity: +{{- toYaml .Values.nodeAffinity | trim | nindent 2 }} +{{- end }} + +{{ define "linkerd.affinity" -}} +{{- if or .Values.enablePodAntiAffinity .Values.nodeAffinity -}} +affinity: +{{- end }} +{{- if .Values.enablePodAntiAffinity -}} +{{- include "linkerd.pod-affinity" . | nindent 2 }} +{{- end }} +{{- if .Values.nodeAffinity -}} +{{- include "linkerd.node-affinity" . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_capabilities.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_capabilities.tpl new file mode 100644 index 0000000000..a595d74c1f --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_capabilities.tpl @@ -0,0 +1,16 @@ +{{- define "partials.proxy.capabilities" -}} +capabilities: + {{- if .Values.proxy.capabilities.add }} + add: + {{- toYaml .Values.proxy.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxy.capabilities.drop }} + drop: + {{- toYaml .Values.proxy.capabilities.drop | trim | nindent 4 }} + {{- end }} +{{- end -}} + +{{- define "partials.proxy-init.capabilities.drop" -}} +drop: +{{ toYaml .Values.proxyInit.capabilities.drop | trim }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_debug.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_debug.tpl new file mode 100644 index 0000000000..4df8cc77bc --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_debug.tpl @@ -0,0 +1,15 @@ +{{- define "partials.debug" -}} +image: {{.Values.debugContainer.image.name}}:{{.Values.debugContainer.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.debugContainer.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-debug +terminationMessagePolicy: FallbackToLogsOnError +# some environments require probes, so we provide some infallible ones +livenessProbe: + exec: + command: + - "true" +readinessProbe: + exec: + command: + - "true" +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_helpers.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_helpers.tpl new file mode 100644 index 0000000000..b6cdc34d08 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_helpers.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Splits a coma separated list into a list of string values. +For example "11,22,55,44" will become "11","22","55","44" +*/}} +{{- define "partials.splitStringList" -}} +{{- if gt (len (toString .)) 0 -}} +{{- $ports := toString . | splitList "," -}} +{{- $last := sub (len $ports) 1 -}} +{{- range $i,$port := $ports -}} +"{{$port}}"{{ternary "," "" (ne $i $last)}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_metadata.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_metadata.tpl new file mode 100644 index 0000000000..04d2f1beab --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_metadata.tpl @@ -0,0 +1,17 @@ +{{- define "partials.annotations.created-by" -}} +linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" ( (.Values.image).version | default .Values.linkerdVersion)) }} +{{- end -}} + +{{- define "partials.proxy.annotations" -}} +linkerd.io/proxy-version: {{.Values.proxy.image.version | default .Values.linkerdVersion}} +cluster-autoscaler.kubernetes.io/safe-to-evict: "true" +linkerd.io/trust-root-sha256: {{ .Values.identityTrustAnchorsPEM | sha256sum }} +{{- end -}} + +{{/* +To add labels to the control-plane components, instead update at individual component manifests as +adding here would also update `spec.selector.matchLabels` which are immutable and would fail upgrades. +*/}} +{{- define "partials.proxy.labels" -}} +linkerd.io/proxy-{{.workloadKind}}: {{.component}} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_network-validator.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_network-validator.tpl new file mode 100644 index 0000000000..276056395f --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_network-validator.tpl @@ -0,0 +1,45 @@ +{{- define "partials.network-validator" -}} +name: linkerd-network-validator +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +{{ include "partials.resources" .Values.proxy.resources }} +{{- if or .Values.networkValidator.enableSecurityContext }} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault +{{- end }} +command: + - /usr/lib/linkerd/linkerd2-network-validator +args: + - --log-format + - {{ .Values.networkValidator.logFormat }} + - --log-level + - {{ .Values.networkValidator.logLevel }} + - --connect-addr + {{- if .Values.networkValidator.connectAddr }} + - {{ .Values.networkValidator.connectAddr | quote }} + {{- else if .Values.disableIPv6}} + - "1.1.1.1:20001" + {{- else }} + - "[fd00::1]:20001" + {{- end }} + - --listen-addr + {{- if .Values.networkValidator.listenAddr }} + - {{ .Values.networkValidator.listenAddr | quote }} + {{- else if .Values.disableIPv6}} + - "0.0.0.0:4140" + {{- else }} + - "[::]:4140" + {{- end }} + - --timeout + - {{ .Values.networkValidator.timeout }} + +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_nodeselector.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_nodeselector.tpl new file mode 100644 index 0000000000..4cde0ab16e --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_nodeselector.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.node-selector" -}} +nodeSelector: +{{- toYaml .Values.nodeSelector | trim | nindent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy-config-ann.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy-config-ann.tpl new file mode 100644 index 0000000000..9651b3bd1a --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy-config-ann.tpl @@ -0,0 +1,18 @@ +{{- define "partials.proxy.config.annotations" -}} +{{- with .cpu }} +{{- with .request -}} +config.linkerd.io/proxy-cpu-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-cpu-limit: {{. | quote}} +{{- end}} +{{- end}} +{{- with .memory }} +{{- with .request }} +config.linkerd.io/proxy-memory-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-memory-limit: {{. | quote}} +{{- end}} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy-init.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy-init.tpl new file mode 100644 index 0000000000..a307b14073 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy-init.tpl @@ -0,0 +1,98 @@ +{{- define "partials.proxy-init" -}} +args: +{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }} +- --firewall-bin-path +- "iptables-nft" +- --firewall-save-bin-path +- "iptables-nft-save" +{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }} +{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }} +{{end -}} +{{- if .Values.disableIPv6 }} +- --ipv6=false +{{- end }} +- --incoming-proxy-port +- {{.Values.proxy.ports.inbound | quote}} +- --outgoing-proxy-port +- {{.Values.proxy.ports.outbound | quote}} +- --proxy-uid +- {{.Values.proxy.uid | quote}} +{{- if ge (int .Values.proxy.gid) 0 }} +- --proxy-gid +- {{.Values.proxy.gid | quote}} +{{- end }} +- --inbound-ports-to-ignore +- "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}" +{{- if .Values.proxyInit.ignoreOutboundPorts }} +- --outbound-ports-to-ignore +- {{.Values.proxyInit.ignoreOutboundPorts | quote}} +{{- end }} +{{- if .Values.proxyInit.closeWaitTimeoutSecs }} +- --timeout-close-wait-secs +- {{ .Values.proxyInit.closeWaitTimeoutSecs | quote}} +{{- end }} +{{- if .Values.proxyInit.logFormat }} +- --log-format +- {{ .Values.proxyInit.logFormat }} +{{- end }} +{{- if .Values.proxyInit.logLevel }} +- --log-level +- {{ .Values.proxyInit.logLevel }} +{{- end }} +{{- if .Values.proxyInit.skipSubnets }} +- --subnets-to-ignore +- {{ .Values.proxyInit.skipSubnets | quote }} +{{- end }} +image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}} +imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-init +{{ include "partials.resources" .Values.proxy.resources }} +securityContext: + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + allowPrivilegeEscalation: true + {{- else }} + allowPrivilegeEscalation: false + {{- end }} + capabilities: + add: + - NET_ADMIN + - NET_RAW + {{- if .Values.proxyInit.capabilities -}} + {{- if .Values.proxyInit.capabilities.add }} + {{- toYaml .Values.proxyInit.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxyInit.capabilities.drop -}} + {{- include "partials.proxy-init.capabilities.drop" . | nindent 4 -}} + {{- end }} + {{- end }} + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + privileged: true + {{- else }} + privileged: false + {{- end }} + {{- if .Values.proxyInit.runAsRoot }} + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + runAsNonRoot: true + runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }} + runAsGroup: {{ .Values.proxyInit.runAsGroup | int | eq 0 | ternary 65534 .Values.proxyInit.runAsGroup }} + {{- end }} + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }} +volumeMounts: +{{- end -}} +{{- if not .Values.cniEnabled }} +- mountPath: {{.Values.proxyInit.xtMountPath.mountPath}} + name: {{.Values.proxyInit.xtMountPath.name}} +{{- end -}} +{{- if .Values.proxyInit.saMountPath }} +- mountPath: {{.Values.proxyInit.saMountPath.mountPath}} + name: {{.Values.proxyInit.saMountPath.name}} + readOnly: {{.Values.proxyInit.saMountPath.readOnly}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy.tpl new file mode 100644 index 0000000000..4dcf12dee2 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_proxy.tpl @@ -0,0 +1,271 @@ +{{ define "partials.proxy" -}} +{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }} +{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }} +{{- end }} +{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off" "")) }} +{{- fail "logHTTPHeaders must be one of: insecure | off" }} +{{- end }} +{{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}} +env: +- name: _pod_name + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace +- name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName +{{- if .Values.proxy.cores }} +- name: LINKERD2_PROXY_CORES + value: {{.Values.proxy.cores | quote}} +{{- end }} +{{ if .Values.proxy.requireIdentityOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY + value: {{.Values.proxy.requireIdentityOnInboundPorts | quote}} +{{ end -}} +{{ if .Values.proxy.requireTLSOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS + value: {{.Values.proxy.requireTLSOnInboundPorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED + value: {{.Values.proxy.enableShutdownEndpoint | quote}} +- name: LINKERD2_PROXY_LOG + value: "{{.Values.proxy.logLevel}}{{ if not (eq .Values.proxy.logHTTPHeaders "insecure") }},[{headers}]=off,[{request}]=off{{ end }}" +- name: LINKERD2_PROXY_LOG_FORMAT + value: {{.Values.proxy.logFormat | quote}} +- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: {{ternary "localhost.:8086" (printf "linkerd-dst-headless.%s.svc.%s.:8086" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_POLICY_SVC_ADDR + value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_POLICY_WORKLOAD + value: | + {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"} +- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY + value: {{.Values.proxy.defaultInboundPolicy}} +- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT + value: {{((.Values.proxy.control).streams).initialTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT + value: {{((.Values.proxy.control).streams).idleTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME + value: {{((.Values.proxy.control).streams).lifetime | default "" | quote}} +{{ if .Values.proxy.inboundConnectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.inboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundConnectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.outboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.outboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.inboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.control}}" +- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.admin}}" +{{- /* Deprecated, superseded by LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS since proxy's v2.228.0 (deployed since edge-24.4.5) */}} +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}" +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}{{ if not .Values.disableIPv6}},[::1]:{{.Values.proxy.ports.outbound}}{{ end }}" +- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.inbound}}" +- name: LINKERD2_PROXY_INBOUND_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs +- name: LINKERD2_PROXY_INBOUND_PORTS + value: {{ .Values.proxy.podInboundPorts | quote }} +{{ if .Values.proxy.isGateway -}} +- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES + value: {{printf "svc.%s." .Values.clusterDomain}} +{{ end -}} +{{ if .Values.proxy.isIngress -}} +- name: LINKERD2_PROXY_INGRESS_MODE + value: "true" +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + {{- $internalDomain := printf "svc.%s." .Values.clusterDomain }} + value: {{ternary "." $internalDomain .Values.proxy.enableExternalProfiles}} +- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms +- name: LINKERD2_PROXY_INBOUND_ACCEPT_USER_TIMEOUT + value: 30s +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_USER_TIMEOUT + value: 30s +{{- /* Configure inbound and outbound parameters, e.g. for HTTP/2 servers. */}} +{{ range $proxyK, $proxyV := (dict "inbound" .Values.proxy.inbound "outbound" .Values.proxy.outbound) -}} +{{ range $scopeK, $scopeV := $proxyV -}} +{{ range $protoK, $protoV := $scopeV -}} +{{ range $paramK, $paramV := $protoV -}} +- name: LINKERD2_PROXY_{{snakecase $proxyK | upper}}_{{snakecase $scopeK | upper}}_{{snakecase $protoK | upper}}_{{snakecase $paramK | upper}} + value: {{ quote $paramV }} +{{ end -}} +{{ end -}} +{{ end -}} +{{ end -}} +{{ if .Values.proxy.opaquePorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION + value: {{.Values.proxy.opaquePorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} +- name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +- name: _l5d_ns + value: {{.Release.Namespace}} +- name: _l5d_trustdomain + value: {{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity +- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS +{{- /* +Pods in the `linkerd` namespace are not injected by the proxy injector and instead obtain +the trust anchor bundle from the `linkerd-identity-trust-roots` configmap. This should not +be used in other contexts. +*/}} +{{- if .Values.proxy.loadTrustBundleFromConfigMap }} + valueFrom: + configMapKeyRef: + name: linkerd-identity-trust-roots + key: ca-bundle.crt +{{ else }} + value: | + {{- required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }} +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE +{{- if .Values.identity.serviceAccountTokenProjection }} + value: /var/run/secrets/tokens/linkerd-identity-token +{{ else }} + value: /var/run/secrets/kubernetes.io/serviceaccount/token +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: {{ternary "localhost.:8080" (printf "linkerd-identity-headless.%s.svc.%s.:8080" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-identity")}} +- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_POLICY_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +{{ if .Values.proxy.accessLog -}} +- name: LINKERD2_PROXY_ACCESS_LOG + value: {{.Values.proxy.accessLog | quote}} +{{ end -}} +{{ if .Values.proxy.shutdownGracePeriod -}} +- name: LINKERD2_PROXY_SHUTDOWN_GRACE_PERIOD + value: {{.Values.proxy.shutdownGracePeriod | quote}} +{{ end -}} +{{ if .Values.proxy.additionalEnv -}} +{{ toYaml .Values.proxy.additionalEnv }} +{{ end -}} +{{ if .Values.proxy.experimentalEnv -}} +{{ toYaml .Values.proxy.experimentalEnv }} +{{ end -}} +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +livenessProbe: + httpGet: + path: /live + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.livenessProbe.timeoutSeconds }} +name: linkerd-proxy +ports: +- containerPort: {{.Values.proxy.ports.inbound}} + name: linkerd-proxy +- containerPort: {{.Values.proxy.ports.admin}} + name: linkerd-admin +readinessProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.readinessProbe.timeoutSeconds }} +{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }} +startupProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}} + periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}} + failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}} +{{- end }} +{{- if .Values.proxy.resources }} +{{ include "partials.resources" .Values.proxy.resources }} +{{- end }} +securityContext: + allowPrivilegeEscalation: false + {{- if .Values.proxy.capabilities -}} + {{- include "partials.proxy.capabilities" . | nindent 2 -}} + {{- end }} + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.proxy.uid}} +{{- if ge (int .Values.proxy.gid) 0 }} + runAsGroup: {{.Values.proxy.gid}} +{{- end }} + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }} +lifecycle: +{{- if .Values.proxy.await }} + postStart: + exec: + command: + - /usr/lib/linkerd/linkerd-await + - --timeout=2m + - --port={{.Values.proxy.ports.admin}} +{{- end }} +{{- if .Values.proxy.waitBeforeExitSeconds }} + preStop: + exec: + command: + - /bin/sleep + - {{.Values.proxy.waitBeforeExitSeconds | quote}} +{{- end }} +{{- end }} +volumeMounts: +- mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity +{{- if .Values.identity.serviceAccountTokenProjection }} +- mountPath: /var/run/secrets/tokens + name: linkerd-identity-token +{{- end }} +{{- if .Values.proxy.saMountPath }} +- mountPath: {{.Values.proxy.saMountPath.mountPath}} + name: {{.Values.proxy.saMountPath.name}} + readOnly: {{.Values.proxy.saMountPath.readOnly}} +{{- end -}} +{{- if .Values.proxy.nativeSidecar }} +restartPolicy: Always +{{- end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_pull-secrets.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_pull-secrets.tpl new file mode 100644 index 0000000000..0c9aa4f01c --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_pull-secrets.tpl @@ -0,0 +1,6 @@ +{{- define "partials.image-pull-secrets"}} +{{- if . }} +imagePullSecrets: +{{ toYaml . | indent 2 }} +{{- end }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_resources.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_resources.tpl new file mode 100644 index 0000000000..1fd6789fd7 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_resources.tpl @@ -0,0 +1,28 @@ +{{- define "partials.resources" -}} +{{- $ephemeralStorage := index . "ephemeral-storage" -}} +resources: + {{- if or (.cpu).limit (.memory).limit ($ephemeralStorage).limit }} + limits: + {{- with (.cpu).limit }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).limit }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).limit }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} + {{- if or (.cpu).request (.memory).request ($ephemeralStorage).request }} + requests: + {{- with (.cpu).request }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).request }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).request }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_tolerations.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_tolerations.tpl new file mode 100644 index 0000000000..c2292b1464 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_tolerations.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.tolerations" -}} +tolerations: +{{ toYaml .Values.tolerations | trim | indent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_trace.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_trace.tpl new file mode 100644 index 0000000000..dee059541f --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_trace.tpl @@ -0,0 +1,5 @@ +{{ define "partials.linkerd.trace" -}} +{{ if .Values.controlPlaneTracing -}} +- -trace-collector=collector.{{.Values.controlPlaneTracingNamespace}}.svc.{{.Values.clusterDomain}}:55678 +{{ end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_validate.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_validate.tpl new file mode 100644 index 0000000000..ba772c2fee --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_validate.tpl @@ -0,0 +1,19 @@ +{{- define "linkerd.webhook.validation" -}} + +{{- if and (.injectCaFrom) (.injectCaFromSecret) -}} +{{- fail "injectCaFrom and injectCaFromSecret cannot both be set" -}} +{{- end -}} + +{{- if and (or (.injectCaFrom) (.injectCaFromSecret)) (.caBundle) -}} +{{- fail "injectCaFrom or injectCaFromSecret cannot be set if providing a caBundle" -}} +{{- end -}} + +{{- if and (.externalSecret) (empty .caBundle) (empty .injectCaFrom) (empty .injectCaFromSecret) -}} +{{- fail "if externalSecret is set, then caBundle, injectCaFrom, or injectCaFromSecret must be set" -}} +{{- end }} + +{{- if and (or .injectCaFrom .injectCaFromSecret .caBundle) (not .externalSecret) -}} +{{- fail "if caBundle, injectCaFrom, or injectCaFromSecret is set, then externalSecret must be set" -}} +{{- end -}} + +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_volumes.tpl b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_volumes.tpl new file mode 100644 index 0000000000..9684cf2409 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/templates/_volumes.tpl @@ -0,0 +1,20 @@ +{{ define "partials.proxy.volumes.identity" -}} +emptyDir: + medium: Memory +name: linkerd-identity-end-entity +{{- end -}} + +{{ define "partials.proxyInit.volumes.xtables" -}} +emptyDir: {} +name: {{ .Values.proxyInit.xtMountPath.name }} +{{- end -}} + +{{- define "partials.proxy.volumes.service-account-token" -}} +name: linkerd-identity-token +projected: + sources: + - serviceAccountToken: + path: linkerd-identity-token + expirationSeconds: 86400 {{- /* # 24 hours */}} + audience: identity.l5d.io +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/values.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/charts/partials/values.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/questions.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/questions.yaml new file mode 100644 index 0000000000..4ae27870a3 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/questions.yaml @@ -0,0 +1,19 @@ +questions: +- variable: identityTrustAnchorsPEM + label: "Trust root certificate (ECDSA)" + description: "Root certificate used to support mTLS connections between meshed pods" + required: true + type: multiline + group: Identity +- variable: identity.issuer.tls.crtPEM + label: "Issuer certificate (ECDSA)" + description: "Intermediate certificate, rooted on identityTrustAnchorsPEM, used to sign the Linkerd proxies' CSR" + required: true + type: multiline + group: Identity +- variable: identity.issuer.tls.keyPEM + label: "Key for the issuer certificate (ECDSA)" + description: "Private key for the certificate entered on crtPEM" + required: true + type: multiline + group: Identity diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/NOTES.txt b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/NOTES.txt new file mode 100644 index 0000000000..4bd1be9fc0 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/NOTES.txt @@ -0,0 +1,19 @@ +The Linkerd control plane was successfully installed 🎉 + +To help you manage your Linkerd service mesh you can install the Linkerd CLI by running: + + curl -sL https://run.linkerd.io/install | sh + +Alternatively, you can download the CLI directly via the Linkerd releases page: + + https://github.com/linkerd/linkerd2/releases/ + +To make sure everything works as expected, run the following: + + linkerd check + +The viz extension can be installed by running: + + helm install linkerd-viz linkerd/linkerd-viz + +Looking for more? Visit https://linkerd.io/2/getting-started/ diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/config-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/config-rbac.yaml new file mode 100644 index 0000000000..5f5c34203e --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/config-rbac.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} + name: ext-namespace-metadata-linkerd-config + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/config.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/config.yaml new file mode 100644 index 0000000000..a9cea5f421 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/config.yaml @@ -0,0 +1,39 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-config + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +data: + linkerd-crds-chart-version: linkerd-crds-1.0.0-edge + values: | + {{- $values := deepCopy .Values }} + {{- /* + WARNING! All sensitive or private data such as TLS keys must be removed + here to avoid it being publicly readable. + */ -}} + {{- if kindIs "map" $values.identity.issuer.tls -}} + {{- $_ := unset $values.identity.issuer.tls "keyPEM"}} + {{- end -}} + {{- if kindIs "map" $values.profileValidator -}} + {{- $_ := unset $values.profileValidator "keyPEM"}} + {{- end -}} + {{- if kindIs "map" $values.proxyInjector -}} + {{- $_ := unset $values.proxyInjector "keyPEM"}} + {{- end -}} + {{- if kindIs "map" $values.policyValidator -}} + {{- $_ := unset $values.policyValidator "keyPEM"}} + {{- end -}} + {{- if (empty $values.identityTrustDomain) -}} + {{- $_ := set $values "identityTrustDomain" $values.clusterDomain}} + {{- end -}} + {{- $_ := unset $values "partials"}} + {{- $_ := unset $values "configs"}} + {{- $_ := unset $values "stage"}} + {{- toYaml $values | trim | nindent 4 }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/destination-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/destination-rbac.yaml new file mode 100644 index 0000000000..38488cd048 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/destination-rbac.yaml @@ -0,0 +1,327 @@ +--- +### +### Destination Controller Service +### +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services", "nodes"] + verbs: ["list", "get", "watch"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["workload.linkerd.io"] + resources: ["externalworkloads"] + verbs: ["list", "get", "watch"] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "get", "update", "patch"] + {{- if .Values.enableEndpointSlices }} +- apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["list", "get", "watch", "create", "update", "patch", "delete"] + {{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Release.Namespace}}-destination +subjects: +- kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-destination + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +--- +{{- $host := printf "linkerd-sp-validator.%s.svc" .Release.Namespace }} +{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} +{{- if (not .Values.profileValidator.externalSecret) }} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-sp-validator-k8s-tls + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +type: kubernetes.io/tls +data: + tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.crtPEM)) (empty .Values.profileValidator.crtPEM) }} + tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.profileValidator.keyPEM)) (empty .Values.profileValidator.keyPEM) }} +--- +{{- end }} +{{- include "linkerd.webhook.validation" .Values.profileValidator }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: linkerd-sp-validator-webhook-config + {{- if or (.Values.profileValidator.injectCaFrom) (.Values.profileValidator.injectCaFromSecret) }} + annotations: + {{- if .Values.profileValidator.injectCaFrom }} + cert-manager.io/inject-ca-from: {{ .Values.profileValidator.injectCaFrom }} + {{- end }} + {{- if .Values.profileValidator.injectCaFromSecret }} + cert-manager.io/inject-ca-from-secret: {{ .Values.profileValidator.injectCaFromSecret }} + {{- end }} + {{- end }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +webhooks: +- name: linkerd-sp-validator.linkerd.io + namespaceSelector: + {{- toYaml .Values.profileValidator.namespaceSelector | trim | nindent 4 }} + clientConfig: + service: + name: linkerd-sp-validator + namespace: {{ .Release.Namespace }} + path: "/" + {{- if and (empty .Values.profileValidator.injectCaFrom) (empty .Values.profileValidator.injectCaFromSecret) }} + caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.caBundle)) (empty .Values.profileValidator.caBundle) }} + {{- end }} + failurePolicy: {{.Values.webhookFailurePolicy}} + admissionReviewVersions: ["v1", "v1beta1"] + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["linkerd.io"] + apiVersions: ["v1alpha1", "v1alpha2"] + resources: ["serviceprofiles"] + sideEffects: None +--- +{{- $host := printf "linkerd-policy-validator.%s.svc" .Release.Namespace }} +{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} +{{- if (not .Values.policyValidator.externalSecret) }} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-policy-validator-k8s-tls + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +type: kubernetes.io/tls +data: + tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.crtPEM)) (empty .Values.policyValidator.crtPEM) }} + tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.policyValidator.keyPEM)) (empty .Values.policyValidator.keyPEM) }} +--- +{{- end }} +{{- include "linkerd.webhook.validation" .Values.policyValidator }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: linkerd-policy-validator-webhook-config + {{- if or (.Values.policyValidator.injectCaFrom) (.Values.policyValidator.injectCaFromSecret) }} + annotations: + {{- if .Values.policyValidator.injectCaFrom }} + cert-manager.io/inject-ca-from: {{ .Values.policyValidator.injectCaFrom }} + {{- end }} + {{- if .Values.policyValidator.injectCaFromSecret }} + cert-manager.io/inject-ca-from-secret: {{ .Values.policyValidator.injectCaFromSecret }} + {{- end }} + {{- end }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +webhooks: +- name: linkerd-policy-validator.linkerd.io + namespaceSelector: + {{- toYaml .Values.policyValidator.namespaceSelector | trim | nindent 4 }} + clientConfig: + service: + name: linkerd-policy-validator + namespace: {{ .Release.Namespace }} + path: "/" + {{- if and (empty .Values.policyValidator.injectCaFrom) (empty .Values.policyValidator.injectCaFromSecret) }} + caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.caBundle)) (empty .Values.policyValidator.caBundle) }} + {{- end }} + failurePolicy: {{.Values.webhookFailurePolicy}} + admissionReviewVersions: ["v1", "v1beta1"] + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["policy.linkerd.io"] + apiVersions: ["*"] + resources: + - authorizationpolicies + - httproutes + - networkauthentications + - meshtlsauthentications + - serverauthorizations + - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["*"] + resources: + - httproutes + - grpcroutes + sideEffects: None +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: linkerd-policy + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - apiGroups: + - policy.linkerd.io + resources: + - authorizationpolicies + - httproutes + - meshtlsauthentications + - networkauthentications + - servers + - serverauthorizations + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + - grpcroutes + verbs: + - get + - list + - watch + - apiGroups: + - policy.linkerd.io + resources: + - httproutes/status + verbs: + - patch + - apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + - grpcroutes/status + verbs: + - patch + - apiGroups: + - workload.linkerd.io + resources: + - externalworkloads + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-destination-policy + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-policy +subjects: + - kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: remote-discovery + namespace: {{.Release.Namespace}} + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-destination-remote-discovery + namespace: {{.Release.Namespace}} + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: remote-discovery +subjects: + - kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/destination.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/destination.yaml new file mode 100644 index 0000000000..4be0d21abc --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/destination.yaml @@ -0,0 +1,435 @@ +--- +### +### Destination Controller Service +### +kind: Service +apiVersion: v1 +metadata: + name: linkerd-dst + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-dst-headless + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: sp-validator + port: 443 + targetPort: sp-validator +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-policy + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8090 + targetPort: 8090 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-policy-validator + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: policy-https + port: 443 + targetPort: policy-https +{{- if .Values.enablePodDisruptionBudget }} +--- +kind: PodDisruptionBudget +apiVersion: policy/v1 +metadata: + name: linkerd-dst + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + linkerd.io/control-plane-component: destination +{{- end }} +--- +{{- $tree := deepCopy . }} +{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} +{{ $_ := set $tree.Values.proxy "component" "linkerd-destination" -}} +{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.destinationProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.destinationProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.destinationProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + app.kubernetes.io/name: destination + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + name: linkerd-destination + namespace: {{ .Release.Namespace }} +spec: + replicas: {{.Values.controllerReplicas}} + revisionHistoryLimit: {{.Values.revisionHistoryLimit}} + selector: + matchLabels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}} + {{- if .Values.deploymentStrategy }} + strategy: + {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- end }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/destination-rbac.yaml") . | sha256sum }} + {{ include "partials.annotations.created-by" . }} + {{- include "partials.proxy.annotations" . | nindent 8}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + config.linkerd.io/default-inbound-policy: "all-unauthenticated" + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 6 }} + {{- $_ := set $tree "component" "destination" -}} + {{- include "linkerd.affinity" $tree | nindent 6 }} + containers: + {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }} + {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} + {{- $_ := set $tree.Values.proxy "podInboundPorts" "8086,8090,8443,9443,9990,9996,9997" }} + {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} + {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + {{- /* + The pod needs to accept webhook traffic, and we can't rely on that originating in the + cluster network. + */}} + {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} + {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- if not $tree.Values.proxy.nativeSidecar }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} + - args: + - destination + - -addr=:8086 + - -controller-namespace={{.Release.Namespace}} + - -enable-h2-upgrade={{.Values.enableH2Upgrade}} + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -enable-endpoint-slices={{.Values.enableEndpointSlices}} + - -cluster-domain={{.Values.clusterDomain}} + - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}} + - -default-opaque-ports={{.Values.proxy.opaquePorts}} + - -enable-ipv6={{not .Values.disableIPv6}} + - -enable-pprof={{.Values.enablePprof | default false}} + {{- if (.Values.destinationController).meshedHttp2ClientProtobuf }} + - --meshed-http2-client-params={{ toJson .Values.destinationController.meshedHttp2ClientProtobuf }} + {{- end }} + {{- range (.Values.destinationController).additionalArgs }} + - {{ . }} + {{- end }} + {{- range (.Values.destinationController).experimentalArgs }} + - {{ . }} + {{- end }} + {{- if or (.Values.destinationController).additionalEnv (.Values.destinationController).experimentalEnv }} + env: + {{- with (.Values.destinationController).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.destinationController).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- end }} + {{- include "partials.linkerd.trace" . | nindent 8 -}} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9996 + initialDelaySeconds: 10 + {{- with (.Values.destinationController.livenessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + name: destination + ports: + - containerPort: 8086 + name: grpc + - containerPort: 9996 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9996 + {{- with (.Values.destinationController.readinessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.destinationResources -}} + {{- include "partials.resources" .Values.destinationResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + - args: + - sp-validator + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -enable-pprof={{.Values.enablePprof | default false}} + {{- if or (.Values.spValidator).additionalEnv (.Values.spValidator).experimentalEnv }} + env: + {{- with (.Values.spValidator).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.spValidator).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- end }} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9997 + initialDelaySeconds: 10 + {{- with ((.Values.spValidator).livenessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + name: sp-validator + ports: + - containerPort: 8443 + name: sp-validator + - containerPort: 9997 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9997 + {{- with ((.Values.spValidator).readinessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.spValidatorResources -}} + {{- include "partials.resources" .Values.spValidatorResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: sp-tls + readOnly: true + - args: + - --admin-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9990 + - --control-plane-namespace={{.Release.Namespace}} + - --grpc-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:8090 + - --server-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9443 + - --server-tls-key=/var/run/linkerd/tls/tls.key + - --server-tls-certs=/var/run/linkerd/tls/tls.crt + - --cluster-networks={{.Values.clusterNetworks}} + - --identity-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}} + - --cluster-domain={{.Values.clusterDomain}} + - --default-policy={{.Values.proxy.defaultInboundPolicy}} + - --log-level={{.Values.policyController.logLevel | default "linkerd=info,warn"}} + - --log-format={{.Values.controllerLogFormat}} + - --default-opaque-ports={{.Values.proxy.opaquePorts}} + {{- if .Values.policyController.probeNetworks }} + - --probe-networks={{.Values.policyController.probeNetworks | join ","}} + {{- end}} + {{- range .Values.policyController.additionalArgs }} + - {{ . }} + {{- end }} + {{- range .Values.policyController.experimentalArgs }} + - {{ . }} + {{- end }} + image: {{.Values.policyController.image.name}}:{{.Values.policyController.image.version | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.policyController.image.pullPolicy | default .Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /live + port: admin-http + {{- with (.Values.policyController.livenessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + name: policy + ports: + - containerPort: 8090 + name: grpc + - containerPort: 9990 + name: admin-http + - containerPort: 9443 + name: policy-https + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: admin-http + initialDelaySeconds: 10 + {{- with (.Values.policyController.readinessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.policyController.resources }} + {{- include "partials.resources" .Values.policyController.resources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: policy-tls + readOnly: true + initContainers: + {{ if .Values.cniEnabled -}} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ else -}} + {{- /* + The destination controller needs to connect to the Kubernetes API before the proxy is able + to proxy requests, so we always skip these connections. + */}} + {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} + - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }} + {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }} + {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if .Values.priorityClassName -}} + priorityClassName: {{ .Values.priorityClassName }} + {{ end -}} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-destination + volumes: + - name: sp-tls + secret: + secretName: linkerd-sp-validator-k8s-tls + - name: policy-tls + secret: + secretName: linkerd-policy-validator-k8s-tls + {{ if not .Values.cniEnabled -}} + - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{if .Values.identity.serviceAccountTokenProjection -}} + - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/heartbeat-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/heartbeat-rbac.yaml new file mode 100644 index 0000000000..7b127543f4 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/heartbeat-rbac.yaml @@ -0,0 +1,78 @@ +{{ if not .Values.disableHeartBeat -}} +--- +### +### Heartbeat RBAC +### +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + kind: Role + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Release.Namespace}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: linkerd-heartbeat + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-heartbeat + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + kind: ClusterRole + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Release.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/heartbeat.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/heartbeat.yaml new file mode 100644 index 0000000000..9565376239 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/heartbeat.yaml @@ -0,0 +1,94 @@ +{{ if not .Values.disableHeartBeat -}} +--- +### +### Heartbeat +### +apiVersion: batch/v1 +kind: CronJob +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: heartbeat + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + concurrencyPolicy: Replace + {{ if .Values.heartbeatSchedule -}} + schedule: "{{.Values.heartbeatSchedule}}" + {{ else -}} + schedule: "{{ dateInZone "04 15 * * *" (now | mustDateModify "+10m") "UTC"}}" + {{ end -}} + successfulJobsHistoryLimit: 0 + jobTemplate: + spec: + template: + metadata: + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 12 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 12 }}{{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end -}} + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 10 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 10 }} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-heartbeat + restartPolicy: Never + containers: + - name: heartbeat + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + env: + - name: LINKERD_DISABLED + value: "the heartbeat controller does not use the proxy" + {{- with (.Values.heartbeat).additionalEnv }} + {{- toYaml . | nindent 12 -}} + {{- end }} + {{- with (.Values.heartbeat).experimentalEnv }} + {{- toYaml . | nindent 12 -}} + {{- end }} + args: + - "heartbeat" + - "-controller-namespace={{.Release.Namespace}}" + - "-log-level={{.Values.controllerLogLevel}}" + - "-log-format={{.Values.controllerLogFormat}}" + {{- if .Values.prometheusUrl }} + - "-prometheus-url={{.Values.prometheusUrl}}" + {{- else }} + - "-prometheus-url=http://prometheus.linkerd-viz.svc.{{.Values.clusterDomain}}:9090" + {{- end }} + {{- if .Values.heartbeatResources -}} + {{- include "partials.resources" .Values.heartbeatResources | nindent 12 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/identity-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/identity-rbac.yaml new file mode 100644 index 0000000000..6efdb4e104 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/identity-rbac.yaml @@ -0,0 +1,49 @@ +--- +### +### Identity Controller Service RBAC +### +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +# TODO(ver) Restrict this to the Linkerd namespace. See +# https://github.com/linkerd/linkerd2/issues/9367 +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Release.Namespace}}-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: {{.Release.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/identity.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/identity.yaml new file mode 100644 index 0000000000..070cadd1ee --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/identity.yaml @@ -0,0 +1,272 @@ +{{if .Values.identity -}} +--- +### +### Identity Controller Service +### +{{ if and (.Values.identity.issuer) (eq .Values.identity.issuer.scheme "linkerd.io/tls") -}} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +data: + crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Values.identity.issuer.tls.crtPEM | trim)}} + key.pem: {{b64enc (required "Please provide the identity issue private key" .Values.identity.issuer.tls.keyPEM | trim)}} +--- +{{- end}} +{{ if not (.Values.identity.externalCA) -}} +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-identity-trust-roots + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +data: + ca-bundle.crt: |-{{.Values.identityTrustAnchorsPEM | trim | nindent 4}} +--- +{{- end}} +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity-headless + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +{{- if .Values.enablePodDisruptionBudget }} +kind: PodDisruptionBudget +apiVersion: policy/v1 +metadata: + name: linkerd-identity + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + linkerd.io/control-plane-component: identity +--- +{{- end }} +{{- $tree := deepCopy . }} +{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} +{{ $_ := set $tree.Values.proxy "component" "linkerd-identity" -}} +{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.identityProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.identityProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.identityProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + app.kubernetes.io/name: identity + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + name: linkerd-identity + namespace: {{ .Release.Namespace }} +spec: + replicas: {{.Values.controllerReplicas}} + revisionHistoryLimit: {{.Values.revisionHistoryLimit}} + selector: + matchLabels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}} + {{- if .Values.deploymentStrategy }} + strategy: + {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- end }} + template: + metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + {{- include "partials.proxy.annotations" . | nindent 8}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + config.linkerd.io/default-inbound-policy: "all-unauthenticated" + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 6 }} + {{- $_ := set $tree "component" "identity" -}} + {{- include "linkerd.affinity" $tree | nindent 6 }} + containers: + - args: + - identity + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -controller-namespace={{.Release.Namespace}} + - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}} + - -identity-issuance-lifetime={{.Values.identity.issuer.issuanceLifetime}} + - -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}} + - -identity-scheme={{.Values.identity.issuer.scheme}} + - -enable-pprof={{.Values.enablePprof | default false}} + - -kube-apiclient-qps={{.Values.identity.kubeAPI.clientQPS}} + - -kube-apiclient-burst={{.Values.identity.kubeAPI.clientBurst}} + {{- include "partials.linkerd.trace" . | nindent 8 -}} + env: + - name: LINKERD_DISABLED + value: "linkerd-await cannot block the identity controller" + {{- with (.Values.identity).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.identity).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + {{- with (.Values.identity.livenessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + {{- with (.Values.identity.readinessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.identityResources -}} + {{- include "partials.resources" .Values.identityResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - mountPath: /var/run/linkerd/identity/trust-roots/ + name: trust-roots + {{- $_ := set $tree.Values.proxy "await" false }} + {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} + {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }} + {{- $_ := set $tree.Values.proxy "nativeSidecar" false }} + {{- /* + The identity controller cannot discover policies, so we configure it with defaults that + enforce TLS on the identity service. + */}} + {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} + {{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }} + {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} + {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + initContainers: + {{ if .Values.cniEnabled -}} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ else -}} + {{- /* + The identity controller needs to connect to the Kubernetes API before the proxy is able to + proxy requests, so we always skip these connections. The identity controller makes no other + outbound connections (so it's not important to persist any other skip ports here) + */}} + {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} + - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if .Values.priorityClassName -}} + priorityClassName: {{ .Values.priorityClassName }} + {{ end -}} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-identity + volumes: + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer + - configMap: + name: linkerd-identity-trust-roots + name: trust-roots + {{ if not .Values.cniEnabled -}} + - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{if .Values.identity.serviceAccountTokenProjection -}} + - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} +{{end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/namespace.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/namespace.yaml new file mode 100644 index 0000000000..61461c1327 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/namespace.yaml @@ -0,0 +1,18 @@ +{{- if eq .Release.Service "CLI" -}} +--- +### +### Linkerd Namespace +### +kind: Namespace +apiVersion: v1 +metadata: + name: {{ .Release.Namespace }} + annotations: + linkerd.io/inject: disabled + labels: + linkerd.io/is-control-plane: "true" + config.linkerd.io/admission-webhooks: disabled + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- /* linkerd-init requires extended capabilities and so requires priviledged mode */}} + pod-security.kubernetes.io/enforce: {{ ternary "restricted" "privileged" .Values.cniEnabled }} +{{ end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/podmonitor.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/podmonitor.yaml new file mode 100644 index 0000000000..fd2b5d6ceb --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/podmonitor.yaml @@ -0,0 +1,128 @@ +{{- $podMonitor := .Values.podMonitor -}} +{{- if and $podMonitor.enabled $podMonitor.controller.enabled }} +--- +### +### Prometheus Operator PodMonitor for Linkerd control-plane +### +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: "linkerd-controller" + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{ .Release.Namespace }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + namespaceSelector: {{ tpl .Values.podMonitor.controller.namespaceSelector . | nindent 4 }} + selector: + matchLabels: {} + podMetricsEndpoints: + - interval: {{ $podMonitor.scrapeInterval }} + scrapeTimeout: {{ $podMonitor.scrapeTimeout }} + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_container_port_name + action: keep + regex: admin-http + - sourceLabels: + - __meta_kubernetes_pod_container_name + action: replace + targetLabel: component +{{- end }} +{{- if and $podMonitor.enabled $podMonitor.serviceMirror.enabled }} +--- +### +### Prometheus Operator PodMonitor for Linkerd Service Mirror (multi-cluster) +### +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: "linkerd-service-mirror" + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{ .Release.Namespace }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + namespaceSelector: + any: true + selector: + matchLabels: {} + podMetricsEndpoints: + - interval: {{ $podMonitor.scrapeInterval }} + scrapeTimeout: {{ $podMonitor.scrapeTimeout }} + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: linkerd-service-mirror;admin-http$ + - sourceLabels: + - __meta_kubernetes_pod_container_name + action: replace + targetLabel: component +{{- end }} +{{- if and $podMonitor.enabled $podMonitor.proxy.enabled }} +--- +### +### Prometheus Operator PodMonitor Linkerd data-plane +### +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: "linkerd-proxy" + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{ .Release.Namespace }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + namespaceSelector: + any: true + selector: + matchLabels: {} + podMetricsEndpoints: + - interval: {{ $podMonitor.scrapeInterval }} + scrapeTimeout: {{ $podMonitor.scrapeTimeout }} + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^linkerd-proxy;linkerd-admin;{{ .Release.Namespace }}$ + - sourceLabels: [ __meta_kubernetes_namespace ] + action: replace + targetLabel: namespace + - sourceLabels: [ __meta_kubernetes_pod_name ] + action: replace + targetLabel: pod + - sourceLabels: [ __meta_kubernetes_pod_label_linkerd_io_proxy_job ] + action: replace + targetLabel: k8s_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + replacement: __tmp_pod_label_$1 + - action: labelmap + regex: __tmp_pod_label_linkerd_io_(.+) + replacement: __tmp_pod_label_$1 + - action: labeldrop + regex: __tmp_pod_label_linkerd_io_(.+) + - action: labelmap + regex: __tmp_pod_label_(.+) +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/proxy-injector-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/proxy-injector-rbac.yaml new file mode 100644 index 0000000000..c2c84c5c17 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/proxy-injector-rbac.yaml @@ -0,0 +1,120 @@ +--- +### +### Proxy Injector RBAC +### +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: [""] + resources: ["namespaces", "replicationcontrollers"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: {{.Release.Namespace}} + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-{{.Release.Namespace}}-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +--- +{{- $host := printf "linkerd-proxy-injector.%s.svc" .Release.Namespace }} +{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} +{{- if (not .Values.proxyInjector.externalSecret) }} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-proxy-injector-k8s-tls + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +type: kubernetes.io/tls +data: + tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.crtPEM)) (empty .Values.proxyInjector.crtPEM) }} + tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.proxyInjector.keyPEM)) (empty .Values.proxyInjector.keyPEM) }} +--- +{{- end }} +{{- include "linkerd.webhook.validation" .Values.proxyInjector }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: linkerd-proxy-injector-webhook-config + {{- if or (.Values.proxyInjector.injectCaFrom) (.Values.proxyInjector.injectCaFromSecret) }} + annotations: + {{- if .Values.proxyInjector.injectCaFrom }} + cert-manager.io/inject-ca-from: {{ .Values.proxyInjector.injectCaFrom }} + {{- end }} + {{- if .Values.proxyInjector.injectCaFromSecret }} + cert-manager.io/inject-ca-from-secret: {{ .Values.proxyInjector.injectCaFromSecret }} + {{- end }} + {{- end }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +webhooks: +- name: linkerd-proxy-injector.linkerd.io + namespaceSelector: + {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }} + objectSelector: + {{- toYaml .Values.proxyInjector.objectSelector | trim | nindent 4 }} + clientConfig: + service: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + path: "/" + {{- if and (empty .Values.proxyInjector.injectCaFrom) (empty .Values.proxyInjector.injectCaFromSecret) }} + caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.caBundle)) (empty .Values.proxyInjector.caBundle) }} + {{- end }} + failurePolicy: {{.Values.webhookFailurePolicy}} + admissionReviewVersions: ["v1", "v1beta1"] + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods", "services"] + scope: "Namespaced" + sideEffects: None + timeoutSeconds: {{ .Values.proxyInjector.timeoutSeconds | default 10 }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/proxy-injector.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/proxy-injector.yaml new file mode 100644 index 0000000000..34b1d3ba42 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/proxy-injector.yaml @@ -0,0 +1,222 @@ +--- +### +### Proxy Injector +### +{{- $tree := deepCopy . }} +{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} +{{ $_ := set $tree.Values.proxy "component" "linkerd-proxy-injector" -}} +{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.proxyInjectorProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.proxyInjectorProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.proxyInjectorProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + app.kubernetes.io/name: proxy-injector + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} +spec: + replicas: {{.Values.controllerReplicas}} + revisionHistoryLimit: {{.Values.revisionHistoryLimit}} + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + {{- if .Values.deploymentStrategy }} + strategy: + {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- end }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/proxy-injector-rbac.yaml") . | sha256sum }} + {{ include "partials.annotations.created-by" . }} + {{- include "partials.proxy.annotations" . | nindent 8}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + config.linkerd.io/opaque-ports: "8443" + config.linkerd.io/default-inbound-policy: "all-unauthenticated" + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 6 }} + {{- $_ := set $tree "component" "proxy-injector" -}} + {{- include "linkerd.affinity" $tree | nindent 6 }} + containers: + {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }} + {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} + {{- $_ := set $tree.Values.proxy "podInboundPorts" "8443,9995" }} + {{- /* + The pod needs to accept webhook traffic, and we can't rely on that originating in the + cluster network. + */}} + {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} + {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} + {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + {{- if not $tree.Values.proxy.nativeSidecar }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} + - args: + - proxy-injector + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -linkerd-namespace={{.Release.Namespace}} + - -enable-pprof={{.Values.enablePprof | default false}} + {{- if or (.Values.proxyInjector).additionalEnv (.Values.proxyInjector).experimentalEnv }} + env: + {{- with (.Values.proxyInjector).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.proxyInjector).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- end }} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + {{- with (.Values.proxyInjector.livenessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + {{- with (.Values.proxyInjector.readinessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.proxyInjectorResources -}} + {{- include "partials.resources" .Values.proxyInjectorResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/trust-roots + name: trust-roots + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + initContainers: + {{ if .Values.cniEnabled -}} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ else -}} + {{- /* + The controller needs to connect to the Kubernetes API. There's no reason + to put the proxy in the way of that. + */}} + {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} + - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }} + {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }} + {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if .Values.priorityClassName -}} + priorityClassName: {{ .Values.priorityClassName }} + {{ end -}} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - configMap: + name: linkerd-identity-trust-roots + name: trust-roots + - name: tls + secret: + secretName: linkerd-proxy-injector-k8s-tls + {{ if not .Values.cniEnabled -}} + - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{if .Values.identity.serviceAccountTokenProjection -}} + - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} + config.linkerd.io/opaque-ports: "443" +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +{{- if .Values.enablePodDisruptionBudget }} +--- +kind: PodDisruptionBudget +apiVersion: policy/v1 +metadata: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/templates/psp.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/psp.yaml new file mode 100644 index 0000000000..db91fea675 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/templates/psp.yaml @@ -0,0 +1,119 @@ +{{ if .Values.enablePSP -}} +--- +### +### Control Plane PSP +### +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-{{.Release.Namespace}}-control-plane + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default" + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +spec: + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.runAsRoot }} + allowPrivilegeEscalation: true + {{- else }} + allowPrivilegeEscalation: false + {{- end }} + readOnlyRootFilesystem: true + {{- if empty .Values.cniEnabled }} + allowedCapabilities: + - NET_ADMIN + - NET_RAW + {{- end}} + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + seLinux: + rule: RunAsAny + runAsUser: + {{- if .Values.cniEnabled }} + rule: MustRunAsNonRoot + {{- else }} + rule: RunAsAny + {{- end }} + runAsGroup: + {{- if .Values.cniEnabled }} + rule: MustRunAs + ranges: + - min: 1000 + max: 999999 + {{- else }} + rule: RunAsAny + {{- end }} + supplementalGroups: + rule: MustRunAs + ranges: + {{- if .Values.cniEnabled }} + - min: 10001 + max: 65535 + {{- else }} + - min: 1 + max: 65535 + {{- end }} + fsGroup: + rule: MustRunAs + ranges: + {{- if .Values.cniEnabled }} + - min: 10001 + max: 65535 + {{- else }} + - min: 1 + max: 65535 + {{- end }} + volumes: + - configMap + - emptyDir + - secret + - projected + - downwardAPI + - persistentVolumeClaim +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-{{.Release.Namespace}}-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} +{{ if not .Values.disableHeartBeat -}} +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Release.Namespace}} +{{ end -}} +- kind: ServiceAccount + name: linkerd-identity + namespace: {{.Release.Namespace}} +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: {{.Release.Namespace}} +{{ end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/values-ha.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/values-ha.yaml new file mode 100644 index 0000000000..e3b8cbc070 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/values-ha.yaml @@ -0,0 +1,63 @@ +# This values.yaml file contains the values needed to enable HA mode. +# Usage: +# helm install -f values-ha.yaml + +# -- Create PodDisruptionBudget resources for each control plane workload +enablePodDisruptionBudget: true + +controller: + # -- sets pod disruption budget parameter for all deployments + podDisruptionBudget: + # -- Maximum number of pods that can be unavailable during disruption + maxUnavailable: 1 + +# -- Specify a deployment strategy for each control plane workload +deploymentStrategy: + rollingUpdate: + maxUnavailable: 1 + maxSurge: 25% + +# -- add PodAntiAffinity to each control plane workload +enablePodAntiAffinity: true + +# nodeAffinity: + +# proxy configuration +proxy: + resources: + cpu: + request: 100m + memory: + limit: 250Mi + request: 20Mi + +# controller configuration +controllerReplicas: 3 +controllerResources: &controller_resources + cpu: &controller_resources_cpu + limit: "" + request: 100m + memory: + limit: 250Mi + request: 50Mi +destinationResources: *controller_resources + +# identity configuration +identityResources: + cpu: *controller_resources_cpu + memory: + limit: 250Mi + request: 10Mi + +# heartbeat configuration +heartbeatResources: *controller_resources + +# proxy injector configuration +proxyInjectorResources: *controller_resources +webhookFailurePolicy: Fail + +# service profile validator configuration +spValidatorResources: *controller_resources + +# flag for linkerd check +highAvailability: true diff --git a/charts/linkerd/linkerd-control-plane/2024.10.2/values.yaml b/charts/linkerd/linkerd-control-plane/2024.10.2/values.yaml new file mode 100644 index 0000000000..2e42beb038 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.10.2/values.yaml @@ -0,0 +1,664 @@ +# Default values for linkerd. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Kubernetes DNS Domain name to use +clusterDomain: cluster.local + +# -- The cluster networks for which service discovery is performed. This should +# include the pod and service networks, but need not include the node network. +# +# By default, all IPv4 private networks and all accepted IPv6 ULAs are +# specified so that resolution works in typical Kubernetes environments. +clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8" +# -- Docker image pull policy +imagePullPolicy: IfNotPresent +# -- Specifies the number of old ReplicaSets to retain to allow rollback. +revisionHistoryLimit: 10 +# -- Log level for the control plane components +controllerLogLevel: info +# -- Log format for the control plane components +controllerLogFormat: plain +# -- enables control plane tracing +controlPlaneTracing: false +# -- namespace to send control plane traces to +controlPlaneTracingNamespace: linkerd-jaeger +# -- control plane version. See Proxy section for proxy version +linkerdVersion: edge-24.10.2 +# -- default kubernetes deployment strategy +deploymentStrategy: + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% +# -- enables the use of EndpointSlice informers for the destination service; +# enableEndpointSlices should be set to true only if EndpointSlice K8s feature +# gate is on +enableEndpointSlices: true +# -- enables pod anti affinity creation on deployments for high availability +enablePodAntiAffinity: false +# -- enables the use of pprof endpoints on control plane component's admin +# servers +enablePprof: false +# -- enables the creation of pod disruption budgets for control plane components +enablePodDisruptionBudget: false +# -- disables routing IPv6 traffic in addition to IPv4 traffic through the +# proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni +# v1.4.0) +disableIPv6: true + +controller: + # -- sets pod disruption budget parameter for all deployments + podDisruptionBudget: + # -- Maximum number of pods that can be unavailable during disruption + maxUnavailable: 1 +# -- enabling this omits the NET_ADMIN capability in the PSP +# and the proxy-init container when injecting the proxy; +# requires the linkerd-cni plugin to already be installed +cniEnabled: false +# -- Trust root certificate (ECDSA). It must be provided during install. +identityTrustAnchorsPEM: | +# -- Trust domain used for identity +# @default -- clusterDomain +identityTrustDomain: "" +kubeAPI: &kubeapi + # -- Maximum QPS sent to the kube-apiserver before throttling. + # See [token bucket rate limiter + # implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) + clientQPS: 100 + # -- Burst value over clientQPS + clientBurst: 200 +# -- Additional annotations to add to all pods +podAnnotations: {} +# -- Additional labels to add to all pods +podLabels: {} +# -- Labels to apply to all resources +commonLabels: {} +# -- Kubernetes priorityClassName for the Linkerd Pods +priorityClassName: "" +# -- Runtime Class Name for all the pods +runtimeClassName: "" + +# policy controller configuration +policyController: + image: + # -- Docker image for the policy controller + name: cr.l5d.io/linkerd/policy-controller + # -- Pull policy for the policy controller container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the policy controller container image + # @default -- linkerdVersion + version: "" + + # -- Log level for the policy controller + logLevel: info + + # -- The networks from which probes are performed. + # + # By default, all networks are allowed so that all probes are authorized. + probeNetworks: + - 0.0.0.0/0 + - "::/0" + + # -- policy controller resource requests & limits + resources: + cpu: + # -- Maximum amount of CPU units that the policy controller can use + limit: "" + # -- Amount of CPU units that the policy controller requests + request: "" + memory: + # -- Maximum amount of memory that the policy controller can use + limit: "" + # -- Maximum amount of memory that the policy controller requests + request: "" + ephemeral-storage: + # -- Maximum amount of ephemeral storage that the policy controller can use + limit: "" + # -- Amount of ephemeral storage that the policy controller requests + request: "" + + livenessProbe: + timeoutSeconds: 1 + readinessProbe: + timeoutSeconds: 1 + +# proxy configuration +proxy: + # -- Enable service profiles for non-Kubernetes services + enableExternalProfiles: false + # -- Maximum time allowed for the proxy to establish an outbound TCP + # connection + outboundConnectTimeout: 1000ms + # -- Maximum time allowed for the proxy to establish an inbound TCP + # connection + inboundConnectTimeout: 100ms + # -- Maximum time allowed before an unused outbound discovery result + # is evicted from the cache + outboundDiscoveryCacheUnusedTimeout: "5s" + # -- Maximum time allowed before an unused inbound discovery result + # is evicted from the cache + inboundDiscoveryCacheUnusedTimeout: "90s" + # -- When set to true, disables the protocol detection timeout on the + # outbound side of the proxy by setting it to a very high value + disableOutboundProtocolDetectTimeout: false + # -- When set to true, disables the protocol detection timeout on the inbound + # side of the proxy by setting it to a very high value + disableInboundProtocolDetectTimeout: false + image: + # -- Docker image for the proxy + name: cr.l5d.io/linkerd/proxy + # -- Pull policy for the proxy container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the proxy container image + # @default -- linkerdVersion + version: "" + # -- Enables the proxy's /shutdown admin endpoint + enableShutdownEndpoint: false + # -- Log level for the proxy + logLevel: warn,linkerd=info,hickory=error + # -- Log format (`plain` or `json`) for the proxy + logFormat: plain + # -- (`off` or `insecure`) If set to `off`, will prevent the proxy from + # logging HTTP headers. If set to `insecure`, HTTP headers may be logged + # verbatim. Note that setting this to `insecure` is not alone sufficient to + # log HTTP headers; the proxy logLevel must also be set to debug. + logHTTPHeaders: "off" + ports: + # -- Admin port for the proxy container + admin: 4191 + # -- Control port for the proxy container + control: 4190 + # -- Inbound port for the proxy container + inbound: 4143 + # -- Outbound port for the proxy container + outbound: 4140 + # -- The `cpu.limit` and `cores` should be kept in sync. The value of `cores` + # must be an integer and should typically be set by rounding up from the + # limit. E.g. if cpu.limit is '1500m', cores should be 2. + cores: 0 + resources: + cpu: + # -- Maximum amount of CPU units that the proxy can use + limit: "" + # -- Amount of CPU units that the proxy requests + request: "" + memory: + # -- Maximum amount of memory that the proxy can use + limit: "" + # -- Maximum amount of memory that the proxy requests + request: "" + ephemeral-storage: + # -- Maximum amount of ephemeral storage that the proxy can use + limit: "" + # -- Amount of ephemeral storage that the proxy requests + request: "" + # -- User id under which the proxy runs + uid: 2102 + # -- (int) Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0) + gid: -1 + + # -- If set the injected proxy sidecars in the data plane will stay alive for + # at least the given period before receiving the SIGTERM signal from + # Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. + # See [Lifecycle + # hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) + # for more info on container lifecycle hooks. + waitBeforeExitSeconds: 0 + # -- If set, the application container will not start until the proxy is + # ready + await: true + requireIdentityOnInboundPorts: "" + # -- Default set of opaque ports + # - SMTP (25,587) server-first + # - MYSQL (3306) server-first + # - Galera (4444) server-first + # - PostgreSQL (5432) server-first + # - Redis (6379) server-first + # - ElasticSearch (9300) server-first + # - Memcached (11211) clients do not issue any preamble, which breaks detection + opaquePorts: "25,587,3306,4444,5432,6379,9300,11211" + # -- Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. + shutdownGracePeriod: "" + # -- The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", + # "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny", "audit" + # @default -- "all-unauthenticated" + defaultInboundPolicy: "all-unauthenticated" + # -- Enable KEP-753 native sidecars + # This is an experimental feature. It requires Kubernetes >= 1.29. + # If enabled, .proxy.waitBeforeExitSeconds should not be used. + nativeSidecar: false + # -- Native sidecar proxy startup probe parameters. + # -- LivenessProbe timeout and delay configuration + livenessProbe: + initialDelaySeconds: 10 + timeoutSeconds: 1 + # -- ReadinessProbe timeout and delay configuration + readinessProbe: + initialDelaySeconds: 2 + timeoutSeconds: 1 + startupProbe: + initialDelaySeconds: 0 + periodSeconds: 1 + failureThreshold: 120 + # Configures general properties of the proxy's control plane clients. + control: + # Configures limits on API response streams. + streams: + # -- The timeout for the first update from the control plane. + initialTimeout: "3s" + # -- The timeout between consecutive updates from the control plane. + idleTimeout: "5m" + # -- The maximum duration for a response stream (i.e. before it will be + # reinitialized). + lifetime: "1h" + inbound: + server: + http2: + # -- The interval at which PINGs are issued to remote HTTP/2 clients. + keepAliveInterval: "10s" + # -- The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections. + keepAliveTimeout: "3s" + outbound: + server: + http2: + # -- The interval at which PINGs are issued to local application HTTP/2 clients. + keepAliveInterval: "10s" + # -- The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections. + keepAliveTimeout: "3s" + +# proxy-init configuration +proxyInit: + # -- Variant of iptables that will be used to configure routing. Currently, + # proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will + # control which utility binary will be called. The host must support + # whichever mode will be used + iptablesMode: "legacy" + # -- Default set of inbound ports to skip via iptables + # - Galera (4567,4568) + ignoreInboundPorts: "4567,4568" + # -- Default set of outbound ports to skip via iptables + # - Galera (4567,4568) + ignoreOutboundPorts: "4567,4568" + # -- Default set of ports to skip via iptables for control plane + # components so they can communicate with the Kubernetes API Server + kubeAPIServerPorts: "443,6443" + # -- Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy + skipSubnets: "" + # -- Log level for the proxy-init + # @default -- info + logLevel: "" + # -- Log format (`plain` or `json`) for the proxy-init + # @default -- plain + logFormat: "" + image: + # -- Docker image for the proxy-init container + name: cr.l5d.io/linkerd/proxy-init + # -- Pull policy for the proxy-init container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the proxy-init container image + version: v2.4.1 + closeWaitTimeoutSecs: 0 + # -- Privileged mode allows the container processes to inherit all security + # capabilities and bypass any security limitations enforced by the kubelet. + # When used with 'runAsRoot: true', the container will behave exactly as if + # it was running as root on the host. May escape cgroup limits and see other + # processes and devices on the host. + # @default -- false + privileged: false + # -- Allow overriding the runAsNonRoot behaviour () + runAsRoot: false + # -- This value is used only if runAsRoot is false; otherwise runAsUser will be 0 + runAsUser: 65534 + # -- This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 + runAsGroup: 65534 + xtMountPath: + mountPath: /run + name: linkerd-proxy-init-xtables-lock + +# network validator configuration +# This runs on a host that uses iptables to reroute network traffic. The validator +# ensures that iptables is correctly routing requests before we start linkerd. +networkValidator: + # -- Log level for the network-validator + # @default -- debug + logLevel: debug + # -- Log format (`plain` or `json`) for network-validator + # @default -- plain + logFormat: plain + # -- Address to which the network-validator will attempt to connect. This should be an IP + # that the cluster is expected to be able to reach but a port it should not, e.g., a public IP + # for public clusters and a private IP for air-gapped clusters with a port like 20001. + # If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively. + connectAddr: "" + # -- Address to which network-validator listens to requests from itself. + # If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively. + listenAddr: "" + # -- Timeout before network-validator fails to validate the pod's network connectivity + timeout: "10s" + # -- Include a securityContext in the network-validator pod spec + enableSecurityContext: true + +# -- For Private docker registries, authentication is needed. +# Registry secrets are applied to the respective service accounts +imagePullSecrets: [] +# - name: my-private-docker-registry-login-secret + +# -- Allow proxies to perform transparent HTTP/2 upgrading +enableH2Upgrade: true + +# -- Add a PSP resource and bind it to the control plane ServiceAccounts. Note +# PSP has been deprecated since k8s v1.21 +enablePSP: false + +# -- Failure policy for the proxy injector +webhookFailurePolicy: Ignore + +# controllerImage -- Docker image for the destination and identity components +controllerImage: cr.l5d.io/linkerd/controller +# -- Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. +controllerImageVersion: "" + +# -- Number of replicas for each control plane pod +controllerReplicas: 1 +# -- User ID for the control plane components +controllerUID: 2103 +# -- (int) Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0) +controllerGID: -1 + +# destination configuration +# set resources for the sp-validator and its linkerd proxy respectively +# see proxy.resources for details. +# destinationResources -- CPU, Memory and Ephemeral Storage resources required by destination (see `proxy.resources` for sub-fields) +#destinationResources: +# destinationProxyResources -- CPU, Memory and Ephemeral Storage resources required by proxy injected into destination pod (see `proxy.resources` for sub-fields) +#destinationProxyResources: + +destinationController: + meshedHttp2ClientProtobuf: + keep_alive: + interval: + seconds: 10 + timeout: + seconds: 3 + while_idle: true + livenessProbe: + timeoutSeconds: 1 + readinessProbe: + timeoutSeconds: 1 + +# debug configuration +debugContainer: + image: + # -- Docker image for the debug container + name: cr.l5d.io/linkerd/debug + # -- Pull policy for the debug container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the debug container image + # @default -- linkerdVersion + version: "" + +identity: + # -- If the linkerd-identity-trust-roots ConfigMap has already been created + externalCA: false + + # -- Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token + serviceAccountTokenProjection: true + + issuer: + scheme: linkerd.io/tls + + # -- Amount of time to allow for clock skew within a Linkerd cluster + clockSkewAllowance: 20s + + # -- Amount of time for which the Identity issuer should certify identity + issuanceLifetime: 24h0m0s + + # -- Which scheme is used for the identity issuer secret format + tls: + # -- Issuer certificate (ECDSA). It must be provided during install. + crtPEM: | + + # -- Key for the issuer certificate (ECDSA). It must be provided during + # install + keyPEM: | + + kubeAPI: *kubeapi + + livenessProbe: + timeoutSeconds: 1 + readinessProbe: + timeoutSeconds: 1 + +# -|- CPU, Memory and Ephemeral Storage resources required by the identity controller (see `proxy.resources` for sub-fields) +#identityResources: +# -|- CPU, Memory and Ephemeral Storage resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields) +#identityProxyResources: + +# heartbeat configuration +# disableHeartBeat -- Set to true to not start the heartbeat cronjob +disableHeartBeat: false +# -- Config for the heartbeat cronjob +# heartbeatSchedule: "0 0 * * *" + +# proxy injector configuration +proxyInjector: + # -- Timeout in seconds before the API Server cancels a request to the proxy + # injector. If timeout is exceeded, the webhookfailurePolicy is used. + timeoutSeconds: 10 + # -- Do not create a secret resource for the proxyInjector webhook. + # If this is set to `true`, the value `proxyInjector.caBundle` must be set + # or the ca bundle must injected with cert-manager ca injector using + # `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). + externalSecret: false + + # -- Namespace selector used by admission webhook. + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + - cert-manager + + # -- Object selector used by admission webhook. + objectSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: DoesNotExist + - key: linkerd.io/cni-resource + operator: DoesNotExist + + # -- Certificate for the proxy injector. If not provided and not using an external secret + # then Helm will generate one. + crtPEM: | + + # -- Certificate key for the proxy injector. If not provided and not using an external secret + # then Helm will generate one. + keyPEM: | + + # -- Bundle of CA certificates for proxy injector. + # If not provided nor injected with cert-manager, + # then Helm will use the certificate generated for `proxyInjector.crtPEM`. + # If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or + # injectCaFromSecret must be set, as no certificate will be generated. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. + caBundle: | + + # -- Inject the CA bundle from a cert-manager Certificate. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) + # for more information. + injectCaFrom: "" + + # -- Inject the CA bundle from a Secret. + # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. + # The Secret must have the CA Bundle stored in the `ca.crt` key and have + # the `cert-manager.io/allow-direct-injection` annotation set to `true`. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) + # for more information. + injectCaFromSecret: "" + + livenessProbe: + timeoutSeconds: 1 + readinessProbe: + timeoutSeconds: 1 + +# -|- CPU, Memory and Ephemeral Storage resources required by the proxy injector (see +#`proxy.resources` for sub-fields) +#proxyInjectorResources: +#-|- CPU, Memory and Ephemeral Storage resources required by proxy injected into the proxy injector +#pod (see `proxy.resources` for sub-fields) +#proxyInjectorProxyResources: + +# service profile validator configuration +profileValidator: + # -- Do not create a secret resource for the profileValidator webhook. + # If this is set to `true`, the value `proxyInjector.caBundle` must be set + # or the ca bundle must injected with cert-manager ca injector using + # `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). + externalSecret: false + + # -- Namespace selector used by admission webhook + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + + # -- Certificate for the service profile validator. If not provided and not using an external secret + # then Helm will generate one. + crtPEM: | + + # -- Certificate key for the service profile validator. If not provided and not using an external secret + # then Helm will generate one. + keyPEM: | + + # -- Bundle of CA certificates for proxy injector. + # If not provided nor injected with cert-manager, + # then Helm will use the certificate generated for `profileValidator.crtPEM`. + # If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or + # injectCaFromSecret must be set, as no certificate will be generated. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. + caBundle: | + + # -- Inject the CA bundle from a cert-manager Certificate. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) + # for more information. + injectCaFrom: "" + + # -- Inject the CA bundle from a Secret. + # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. + # The Secret must have the CA Bundle stored in the `ca.crt` key and have + # the `cert-manager.io/allow-direct-injection` annotation set to `true`. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) + # for more information. + injectCaFromSecret: "" + +# policy validator configuration +policyValidator: + # -- Do not create a secret resource for the policyValidator webhook. + # If this is set to `true`, the value `policyValidator.caBundle` must be set + # or the ca bundle must injected with cert-manager ca injector using + # `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below). + externalSecret: false + + # -- Namespace selector used by admission webhook + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + + # -- Certificate for the policy validator. If not provided and not using an external secret + # then Helm will generate one. + crtPEM: | + + # -- Certificate key for the policy validator. If not provided and not using an external secret + # then Helm will generate one. + keyPEM: | + + # -- Bundle of CA certificates for proxy injector. + # If not provided nor injected with cert-manager, + # then Helm will use the certificate generated for `policyValidator.crtPEM`. + # If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or + # injectCaFromSecret must be set, as no certificate will be generated. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. + caBundle: | + + # -- Inject the CA bundle from a cert-manager Certificate. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) + # for more information. + injectCaFrom: "" + + # -- Inject the CA bundle from a Secret. + # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. + # The Secret must have the CA Bundle stored in the `ca.crt` key and have + # the `cert-manager.io/allow-direct-injection` annotation set to `true`. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) + # for more information. + injectCaFromSecret: "" + +# -- NodeSelector section, See the [K8S +# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) +# for more information +nodeSelector: + kubernetes.io/os: linux + +# -- SP validator configuration +spValidator: + livenessProbe: + timeoutSeconds: 1 + readinessProbe: + timeoutSeconds: 1 + +# -|- CPU, Memory and Ephemeral Storage resources required by the SP validator (see +#`proxy.resources` for sub-fields) +#spValidatorResources: + +# -|- Tolerations section, See the +# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +# for more information +#tolerations: + +# -|- NodeAffinity section, See the +# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity) +# for more information +#nodeAffinity: + +# -- url of external prometheus instance (used for the heartbeat) +prometheusUrl: "" + +# Prometheus Operator PodMonitor configuration +podMonitor: + # -- Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) + enabled: false + # -- Interval at which metrics should be scraped + scrapeInterval: 10s + # -- Iimeout after which the scrape is ended + scrapeTimeout: 10s + # -- Labels to apply to all pod Monitors + labels: {} + controller: + # -- Enables the creation of PodMonitor for the control-plane + enabled: true + # -- Selector to select which namespaces the Endpoints objects are discovered from + namespaceSelector: | + matchNames: + - {{ .Release.Namespace }} + - linkerd-viz + - linkerd-jaeger + serviceMirror: + # -- Enables the creation of PodMonitor for the Service Mirror component + enabled: true + proxy: + # -- Enables the creation of PodMonitor for the data-plane + enabled: true diff --git a/charts/linkerd/linkerd-crds/2024.10.2/.helmignore b/charts/linkerd/linkerd-crds/2024.10.2/.helmignore new file mode 100644 index 0000000000..79c90a8063 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +OWNERS +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-crds/2024.10.2/Chart.lock b/charts/linkerd/linkerd-crds/2024.10.2/Chart.lock new file mode 100644 index 0000000000..a62a030631 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba +generated: "2021-08-17T10:42:52.610449255-05:00" diff --git a/charts/linkerd/linkerd-crds/2024.10.2/Chart.yaml b/charts/linkerd/linkerd-crds/2024.10.2/Chart.yaml new file mode 100644 index 0000000000..ecf06b6f66 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd CRDs + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-crds +apiVersion: v2 +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' +home: https://linkerd.io +icon: file://assets/icons/linkerd-crds.png +keywords: +- service-mesh +kubeVersion: '>=1.22.0-0' +maintainers: +- email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ +name: linkerd-crds +sources: +- https://github.com/linkerd/linkerd2/ +type: application +version: 2024.10.2 diff --git a/charts/linkerd/linkerd-crds/2024.10.2/README.md b/charts/linkerd/linkerd-crds/2024.10.2/README.md new file mode 100644 index 0000000000..1800c7cd6f --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/README.md @@ -0,0 +1,71 @@ +# linkerd-crds + +Linkerd gives you observability, reliability, and security +for your microservices — with no code change required. + +![Version: 2024.10.2](https://img.shields.io/badge/Version-2024.10.2-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +**Homepage:** + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the linkerd-crds chart + +This installs the `linkerd-crds` chart, which only persists the CRDs that +Linkerd requires. + +After installing this chart, you need then to install the +`linkerd-control-plane` chart in the same namespace, which provides all the +linkerd core control components. + +```bash +helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Requirements + +Kubernetes: `>=1.22.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| file://../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| enableHttpRoutes | bool | `true` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-crds/2024.10.2/README.md.gotmpl b/charts/linkerd/linkerd-crds/2024.10.2/README.md.gotmpl new file mode 100644 index 0000000000..88be739549 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/README.md.gotmpl @@ -0,0 +1,59 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the linkerd-crds chart + +This installs the `linkerd-crds` chart, which only persists the CRDs that +Linkerd requires. + +After installing this chart, you need then to install the +`linkerd-control-plane` chart in the same namespace, which provides all the +linkerd core control components. + +```bash +helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/app-readme.md b/charts/linkerd/linkerd-crds/2024.10.2/app-readme.md new file mode 100644 index 0000000000..59010a6b21 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/app-readme.md @@ -0,0 +1,9 @@ +# Linkerd 2 CRDs Chart + +Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd +adds security, observability, and reliability to Kubernetes, without the +complexity. + +This particular Helm chart only installs Linkerd CRDs. + +Full documentation available at: https://linkerd.io/2/overview/ diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/.helmignore b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/Chart.yaml b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/Chart.yaml new file mode 100644 index 0000000000..23cfc167e3 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +description: 'A Helm chart containing Linkerd partial templates, depended by the ''linkerd'' + and ''patch'' charts. ' +name: partials +version: 0.1.0 diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/README.md b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/README.md new file mode 100644 index 0000000000..10805c9b94 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/README.md @@ -0,0 +1,9 @@ +# partials + +A Helm chart containing Linkerd partial templates, +depended by the 'linkerd' and 'patch' charts. + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/README.md.gotmpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/README.md.gotmpl new file mode 100644 index 0000000000..37f5101061 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/NOTES.txt b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/NOTES.txt new file mode 100644 index 0000000000..e69de29bb2 diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_affinity.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_affinity.tpl new file mode 100644 index 0000000000..5dde1da473 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_affinity.tpl @@ -0,0 +1,38 @@ +{{ define "linkerd.pod-affinity" -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: topology.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: kubernetes.io/hostname +{{- end }} + +{{ define "linkerd.node-affinity" -}} +nodeAffinity: +{{- toYaml .Values.nodeAffinity | trim | nindent 2 }} +{{- end }} + +{{ define "linkerd.affinity" -}} +{{- if or .Values.enablePodAntiAffinity .Values.nodeAffinity -}} +affinity: +{{- end }} +{{- if .Values.enablePodAntiAffinity -}} +{{- include "linkerd.pod-affinity" . | nindent 2 }} +{{- end }} +{{- if .Values.nodeAffinity -}} +{{- include "linkerd.node-affinity" . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_capabilities.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_capabilities.tpl new file mode 100644 index 0000000000..a595d74c1f --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_capabilities.tpl @@ -0,0 +1,16 @@ +{{- define "partials.proxy.capabilities" -}} +capabilities: + {{- if .Values.proxy.capabilities.add }} + add: + {{- toYaml .Values.proxy.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxy.capabilities.drop }} + drop: + {{- toYaml .Values.proxy.capabilities.drop | trim | nindent 4 }} + {{- end }} +{{- end -}} + +{{- define "partials.proxy-init.capabilities.drop" -}} +drop: +{{ toYaml .Values.proxyInit.capabilities.drop | trim }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_debug.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_debug.tpl new file mode 100644 index 0000000000..4df8cc77bc --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_debug.tpl @@ -0,0 +1,15 @@ +{{- define "partials.debug" -}} +image: {{.Values.debugContainer.image.name}}:{{.Values.debugContainer.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.debugContainer.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-debug +terminationMessagePolicy: FallbackToLogsOnError +# some environments require probes, so we provide some infallible ones +livenessProbe: + exec: + command: + - "true" +readinessProbe: + exec: + command: + - "true" +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_helpers.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_helpers.tpl new file mode 100644 index 0000000000..b6cdc34d08 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_helpers.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Splits a coma separated list into a list of string values. +For example "11,22,55,44" will become "11","22","55","44" +*/}} +{{- define "partials.splitStringList" -}} +{{- if gt (len (toString .)) 0 -}} +{{- $ports := toString . | splitList "," -}} +{{- $last := sub (len $ports) 1 -}} +{{- range $i,$port := $ports -}} +"{{$port}}"{{ternary "," "" (ne $i $last)}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_metadata.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_metadata.tpl new file mode 100644 index 0000000000..04d2f1beab --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_metadata.tpl @@ -0,0 +1,17 @@ +{{- define "partials.annotations.created-by" -}} +linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" ( (.Values.image).version | default .Values.linkerdVersion)) }} +{{- end -}} + +{{- define "partials.proxy.annotations" -}} +linkerd.io/proxy-version: {{.Values.proxy.image.version | default .Values.linkerdVersion}} +cluster-autoscaler.kubernetes.io/safe-to-evict: "true" +linkerd.io/trust-root-sha256: {{ .Values.identityTrustAnchorsPEM | sha256sum }} +{{- end -}} + +{{/* +To add labels to the control-plane components, instead update at individual component manifests as +adding here would also update `spec.selector.matchLabels` which are immutable and would fail upgrades. +*/}} +{{- define "partials.proxy.labels" -}} +linkerd.io/proxy-{{.workloadKind}}: {{.component}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_network-validator.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_network-validator.tpl new file mode 100644 index 0000000000..276056395f --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_network-validator.tpl @@ -0,0 +1,45 @@ +{{- define "partials.network-validator" -}} +name: linkerd-network-validator +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +{{ include "partials.resources" .Values.proxy.resources }} +{{- if or .Values.networkValidator.enableSecurityContext }} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault +{{- end }} +command: + - /usr/lib/linkerd/linkerd2-network-validator +args: + - --log-format + - {{ .Values.networkValidator.logFormat }} + - --log-level + - {{ .Values.networkValidator.logLevel }} + - --connect-addr + {{- if .Values.networkValidator.connectAddr }} + - {{ .Values.networkValidator.connectAddr | quote }} + {{- else if .Values.disableIPv6}} + - "1.1.1.1:20001" + {{- else }} + - "[fd00::1]:20001" + {{- end }} + - --listen-addr + {{- if .Values.networkValidator.listenAddr }} + - {{ .Values.networkValidator.listenAddr | quote }} + {{- else if .Values.disableIPv6}} + - "0.0.0.0:4140" + {{- else }} + - "[::]:4140" + {{- end }} + - --timeout + - {{ .Values.networkValidator.timeout }} + +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_nodeselector.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_nodeselector.tpl new file mode 100644 index 0000000000..4cde0ab16e --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_nodeselector.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.node-selector" -}} +nodeSelector: +{{- toYaml .Values.nodeSelector | trim | nindent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy-config-ann.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy-config-ann.tpl new file mode 100644 index 0000000000..9651b3bd1a --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy-config-ann.tpl @@ -0,0 +1,18 @@ +{{- define "partials.proxy.config.annotations" -}} +{{- with .cpu }} +{{- with .request -}} +config.linkerd.io/proxy-cpu-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-cpu-limit: {{. | quote}} +{{- end}} +{{- end}} +{{- with .memory }} +{{- with .request }} +config.linkerd.io/proxy-memory-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-memory-limit: {{. | quote}} +{{- end}} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy-init.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy-init.tpl new file mode 100644 index 0000000000..a307b14073 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy-init.tpl @@ -0,0 +1,98 @@ +{{- define "partials.proxy-init" -}} +args: +{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }} +- --firewall-bin-path +- "iptables-nft" +- --firewall-save-bin-path +- "iptables-nft-save" +{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }} +{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }} +{{end -}} +{{- if .Values.disableIPv6 }} +- --ipv6=false +{{- end }} +- --incoming-proxy-port +- {{.Values.proxy.ports.inbound | quote}} +- --outgoing-proxy-port +- {{.Values.proxy.ports.outbound | quote}} +- --proxy-uid +- {{.Values.proxy.uid | quote}} +{{- if ge (int .Values.proxy.gid) 0 }} +- --proxy-gid +- {{.Values.proxy.gid | quote}} +{{- end }} +- --inbound-ports-to-ignore +- "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}" +{{- if .Values.proxyInit.ignoreOutboundPorts }} +- --outbound-ports-to-ignore +- {{.Values.proxyInit.ignoreOutboundPorts | quote}} +{{- end }} +{{- if .Values.proxyInit.closeWaitTimeoutSecs }} +- --timeout-close-wait-secs +- {{ .Values.proxyInit.closeWaitTimeoutSecs | quote}} +{{- end }} +{{- if .Values.proxyInit.logFormat }} +- --log-format +- {{ .Values.proxyInit.logFormat }} +{{- end }} +{{- if .Values.proxyInit.logLevel }} +- --log-level +- {{ .Values.proxyInit.logLevel }} +{{- end }} +{{- if .Values.proxyInit.skipSubnets }} +- --subnets-to-ignore +- {{ .Values.proxyInit.skipSubnets | quote }} +{{- end }} +image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}} +imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-init +{{ include "partials.resources" .Values.proxy.resources }} +securityContext: + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + allowPrivilegeEscalation: true + {{- else }} + allowPrivilegeEscalation: false + {{- end }} + capabilities: + add: + - NET_ADMIN + - NET_RAW + {{- if .Values.proxyInit.capabilities -}} + {{- if .Values.proxyInit.capabilities.add }} + {{- toYaml .Values.proxyInit.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxyInit.capabilities.drop -}} + {{- include "partials.proxy-init.capabilities.drop" . | nindent 4 -}} + {{- end }} + {{- end }} + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + privileged: true + {{- else }} + privileged: false + {{- end }} + {{- if .Values.proxyInit.runAsRoot }} + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + runAsNonRoot: true + runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }} + runAsGroup: {{ .Values.proxyInit.runAsGroup | int | eq 0 | ternary 65534 .Values.proxyInit.runAsGroup }} + {{- end }} + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }} +volumeMounts: +{{- end -}} +{{- if not .Values.cniEnabled }} +- mountPath: {{.Values.proxyInit.xtMountPath.mountPath}} + name: {{.Values.proxyInit.xtMountPath.name}} +{{- end -}} +{{- if .Values.proxyInit.saMountPath }} +- mountPath: {{.Values.proxyInit.saMountPath.mountPath}} + name: {{.Values.proxyInit.saMountPath.name}} + readOnly: {{.Values.proxyInit.saMountPath.readOnly}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy.tpl new file mode 100644 index 0000000000..4dcf12dee2 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_proxy.tpl @@ -0,0 +1,271 @@ +{{ define "partials.proxy" -}} +{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }} +{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }} +{{- end }} +{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off" "")) }} +{{- fail "logHTTPHeaders must be one of: insecure | off" }} +{{- end }} +{{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}} +env: +- name: _pod_name + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace +- name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName +{{- if .Values.proxy.cores }} +- name: LINKERD2_PROXY_CORES + value: {{.Values.proxy.cores | quote}} +{{- end }} +{{ if .Values.proxy.requireIdentityOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY + value: {{.Values.proxy.requireIdentityOnInboundPorts | quote}} +{{ end -}} +{{ if .Values.proxy.requireTLSOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS + value: {{.Values.proxy.requireTLSOnInboundPorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED + value: {{.Values.proxy.enableShutdownEndpoint | quote}} +- name: LINKERD2_PROXY_LOG + value: "{{.Values.proxy.logLevel}}{{ if not (eq .Values.proxy.logHTTPHeaders "insecure") }},[{headers}]=off,[{request}]=off{{ end }}" +- name: LINKERD2_PROXY_LOG_FORMAT + value: {{.Values.proxy.logFormat | quote}} +- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: {{ternary "localhost.:8086" (printf "linkerd-dst-headless.%s.svc.%s.:8086" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_POLICY_SVC_ADDR + value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_POLICY_WORKLOAD + value: | + {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"} +- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY + value: {{.Values.proxy.defaultInboundPolicy}} +- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT + value: {{((.Values.proxy.control).streams).initialTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT + value: {{((.Values.proxy.control).streams).idleTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME + value: {{((.Values.proxy.control).streams).lifetime | default "" | quote}} +{{ if .Values.proxy.inboundConnectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.inboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundConnectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.outboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.outboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.inboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.control}}" +- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.admin}}" +{{- /* Deprecated, superseded by LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS since proxy's v2.228.0 (deployed since edge-24.4.5) */}} +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}" +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}{{ if not .Values.disableIPv6}},[::1]:{{.Values.proxy.ports.outbound}}{{ end }}" +- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.inbound}}" +- name: LINKERD2_PROXY_INBOUND_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs +- name: LINKERD2_PROXY_INBOUND_PORTS + value: {{ .Values.proxy.podInboundPorts | quote }} +{{ if .Values.proxy.isGateway -}} +- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES + value: {{printf "svc.%s." .Values.clusterDomain}} +{{ end -}} +{{ if .Values.proxy.isIngress -}} +- name: LINKERD2_PROXY_INGRESS_MODE + value: "true" +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + {{- $internalDomain := printf "svc.%s." .Values.clusterDomain }} + value: {{ternary "." $internalDomain .Values.proxy.enableExternalProfiles}} +- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms +- name: LINKERD2_PROXY_INBOUND_ACCEPT_USER_TIMEOUT + value: 30s +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_USER_TIMEOUT + value: 30s +{{- /* Configure inbound and outbound parameters, e.g. for HTTP/2 servers. */}} +{{ range $proxyK, $proxyV := (dict "inbound" .Values.proxy.inbound "outbound" .Values.proxy.outbound) -}} +{{ range $scopeK, $scopeV := $proxyV -}} +{{ range $protoK, $protoV := $scopeV -}} +{{ range $paramK, $paramV := $protoV -}} +- name: LINKERD2_PROXY_{{snakecase $proxyK | upper}}_{{snakecase $scopeK | upper}}_{{snakecase $protoK | upper}}_{{snakecase $paramK | upper}} + value: {{ quote $paramV }} +{{ end -}} +{{ end -}} +{{ end -}} +{{ end -}} +{{ if .Values.proxy.opaquePorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION + value: {{.Values.proxy.opaquePorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} +- name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +- name: _l5d_ns + value: {{.Release.Namespace}} +- name: _l5d_trustdomain + value: {{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity +- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS +{{- /* +Pods in the `linkerd` namespace are not injected by the proxy injector and instead obtain +the trust anchor bundle from the `linkerd-identity-trust-roots` configmap. This should not +be used in other contexts. +*/}} +{{- if .Values.proxy.loadTrustBundleFromConfigMap }} + valueFrom: + configMapKeyRef: + name: linkerd-identity-trust-roots + key: ca-bundle.crt +{{ else }} + value: | + {{- required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }} +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE +{{- if .Values.identity.serviceAccountTokenProjection }} + value: /var/run/secrets/tokens/linkerd-identity-token +{{ else }} + value: /var/run/secrets/kubernetes.io/serviceaccount/token +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: {{ternary "localhost.:8080" (printf "linkerd-identity-headless.%s.svc.%s.:8080" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-identity")}} +- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_POLICY_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +{{ if .Values.proxy.accessLog -}} +- name: LINKERD2_PROXY_ACCESS_LOG + value: {{.Values.proxy.accessLog | quote}} +{{ end -}} +{{ if .Values.proxy.shutdownGracePeriod -}} +- name: LINKERD2_PROXY_SHUTDOWN_GRACE_PERIOD + value: {{.Values.proxy.shutdownGracePeriod | quote}} +{{ end -}} +{{ if .Values.proxy.additionalEnv -}} +{{ toYaml .Values.proxy.additionalEnv }} +{{ end -}} +{{ if .Values.proxy.experimentalEnv -}} +{{ toYaml .Values.proxy.experimentalEnv }} +{{ end -}} +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +livenessProbe: + httpGet: + path: /live + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.livenessProbe.timeoutSeconds }} +name: linkerd-proxy +ports: +- containerPort: {{.Values.proxy.ports.inbound}} + name: linkerd-proxy +- containerPort: {{.Values.proxy.ports.admin}} + name: linkerd-admin +readinessProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.readinessProbe.timeoutSeconds }} +{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }} +startupProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}} + periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}} + failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}} +{{- end }} +{{- if .Values.proxy.resources }} +{{ include "partials.resources" .Values.proxy.resources }} +{{- end }} +securityContext: + allowPrivilegeEscalation: false + {{- if .Values.proxy.capabilities -}} + {{- include "partials.proxy.capabilities" . | nindent 2 -}} + {{- end }} + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.proxy.uid}} +{{- if ge (int .Values.proxy.gid) 0 }} + runAsGroup: {{.Values.proxy.gid}} +{{- end }} + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }} +lifecycle: +{{- if .Values.proxy.await }} + postStart: + exec: + command: + - /usr/lib/linkerd/linkerd-await + - --timeout=2m + - --port={{.Values.proxy.ports.admin}} +{{- end }} +{{- if .Values.proxy.waitBeforeExitSeconds }} + preStop: + exec: + command: + - /bin/sleep + - {{.Values.proxy.waitBeforeExitSeconds | quote}} +{{- end }} +{{- end }} +volumeMounts: +- mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity +{{- if .Values.identity.serviceAccountTokenProjection }} +- mountPath: /var/run/secrets/tokens + name: linkerd-identity-token +{{- end }} +{{- if .Values.proxy.saMountPath }} +- mountPath: {{.Values.proxy.saMountPath.mountPath}} + name: {{.Values.proxy.saMountPath.name}} + readOnly: {{.Values.proxy.saMountPath.readOnly}} +{{- end -}} +{{- if .Values.proxy.nativeSidecar }} +restartPolicy: Always +{{- end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_pull-secrets.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_pull-secrets.tpl new file mode 100644 index 0000000000..0c9aa4f01c --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_pull-secrets.tpl @@ -0,0 +1,6 @@ +{{- define "partials.image-pull-secrets"}} +{{- if . }} +imagePullSecrets: +{{ toYaml . | indent 2 }} +{{- end }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_resources.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_resources.tpl new file mode 100644 index 0000000000..1fd6789fd7 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_resources.tpl @@ -0,0 +1,28 @@ +{{- define "partials.resources" -}} +{{- $ephemeralStorage := index . "ephemeral-storage" -}} +resources: + {{- if or (.cpu).limit (.memory).limit ($ephemeralStorage).limit }} + limits: + {{- with (.cpu).limit }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).limit }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).limit }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} + {{- if or (.cpu).request (.memory).request ($ephemeralStorage).request }} + requests: + {{- with (.cpu).request }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).request }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).request }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_tolerations.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_tolerations.tpl new file mode 100644 index 0000000000..c2292b1464 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_tolerations.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.tolerations" -}} +tolerations: +{{ toYaml .Values.tolerations | trim | indent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_trace.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_trace.tpl new file mode 100644 index 0000000000..dee059541f --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_trace.tpl @@ -0,0 +1,5 @@ +{{ define "partials.linkerd.trace" -}} +{{ if .Values.controlPlaneTracing -}} +- -trace-collector=collector.{{.Values.controlPlaneTracingNamespace}}.svc.{{.Values.clusterDomain}}:55678 +{{ end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_validate.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_validate.tpl new file mode 100644 index 0000000000..ba772c2fee --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_validate.tpl @@ -0,0 +1,19 @@ +{{- define "linkerd.webhook.validation" -}} + +{{- if and (.injectCaFrom) (.injectCaFromSecret) -}} +{{- fail "injectCaFrom and injectCaFromSecret cannot both be set" -}} +{{- end -}} + +{{- if and (or (.injectCaFrom) (.injectCaFromSecret)) (.caBundle) -}} +{{- fail "injectCaFrom or injectCaFromSecret cannot be set if providing a caBundle" -}} +{{- end -}} + +{{- if and (.externalSecret) (empty .caBundle) (empty .injectCaFrom) (empty .injectCaFromSecret) -}} +{{- fail "if externalSecret is set, then caBundle, injectCaFrom, or injectCaFromSecret must be set" -}} +{{- end }} + +{{- if and (or .injectCaFrom .injectCaFromSecret .caBundle) (not .externalSecret) -}} +{{- fail "if caBundle, injectCaFrom, or injectCaFromSecret is set, then externalSecret must be set" -}} +{{- end -}} + +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_volumes.tpl b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_volumes.tpl new file mode 100644 index 0000000000..9684cf2409 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/templates/_volumes.tpl @@ -0,0 +1,20 @@ +{{ define "partials.proxy.volumes.identity" -}} +emptyDir: + medium: Memory +name: linkerd-identity-end-entity +{{- end -}} + +{{ define "partials.proxyInit.volumes.xtables" -}} +emptyDir: {} +name: {{ .Values.proxyInit.xtMountPath.name }} +{{- end -}} + +{{- define "partials.proxy.volumes.service-account-token" -}} +name: linkerd-identity-token +projected: + sources: + - serviceAccountToken: + path: linkerd-identity-token + expirationSeconds: 86400 {{- /* # 24 hours */}} + audience: identity.l5d.io +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/values.yaml b/charts/linkerd/linkerd-crds/2024.10.2/charts/partials/values.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/NOTES.txt b/charts/linkerd/linkerd-crds/2024.10.2/templates/NOTES.txt new file mode 100644 index 0000000000..4ff5c1818a --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/NOTES.txt @@ -0,0 +1,6 @@ +The linkerd-crds chart was successfully installed 🎉 + +To complete the linkerd core installation, please now proceed to install the +linkerd-control-plane chart in the {{ .Release.Namespace }} namespace. + +Looking for more? Visit https://linkerd.io/2/getting-started/ diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/gateway.networking.k8s.io_grpcroutes.yaml b/charts/linkerd/linkerd-crds/2024.10.2/templates/gateway.networking.k8s.io_grpcroutes.yaml new file mode 100644 index 0000000000..0050aac88b --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/gateway.networking.k8s.io_grpcroutes.yaml @@ -0,0 +1,1507 @@ +{{- if .Values.enableHttpRoutes }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1923 + gateway.networking.k8s.io/bundle-version: v0.7.1 + gateway.networking.k8s.io/channel: experimental + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes + the capability to match requests by hostname, gRPC service, gRPC method, + or HTTP/2 header. Filters can be used to specify additional processing steps. + Backends specify where matching requests will be routed. \n GRPCRoute falls + under extended support within the Gateway API. Within the following specification, + the word \"MUST\" indicates that an implementation supporting GRPCRoute + must conform to the indicated requirement, but an implementation not supporting + this route type need not follow the requirement unless explicitly indicated. + \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` + MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, + i.e. via ALPN. If the implementation does not support this, then it MUST + set the \"Accepted\" condition to \"False\" for the affected listener with + a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 + connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` + with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade + from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). + If the implementation does not support this, then it MUST set the \"Accepted\" + condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". + Implementations MAY also accept HTTP/2 connections with an upgrade from + HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against + the GRPC Host header to select a GRPCRoute to process the request. + This matches the RFC 1123 definition of a hostname with 2 notable + exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed + with a wildcard label (`*.`). The wildcard label MUST appear by + itself as the first label. \n If a hostname is specified by both + the Listener and GRPCRoute, there MUST be at least one intersecting + hostname for the GRPCRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + GRPCRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the + other hand, `example.com` and `test.example.net` would not match. + \n Hostnames that are prefixed with a wildcard label (`*.`) are + interpreted as a suffix match. That means that a match for `*.example.com` + would match both `test.example.com`, and `foo.test.example.com`, + but not `example.com`. \n If both the Listener and GRPCRoute have + specified hostnames, any GRPCRoute hostnames that do not match the + Listener hostname MUST be ignored. For example, if a Listener specified + `*.example.com`, and the GRPCRoute specified `test.example.com` + and `test.example.net`, `test.example.net` MUST NOT be considered + for a match. \n If both the Listener and GRPCRoute have specified + hostnames, and none match with the criteria above, then the GRPCRoute + MUST NOT be accepted by the implementation. The implementation MUST + raise an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute + is attached to a Listener and that listener already has another + Route (B) of the other type attached and the intersection of the + hostnames of A and B is non-empty, then the implementation MUST + accept exactly one of these two routes, determined by the following + criteria, in order: \n * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by \"{namespace}/{name}\". + \n The rejected Route MUST raise an 'Accepted' condition with a + status of 'False' in the corresponding RouteParentStatus. \n Support: + Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching a + gRPC request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive an `UNAVAILABLE` status. + \n See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, `UNAVAILABLE` statuses MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive an `UNAVAILABLE` + status. \n For example, if two backends are specified with + equal weights, and one is invalid, 50 percent of traffic MUST + receive an `UNAVAILABLE` status. Implementations may choose + how that 50 percent is determined. \n Support: Core for Kubernetes + Service \n Support: Implementation-specific for any other + resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards + a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed + if and only if the request is being forwarded to the + backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + supporting GRPCRoute MUST support core filters. + \n - Extended: Filter types and their corresponding + configuration defined by \"Support: Extended\" + in this package, e.g. \"RequestMirror\". Implementers + are encouraged to support extended filters. \n + - Implementation-specific: Filters that are defined + and supported by specific vendors. In the future, + filters showing convergence in behavior across + multiple implementations will be considered for + inclusion in extended or core conformance levels. + Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` + MUST be set to \"ExtensionRef\" for custom filters. + \n Implementers are encouraged to define custom + implementation types to extend the core API with + implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the + filter MUST NOT be skipped. Instead, requests + that would have been processed by that filter + MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations that support GRPCRoute. - Implementers + are encouraged to support extended filters. - Implementation-specific + custom filters have no API guarantees across implementations. + \n Specifying a core filter multiple times has unspecified + or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + GRPCRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations supporting GRPCRoute MUST support + core filters. \n - Extended: Filter types and their + corresponding configuration defined by \"Support: Extended\" + in this package, e.g. \"RequestMirror\". Implementers + are encouraged to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + description: "Matches define conditions used for matching the + rule against incoming gRPC requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - method: service: foo.bar headers: values: + version: 2 - method: service: foo.bar.v2 ``` \n For a request + to match against this rule, it MUST satisfy EITHER of the + two conditions: \n - service of foo.bar AND contains the header + `version: 2` - service of foo.bar.v2 \n See the documentation + for GRPCRouteMatch on how to specify multiple match conditions + to be ANDed together. \n If no matches are specified, the + implementation MUST match every gRPC request. \n Proxy or + Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing + on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number + of: \n * Characters in a matching non-wildcard hostname. * + Characters in a matching hostname. * Characters in a matching + service. * Characters in a matching method. * Header matches. + \n If ties still exist across multiple Routes, matching precedence + MUST be determined in order of the following criteria, continuing + on ties: \n * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by \"{namespace}/{name}\". + \n If ties still exist within the Route that has been given + precedence, matching precedence MUST be granted to the first + matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a gRPC request only if its service is `foo` + AND it contains the `version: v1` header: \n ``` matches: + - method: type: Exact service: \"foo\" headers: - name: + \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + description: GRPCHeaderMatch describes how to select + a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header + to be matched. \n If multiple entries specify + equivalent header names, only the first entry + with an equivalent name MUST be considered for + a match. Subsequent entries with an equivalent + header name MUST be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string." + maxLength: 1024 + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + maxLength: 1024 + type: string + type: + default: Exact + description: "Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified) \n Support: Implementation-specific + (Exact with method specified but no service specified) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). \n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +{{- end }} + diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/gateway.networking.k8s.io_httproutes.yaml b/charts/linkerd/linkerd-crds/2024.10.2/templates/gateway.networking.k8s.io_httproutes.yaml new file mode 100644 index 0000000000..b695c51d50 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/gateway.networking.k8s.io_httproutes.yaml @@ -0,0 +1,3881 @@ +{{- if .Values.enableHttpRoutes }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1923 + gateway.networking.k8s.io/bundle-version: v0.7.1 + gateway.networking.k8s.io/channel: experimental + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and + will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute used to process + the request. Implementations MUST ignore any port value specified + in the HTTP Host header while performing a match. \n Valid values + for Hostnames are determined by RFC 1123 definition of a hostname + with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n In the event that multiple HTTPRoutes specify + intersecting hostnames (e.g. overlapping wildcard matching and exact + matching hostnames), precedence must be given to rules from the + HTTPRoute with the largest number of: \n * Characters in a matching + non-wildcard hostname. * Characters in a matching hostname. \n If + ties exist across multiple Routes, the matching precedence rules + for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Extended + for Kubernetes ServiceImport \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a + filter that modifies a request during forwarding. + \n Support: Extended" + properties: + hostname: + description: "Hostname is the value to be used + to replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n + Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or implementation-specific + conformance. \n All filters are expected to be compatible + with each other except for the URLRewrite and RequestRedirect + filters, which may not be combined. If an implementation can + not support other combinations of filters, they must clearly + document that limitation. In all cases where incompatible + or unsupported filters are specified, implementations MUST + add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname in the `Host` header of + the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified path + is then used to construct the `Location` header. + When empty, the request path is used as-is. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. \n If + no port is specified, the redirect port MUST be + derived using the following rules: \n * If redirect + scheme is not-empty, the redirect port MUST be the + well-known port associated with the redirect scheme. + Specifically \"http\" to port 80 and \"https\" to + port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway + SHOULD be used. * If redirect scheme is empty, the + redirect port MUST be the Gateway Listener port. + \n Implementations SHOULD NOT add the port number + in the 'Location' header in the following cases: + \n * A Location header that will use HTTP (whether + that is determined via the Listener protocol or + the Scheme field) _and_ use port 80. * A Location + header that will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) _and_ + use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Scheme redirects can affect the port of the redirect, + for more information, refer to the documentation + for the port field of this filter. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause a + crash. \n Unknown values here must result in the + implementation setting the Accepted Condition for + the Route to `status: False`, with a Reason of `UnsupportedValue`. + \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. \n Unknown + values here must result in the implementation setting + the Accepted Condition for the Route to `status: + False`, with a Reason of `UnsupportedValue`. \n + Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n - + Extended: Filter types and their corresponding configuration + defined by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged to support + extended filters. \n - Implementation-specific: Filters + that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n Note that values may be added to this enum, + implementations must ensure that unknown values will + not cause a crash. \n Unknown values here must result + in the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter + that modifies a request during forwarding. \n Support: + Extended" + properties: + hostname: + description: "Hostname is the value to be used to + replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" + value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request + to match against this rule, a request must satisfy EITHER + of the two conditions: \n - path prefixed with `/foo` AND + contains the header `version: v2` - path prefix of `/v2/foo` + \n See the documentation for HTTPRouteMatch on how to specify + multiple match conditions that should be ANDed together. \n + If no matches are specified, the default is a prefix path + match on \"/\", which has the effect of matching every HTTP + request. \n Proxy or Load Balancer routing configuration generated + from HTTPRoutes MUST prioritize matches based on the following + criteria, continuing on ties. Across all rules specified on + applicable Routes, precedence must be given to the match having: + \n * \"Exact\" path match. * \"Prefix\" path match with largest + number of characters. * Method match. * Largest number of + header matches. * Largest number of query param matches. \n + Note: The precedence of RegularExpression path matches are + implementation-specific. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within an HTTPRoute, matching precedence MUST + be granted to the FIRST matching rule (in list order) with + a match meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: \n path: value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType has + implementation-specific conformance, implementations + can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's + documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is *recommended* that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). \n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute used to process + the request. Implementations MUST ignore any port value specified + in the HTTP Host header while performing a match. \n Valid values + for Hostnames are determined by RFC 1123 definition of a hostname + with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n In the event that multiple HTTPRoutes specify + intersecting hostnames (e.g. overlapping wildcard matching and exact + matching hostnames), precedence must be given to rules from the + HTTPRoute with the largest number of: \n * Characters in a matching + non-wildcard hostname. * Characters in a matching hostname. \n If + ties exist across multiple Routes, the matching precedence rules + for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Extended + for Kubernetes ServiceImport \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a + filter that modifies a request during forwarding. + \n Support: Extended" + properties: + hostname: + description: "Hostname is the value to be used + to replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n + Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or implementation-specific + conformance. \n All filters are expected to be compatible + with each other except for the URLRewrite and RequestRedirect + filters, which may not be combined. If an implementation can + not support other combinations of filters, they must clearly + document that limitation. In all cases where incompatible + or unsupported filters are specified, implementations MUST + add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname in the `Host` header of + the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified path + is then used to construct the `Location` header. + When empty, the request path is used as-is. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. \n If + no port is specified, the redirect port MUST be + derived using the following rules: \n * If redirect + scheme is not-empty, the redirect port MUST be the + well-known port associated with the redirect scheme. + Specifically \"http\" to port 80 and \"https\" to + port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway + SHOULD be used. * If redirect scheme is empty, the + redirect port MUST be the Gateway Listener port. + \n Implementations SHOULD NOT add the port number + in the 'Location' header in the following cases: + \n * A Location header that will use HTTP (whether + that is determined via the Listener protocol or + the Scheme field) _and_ use port 80. * A Location + header that will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) _and_ + use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Scheme redirects can affect the port of the redirect, + for more information, refer to the documentation + for the port field of this filter. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause a + crash. \n Unknown values here must result in the + implementation setting the Accepted Condition for + the Route to `status: False`, with a Reason of `UnsupportedValue`. + \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. \n Unknown + values here must result in the implementation setting + the Accepted Condition for the Route to `status: + False`, with a Reason of `UnsupportedValue`. \n + Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n - + Extended: Filter types and their corresponding configuration + defined by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged to support + extended filters. \n - Implementation-specific: Filters + that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n Note that values may be added to this enum, + implementations must ensure that unknown values will + not cause a crash. \n Unknown values here must result + in the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter + that modifies a request during forwarding. \n Support: + Extended" + properties: + hostname: + description: "Hostname is the value to be used to + replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" + value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request + to match against this rule, a request must satisfy EITHER + of the two conditions: \n - path prefixed with `/foo` AND + contains the header `version: v2` - path prefix of `/v2/foo` + \n See the documentation for HTTPRouteMatch on how to specify + multiple match conditions that should be ANDed together. \n + If no matches are specified, the default is a prefix path + match on \"/\", which has the effect of matching every HTTP + request. \n Proxy or Load Balancer routing configuration generated + from HTTPRoutes MUST prioritize matches based on the following + criteria, continuing on ties. Across all rules specified on + applicable Routes, precedence must be given to the match having: + \n * \"Exact\" path match. * \"Prefix\" path match with largest + number of characters. * Method match. * Largest number of + header matches. * Largest number of query param matches. \n + Note: The precedence of RegularExpression path matches are + implementation-specific. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within an HTTPRoute, matching precedence MUST + be granted to the FIRST matching rule (in list order) with + a match meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: \n path: value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType has + implementation-specific conformance, implementations + can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's + documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is *recommended* that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). \n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +{{- end }} + diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/authorization-policy.yaml b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/authorization-policy.yaml new file mode 100644 index 0000000000..7d86520e2e --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/authorization-policy.yaml @@ -0,0 +1,99 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: authorizationpolicies.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + shortNames: [authzpolicy] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied server + resources. + type: object + required: [targetRef, requiredAuthenticationRefs] + properties: + targetRef: + description: >- + TargetRef references a resource to which the authorization + policy applies. + type: object + required: [kind, name] + # Modified from the gateway API. + # Copyright 2020 The Kubernetes Authors + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + requiredAuthenticationRefs: + description: >- + RequiredAuthenticationRefs enumerates a set of required + authentications. ALL authentications must be satisfied for + the authorization to apply. If any of the referred objects + cannot be found, the authorization will be ignored. + type: array + items: + type: object + required: [kind, name] + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred." + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Name is the name of the referent. When unspecified, + this authentication refers to the local namespace. + maxLength: 253 + type: string diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/httproute.yaml b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/httproute.yaml new file mode 100644 index 0000000000..6d2e8b07ef --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/httproute.yaml @@ -0,0 +1,5328 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httproutes.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "port" + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + type: array + items: + type: object + properties: + name: + type: string + port: + type: integer + namespace: + type: string + default: "default" + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n\n " + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "port" + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + type: array + items: + type: object + properties: + name: + type: string + port: + type: integer + namespace: + type: string + default: "default" + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". Defaults to "Service" when + not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferenceGrant + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferenceGrant documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta3 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". Defaults to "Service" when + not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferenceGrant + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferenceGrant documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + timeouts: + description: "Timeouts defines the timeouts that can be configured + for an HTTP request. \n Support: Core \n " + properties: + backendRequest: + description: "BackendRequest specifies a timeout for an + individual request from the gateway to a backend service. + Typically used in conjunction with automatic retries, + if supported by an implementation. Default is the value + of Request timeout. \n Support: Extended" + format: duration + type: string + request: + description: "Request specifies a timeout for responding + to client HTTP requests, disabled by default. \n For example, + the following rule will timeout if a client request is + taking longer than 10 seconds to complete: \n ``` rules: + - timeouts: request: 10s backendRefs: ... ``` \n Support: + Core" + format: duration + type: string + type: object + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/meshtls-authentication.yaml b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/meshtls-authentication.yaml new file mode 100644 index 0000000000..58ee815f59 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/meshtls-authentication.yaml @@ -0,0 +1,87 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: meshtlsauthentications.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: MeshTLSAuthentication + plural: meshtlsauthentications + singular: meshtlsauthentication + shortNames: [meshtlsauthn] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + MeshTLSAuthentication defines a list of authenticated client IDs + to be referenced by an `AuthorizationPolicy`. If a client + connection has the mutually-authenticated identity that matches + ANY of the of the provided identities, the connection is + considered authenticated. + type: object + oneOf: + - required: [identities] + - required: [identityRefs] + properties: + identities: + description: >- + Authorizes clients with the provided proxy identity strings + (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + minItems: 1 + items: + type: string + identityRefs: + type: array + minItems: 1 + items: + type: object + required: + - kind + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred." + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. When unspecified, + this refers to all resources of the specified Group + and Kind in the specified namespace. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Name is the name of the referent. When unspecified, + this authentication refers to the local namespace. + maxLength: 253 + type: string diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/network-authentication.yaml b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/network-authentication.yaml new file mode 100644 index 0000000000..cef15d3c40 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/network-authentication.yaml @@ -0,0 +1,53 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkauthentications.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: NetworkAuthentication + plural: networkauthentications + singular: networkauthentication + shortNames: [netauthn, networkauthn] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + NetworkAuthentication defines a list of authenticated client + networks to be referenced by an `AuthorizationPolicy`. If a + client connection originates from ANY of the of the provided + networks, the connection is considered authenticated. + type: object + required: [networks] + properties: + networks: + type: array + items: + type: object + required: [cidr] + properties: + cidr: + description: >- + The CIDR of the network to be authorized. + type: string + except: + description: >- + A list of IP networks/addresses not to be included in + the above `cidr`. + type: array + items: + type: string diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/server-authorization.yaml b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/server-authorization.yaml new file mode 100644 index 0000000000..33fb659002 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/server-authorization.yaml @@ -0,0 +1,266 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: serverauthorizations.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: ServerAuthorization + plural: serverauthorizations + singular: serverauthorization + shortNames: [saz, serverauthz, srvauthz] + versions: + - name: v1alpha1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 ServerAuthorization is deprecated; use policy.linkerd.io/v1beta1 ServerAuthorization" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied servers. + type: object + required: [server, client] + properties: + server: + description: >- + Identifies servers in the same namespace for which this + authorization applies. + + Only one of `name` or `selector` may be specified. + type: object + oneOf: + - required: [name] + - required: [selector] + properties: + name: + description: References a `Server` instance by name + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + selector: + description: >- + A label query over servers on which this authorization applies. + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + client: + description: Describes clients authorized to access a server. + type: object + properties: + networks: + description: >- + Limits the client IP addresses to which this + authorization applies. If unset, the server chooses a + default (typically, all IPs or the cluster's pod + network). + type: array + items: + type: object + required: [cidr] + properties: + cidr: + type: string + except: + type: array + items: + type: string + unauthenticated: + description: >- + Authorizes unauthenticated clients to access a server. + type: boolean + meshTLS: + type: object + properties: + unauthenticatedTLS: + type: boolean + description: >- + Indicates that no client identity is required for + communication. + + This is mostly important for the identity + controller, which must terminate TLS connections + from clients that do not yet have a certificate. + identities: + description: >- + Authorizes clients with the provided proxy identity + strings (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + items: + type: string + pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' + serviceAccounts: + description: >- + Authorizes clients with the provided proxy identity + service accounts (as provided via MTLS) + type: array + items: + type: object + required: [name] + properties: + name: + description: The ServiceAccount's name. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + description: >- + The ServiceAccount's namespace. If unset, the + authorization's namespace is used. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied servers. + type: object + required: [server, client] + properties: + server: + description: >- + Identifies servers in the same namespace for which this + authorization applies. + + Only one of `name` or `selector` may be specified. + type: object + oneOf: + - required: [name] + - required: [selector] + properties: + name: + description: References a `Server` instance by name + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + selector: + description: >- + A label query over servers on which this authorization applies. + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + client: + description: Describes clients authorized to access a server. + type: object + properties: + networks: + description: >- + Limits the client IP addresses to which this + authorization applies. If unset, the server chooses a + default (typically, all IPs or the cluster's pod + network). + type: array + items: + type: object + required: [cidr] + properties: + cidr: + type: string + except: + type: array + items: + type: string + unauthenticated: + description: >- + Authorizes unauthenticated clients to access a server. + type: boolean + meshTLS: + type: object + properties: + unauthenticatedTLS: + type: boolean + description: >- + Indicates that no client identity is required for + communication. + + This is mostly important for the identity + controller, which must terminate TLS connections + from clients that do not yet have a certificate. + identities: + description: >- + Authorizes clients with the provided proxy identity + strings (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + items: + type: string + pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' + serviceAccounts: + description: >- + Authorizes clients with the provided proxy identity + service accounts (as provided via MTLS) + type: array + items: + type: object + required: [name] + properties: + name: + description: The ServiceAccount's name. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + description: >- + The ServiceAccount's namespace. If unset, the + authorization's namespace is used. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + additionalPrinterColumns: + - name: Server + type: string + description: The server that this grants access to + jsonPath: .spec.server.name diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/server.yaml b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/server.yaml new file mode 100644 index 0000000000..0af41224a0 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/policy/server.yaml @@ -0,0 +1,319 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: servers.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + names: + kind: Server + plural: servers + singular: server + shortNames: [srv] + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta1 Server" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - podSelector + - port + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + oneOf: + - required: [matchExpressions] + - required: [matchLabels] + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + - name: v1beta1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta3 Server" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - podSelector + - port + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol + - name: v1beta2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - port + oneOf: + - required: [podSelector] + - required: [externalWorkloadSelector] + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + externalWorkloadSelector: + type: object + description: >- + Selects ExternalWorkloads in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol + - name: v1beta3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - port + oneOf: + - required: [podSelector] + - required: [externalWorkloadSelector] + properties: + accessPolicy: + type: string + default: deny + description: >- + Default access policy to apply when the traffic doesn't match any of the policy rules. + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + externalWorkloadSelector: + type: object + description: >- + Selects ExternalWorkloads in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol + - name: Access Policy + type: string + description: The default access policy applied when the traffic doesn't match any of the policy rules + jsonPath: .spec.accessPolicy diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/serviceprofile.yaml b/charts/linkerd/linkerd-crds/2024.10.2/templates/serviceprofile.yaml new file mode 100644 index 0000000000..ad12c96a3a --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/serviceprofile.yaml @@ -0,0 +1,274 @@ +--- +### +### Service Profile CRD +### +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: serviceprofiles.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: linkerd.io + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + description: Spec is the custom resource spec + required: + - routes + properties: + dstOverrides: + type: array + required: + - authority + - weight + items: + type: object + description: WeightedDst is a weighted alternate destination. + properties: + authority: + type: string + weight: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + opaquePorts: + type: array + items: + type: string + retryBudget: + type: object + required: + - minRetriesPerSecond + - retryRatio + - ttl + description: RetryBudget describes the maximum number of retries that should be issued to this service. + properties: + minRetriesPerSecond: + format: int32 + type: integer + retryRatio: + type: number + format: float + ttl: + type: string + routes: + type: array + items: + type: object + description: RouteSpec specifies a Route resource. + required: + - condition + - name + properties: + condition: + type: object + description: RequestMatch describes the conditions under which to match a Route. + properties: + pathRegex: + type: string + method: + type: string + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + isRetryable: + type: boolean + name: + type: string + timeout: + type: string + responseClasses: + type: array + items: + type: object + required: + - condition + description: ResponseClass describes how to classify a response (e.g. success or failures). + properties: + condition: + type: object + description: ResponseMatch describes the conditions under + which to classify a response. + properties: + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + description: Range describes a range of integers (e.g. status codes). + properties: + max: + format: int32 + type: integer + min: + format: int32 + type: integer + isFailure: + type: boolean + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + description: Spec is the custom resource spec + properties: + dstOverrides: + type: array + required: + - authority + - weight + items: + type: object + description: WeightedDst is a weighted alternate destination. + properties: + authority: + type: string + weight: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + opaquePorts: + type: array + items: + type: string + retryBudget: + type: object + required: + - minRetriesPerSecond + - retryRatio + - ttl + description: RetryBudget describes the maximum number of retries that should be issued to this service. + properties: + minRetriesPerSecond: + format: int32 + type: integer + retryRatio: + type: number + format: float + ttl: + type: string + routes: + type: array + items: + type: object + description: RouteSpec specifies a Route resource. + required: + - condition + - name + properties: + condition: + type: object + description: RequestMatch describes the conditions under which to match a Route. + properties: + pathRegex: + type: string + method: + type: string + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + isRetryable: + type: boolean + name: + type: string + timeout: + type: string + responseClasses: + type: array + items: + type: object + required: + - condition + description: ResponseClass describes how to classify a response (e.g. success or failures). + properties: + condition: + type: object + description: ResponseMatch describes the conditions under + which to classify a response. + properties: + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + description: Range describes a range of integers (e.g. status codes). + properties: + max: + format: int32 + type: integer + min: + format: int32 + type: integer + isFailure: + type: boolean + scope: Namespaced + preserveUnknownFields: false + names: + plural: serviceprofiles + singular: serviceprofile + kind: ServiceProfile + shortNames: + - sp diff --git a/charts/linkerd/linkerd-crds/2024.10.2/templates/workload/external-workload.yaml b/charts/linkerd/linkerd-crds/2024.10.2/templates/workload/external-workload.yaml new file mode 100644 index 0000000000..2e6e43ae60 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/templates/workload/external-workload.yaml @@ -0,0 +1,303 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalworkloads.workload.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: workload.linkerd.io + names: + categories: + - external + kind: ExternalWorkload + listKind: ExternalWorkloadList + plural: externalworkloads + singular: externalworkload + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + description: >- + An ExternalWorkload describes a single workload (i.e. a deployable unit) external + to the cluster that should be enrolled in the mesh. + type: object + required: [spec] + properties: + apiVerson: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + meshTls: + description: meshTls describes TLS settings associated with an + external workload. + properties: + identity: + type: string + description: identity of the workload. Corresponds to the + identity used in the workload's certificate. It is used + by peers to perform verification in the mTLS handshake. + minLength: 1 + maxLength: 253 + serverName: + type: string + description: serverName is the name of the workload in DNS + format. It is used by the workload to terminate TLS using + SNI. + minLength: 1 + maxLength: 253 + type: object + required: + - identity + - serverName + ports: + type: array + description: ports describes a list of ports exposed by the + workload + items: + properties: + name: + type: string + description: name must be an IANA_SVC_NAME and unique + within the ports set. Each named port can be referred + to by services. + port: + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: protocol exposed by the port. Must be UDP or + TCP. Defaults to TCP. + type: string + default: "TCP" + type: object + required: + - port + workloadIPs: + type: array + description: workloadIPs contains a list of IP addresses that + can be used to send traffic to the workload. + items: + type: object + properties: + ip: + type: string + # TODO: relax this in the future when ipv6 is supported + # an external workload (like a pod) should only + # support 2 interfaces + maxItems: 1 + type: object + required: + - meshTls + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + lastProbeTime: + description: lastProbeTime is the last time the + healthcheck endpoint was probed. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime is the last time the + condition transitioned from one status to another. + format: date-time + type: string + status: + description: status of the condition (one of True, False, Unknown) + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of the condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last + transition. Producers of specific condition types may + define expected values and meanings for this field, and + whether the values are considered a guaranteed API. The + value should be a CamelCase string. This field may not + be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + message: + description: message is a human readable message + indicating details about the transition. This may be an + empty string. + maxLength: 32768 + type: string + required: + - status + - type + additionalPrinterColumns: + - jsonPath: .spec.meshTls.identity + name: Identity + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: >- + An ExternalWorkload describes a single workload (i.e. a deployable unit) external + to the cluster that should be enrolled in the mesh. + type: object + required: [spec] + properties: + apiVerson: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + meshTLS: + description: meshTLS describes TLS settings associated with an + external workload. + properties: + identity: + type: string + description: identity of the workload. Corresponds to the + identity used in the workload's certificate. It is used + by peers to perform verification in the mTLS handshake. + minLength: 1 + maxLength: 253 + serverName: + type: string + description: serverName is the name of the workload in DNS + format. It is used by the workload to terminate TLS using + SNI. + minLength: 1 + maxLength: 253 + type: object + required: + - identity + - serverName + ports: + type: array + description: ports describes a list of ports exposed by the + workload + items: + properties: + name: + type: string + description: name must be an IANA_SVC_NAME and unique + within the ports set. Each named port can be referred + to by services. + port: + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: protocol exposed by the port. Must be UDP or + TCP. Defaults to TCP. + type: string + default: "TCP" + type: object + required: + - port + workloadIPs: + type: array + description: workloadIPs contains a list of IP addresses that + can be used to send traffic to the workload. This field may + hold a maximum of two entries. If one entry, it can be an + IPv4 or IPv6 address; if two entries it should contain one + IPv4 address and one IPv6 address. + items: + type: object + properties: + ip: + type: string + maxItems: 2 + type: object + required: + - meshTLS + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + lastProbeTime: + description: lastProbeTime is the last time the + healthcheck endpoint was probed. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime is the last time the + condition transitioned from one status to another. + format: date-time + type: string + status: + description: status of the condition (one of True, False, Unknown) + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of the condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last + transition. Producers of specific condition types may + define expected values and meanings for this field, and + whether the values are considered a guaranteed API. The + value should be a CamelCase string. This field may not + be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + message: + description: message is a human readable message + indicating details about the transition. This may be an + empty string. + maxLength: 32768 + type: string + required: + - status + - type + additionalPrinterColumns: + - jsonPath: .spec.meshTLS.identity + name: Identity + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date diff --git a/charts/linkerd/linkerd-crds/2024.10.2/values.yaml b/charts/linkerd/linkerd-crds/2024.10.2/values.yaml new file mode 100644 index 0000000000..362145168d --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.10.2/values.yaml @@ -0,0 +1 @@ +enableHttpRoutes: true diff --git a/charts/minio/minio-operator/6.0.4/.helmignore b/charts/minio/minio-operator/6.0.4/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/minio/minio-operator/6.0.4/Chart.yaml b/charts/minio/minio-operator/6.0.4/Chart.yaml new file mode 100644 index 0000000000..b41e6aa5d7 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Minio Operator + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: minio-operator +apiVersion: v2 +appVersion: v6.0.4 +description: A Helm chart for MinIO Operator +home: https://min.io +icon: file://assets/icons/minio-operator.png +keywords: +- storage +- object-storage +- S3 +kubeVersion: '>=1.19-0' +maintainers: +- email: dev@minio.io + name: MinIO, Inc +name: minio-operator +sources: +- https://github.com/minio/operator +type: application +version: 6.0.4 diff --git a/charts/minio/minio-operator/6.0.4/README.md b/charts/minio/minio-operator/6.0.4/README.md new file mode 100644 index 0000000000..c7e73ec3e6 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/README.md @@ -0,0 +1,45 @@ +# MinIO ![license](https://img.shields.io/badge/license-AGPL%20V3-blue) + +[MinIO](https://min.io) is a High Performance Object Storage released under GNU AGPLv3 or later. It is API compatible +with Amazon S3 cloud storage service. Use MinIO to build high performance infrastructure for machine learning, analytics +and application data workloads. + +For more detailed documentation please visit [here](https://docs.minio.io/) + +Introduction +------------ + +This chart bootstraps MinIO Operator on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Configure MinIO Helm repo +-------------------- + +```bash +helm repo add minio https://operator.min.io/ +``` + +Installing the Chart +-------------------- + +Install this chart using: + +```bash +helm install \ + --namespace minio-operator \ + --create-namespace \ + minio-operator minio/operator +``` + +The command deploys MinIO Operator on the Kubernetes cluster in the default configuration. + +Creating a Tenant +----------------- + +Once the MinIO Operator Chart is successfully installed, create a MinIO Tenant using: + +```bash +helm install --namespace tenant-ns \ + --create-namespace tenant minio/tenant +``` + +This creates a 4 Node MinIO Tenant (cluster). To change the default values, take a look at various [values.yaml](https://github.com/minio/operator/blob/master/helm/tenant/values.yaml). diff --git a/charts/minio/minio-operator/6.0.4/app-readme.md b/charts/minio/minio-operator/6.0.4/app-readme.md new file mode 100644 index 0000000000..ac0f1294a8 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/app-readme.md @@ -0,0 +1,78 @@ +# MinIO Operator + +MinIO is a Kubernetes-native high performance object store with an S3-compatible API. The +MinIO Kubernetes Operator supports deploying MinIO Tenants onto private and public +cloud infrastructures ("Hybrid" Cloud). + +## Procedure + +### 1) Verify installation the MinIO Operator +Run the following command to verify the status of the Operator: + +```sh +kubectl get pods -n minio-operator +``` + +The output resembles the following: + +```sh +NAME READY STATUS RESTARTS AGE +console-6b6cf8946c-9cj25 1/1 Running 0 99s +minio-operator-69fd675557-lsrqg 1/1 Running 0 99s +``` + +The `console-*` pod runs the MinIO Operator Console, a graphical user +interface for creating and managing MinIO Tenants. + +The `minio-operator-*` pod runs the MinIO Operator itself. + +### 2) Access the Operator Console + +Get the service-account token to access the UI: + +```sh +kubectl -n minio-operator get secret $(kubectl -n minio-operator get serviceaccount console-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode +``` + +Run the following command to create a local proxy to the MinIO Operator +Console: + +```sh +kubectl -n minio-operator port-forward svc/console 9090 +``` + +Open your browser to http://localhost:9090 and use the JWT token to log in +to the Operator Console. + + + +Click **+ Create Tenant** to open the Tenant Creation workflow. + +### 3) Build the Tenant Configuration + +The Operator Console **Create New Tenant** walkthrough builds out +a MinIO Tenant. The following list describes the basic configuration sections. + +- **Name** - Specify the *Name*, *Namespace*, and *Storage Class* for the new Tenant. + + The *Storage Class* must correspond to a [Storage Class](#default-storage-class) that corresponds to [Local Persistent Volumes](#local-persistent-volumes) that can support the MinIO Tenant. + + The *Namespace* must correspond to an existing [Namespace](#minio-tenant-namespace) that does *not* contain any other MinIO Tenant. + + Enable *Advanced Mode* to access additional advanced configuration options. + +- **Tenant Size** - Specify the *Number of Servers*, *Number of Drives per Server*, and *Total Size* of the Tenant. + + The *Resource Allocation* section summarizes the Tenant configuration + based on the inputs above. + + Additional configuration inputs may be visible if *Advanced Mode* was enabled + in the previous step. + +- **Preview Configuration** - summarizes the details of the new Tenant. + +After configuring the Tenant to your requirements, click **Create** to create the new tenant. + +The Operator Console displays credentials for connecting to the MinIO Tenant. You *must* download and secure these credentials at this stage. You cannot trivially retrieve these credentials later. + +You can monitor Tenant creation from the Operator Console. \ No newline at end of file diff --git a/charts/minio/minio-operator/6.0.4/templates/_helpers.tpl b/charts/minio/minio-operator/6.0.4/templates/_helpers.tpl new file mode 100644 index 0000000000..53e96058c7 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/templates/_helpers.tpl @@ -0,0 +1,37 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "minio-operator.name" -}} + {{- default .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "minio-operator.chart" -}} + {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels for operator +*/}} +{{- define "minio-operator.labels" -}} +helm.sh/chart: {{ include "minio-operator.chart" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- range $key, $val := .Values.operator.additionalLabels }} +{{ $key }}: {{ $val | quote }} +{{- end }} +{{- end -}} + +{{/* +Selector labels Operator +*/}} +{{- define "minio-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "minio-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/charts/minio/minio-operator/6.0.4/templates/job.min.io_jobs.yaml b/charts/minio/minio-operator/6.0.4/templates/job.min.io_jobs.yaml new file mode 100644 index 0000000000..64f9bafe2e --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/templates/job.min.io_jobs.yaml @@ -0,0 +1,1203 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + operator.min.io/version: v6.0.4 + name: miniojobs.job.min.io +spec: + group: job.min.io + names: + kind: MinIOJob + listKind: MinIOJobList + plural: miniojobs + shortNames: + - miniojob + singular: miniojob + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .status.message + name: Message + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + commands: + items: + properties: + args: + additionalProperties: + type: string + type: object + command: + items: + type: string + type: array + dependsOn: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + name: + type: string + op: + type: string + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + type: string + kind: + type: string + readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + type: array + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + execution: + default: parallel + enum: + - parallel + - sequential + type: string + failureStrategy: + default: continueOnFailure + enum: + - continueOnFailure + - stopOnFailure + type: string + imagePullPolicy: + type: string + imagePullSecret: + items: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + type: array + insecure: + type: boolean + mcImage: + default: quay.io/minio/mc:RELEASE.2024-10-02T08-27-28Z + type: string + securityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + serviceAccountName: + type: string + tenant: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + required: + - commands + - serviceAccountName + - tenant + type: object + status: + properties: + commands: + items: + properties: + message: + type: string + name: + type: string + result: + type: string + required: + - result + type: object + type: array + message: + type: string + phase: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/minio/minio-operator/6.0.4/templates/minio.min.io_tenants.yaml b/charts/minio/minio-operator/6.0.4/templates/minio.min.io_tenants.yaml new file mode 100644 index 0000000000..d4a1f9fc5e --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/templates/minio.min.io_tenants.yaml @@ -0,0 +1,5673 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + operator.min.io/version: v6.0.4 + name: tenants.minio.min.io +spec: + group: minio.min.io + names: + kind: Tenant + listKind: TenantList + plural: tenants + shortNames: + - tenant + singular: tenant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.currentState + name: State + type: string + - jsonPath: .status.healthStatus + name: Health + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + scheduler: + properties: + name: + type: string + required: + - name + type: object + spec: + properties: + additionalVolumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + additionalVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + type: string + kind: + type: string + readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + buckets: + items: + properties: + name: + type: string + objectLock: + type: boolean + region: + type: string + type: object + type: array + certConfig: + properties: + commonName: + type: string + dnsNames: + items: + type: string + type: array + organizationName: + items: + type: string + type: array + type: object + certExpiryAlertThreshold: + format: int32 + type: integer + configuration: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + exposeServices: + properties: + console: + type: boolean + minio: + type: boolean + type: object + externalCaCertSecret: + items: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + type: array + externalCertSecret: + items: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + type: array + externalClientCertSecret: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + externalClientCertSecrets: + items: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + type: array + features: + properties: + bucketDNS: + type: boolean + domains: + properties: + console: + type: string + minio: + items: + type: string + type: array + type: object + enableSFTP: + type: boolean + type: object + image: + type: string + imagePullPolicy: + type: string + imagePullSecret: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + initContainers: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + kes: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + clientCertSecret: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + externalCertSecret: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + gcpCredentialSecretName: + type: string + gcpWorkloadIdentityPool: + type: string + image: + type: string + imagePullPolicy: + type: string + kesSecret: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + keyName: + type: string + labels: + additionalProperties: + type: string + type: object + nodeSelector: + additionalProperties: + type: string + type: object + replicas: + format: int32 + type: integer + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + serviceAccountName: + type: string + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + required: + - kesSecret + type: object + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + liveness: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + logging: + properties: + anonymous: + type: boolean + json: + type: boolean + quiet: + type: boolean + type: object + mountPath: + type: string + podManagementPolicy: + type: string + pools: + items: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + labels: + additionalProperties: + type: string + type: object + name: + minLength: 1 + type: string + nodeSelector: + additionalProperties: + type: string + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + securityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + servers: + format: int32 + type: integer + x-kubernetes-validations: + - message: servers is immutable + rule: self == oldSelf + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumeClaimTemplate: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + volumesPerServer: + format: int32 + type: integer + x-kubernetes-validations: + - message: volumesPerServer is immutable + rule: self == oldSelf + required: + - name + - servers + - volumeClaimTemplate + - volumesPerServer + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + priorityClassName: + type: string + prometheusOperator: + type: boolean + readiness: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + requestAutoCert: + type: boolean + serviceAccountName: + type: string + serviceMetadata: + properties: + consoleServiceAnnotations: + additionalProperties: + type: string + type: object + consoleServiceLabels: + additionalProperties: + type: string + type: object + minioServiceAnnotations: + additionalProperties: + type: string + type: object + minioServiceLabels: + additionalProperties: + type: string + type: object + type: object + sideCars: + properties: + containers: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + volumeClaimTemplates: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + type: string + kind: + type: string + readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + startup: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + subPath: + type: string + users: + items: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + type: array + required: + - pools + type: object + status: + properties: + availableReplicas: + format: int32 + type: integer + certificates: + nullable: true + properties: + autoCertEnabled: + nullable: true + type: boolean + customCertificates: + nullable: true + properties: + client: + items: + properties: + certName: + type: string + domains: + items: + type: string + type: array + expiresIn: + type: string + expiry: + type: string + serialNo: + type: string + type: object + type: array + minio: + items: + properties: + certName: + type: string + domains: + items: + type: string + type: array + expiresIn: + type: string + expiry: + type: string + serialNo: + type: string + type: object + type: array + minioCAs: + items: + properties: + certName: + type: string + domains: + items: + type: string + type: array + expiresIn: + type: string + expiry: + type: string + serialNo: + type: string + type: object + type: array + type: object + type: object + currentState: + type: string + drivesHealing: + format: int32 + type: integer + drivesOffline: + format: int32 + type: integer + drivesOnline: + format: int32 + type: integer + healthMessage: + type: string + healthStatus: + type: string + pools: + items: + properties: + legacySecurityContext: + type: boolean + ssName: + type: string + state: + type: string + required: + - ssName + - state + type: object + nullable: true + type: array + provisionedBuckets: + type: boolean + provisionedUsers: + type: boolean + revision: + format: int32 + type: integer + syncVersion: + type: string + usage: + properties: + capacity: + format: int64 + type: integer + rawCapacity: + format: int64 + type: integer + rawUsage: + format: int64 + type: integer + tiers: + items: + properties: + Name: + type: string + Type: + type: string + totalSize: + format: int64 + type: integer + required: + - Name + - totalSize + type: object + type: array + usage: + format: int64 + type: integer + type: object + waitingOnReady: + format: date-time + type: string + writeQuorum: + format: int32 + type: integer + required: + - availableReplicas + - certificates + - currentState + - pools + - revision + - syncVersion + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/minio/minio-operator/6.0.4/templates/operator-clusterrole.yaml b/charts/minio/minio-operator/6.0.4/templates/operator-clusterrole.yaml new file mode 100644 index 0000000000..7428beb4ae --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/templates/operator-clusterrole.yaml @@ -0,0 +1,183 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: minio-operator-role + labels: {{- include "minio-operator.labels" . | nindent 4 }} +rules: + - apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - update + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - update + - list + - apiGroups: + - "" + resources: + - namespaces + - nodes + verbs: + - create + - get + - watch + - list + - apiGroups: + - "" + resources: + - pods + - services + - events + - configmaps + verbs: + - get + - watch + - create + - list + - delete + - deletecollection + - update + - patch + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - create + - update + - list + - delete + - deletecollection + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - statefulsets + - deployments + - deployments/finalizers + verbs: + - get + - create + - list + - patch + - watch + - update + - delete + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - create + - list + - patch + - watch + - update + - delete + - apiGroups: + - "certificates.k8s.io" + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: + - update + - create + - get + - delete + - list + - apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + - kubernetes.io/kube-apiserver-client + - kubernetes.io/kubelet-serving + - beta.eks.amazonaws.com/app-serving + resources: + - signers + verbs: + - approve + - sign + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - minio.min.io + - sts.min.io + - job.min.io + resources: + - "*" + verbs: + - "*" + - apiGroups: + - min.io + resources: + - "*" + verbs: + - "*" + - apiGroups: + - monitoring.coreos.com + resources: + - prometheuses + - prometheusagents + verbs: + - get + - update + - list + - apiGroups: + - "coordination.k8s.io" + resources: + - leases + verbs: + - get + - update + - create + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - get + - list + - patch + - update + - deletecollection diff --git a/charts/minio/minio-operator/6.0.4/templates/operator-clusterrolebinding.yaml b/charts/minio/minio-operator/6.0.4/templates/operator-clusterrolebinding.yaml new file mode 100644 index 0000000000..ad4add53d4 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/templates/operator-clusterrolebinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: minio-operator-binding + labels: {{- include "minio-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: minio-operator-role +subjects: + - kind: ServiceAccount + name: minio-operator + namespace: {{ .Release.Namespace }} diff --git a/charts/minio/minio-operator/6.0.4/templates/operator-deployment.yaml b/charts/minio/minio-operator/6.0.4/templates/operator-deployment.yaml new file mode 100644 index 0000000000..5ffbd31786 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/templates/operator-deployment.yaml @@ -0,0 +1,67 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minio-operator + namespace: {{ .Release.Namespace }} + labels: {{- include "minio-operator.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.operator.replicaCount }} + selector: + matchLabels: {{- include "minio-operator.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "minio-operator.labels" . | nindent 8 }} + {{- include "minio-operator.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.operator.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.runtimeClassName }} + runtimeClassName: {{ . }} + {{- end }} + serviceAccountName: minio-operator + {{- with .Values.operator.securityContext }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.topologySpreadConstraints }} + topologySpreadConstraints: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.operator.initContainers }} + initContainers: {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.digest | default .Values.operator.image.tag }}" + imagePullPolicy: {{ .Values.operator.image.pullPolicy }} + args: + - controller + {{- with .Values.operator.env }} + env: {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.operator.sidecarImage }} + - name: "OPERATOR_SIDECAR_IMAGE" + value: "{{ .Values.operator.sidecarImage.repository }}:{{ .Values.operator.sidecarImage.digest | default .Values.operator.sidecarImage.tag }}" + {{- end }} + resources: {{- toYaml .Values.operator.resources | nindent 12 }} + {{- with .Values.operator.containerSecurityContext }} + securityContext: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.operator.volumeMounts }} + volumeMounts: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.operator.volumes }} + volumes: {{- toYaml . | nindent 8 }} + {{- end }} \ No newline at end of file diff --git a/charts/minio/minio-operator/6.0.4/templates/operator-service.yaml b/charts/minio/minio-operator/6.0.4/templates/operator-service.yaml new file mode 100644 index 0000000000..33f25fbbb1 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/templates/operator-service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: operator + namespace: {{ .Release.Namespace }} + labels: {{- include "minio-operator.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 4221 + name: http + selector: + operator: leader + {{- include "minio-operator.selectorLabels" . | nindent 4 }} diff --git a/charts/minio/minio-operator/6.0.4/templates/operator-serviceaccount.yaml b/charts/minio/minio-operator/6.0.4/templates/operator-serviceaccount.yaml new file mode 100644 index 0000000000..8ae899da6e --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/templates/operator-serviceaccount.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: minio-operator + namespace: {{ .Release.Namespace }} + labels: {{- include "minio-operator.labels" . | nindent 4 }} + {{- with .Values.operator.serviceAccountAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/charts/minio/minio-operator/6.0.4/templates/sts-service.yaml b/charts/minio/minio-operator/6.0.4/templates/sts-service.yaml new file mode 100644 index 0000000000..51b06a5903 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/templates/sts-service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: sts + namespace: {{ .Release.Namespace }} + labels: {{- include "minio-operator.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 4223 + name: https + selector: {{- include "minio-operator.selectorLabels" . | nindent 4 }} diff --git a/charts/minio/minio-operator/6.0.4/templates/sts.min.io_policybindings.yaml b/charts/minio/minio-operator/6.0.4/templates/sts.min.io_policybindings.yaml new file mode 100644 index 0000000000..c1a3ac2446 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/templates/sts.min.io_policybindings.yaml @@ -0,0 +1,133 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + operator.min.io/version: v6.0.4 + name: policybindings.sts.min.io +spec: + group: sts.min.io + names: + kind: PolicyBinding + listKind: PolicyBindingList + plural: policybindings + shortNames: + - policybinding + singular: policybinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.currentState + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + application: + properties: + namespace: + type: string + serviceaccount: + type: string + required: + - namespace + - serviceaccount + type: object + policies: + items: + type: string + type: array + required: + - application + - policies + type: object + status: + properties: + currentState: + type: string + usage: + nullable: true + properties: + authotizations: + format: int64 + type: integer + type: object + required: + - currentState + - usage + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.currentState + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + application: + properties: + namespace: + type: string + serviceaccount: + type: string + required: + - namespace + - serviceaccount + type: object + policies: + items: + type: string + type: array + required: + - application + - policies + type: object + status: + properties: + currentState: + type: string + usage: + nullable: true + properties: + authotizations: + format: int64 + type: integer + type: object + required: + - currentState + - usage + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/minio/minio-operator/6.0.4/values.yaml b/charts/minio/minio-operator/6.0.4/values.yaml new file mode 100644 index 0000000000..a86506cf55 --- /dev/null +++ b/charts/minio/minio-operator/6.0.4/values.yaml @@ -0,0 +1,187 @@ +### +# Root key for Operator Helm Chart +operator: + ### + # An array of environment variables to pass to the Operator deployment. + # Pass an empty array to start Operator with defaults. + # + # For example: + # + # .. code-block:: yaml + # + # env: + # - name: CLUSTER_DOMAIN + # value: "cluster.domain" + # - name: WATCHED_NAMESPACE + # value: "" + # - name: MINIO_OPERATOR_RUNTIME + # value: "OpenShift" + # + # See `Operator environment variables `__ for a list of all supported values. + env: + - name: OPERATOR_STS_ENABLED + value: "on" + # An array of additional annotations to be applied to the operator service account + serviceAccountAnnotations: [] + # additional labels to be applied to operator resources + additionalLabels: {} + ### + # Specify the Operator container image to use for the deployment. + # ``image.tag`` + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v6.0.4 tag. + # The container pulls the image if not already present: + # + # .. code-block:: yaml + # + # image: + # repository: quay.io/minio/operator + # tag: v6.0.4 + # pullPolicy: IfNotPresent + # + # The chart also supports specifying an image based on digest value: + # + # .. code-block:: yaml + # + # image: + # repository: quay.io/minio/operator@sha256 + # digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983 + # pullPolicy: IfNotPresent + # + image: + repository: quay.io/minio/operator + tag: v6.0.4 + pullPolicy: IfNotPresent + ### + # Specify the sidecar container image to deploy on tenant pods for init container and sidecar. + # Only need to change this if want to use a different version that the default, or want to set a custom registry. + # ``sidecarImage.tag`` + # For example, the following sets the image to the ``quay.io/minio/operator-sidecar`` repo and the v6.0.4 tag. + # The container pulls the image if not already present: + # + # .. code-block:: yaml + # + # sidecarImage: + # repository: quay.io/minio/operator-sidecar + # tag: v6.0.4 + # pullPolicy: IfNotPresent + # + # The chart also supports specifying an image based on digest value: + # + # .. code-block:: yaml + # + # sidecarImage: + # repository: quay.io/minio/operator-sidecar@sha256 + # digest: a11947a230b80fb1b0bffa97173147a505d4f1207958f722e348d11ab9e972c1 + # pullPolicy: IfNotPresent + # + sidecarImage: {} + ### + # + # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``. + # Only one array element is supported at this time. + imagePullSecrets: [ ] + ### + # + # The name of a custom `Container Runtime `__ to use for the Operator pods. + runtimeClassName: ~ + ### + # An array of `initContainers `__ to start up before the Operator pods. + # Exercise care as ``initContainer`` failures prevent Operator pods from starting. + # Pass an empty array to start the Operator normally. + initContainers: [ ] + ### + # The number of Operator pods to deploy. + # Higher values increase availability in the event of worker node failures. + # + # The cluster must have sufficient number of available worker nodes to fulfill the request. + # Operator pods deploy with pod anti-affinity by default, preventing Kubernetes from scheduling multiple pods onto a single Worker node. + replicaCount: 2 + ### + # The Kubernetes `SecurityContext `__ to use for deploying Operator resources. + # + # You may need to modify these values to meet your cluster's security and access settings. + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + fsGroup: 1000 + ### + # The Kubernetes `SecurityContext `__ to use for deploying Operator containers. + # You may need to modify these values to meet your cluster's security and access settings. + containerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + ### + # An array of `Volumes `__ which the Operator can mount to pods. + # + # The volumes must exist *and* be accessible to the Operator pods. + volumes: [ ] + ### + # An array of volume mount points associated to each Operator container. + # + # Specify each item in the array as follows: + # + # .. code-block:: yaml + # + # volumeMounts: + # - name: volumename + # mountPath: /path/to/mount + # + # The ``name`` field must correspond to an entry in the ``volumes`` array. + volumeMounts: [ ] + ### + # Any `Node Selectors `__ to apply to Operator pods. + # + # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Operator pods. + # + # If no worker nodes match the specified selectors, the Operator deployment will fail. + nodeSelector: { } + ### + # + # The `Pod Priority `__ to assign to Operator pods. + priorityClassName: "" + ### + # + # The `affinity `__ or anti-affinity settings to apply to Operator pods. + # + # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - minio-operator + topologyKey: kubernetes.io/hostname + ### + # + # An array of `Toleration labels `__ to associate to Operator pods. + # + # These settings determine the distribution of pods across worker nodes. + tolerations: [ ] + ### + # + # An array of `Topology Spread Constraints `__ to associate to Operator pods. + # + # These settings determine the distribution of pods across worker nodes. + topologySpreadConstraints: [ ] + ### + # + # The `Requests or Limits `__ for resources to associate to Operator pods. + # + # These settings can control the minimum and maximum resources requested for each pod. + # If no worker nodes can meet the specified requests, the Operator may fail to deploy. + resources: + requests: + cpu: 200m + memory: 256Mi + ephemeral-storage: 500Mi diff --git a/charts/redpanda/redpanda/5.9.6/.helmignore b/charts/redpanda/redpanda/5.9.6/.helmignore new file mode 100644 index 0000000000..d5bb5e6ba6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/.helmignore @@ -0,0 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +*.go +testdata/ +ci/ diff --git a/charts/redpanda/redpanda/5.9.6/Chart.lock b/charts/redpanda/redpanda/5.9.6/Chart.lock new file mode 100644 index 0000000000..b3c6c0a2a7 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: console + repository: https://charts.redpanda.com + version: 0.7.29 +- name: connectors + repository: https://charts.redpanda.com + version: 0.1.13 +digest: sha256:3023f8ca61cf80050d0f0e73f9e86b73ae796717c651be8765c9db90996e5462 +generated: "2024-09-26T22:13:55.854012+02:00" diff --git a/charts/redpanda/redpanda/5.9.6/Chart.yaml b/charts/redpanda/redpanda/5.9.6/Chart.yaml new file mode 100644 index 0000000000..8eaa3e06e6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/Chart.yaml @@ -0,0 +1,38 @@ +annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v24.2.5 + - name: busybox + image: busybox:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.10.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda +apiVersion: v2 +appVersion: v24.2.5 +dependencies: +- condition: console.enabled + name: console + repository: https://charts.redpanda.com + version: '>=0.5 <1.0' +- condition: connectors.enabled + name: connectors + repository: https://charts.redpanda.com + version: '>=0.1.2 <1.0' +description: Redpanda is the real-time engine for modern apps. +icon: file://assets/icons/redpanda.svg +kubeVersion: '>=1.21-0' +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: redpanda +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 5.9.6 diff --git a/charts/redpanda/redpanda/5.9.6/LICENSE b/charts/redpanda/redpanda/5.9.6/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/redpanda/redpanda/5.9.6/README.md b/charts/redpanda/redpanda/5.9.6/README.md new file mode 100644 index 0000000000..ac2fc3acde --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/README.md @@ -0,0 +1,1214 @@ +# Redpanda Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Helm chart. +--- + +![Version: 5.9.6](https://img.shields.io/badge/Version-5.9.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.2.5](https://img.shields.io/badge/AppVersion-v24.2.5-informational?style=flat-square) + +This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.25.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.redpanda.com | connectors | >=0.1.2 <1.0 | +| https://charts.redpanda.com | console | >=0.5 <1.0 | + +## Settings + +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=affinity) + +Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). + +**Default:** `{}` + +### [auditLogging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging) + +Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0. + +**Default:** + +``` +{"clientMaxBufferSize":16777216,"enabled":false,"enabledEventTypes":null,"excludedPrincipals":null,"excludedTopics":null,"listener":"internal","partitions":12,"queueDrainIntervalMs":500,"queueMaxBufferSizePerShard":1048576,"replicationFactor":null} +``` + +### [auditLogging.clientMaxBufferSize](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.clientMaxBufferSize) + +Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages. + +**Default:** `16777216` + +### [auditLogging.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabled) + +Enable or disable audit logging, for production clusters we suggest you enable, however, this will only work if you also enable sasl and a listener with sasl enabled. + +**Default:** `false` + +### [auditLogging.enabledEventTypes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabledEventTypes) + +Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`]. + +**Default:** `nil` + +### [auditLogging.excludedPrincipals](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedPrincipals) + +List of principals to exclude from auditing, default is null. + +**Default:** `nil` + +### [auditLogging.excludedTopics](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedTopics) + +List of topics to exclude from auditing, default is null. + +**Default:** `nil` + +### [auditLogging.listener](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.listener) + +Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. For external listeners, use the external listener name, such as `default`. + +**Default:** `"internal"` + +### [auditLogging.partitions](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.partitions) + +Integer value defining the number of partitions used by a newly created audit topic. + +**Default:** `12` + +### [auditLogging.queueDrainIntervalMs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueDrainIntervalMs) + +In ms, frequency in which per shard audit logs are batched to client for write to audit log. + +**Default:** `500` + +### [auditLogging.queueMaxBufferSizePerShard](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueMaxBufferSizePerShard) + +Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard. + +**Default:** `1048576` + +### [auditLogging.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.replicationFactor) + +Defines the replication factor for a newly created audit log topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null` + +**Default:** `nil` + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). + +**Default:** + +``` +{"sasl":{"bootstrapUser":{"mechanism":"SCRAM-SHA-256"},"enabled":false,"mechanism":"SCRAM-SHA-512","secretRef":"redpanda-users","users":[]}} +``` + +### [auth.sasl.bootstrapUser](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.bootstrapUser) + +Details about how to create the bootstrap user for the cluster. The secretKeyRef is optionally specified. If it is specified, the chart will use a password written to that secret when creating the "kubernetes-controller" bootstrap user. If it is unspecified, then the secret will be generated and stored in the secret "releasename"-bootstrap-user, with the key "password". + +**Default:** + +``` +{"mechanism":"SCRAM-SHA-256"} +``` + +### [auth.sasl.bootstrapUser.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.bootstrapUser.mechanism) + +The authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +**Default:** `"SCRAM-SHA-256"` + +### [auth.sasl.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.enabled) + +Enable SASL authentication. If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`. + +**Default:** `false` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +**Default:** `"SCRAM-SHA-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your superuser credentials. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets). + +**Default:** `"redpanda-users"` + +### [auth.sasl.users](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.users) + +Optional list of superusers. These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`. If this list is empty, the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart. Uncomment the sample list if you wish to try adding sample sasl users or override to use your own. + +**Default:** `[]` + +### [clusterDomain](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=clusterDomain) + +Default Kubernetes cluster domain. + +**Default:** `"cluster.local"` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config) + +This section contains various settings supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these settings comes with some risk. Use these settings to customize various Redpanda configurations that are not covered in other sections. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. For descriptions of these properties, see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/). + +**Default:** + +``` +{"cluster":{},"node":{"crash_loop_limit":5},"pandaproxy_client":{},"rpk":{},"schema_registry_client":{},"tunable":{"compacted_log_segment_size":67108864,"kafka_connection_rate_limit":1000,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912}} +``` + +### [config.cluster](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.cluster) + +[Cluster Configuration Properties](https://docs.redpanda.com/current/reference/properties/cluster-properties/) + +**Default:** `{}` + +### [config.node](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node) + +[Broker (node) Configuration Properties](https://docs.redpanda.com/docs/reference/broker-properties/). + +**Default:** `{"crash_loop_limit":5}` + +### [config.node.crash_loop_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node.crash_loop_limit) + +Crash loop limit A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. This limit prevents a broker from getting stuck in an infinite cycle of crashes. User can disable this crash loop limit check by the following action: * One hour elapses since the last crash * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects * The startup_log file in the node’s data_directory is manually deleted Default to 5 REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit + +**Default:** `5` + +### [config.tunable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable) + +Tunable cluster properties. Deprecated: all settings here may be specified via `config.cluster`. + +**Default:** + +``` +{"compacted_log_segment_size":67108864,"kafka_connection_rate_limit":1000,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912} +``` + +### [config.tunable.compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.compacted_log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#compacted_log_segment_size). + +**Default:** `67108864` + +### [config.tunable.kafka_connection_rate_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.kafka_connection_rate_limit) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit). + +**Default:** `1000` + +### [config.tunable.log_segment_size_max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_max) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_max). + +**Default:** `268435456` + +### [config.tunable.log_segment_size_min](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_min) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_min). + +**Default:** `16777216` + +### [config.tunable.max_compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.max_compacted_log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#max_compacted_log_segment_size). + +**Default:** `536870912` + +### [connectors](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=connectors) + +Redpanda Managed Connectors settings For a reference of configuration settings, see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/). + +**Default:** + +``` +{"deployment":{"create":false},"enabled":false,"test":{"create":false}} +``` + +### [console](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=console) + +Redpanda Console settings. For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + +**Default:** + +``` +{"config":{},"configmap":{"create":false},"deployment":{"create":false},"enabled":true,"secret":{"create":false}} +``` + +### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise) + +Enterprise (optional) For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). + +**Default:** + +``` +{"license":"","licenseSecretRef":{}} +``` + +### [enterprise.license](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.license) + +license (optional). + +**Default:** `""` + +### [enterprise.licenseSecretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.licenseSecretRef) + +Secret name and key where the license key is stored. + +**Default:** `{}` + +### [external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external) + +External access settings. For details, see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/). + +**Default:** + +``` +{"enabled":true,"service":{"enabled":true},"type":"NodePort"} +``` + +### [external.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.enabled) + +Enable external access for each Service. You can toggle external access for each listener in `listeners..external..enabled`. + +**Default:** `true` + +### [external.service](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service) + +Service allows you to manage the creation of an external kubernetes service object + +**Default:** `{"enabled":true}` + +### [external.service.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service.enabled) + +Enabled if set to false will not create the external service type You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander). Set this to false if you rather manage your own service. + +**Default:** `true` + +### [external.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.type) + +External access type. Only `NodePort` and `LoadBalancer` are supported. If undefined, then advertised listeners will be configured in Redpanda, but the helm chart will not create a Service. You must create a Service manually. Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. NodePort is recommended in cases where latency is a priority. + +**Default:** `"NodePort"` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=fullnameOverride) + +Override `redpanda.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image) + +Redpanda Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/redpanda","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.pullPolicy) + +The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** + +``` +"docker.redpanda.com/redpandadata/redpanda" +``` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.tag) + +The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + +**Default:** `Chart.appVersion`. + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). + +**Default:** `[]` + +### [license_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_key) + +DEPRECATED Enterprise license key (optional). For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). + +**Default:** `""` + +### [license_secret_ref](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_secret_ref) + +DEPRECATED Secret name and secret key where the license key is stored. + +**Default:** `{}` + +### [listeners](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners) + +Listener settings. Override global settings configured above for individual listeners. For details, see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/). + +**Default:** + +``` +{"admin":{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}},"http":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}},"kafka":{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}},"rpc":{"port":33145,"tls":{"cert":"default","requireClientAuth":false}},"schemaRegistry":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}} +``` + +### [listeners.admin](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin) + +Admin API listener (only one). + +**Default:** + +``` +{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.admin.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external) + +Optional external access settings. + +**Default:** + +``` +{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}} +``` + +### [listeners.admin.external.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default) + +Name of the external listener. + +**Default:** + +``` +{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}} +``` + +### [listeners.admin.external.default.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default.tls) + +The port advertised to this listener's external clients. List one port if you want to use the same port for each broker (would be the case when using NodePort service). Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. If undefined, `listeners.admin.port` is used. + +**Default:** `{"cert":"external"}` + +### [listeners.admin.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.port) + +The port for both internal and external connections to the Admin API. + +**Default:** `9644` + +### [listeners.admin.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls) + +Optional TLS section (required if global TLS is enabled) + +**Default:** + +``` +{"cert":"default","requireClientAuth":false} +``` + +### [listeners.admin.tls.cert](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.cert) + +Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs). + +**Default:** `"default"` + +### [listeners.admin.tls.requireClientAuth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.requireClientAuth) + +If true, the truststore file for this listener is included in the ConfigMap. + +**Default:** `false` + +### [listeners.http](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.http) + +HTTP API listeners (aka PandaProxy). + +**Default:** + +``` +{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.kafka](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka) + +Kafka API listeners. + +**Default:** + +``` +{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.kafka.external.default.advertisedPorts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.advertisedPorts) + +If undefined, `listeners.kafka.external.default.port` is used. + +**Default:** `[31092]` + +### [listeners.kafka.external.default.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.port) + +The port used for external client connections. + +**Default:** `9094` + +### [listeners.kafka.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.port) + +The port for internal client connections. + +**Default:** `9093` + +### [listeners.rpc](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.rpc) + +RPC listener (this is never externally accessible). + +**Default:** + +``` +{"port":33145,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.schemaRegistry](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.schemaRegistry) + +Schema registry listeners. + +**Default:** + +``` +{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [logging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging) + +Log-level settings. + +**Default:** + +``` +{"logLevel":"info","usageStats":{"enabled":true}} +``` + +### [logging.logLevel](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.logLevel) + +Log level Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`. + +**Default:** `"info"` + +### [logging.usageStats](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.usageStats) + +Send usage statistics back to Redpanda Data. For details, see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting). + +**Default:** `{"enabled":true}` + +### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=monitoring) + +Monitoring. This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. + +**Default:** + +``` +{"enabled":false,"labels":{},"scrapeInterval":"30s"} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nameOverride) + +Override `redpanda.name` template. + +**Default:** `""` + +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nodeSelector) + +Node selection constraints for scheduling Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [post_install_job.affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.affinity) + +**Default:** `{}` + +### [post_install_job.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.enabled) + +**Default:** `true` + +### [post_install_job.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.annotations) + +Additional annotations to apply to the Pods of this Job. + +**Default:** `{}` + +### [post_install_job.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.labels) + +Additional labels to apply to the Pods of this Job. + +**Default:** `{}` + +### [post_install_job.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[{"env":[],"name":"post-install","securityContext":{}}],"securityContext":{}} +``` + +### [rackAwareness](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness) + +Rack Awareness settings. For details, see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/). + +**Default:** + +``` +{"enabled":false,"nodeAnnotation":"topology.kubernetes.io/zone"} +``` + +### [rackAwareness.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.enabled) + +When running in multiple racks or availability zones, use a Kubernetes Node annotation value as the Redpanda rack value. Enabling this requires running with a service account with "get" Node permissions. To have the Helm chart configure these permissions, set `serviceAccount.create=true` and `rbac.enabled=true`. + +**Default:** `false` + +### [rackAwareness.nodeAnnotation](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.nodeAnnotation) + +The common well-known annotation to use as the rack ID. Override this only if you use a custom Node annotation. + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [rbac](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac) + +Role Based Access Control. + +**Default:** + +``` +{"annotations":{},"enabled":false} +``` + +### [rbac.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.annotations) + +Annotations to add to the `rbac` resources. + +**Default:** `{}` + +### [rbac.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.enabled) + +Enable for features that need extra privileges. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles. + +**Default:** `false` + +### [resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources) + +Pod resource management. This section simplifies resource allocation by providing a single location where resources are defined. Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates. The default values are for a development environment. Production-level values and other considerations are documented, where those values are different from the default. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/). + +**Default:** + +``` +{"cpu":{"cores":1},"memory":{"container":{"max":"2.5Gi"}}} +``` + +### [resources.cpu](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu) + +CPU resources. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources). + +**Default:** `{"cores":1}` + +### [resources.cpu.cores](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu.cores) + +Redpanda makes use of a thread per core model. For details, see this [blog](https://redpanda.com/blog/tpc-buffers). For this reason, Redpanda should only be given full cores. Note: You can increase cores, but decreasing cores is not currently supported. See the [GitHub issue](https://github.com/redpanda-data/redpanda/issues/350). This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`. For production, use `4` or greater. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. See https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy. + +**Default:** `1` + +### [resources.memory](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory) + +Memory resources For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources). + +**Default:** + +``` +{"container":{"max":"2.5Gi"}} +``` + +### [resources.memory.container](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container) + +Enables memory locking. For production, set to `true`. enable_memory_locking: false It is recommended to have at least 2Gi of memory per core for the Redpanda binary. This memory is taken from the total memory given to each container. The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for the Seastar subsystem (reserveMemory) and other container processes. So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi. These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory requests/limits in the StatefulSet. Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. + +**Default:** `{"max":"2.5Gi"}` + +### [resources.memory.container.max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container.max) + +Maximum memory count for each Redpanda broker. Equivalent to `resources.limits.memory`. For production, use `10Gi` or greater. + +**Default:** `"2.5Gi"` + +### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount) + +Service account management. + +**Default:** + +``` +{"annotations":{},"create":false,"name":""} +``` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.annotations) + +Annotations to add to the service account. + +**Default:** `{}` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.create) + +Specifies whether a service account should be created. + +**Default:** `false` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.name) + +The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `redpanda.fullname` template. + +**Default:** `""` + +### [statefulset.additionalRedpandaCmdFlags](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalRedpandaCmdFlags) + +Additional flags to pass to redpanda, + +**Default:** `[]` + +### [statefulset.additionalSelectorLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalSelectorLabels) + +Additional labels to be added to statefulset label selector. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [statefulset.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.annotations) + +DEPRECATED Please use statefulset.podTemplate.annotations. Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have any dedicated annotation. + +**Default:** `{}` + +### [statefulset.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.budget.maxUnavailable) + +**Default:** `1` + +### [statefulset.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumes) + +**Default:** `""` + +### [statefulset.initContainerImage.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.repository) + +**Default:** `"busybox"` + +### [statefulset.initContainerImage.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.tag) + +**Default:** `"latest"` + +### [statefulset.initContainers.configurator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.configurator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.extraInitContainers) + +**Default:** `""` + +### [statefulset.initContainers.fsValidator.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.enabled) + +**Default:** `false` + +### [statefulset.initContainers.fsValidator.expectedFS](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.expectedFS) + +**Default:** `"xfs"` + +### [statefulset.initContainers.fsValidator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.fsValidator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.setDataDirOwnership.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.enabled) + +In environments where root is not allowed, you cannot change the ownership of files and directories. Enable `setDataDirOwnership` when using default minikube cluster configuration. + +**Default:** `false` + +### [statefulset.initContainers.setDataDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.setDataDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.setTieredStorageCacheDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.tuning.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.tuning.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.livenessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.livenessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.initialDelaySeconds) + +**Default:** `10` + +### [statefulset.livenessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.nodeSelector) + +Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [statefulset.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAffinity) + +Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + +**Default:** `{}` + +### [statefulset.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity) + +Anti-affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults. + +**Default:** + +``` +{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100} +``` + +### [statefulset.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.custom) + +Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + +**Default:** `{}` + +### [statefulset.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.topologyKey) + +The topologyKey to be used. Can be used to spread across different nodes, AZs, regions etc. + +**Default:** `"kubernetes.io/hostname"` + +### [statefulset.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.type) + +Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + +**Default:** `"hard"` + +### [statefulset.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply to other anti-affinity types. + +**Default:** `100` + +### [statefulset.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.annotations) + +Additional annotations to apply to the Pods of the StatefulSet. + +**Default:** `{}` + +### [statefulset.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.labels) + +Additional labels to apply to the Pods of the StatefulSet. + +**Default:** `{}` + +### [statefulset.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[{"env":[],"name":"redpanda","securityContext":{}}],"securityContext":{}} +``` + +### [statefulset.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.priorityClassName) + +PriorityClassName given to Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [statefulset.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.initialDelaySeconds) + +**Default:** `1` + +### [statefulset.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.successThreshold) + +**Default:** `1` + +### [statefulset.replicas](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.replicas) + +Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster) + +**Default:** `3` + +### [statefulset.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.securityContext) + +DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext. + +**Default:** + +``` +{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":101} +``` + +### [statefulset.sideCars.configWatcher.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.enabled) + +**Default:** `true` + +### [statefulset.sideCars.configWatcher.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.sideCars.configWatcher.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + +**Default:** `{}` + +### [statefulset.sideCars.configWatcher.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.securityContext) + +**Default:** `{}` + +### [statefulset.sideCars.controllers.createRBAC](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.createRBAC) + +**Default:** `true` + +### [statefulset.sideCars.controllers.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.enabled) + +**Default:** `false` + +### [statefulset.sideCars.controllers.healthProbeAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.healthProbeAddress) + +**Default:** `":8085"` + +### [statefulset.sideCars.controllers.image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.repository) + +**Default:** + +``` +"docker.redpanda.com/redpandadata/redpanda-operator" +``` + +### [statefulset.sideCars.controllers.image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.tag) + +**Default:** `"v2.2.4-24.2.5"` + +### [statefulset.sideCars.controllers.metricsAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.metricsAddress) + +**Default:** `":9082"` + +### [statefulset.sideCars.controllers.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + +**Default:** `{}` + +### [statefulset.sideCars.controllers.run[0]](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.run[0]) + +**Default:** `"all"` + +### [statefulset.sideCars.controllers.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.securityContext) + +**Default:** `{}` + +### [statefulset.startupProbe](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.startupProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + +**Default:** + +``` +{"failureThreshold":120,"initialDelaySeconds":1,"periodSeconds":10} +``` + +### [statefulset.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.terminationGracePeriodSeconds) + +Termination grace period in seconds is time required to execute preStop hook which puts particular Redpanda Pod (process/container) into maintenance mode. Before settle down on particular value please put Redpanda under load and perform rolling upgrade or rolling restart. That value needs to accommodate two processes: * preStop hook needs to put Redpanda into maintenance mode * after preStop hook Redpanda needs to handle gracefully SIGTERM signal Both processes are executed sequentially where preStop hook has hard deadline in the middle of terminationGracePeriodSeconds. REF: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination + +**Default:** `90` + +### [statefulset.tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.tolerations) + +Taints to be tolerated by Pods of this StatefulSet. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [statefulset.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [statefulset.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [statefulset.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [statefulset.updateStrategy.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.updateStrategy.type) + +**Default:** `"RollingUpdate"` + +### [storage](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage) + +Persistence settings. For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/). + +**Default:** + +``` +{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""},"tiered":{"config":{"cloud_storage_cache_size":5368709120,"cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false},"credentialsSecretRef":{"accessKey":{"configurationKey":"cloud_storage_access_key"},"secretKey":{"configurationKey":"cloud_storage_secret_key"}},"hostPath":"","mountType":"emptyDir","persistentVolume":{"annotations":{},"labels":{},"storageClass":""}}} +``` + +### [storage.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.hostPath) + +Absolute path on the host to store Redpanda's data. If unspecified, then an `emptyDir` volume is used. If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect. + +**Default:** `""` + +### [storage.persistentVolume](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume) + +If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and used to store Redpanda's data. Otherwise, `storage.hostPath` is used. + +**Default:** + +``` +{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""} +``` + +### [storage.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.nameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.nameOverwrite) + +Option to change volume claim template name for tiered storage persistent volume if tiered.mountType is set to `persistentVolume` + +**Default:** `""` + +### [storage.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.storageClass) + +To disable dynamic provisioning, set to `-`. If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). + +**Default:** `""` + +### [storage.tiered.config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config) + +Tiered Storage settings Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/). For a list of properties, see [Object Storage Properties](https://docs.redpanda.com/current/reference/properties/object-storage-properties/). + +**Default:** + +``` +{"cloud_storage_cache_size":5368709120,"cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false} +``` + +### [storage.tiered.config.cloud_storage_cache_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_cache_size) + +Maximum size of the disk cache used by Tiered Storage. Default is 20 GiB. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_cache_size). + +**Default:** `5368709120` + +### [storage.tiered.config.cloud_storage_enable_remote_read](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_read) + +Cluster level default remote read configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_read). + +**Default:** `true` + +### [storage.tiered.config.cloud_storage_enable_remote_write](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_write) + +Cluster level default remote write configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_write). + +**Default:** `true` + +### [storage.tiered.config.cloud_storage_enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enabled) + +Global flag that enables Tiered Storage if a license key is provided. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enabled). + +**Default:** `false` + +### [storage.tiered.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.hostPath) + +Absolute path on the host to store Redpanda's Tiered Storage cache. + +**Default:** `""` + +### [storage.tiered.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tiered.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tiered.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.storageClass) + +To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). + +**Default:** `""` + +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls) + +TLS settings. For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/). + +**Default:** + +``` +{"certs":{"default":{"caEnabled":true},"external":{"caEnabled":true}},"enabled":true} +``` + +### [tls.certs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs) + +List all Certificates here, then you can reference a specific Certificate's name in each listener's `listeners..tls.cert` setting. + +**Default:** + +``` +{"default":{"caEnabled":true},"external":{"caEnabled":true}} +``` + +### [tls.certs.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default) + +This key is the Certificate name. To apply the Certificate to a specific listener, reference the Certificate's name in `listeners..tls.cert`. + +**Default:** `{"caEnabled":true}` + +### [tls.certs.default.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default.caEnabled) + +Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates. + +**Default:** `true` + +### [tls.certs.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external) + +Example external tls configuration uncomment and set the right key to the listeners that require them also enable the tls setting for those listeners. + +**Default:** `{"caEnabled":true}` + +### [tls.certs.external.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external.caEnabled) + +Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates. + +**Default:** `true` + +### [tls.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.enabled) + +Enable TLS globally for all listeners. Each listener must include a Certificate name in its `.tls` object. To allow you to enable TLS for individual listeners, Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`. See `listeners..tls.enabled`. + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tolerations) + +Taints to be tolerated by Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [tuning](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning) + +Redpanda tuning settings. Each is set to their default values in Redpanda. + +**Default:** `{"tune_aio_events":true}` + +### [tuning.tune_aio_events](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning.tune_aio_events) + +Increase the maximum number of outstanding asynchronous IO operations if the current value is below a certain threshold. This allows Redpanda to make as many simultaneous IO requests as possible, increasing throughput. When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`. For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/). + +**Default:** `true` + +## Merging Semantics + +The redpanda chart implements a form of object merging that's roughly a +middleground of [JSON Merge Patch][k8s.jsonmp] and [Kubernetes' Strategic Merge +Patch][k8s.smp]. This is done to aid end users in setting or overriding fields +that are not directly exposed via the chart. + +- Directives are not supported. +- List fields that are merged by a unique key in Kubernetes' SMP (e.g. + `containers`, `env`) will be merged in a similar awy. +- Only fields explicitly allowed by the chart's JSON schema will be merged. +- Additional containers that are not present in the original value will NOT be added. + +[k8s.smp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-strategic-merge-patch-to-update-a-deployment +[k8s.jsonmp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-json-merge-patch-to-update-a-deployment diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/.helmignore b/charts/redpanda/redpanda/5.9.6/charts/connectors/.helmignore new file mode 100644 index 0000000000..2e271ea0fc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/.helmignore @@ -0,0 +1,29 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +*.go +testdata/ +ci/ +examples/ \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/Chart.yaml b/charts/redpanda/redpanda/5.9.6/charts/connectors/Chart.yaml new file mode 100644 index 0000000000..0dd2396e50 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + artifacthub.io/images: | + - name: connectors + image: docker.redpanda.com/redpandadata/connectors:v1.0.31 + - name: rpk + image: docker.redpanda.com/redpandadata/redpanda:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ +apiVersion: v2 +appVersion: v1.0.31 +description: Redpanda managed Connectors helm chart +icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg +kubeVersion: ^1.21.0-0 +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: connectors +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 0.1.13 diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/LICENSE b/charts/redpanda/redpanda/5.9.6/charts/connectors/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/README.md b/charts/redpanda/redpanda/5.9.6/charts/connectors/README.md new file mode 100644 index 0000000000..2cb1438568 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/README.md @@ -0,0 +1,574 @@ +# Redpanda Connectors Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Connectors Helm chart. +--- + +![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.31](https://img.shields.io/badge/AppVersion-v1.0.31-informational?style=flat-square) + +This page describes the official Redpanda Connectors Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/connectors/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/current/deploy/deployment-option/self-hosted/kubernetes/k-deploy-connectors/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `^1.21.0-0` + +## Settings + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster. + +**Default:** + +``` +{"sasl":{"enabled":false,"mechanism":"scram-sha-512","secretRef":"","userName":""}} +``` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`. + +**Default:** `"scram-sha-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your SASL user password. + +**Default:** `""` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [connectors.additionalConfiguration](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.additionalConfiguration) + +A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script. + +**Default:** `""` + +### [connectors.bootstrapServers](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.bootstrapServers) + +A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster. + +**Default:** `""` + +### [connectors.brokerTLS.ca.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretNameOverwrite) + +If `secretRef` points to a Secret where the certificate authority (CA) is not under the `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`. + +**Default:** `""` + +### [connectors.brokerTLS.ca.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretRef) + +The name of the Secret where the ca.crt file content is located. + +**Default:** `""` + +### [connectors.brokerTLS.cert.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretNameOverwrite) + +If secretRef points to secret where client signed certificate is not under tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt + +**Default:** `""` + +### [connectors.brokerTLS.cert.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretRef) + +The name of the secret where client signed certificate is located + +**Default:** `""` + +### [connectors.brokerTLS.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.enabled) + +**Default:** `false` + +### [connectors.brokerTLS.key.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretNameOverwrite) + +If secretRef points to secret where client private key is not under tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key + +**Default:** `""` + +### [connectors.brokerTLS.key.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretRef) + +The name of the secret where client private key is located + +**Default:** `""` + +### [connectors.groupID](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.groupID) + +A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other. + +**Default:** `"connectors-cluster"` + +### [connectors.producerBatchSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerBatchSize) + +The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput. + +**Default:** `131072` + +### [connectors.producerLingerMS](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerLingerMS) + +The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput. + +**Default:** `1` + +### [connectors.restPort](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.restPort) + +The port on which the Kafka Connect REST API listens. The API is used for administrative tasks. + +**Default:** `8083` + +### [connectors.schemaRegistryURL](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.schemaRegistryURL) + +**Default:** `""` + +### [connectors.secretManager.connectorsPrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.connectorsPrefix) + +**Default:** `""` + +### [connectors.secretManager.consolePrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.consolePrefix) + +**Default:** `""` + +### [connectors.secretManager.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.enabled) + +**Default:** `false` + +### [connectors.secretManager.region](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.region) + +**Default:** `""` + +### [connectors.storage.remote](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.remote) + +Indicates if read and write operations for the respective topics are allowed remotely. + +**Default:** + +``` +{"read":{"config":false,"offset":false,"status":false},"write":{"config":false,"offset":false,"status":false}} +``` + +### [connectors.storage.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor) + +The number of replicas for each of the internal topics that Kafka Connect uses. + +**Default:** + +``` +{"config":-1,"offset":-1,"status":-1} +``` + +### [connectors.storage.replicationFactor.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.config) + +Replication factor for the configuration topic. + +**Default:** `-1` + +### [connectors.storage.replicationFactor.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.offset) + +Replication factor for the offset topic. + +**Default:** `-1` + +### [connectors.storage.replicationFactor.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.status) + +Replication factor for the status topic. + +**Default:** `-1` + +### [connectors.storage.topic.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.config) + +The name of the internal topic that Kafka Connect uses to store connector and task configurations. + +**Default:** + +``` +"_internal_connectors_configs" +``` + +### [connectors.storage.topic.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.offset) + +The name of the internal topic that Kafka Connect uses to store source connector offsets. + +**Default:** + +``` +"_internal_connectors_offsets" +``` + +### [connectors.storage.topic.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.status) + +The name of the internal topic that Kafka Connect uses to store connector and task status updates. + +**Default:** + +``` +"_internal_connectors_status" +``` + +### [container.javaGCLogEnabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.javaGCLogEnabled) + +**Default:** `"false"` + +### [container.resources](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources) + +Pod resource management. + +**Default:** + +``` +{"javaMaxHeapSize":"2G","limits":{"cpu":"1","memory":"2350Mi"},"request":{"cpu":"1","memory":"2350Mi"}} +``` + +### [container.resources.javaMaxHeapSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources.javaMaxHeapSize) + +Java maximum heap size must not be greater than `container.resources.limits.memory`. + +**Default:** `"2G"` + +### [container.securityContext](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.securityContext) + +Security context for the Redpanda Connectors container. See also `deployment.securityContext` for Pod-level settings. + +**Default:** + +``` +{"allowPrivilegeEscalation":false} +``` + +### [deployment.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.annotations) + +Additional annotations to apply to the Pods of this Deployment. + +**Default:** `{}` + +### [deployment.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.budget.maxUnavailable) + +**Default:** `1` + +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.create) + +**Default:** `true` + +### [deployment.extraEnv](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnv) + +Additional environment variables for the Pods. + +**Default:** `[]` + +### [deployment.extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnvFrom) + +Configure extra environment variables from Secrets and ConfigMaps. + +**Default:** `[]` + +### [deployment.livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.livenessProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + +**Default:** + +``` +{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} +``` + +### [deployment.nodeAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeAffinity) + +Node Affinity rules for scheduling Pods of this Deployment. The suggestion would be to spread Pods according to topology zone. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + +**Default:** `{}` + +### [deployment.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeSelector) + +Node selection constraints for scheduling Pods of this Deployment. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [deployment.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAffinity) + +Inter-Pod Affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + +**Default:** `{}` + +### [deployment.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity) + +Anti-affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults. + +**Default:** + +``` +{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100} +``` + +### [deployment.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.custom) + +Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + +**Default:** `{}` + +### [deployment.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.topologyKey) + +The `topologyKey` to be used. Can be used to spread across different nodes, AZs, regions etc. + +**Default:** `"kubernetes.io/hostname"` + +### [deployment.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.type) + +Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + +**Default:** `"hard"` + +### [deployment.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply for other anti-affinity types. + +**Default:** `100` + +### [deployment.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.priorityClassName) + +PriorityClassName given to Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [deployment.progressDeadlineSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.progressDeadlineSeconds) + +The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. + +**Default:** `600` + +### [deployment.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.failureThreshold) + +**Default:** `2` + +### [deployment.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.initialDelaySeconds) + +**Default:** `60` + +### [deployment.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.periodSeconds) + +**Default:** `10` + +### [deployment.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.successThreshold) + +**Default:** `3` + +### [deployment.readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.timeoutSeconds) + +**Default:** `5` + +### [deployment.restartPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.restartPolicy) + +**Default:** `"Always"` + +### [deployment.revisionHistoryLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.revisionHistoryLimit) + +The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. + +**Default:** `10` + +### [deployment.schedulerName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.schedulerName) + +**Default:** `""` + +### [deployment.securityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroup) + +**Default:** `101` + +### [deployment.securityContext.fsGroupChangePolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroupChangePolicy) + +**Default:** `"OnRootMismatch"` + +### [deployment.securityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.runAsUser) + +**Default:** `101` + +### [deployment.strategy.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.strategy.type) + +**Default:** `"RollingUpdate"` + +### [deployment.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.terminationGracePeriodSeconds) + +**Default:** `30` + +### [deployment.tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.tolerations) + +Taints to be tolerated by Pods of this Deployment. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [deployment.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [deployment.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [deployment.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=fullnameOverride) + +Override `connectors.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image) + +Redpanda Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/connectors","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.pullPolicy) + +The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** + +``` +"docker.redpanda.com/redpandadata/connectors" +``` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.tag) + +The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + +**Default:** `Chart.appVersion`. + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [logging](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging) + +Log-level settings. + +**Default:** `{"level":"warn"}` + +### [logging.level](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging.level) + +Log level Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`. + +**Default:** `"warn"` + +### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=monitoring) + +Monitoring. When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. + +**Default:** + +``` +{"annotations":{},"enabled":false,"labels":{},"namespaceSelector":{"any":true},"scrapeInterval":"30s"} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=nameOverride) + +Override `connectors.name` template. + +**Default:** `""` + +### [service](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service) + +Service management. + +**Default:** + +``` +{"annotations":{},"name":"","ports":[{"name":"prometheus","port":9404}]} +``` + +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.annotations) + +Annotations to add to the Service. + +**Default:** `{}` + +### [service.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.name) + +The name of the service to use. If not set, a name is generated using the `connectors.fullname` template. + +**Default:** `""` + +### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount) + +ServiceAccount management. + +**Default:** + +``` +{"annotations":{},"create":false,"name":""} +``` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.annotations) + +Annotations to add to the ServiceAccount. + +**Default:** `{}` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.create) + +Specifies whether a ServiceAccount should be created. + +**Default:** `false` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.name) + +The name of the ServiceAccount to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `connectors.fullname` template. + +**Default:** `""` + +### [storage.volumeMounts[0].mountPath](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].mountPath) + +**Default:** `"/tmp"` + +### [storage.volumeMounts[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].name) + +**Default:** `"rp-connect-tmp"` + +### [storage.volume[0].emptyDir.medium](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.medium) + +**Default:** `"Memory"` + +### [storage.volume[0].emptyDir.sizeLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.sizeLimit) + +**Default:** `"5Mi"` + +### [storage.volume[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].name) + +**Default:** `"rp-connect-tmp"` + +### [test.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=test.create) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=tolerations) + +Taints to be tolerated by Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_deployment.go.tpl new file mode 100644 index 0000000000..f785c1ad92 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_deployment.go.tpl @@ -0,0 +1,136 @@ +{{- /* Generated from "deployment.go" */ -}} + +{{- define "connectors.Deployment" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.deployment.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $topologySpreadConstraints := (coalesce nil) -}} +{{- range $_, $spread := $values.deployment.topologySpreadConstraints -}} +{{- $topologySpreadConstraints = (concat (default (list ) $topologySpreadConstraints) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "maxSkew" ($spread.maxSkew | int) "topologyKey" $spread.topologyKey "whenUnsatisfiable" $spread.whenUnsatisfiable )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $ports := (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "containerPort" ($values.connectors.restPort | int) "name" "rest-api" "protocol" "TCP" ))) -}} +{{- range $_, $port := $values.service.ports -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" $port.name "containerPort" ($port.port | int) "protocol" "TCP" )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $podAntiAffinity := (coalesce nil) -}} +{{- if (ne $values.deployment.podAntiAffinity (coalesce nil)) -}} +{{- if (eq $values.deployment.podAntiAffinity.type "hard") -}} +{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) ))) )) -}} +{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "soft") -}} +{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" $values.deployment.podAntiAffinity.weight "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) )) -}} +{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "custom") -}} +{{- $podAntiAffinity = $values.deployment.podAntiAffinity.custom -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.deployment.annotations) )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $values.deployment.replicas "progressDeadlineSeconds" ($values.deployment.progressDeadlineSeconds | int) "revisionHistoryLimit" $values.deployment.revisionHistoryLimit "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.deployment.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.deployment.annotations "labels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "terminationGracePeriodSeconds" $values.deployment.terminationGracePeriodSeconds "affinity" (mustMergeOverwrite (dict ) (dict "nodeAffinity" $values.deployment.nodeAffinity "podAffinity" $values.deployment.podAffinity "podAntiAffinity" $podAntiAffinity )) "serviceAccountName" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "connectors-cluster" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r")) "imagePullPolicy" $values.image.pullPolicy "securityContext" $values.container.securityContext "command" $values.deployment.command "env" (get (fromJson (include "connectors.env" (dict "a" (list $values) ))) "r") "envFrom" $values.deployment.extraEnvFrom "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.livenessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.livenessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.livenessProbe.periodSeconds | int) "successThreshold" ($values.deployment.livenessProbe.successThreshold | int) "failureThreshold" ($values.deployment.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/connectors" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.readinessProbe.periodSeconds | int) "successThreshold" ($values.deployment.readinessProbe.successThreshold | int) "failureThreshold" ($values.deployment.readinessProbe.failureThreshold | int) )) "ports" $ports "resources" (mustMergeOverwrite (dict ) (dict "requests" $values.container.resources.request "limits" $values.container.resources.limits )) "terminationMessagePath" "/dev/termination-log" "terminationMessagePolicy" "File" "volumeMounts" (get (fromJson (include "connectors.volumeMountss" (dict "a" (list $values) ))) "r") ))) "dnsPolicy" "ClusterFirst" "restartPolicy" $values.deployment.restartPolicy "schedulerName" $values.deployment.schedulerName "nodeSelector" $values.deployment.nodeSelector "imagePullSecrets" $values.imagePullSecrets "securityContext" $values.deployment.securityContext "tolerations" $values.deployment.tolerations "topologySpreadConstraints" $topologySpreadConstraints "volumes" (get (fromJson (include "connectors.volumes" (dict "a" (list $values) ))) "r") )) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.env" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $env := (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_CONFIGURATION" "value" (get (fromJson (include "connectors.connectorConfiguration" (dict "a" (list $values) ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_ADDITIONAL_CONFIGURATION" "value" $values.connectors.additionalConfiguration )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_BOOTSTRAP_SERVERS" "value" $values.connectors.bootstrapServers ))) -}} +{{- if (not (empty $values.connectors.schemaRegistryURL)) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SCHEMA_REGISTRY_URL" "value" $values.connectors.schemaRegistryURL )))) -}} +{{- end -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_GC_LOG_ENABLED" "value" $values.container.javaGCLogEnabled )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_HEAP_OPTS" "value" (printf "-Xms256M -Xmx%s" $values.container.resources.javaMaxHeapSize) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_LOG_LEVEL" "value" $values.logging.level )))) -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_USERNAME" "value" $values.auth.sasl.userName )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_MECHANISM" "value" $values.auth.sasl.mechanism )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_PASSWORD_FILE" "value" "rc-credentials/password" )))) -}} +{{- end -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_ENABLED" "value" (printf "%v" $values.connectors.brokerTLS.enabled) )))) -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $ca := (default "ca.crt" $values.connectors.brokerTLS.ca.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TRUSTED_CERTS" "value" (printf "ca/%s" $ca) )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $cert := (default "tls.crt" $values.connectors.brokerTLS.cert.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_CERT" "value" (printf "cert/%s" $cert) )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $key := (default "tls.key" $values.connectors.brokerTLS.key.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_KEY" "value" (printf "key/%s" $key) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $env) (default (list ) $values.deployment.extraEnv))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.connectorConfiguration" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $lines := (list (printf "rest.advertised.port=%d" ($values.connectors.restPort | int)) (printf "rest.port=%d" ($values.connectors.restPort | int)) "key.converter=org.apache.kafka.connect.converters.ByteArrayConverter" "value.converter=org.apache.kafka.connect.converters.ByteArrayConverter" (printf "group.id=%s" $values.connectors.groupID) (printf "offset.storage.topic=%s" $values.connectors.storage.topic.offset) (printf "config.storage.topic=%s" $values.connectors.storage.topic.config) (printf "status.storage.topic=%s" $values.connectors.storage.topic.status) (printf "offset.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.offset) (printf "offset.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.offset) (printf "config.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.config) (printf "config.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.config) (printf "status.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.status) (printf "status.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.status) (printf "offset.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.offset | int)) (printf "config.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.config | int)) (printf "status.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.status | int)) (printf "producer.linger.ms=%d" ($values.connectors.producerLingerMS | int)) (printf "producer.batch.size=%d" ($values.connectors.producerBatchSize | int)) "config.providers=file,secretsManager,env" "config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider") -}} +{{- if $values.connectors.secretManager.enabled -}} +{{- $lines = (concat (default (list ) $lines) (list "config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider" (printf "config.providers.secretsManager.param.secret.prefix=%s%s" $values.connectors.secretManager.consolePrefix $values.connectors.secretManager.connectorsPrefix) (printf "config.providers.secretsManager.param.aws.region=%s" $values.connectors.secretManager.region))) -}} +{{- end -}} +{{- $lines = (concat (default (list ) $lines) (list "config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (join "\n" $lines)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.volumes" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $volumes := (coalesce nil) -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.ca.secretRef )) )) (dict "name" "truststore" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.cert.secretRef )) )) (dict "name" "cert" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.key.secretRef )) )) (dict "name" "key" )))) -}} +{{- end -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.auth.sasl.secretRef )) )) (dict "name" "rc-credentials" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.storage.volume))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.volumeMountss" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $mounts := (coalesce nil) -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "mountPath" "/opt/kafka/connect-password/rc-credentials" "name" "rc-credentials" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststore" "mountPath" "/opt/kafka/connect-certs/ca" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "cert" "mountPath" "/opt/kafka/connect-certs/cert" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "key" "mountPath" "/opt/kafka/connect-certs/key" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $mounts) (default (list ) $values.storage.volumeMounts))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_helpers.go.tpl new file mode 100644 index 0000000000..49b7115382 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_helpers.go.tpl @@ -0,0 +1,131 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "connectors.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.fullnameOverride)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- if (contains $name $dot.Release.Name) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.FullLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) (dict "helm.sh/chart" (get (fromJson (include "connectors.Chart" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.PodLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") ) $values.commonLabels)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Chart" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Semver" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimPrefix "v" (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.serviceAccount.create -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ServiceName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") $values.service.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Tag" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := (default $dot.Chart.AppVersion $values.image.tag) -}} +{{- $matchString := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- if (not (mustRegexMatch $matchString $tag)) -}} +{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tag) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.trunc" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_helpers.tpl new file mode 100644 index 0000000000..89c888eeef --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "connectors.name" -}} +{{- get ((include "connectors.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "connectors.fullname" }} +{{- get ((include "connectors.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +full helm labels + common labels +*/}} +{{- define "full.labels" -}} +{{- (get ((include "connectors.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +pod labels merged with common labels +*/}} +{{- define "connectors-pod-labels" -}} +{{- (get ((include "connectors.PodLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "connectors.chart" -}} +{{- get ((include "connectors.Chart" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Get the version of redpanda being used as an image +*/}} +{{- define "connectors.semver" -}} +{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "connectors.serviceAccountName" -}} +{{- get ((include "connectors.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service to use +*/}} +{{- define "connectors.serviceName" -}} +{{- get ((include "connectors.ServiceName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Use AppVersion if image.tag is not set +*/}} +{{- define "connectors.tag" -}} +{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_pod-monitor.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_pod-monitor.go.tpl new file mode 100644 index 0000000000..4e12b20084 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_pod-monitor.go.tpl @@ -0,0 +1,18 @@ +{{- /* Generated from "podmonitor.go" */ -}} + +{{- define "connectors.PodMonitor" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.monitoring.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "PodMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" $values.monitoring.labels "annotations" $values.monitoring.annotations )) "spec" (mustMergeOverwrite (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "namespaceSelector" $values.monitoring.namespaceSelector "podMetricsEndpoints" (list (mustMergeOverwrite (dict "bearerTokenSecret" (dict "key" "" ) ) (dict "path" "/" "port" "prometheus" ))) "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_service.go.tpl new file mode 100644 index 0000000000..54a7ce8a05 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_service.go.tpl @@ -0,0 +1,20 @@ +{{- /* Generated from "service.go" */ -}} + +{{- define "connectors.Service" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rest-api" "port" ($values.connectors.restPort | int) "targetPort" ($values.connectors.restPort | int) "protocol" "TCP" ))) -}} +{{- range $_, $port := $values.service.ports -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" $port.name "port" ($port.port | int) "targetPort" ($port.port | int) "protocol" "TCP" )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.ServiceName" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.service.annotations) )) "spec" (mustMergeOverwrite (dict ) (dict "ipFamilies" (list "IPv4") "ipFamilyPolicy" "SingleStack" "ports" $ports "selector" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "ClusterIP" )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_serviceaccount.go.tpl new file mode 100644 index 0000000000..31b5ac2acd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_serviceaccount.go.tpl @@ -0,0 +1,18 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "connectors.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.serviceAccount.annotations "labels" (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") "name" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_shims.tpl new file mode 100644 index 0000000000..e3bb40e415 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_shims.tpl @@ -0,0 +1,289 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $ptr (coalesce nil)) -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $m (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $ptr (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq $a (coalesce nil)) (eq $b (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne $manifest nil }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_values.go.tpl new file mode 100644 index 0000000000..9b304d4bf6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/_values.go.tpl @@ -0,0 +1,15 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "connectors.Auth.SASLEnabled" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $saslEnabled := (not (empty $c.sasl.userName)) -}} +{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.mechanism))) -}} +{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.secretRef))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $saslEnabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/deployment.yaml b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/deployment.yaml new file mode 100644 index 0000000000..ee78b69ebf --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/deployment.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.Deployment" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/pod-monitor.yaml b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/pod-monitor.yaml new file mode 100644 index 0000000000..42c1457546 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/pod-monitor.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.PodMonitor" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/service.yaml b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/service.yaml new file mode 100644 index 0000000000..0b8825befc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.Service" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/serviceaccount.yaml b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/serviceaccount.yaml new file mode 100644 index 0000000000..eda755fb14 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.ServiceAccount" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/tests/01-mm2-values.yaml b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/tests/01-mm2-values.yaml new file mode 100644 index 0000000000..c369806c8b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/templates/tests/01-mm2-values.yaml @@ -0,0 +1,176 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- define "curl-options" -}} +{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}} +{{- end -}} +{{- if .Values.test.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "connectors.fullname" . }}-mm2-test + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: create-mm2 + image: docker.redpanda.com/redpandadata/redpanda:latest + command: + - /bin/bash + - -c + - | + set -xe + + trap connectorsState ERR + + connectorsState () { + echo check connectors expand status + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=status + echo check connectors expand info + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=info + echo check connector configuration + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME + echo check connector topics + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics + } + + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors + + SASL_MECHANISM="PLAIN" + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + IFS=: read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < $(find /mnt/users/* -print) + CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + if [[ -n "$CONNECT_SASL_USERNAME" && -n "$KAFKA_SASL_PASSWORD" && -n "$CONNECT_SASL_MECHANISM" ]]; then + rpk profile set user=$CONNECT_SASL_USERNAME pass=$KAFKA_SASL_PASSWORD sasl.mechanism=$CONNECT_SASL_MECHANISM + SASL_MECHANISM=$CONNECT_SASL_MECHANISM + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + fi + + set -x + set +e + {{- end }} + + rpk profile create test + rpk profile set tls.enabled={{.Values.connectors.brokerTLS.enabled}} brokers={{ .Values.connectors.bootstrapServers }} + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + rpk profile set tls.ca={{ printf "/redpanda-certs/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) }} + {{- end }} + + {{- if .Values.connectors.brokerTLS.enabled }} + CONNECT_TLS_ENABLED=true + {{- else }} + CONNECT_TLS_ENABLED=false + {{- end }} + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$CONNECT_SASL_MECHANISM" && $CONNECT_TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$CONNECT_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $CONNECT_TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + rpk topic list + rpk topic create test-topic + rpk topic list + echo "Test message!" | rpk topic produce test-topic + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "name": "CONNECTOR_NAME", + "config": { + "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "test-topic", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }}, + "target.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }}, + "target.cluster.alias": "test-only", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": "true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }}, + "target.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }}, + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + "source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM", + "offset-syncs.topic.replication.factor": 1 + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + curl {{ template "curl-options" . }} -H 'Content-Type: application/json' http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors -d @/tmp/mm2-conf.json + + # The rpk topic consume could fail for the first few times as kafka connect needs + # to spawn the task and copy one message from the source topic. To solve this race condition + # the retry should be implemented in bash for rpk topic consume or other mechanism that + # can confirm source connectors started its execution. As a fast fix fixed 30 second fix is added. + sleep 30 + + rpk topic consume source.test-topic -n 1 | grep "Test message!" + + curl {{ template "curl-options" . }} -X DELETE http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME + + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors + + rpk topic delete test-topic source.test-topic mm2-offset-syncs.test-only.internal + volumeMounts: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - mountPath: /redpanda-certs + name: redpanda-ca + {{- end }} + {{- toYaml .Values.storage.volumeMounts | nindent 8 }} + volumes: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - name: redpanda-ca + secret: + defaultMode: 0444 + secretName: {{ .Values.connectors.brokerTLS.ca.secretRef }} + {{- end }} + {{- toYaml .Values.storage.volume | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/charts/connectors/values.yaml b/charts/redpanda/redpanda/5.9.6/charts/connectors/values.yaml new file mode 100644 index 0000000000..f230a84d37 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/connectors/values.yaml @@ -0,0 +1,311 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file contains values for variables referenced from yaml files in the templates directory. +# +# For further information on Helm templating see the documentation at: +# https://helm.sh/docs/chart_template_guide/values_files/ + +# +# >>> This chart requires Helm version 3.6.0 or greater <<< +# + +# Common settings +# +# -- Override `connectors.name` template. +nameOverride: "" +# -- Override `connectors.fullname` template. +fullnameOverride: "" +# -- Additional labels to add to all Kubernetes objects. +# For example, `my.k8s.service: redpanda`. +commonLabels: {} +# -- Taints to be tolerated by Pods. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). +tolerations: [] + +# -- Redpanda Docker image settings. +image: + # -- Docker repository from which to pull the Redpanda Docker image. + repository: docker.redpanda.com/redpandadata/connectors + # -- The Redpanda version. + # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + # @default -- `Chart.appVersion`. + tag: "" + # -- The imagePullPolicy. + # If `image.tag` is 'latest', the default is `Always`. + pullPolicy: IfNotPresent + +# -- Pull secrets may be used to provide credentials to image repositories +# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] + +test: + create: true + +connectors: + # -- The port on which the Kafka Connect REST API listens. The API is used for administrative tasks. + restPort: 8083 + # -- A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster. + bootstrapServers: "" + # A comma-separated list of Schema Registry addresses in the format IP:Port or DNS:Port. The Schema Registry is a service that manages the schemas used by producers and consumers. + schemaRegistryURL: "" + # -- A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script. + additionalConfiguration: "" + secretManager: + enabled: false + region: "" + consolePrefix: "" + connectorsPrefix: "" + # -- The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput. + producerBatchSize: 131072 + # -- The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput. + producerLingerMS: 1 + storage: + # -- The number of replicas for each of the internal topics that Kafka Connect uses. + replicationFactor: + # -- Replication factor for the offset topic. + offset: -1 + # -- Replication factor for the configuration topic. + config: -1 + # -- Replication factor for the status topic. + status: -1 + # -- Indicates if read and write operations for the respective topics are allowed remotely. + remote: + read: + offset: false + config: false + status: false + write: + offset: false + config: false + status: false + topic: + # -- The name of the internal topic that Kafka Connect uses to store source connector offsets. + offset: _internal_connectors_offsets + # -- The name of the internal topic that Kafka Connect uses to store connector and task configurations. + config: _internal_connectors_configs + # -- The name of the internal topic that Kafka Connect uses to store connector and task status updates. + status: _internal_connectors_status + # -- A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other. + groupID: connectors-cluster + brokerTLS: + enabled: false + ca: + # -- The name of the Secret where the ca.crt file content is located. + secretRef: "" + # -- If `secretRef` points to a Secret where the certificate authority (CA) is not under the + # `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`. + secretNameOverwrite: "" + cert: + # -- The name of the secret where client signed certificate is located + secretRef: "" + # -- If secretRef points to secret where client signed certificate is not under + # tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt + secretNameOverwrite: "" + key: + # -- The name of the secret where client private key is located + secretRef: "" + # -- If secretRef points to secret where client private key is not under + # tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key + secretNameOverwrite: "" + +# -- Authentication settings. +# For details, +# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). +# The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster. +auth: + sasl: + enabled: false + # -- The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`. + mechanism: scram-sha-512 + # -- A Secret that contains your SASL user password. + secretRef: "" + userName: "" + +# -- Log-level settings. +logging: + # -- Log level + # Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`. + level: warn + +# -- Monitoring. +# When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. +monitoring: + enabled: false + scrapeInterval: 30s + labels: {} + annotations: {} + namespaceSelector: + any: true + +container: + # + # -- Security context for the Redpanda Connectors container. + # See also `deployment.securityContext` for Pod-level settings. + securityContext: + allowPrivilegeEscalation: false + # -- Pod resource management. + resources: + request: + # Numeric values here are also acceptable. + cpu: "1" + memory: 2350Mi + limits: + cpu: "1" + memory: 2350Mi + # -- Java maximum heap size must not be greater than `container.resources.limits.memory`. + javaMaxHeapSize: 2G + javaGCLogEnabled: "false" + +deployment: + # Replicas can be used to scale Deployment + # replicas + + create: true + # Customize the command to use as the entrypoint of the Deployment. + # command: [] + strategy: + type: RollingUpdate + schedulerName: "" + budget: + maxUnavailable: 1 + # -- Additional annotations to apply to the Pods of this Deployment. + annotations: {} + # -- Adjust the period for your probes to meet your needs. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + livenessProbe: + initialDelaySeconds: 10 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + initialDelaySeconds: 60 + failureThreshold: 2 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + + # -- Additional environment variables for the Pods. + extraEnv: [] + # - name: RACK_ID + # value: "1" + + # -- Configure extra environment variables from Secrets and ConfigMaps. + extraEnvFrom: [] + # - secretRef: + # name: my-secret + # - configMapRef: + # name: my-configmap + + # -- The maximum time in seconds for a deployment to make progress before it is + # considered to be failed. The deployment controller will continue to process + # failed deployments and a condition with a ProgressDeadlineExceeded reason + # will be surfaced in the deployment status. Note that progress will not be + # estimated during the time a deployment is paused. + progressDeadlineSeconds: 600 + + # -- The number of old ReplicaSets to retain to allow rollback. This is a pointer + # to distinguish between explicit zero and not specified. + revisionHistoryLimit: 10 + + # -- Inter-Pod Affinity rules for scheduling Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + podAffinity: {} + # -- Node Affinity rules for scheduling Pods of this Deployment. + # The suggestion would be to spread Pods according to topology zone. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + nodeAffinity: {} + # -- Anti-affinity rules for scheduling Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + # You may either edit the default settings for anti-affinity rules, + # or specify new anti-affinity rules to use instead of the defaults. + podAntiAffinity: + # -- The `topologyKey` to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # -- Valid anti-affinity types are `soft`, `hard`, or `custom`. + # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + type: hard + # -- Weight for `soft` anti-affinity rules. + # Does not apply for other anti-affinity types. + weight: 100 + # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + custom: {} + # -- Node selection constraints for scheduling Pods of this Deployment. + # These constraints override the global `nodeSelector` value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + nodeSelector: {} + # -- PriorityClassName given to Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + priorityClassName: "" + # -- Taints to be tolerated by Pods of this Deployment. + # These tolerations override the global tolerations value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + tolerations: [] + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/). + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + securityContext: + fsGroup: 101 + runAsUser: 101 + fsGroupChangePolicy: OnRootMismatch + terminationGracePeriodSeconds: 30 + restartPolicy: Always + +storage: + volume: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + +# -- ServiceAccount management. +serviceAccount: + # -- Specifies whether a ServiceAccount should be created. + create: false + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- The name of the ServiceAccount to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `connectors.fullname` template. + name: "" + +# -- Service management. +service: + # -- Annotations to add to the Service. + annotations: {} + # -- The name of the service to use. + # If not set, a name is generated using the `connectors.fullname` template. + name: "" + ports: + - name: prometheus + port: 9404 diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/.helmignore b/charts/redpanda/redpanda/5.9.6/charts/console/.helmignore new file mode 100644 index 0000000000..04ecd888b5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/Chart.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/Chart.yaml new file mode 100644 index 0000000000..dd51b48d8a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/console:v2.7.0 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ +apiVersion: v2 +appVersion: v2.7.0 +description: Helm chart to deploy Redpanda Console. +icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg +kubeVersion: '>= 1.21.0-0' +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: console +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 0.7.29 diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/README.md b/charts/redpanda/redpanda/5.9.6/charts/console/README.md new file mode 100644 index 0000000000..9bd93425f8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/README.md @@ -0,0 +1,353 @@ +# Redpanda Console Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Console Helm chart. +--- + +![Version: 0.7.29](https://img.shields.io/badge/Version-0.7.29-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.7.0](https://img.shields.io/badge/AppVersion-v2.7.0-informational?style=flat-square) + +This page describes the official Redpanda Console Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/console/values.yaml). +Each of the settings is listed and described on this page, along with any default values. + +The Redpanda Console Helm chart is included as a subchart in the Redpanda Helm chart so that you can deploy and configure Redpanda and Redpanda Console together. +For instructions on how to install and use the chart, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). +For instructions on how to override and customize the chart’s values, see [Configure Redpanda Console](https://docs.redpanda.com/docs/manage/kubernetes/configure-helm-chart/#configure-redpanda-console). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.21.0-0` + +## Settings + +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=affinity) + +**Default:** `{}` + +### [annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=annotations) + +Annotations to add to the deployment. + +**Default:** `{}` + +### [automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=automountServiceAccountToken) + +Automount API credentials for the Service Account into the pod. + +**Default:** `true` + +### [autoscaling.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.enabled) + +**Default:** `false` + +### [autoscaling.maxReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.maxReplicas) + +**Default:** `100` + +### [autoscaling.minReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.minReplicas) + +**Default:** `1` + +### [autoscaling.targetCPUUtilizationPercentage](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.targetCPUUtilizationPercentage) + +**Default:** `80` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=commonLabels) + +**Default:** `{}` + +### [configmap.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=configmap.create) + +**Default:** `true` + +### [console.config](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=console.config) + +Settings for the `Config.yaml` (required). For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + +**Default:** `{}` + +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=deployment.create) + +**Default:** `true` + +### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=enterprise) + +Settings for license key, as an alternative to secret.enterprise when a license secret is available + +**Default:** + +``` +{"licenseSecretRef":{"key":"","name":""}} +``` + +### [extraContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraContainers) + +Add additional containers, such as for oauth2-proxy. + +**Default:** `[]` + +### [extraEnv](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnv) + +Additional environment variables for the Redpanda Console Deployment. + +**Default:** `[]` + +### [extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnvFrom) + +Additional environment variables for Redpanda Console mapped from Secret or ConfigMap. + +**Default:** `[]` + +### [extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumeMounts) + +Add additional volume mounts, such as for TLS keys. + +**Default:** `[]` + +### [extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumes) + +Add additional volumes, such as for TLS keys. + +**Default:** `[]` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=fullnameOverride) + +Override `console.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image) + +Redpanda Console Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","registry":"docker.redpanda.com","repository":"redpandadata/console","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.pullPolicy) + +The imagePullPolicy. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** `"redpandadata/console"` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.tag) + +The Redpanda Console version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/console/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags). + +**Default:** `Chart.appVersion` + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [ingress.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.annotations) + +**Default:** `{}` + +### [ingress.className](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.className) + +**Default:** `nil` + +### [ingress.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.enabled) + +**Default:** `false` + +### [ingress.hosts[0].host](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].host) + +**Default:** `"chart-example.local"` + +### [ingress.hosts[0].paths[0].path](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].path) + +**Default:** `"/"` + +### [ingress.hosts[0].paths[0].pathType](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].pathType) + +**Default:** `"ImplementationSpecific"` + +### [ingress.tls](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.tls) + +**Default:** `[]` + +### [initContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers) + +Any initContainers defined should be written here + +**Default:** `{"extraInitContainers":""}` + +### [initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers.extraInitContainers) + +Additional set of init containers + +**Default:** `""` + +### [livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=livenessProbe) + +Settings for liveness and readiness probes. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes). + +**Default:** + +``` +{"failureThreshold":3,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nameOverride) + +Override `console.name` template. + +**Default:** `""` + +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nodeSelector) + +**Default:** `{}` + +### [podAnnotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podAnnotations) + +**Default:** `{}` + +### [podLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podLabels) + +**Default:** `{}` + +### [podSecurityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.fsGroup) + +**Default:** `99` + +### [podSecurityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.runAsUser) + +**Default:** `99` + +### [priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=priorityClassName) + +PriorityClassName given to Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.failureThreshold) + +**Default:** `3` + +### [readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.initialDelaySeconds) + +Grant time to test connectivity to upstream services such as Kafka and Schema Registry. + +**Default:** `10` + +### [readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.periodSeconds) + +**Default:** `10` + +### [readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.successThreshold) + +**Default:** `1` + +### [readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.timeoutSeconds) + +**Default:** `1` + +### [replicaCount](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=replicaCount) + +**Default:** `1` + +### [resources](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=resources) + +**Default:** `{}` + +### [secret](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret) + +Create a new Kubernetes Secret for all sensitive configuration inputs. Each provided Secret is mounted automatically and made available to the Pod. If you want to use one or more existing Secrets, you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets. + +**Default:** + +``` +{"create":true,"enterprise":{},"kafka":{},"login":{"github":{},"google":{},"jwtSecret":"","oidc":{},"okta":{}},"redpanda":{"adminApi":{}}} +``` + +### [secret.kafka](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret.kafka) + +Kafka Secrets. + +**Default:** `{}` + +### [secretMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secretMounts) + +SecretMounts is an abstraction to make a Secret available in the container's filesystem. Under the hood it creates a volume and a volume mount for the Redpanda Console container. + +**Default:** `[]` + +### [securityContext.runAsNonRoot](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=securityContext.runAsNonRoot) + +**Default:** `true` + +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.annotations) + +**Default:** `{}` + +### [service.port](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.port) + +**Default:** `8080` + +### [service.targetPort](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.targetPort) + +Override the value in `console.config.server.listenPort` if not `nil` + +**Default:** `nil` + +### [service.type](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.type) + +**Default:** `"ClusterIP"` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.annotations) + +Annotations to add to the service account. + +**Default:** `{}` + +### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.automountServiceAccountToken) + +Specifies whether a service account should automount API-Credentials + +**Default:** `true` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.create) + +Specifies whether a service account should be created. + +**Default:** `true` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.name) + +The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `console.fullname` template + +**Default:** `""` + +### [strategy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=strategy) + +**Default:** `{}` + +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tolerations) + +**Default:** `[]` + +### [topologySpreadConstraints](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=topologySpreadConstraints) + +**Default:** `[]` + diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/chart_test.go b/charts/redpanda/redpanda/5.9.6/charts/console/chart_test.go new file mode 100644 index 0000000000..0e652c13e1 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/chart_test.go @@ -0,0 +1,158 @@ +package console + +import ( + "encoding/json" + "fmt" + "os" + "regexp" + "slices" + "testing" + + fuzz "github.com/google/gofuzz" + "github.com/redpanda-data/helm-charts/pkg/helm" + "github.com/redpanda-data/helm-charts/pkg/testutil" + "github.com/santhosh-tekuri/jsonschema/v5" + "github.com/stretchr/testify/require" + "golang.org/x/tools/txtar" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/yaml" +) + +// TestValues asserts that the chart's values.yaml file can be losslessly +// loaded into our type [Values] struct. +// NB: values.yaml should round trip through [Values], not [PartialValues], as +// [Values]'s omitempty tags are models after values.yaml. +func TestValues(t *testing.T) { + var typedValues Values + var unstructuredValues map[string]any + + require.NoError(t, yaml.Unmarshal(DefaultValuesYAML, &typedValues)) + require.NoError(t, yaml.Unmarshal(DefaultValuesYAML, &unstructuredValues)) + + typedValuesJSON, err := json.Marshal(typedValues) + require.NoError(t, err) + + unstructuredValuesJSON, err := json.Marshal(unstructuredValues) + require.NoError(t, err) + + require.JSONEq(t, string(unstructuredValuesJSON), string(typedValuesJSON)) +} + +func TestTemplate(t *testing.T) { + ctx := testutil.Context(t) + client, err := helm.New(helm.Options{ConfigHome: testutil.TempDir(t)}) + require.NoError(t, err) + + casesArchive, err := txtar.ParseFile("testdata/template-cases.txtar") + require.NoError(t, err) + + generatedCasesArchive, err := txtar.ParseFile("testdata/template-cases-generated.txtar") + require.NoError(t, err) + + goldens := testutil.NewTxTar(t, "testdata/template-cases.golden.txtar") + + for _, tc := range append(casesArchive.Files, generatedCasesArchive.Files...) { + tc := tc + t.Run(tc.Name, func(t *testing.T) { + var values PartialValues + require.NoError(t, yaml.Unmarshal(tc.Data, &values)) + + out, err := client.Template(ctx, ".", helm.TemplateOptions{ + Name: "console", + Values: values, + Set: []string{ + // jwtSecret defaults to a random string. Can't have that + // in snapshot testing so set it to a static value. + "secret.login.jwtSecret=SECRETKEY", + }, + }) + require.NoError(t, err) + goldens.AssertGolden(t, testutil.YAML, fmt.Sprintf("testdata/%s.yaml.golden", tc.Name), out) + }) + } +} + +// TestGenerateCases is not a test case (sorry) but a test case generator for +// the console chart. +func TestGenerateCases(t *testing.T) { + // Nasty hack to avoid making a main function somewhere. Sorry not sorry. + if !slices.Contains(os.Args, fmt.Sprintf("-test.run=%s", t.Name())) { + t.Skipf("%s will only run if explicitly specified (-run %q)", t.Name(), t.Name()) + } + + // Makes strings easier to read. + asciiStrs := func(s *string, c fuzz.Continue) { + const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" + var x []byte + for i := 0; i < c.Intn(25); i++ { + x = append(x, alphabet[c.Intn(len(alphabet))]) + } + *s = string(x) + } + smallInts := func(s *int, c fuzz.Continue) { + *s = c.Intn(501) + } + + fuzzer := fuzz.New().NumElements(0, 3).SkipFieldsWithPattern( + regexp.MustCompile("^(SELinuxOptions|WindowsOptions|SeccompProfile|TCPSocket|HTTPHeaders|VolumeSource)$"), + ).Funcs( + asciiStrs, + smallInts, + func(t *corev1.ServiceType, c fuzz.Continue) { + types := []corev1.ServiceType{ + corev1.ServiceTypeClusterIP, + corev1.ServiceTypeExternalName, + corev1.ServiceTypeNodePort, + corev1.ServiceTypeLoadBalancer, + } + *t = types[c.Intn(len(types))] + }, + func(s *corev1.ResourceName, c fuzz.Continue) { asciiStrs((*string)(s), c) }, + func(_ *any, c fuzz.Continue) {}, + func(_ *[]corev1.ResourceClaim, c fuzz.Continue) {}, + func(_ *[]metav1.ManagedFieldsEntry, c fuzz.Continue) {}, + ) + + schema, err := jsonschema.CompileString("", string(ValuesSchemaJSON)) + require.NoError(t, err) + + nilChance := float64(0.8) + + files := make([]txtar.File, 0, 50) + for i := 0; i < 50; i++ { + // Every 5 iterations, decrease nil chance to ensure that we're biased + // towards exploring most cases. + if i%5 == 0 && nilChance > .1 { + nilChance -= .1 + } + + var values PartialValues + fuzzer.NilChance(nilChance).Fuzz(&values) + + out, err := yaml.Marshal(values) + require.NoError(t, err) + + merged, err := helm.MergeYAMLValues(t.TempDir(), DefaultValuesYAML, out) + require.NoError(t, err) + + // Ensure that our generated values comply with the schema set by the chart. + if err := schema.Validate(merged); err != nil { + t.Logf("Generated invalid values; trying again...\n%v", err) + i-- + continue + } + + files = append(files, txtar.File{ + Name: fmt.Sprintf("case-%03d", i), + Data: out, + }) + } + + archive := txtar.Format(&txtar.Archive{ + Comment: []byte(fmt.Sprintf(`Generated by %s`, t.Name())), + Files: files, + }) + + require.NoError(t, os.WriteFile("testdata/template-cases-generated.txtar", archive, 0o644)) +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/configmap.go b/charts/redpanda/redpanda/5.9.6/charts/console/configmap.go new file mode 100644 index 0000000000..c4fa382915 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/configmap.go @@ -0,0 +1,61 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_configmap.go.tpl +package console + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func ConfigMap(dot *helmette.Dot) *corev1.ConfigMap { + values := helmette.Unwrap[Values](dot.Values) + + if !values.ConfigMap.Create { + return nil + } + + data := map[string]string{ + "config.yaml": fmt.Sprintf("# from .Values.console.config\n%s\n", helmette.Tpl(helmette.ToYaml(values.Console.Config), dot)), + } + + if len(values.Console.Roles) > 0 { + data["roles.yaml"] = helmette.Tpl(helmette.ToYaml(map[string]any{ + "roles": values.Console.Roles, + }), dot) + } + + if len(values.Console.RoleBindings) > 0 { + data["role-bindings.yaml"] = helmette.Tpl(helmette.ToYaml(map[string]any{ + "roleBindings": values.Console.RoleBindings, + }), dot) + } + + return &corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "ConfigMap", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + }, + Data: data, + } +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/deployment.go b/charts/redpanda/redpanda/5.9.6/charts/console/deployment.go new file mode 100644 index 0000000000..47537d40d2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/deployment.go @@ -0,0 +1,535 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_deployment.go.tpl +package console + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" +) + +// Console's HTTP server Port. +// The port is defined from the provided config but can be overridden +// by setting service.targetPort and if that is missing defaults to 8080. +func ContainerPort(dot *helmette.Dot) int32 { + values := helmette.Unwrap[Values](dot.Values) + + listenPort := int32(8080) + if values.Service.TargetPort != nil { + listenPort = *values.Service.TargetPort + } + + configListenPort := helmette.Dig(values.Console.Config, nil, "server", "listenPort") + if asInt, ok := helmette.AsIntegral[int](configListenPort); ok { + return int32(asInt) + } + + return listenPort +} + +func Deployment(dot *helmette.Dot) *appsv1.Deployment { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Deployment.Create { + return nil + } + + var replicas *int32 + if !values.Autoscaling.Enabled { + replicas = ptr.To(values.ReplicaCount) + } + + var initContainers []corev1.Container + if values.InitContainers.ExtraInitContainers != nil { + initContainers = helmette.UnmarshalYamlArray[corev1.Container](helmette.Tpl(*values.InitContainers.ExtraInitContainers, dot)) + } + + volumeMounts := []corev1.VolumeMount{ + { + Name: "configs", + MountPath: "/etc/console/configs", + ReadOnly: true, + }, + } + + if values.Secret.Create { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: "secrets", + MountPath: "/etc/console/secrets", + ReadOnly: true, + }) + } + + for _, mount := range values.SecretMounts { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: mount.Name, + MountPath: mount.Path, + SubPath: ptr.Deref(mount.SubPath, ""), + }) + } + + volumeMounts = append(volumeMounts, values.ExtraVolumeMounts...) + + return &appsv1.Deployment{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "apps/v1", + Kind: "Deployment", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + Namespace: dot.Release.Namespace, + Annotations: values.Annotations, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: SelectorLabels(dot), + }, + Strategy: values.Strategy, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: helmette.Merge(map[string]string{ + "checksum/config": helmette.Sha256Sum(helmette.ToYaml(ConfigMap(dot))), + }, values.PodAnnotations), + Labels: helmette.Merge(SelectorLabels(dot), values.PodLabels), + }, + Spec: corev1.PodSpec{ + ImagePullSecrets: values.ImagePullSecrets, + ServiceAccountName: ServiceAccountName(dot), + AutomountServiceAccountToken: &values.AutomountServiceAccountToken, + SecurityContext: &values.PodSecurityContext, + NodeSelector: values.NodeSelector, + Affinity: &values.Affinity, + TopologySpreadConstraints: values.TopologySpreadConstraints, + PriorityClassName: values.PriorityClassName, + Tolerations: values.Tolerations, + Volumes: consolePodVolumes(dot), + InitContainers: initContainers, + Containers: append([]corev1.Container{ + { + Name: dot.Chart.Name, + Command: values.Deployment.Command, + Args: append([]string{ + "--config.filepath=/etc/console/configs/config.yaml", + }, values.Deployment.ExtraArgs...), + SecurityContext: &values.SecurityContext, + Image: containerImage(dot), + ImagePullPolicy: values.Image.PullPolicy, + Ports: []corev1.ContainerPort{ + { + Name: "http", + ContainerPort: ContainerPort(dot), + Protocol: corev1.ProtocolTCP, + }, + }, + VolumeMounts: volumeMounts, + LivenessProbe: &corev1.Probe{ + InitialDelaySeconds: values.LivenessProbe.InitialDelaySeconds, // TODO what to do with this?? + PeriodSeconds: values.LivenessProbe.PeriodSeconds, + TimeoutSeconds: values.LivenessProbe.TimeoutSeconds, + SuccessThreshold: values.LivenessProbe.SuccessThreshold, + FailureThreshold: values.LivenessProbe.FailureThreshold, + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/admin/health", + Port: intstr.FromString("http"), + }, + }, + }, + ReadinessProbe: &corev1.Probe{ + InitialDelaySeconds: values.ReadinessProbe.InitialDelaySeconds, + PeriodSeconds: values.ReadinessProbe.PeriodSeconds, + TimeoutSeconds: values.ReadinessProbe.TimeoutSeconds, + SuccessThreshold: values.ReadinessProbe.SuccessThreshold, + FailureThreshold: values.ReadinessProbe.FailureThreshold, + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/admin/health", + Port: intstr.FromString("http"), + }, + }, + }, + Resources: values.Resources, + Env: consoleContainerEnv(dot), + EnvFrom: values.ExtraEnvFrom, + }, + }, values.ExtraContainers...), + }, + }, + }, + } +} + +// ConsoleImage +func containerImage(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + tag := dot.Chart.AppVersion + if !helmette.Empty(values.Image.Tag) { + tag = *values.Image.Tag + } + + image := fmt.Sprintf("%s:%s", values.Image.Repository, tag) + + if !helmette.Empty(values.Image.Registry) { + return fmt.Sprintf("%s/%s", values.Image.Registry, image) + } + + return image +} + +type PossibleEnvVar struct { + Value any + EnvVar corev1.EnvVar +} + +func consoleContainerEnv(dot *helmette.Dot) []corev1.EnvVar { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Secret.Create { + vars := values.ExtraEnv + + if !helmette.Empty(values.Enterprise.LicenseSecretRef.Name) { + vars = append(values.ExtraEnv, corev1.EnvVar{ + Name: "LICENSE", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: values.Enterprise.LicenseSecretRef.Name, + }, + Key: helmette.Default("enterprise-license", values.Enterprise.LicenseSecretRef.Key), + }, + }, + }) + } + + return vars + } + + possibleVars := []PossibleEnvVar{ + { + Value: values.Secret.Kafka.SASLPassword, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SASL_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-sasl-password", + }, + }, + }, + }, + { + Value: values.Secret.Kafka.ProtobufGitBasicAuthPassword, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-protobuf-git-basicauth-password", + }, + }, + }, + }, + { + Value: values.Secret.Kafka.AWSMSKIAMSecretKey, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SASL_AWSMSKIAM_SECRETKEY", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-sasl-aws-msk-iam-secret-key", + }, + }, + }, + }, + { + Value: values.Secret.Kafka.TLSCA, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_TLS_CAFILEPATH", + Value: "/etc/console/secrets/kafka-tls-ca", + }, + }, + { + Value: values.Secret.Kafka.TLSCert, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_TLS_CERTFILEPATH", + Value: "/etc/console/secrets/kafka-tls-cert", + }, + }, + { + Value: values.Secret.Kafka.TLSKey, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_TLS_KEYFILEPATH", + Value: "/etc/console/secrets/kafka-tls-key", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryTLSCA, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH", + Value: "/etc/console/secrets/kafka-schemaregistry-tls-ca", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryTLSCert, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH", + Value: "/etc/console/secrets/kafka-schemaregistry-tls-cert", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryTLSKey, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH", + Value: "/etc/console/secrets/kafka-schemaregistry-tls-key", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryPassword, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-schema-registry-password", + }, + }, + }, + }, + { + Value: true, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_JWTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-jwt-secret", + }, + }, + }, + }, + { + Value: values.Secret.Login.Google.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GOOGLE_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-google-oauth-client-secret", + }, + }, + }, + }, + + { + Value: values.Secret.Login.Google.GroupsServiceAccount, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH", + Value: "/etc/console/secrets/login-google-groups-service-account.json", + }, + }, + { + Value: values.Secret.Login.Github.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GITHUB_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-github-oauth-client-secret", + }, + }, + }, + }, + { + Value: values.Secret.Login.Github.PersonalAccessToken, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-github-personal-access-token", + }, + }, + }, + }, + { + Value: values.Secret.Login.Okta.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_OKTA_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-okta-client-secret", + }, + }, + }, + }, + { + Value: values.Secret.Login.Okta.DirectoryAPIToken, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_OKTA_DIRECTORY_APITOKEN", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-okta-directory-api-token", + }, + }, + }, + }, + { + Value: values.Secret.Login.OIDC.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_OIDC_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-oidc-client-secret", + }, + }, + }, + }, + { + Value: values.Secret.Enterprise.License, + EnvVar: corev1.EnvVar{ + Name: "LICENSE", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "enterprise-license", + }, + }, + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.Password, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "redpanda-admin-api-password", + }, + }, + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.TLSCA, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_TLS_CAFILEPATH", + Value: "/etc/console/secrets/redpanda-admin-api-tls-ca", + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.TLSKey, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_TLS_KEYFILEPATH", + Value: "/etc/console/secrets/redpanda-admin-api-tls-key", + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.TLSCert, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_TLS_CERTFILEPATH", + Value: "/etc/console/secrets/redpanda-admin-api-tls-cert", + }, + }, + } + + vars := values.ExtraEnv + for _, possible := range possibleVars { + if !helmette.Empty(possible.Value) { + vars = append(vars, possible.EnvVar) + } + } + + return vars +} + +func consolePodVolumes(dot *helmette.Dot) []corev1.Volume { + values := helmette.Unwrap[Values](dot.Values) + + volumes := []corev1.Volume{ + { + Name: "configs", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + }, + }, + }, + } + + if values.Secret.Create { + volumes = append(volumes, corev1.Volume{ + Name: "secrets", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: Fullname(dot), + }, + }, + }) + } + + for _, mount := range values.SecretMounts { + volumes = append(volumes, corev1.Volume{ + Name: mount.Name, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: mount.SecretName, + DefaultMode: mount.DefaultMode, + }, + }, + }) + } + + return append(volumes, values.ExtraVolumes...) +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/examples/console-enterprise.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/examples/console-enterprise.yaml new file mode 100644 index 0000000000..dc3f29197d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/examples/console-enterprise.yaml @@ -0,0 +1,94 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +image: + tag: master-8fcce39 + +resources: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 100m + memory: 512Mi + +console: + config: + kafka: + brokers: + - bootstrap.mybrokers.com:9092 + clientId: redpanda-console + sasl: + enabled: true + mechanism: SCRAM-SHA-256 + username: console + # password: set via Helm secret / Env variable + tls: + enabled: false + login: + google: + enabled: true + clientId: redacted.apps.googleusercontent.com + # clientSecret: set via Helm secret / Env variable + directory: + # serviceAccountFilepath: set via Helm secret / Env variable + targetPrincipal: admin@mycompany.com + enterprise: + rbac: + enabled: true + roleBindingsFilepath: /etc/console/configs/role-bindings.yaml + roleBindings: + - roleName: viewer + metadata: + # Metadata properties will be shown in the UI. You can omit it if you want to + name: Developers + subjects: + # You can specify all groups or users from different providers here which shall be bound to the same role + - kind: group + provider: Google + name: engineering@mycompany.com + - kind: user + provider: Google + name: singleuser@mycompany.com + - roleName: admin + metadata: + name: Admin + subjects: + - kind: user + provider: Google + name: adminperson@mycompany.com + +secret: + create: true + kafka: + saslPassword: "redacted" + enterprise: + license: "redacted" + login: + google: + clientSecret: "redacted" + groupsServiceAccount: | + { + "type": "service_account", + "project_id": "redacted", + "private_key_id": "redacted", + "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n", + "client_email": "redacted@projectid.iam.gserviceaccount.com", + "client_id": "redacted", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/redacted.iam.gserviceaccount.com" + } diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/helpers.go b/charts/redpanda/redpanda/5.9.6/charts/console/helpers.go new file mode 100644 index 0000000000..eed4aa7119 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/helpers.go @@ -0,0 +1,84 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_helpers.go.tpl +package console + +import ( + "fmt" + "strings" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" +) + +// Expand the name of the chart. +func Name(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + name := helmette.Default(dot.Chart.Name, values.NameOverride) + return cleanForK8s(name) +} + +// Create a default fully qualified app name. +// We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +// If release name contains chart name it will be used as a full name. +func Fullname(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + if values.FullnameOverride != "" { + return cleanForK8s(values.FullnameOverride) + } + + name := helmette.Default(dot.Chart.Name, values.NameOverride) + + if helmette.Contains(name, dot.Release.Name) { + return cleanForK8s(dot.Release.Name) + } + + return cleanForK8s(fmt.Sprintf("%s-%s", dot.Release.Name, name)) +} + +// Create chart name and version as used by the chart label. +func Chart(dot *helmette.Dot) string { + chart := fmt.Sprintf("%s-%s", dot.Chart.Name, dot.Chart.Version) + return cleanForK8s(strings.ReplaceAll(chart, "+", "_")) +} + +// Common labels +func Labels(dot *helmette.Dot) map[string]string { + values := helmette.Unwrap[Values](dot.Values) + + labels := map[string]string{ + "helm.sh/chart": Chart(dot), + "app.kubernetes.io/managed-by": dot.Release.Service, + } + + if dot.Chart.AppVersion != "" { + labels["app.kubernetes.io/version"] = dot.Chart.AppVersion + } + + return helmette.Merge(labels, SelectorLabels(dot), values.CommonLabels) +} + +func SelectorLabels(dot *helmette.Dot) map[string]string { + return map[string]string{ + "app.kubernetes.io/name": Name(dot), + "app.kubernetes.io/instance": dot.Release.Name, + } +} + +func cleanForK8s(s string) string { + return helmette.TrimSuffix("-", helmette.Trunc(63, s)) +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/hpa.go b/charts/redpanda/redpanda/5.9.6/charts/console/hpa.go new file mode 100644 index 0000000000..3b0458cffe --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/hpa.go @@ -0,0 +1,82 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_hpa.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + autoscalingv2 "k8s.io/api/autoscaling/v2" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" +) + +func HorizontalPodAutoscaler(dot *helmette.Dot) *autoscalingv2.HorizontalPodAutoscaler { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Autoscaling.Enabled { + return nil + } + + metrics := []autoscalingv2.MetricSpec{} + + if values.Autoscaling.TargetCPUUtilizationPercentage != nil { + metrics = append(metrics, autoscalingv2.MetricSpec{ + Type: "Resource", + Resource: &autoscalingv2.ResourceMetricSource{ + Name: corev1.ResourceCPU, + Target: autoscalingv2.MetricTarget{ + Type: autoscalingv2.UtilizationMetricType, + AverageUtilization: values.Autoscaling.TargetCPUUtilizationPercentage, + }, + }, + }) + } + + if values.Autoscaling.TargetMemoryUtilizationPercentage != nil { + metrics = append(metrics, autoscalingv2.MetricSpec{ + Type: "Resource", + Resource: &autoscalingv2.ResourceMetricSource{ + Name: corev1.ResourceMemory, + Target: autoscalingv2.MetricTarget{ + Type: autoscalingv2.UtilizationMetricType, + AverageUtilization: values.Autoscaling.TargetMemoryUtilizationPercentage, + }, + }, + }) + } + + return &autoscalingv2.HorizontalPodAutoscaler{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "autoscaling/v2", + Kind: "HorizontalPodAutoscaler", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + }, + Spec: autoscalingv2.HorizontalPodAutoscalerSpec{ + ScaleTargetRef: autoscalingv2.CrossVersionObjectReference{ + APIVersion: "apps/v1", + Kind: "Deployment", + Name: Fullname(dot), + }, + MinReplicas: ptr.To(values.Autoscaling.MinReplicas), + MaxReplicas: values.Autoscaling.MaxReplicas, + Metrics: metrics, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/ingress.go b/charts/redpanda/redpanda/5.9.6/charts/console/ingress.go new file mode 100644 index 0000000000..926c286f18 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/ingress.go @@ -0,0 +1,88 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_ingress.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + networkingv1 "k8s.io/api/networking/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func Ingress(dot *helmette.Dot) *networkingv1.Ingress { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Ingress.Enabled { + return nil + } + + var tls []networkingv1.IngressTLS + for _, t := range values.Ingress.TLS { + var hosts []string + for _, host := range t.Hosts { + hosts = append(hosts, helmette.Tpl(host, dot)) + } + tls = append(tls, networkingv1.IngressTLS{ + SecretName: t.SecretName, + Hosts: hosts, + }) + } + + var rules []networkingv1.IngressRule + for _, host := range values.Ingress.Hosts { + var paths []networkingv1.HTTPIngressPath + for _, path := range host.Paths { + paths = append(paths, networkingv1.HTTPIngressPath{ + Path: path.Path, + PathType: path.PathType, + Backend: networkingv1.IngressBackend{ + Service: &networkingv1.IngressServiceBackend{ + Name: Fullname(dot), + Port: networkingv1.ServiceBackendPort{ + Number: values.Service.Port, + }, + }, + }, + }) + } + + rules = append(rules, networkingv1.IngressRule{ + Host: helmette.Tpl(host.Host, dot), + IngressRuleValue: networkingv1.IngressRuleValue{ + HTTP: &networkingv1.HTTPIngressRuleValue{ + Paths: paths, + }, + }, + }) + } + + return &networkingv1.Ingress{ + TypeMeta: metav1.TypeMeta{ + Kind: "Ingress", + APIVersion: "networking.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + Annotations: values.Ingress.Annotations, + }, + Spec: networkingv1.IngressSpec{ + IngressClassName: values.Ingress.ClassName, + TLS: tls, + Rules: rules, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/notes.go b/charts/redpanda/redpanda/5.9.6/charts/console/notes.go new file mode 100644 index 0000000000..1f652dbaf8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/notes.go @@ -0,0 +1,67 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_notes.go.tpl +package console + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" +) + +func Notes(dot *helmette.Dot) []string { + values := helmette.Unwrap[Values](dot.Values) + + commands := []string{ + `1. Get the application URL by running these commands:`, + } + if values.Ingress.Enabled { + scheme := "http" + if len(values.Ingress.TLS) > 0 { + scheme = "https" + } + for _, host := range values.Ingress.Hosts { + for _, path := range host.Paths { + commands = append(commands, fmt.Sprintf("%s://%s%s", scheme, host.Host, path.Path)) + } + } + } else if helmette.Contains("NodePort", string(values.Service.Type)) { + commands = append( + commands, + fmt.Sprintf(` export NODE_PORT=$(kubectl get --namespace %s -o jsonpath="{.spec.ports[0].nodePort}" services %s)`, dot.Release.Namespace, Fullname(dot)), + fmt.Sprintf(` export NODE_IP=$(kubectl get nodes --namespace %s -o jsonpath="{.items[0].status.addresses[0].address}")`, dot.Release.Namespace), + " echo http://$NODE_IP:$NODE_PORT", + ) + } else if helmette.Contains("NodePort", string(values.Service.Type)) { + commands = append( + commands, + ` NOTE: It may take a few minutes for the LoadBalancer IP to be available.`, + fmt.Sprintf(` You can watch the status of by running 'kubectl get --namespace %s svc -w %s'`, dot.Release.Namespace, Fullname(dot)), + fmt.Sprintf(` export SERVICE_IP=$(kubectl get svc --namespace %s %s --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")`, dot.Release.Namespace, Fullname(dot)), + fmt.Sprintf(` echo http://$SERVICE_IP:%d`, values.Service.Port), + ) + } else if helmette.Contains("ClusterIP", string(values.Service.Type)) { + commands = append( + commands, + fmt.Sprintf(` export POD_NAME=$(kubectl get pods --namespace %s -l "app.kubernetes.io/name=%s,app.kubernetes.io/instance=%s" -o jsonpath="{.items[0].metadata.name}")`, dot.Release.Namespace, Name(dot), dot.Release.Name), + fmt.Sprintf(` export CONTAINER_PORT=$(kubectl get pod --namespace %s $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")`, dot.Release.Namespace), + ` echo "Visit http://127.0.0.1:8080 to use your application"`, + fmt.Sprintf(` kubectl --namespace %s port-forward $POD_NAME 8080:$CONTAINER_PORT`, dot.Release.Namespace), + ) + } + + return commands +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/secret.go b/charts/redpanda/redpanda/5.9.6/charts/console/secret.go new file mode 100644 index 0000000000..d23951cbd2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/secret.go @@ -0,0 +1,84 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_secret.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" +) + +func Secret(dot *helmette.Dot) *corev1.Secret { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Secret.Create { + return nil + } + + jwtSecret := values.Secret.Login.JWTSecret + if jwtSecret == "" { + jwtSecret = helmette.RandAlphaNum(32) + } + + return &corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + }, + Type: corev1.SecretTypeOpaque, + StringData: map[string]string{ + // Set empty defaults, so that we can always mount them as env variable even if they are not used. + // For this reason we can't use `with` to change the scope. + + // Kafka + "kafka-sasl-password": ptr.Deref(values.Secret.Kafka.SASLPassword, ""), + "kafka-protobuf-git-basicauth-password": ptr.Deref(values.Secret.Kafka.ProtobufGitBasicAuthPassword, ""), + "kafka-sasl-aws-msk-iam-secret-key": ptr.Deref(values.Secret.Kafka.AWSMSKIAMSecretKey, ""), + "kafka-tls-ca": ptr.Deref(values.Secret.Kafka.TLSCA, ""), + "kafka-tls-cert": ptr.Deref(values.Secret.Kafka.TLSCert, ""), + "kafka-tls-key": ptr.Deref(values.Secret.Kafka.TLSKey, ""), + "kafka-schema-registry-password": ptr.Deref(values.Secret.Kafka.SchemaRegistryPassword, ""), + "kafka-schemaregistry-tls-ca": ptr.Deref(values.Secret.Kafka.SchemaRegistryTLSCA, ""), + "kafka-schemaregistry-tls-cert": ptr.Deref(values.Secret.Kafka.SchemaRegistryTLSCert, ""), + "kafka-schemaregistry-tls-key": ptr.Deref(values.Secret.Kafka.SchemaRegistryTLSKey, ""), + + // Login + "login-jwt-secret": jwtSecret, + "login-google-oauth-client-secret": ptr.Deref(values.Secret.Login.Google.ClientSecret, ""), + "login-google-groups-service-account.json": ptr.Deref(values.Secret.Login.Google.GroupsServiceAccount, ""), + "login-github-oauth-client-secret": ptr.Deref(values.Secret.Login.Github.ClientSecret, ""), + "login-github-personal-access-token": ptr.Deref(values.Secret.Login.Github.PersonalAccessToken, ""), + "login-okta-client-secret": ptr.Deref(values.Secret.Login.Okta.ClientSecret, ""), + "login-okta-directory-api-token": ptr.Deref(values.Secret.Login.Okta.DirectoryAPIToken, ""), + "login-oidc-client-secret": ptr.Deref(values.Secret.Login.OIDC.ClientSecret, ""), + + // Enterprise + "enterprise-license": ptr.Deref(values.Secret.Enterprise.License, ""), + + // Redpanda + "redpanda-admin-api-password": ptr.Deref(values.Secret.Redpanda.AdminAPI.Password, ""), + "redpanda-admin-api-tls-ca": ptr.Deref(values.Secret.Redpanda.AdminAPI.TLSCA, ""), + "redpanda-admin-api-tls-cert": ptr.Deref(values.Secret.Redpanda.AdminAPI.TLSCert, ""), + "redpanda-admin-api-tls-key": ptr.Deref(values.Secret.Redpanda.AdminAPI.TLSKey, ""), + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/service.go b/charts/redpanda/redpanda/5.9.6/charts/console/service.go new file mode 100644 index 0000000000..65214bf3ed --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/service.go @@ -0,0 +1,60 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_service.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +func Service(dot *helmette.Dot) *corev1.Service { + values := helmette.Unwrap[Values](dot.Values) + + port := corev1.ServicePort{ + Name: "http", + Port: int32(values.Service.Port), + Protocol: corev1.ProtocolTCP, + } + + if values.Service.TargetPort != nil { + port.TargetPort = intstr.FromInt32(*values.Service.TargetPort) + } + + if helmette.Contains("NodePort", string(values.Service.Type)) && values.Service.NodePort != nil { + port.NodePort = *values.Service.NodePort + } + + return &corev1.Service{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Service", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Namespace: dot.Release.Namespace, + Labels: Labels(dot), + Annotations: values.Service.Annotations, + }, + Spec: corev1.ServiceSpec{ + Type: values.Service.Type, + Selector: SelectorLabels(dot), + Ports: []corev1.ServicePort{port}, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/serviceaccount.go b/charts/redpanda/redpanda/5.9.6/charts/console/serviceaccount.go new file mode 100644 index 0000000000..c23e5c92c6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/serviceaccount.go @@ -0,0 +1,60 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_serviceaccount.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" +) + +// Create the name of the service account to use +func ServiceAccountName(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + if values.ServiceAccount.Create { + if values.ServiceAccount.Name != "" { + return values.ServiceAccount.Name + } + return Fullname(dot) + } + + return helmette.Default("default", values.ServiceAccount.Name) +} + +func ServiceAccount(dot *helmette.Dot) *corev1.ServiceAccount { + values := helmette.Unwrap[Values](dot.Values) + + if !values.ServiceAccount.Create { + return nil + } + + return &corev1.ServiceAccount{ + TypeMeta: metav1.TypeMeta{ + Kind: "ServiceAccount", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: ServiceAccountName(dot), + Labels: Labels(dot), + Namespace: dot.Release.Namespace, + Annotations: values.ServiceAccount.Annotations, + }, + AutomountServiceAccountToken: ptr.To(values.ServiceAccount.AutomountServiceAccountToken), + } +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.6/charts/console/templates/NOTES.txt new file mode 100644 index 0000000000..7541881fc9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/NOTES.txt @@ -0,0 +1,20 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- $notes := (get ((include "console.Notes" (dict "a" (list .))) | fromJson) "r") -}} +{{- range $_, $note := $notes }} +{{ $note }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_configmap.go.tpl new file mode 100644 index 0000000000..14673b0249 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_configmap.go.tpl @@ -0,0 +1,25 @@ +{{- /* Generated from "configmap.go" */ -}} + +{{- define "console.ConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.configmap.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $data := (dict "config.yaml" (printf "# from .Values.console.config\n%s\n" (tpl (toYaml $values.console.config) $dot)) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roles) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $data "roles.yaml" (tpl (toYaml (dict "roles" $values.console.roles )) $dot)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roleBindings) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $data "role-bindings.yaml" (tpl (toYaml (dict "roleBindings" $values.console.roleBindings )) $dot)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ConfigMap" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "data" $data ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_deployment.go.tpl new file mode 100644 index 0000000000..71696bb257 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_deployment.go.tpl @@ -0,0 +1,133 @@ +{{- /* Generated from "deployment.go" */ -}} + +{{- define "console.ContainerPort" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $listenPort := ((8080 | int) | int) -}} +{{- if (ne $values.service.targetPort (coalesce nil)) -}} +{{- $listenPort = $values.service.targetPort -}} +{{- end -}} +{{- $configListenPort := (dig "server" "listenPort" (coalesce nil) $values.console.config) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $configListenPort) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $asInt_1 := ($tmp_tuple_1.T1 | int) -}} +{{- if $ok_2 -}} +{{- $_is_returning = true -}} +{{- (dict "r" ($asInt_1 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $listenPort) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Deployment" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.deployment.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $replicas := (coalesce nil) -}} +{{- if (not $values.autoscaling.enabled) -}} +{{- $replicas = ($values.replicaCount | int) -}} +{{- end -}} +{{- $initContainers := (coalesce nil) -}} +{{- if (ne $values.initContainers.extraInitContainers (coalesce nil)) -}} +{{- $initContainers = (fromYamlArray (tpl $values.initContainers.extraInitContainers $dot)) -}} +{{- end -}} +{{- $volumeMounts := (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "configs" "mountPath" "/etc/console/configs" "readOnly" true ))) -}} +{{- if $values.secret.create -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "secrets" "mountPath" "/etc/console/secrets" "readOnly" true )))) -}} +{{- end -}} +{{- range $_, $mount := $values.secretMounts -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mount.name "mountPath" $mount.path "subPath" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $mount.subPath "") ))) "r") )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (default (list ) $values.extraVolumeMounts)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.annotations )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $replicas "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" (merge (dict ) (dict "checksum/config" (sha256sum (toYaml (get (fromJson (include "console.ConfigMap" (dict "a" (list $dot) ))) "r"))) ) $values.podAnnotations) "labels" (merge (dict ) (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.podLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "imagePullSecrets" $values.imagePullSecrets "serviceAccountName" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "automountServiceAccountToken" $values.automountServiceAccountToken "securityContext" $values.podSecurityContext "nodeSelector" $values.nodeSelector "affinity" $values.affinity "topologySpreadConstraints" $values.topologySpreadConstraints "priorityClassName" $values.priorityClassName "tolerations" $values.tolerations "volumes" (get (fromJson (include "console.consolePodVolumes" (dict "a" (list $dot) ))) "r") "initContainers" $initContainers "containers" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" $dot.Chart.Name "command" $values.deployment.command "args" (concat (default (list ) (list "--config.filepath=/etc/console/configs/config.yaml")) (default (list ) $values.deployment.extraArgs)) "securityContext" $values.securityContext "image" (get (fromJson (include "console.containerImage" (dict "a" (list $dot) ))) "r") "imagePullPolicy" $values.image.pullPolicy "ports" (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ((get (fromJson (include "console.ContainerPort" (dict "a" (list $dot) ))) "r") | int) "protocol" "TCP" ))) "volumeMounts" $volumeMounts "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.livenessProbe.periodSeconds | int) "timeoutSeconds" ($values.livenessProbe.timeoutSeconds | int) "successThreshold" ($values.livenessProbe.successThreshold | int) "failureThreshold" ($values.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.readinessProbe.initialDelaySeconds | int) "periodSeconds" ($values.readinessProbe.periodSeconds | int) "timeoutSeconds" ($values.readinessProbe.timeoutSeconds | int) "successThreshold" ($values.readinessProbe.successThreshold | int) "failureThreshold" ($values.readinessProbe.failureThreshold | int) )) "resources" $values.resources "env" (get (fromJson (include "console.consoleContainerEnv" (dict "a" (list $dot) ))) "r") "envFrom" $values.extraEnvFrom )))) (default (list ) $values.extraContainers)) )) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.containerImage" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := $dot.Chart.AppVersion -}} +{{- if (not (empty $values.image.tag)) -}} +{{- $tag = $values.image.tag -}} +{{- end -}} +{{- $image := (printf "%s:%s" $values.image.repository $tag) -}} +{{- if (not (empty $values.image.registry)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s" $values.image.registry $image)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $image) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.consoleContainerEnv" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.secret.create) -}} +{{- $vars := $values.extraEnv -}} +{{- if (not (empty $values.enterprise.licenseSecretRef.name)) -}} +{{- $vars = (concat (default (list ) $values.extraEnv) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" (default "enterprise-license" $values.enterprise.licenseSecretRef.key) )) )) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $vars) | toJson -}} +{{- break -}} +{{- end -}} +{{- $possibleVars := (list (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.saslPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.protobufGitBasicAuthPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-protobuf-git-basicauth-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.awsMskIamSecretKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_AWSMSKIAM_SECRETKEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-aws-msk-iam-secret-key" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-schema-registry-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" true "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_JWTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-jwt-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-google-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.groupsServiceAccount "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH" "value" "/etc/console/secrets/login-google-groups-service-account.json" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.github.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.github.personalAccessToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-personal-access-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.directoryApiToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_DIRECTORY_APITOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-directory-api-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.oidc.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OIDC_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-oidc-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.enterprise.License "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "enterprise-license" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.password "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "redpanda-admin-api-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CAFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_KEYFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CERTFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-cert" )) ))) -}} +{{- $vars := $values.extraEnv -}} +{{- range $_, $possible := $possibleVars -}} +{{- if (not (empty $possible.Value)) -}} +{{- $vars = (concat (default (list ) $vars) (list $possible.EnvVar)) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $vars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.consolePodVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes := (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "configs" ))) -}} +{{- if $values.secret.create -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) )) (dict "name" "secrets" )))) -}} +{{- end -}} +{{- range $_, $mount := $values.secretMounts -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $mount.secretName "defaultMode" $mount.defaultMode )) )) (dict "name" $mount.name )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.extraVolumes))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_helpers.go.tpl new file mode 100644 index 0000000000..88b00025d7 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_helpers.go.tpl @@ -0,0 +1,82 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "console.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.fullnameOverride "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- if (contains $name $dot.Release.Name) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Chart" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Labels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $labels := (dict "helm.sh/chart" (get (fromJson (include "console.Chart" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) -}} +{{- if (ne $dot.Chart.AppVersion "") -}} +{{- $_ := (set $labels "app.kubernetes.io/version" $dot.Chart.AppVersion) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $labels (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.commonLabels)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.SelectorLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "app.kubernetes.io/name" (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.cleanForK8s" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_helpers.tpl new file mode 100644 index 0000000000..ee2ab5d9b8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_helpers.tpl @@ -0,0 +1,25 @@ +{{/* +Expand the name of the chart. +Used by tests/test-connection.yaml +*/}} +{{- define "console.name" -}} +{{- get ((include "console.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Used by tests/test-connection.yaml +*/}} +{{- define "console.fullname" -}} +{{- get ((include "console.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Common labels +Used by tests/test-connection.yaml +*/}} +{{- define "console.labels" -}} +{{- (get ((include "console.Labels" (dict "a" (list .))) | fromJson) "r") | toYaml -}} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_hpa.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_hpa.go.tpl new file mode 100644 index 0000000000..5957633d22 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_hpa.go.tpl @@ -0,0 +1,25 @@ +{{- /* Generated from "hpa.go" */ -}} + +{{- define "console.HorizontalPodAutoscaler" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.autoscaling.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $metrics := (list ) -}} +{{- if (ne $values.autoscaling.targetCPUUtilizationPercentage (coalesce nil)) -}} +{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "cpu" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetCPUUtilizationPercentage )) )) )))) -}} +{{- end -}} +{{- if (ne $values.autoscaling.targetMemoryUtilizationPercentage (coalesce nil)) -}} +{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "memory" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetMemoryUtilizationPercentage )) )) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) "status" (dict "desiredReplicas" 0 "currentMetrics" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "autoscaling/v2" "kind" "HorizontalPodAutoscaler" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) (dict "scaleTargetRef" (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "apiVersion" "apps/v1" "kind" "Deployment" "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) "minReplicas" ($values.autoscaling.minReplicas | int) "maxReplicas" ($values.autoscaling.maxReplicas | int) "metrics" $metrics )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_ingress.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_ingress.go.tpl new file mode 100644 index 0000000000..0df05e870b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_ingress.go.tpl @@ -0,0 +1,46 @@ +{{- /* Generated from "ingress.go" */ -}} + +{{- define "console.Ingress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.ingress.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tls := (coalesce nil) -}} +{{- range $_, $t := $values.ingress.tls -}} +{{- $hosts := (coalesce nil) -}} +{{- range $_, $host := $t.hosts -}} +{{- $hosts = (concat (default (list ) $hosts) (list (tpl $host $dot))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $tls = (concat (default (list ) $tls) (list (mustMergeOverwrite (dict ) (dict "secretName" $t.secretName "hosts" $hosts )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $rules := (coalesce nil) -}} +{{- range $_, $host := $values.ingress.hosts -}} +{{- $paths := (coalesce nil) -}} +{{- range $_, $path := $host.paths -}} +{{- $paths = (concat (default (list ) $paths) (list (mustMergeOverwrite (dict "pathType" (coalesce nil) "backend" (dict ) ) (dict "path" $path.path "pathType" $path.pathType "backend" (mustMergeOverwrite (dict ) (dict "service" (mustMergeOverwrite (dict "name" "" "port" (dict ) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "port" (mustMergeOverwrite (dict ) (dict "number" ($values.service.port | int) )) )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $rules = (concat (default (list ) $rules) (list (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "http" (mustMergeOverwrite (dict "paths" (coalesce nil) ) (dict "paths" $paths )) )) (dict "host" (tpl $host.host $dot) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "kind" "Ingress" "apiVersion" "networking.k8s.io/v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.ingress.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "ingressClassName" $values.ingress.className "tls" $tls "rules" $rules )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_notes.go.tpl new file mode 100644 index 0000000000..6b58b21ef4 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_notes.go.tpl @@ -0,0 +1,40 @@ +{{- /* Generated from "notes.go" */ -}} + +{{- define "console.Notes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $commands := (list `1. Get the application URL by running these commands:`) -}} +{{- if $values.ingress.enabled -}} +{{- $scheme := "http" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.ingress.tls) ))) "r") | int) (0 | int)) -}} +{{- $scheme = "https" -}} +{{- end -}} +{{- range $_, $host := $values.ingress.hosts -}} +{{- range $_, $path := $host.paths -}} +{{- $commands = (concat (default (list ) $commands) (list (printf "%s://%s%s" $scheme $host.host $path.path))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list (printf ` export NODE_PORT=$(kubectl get --namespace %s -o jsonpath="{.spec.ports[0].nodePort}" services %s)` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export NODE_IP=$(kubectl get nodes --namespace %s -o jsonpath="{.items[0].status.addresses[0].address}")` $dot.Release.Namespace) " echo http://$NODE_IP:$NODE_PORT")) -}} +{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list ` NOTE: It may take a few minutes for the LoadBalancer IP to be available.` (printf ` You can watch the status of by running 'kubectl get --namespace %s svc -w %s'` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export SERVICE_IP=$(kubectl get svc --namespace %s %s --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` echo http://$SERVICE_IP:%d` ($values.service.port | int)))) -}} +{{- else -}}{{- if (contains "ClusterIP" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list (printf ` export POD_NAME=$(kubectl get pods --namespace %s -l "app.kubernetes.io/name=%s,app.kubernetes.io/instance=%s" -o jsonpath="{.items[0].metadata.name}")` $dot.Release.Namespace (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Name) (printf ` export CONTAINER_PORT=$(kubectl get pod --namespace %s $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")` $dot.Release.Namespace) ` echo "Visit http://127.0.0.1:8080 to use your application"` (printf ` kubectl --namespace %s port-forward $POD_NAME 8080:$CONTAINER_PORT` $dot.Release.Namespace))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $commands) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_secret.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_secret.go.tpl new file mode 100644 index 0000000000..49e6289930 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_secret.go.tpl @@ -0,0 +1,22 @@ +{{- /* Generated from "secret.go" */ -}} + +{{- define "console.Secret" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.secret.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $jwtSecret := $values.secret.login.jwtSecret -}} +{{- if (eq $jwtSecret "") -}} +{{- $jwtSecret = (randAlphaNum (32 | int)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "kafka-sasl-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.saslPassword "") ))) "r") "kafka-protobuf-git-basicauth-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.protobufGitBasicAuthPassword "") ))) "r") "kafka-sasl-aws-msk-iam-secret-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.awsMskIamSecretKey "") ))) "r") "kafka-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCa "") ))) "r") "kafka-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCert "") ))) "r") "kafka-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsKey "") ))) "r") "kafka-schema-registry-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryPassword "") ))) "r") "kafka-schemaregistry-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCa "") ))) "r") "kafka-schemaregistry-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCert "") ))) "r") "kafka-schemaregistry-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsKey "") ))) "r") "login-jwt-secret" $jwtSecret "login-google-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.clientSecret "") ))) "r") "login-google-groups-service-account.json" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.groupsServiceAccount "") ))) "r") "login-github-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.clientSecret "") ))) "r") "login-github-personal-access-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.personalAccessToken "") ))) "r") "login-okta-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.clientSecret "") ))) "r") "login-okta-directory-api-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.directoryApiToken "") ))) "r") "login-oidc-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.oidc.clientSecret "") ))) "r") "enterprise-license" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.enterprise.License "") ))) "r") "redpanda-admin-api-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.password "") ))) "r") "redpanda-admin-api-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCa "") ))) "r") "redpanda-admin-api-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCert "") ))) "r") "redpanda-admin-api-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsKey "") ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_service.go.tpl new file mode 100644 index 0000000000..64cef3f8dd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_service.go.tpl @@ -0,0 +1,20 @@ +{{- /* Generated from "service.go" */ -}} + +{{- define "console.Service" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $port := (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "port" (($values.service.port | int) | int) "protocol" "TCP" )) -}} +{{- if (ne $values.service.targetPort (coalesce nil)) -}} +{{- $_ := (set $port "targetPort" $values.service.targetPort) -}} +{{- end -}} +{{- if (and (contains "NodePort" (toString $values.service.type)) (ne $values.service.nodePort (coalesce nil))) -}} +{{- $_ := (set $port "nodePort" $values.service.nodePort) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.service.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" $values.service.type "selector" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") "ports" (list $port) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_serviceaccount.go.tpl new file mode 100644 index 0000000000..5a49ba3fdb --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_serviceaccount.go.tpl @@ -0,0 +1,39 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "console.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.serviceAccount.create -}} +{{- if (ne $values.serviceAccount.name "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.serviceAccount.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ServiceAccount" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.serviceAccount.annotations )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_shims.tpl new file mode 100644 index 0000000000..e3bb40e415 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/_shims.tpl @@ -0,0 +1,289 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $ptr (coalesce nil)) -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $m (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $ptr (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq $a (coalesce nil)) (eq $b (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne $manifest nil }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/configmap.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/templates/configmap.yaml new file mode 100644 index 0000000000..cffd69938f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/configmap.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.ConfigMap" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/deployment.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/templates/deployment.yaml new file mode 100644 index 0000000000..48a149041b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/deployment.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Deployment" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/hpa.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/templates/hpa.yaml new file mode 100644 index 0000000000..9cfc4a132e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/hpa.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.HorizontalPodAutoscaler" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/ingress.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/templates/ingress.yaml new file mode 100644 index 0000000000..ef3867869c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Ingress" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/secret.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/templates/secret.yaml new file mode 100644 index 0000000000..aeeeba25e1 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/secret.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Secret" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/service.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/templates/service.yaml new file mode 100644 index 0000000000..0f1621fafc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Service" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/serviceaccount.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/templates/serviceaccount.yaml new file mode 100644 index 0000000000..9215af70ed --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.ServiceAccount" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/templates/tests/test-connection.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..de17fb2b1d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/templates/tests/test-connection.yaml @@ -0,0 +1,22 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "console.fullname" . }}-test-connection" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "console.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "console.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases-generated.txtar b/charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases-generated.txtar new file mode 100644 index 0000000000..7fd56f9de3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases-generated.txtar @@ -0,0 +1,22208 @@ +Generated by TestGenerateCases +-- case-000 -- +affinity: {} +annotations: + Q9AVJD4: G9TEnp +autoscaling: + maxReplicas: 206 + minReplicas: 312 + targetCPUUtilizationPercentage: 41 + targetMemoryUtilizationPercentage: 72 +commonLabels: + "": 31q1Pbz +extraEnv: +- name: Z2BpO + value: 0ggF3ha7D +extraVolumes: +- name: 7iCCax +- name: meEH +- name: xYVSV +fullnameOverride: hvGoJL +livenessProbe: + failureThreshold: 1028486626 + httpGet: + host: AOZs + path: YKi + port: Q8C3tKEBBI + scheme: ćpʔS欻鯡 + initialDelaySeconds: 1713123405 + periodSeconds: -1411200119 + successThreshold: -1362510905 + timeoutSeconds: 1375594715 +nameOverride: "n" +podAnnotations: + lyW: mn + pjq6fDr: YA2w301 + uXvFB: VQ5gP9 +priorityClassName: vQhDS +replicaCount: 387 +resources: + limits: + x0StjCjt: "0" +securityContext: {} +serviceAccount: + automountServiceAccountToken: false + create: true + name: HRoLg +strategy: + type: Ò泆A +-- case-001 -- +automountServiceAccountToken: true +extraContainers: +- image: LlCU3if + imagePullPolicy: RɷVȄ×ʤǫĠ侻Ɏźx跻Å榜 + lifecycle: {} + name: l0 + resources: {} + securityContext: + allowPrivilegeEscalation: true + privileged: true + startupProbe: + exec: {} + failureThreshold: -1510490758 + initialDelaySeconds: 112782468 + periodSeconds: -738545847 + successThreshold: -1801864225 + timeoutSeconds: 1026753125 + terminationMessagePath: gCG + terminationMessagePolicy: hmƂÚÕʏ疅耪鯉瓉Ɏ煐8qĺ + tty: true + workingDir: ixD7Jq +extraEnv: +- name: 3Nf + value: vATdo0CH + valueFrom: + configMapKeyRef: + key: IRw5 + name: fa + fieldRef: + apiVersion: 93Fjhay + fieldPath: LRa2I +- name: T0 + value: trXO4 +- name: P9hPooVH + value: yii5lolb + valueFrom: + configMapKeyRef: + key: spAKa + name: U0EYAAe0 +fullnameOverride: T50cZi +initContainers: + extraInitContainers: qur +nameOverride: Sh +priorityClassName: NyOpfr +replicaCount: 414 +resources: {} +tolerations: +- effect: Mǣ鍙x奬Ø裗Ʈ唿踣ʘ)ɒâÄ + key: AWx + operator: yīÄLJʑʢ避 + value: cO +- effect: ï楡ɜƐf鱖À夹ǙȤK + key: Gk23T + operator: è6槈$_ȋ6}rvĕ曉¸顋ŀÓ + value: DCkzy +- effect: 蠯u牰ŇɔnÜȎĤ原H + key: qSC + operator: "n" + tolerationSeconds: -7696192156323826068 + value: z +-- case-002 -- +deployment: {} +enterprise: {} +extraEnvFrom: +- prefix: cfVf + secretRef: + name: ha +- prefix: i2E2Jvnc +extraVolumeMounts: +- mountPath: Y40 + mountPropagation: $寕洦敬苖ēRõøȀ + name: vn5hd + readOnly: true + subPath: oXCY9 + subPathExpr: p +fullnameOverride: xZty +imagePullSecrets: +- {} +- name: YPVBzxvx +nameOverride: vN4yH7I +podAnnotations: + 8vRMfVroYC2: QXbUbLea + VV4w: s4sL + upwTMuIqflmD: 9J0H45zXX +priorityClassName: TeCy +replicaCount: 417 +resources: + limits: + 27ywV: "0" + nMnjjF4kM: "0" + xar2JX: "0" +service: + nodePort: 292 + port: 413 + targetPort: 267 + type: ILpSX2Cy +serviceAccount: + automountServiceAccountToken: true + name: R1Yar8 +tolerations: +- effect: ǩ趥螏|F8ǻĬ嵍Ğ错ʂĺƠǷ俆峻噸 + key: b + operator: wąȹV{İ刡嚮ȜJ + value: ZuTw +- effect: D稕栥[Ǟ$焫昲 + key: NnhmxYy + operator: Xʀ + value: v65W +- effect: 岂bĤ晏#DĢº + key: MOgT + operator: 礩懜蹻ǍBȟvɸ堊 + value: 3iXh +-- case-003 -- +annotations: + 6HCwaF8XIH: uIbMN + MRwga: Fq5s + mgpV: 4f +autoscaling: + maxReplicas: 411 + minReplicas: 432 + targetCPUUtilizationPercentage: 169 + targetMemoryUtilizationPercentage: 155 +configmap: + create: false +deployment: + create: false +extraVolumes: +- name: 1CIX +fullnameOverride: 8nE +ingress: + className: EqUYi + enabled: true + hosts: + - host: bKQCmfZ + - host: djItx5GtejC6 + - host: 2wLaQU8 + tls: + - hosts: + - V8BpuMCig + - 7LqG4w92 + - el3u4v + secretName: nUlu5bMwB8 + - hosts: + - 4HLzq + - 2i4g + secretName: lSgQIKwj5 +nameOverride: w6 +podSecurityContext: + fsGroup: 1512968668502336058 + runAsUser: -2578305880243425477 +priorityClassName: HNqN9h2 +replicaCount: 17 +resources: {} +secret: + create: true + kafka: + awsMskIamSecretKey: SrYY84t + protobufGitBasicAuthPassword: Fb + saslPassword: xCc3TeVY + schemaRegistryPassword: ovCqxwz9Bf + schemaRegistryTlsCa: JL + schemaRegistryTlsCert: cS + schemaRegistryTlsKey: UMwYx4F + tlsCa: HFpsnPdw + tlsCert: hseIt + tlsPassphrase: Wc0 +-- case-004 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -1713447377 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + podAntiAffinity: {} +commonLabels: + "": PtQ7JxIAdPjt +fullnameOverride: "" +nameOverride: YMl +podAnnotations: + 1iK8Ic: Qo3FCg9qi + 63SsVxDT: v + A1Q4J4: U9jygY2t1F +priorityClassName: JT0MK +replicaCount: 261 +secretMounts: +- defaultMode: 197 + name: QmzFlXE + path: Oj + secretName: 7gi +service: + nodePort: 366 + port: 112 + targetPort: 173 + type: dO7eovC +strategy: + type: ɡv?ĨJ姯ɚƟć匪cb +-- case-005 -- +autoscaling: + enabled: false + maxReplicas: 26 + minReplicas: 380 + targetCPUUtilizationPercentage: 395 + targetMemoryUtilizationPercentage: 140 +configmap: + create: false +deployment: {} +extraVolumeMounts: +- mountPath: JU4z + name: QEJyD + subPath: ZBEy2m0m + subPathExpr: S1Kk +- mountPath: RjUw5sX7NP + name: ett1n + subPath: NmZKwz + subPathExpr: QOMT +fullnameOverride: pN +image: + registry: 7iw15D + repository: RnJFs0 + tag: OQDirE +imagePullSecrets: +- name: ATcT6Hd +- name: l15Hhw +initContainers: + extraInitContainers: Me +livenessProbe: + exec: + command: + - AJd + - HZf + - YHivxIsAJ738b5Q + failureThreshold: -1921365096 + initialDelaySeconds: -1548958176 + periodSeconds: -1952555242 + successThreshold: -1289242499 + timeoutSeconds: -265051013 +nameOverride: MW +priorityClassName: KnLhcy2cw +replicaCount: 396 +secret: + create: true + login: + github: + clientSecret: R4Zj + personalAccessToken: N85av + jwtSecret: g + oidc: + clientSecret: enei1WIcV +tests: {} +-- case-006 -- +affinity: + podAffinity: {} + podAntiAffinity: {} +configmap: + create: true +console: {} +enterprise: {} +extraVolumeMounts: +- mountPath: 5uhd1qMX + mountPropagation: ȵS鈛ZQì暗 + name: "N" + readOnly: true + subPath: lbeciOZZ + subPathExpr: Pd88cwE +- mountPath: yVo + mountPropagation: ÑƇ[嫨ĸŁ幵鿯它(ȡ~嘶ƌO情=į臺 + name: Z + readOnly: true + subPath: Nrqx + subPathExpr: Q4ChfT +fullnameOverride: rzd +image: + registry: zT38Q + repository: V + tag: iSGm6MT1 +ingress: + className: XOZv8 + enabled: false + hosts: + - host: WGn + paths: + - path: NVV + pathType: 0DK + - host: "" +initContainers: + extraInitContainers: SCgmJTj +nameOverride: gCH15URsJZr +podAnnotations: + s2D: DMU7 +podLabels: + CoBI: 20aOZaZvs + e0xqmoOD: Nb5V + ylGQE: p +priorityClassName: 1x11c0q +replicaCount: 176 +resources: + requests: + PY: "0" +secret: + enterprise: + licenseSecretRef: + key: eF + name: fQ02KR + kafka: + awsMskIamSecretKey: 1tq + protobufGitBasicAuthPassword: G + saslPassword: K8kPgIp6 + schemaRegistryPassword: "" + schemaRegistryTlsCa: Zr + schemaRegistryTlsCert: KN + schemaRegistryTlsKey: t + tlsCa: CQ + tlsCert: 6xZ8 + tlsPassphrase: JpScAmVx6 +serviceAccount: + automountServiceAccountToken: false + create: true + name: nd7TSb2mNTS +tests: + enabled: false +-- case-007 -- +commonLabels: + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL +configmap: {} +console: + roleBindings: + - "": null + 5w1YcAu: null +extraEnv: +- name: qY0f + value: Wu +- name: 9zVp + value: g +extraEnvFrom: +- configMapRef: + name: OUS + optional: true + prefix: YWvtgT +- configMapRef: + name: 4xZZ + prefix: Djbp99U +extraVolumes: +- name: dCz +fullnameOverride: "y" +initContainers: + extraInitContainers: RiAu +livenessProbe: + exec: + command: + - 3Ujf + - EOmDk + failureThreshold: 1105213631 + grpc: + port: -199686432 + service: H + initialDelaySeconds: -1727299217 + periodSeconds: -579129147 + successThreshold: -1278687101 + terminationGracePeriodSeconds: 7570283898099180047 + timeoutSeconds: -603846855 +nameOverride: HWL +nodeSelector: + CAy: 19kW + R2z: OpcDywz9x +podSecurityContext: + fsGroupChangePolicy: 驸Ǩiµ慷泱世 + runAsGroup: 6873387834465682841 + runAsUser: 7937848737866681002 + sysctls: + - name: mp + value: SkIvFN + - name: E + value: RknyuPB + - name: kcY + value: us1 +priorityClassName: rs +readinessProbe: + failureThreshold: 114758306 + grpc: + port: 774513900 + service: GICRd2O + initialDelaySeconds: 457836757 + periodSeconds: -1914503008 + successThreshold: 1926018786 + timeoutSeconds: 458769630 +replicaCount: 103 +resources: + requests: + 4P1f3: "0" + DmuY: "0" +secret: + login: + google: + clientSecret: Ln0 + groupsServiceAccount: gp + jwtSecret: 2j6NF + okta: + clientSecret: 3A593BjCuu + directoryApiToken: mSSz8MZ + redpanda: + adminApi: + password: t + tlsCa: QD1x71f + tlsCert: 744Ysvi + tlsKey: 56VaHh +service: + nodePort: 238 + port: 286 + targetPort: 404 + type: Vvrvx +serviceAccount: + automountServiceAccountToken: false + name: RFjc7 +-- case-008 -- +annotations: + hfXF: v4uLEC6f8m +automountServiceAccountToken: false +console: {} +deployment: {} +fullnameOverride: GbgHqD +ingress: + className: XfqwM +livenessProbe: + failureThreshold: 1421249778 + initialDelaySeconds: 1194618095 + periodSeconds: 1245060237 + successThreshold: -641096828 + timeoutSeconds: -617099936 +nameOverride: RW +podAnnotations: + BTlN: z8t + a: Pqjhw +podSecurityContext: + fsGroupChangePolicy: ǶȚ/廻 + runAsGroup: 3241750191956122115 + runAsNonRoot: false + runAsUser: 2693812519144067821 + supplementalGroups: + - -7558357415363805139 + - -9152494874115651655 + - -906805565867492888 + sysctls: + - name: CBe8XsS + value: bh + - name: pUYyG9c + value: xPm1 +priorityClassName: 0fXQqWA96 +readinessProbe: + failureThreshold: -10750427 + httpGet: + host: yftc + path: 7MDOtCNf + port: -1919050774 + scheme: ȧ楢谚 + initialDelaySeconds: 208988771 + periodSeconds: -2096658971 + successThreshold: -233405863 + timeoutSeconds: 2042765580 +replicaCount: 475 +secret: + create: false + enterprise: + licenseSecretRef: + key: "" + name: vGB +securityContext: + procMount: ȃ蘗ʮǺ踰蒐佛桸gɋ + readOnlyRootFilesystem: false + runAsGroup: 5367218369967093267 +serviceAccount: + create: true + name: YcV5zP8 +strategy: + rollingUpdate: {} + type: 堯飉J侚桤 合w犌ŝ|#è:(蹝Ƀy輐 +topologySpreadConstraints: +- maxSkew: -722842418 + nodeTaintsPolicy: uã链掎ŏȅ噘籥邟澶N3-昃嗽(七|犘 + topologyKey: vq + whenUnsatisfiable: Ȭť'Ùt苷ŲĤ蘝 +- labelSelector: {} + maxSkew: 1436245353 + nodeAffinityPolicy: 0ʠƃ氁ʆZ + topologyKey: t + whenUnsatisfiable: x叾džʜƽ耨 +- labelSelector: {} + matchLabelKeys: + - 6T2 + - FqrwFd + maxSkew: -172720268 + nodeAffinityPolicy: 觏败TʙȎ喧5婬ȑªgȢ'!ÅWp襎 + nodeTaintsPolicy: ÛB¹]ʐ梳Ě + topologyKey: VyU9 + whenUnsatisfiable: 烹wɹȐN坿¨叻ʊ鴥/Ŭ屎釽C欼 +-- case-009 -- +affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: {} +automountServiceAccountToken: true +configmap: + create: false +deployment: {} +fullnameOverride: l1Bnpx +imagePullSecrets: +- name: x42RbB4KLm +livenessProbe: + failureThreshold: -1420734522 + httpGet: + host: fFkzqM8 + path: aVVHbe + port: TkNE + scheme: ǂɷ烷Į~鼹ǵǃ楅ǰ + initialDelaySeconds: 753838163 + periodSeconds: -444344576 + successThreshold: -1003403229 + timeoutSeconds: -172453343 +nameOverride: BKV +nodeSelector: + OBRBvRK: hMXDLGN5 + ky: sv +podSecurityContext: + fsGroupChangePolicy: 灆Zeɪ霅ǭɒ<ǖ韆 + runAsGroup: -2394155475284911371 + runAsNonRoot: true + supplementalGroups: + - 802667379359895872 + - 8316082600801371691 +priorityClassName: p0ShP6Yru +readinessProbe: + failureThreshold: -286281002 + initialDelaySeconds: 138566964 + periodSeconds: -361700659 + successThreshold: 422528479 + terminationGracePeriodSeconds: 495828610939530481 + timeoutSeconds: 352721839 +replicaCount: 315 +secret: {} +secretMounts: +- defaultMode: 414 + name: yWBr98zs1 + path: xShE + secretName: YMpib3J +- defaultMode: 402 + name: qUQ5 + path: Wnbf + secretName: Pw8 +- defaultMode: 410 + name: hpqapQJQ + path: fgV + secretName: 1JLIOjZI8 +service: + annotations: + efgehQaV5UI0y: GymqDudh + nodePort: 75 + port: 229 + targetPort: 85 + type: yZy +topologySpreadConstraints: +- maxSkew: -73453467 + minDomains: 326628755 + nodeAffinityPolicy: "" + topologyKey: zWgGRC + whenUnsatisfiable: 黚堳ʈ¡ +-- case-010 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: hu5a9Q0m + operator: Ʊ飁Ɲŗʫf + values: + - fDVpOP + - fUBu2Zhz + matchFields: + - key: zOA + operator: 豔|Ĺ霱鑕yȮM錕陰蔆 + - key: uqlr1 + operator: ʏ + weight: -157546286 + - preference: + matchExpressions: + - key: yI2tB1c6Om + operator: 槼湝@)萢=\Ɇ剋Ś>(.aC俥?蔔 + values: + - 5QB3 + - C + - key: IhL2k3 + operator: "" + matchFields: + - key: Kn1 + operator: q'ʏC効L¶ƋMʐģƥƝnĤe + weight: -1818860211 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + podAffinity: {} +configmap: + create: false +console: + roles: + - null +deployment: + create: true +enterprise: + licenseSecretRef: + key: 6Y + name: juyv +extraContainers: +- env: + - name: nE8 + value: hFfGzdv + valueFrom: + configMapKeyRef: + key: 9Sc + name: kviW + fieldRef: + fieldPath: bzL + resourceFieldRef: + containerName: ky9X6 + divisor: "0" + resource: RgwF + image: mEMnGhDi + imagePullPolicy: <Ǐ(嬘箓閁1_Y.脯鮉娇腾1 + name: ZyDivTyKOX + readinessProbe: + failureThreshold: 368214623 + initialDelaySeconds: 1711545214 + periodSeconds: -1669571514 + successThreshold: 830602444 + timeoutSeconds: -1406663042 + resources: + requests: + Ta: "0" + restartPolicy: M#L粓Ojw+ĸɊcƗ镃聆琮ǘ滂W + stdin: true + terminationMessagePath: 7hyobl + terminationMessagePolicy: gŜĶ蔓林驲%嶄ʚ轿竷 + volumeDevices: + - devicePath: zlgauG + name: Uy7Ds5N + - devicePath: pturCrgNMxS + name: "1" + volumeMounts: + - mountPath: 2ftw3U97pI + mountPropagation: ǮmW + name: NeLq9zvIQ + subPath: 5XYnpNAb + subPathExpr: rAeHuQk + - mountPath: aOj5TCBKn + name: DWFR + subPath: G + - mountPath: ovoJMYcQZ7 + mountPropagation: ɷ&娈瘱 + name: o6QaPD8 + subPath: rIo + subPathExpr: j0F1wa + workingDir: tj +- env: + - name: KO7zek + value: AE8r + valueFrom: {} + envFrom: + - prefix: T4nvtH0yCoJCx + - prefix: KaMGNcK + image: m + imagePullPolicy: 牀 + lifecycle: + preStop: + exec: {} + sleep: + seconds: -1229802121654850448 + livenessProbe: + failureThreshold: 1036399450 + grpc: + port: 1383801223 + service: nm0jd39Ta + httpGet: + host: VhafGy + path: CP9 + port: BnhNd + scheme: hxu崚奵Y + initialDelaySeconds: 141265356 + periodSeconds: 251484282 + successThreshold: 257415096 + terminationGracePeriodSeconds: 3476093234934519616 + timeoutSeconds: -1657896181 + name: UCZJ + ports: + - containerPort: 574867450 + hostPort: 156179933 + name: 0re + protocol: 頶韜»釟ţKFƂƄp錴畗~[禬B琡9 + - containerPort: -374880824 + hostPort: 1342282100 + name: OeyfSkg3EJIuD + protocol: 佃ŦŬ穷唂&2ŌĜ,gF躊貀j寝ô + readinessProbe: + failureThreshold: 978947885 + httpGet: + host: A + path: Ngfyt + port: "" + scheme: Í蠕窩獙 + initialDelaySeconds: 60101484 + periodSeconds: 1102760384 + successThreshold: 1260060937 + terminationGracePeriodSeconds: 1157546254675437089 + timeoutSeconds: -465800822 + resizePolicy: + - resourceName: P6b56 + restartPolicy: 冿÷Ý萦{[P貍ȕ,Sɕ錼 + - resourceName: azLsfqbuYlr + restartPolicy: 蒃Ký阹ǒ1T獽蛍峸伦ƨ(Ƭ-央á + - resourceName: skOpL + restartPolicy: 鸿dŶ徥w^ȏ嘳Ƙ唓Ęɸ-ɫ鷠C + resources: {} + terminationMessagePath: vmp + terminationMessagePolicy: Ƒh庛ʘ$8L藑奾ń4說 + workingDir: rgrA +extraVolumeMounts: +- mountPath: C3nMA + name: 0sxSVsP + readOnly: true + subPath: V + subPathExpr: 1E5cYdMw +fullnameOverride: ivK +image: + pullPolicy: "" + registry: 4A + repository: 0YeLdES + tag: 1a4iH +nameOverride: JFcK +priorityClassName: x0ISc2 +readinessProbe: + exec: {} + failureThreshold: 1992527736 + initialDelaySeconds: 1233698472 + periodSeconds: 1177961840 + successThreshold: -1634725396 + terminationGracePeriodSeconds: 236063688080704715 + timeoutSeconds: -1493252430 +replicaCount: 250 +secret: + create: false + enterprise: {} + kafka: + awsMskIamSecretKey: K + protobufGitBasicAuthPassword: HMiCm9 + saslPassword: dlWblwkM + schemaRegistryPassword: DQXNeX + schemaRegistryTlsCa: Xe1cT2AuIi + schemaRegistryTlsCert: gaHcYjD + schemaRegistryTlsKey: 96V + tlsCa: "" + tlsCert: WEDNhiC + tlsPassphrase: lP2w1T + login: + github: + clientSecret: vpO + personalAccessToken: pn05iLc53z + google: + clientSecret: OX + groupsServiceAccount: LB64mTpyF + jwtSecret: GQ0Yw + redpanda: {} +serviceAccount: + annotations: + TTsn5: s3xEhO + tZiUN: CtjX + create: true + name: kIzbDF +-- case-011 -- +affinity: + podAffinity: {} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - E9nCu6aLM + topologyKey: PfPCGvStt + weight: -1379963896 + - podAffinityTerm: + namespaceSelector: {} + topologyKey: CgA4 + weight: -726546395 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ijh1hJb + operator: ƏŧD續筚朊 + values: + - BOfF5xB + - 3iu4 + - key: "93" + operator: Dij%{欬ɽ + - key: NEd + operator: ÿD + values: + - r + - B7E1BoYQ4Njb + - BTV + matchLabelKeys: + - FuyLvc + - Lh60qi + namespaceSelector: + matchExpressions: + - key: w + operator: 嘑 + - key: eQ6nY99xw + operator: H辄萟蘎Ÿ塪²;暃 + - key: 8JrCFA + operator: "" + values: + - wVO + topologyKey: ByO + - namespaceSelector: {} + topologyKey: b21 + - namespaces: + - Ifv + topologyKey: F9j5 +annotations: + pJ: f0brcnhV +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 239 + minReplicas: 83 + targetCPUUtilizationPercentage: 68 + targetMemoryUtilizationPercentage: 468 +commonLabels: + JwK5MKTa: WW + v7E: 1g6JB +console: {} +deployment: {} +extraEnv: +- name: XW + value: PCPsJt + valueFrom: + configMapKeyRef: + key: Zk0vTu6kC + name: d9zm3 + optional: false + secretKeyRef: + key: mRF + name: CW + optional: false +- name: loir2K + value: Ti0q +- name: lAxIKF7cbLlc + value: 1ksS + valueFrom: + fieldRef: + apiVersion: 8i2Z + fieldPath: vD7H + resourceFieldRef: + containerName: yqY + divisor: "0" + resource: ebRDAl + secretKeyRef: + key: E9514U + name: g3Rbzs + optional: false +extraEnvFrom: +- configMapRef: + name: d + prefix: Fl1 + secretRef: + name: X8xDu + optional: true +- prefix: M + secretRef: + name: 10or1C2m + optional: false +- configMapRef: + name: BBj + optional: false + prefix: Xy + secretRef: + name: ZA3 +extraVolumeMounts: +- mountPath: O + mountPropagation: ŜQLhlkU穒´宕Ïůŝƪ + name: JeSPIB + readOnly: true + subPath: RTiJ + subPathExpr: wad +- mountPath: QV6Kf + name: Pj7R + subPath: qBOd + subPathExpr: kN3Uujt +fullnameOverride: hbe +image: + registry: gjR + repository: U + tag: Tl0EP +initContainers: + extraInitContainers: OgPf +livenessProbe: + failureThreshold: 653767212 + grpc: + port: -53435273 + service: fv5J + initialDelaySeconds: 832425522 + periodSeconds: -1810991482 + successThreshold: 1954581711 + terminationGracePeriodSeconds: 1550995604326825538 + timeoutSeconds: -574178850 +nameOverride: Cy9eHCiP +nodeSelector: + HC7: EI8 +podLabels: + "2": RgUAFm + D2V: V80aQ +podSecurityContext: + fsGroup: 4103142176308445041 + fsGroupChangePolicy: Ő6­撱悤ÅC`碸 + runAsUser: 9170579519391070953 + sysctls: + - name: 4OKA + value: P7ouRq + - name: iD9Oz + value: gL6ARE +priorityClassName: sJXoA3V +readinessProbe: + exec: {} + failureThreshold: 1745353710 + grpc: + port: -2051399147 + service: G + initialDelaySeconds: 1504484890 + periodSeconds: -846859037 + successThreshold: -1564014824 + terminationGracePeriodSeconds: 7625838354502176909 + timeoutSeconds: 888372342 +replicaCount: 65 +resources: + requests: + "Y": "0" +secretMounts: +- defaultMode: 12 + name: n4BPeF + path: 2Qy8k + secretName: auIr +service: + annotations: + "": NbuyvXjW + 2CTz: vRGLHMO53rD + yLzpKqz: uBjXvD + nodePort: 83 + port: 478 + targetPort: 90 + type: sl +-- case-012 -- +affinity: {} +annotations: + v: D +configmap: {} +console: {} +enterprise: + licenseSecretRef: + key: oG0N9s8 + name: fmqBE +extraContainers: +- command: + - "" + - 7yJE + envFrom: + - prefix: kRXk + secretRef: + name: TJsCapqoxl + - prefix: ucUEP + secretRef: + name: 1zCfpPiVt9o + optional: true + image: hwJ + imagePullPolicy: dh + name: Ody4zqt + readinessProbe: + exec: {} + failureThreshold: 1607990521 + grpc: + port: 2033135747 + service: "" + initialDelaySeconds: -889776869 + periodSeconds: -35190825 + successThreshold: -958310065 + terminationGracePeriodSeconds: 3166888730011246345 + timeoutSeconds: 806015074 + resources: + requests: + mg2KyOVo97: "0" + restartPolicy: 档媘řĖ焘傐Yʮ,+Ƽ梽讫ƭ焇 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: -2035296945120192462 + stdinOnce: true + terminationMessagePolicy: '*.Q' + workingDir: 0g9 +- command: + - ktel2 + - 2gO + image: Kq1K2HexLL + imagePullPolicy: 蟫黳jª0狫ĝ| + lifecycle: + postStart: + exec: + command: + - I + name: XmcrosJ9Art + resizePolicy: + - resourceName: 8dOXgKMh + restartPolicy: T@罞 + resources: + limits: + Qf424: "0" + UkBWyCgR: "0" + yS9FH: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - Ǐ蟯ƛU賊稁uv/u讎胗< + - 1湹 + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -281571585037868414 + runAsUser: 8469885005475493831 + stdin: true + stdinOnce: true + terminationMessagePath: 6ii28 + terminationMessagePolicy: ȊGī3慺Ŏ + volumeDevices: + - devicePath: "" + name: lqvpF + - devicePath: 3vTez + name: pD6EOo + workingDir: QEqnPlY6YE +- args: + - eiyTiCxBp + envFrom: + - configMapRef: + name: uxUzs + prefix: 0Oq + secretRef: + name: ahghhjB + - configMapRef: + name: yjx + prefix: cOCr6ajjpSTT + - configMapRef: + name: "4" + prefix: 0XtWv + secretRef: + name: oKDQ + image: PV + imagePullPolicy: d?遼gŜT纬ɷšǧ餝Ƨ + livenessProbe: + exec: {} + failureThreshold: 746140291 + grpc: + port: 1197495917 + service: "" + httpGet: + host: x78yAB + path: P5mSLs + port: Cb2 + scheme: 儰试9ȷǴ燀ǃ¦籇射,ǠöcƲ伙 + initialDelaySeconds: 1418617842 + periodSeconds: 187037501 + successThreshold: -1821323321 + timeoutSeconds: -894994792 + name: ToH + resizePolicy: + - resourceName: 7Ut8kM + restartPolicy: gěǏ* + - resourceName: gvoJz7 + restartPolicy: ł0Iɷ»u诎żȋ貏C炭 + - resourceName: VpTvtNnJOw + restartPolicy: 阠eR'k.Ơ糦啮ŋ睷N譺 + resources: + limits: + cYhO6a: "0" + startupProbe: + exec: {} + failureThreshold: -1040244189 + grpc: + port: 1921669257 + service: Me + httpGet: + host: 5fL4Z + path: BwLac + port: SKrb2z + scheme: ľ<Ƽ浳s剪ɍ + initialDelaySeconds: -1064995957 + periodSeconds: 230643461 + successThreshold: -1865926881 + timeoutSeconds: 1102271416 + terminationMessagePath: ZbnnI + terminationMessagePolicy: 阳壀ɀS强pŇȆDž鹩 + tty: true + volumeDevices: + - devicePath: pP2eHwth + name: S9Sy + workingDir: Z +extraEnvFrom: +- prefix: RyT9JuZ +fullnameOverride: tmn2Kt +initContainers: + extraInitContainers: SIhGa +livenessProbe: + failureThreshold: 666524470 + grpc: + port: 1398516128 + service: "" + httpGet: + host: bR1aDlNV + path: yDJgyD4 + port: PU8gXWTBf + scheme: 8BƔ7, + initialDelaySeconds: 1841184951 + periodSeconds: 465079780 + successThreshold: -1928046688 + terminationGracePeriodSeconds: -4709298711736612221 + timeoutSeconds: 1377323766 +nameOverride: Qr03ts +podLabels: + "": S7BNyT + r1F: Fsc + yeY4LjT: MRlwtd +priorityClassName: vMcB +replicaCount: 407 +resources: {} +securityContext: + allowPrivilegeEscalation: false + privileged: true + readOnlyRootFilesystem: false + runAsGroup: -6536894786619939509 + runAsNonRoot: false +strategy: + rollingUpdate: {} + type: 9Cɠ+餌µ骽O惠LƬɇɦ鉍挶 +tests: {} +-- case-013 -- +automountServiceAccountToken: true +enterprise: {} +extraContainers: +- env: + - name: bNyX + value: DpJ + valueFrom: + secretKeyRef: + key: r3ZL + name: GM2zRN8 + optional: false + - name: dS + value: u2CpI14PZ + - name: JVoNndPj + value: eCfRy + image: 9nkfM + imagePullPolicy: v洓p褾NJ翛Y/笸i洞偀fX綤鰐 + livenessProbe: + exec: + command: + - TzQ + - 5tBBhynsjV + failureThreshold: -1613952147 + httpGet: + host: gYV + path: 9qC2GovT + port: Gh + initialDelaySeconds: 1651935443 + periodSeconds: -1307313312 + successThreshold: 1553368137 + terminationGracePeriodSeconds: -4575724788805099082 + timeoutSeconds: -499895377 + name: aOBSLF + readinessProbe: + failureThreshold: 687754614 + initialDelaySeconds: -1880005074 + periodSeconds: 794268536 + successThreshold: -1510519942 + terminationGracePeriodSeconds: 3334702514671978014 + timeoutSeconds: -178867660 + resources: + requests: + hiWTQ: "0" + m7CDU: "0" + stdin: true + terminationMessagePath: Yj9V + terminationMessagePolicy: js$昦夁糎fț + tty: true + volumeMounts: + - mountPath: Xaoy + name: XuLXzMm + readOnly: true + subPath: NI8v + subPathExpr: nPRuyC + - mountPath: S + mountPropagation: ĜX鴮璫ȓĢ + name: c2o + readOnly: true + subPath: DEcziG + subPathExpr: 7UjF6H + workingDir: yPE +extraVolumeMounts: +- mountPath: DVlVa1jiDIh5G + name: zaV + subPath: lXnque8 + subPathExpr: aFzzfyzr +- mountPath: 7VmD + name: bNuYmK + readOnly: true + subPath: zsTvmtU0 + subPathExpr: uNyQSZ +- mountPath: p + name: q3 + readOnly: true + subPathExpr: k4yfc0H +fullnameOverride: RttlJN +initContainers: + extraInitContainers: Gnt +nameOverride: dDkIKgMwXv +priorityClassName: BDUfm1wSRDI +readinessProbe: + exec: {} + failureThreshold: -225696508 + initialDelaySeconds: 1573121125 + periodSeconds: -1561542711 + successThreshold: 1804677264 + terminationGracePeriodSeconds: 5224127779959308812 + timeoutSeconds: -1540252725 +replicaCount: 412 +resources: + limits: + f7Jr: "0" + fl: "0" + requests: + Q4O7nA: "0" +secret: + enterprise: {} + redpanda: {} +securityContext: + privileged: true + readOnlyRootFilesystem: false + runAsUser: -8804799239371185443 +tolerations: +- effect: ƞ嬂 + key: wnH + operator: Ā蔥ąʏƅȑǚ缗'r~熐{Ǎ楯&鑫咂] + value: LYZYjeFUmK29wdL +- effect: 硞撤幅娰tȬ婒ĎɕÏǜ蚭馸諄W)偒½ + key: e2 + operator: bƤrZ + value: 8ssobF8u +-- case-014 -- +autoscaling: + maxReplicas: 297 + minReplicas: 375 + targetCPUUtilizationPercentage: 161 + targetMemoryUtilizationPercentage: 154 +console: + roleBindings: + - null +deployment: + create: false +extraContainers: +- args: + - Z62Is + - Hbh02LW4 + env: + - name: YW1G + value: 0GWAuZSLomGzW + valueFrom: + configMapKeyRef: + key: G23Iugy + name: TkEMhJ + secretKeyRef: + key: BTU + name: g1 + optional: false + - name: uL + value: FFIE5os + valueFrom: + configMapKeyRef: + key: "Y" + name: auRMap + resourceFieldRef: + containerName: q0II1T + divisor: "0" + resource: HT + secretKeyRef: + key: dzuljE + name: G7WQLg + envFrom: + - prefix: gP + secretRef: + name: OVJe + optional: false + image: rJIHfr2OEa135 + imagePullPolicy: YÙ姯?斕_9xŠɏɉɬ脸埫窿 + name: AH0Q + ports: + - containerPort: 228562644 + hostIP: IoQ1 + hostPort: -1878543188 + name: Rfal + - containerPort: -894592742 + hostIP: WL1wuF + hostPort: -1156574467 + name: kaBC3xQ4W + protocol: ǀw黽Ɂ態y歳饏S鰚醭 + readinessProbe: + exec: + command: + - SSKDo + failureThreshold: 2133132404 + grpc: + port: 1749726411 + service: mXvc + httpGet: + host: pc5My + path: Xb4w6 + port: 478437545 + scheme: X甡蓸^qĠ屘g槛雍d伨ɾ + initialDelaySeconds: -966001365 + periodSeconds: 714178271 + successThreshold: -1714884162 + timeoutSeconds: 152300629 + resources: + limits: + QD: "0" + eQShuVrO: "0" + requests: + xWdhFr9: "0" + restartPolicy: 吥蓔ȫ唿瀘V輇f蓵犆Ȑ]œʢ鶍MƧ樤_ + startupProbe: + exec: {} + failureThreshold: 623319858 + grpc: + port: -1442127150 + service: C6 + initialDelaySeconds: 128345274 + periodSeconds: -1861677604 + successThreshold: 1112169900 + timeoutSeconds: 120934069 + stdin: true + stdinOnce: true + terminationMessagePath: CVFCc8 + terminationMessagePolicy: 欥ɻ斩隫0撊GƲ{ + tty: true + workingDir: IZB +- image: DOt5K + imagePullPolicy: Q燢Ƈʃǻĝ + lifecycle: + postStart: + sleep: + seconds: -2443463859616450892 + preStop: + exec: + command: + - 74I + - RU + sleep: + seconds: -3090258659267849140 + livenessProbe: + failureThreshold: -1269681865 + grpc: + port: -1568193429 + service: X1LyDnjv64JEDb + initialDelaySeconds: -1309179527 + periodSeconds: -1814451145 + successThreshold: -2073223886 + terminationGracePeriodSeconds: -7380892635099163371 + timeoutSeconds: 2123408205 + name: QbUkrjO + readinessProbe: + failureThreshold: -1858848657 + grpc: + port: 349774039 + service: jxJ + httpGet: + path: aAkRuN + port: AGGDH + scheme: Aʝ詷Cţm憻菁裰ś + initialDelaySeconds: -1986091889 + periodSeconds: -775693671 + successThreshold: 930243436 + terminationGracePeriodSeconds: -4158765076015214976 + timeoutSeconds: -1930165730 + resources: + limits: + QL: "0" + startupProbe: + failureThreshold: 79584809 + httpGet: + host: IYI + path: jpfp + port: h + scheme: ÎŲ媱5\æ}QQǤoƲ^8%嵕_踽 + initialDelaySeconds: 1384447753 + periodSeconds: 364207137 + successThreshold: 1778504178 + timeoutSeconds: 1437969450 + stdinOnce: true + terminationMessagePath: z + terminationMessagePolicy: ūJ + tty: true + workingDir: RQkvQON +fullnameOverride: htymHJ +image: + pullPolicy: 袪Ȓ緶Ð菝ȋ擮@Ŧ + registry: ulLeWQWUJdjnk + repository: J + tag: KQ +initContainers: + extraInitContainers: JvUWbM +nameOverride: Vi2vH +podAnnotations: + Tt: CHbO7BF +podSecurityContext: + fsGroupChangePolicy: A%Âȁµ郞星懐,t语Ā詘IJÊ铮Q + runAsUser: -4832235381641550418 +priorityClassName: rcxHoi +replicaCount: 424 +resources: + limits: + AS: "0" +service: + nodePort: 66 + port: 41 + targetPort: 168 + type: Oiwzbmtjpb +serviceAccount: + create: true + name: h6eHrUr +tests: {} +tolerations: +- effect: 鞼CÞŲɮȧɖņ魉**護Å岴hFʎ篅2 + key: ffSN + operator: 葓C巰qĩŹ脠~蒵 + value: fkh +- effect: ȯ绸 + key: meTpNZ + operator: ĥ恃精hw"蘄谇H潔ʎȴ豅©嫗笨 + value: uyTD +-- case-015 -- +affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 7eVqbmnw4 + operator: 屈ǧȔŗS#~¸Dd馔uÈ飏ƌĔ魼ȓ + values: + - eZapFDhb + - dBr2cD + - key: Z13Kq48NE0 + operator: ª + values: + - 03LE6GE + - key: s + operator: 箱+ʑ圼;0丢顃M媆熋熼妄瞬 + values: + - E + - jC2mNBN + matchLabels: + 4tdQRoO: Tgv + 7Apxz: EPl5 + bPvG5Bf: sCS + namespaceSelector: {} + namespaces: + - bkN0U + topologyKey: haPJ + weight: -1043017794 + - podAffinityTerm: + labelSelector: + matchLabels: + PP8DxAPJwUzY: z9RL6 + U1a: J + due4: eRc0tKn + namespaceSelector: + matchExpressions: + - key: "y" + operator: 霮ʡ`罵瀖Kʓa嚃*Q`UV邠想ɷġ + namespaces: + - M2GNeyD + - eDNVdz1ne46 + topologyKey: kQ + weight: -1134437930 + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: SnD + operator: 6愔ȶ獧:öȰ浻珼»ǰs睑,s頀旓eX + - key: yt197hBb + operator: ȒǦ^(á咟獐赠5ĺĜ嶜庌愖V揺ɞ\Ș + values: + - pu5 + - Ywv1TEhK + - pAo + matchLabels: + "": rZ + topologyKey: WSD + weight: 613733383 + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: 4b6nMCalUl1 +annotations: + 2V: 50l + jFB7K: 5ZqGXdsD94 +autoscaling: + maxReplicas: 483 + minReplicas: 178 + targetCPUUtilizationPercentage: 362 + targetMemoryUtilizationPercentage: 33 +commonLabels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO +enterprise: + licenseSecretRef: + key: 5MWDqlE + name: UoZ4 +extraEnv: +- name: iQE + value: Aj6RWPJE +- name: QwMCc + value: N9g6bDNI +- name: U5Qg5Qc0NWE + valueFrom: + configMapKeyRef: + key: R + name: n8 + optional: false + fieldRef: + apiVersion: zg0 + fieldPath: fNjpqJ + secretKeyRef: + key: MlF + name: h +extraVolumeMounts: +- mountPath: y5BZm9v9L5 + name: mE9WF + readOnly: true + subPathExpr: 3vKqLj2 +fullnameOverride: 9RweMGWqBs +image: + pullPolicy: '&Ŕ<駄AG' + registry: FezgEM + repository: b4CZb + tag: OoX +ingress: + annotations: + "": ZKQ6I + ES: uo + className: x7Um + enabled: true + tls: + - secretName: Ye6 + - hosts: + - nNQW2NL + - g + - "N" + secretName: YQl +initContainers: + extraInitContainers: FZnnB +nameOverride: KD8DmV +nodeSelector: + vy4h: rk +podLabels: + FlwBgvWNMrbg5: YKgnz8q + TGDbR: 4egH + Xr8XMOk: 1DAii +podSecurityContext: + fsGroupChangePolicy: ¶鮬眴帘ʥb豚DIĂ + runAsGroup: 4190388773600423895 + supplementalGroups: + - 6652209348598506050 + - 5521245057591625878 + - 6754698685787706527 + sysctls: + - name: "7" + value: vp +priorityClassName: "68" +readinessProbe: + exec: {} + failureThreshold: 398655641 + httpGet: + host: NaspK + path: Bgdl + port: 1587383135 + scheme: ǰ|鬩E橴s + initialDelaySeconds: 1516319657 + periodSeconds: -635156272 + successThreshold: 1338596793 + terminationGracePeriodSeconds: 6302545905526400855 + timeoutSeconds: -905426079 +replicaCount: 128 +resources: + requests: + I: "0" + b7jbi: "0" + r1cN: "0" +securityContext: + privileged: false + procMount: d聉l蝲ɓH>狱(Ȁ胄hʍy龝Ȼ埓Y + readOnlyRootFilesystem: false + runAsGroup: 2951274493718237098 + runAsUser: -1772317555576666168 +serviceAccount: + annotations: + IH: 3W + K5hNNf: "" + r: 9cmm + automountServiceAccountToken: true + name: zmr +tests: {} +tolerations: +- effect: '#U媷ɑɥ±箑妌RɱfÈB矅蒟(' + key: g + operator: Řg~歟1ƹ,纙蝝垺 + tolerationSeconds: -9038490283678033542 + value: x6T1NM +- effect: ė{ɼ 5;^ʤàOKv泣0ƫ¢ + key: wdW6LI1a5 + operator: ú4ʫ-哖ýȻȣŦiĩġ膳". + tolerationSeconds: -5247520709138794849 + value: NXt +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: dme + operator: )\鹮İ又Ȥ鏥Ĝ + matchLabels: + Cdk: atEBel + PhEVPxOjN: QTW4 + fC0YTiwm: fdAQN8t + maxSkew: 472867304 + minDomains: 1802867157 + nodeAffinityPolicy: ʈǔ聿ŶŹ&y鰜# + nodeTaintsPolicy: '"篍Ɛɰl鄱' + topologyKey: fqmSu + whenUnsatisfiable: äƟĻ鍣ųø啼ǫǷ" +- labelSelector: + matchExpressions: + - key: BEj + operator: Ɠ墳 + values: + - qBJ + - KZbk + - key: 9wxm2wFXlY + operator: ì蠁{\媽;ě8ɠ + values: + - yiuVv9DzzRse + - "N" + - z + - key: SWu + operator: Ī½曖1șWb3 + maxSkew: 774109577 + minDomains: -110979462 + nodeAffinityPolicy: 醿卨¬婾豜ʦKd` + topologyKey: 4iskW3Hbv + whenUnsatisfiable: ǮXƞ棤Ǘ +-- case-016 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 2Ldss9 + operator: ?霏ƦxǰA7ȇ(堃R + values: + - Ce7pGgB5o + - B8EWZ + - key: pJKw3VVY5 + operator: 2wq6JK?Ȏ惙徵r儊ǒ嵀匫W + matchFields: + - key: EQvFQjoLm1 + operator: «/o咑澇ƉɑȨŞƙ|5時 + weight: -508343495 + - preference: + matchExpressions: + - key: VRoHsoMNa + operator: cƄábŊɕg追ĦǙȿ男)hŬ + values: + - tcCIpd9m + - FsoFrK + - key: ReH4ocoZ + operator: "" + values: + - bnUyPckbz + - AE + - njW + - key: fZBGR + operator: 租ǜ藇錼 + weight: -1003115262 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchLabels: + qGlBCw: zUBwqj2xV + zlHLG: TDTkLQOC + namespaces: + - QWFH + - TEzgQKPSQ + topologyKey: "" + weight: 682123393 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - 1MiHrQ + namespaceSelector: + matchExpressions: + - key: JUYumiiJFrY + operator: .ƽCDZo& + values: + - t3wDXa + - 70HCTbI6g + - C + - key: ik + operator: Œ8v + values: + - Wp + - Zf + - c2q7e + topologyKey: Sc1Q + weight: 869908297 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ore + operator: ?ɴ$瀜蝪ĪźȀŐƌS莣幮屒n×U锇Ľ + values: + - mJM + - oc + - aU + - key: SQmv + operator: ȥī+ūĬ诧犂¹ + - key: Hh1r9 + operator: h蓟x蹵D¨谧罬 + matchLabelKeys: + - mDk + - Hki8 + topologyKey: x2q0Rx1f1N + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: H1Ni + operator: Ȧ厜OŊ + values: + - UWzAFu2 + - key: M + operator: 罐hĹ;'ǫ貉yĊ啉刉DzQį + - key: zZ + operator: 颉śĴJ|@W補A篐S献;ɾ[_鶙ȱ + values: + - 4BL + namespaces: + - Thgfgf7Z + topologyKey: XBju19e + weight: 1392601493 +automountServiceAccountToken: false +console: + roleBindings: + - Q0kslM: null + - null +deployment: {} +extraContainers: +- command: + - opIk + - v9eJ + - 4V + env: + - name: 5Q + value: o + envFrom: + - prefix: eBWmLK + secretRef: + name: FedJi + optional: false + - configMapRef: + name: M + optional: false + prefix: vUvV7W8k0 + secretRef: + name: IA + image: T4SYV + imagePullPolicy: Ƈ祃ǗǤɈ遖竀壙/ + livenessProbe: + failureThreshold: 20929095 + grpc: + port: -1775507003 + service: UZ6BT7NDI + httpGet: + host: QFkZxI6kA + path: tzQ + port: "" + scheme: Ƞ揞á惗É莏6XȪ/ʡ忨償 + initialDelaySeconds: 1046895310 + periodSeconds: -1971173139 + successThreshold: -476756841 + terminationGracePeriodSeconds: 144861231583008737 + timeoutSeconds: 814968592 + name: gEB + ports: + - containerPort: 2060914354 + hostIP: 9IXWKx38q5 + hostPort: -1191426039 + name: 5Mw7k + protocol: 悛ķ鳉ɍ恽j頔Œ6Eʮnx + resources: {} + restartPolicy: 樦ýȃ梪ĵ + stdin: true + stdinOnce: true + terminationMessagePath: c0e +fullnameOverride: 6maz +image: + registry: PYDGV + repository: HV3 + tag: cI8TzaYkws +ingress: + className: JpoCC + hosts: + - host: mE + paths: + - path: znvL + pathType: u4c1 +livenessProbe: + exec: + command: + - 1aqSw0 + - A277oB + failureThreshold: 713465020 + grpc: + port: 1803086428 + service: h1wwv + initialDelaySeconds: 1849009003 + periodSeconds: 2079209425 + successThreshold: 1679782943 + terminationGracePeriodSeconds: 4331994492414219168 + timeoutSeconds: 2000039211 +nameOverride: SC +podAnnotations: + JYLUc483y: gTnWiG +podSecurityContext: + fsGroup: -1425599568169885252 + fsGroupChangePolicy: ƶ Ÿ恢 + runAsGroup: -8737472966684836915 + supplementalGroups: + - 809809813702093180 + - 6124706841582844730 + - 6159358527003037747 +priorityClassName: XtKq +replicaCount: 331 +securityContext: + allowPrivilegeEscalation: false + procMount: 垮Ř2 + readOnlyRootFilesystem: true + runAsGroup: 5797501600954334245 + runAsUser: -8444673787636983397 +serviceAccount: + automountServiceAccountToken: true + name: DdF7ALq +strategy: + rollingUpdate: {} + type: ŀ剭º(;ƍ4兖ȇ +tests: {} +topologySpreadConstraints: +- labelSelector: {} + maxSkew: 972537130 + minDomains: -499606767 + topologyKey: q5 + whenUnsatisfiable: 鳯°ôŕƨʪuɘ"h貇榧0?cɉjA蜝 +- labelSelector: + matchExpressions: + - key: lAV + operator: 嵖xߟ擱ʄ衯"xɂ + - key: U6 + operator: =换J+Ř:嫚ʥ畠餐ǒŃ + values: + - Vj + - snF6cyZ + - 0sW9y4T5 + matchLabelKeys: + - 2wCjBs + maxSkew: -324080521 + minDomains: 695322418 + nodeAffinityPolicy: ʖ[兘Ũ鬎盦İƲ + topologyKey: z5y4Q8jyHH + whenUnsatisfiable: =Y~É.J樢ȃŤƫ甶Ȍ* +- labelSelector: {} + maxSkew: -1720129802 + minDomains: 1017048856 + nodeTaintsPolicy: 龨9猶e僦ɻ髧Ȍc + topologyKey: qKf6Ef3o + whenUnsatisfiable: ʂ?$鳴寘ŧ6脹餗ſ媷,峇埽 +-- case-017 -- +annotations: + J5Z: aLYd149 + LCqYvOjK: Qsk + bU: "" +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 164 + minReplicas: 101 + targetCPUUtilizationPercentage: 355 + targetMemoryUtilizationPercentage: 310 +console: + roles: + - JlwOk: null + QUzHpm: null + ch3WnNF: null + - {} + - null +extraContainers: +- args: + - Bd + command: + - QwtEp + - lLi7 + - kxB1 + image: RpMWaJ + imagePullPolicy: ~崆Ǭe侊k + livenessProbe: + exec: {} + failureThreshold: -2101638962 + grpc: + port: -208999597 + service: jICxjA + initialDelaySeconds: 925230214 + periodSeconds: -996383814 + successThreshold: 152844544 + terminationGracePeriodSeconds: -7802949917649733275 + timeoutSeconds: -188255799 + name: qwOkQZ + ports: + - containerPort: -255758148 + hostIP: R + hostPort: 316791912 + name: 09i3b5oQR + protocol: 腴醗9-鐶 + - containerPort: 247145105 + hostIP: L4 + hostPort: 1727912240 + name: bz7Y1N7 + protocol: 暄璎 + readinessProbe: + exec: + command: + - 2fQQ + failureThreshold: -873648342 + grpc: + port: 889903834 + service: C3 + httpGet: + host: IPHal + path: 5Nb6iW9 + port: tkqo + scheme: m说Ď盐2Ƹ,约h鰥Ȕť3 + initialDelaySeconds: 1391319902 + periodSeconds: -1638942635 + successThreshold: 644454270 + timeoutSeconds: -553602240 + resources: + requests: + 0XxId: "0" + VsY2R9: "0" + ZLtS2: "0" + restartPolicy: ų蓶Lj,g珯i'Sû竒 + terminationMessagePath: Mx7V + terminationMessagePolicy: =Jƈ乚貃庪ș¯ÑVȯ6筌巨华ɀ(v + tty: true + workingDir: nKFDPLJvOh +- args: + - AV3kjV + - Gwq78lY2 + - wq + command: + - D + - EI + - fY5J + env: + - name: eCtpNU + value: jLkcq8S + - name: rynLbx + value: CdqgJabHhM + valueFrom: + configMapKeyRef: + key: uBUH5 + name: Uxei4G1 + optional: false + fieldRef: + apiVersion: Ul9al + fieldPath: vtGid + resourceFieldRef: + containerName: Oc + divisor: "0" + resource: "" + - name: GmDNpa0 + value: 7VJM2XsPm8N + valueFrom: + configMapKeyRef: + key: x3J0PMWE + resourceFieldRef: + containerName: x9Q + divisor: "0" + resource: EKFgoq + secretKeyRef: + key: lOZRvK9 + name: V + image: 1xn6 + imagePullPolicy: ɀ稤¼Mɻ«鐾6Ú{ŬtŮ鄖SSɌ戲 + lifecycle: + postStart: + exec: {} + httpGet: + host: sT2dWyT + path: vvbIxNVANZ + port: aCK8 + scheme: 昿孊卿昤軒JYƜÁ嶠şe灶 + sleep: + seconds: -3542823673709563150 + preStop: + exec: + command: + - "N" + - qkHmJ + - HupYy + httpGet: + host: 137dx + path: y3u7HE + port: -1357399425 + scheme: '@济ɉ鳛讧跕(#7NJɓũǸ]ɨ梊sj' + sleep: + seconds: -2408406850575106311 + name: J6VFtJd3giFt + resources: + requests: + 3dqK0M: "0" + restartPolicy: 70ʆ氶応爱怙鉉塼tƗhY嚇 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + privileged: false + procMount: ȚƼ提瀴t8oƥc + startupProbe: + exec: {} + failureThreshold: 1782005431 + grpc: + port: 676289916 + service: 3xqeCsf + httpGet: + host: YDL1TP + path: "8" + port: lLWR + scheme: BKō筹 + initialDelaySeconds: 134613881 + periodSeconds: 1547524591 + successThreshold: 1778605907 + terminationGracePeriodSeconds: -7593859121613942317 + timeoutSeconds: 2026260743 + terminationMessagePath: E + terminationMessagePolicy: 碓 + workingDir: kl +- command: + - "" + env: + - name: TG1HQA + value: 5X + valueFrom: + fieldRef: + apiVersion: Vhn + fieldPath: jluMkQnv9 + resourceFieldRef: + containerName: rLfbH + divisor: "0" + resource: "" + - name: "" + value: TOTyqqGn + valueFrom: + fieldRef: + apiVersion: 0CAdSa + fieldPath: LWMRC + resourceFieldRef: + divisor: "0" + resource: G5eZP4R + secretKeyRef: + key: xYOgJL + name: vMTywG + image: 2Z + imagePullPolicy: z.鎸ƦʖFNj棪Ƃ鯌b抵#Dzr + lifecycle: + postStart: + exec: {} + httpGet: + host: k8z + path: TxNa2e + port: -573570086 + scheme: oɌdǹ[M灙螮伪芛探塢庖Njȕ仸 + sleep: + seconds: 4118046687980193779 + preStop: + exec: + command: + - 6iZbF + - OeZTW + httpGet: + host: rbqq + path: sno + port: -429531729 + scheme: s璙Ȼȗ榛ǵ0ƿ.忋闳溨 + name: Cms + ports: + - containerPort: -211101225 + hostIP: 8v + hostPort: 1994344080 + name: kyMvksZa + protocol: fȞ蚊悘ū錩Ȩ龒ċŴ + - containerPort: -806313867 + hostIP: Ky2F2 + hostPort: 1605736520 + name: oe0nMMl + protocol: 慿)"Ǒ3浹襈}(VE-B³閪叒k1绝 + readinessProbe: + exec: {} + failureThreshold: 1398486074 + grpc: + port: 1157090744 + service: oFrTS0 + httpGet: + host: 5pfrE + port: TJb4 + scheme: 畢î + initialDelaySeconds: -1830121652 + periodSeconds: -1398007905 + successThreshold: 1183454316 + timeoutSeconds: 1797763090 + resizePolicy: + - resourceName: hzxTj + restartPolicy: 渣箢樳掯ȉÏǼ店喘©g + resources: + limits: + zGvF9poISMtK: "0" + requests: + lUp3T: "0" + restartPolicy: '}賩6''V霟足''È''*F÷ƙǕ' + stdin: true + terminationMessagePath: 4tn + terminationMessagePolicy: ɢ荵鯴庡ǁ婛埽猜犝笖á7譃ǁ¦GɖC + volumeDevices: + - devicePath: eGfD9B + name: G3Bd + - devicePath: x + name: TB + workingDir: iKksE1 +extraEnv: +- name: Z + value: 1PasJFATvz + valueFrom: + configMapKeyRef: + key: Out + name: Z +- name: pUN + value: QTGN + valueFrom: + configMapKeyRef: + key: BLzs5FKV + name: xsgY3vBvZ + optional: true + fieldRef: + apiVersion: 5Ng + fieldPath: Psowh + resourceFieldRef: + containerName: pMz + divisor: "0" + resource: "" + secretKeyRef: + key: IY9s0 + optional: false +extraEnvFrom: +- prefix: oK16T1 +- configMapRef: + name: GxM9 + optional: false + prefix: Hj8 + secretRef: + name: o5P67 +fullnameOverride: 9XG3SZW +image: + pullPolicy: k痿蹒 + registry: 3s + repository: kPWhaC + tag: BcBi +ingress: + className: N91gS + hosts: + - host: ucSBH + - host: "" + - host: tmOhOR +nameOverride: tPiY +podLabels: + LBQpbD: AHB4hNVL + ey1GpAHh: fA +priorityClassName: qcIlT +readinessProbe: + exec: {} + failureThreshold: 738983906 + grpc: + port: 832752600 + service: 3tLbx + initialDelaySeconds: -1729478206 + periodSeconds: 902558671 + successThreshold: 989047880 + timeoutSeconds: -402268186 +replicaCount: 173 +resources: + limits: + 0fvc8: "0" + W19cC: "0" + loZ4: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: cjqTR + name: e + login: + github: + clientSecret: jw6tY22 + personalAccessToken: JvG1jx + jwtSecret: DwgaGI + oidc: + clientSecret: MalR2 + okta: + clientSecret: mDILgPMjOS9 + directoryApiToken: M2ywAiP +secretMounts: +- defaultMode: 442 + name: 3SwG7HrS + path: TLaWLIiD + secretName: VR +- defaultMode: 383 + name: Bfv9SGjlbgN + path: dXXPfK + secretName: T +- defaultMode: 13 + name: wz4K9oIYM + path: YEOA49 + secretName: WzM +securityContext: + capabilities: + add: + - "" + - 鸼ǀɛ_Y + - 利ƯǢ謼Ŀʇ佔4銣 + privileged: false + procMount: 頿ū詁ǎTɁ¯PlFd只鶗ƝǛƤ臃 + readOnlyRootFilesystem: true + runAsNonRoot: true +tests: + enabled: false +tolerations: +- effect: 懻 + key: JifsKW + operator: 檧űÊǮȡ廄儱RəȏĮ顪ÅÞ + tolerationSeconds: 4501363800484543116 + value: KkCBzwToBMjJ +- effect: B囧ƉOß + key: Q3cj + operator: ɲ朁ß栢 + tolerationSeconds: 4944598504260379086 + value: Z5 +- effect: 敘愰ɰuƪ晐 + key: K8wM + operator: ș + tolerationSeconds: 8375376960471889043 + value: TnWS +-- case-018 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -37659402 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - ajbCE + - Y0MRgpE8 + namespaceSelector: + matchExpressions: + - key: Auai + operator: ùfƽÜQķɨ逑ʒÅģ + values: + - Q + - key: 1S2Nfq + operator: 臺瑷tƎ鍤p}滳`竦ÙǾ晖ǃʏȵ + namespaces: + - 4GTSAZF + topologyKey: NS733 + weight: -968286112 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: eyt3TPSYPBWDt + operator: e偁&蔄癳.ŚƘ + matchLabelKeys: + - eE7PA8D + - cKalkvb + mismatchLabelKeys: + - Lan + topologyKey: v + weight: -2133598054 + - podAffinityTerm: + mismatchLabelKeys: + - "5" + namespaceSelector: + matchExpressions: + - key: UrrD + operator: ƞ + - key: rkfCsnUcx + operator: ȇ睾¦棌鉝-m糤LPjX.;Ğ× + - key: kla + operator: '"竮壣祠ł9抵墙' + namespaces: + - gyF + topologyKey: ZG + weight: -428742233 + requiredDuringSchedulingIgnoredDuringExecution: + - matchLabelKeys: + - tZZj + namespaces: + - VuG + - I5XU + topologyKey: V2CZqa + - labelSelector: {} + mismatchLabelKeys: + - "" + - q9L4 + - C4YJ57 + namespaces: + - 8xRk06ngy + - WeZO2 + - 7tbTFK + topologyKey: rnpto +annotations: + "": 3E5rtKA +automountServiceAccountToken: false +autoscaling: + maxReplicas: 140 + minReplicas: 91 + targetCPUUtilizationPercentage: 499 + targetMemoryUtilizationPercentage: 324 +configmap: + create: false +console: + roleBindings: + - "": null + DlOD: null + - null + - cDJiV: null + eO: null + qlokva4: null + roles: + - 0E2l1K3: null + pIu5qwn: null +enterprise: + licenseSecretRef: + key: oqyc + name: HL +extraContainers: +- envFrom: + - prefix: EVZ + secretRef: + name: MxD + optional: true + - configMapRef: + name: A + optional: false + prefix: HuqxI + secretRef: + name: A + optional: true + image: SU + imagePullPolicy: 禵7璙p + lifecycle: + postStart: + httpGet: + host: YZMjhOUO8IS + path: nzYfH + port: Fcx + scheme: 矪Q9 + sleep: + seconds: 3463625415546708077 + livenessProbe: + failureThreshold: -560403806 + grpc: + port: 1751268094 + service: I + httpGet: + host: 0Sb + path: Utm2X + port: 395973041 + scheme: 醆蚎忨ŕ縨ƍ爋釬šÒ暺ƒŎO記岣 + initialDelaySeconds: -1011110535 + periodSeconds: -1229381750 + successThreshold: 260149510 + timeoutSeconds: 74546945 + name: e + resizePolicy: + - resourceName: XNKV + restartPolicy: ì焹.¬哄ȾŢȎȴe$p尶m`飻Ȭ + - resourceName: "" + restartPolicy: 閭I哗.寢荨ʪɛ侭ȵ(8 + resources: + requests: + 3nUsL: "0" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -8616852535795885155 + terminationMessagePath: FjZ + terminationMessagePolicy: ÿb熿3,ćp寫ʃ#叺渍ƣș + volumeDevices: + - devicePath: Xvjm + name: 7yLA + - devicePath: 1Ci + name: Y0AloAQS + - devicePath: Gt + name: ZMKKc + workingDir: Mh +extraEnvFrom: +- prefix: hg + secretRef: + name: eLM59WyoAXO +fullnameOverride: ExFU3 +image: + pullPolicy: 螣暛擂ɾ#鏲*胭8饭1胠 + registry: iCFSIwyDtoG + repository: 6V6 + tag: 6uR +imagePullSecrets: +- name: vlnGQbo3y +nameOverride: 1qyLP36T +nodeSelector: + Vckw: ifBZ9p7 +priorityClassName: 6jxv +replicaCount: 297 +resources: + limits: + QZqMxIAt: "0" + SUsu9: "0" + requests: + EMOXCuje: "0" + EzKKMIR: "0" +secret: + kafka: + awsMskIamSecretKey: 8GlUc + protobufGitBasicAuthPassword: IsvQ9 + saslPassword: Vb + schemaRegistryPassword: UJ7Zl + schemaRegistryTlsCa: T1Q + schemaRegistryTlsCert: 17r + schemaRegistryTlsKey: O44 + tlsCa: n8k9 + tlsCert: aK + tlsPassphrase: Qk8 + login: + github: + clientSecret: t6z0n + personalAccessToken: "" + google: + clientSecret: h + groupsServiceAccount: fpuCEFLL + jwtSecret: 7J + oidc: + clientSecret: t + okta: + clientSecret: 3CcKl + directoryApiToken: AZt8H77 + redpanda: + adminApi: + password: NUkb3zIpwAR + tlsCa: t + tlsCert: zttTAvj + tlsKey: "" +service: + nodePort: 270 + port: 415 + targetPort: 489 + type: 2cM +serviceAccount: + annotations: + X7E: CRSzr + lPi: bGP + name: uAvlOXf +strategy: + rollingUpdate: {} + type: ɬ搢.Ƒ躂ɻɅȄ莨qc婔Åå +tolerations: +- effect: č喅Ȳ崥ï{禙ÊÿC逻準?霘2 + key: YJE + operator: 珟 + tolerationSeconds: 3838637075734495592 + value: 1VemeDTEk1 +- effect: 艋Ƿ淛襀|Ǽ&矠Ģ凍J賜ɰō + key: ggxS8L + operator: 閞判ŏ + tolerationSeconds: -2249155605077506227 + value: m3c +- effect: 'Ljə]IŴ:' + key: 4BkJSo + value: Le +topologySpreadConstraints: +- matchLabelKeys: + - uyTA + - rJcqdY3 + maxSkew: 1887613958 + nodeAffinityPolicy: u鞝侠轁蛃6Ơfrt迄ʇQ勭ĶÇǻě + topologyKey: 3f9j + whenUnsatisfiable: µ +-- case-019 -- +annotations: + lgiIA: u + wK8: JrSfKH +automountServiceAccountToken: true +configmap: + create: true +console: {} +enterprise: + licenseSecretRef: + key: Nr8uSKR + name: nucerZE +extraEnv: +- name: pJ + value: whmTukCTD + valueFrom: + configMapKeyRef: + key: OHk + name: "3" + fieldRef: + apiVersion: TSp7 + fieldPath: mEUVMSp7vUo + resourceFieldRef: + containerName: bBDw + divisor: "0" + resource: tIcs3z + secretKeyRef: + key: jIR5V + name: "9" +- name: ZCEPmHP + value: FhwE4R + valueFrom: + fieldRef: + apiVersion: Nv + fieldPath: WMXeIjk + resourceFieldRef: + containerName: Hbt + divisor: "0" + resource: mo7F +extraVolumeMounts: +- mountPath: UF6 + mountPropagation: ĻsŸ氂ǐ钋鮠Ĺ咳渼.pɫ + name: W1LIZa3 + subPath: qdDtjk + subPathExpr: Ew +fullnameOverride: NZ7h9 +image: + pullPolicy: 韃ĝ + registry: GNXgFQ + repository: W3 + tag: 2vPed +initContainers: + extraInitContainers: "" +livenessProbe: + exec: + command: + - Vc01z + failureThreshold: -1736131786 + initialDelaySeconds: 538755540 + periodSeconds: -937262167 + successThreshold: 2014961170 + timeoutSeconds: -614674118 +nameOverride: 8MIg +priorityClassName: FERw +readinessProbe: + exec: + command: + - 96w + failureThreshold: -1936056692 + grpc: + port: 939760843 + service: "" + httpGet: + host: K + path: dIrFM + port: GfrdWiqgUZBPW + scheme: 芧ʒȔ堌 + initialDelaySeconds: -2019126091 + periodSeconds: -1696700553 + successThreshold: 398361977 + timeoutSeconds: -184667912 +replicaCount: 79 +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 狞濮噞饅烥H}湛m=U+卓Ǭï呣8Ú + privileged: true + runAsUser: -471077223001866506 +strategy: + type: 鎦v財ɕŪ +tests: {} +tolerations: +- effect: 飝壊%ǂP胅ɂǏ趸疷擁鹒DŽ营風顺z拇 + key: Ku2m + operator: ŲǪFTǗǔȟʥȰȎǎo玼Ü + value: 1u +- effect: 雾Ź歘ɇƇ昨OČƑɎ騨Ŗ=Ì楯 + key: 12vKa + operator: ( + value: u +-- case-020 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + - matchExpressions: + - key: a23jbG + operator: yb庇ɍ闒ǰPâƟVsJu + values: + - "" + - 1lQmmGa8 + - XzVleDXV4YoRc + - key: 3Gwd9r + operator: 4Nj7Ġ$Ea狆Ö絞Ƙ殈廔as知 + - key: 7C4FjM + operator: ɩ.叧¬ʧ倒 + matchFields: + - key: H + operator: Ğų* + values: + - 0i + - qK + - key: 7ocDt + operator: 餯ǚ璗汭槰<ƤƐ評ź膹棅珢ȹ3鮑 + values: + - g5Aa1Hm + - LKNvXrtO + - key: o + operator: ŎJ甧鷓 + values: + - vJQQjLRrqIK + - Isj + - 6EBsy + - matchFields: + - key: H0oh1dBCg + operator: 鉔qƿ氵[' + initialDelaySeconds: 1994767434 + periodSeconds: 1832245274 + successThreshold: 598112607 + timeoutSeconds: 1119900418 + name: "" + ports: + - containerPort: -330026000 + hostIP: lrMGYnI5Nd + hostPort: -823142941 + name: zuZWb + protocol: Ȳ + resources: + requests: + 4gK: "0" + restartPolicy: 腼癋ğÑ;漘傩鶷 + securityContext: + privileged: true + procMount: ʍ/O9*:zb飯Gɱ朵醴#ŌKp9嬡 + readOnlyRootFilesystem: true + runAsNonRoot: false + startupProbe: + exec: + command: + - "4" + failureThreshold: -950017148 + grpc: + port: -1475121627 + service: 8veUJnWU5 + initialDelaySeconds: 2007069941 + periodSeconds: -1193308189 + successThreshold: 22288729 + timeoutSeconds: -1492112511 + stdin: true + terminationMessagePath: HIj0kQ + terminationMessagePolicy: ȔNj + volumeDevices: + - devicePath: M + name: sDeN + workingDir: V +- args: + - "" + - ihLoishU + command: + - 8Jx + - j + env: + - name: IDOQ6d + value: 12G + image: b4Wv84l + imagePullPolicy: n暨e懔)k + lifecycle: + postStart: + exec: {} + httpGet: + host: Zl2z + path: pzUIO + port: faRx + scheme: 痣甘 + sleep: + seconds: -632399399483384435 + preStop: + exec: {} + httpGet: + host: pklCf2clqD + path: wk27n2gw1L + port: Ufz19 + scheme: ɷņƑG m刡Ęj敂鏸eāa + livenessProbe: + exec: + command: + - Ar2msVeG + - Uzq6cRL + - dujaQs + failureThreshold: -1776611485 + grpc: + port: 835455646 + service: t + httpGet: + host: hri + path: "Y" + port: 1115673796 + scheme: ʟɏķLYÆŨŔ+Č`4Đl + initialDelaySeconds: -739643640 + periodSeconds: -343509466 + successThreshold: -1698086578 + terminationGracePeriodSeconds: 1800922741783400611 + timeoutSeconds: 1182031959 + name: Bq5FHOsB11r + readinessProbe: + exec: + command: + - XaJ8ft + - 57jh + - sAD + failureThreshold: -1798651306 + grpc: + port: -1714447694 + service: ETY + httpGet: + host: V5DSH + path: g8Ygrn + port: Yp9d22 + initialDelaySeconds: 1612392972 + periodSeconds: 1418157100 + successThreshold: -1106593780 + timeoutSeconds: -1970400805 + resizePolicy: + - resourceName: 93At9v + restartPolicy: 涭ɍƍ蕂 + resources: + limits: + 9g69: "0" + h20A4o: "0" + jh: "0" + requests: + h: "0" + ub364wL: "0" + restartPolicy: Ǎ\ƽţ(鄑鴋Őńy餲ÍwWÅ + startupProbe: + failureThreshold: -513807271 + grpc: + port: -788679788 + service: 3vt1qVexq + httpGet: + host: As + path: gG3Jyf6fQ5R + port: 1058443669 + scheme: I?ʐɡ湚犭檚蚗į*o + initialDelaySeconds: 2034517113 + periodSeconds: 2103822699 + successThreshold: 343263788 + timeoutSeconds: 264518020 + stdin: true + stdinOnce: true + terminationMessagePath: AAYYpB1c + terminationMessagePolicy: 贌.[ĉ熶7dzRVç^'谣蔨d搇ĺÎ + tty: true + volumeDevices: + - devicePath: "8" + name: KZo0u22qdit + - devicePath: Fahm + name: lmO + workingDir: tGNhx3deFLdC +extraEnvFrom: +- prefix: 7DB9SS + secretRef: + name: 5rl + optional: true +- configMapRef: {} + prefix: hPVGtWNNR +- configMapRef: + name: FYMIJ1 + prefix: TEtFB3 +extraVolumes: +- name: 2LSr +- name: J +fullnameOverride: Wpq +image: + pullPolicy: M鉃裹Ú&蚑ƈñĎdzɢ/Ɲ9Ws棝 + registry: 0aw5q + repository: PTy + tag: fclX4 +imagePullSecrets: +- name: p95GzFm3JP +ingress: + annotations: + aH: YQ3 + className: IPc + tls: + - secretName: Ec4sB + - secretName: txdIkdw4sg8IB4i9 + - hosts: + - ypg9XtRg8 + - "3" + secretName: DNdM +livenessProbe: + exec: {} + failureThreshold: 913752382 + grpc: + port: 1322195744 + service: iQNfI + initialDelaySeconds: -1439870739 + periodSeconds: 178258715 + successThreshold: -1591263857 + terminationGracePeriodSeconds: 2751522374216629585 + timeoutSeconds: -1117637199 +nameOverride: aD +nodeSelector: + WUADh: 2ruBNaWxT +podLabels: + Avs0UCvd6: "" + LSaZFj: "" + N3gEYOpkd: zqsd +priorityClassName: 2v89v +readinessProbe: + failureThreshold: 1842275861 + grpc: + port: -1389426650 + service: 0bSW249 + httpGet: + host: 0T + path: RnP5zy + port: -514153800 + scheme: k*x"!掫瘑Ʀ扄]Ĝʅƭȑ + initialDelaySeconds: -1077422490 + periodSeconds: 666536934 + successThreshold: 1405066396 + terminationGracePeriodSeconds: -3980601911100433183 + timeoutSeconds: 665413705 +replicaCount: 330 +secret: + create: false + kafka: + awsMskIamSecretKey: 48EJ + protobufGitBasicAuthPassword: U4TfI + saslPassword: xbKdWIc + schemaRegistryPassword: C + schemaRegistryTlsCa: vACi + schemaRegistryTlsCert: l2SQ + schemaRegistryTlsKey: QXTWL2 + tlsCa: sxqA + tlsCert: MZR + tlsPassphrase: Bf18k +secretMounts: +- defaultMode: 278 + name: Vk + path: HIDtODq + secretName: ycVDxFmgC +service: + nodePort: 413 + port: 310 + targetPort: 265 + type: uvupqC6hE4 +strategy: + rollingUpdate: {} + type: ü +tests: {} +tolerations: +- effect: ƛ=åM綁塈'Ʈ7 + key: X + operator: Y葞ęŊ6ùųŗQ膼芏棔ĿF綩 + tolerationSeconds: -7958891124471630696 + value: iw +-- case-025 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + - matchFields: + - key: Jdk + operator: '''妋ū摺wȋ½骭枰ux' + values: + - L3vrBo + - key: AJyvPdo + operator: QBǏ揅饹\欤ĩ# + values: + - KA4X87 + - kAynjW + - key: INtaCgB9Suw + operator: '"' + values: + - sT5QAUbIK + - matchExpressions: + - key: B1ivFyT + operator: ıD芌ʪÌʡ6坨LʞQ蓠kl + values: + - ZM3ncD + - MaDZJN23 + - nQDH + - key: j1 + operator: ^{Q唤涭 + - key: FMwYRC4 + operator: 構ÁHƲ)ǹō + values: + - tc + - 5w4tJ + - gNCNm5J4 + matchFields: + - key: pIsVqr + operator: j@RUȃfǘ·ɏ!Ǖ灃Ņǟ + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - oNBV + - ZW2Upd + mismatchLabelKeys: + - XpmujYp + - zQUvv + - o + namespaces: + - xAojOZ + - 53d1p + topologyKey: wupaWwF + weight: -813250565 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: hRMf + operator: 璢ɂo豢埆o + - key: gByq + operator: '|藐Ç钃[qȂřÜ{南湹裻ßŗyŪ赉' + mismatchLabelKeys: + - 4aBT9oEi8 + topologyKey: "" + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - matchLabelKeys: + - qDyyFpFgn0 + - qAR2Fz8Jbiq9oz + namespaceSelector: {} + namespaces: + - NKeVvij2 + topologyKey: 7OPEY5MMS +annotations: + 7YN: WjRdnTY + J0Eg: alDk +automountServiceAccountToken: false +configmap: + create: false +console: + roles: + - BU: null + - {} +deployment: {} +enterprise: + licenseSecretRef: + key: 3UhYW + name: Ooxn6uesqBg8 +extraContainers: +- args: + - zj + - Z5D + command: + - QfnH4gn + - B1xl + env: + - name: 4X + value: Bw + valueFrom: + configMapKeyRef: + key: Pdqw0Fl3V + name: v3KgbGdzsLvC + optional: true + fieldRef: + apiVersion: NUZjeNE + fieldPath: 9HRTR + resourceFieldRef: + containerName: p + divisor: "0" + resource: shkxnjmC2 + - name: 2i + value: Zxb + valueFrom: + configMapKeyRef: + key: w + name: WzK6UiO + fieldRef: + apiVersion: GnFqZ3 + fieldPath: W + resourceFieldRef: + containerName: 7JDYpnHIpM + divisor: "0" + resource: vt2RbP + secretKeyRef: + key: yl + name: 36xB2Q + optional: true + envFrom: + - configMapRef: + name: V2xmAgfwBn1 + optional: true + prefix: seW + secretRef: + name: Nt + optional: true + - configMapRef: + name: IluKDPq + prefix: N6Uhe + secretRef: + name: TvN6Z3p + image: 3fh + imagePullPolicy: Ǜmʥ薑ōB愌熹g樿ƒ畬ʙ襫,PD + lifecycle: + postStart: + exec: + command: + - wIfuPiat + sleep: + seconds: 6128979882442257912 + name: 0U + ports: + - containerPort: -975012330 + hostIP: nNpK2 + hostPort: -554886438 + name: aE + - containerPort: -2098096147 + hostIP: FeG8 + hostPort: -651932845 + name: xKI1Tv + protocol: :鿅Ǐ!Ʋ卫_ʕȼʗ壷薮蒰NJŌ + - containerPort: 520035268 + hostIP: GyA + hostPort: -1998834660 + name: PR61 + protocol: ŗ蜥aɝWCb锨ȐsO忷ODž)Ŗʃ觃輘 + readinessProbe: + failureThreshold: 1975710195 + grpc: + port: 8949492 + service: USXa + httpGet: + host: 6J2Mk51 + path: FL4SJXOTR + port: c2vVT + scheme: B哰Hȼ涪Ÿȣę + initialDelaySeconds: 1164971701 + periodSeconds: -1267122769 + successThreshold: -102609571 + terminationGracePeriodSeconds: 6799552209277780019 + timeoutSeconds: -995107635 + resources: + requests: + 2j: "0" + restartPolicy: V牜(p + securityContext: + allowPrivilegeEscalation: true + privileged: false + procMount: '@' + readOnlyRootFilesystem: true + runAsGroup: 8605999305673537166 + runAsUser: 1347603438902927360 + startupProbe: + exec: + command: + - JZX + failureThreshold: 1080874840 + grpc: + port: 1467429214 + service: NWBu1S + httpGet: + host: 4ta7S + path: RcBu6 + port: RapJB5x + scheme: ']襰騊缜ă4蘆Ȓ0礓厨獸枓8D' + initialDelaySeconds: -2008822207 + periodSeconds: -614674587 + successThreshold: -402818223 + terminationGracePeriodSeconds: -7949916801988602426 + timeoutSeconds: 209096121 + stdin: true + stdinOnce: true + terminationMessagePath: KRYz + terminationMessagePolicy: Âǚ凍ʄĒ(#Ñ狶8脍ÅdɅș妙觶.祍 + volumeMounts: + - mountPath: LdSrOQ + mountPropagation: Ɗ?ǚ[澆槱ɢ丗7鍚6A + name: sqOobya + subPath: JZEkD + subPathExpr: eJU + - mountPath: K4kwb + mountPropagation: "" + name: YNNb + readOnly: true + subPath: Z0mne + subPathExpr: ngxE + - mountPath: E2GSzT0 + mountPropagation: ȝ註鴔 + name: fRhgta + subPath: y6Y3BdtA + subPathExpr: P0gcNQL + workingDir: rCAtq +- args: + - tJjzGKfki2 + - "" + - furHsPXM1J + command: + - DK3Wlo2n + env: + - name: ud + value: FOyG7u4mv + - name: YM + value: T8mzKDDU + valueFrom: + configMapKeyRef: + key: "" + name: YlrM + optional: true + fieldRef: + apiVersion: TysS9Olq + fieldPath: RX4 + resourceFieldRef: + containerName: o + divisor: "0" + resource: HVzew + secretKeyRef: + key: moOz + name: 9IePG + optional: true + image: hy6X7dY + imagePullPolicy: 秊q魷讍暳ɁiitǦ梒Ʀ疗ǘt + lifecycle: + postStart: + exec: {} + httpGet: + host: 1bv + path: 3IXIEBTRQc + port: dHTyBrOPT + scheme: hƉǤ\ɯ竔}gŘ + sleep: + seconds: 3802753693240438477 + name: mieVkOhQ4 + ports: + - containerPort: 1406294206 + hostIP: XrMHc + hostPort: 1756733537 + name: xrlM3Cv9 + protocol: ^箅瑦|ȭ,Ī憘ʓ焯 + - containerPort: 1867162726 + hostIP: p8Zguos + hostPort: 1052086554 + name: NCa4 + protocol: Ǽ丝等I塸)kɹ~颁!跼S薒SrM + - containerPort: 1770363328 + hostIP: WPUeJ + hostPort: -1882733223 + name: gAUfp + protocol: u舨[ķ獚m灑朷ƶ慹Ʀ + resources: + requests: + CK: "0" + c6WG16NOR: "0" + restartPolicy: 欣ƎȄŚ&廚FË倔Ŋ寬Lw秮x捨 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ƶəʣ饅ōǧ营Sȑ粴ƞȜj嬷俋箊ʫ + - Yǻ)Iƕƺ:檂躡J勬垒ď%ɦ + drop: + - f{2Ƭɢ~lĕ猆å~? + - 曣晜Ȅ笛 + - 牧 =鄅銣閦ʜ(lȏ + privileged: true + procMount: Âȼ + readOnlyRootFilesystem: true + runAsGroup: -5895892166477051871 + runAsNonRoot: false + startupProbe: + exec: {} + failureThreshold: 1512924080 + grpc: + port: -55537357 + service: 9KQ + initialDelaySeconds: 1472203720 + periodSeconds: 1367361112 + successThreshold: -1486557603 + terminationGracePeriodSeconds: 2382050275815801400 + timeoutSeconds: 246291848 + stdin: true + terminationMessagePath: E7wMC + terminationMessagePolicy: h僊冢ʐȑ + volumeMounts: + - mountPath: "" + mountPropagation: uÞ揶椬=L>ȕ凭Śȅ3džȿȳ + name: xYM + subPath: nMMkHAUoYIsN + subPathExpr: 579Yn2LXk + - mountPath: 5z + mountPropagation: Ƀ陪7k惿Ɏǚ霤ƨƱ«ɤ»ȣ薥頠媉fʠ + name: KIX5g + readOnly: true + subPath: CGOswgk + subPathExpr: oxiB23ZW2KX + workingDir: IzOAr +- args: + - jrZTvs + env: + - name: jxl5Q + value: fm2F7DzZA + image: r7sTpTP8N + imagePullPolicy: 眒弿 + lifecycle: + preStop: + httpGet: + host: WEBUk + path: "1" + port: -377365982 + scheme: 娖阋顿|儴Éȱ鋦 + livenessProbe: + exec: + command: + - 2j + failureThreshold: -1631622345 + grpc: + port: -188887701 + service: s + httpGet: + host: "6" + path: 07rm4AD + port: DCtZ5 + scheme: ʼnK襡5殛鯙ȋʛ稲(C姓 + initialDelaySeconds: -1011676147 + periodSeconds: -1141844037 + successThreshold: -1528778970 + terminationGracePeriodSeconds: 422553046190448128 + timeoutSeconds: 99607263 + name: rhg + ports: + - containerPort: 1265703793 + hostIP: lYiq + hostPort: -931710582 + name: r2OdlKyZ + protocol: ŌK4Ʒ霖R婧,Ģ墤ʠ_Ƒ亽vĨO + - containerPort: -1093198499 + hostIP: xHuDhI2 + hostPort: 1423992590 + name: WdH + protocol: K嚜pn犓ɯ`劮ƫķPLm + resizePolicy: + - resourceName: M3EK5NW + restartPolicy: Ɲ囩 + resources: + limits: + 4zeCyo: "0" + PgUjG: "0" + requests: + IseC3: "0" + WHgRSz: "0" + yzZn: "0" + restartPolicy: ijƞ墫噌L诠=脳%Ɗ + securityContext: + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -1074724161449891976 + runAsUser: 8255497511479977438 + startupProbe: + exec: {} + failureThreshold: -1172398717 + grpc: + port: 1919051215 + service: "" + initialDelaySeconds: 2020291403 + periodSeconds: 450860281 + successThreshold: 193397000 + timeoutSeconds: -665894379 + stdin: true + terminationMessagePath: MCVu + terminationMessagePolicy: ŷÍ:+壩ùI賎Rɜ卮cɣS惕mIɭ + tty: true + workingDir: 2L97y +extraEnvFrom: +- configMapRef: + name: Es + optional: false + prefix: sb4Y + secretRef: + name: 5boSPUJ +extraVolumeMounts: +- mountPath: "" + mountPropagation: ė1)ʩ瀚汋跁撯 + name: jFvwz + readOnly: true + subPath: JP5wgP3 + subPathExpr: J +extraVolumes: +- name: Jq0CSftnp +- name: QMHGzzYC2HW +- name: 1PkbzhfK +fullnameOverride: Uo +image: + registry: gFOwHIo + repository: tdq9GJrg + tag: J +imagePullSecrets: +- name: iA1C +- name: ZOdo +- name: qTOK0W +initContainers: + extraInitContainers: UHL +livenessProbe: + exec: {} + failureThreshold: 1473046311 + httpGet: + host: z + path: qQEf + port: -1047428780 + scheme: ȭ龙ğ疹ǜ"ȹȫ怆Ȉiʊ泹牫綖K + initialDelaySeconds: 272400025 + periodSeconds: -1682707125 + successThreshold: -2007433775 + terminationGracePeriodSeconds: 7823760182761119586 + timeoutSeconds: 2024118005 +nameOverride: Mh +podAnnotations: + bHXzf: nOiRsvEXH +podSecurityContext: + fsGroup: -6946946538076897241 + fsGroupChangePolicy: 呆ɔȂwijà + runAsGroup: 3944693697856007637 + runAsNonRoot: true + runAsUser: -732766343758518304 + supplementalGroups: + - -5691922089175975080 +priorityClassName: 0bGHQk7gL +readinessProbe: + exec: {} + failureThreshold: 1554150391 + grpc: + port: -2094102439 + service: 0dg5DO + initialDelaySeconds: -564389480 + periodSeconds: -266349500 + successThreshold: -428571163 + terminationGracePeriodSeconds: -4351299803972335390 + timeoutSeconds: 1803246595 +replicaCount: 345 +resources: + limits: + LxNMXlMD: "0" +secret: + create: false + enterprise: {} + kafka: + awsMskIamSecretKey: SDPuUt + protobufGitBasicAuthPassword: nq + saslPassword: TLAP + schemaRegistryPassword: AFn + schemaRegistryTlsCa: KbZhZV + schemaRegistryTlsCert: dGfweV + schemaRegistryTlsKey: X2B + tlsCa: Zmu + tlsCert: Lv4BgewmU + tlsPassphrase: bCygOn9yJR + redpanda: + adminApi: + password: AE + tlsCa: CEhIkvxe10u + tlsCert: mjaN + tlsKey: j2mDL +serviceAccount: + automountServiceAccountToken: true + name: H5TDAALUdD +tolerations: +- effect: 媄 + key: IQD9Yww8 + operator: bǾå鱍 + tolerationSeconds: -7454358062612206872 + value: odxS1Q2Sd +- effect: Ɣv璔}oȡʞ¤ + key: ySGX + operator: ƪ渺¸貗ȹV廋ȉňu増嬎Ë韍ǘz茩Ƹ怯 + tolerationSeconds: -1083807005557333468 + value: bAy +-- case-026 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: GP94 + operator: 駑Ŀ峇[ɕdž0 + values: + - jjNFKv8 + - uG7Rs + - ApO075 + weight: -549077137 + - preference: + matchExpressions: + - key: R88 + operator: Dzv)bôȏ磜覐橮波赘T^ + values: + - DscaGMdgXV + - uy + - N3d + - key: "" + operator: 誮Vw!/毴Z匌忶ª渆 + values: + - 4mX0s + - key: byy + operator: 鿟y馡錥HJ鶟b左Ő*čt顭塶 + values: + - 6oQ + - 9r22TM + matchFields: + - key: fNLkt + operator: "" + values: + - tW + - M03GnpfhQn + - key: WQQs + operator: 騡(Í芝x焍麅ɰ窓ɶÜò鵹 + weight: 579622465 + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + namespaceSelector: + matchLabels: + IYAfjz: GloAc + namespaces: + - hfFjlR + - KWIdaP11Y + - 3Dn + topologyKey: UB + - labelSelector: + matchExpressions: + - key: B7LSh + operator: ɉ邦夝ɷ1傹Þ袳@ɲ鉴 + matchLabelKeys: + - "n" + namespaceSelector: {} + namespaces: + - 88M + - fIEJUewFK + topologyKey: i +autoscaling: + maxReplicas: 86 + minReplicas: 445 + targetCPUUtilizationPercentage: 362 + targetMemoryUtilizationPercentage: 8 +commonLabels: + "": h0uSAPIi + kuKPk7: "" +configmap: + create: false +console: + roleBindings: + - null + - 9T: null + fxu2XaR: null +extraVolumeMounts: +- mountPath: q + mountPropagation: 跐ʩ4鄧SD炿ɜǚhU + name: "" + subPath: SCLzbAMUW3x + subPathExpr: nzFw +- mountPath: cX8U + mountPropagation: b幈簇@艭K + name: b + readOnly: true + subPath: u5fY + subPathExpr: TRymQ +extraVolumes: +- name: LeIYAb +- name: 176OvjD +- name: b6NpMGfVo1N +fullnameOverride: qhaD +ingress: + annotations: + Lftu: PjroKEh + qvZJNWSzR: Jpoyc0 + className: cAir + enabled: true + hosts: + - host: o + - host: i18Wi + paths: + - path: apsXYvp + pathType: 7q5 + - host: 8eBXg + paths: + - path: cMbMbCQl + pathType: gJT + - path: XvfTwH + pathType: 4se + tls: + - hosts: + - fqD + - JDOgIG + secretName: vzUD + - hosts: + - M6H + - T + - twxgtsi + secretName: lg5siLdo +initContainers: + extraInitContainers: 9KiOC +livenessProbe: + exec: + command: + - 0gsq + - "" + failureThreshold: 1372450161 + grpc: + port: 347104155 + service: Vtf + httpGet: + host: 3Is + path: mFQXEnm + port: -207107285 + scheme: u + initialDelaySeconds: -913177144 + periodSeconds: 912808843 + successThreshold: -765941931 + terminationGracePeriodSeconds: 220495921853460964 + timeoutSeconds: 1174210794 +nameOverride: vLjrafvp +nodeSelector: + ggwC: SQ + rIwToCbB: tUBM5 +podAnnotations: + LtAjph: 8Q + MiPvJub: 0x + j: xR98FRh +podSecurityContext: + fsGroup: -2594082004410587315 + fsGroupChangePolicy: 'ċV1鯍E ' + runAsGroup: -880388195249084168 + runAsNonRoot: false + runAsUser: -9051010573896129766 + supplementalGroups: + - -2777109499517677979 +priorityClassName: JnI8 +readinessProbe: + exec: + command: + - GZAhRFJb + failureThreshold: 1666039794 + grpc: + port: 1689867278 + service: eUJ + httpGet: + host: 6M6GMp + path: hr5gg + port: -751083361 + scheme: 戉窻¦ǃ楓Ëʆ張ǛȤʊLȉŐX5 + initialDelaySeconds: 989921147 + periodSeconds: 536392931 + successThreshold: 1020018972 + terminationGracePeriodSeconds: -955330372102946036 + timeoutSeconds: 1790731281 +replicaCount: 78 +secret: + create: false + enterprise: + licenseSecretRef: + key: yi3 + name: "" + kafka: + awsMskIamSecretKey: J36kR7z6r + protobufGitBasicAuthPassword: xf + saslPassword: jW + schemaRegistryPassword: Z5gF2 + schemaRegistryTlsCa: eGSsHDQm + schemaRegistryTlsCert: NmVf1RW + schemaRegistryTlsKey: DKqtW + tlsCa: 8WuqzUG + tlsCert: yrd + tlsPassphrase: swQ7r + redpanda: + adminApi: + password: mN1ZSR + tlsCa: hrjyEhM + tlsCert: YozBWkwcZ + tlsKey: 1p2 +secretMounts: +- defaultMode: 45 + name: ooYxXE + path: U6f3w + secretName: LyH9zvv +- defaultMode: 429 + name: Hmms9 + path: qzOMXCl + secretName: zvR +- defaultMode: 39 + name: "" + path: dXa6uPxR + secretName: PC2Ms7 +securityContext: + capabilities: + drop: + - ɿX齀蹪 + privileged: true + procMount: Ƚ[孠犥ƶʒ)遷U竕 + runAsGroup: 5229411704597623894 + runAsNonRoot: true +serviceAccount: + annotations: + "": tWl + 5mzy: 4t87VKeHA + a: UqD3iv5LoNYP + automountServiceAccountToken: false + create: true + name: Utu8ZHG2 +strategy: + rollingUpdate: {} + type: I6终j2炅ȲbȻ +tests: + enabled: false +topologySpreadConstraints: +- labelSelector: {} + maxSkew: -154369657 + minDomains: -319419210 + nodeTaintsPolicy: '#Vʅ糗斬ƈ橮IJȶ纀' + topologyKey: dTnKex + whenUnsatisfiable: '@OȤ驮Ʀ琓' +-- case-027 -- +automountServiceAccountToken: true +autoscaling: + maxReplicas: 432 + minReplicas: 265 + targetCPUUtilizationPercentage: 239 + targetMemoryUtilizationPercentage: 130 +commonLabels: + Q0: "" + T4ZmAFi: nfIb0b +configmap: + create: false +console: + roleBindings: + - ElN: null + roles: + - DZcCdT: null + imlLddN: null + - null + - 0MFHoDlkID: null + Xe: null + daS: null +deployment: + create: false +enterprise: {} +extraContainers: +- command: + - WY + - F9X2FePO + env: + - name: MbWT2gynlq + value: S + valueFrom: + fieldRef: + apiVersion: 4msaX + fieldPath: XvlI + resourceFieldRef: + containerName: LEQ + divisor: "0" + resource: oHigE + secretKeyRef: + key: feJnSFqmYy + name: m3lrGM + optional: false + - name: omlZ5 + value: w + valueFrom: + configMapKeyRef: + key: w3iwXnte + name: LqORIZ + fieldRef: + apiVersion: D + fieldPath: bG + secretKeyRef: + key: UeU9m8 + name: 1asSl0l + optional: true + envFrom: + - prefix: HYy4 + secretRef: + name: Q2DTvNx + optional: false + image: jqvBPfz + imagePullPolicy: 庛Ƴ2ɥÔǦ /d2&xȉLJǸAƟ + lifecycle: + postStart: + exec: {} + sleep: + seconds: -1579243177624029331 + livenessProbe: + exec: {} + failureThreshold: 1986638671 + grpc: + port: -1841897347 + service: iUEc + httpGet: + host: CN + path: Dg + port: SYkYMHB + scheme: Ě緷8ĸ)=©ʢ昆ſ9 + initialDelaySeconds: 1029653594 + periodSeconds: 1999066162 + successThreshold: 1106634015 + terminationGracePeriodSeconds: -9022596879374385638 + timeoutSeconds: -809472655 + name: 4D + readinessProbe: + exec: + command: + - iBTD4t + - MY + - Nf + failureThreshold: -1222179068 + httpGet: + host: kgZUkVZPDf + path: hM0yLfiTS7 + port: 846109331 + initialDelaySeconds: 1673719989 + periodSeconds: 1380685354 + successThreshold: -606822450 + terminationGracePeriodSeconds: 2325612573519357970 + timeoutSeconds: 1351631713 + resizePolicy: + - resourceName: KQTh + restartPolicy: 變ȶjȤðʂȈE9ȹɵ礌蓍p殗Ɏ$蟙預 + - resourceName: BATAmUasox + restartPolicy: G寄7]^v腘 + resources: + limits: + 1mn: "0" + 8dnmgn7Vur: "0" + QUXI: "0" + restartPolicy: Ė + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 餋Ƹ + - ǂnlș + - VLJ2範足诮ÈƋʡĻ + procMount: u¸`TE擴弌/yƦ6帜ǏT鱷潈ř蚒 + readOnlyRootFilesystem: true + runAsGroup: -2334732936143374752 + runAsNonRoot: true + runAsUser: 8673583599260752552 + stdin: true + terminationMessagePath: M934 + terminationMessagePolicy: VF¾弎6a巭ġʥţƟ贯Ǐ飙卮ǥĤȸ + tty: true + volumeMounts: + - mountPath: DzNFL + mountPropagation: 单嶃ɠȕƢ砩寢烕TnǣɅƩ帳 + name: "75" + subPath: Up5FB + subPathExpr: 6nD + - mountPath: qj1c9JPX8 + name: 1K + readOnly: true + subPath: H + subPathExpr: LEVSxozubwU + - mountPath: Ll8X + mountPropagation: '@ï禺pƱ=庶ŊJĤ那[:晙dYĸ獘' + name: PGcOpQ3CM + subPath: 1eBZtMIP + subPathExpr: CRyBKRO + workingDir: s +extraEnv: +- name: k7DjEACXyN + value: Pa4mYEUC + valueFrom: + configMapKeyRef: + key: "" + name: RHdV76r + optional: false + fieldRef: + apiVersion: wxIgM + fieldPath: aBDwplYtr + resourceFieldRef: + containerName: xIL7REN8 + divisor: "0" + resource: QCgp9k + secretKeyRef: + key: ag7Jr1e0 + name: I8vGzsJX + optional: true +- name: pG + value: yTh3djvsV +- name: fjV8k4J8 + value: KHKYS + valueFrom: + configMapKeyRef: + key: DFyBHQO + name: s + resourceFieldRef: + containerName: vd0tsh + divisor: "0" + resource: IgH + secretKeyRef: + key: F + name: a34HcjMyaQ +extraVolumes: +- name: "n" +fullnameOverride: 61hunk +imagePullSecrets: +- name: jkqm +ingress: + annotations: + "": ZtbWlWc + y1ML9Hmg: d6h9 + className: Ijdd3 + enabled: true + tls: + - secretName: x + - secretName: aSf1 +initContainers: + extraInitContainers: vN +livenessProbe: + exec: {} + failureThreshold: 302661968 + grpc: + port: -418561550 + service: kQV1xc + httpGet: + host: UlBEGBj3 + path: qjxTH + port: n7 + scheme: '''(旆PT馷J溠F斃ɦ娴含Q嘱\t9' + initialDelaySeconds: -1367097431 + periodSeconds: 2073795341 + successThreshold: -1800407036 + terminationGracePeriodSeconds: -3519876905947517853 + timeoutSeconds: 1644960855 +nameOverride: h9P +nodeSelector: + B1PiWrl0VUETb: x + DhTxFTV: 3O4Y106 + i8QiXusZ: YBeiJfZK9g +podLabels: + Zrl6: 0D0M + wbG: ZcWnb +podSecurityContext: + fsGroup: 3334237787347678751 + runAsGroup: -5325418670707949502 + runAsNonRoot: true + supplementalGroups: + - -2717337443247240979 + sysctls: + - name: "" + value: R +priorityClassName: bpi +readinessProbe: + exec: + command: + - xz + - e2gf + failureThreshold: -1765420422 + grpc: + port: 879468582 + service: bqFsvC9nR0 + httpGet: + host: CrL + path: 9Jt + port: 7Y + scheme: )ǔ軛醲]8z傏$荸觖稄鱑Í朹s狑Ȱ螪;ǃ嘲 + values: + - gIlS + - 5lD7AvT7I + - "8" + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hi0zfFEN + operator: 裧禿 + values: + - SymXRnv + - iKr + mismatchLabelKeys: + - wesfXhv + - Z78yvK + namespaceSelector: + matchExpressions: + - key: jqHt + operator: ûų:碃;ė燱5ìb-垢xźɆ + values: + - u8cOuqy + matchLabels: + "8": nCrnu + Fd: 5YhLJD3 + r5sMi70hp4TeB: KrDX7d + namespaces: + - LOH + - 9EvOI7HWh + - 5sHJp + topologyKey: "" + weight: 403248696 + - podAffinityTerm: + mismatchLabelKeys: + - Vrf + namespaceSelector: + matchExpressions: + - key: 5w + operator: '|泀ŏ咙ƚ' + matchLabels: + 4vRvwhR: Nz + T6uTCUGiwx: lS + ZuFER: Db8xhFevK + topologyKey: K7NA + weight: 249855905 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: No2 + operator: Ɗ]鿇躠骐 + matchLabels: + 7nohEoAMei: WrMV + ddLK: 2ehkh + qtrhf: EAAqHFcrjgT + mismatchLabelKeys: + - DrrBoq + - Nh + namespaceSelector: + matchExpressions: + - key: BEXHPr1wQ + operator: 傝魦voȪwć撈 + values: + - i3 + - gUU + - 7nmbvkGs + matchLabels: + Rh65F: rKR + namespaces: + - 1x9DGG + - xKj137E + topologyKey: CSNQy1M + - labelSelector: + matchExpressions: + - key: psq4G + operator: ɓƦ + - key: 3IlNf + operator: ćȬ4鏉1, + values: + - L0 + namespaceSelector: + matchExpressions: + - key: nVgt + operator: ɤ湿ŭò-ɋ鼴)箥Ȅ鋖ʄBK + - key: GD7 + operator: 峄9ƚ涙閉ʃ謩云飠:鎂玚wƁȖ] + values: + - i8cg6A + - TeOYSsj + topologyKey: rEB + - labelSelector: + matchLabels: + s0PrY366si5H: Qwj + ytBgNf0: e + mismatchLabelKeys: + - eylzvu + - q + namespaceSelector: + matchExpressions: + - key: os4H6DpxQ + operator: 5õċ鋵葿葄痄ɍ览逪ȋ`j + matchLabels: + vL3arho: gPmLG + namespaces: + - PjQTIWTFeK + - g5HCelWpMjnF + - QN3mXW + topologyKey: I5osiWTrzhb +annotations: + WVwaqt: gTMC + s6HZpOA: bc0 + sZaCXy: LXRQNTghxb1 +automountServiceAccountToken: true +autoscaling: + maxReplicas: 404 + minReplicas: 186 + targetCPUUtilizationPercentage: 200 + targetMemoryUtilizationPercentage: 383 +commonLabels: + HzuQ: mCfbHBQ + xi7L: ibI45 +console: + roles: + - null + - null +deployment: + create: true +enterprise: + licenseSecretRef: + key: 8MG + name: 83OH +extraContainers: +- args: + - K9 + - 02olyp + env: + - name: F + value: rhVGTadjT + valueFrom: + configMapKeyRef: + key: 3TA0cg2R2 + name: DLZ + fieldRef: + apiVersion: s + fieldPath: Ux + resourceFieldRef: + containerName: avop + divisor: "0" + resource: itl5J4xK4 + secretKeyRef: + key: Av9eKok + optional: false + - name: QaOLYDLT + value: FQu + image: 1MFnpZG + imagePullPolicy: 脓 + livenessProbe: + exec: + command: + - lH4S + failureThreshold: 1311534645 + grpc: + port: 1048835191 + service: p5EtELTs + httpGet: + path: Zjrv + port: Ypah5av + scheme: þʙ龠ȉ%Vę皓ŏ蟝ǙĿìɋN + initialDelaySeconds: 1980070741 + periodSeconds: -728109708 + successThreshold: 1412960079 + terminationGracePeriodSeconds: 4797597904045467368 + timeoutSeconds: -1164059804 + name: oron + readinessProbe: + failureThreshold: -1734715333 + grpc: + port: -673781482 + service: 20iHh + initialDelaySeconds: 270804414 + periodSeconds: 1240219458 + successThreshold: 957649997 + terminationGracePeriodSeconds: -7921460752123720147 + timeoutSeconds: 2069469191 + resizePolicy: + - resourceName: M29 + restartPolicy: tL + - resourceName: WK + restartPolicy: T軂>ȋ1觫蚴Ș + resources: + limits: + KS: "0" + ZDx: "0" + kIjQHQZ: "0" + requests: + BSB: "0" + restartPolicy: LJW獮 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ɺ嚹晐囕胐ƻ + - ņɹ桴O塾q6賤呋f铰}Ʒ輽ʁ[顝 + runAsGroup: 6868723237582569296 + runAsNonRoot: true + runAsUser: 433131246318901172 + startupProbe: + exec: + command: + - mB6 + - Om9w + - "" + failureThreshold: -1184477652 + grpc: + port: -1276243610 + service: m6d + httpGet: + host: VzPuwIiTpY + path: C + port: 0NYj1C + scheme: V=@彆鈂t³Ɉµs斾m蛊ɲ + initialDelaySeconds: -898287287 + periodSeconds: -413255468 + successThreshold: -1510482870 + terminationGracePeriodSeconds: 4884332649151510354 + timeoutSeconds: -1445193311 + stdinOnce: true + terminationMessagePath: DQTH7 + terminationMessagePolicy: ÈɁ;ň);ɑI×ĕ觫'ɣ + volumeDevices: + - devicePath: v + name: AZ6wCimJFM + - devicePath: ZtIx + name: GFe3 + volumeMounts: + - mountPath: tt + mountPropagation: 侮E墝調cé攊疀" + name: UJ + readOnly: true + subPath: JlqP + subPathExpr: lA2v + workingDir: OV90 +- command: + - 8jHRuz + envFrom: + - configMapRef: + optional: false + prefix: yfl3PI + secretRef: + name: r7eR + optional: true + image: m4Etaoz8Bf + imagePullPolicy: okÛļ閷YƗzƄǧ + lifecycle: + postStart: + exec: {} + httpGet: + host: zu9aQLsX + path: xIFogzAoC + port: 1MjUE + scheme: 斔疏ʟn菝 + preStop: + exec: {} + livenessProbe: + failureThreshold: -1399917612 + grpc: + port: -876522011 + service: 2y + httpGet: + host: X9nNdf + path: 8mVJlz + port: 220487349 + scheme: 兇)hr裳ǔ湟钑>ȓn厠tū晣颊 + initialDelaySeconds: -968878635 + periodSeconds: 411754743 + successThreshold: 2083381130 + terminationGracePeriodSeconds: 2736468416107855115 + timeoutSeconds: -423937148 + name: Or + readinessProbe: + failureThreshold: 1628351372 + grpc: + port: -1466105410 + service: b + httpGet: + host: 8kOz + path: IhSlrBw8tiX + port: 1Vd + scheme: qV·dƖ> + initialDelaySeconds: 735135195 + periodSeconds: -175995819 + successThreshold: 1379601279 + terminationGracePeriodSeconds: 386635447886660712 + timeoutSeconds: 125503732 + resources: + limits: + LuudLJ9i: "0" + iXpYUWY: "0" + mHi: "0" + requests: + XLnFU: "0" + mSq9e3u: "0" + t6WYwzmga: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ɭ鎣肪綢ȀNj8)屫鈄骸嗢æ憰qWTƶ剡 + - "n" + - OwkʙƝk}ɾ丧< + drop: + - Ť<嶼ȯ愉9宆嵧pɡ%ɐxė鹞鸵鏞 + - ƅgʆ炊ƞąÙ$Ǯ帶SȔ黌畕ǦƖȫV9 + - Ŏʠ羮ɍ痘摬 + privileged: true + runAsGroup: 5710532895986022625 + runAsUser: -7207500526873245606 + startupProbe: + failureThreshold: 2053062827 + grpc: + port: -1076044334 + service: s8s7 + initialDelaySeconds: 7348194 + periodSeconds: 889500482 + successThreshold: -645465298 + terminationGracePeriodSeconds: 4356974427366499939 + timeoutSeconds: 136481601 + stdinOnce: true + terminationMessagePath: t4pW + terminationMessagePolicy: ƣ + volumeDevices: + - devicePath: Df8O3UFZ + name: QL93u + - devicePath: WKg + name: nD4H + volumeMounts: + - mountPath: xs9 + mountPropagation: e羝ș+oũ蘘汉 + name: grr + readOnly: true + subPath: aUYSuUM6f + subPathExpr: mm773yL + workingDir: o +extraVolumeMounts: +- mountPath: P + name: zBgE7HVQ + subPath: hw6PBLgv5R + subPathExpr: YAI5mPj5 +extraVolumes: +- name: "" +- name: SXJ +fullnameOverride: HK +image: + registry: nZ5PG + repository: 5q2qCT + tag: z10JAfCu +ingress: + className: fq2w +initContainers: + extraInitContainers: DVbGC0v6g +livenessProbe: + exec: {} + failureThreshold: -1989869025 + grpc: + port: -580257384 + service: xF + httpGet: + host: EFelM2 + path: NL + port: -1619787350 + scheme: eƌ閽2溧估槞 + initialDelaySeconds: 56050789 + periodSeconds: 193173949 + successThreshold: -1606638368 + terminationGracePeriodSeconds: 9170924509557781641 + timeoutSeconds: -1117024654 +nameOverride: 3Wh +nodeSelector: + Jy9: v + VcMeUW2U: xOwcDQYY + wkI: TbemvxUUg +podAnnotations: + IVy: ho3qpcI +podSecurityContext: + runAsGroup: -9040107238323408835 + runAsNonRoot: false +priorityClassName: sLkcwZ +readinessProbe: + exec: {} + failureThreshold: -509957017 + grpc: + port: -1088874416 + service: kVlcoq + httpGet: + host: yJj + path: SWu6bW + port: V + initialDelaySeconds: 1816814831 + periodSeconds: 406466643 + successThreshold: 450108513 + timeoutSeconds: -1862950899 +replicaCount: 385 +resources: {} +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 邻ȸNJ"纴ý汫篤訙铵寄貹Z[逗ą弣 + - lǀ敕ɖ + privileged: true + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 3375680259081538534 +service: + annotations: + 33Yi: tesf5 + nodePort: 286 + port: 389 + targetPort: 52 + type: sIQBZD +serviceAccount: + annotations: + 0E6ZFg: nO7Yr55 + 8JN3: B + create: false + name: 43zobnL +strategy: + rollingUpdate: {} +tolerations: +- effect: 蜆³Ə抴璖獍ä鷲炥/=霒0ǷU伀稂ı + key: EMvrrkeG3 + operator: Ȓǒs夃Ȑɉ鋄蛓m÷,旂 + value: yd +- effect: 旌;"ȡ媟窐:ljʥh蓭殰Ȩƴ邃ȬIȻL + key: n87GpiB + operator: '偵~ȥʢȈ珎ſ龕5sʠŇưT4-§Ƀ ' + value: TUaznROmQffrRe1 +-- case-030 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: i3NrGin + operator: LȜɯı偎鵬ćƾ輨ɒ诏Ƞ韾ʂɅ袅 + values: + - ceEnH + - hk + - key: NcZdG + operator: 4# + matchFields: + - key: iJJ + operator: 椤甏Q"dč膌嶁ŵ + values: + - pqbO2v + weight: -888291486 + - preference: + matchExpressions: + - key: 6yk + operator: +[`¥鯦Kqlǣ詆繉ĔNjUƆ + values: + - 9jizdnZ + - 1HUyNhM + - qxDTvf + matchFields: + - key: hCPEY + operator: Ɇ>隣,讽鬓捍+瞶媘暺ɭEƙ + values: + - Ripsc + - CqS + - key: DVFDiRmz7 + operator: U[ + weight: 1468051205 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: v + operator: 舘LJwMa煗 + values: + - 8yax8 + - acSVUNTfJ + - "" + - key: oeJI7K + operator: Ȩ岵Ư塠ŕ惆^ȹ]Ǥ(蓂心[6 + values: + - VT3avr + - 1sP4V + - key: INgeGc + operator: 7ȋ_ƫ俾NīÂ缷 + values: + - K6yWR + - matchExpressions: + - key: s + operator: ǖ鱝U9y,ijO<ǯŹ斔ɥɍQŝŘ + values: + - V7Cj8gd672O + - Jxq7EqU + - "" + - key: gYq6n + operator: J30ǂ涉Ǖ絜拃Ȃ隰韤Ko + values: + - cFfLM2a + - cmwJ5 + - NvVSgzPk0K + - key: ha1vIvxMS + operator: 鹶ƦÍR\Y + values: + - kno2LivX + - ZBSIfmJ1 + - Xy + - matchFields: + - key: cGJbcb + operator: M$铯但ƙ崍0塁7ɔ籇ȏč3ţħ + - key: t9tN + operator: ĴĹApŰƎyģ+7ɬ5 + - key: q + operator: ĂǮȅ魥ď疪@ɓ擼 + values: + - GHyvS63U + - lupcwbTbly + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + q: oY6el1mi0 + w: C7Cxyx + matchLabelKeys: + - HMg6IP + namespaceSelector: + matchExpressions: + - key: Crz + operator: əɃ笕P頔ɾ絿ɟ秜Ć冦Ǒ钹圤|讪ɩ + values: + - Dtei + - 1zhZl + - bd + - key: RjH6F + operator: æ監F箂Ñ9 + values: + - n91j6BXw + - 3RLy + - m + namespaces: + - N0Oqq32Q + - TJpJ52Je1Ikj + - "" + topologyKey: HeJdmR + weight: -259316091 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: R + operator: 麦谐ƺɐqNJ7篐瘘ƊƧR菴qȃ + values: + - 8p + matchLabels: + WW: GL0oC8Fkf + mismatchLabelKeys: + - cdHA3 + namespaceSelector: + matchExpressions: + - key: ar9Y3Br + operator: pK屨鑊聫翶鲔举腏熝ɴ鷏žŝ + namespaces: + - U9UV + topologyKey: cpw + weight: -400075332 + - podAffinityTerm: + labelSelector: + matchLabels: + hYm: "" + mismatchLabelKeys: + - fCOHEas + - uHnZlu + - zhGS + namespaceSelector: + matchExpressions: + - key: HZEOkit1i + operator: '@ÍȪ蟔ʖ' + values: + - t9Xj + matchLabels: + "": so + topologyKey: "" + weight: 2103394856 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 5LP9ZW14 + operator: "" + values: + - O4Urq + - key: f3f + operator: õǷ膀3堢ƧŸ + values: + - GJnsN0 + - key: MOJiCs9Qi + operator: Ȥ:危L昝×秲d3ğd曱窸 + values: + - 3keSh + - Uyy + matchLabels: + R: dUyJ0OOVapc + mismatchLabelKeys: + - Xjqx8f + - I5k + - wq0 + namespaceSelector: + matchExpressions: + - key: UP + operator: ȡ畅fȐiú鍿6+襄懬Uċ + values: + - NmZvVOQ + - key: P0hfM + operator: 黣`倴Ŝʪ鰷淸 + values: + - 0GsglT + - MMOe + - uU7Q9 + - key: qnv + operator: æ钹eťǧI薶瘃預ʑ歪yʖb7IwɄ + values: + - McuTAiUq + - XvSAD + - 4e9Vd4vq4 + matchLabels: + "": 4O2glzZ + namespaces: + - wblXzeT2 + - qKILJo + - lPV + topologyKey: Jnwfpfk + - labelSelector: {} + matchLabelKeys: + - tMph8mi + - Ry31wp + mismatchLabelKeys: + - tBHze4gtm0s + namespaceSelector: + matchExpressions: + - key: RpYdzfZ + operator: 攆KRɮõ涸WæĥŽ¡犇fʼn利$蘁干 + values: + - 8Pxd + - V50 + - key: I0O + operator: w"ʈö褥屑ɣAR(憍Nj松趯ĩȁ + values: + - "" + - 6yt2J + - key: fR7 + operator: GǼ舿 + values: + - gP + - LxpC1 + - brLBqM + matchLabels: + "": D5eSOeauL + namespaces: + - xrd20T0 + - GVD45 + - UU3YxE + topologyKey: augu3G + - labelSelector: + matchExpressions: + - key: c17UgoCbg + operator: -蟁楉mƸ赢UȇEŏ + values: + - cr + - CSYe + - key: FM6GBGy + operator: ;疩Ȯ慫ʂy_Ɛ碷ʩʀđ忮 + matchLabels: + Q4hS: 2Z + w: pvyR + matchLabelKeys: + - PLi + - G2W4IV + namespaceSelector: + matchExpressions: + - key: 8Z + operator: Ȩ卭閃N弲ʠǠ驯Ɩ8Ýʊ + values: + - rEFXZ1 + - oXxjjBM + - iovjqaN7g + matchLabels: + 3ZwMBixAo: QeYp0O + topologyKey: AH3A + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + 7hX7: uCFlimRES0ZJ + matchLabelKeys: + - CxxMt + namespaceSelector: + matchExpressions: + - key: Xra0M + operator: ʙƤ潯ɔ + - key: "" + operator: 8媮­Ů籌<ǫ + values: + - RsIq + - wqR2cm + - key: ottvJh4 + operator: ¢M&<叇誆戛!Ʒ"(Z氇z錉¬$ + values: + - 5sMUIY + - SV + matchLabels: + iciKwm: xkq + vPG: oQs + namespaces: + - AtM4 + - rZdQ + topologyKey: 9FnG + weight: 1109931313 +annotations: + 5ya: nNowhQY2Bp +automountServiceAccountToken: false +autoscaling: + enabled: true + maxReplicas: 10 + minReplicas: 306 + targetCPUUtilizationPercentage: 227 + targetMemoryUtilizationPercentage: 477 +commonLabels: + T: f0 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS +configmap: + create: false +console: + roleBindings: + - E: null + W67WBz: null + nYCT7q9: null + - 2S0: null + Nx24C: null + WacOKFS1: null + roles: + - i5oc: null + - {} +deployment: + create: false +enterprise: + licenseSecretRef: + key: ZJGo + name: oxACi6X0cy +extraContainers: +- env: + - name: rV6MouQf3 + value: E21XoHIB + valueFrom: + configMapKeyRef: + key: LDu + name: Flu + optional: false + fieldRef: + apiVersion: Rc8broTqb + fieldPath: "6" + resourceFieldRef: + containerName: VPb + divisor: "0" + resource: PUL + secretKeyRef: + key: xwKJr5 + name: 8K3IIl70g + optional: false + image: d3e1 + imagePullPolicy: 梅E垉丿ȁƘg/§Oaq嵌艷ɖ½飚 + lifecycle: + postStart: + exec: {} + httpGet: + host: WyIob + path: sVvxO + port: SivnsYEe + scheme: Ǖɜsk煨a% + sleep: + seconds: -5241114468416153504 + preStop: + exec: + command: + - h0 + - PbwM + - xML1a5IbGl + httpGet: + host: i8l7K + path: v0TIlzugj + port: UO1j5 + scheme: 痍´荭鲪 + sleep: + seconds: -5262918982231100330 + livenessProbe: + exec: + command: + - MAKziqqn2 + - RtC + failureThreshold: 301723627 + grpc: + port: 1522990624 + service: Y2uF8U + httpGet: + host: 8E6hLWDfL + path: ptr + port: -819495670 + scheme: 畊傲Ā5ʇġ杭ăïƺƢh]薰 + initialDelaySeconds: 975121998 + periodSeconds: 1462200965 + successThreshold: -1868145610 + terminationGracePeriodSeconds: 438373319570860757 + timeoutSeconds: -992167018 + name: xGfw + ports: + - containerPort: 1210092140 + hostIP: aXzKT + hostPort: -1118392417 + name: A5VIRuB0ki + protocol: 巔B兓汳LDŽ5ǒʛ岹璜ʂá&Ɠ + - containerPort: -1184047055 + hostIP: nLlzZ + hostPort: 1916025056 + name: CSeXd7M + protocol: 朿! + readinessProbe: + exec: + command: + - AfVsN7lM + - SoZ + - yZ2uB93C + failureThreshold: -1305050809 + grpc: + port: -1574571534 + service: vhf8x + httpGet: + host: 2zqRpIh + path: ZRe + port: 1109632462 + scheme: '*h嶳椗痢%īƺ' + initialDelaySeconds: 157767030 + periodSeconds: -538159566 + successThreshold: -909232559 + terminationGracePeriodSeconds: -1089882796882580867 + timeoutSeconds: 1392958383 + resizePolicy: + - resourceName: JCDaktfU + restartPolicy: 鈇Hƣv蘺 + - resourceName: "" + restartPolicy: 魔ţv毇俺ɚ + resources: + requests: + DA9: "0" + XdW14: "0" + lUcQG: "0" + restartPolicy: 淣遦髺tMőƤ橷僟 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 兪q6赀覱勯痜.I膴6+V旱Ő佀 + - 焤Ċʐæ舁ŕ齸Ġ + - uo妿Iǥ2JǟAŊ訖ʆD + privileged: true + procMount: Ɋ胘ſȾ鞣殦ơɧ­ǶǴU譶 + readOnlyRootFilesystem: false + runAsGroup: 5199515302292266073 + runAsNonRoot: false + runAsUser: -7335995488954570305 + startupProbe: + exec: {} + failureThreshold: -777300462 + grpc: + port: 2095052331 + service: bfVTOPN1hv + httpGet: + host: Kp + path: b1bcG9oDl + port: 1383634294 + scheme: 谳涿v衃$Ơʓȳ浲呯 + initialDelaySeconds: -1373123738 + periodSeconds: -1183287381 + successThreshold: 685684993 + terminationGracePeriodSeconds: -4093444870298300516 + timeoutSeconds: -1903691809 + terminationMessagePath: olo1u + terminationMessagePolicy: 怚PʢŸiųŞv嶷宇ƏȌ¥ƀ + volumeDevices: + - devicePath: qFB10P + name: "" + volumeMounts: + - mountPath: YW9lWgZeNE + mountPropagation: 鰛8Ȗ×ʞ + name: Tot + subPath: Ty + subPathExpr: spiOgT0A + - mountPath: SgUmz6Q + mountPropagation: Ă別Z醰棘纀C蘂× + name: ddMHT + readOnly: true + subPath: 8J3YB + subPathExpr: K + workingDir: OQ4 +- args: + - bAsse7O + - u + command: + - MzlyVYHO2w + - oRBJF + - Nafr + env: + - name: U + value: RNGsZ + valueFrom: + configMapKeyRef: + key: YX6H + name: ab92 + optional: true + fieldRef: + fieldPath: 1SR7mfWfzFL + resourceFieldRef: + containerName: C92ipM + divisor: "0" + resource: x4S7 + secretKeyRef: + key: WhzPa + name: lAvfz + optional: true + image: nP + imagePullPolicy: ǫyɮȯ + lifecycle: + postStart: + exec: + command: + - ucft + - K8XaCG + httpGet: + host: rza + path: JhnYc + port: e0 + sleep: + seconds: 6253871176572388811 + preStop: + exec: + command: + - Uiuiougu + - "" + - 3Gx5Gu + httpGet: + host: VQzMXk + path: ws + port: -474919374 + scheme: w媦÷帹ȅW閫ĭ# + sleep: + seconds: 4571098797230986244 + livenessProbe: + exec: + command: + - pHp + - MDPb7 + failureThreshold: 871873843 + grpc: + port: -422130433 + service: nC + httpGet: + host: M + path: p00iJRicrG + port: bS0X1wo + scheme: m鈎Z趟樥R%飅 + initialDelaySeconds: -604803912 + periodSeconds: 1886242291 + successThreshold: -1386436865 + terminationGracePeriodSeconds: 3067492874024630757 + timeoutSeconds: -1583378445 + name: Si46O7YRR + ports: + - containerPort: 1700510643 + hostPort: 251260843 + name: JkZyRGNq + protocol: ȅz,ǹ昉 + - containerPort: -1859013382 + hostIP: NHKaXL + hostPort: 831309722 + name: y9vWUO + protocol: ʡƊX| + - containerPort: -2125300283 + hostIP: jj3qc4 + hostPort: -278349921 + name: Aa + protocol: 耛v6]jç錛洘¶緛uȁ竿 + readinessProbe: + exec: + command: + - "" + failureThreshold: -784645974 + grpc: + port: 1390591548 + service: "" + httpGet: + host: lNyXDdzed + path: W9q4gnCB + port: 4YUq5drSLjLPw + scheme: 唡家調Ô蘓狥ć4^謋遭ŧ厑Ƕ¤ + initialDelaySeconds: -315867707 + periodSeconds: -1221044118 + successThreshold: -2057597685 + terminationGracePeriodSeconds: 8064296597671882818 + timeoutSeconds: -1128414965 + resizePolicy: + - resourceName: MA + restartPolicy: tÜ榋ɼ + - resourceName: bwI + restartPolicy: 斪4瓏鍣ĊYƞ睽%ü劘ĥÑC­ + resources: {} + restartPolicy: ǫ歩ʏ朄DŽ8Ǫȩ;毆|ȕ潆Zʚ輘殈ɔ + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - '*驲' + - 纒寻$KŞ菤Ľ恎eɈ鏽 + - ě宭`羧\LƝ攅嫜ɫʡɞǍ緭p誂 + privileged: true + procMount: 楛钞óŰ)5鞊tY榋肦Ȓ + readOnlyRootFilesystem: true + runAsGroup: -3200847944437364683 + runAsNonRoot: true + runAsUser: -5188355058620722927 + startupProbe: + exec: {} + failureThreshold: -718122732 + grpc: + port: -2045013242 + service: Zg34 + httpGet: + host: slqfokZ + path: SlStyexr + port: 101605170 + scheme: Ȅ.隊ou纾ƙŨ`aʭ + initialDelaySeconds: -467990622 + periodSeconds: 446042771 + successThreshold: -504446684 + terminationGracePeriodSeconds: 1811254130314346303 + timeoutSeconds: -1983992134 + stdin: true + terminationMessagePath: zLDb + terminationMessagePolicy: ōe谕ńg"qy暵ȵ抷¬Ʃ蔚盓 + values: + - tQP + - lAyg + - "" + - key: qaIUADOI + operator: '&Ɗ³ĵLJ鎌ɝǏ縉j' + values: + - 6ot8DTU + weight: 969637277 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: j9Rzed0C + operator: Ò + - key: 02b + operator: "" + matchFields: + - key: "0" + operator: 9Š篅)笕Õ^ɤ疫ɜȬ + values: + - "n" + - key: 96k + operator: 觱踊ĝğOɎʁ胳}$g鄈ʮ誦Ň鱝炠抡凓 + values: + - pJdgL + - 00uMch + - key: pz1WHTJ + operator: 濐r! + values: + - i4rsr5 + - PI8GPtiCkkahh + - matchFields: + - key: oTjdt + operator: $ƹȔLj硍čȒŪ涏ȰŞdų悋ĶA + values: + - KOyvX + - 6JNFdnH + - e59WgamF + - key: lu3OH + operator: ǽəơȽĬt嶫cŭ + values: + - 9SKaOYPiL + - 1ioL + - pZde + - key: Jd6LB + operator: ']洔璗3NZ貦ʞ%ȮǵȺ絥ņ' + values: + - dKyLtzFaqg + - yCg + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: siTiGS + operator: ʐȱe峫LJ鐻cȚEqkwt!ģ + values: + - "" + matchLabels: + Aj: V + P5zpV: 8hC + mismatchLabelKeys: + - 4wtTpNGnV + namespaceSelector: + matchExpressions: + - key: K2ZsAt + operator: 妗巪Wɱ鲵Ǯ洭 + values: + - jxl5gm5E + - X2 + matchLabels: + ly6r: 9k + o0G: "Y" + namespaces: + - Q + - XpXqm + topologyKey: Qrt + weight: -1221853228 + - podAffinityTerm: + labelSelector: + matchLabels: + Jc9: Ftx4sR + Zi0PNgVi: EUuTsR + dQt607d6aSO: RSEoObj9yY + matchLabelKeys: + - odAAyA + - ZUwkRz709gR + namespaceSelector: + matchLabels: + Ag0Kix1n: laC2fYO + topologyKey: izD + weight: 600976747 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - QRHiPYut + - KfMAojY + - Vww + mismatchLabelKeys: + - TTnksi7Ob70 + - gGyPv + namespaceSelector: + matchExpressions: + - key: XYpda + operator: q砐ʌƭʩ烬P§Ǩ + values: + - k7 + - SKn + - eefGAA + namespaces: + - ZYe + - nivMj26 + - OhZ6 + topologyKey: xIpuYH7 + weight: -1130732649 + - podAffinityTerm: + labelSelector: + matchLabels: + ApF: Gsyd94h39Q + H: r + mismatchLabelKeys: + - aWHz7q + - xuzLo + - 5ASY1R + namespaceSelector: + matchExpressions: + - key: Zg + operator: 篃b + values: + - vh + - Rgd3V6 + - key: PNqIEbD + operator: \Ų叢T'ɰď乁ʤ駧ɧ + matchLabels: + ugZKNnsp: bUttL + topologyKey: GRNlK86 + weight: 1964668305 + - podAffinityTerm: + labelSelector: + matchLabels: + t2lvLczlk: um + wjQbQIYB: zsr5i + matchLabelKeys: + - "" + - 7H2Kg1N + - NE + namespaceSelector: + matchExpressions: + - key: 2AEBOqKWel + operator: É$íĨ鯖 + values: + - "7" + - S6PWc + - key: c9NGgT2 + operator: Dǥž駗驕咜2 + values: + - WFDcdOBg + - 8akPt + - key: v5V + operator: 苯Dzŏ趘Ɏ蹰ƦȃDz俑I^ģ鄔ĥƁ鲎硹. + values: + - Ro + namespaces: + - rrn + - Gko + - D + topologyKey: 5GfcY + weight: 1374611901 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 9BEvWF + operator: 箁梄òǣf舢ɉ N + - key: DoJZDVpdUKV + operator: '|痤"纇繁Ơ¹Rnl' + values: + - M1FUy7H + - PmETea + - key: fZB9p + operator: 艨ë寨t^ + values: + - 6SbUQEl9IF + - grOZ + - awRdbXsbbO + matchLabelKeys: + - QbnYiVnjIDt + mismatchLabelKeys: + - dzq3fg + - EHB2 + - E + namespaceSelector: + matchExpressions: + - key: C + operator: 泤煇JĀȅs滚硚ƾĐLJɚ<嗢 + values: + - qweN + - cmGvYLL9 + - key: ftTKd17 + operator: ïǸfǛD + values: + - 3Qp + - 97WXhHH + - QLVxS + - key: X + operator: x Ƙš + values: + - X7mWp + - 4YUDIL + matchLabels: + 2pOyqtJ: X5kt + DqZU: lA7g + yydzgHSxH: mX + namespaces: + - PnB + topologyKey: O2bIu + - labelSelector: + matchExpressions: + - key: lR5v3DP + operator: 8ȈDŽG弪żf[j盠zğ? + values: + - oX28u + - fcVl + - l + matchLabels: + D1CEy: o9m2rVKHK1i + q9TAhY: UxxABL + matchLabelKeys: + - gZSueHOl + mismatchLabelKeys: + - yKwrju + - OmHbxfoV + - p + namespaceSelector: + matchExpressions: + - key: y4jen13nM + operator: '}J;ƴȳ鹓ÿ莂ú' + values: + - 4Fe5y + - BrR + - key: O47QYt11Bl + operator: ıCƾ?9Ìx毧Ƿ + values: + - co + - A7y9 + matchLabels: + "8": 7mV4YD + namespaces: + - vi + topologyKey: sRbXgEn +annotations: + lZ: e +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 25 + minReplicas: 20 + targetCPUUtilizationPercentage: 460 + targetMemoryUtilizationPercentage: 169 +commonLabels: + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC +configmap: + create: true +console: + roleBindings: + - {} + - {} + roles: + - {} +deployment: + create: false +enterprise: + licenseSecretRef: + key: qYIzRhBP + name: lkd8afL +extraEnv: +- name: 6aAK + value: C + valueFrom: + configMapKeyRef: + key: hSSIqC + name: QPNl + optional: true + fieldRef: + apiVersion: LhfAND6hW + fieldPath: g2J7 + resourceFieldRef: + containerName: BDRH4s + divisor: "0" + resource: "" + secretKeyRef: + key: LfIX + name: vI2UB + optional: true +- name: qUw9kXv + value: WEGTagf + valueFrom: + configMapKeyRef: + key: ejuXsJ1 + name: MYu4 + optional: false + fieldRef: + apiVersion: 9PzuPIkT3 + fieldPath: oa8Oe + resourceFieldRef: + containerName: IuMHr6gt9 + divisor: "0" + resource: dazyeM + secretKeyRef: + key: ludRIp + name: 1RhUa7B + optional: false +- name: UIdv4fEDhnwvUs + value: ZhJ + valueFrom: + configMapKeyRef: + key: 9CIrVsxQ + name: bYh + optional: false + fieldRef: + apiVersion: Fv + fieldPath: W3lmjz5mnuz + resourceFieldRef: + divisor: "0" + resource: 8sULBf + secretKeyRef: + key: mjbYsz + name: ZzZ4TUcp + optional: false +extraVolumeMounts: +- mountPath: TpG9eA0 + mountPropagation: "" + name: XFmsoqjlB + readOnly: true + subPath: rJznnSzpn + subPathExpr: kYhNPw7T1 +- mountPath: rhHVxSG + mountPropagation: Ħɔq + name: zucf + readOnly: true + subPath: rhOyK4f + subPathExpr: dxfS2ISRGUw +extraVolumes: +- name: Py +- name: Wq +- name: "N" +fullnameOverride: 59cQ0qKLI +image: + pullPolicy: 賅5尬Ƕktʈ漻`楾Ő抚@瞹%Ř忞崗Y + registry: gAh7r + repository: VvT9aH5 + tag: "" +imagePullSecrets: +- name: 2Ry3vDGf6 +- name: PE5R +- name: uWsoZ +ingress: + annotations: + Q: 3KXvHleq + YUY: BD + mdCRk: Ilk9wDjAw + className: GuB1VTCp + enabled: true + hosts: + - host: WsTbK7W + paths: + - path: MKCR56 + pathType: hEV + - path: "6" + pathType: pv + - path: rNv + pathType: L0CY1c8 + - host: OxFD + - host: Ojx + tls: + - hosts: + - C + - wxjmQWXDn + secretName: ESgom5IBQR +initContainers: + extraInitContainers: AN4 +livenessProbe: + exec: + command: + - 5m + - 1hj + failureThreshold: 1710421008 + grpc: + port: -1758154628 + service: "" + httpGet: + host: AbGz9Ql + path: 6HPb6FQP + port: 1834140801 + initialDelaySeconds: -1805305530 + periodSeconds: 580837556 + successThreshold: 1568498137 + terminationGracePeriodSeconds: 6055624087283515610 + timeoutSeconds: 1393862090 +nameOverride: xknw +nodeSelector: + "": O +podAnnotations: + IserdW: Y8zC + rKlqh6W: s9dR +podLabels: + 7yc3n: Cmh + bASmPL: XHGF + e1: s0B +podSecurityContext: + fsGroup: -6352604564338413284 + fsGroupChangePolicy: ¥ɬ屛ɀ裕量7ȅLJI/煿I庮\LÌ0 + runAsGroup: -629752081807497066 + runAsNonRoot: false + runAsUser: -7150506011583335552 + supplementalGroups: + - -2079681094590514497 + - 4310353567816636623 + sysctls: + - name: "" + value: 6bg1 + - name: v54yJPXG + value: BNnF0A + - name: DU + value: J +priorityClassName: mFg +readinessProbe: + exec: + command: + - 1A7AuNqZgrO + - 0Dv9uT + - mi + failureThreshold: -1374895470 + grpc: + port: -974870340 + service: rLr6 + httpGet: + host: ZjH9W0Mw2N7wDlEl + path: A1mi + port: VL + scheme: '''Z悁Ţ瘿ª簳Ʀx.ʞ鳃峚5ƫw牑諥ǁ' + initialDelaySeconds: -1507178072 + periodSeconds: 59289443 + successThreshold: 873349641 + terminationGracePeriodSeconds: 3372950661886875571 + timeoutSeconds: -77680726 +replicaCount: 424 +resources: {} +secret: + create: false + enterprise: + licenseSecretRef: + key: 8NBr7XfH + name: UG4to + kafka: + awsMskIamSecretKey: iq3sT9 + protobufGitBasicAuthPassword: TmKaYoY + saslPassword: 41jeqaQ + schemaRegistryPassword: lo1 + schemaRegistryTlsCa: 6ugJXi + schemaRegistryTlsCert: Dfxzy + schemaRegistryTlsKey: s6Wq0 + tlsCa: xiXLxgIB1uY + tlsCert: BoJ + tlsPassphrase: ERo + login: + github: + clientSecret: 6FsPPUCqFaQN9Z + personalAccessToken: mQjpC + google: + clientSecret: zEoO + groupsServiceAccount: sJYwU + jwtSecret: nN8l8K5 + oidc: + clientSecret: t + okta: + clientSecret: uW9S + directoryApiToken: UF7 + redpanda: + adminApi: + password: hkp2 + tlsCa: Hv + tlsCert: YIT6XYEg + tlsKey: gVxUg +secretMounts: +- defaultMode: 217 + name: 84iLClLVXmt + path: z5a16ev9 + secretName: DBNf +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Ò4^|wƙJ3ɀªʭ÷齹æc8ǺơG + drop: + - 罩Ɵ + - 凘~蹆縇W偓Ȓ鵇膓咰ɲ俹îS泑 + privileged: true + procMount: 'č #m繰:¿ċY3扙缗_MǮJw' + readOnlyRootFilesystem: true + runAsGroup: -3419647664540135091 + runAsNonRoot: true + runAsUser: -7389132079103631330 +service: + nodePort: 398 + port: 112 + targetPort: 375 + type: N9chrF +serviceAccount: + annotations: + 4Fkdkgg: xGzY0KvisI + WBAEgggZ: v + sCN: cru + automountServiceAccountToken: true + create: false + name: REj +strategy: + rollingUpdate: {} + type: rÂ秘鲊ơ煥ËI5ɠv蜺 +tests: + enabled: true +tolerations: +- effect: Ɍ + key: P5n9NT + operator: hKW塀Bʊ祆aTɋw + tolerationSeconds: 4112555560826291604 + value: WHYsAK +- effect: Ŵ夀D朩儿 + key: QW09kcw + operator: K嗂ɩ + tolerationSeconds: 1977367920031301876 + value: FxI4 +- effect: 虻~ƤɟŪm繒敏嗕?ʅ着é殮领 + key: nkzGJU9 + operator: M鏫ɮ噀屗pq)ɋɎN + tolerationSeconds: 1704904114127412585 + value: AgyEeU +-- case-032 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 735732238 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cFkyLM + operator: 岊B + - key: V3cKSq + operator: ǟ濈1ɑÎ"孲ȀŨFhŲ + values: + - hz + - matchExpressions: + - key: 8N + operator: 9´敤T + values: + - amWROpS + matchFields: + - key: 7hmWbsKS + operator: "" + values: + - lS + - slkOyX + - YlwPcdVh + - matchExpressions: + - key: n5YD + operator: Əüʢ軾ŚũɳnŒ + values: + - 5s4eD6x + - WMkZIzS40rxp + - zCnW + - key: JawyIOLo + operator: 巳c習Gnƛ{ɩ¯Ĭ枺lȜʩ泿趏ǙĊi + values: + - Fvzyw13fUZC + - 4w9T3GeG + - mVj9N + matchFields: + - key: 4amyTWvhx + operator: Ąŵ8雌%ɸ*W褒卒S + values: + - cPr0Nm2WFo1dBq + - a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XgsMMBS + operator: ȗ諹 + values: + - foI + - NN1yiUNR + matchLabels: + Qq: VB19aUlI + mismatchLabelKeys: + - hcD + namespaceSelector: + matchLabels: + vMT90cNq3PYf2z: upe + topologyKey: RSVn9W + weight: 603398420 + - podAffinityTerm: + labelSelector: {} + mismatchLabelKeys: + - 4IL0rEe9 + - yY0RMU2 + namespaceSelector: + matchExpressions: + - key: tIka9jS + operator: 7怘xə4ÏɦW + values: + - l + - ajs6c + - hkYj + - key: Qu + operator: ʊ鏀ɑ蒀刹gE + values: + - 2UvY + - hRB1wKXyHi9 + topologyKey: ZKWyn5kI + weight: -1674108352 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: KQfZ4 + operator: ġȁAu盝ȭƈŦ齬{z + values: + - itNS0T + - jL + - key: q0HemjU + operator: e銳ȇ葁õDÏ筃 + values: + - M5yeE + - gJJY + - HInHzXgX + - key: d1LKZ1 + operator: Q + matchLabels: + XElv: QGJ + nD: kNCk5qe + wUtw34v: sCjj5z + matchLabelKeys: + - ej9hOPjp7W + mismatchLabelKeys: + - lhU9gP + - T7rMlvu + namespaceSelector: {} + namespaces: + - ii3aa + topologyKey: 8U7 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: CkQsu4fS + operator: 鄦&ɲȅ + values: + - RVnwZ + - EVk + - key: yt + operator: 傓N嬅宠H^÷ + values: + - 1L + - rVQPs + - dUHOKQ + - key: hQ1Tl + operator: ɣë筁尻!絜辩^riʨ莠8dƋ + values: + - 4D6Y + - 5TXh + - 8RH + matchLabels: + "9": jb2X + IdL: PQj0N + iB09Upiijt: JpN + matchLabelKeys: + - rKS9p8 + - sK8p + namespaceSelector: + matchExpressions: + - key: KQ6 + operator: '篛I6ÝBŘ F媍/:' + values: + - NXP47Fm + - Z0Qh2Y4 + - JeWX + - key: Yh + operator: '!j3W' + values: + - mTm5dkO58H + - "" + - key: 6q + operator: 景¨Sŝvo/ + values: + - TrgtrP + - zqIsId + matchLabels: + 7E3A1K: "7" + 63IlVL: aSxc + W1hP: 1H9k3O + namespaces: + - "" + - 2Ma + topologyKey: FFqt + - labelSelector: + matchLabels: + "": wklJJ + C8JZ: LP + U1pz: kAE1l4 + matchLabelKeys: + - shj5V + - oU074y + - Ufq2w + mismatchLabelKeys: + - oBzMiOSgd + - iSF + namespaceSelector: + matchExpressions: + - key: fCbLu + operator: 塊衅m鑀ȣ戢ŭ阻蹯ȟ獇ɨ + values: + - B6TgQ75 + - FAHTEOSesQ + - Ms2Kw7XQ + - key: 133fMqId + operator: "" + values: + - pJc0Zu8 + - T1PEuV0uism + matchLabels: + 1rfPa2b4Ny: cemR + Np9l: lcX + SjNYy4: VZX + namespaces: + - 7W + - umFBWrpUDHv + - "" + topologyKey: pPUIqPXo +annotations: + xpNWT: MpOZ +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 459 + minReplicas: 198 + targetCPUUtilizationPercentage: 497 + targetMemoryUtilizationPercentage: 146 +commonLabels: + B19ue: 8W + Kxm5R1: R + e3Cx: MIAO +configmap: + create: true +console: + roleBindings: + - K8wnWSD: null + bwYE7: null + y4j: null + - GvFfKdgL: null + enU8G4: null + wvnJcOn: null + - td7: null + roles: + - YQBucbbDX2R: null + - 2UuDKjR: null + IV0Yus9: null + ci20SljQkhw: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: bujGpO7D0C + name: V +extraContainers: +- args: + - T + - Pvf1yAamEa + - jQE8UakuY + env: + - name: 3g + value: JexRP + valueFrom: + configMapKeyRef: + key: QZ + name: QcC + optional: true + fieldRef: + apiVersion: Iv + fieldPath: d7xQ + resourceFieldRef: + containerName: jLpJ + divisor: "0" + resource: m + secretKeyRef: + key: Quhh + name: HUhzPAEo85 + optional: true + - name: ehSBff + value: nHu + valueFrom: + configMapKeyRef: + key: v3Icanu + name: dNPJ8 + optional: false + fieldRef: + apiVersion: xO7UQDq0 + fieldPath: gAyGB6Nj4 + resourceFieldRef: + containerName: Bs2D + divisor: "0" + resource: xJCQsH + secretKeyRef: + key: 3T6tjIQWa0C + name: 8TvRbhP + optional: false + envFrom: + - configMapRef: + name: mf + optional: false + prefix: pZxp + secretRef: + name: v + optional: true + - configMapRef: + name: wosjc9 + optional: true + prefix: ehhmFeLY + secretRef: + name: Ll + optional: false + image: kZ8UUm + imagePullPolicy: Ɓ + lifecycle: + postStart: + exec: {} + httpGet: + host: K29SzZPo + path: y2bQL8 + port: Cr + scheme: 轂Ì蕏ʋ + sleep: + seconds: -3765902632580054640 + preStop: + exec: + command: + - 1pT5X + httpGet: + host: NouEQF + path: WITzSW + port: 1565482371 + scheme: ƒ塒廛鎐藽瀫 + sleep: + seconds: 1831382645860081979 + livenessProbe: + exec: {} + failureThreshold: -1525719681 + grpc: + port: 99688681 + service: xa0sl3k5KM + httpGet: + host: prjHPqf + path: RHwZIE + port: 2UZ7hXI + scheme: 瑀ċ廤ȵ + initialDelaySeconds: -1367665605 + periodSeconds: -1023789296 + successThreshold: 206844073 + terminationGracePeriodSeconds: -3901072071078889022 + timeoutSeconds: 1670691424 + name: t + ports: + - containerPort: 2046398071 + hostIP: pJg + hostPort: -1247541550 + name: DrYeHQ6 + protocol: ²ȑBŸ + readinessProbe: + exec: {} + failureThreshold: 852505381 + grpc: + port: 8093048 + service: "N" + httpGet: + host: uuaPC + path: Mpxk6p + port: -297149767 + scheme: 這伦礗鯪àe]雚腴k£ɂ闧ɦĚH鏰浳 + initialDelaySeconds: 296244720 + periodSeconds: 1237321103 + successThreshold: 722306410 + terminationGracePeriodSeconds: 7739978307238029730 + timeoutSeconds: -2129506856 + resizePolicy: + - resourceName: NBfNOBC + restartPolicy: ƞdWǝi鎠R殩杜Ś晚尒尧ǐ; + - resourceName: oDw8xEb + restartPolicy: ja侬ƕ + resources: + limits: + BJcVkW: "0" + Ub5Spt: "0" + nWi63TNlCyM: "0" + requests: + e5vcw0H: "0" + eKz0z: "0" + gK: "0" + restartPolicy: 嗈ǒɟNǭ臥穥Ť + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - $拷霒Ø耖} + - ijĸN藬?w粯痵餒薃辕5勅ů + - 幒Ƹʁòĺǂ浼GX + drop: + - 宖 + privileged: true + procMount: 凝 + readOnlyRootFilesystem: false + runAsGroup: -7000080292188880782 + runAsNonRoot: false + runAsUser: 9107304642056618949 + startupProbe: + exec: {} + failureThreshold: -208121509 + grpc: + port: 133215347 + service: pj4Kw + httpGet: + path: hGLW3 + port: -239286046 + scheme: YsÌǮŦʁ¡ē峪3 + initialDelaySeconds: -817672524 + periodSeconds: 1846655614 + successThreshold: -243958761 + terminationGracePeriodSeconds: 4190490525804645179 + timeoutSeconds: -973067987 + terminationMessagePath: 9vMe3Y + terminationMessagePolicy: 雍Wȯ嘷台厃$Țʍ13b霞两e + tty: true + volumeMounts: + - mountPath: yZbL + mountPropagation: 鲫絎Q(銞ÎÕX堙Ľ銃曅注t锋ɮj覧« + name: UFfAqsgd + subPath: wSo + subPathExpr: bIsBP3O + workingDir: DYBcINRq +- command: + - wgBryFN + image: NorbK + imagePullPolicy: 鉓Ĕʠ;兮)Frë + lifecycle: + postStart: + exec: {} + httpGet: + host: Z + path: 3v + port: W1vDkt + scheme: ŷ索gp=ŵāǼ餆嬦Ƹl媓R}豟ɠĖ. + sleep: + seconds: 1583583004300077159 + preStop: + exec: + command: + - XztEol6So + - GveA + - H4aUl + httpGet: + host: 75LDW + path: nu + port: I + scheme: 胛Uȁ¬ + sleep: + seconds: 4617693270470586770 + livenessProbe: + exec: {} + failureThreshold: 1423393786 + grpc: + port: 2097410769 + service: "" + httpGet: + host: W7 + path: PyPprD6 + port: dHwCyz + initialDelaySeconds: -1439644816 + periodSeconds: 182024489 + successThreshold: -1861505070 + terminationGracePeriodSeconds: -4166230023615503394 + timeoutSeconds: -704907360 + name: sFz5 + ports: + - containerPort: 1977465061 + hostIP: kxqRig + hostPort: 393211643 + name: DRO + protocol: ķǔȈ + readinessProbe: + exec: + command: + - mn + - 4TZCjrWPW18 + failureThreshold: 972699487 + grpc: + port: -1384519737 + service: IY5quWWV4JC + httpGet: + host: wq91i + path: Zy + port: -1192576969 + scheme: Á^_ + initialDelaySeconds: 2107832874 + periodSeconds: 1041520026 + successThreshold: -118135340 + terminationGracePeriodSeconds: -4946782594204672541 + timeoutSeconds: -1933961678 + resizePolicy: + - resourceName: MG7PMkMMObJJU + restartPolicy: §觫困Ȏ龝ƃȃɩ芴ÎĽ + resources: + requests: + I4: "0" + zLy: "0" + restartPolicy: 粛醑綇蝙Ɣò犁鶓A + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 掀ǃA颺LnFąɏ動 + drop: + - 输6sĺ宯hĢ + - ĨƨO檔暰z + - Neɬ慿Ȁ0ɳ蠈ǚǦO¸Ğ崔ʂ¢剚 + privileged: false + procMount: 翄怉DžǬ?胉獄ǙƊɚx虉F + readOnlyRootFilesystem: false + runAsGroup: -1943526545280953812 + runAsNonRoot: true + runAsUser: -7089742793545456579 + startupProbe: + exec: + command: + - hDj + - ONyz91fkTFY9t3 + - ynDWkO + failureThreshold: -5561223 + grpc: + port: -1069825885 + service: oQmy + httpGet: + path: l4sWc + port: 53AhP + scheme: ȩ + initialDelaySeconds: -6165070 + periodSeconds: 1844899228 + successThreshold: 903779261 + terminationGracePeriodSeconds: -3909221818854749789 + timeoutSeconds: 746670574 + stdinOnce: true + terminationMessagePath: egr00cLki + terminationMessagePolicy: ɯ2鰌^坪yN蠏Ĵ + tty: true + volumeMounts: + - mountPath: YOyu1MjxN2 + mountPropagation: :鸛o鮓L`<]ơ1b忙n鲃{< + name: dODfVz + subPath: ZknFq + subPathExpr: oX1n + - mountPath: 4TEsoc + mountPropagation: 帺Õ斯剅ƫf鳌麓HƸŘÂ瘖?謾軌 + name: hau + subPath: w24Wq4e + subPathExpr: i2TEix + - mountPath: uuujj + mountPropagation: 氻ʃ2NFJ啼铗"O{À-ŧLJ弟 + name: klnXhhnxKk + subPath: SEx + subPathExpr: CK2FmmyYThL + workingDir: NCvZAa +extraEnvFrom: +- configMapRef: + name: nJXDn + optional: true + prefix: g3ZpAEUJC + secretRef: + name: 5Yin + optional: true +- configMapRef: + name: spYG9o0 + optional: false + prefix: Wv01 + secretRef: + name: BxDbe + optional: true +extraVolumes: +- name: 1zZI6J +- name: D +- name: OUqOnvjvba +fullnameOverride: llK4G +image: + pullPolicy: "" + registry: mU + repository: xY76Tj + tag: AgKh6S1 +ingress: + annotations: + Lhm: f24CRNEJvs + pk6fq: "2" + className: EXqR + enabled: true + tls: + - hosts: + - xEciJGskt + - pBxfBltrqACoat + - INyj + secretName: Qy + - hosts: + - F6sf + - EHuJ + - 95my0 + secretName: XOIr +initContainers: + extraInitContainers: nNSsTt6 +livenessProbe: + exec: + command: + - poXliUr + - PT + failureThreshold: 1396135036 + grpc: + port: -224883306 + service: 3pE97 + httpGet: + host: aUivZn75m + path: ELvTnGaV + port: uLGz4AgHb + scheme: ʟ#ĭ輑槳桓ȡȰ-o廕óʒÉ帇ʗ + initialDelaySeconds: 1526591550 + periodSeconds: -972224922 + successThreshold: -39437670 + terminationGracePeriodSeconds: 2216517890191965292 + timeoutSeconds: -1229662908 +nameOverride: wB +nodeSelector: + ih: xT3Dk3PXT + xhq: vu + zLR9: wFjrfu +podLabels: + So: waKMMvnY + VXPE0: 8ExVsj + ip1RGEzt4t6: "1" +podSecurityContext: + fsGroup: 7101468120327600630 + fsGroupChangePolicy: ȴ鳁ƨ殳h`熡ƍʊ0ŀ擳琗图.AƱX滋 + runAsGroup: 4262945102741076844 + runAsNonRoot: false + runAsUser: -9214274730002703336 + supplementalGroups: + - 4135587743067906306 + - -2908166639165702539 + sysctls: + - name: Yo9 + value: zak2 +priorityClassName: WeB9y8 +readinessProbe: + exec: {} + failureThreshold: 1061708880 + grpc: + port: 241985990 + service: 4id9HdK + httpGet: + host: PcSuBI + path: X5YjgFI2n + port: -1395013021 + scheme: Ȁ/ŚDŽR²庭$ê-d蟄Ä + initialDelaySeconds: 1618839364 + periodSeconds: -2098998213 + successThreshold: -846859522 + terminationGracePeriodSeconds: -4028618433241851907 + timeoutSeconds: 1824930679 +replicaCount: 371 +resources: {} +secret: + create: false + enterprise: + licenseSecretRef: + key: "" + name: be + kafka: + awsMskIamSecretKey: fs + protobufGitBasicAuthPassword: pUSXv + saslPassword: 1tdj + schemaRegistryPassword: iEgQQMH + schemaRegistryTlsCa: TlBV301 + schemaRegistryTlsCert: fRDnVgKC + schemaRegistryTlsKey: 0yblU + tlsCa: 4tIzJcND + tlsCert: NLnN + tlsPassphrase: iI + login: + github: + clientSecret: WHD + personalAccessToken: 9B7Wu + google: + clientSecret: UZnD3r + groupsServiceAccount: 9b + jwtSecret: cdvBine + oidc: + clientSecret: rQyq1alKY + okta: + clientSecret: ED1 + directoryApiToken: p + redpanda: + adminApi: + password: CWqwAXxFtl + tlsCa: gDQRbrAC8l + tlsCert: EDjU6 + tlsKey: Zm +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 退晦Ţ鲛 + - '}ʄ攏嫫;Mǐ豒ɇf,搅Ð貑ș|Óf' + privileged: false + procMount: D + readOnlyRootFilesystem: false + runAsGroup: 1564095685271138849 + runAsNonRoot: true + runAsUser: -3929576237300142573 +service: + nodePort: 312 + port: 418 + targetPort: 486 + type: aaIqePq +serviceAccount: + annotations: + QHMG: ur9Qr + ZQRGr8gxPSL: BzNE1Ja0avq + yKwL8DJSG: SRC + automountServiceAccountToken: false + create: false + name: zpH +strategy: + rollingUpdate: {} + type: ȁ进辫fu +tests: + enabled: true +-- case-033 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: 1O + operator: 拺5ř(Ƅ餕ʟ{鐻Ƈ + weight: -2070567569 + - preference: + matchFields: + - key: JlGR + operator: 脱?ĶA蛜頒ǽGǷ藸 , + values: + - 8zZEVom + - TY + - FSSQQ + - key: w3C + operator: sɯeM^筘褑 + values: + - Q + - i48uKb + weight: -1969968900 + - preference: + matchExpressions: + - key: ZsgVr + operator: Eȗ + - key: RfMZL + operator: "" + - key: r + operator: džɬ毿鵮V町iAÉ橁zy题ʔu7ÆO9 + values: + - uj8h + matchFields: + - key: "" + operator: :止褮Ȃ宸 + values: + - 9h + - Do + weight: 1160212382 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: nmW + operator: '%U<Ȫk7家fƥ降]:' + values: + - e4hDXWb9G8Qi + - SynNDfUn + - C8kz + matchFields: + - key: QO0Q + operator: l!m0ʒbƹ豫ň + values: + - eh + - key: VE5mZtP + operator: ~x蹵#ÂvǗRɩ啭Ö澭肞¤7跜庛Ɍ + values: + - yT + - key: 1Cony + operator: 阃 + values: + - ahj6j + - matchExpressions: + - key: TvhlZutK + operator: 5叹ùz + values: + - rog + - key: qLPNTFw8 + operator: 藘鸘Œé溇ʄsoɷƱǺȾ蹾K混īl軇 + - key: F + operator: 則Yǹ郰饉貓伜ſ0|麊 az襽准 + matchFields: + - key: VcfFwmb + operator: WJMU狰槃žiǶq挿} + values: + - b7G + - "" + - wzxeij27DD + - key: "" + operator: 殀ǥ + values: + - "9" + - 0E3EkrfSX + - vzth + - key: omoz + operator: e´Ģ桇适TŽǤʈ + values: + - TVj0W7 + - 7HjUt2w + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: nN1614M7 + operator: '鰺/堅ý髉铊ɇƴ2友凇3 ' + values: + - D0tt + - sG9E + matchLabelKeys: + - l + mismatchLabelKeys: + - vqTKCL2D + namespaceSelector: + matchLabels: + LIgB: qqC9YL + namespaces: + - BLdVDzfY + - eq + - qB + topologyKey: qwces + weight: 899210618 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hIz8wo + operator: ĥ\{ė + values: + - ZwYh1 + - 4l9U + - Q5Io + - key: sd3eCUDob + operator: 蒴ǚ<灁Q柷娸颂嘃üĸƢı + values: + - U0 + - "" + - WXJjoBRKrfEY + matchLabels: + QSrEl7t0: hxsiSGCubb + mismatchLabelKeys: + - PiUy + - VhBWFCyx6C + namespaceSelector: + matchLabels: + G: 07tU6 + ZCO1QQK: b + uq: HISLIo9ZC + topologyKey: 87eQuI + weight: 1750437304 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: nK0RSDE + operator: R(陛m诜ȯơȴ豨躻 + matchLabels: + CE9: u8FukDT + U5N: "y" + matchLabelKeys: + - 5I6wiiY + - JDZsP + - zGyW + mismatchLabelKeys: + - 4WZHZ + namespaceSelector: + matchExpressions: + - key: N9E9 + operator: ȅ)礯占鷨ʫɩfǡnʎə掅Ux曶HŁ遐 + values: + - JdC + - 3NS25HFHxU + - key: "" + operator: ı獗& + - key: q + operator: 髢£Ȋ泽ZwVfc剻Ţ嬊j + topologyKey: "" + - labelSelector: + matchExpressions: + - key: Tof0 + operator: ĥM:ɑȏF叆綯炩藁û漄f + values: + - jTpj + - gYZ8IIq + - key: avL + operator: ɼƌ壟.敾¦ + matchLabels: + P1w: Nb9t3e + matchLabelKeys: + - TkIx94Dmu + - 8KVE + - UEJW + namespaceSelector: + matchExpressions: + - key: gQOOR5Pz + operator: Ȁ蛝畆粔辧殤,ǔžɨʜ + values: + - MiGt + topologyKey: nn1x + - labelSelector: + matchExpressions: + - key: C + operator: 瘎%瑧¹$兤 + values: + - p5TR + matchLabels: + c9PNRTZ: L + matchLabelKeys: + - 9xrNO + - saFgUzTD530EV + namespaceSelector: + matchExpressions: + - key: "" + operator: 琨j貙ŰĤ煾骣ƢƐ肾Q`ĥ?舶 + values: + - "7" + - T4pSI + - key: u0lbHcT + operator: čÉ壶霻*ǻ蠦Źê潡%!Ȱʁr.ň沀痊 + values: + - voUu0X + namespaces: + - tX + - uDgtoDt + topologyKey: "1" +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 264 + minReplicas: 267 + targetCPUUtilizationPercentage: 341 + targetMemoryUtilizationPercentage: 404 +commonLabels: + gZ85uw3T: e + qO: F4dqLo67vKYZ +configmap: + create: true +console: + roleBindings: + - 7x: null + Ia1K2tdRuYi: null + j6c9: null + roles: + - {} + - 6Vndf: null + f: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: 9y6KmPZ + name: QM +extraContainers: +- args: + - 3OUsoZkVHy + - Gn3 + command: + - NLtY + env: + - name: 51Xcm68sAs + value: PUTq + valueFrom: + configMapKeyRef: + key: udLx6h9 + name: wSgnPbc + optional: false + fieldRef: + apiVersion: oVPbc + fieldPath: CGK + resourceFieldRef: + containerName: Ind7j + divisor: "0" + resource: 9tlZc + secretKeyRef: + key: z2i + name: aloI0W + optional: true + - name: nGb + value: I91 + valueFrom: + configMapKeyRef: + key: Ft8IZO4DX + name: 7PY9CO1 + optional: false + fieldRef: + apiVersion: DysSUO + fieldPath: M + resourceFieldRef: + containerName: i + divisor: "0" + resource: mbVAnrQ + secretKeyRef: + key: ZVD + name: 4gLX + optional: true + - name: SEd7KC2 + value: I0 + valueFrom: + configMapKeyRef: + key: 71k + name: B + optional: true + fieldRef: + apiVersion: vJE + fieldPath: nvSzEcQ + resourceFieldRef: + divisor: "0" + resource: fYaXGkFYlrz + secretKeyRef: + key: xDT4Uhi + name: a + optional: false + image: NLoqH + imagePullPolicy: U肵銨龋搁}ŗ=;ī篱ɺ頁掆薑 + lifecycle: + postStart: + exec: + command: + - NAmBp8Ijy9vgKS + httpGet: + path: GukCZ + port: umdXEe + scheme: ɭL莒ƠĦZ¢.0tȠȴF梩¯牏GȐ + sleep: + seconds: 2463489515348869616 + preStop: + exec: + command: + - RAP7lxh + - 0WRf37xLvaEE + httpGet: + host: Xi + port: 395093084 + scheme: '}Ä*諓懚泾ıɥ磀>ȃÓ愍瘞5' + sleep: + seconds: -2989387296528249021 + livenessProbe: + exec: + command: + - AondI + - CvX + - X9Dwm + failureThreshold: -1669443788 + grpc: + port: 1602861347 + service: 5dF71q + httpGet: + host: yOYLS + path: m99M + port: 1421693426 + scheme: cǶ嫙x勬´筮 + initialDelaySeconds: -348887387 + periodSeconds: -855526929 + successThreshold: -1868658835 + terminationGracePeriodSeconds: 7220662525875543964 + timeoutSeconds: -893266456 + name: 62y7 + ports: + - containerPort: 41082986 + hostIP: H + hostPort: -671022955 + name: Q + protocol: Ģ + - containerPort: -676585553 + hostIP: jdTqIIXMX + hostPort: 441858691 + name: bam + protocol: ã鯑 + readinessProbe: + exec: {} + failureThreshold: -1607827734 + grpc: + port: -732628448 + service: d + httpGet: + host: q2uSglvPX + path: 5YB9kNfy37 + port: -425352890 + scheme: ZʇįʔÌ玫Ʊ儝$緀ƥǣ鮀 + initialDelaySeconds: 1646541382 + periodSeconds: 597275764 + successThreshold: 1444783765 + terminationGracePeriodSeconds: -4224719974242331571 + timeoutSeconds: 1778484407 + resizePolicy: + - resourceName: YWwAdc + restartPolicy: 蓊ƽqs洊蛀Ƴ澠誉 + resources: + limits: + 9c5: "0" + DJI: "0" + uyw: "0" + requests: + 7livK1: "0" + PWZFD5fFpVA: "0" + restartPolicy: ǐ踊丸y苡汎0塛yM眗酊L攚dzyÚmG + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - țƒ摨1娣Q札遢ʌā4魯 + drop: + - W~ + - ȮnLv|麬O稕Ʉ幖0Ţ&揵¸ + - àPĪɉɯ鋹芨ȲƿƛĞx + privileged: false + procMount: ɉq$|ŀ蘨寱彣ɎȈORe]O掓I + readOnlyRootFilesystem: false + runAsGroup: -2438856757446632999 + runAsNonRoot: false + runAsUser: -8511671649189408390 + startupProbe: + exec: + command: + - "" + failureThreshold: 157629836 + grpc: + port: -20533111 + service: vASy4b + httpGet: + host: 94HpH + path: t70 + port: W59mpID + scheme: ħ6琏 + initialDelaySeconds: -146258274 + periodSeconds: 47385732 + successThreshold: -1646222325 + terminationGracePeriodSeconds: -5575789846018254584 + timeoutSeconds: -351943504 + terminationMessagePath: r0ZY2 + terminationMessagePolicy: 傂G嶃a橢抴=Ȃĺ庆ɏ鬹揖絴鹥ɣ¸Ȫs + tty: true + workingDir: XFFilzd +- command: + - VSuU6yfyc8y + - gLgP + env: + - name: PSOr4 + value: m2ujo1f4 + valueFrom: + configMapKeyRef: + key: B9Gc + name: BaR3c + optional: true + fieldRef: + apiVersion: OFu + fieldPath: Pydi + resourceFieldRef: + containerName: jPiF + divisor: "0" + resource: jyp8A7uPD + secretKeyRef: + key: fcGCM + name: Hs + optional: false + - name: Ax9HfRa4p + value: S3R2 + valueFrom: + configMapKeyRef: + key: ZDzzhFD + name: soDgOej + optional: false + fieldRef: + apiVersion: iSfQ + fieldPath: Plzxy53z + resourceFieldRef: + containerName: DfBt3S + divisor: "0" + resource: 757s44h + secretKeyRef: + key: bn2IGjj + name: x8E + optional: false + - name: r + value: PmO + valueFrom: + configMapKeyRef: + key: Htzib1 + name: gfbsiTcDY + optional: true + fieldRef: + apiVersion: Frhab7p2yh + fieldPath: K6XKg + resourceFieldRef: + containerName: CLX + divisor: "0" + resource: cq + secretKeyRef: + key: R + name: zPHkUHXQ + optional: false + image: bSZCow + lifecycle: + postStart: + exec: + command: + - "y" + httpGet: + host: 2cDO + path: L5m + port: yhJI + sleep: + seconds: 6222265361848815058 + preStop: + exec: + command: + - yVT + httpGet: + host: Ibt0C5XF + path: Kf7kW1 + port: Tlj66QW + scheme: 砰僮 + sleep: + seconds: 4926532563180301873 + livenessProbe: + exec: {} + failureThreshold: 982752870 + grpc: + port: -257993986 + service: XKTDj + httpGet: + host: 7vfaAybCd + path: GuTTi + port: 1952486193 + scheme: 馾耼qȩ罔磙ɮƥŴ²叇yēņȮ藺 + initialDelaySeconds: -817095459 + periodSeconds: 603211453 + successThreshold: -1693358568 + terminationGracePeriodSeconds: 3002071779676478929 + timeoutSeconds: 992801771 + name: 9QZX + ports: + - containerPort: -1838828544 + hostIP: cQQMftB + hostPort: -321659395 + name: XBD7a + protocol: '>V>ŝO随;YƁ' + - containerPort: -439290918 + hostIP: Bp0lf + hostPort: 431013681 + name: WQ5qc + protocol: 髄Ĝ估螗ȳ鎷ʫh + readinessProbe: + exec: + command: + - PjwAB3G + - k + failureThreshold: -2015478850 + grpc: + port: 156976837 + service: RSgDfH + httpGet: + host: Yi7aQ + path: 8Ql9 + port: 1150587533 + scheme: C箿i綔ȍȢ ŅŴ娒燸孆5乬瓤Ɛ + initialDelaySeconds: -486757233 + periodSeconds: -994300453 + successThreshold: 2128356439 + terminationGracePeriodSeconds: 4683705418302064343 + timeoutSeconds: 1635565784 + resizePolicy: + - resourceName: deutsepb + restartPolicy: õ崑o¾oɞø°ŮƑ欩Ʋ + - resourceName: WaO + restartPolicy: ±蜊ư蕭材y昍U + resources: + limits: + XiOokB: "0" + gxJ8zn4y: "0" + requests: + "": "0" + RFaH: "0" + restartPolicy: 7岻ðȸɉo熮燍ȉ=n + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 迠譚綞撪颫,ʖʃ佞诌Ŧ丞śɧ璯PʥT + privileged: false + procMount: 荞£DS + readOnlyRootFilesystem: true + runAsGroup: 6728166770219183734 + runAsNonRoot: true + runAsUser: 2918288689668335051 + startupProbe: + exec: + command: + - o + failureThreshold: -949081542 + grpc: + port: 220928812 + service: EIuHGNT4 + httpGet: + host: 21BmFcJ50ov + path: WC7WP + port: njQtxPF + scheme: 鲰ʌȱ卹烛橇淃ō雀)缅tb憅棔JǓ*ɒ + initialDelaySeconds: 1631334347 + periodSeconds: -785602818 + successThreshold: -1111896125 + terminationGracePeriodSeconds: -8014749222013301241 + timeoutSeconds: 795835881 + stdinOnce: true + terminationMessagePath: m08AZSt + terminationMessagePolicy: 盛P1砦ǚ瀱#Ʌ穇嘜\Ɍ + volumeDevices: + - devicePath: NdQPZme + name: uHcdGnKv + volumeMounts: + - mountPath: IX + mountPropagation: diȔiN6ļɃƐ釭卬O + name: fPg + subPath: iY + subPathExpr: U + - mountPath: E + mountPropagation: 1ĵ氓ŝ瘛o扬=[蟗 + name: xt + readOnly: true + subPath: 2KRhR + subPathExpr: Vm0HMwn + workingDir: jusEo +- args: + - Ejt + - DYgNM8X + env: + - name: HkwQ + value: fpHbv + valueFrom: + configMapKeyRef: + key: 3e + name: Q + optional: true + fieldRef: + apiVersion: lh + fieldPath: "" + resourceFieldRef: + containerName: E1uEhn3 + divisor: "0" + resource: 0Pa + secretKeyRef: + key: co85cv7H + name: KL1I3G + optional: false + - name: 5MQMJhqUni + value: 34PEKwUkR + valueFrom: + configMapKeyRef: + key: ABhM + name: qq5b + optional: false + fieldRef: + apiVersion: vCLN + fieldPath: tge3Z + resourceFieldRef: + containerName: ST + divisor: "0" + resource: qFS8 + secretKeyRef: + key: Am + name: BLI353a5GI + optional: false + envFrom: + - configMapRef: + name: KBum1 + optional: false + prefix: 56g + secretRef: + name: zt5 + optional: true + image: XgUFG + imagePullPolicy: 锄ģnj[眈例ƚ淍ƁĐ~ + lifecycle: + postStart: + exec: {} + httpGet: + host: Yp7F87b + path: "y" + port: OtElY + scheme: ǐʮŕ + sleep: + seconds: 640752187186511134 + preStop: + exec: + command: + - 4GYkI2pQ + - QB + httpGet: + host: DFjlmWGAFM + path: qLfFaRePdtA + port: GTUH4 + scheme: 罛&ĥ顱Ƌ + sleep: + seconds: -1289822532228205848 + livenessProbe: + exec: + command: + - youyR + - J + - IiK3AJ + failureThreshold: 527043957 + grpc: + port: -1790391516 + service: wFKNeu + httpGet: + host: TjItsuCL + path: Lo07CoiEpmJ + port: 1449812891 + scheme: 聗œdz_x忔8 + initialDelaySeconds: -923296146 + periodSeconds: -920279093 + successThreshold: 1372003156 + terminationGracePeriodSeconds: 4545671926845562588 + timeoutSeconds: -1730135112 + name: ouxZOTiA7 + ports: + - containerPort: 365499724 + hostIP: c3z3 + hostPort: -1622732613 + name: jfpQ + protocol: 鬍匤<ɔɟǜ鼴`ʃ荞ɗ线亮Ô¼ + - containerPort: 387750436 + hostIP: 7OF + hostPort: -922470687 + name: 20ZoNWnefc + - containerPort: -1003650010 + hostIP: yK31 + hostPort: -479225666 + name: 1Up + protocol: 郣-齡^c艃7ɑU牌驀墭:煞 + readinessProbe: + exec: {} + failureThreshold: -189409295 + grpc: + port: -880806937 + service: N1zEO + httpGet: + host: vN9 + path: n8TKqPF + port: -995680865 + initialDelaySeconds: -2090855365 + periodSeconds: 1849358636 + successThreshold: 811072097 + terminationGracePeriodSeconds: -5833095732594202880 + timeoutSeconds: -65186305 + resizePolicy: + - resourceName: 9rUpDkTFnW + restartPolicy: KSʮ1ĩ`乀_Ɠ颩紵 慒¨ƶ挢¸s诡 + resources: + limits: + MYEa: "0" + ngW: "0" + requests: + 174vfq: "0" + restartPolicy: 軵ƿǽ嚢遳E + securityContext: + allowPrivilegeEscalation: true + capabilities: {} + privileged: true + procMount: Ő\烔Z座畄睸zɩCɎx簫S悍a + readOnlyRootFilesystem: false + runAsGroup: -6410700953715650696 + runAsNonRoot: true + runAsUser: -8187102783441071897 + startupProbe: + exec: {} + failureThreshold: 1640672315 + grpc: + port: -799307372 + service: w9KE22PLk + httpGet: + host: e6Zo4rWs + path: tscGwI + port: 2071839677 + scheme: '&ǂȞ<辳)9撆ʚ6&U}P%捸`y' + initialDelaySeconds: 652003075 + periodSeconds: 1077051101 + successThreshold: 1528128815 + terminationGracePeriodSeconds: -2176015428967645191 + timeoutSeconds: -998563216 + stdinOnce: true + terminationMessagePath: P + terminationMessagePolicy: 8痃v7ȱ噣愜Å%Ġ3 + volumeDevices: + - devicePath: k8uvc + name: GL + - devicePath: 31O9l + name: ivY + workingDir: PtgSFsc1GvC +extraEnv: +- name: RTz9f + value: kK5WtZCFpsl + valueFrom: + configMapKeyRef: + key: CB1UV + name: 0pF + optional: false + fieldRef: + apiVersion: xO4s + fieldPath: n2G + resourceFieldRef: + containerName: GmnwMQ + divisor: "0" + resource: yX30Dke4u + secretKeyRef: + key: vPbHh + name: oBAn1EoZmPzN + optional: true +extraEnvFrom: +- configMapRef: + name: lo + optional: false + prefix: mSdySXyKqEkl + secretRef: + name: t4daT3 + optional: true +- configMapRef: + name: IFTvBGq + optional: false + prefix: qKk6o + secretRef: + name: "4" + optional: true +extraVolumeMounts: +- mountPath: gRGvu + mountPropagation: Ŋ4ǔ盍薟惮睌ȿ濍ȯȀüƳ$ + name: oJv65V + readOnly: true + subPath: P20XHtoR + subPathExpr: SzD +- mountPath: xhuwGvn + mountPropagation: 搛悈nj鰣*颵俠Ʀ慫灗岵ȆǴ騔Ė栢č)q + name: ebDa1q2nKt + readOnly: true + subPath: "6" + subPathExpr: N0xOT +- mountPath: xHTM + mountPropagation: 0關ɮUeŪ + name: P8noEsWy3t + subPath: y5E + subPathExpr: oP2A6C +extraVolumes: +- name: MqQb15NA +fullnameOverride: foGC +image: + pullPolicy: 躂Qʢ瞶CǁȮ + registry: JWsGq + repository: JAUpWzFL + tag: 3WF1aV +imagePullSecrets: +- name: s1B +- name: R54rm +ingress: + annotations: + "71": 1aSj + B3N4dn: hsJR8Fl + S9: x8u + className: xm + enabled: false + tls: + - hosts: + - 6PBjnokDE5 + - df + - SMIi + secretName: VVeSdJP + - hosts: + - kY + - VSdS4nZ + secretName: rR5tuP +initContainers: + extraInitContainers: DZkf1 +livenessProbe: + exec: + command: + - b5k + - "8" + - 74zV7hI + failureThreshold: 604102540 + grpc: + port: 1351493068 + service: a + httpGet: + host: pbTe + path: l3E3mpnq + port: nBQsx + scheme: . + initialDelaySeconds: 93396392 + periodSeconds: 1323534907 + successThreshold: 2044410955 + terminationGracePeriodSeconds: -5171571423145940595 + timeoutSeconds: -725304614 +nameOverride: bCPeYVWao +nodeSelector: + TDma3: eGasO + cs6G: CyEFp0L + r: xdylcKb +podLabels: + 1bb6: "" + 3U: mfPv + T: Q +podSecurityContext: + fsGroup: -4412504815274791692 + fsGroupChangePolicy: Ȯƭhjb糯妔ȂǑʜ胴}轣 + runAsGroup: 3860793197532219812 + runAsNonRoot: true + runAsUser: -1963293898483195295 + supplementalGroups: + - 2429921255984048344 + - -2773566751575632894 + - 5629450590441918989 + sysctls: + - name: h + value: zKVw + - name: D5ekUqS2 + value: 5FxU + - name: dgHyyau + value: o +priorityClassName: uHKqx +readinessProbe: + exec: {} + failureThreshold: -1216486926 + grpc: + port: -173591622 + service: CPUt + httpGet: + host: hry + path: KRRaps9O + port: W + scheme: ƈ;黷ç駵P!瘠瘀/ǹ + initialDelaySeconds: -1636119248 + periodSeconds: -1587206371 + successThreshold: 1085720843 + terminationGracePeriodSeconds: 788084162692446331 + timeoutSeconds: 1603673472 +replicaCount: 390 +resources: + limits: + HS: "0" + sspp8OAsyF: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: enS + name: "" + kafka: + awsMskIamSecretKey: 6Rpozk + protobufGitBasicAuthPassword: b9bAHSr + saslPassword: xFMbXwVAO + schemaRegistryPassword: wMc7l + schemaRegistryTlsCa: Iqy + schemaRegistryTlsCert: B2Y5 + schemaRegistryTlsKey: ooeFo3mZ4 + tlsCa: YCVA9R6f + tlsCert: b5AAaCcgXX + tlsPassphrase: HVdFrCml + login: + github: + clientSecret: JWVOWiL + personalAccessToken: B6DA + google: + clientSecret: lk1l + groupsServiceAccount: KFTHdrXBq + jwtSecret: IfZ3S + oidc: + clientSecret: 33jad4PG + okta: + clientSecret: pEYKMXqE + directoryApiToken: S5N6 + redpanda: + adminApi: + password: cNTmA + tlsCa: Ymp + tlsCert: 5Xquj + tlsKey: f2AsWMK +secretMounts: +- defaultMode: 64 + name: v1bEam0d + path: WfYQ + secretName: FOCtz7x +- defaultMode: 494 + name: 2keqwtlu + path: hpZaUwi + secretName: 1dug +- defaultMode: 354 + name: RAI0g6yvn + path: bCeiaipj + secretName: "2" +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ɇǎȬ+丰DZ}薞ɎƐ + privileged: false + procMount: Ȧ杖煃a/ɓ<3ő+笽pȗdzSj + readOnlyRootFilesystem: true + runAsGroup: 8336843233603802952 + runAsNonRoot: true + runAsUser: 956863148985923497 +service: + annotations: + lrtdFF: 60R7 + nodePort: 446 + port: 229 + targetPort: 59 + type: 2K35 +serviceAccount: + annotations: + M: 37JLL + TSllzWgI: ZA + gOSHO: 00aEHRLh + automountServiceAccountToken: false + create: false + name: S9Bk +strategy: + rollingUpdate: {} + type: 呇弰$腕煴贔棳軀+œʃǀŖ* +tests: + enabled: false +tolerations: +- effect: 酼駘宁ì<^ʉ逐GM¼韹宅劑圦ȢN鵸; + key: LjdOPUZjJ + operator: 窃銥ɺ嘭t緯ȇw,[t捻S麨vɂ閰 + tolerationSeconds: 1714321621775966634 + value: Uvm9nY3 +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: AUro1 + operator: 聘 + values: + - x5E03owNK1 + - 61u06hoBRErcl + matchLabels: + HMA: 7iZSaiF + jCP15v: ksLC1iD + matchLabelKeys: + - cp + - CZpJKgP + maxSkew: 644443933 + minDomains: 1722624609 + nodeAffinityPolicy: ú(ʆɴȾ狍lfĒHȉ嫔7ix壿 + nodeTaintsPolicy: 遡lşř门Ǣl + topologyKey: qP + whenUnsatisfiable: "" +- labelSelector: + matchExpressions: + - key: i8xDfgO + operator: ʖĝ#烕ɋřĊI + values: + - bOA4n + - ByUsK + - key: 6fCdAFtmFF + operator: 靕ƭ錒Ĕ + values: + - JIMC2Pc + - a7wA08 + - key: xMn + operator: "" + values: + - gSa5XT + - 50IS6 + - "8" + matchLabels: + DoGCwvltR: vVXQcZcxdz + JLmhsQlh: L3AY0Pv + X9: U + maxSkew: -2038040013 + minDomains: -1884001920 + nodeAffinityPolicy: 嵋磋ɹ:ɢ慚TA烁.X幰 + nodeTaintsPolicy: 奒)ʅm=矕郔o鬻鴊ȵɯt债CŔ儤 + topologyKey: qkx4gKx7 + whenUnsatisfiable: 匊aO卞肝喚覕Ȭnr說ɉƢ/Æȧ婡賛 +-- case-034 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -982889256 + - preference: + matchFields: + - key: XhG + operator: 萎Nc汏帞 + values: + - CY + - key: SQm3as + operator: :g憓痳ʑ^荔ĚE慮ǫ鶉 + values: + - gKNU + - "4" + weight: -2081315042 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: "" + operator: '[棉' + - matchExpressions: + - key: YgpJq + operator: ës曬¡岹V瀈ȭ岅mK + - key: HKYARp + operator: '完RQ\u穩[憄籎禨 ' + values: + - 2wfWZQ9 + - key: M0 + operator: 酺縿Ȼ慭苾Ʉ6Ʀ + values: + - xr7e9 + matchFields: + - key: O + operator: 笿眷ē睡党ǎf鴋Ɗ給 + values: + - HjtABxYy + - key: TD8D + operator: Ȃ顈筻ůȳM!剢nZÁx.}鯡L颗eĵ + values: + - xDTUGq1 + - 9xI + - key: 2B + operator: ']ţ峝輴{ȳ鬻ŶøU)ŢŤ' + values: + - 8hQz + - BtJ6XJwj8 + - bB1HqX + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: QrP50c0 + operator: 2蕦!#ɺĠȿLy2ǽǃƝFʡ + - key: sh4AX + operator: '"ă粸Ǘ筽齣zƪƭŰ''鴚ǝʠƲy>A' + - key: AyAj1WrXn2nZbf + operator: 郥m,攃 + values: + - xuX0t + mismatchLabelKeys: + - 94CSmERwUUu + - "" + - 3lJqWyss + namespaceSelector: + matchLabels: + XPKK9buQTkk: hK + c6yMPKCuDUW: NaXtSSb31Vtc + topologyKey: 4IWq1 + weight: 1215591736 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: bKgv7w5BLU9 + operator: 佱$Ɛɯȳǚ½ȴk + values: + - Rc6Akw + matchLabelKeys: + - nj2vCk + - GT7VEmkOiP + - D81b9yrN + mismatchLabelKeys: + - xrrln + - "" + namespaceSelector: + matchExpressions: + - key: Okpa0 + operator: ȳɃ互B¸砂霿枹蔪 + - key: bG + operator: "" + values: + - 9Az3OOsKzxT + - qufp1g + - hPp0e + namespaces: + - ia + - wpgLWCg + topologyKey: t9 + weight: 1536631188 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: xCMZF2V + operator: p仯F寃Rm慽財Ū-宩>ɗ呈3嚱Y + values: + - 2IrEZ + - ox + - S1NOR4go + - key: M + operator: ƙ岉 ʛZ3 + values: + - 61kg + - gCY32n2G + - key: z7jqw + operator: '´鋁k透 ' + values: + - 3bI7Mo + - V15M6 + - Elw2un19FO + matchLabels: + "1": jTzLL + E3HVo8p: 8mRx + tHPA: X + mismatchLabelKeys: + - sA + - eKQcaD + - 67tHuF + namespaceSelector: + matchExpressions: + - key: CrZYZ + operator: FWɺŮ + - key: K7SRYb + operator: .ØƣƎ 對猣#倳s7Ǵ栔Ħn4 + - key: k2Bz + operator: "" + matchLabels: + r6: SsE6YhO00w + namespaces: + - bECP + - nZT + topologyKey: ATU + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: T8nB5f + operator: 虁Iɂ飇ě + values: + - bTYBHU + - PWWBtWcP + - key: BJo + operator: 焜Eâ簋@ʘ芮暸UĖ + values: + - DI + - dh9e + - 0hiMkvD + matchLabels: + 7TSrj3: t4aVDF0 + P8L: liB + TkxKc: 4k + matchLabelKeys: + - C + - Uxzu6ju3L0 + mismatchLabelKeys: + - 7JBQmr5 + - K2WwmaMb + - ZGo5q7x + namespaceSelector: + matchExpressions: + - key: "603" + operator: 溝ʫ"zNĂ + values: + - 217W38 + - DjaFqo + - 34Dd6xS + matchLabels: + Le1shqQ: q6Ra + jocxC9: 1wwizZ9OUc3 + t9v: p7 + namespaces: + - tNw7r0z + topologyKey: WB + weight: -695352638 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Et + operator: "N" + values: + - iXi + - AZpWUZE + - bB + - key: 6e8xewD + operator: 拒D挼霘%Ǧ珕 + values: + - cLLOT + - LzhXzKVG + matchLabelKeys: + - v1hg0Fb0 + mismatchLabelKeys: + - i + - vh3C0ZF + - i694fjp + namespaceSelector: + matchExpressions: + - key: Rt + operator: 4%{ź*妻=舉佸EǩɛW杚察ű + values: + - gx + - x + - M0 + - key: S1J9kEl0 + operator: 湻膴L鮠#桽 + values: + - Lpx + - key: QzUh3 + operator: 閛V;Ĝ棱碗闃{竀%狮闀ʩE腡¹#C + values: + - qh0l + - Jgu1EIM + matchLabels: + tZ: y7 + u7: jkFA4i + namespaces: + - httsx + topologyKey: wNV2 + weight: -441999969 +annotations: + "": kBVzs + JKJQy: g8k + Zcnpm: TWUNV +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 23 + minReplicas: 122 + targetCPUUtilizationPercentage: 266 + targetMemoryUtilizationPercentage: 92 +commonLabels: + 0fz: qRhpB + blGSa: Hnim0SflkfpF +configmap: + create: true +console: + roleBindings: + - zktoFv: null + - BnTf: null + N30: null + O: null + - "5": null + up6oELWDxO: null + roles: + - 3vFSt6CV6h: null + - zwoEunAfS: null + - "": null + Kz: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: wTtzVK + name: f +extraContainers: +- command: + - fbGgvGkx + - edBIWrM + env: + - name: 8jJnT7Zj + value: Mq + valueFrom: + configMapKeyRef: + key: JC + name: sVkSiknR2xCa3 + optional: true + fieldRef: + apiVersion: wANryBKXLB + fieldPath: NyZCECkxJ + resourceFieldRef: + containerName: OZ8 + divisor: "0" + resource: cmCxr + secretKeyRef: + key: DwO8j5 + name: B + optional: false + - name: EHh + value: QCji0tC6i + valueFrom: + configMapKeyRef: + key: WAw2dVgj1 + name: Ay + optional: false + fieldRef: + apiVersion: Qi + fieldPath: gpyTLtuoWjh2y + resourceFieldRef: + containerName: lU + divisor: "0" + resource: eblZRy9ULY2IzA + secretKeyRef: + key: mv + name: j + optional: false + - name: aUVmiB + value: kpqOP + valueFrom: + configMapKeyRef: + key: s + name: bQ6 + optional: false + fieldRef: + apiVersion: SdqbUuwjM + fieldPath: 2l + resourceFieldRef: + containerName: tw3t5LDN + divisor: "0" + resource: rwu + secretKeyRef: + key: 4BhlrEVh0 + optional: true + envFrom: + - configMapRef: + name: Hjuj9nlmmK + optional: false + prefix: 1f + secretRef: + name: ZAvqr + optional: true + - configMapRef: + name: xM7XvJNDv + optional: true + prefix: a3u3 + secretRef: + name: cvRqlow + optional: true + - configMapRef: + name: bRyp + optional: false + prefix: 5mEO + secretRef: + name: axWGwhmN + optional: false + image: EszTqv + imagePullPolicy: 輧脙ĭr恐荌ǩ\ȓȫ訷鿍湲瑁u楊禅ɤ& + lifecycle: + postStart: + exec: + command: + - WMJ1Vj + - bt + - UpuoW2L + httpGet: + host: ZQUCS + path: XvmuYh + port: p + scheme: 瘿ā|^k*雗 + sleep: + seconds: -4794985278116558932 + preStop: + exec: + command: + - fNY + - Rk + httpGet: + path: vcHj + port: 94X + scheme: ʕ煤}f + sleep: + seconds: -572101244460663065 + livenessProbe: + exec: + command: + - HoQxW7Nhx + - 1vL7TCk + failureThreshold: 1202856974 + grpc: + port: -177653984 + service: dd + httpGet: + host: cFj8k7 + path: l91YUo + port: -205856494 + scheme: '''朔6嚍¹*¢ɰȯK' + initialDelaySeconds: -1838390355 + periodSeconds: -2089935919 + successThreshold: 745930955 + terminationGracePeriodSeconds: 651854435833106407 + timeoutSeconds: -451727064 + name: LUkN + ports: + - containerPort: 52213129 + hostIP: pBen4iN + hostPort: -1605812710 + name: embL6 + protocol: 隠:ʀǙƴ茝鞝剟蚓遆積ǯ槦黽虼m + - containerPort: -1355336717 + hostIP: Vq9h1OAN6 + hostPort: 1469157628 + name: DgLmxr8 + protocol: ơ阆Ƃ + readinessProbe: + exec: {} + failureThreshold: 1404262379 + grpc: + port: 617847874 + service: wZ + httpGet: + host: 7f + path: 4gU9kDN5 + port: MXWfnK + scheme: 鬮ŵVƉ + initialDelaySeconds: -498539377 + periodSeconds: 1569378042 + successThreshold: 1909376148 + terminationGracePeriodSeconds: -3310812073755566654 + timeoutSeconds: 957960925 + resources: + limits: + 5k: "0" + wIlp6Km9XNo: "0" + requests: + RaT: "0" + restartPolicy: 车WđƜ嚓Ŭ罀ǑȪ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - w}ɼ簖#s>腭hWɘnj嗠/ʜ墭呣lj + - dT劍Il捝s+;暷ƻņʖ馺ª贐 + drop: + - '*¢炐96ʑ叛z¢á5ɏeEɢ@Ƨ' + - ƭ樯Ɉ>ƈ@Ɨ + - ńɜʢnij咓ƹ灀}¿\ + privileged: false + procMount: 堲渢)#珯犠ƙYĮ鷝Ƈ蚈_ + readOnlyRootFilesystem: true + runAsGroup: 5272751894835649479 + runAsNonRoot: true + runAsUser: -777021971579066284 + startupProbe: + exec: {} + failureThreshold: 48102716 + grpc: + port: -1093646129 + service: bIKooEs + httpGet: + host: Mv + path: fstI2uQ + port: Qd + scheme: dzLBʖ飐吃ê傧靲dz + initialDelaySeconds: -187921670 + periodSeconds: -217914776 + successThreshold: -664446049 + terminationGracePeriodSeconds: 8083333456613274947 + timeoutSeconds: 399455066 + terminationMessagePath: jqUx + tty: true + volumeDevices: + - devicePath: LLB2W + name: kDDD + - devicePath: 9DhP1 + name: aW0PgFJODCAEF + volumeMounts: + - mountPath: "4" + mountPropagation: ;bŊcN啲;蜩½ǒ朒Q"EƙȌ{甐岊 + name: c + subPath: c + subPathExpr: cXqUzbd + - mountPath: NY + mountPropagation: ʋS溸呖Ä翫ɧȐ{豒lÔș:ľ玠3íw + name: 7nseZUY + readOnly: true + subPath: itHF + subPathExpr: eHexIOW + workingDir: BZZ6 +- args: + - 5cCg + - E7 + - iFP6rZ + env: + - name: qEiC5K + value: HE + valueFrom: + configMapKeyRef: + key: Q4ff + name: c6s + optional: false + fieldRef: + apiVersion: jBI6X + fieldPath: zpTUfYD + resourceFieldRef: + containerName: mzmkl8 + divisor: "0" + resource: 81k8LI + secretKeyRef: + key: "" + name: N9yqj + optional: false + envFrom: + - configMapRef: + optional: false + prefix: WYG + secretRef: + name: DFBRLWb + optional: false + image: Z + imagePullPolicy: ǂAM鳘墊šéDz!迒A + lifecycle: + postStart: + exec: + command: + - r + - RbH + httpGet: + host: FG + path: gzf4kd + port: 813947014 + scheme: '&X垮Ą:S褦慺ʛ竆閃_m鑙òó' + sleep: + seconds: -1141547218815402249 + preStop: + exec: {} + httpGet: + host: ZA8qVd + path: 9ooQ + port: -271801527 + scheme: 鏡稂;ňȓRH愦Ƚ + sleep: + seconds: -8502483422139801966 + livenessProbe: + exec: + command: + - I4WNnF + failureThreshold: -637772395 + grpc: + port: -1513640963 + service: CpWh0e + httpGet: + host: JrZk + path: YCnQ4z + port: 13mIiI + scheme: 鏘 + initialDelaySeconds: -200843985 + periodSeconds: -502259067 + successThreshold: 1719668769 + terminationGracePeriodSeconds: 6044193620909725026 + timeoutSeconds: -388757192 + name: Vem + readinessProbe: + exec: {} + failureThreshold: 1932036046 + grpc: + port: 940655155 + service: h5HN + httpGet: + host: H + path: G1p4WFvGD + port: iMuM + scheme: ŗ颁njNą筵 + initialDelaySeconds: 271733079 + periodSeconds: 1483111043 + successThreshold: -1186732202 + terminationGracePeriodSeconds: 8539189418162863572 + timeoutSeconds: 1565787262 + resources: + limits: + AfrFB6Ne: "0" + UFzEjwa: "0" + regGR: "0" + requests: + 30st: "0" + restartPolicy: Ǫ豥ɗ槻T+Ĕʓȣ+卮Ȱ + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 1蒟顨ƽėȰ + values: + - TGv + - VVtqHApm + - 7Mub + matchLabels: + PI: elzxW + Wd1Q: MYEPScu1su + i: uENdc + topologyKey: QlwUBoDWM +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 367 + minReplicas: 105 + targetCPUUtilizationPercentage: 126 + targetMemoryUtilizationPercentage: 500 +commonLabels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA +configmap: + create: true +console: + roles: + - CSJ: null + - 0hM2tbS5: null + ZhG3M: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: xLO4B2BCZUJ + name: BQR2Y +extraContainers: +- command: + - DlBCuc8xa + - X2hi8Mp + image: 00GQ5 + imagePullPolicy: 賎ʂG}Ƌ煚6ūaĠ腻f + lifecycle: + postStart: + exec: + command: + - mVlE + - cFmlozRTJ + - "" + httpGet: + host: RIzcOYFo + path: eZge9wzJjW + port: ugY08 + scheme: 讣Ɨƶ"ɇǘƓƮ + sleep: + seconds: -5362042555365295319 + preStop: + exec: + command: + - "" + httpGet: + host: hLxRfJhv + path: JA8kOIY + port: tpH1 + scheme: '''k:嘡葊佒ďȏǓɡ毫/视倴ĩ}Ɓ u' + sleep: + seconds: -915316715834475044 + livenessProbe: + exec: {} + failureThreshold: 1628387875 + grpc: + port: -119747124 + service: 3cnWKI + httpGet: + host: 6Wzb9 + path: Af + port: RAzYX + scheme: 嘾Q經f + initialDelaySeconds: 4951530 + periodSeconds: 1309655668 + successThreshold: 918641827 + terminationGracePeriodSeconds: -3073080783253286451 + timeoutSeconds: -1896420637 + name: yML27O + ports: + - containerPort: 509868797 + hostIP: XMFIjyy7MNejY + hostPort: 2083818454 + name: gd + protocol: 槏 R¨ƽT³簑ƤA$<猿.0d + - containerPort: -164866787 + hostIP: eh + hostPort: 1842390272 + name: H7 + protocol: y擫`/洄]ʢÓ7Ā紐ǟ塋 + readinessProbe: + exec: + command: + - 5MrELPMn + - 23x1a + failureThreshold: 1394382122 + grpc: + port: -96138878 + service: DBq + httpGet: + host: 60SrHkgc + path: OwZeja1P + port: 721461548 + scheme: ' `$ħ' + initialDelaySeconds: -2125734502 + periodSeconds: 66441733 + successThreshold: 130216629 + terminationGracePeriodSeconds: -7113768241875088710 + timeoutSeconds: -977567736 + resizePolicy: + - resourceName: 8VNf4C + restartPolicy: Ě} + resources: + limits: + 2TX: "0" + Yd3: "0" + avcFFX: "0" + restartPolicy: Ę<彪6 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ūW銹fn|óOB¶őǝ:ɛ暙- 嫴 + - 韣噺Ȑ主鋥Ɣ睩熾@Ĥvƈ + - 気ʎɭ愢勈īɔ垆ŀ槌,q儇p顼ǯ歳 + drop: + - EģIJ>筡|n譌ɶd2鍇$X/ȴ偎穾7 + - "赻探ǞiN胂a + name: 79CeZyd + subPath: xMQ + subPathExpr: NvU + - mountPath: smgfnmvP + mountPropagation: ʈ + name: CuKUC + subPath: hZ8KJ3 + subPathExpr: CK4WsX + - mountPath: zm + mountPropagation: 傩骟Ⱥ|尤fŇɓ呣ɘĩŽ + name: wRtUU + readOnly: true + subPath: T1 + subPathExpr: cidBhX8I + workingDir: M0jsi8 +- args: + - rQ7QBmZ4 + - Q32wY3lGUA + - VGeP + command: + - "6" + - 5vVr2Q + - 4YDd + env: + - name: DY1 + value: sge + valueFrom: + configMapKeyRef: + key: O8RUTpJ + name: SCF5ph + optional: true + fieldRef: + apiVersion: NY0hb + fieldPath: ViZ0f + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: sCX + secretKeyRef: + key: Ma + name: 6s6lc5 + optional: false + - name: m19lk2eiDtcdB7 + value: 0JaB + valueFrom: + configMapKeyRef: + key: VolU + name: jnFjMLIQ19 + optional: true + fieldRef: + apiVersion: "6" + fieldPath: N0wIEnFmQ + resourceFieldRef: + containerName: QwDG86d + divisor: "0" + resource: pda + secretKeyRef: + key: Uc7x1XF + name: efgc + optional: true + - name: 8A + value: 1kUmljHSb + valueFrom: + configMapKeyRef: + key: "" + name: z18yxT + optional: true + fieldRef: + apiVersion: 1qaE + fieldPath: vEzPx + resourceFieldRef: + containerName: GYhSz + divisor: "0" + resource: Ttq + secretKeyRef: + key: aaGRQS + name: C + optional: false + envFrom: + - configMapRef: + name: "0" + optional: false + prefix: 5cqcw + secretRef: + name: O7Gex12 + optional: false + - configMapRef: + name: DHEYwZ + optional: false + prefix: wSbyGx + secretRef: + name: 9nM86dZi + optional: false + image: E + imagePullPolicy: 栧Z + lifecycle: + postStart: + exec: + command: + - 6775E + httpGet: + host: hIoYmpbc + path: qEf + port: rnJpXG69m + scheme: 赙¯6a腚 + sleep: + seconds: 4894208532244895909 + preStop: + exec: + command: + - mHtY + - 0hh1Tr + - "" + httpGet: + host: BuElf + path: fJPDiyG + port: PybmIT + scheme: M*Ķ + sleep: + seconds: 7544543348205057985 + livenessProbe: + exec: + command: + - z7IJ + failureThreshold: -360493877 + grpc: + port: -1395908290 + service: zV1i + httpGet: + host: GLn + port: -279409955 + scheme: ǃU螄骰褃Ʀ诐Ɯ{,ɍb萎Ɲʢ鰪\U + initialDelaySeconds: 1831688310 + periodSeconds: -280461011 + successThreshold: 84363106 + terminationGracePeriodSeconds: 7513815341722354757 + timeoutSeconds: 442815657 + name: pGthpc + readinessProbe: + exec: + command: + - T39QO5 + - "" + - DbSsPel + failureThreshold: -1901163919 + grpc: + port: 1255815597 + service: xeTv + httpGet: + host: bipPJGJ + path: nghEbF + port: uyLPK + scheme: 翁渹牯澖 + initialDelaySeconds: 1295268788 + periodSeconds: 17921235 + successThreshold: -212369586 + terminationGracePeriodSeconds: 1061046207943693656 + timeoutSeconds: -1707711843 + resizePolicy: + - resourceName: RLHi + restartPolicy: 掳?帐(Ǖčĭ纜 + - resourceName: H1Bv + restartPolicy: Ɉ駃愝ɲƁ2*ʍJ蕦ʃĹr}尕5J埉g + - resourceName: f + restartPolicy: ɧ帨y晒ʪäǗ«ǤǞugT埤X澇寿Ù\ + resources: {} + restartPolicy: 7Y熀7rúǬ轘 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - Ǒn%Aʙ]m* + privileged: false + procMount: 鼷R珍沌 + readOnlyRootFilesystem: false + runAsGroup: -287129322294347273 + runAsNonRoot: true + runAsUser: 3942212766283409661 + startupProbe: + exec: + command: + - gN + - zpmlcJ + - DeLJ4s + failureThreshold: 102924404 + grpc: + port: -1304933194 + service: 0iK + httpGet: + host: jbg + path: ZqaSpx8C + port: UPJqfy9dOO + scheme: 韼QY岩沴ì釪儇9ĩN + initialDelaySeconds: -46268668 + periodSeconds: -1126074804 + successThreshold: -2093938118 + terminationGracePeriodSeconds: -3498490773203628311 + timeoutSeconds: -736335366 + terminationMessagePath: "7" + terminationMessagePolicy: 辺OB¯悱楆3Ǫ首傭ɟ鮛ïƇ豙ǁUȵ + tty: true + volumeDevices: + - devicePath: DSh1 + name: 1OMawuQAlZD7 + - devicePath: "Y" + name: liCI2j + volumeMounts: + - mountPath: JPO9Ewk3kgaeuBD + mountPropagation: k釂Żɮ>ɸêW箁B| + name: QGO7HtoR + readOnly: true + subPath: oYudCrOqA + subPathExpr: Z1oG + - mountPath: iH6 + mountPropagation: dP帗俪Ťŷ/6¤þ剛&Ģ趽qi + name: 9Ro4aQU5yby + readOnly: true + subPath: piBl3 + subPathExpr: nfDFn + - mountPath: uU2H4 + mountPropagation: ljQ + name: "" + subPath: rj2 + subPathExpr: E + workingDir: BveK3 +extraEnv: +- name: 14jKCyMC + value: Mb95Ivlchi + valueFrom: + configMapKeyRef: + key: FMRh9 + name: VwME2dRYnb + optional: true + fieldRef: + apiVersion: NlY1uxRPgql + fieldPath: NDrKU5 + resourceFieldRef: + containerName: gPQ1TD3MX + divisor: "0" + resource: r6HOpjj + secretKeyRef: + key: "n" + name: RQLa2rQL7Y + optional: false +extraVolumeMounts: +- mountPath: pqfdKzb + mountPropagation: "" + name: 6btv + subPath: xLjoA + subPathExpr: UseM +- mountPath: EYXxm + mountPropagation: 煊`ś蠶+蓲慅4曌Ƥ4臜.魼簌m缽荈巇 + name: 6ut6g + subPath: 7N + subPathExpr: ypY +extraVolumes: +- name: 00PT1WRWHX +- name: P4 +- name: fn +fullnameOverride: Bv0I +image: + pullPolicy: 垿儣Ƈ#WMƻ + registry: XB9ke7yB + repository: EwU0pzhz + tag: SmZAnO7 +imagePullSecrets: +- name: ygWNP7C0W9 +- name: lo0PU +ingress: + className: vg + enabled: true + hosts: + - host: daRMGxIy7gKoE + paths: + - path: GVhF41Ue + pathType: TeM8 + - path: UontjIzl + pathType: MN + - path: "" + pathType: xN + - host: YCgI + paths: + - path: MPhdfahEcn + pathType: ECPrn + - host: GDOlAVRM + paths: + - path: H5pExfzke + pathType: v8 + tls: + - hosts: + - dQiMWdJ8cYKS + - 35K + - 8Kin + secretName: C + - hosts: + - zPo + - Z7 + secretName: SiZz +initContainers: + extraInitContainers: ITIY +livenessProbe: + exec: {} + failureThreshold: 724782955 + grpc: + port: -2055628426 + service: kYxAdPiz + httpGet: + host: JfFu5eafS + path: S8lsKuv + port: 45830231 + scheme: 嵋6ǞkĤ閾8_Tu鍓 + initialDelaySeconds: 1633166106 + periodSeconds: 2105675880 + successThreshold: 225361138 + terminationGracePeriodSeconds: -5739612377473505352 + timeoutSeconds: -1665363921 +nameOverride: "" +nodeSelector: + LAqpO: N7lh0C2 + RqG8qj: ltTa5 + X3q: F5c +podLabels: + Klzm: we + e: C2swj + s: vw1lrq +podSecurityContext: + fsGroup: -8750452531563962174 + fsGroupChangePolicy: RȗɻÎ + runAsGroup: 3754171381447903160 + runAsNonRoot: false + runAsUser: 2565919490422334632 + supplementalGroups: + - 2907772986244331938 + - -4686580881125536152 + - -7134026849524391427 + sysctls: + - name: 8gezWufB + value: 2Jv + - name: 4nhjhT6P + value: 32ZuT + - name: cQk5tljX + value: Aimzt8kirN +priorityClassName: F +readinessProbe: + exec: {} + failureThreshold: -1128918125 + grpc: + port: -1566880140 + service: wMGGUi + httpGet: + host: EwUYUz5 + path: qC4K0 + port: frlhx + scheme: 2鳳ǿ{ǿN + initialDelaySeconds: -116128728 + periodSeconds: -1936485392 + successThreshold: -1735161598 + terminationGracePeriodSeconds: -4458812029359989949 + timeoutSeconds: -1293939870 +replicaCount: 464 +resources: + limits: + 0PRJ1bi: "0" + JUjtrq: "0" + WN9h: "0" + requests: + TCeGWCB: "0" + x5O0IxuN: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: Sfb6 + name: Fkoh + kafka: + awsMskIamSecretKey: Bof21IpUS + protobufGitBasicAuthPassword: fIQwt + saslPassword: KBS + schemaRegistryPassword: TehF8FK + schemaRegistryTlsCa: 40HTol + schemaRegistryTlsCert: cgz0Y9o + schemaRegistryTlsKey: QUpyP + tlsCa: naM + tlsCert: cC23TMJ + tlsPassphrase: NxVcNj + login: + github: + clientSecret: IDQ0 + personalAccessToken: "4" + google: + clientSecret: P + groupsServiceAccount: oKbW15 + jwtSecret: "5" + oidc: + clientSecret: YcYiIJm + okta: + clientSecret: CtRNDaLkEFXR + directoryApiToken: pH3E2YC7xP + redpanda: + adminApi: + password: "y" + tlsCa: 4ieHo3L + tlsCert: pQ6AshR + tlsKey: s9 +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - '@晏駚T!UɎȉépg鎘Ȉ' + drop: + - ÚơĊ猴渋ĭ8膔櫔ż択ůĦ抹 + privileged: true + procMount: 偖躪 + readOnlyRootFilesystem: false + runAsGroup: -543916493751029755 + runAsNonRoot: false + runAsUser: 7772713475568767829 +service: + annotations: + C3p: uCspVMX + nodePort: 441 + port: 51 + targetPort: 456 + type: ZQQlqx7Np +serviceAccount: + annotations: + 7lpi: QQ + RK: "" + od3x: "3" + automountServiceAccountToken: true + create: true + name: HMyYp +strategy: + rollingUpdate: {} + type: Ʉ>朄崍ʡƥɼ戋\IJĹ +tests: + enabled: true +tolerations: +- effect: aƻƀi + key: 7II7D0fA + operator: 跳<ȴŤƇ梐ȸŷR + tolerationSeconds: -92963183946417046 + value: U +- effect: p鸿xś冣9ɩ揊Ů忁琺ȖP壡o繊堮 + key: 5sC + operator: XɦǨ燖Ż綯逆挤ʦ斝蟏滣ʣ + tolerationSeconds: -6405135249548565002 + value: c2m6hlo +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: bsO + operator: Ⱥ8欟慡Ƿţ6氙絿鐘黬聠ç + values: + - hbuLC + - SdAZnchI + - key: b4Pjya + operator: jɀh5湧,Ȳǣ6謉<ɦ + - key: gXEm + operator: ',k涃栏岴g橚甇ȳ0禰餝榖睌ěB縩侾F' + values: + - q9VqX4l + - zoMoc9Vb5 + matchLabels: + B0T: uiIEpLD2 + V: jdhpTcaa + pz: V1dJXS8 + matchLabelKeys: + - yoFhTrxV + - o + maxSkew: -1837539887 + minDomains: 2144009248 + nodeAffinityPolicy: 怓覷環ʤ苷疿ʡB聧!]LJƱĿGť + nodeTaintsPolicy: V~0韾¾Ȣû&嵙纠&ȠVƧ鍌 + topologyKey: GldA + whenUnsatisfiable: Ƀk纩{寍HƋ&庝僟D徼聊 +-- case-036 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: bkwD5 + operator: B砟摫ʟ]估ȽÓĖ頒ʙǯ + - key: 4n + operator: "" + - key: DDWUTPllaee + operator: ǒ@訹Ðđɤ軗ɲǃZ袓6悔ʙ[x] + values: + - bHwxZg + - iPWF3DQz + - yhiFQZ98w6h + weight: -551427274 + - preference: + matchExpressions: + - key: kZ + operator: "" + values: + - BMfDa + - key: l + operator: unɚʀɂ7Ǩ蘕 + values: + - 1vsAjW + - lEGj0 + matchFields: + - key: EYCyU + operator: 袒雬Ǐ蔡|骐pOĆƍbʌʝl + - key: e9QdJHV + operator: Ɏ鼛鏗擌-悝Ű + values: + - DToToJ + - Gq4 + - key: M4b3wwVy + operator: 煛苅=İ哋ońɢ\Głh斳hɷ韙 + values: + - fMIoNrUiyJdi + - tcNEhOds + - N0 + weight: -906035045 + - preference: + matchExpressions: + - key: 05VafuKQo + operator: ƃèĢC篘 + values: + - McUwm + - oMXVW + matchFields: + - key: "" + operator: 9ȮLǟ3V廉\5膏ɩ袴 + values: + - t + - r8d6G + - FevHe + - key: KeJd9X4 + operator: \Y#uɆɫwĉɎ卲S + weight: -773391374 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: PiRY + operator: 週畯嘰Œ铖'ȸ0Į5k,逊 + values: + - Fo9oE + - KLfm4 + - PiZJC + - key: 6HCuuj + operator: Ȋ!ʈh牅HŹ蓓% + values: + - PU34U + - bZ12kwJ4s1 + matchFields: + - key: CCVSIZH + operator: (铴Njʦ釖Ĩ鎅ƒ獞p)唓u¸::2 + values: + - DjvLD + - key: 9gy6tFM + operator: ø + values: + - lPjPu0 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2oL + operator: Ì溄祤BNjɎ_ )jðZF + - key: Tl1mGP + operator: r0ȨȵeēP眼饾j + - key: 98uL + operator: "" + matchLabels: + "": H0F + IGfr: 8iR8 + pTjU: 2vy5Ol + matchLabelKeys: + - l2d3an + mismatchLabelKeys: + - gomcuJ + - UMhaBnQUuSH4 + namespaceSelector: + matchExpressions: + - key: CyYjfraf + operator: 鸫ʊűoǪĞ3 + values: + - uPW + - key: vuREiHB + operator: ^ĄçȂ挌 + matchLabels: + tlcI6jz: 87JK + namespaces: + - eUszN + topologyKey: yJ + weight: 1657692208 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3d3mr + operator: 鿈Ė聭焚歉Ð(币帄Ⱥ + values: + - h + - key: Z5c + operator: ma琓 + values: + - i5Ae6oUo + - EWixIB + - "y" + namespaceSelector: + matchExpressions: + - key: XFYbW + operator: M~ + - key: lWHcsQ + operator: 铿X异~<ÿ缇ī*^ĩ + matchLabels: + s: l6sxM + vFiVA7j: WEOy1jtU + topologyKey: JW85dr45m2G + weight: 444678250 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: bMT + operator: ^)4ɊDZǸDŽ + values: + - CG9Onrt + - key: T + operator: ƞ傏 + values: + - bXs59oj + matchLabels: + 6BRwn: Pdm + Yy: aaoLnp + myN: rwJGrW + mismatchLabelKeys: + - "n" + - c + namespaceSelector: + matchLabels: + 5QMzPp: AP + D: "2" + u: Dca + namespaces: + - 8Af + - NYfxoYf + - R4G + topologyKey: yY + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2uhHhqog + operator: Ȧ + values: + - YgsgGf + - key: EaR + operator: 愅YVǵ楔¢4Ʋ + values: + - xaEk + - key: NV5iPi5Kw + operator: ' 軕氡#晉Ʀ筜篧e蹶ʀSɟʂÊʕT' + values: + - BY4 + matchLabelKeys: + - 9fTYFH7s + - aK6HB6 + mismatchLabelKeys: + - 13L + namespaceSelector: + matchExpressions: + - key: 3FT + operator: Tğ枕Ōo*a種JU-ɶƠdz鱓fƑS + values: + - 4ISUCT + - po8yM2L + - T5Q0UARu + - key: RhB + operator: "" + values: + - Re7 + - 7id + - 91GFPdrt + - key: ShRTzNRj + operator: ʬ吇Ȭ?搰Ç + values: + - HiGOGJE + - wOi + - HmllR83Dbvoz + namespaces: + - "" + - TBCPW + topologyKey: 0H + weight: 1493754197 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: CESaz + operator: ŢaæX#暁鲸'媩俛5齗aw'ĥ煆W + values: + - "" + - key: YtpoWP + operator: 瀽LƠ' + values: + - uS13z + - ip0h + - o8m9MWnmr92 + matchLabels: + 7o4tt: QX9gjN + KScJOoR95: Dpu + wfAk1b: rH5Z + matchLabelKeys: + - Yh1S1nZ7hm + - Fwx + - 6mhp + mismatchLabelKeys: + - ihvyNa7 + - m8 + - Q + namespaceSelector: + matchLabels: + 2KH67NR4: Vy8qZyy + topologyKey: w0KJ + weight: 1592497187 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 1UcAh: h + namespaceSelector: + matchExpressions: + - key: yxz + operator: ',酵ýhȿ鲹芫澥 Ǧ_Ź躄_莯ʊ傡硬M' + values: + - Fof + - key: 8KwNEN + operator: 8炮逴8`M鞵ȍȟ蟷盱 + - key: N0 + operator: Ì崌爷矉&佷* JQȴ躀厇退ƿƍ肙 + values: + - kjlwyKc + - DDz + - Yf8Vf5Ar7w7 + topologyKey: n5cRtvXjK +annotations: + GvX4jkWw: xAyNk + MdtXxfH: "" + WyrWx: 8QO +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 213 + minReplicas: 211 + targetCPUUtilizationPercentage: 270 + targetMemoryUtilizationPercentage: 495 +commonLabels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 +configmap: + create: false +console: + roleBindings: + - cwSnKnhS: null + mzA9: null + oRCBU: null + - 4VfdtEVC: null + UF: null + - 785va: null + Cmlc: null + NyhDjFL: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: teD + name: fP2IA +extraContainers: +- args: + - gfDaDhh + command: + - Eu + envFrom: + - configMapRef: + name: 9LtiYU + optional: false + prefix: dS5JDbtZJ + secretRef: + name: 3X5 + optional: false + - configMapRef: + name: vpOLCCmA + optional: true + prefix: IJpeUVYk3 + secretRef: + name: TaghAr + optional: true + image: Nw59jHFBw + imagePullPolicy: Eźz购綗映ò#ZuS絇溾^飷 + lifecycle: + postStart: + exec: + command: + - N2F2q + - XKeJn + - CfoVd + httpGet: + host: 0u3Kgf + port: PVA8u + scheme: ȧX[噦摼鎥憈ǴńƘŅ + sleep: + seconds: 9185496374723367536 + preStop: + exec: + command: + - lrWSClt + httpGet: + host: uS + path: 51Gzg9s + port: -1680102290 + scheme: 8涒齃ɠĬ諛鰅jyr塸ȷg× + sleep: + seconds: -302278202696680147 + livenessProbe: + exec: + command: + - fmu + - wJR3 + - 60zV6s4327rKb9 + failureThreshold: 2122798666 + grpc: + port: 1914605377 + service: ES + httpGet: + host: 7LAmwy8 + path: o2XAC + port: S5 + scheme: 犘ßħɚÂ剐*鬰ȇxȺ錎 + initialDelaySeconds: 343978803 + periodSeconds: -1725283583 + successThreshold: 1055506692 + terminationGracePeriodSeconds: -737021961431151273 + timeoutSeconds: 1721351711 + name: r + ports: + - containerPort: -341996687 + hostIP: zR + hostPort: -641414216 + name: AGa7X6lnw + protocol: 阧 + - containerPort: -1616018360 + hostIP: 8q + hostPort: -2060443566 + name: B + protocol: 位ŲȟHbfp餪魹| + - containerPort: -321829785 + hostIP: S + hostPort: 850049722 + protocol: ĢŔ=ɦŊ鳺醩hĂ踻鉀 + readinessProbe: + exec: + command: + - VRq0lZK + - nCUDH3Zgc + - f2h2C + failureThreshold: -444080905 + grpc: + port: -1484737838 + service: UL8hSUw + httpGet: + host: 8DDb + path: Z + port: It67aEO18 + scheme: 蹐疒Į浤 + initialDelaySeconds: -1225398553 + periodSeconds: -1497056806 + successThreshold: -1256842388 + terminationGracePeriodSeconds: -3265344141862786392 + timeoutSeconds: 1127947387 + resources: + limits: + "36": "0" + Oaiu: "0" + v: "0" + requests: + F0olO: "0" + tvGpYtd: "0" + restartPolicy: Ě卿ɫȰLZ懁 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - "" + drop: + - Ę螅7O5Ɵ駢Ó宮緂 + privileged: true + procMount: ʤ敠æx漭fƈŸʄ + readOnlyRootFilesystem: true + runAsGroup: -1779689763650765955 + runAsNonRoot: true + runAsUser: -1786517016760367110 + startupProbe: + exec: + command: + - Mcn36l + - "n" + - OMT3J + failureThreshold: 1137002720 + grpc: + port: -2106637755 + service: OYW + httpGet: + path: K + port: STUmUBT + scheme: 貪iɐ巶ɿiɲbɎ;Ŏċ2橺汲ŋ刢g + initialDelaySeconds: -648188998 + periodSeconds: -278768915 + successThreshold: 890955082 + terminationGracePeriodSeconds: 5660177701724482122 + timeoutSeconds: 959596283 + stdin: true + terminationMessagePath: h2a2mAm + terminationMessagePolicy: pjĉ + volumeDevices: + - devicePath: cZ95 + name: wLm + - devicePath: P9RW + name: PjzHR + volumeMounts: + - mountPath: b + mountPropagation: 脣Į + name: bOY + readOnly: true + subPath: mBuB + subPathExpr: 0io + - mountPath: DYp + mountPropagation: 9鹺t"Ĭij(?NB4ɖ鴼B屈桲ȋ噤ǁ + name: O + readOnly: true + subPath: EcI7mF + subPathExpr: HKfaS + - mountPath: NTgHw + mountPropagation: (ńÆ;裉嵀 + name: U6TGXB + subPath: wjpyjQ + subPathExpr: nqq + workingDir: NpjQN3dM +- args: + - m + - fmRfLPl + command: + - okKsRu + env: + - name: y8FxBu + valueFrom: + configMapKeyRef: + key: 1kdTq + name: NGzFHD + optional: false + fieldRef: + apiVersion: WDoDm + fieldPath: HTHz + resourceFieldRef: + containerName: aWk + divisor: "0" + resource: RcTwrpd4PaqW + secretKeyRef: + key: 27uDnW9fM1 + name: diwId6SMC + optional: true + - name: NZ1pEV + value: Xq7fA + valueFrom: + configMapKeyRef: + key: cYo + name: IhK1oKNNr + optional: true + fieldRef: + apiVersion: 0C + fieldPath: "" + resourceFieldRef: + containerName: OywKEud3 + divisor: "0" + resource: E4 + secretKeyRef: + key: gGTl + name: V + optional: false + envFrom: + - configMapRef: + name: fJ + optional: true + prefix: zFUU1PguE + secretRef: + name: S7Jre + optional: false + image: gbZ4mqT + imagePullPolicy: '*罖Ē掙*uĕĥ世û煨o曁ɖ)嬫噩肖Ñ' + lifecycle: + postStart: + exec: + command: + - nxKsxt + - F25ka4x + httpGet: + host: "0" + path: 9k0yMphk + port: GJdG + scheme: 婁箅蝼đ杣Ɗ°VAƭ0ĺ钘1 + sleep: + seconds: 8039264634100238529 + preStop: + exec: + command: + - NuJoJm + - gykEI + - "6" + httpGet: + host: UnkqD3SS + path: BhN + port: 712546393 + scheme: u + sleep: + seconds: 409536667065008471 + livenessProbe: + exec: {} + failureThreshold: 204373937 + grpc: + port: 1803358082 + service: VXsxSeh + httpGet: + host: Ht64jf7Eo + path: u1jjW9Qu + port: 556487018 + scheme: 熖Ű存ŖT磇ɘ外 + initialDelaySeconds: -1152834471 + periodSeconds: -1133396594 + successThreshold: -1385193405 + terminationGracePeriodSeconds: 2915006546098799012 + timeoutSeconds: -1401054296 + name: dfD716 + ports: + - containerPort: 691082006 + hostIP: b + hostPort: 636825973 + name: S5FmEWKv + protocol: g]se墰掀媸晓櫚驟憽hbƥsư° + readinessProbe: + exec: {} + failureThreshold: 152987910 + grpc: + port: 642951905 + service: q2qfom8L + httpGet: + host: GaxyfqlQ + path: Oh0t + port: -766612198 + scheme: UÂ_ + initialDelaySeconds: -1382761032 + periodSeconds: 967018272 + successThreshold: -178373997 + terminationGracePeriodSeconds: 6605400648980208248 + timeoutSeconds: -1404918452 + resources: + limits: + 7cu: "0" + 22n7v: "0" + XsU5mrE: "0" + requests: + kyXuqf: "0" + mBk4P9DWW: "0" + restartPolicy: ʓdT>NȚks_q祈 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ȸŏ脸(Yǃ¯~垇耗A) + - T翱ĥ + drop: + - 商ʏ軒Ƣ厢 + - Ⱥãt\跋þ漙苣ű吡憕鿶0傜om + privileged: false + procMount: Ŷ% + readOnlyRootFilesystem: true + runAsGroup: -1052699124096043871 + runAsNonRoot: false + runAsUser: 3737016357651072730 + startupProbe: + exec: + command: + - jefRNS + failureThreshold: -9144267 + grpc: + port: 642233169 + service: WjvgDkGG + httpGet: + host: 8hzgS0q + path: z + port: -885964296 + scheme: ɸliŵ + initialDelaySeconds: 1014078949 + periodSeconds: 1410148112 + successThreshold: 1164669668 + terminationGracePeriodSeconds: -3385668069040237914 + timeoutSeconds: -1723583731 + stdin: true + terminationMessagePath: zbCh + terminationMessagePolicy: 4攨2õė+軩Ç + tty: true + volumeDevices: + - devicePath: Nx + name: QLHA + - devicePath: 9JAgFLSdSqQ + name: "5" + volumeMounts: + - mountPath: KXG1 + mountPropagation: ȁ捄ɺ絒馢A¥`Èť + name: aghWO + readOnly: true + subPath: el7KEVsV + subPathExpr: tdksniBM + - mountPath: 5nus8 + mountPropagation: N饢杼M7X尅扐ǗÃɱNƞeuĦg儡 + name: TS4kHG + readOnly: true + subPath: i + subPathExpr: ktDaTCGG + - mountPath: CSkt9N0i + mountPropagation: 爕ɐYYȁ<獱椂@椗áʇ憣>\Ɋ筙纉Ë + name: KIKRXUR + readOnly: true + subPath: bWYTiq + subPathExpr: cgxlHqVV + workingDir: F +extraEnv: +- name: 0iCX + value: UfKNkXj6I + valueFrom: + configMapKeyRef: + key: GGYmdb5PBtUx + name: Zl1rWu9 + optional: true + fieldRef: + apiVersion: 1pKgni + fieldPath: 8Zmv + resourceFieldRef: + containerName: nK + divisor: "0" + resource: Yizp + secretKeyRef: + key: Dxqh + name: td + optional: false +- name: bm + value: K06vl + valueFrom: + configMapKeyRef: + key: dOTjzfwtRPzX + name: YleYOzRS + optional: true + fieldRef: + apiVersion: xl + fieldPath: 6NM2 + resourceFieldRef: + containerName: jreT + divisor: "0" + resource: "" + secretKeyRef: + key: B7 + name: cu + optional: true +- name: F4Vp + value: 9q + valueFrom: + configMapKeyRef: + key: dAPalKT0 + name: UXC7S + optional: false + fieldRef: + apiVersion: bTxwQmS + fieldPath: XW + resourceFieldRef: + containerName: iqnl + divisor: "0" + resource: e9 + secretKeyRef: + key: c1WJ + name: sg2TuPSW + optional: false +extraEnvFrom: +- configMapRef: + name: 3PT + optional: true + prefix: l + secretRef: + name: zakko + optional: false +- configMapRef: + name: RdxlkV + optional: false + prefix: 9Ae4W + secretRef: + name: UiJ + optional: true +- configMapRef: + name: bp + optional: true + prefix: SU + secretRef: + name: fy + optional: true +extraVolumeMounts: +- mountPath: Oly + mountPropagation: ƈįlñ + name: QuM + readOnly: true + subPath: NPJ + subPathExpr: vn +- mountPath: xsiqpcicm + mountPropagation: Ŝȃ燩čƃʤǸ儼 + name: blYv + readOnly: true + subPath: 8f + subPathExpr: I +- mountPath: "" + mountPropagation: 犒k洐ɨ3UʓďȏUm8/x艂" + name: i2 + readOnly: true + subPath: G + subPathExpr: Wo47OrA +extraVolumes: +- name: HUa7xM +fullnameOverride: AumW +image: + pullPolicy: ǫtŖŮƘ瓧ù¹勍u + registry: ai + repository: f54I + tag: iO +imagePullSecrets: +- name: bbjdn +- name: VI +ingress: + annotations: + RX47S: lb0 + Ton: ukp + className: R3Ykmr + enabled: false + hosts: + - host: bybyr6XsLFPDg + paths: + - path: c9F + pathType: TyYv +initContainers: + extraInitContainers: q +livenessProbe: + exec: + command: + - dRbj + failureThreshold: 864346345 + grpc: + port: -568790446 + service: 9WyiSW + httpGet: + host: EbFlYW + path: HC + port: C1Fv7 + scheme: 軔ǷʧP + initialDelaySeconds: -1341055636 + periodSeconds: 2055603833 + successThreshold: -175204389 + terminationGracePeriodSeconds: -2333626465204273709 + timeoutSeconds: -589897727 +nameOverride: 9mG8n4Wu4 +nodeSelector: + U3Rfg9: WSTvjvP + hODw: LSv + iwleZ: fD +podAnnotations: + jLE31lUP: LWc +podLabels: + 6W: FQvOa + YwkBSNWK: 0qqd + jP3: iNkD +podSecurityContext: + fsGroup: 8205502301244812774 + fsGroupChangePolicy: "" + runAsGroup: -8440674019915815616 + runAsNonRoot: true + runAsUser: 4432310384984167581 + supplementalGroups: + - 7965846110903121951 + - -9174375158887062481 + sysctls: + - name: OkeQ + value: A + - name: 24y + value: fIPA + - name: "" + value: b3 +priorityClassName: gPB +readinessProbe: + exec: + command: + - NjJ7Lit5 + - 29odviV2mnb + failureThreshold: 1075627654 + grpc: + port: 364618769 + service: g1wc + httpGet: + host: 40i + path: OTDO + port: -2089902693 + scheme: $Gȇ表匾ʞG絁娚彰ŝê<ĭ + initialDelaySeconds: 333726894 + periodSeconds: 1376975278 + successThreshold: 112483424 + terminationGracePeriodSeconds: 1389336444380098948 + timeoutSeconds: 669945326 +replicaCount: 24 +resources: + limits: + 7VHN3: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: jPpQY + name: uRkzw + kafka: + awsMskIamSecretKey: B + protobufGitBasicAuthPassword: EfQbyB + saslPassword: w + schemaRegistryPassword: qiltVq + schemaRegistryTlsCa: kyT4j + schemaRegistryTlsCert: Tu4varJ + schemaRegistryTlsKey: bmT + tlsCa: UyskLmDZ + tlsCert: "" + tlsPassphrase: IdsCzt + login: + github: + clientSecret: hPt + personalAccessToken: vRbRqD0 + google: + clientSecret: "" + groupsServiceAccount: lcc9 + jwtSecret: tf0x + oidc: + clientSecret: A9RDbO6GzTtHYG + okta: + clientSecret: HktzleLAg + directoryApiToken: qX + redpanda: + adminApi: + password: 5imX8ztdqjU + tlsCa: opQQ + tlsCert: PGcfJC3zH + tlsKey: IhqyTvQn4T +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - '*·戌ɳKõʚK(懷ë蟅ȣg' + - vOpɔm&ɞ法槪ųf + drop: + - l¤0ɖK樌ŕDĪ箰ɬȓũ梫h揼 + - 躟OBZş互鹫Íʨƶ`ã + privileged: false + procMount: 9®俠ɳ屑ŏO'pe,Q+膿麣 + readOnlyRootFilesystem: false + runAsGroup: -289823929905824069 + runAsNonRoot: true + runAsUser: -4392330066259666500 +service: + nodePort: 249 + port: 113 + targetPort: 414 + type: XHYb2qmrk +serviceAccount: + automountServiceAccountToken: true + create: false + name: Jg +strategy: + rollingUpdate: {} + type: LJėwǮ甧 +tests: + enabled: false +-- case-037 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: IPWU1 + operator: 魡燸"趵p砮ƘċÈ3ljDŽ + values: + - i + matchFields: + - key: "" + operator: 廋46齄aā[傡ŤXjğ@ɫ聱昣ȞA + values: + - hrjhAJC + - RGJEJ + - key: 9XRD + operator: 鏖Ų姓萲1蜓舆 + - key: nmlhnezDL + operator: =WF»圻礼鍕4u-瘸]NJ + values: + - MlE9xcsLb + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: vxH0 + operator: kűŐ鄴 + matchLabels: + YR: ZYyx + matchLabelKeys: + - lrfi + - 9s + - "2" + mismatchLabelKeys: + - "" + - vc + - rz4SvG + namespaceSelector: + matchExpressions: + - key: ybBiR8Fm + operator: UlƜ寻眅崈O+聁ȴ + values: + - xxao + - key: UpNi + operator: v韠Ʀ.Ɓ氩諑ʊ0ɔ凹 + values: + - ECPGYavF2 + matchLabels: + 7qRB: 56MM + tcHg1: kpR + topologyKey: "7" + weight: 212582037 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 6PJt: OILe3j + mismatchLabelKeys: + - PB + namespaceSelector: + matchExpressions: + - key: "1" + operator: ǯVɳCĬ鷹儉ïXǐʐ楏ċŇǽ + - key: aFA + operator: ƣ諔&ȵ%ǼQ傠ûQ& + values: + - tdkCJmsLj + - 2WF + - nlO + matchLabels: + "": JgBcTwL + gUx2lrPlU: 2MEiay0i + namespaces: + - iUHz + - F + - C + topologyKey: 0DqLIsLvEJ + - labelSelector: + matchLabels: + D65k: m + v: Wf73pl + namespaceSelector: + matchExpressions: + - key: Mql8T + operator: Ȳ + values: + - kiCXA + matchLabels: + QJPP2Wmbc: MGiu + tm: POZGk072F + v: OdyUJaKz8sW + topologyKey: CaAJ + - labelSelector: + matchExpressions: + - key: kJFGWDPIX + operator: '`園bsN唲幈ùÄ!鑢' + values: + - x + - key: PQktimeqK + operator: Í Ho亜q毂EɌ39蓷 + values: + - rYZ + - key: L6Wp + operator: '&去鉼晆Äě菉' + values: + - BPX5 + - 7Ows + matchLabelKeys: + - PhOMWnct + - 4Iar + mismatchLabelKeys: + - SfvAwYYqtwPc + - w9 + namespaceSelector: + matchExpressions: + - key: VmRQ2 + operator: 錛ȋʤ`搲ZL婨ƅ\鴃m闬ǿ戺ƨĤs@ + values: + - Ah8tj + matchLabels: + JBFf5vLf4: q2X6daLRz + VuZT: gmluiWbT + p64cMTP: B9 + namespaces: + - Ri6BSDl1 + topologyKey: nACF7H8 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: ZZaxS + operator: 黦ƒ©瀂 + values: + - "" + - 20OCN + - IZ86eI1 + - key: RXLfn + operator: .惊ŝ4ni`ræseȕƌ筬NJ@pŻ + values: + - Fuy + - 6ZIkwShr + matchLabels: + RJHcF0aLL9: avVll8hJB + Spsji: hW + mismatchLabelKeys: + - RDiUdFmoEZ + namespaceSelector: + matchExpressions: + - key: RmcZbbc + operator: uŒ¶鱸K + values: + - 90lQUM5B + - J07lI + matchLabels: + 6hQX9h: Sr5NoqB + L0vc: i + iJ6hIS: yLkpjBIU + namespaces: + - i1uGAcY9Xxf + - DO5c + topologyKey: uVcRZ + weight: 608820709 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Mgdm + operator: 惋¯ʢÝǒ=h佅茆接 + - key: "n" + operator: 系¦澜C2騗ā穩 + values: + - yelaWfaB + - Cq + - Va + - key: Ymvr + operator: 7 ^»ðq> + values: + - GES + - gPThP + matchLabels: + zj9Ud7LvFtg: trcgDo5 + matchLabelKeys: + - X + mismatchLabelKeys: + - peo1 + - zVPvCpJUM + - "" + namespaceSelector: + matchLabels: + "1": qRCy + namespaces: + - Eczjbhs + - F8 + topologyKey: Az + weight: -470853400 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + matchLabelKeys: + - VWM7 + namespaceSelector: + matchLabels: + Q4BC: BojBLo + Vz06Yne: "" + namespaces: + - yEEmKNg + - iGJzcn + - G1bhP4 + topologyKey: pcOSh + - labelSelector: + matchExpressions: + - key: lCW5OK2A6HKOaC7 + operator: 蚿~2婈 ʝ似矉k + values: + - 5IOGWj + - UwmQ + - Ser + matchLabels: + "4": PB0Pb9 + Ykh3k: oX8w + matchLabelKeys: + - SfZ9pUjA + mismatchLabelKeys: + - i16lOT + - 8iU + namespaceSelector: + matchExpressions: + - key: ZxE + operator: 恇3 + values: + - "" + - 43TqLr + - key: ikCzWLGa + operator: E + values: + - W1 + - ZqA + matchLabels: + "": YJaQ + 7h: dybADQ + topologyKey: "" + - labelSelector: + matchExpressions: + - key: 0bZO + operator: '[ ' + values: + - DPm + matchLabelKeys: + - "" + namespaceSelector: + matchExpressions: + - key: b8XGJRAsiP7 + operator: ']眆寜眴z' + values: + - MsgI + - dhrJF0b + - key: SMx + operator: JɦĈ + values: + - o + - yknE + - key: rfxn3qvEK + operator: 綐岮~2熗昕Ñ占Wm员Ƴ橝灃Ɗ + values: + - "" + - K + matchLabels: + 2Jd: g3du2W + ZHju0: u7DvsT5e + zUssA7: ZKAL + namespaces: + - Qpqer2VPQ6oA + - zR0okqL + - nuH + topologyKey: i +annotations: + 1B8qie: FSPYCLoT + I: hpwL4TH + Z: 0LFy +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 370 + minReplicas: 221 + targetCPUUtilizationPercentage: 463 + targetMemoryUtilizationPercentage: 49 +commonLabels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + uEVMkDkYRvnn: zvptNai +configmap: + create: true +console: + roleBindings: + - 2m: null + VNrY1fwY: null + eaGm2c: null + - Ng0sM: null + Txhv6: null + e2uo: null + roles: + - Dd: null + H0QLXtA: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: HqS5hb + name: 3sA8DqHdr +extraContainers: +- args: + - UaqwQ7 + image: 9gJVF + imagePullPolicy: 5傅c諹ɕ ƅƬDr1鰹瀣n怌ʡ + lifecycle: + postStart: + exec: + command: + - EJfXoz + - pxAl7T7 + httpGet: + host: 4dtyQHxp + path: 9i + port: BmGAi + scheme: ¼ů + sleep: + seconds: 2333336810403167963 + preStop: + exec: + command: + - EF + httpGet: + host: gc + path: 5IcdjR2 + port: Ln1 + scheme: Ȱʛ{`Ɓʛ劽Ŋ劧Yǥ + sleep: + seconds: -8338094784810815040 + livenessProbe: + exec: {} + failureThreshold: -1009316117 + grpc: + port: 434468004 + service: hOHaw7yL5 + httpGet: + host: r0OfO9Tjf + path: rvqaH + port: 1861701721 + scheme: 蓫AȚ%Țx痷 + initialDelaySeconds: -1210592458 + periodSeconds: -1685889023 + successThreshold: -1513585658 + terminationGracePeriodSeconds: -2039599439532369874 + timeoutSeconds: 615837494 + name: 0z + ports: + - containerPort: 920384597 + hostIP: amIbTg + hostPort: -1446796645 + name: H + protocol: tsė歟ū$B,qʐ医枝 + - containerPort: 533680030 + hostIP: AQrcm57h + hostPort: 436553418 + name: zI + protocol: mĖ}ʘá~滬 + - containerPort: -88474612 + hostIP: 5Q7z7DzPSmu1KQ + hostPort: -894572877 + name: Ie31rl + protocol: Z尤汸 + readinessProbe: + exec: + command: + - Ig53IR5s + - X + - MD + failureThreshold: -697650972 + grpc: + port: -1408023460 + service: q3NQW + httpGet: + host: NClmq + path: "y" + port: 4KJj4nVotN + scheme: ®顫jV/懔e + initialDelaySeconds: 1925202911 + periodSeconds: 1008375062 + successThreshold: -1515262628 + terminationGracePeriodSeconds: -9135279372752511888 + timeoutSeconds: -757546061 + resizePolicy: + - resourceName: BhTx + restartPolicy: O憢%ȔnjŸƓx汮$ + resources: + limits: + 0R8h7mczbiK0u: "0" + ngcoDm: "0" + requests: + FvPC8: "0" + restartPolicy: 竴xJ飊µ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - eF + drop: + - '#泪<1饤ǯȲ78狎外龬郄晛頯6汐嫏' + privileged: true + procMount: bűƍȓ2C޵舕秗騛^ĪĪ溫Nȇ + readOnlyRootFilesystem: true + runAsGroup: -3343110605261139689 + runAsNonRoot: true + runAsUser: 7479178344552716344 + startupProbe: + exec: + command: + - 4mbBa0iSAgQ + - 9Vb + - B5u + failureThreshold: 753806032 + grpc: + port: 1382157718 + service: Sbk + httpGet: + host: bVoIiYzvoi0B2 + path: H7pGt3 + port: TTVi + scheme: 厪$dıQǵ_ƀÁ釔ɵ徣 + initialDelaySeconds: 849023271 + periodSeconds: -1908074475 + successThreshold: 328769480 + terminationGracePeriodSeconds: 5149904224053969297 + timeoutSeconds: 1277324377 + terminationMessagePath: 00uJXyD + terminationMessagePolicy: 禣儛x~靰ɿ`šŀǼŋP^n + tty: true + volumeDevices: + - devicePath: TMbZU + name: hFJz + - devicePath: yr + name: O0NQRcuq + - devicePath: UHqeq + name: Ydaqo + workingDir: TzR +- args: + - 1EEFNaNA + - U2l + command: + - CsMZk + - 4HgTHX + - Sqt9at + envFrom: + - configMapRef: + name: RRMDeJ + optional: false + secretRef: + name: lcA + optional: false + image: GQ69 + imagePullPolicy: Ɉǥ + lifecycle: + postStart: + exec: + command: + - 3YpG + - vZTzHN + httpGet: + host: cPtKCkyO + path: "4" + port: -1049236742 + scheme: 硺=ɸǖɵ恆Žd0 + sleep: + seconds: -7566729856608460688 + preStop: + exec: + command: + - y2fpvM + - VG + - hhX3m + httpGet: + host: o + path: "7" + port: nl5CZNKB + scheme: Ȉ + sleep: + seconds: -9000479934802388409 + livenessProbe: + exec: {} + failureThreshold: 115197733 + grpc: + port: 418872789 + service: mK04M1 + httpGet: + host: tYy4jqPpZ + path: om7u1 + port: 6vYh + scheme: 鬧ĕ,b嫲ʞÈȅɼ瑀\-ŤÔĞ{ + initialDelaySeconds: -1996330627 + periodSeconds: -2123682197 + successThreshold: -274102072 + terminationGracePeriodSeconds: -4086669261853017280 + timeoutSeconds: 1671175282 + name: MN + ports: + - containerPort: -581773322 + hostIP: w + hostPort: -1918799357 + name: NUQc5 + protocol: lɡFàW6ǼC7騰僮氁繸{Ȏ + readinessProbe: + exec: + command: + - IYC3M + failureThreshold: 178025639 + grpc: + port: -205038391 + service: EGqI + httpGet: + host: oGjb56 + path: mnq + port: pb9x + initialDelaySeconds: -1053907742 + periodSeconds: -777502604 + successThreshold: -350871959 + terminationGracePeriodSeconds: -6813701492426236069 + timeoutSeconds: -1712603807 + resources: + limits: + TwWe: "0" + requests: + 4FGQT: "0" + 57DEge: "0" + zBEzXaq: "0" + restartPolicy: 焂ś(Z緌挄ǥȪȑq*刾 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Ư#æ9NF犔帙錈 + - N範3>ȖlǖɥöS竾ƾÔŸ烠dk弸 + privileged: false + procMount: ı.ĔtQ+p銍/盂pJr替àŽ + readOnlyRootFilesystem: true + runAsGroup: -9023516459602390407 + runAsNonRoot: false + runAsUser: 2513546243926544067 + startupProbe: + exec: + command: + - C + - 9o + failureThreshold: -1595663358 + grpc: + port: 879782754 + service: E3 + httpGet: + host: j + path: ZwGu + port: -1183682475 + scheme: ȉʬ|Ȗ-胨\GǴ酥âïŀ + initialDelaySeconds: -320635887 + periodSeconds: -1762048755 + successThreshold: -1206942688 + terminationGracePeriodSeconds: 2874889772540953352 + timeoutSeconds: 201190682 + terminationMessagePath: D5nhSA2KK + terminationMessagePolicy: '|Áʊv~' + tty: true + volumeDevices: + - devicePath: fl + name: "" + - devicePath: Pivii + name: SAJBTs + volumeMounts: + - mountPath: os + mountPropagation: 霤ņd碤 + name: Wma3F + readOnly: true + subPath: J + subPathExpr: rp + - mountPath: 7p + mountPropagation: ʜ塖ɥw阒ɠ·閐駔址遥铣C龂ȵ槂瑷 + name: EKv9jGIV + readOnly: true + subPath: YjGj1 + subPathExpr: goeN5mMZVyE + workingDir: 9pZ +- env: + - name: jUF3n5Y + value: 5Oas + valueFrom: + configMapKeyRef: + key: NjvBzcrV9 + name: kjnqdL + optional: true + fieldRef: + apiVersion: EKxzT + fieldPath: keiWEt + resourceFieldRef: + containerName: 6ei + divisor: "0" + resource: 5SYJ0LG + secretKeyRef: + key: khTsQnn + name: R22Yc + optional: true + - name: Eqsqk + value: ZbUl8L + valueFrom: + configMapKeyRef: + key: LBJ9Co8gX + name: 5F + optional: false + fieldRef: + apiVersion: BBXJwlU6ov + fieldPath: tR7Z2 + resourceFieldRef: + divisor: "0" + resource: Kw7UxsTdNB + secretKeyRef: + key: x1Ijg6T + name: qqT6Y + optional: true + - name: 7zUt + value: 92wkXugDh + valueFrom: + configMapKeyRef: + key: JfY0lIp0Jdtpv + name: nYzr + optional: false + fieldRef: + apiVersion: IDhOF + fieldPath: aTWd + resourceFieldRef: + containerName: m4s0LUsO + divisor: "0" + resource: jJSLfi + secretKeyRef: + key: KzYvK2KKl0 + name: sR + optional: true + envFrom: + - configMapRef: + name: LuhmK + optional: true + prefix: z3 + secretRef: + name: bhwKfwEMY + optional: true + - configMapRef: + name: ZLn6PrNZ + optional: true + prefix: CZK + secretRef: + name: ln + optional: false + image: 40twCh1 + lifecycle: + postStart: + exec: + command: + - "" + - 4qZLs + - OKN + httpGet: + host: L1rE + path: zDyVFyy + port: kQZa + scheme: l + sleep: + seconds: -7109845505283004784 + preStop: + exec: + command: + - HBLUwI5qG + httpGet: + host: vM5bd + path: "y" + port: 1065237668 + scheme: 働ı愊GƜǻo4qtHŢ*獊K[w + sleep: + seconds: -1099871671561452384 + livenessProbe: + exec: + command: + - K1 + - O5Tdq + failureThreshold: 1326476911 + grpc: + port: 1266228568 + service: 0yovH + httpGet: + host: feV + path: HDTE + port: "1" + scheme: '!@ȄKh8淫~ǿ%硬睇鵤嵤' + initialDelaySeconds: 1175577649 + periodSeconds: 1877040036 + successThreshold: -1354358221 + terminationGracePeriodSeconds: -925123122471881643 + timeoutSeconds: 1464454545 + name: W8b6OOS + readinessProbe: + exec: + command: + - i + failureThreshold: 1781656452 + grpc: + port: -1606887908 + service: RrbvDP + httpGet: + host: mKx + path: HD + port: hiq5RvT05 + scheme: 鱑Ȍ¾ĵ覓{>鿼钇 + initialDelaySeconds: -1803086365 + periodSeconds: 450703172 + successThreshold: -1624696013 + terminationGracePeriodSeconds: -5286538260023923986 + timeoutSeconds: -528162423 + resizePolicy: + - resourceName: um0g1naPII7 + restartPolicy: ¹俞Wƌ甝 + resources: + limits: + EDhQ2V: "0" + OQ: "0" + WtnTV: "0" + requests: + jQaF: "0" + restartPolicy: '{鉪蟏E喧t庛Þa¦ʕ' + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ň鰍坸Ñ霰ʁ攽$Ơ + - 蟒磁砈Z芥EDZ + drop: + - ċ6洌扼雚nj墣l睧奟*躾ƛƌ秡t + privileged: true + procMount: 蜵5>MU + readOnlyRootFilesystem: true + runAsGroup: -7704085956113873818 + runAsNonRoot: false + runAsUser: 5730999299228810722 + startupProbe: + exec: + command: + - ImPt + - cIB + - e58MzW + failureThreshold: 310737712 + grpc: + port: 1849024783 + service: B1W + httpGet: + host: 1nU5qLkMA + path: Oo7nHt + port: hxGSeC + scheme: ƇĒɔmĦɦ齋貢 + initialDelaySeconds: -1797908483 + periodSeconds: -761708273 + successThreshold: -1316915468 + terminationGracePeriodSeconds: 8128903938581944374 + timeoutSeconds: -1573011089 + terminationMessagePath: FYPtlxf + terminationMessagePolicy: Pʏɉ{ů囏Ì4鰸曘Ʃ氕峵 + tty: true + volumeDevices: + - devicePath: "93" + name: t3A + workingDir: w +extraEnv: +- name: fXB4uyH + value: GPmKm1YgQuvB8 + valueFrom: + configMapKeyRef: + key: BYyG6 + name: Kr8iKZ + optional: true + fieldRef: + apiVersion: sSt + fieldPath: 7r3LBO + resourceFieldRef: + containerName: B8G + divisor: "0" + resource: 3cRQ + secretKeyRef: + key: nQtb + name: B8Snqwl0U0 + optional: true +extraEnvFrom: +- configMapRef: + name: C1P + optional: true + prefix: KcZH45pd2 + secretRef: + name: N7Yt + optional: true +extraVolumeMounts: +- mountPath: twfjF9 + mountPropagation: ȶ唗蠤S柋ɖȈƻ + name: MMcC8 + subPath: UwT0sYVo + subPathExpr: 9ugOBQ +- mountPath: 6cj + mountPropagation: "" + name: 3iQ + subPath: SaQ + subPathExpr: QQI +extraVolumes: +- name: xbuLqNQHFY +fullnameOverride: ADIhC +image: + pullPolicy: '|í' + registry: CIzpk + repository: O + tag: F +imagePullSecrets: +- name: Yi +- name: 6XnEhUN +- name: oeoW +ingress: + annotations: + "8": SeJ + className: PHr + enabled: true + hosts: + - host: PXAcFs520n + paths: + - path: 1uGP0 + pathType: dWpX + - path: hAH + pathType: LjzFf + - path: 7Qy + pathType: vjB + - host: z9QAJ5 + - host: "" + paths: + - path: Hc0IpaX + pathType: bc0T + - path: dzn1ldJ5h + pathType: M +initContainers: + extraInitContainers: 7DdMwNg +livenessProbe: + exec: + command: + - XRPuLpEO + - nplEP2IP3 + - 9jrKdj2 + failureThreshold: 1516033986 + grpc: + port: -531236004 + service: 11bsOMf + httpGet: + host: 9PMyxMco + path: RI3zx + port: -2029405965 + scheme: G隠Ī:ŁuƠ禲oŇO鿈Ⱥȡ + initialDelaySeconds: 1774510914 + periodSeconds: 1308551645 + successThreshold: 752675362 + terminationGracePeriodSeconds: 8661862683503969755 + timeoutSeconds: 437106483 +nameOverride: u2r6 +nodeSelector: + CrYMUu1pg: "" + ftZ: dKqEwc + pNPla: Cc +podAnnotations: + dApB5noz: fJm84 +podLabels: + 9c2: 3fwyB6m1 + MyocWENxGGa: TrRadg +podSecurityContext: + fsGroup: 5618615494228351604 + fsGroupChangePolicy: ʩrXù济延唇ė袡 ʊ + runAsGroup: -3861060047548570674 + runAsNonRoot: false + runAsUser: 3602747950735365650 + supplementalGroups: + - -5665823160677538937 + - 2942720231280319982 + - -7811581565559124250 + sysctls: + - name: X + value: sWo + - name: MI521Dolo + value: ETgcRWsr + - name: 4gVCXpSch + value: csKV +priorityClassName: U7wS +readinessProbe: + exec: + command: + - cYKp + - vP + failureThreshold: 670800660 + grpc: + port: 1721771977 + service: y69H + httpGet: + host: mtLvsm + path: hd4c + port: 326683785 + scheme: X½鼅餕嚶渭闬脮ƧŗŠ#7êk.] + initialDelaySeconds: 713201976 + periodSeconds: 1611391820 + successThreshold: 604905966 + terminationGracePeriodSeconds: 8452879830155323173 + timeoutSeconds: 981065048 +replicaCount: 471 +resources: + limits: + avG: "0" + q: "0" + w8p: "0" + requests: + AZ: "0" + fGW: "0" + vom84xUd0: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: 41x + name: HHI4WeIS + kafka: + awsMskIamSecretKey: vvbXmwn + protobufGitBasicAuthPassword: uJNU2 + saslPassword: 1wgp7riu8 + schemaRegistryPassword: nKfA7t + schemaRegistryTlsCa: dsi + schemaRegistryTlsCert: 85xiT + schemaRegistryTlsKey: "1e0" + tlsCa: hEe0gyNOx + tlsCert: "" + tlsPassphrase: Jktiu0 + login: + github: + clientSecret: BDnf + personalAccessToken: MrWfu + google: + clientSecret: tkAac + groupsServiceAccount: w6hg3 + jwtSecret: zpS + oidc: + clientSecret: d + okta: + clientSecret: "" + directoryApiToken: a + redpanda: + adminApi: + password: raQeh15W + tlsCa: Ax453qH + tlsCert: 5cvfDAz7XB + tlsKey: ve +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ȏ煣+ȗ爸詤rȱoCö:踕v;D'茈% + - 斉 + - 劝 + drop: + - 6儌 + privileged: false + procMount: G + readOnlyRootFilesystem: true + runAsGroup: 6433461052261949548 + runAsNonRoot: false + runAsUser: -8726272423258831483 +service: + nodePort: 150 + port: 226 + targetPort: 87 + type: At +serviceAccount: + automountServiceAccountToken: true + create: true + name: ItYso +strategy: + rollingUpdate: {} + type: 匏ǛǢ²Ƴ屣EǙ9Gʡy +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: {} + matchLabelKeys: + - ImKkR6l + - oUu1w + maxSkew: 373901521 + minDomains: -938191316 + nodeAffinityPolicy: "" + nodeTaintsPolicy: 梄焑ȅƗH + topologyKey: Mh1K + whenUnsatisfiable: CǑ庬Kf鄊珪t忒訾Ɗ壚pv餲(ɯŕT铈藘SȂ臏閏@ȗ云Ȧ + weight: -1530606902 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: R8 + operator: 茔íȟÁ嗮敚S顕DZ躨ijȱ厎ɬɏl蜶拼 + values: + - PRc + - svCs + - key: LBaaOWdWW + operator: 0ŧĸ荕fR焌禗#ȰȶŁA + values: + - G0FXBn + - IpnG + - NM8oL + matchLabels: + lrB: NtdoEuXoTr2r + y1BSzp: ivK7CU + matchLabelKeys: + - 6ZNJrk5JxOHW + - B9Q + mismatchLabelKeys: + - "48" + - nm1WD5nM + - vLqhDh + namespaceSelector: + matchExpressions: + - key: GF6EQ8mKus + operator: B"(ň枣<吰檰戱R&狅Ɍ鋋Ļ飮 + values: + - f0plBpNy + - Gzl + - key: x4 + operator: Dz謶ʮ_ūKNdv· 壼×z朤 + values: + - zo + namespaces: + - QMv + topologyKey: r1z + weight: 1950038583 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: x3pdwI + operator: ǿLȴ8涣ÎƶǛ醌Õ纺網(đ倠樓纗Ǯg + values: + - xJlJ3H5 + - iza5 + - 4rszgB8v9aH + - key: 9j5f + operator: ǘ賊ƾA迌磡m摾烊 + values: + - EMECS8f + - oveu + - He + matchLabelKeys: + - 33y4E5v + - 5XIM + - "" + mismatchLabelKeys: + - 37I + - a02Re + - GVqKNcGgl + namespaceSelector: + matchExpressions: + - key: Rtiwm + operator: 萱J矻軚fC + matchLabels: + 8ipw: G + JwDA: 8EVkJ + oiQ2p: mYGgaz + topologyKey: 5l6PI + weight: -1824427504 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "" + operator: 晑2%·QHVJTM錈 + values: + - CTU + - X5a + matchLabels: + WdJU6: I + bN: "" + uoTcuu: w1Y3yLW2rz + matchLabelKeys: + - O80Pf1RfMp + - WRJOT6B + mismatchLabelKeys: + - "" + - "6" + - nwQikpclV + namespaceSelector: + matchExpressions: + - key: CNaHfk + operator: 蕵Qmƀʁ6鲿)żȯ+ɩ玙9 + values: + - OuxZv + - key: dS + operator: 炧踮P-.壨ġ + values: + - 6ZJp7y + - key: jiLGGAQ + operator: 蟾Ɵ餌|ƨ綁訲bǝɋ圼 + values: + - mQ + - Fk3eA81t + - YR3WT + topologyKey: "5" + weight: 1634860618 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: "" + operator: (冁粄Ƴ\Ē4ǀ9峖樾t燠熂鷸ȿź蛼* + values: + - fnrA + - g + - gptz8 + - key: 4Hue + operator: oğ魀Ʌ¦榴 + values: + - InPtpb + - rxTpo + - HXnghAhWU1 + - key: EE2p + operator: á儬倏qȼ療ƚ + matchLabels: + YvCi: 1Tg + oLQ9OhyY: pFYpYKV + matchLabelKeys: + - J7 + - VR5 + namespaceSelector: + matchExpressions: + - key: cwgATYQvdj + operator: ÷Zá磋舫棹瑗-神ĕ嘟泦猵 + matchLabels: + Inz: BpiLQXOvEh + topologyKey: 5sHov5x + - labelSelector: + matchExpressions: + - key: vLI2 + operator: 歑ūĿɒ + values: + - FiQIMCFX2 + - vqhAaV5N7 + matchLabels: + 6DNwSiVsen: 1fRK + V: 3L49A8YEn + matchLabelKeys: + - K0sPcZWy + - fqn0luLnrF + - "" + namespaceSelector: + matchLabels: + O9bMG: CvBa11UI9OL + cm56v: Z83nkLc + gLJIEvg5: tUJq + namespaces: + - yP + topologyKey: 3RN + - labelSelector: {} + matchLabelKeys: + - vMX6FV1t + - vP + - TU8VLc + mismatchLabelKeys: + - ZAaEBYk + - Y0F4V0C + namespaceSelector: {} + namespaces: + - LwoHgQ + - qAJ + topologyKey: "0" + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: afwQ + operator: X(^Ȓ蘘}例 + values: + - 2ak8Yfa6P + - key: T4 + operator: ȵë_-Òŝ/c諒M攕窸 + values: + - Vktm + - trH51Z3 + - key: in74thKl + operator: HþČ謼ijƉË + values: + - NK2D3 + - NUsncshnv + - YDiqn6 + matchLabels: + T1: "" + nQFxJe: tdqf + matchLabelKeys: + - KI + - 6LjhIKmlnlhpI + - 88DArl53wb + mismatchLabelKeys: + - Bn30p + - zjq + namespaceSelector: {} + topologyKey: LrLYm2oYCgO + weight: -1318876164 + - podAffinityTerm: + labelSelector: + matchLabels: + T837hItO1qv: mCNMYnPq + gDh4Dxx2O: JUZxy4z + matchLabelKeys: + - sTn + - 4nu + - CSgSC + namespaceSelector: + matchExpressions: + - key: A5z + operator: "" + values: + - PJ6Zh + - S + - key: VufLBVvFECvIW + operator: ʝcƘʣ]筍ġ0Ğ鎏£<艻錯瀢 + values: + - tz64EN + - i + - key: 8Q2s + operator: E1戠天:ɺ勎sȸɾ + matchLabels: + XTI: 7cIZ + jpH49wkR: D5u5c + namespaces: + - XyGPkW + - CERSWYSVu + - Ms80R + topologyKey: 57PFRYX + weight: -1558645933 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ZGO5iRhr + operator: 堭ŷz + values: + - IfLuRt6FZf7 + - 03fn3j1 + - key: HL + operator: M螎õ}shƏ檅葜0<瘼Ɗț夡J偦ʆ + values: + - "96" + - 4uInca + - KsWaAE + - key: nKr + operator: ʋƲ~uè蟪ʗƁʬȌ势ȃVÄ穵Ą + matchLabels: + DVRktk1U: 1XFlhcXH + matchLabelKeys: + - kJMI + - Js8qeQ + mismatchLabelKeys: + - lnn1G + - A4nlWqCrE3 + - BzU + namespaceSelector: + matchExpressions: + - key: "" + operator: ɍįmŐ冹?E蹣ƋH肥=ɭuR訷$ + values: + - faDMJv + - b0VUPX + - lOsWCl + - key: 7iy + operator: 0:H碼\b黵禧鐃 + - key: nbn + operator: 疬厼掚Ƿ蛬ƞÜ9懎拖ų洜 + values: + - byjrbi + - RqfcIc + - dLaAUt + topologyKey: BUfQ +annotations: + He: OemFaO9 + QE5O: 6CBP +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 400 + minReplicas: 455 + targetCPUUtilizationPercentage: 64 + targetMemoryUtilizationPercentage: 472 +configmap: + create: true +console: + roleBindings: + - zn: null + - WCQKaiaj: null + py: null + roles: + - {} +deployment: + create: false +enterprise: + licenseSecretRef: + key: 4F + name: k +extraEnv: +- name: fqLRMsbtI + value: VzzHe + valueFrom: + configMapKeyRef: + key: "" + name: 1au8QkGsYcK + optional: true + fieldRef: + apiVersion: "38" + fieldPath: rM + resourceFieldRef: + containerName: Moz + divisor: "0" + resource: V + secretKeyRef: + key: IQ7AC3i60u + name: BCb + optional: false +extraEnvFrom: +- configMapRef: + name: twq36B + optional: false + secretRef: + name: OLKXh + optional: true +- configMapRef: + name: Pyr + optional: true + prefix: nyu + secretRef: + name: HDmfly7EP + optional: true +- configMapRef: + name: 2TmUL8GD + optional: false + prefix: R5 + secretRef: + name: TyS + optional: false +extraVolumeMounts: +- mountPath: 4zQSAo1Lj + mountPropagation: 檛ȂWg + name: eeS + subPath: iaw3G + subPathExpr: N02q4 +extraVolumes: +- name: "" +fullnameOverride: j1dUk8TGy8Np +image: + pullPolicy: 谝鞛榜ɸ暐ɸ刀x喋 + registry: zi + repository: MTSoVvJ + tag: a25lJOfGpG +imagePullSecrets: +- name: OlRQO +- name: Hkuk3 +- name: fP +ingress: + annotations: + ADJxl: n5EK4WzM0 + M: Zoud6 + eWXUqq: "" + className: "27" + enabled: false + hosts: + - host: 6PclZ7Q + paths: + - path: RqbF29XX + pathType: WB + - path: npV1GL + pathType: zxvm + tls: + - secretName: Q + - hosts: + - EvjYI + secretName: gRDta + - hosts: + - zlgJP1 + - g367Bgr1 + secretName: eQ +initContainers: + extraInitContainers: d5lM +livenessProbe: + exec: + command: + - S + - eqi + failureThreshold: -574948042 + grpc: + port: -653621031 + service: ir + httpGet: + host: qboin0qudh2Y + path: 4jFbHK + port: 9APWoaII + scheme: ćdž埭]KU + initialDelaySeconds: 1217073146 + periodSeconds: 2084735603 + successThreshold: -1091703574 + terminationGracePeriodSeconds: -4975007928507132892 + timeoutSeconds: -203727359 +nameOverride: ld +podAnnotations: + Scdn: fLH1yCm + lCp: Hi +podLabels: + 6AmpBMD: yDh + lPb: vi6tx4 + u: Vai7 +podSecurityContext: + fsGroup: -4268923634359973318 + fsGroupChangePolicy: 椶'ɏ4Ŝʘþf¸ǚļţRď0 + runAsGroup: -5513988494785819878 + runAsNonRoot: true + runAsUser: 3348050323720255791 + supplementalGroups: + - -9211346208910065015 +priorityClassName: 89gnK9rXyDXui +readinessProbe: + exec: + command: + - WCCn1 + failureThreshold: 1866953941 + grpc: + port: -978078521 + service: Gk8q + httpGet: + host: 4aDbYIp + path: sFssnZ8D + port: b9TEE2n + scheme: n8鞘呷2ef嫰髡箩棔螇džNj雤 + initialDelaySeconds: -1624688782 + periodSeconds: -231284043 + successThreshold: 1609785496 + terminationGracePeriodSeconds: -564252460349465292 + timeoutSeconds: 767134266 +replicaCount: 444 +resources: + limits: + wjrESvfqh: "0" + requests: + fSPJBFEwK58: "0" + j: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: iKQ6Nz + name: OD68lA + kafka: + awsMskIamSecretKey: "" + protobufGitBasicAuthPassword: GKaL + saslPassword: J6S + schemaRegistryPassword: 8PuilRN + schemaRegistryTlsCa: "" + schemaRegistryTlsCert: "" + schemaRegistryTlsKey: LsoxQcg + tlsCa: rGkjDT + tlsCert: gzs + tlsPassphrase: "70" + login: + github: + clientSecret: BGgKCBXeA + personalAccessToken: S + google: + clientSecret: KQXew + groupsServiceAccount: Ll + jwtSecret: 95jKDcdtX + oidc: + clientSecret: "" + okta: + clientSecret: b + directoryApiToken: "" + redpanda: + adminApi: + password: y2jU08n6KI + tlsCa: 6YyBT + tlsCert: ZkxE + tlsKey: MpUTYb4y +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - Ƹłš硇¹,9菧ȉŪ転Ǹï7ĭɜ + privileged: false + procMount: 榷ŋĦƨÈ俟ţUȫ桊fLŊƐbƼɤ襐 + readOnlyRootFilesystem: true + runAsGroup: 2134851813508950156 + runAsNonRoot: false + runAsUser: 1677623433130194771 +service: + nodePort: 470 + port: 46 + targetPort: 43 + type: uqFB +serviceAccount: + automountServiceAccountToken: true + create: true + name: fP77cJ3T +strategy: + rollingUpdate: {} + type: '>Ƒ梚ǩ' +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: + matchLabels: + IoAy: C6rMwI0 + eM8D7JD5PJ: "n" + lFmG: gJ3l + maxSkew: 839777044 + minDomains: -1438737093 + nodeAffinityPolicy: Ƭ氄ɿ[閾pʙ9 + nodeTaintsPolicy: j珙%!溌BN + topologyKey: 2GZ + whenUnsatisfiable: 屄ɧȄ +- labelSelector: + matchExpressions: + - key: UQkB4Vn + operator: D86i溨F'>亖÷ + values: + - pH + - LHgYM1W9 + - gO + matchLabels: + bw52WaG7: 5zm31oU + t99k: AF0 + matchLabelKeys: + - lkYaHo + - 4tzd + maxSkew: -1948819142 + minDomains: -1754532325 + nodeAffinityPolicy: 酝ʪ+彨緱Y塞雾}捋嗭0]ȰʤĖé横 + nodeTaintsPolicy: '#騅Ɵ$F圃拱鿎鵅xq' + topologyKey: z2NL + whenUnsatisfiable: uȤÝ酑 +-- case-039 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: OiH + operator: Eʤ#/7諨 + values: + - iYzfGpa4 + - PaMqxj5fj8 + - sWaI + - key: Pw + operator: Kw[o0鿚 + values: + - Gnm + matchFields: + - key: YO9QL + operator: ȏ网牙鍩橷潗D9騭ŗʈ求U縷讒Ƴ漏哟 + values: + - XV65fSG5o + weight: 144962453 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: p2uqgWn7p + operator: ǙmX窀ʄʙ婘m.Ƈ谱qŴĆ揿 + values: + - IQGwhE + - Hiut + - key: mrN9GbREak + operator: oʟ + values: + - GZkF1BV + matchLabels: + 8bOT0: pvv + VYd3OWm: 0gW5 + matchLabelKeys: + - thrYIp + namespaceSelector: + matchExpressions: + - key: sonam3I + operator: "" + values: + - a9M + - bM + - key: ZFAy + operator: yW揚ɻʖî床哲ɯǮ^DzǓ + - key: ZwHE + operator: sǍ逘璿Ǧ5u軟DZ鞏綇鏑Ɲ` + values: + - 1D6 + matchLabels: + MoK3: j4Rw + namespaces: + - yS + - F2VMFv + topologyKey: wNv3 + weight: -1334539094 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Hp + operator: QɃ蒜§Ɩ5SyǸ鎧ȝ)ɒ獬v氮n兡Ĝ + values: + - "" + - y3ufRu75J + matchLabels: + Sbhb4LC: p + U1NMpjoLa: BC1D + eIgw: tBbWDRZ7j + mismatchLabelKeys: + - iWKlUgr + namespaceSelector: + matchExpressions: + - key: 9HkK + operator: ȃĕ送 + - key: P9rh1yxLN + operator: ŋľ&謮稠Ÿ珀胔俨ʎŰ + values: + - 16yHoCooS + - r3ym6YAoy + matchLabels: + PrnS8: K2h + namespaces: + - s + - US2hE + topologyKey: 5SbLzS + weight: 1219402233 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 082AGo10x + operator: pȁij~搣ɢDĝ偩ʣȘ'oIʓ?憏圽U + - key: CXjEgRK + operator: 颭镃Ș蠮S闬耧涐²ǒ圡窽ǹ(ǁ + values: + - zIVWI7jXh + - HE8UDiZnhVG + - "" + matchLabels: + FRgh: MUBtKVc + iu: K3 + jV: 5jM + mismatchLabelKeys: + - h2 + namespaceSelector: + matchExpressions: + - key: "" + operator: mHɻȐĪ$ + values: + - GFueB + - 5prw02 + matchLabels: + KgBnfc: t9Hb4 + SxGw: 4qCJppj + h3m2: gRc + namespaces: + - 1maI + topologyKey: UCy + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 08Q + operator: $鏪轟ſ俨+嬯呦ĄȕɓJp + matchLabels: + kSy3s8nE: Q0 + matchLabelKeys: + - bf0Tpn + - I + mismatchLabelKeys: + - 0Bm09lf + - P7 + - lyb2 + namespaceSelector: + matchExpressions: + - key: 6zTBp0G7 + operator: 氯¥+Dz睧勪娳Ƨ伮慒{ąɫ`瑛稃5绨 + values: + - 1YVGovQ + - bJ + - key: Cxm + operator: 芼 + topologyKey: f + - labelSelector: + matchExpressions: + - key: jNrAref + operator: 接ʼnĎ + values: + - N0 + - ZNwtHjxR + - key: 33k8BGf + operator: rĴr+qȩȃ休3Ȳȅ + values: + - "" + - E8yL4W + - 9anWnm + matchLabels: + WyV0Ct: 6BVL + vLUV: mvMLwn + matchLabelKeys: + - 9O + mismatchLabelKeys: + - CO + namespaceSelector: + matchExpressions: + - key: Jiyaq + operator: ɯ唺饓9 + values: + - qogYf + - key: UXg6 + operator: à! + values: + - phW2 + - BItew + - c09DZ9v + - key: hPhLpBwJ + operator: g«疻:糄Ś$q + namespaces: + - jAvA + - 0V6Uv6PU + - AOoh3 + topologyKey: d2QYa +annotations: + IJC774: 5hK + P1Py: YYAic7jN + REyW: 7LdLtJYMz +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 461 + minReplicas: 403 + targetCPUUtilizationPercentage: 297 + targetMemoryUtilizationPercentage: 161 +configmap: + create: true +console: + roleBindings: + - 6O4d: null + EY: null + oPTMvYGp: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: KvJNskb5ptO + name: vVsE +extraContainers: +- args: + - fajfbgt + - 1XG4cARu + envFrom: + - configMapRef: + name: F5n + optional: false + prefix: Prg + secretRef: + name: vq2FHcobO + optional: false + - configMapRef: + name: Mfdidfx + optional: false + prefix: eggfGpU + secretRef: + name: gX5GT + optional: false + image: H + imagePullPolicy: 玣ɟ踣 + lifecycle: + postStart: + exec: + command: + - 5ABG2Ao + httpGet: + host: D4S2dPB + path: QCCIL6 + port: wu + scheme: eSÉĝ嶤ʮ牑 + sleep: + seconds: -6736232898620818377 + preStop: + exec: + command: + - "" + - 9oy + httpGet: + host: vIPKpEbM + path: l4HaTS9 + port: -180983347 + scheme: h儷#PX盩ʋÈ + sleep: + seconds: -3654571329064470871 + livenessProbe: + exec: + command: + - zGWiFCpvJyG + - 2A + failureThreshold: 130427535 + grpc: + port: -458689504 + service: keBJI3 + httpGet: + host: fkJ + path: MFy2 + port: 1638404838 + scheme: ƵĜRóM螻作仄ĨgŋƷ蔶慅Ƹ + initialDelaySeconds: -1024094942 + periodSeconds: -1045387639 + successThreshold: 966241980 + terminationGracePeriodSeconds: 43907789703605006 + timeoutSeconds: -2115548430 + name: n65z1Le + ports: + - containerPort: -496460005 + hostIP: m9e0LZZ + hostPort: 557092727 + name: hG + protocol: 奀x儋韖ȃ嶍射擋- + readinessProbe: + exec: {} + failureThreshold: 1620135876 + grpc: + port: -1149097195 + service: 7KtLa + httpGet: + host: Mel9pu + path: J + port: Bl + scheme: 臹欔 + initialDelaySeconds: -750113074 + periodSeconds: 820678693 + successThreshold: 1708685033 + terminationGracePeriodSeconds: 6351250062493105403 + timeoutSeconds: -89282235 + resizePolicy: + - resourceName: Cm2W + restartPolicy: o^Cǐɬ醒ÛQȌ帧圷孩Ą + - resourceName: jhEz4gNWQKP + restartPolicy: DV庴 + - resourceName: EgwUKXikbg + restartPolicy: 瑚 + resources: + limits: + 2jSTU8: "0" + 7OI: "0" + FIfseL: "0" + requests: + EPF86: "0" + GcwO1SNT: "0" + restartPolicy: '>Ǥ摔ȶ蘭ɘʜɩ' + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - J + - 8垺ŭihȸ£gJĠǐ!İ0 + - ƶ害Ƈ§孶邸 + drop: + - 龈PeęIJ傮ȅ溣E忬鮷蜆GÊ霌 + - þƢ^ + - RTmī07ý謐ɩ噎 + privileged: true + procMount: (朴頲碞!0¿搻ź)磑[哈YǓěNG$ + readOnlyRootFilesystem: false + runAsGroup: 3606686082741296584 + runAsNonRoot: true + runAsUser: -9076124251416402294 + startupProbe: + exec: {} + failureThreshold: -2038237600 + grpc: + port: -992723564 + service: bMQIm4Y6fY + httpGet: + host: w0Z6WQWwn + path: Kw + port: KdZFUIvpm + scheme: L媰 + initialDelaySeconds: 266050830 + periodSeconds: -879749840 + successThreshold: 1098563171 + terminationGracePeriodSeconds: -3577990655544091297 + timeoutSeconds: -838391922 + stdinOnce: true + terminationMessagePath: bh7 + terminationMessagePolicy: 餔Ŵ婜 + tty: true + volumeDevices: + - devicePath: 5EA9lR0y + name: wCP0dl2Uf + - devicePath: IKOQwmn + name: connmB4Ve + - devicePath: hssHEiwb + name: vP68uD + volumeMounts: + - mountPath: 9Yvkg + mountPropagation: Q众XM娪08菫 + name: XP + readOnly: true + subPath: Mk + subPathExpr: LV + - mountPath: 381fE + mountPropagation: ǚ钍jǍŏh濢n1ŕǼ姕ŗđċCʏ(漇 + name: 4prce + subPath: tvkrRPN + subPathExpr: Otc + workingDir: D4 +extraEnvFrom: +- configMapRef: + name: zdN8iNs1e + optional: true + prefix: z + secretRef: + name: tGw + optional: false +- configMapRef: + name: qRSvRtA6 + optional: false + prefix: dE0dDLvy + secretRef: + name: m + optional: false +extraVolumeMounts: +- mountPath: nTxUyaL + mountPropagation: "" + name: cwkJrEER + readOnly: true + subPath: FKU9h + subPathExpr: 12vLerk +- mountPath: DuUpWysEh2r + mountPropagation: IƏ + name: YlcuH + readOnly: true + subPath: 1faJ4ypp7 + subPathExpr: ZDct +extraVolumes: +- name: bdnliW +- name: Tr +- name: cd +fullnameOverride: bbshm +image: + pullPolicy: ɴ烚庻阐狘:ŭ(M$tY炜ī崞Ž + registry: QxUvz + repository: Gr + tag: hrAYj1i +imagePullSecrets: +- name: MTOK84IL +- name: YAl +ingress: + className: qyKUEOUT4u + enabled: true + tls: + - hosts: + - F7m23 + - "7" + secretName: M +initContainers: + extraInitContainers: aSeq42klM +livenessProbe: + exec: + command: + - ajpIBjdV + failureThreshold: -1650923727 + grpc: + port: -598400902 + service: NoUl1T + httpGet: + host: "1" + path: T + port: -1011339684 + initialDelaySeconds: -1047122153 + periodSeconds: 300714247 + successThreshold: 1660165948 + terminationGracePeriodSeconds: -6817463041894309382 + timeoutSeconds: 497385152 +nameOverride: o2F37Lr +nodeSelector: + Md8w5MD: cTipUm6 + Y31W: uQ5xyo +podAnnotations: + 5oGD5: wKq + Qi815eSQdI7wJ: SwgPh + vAJU: z +podSecurityContext: + fsGroup: -1210907643611065698 + fsGroupChangePolicy: IJ鄔ȫ荪癓椥%k矜椒ʊ0宻lƑɜIɇ + runAsGroup: -4059110951032458810 + runAsNonRoot: false + runAsUser: -6169453912741831517 + supplementalGroups: + - 5292690601828357137 + sysctls: + - name: xY9WN + value: JL + - name: v7R + value: q1nexB5KTD3SE + - name: PN + value: neE5ismaY +priorityClassName: aDlP +readinessProbe: + exec: + command: + - 2xO + - BlUV + failureThreshold: -2130189853 + grpc: + port: 996585883 + service: qWavRHqQOBBP + httpGet: + host: U + path: MJdmT7Y + port: aujUU + scheme: ¹Ť碏譽> + initialDelaySeconds: -781516024 + periodSeconds: 241739148 + successThreshold: 912206192 + terminationGracePeriodSeconds: 1472699093368179429 + timeoutSeconds: -1948646722 +replicaCount: 122 +resources: + limits: + g51: "0" + requests: + Wd: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: PXlML + name: 1ZXP + kafka: + awsMskIamSecretKey: Q8ZB + protobufGitBasicAuthPassword: 6x8Cv + saslPassword: kPhPSQWJJ + schemaRegistryPassword: JK + schemaRegistryTlsCa: SnQ + schemaRegistryTlsCert: nrxxx8 + schemaRegistryTlsKey: aizaszl + tlsCa: tKnCvE97 + tlsCert: XQGOjdnSY + tlsPassphrase: UIS + login: + github: + clientSecret: RAo + personalAccessToken: YJtxt19kpv + google: + clientSecret: V0kmwLq + groupsServiceAccount: AaiW + jwtSecret: FGWF3nXjDA4 + oidc: + clientSecret: rnv + okta: + clientSecret: ZE5mxhO6s + directoryApiToken: 7z + redpanda: + adminApi: + password: YwKgntj3 + tlsCa: ywmMdJU + tlsCert: OK6C5sNI0 + tlsKey: eNdF9knNN +secretMounts: +- defaultMode: 368 + name: GaEvNh0Ifo + path: 8c1 + secretName: "" +- defaultMode: 412 + name: Dy8Ef + path: X2Ct + secretName: QRQFk +- defaultMode: 211 + name: cLEkHy + path: alMc11eGER + secretName: 8miR +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ƕE仍腽ʨLJ甴Z´:涟 + - mŠ'菴h饘ǦŃ2 + privileged: false + procMount: 麤绊噃ȳ{ɚƪ秥ȧG + readOnlyRootFilesystem: false + runAsGroup: -8188439767627968973 + runAsNonRoot: true + runAsUser: 2990782549155496077 +service: + annotations: + 4yhZo: zLVEslN + Amz4VM: QAvK + IPCS: b1R + nodePort: 233 + port: 400 + targetPort: 329 + type: dPOD9Kzb +serviceAccount: + annotations: + PPZDrdmxKV: UBjiSx + automountServiceAccountToken: false + create: true + name: 8s2qVhKEW +strategy: + rollingUpdate: {} + type: '!蘃«2狺čH' +tests: + enabled: false +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: K98063hAMXd + operator: 閃ŘDZƳwųA旰C汔§挦塳¹@ē + matchLabels: + y9: GJEjaj + matchLabelKeys: + - 4xZpqk + maxSkew: -659297182 + minDomains: 1124395321 + nodeAffinityPolicy: ʬC8 + nodeTaintsPolicy: 鱯禓瞝 + topologyKey: mq + whenUnsatisfiable: A´ʕɭNÀȜ龎q擞u貒槂轌v +- labelSelector: + matchExpressions: + - key: Yd + operator: "" + values: + - dCWo2pjVuA + - hl8G3Kp + - M + - key: VYxo + operator: _k?Ř + matchLabels: + 3kRK: xOzJ6 + KUwsC: FN5bAqvV + QPay: w0lIH + matchLabelKeys: + - gkJFY + maxSkew: 501038978 + minDomains: -2011840701 + nodeAffinityPolicy: Łdz倾僚ʒ屆9ÐE釤Ŏo + nodeTaintsPolicy: Ǩʖ#Ŭǧ¦Ûũ°啑 + topologyKey: JCJYk4 + whenUnsatisfiable: 暛ūZɆǗ絜皼bȇĀ簁搿WXƪçɗÁ +- labelSelector: + matchExpressions: + - key: gyZMV + operator: ƲƬ釒橙ȋ齸鑝鷳ĔǸɊZ聻趁õÈc + matchLabels: + T1YT: SJYt + W: ZaF + WdGxif: 3EKPjb9 + matchLabelKeys: + - ukD8HM + - mD + - Z + maxSkew: 1774410820 + minDomains: 36391976 + nodeAffinityPolicy: "" + nodeTaintsPolicy: ŵɎļ%鋏[ʞô + topologyKey: oGrtNcnUje + whenUnsatisfiable: ƓǪĈɏ荥蟗Ș鉢A +-- case-040 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 7RRFnuao + operator: 鑿梞e璺瀧敢tȱ + - key: 3qz030r9N4 + operator: 脟óȨq駥Ƽx垤R$L + - key: 4egJ + operator: 敕ƒ洀ņ+Ō轲C丼Ʒij.ƾ蚯ƺ痻3皆咒 + values: + - "" + - J66saNw8 + - xBRUfDKhiA + matchFields: + - key: Kgp4qFm + operator: 桋iz<ïŃǃ襶D齿 + - key: 7F + operator: "" + values: + - iquNT + - aFPIw + - lYMJn4Un3 + weight: -954635927 + - preference: + matchExpressions: + - key: ePHgEs + operator: 撹ł + weight: -2109244754 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gK + operator: 垭ʮȌ)"彛 + values: + - Vvo + - "" + - key: n0 + operator: 挪VɱȒ + values: + - 595ST + - sHQoTQgQ + - ZyYxnGB + matchFields: + - key: "8" + operator: 餒ơ鋦r)锟壃m汇 + values: + - H8 + - matchExpressions: + - key: nErJm + operator: Ûɟ敀淽 + values: + - sbjW + - 1l + - go + matchFields: + - key: ozzkD4D + operator: Ʌ\h崭蠒ȓ旉蹖楚_掁S5 + values: + - NrN0Id15O + - VrahPz + - YJfhO + - {} + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: qiGNj + operator: jƯȨ穞ɿPȧ + - key: HPRR + operator: ž8ƃKKDz蠽ƚ0ƻ + values: + - NAx + - Pr2F + matchLabels: + LY: ZRjD + matchLabelKeys: + - ikCO + - n25 + - IY0AqNStYm + mismatchLabelKeys: + - uO6G + - EFKfLOM0 + namespaceSelector: + matchExpressions: + - key: frBwUGG + operator: ǧ啯ʖ6džȡ衺Z莋æȘzv + values: + - 68q + - PrId4k5Nk + - 1Izg6c + - key: H5neR + operator: "" + values: + - gf2 + - "" + - key: LTEiVQV + operator: ʅďl$y韙bO儺e籾吕ŃV + values: + - LccIflVn3 + - QX + - kRZLtn + matchLabels: + lccn5: lx6 + topologyKey: AE + - labelSelector: + matchExpressions: + - key: ljGag0 + operator: "" + values: + - 3AlcF9eOiK + - key: XPoIj + operator: ĻĵN稙²x鸴ʊ + - key: "" + operator: m[ɻD«ʯĢĥɖHÃú锺N蓍!f + values: + - cwRFs + - wJtpMgyV1I + matchLabels: + 6gzmw2BW: v1eC + QI6Gl: Ckzyw0v + uRw21: 36kl + mismatchLabelKeys: + - XiX9Mrhv + - Xk2Ri + namespaceSelector: + matchExpressions: + - key: Roq9G + operator: 槓G{? + values: + - YCBJEhS + matchLabels: + 9X5C: TU1y + PG1k: 8j76iX8R + iYq9QLUSh3bk: Mvl2WRQ + namespaces: + - Pp + - z1O9mW5rB + topologyKey: U + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: pqtCgWlk + operator: eŭñZ) + values: + - 6eUrtsX + - GmGeP7 + - pBhe0 + - key: gctw + operator: L?岤紎!蠾黅誽帯÷Ʉ坏q + values: + - G + - "" + - "" + matchLabelKeys: + - IGYc + mismatchLabelKeys: + - C + - XlxD2Y5h + - Eut + namespaceSelector: + matchExpressions: + - key: QNvJq6Uc + operator: Ǔƀ閝遨垛簙UdĢ7ȍ騽¹DŽ + values: + - m4wq + - TmuqVB1 + - key: PTVC + operator: 珙'ɀɒ虃龓楼ƺ譄êǿ + values: + - w + - K + matchLabels: + GQp: tw + namespaces: + - t + topologyKey: I9Ng7D + weight: -278680619 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: IaZiqfV6 + operator: 幋x:Ȗ + values: + - XmaYG80 + - aaEScB + - DxB + matchLabels: + J3Ny9zUJ2DOTKO: eiUL0RR + lt: bqOs + matchLabelKeys: + - XYHp1S + - JKj1 + namespaceSelector: + matchLabels: + WopugltEP1J: eaGpkiS + namespaces: + - H9w9Q + - A8D + topologyKey: pvkKW + weight: 252280673 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: lSi + operator: 襚ǫAŇþ腦W[ĕ嘱ʌſœɃ槏Z岪 + matchLabels: + OzmceOBQ: F2mtk + QcoH: qt3OR6ZcjY + t5Cqg1: 1x9WW8EUyyn + matchLabelKeys: + - 0XGJ + mismatchLabelKeys: + - K6T + namespaceSelector: + matchExpressions: + - key: KoofEA + operator: ' íɀ馩Ȭɫġo娤螗暴Û漷ʦO腔' + values: + - nj + - U + - onkfJ4 + - key: 0aO + operator: Ŷű輖+¶)罩ƌ×螂 + matchLabels: + 2hf: GeFfROs4 + pA23: kqkG + rZ: DH6cT + namespaces: + - yvfsu + - L3Pu + topologyKey: BBBCjZel + weight: 392487334 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 0hp: sd9 + mwTeR: D3HlJbmoK8 + matchLabelKeys: + - MwDkniC + - "" + mismatchLabelKeys: + - VuQB + namespaceSelector: + matchLabels: + 1x: Pj + D3J: 4gFps + bQU: weT0tI + namespaces: + - y9zrYKWApO + - rq0K3 + - 5XUeP7 + topologyKey: P7V + - labelSelector: + matchExpressions: + - key: Jv + operator: 啽ŃŐø + matchLabelKeys: + - s + namespaceSelector: + matchExpressions: + - key: Fy5Deb + operator: 旉錛!荕Ɂ! + values: + - nbiy + - "" + - 6QORDbd6zn + matchLabels: + bba0KJ: NE1j + nYif5xu0Hy9XW: 0s + qAoT: "46" + namespaces: + - 4JHyx + topologyKey: 7621t +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 470 + minReplicas: 361 + targetCPUUtilizationPercentage: 160 + targetMemoryUtilizationPercentage: 475 +commonLabels: + X: zjmrl + "Y": yG0 +configmap: + create: true +console: {} +deployment: + create: true +enterprise: + licenseSecretRef: + key: a7Ph + name: zsHNWVcS9 +extraContainers: +- args: + - jlI16Xnnb0 + - x0Z + - Tv6z + command: + - 3MnkZe0L + - OK + - cKvaGI + env: + - name: 7RtgX9 + value: TQH + valueFrom: + configMapKeyRef: + key: "" + name: GE2 + optional: false + fieldRef: + apiVersion: x2H + fieldPath: iVYVzT + resourceFieldRef: + containerName: 3QSG + divisor: "0" + resource: AgMtPE + secretKeyRef: + key: BhGA6 + name: LKemd3Cs9 + optional: false + - name: 9dFxchX + value: huoZj + valueFrom: + configMapKeyRef: + key: skdmo + name: gSEkUx + optional: true + fieldRef: + apiVersion: ymAcwLzaJ00G + fieldPath: de9Q + resourceFieldRef: + containerName: ZgwwQvA + divisor: "0" + resource: OTraA + secretKeyRef: + key: Pe8 + name: 39mCZV7ERv + optional: true + envFrom: + - configMapRef: + name: l + optional: false + prefix: kGdnbCakM + secretRef: + name: JrDM + optional: true + - configMapRef: + name: 0iH67 + optional: true + prefix: 3JVMhcII7 + secretRef: + name: PS1J + optional: true + image: Bx3IW17kjF7 + imagePullPolicy: È8秏糇 + lifecycle: + postStart: + exec: {} + httpGet: + host: EeLx + path: JC + port: 638412697 + scheme: 翔ĩñɁɬj局³喪Eů磘Ʒ唡嬤 + sleep: + seconds: -2739564842418698030 + preStop: + exec: + command: + - zjNyV + - 3i + httpGet: + host: RxhMCXQN + path: Dq + port: -821303664 + scheme: 髒xD>?ǠĆ踃w¬ + sleep: + seconds: 8925361607851382825 + livenessProbe: + exec: {} + failureThreshold: -2015695369 + grpc: + port: 102189788 + service: VG2k6Atq + httpGet: + host: 0dxm + path: Pix7SytH + port: 284583441 + scheme: 畝ǂƬƜ聞|b + initialDelaySeconds: 1150668189 + periodSeconds: 1279412097 + successThreshold: 337444728 + terminationGracePeriodSeconds: -665826210809930777 + timeoutSeconds: -802810999 + name: 1KSo0a + readinessProbe: + exec: + command: + - 3cCL4 + - en + - VN0 + failureThreshold: 448729232 + grpc: + port: -174942651 + service: paUcCUtV8A6 + httpGet: + host: tSEChhvGgDsf + path: Jrr + port: 516172996 + scheme: c{Ƭ臾斡:Ɣ?Í + initialDelaySeconds: -714126900 + periodSeconds: -88316167 + successThreshold: -1820867160 + terminationGracePeriodSeconds: 272130190949654337 + timeoutSeconds: 1803351679 + resources: + limits: + f9GQWFTKPFP: "0" + g5: "0" + requests: + 4A89zLoFG: "0" + SmOBH: "0" + restartPolicy: Ű高ǙG%7BČCaďʥyď + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - H鞕ă鶅镀秀 + - Ŏ昮0yƤɯ斺R妕Je芓BɜCĵ + privileged: false + procMount: ÿʑ鎆乭cŇ陛ǼȠn + readOnlyRootFilesystem: true + runAsGroup: 5591360478943231672 + runAsNonRoot: false + runAsUser: 6381588597473822835 + startupProbe: + exec: + command: + - rV83LKQ + - 87Vc + failureThreshold: -2022114361 + grpc: + port: 1348736621 + service: Gx8f9phR + httpGet: + host: fWnW4CGV + path: yQl0PNEE3g + port: TYi + scheme: 絅xn,ȵ6ʎ癙 + initialDelaySeconds: 205090742 + periodSeconds: -1401542741 + successThreshold: -2130268569 + terminationGracePeriodSeconds: 4104437343850793050 + timeoutSeconds: 604054255 + terminationMessagePath: ec8kHaD + terminationMessagePolicy: 甎i + tty: true + volumeDevices: + - devicePath: NFjF + name: AH + - devicePath: "" + name: u + - devicePath: 0q6A + name: nFe3FY4 + volumeMounts: + - mountPath: ad7JXhGN + mountPropagation: =廄殞+ + name: qVHWCUHp + readOnly: true + subPath: m3RBekA0 + subPathExpr: 7F0F8Ge + workingDir: LmnqIVV +- args: + - 3g94Jb + - "n" + - HxatWli7Qe + env: + - name: yKfn + value: fni0 + valueFrom: + configMapKeyRef: + key: cQjxg02ud + name: DqLUCO + optional: false + fieldRef: + apiVersion: dS + fieldPath: aH + resourceFieldRef: + containerName: BVSH2Bxu + divisor: "0" + resource: ZLW3 + secretKeyRef: + key: J + name: APYyG5qY + optional: false + - name: b4i9WEf + value: Ru + valueFrom: + configMapKeyRef: + key: mzxgZ + name: XgDd + optional: false + fieldRef: + apiVersion: U1l + fieldPath: sG2pcjz + resourceFieldRef: + containerName: Vlc1Ru + divisor: "0" + resource: hZpqB + secretKeyRef: + key: X0W3QpdAhux + name: I3L + optional: true + envFrom: + - configMapRef: + name: DJjN7Phe + optional: true + prefix: 4K2MBzNl + secretRef: + name: s4GF + optional: true + - configMapRef: + name: td0aZ + optional: true + prefix: CYvFW + secretRef: + name: WaBWGCRa8 + optional: true + - configMapRef: + name: ehHs9m + optional: false + prefix: n1x + secretRef: + name: TdUJ + optional: true + image: UNJ6E6 + imagePullPolicy: 砓³绔丬A + lifecycle: + postStart: + exec: + command: + - Qs8Sd + - JGX4Qj + - eCw00uq + httpGet: + host: NNLSd + path: y4tS + port: QzOfwe3a + scheme: º猗ĥɮƅLɘ隮术ƒ赥;,ǝ髳Ĝ7Ĭ嬳 + sleep: + seconds: 1170469124057922158 + preStop: + exec: + command: + - TN62uDLAuIx + - ndI + httpGet: + host: t7H6l2 + port: RHeYpAvJ8 + scheme: KǠɀƴ杔¸Ɉ$毕削peýfv! + sleep: + seconds: -5232306180460338099 + livenessProbe: + exec: {} + failureThreshold: -1900233123 + grpc: + port: -1323381498 + service: wJ + httpGet: + host: pAHsn3 + path: k31zW1 + port: 2elbrK + scheme: 痯秿丌 + initialDelaySeconds: 537756270 + periodSeconds: 1139432456 + successThreshold: -289377675 + terminationGracePeriodSeconds: -709025030374540888 + timeoutSeconds: 254134433 + name: zWs + readinessProbe: + exec: + command: + - x093a + - v1 + - Ef + failureThreshold: 75768089 + grpc: + port: -237977747 + service: "y" + httpGet: + host: EBEth + path: C + port: 790399211 + scheme: ær堹mhʢ + initialDelaySeconds: -157687184 + periodSeconds: 1071897332 + successThreshold: 824432298 + terminationGracePeriodSeconds: -54575953702939670 + timeoutSeconds: -1190752843 + resizePolicy: + - resourceName: R9fM + restartPolicy: ?ʖȒƅƀ逎v鐰wģ籫 + - resourceName: 7C + restartPolicy: óʌF鿯薸k} + - resourceName: Bqy + restartPolicy: E吻X秤} + resources: + limits: + UMJnobyO: "0" + qJmAwr: "0" + requests: + ZktW7e51vRUG: "0" + restartPolicy: '>ŀ鎙莸鼔茷蝼薼Ƽƅ°3貦罌臣洴軟處姼' + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - 儜vƝ¾ + - 輝Ġ$琑+檂 + - 飂 + privileged: false + procMount: ɓĎʙʗG0瑑娄K坢Ö&Ù + readOnlyRootFilesystem: true + runAsGroup: 2234167178876811137 + runAsNonRoot: true + runAsUser: -1191472066985646967 + startupProbe: + exec: + command: + - KGi9U + - D6 + - HZ3aC1 + failureThreshold: -2057203764 + grpc: + port: -1203229903 + service: Xd + httpGet: + host: tTW + path: oWk + port: -1347841801 + scheme: 檸`sȝBULj懄 + initialDelaySeconds: 1386184157 + periodSeconds: 2110004457 + successThreshold: -692279219 + terminationGracePeriodSeconds: -7060466210747559086 + timeoutSeconds: -905577521 + terminationMessagePath: g + terminationMessagePolicy: 頨Ĥ° òȯǤū暓坐ƚă杋鍄 + volumeMounts: + - mountPath: FmQht + mountPropagation: 饌^ǩ朳ųW磀ĥAijƨ+= + name: j5 + subPath: aoEWb7k + subPathExpr: 0ra + workingDir: zmwmt +- command: + - oFEaN2U1 + - HuBj9vk17eCjI + - "" + env: + - name: n3JVvVY + value: U14PEXs + valueFrom: + configMapKeyRef: + key: Ai0Xg3owIe7XlG + name: U4 + optional: false + fieldRef: + apiVersion: ZyO4Jpwkp2hV + fieldPath: roNil + resourceFieldRef: + containerName: gx + divisor: "0" + resource: Z + secretKeyRef: + key: AcP + name: qMy + optional: false + - name: oSWakHA + value: eR + valueFrom: + configMapKeyRef: + key: qsSVOr + name: o + optional: false + fieldRef: + apiVersion: SeP3aPXfjLIcfE + fieldPath: 091i + resourceFieldRef: + containerName: T5hI + divisor: "0" + resource: KxGi43CVGe + secretKeyRef: + key: "" + name: 5uI + optional: true + envFrom: + - configMapRef: + name: MujT + optional: false + prefix: cVRH + secretRef: + name: mpF + optional: true + - configMapRef: + name: MeO3F + optional: false + prefix: w3C4 + secretRef: + name: hnYx + optional: false + - configMapRef: + name: NT5MFmC65 + optional: true + prefix: "7" + secretRef: + name: yl2ze1 + optional: false + image: A8o + imagePullPolicy: ?晐T鴭Xp + lifecycle: + postStart: + exec: + command: + - zaLOG2 + httpGet: + host: kA51kbv + path: LMnFclIJczBo + port: 402299955 + scheme: :踖坯(Iȷ碨劅 + sleep: + seconds: 245674034851902981 + preStop: + exec: + command: + - Tz87qO + httpGet: + host: Xr6sP + path: xxE + port: 1901089000 + scheme: 3媧ş>La芸`Lzuŀɽ坤¦.痻Jǻ + sleep: + seconds: 6906639179439192094 + livenessProbe: + exec: + command: + - yxk0313sz + failureThreshold: 385001414 + grpc: + port: 1589713469 + service: UA + httpGet: + host: ZWfT + path: vTNYug5RZh + port: -192111662 + scheme: e¢dYÜdz + initialDelaySeconds: 1708942834 + periodSeconds: 1356452566 + successThreshold: 1750780088 + terminationGracePeriodSeconds: -1272770054640188829 + timeoutSeconds: 1656218869 + name: FxzTg + ports: + - containerPort: 63673829 + hostIP: 4xjED0VKV0G + hostPort: 2007665826 + name: xbwJ + protocol: ¼vb皪螯ʉwʒR玔È覦劙 + readinessProbe: + exec: + command: + - 0S + - "" + - GkPj + failureThreshold: 1405674719 + grpc: + port: -1659132742 + service: gIFP + httpGet: + host: jYnI3ins7 + path: bIEaFAc1 + port: UHfz + scheme: ʼn + initialDelaySeconds: 1531278754 + periodSeconds: -238235402 + successThreshold: -1690388514 + terminationGracePeriodSeconds: -2788228502880198888 + timeoutSeconds: -567709755 + resizePolicy: + - resourceName: nxpzTS + restartPolicy: ƫŀMs+,ǼƞȒ + - resourceName: 61uCVQ1 + restartPolicy: /澰ɍ½鑀a帷[鞺鏨攬姟壃F$R犬 + resources: + requests: + YfM: "0" + restartPolicy: œ|F彟S崘Ȑ貸1Ũȷ+齳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 鸎dĉç荧 + privileged: true + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: 5795239965908151493 + runAsNonRoot: true + runAsUser: 2409160731771391054 + startupProbe: + exec: + command: + - D6j2Q + failureThreshold: 975103738 + grpc: + port: -2081980063 + service: Nh + httpGet: + host: vdLm3FUXIs + path: jqCqF + port: "" + scheme: Ű"ƆĩNÙ襔冠ʈ + initialDelaySeconds: 524220215 + periodSeconds: 923596095 + successThreshold: 547119693 + terminationGracePeriodSeconds: 7382309226647739877 + timeoutSeconds: -1902082444 + terminationMessagePath: 2i5 + terminationMessagePolicy: 踑ĆĦ荷ýA/ǎ桫 + tty: true + volumeDevices: + - devicePath: KlUUX + name: NWO + - devicePath: W1JLM + name: qNw + - devicePath: BVE + name: c + volumeMounts: + - mountPath: yCztpht + mountPropagation: 巧苄;钽肇謌ʭɿw刄wɰM迵. + name: Mv9 + subPath: RWmlw + subPathExpr: Oy + - mountPath: Gf + mountPropagation: ɩ + name: On78O + readOnly: true + subPath: s7p + subPathExpr: 57aJIvpEm + - mountPath: m + mountPropagation: 崌蠿Ƣ湺 + name: CXSu + subPath: F8oe + subPathExpr: S +extraEnv: +- name: cD + value: JW + valueFrom: + configMapKeyRef: + key: "" + name: 8Ri7OfQ + optional: false + fieldRef: + apiVersion: Qc + fieldPath: 6ZYFg + resourceFieldRef: + containerName: qkUV + divisor: "0" + resource: yEf5zz13U + secretKeyRef: + key: xozuxs + name: z + optional: true +- name: "" + value: gea3 + valueFrom: + configMapKeyRef: + key: hwe3l3k2h + name: QX + optional: true + fieldRef: + apiVersion: kx + fieldPath: m7f + resourceFieldRef: + containerName: 0XEGE + divisor: "0" + resource: y4ce5 + secretKeyRef: + key: hmvX + name: 18Z + optional: true +extraEnvFrom: +- configMapRef: + name: DR3hdrvZIv + optional: true + prefix: kGV4HZ8 + secretRef: + name: tR3Yu1G + optional: true +- configMapRef: + name: 6pMd0VA0 + optional: true + prefix: Csp + secretRef: + name: ceqZBJ7fdqP + optional: true +extraVolumes: +- name: iPeR +- name: ZgdCb2kUB +fullnameOverride: KchYZFsbB3 +image: + pullPolicy: -0Ź桛ɼ訚Ņ;秵ňĝ苒9麡ñà臸ʫ + registry: cwfXN2KlU + repository: qYQHJ + tag: RIG +imagePullSecrets: +- name: V1 +- name: AyLzRkaGE +- name: 3pZ8 +ingress: + annotations: + 7KBv: R6qBYfCa + aBRf1: ygsbc + yL0ht8k8h: e + className: N8nne2Adwe5AYa + enabled: false + hosts: + - host: FyKy + paths: + - path: Cgcwa4F + pathType: pcConNItFmo +initContainers: + extraInitContainers: uND1 +livenessProbe: + exec: + command: + - 6VSzmxYwHC + failureThreshold: -1894321442 + grpc: + port: 487517384 + service: INsH + httpGet: + host: JNW + path: QZgsr + port: 228553774 + scheme: 躀廗裲繄鄸爖ž + initialDelaySeconds: 1986051838 + periodSeconds: 541607099 + successThreshold: -1968479306 + terminationGracePeriodSeconds: -7878496327638757142 + timeoutSeconds: 1374945691 +nameOverride: 6sW +nodeSelector: + y63G: wNiNvOMv +podSecurityContext: + fsGroup: 2302511509023017096 + fsGroupChangePolicy: 闦ñ禢`J鉤 + runAsGroup: -2347956389924856743 + runAsNonRoot: true + runAsUser: 1720952380350228641 + supplementalGroups: + - -621944387099711210 + sysctls: + - name: CvGz + value: "" + - name: dO + value: qwZyE +priorityClassName: 3A +readinessProbe: + exec: + command: + - "" + - KEndqzRiV + failureThreshold: 467513555 + grpc: + port: -1573796455 + service: ErWB + httpGet: + host: lLC + path: HH5gzp + port: -1970119534 + scheme: 酥梕ʄE訳 + initialDelaySeconds: -6410364 + periodSeconds: -623380707 + successThreshold: 1641270972 + terminationGracePeriodSeconds: -4383611239728405989 + timeoutSeconds: 1203716236 +replicaCount: 291 +resources: + limits: + "1": "0" + MrwIP: "0" + hgaW: "0" + requests: + 1lF: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: yoQYDK + name: xU86MHgk + kafka: + awsMskIamSecretKey: b1dpxuu + protobufGitBasicAuthPassword: bNLttpx0UHrQ + saslPassword: WLiPGk4IafDZkx8 + schemaRegistryPassword: d7In271W + schemaRegistryTlsCa: JYJZN + schemaRegistryTlsCert: muZOO19 + schemaRegistryTlsKey: 7cUIM + tlsCa: NWid + tlsCert: v843II + tlsPassphrase: ks1QSKsS + login: + github: + clientSecret: Bh26we + personalAccessToken: yKlBsX + google: + clientSecret: luzCc89Wm0 + groupsServiceAccount: qpX + jwtSecret: ojb + oidc: + clientSecret: cze + okta: + clientSecret: uuUR + directoryApiToken: WOW1d + redpanda: + adminApi: + password: rVI + tlsCa: yMec + tlsCert: YYHCeTg + tlsKey: 4Qv3y5Dl +secretMounts: +- defaultMode: 83 + name: ieSo8V + path: d + secretName: mD0jl +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 阊 + - DIȜO吽解诎-曅 + drop: + - 贎秨Ůɭ懾Ù盾| + privileged: true + procMount: ʪ勪įOew\Ǡ礓 + readOnlyRootFilesystem: true + runAsGroup: -6230225082797374618 + runAsNonRoot: true + runAsUser: -2569068293811684873 +service: + nodePort: 314 + port: 424 + targetPort: 17 + type: oZi +serviceAccount: + automountServiceAccountToken: true + create: false + name: Cj +strategy: + rollingUpdate: {} + type: G阏发6s +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: pPoL + operator: ǭȉćŴ讶Y + values: + - "69" + - UC9 + - "7" + - key: 6toZoG + operator: Ġ+kʫȸ颷ʅÓ欽V譵; + values: + - go8adRXrn + - key: S + operator: ĕȻ*Gɝ靿暛_洳瑼Ĩ + matchLabelKeys: + - "" + - V7xIs1 + - eqq + maxSkew: 983843814 + minDomains: 854272231 + nodeAffinityPolicy: '>S篐ö抏茄(6' + nodeTaintsPolicy: e3äTȦ硷B捕萑Ǵ吷Ǿ邂Ǝièø + topologyKey: NoEcMWkg + whenUnsatisfiable: 幗鞲&渶Ÿɪ`鹵N +-- case-041 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: gRchHJ + operator: g>騿b鈐ʃB¾偡医選ȍ恋 + values: + - I + - Ei + - "" + - key: hyf + operator: 斒ʃǜƆƲ + values: + - QUyyD + - key: Bkmx + operator: ư酰姺醪芄堑 + weight: 751548356 + - preference: + matchExpressions: + - key: oLam + operator: 蟹 + values: + - ouUaVpYnKDUI + - key: vjw6GPYYTKt + operator: 竣iN¸嚿×ɮib + values: + - ZTaqp + - key: d8VuBX6qV + operator: 脼Ȩ + values: + - a8aOe1 + matchFields: + - key: twbeCR + operator: óçøG靼Ɏȸ­乷ɍ + values: + - fJAm6rm + - 2h8IU + - zE9 + weight: 291395585 + - preference: + matchExpressions: + - key: qC6uf99en + operator: 鼢犖龆醑喐蠿鯌ʛB契p + initialDelaySeconds: -879591831 + periodSeconds: 1110714898 + successThreshold: -1301180826 + terminationGracePeriodSeconds: 3872467306429462875 + timeoutSeconds: 674947774 + terminationMessagePath: bm28lY3K2pwh + terminationMessagePolicy: Ȇƍ@¦Ț'±0ž + tty: true + volumeDevices: + - devicePath: o8dr + name: XmhFb + workingDir: 5wQN +- args: + - o0cO9clz7 + - HMSb + - 6uV0c + env: + - name: M3V9WePpx + value: ysO25 + valueFrom: + configMapKeyRef: + key: UqaJg4r + name: RfxtXP + optional: true + fieldRef: + apiVersion: lwe4YmNPx + fieldPath: tQj57vj + resourceFieldRef: + containerName: ZQ + divisor: "0" + resource: T + secretKeyRef: + key: x + name: ny4NEtt3z + optional: false + - name: cc2 + value: L0hw + valueFrom: + configMapKeyRef: + key: 385Ue36 + name: mmjoQw + optional: false + fieldRef: + apiVersion: 6oECJJ + fieldPath: viT + resourceFieldRef: + containerName: gwdJxK + divisor: "0" + resource: ck7 + secretKeyRef: + key: UuNsYAQvXJ0 + name: 1NAqDCU3 + optional: true + envFrom: + - configMapRef: + name: ZFk + optional: true + prefix: bXa4IzYR + secretRef: + name: aAJU + optional: false + image: JPgUP + imagePullPolicy: Q ¶ + lifecycle: + postStart: + exec: + command: + - r1uMNf + - M + - 8G + httpGet: + host: cuhhh + path: lXMriYoe + port: -988033465 + scheme: ',轄kzĒfť' + sleep: + seconds: -8820103652541681769 + preStop: + exec: + command: + - bElmX + httpGet: + host: bCNS + path: A0F + port: "" + scheme: 砘ɁA甜猷14ʣ)ǨƿŊ\ + sleep: + seconds: 821413986956195833 + livenessProbe: + exec: + command: + - M9y + - ay + - sRaY + failureThreshold: 600887441 + grpc: + port: 1597779369 + service: ua8K + httpGet: + host: 0XuF + path: V3 + port: -703127215 + scheme: 舷$趺É螳P阁]嚂驶钋琦袳$ƸO侎 + initialDelaySeconds: -1230549565 + periodSeconds: -335663932 + successThreshold: -1184112514 + terminationGracePeriodSeconds: 9077275487127832448 + timeoutSeconds: 1992088322 + name: pz + readinessProbe: + exec: + command: + - lVaA + - E9DNIWT7reP + - NW1Cc5O2 + failureThreshold: 1119300491 + grpc: + port: 2061347792 + service: fUXdOYJ9On + httpGet: + host: "0" + path: Us3pM3OkquAEW2 + port: -1693856749 + scheme: 鞡|鬟扝}肾~ + initialDelaySeconds: 1307857751 + periodSeconds: 1903760018 + successThreshold: 612917619 + terminationGracePeriodSeconds: -4296518247806248606 + timeoutSeconds: 1025631498 + resizePolicy: + - resourceName: "8" + restartPolicy: ȯy髚ʦ=ǰɮ瓿b:劀ǴáiO3IĮ + - resourceName: 8mFXK1FTs + restartPolicy: ėv|冿瀱Ƥ鐻D[ƼŮ/ + resources: + limits: + TVwPaoBqGL: "0" + juxQS6V3mr: "0" + requests: + igiG: "0" + restartPolicy: 皷ƴȿOvJ郦'欝 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ǐ缠]館ʚƾó|őɤ + - 6 銨dN_ZɻǦ絛顆麓 + - u鹍u鼓练gʘɍK]痰痁鶄Ȼ咶嚅俊ǙǕ + drop: + - 沎闸埲dz + privileged: false + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: -265773045457612130 + runAsNonRoot: true + runAsUser: -6489119899323828796 + startupProbe: + exec: + command: + - 95NULc + - cCLaGfz + failureThreshold: -414102461 + grpc: + port: 339886942 + service: 7hdbpU + httpGet: + host: bN6EBrngIW + path: Luv09 + port: plsGDEJ + scheme: ʔ垃桪抴痺MM温ǹ + initialDelaySeconds: 2135898388 + periodSeconds: 1107416140 + successThreshold: -648919802 + terminationGracePeriodSeconds: 4653203112295127978 + timeoutSeconds: 1294917615 + terminationMessagePath: C + terminationMessagePolicy: 擎:Ȓ + volumeDevices: + - devicePath: TGjb8dLs + name: QN5Dj50Kuoc + - devicePath: aRIfAur + name: wQ47Fq7W3WPNDG + - devicePath: 2Smu + name: 1Q3d5wRJf6 + volumeMounts: + - mountPath: 5Trbk9 + mountPropagation: 秮驇穁 + name: YvM + readOnly: true + subPath: pFKsUV + subPathExpr: mhIjzA + - mountPath: F3lqb + mountPropagation: 窆f + name: NJXDvoxv + subPath: zVGgP + subPathExpr: H + workingDir: IEObw8N +extraEnv: +- name: 4R567pw + value: mWumx + valueFrom: + configMapKeyRef: + key: zDKgXG8 + name: Murbi95HW + optional: false + fieldRef: + apiVersion: FE + fieldPath: WAoZL + resourceFieldRef: + containerName: KyYyulloT + divisor: "0" + resource: fqVTn + secretKeyRef: + key: "2" + name: MHnd7TscnRWwYy + optional: false +- name: fm + value: 8fbdsVIUd + valueFrom: + configMapKeyRef: + key: "" + name: 6dU18hENH + optional: false + fieldRef: + apiVersion: Z + fieldPath: yt6csyy + resourceFieldRef: + containerName: c1WXMV + divisor: "0" + resource: NJVUoKSuC7pJDm + secretKeyRef: + key: "" + name: JptOa + optional: false +- name: WjWJX + value: 9VpkkQa + valueFrom: + configMapKeyRef: + key: Rpe79 + name: os5FYjLzS + optional: true + fieldRef: + apiVersion: "0" + fieldPath: j + resourceFieldRef: + containerName: NYuP + divisor: "0" + resource: EWUuGe739oa + secretKeyRef: + key: CFh + name: 8zez51Q + optional: true +extraVolumeMounts: +- mountPath: cIK + mountPropagation: 爂 YLƝ«煘?沀#朚ń鮾+ğÔ + name: orwvhF0 + subPath: ivP1ha4I + subPathExpr: VPCFJYVRHf +- mountPath: s + mountPropagation: m椥扶ȟqÈ倕{峙刷} + name: O35 + subPath: AN + subPathExpr: vm7 +- mountPath: 7P72D19W + mountPropagation: 堂窜B,Ś贃腔Ʈ£顽ąfYR + name: 6Z + readOnly: true + subPath: d7MJ + subPathExpr: LF +extraVolumes: +- name: "4" +- name: Kry +fullnameOverride: eHZ +image: + pullPolicy: ź,Î斎殉媰Fƅ + registry: l0qIdHu + repository: 5OO0wF5p + tag: i +ingress: + annotations: + fDuBFTYK9Q: 5XXu + wYD: 6p + "y": "" + className: Zp11 + enabled: false + tls: + - hosts: + - "" + - I + secretName: yCke +initContainers: + extraInitContainers: GXh2uupW81kt +livenessProbe: + exec: {} + failureThreshold: 1618833311 + grpc: + port: -1505397275 + service: IUgXOa3 + httpGet: + host: 99a94 + path: YFX41J + port: -636645896 + scheme: ƣ[ɐ虪ǸI + initialDelaySeconds: -1510068452 + periodSeconds: -1728837159 + successThreshold: -1832841689 + terminationGracePeriodSeconds: -2499091687248362302 + timeoutSeconds: 254335269 +nameOverride: 84QIe +nodeSelector: + JDRn7n: tOGfx + lKq0V88a: uR3S + vXzm2Hny: tURxvlp +podAnnotations: + JkW1: feghYA7 + okSVM8H: 7Pau + yYrmYn: uT +podLabels: + b4I: j707zvg + eyn1: gqdp7 + sWR: MV07t +podSecurityContext: + fsGroup: 3426922926776119440 + fsGroupChangePolicy: 橣 + runAsGroup: 8316915980597683441 + runAsNonRoot: false + runAsUser: 6270039107728700969 + supplementalGroups: + - -2399342924686736516 + - 620655430084388100 +priorityClassName: 6ZbHC +readinessProbe: + exec: + command: + - u4wSt + failureThreshold: -992972964 + grpc: + port: -940292781 + service: zh5 + httpGet: + host: 1Tg + path: FfFHRfo + port: -94900838 + scheme: țcPÞ + initialDelaySeconds: 2051362912 + periodSeconds: -288287188 + successThreshold: -404266702 + terminationGracePeriodSeconds: -123318567100123885 + timeoutSeconds: 31934256 +replicaCount: 378 +resources: + limits: + 0Yl63: "0" + BUorG9: "0" + requests: + JNdWuFZf5nnT: "0" + aszsvHn: "0" + qC76cU: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: "5" + name: X2lLLdu + kafka: + awsMskIamSecretKey: RoyDigH4v7A0 + protobufGitBasicAuthPassword: 3m + saslPassword: 5E + schemaRegistryPassword: "2" + schemaRegistryTlsCa: DSr2uQnBZ2 + schemaRegistryTlsCert: mji + schemaRegistryTlsKey: EcukHN + tlsCa: HwarCHVf + tlsCert: tsx + tlsPassphrase: owRWr + login: + github: + clientSecret: 3QP + personalAccessToken: RFXhu + google: + clientSecret: KbrHoAQ + groupsServiceAccount: tSLR4 + jwtSecret: gQSZ8AC + oidc: + clientSecret: O + okta: + clientSecret: tv58V + directoryApiToken: C3j + redpanda: + adminApi: + password: OZVk + tlsCa: F4wK + tlsCert: nkKfJ + tlsKey: ewWdsq +secretMounts: +- defaultMode: 210 + name: gcTdF + path: ctE5Qa + secretName: MPU +- defaultMode: 186 + name: "4" + path: n8KpOJZ + secretName: s6 +- defaultMode: 412 + name: lBE0nAE + path: 3Ka7 + secretName: RG +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 憑 + - 贁 + - cÝ琦ŝʛD緪娥t諰ɤɼʠßʏ + drop: + - Hē粙 S綽ESFľĞóǂ + privileged: false + procMount: '>IÐ肣ɚòĺIGʖƟ穿ź' + readOnlyRootFilesystem: true + runAsGroup: -6867300864246942363 + runAsNonRoot: true + runAsUser: 972586500223089794 +service: + nodePort: 310 + port: 190 + targetPort: 396 + type: uTyclgj9tVV +serviceAccount: + annotations: + 1vh4t: 2P6FHr47JPz + JPV: tx0p + automountServiceAccountToken: true + create: false + name: gIkiPRSc53Eb4w +strategy: + rollingUpdate: {} + type: ĸ鍽3ɨ勍Ȱ¦T搟 +tests: + enabled: true +tolerations: +- effect: ć`湇Ȏ2篤螕巴蛬>@ø£鞌q + key: E7p + operator: 畁鼄瓈貔Ĕ釲ĸȚ貺|ǴĄl蔺İɽ糹 + tolerationSeconds: 3092681449541780742 + value: Zmrz8 +-- case-043 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: x2q + operator: B肖HOʀ + values: + - "" + - Ys3JeXs5q + - key: kTV1 + operator: ɑɸ&楥ÃFŎł + values: + - UQJ1b + - PSnF + matchLabels: + x3: OyQXZWg + matchLabelKeys: + - c7l + - QL52 + mismatchLabelKeys: + - upadP + namespaceSelector: + matchExpressions: + - key: ve00EK + operator: 'ɗY莶ʥV蔈ƀ廜ȶƹŀLjÓ%õɽ ' + values: + - KsFwEq9un + matchLabels: + pZaTZ4dEyKe: Zr + y2udi: nOeICOHiSN + namespaces: + - eh3 + - Tk + topologyKey: sDRodPzb + weight: 950808176 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "5" + operator: 豗ŵǕ + values: + - CXc + - lamtTG39Nn + - key: PAiD + operator: 靑 + values: + - Xc2 + - 0vCS1b + - MsAd + - key: V5SqAAs0jK + operator: tŇ + values: + - "" + matchLabels: + sN: eS9 + zyhZtMI: vk + mismatchLabelKeys: + - "9" + - 8kmgYkR + namespaceSelector: {} + namespaces: + - rttEi + - LsPL05A + - vt + topologyKey: RI9Fz + weight: 735869102 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3wYP8eoC3 + operator: Ĭ囁缯盦鍎Șe宧冸'Pțl諷鵣 + values: + - tjW4s6vTm + - dAFd + matchLabels: + MYd: Xsox8 + vdIPmBzGHW: u + vtRD: cJZSpnJ + mismatchLabelKeys: + - ysVrZBCS + namespaceSelector: + matchLabels: + LLN: an + zhG0GzF: ebgXWsq + namespaces: + - Tc7JW + - l5 + topologyKey: XvVTKe + weight: 284965413 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: snHS61E + operator: ŁjĈ偔Ĵgä缬ɏ魜竿Ȍ匊ȡf + - key: GF64H + operator: N?+痱+龟嗙糨(;籄µ_ȤP榡Ȁ + values: + - sBC5mout + - gLNrAHCql + matchLabelKeys: + - I6T + - cfQ + - bj1O + mismatchLabelKeys: + - DOsKcbZ + namespaceSelector: + matchExpressions: + - key: wabhpRnnMK + operator: 昶Ǝ傪Ȃß + values: + - 6A + matchLabels: + AWV: wH5n597Z5ZD + MO5x: gCiuzkb + namespaces: + - SE6wLN + topologyKey: i + - labelSelector: + matchExpressions: + - key: hyV52PjMCdDTPM3Xj + operator: t.卆痘惠Ú皙駼ɥ飑蝪 + values: + - df + - QinuCr3k + matchLabels: + "4": xjs7u + 26YT8Kwl: 6Fn7QaX + IyQVKh: FT + matchLabelKeys: + - 43p + - 7wOCOZltU + mismatchLabelKeys: + - 69P + - KGelm4KjR + namespaceSelector: + matchExpressions: + - key: lc1l + operator: 圼酭蟶ƿʕNȎ褷K0¢戜ŰĨ矤磓 + values: + - F5sJcyG + - gSLP4 + - key: VUC9 + operator: 伂Nxŧ}_Ť + values: + - fdEFxj + - key: TtWF1erkH + operator: 鿐ȖP薈廰ǿÅʋ + values: + - 8fCxCdw018mnN + namespaces: + - MI7v + - 4d + topologyKey: t6NgG + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: D + operator: 棎 + values: + - 20fifD + - FrMdPhx9xo + - key: UGNn3lb + operator: 佛Ǥ3 + - key: Z2RLUvJbK + operator: "" + values: + - FdkgDft + - TefWIg2 + - bpqycNdCB + matchLabels: + HS3J6YWoEqk: Z6wgyP + doC4E: kBDLOXELx + matchLabelKeys: + - AcWh + - wz1OjMAc + mismatchLabelKeys: + - TzAtxmFj + namespaceSelector: + matchExpressions: + - key: 0PcmdJ + operator: h + values: + - cUMRXCqpYKF + - key: CNiL1smGnM + operator: cSŦ胪ǟ婟魳!M + values: + - nn + - J + - DT + namespaces: + - 115aP7 + - NIr + topologyKey: pAC + - labelSelector: + matchExpressions: + - key: N5YJ + operator: '`ȺDŽ窿U澩Û' + values: + - c6b9k + - kBiQmy4m0 + matchLabels: + I7ZhU9r: mVYody9U + kY71: tu + r0veMW: zYM + matchLabelKeys: + - iswu + mismatchLabelKeys: + - CANmp649B + namespaceSelector: + matchExpressions: + - key: 9dVeM + operator: "" + values: + - j4ohdLhch + - l + - "" + - key: Dg0F + operator: wŴǂ&;计DzP.觰髬uþ + values: + - gaIEZk1 + - W + - ox3 + - key: eem + operator: F铃ø睤榺蠯ƺDZ2s瘨澌秠%晸 + values: + - gQvNAvyI + - oime + - 4Sq9 + matchLabels: + J9W: R8 + o3EOEfEW: doLp + namespaces: + - kkkj1owvoXiU0 + - yfKU6aK + - LAx8rxmN8 + topologyKey: Z +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 400 + minReplicas: 207 + targetCPUUtilizationPercentage: 127 + targetMemoryUtilizationPercentage: 234 +configmap: + create: false +console: + roles: + - Ei: null + v4ACJLz: null + - isAtO9ew4: null + yruh: null + - 51fb5in: null + ILAz4wr: null + l90: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: lN0R + name: Is29uweE +extraContainers: +- args: + - lXv3W4h + command: + - 0hlaE + env: + - name: 2R4HDOw + value: Ow63m2 + valueFrom: + configMapKeyRef: + key: W + name: K4xi + optional: true + fieldRef: + apiVersion: Jky + fieldPath: 53aQO + resourceFieldRef: + containerName: FnyzXcJW0Y + divisor: "0" + resource: CEeuoM3B + secretKeyRef: + key: d1k + name: gqHwwuuW7YCi + optional: false + - name: ixNGgU + value: zzCXF + valueFrom: + configMapKeyRef: + key: pAT30it + name: t + optional: false + fieldRef: + apiVersion: yp + fieldPath: Mh1WcPCbP + resourceFieldRef: + containerName: IswD1IBE9 + divisor: "0" + resource: Ro + secretKeyRef: + key: yFZxBVZdODt + name: X + optional: true + - name: WTnCxkS + value: pEk + valueFrom: + configMapKeyRef: + key: 11H + name: QATfCX3IsDv + optional: true + fieldRef: + apiVersion: vN4 + fieldPath: qMFch + resourceFieldRef: + containerName: uO0O + divisor: "0" + resource: N0cJGosw + secretKeyRef: + key: fDMU + name: hps + optional: true + envFrom: + - configMapRef: + name: 0OJJ5YVIX03 + optional: true + prefix: qMb + secretRef: + name: Q + optional: true + - configMapRef: + name: xbFZU + optional: false + prefix: a1 + secretRef: + name: x + optional: false + - configMapRef: + name: k37 + optional: false + prefix: YoFy + secretRef: + name: ogUiKqk + optional: true + image: 0pe + imagePullPolicy: 娒菐皎X噴粗嘍»ƪ~ + lifecycle: + postStart: + exec: {} + httpGet: + host: lO6z + path: Ocry6h + port: ZXfKF + scheme: ə朕IH尹ğ殤鍻O艚Ʃj"羈 + sleep: + seconds: 5751106255636900299 + preStop: + exec: {} + httpGet: + host: 7QkaR + path: F + port: 1848101873 + scheme: 7Õ嚎c煣擢?ǙȬžREWƿY#¡DZ + sleep: + seconds: -6692990274650219794 + livenessProbe: + exec: + command: + - uNT + failureThreshold: -829813283 + grpc: + port: -567104846 + service: LDcJp + httpGet: + host: g20utb + path: SiqR + port: hDMLQykO + scheme: Ŧ螵n^ʑ柁ɼĥh韁傧厬džƑ + initialDelaySeconds: -564429238 + periodSeconds: -1564220228 + successThreshold: 358143040 + terminationGracePeriodSeconds: -3271131206023471117 + timeoutSeconds: 1743016683 + name: 0dQgH + ports: + - containerPort: 1592798281 + hostIP: Ob6i + hostPort: 1226080714 + name: owTN2e7 + - containerPort: -909719890 + hostIP: LU4ibkw2 + hostPort: -291412037 + protocol: ț榌餬<孋蔣熰瘞;癘, + - containerPort: -1320944614 + hostIP: FALEX24mB + hostPort: -2067901656 + name: 3x2T + protocol: 鑴桄ɵ珧Ū + readinessProbe: + exec: + command: + - oc + failureThreshold: -784903530 + grpc: + port: -2046315075 + service: OUsbY + httpGet: + host: s50gn + path: gPyB + port: -2077437763 + scheme: 撫ƄǥǞ + initialDelaySeconds: 1983356613 + periodSeconds: 1988783141 + successThreshold: 2066305810 + terminationGracePeriodSeconds: 2348593211159662414 + timeoutSeconds: -418402994 + resizePolicy: + - resourceName: yW + restartPolicy: 9從O9籿c绉ȠýH + - resourceName: 9WLZ + restartPolicy: 酎!8 + - resourceName: ISSu7K + restartPolicy: RǷ巫錬$e幅"Ȅ + resources: + requests: + ZAHXO: "0" + cT: "0" + ftA: "0" + restartPolicy: 箕赳箨J顏 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 厍F>%甾灵讝 dɌ撑礙Oo_ʦ + - ǮI埁艏:řŴi/隰6Ň + privileged: false + procMount: 籟ɔ矎C趶椰ʓ + readOnlyRootFilesystem: true + runAsGroup: -1819068651107678420 + runAsNonRoot: true + runAsUser: -4446960001037568719 + startupProbe: + exec: {} + failureThreshold: 1529697760 + grpc: + port: 2086810289 + service: LFhs + httpGet: + host: y7 + path: 7Q5PcVes + port: i + scheme: 阀ÿ¼+砵S麦ƺ'nǥ恪qżZǹ + initialDelaySeconds: -2048008543 + periodSeconds: -1559576850 + successThreshold: -655600930 + terminationGracePeriodSeconds: -8913842277118830912 + timeoutSeconds: -857654009 + terminationMessagePath: 9TOoj + terminationMessagePolicy: ¦ƫʇȬ儤f^_U躭 + tty: true + workingDir: cGeaEyJc6A9 +extraEnv: +- name: 1qcxFe + value: CddCzg + valueFrom: + configMapKeyRef: + key: uetPc0pnjv + name: CvmkK + optional: true + fieldRef: + apiVersion: FHMfGqk + fieldPath: 2P + resourceFieldRef: + containerName: bD1 + divisor: "0" + resource: kcSi + secretKeyRef: + key: pUu0 + name: 31uIu28D + optional: false +extraEnvFrom: +- configMapRef: + name: sJl8l + optional: false + secretRef: + name: ULPPuBUveK + optional: false +- configMapRef: + name: r4KbQIM + optional: true + prefix: vFNhdrDV + secretRef: + name: b + optional: false +extraVolumeMounts: +- mountPath: BsnW + mountPropagation: 撾<¥燩Uáb魩2wdz携W駟c韀羸â閹 + name: kS + readOnly: true + subPath: MQkyaubVs + subPathExpr: Bc +extraVolumes: +- name: FK5aYrlt +- name: BuMd +fullnameOverride: y0pa6pm83 +image: + pullPolicy: ā + registry: frvkIce + repository: Eyf5QN + tag: NF +imagePullSecrets: +- name: kBoh0Lyd +ingress: + annotations: + GOF: Fk7wcu + J2: ViiBwn6 + WODaheluZ: jCoFdBnr + className: 4Z1r6JSTY + enabled: true + tls: + - hosts: + - hAi45 + - N3wGXf + - 2Og0 + secretName: 11BdzGx + - hosts: + - MPqkMom + - mBwetJrK + - PcEKgK + secretName: HtA + - secretName: jRYKg +initContainers: + extraInitContainers: "" +livenessProbe: + exec: + command: + - 5l + - TPa5xuR1 + - pL3 + failureThreshold: -665161597 + grpc: + port: -1993107785 + service: u6KPs + httpGet: + host: R4Get + path: 0V + port: 1160926320 + scheme: ǨĄBW躼uQ劢Z + initialDelaySeconds: -958442622 + periodSeconds: 1883059027 + successThreshold: 1933410843 + terminationGracePeriodSeconds: 6283661173054068495 + timeoutSeconds: -1835273944 +nameOverride: "" +podLabels: + ZUMXq: 1paitbyR + o5jSmwn: "1" +podSecurityContext: + fsGroup: -2194962218839547968 + fsGroupChangePolicy: Ƃ搵Ņů羁nʇ雵Ri摿TǛø!ʣa饪詹 + runAsGroup: -8349123147211058668 + runAsNonRoot: false + runAsUser: -7634316416044162316 + supplementalGroups: + - -8005115528631553908 + - 3338610853164048033 + sysctls: + - name: KolWq + value: HzqTwBK4G4 + - name: rWyCA7 + value: DXY + - name: ukO43edoA + value: EVLsuF +priorityClassName: vW +readinessProbe: + exec: + command: + - 0X8tCVJI + - Sm4 + failureThreshold: -1604827341 + grpc: + port: 42051403 + service: H + httpGet: + host: 0gB9WjO + path: 0sPD + port: -849836679 + initialDelaySeconds: -1237987229 + periodSeconds: -2089146286 + successThreshold: 1944965466 + terminationGracePeriodSeconds: 6313366685724995629 + timeoutSeconds: -421565232 +replicaCount: 180 +resources: + limits: + pWciOVB3: "0" + requests: + CokuM: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: KGprr + name: w + kafka: + awsMskIamSecretKey: "" + protobufGitBasicAuthPassword: SerI + saslPassword: GKTX + schemaRegistryPassword: 4e + schemaRegistryTlsCa: "" + schemaRegistryTlsCert: 5V + schemaRegistryTlsKey: WFfrAH2a + tlsCa: kdCuX + tlsCert: j8Y2S + tlsPassphrase: jzecZl + login: + github: + clientSecret: cRkCl + personalAccessToken: 7XzR7g4 + google: + clientSecret: 1h + groupsServiceAccount: PpzN + jwtSecret: "" + oidc: + clientSecret: r + okta: + clientSecret: om + directoryApiToken: vYqev5 + redpanda: + adminApi: + password: X0 + tlsCa: MadMnzee10AL + tlsCert: SXxHZ + tlsKey: HYAn +secretMounts: +- defaultMode: 257 + name: mbhBeHK + path: 4B + secretName: "3" +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɓ秈Ǽ霏*苇ȋɇ燡ƲɔċɈx + - 畼#QȲȬ懹脆俼[葓箘Ⱥ¿ + - ƭ + drop: + - 鉉C餱芕鳧ǥƔʚŰ + - ǖ瞱祈)售歜ŃȀƖ厀Ʃ9茡ɥq + privileged: false + procMount: '''³編Ź~莽WS2孲j禺' + readOnlyRootFilesystem: false + runAsGroup: -7898786566866618408 + runAsNonRoot: false + runAsUser: 5048177807031045156 +service: + nodePort: 402 + port: 11 + targetPort: 465 + type: 9TsjJQkJZ +serviceAccount: + automountServiceAccountToken: true + create: true + name: Gma +strategy: + rollingUpdate: {} + type: I讗烉Ð-Ǵ +tests: + enabled: false +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: 8oHl6iWalV + operator: 嗌ƕþ]eěk歄兠惴5]nj鿵ų|暫\ + matchLabelKeys: + - n2lT + - nr + maxSkew: 565546972 + minDomains: 1026506021 + nodeAffinityPolicy: _攊v + nodeTaintsPolicy: 踠~Ë?¶嘬 + topologyKey: OZKwm9I + whenUnsatisfiable: 艽ʧj +- labelSelector: + matchExpressions: + - key: e + operator: 貙wɡȗ扊l橠,ȶ^ + values: + - "2" + - 1aeU + - X1mzNz + matchLabels: + Kw: L0rDwe + hFD: 9Kbm7CtaSg + matchLabelKeys: + - lw1gZ + maxSkew: 131623139 + minDomains: 1034504401 + nodeAffinityPolicy: NƎ乮+却ŷƑIf.L焚 + nodeTaintsPolicy: "" + topologyKey: dpa7OA + whenUnsatisfiable: 貧uƻläʯlÓʐȮ竇dʐ疮儾 +-- case-044 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: AFOKvXU + operator: ¸藬 + values: + - vIFxLM + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + ZpWVx: agTJ2kP3DWNYN + matchLabelKeys: + - "4" + mismatchLabelKeys: + - 0qG + namespaceSelector: + matchExpressions: + - key: D8 + operator: d|ɬ曖 + values: + - p3iQYi6Y + - key: c + operator: ǵmV逛鲳鈐譮稹ÚȾČXú + values: + - a + - 3C55L6S7 + - SQaxr + matchLabels: + "5": jC + namespaces: + - oDKjy + - "" + topologyKey: C9jgFk + weight: 1276231314 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: lGp2 + operator: "" + matchLabels: + "": sKP1q2 + 44krG: UrYUSMsisV + unYZqLh67: tMKQ + matchLabelKeys: + - orDt3ZdEA + - LIBJK3 + mismatchLabelKeys: + - bgz2i + - CNqlQJ + namespaceSelector: + matchExpressions: + - key: 35CZTXLY + operator: 掟0笝润ɲDGĪ1Ɋ乧鴹ǥ + values: + - OOB1s + - o4H + - key: f21 + operator: nȿqh + namespaces: + - L0w7 + - DB9 + - T1mom4CrS + topologyKey: OWKJz + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: WaOHp + operator: Ƥ熅ǒe²敹Ņ0ľ(Ȯɩ6ÿ + - key: 0X + operator: be3蚛鷿_鴈y+圚ʀF虹D + values: + - ZIZDTnyfwD + - B4NWO9ffPz + - 1jsu + matchLabelKeys: + - mXhYg + mismatchLabelKeys: + - mp6 + namespaceSelector: + matchExpressions: + - key: xE + operator: ʩ畕 + values: + - uc7IZ + - Hxl1 + - key: Xb41Q + operator: cʓʁ卡嵷韻 + values: + - pA + namespaces: + - edcrY + topologyKey: sP2BdI + - labelSelector: + matchExpressions: + - key: U0 + operator: 卢ʩ + values: + - OBtefl + - yMIZlx + - key: X + operator: Ǔ%é鵔:ß侙鞅 + values: + - s1qg3meB + - e6J6ZH89 + - key: dhFO + operator: ƋŎ頖,é襺枣Ť卩骏ɰ抟篧JɂǛȝȵ + values: + - R9sJoCz + matchLabels: + 2T: 84ZhksfB + matchLabelKeys: + - Yc41 + mismatchLabelKeys: + - zgncb + - pCwXYOK + - hViR + namespaceSelector: + matchExpressions: + - key: 3hWtuB6Y + operator: ʪ+ʜǻ拎奜跁ª4鶒鲒[ʒJi\ʝ)皡 + values: + - s + - key: xGSn + operator: 羥/Br=Z擧Ŀ泀Ą舨cïŕɘʡȽIJ鉽 + values: + - lOZtQ2cI + - Vk6 + - Ri3t + - key: Z6UDhR9VLqSA + operator: 淸c欨pɝo腛ı廓齩鄬檏繑郭>Ö呡 + values: + - s6hp + topologyKey: wZZTf + - labelSelector: {} + matchLabelKeys: + - afDo + mismatchLabelKeys: + - S + namespaceSelector: + matchExpressions: + - key: AWObA + operator: ĝf表OS厅啬児0~L槩华L稙訐\Tȼ + values: + - M39 + matchLabels: + 0D9: u5 + T1: xiLiZn + v6: nSQp5 + topologyKey: mr +annotations: + 4i: zwiMMKf + ZTKUDg2t: qHc7 + fGsx: dIpd +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 220 + minReplicas: 54 + targetCPUUtilizationPercentage: 269 + targetMemoryUtilizationPercentage: 205 +commonLabels: + BvJq2xZ: jY6O0 +configmap: + create: true +console: + roleBindings: + - UiHg9: null + - "": null + mAYLjAybA: null + roles: + - 0NpG04j: null + UxtPt: null + l5dMdK: null + - J9: null + MzWfEl: null + yNu: null + - "": null + Pv: null + tGJIDyXG: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: x8ik3q + name: K7c7oe +extraContainers: +- args: + - CCdc + - xnWsPf + - K9Lp8whZH + envFrom: + - configMapRef: + name: eRd + optional: true + prefix: jF9v + secretRef: + name: QS0dQM4 + optional: false + image: UEbFmY + imagePullPolicy: ɂǖ耒ȯ+Ǎ妸ÄĊ wʠB堯¥ƿɤp + lifecycle: + postStart: + exec: + command: + - 89MtW + - LOaqkcP + - JzjyxNZS + httpGet: + host: "3" + path: V + port: RUOELw + scheme: u*暪÷鰦ʭ,0噱D #干 + sleep: + seconds: 7312334685976474890 + preStop: + exec: + command: + - Cmo91luAq + - DTCwI + - d3Q8xly + httpGet: + host: e + port: -1761554680 + scheme: '|' + sleep: + seconds: -8572473558022233717 + livenessProbe: + exec: + command: + - 1K0Fir + - Ws + - jWym + failureThreshold: 1492079208 + grpc: + port: -1612320137 + service: wk3AYU + httpGet: + host: U + path: yLWf + port: dE + scheme: (魠ʫ倳|岺溻IJħu|æ粅 + initialDelaySeconds: -1551121242 + periodSeconds: 101556636 + successThreshold: -690762638 + terminationGracePeriodSeconds: -7606489989577612357 + timeoutSeconds: -947750725 + name: GKPhj2 + ports: + - containerPort: 690563670 + hostIP: mVXvug29A + hostPort: -1389446008 + name: pcUz3a8NWF + protocol: o& + readinessProbe: + exec: {} + failureThreshold: 816403475 + grpc: + port: 2090385753 + service: pp5W00 + httpGet: + host: sP9DV + path: cpLL + port: TNUIzm + scheme: '!敓GĜƝ塀ȏ@{8嶤ɍ|' + initialDelaySeconds: 911169006 + periodSeconds: 257542772 + successThreshold: 1702435185 + terminationGracePeriodSeconds: -4557510245814657403 + timeoutSeconds: -581799810 + resources: + limits: + 5UdZ91O: "0" + TXdC: "0" + bK0pEj0Mb: "0" + requests: + s8hZFXOGF: "0" + tCP: "0" + restartPolicy: Ǩ轡´@ǂȟ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 鿞;P粜鬌)Ǭ郑&鑉k!f] + - Ċ + drop: + - ?孡渄:Ơ廔晞!ē8瞅@rDZ_ + - cfdú¯'ƱơÅś祏侪 + privileged: true + procMount: ȝ?A@û2蝓撕%o摤絡) + readOnlyRootFilesystem: true + runAsGroup: -2314751572399378702 + runAsNonRoot: true + runAsUser: 989961539055775316 + startupProbe: + exec: {} + failureThreshold: 971752114 + grpc: + port: -1594677871 + service: O + httpGet: + host: EIXRs + path: EA1CukJtUZ + port: g9g0 + scheme: 遱O靑課淁hɕ怡ņ鲥 + initialDelaySeconds: -1020857297 + periodSeconds: 1332161137 + successThreshold: -1412285197 + terminationGracePeriodSeconds: -7087737322486666596 + timeoutSeconds: 563432789 + stdin: true + terminationMessagePath: S + terminationMessagePolicy: =ɑ_èʊâ錯Ɛ窾O亇_ + tty: true + volumeDevices: + - devicePath: 2EtZS + name: "" + - devicePath: glBRF4 + name: e8K + volumeMounts: + - mountPath: L4U + mountPropagation: '}6ʓ蓱9峖3疖售Ʉ朞' + name: 4oVeDs + subPath: RoA + subPathExpr: b + - mountPath: b3TFcP + mountPropagation: ʘʟ| + name: jg4Ya + subPath: F + subPathExpr: flS + workingDir: VZi6ElPHw +- command: + - 3xxCjTRw + env: + - name: 1n + value: cHl + valueFrom: + configMapKeyRef: + key: "95" + name: gi + optional: true + fieldRef: + apiVersion: sQA8hZeZu + fieldPath: xgpJlFJ2 + resourceFieldRef: + containerName: fLR0HyM + divisor: "0" + resource: Sanx4 + secretKeyRef: + key: XgKm5 + name: gvoS9jB + optional: false + - name: s2cwze + value: hu + valueFrom: + configMapKeyRef: + key: fDoUz3 + name: XKG + optional: true + fieldRef: + apiVersion: q0CUy1W + fieldPath: B3Lkh + resourceFieldRef: + containerName: V1gnkr8hpTmU + divisor: "0" + resource: 7PEJNYX + secretKeyRef: + key: IiBIw + name: kiXa5 + optional: false + envFrom: + - configMapRef: + name: JayMLn + optional: true + prefix: Iyk + secretRef: + name: I8 + optional: true + image: uuJKCAGoiYb + imagePullPolicy: '&mɈ{DC鹪ŘƖ暢C镯VĪɮJ樟' + lifecycle: + postStart: + exec: {} + httpGet: + host: TlUl + path: v9nd + port: Khf + scheme: 雦G'獲ɕ垑Ɠ奚 + sleep: + seconds: 3204757101293724426 + preStop: + exec: + command: + - s8505Cg5U + httpGet: + host: hAMBGK + port: LNxGid + scheme: 9?Ɉ + sleep: + seconds: -7512312074000843110 + livenessProbe: + exec: {} + failureThreshold: -1252597876 + grpc: + port: -544919593 + service: "N" + httpGet: + host: xfP + path: ByIZxFF1w + port: 465839308 + scheme: ôȔʄǽȕ$Ɨ嫸% + initialDelaySeconds: 1827740835 + periodSeconds: 1434348082 + successThreshold: 1145653124 + terminationGracePeriodSeconds: -9056662989967493169 + timeoutSeconds: -741454610 + name: pkN5 + readinessProbe: + exec: + command: + - pmJ6cF + failureThreshold: -182850181 + grpc: + port: -30654612 + service: q + httpGet: + host: Vra + path: tovB7 + port: -934938952 + scheme: Ⱥǵ1茆鯨ț]ų1ơñ澂 + initialDelaySeconds: -1966697414 + periodSeconds: -1866944455 + successThreshold: -259752087 + terminationGracePeriodSeconds: -4535014313385885341 + timeoutSeconds: -1545912021 + resizePolicy: + - resourceName: RxDBqX + restartPolicy: 韌ʮ濅& + - resourceName: spCee + restartPolicy: 腋+桯PɆ誎z4µ&ȁou-囈鵼夵v| + resources: + limits: + rElH: "0" + requests: + "": "0" + restartPolicy: 7GK¦碦ǒ抩Z芍緜 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NjǗA窇ţ + - 逈%Ǵ7QǚƶƜr + drop: + - 鹭Iv0蠤'Ɵ皝ƨ=¨ + privileged: false + procMount: èįƤ;L虥u籖ʄƎ}橃V炖 + readOnlyRootFilesystem: false + runAsGroup: -1041723617216276814 + runAsNonRoot: false + runAsUser: -3933065726531016441 + startupProbe: + exec: {} + failureThreshold: -983644738 + grpc: + port: 1827183629 + service: X7oC1 + httpGet: + host: vGk + path: ohKaYc + port: l1rVsh9 + initialDelaySeconds: -648569392 + periodSeconds: 873065120 + successThreshold: -612441773 + terminationGracePeriodSeconds: 6808330544454597158 + timeoutSeconds: 1534439066 + terminationMessagePath: VYh + terminationMessagePolicy: 唌Üi+ + volumeDevices: + - devicePath: DGsn + name: Ia + volumeMounts: + - mountPath: "14" + mountPropagation: 渉seǝ蕟厪ë嵎ǥ墮@ + name: "" + readOnly: true + subPath: C1G4VS1 + subPathExpr: eU + workingDir: odPxO +extraEnv: +- name: Ahlf + value: UEv + valueFrom: + configMapKeyRef: + key: uwaRvb + name: M8Iklu7qx + optional: true + fieldRef: + apiVersion: H + fieldPath: 43xb + resourceFieldRef: + containerName: t8wgC87mO + divisor: "0" + resource: Z + secretKeyRef: + key: "" + name: EQfJ3z7tv + optional: false +- name: xj + value: lwmxmxP + valueFrom: + configMapKeyRef: + key: "" + name: cdBhO + optional: true + fieldRef: + apiVersion: U + fieldPath: Dj1sswKP + resourceFieldRef: + containerName: 1p3yUdrvd + divisor: "0" + resource: 5A + secretKeyRef: + key: DDcgdcu + name: oD38 + optional: true +extraEnvFrom: +- configMapRef: + name: 2ECaB + optional: true + prefix: bao + secretRef: + name: CA5S95 + optional: false +extraVolumeMounts: +- mountPath: v + mountPropagation: ?IJ純ʈxɧʅ + name: 9AiRaE35OlCv + readOnly: true + subPath: 2dv5RZ + subPathExpr: H7f +- mountPath: "4" + mountPropagation: 涾頴tOĜʥ朤 + name: ePEz + readOnly: true + subPath: BY + subPathExpr: w +- mountPath: n5FPgiJmk + mountPropagation: Ǵ棢__@ŗɆ4瞑5ŗ­L/ķ{篦ǯ + name: NryERK9Q + readOnly: true + subPath: tINFMAR5 + subPathExpr: VrBKy +extraVolumes: +- name: Kt6NIoVzEY +- name: O +fullnameOverride: resP +image: + pullPolicy: 讘ɂȴɩF壜î栒p + registry: UqWwteW0x + repository: TZqk + tag: 0fpMB +ingress: + annotations: + 7CEw: nk8 + bqg: H5 + x1S7: Pu + className: 6IuECM + enabled: false + hosts: + - host: gDc + paths: + - path: len9tdPYcpq + pathType: XETm5mmK3Es + - path: zn5u + pathType: p5jlQul + - host: "" + tls: + - hosts: + - Th5w + - xssK + - xFW9 + secretName: wA + - hosts: + - bR + - U73RtLKOI + secretName: jEnKU +initContainers: + extraInitContainers: 0VCU +livenessProbe: + exec: + command: + - wV + - eooUnSLpW + failureThreshold: 1147871047 + grpc: + port: 483952618 + service: Ca + httpGet: + host: pXrlUHltqchNl + path: kMP5 + port: -1823407150 + scheme: Ò壻«Ƭ魠?ǣ×Ç + initialDelaySeconds: -470682176 + periodSeconds: 842863336 + successThreshold: 2078067842 + terminationGracePeriodSeconds: 8174922400865091455 + timeoutSeconds: 1252398573 +nameOverride: tvDI +nodeSelector: + 2i: dRi6btw6 + R4: UsW + fFNJXGk: XBkx +podAnnotations: + N0F: vSjZxkjW +podLabels: + K1uahi: UMygEU2O2 + ecdKkB: "1" +podSecurityContext: + fsGroup: -3027126285888130862 + fsGroupChangePolicy: 袺芥ŵ罋o郘渢e堫柝dž + runAsGroup: -3172565869747057973 + runAsNonRoot: true + runAsUser: 5739747577453985710 + supplementalGroups: + - -1289730562709624524 + - 2918948066534341347 + - 8836988143915675306 + sysctls: + - name: ZSspAgrV + value: ES11 +priorityClassName: 8KMLup9vb +readinessProbe: + exec: + command: + - 50jwjhoUN3n + failureThreshold: 1026367217 + grpc: + port: -238173978 + service: Ju + httpGet: + host: wDDq9i + path: w7hRVdP6kmTaLN + port: -919313657 + scheme: 闡ś + initialDelaySeconds: -233395254 + periodSeconds: -96619339 + successThreshold: -2083481091 + terminationGracePeriodSeconds: -7352799244112409845 + timeoutSeconds: 1827269276 +replicaCount: 410 +resources: + limits: + eYVLCq: "0" + requests: + P: "0" + VsuQcjg: "0" + jwq: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: zvbci + name: W0 + kafka: + awsMskIamSecretKey: SFtL8nb + protobufGitBasicAuthPassword: "" + saslPassword: "" + schemaRegistryPassword: p + schemaRegistryTlsCa: 0m5L + schemaRegistryTlsCert: fqb + schemaRegistryTlsKey: whFm7 + tlsCa: 2Ir + tlsCert: JBVRtfzSurH + tlsPassphrase: OSDd + login: + github: + clientSecret: mCF8qeqhA + personalAccessToken: 7MnYqfh + google: + clientSecret: uo83GiVX2X + groupsServiceAccount: LCEQJi + jwtSecret: cmCx + oidc: + clientSecret: jW3Syrm + okta: + clientSecret: RDyL5FTb + directoryApiToken: BmJgmq2h + redpanda: + adminApi: + password: 6pe + tlsCa: gzJP1h + tlsCert: GRhBENFNa + tlsKey: qKQ +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɐ毻sǨ斩麀|髦 + - (波F= + - 2鱶ɥǚ蘃齯ʃE桹蹝Ȓ畸蘋桙0 + drop: + - c掁轖e9\Ǟ¦ + - ȽT下Zź%賂蕄3 + - 乯`ŤĊŸ眸ʞ缔Ň妌嵳楕ǐwč*ǩ妩ɴ + privileged: true + procMount: ŃE诩Ŗś僆 + readOnlyRootFilesystem: true + runAsGroup: 6580465723841053659 + runAsNonRoot: true + runAsUser: -56006153890553620 +service: + annotations: + CRHNsVY: Nl04 + nodePort: 437 + port: 103 + targetPort: 329 + type: "" +serviceAccount: + automountServiceAccountToken: true + create: true + name: W9k +strategy: + rollingUpdate: {} + type: ɬdW5f +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: + matchLabels: + 435gSB: cXqM + XuT: nA + sKWX6pPX: YyYe + maxSkew: -1347306472 + minDomains: 1890499147 + nodeAffinityPolicy: 扒Ŕ + nodeTaintsPolicy: 諹uɔM_灢ʫ6ªWŢ庿ɛ + topologyKey: 34nlpPe2Tl + whenUnsatisfiable: šĉ鎨嶕鯖Ťȯ蝲萤ɪeCŒ5ő3|押 +-- case-045 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: MyOwAD1 + operator: 啜0Ȕ + values: + - ZGn4YX + - key: jDkjMmXqE + operator: NŤ~鷚ȃÐ醩@鿘.礡PdL + values: + - N3K + - ow + - PzPEWA + weight: -72104605 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: JvUcVrA7 + operator: Žx"ơ + - key: xqi + operator: 1匹层舕ƒ僜ʓ + values: + - e + - key: eLiG + operator: '[r-!"ĻŻ艂酁嵍鏺]髠' + values: + - EKgA + - 2tR + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + 7EKjs: lal36 + matchLabelKeys: + - DsNc + - EF + - MxSx7 + namespaceSelector: + matchExpressions: + - key: AJRciio + operator: I鎴 3ɡƞK慳hĉ + values: + - dh + - key: O8 + operator: ʤ喜牅ƫ]Ȉʚ廆Ƨ椬訐儹9ȡ趿 + values: + - QIR + - 4QIg3r + - key: xEKeM + operator: 嬕 + values: + - R0qm21j + topologyKey: yN7rFb + weight: 371178507 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 6m + operator: "" + values: + - sEP + - r + - 916oARGpag + - key: YtLdy2vWFRG + operator: "" + values: + - NbAvpL8G + - 0a3vqv + - key: TOiWxWC + operator: ǝ椦誄ȟ2沾ʩɁǢɶ攧Ţ胑< + values: + - BDKh + - NFb9UYct3p + - TFdQLF + matchLabelKeys: + - TACd + - RFCD1IMt + mismatchLabelKeys: + - CLaySswMot + - S3sEweRaY + - tC6pZ + namespaceSelector: + matchExpressions: + - key: pDz + operator: "" + - key: iRP7TsiyE + operator: 8šiƛPċŞ貲I轒ĮÜ + matchLabels: + 4IVb55JZf: "" + XokO: FntMc + namespaces: + - BOohC67i + - tv + topologyKey: Wc36G + - labelSelector: + matchExpressions: + - key: 2swiyf9 + operator: X + values: + - "2" + - Mmu6iYl3 + - XsZhnelID + matchLabels: + zf: IJlhUxrQg + namespaceSelector: + matchExpressions: + - key: RMLd0ptomdzoSd + operator: ƋŲǯ-'Dð獿礘ĘQ蕲螙x + values: + - rz5QKfx + - key: smO + operator: DɴK*4瘢齮 + matchLabels: + "": crZm + R7TX: 7hcjy + Yh: dyM1 + namespaces: + - PqubN + - elFz + - 5Iah6Cz + topologyKey: QE + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: faWSc + operator: ʚʉŝwʊ寭跼Z + values: + - dgKap + matchLabelKeys: + - sEXCWO + mismatchLabelKeys: + - BqB + - QSJQOy + namespaceSelector: + matchExpressions: + - key: 9zT + operator: 锂遼9ɎVn嵕缰~ + - key: bJi68gZ + operator: 己樚僚%隓馦d + values: + - LT + - "" + matchLabels: + yt: Z + zMv4Ez: NSxkcn + namespaces: + - bfc + topologyKey: pUFg7ZP + weight: -962989660 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + matchLabelKeys: + - "" + mismatchLabelKeys: + - Mfh + namespaceSelector: + matchExpressions: + - key: 6Ax1cf + operator: ʆ骜ʣ蘧F栮,C + values: + - 1WljmgAmSY + matchLabels: + 174k: 7or9Mr + F4YETWGCg: Rt46e + cMQyYT: RTaOOxz3Li + topologyKey: 9j +annotations: + 12kkcHLZdTIn: FQ4am + LQDfr: q +automountServiceAccountToken: false +autoscaling: + enabled: true + maxReplicas: 305 + minReplicas: 326 + targetCPUUtilizationPercentage: 344 + targetMemoryUtilizationPercentage: 186 +commonLabels: + M1diW: PVb +configmap: + create: false +console: + roles: + - tvT4mf0wFe: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: kMfu2CiNvgC34 + name: oa9a +extraContainers: +- args: + - HP10TO + - kuCNcTLL + command: + - m + - Nww8 + - 98Rn + env: + - name: SSO + value: dOiVAD + valueFrom: + configMapKeyRef: + key: rG6s + name: ZIOGFg7 + optional: true + fieldRef: + apiVersion: 5QpSAgTC + fieldPath: wvXbuBkn + resourceFieldRef: + containerName: ZRxTJ6p + divisor: "0" + resource: lxXIfgo + secretKeyRef: + key: a4I + name: fdAC + optional: true + - name: t + value: lhJB5Gu + valueFrom: + configMapKeyRef: + key: 9sIY7ap56C + name: jxSPO + optional: true + fieldRef: + apiVersion: 7y + fieldPath: TVs + resourceFieldRef: + containerName: Bk7GMS + divisor: "0" + resource: KghhcLY + secretKeyRef: + key: "4" + name: Q0xn + optional: true + envFrom: + - configMapRef: + name: xkM + optional: false + prefix: 6Hmq + secretRef: + name: 2W7 + optional: false + - configMapRef: + name: nw + optional: true + prefix: ZF8q + secretRef: + name: Hazz + optional: true + - configMapRef: + name: C0TBIATG + optional: true + prefix: Wm + secretRef: + name: Yg2 + optional: true + image: vXSldD9 + imagePullPolicy: .Ś.l庥抁臚蚋巸_ȧʟ[R榶E + lifecycle: + postStart: + exec: + command: + - oN + - eEYgTnILd + httpGet: + host: mg7llOt105m + path: dtlR4G + port: wD90f + scheme: ʖ两ĕ¤¬瞮U? + sleep: + seconds: -2237517267526569736 + preStop: + exec: + command: + - GMjypvCI + httpGet: + host: T8pa05 + path: u9bCqIg + port: M9zgB + scheme: '*蛬ŻĈ' + sleep: + seconds: 475574192596548942 + livenessProbe: + exec: + command: + - dUJeULUg + failureThreshold: 1485223326 + grpc: + port: 701458966 + service: CQKKuIS4d + httpGet: + host: E2fjZ + path: XvuU + port: NoCTx + scheme: 蜼烀ȏǓɦMDn糆ƥHʼn/瓏ìȢŷ + initialDelaySeconds: -1475170089 + periodSeconds: 1989433587 + successThreshold: 1386111224 + terminationGracePeriodSeconds: 5430499533574282933 + timeoutSeconds: 1740226413 + name: wG4ZxvZMuJ + readinessProbe: + exec: + command: + - "6" + - obo + failureThreshold: 2126666969 + grpc: + port: 521888256 + service: z + httpGet: + host: Fpq + path: ghrc2 + port: -314576227 + scheme: 瓰vp烫ǁĴŰDȐ插研Ǽʜ + initialDelaySeconds: 1330937719 + periodSeconds: 78230226 + successThreshold: -351220698 + terminationGracePeriodSeconds: 6147801770047971409 + timeoutSeconds: 1906635539 + resizePolicy: + - resourceName: Waf + restartPolicy: ʑ艜ɾ蘩Ƈ`7ɫ坓弎Ȗƈ + resources: + limits: + WfxZ: "0" + gZ: "0" + oup1P0j: "0" + requests: + D0AyOZ87h: "0" + Wmp9uU8: "0" + mowWvEm: "0" + restartPolicy: ǔ輋篐棶耏īʡm0Ñ!ř$曤Qʢ瞪Ļ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Ì酃`sŬ硪W#鿻Gƃu + - 先ĜtàX + privileged: false + procMount: Ĕʤj螹țȞVa + readOnlyRootFilesystem: true + runAsGroup: 5877071704122825347 + runAsNonRoot: true + runAsUser: 607897543692979281 + startupProbe: + exec: + command: + - 1R1GIynL2u + failureThreshold: 197417586 + grpc: + port: 581882770 + service: jrlDhPYYcBk + httpGet: + host: btMskta + path: iy + port: -1405181644 + scheme: ­劲襇板ƶ2豣Ă輒" + initialDelaySeconds: -317632223 + periodSeconds: 1128778719 + successThreshold: -878681442 + terminationGracePeriodSeconds: -5809012571377279815 + timeoutSeconds: 326998121 + stdin: true + terminationMessagePath: vlSz + tty: true + volumeDevices: + - devicePath: jpSm + name: A1S8F + volumeMounts: + - mountPath: zH + mountPropagation: Œib抪黠wƱ軭 + name: vY1XOHYYy + subPath: Tui26JLZyP + subPathExpr: 2T0bhLFBv + - mountPath: qLd4 + mountPropagation: = + name: MlJNiuK + subPath: Gt + subPathExpr: 1br + workingDir: qaJz +extraEnv: +- name: "" + value: 8qqxpUmb + valueFrom: + configMapKeyRef: + key: nyn + name: 2a6 + optional: true + fieldRef: + apiVersion: 4VL + fieldPath: mLkq5SaY + resourceFieldRef: + containerName: q58NCY4 + divisor: "0" + resource: iTwPTz + secretKeyRef: + key: fymwKG2di + name: jP + optional: false +extraEnvFrom: +- configMapRef: + name: kjk + optional: true + prefix: bXXh + secretRef: + name: ksMoUzjV + optional: true +- configMapRef: + name: 8AWI + optional: false + prefix: hqwWp6 + secretRef: + name: a + optional: false +extraVolumeMounts: +- mountPath: g + mountPropagation: ƎÀ虰|墫} + name: izh4Kt + subPath: l3Jx + subPathExpr: bgpu9UdSPr4CF +extraVolumes: +- name: UQKug +- name: giK +fullnameOverride: 9gCm5xz +image: + pullPolicy: "" + registry: I + repository: utUA + tag: 3NaFJMnq7cwb +imagePullSecrets: +- name: rTO7I +- {} +ingress: + className: y6u9o + enabled: true + hosts: + - host: V + paths: + - path: VRp3 + pathType: WX + - path: ZXqa + pathType: LXDjotJK + - path: b + pathType: 6l3svu + tls: + - hosts: + - SzMunki + secretName: OT +initContainers: + extraInitContainers: Gaa +livenessProbe: + exec: + command: + - w + - 4y0unO7q + - fUMv46yk + failureThreshold: 564680295 + grpc: + port: -274686900 + service: SZ + httpGet: + host: "97" + path: R + port: sw2f4 + scheme: ǖe灻膃爌|rQʮ` + initialDelaySeconds: -1623540175 + periodSeconds: 2083875877 + successThreshold: 1467697726 + terminationGracePeriodSeconds: 1240720412315600394 + timeoutSeconds: 514813622 +nameOverride: tOoxEiwdVpT +nodeSelector: + 4X: PJ6v +podAnnotations: + TImM2rpn: ixT +podLabels: + jAyDz: vW2 +podSecurityContext: + fsGroup: 8841428564051369991 + fsGroupChangePolicy: '''諢憭捽鉚ƾ邓鈽6M_s' + runAsGroup: 5877981406957979012 + runAsNonRoot: false + runAsUser: -2714811370596686768 + supplementalGroups: + - 3627757755693767927 + - 3933990106793080427 +priorityClassName: Op +readinessProbe: + exec: + command: + - Rvxle1 + failureThreshold: -1544911058 + grpc: + port: 1480625343 + service: iUWGjn1Yq + httpGet: + host: 0Wg8b + path: qrDi3 + port: -689203177 + scheme: 馨PƆȣdfTNʫ*ɀLɐ3} + initialDelaySeconds: -386708604 + periodSeconds: -1196967535 + successThreshold: -658970667 + terminationGracePeriodSeconds: -8534050677682835111 + timeoutSeconds: 1352482566 +replicaCount: 218 +resources: + requests: + Nh6YX: "0" + z: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: "9" + name: Pd + kafka: + awsMskIamSecretKey: "" + protobufGitBasicAuthPassword: naFpMBw + saslPassword: nKEzr + schemaRegistryPassword: xU + schemaRegistryTlsCa: pc + schemaRegistryTlsCert: fF1z9FE + schemaRegistryTlsKey: tx + tlsCa: bhhbwypQ + tlsCert: Dw1477 + tlsPassphrase: zRD + login: + github: + clientSecret: 1UD4N + personalAccessToken: LmFkP6BgmLQ + google: + clientSecret: m + groupsServiceAccount: "" + jwtSecret: 9ejQZ6 + oidc: + clientSecret: cXdjG + okta: + clientSecret: eF90RohF + directoryApiToken: 1zXLSJEQ + redpanda: + adminApi: + password: rr4c4 + tlsCa: Eonnpq + tlsCert: aPCNgYI + tlsKey: vlrLQ9I9 +secretMounts: +- defaultMode: 266 + name: omIzst + path: "" + secretName: Pn +- defaultMode: 133 + name: "1" + path: gIWg + secretName: gi4zM +- defaultMode: 451 + name: lrUYguc + path: D9pR + secretName: 3FH +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - m优ķNJ噓+Pð + - 橯O燁 + drop: + - 褈墄ȃ杵 + - 娨Î + - rƴ}Ɇ橮ʕ*m敼ʎhǰ.ʔcZ + privileged: true + procMount: 攏O婑 + readOnlyRootFilesystem: true + runAsGroup: 8829730151763757512 + runAsNonRoot: false + runAsUser: 64441908715087607 +service: + nodePort: 325 + port: 314 + targetPort: 398 + type: C +serviceAccount: + annotations: + "": zL + EANkzh: rmy + automountServiceAccountToken: false + create: true + name: nX5G +strategy: + rollingUpdate: {} + type: ɬ(ìɅ +tests: + enabled: true +tolerations: +- effect: ɥ)藖朡YȖɌGǼRŗ迼@醹F6鎚 + key: 7Nq + operator: "4" + tolerationSeconds: 3766411560743927749 + value: TCksEtpTf +- effect: ȷ^?3HʉɚŢȾL + key: mj5pit + operator: 隱瀆J纝ɽÄ:憹欓 + tolerationSeconds: -3549323835306297633 + value: CN0gSHK7T +topologySpreadConstraints: +- labelSelector: + matchLabels: + N5pfvDQM4ZnP: "" + ZDk6ppZLAO: nn + f1Z: 2Molvtunvm + matchLabelKeys: + - cUf4VG + maxSkew: 2039905438 + minDomains: -1795353257 + nodeAffinityPolicy: 啚FLjʐəǪɠ梎Ň沮<^Zæ + nodeTaintsPolicy: Å扯R + topologyKey: qVloCmz + whenUnsatisfiable: ūh挕ŀ靕土伔澍鄓 +- labelSelector: + matchExpressions: + - key: sgB0Jx + operator: "y" + matchLabels: + Dhp: chzEB + matchLabelKeys: + - TBO + - g5M + - h + maxSkew: -825758940 + minDomains: 1383227075 + nodeAffinityPolicy: 婬ȴ羉Ā蕲k<ǯŘ`貉ì攘窼ȶ{黺( + nodeTaintsPolicy: 晓}從磹砛鬀D + topologyKey: MXei + whenUnsatisfiable: Ē舐ɒ'Q|ȃ#Y\厾h +-- case-046 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 2Nsqe + operator: 阴闤Bǘ尚僞熐蘐槄TČ鉇拍Ɣ唉f钡 + values: + - EQslZWcPKU3 + - key: clrdH7j + operator: 鹓ī郖漖8ĬwƓ + values: + - zsB2 + - HGN2A + matchFields: + - key: Is7w3FDS5zse + operator: -ĉYd + values: + - U4nF56qPTw + - mm38x0AQL5c + weight: -1981921933 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: mRa + operator: ȥǮĬʩɄeƩ蟤确= + values: + - ooR1 + - QIho6keUV5fIUe + - jrOsTe + matchFields: + - key: miXl + operator: ʯ5yɶȁ/z>Ǡb_Ȉ撿÷đ湕ǭ + - matchFields: + - key: yXFe + operator: ȁ!Ńǩ浉F蕊ƕ倉輴Q¬ß巩ɿ + - key: qEUUleUJCe + operator: dz楥Qɗ鎽嚬t轮黑<ƻ眄 + values: + - pXk + - l22 + - l6 + - key: DiInxf + operator: lťõ祟X鬀ò嬬uġ + values: + - CtW2vs2 + - x + - rT + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 0oFNd + operator: 喯z芡I钷)bę%匾蟨 + values: + - i6xl9Mn + - "Y" + - Dnn1nA + matchLabels: + ACWAVtod: 5MsAi + W7L46x: Iohx + matchLabelKeys: + - tZcagyiX + - 5w + - SMP + mismatchLabelKeys: + - b + - f + - bqCBIIfcdw + namespaceSelector: + matchLabels: + H3qd: 6DBRkuQvCde + namespaces: + - Y3j7k + - 8i2rf + topologyKey: 290Z + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: j8OASVi + operator: Ų驐Ĥ>Ȳ`1)o}嵊袀d + values: + - DE + - key: Iir + operator: WqȊ晝ɛ唊ɵk抩Ǟ紅銫Ş秠Ś~ą + matchLabels: + 8RiTX5m: lU1nenIq2B + B1: gskcNQo6g + D1kq67: "" + matchLabelKeys: + - ii9Ab3 + mismatchLabelKeys: + - 4X2zohLQD + namespaceSelector: + matchExpressions: + - key: HyU35bXzWF + operator: 尽ǰ + values: + - "" + - sB3pY + - 4r + namespaces: + - vW + - LYI + - mhQ0 + topologyKey: pjisw + weight: 1962236401 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 9GtVGXjE + operator: 镭鱆ʁ;崽DȔ3Ĭ鐓敝 + values: + - igW0 + - Qiyx + - zMm24In + matchLabels: + AWiVWW: gPF0Yh + matchLabelKeys: + - 01T9Mphw + - qcecz73o + - o6bBrV + mismatchLabelKeys: + - uJJWe + - 8On4IIB31 + - p4t46HL8K + namespaceSelector: + matchLabels: + h: iExiiF + topologyKey: ZhTV + weight: -2130387111 +annotations: + cflWrdcz: jJe +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 451 + minReplicas: 241 + targetCPUUtilizationPercentage: 434 + targetMemoryUtilizationPercentage: 89 +commonLabels: + "": WcYTY + rHtDM6k: ZY6Kw +configmap: + create: false +console: + roleBindings: + - 0RZs: null + 3MoL: null + DS: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: "" + name: mP +extraContainers: +- args: + - TLL + command: + - "" + - kyr + envFrom: + - configMapRef: + name: cGxJkM382 + optional: false + prefix: 8ZYix + secretRef: + name: sptdX + optional: true + - configMapRef: + name: sv + optional: true + prefix: juf4E1 + secretRef: + name: WrvN + optional: true + - configMapRef: + name: stixRM6Z1c + optional: false + prefix: eHg4 + secretRef: + name: kJK + optional: false + image: Q + imagePullPolicy: 榲µʪ + lifecycle: + postStart: + exec: + command: + - AHw4N6lX4 + httpGet: + host: CuJ + path: kY9OI68 + port: I6fEdljwf7WI + scheme: 0Tæ + sleep: + seconds: 8747859025599270243 + preStop: + exec: + command: + - SAiYloe + - rxrb8 + - U1 + httpGet: + host: D + path: Ck4D + port: 1235678776 + scheme: 讅º頼 + sleep: + seconds: 2255567287221174216 + livenessProbe: + exec: + command: + - rlPo + - TpvecI + - c + failureThreshold: -1194959675 + grpc: + port: 1286950474 + service: l03Ttx + httpGet: + host: iZbpkGTG + port: -104521289 + scheme: ǘɚƃŊ1_蛺ƥ篯 + initialDelaySeconds: -1041934050 + periodSeconds: 1858129919 + successThreshold: 812913269 + terminationGracePeriodSeconds: -6125486107996409317 + timeoutSeconds: -1767574186 + name: "5" + readinessProbe: + exec: {} + failureThreshold: 596482569 + grpc: + port: 1150156757 + service: qaPYsPWRM + httpGet: + host: iNasZ6 + path: CpVj + port: GC + scheme: 謭¤GȫȇƄ聭Dłʬ + initialDelaySeconds: -1604058483 + periodSeconds: -603768209 + successThreshold: 1589218932 + terminationGracePeriodSeconds: 4819160591653315271 + timeoutSeconds: 2047446198 + resizePolicy: + - resourceName: Or + restartPolicy: OȜ)漢ɨ酳h + - resourceName: i6roWBCG + restartPolicy: Ćʊ赆ʒ + resources: + limits: + ZTOf: "0" + requests: + "5": "0" + restartPolicy: ȱTǣıN飿 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - c + - Ɛ絜-Ȭ狆ǚƫȼ)ɦȗ欌3Z + drop: + - '*`N}柁番贝鍝陂±Ǖ弊' + privileged: true + procMount: 湅ʨɩƗ吞硩Ǘɵ櫜5 + readOnlyRootFilesystem: true + runAsGroup: 2454233763446715277 + runAsNonRoot: true + runAsUser: 1349777568495231591 + startupProbe: + exec: + command: + - tEiO0Gf + failureThreshold: 1955219951 + grpc: + port: -4890683 + service: 4tTWT + httpGet: + host: 5h5p4Uk + path: JX2HU + port: b6yI + scheme: 娂儯庬Xǿƫ + initialDelaySeconds: 1159427409 + periodSeconds: -1534574298 + successThreshold: 1143094739 + terminationGracePeriodSeconds: -2223019815025430450 + timeoutSeconds: -1544667872 + stdin: true + stdinOnce: true + terminationMessagePath: 1FuR + volumeDevices: + - devicePath: "Y" + name: EahA503T0 + volumeMounts: + - mountPath: QxOZw9E + mountPropagation: N"賬 + name: k4sw3lfzmj4 + subPath: 9a + subPathExpr: q5p0 + - mountPath: 9FHN + mountPropagation: o~ʆ容Ĺkjɋ5cȔcƼ诔楞 + name: wmkq + subPath: M1UIiHV + subPathExpr: IhSh2 + - mountPath: KTgxDgARv + mountPropagation: 篪k矲PƊ$ʇ謞šS婝耻遄 + name: nvW2 + readOnly: true + subPath: u6 + subPathExpr: C3n82 + workingDir: F2B +extraEnvFrom: +- configMapRef: + name: s4S + optional: true + prefix: g8JM + secretRef: + name: Km8n + optional: false +extraVolumeMounts: +- mountPath: VW + mountPropagation: gjɲi呒>[ɻ + name: HRTFVpU6YN + readOnly: true + subPath: J + subPathExpr: Zx9CYV +extraVolumes: +- name: ldO +fullnameOverride: fB6TF +image: + pullPolicy: '&Q眫' + registry: HjNl + repository: z9WL9QV + tag: jKgmVjE +imagePullSecrets: +- name: DL1OBpd0 +- name: jM +ingress: + annotations: + A4M6T: IUmZ9 + AHN: gcT00IU6 + S: lzi1Q + className: aU0xOzsFN + enabled: true + tls: + - hosts: + - PV + secretName: aHG1 + - hosts: + - bX + - Cu + - xuscoJ + secretName: fBCynrlb +initContainers: + extraInitContainers: aF +livenessProbe: + exec: + command: + - mWA8 + failureThreshold: -2111746605 + grpc: + port: -159496093 + service: 5BzT + httpGet: + host: Pgb + path: W + port: FTodWK + scheme: '@ĝȗɰ*8Eȑ' + initialDelaySeconds: 1224736641 + periodSeconds: 1490424943 + successThreshold: 2012886943 + terminationGracePeriodSeconds: 1140281843739171103 + timeoutSeconds: 1910690397 +nameOverride: "" +podAnnotations: + P10bx: 4As + RWk: E + e: rh7XI +podLabels: + SnZ: mnX + aL0TsomY: aVv4hsuMJ7Aiq + luPi3E6: iCt +podSecurityContext: + fsGroup: -137977092678744094 + fsGroupChangePolicy: ʅ翄ąIJU÷[Ɉ<Ǧ兰巒鄂 + runAsGroup: 2453672470118860 + runAsNonRoot: false + runAsUser: -2867620198524252040 + sysctls: + - name: p + value: "" +priorityClassName: wQ +readinessProbe: + exec: + command: + - bmfgcwd + failureThreshold: -1418487663 + grpc: + port: -468793496 + service: MhQm3 + httpGet: + host: nQSr0S + path: M8 + port: 1657726276 + scheme: 鶉阑 $ý + initialDelaySeconds: 1895968402 + periodSeconds: -1686229865 + successThreshold: 1934722351 + terminationGracePeriodSeconds: 2537915062001973026 + timeoutSeconds: 1366589097 +replicaCount: 376 +resources: + limits: + 87w5tBp: "0" + AmXXE: "0" + QH55ZH: "0" + requests: + EbalAlq: "0" + RpvkPX: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: ellF2F + name: K3 + kafka: + awsMskIamSecretKey: Xs8UvJPyL + protobufGitBasicAuthPassword: BKbdr + saslPassword: xW3EDKA + schemaRegistryPassword: Vewx + schemaRegistryTlsCa: te + schemaRegistryTlsCert: JxH + schemaRegistryTlsKey: jhxioPhQ + tlsCa: eP + tlsCert: H9 + tlsPassphrase: Gz + login: + github: + clientSecret: Q + personalAccessToken: akEcq + google: + clientSecret: vj6 + groupsServiceAccount: pJ8NQ + jwtSecret: jUc4rQpG + oidc: + clientSecret: 8SCyi + okta: + clientSecret: Yd + directoryApiToken: q1rSa + redpanda: + adminApi: + password: mON + tlsCa: rNzsp + tlsCert: UStA + tlsKey: 3E +secretMounts: +- defaultMode: 305 + name: smBrE0cI + path: "2" + secretName: zeb +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - pij*fƤ + privileged: false + procMount: 罽İ耲,衧駕R=k{ŝ{躈瑮L + readOnlyRootFilesystem: true + runAsGroup: 3478202026348193011 + runAsNonRoot: false + runAsUser: -5521479784565460908 +service: + annotations: + aDeGG7F9S: 5d + nodePort: 439 + port: 271 + targetPort: 481 + type: PK7oH1pcU3 +serviceAccount: + automountServiceAccountToken: false + create: false + name: "" +strategy: + rollingUpdate: {} + type: żb給ū裬M +tests: + enabled: false +tolerations: +- effect: 瑟bĕʫFuěG盲ÿ + key: d + operator: 秸ƿ + tolerationSeconds: -7614909558910242428 + value: h2U4 +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: 60k + operator: ʉ赳Ɇǂt硴煟讒ib + values: + - M755avF + - He6fTmtHDXC + matchLabels: + c4BN5BiYtjB: tyUmvwGkL + matchLabelKeys: + - E4G8mM3 + - G1C9Cjj + maxSkew: -1527756346 + minDomains: 432090734 + nodeAffinityPolicy: qǗ阵W&喁CE®ņpPȂ\Ç苗ĈȄ + nodeTaintsPolicy: ȉ珉@:x凝謽Q釀ļn适c顦 + topologyKey: V + whenUnsatisfiable: 瀥 +-- case-047 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 182966451 + - preference: {} + weight: -2028220392 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 5a5MXO + operator: kƎǦƙ«嚄ƭr騥邜Fċʐ叧F& + values: + - BRA + - Ywt7JHE + - key: TjE3wFb6 + operator: O`6ƥ縈L:Ckʄ鹟瑧 + values: + - "" + - dxDLfiL + - 0IgsneLlLo + - key: tuBbSOMR + operator: 桛ʫ褛ʒɩWkv濱瘛#Ěi邱CNǖ4孳 + values: + - 9zJ + - 7T3iJAwX + matchLabelKeys: + - ZYcvinlq + - PwQO9 + - M3gb + mismatchLabelKeys: + - e + - K1XrVh + - D1CkR8 + namespaceSelector: + matchExpressions: + - key: uqnyV6k + operator: rĮ'示嶠ĵ攛Ņ + - key: 0ONfMVB + operator: n梷E8ʟ菛晉 + values: + - Q + matchLabels: + IqH8n: pCJ16S + mUE: HyxdirX0F + namespaces: + - gptVP + - L + - 7CmPHtA + topologyKey: XDhewcrvK + weight: 2033587292 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: jcAfZ5VF + operator: 饀re + - key: sj + operator: U姑R° + values: + - p8zbO + - key: 2LmP5 + operator: ŸȢ庾塁BƖ + values: + - NN + matchLabels: + ApvKyKe: kHE9lIIleR + mismatchLabelKeys: + - n3VRcT5qX + - zGNqgUGNX + - hDZ + namespaceSelector: + matchExpressions: + - key: "7" + operator: 砃=G墈赞飍鵝7d + values: + - Uiz9BnY + - key: hd76 + operator: '{緶ɡnW' + values: + - vc1yj10y + - Je + - eg + - key: 06pjmB + operator: =帛胏 + values: + - RQ10 + - Z5WWhGqt + namespaces: + - seMTT1 + topologyKey: E + - labelSelector: + matchLabels: + oplIL: 67Fs0Yu4 + mismatchLabelKeys: + - T1 + namespaceSelector: + matchExpressions: + - key: hOQWYMD + operator: vǑ壞2â飿"Xʝ簮倏c + values: + - "0" + - key: WWGKqAgL + operator: '''OƼŪ祰ǑŗiU嘏ɮ?Ī語' + values: + - yU5IOsL + - koP + namespaces: + - lDs + - xQZsD + - J + topologyKey: j0k4ds + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 9nDdXGQwP + operator: '[痵lǝ,ǶÜÂD' + values: + - th + - u8xZ + - ucr3vqZeG + - key: QWVrK8k + operator: ʀăɼy耯#運+3坽« + values: + - 2lcZKn + - G2IQ + - YbYwv + - key: N4bc7Wn + operator: '%7`iɊȑ槦醒}' + values: + - NiSH90 + - 98iHVkt + - 0r3Yu9i + matchLabelKeys: + - zrV + - Ey + - R + namespaceSelector: + matchExpressions: + - key: gEbVS1wo + operator: z + matchLabels: + 2YURuF: "" + CJTjm6: nOFN + oUtlWUD: 0k14ag + topologyKey: M1yF5YA + weight: 477520510 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mdjoxbr + operator: V2SŨǰ8嫟淦 + values: + - 3ww0Ei + - 2PjudE + - pmpvETB0n + - key: NFqQGo + operator: 处;Ƕk鎹û絹褡Sy + values: + - V + - key: HuZ + operator: ȓő&ś>S怭ť]E榕 + values: + - sUume + matchLabels: + ef2q: 4ZL0O9b + r8xqG: MJ + matchLabelKeys: + - "" + - "Y" + mismatchLabelKeys: + - djn6fDf + - ukZi8 + namespaceSelector: {} + namespaces: + - dOU1F + - 1ygQdj3xZ3YIf + - wvpeJx + topologyKey: Rq4K6z6 + weight: -1277100698 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: b + operator: "" + values: + - tmuB5 + - 9qE9GM + - oJpaRDn2 + - key: WY + operator: u酘b + values: + - RhO + - Cs2rDIRrPlii + - nG4bqoAkQU + - key: eMae + operator: ǟĕȴnjI覿9¥H艞ɋ + matchLabels: + ToIBbWL: 4k8X + i2qGkWjvF7QJ: pb0sZq + u12o4B4: Ybz + matchLabelKeys: + - HCKtJC7hm + mismatchLabelKeys: + - 21r0Z + - "" + namespaceSelector: + matchLabels: + 2BNgnKr7Ob: 5RffK5NB3ghhfO + bJC: WTOgH + uA: bxdRwsU + topologyKey: 2CsbupZ + - labelSelector: + matchExpressions: + - key: RIP + operator: Oȝ(氧罻 + values: + - 1bx3Fix9 + - key: eqQoi + operator: 68+ʈĘ + values: + - FgfwmYrR + - mznlyr2aLTGF + - GfAoC8M + matchLabels: + FKwNoJ: aJZxa + cEeo8ix: 3dHunLjp5 + ihSd: qG7x + matchLabelKeys: + - F6LQK + mismatchLabelKeys: + - ULcGW + - RYv + - fF + namespaceSelector: + matchExpressions: + - key: Tkp5 + operator: ȴ潺谡Ƣh躈ŮâÿȒũĔ + values: + - fY9NuWB + - O84 + matchLabels: + 09fI: EDSEVi + Dl: 4u38aD4O + vZCciR: neqAXd7k + namespaces: + - ozziI6FZ + - URQlLJF + topologyKey: SeSq4K +annotations: + Bx5i3M: s + svlaTGpSHD: 7P9k +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 122 + minReplicas: 449 + targetCPUUtilizationPercentage: 218 + targetMemoryUtilizationPercentage: 488 +configmap: + create: false +console: + roleBindings: + - eaLPMN8qOPT: null + xb: null + xnt: null + - 3Mgk: null + roHIFBN: null + - TtzrP: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: nj + name: rl +extraContainers: +- args: + - lW + - lpUVzUh + command: + - 3mEGtoKbEWE2Jw5T + - b1GBFA + env: + - name: hsiWF93 + value: zBco + valueFrom: + configMapKeyRef: + key: 8hvvaoHB + name: "y" + optional: false + fieldRef: + apiVersion: WPT5J + fieldPath: sc + resourceFieldRef: + containerName: 0xbTU4O + divisor: "0" + resource: tPBV2ObG + secretKeyRef: + key: YEKZukl + name: px + optional: false + - name: PM0MyyH3R6R + value: yOzX + valueFrom: + configMapKeyRef: + key: I3pi + name: DC + optional: true + fieldRef: + apiVersion: "25" + fieldPath: "" + resourceFieldRef: + containerName: aZj1E7LU + divisor: "0" + resource: sxs0nE31 + secretKeyRef: + key: Ktb3c4 + name: g98T + optional: true + - name: 6kDq8UgFIS8 + value: L0i4 + valueFrom: + configMapKeyRef: + key: 9WUe9 + name: tZrRUK + optional: false + fieldRef: + apiVersion: GIc + fieldPath: AXTmU + resourceFieldRef: + containerName: E2 + divisor: "0" + resource: a63tq + secretKeyRef: + key: luWp + name: lPdowo + optional: true + envFrom: + - configMapRef: + name: vzVk + optional: true + prefix: DONFyRd + secretRef: + name: 9uct + optional: false + - configMapRef: + name: z5nC9D + optional: true + prefix: 5epUyS1iy5m8 + secretRef: + name: zqRFC + optional: true + - configMapRef: + name: awjfJlZxN + optional: true + prefix: LhArOQgbq1OCR2L + secretRef: + name: mb5axzX5 + optional: true + image: qPLiX + imagePullPolicy: '{Ĩ檽]ĻĹňɋ偌Ȏ.阛魉' + lifecycle: + postStart: + exec: + command: + - yAeOM + - s53um + - 3m + httpGet: + host: GJWsJm + path: iDQ + port: 1781170742 + scheme: 皐ű葺ȝĬ麐&ʉ執dz0娸叹 + sleep: + seconds: -4230531115544534394 + preStop: + exec: + command: + - sIGb5 + httpGet: + host: AbxhPKar + path: 3ZZ5 + port: 88852320 + scheme: 砨Ĝ_筀¤痟氻劊űI俼员z幛F + sleep: + seconds: -4758564920159898567 + livenessProbe: + exec: + command: + - ty6JMTW6vA + failureThreshold: -1459976999 + grpc: + port: -1689493187 + service: ihsDMVYd + httpGet: + host: e9NNlO5d + path: iBo4 + port: 334788778 + scheme: ƿ:ħȠL$ + initialDelaySeconds: 1625633184 + periodSeconds: 1327859251 + successThreshold: 1766792721 + terminationGracePeriodSeconds: -3971501657411371216 + timeoutSeconds: 557348614 + name: U3U + readinessProbe: + exec: + command: + - "Y" + failureThreshold: 391027623 + grpc: + port: -1858356724 + service: hnqm + httpGet: + host: g + path: C48 + port: F + scheme: 苎lɲÁ频×ȊDžȀ9Ď"昽 + initialDelaySeconds: -1404160881 + periodSeconds: 521131323 + successThreshold: 2005094455 + terminationGracePeriodSeconds: -5942417190535485186 + timeoutSeconds: 2118365394 + resources: + limits: + Ms1A: "0" + WkWhM: "0" + requests: + b4kR9nm9BfQZy: "0" + eLg: "0" + huME: "0" + restartPolicy: ľ慔/PpǏ銢9滖ɝ韍I鍌$ʪ辫Uz + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - wą&嘪研Z`ȧȢfʘ*ō + drop: + - ƿ`ĉĎ苦Ǧ蘈NJ她笻Ƞ + - 磨3踦煨1JƸc錚捁 ĊZe)ám \ + privileged: true + procMount: 鋶XJm/覹ɋ¶ȉĒȤ瀶|ƻŒ(咡 + readOnlyRootFilesystem: false + runAsGroup: -8452021579348253718 + runAsNonRoot: true + runAsUser: 5983932912975749110 + startupProbe: + exec: + command: + - sZhTLr + - GK + - kqL9aDDm + failureThreshold: 1004086477 + grpc: + port: 1266077274 + service: l1ji1IW1ic + httpGet: + host: rJI + path: H731Dr + port: 1333462733 + scheme: 项鰚ɽ洍êƳ + initialDelaySeconds: 1806670133 + periodSeconds: 1290098703 + successThreshold: -490255445 + terminationGracePeriodSeconds: -206080146769410314 + timeoutSeconds: 270060590 + terminationMessagePath: P1HCGJEbJiD4 + terminationMessagePolicy: ʇ鞯BC鸼樁÷ǹ楺 + tty: true + volumeDevices: + - devicePath: a4 + name: 0bA + - devicePath: VeRXU9 + name: A0XbFJhG + - devicePath: fdim + name: RJf + workingDir: ZoDFb +extraEnv: +- name: "" + value: YbKo + valueFrom: + configMapKeyRef: + key: bIruuA + name: x8 + optional: true + fieldRef: + apiVersion: EqX + fieldPath: ZOh + resourceFieldRef: + containerName: IDJTm5lv + divisor: "0" + resource: QDC8v + secretKeyRef: + key: "8" + name: LcSdNiKff4 + optional: false +- name: RZHq9C + value: m + valueFrom: + configMapKeyRef: + key: PZVqf + name: x + optional: true + fieldRef: + apiVersion: xQi + fieldPath: vxeo + resourceFieldRef: + divisor: "0" + resource: l7 + secretKeyRef: + key: i3lK + optional: true +extraVolumeMounts: +- mountPath: OO0aO6h + mountPropagation: "" + name: kDKM + readOnly: true + subPath: AlRCH + subPathExpr: 7UemLsIe +- mountPath: Z8zdlU + mountPropagation: 醗¡°v:胡 + name: aedAMG + subPath: zo5P1xa + subPathExpr: WmuiME +- mountPath: ufiUx + mountPropagation: '`ʡÔ关Ľ?' + name: PWBh + subPath: 2hslJ + subPathExpr: pUtN3 +fullnameOverride: YUi5JpG +image: + pullPolicy: ȕ蚧竔/´苅oC + registry: zUsK + repository: lQjo + tag: p +ingress: + annotations: + CImW98Gx2v: otj + fP: SRGkm + className: lM + enabled: false + hosts: + - host: AYT + - host: oulge + paths: + - path: 3bi + pathType: ixqeQz + - path: nG + pathType: 5LwYGxvMr + - host: "" + paths: + - path: jJrUpe + pathType: 72AAc + - path: B0K + pathType: kxnm8kN + - path: tQDn + pathType: IxAmHD + tls: + - hosts: + - n9Np8ftRtFhzi + - g + secretName: C + - hosts: + - CMhuwA + - wYA0tSvo + secretName: z + - hosts: + - 34mbP + secretName: 80Z +initContainers: + extraInitContainers: PRtnaAy8 +livenessProbe: + exec: {} + failureThreshold: -1392926461 + grpc: + port: 257623603 + service: us + httpGet: + port: L9CrR58RHnS + scheme: ʅ²7kp + initialDelaySeconds: -1384385388 + periodSeconds: -1660079876 + successThreshold: 680842396 + terminationGracePeriodSeconds: 6050526356201491316 + timeoutSeconds: 213455290 +nameOverride: nEojiMtRc +podAnnotations: + Mfsd: hmi +podLabels: + 6dZAs: xJPaLHKS1Y2 +podSecurityContext: + fsGroup: -6567182940167159103 + fsGroupChangePolicy: 6iɰ堂:齐ǪÈ + runAsGroup: -1787219330993537800 + runAsNonRoot: true + runAsUser: -5627543087390804845 + supplementalGroups: + - -3306962996817147613 + - 975882030005456556 + - -5263492609498468245 + sysctls: + - name: YC + value: 7JlDTCP6hs +priorityClassName: 0P6RnoBeb5 +readinessProbe: + exec: {} + failureThreshold: 1689894479 + grpc: + port: 222105741 + service: D + httpGet: + host: vyj + path: JoV4VZMz2Bv + port: vRf9ZHgc4j + scheme: 条om競娷Njʑ + initialDelaySeconds: -1753994274 + periodSeconds: -1189421015 + successThreshold: 1278527365 + terminationGracePeriodSeconds: -6266260075166332402 + timeoutSeconds: -209775227 +replicaCount: 391 +resources: + limits: + 8ycM: "0" + requests: + CvglPI: "0" + s5: "0" + uiHB: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: Iq + name: Tb8RGi + kafka: + awsMskIamSecretKey: gj + protobufGitBasicAuthPassword: kO + saslPassword: IB3qNjrV + schemaRegistryPassword: 4wnp6Qi + schemaRegistryTlsCa: gFBJq + schemaRegistryTlsCert: LUubckiv + schemaRegistryTlsKey: 9Op + tlsCa: 94x0v + tlsCert: h4lSMbv + tlsPassphrase: CVT4wjw + login: + github: + clientSecret: YaYETggo1hi + personalAccessToken: d + google: + clientSecret: tDqsIg + groupsServiceAccount: FSUAkU004n0k + jwtSecret: 2dWKNqarwb + oidc: + clientSecret: i2n + okta: + clientSecret: XytR0yn + directoryApiToken: m3WEq4zKv + redpanda: + adminApi: + password: ozo + tlsCa: 0g + tlsCert: hQ + tlsKey: xfpkmy +secretMounts: +- defaultMode: 184 + name: L8dbWip + path: g + secretName: LF0O +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - «Ƙz损 + - ɟE鄱Į惪Y桦ŗɘoȍ蠣4ƪ呀R> + - "" + drop: + - 娤b + privileged: false + procMount: ʍ曏(ƶæ + readOnlyRootFilesystem: true + runAsGroup: -406748533537085799 + runAsNonRoot: false + runAsUser: 3238073083343117470 +service: + annotations: + 8v2: JbH + 95cxbjjD7C: JBMaJ + VY: yRV7d + nodePort: 18 + port: 168 + targetPort: 227 + type: WAAXkZY +serviceAccount: + annotations: + DQxrtk8: buiWLPbYq + HHbP: sAY + Y0DKOcTa: D82Nfh + automountServiceAccountToken: true + create: true + name: DSw7 +strategy: + rollingUpdate: {} + type: żʧȟ +tests: + enabled: false +-- case-048 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: v + operator: ė + values: + - ln + - lU4zX8iz + - t0Xc + - key: s3fpu + operator: ɥ娿ăʄĠ mʓ銈E'袭ĵ + values: + - ljJlhx + - matchExpressions: + - key: qPBvuBghor + operator: 泱诅ʫt + values: + - a05XZwN + - SiAvFWs + - FhW1 + - key: MVFTcW + operator: º囜N赧0索d + values: + - c + - ghZI + - AjB0J + matchFields: + - key: QzMSpLW + operator: :ɉùȪÇzǥC货°ÕV? + - matchExpressions: + - key: pA7a1gYdV + operator: '[ĪtOK' + values: + - 2bE4Bw + - fyMOYi + - key: wshbw7Ix + operator: J槭~撑MS=ÑƎ薽饵a緗 + values: + - 9jt6 + matchFields: + - key: s1 + operator: 犫茬睶ňv + values: + - XhyH + - Ng1r1 + - nqis + - key: mHLiT + operator: ȁ佝L郗s稷tŻ+f舭拳鰵2e{a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: jdvk + operator: ƶ + values: + - NV + - y4 + - V2XRZS + - key: 9VvAl5 + operator: <坎陸$§¤_ã檠奙Å饉J夗ɓ翩锸辸 + values: + - x26kYkJ + matchLabels: + DziixIJYd: yCXzPc + matchLabelKeys: + - XNuk + - RGLu + mismatchLabelKeys: + - aF3 + - R + - Tnj6SmTq + namespaceSelector: + matchExpressions: + - key: e1XR + operator: Kɞ窏ǿ,鸣ŰcNc + values: + - Yrq + matchLabels: + F2Pe7J: dlwTdhs + lK: nolQ + ys9z: euXWPiaJ3Bv + namespaces: + - tAzvw4OH1G + topologyKey: 6y + weight: -1640008169 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XbjQvP + operator: V嶙NZ谡筩ǒ抂 + - key: i + operator: ɔŃ旓Ɍ鬺X + values: + - Zvx + - 7HWJ + - e4ucTP + matchLabelKeys: + - 0LSTZ + - ESk2r + mismatchLabelKeys: + - CKhfvR0Sg + namespaceSelector: + matchExpressions: + - key: A0tc + operator: 辛§ʢ垝V矋n握匞~嶯筪溆¸ + values: + - ML + matchLabels: + K1pr: ROFIwZhJYYo + ODc: 48WQ + namespaces: + - Wv7 + - zenLPw + topologyKey: tIVDde5U + weight: 1977587462 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3YyUamlR + operator: 橯F + values: + - dHitre + - 90jUjk + - key: NtnSL + operator: 臰sR=坵Ěcñ黪:ɻ寊â9dƎ\V + values: + - qqzycK + - key: ICXJGRFS + operator: $貕^eėǭD鳅ʇ + values: + - txX + - SFrkJ9r + - 3jOnwEW1 + matchLabels: + Uwj1kpV: oUXOYkF + o: ts5wRqjTyCy + matchLabelKeys: + - V2DNNCORe7ZRA + - pglXe4D + - w3881 + mismatchLabelKeys: + - xbi5KtUmR + - eZenitLdd + namespaceSelector: + matchExpressions: + - key: fxd5Y + operator: 頣R熗!A麳Ƚ6r爤暓 + values: + - oe46YF + - rT30v + matchLabels: + 4WA: EH + nRhlLLx1yHy: 5UFrj + namespaces: + - 7j92oP + - 2hf + topologyKey: "" + weight: 92207265 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: wBvol + operator: Ɂüɯ + values: + - eKmyok + - key: B2uj69 + operator: "" + - key: hLrZlh + operator: ȕ嵠味 ɼ_ + mismatchLabelKeys: + - W + namespaceSelector: + matchExpressions: + - key: Qu + operator: 亣i拴ÿ + values: + - OeiUsmYu + - oGXa6Ma + matchLabels: + "": Li + oDV7yR: NP + namespaces: + - PQjQb3LP + topologyKey: Gs1 + - labelSelector: + matchLabels: + "": nF + mismatchLabelKeys: + - YG6aQj + namespaceSelector: + matchExpressions: + - key: HpxPVtw + operator: z畘ŠƽǢ蘟\ɡ忕ɋ蜹5B + values: + - EQ + - RP3fBi + - key: Lv60cZut + operator: 裰ƈ + values: + - I9JbN + - dt + - Cya + - key: 0MGm8N + operator: 遍Ż + matchLabels: + nELvnrAFr: DClM + topologyKey: N57yxG + - labelSelector: + matchExpressions: + - key: "" + operator: KǞ}ɣȿ嚶宗荝«Dž + values: + - CGw32z4JHya + - E + - u5CDtdc + matchLabels: + J5LzcLei: kBwTCGZ + iLpqu: j4bqBNDjAK + jN: jUZ0u + matchLabelKeys: + - lNM + - K3nOO5 + - 9norFQpMiC + namespaceSelector: + matchExpressions: + - key: y4teb + operator: 蚯 + values: + - P + - O0 + - MvxOu + - key: v8w1Ok + operator: 8ƴņŨƊ¹艗胲ƦpYƿ9d脙~Ë + values: + - "4" + - "66" + namespaces: + - OtWsVW + - p + topologyKey: GeF + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: GRLHy + operator: Ä椶 + - key: Z + operator: ė牫ȃ汥Ƈ娍q\桕ɄNǴ + values: + - S1hMkP + - K + - x5coDg + - key: kJzBQ + operator: ʉĻ孺bɧɬʬ柿娤e¯]每) + values: + - DbD1 + - C5dyvNew + matchLabelKeys: + - 8G + - 7cCVU + - lN + mismatchLabelKeys: + - xJ5l + namespaceSelector: + matchExpressions: + - key: U89y + operator: ȓ2浿澰V缐厧钎wň莁願菶ʈ杈 + values: + - 9m6ydjpHu + - CatqpZmUCL + - dJz + - key: SIePbOJc6H + operator: ljR2qɟ$s櫮c雕Ů幔莁沥ʫľƙŝ + values: + - 75tj75r + - XiO + - key: "" + operator: 舄或崙Ĭɐ耼Ī弋禽$ + values: + - HWwXVr4o + - WEkwi8ZNDQ + - f + matchLabels: + fi8w0BX: Z48LRdXmkJ + namespaces: + - Yaw2NnfJ + topologyKey: ElKfd7Eo + weight: 1078166465 +annotations: + Dgw3Wl: 7aofTp +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 1 + minReplicas: 224 + targetCPUUtilizationPercentage: 468 + targetMemoryUtilizationPercentage: 256 +commonLabels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE +configmap: + create: true +console: + roleBindings: + - FZ5NQS6: null + - 0ToI: null + RTwav: null + mWwdgyM: null + - {} +deployment: + create: true +enterprise: + licenseSecretRef: + key: "" + name: 3VGefRh +extraContainers: +- args: + - 3QF + - k1BJBm + command: + - PMW + - j + - V7MAcfomz + env: + - name: rAzI53 + value: WlHlq + valueFrom: + configMapKeyRef: + key: zzIBsb + name: Bh261F + optional: false + fieldRef: + apiVersion: SlA + fieldPath: "6" + resourceFieldRef: + containerName: q0BBEv + divisor: "0" + resource: JE + secretKeyRef: + key: FvrZgBz + name: ZTBeic + optional: false + - name: uPptX + value: i9 + valueFrom: + configMapKeyRef: + key: JeHwi + name: TiQHOG1EsFUgIE + optional: true + fieldRef: + apiVersion: i7dd + fieldPath: Tu + resourceFieldRef: + containerName: ChdvA + divisor: "0" + resource: Eq1V33RTZQSJRJFg3V + secretKeyRef: + key: ojxn54r + name: L + optional: false + - name: Sl9Py25FX + value: e9 + valueFrom: + configMapKeyRef: + key: Zq80J9tyR0opcz + name: gy00dyvHFa + optional: true + fieldRef: + apiVersion: UJLSQy7zL + fieldPath: Xm4sg5H + resourceFieldRef: + containerName: ZmY7Fno6Fcop3 + divisor: "0" + resource: gqZwW + secretKeyRef: + key: v + name: hJDoWtjkfL + optional: true + envFrom: + - configMapRef: + name: RdWA + optional: true + prefix: Dq + secretRef: + name: BOBOO0sLIWw0e + optional: false + - configMapRef: + name: MoMnWNTC + optional: false + prefix: "3" + secretRef: + name: B58Vvj3 + optional: false + image: Vn5V + imagePullPolicy: 筥ǏŤČ癳嶧GĒH挕ÄHɡ + lifecycle: + postStart: + exec: + command: + - hTIx + - lslygl + - lSgx5G2IfU + httpGet: + host: GNVKz7 + path: d0Y + port: Igi + scheme: 莵łEǐ嫖ʒʔvŊ>ry5贛 + sleep: + seconds: -184172880642712439 + preStop: + exec: {} + httpGet: + host: tD1TkKV0ES + path: s6 + port: OpK5riOe96 + scheme: 琊*i#欱E唂ȧ鐄膶詃7 + sleep: + seconds: -4889549574266894064 + livenessProbe: + exec: {} + failureThreshold: 1591130939 + grpc: + port: -540029946 + service: aoAN2Lx03 + httpGet: + host: vWu + path: Lo + port: 1468671948 + scheme: ȯ煐IŢ + initialDelaySeconds: -1879733088 + periodSeconds: 1106663448 + successThreshold: 240850805 + terminationGracePeriodSeconds: -7405296717602935730 + timeoutSeconds: 524743651 + name: AInfx2Rak + readinessProbe: + exec: + command: + - oIA3 + - H + - 96Uj2 + failureThreshold: -1855887857 + grpc: + port: -495541010 + service: X + httpGet: + host: ZplmMg + path: tAAr + port: 1950182935 + scheme: ʂ綽oa;n轮ęB觼Z=G泇跢揌韇锶 + initialDelaySeconds: 1057136331 + periodSeconds: -2025421367 + successThreshold: -812558156 + terminationGracePeriodSeconds: 4314843605692522234 + timeoutSeconds: -1609986779 + resizePolicy: + - resourceName: EvmpG + restartPolicy: 4ɱ + - resourceName: hTB20ObO1 + restartPolicy: ½ŏ伐Q蔏ʝ噙漃袩J]Ɣ蒘岇 + resources: + limits: + KWlx2c: "0" + O: "0" + requests: + ZCJwGBL: "0" + restartPolicy: 1nĔ:蹮>s蹬ÍǺ + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 迠寈搣弝渎İ- + drop: + - 檹Ɩ + - ɧ麧ç2ā兛杧蔙團载^P蚡5缿ʒU襩 + - cLD|ƶ虌Ȗ + privileged: false + procMount: ïƋ圏滜ľ転謀ĤP蹥ȅ|髃蒃Q癎æ + readOnlyRootFilesystem: false + runAsGroup: -4850605470374303682 + runAsNonRoot: false + runAsUser: 7731251064648990624 + startupProbe: + exec: + command: + - LqYoUQy3c4BE + - 5N + - Ug + failureThreshold: -1290004088 + grpc: + port: -1721281251 + service: H2p + httpGet: + host: 02CP5 + path: F609y + port: JjwFH + scheme: 珑 + initialDelaySeconds: -402608647 + periodSeconds: -1520214127 + successThreshold: 209058699 + terminationGracePeriodSeconds: -1900030585542850396 + timeoutSeconds: 1686394545 + terminationMessagePath: qixKzKz + terminationMessagePolicy: Ǥ衚蔁ʙ剠Ǡɭf~ + volumeDevices: + - devicePath: zM1 + name: jmc + - devicePath: IZ + name: PS + - devicePath: kN24U + name: Apu0r1U2 + workingDir: WgB +- args: + - 2Z37 + - 75kO + - TjvjkZTrc8s + command: + - M0NtzJ + env: + - name: 2EH + value: O + valueFrom: + configMapKeyRef: + key: J1ozKsuji + name: glLvAIHP7i + optional: true + fieldRef: + apiVersion: 3gAjGu + fieldPath: sNpuR8m + resourceFieldRef: + containerName: oxx + divisor: "0" + resource: PuKq + secretKeyRef: + key: Iua2L1LoCWMs2 + name: YfKwS8s + optional: true + image: PKNM + imagePullPolicy: ÍĪ0魣Ŋʒ + lifecycle: + postStart: + exec: {} + httpGet: + host: fsZ + path: EGnu + port: 765491661 + scheme: ?ğ叆ɂ&pʠ溶Ǚu + sleep: + seconds: 4688626474961012693 + preStop: + exec: {} + httpGet: + host: TB + path: "6" + port: -50369560 + scheme: ~Ǚɇ>ƃ\7]歉sh羘y4 + sleep: + seconds: -5293607398165581925 + livenessProbe: + exec: + command: + - 1g8dewdj + - lRmD + failureThreshold: -125369558 + grpc: + port: -1490211482 + service: R + httpGet: + host: CSGThzhG + path: 9NBKzoiFzs + port: -272474300 + scheme: ŀ + initialDelaySeconds: -1094670881 + periodSeconds: 1768141210 + successThreshold: -985604418 + terminationGracePeriodSeconds: -1297054466922920616 + timeoutSeconds: -1289231356 + name: KtKv6dg + ports: + - containerPort: -632764671 + hostIP: 8CU + hostPort: 917138107 + name: 1VgOx + protocol: 典ȫ窃ÛǪ3m患 + - containerPort: 739656218 + hostIP: dQQ3 + hostPort: -1348301133 + name: "3" + protocol: '?Ū慾ŘLº桒J:茦扰絥ǗȑĎ:' + readinessProbe: + exec: + command: + - qZ2J + failureThreshold: 293719665 + grpc: + port: 1235836411 + service: ig3 + httpGet: + host: Ws + path: FVnJhZq7I + port: -1075951148 + initialDelaySeconds: 321800409 + periodSeconds: -556535717 + successThreshold: -625124830 + terminationGracePeriodSeconds: -4084380722124342213 + timeoutSeconds: -904900305 + resizePolicy: + - resourceName: GKINnuJx + restartPolicy: Řl©=嬈牍]佧& + resources: + requests: + omO: "0" + uga5: "0" + xnRsp6C: "0" + restartPolicy: ʝdŌİ蒘傥>晑|癶x&ĭmŭƙŵ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 約nɤưHĞ4WƳǤȣ糥蠇t + - ¾ʃŔ冻楟?¿揈h嘼œ + drop: + - 7忭譺屩嫕ƞʅ袬/氼Xg养ȸ陣萓 + - 胨`鯵ƪĽ藹 + privileged: true + procMount: Ulƙxȿƌ乜溬噕瀆储铐\纬 + readOnlyRootFilesystem: true + runAsGroup: 4589112012742886931 + runAsNonRoot: true + runAsUser: 3204614620414442288 + startupProbe: + exec: + command: + - TFJ + failureThreshold: -585814509 + grpc: + port: 178002023 + service: lAuHCrE + httpGet: + host: "88" + path: Th + port: In + scheme: 鷵菭g顲Ⱦ穪 + initialDelaySeconds: -1856697198 + periodSeconds: 1469578394 + successThreshold: 160563852 + terminationGracePeriodSeconds: -4442318275257517382 + timeoutSeconds: -16211809 + terminationMessagePath: 513sVbgA + terminationMessagePolicy: 隓Ǽ屼Å7嗟Ʈ麝0{ȦDžĐ! + tty: true + volumeDevices: + - devicePath: ugQAJ + name: Jf + - devicePath: BFfnTD + name: kfF6CZ + volumeMounts: + - mountPath: C3 + mountPropagation: 呍婻厦ǒ絶偂蠛ƺ蠖蕍v貰Ė + name: DQvHajhHx + subPath: aYHGugq + subPathExpr: MSs + workingDir: OE +extraEnv: +- name: rd10f1l + value: GtUE + valueFrom: + configMapKeyRef: + key: C1N + name: bi + optional: true + fieldRef: + apiVersion: 9GWlMsB + fieldPath: l2 + resourceFieldRef: + containerName: 4t + divisor: "0" + resource: eyjvzsf + secretKeyRef: + key: xBMOaej + name: O8AG + optional: false +- name: C + value: fYlde + valueFrom: + configMapKeyRef: + key: 4HvhDAkW + name: 5bgA7leE7 + optional: false + fieldRef: + fieldPath: zY6rf + resourceFieldRef: + containerName: S3 + divisor: "0" + resource: 3sD + secretKeyRef: + key: s43 + name: LpaQ + optional: true +extraVolumeMounts: +- mountPath: M5 + mountPropagation: 稤Bơ觓Ð琋 + name: yQHj49RtdzN + subPath: GdQkAKF + subPathExpr: Gvswh +- mountPath: QRg + mountPropagation: 搚Kƕ欕K貵蠜d旓ĀÝ虩釓 + name: qCEH27RF + readOnly: true + subPath: nHB05RuTZ + subPathExpr: K0yH +fullnameOverride: 3um +image: + pullPolicy: Ƀşb?師Ğ`3H觉趟糯襖 + registry: VHbf77MFq + repository: 9Gz + tag: Tg +ingress: + className: ob + enabled: false + hosts: + - host: gH + paths: + - path: Ts + pathType: CGb + - path: "" + pathType: zZQ + - host: iiV3 + tls: + - hosts: + - tHQ4 + secretName: fnmcizOYm + - hosts: + - iPP + - 6ESVwf0d + - ziZck0N + secretName: O7mKv7 + - hosts: + - 8YGvchGJ + - wN + - XtvjzH0 + secretName: VlbaTuVK +initContainers: + extraInitContainers: thAoOYwQDaAt +livenessProbe: + exec: + command: + - nCg + - T6fzKjCjD + failureThreshold: 279778022 + grpc: + port: -995356959 + service: 9yOO2 + httpGet: + host: PYJSaHej + path: fr7 + port: 8Ij + scheme: QɄ揆ѧ鶹i骡l僴Ǎ植烤ĕǘqɦ + initialDelaySeconds: 1098820524 + periodSeconds: 414174316 + successThreshold: 1178515566 + terminationGracePeriodSeconds: -5729352865043664628 + timeoutSeconds: 873461419 +nameOverride: W7q3X +nodeSelector: + Bm9U: oTYglG6dh +podAnnotations: + eG: vxInc0 + g: BI6yk + xCtSP: rQ +podLabels: + ZEXh: zufy +podSecurityContext: + fsGroup: -3794452885502571644 + fsGroupChangePolicy: 欲飹Rɦ薕µL<Ĕ + runAsGroup: -3171560656159467191 + runAsNonRoot: true + runAsUser: -4412205905842408558 + supplementalGroups: + - -7215185124091152595 + - 5139656417921062736 + - 600742233156257714 + sysctls: + - name: Te + value: cKzihj +priorityClassName: l4Mowg +readinessProbe: + exec: + command: + - "" + - c8G + failureThreshold: 37001950 + grpc: + port: 1211428387 + service: UUKg3TJGP2 + httpGet: + host: eznD + path: aBohoOMPU + port: -2044766681 + scheme: 讻;Ǩ办鈁癃靟èʣ¾fǖ^Ǟ + initialDelaySeconds: -396024246 + periodSeconds: -1467409206 + successThreshold: -1328773613 + terminationGracePeriodSeconds: -8721653473984246810 + timeoutSeconds: -1781454259 +replicaCount: 46 +resources: + limits: + 8cdWaeK7jVrR: "0" + HYBi6o: "0" + requests: + NOz: "0" + gH: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: wNZRnHu3m + name: ULOBG + kafka: + awsMskIamSecretKey: RfMF + protobufGitBasicAuthPassword: julgURa4B + saslPassword: uuq + schemaRegistryPassword: "54" + schemaRegistryTlsCa: 0rjT0gsnw3 + schemaRegistryTlsCert: kpA9ZJQgp1 + schemaRegistryTlsKey: 4rfN + tlsCa: NhTEC0A + tlsCert: iN0W + tlsPassphrase: Id1ovgK + login: + github: + clientSecret: LWyKxwgV + personalAccessToken: Nkq1DyJixsC + google: + clientSecret: tJv + groupsServiceAccount: 9jqz4h + jwtSecret: PWdr6CcxS + oidc: + clientSecret: RMxiMIY + okta: + clientSecret: SJ6I + directoryApiToken: 1wIf + redpanda: + adminApi: + password: C9I2x + tlsCa: Qpp + tlsCert: "" + tlsKey: 7uh28L +secretMounts: +- defaultMode: 80 + name: Mt1 + path: WsSL4vxNxCkXP + secretName: ZxXI0Hhv +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ɋ闻ǃɗʀd撪 + - 蘑ǪY桼ɮǚɳ爥ňB + drop: + - 乄}ñ0詘蛾牪坣缰ƩǏ薷©瓚`Ʋ虯r + - ǓJğ&ĊƯʝbǠCŪzgì + - ńǜ[ɪ判Uʋ]泘狔 + privileged: false + procMount: 媹:堏_ɟ榧禙Ɲ'瞟 + readOnlyRootFilesystem: false + runAsGroup: 2759228957449300312 + runAsNonRoot: true + runAsUser: -812867783664200775 +service: + annotations: + c: DNy + kDPtPpnL: kFmmx + nodePort: 377 + port: 311 + targetPort: 29 + type: l5gj +serviceAccount: + automountServiceAccountToken: true + create: true + name: sKa +strategy: + rollingUpdate: {} + type: 顓ǝSm +tests: + enabled: false +tolerations: +- effect: 嫜ʎ愤wßj硭 + key: JO1 + operator: ȼ¾Pȇ挮ƶȋ'蹑鶚嗵ïG + tolerationSeconds: -6027642013843151183 + value: a3XbyS +-- case-049 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: L + operator: 域%Ɠ礇!ʘl.ǷŠ该貹&N + values: + - oAk8rvkey + - Fb08GpumY + - key: YJGr + operator: '|4\i事!ų藦x鳜Ǫ' + values: + - 63Yvc + - key: j + operator: ¸瀖čņ!彅搀 + values: + - RnzdW + - Nxs + - unZuno + matchFields: + - key: wLP0QqdHBmd9e + operator: ȑwȼ嶢vC`ȖĜƐ桡牆ēIa,謧ŗ + - key: mdgmMZ + operator: Ō§ȶƔ>#Z骻5S洝岛Ċ啞. + values: + - Fvf6 + - key: GQsV + operator: 涥ȕêȩȋ婍0毙舺糩\DŽŅ饒 + values: + - XccQkxG + weight: -1172839714 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: JpS0BkW + operator: 聣耥ʒ昼|Ȏ)ß瞖a癨櫒缮{v + - key: HLL3gv + operator: 铡ÞC腢z蟒Á + - key: iDGQV8Bjyu5Q + operator: 舢脛歛ƻ68 + values: + - eLCH7Nc + - QQqPUN + - "" + matchFields: + - key: AY2q9fnL + operator: ȏ伌鎩5桀ʁ + values: + - Uac + - K0q + - bY71A + - key: rBwZz + operator: '*ĴȉǼ矼SN]ʛ源' + values: + - 5yMkn + - key: S1C + operator: ÿƙ彋,嘲樦 + values: + - OXH + - vl1 + - uCYaO8Cn + - {} + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mZ3rAF9 + operator: yŲĺȫ阁笵W®詃Œ + values: + - bhvFz + - key: uiaNXZcXT + operator: "" + - key: AAM + operator: 閸鬼駝洁c奊(Ƅ謍MǍ辰T堍癩)丗 + values: + - "9" + - ESiN3 + matchLabels: + kCSDZtsm5: vVk + oBlyCq: jlh + matchLabelKeys: + - BCZ8FFbh + - A + namespaceSelector: + matchExpressions: + - key: Lsf + operator: L + values: + - a0HB + - C + - key: eoj6ic3 + operator: ż伌oA汄俔ɿ7巪娻% + matchLabels: + Cx: wwPPM + namespaces: + - 9xhG + - JAutZqe4gGeuf + - "" + topologyKey: 1a + weight: 223935020 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: LtGRhs + operator: 棺ǔ'ɘ砒Æ擑Ɵģ + values: + - GhM4BSJqNOf + matchLabels: + "": 7Ni + matchLabelKeys: + - yxF4 + - 22RoWr + - etRteovEh9 + mismatchLabelKeys: + - 7NOfe + namespaceSelector: + matchExpressions: + - key: 3KCX2 + operator: 臞ʀ¯弄Ɨ橎琜ġ鍳¶ȣ2墛.ɮ濎ɕ磞 + values: + - 5YiE0xEC + - 4spxMd + - vUPA + matchLabels: + YHIq: nS + topologyKey: F4 + weight: 716052627 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "9" + operator: ĠƑȥ兾3ŶJ + - key: pPvuyWZ + operator: ;bļo刲+圊}MǏŅ惤ć + values: + - 9pMXT + - Ezwo11 + matchLabels: + 66347W: ccFxZoF9 + X: VrN5kt + mismatchLabelKeys: + - u4LyY1 + - zT + namespaceSelector: + matchExpressions: + - key: qwhutJo + operator: 垴ǞƼ + matchLabels: + OFxMkYx: lhxtM + topologyKey: WN8qbUgigF + weight: -1609734055 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - "" + mismatchLabelKeys: + - XnhP + - "" + - Bk + namespaceSelector: + matchExpressions: + - key: M + operator: Ǽ糨ʡ毺Ɇw + values: + - ntvI + - vs + matchLabels: + "4": 2Y2FBpcbg + namespaces: + - 1S8c + topologyKey: jxiZ4d + weight: 1993833508 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: EpKkdimp + operator: 额ƀ箰L禼aÅ顙)C舉 + - key: e2Zu7Kb + operator: t潱髦pö鵺b澁6銹 + values: + - z9n + - LdMQ + - r + matchLabels: + F: Nc + Qa2h5toVwd: GGxZ3BQ + l: Z6Rh + matchLabelKeys: + - LsCC + - dgmxxZW + mismatchLabelKeys: + - e + - Cb + - e0DAEluN + namespaceSelector: + matchLabels: + oJ56D: 33m + tkP8tO: mIkfyE6E + namespaces: + - VxN + - hbwB9 + - t + topologyKey: qag0unul +annotations: + BceQMZiOm: E1uakdHPkLNL +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 292 + minReplicas: 381 + targetCPUUtilizationPercentage: 255 + targetMemoryUtilizationPercentage: 99 +commonLabels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + ztm: qegfb80 +configmap: + create: false +console: + roleBindings: + - K: null + nGSYV: null + roles: + - {} +deployment: + create: true +enterprise: + licenseSecretRef: + key: yAo51i + name: blNvk6O7Urx +extraContainers: +- args: + - kn0F9 + command: + - M + - Hph3 + - lZfWKF + env: + - name: HBWtNh10A + value: 8guE + valueFrom: + configMapKeyRef: + key: Chnm + name: UlwzEQ + optional: false + fieldRef: + apiVersion: 8pq9 + fieldPath: qpnfP4p + resourceFieldRef: + divisor: "0" + resource: L0tn + secretKeyRef: + key: J + name: gbfgF + optional: true + envFrom: + - configMapRef: + name: n32MM + optional: true + prefix: cp3 + secretRef: + name: Uc + optional: true + - configMapRef: + name: VGBL + optional: true + prefix: NTMU + secretRef: + name: CEg + optional: true + image: zIWYBi7 + imagePullPolicy: 蘂ȱʃ& + lifecycle: + postStart: + exec: + command: + - QpTcv + - MS0T0N + - wiE + httpGet: + host: ZCUJOIH + path: UsXT + port: 8nExSP2u + scheme: 'uŊ6熀: 焆 烷ʫ-Ŗ亾ɣʖ氝"肰' + sleep: + seconds: -2519616411083819638 + preStop: + exec: + command: + - rmQ7 + - GxRXQk + httpGet: + host: UIVpXMrzW + path: 4tHQ + port: 8xLK1VyM + scheme: ƳǃóɃȊ{回żz闓葊G嚥 + sleep: + seconds: 3595323074300269449 + livenessProbe: + exec: {} + failureThreshold: -882825879 + grpc: + port: 503069299 + service: W + httpGet: + host: FilCCd + path: NPZrCEq + port: 6NoPho8wIsxe + scheme: āȹ顺悩錣Xƕ灄ĿG乒 + initialDelaySeconds: 781680731 + periodSeconds: 205458 + successThreshold: 1115648780 + terminationGracePeriodSeconds: 4579765768791485272 + timeoutSeconds: -676867842 + name: 2tf + readinessProbe: + exec: + command: + - edKf + - 0U + - MFr2Oh + failureThreshold: 1812906550 + grpc: + port: -791379232 + service: IAqADBco + httpGet: + host: 55GZ + path: AQC + port: sxTXcp + scheme: ƷMg靚珨嘸ȗʒ鑉Ȝ梒ŗǐkōĕĵ鞍 + initialDelaySeconds: -130429301 + periodSeconds: 876742351 + successThreshold: -1424043483 + terminationGracePeriodSeconds: -1574530902871555383 + timeoutSeconds: 764935409 + resources: + limits: + 9eHi: "0" + rO52puR: "0" + requests: + UF8LV7N: "0" + ao: "0" + cRVsAz8v: "0" + restartPolicy: ɥ]×璳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɖ膵7&ʞíXĦx-ǰİɾ榩聨ŗ% + - DŽ熲鴼玜覲杷ȆƠ沺伤{拢 + - ɉȋʠRÂo霾噜奩ƻv$Áő + drop: + - ɑ摿愻J«ʘA宜ƹ¶ + - 餫aJ矐sǁ隑z36渢X赼 + - )ǜ鄰挺溒ŒV栜Ù涸JH-_d + privileged: false + procMount: Ito縎 + readOnlyRootFilesystem: false + runAsGroup: 2484782727894659713 + runAsNonRoot: false + runAsUser: -6936271037843914749 + startupProbe: + exec: + command: + - X + failureThreshold: -256045507 + grpc: + port: 376282302 + service: wdQrDn0 + httpGet: + host: teaO6 + path: DBHpGkYdgAJ + port: -1625640156 + scheme: Ʌ + initialDelaySeconds: 673272264 + periodSeconds: -1050905915 + successThreshold: 282500457 + terminationGracePeriodSeconds: 5768805478519709604 + timeoutSeconds: -601307290 + stdinOnce: true + terminationMessagePath: POO + terminationMessagePolicy: '#d鿂Hk閎=ɰ蜐ġOʡ蠁żǖ' + tty: true + workingDir: Z3pdGL +- args: + - a7Tqs + - UuID5t + - gRCnbjyp + env: + - name: ZV1KP + value: WrT0 + valueFrom: + configMapKeyRef: + key: zZzTgax + name: 3z3eoets + optional: true + fieldRef: + apiVersion: 88zo + fieldPath: z0vE72 + resourceFieldRef: + containerName: DF4t + divisor: "0" + resource: hfVfYFW4 + secretKeyRef: + key: I6JwpO5 + name: I88w22gsx3 + optional: true + - name: z8 + value: sgj8UHZ + valueFrom: + configMapKeyRef: + key: Q85vN + name: lYGl4 + optional: true + fieldRef: + apiVersion: oQu7 + fieldPath: TYd + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: Yx + secretKeyRef: + key: f + name: 0Pjf9YBj + optional: false + envFrom: + - configMapRef: + name: fAH + optional: false + prefix: vjjU + secretRef: + name: 9A8OgEQ9 + optional: false + image: R7L + imagePullPolicy: '}m6铤<豎ŵ,#M狥ʬo' + lifecycle: + postStart: + exec: + command: + - 2E + - gzntg + httpGet: + host: BOoVI + path: ns7ZMdNwQC + port: XF + scheme: ky咊ʅ ʂ娼ȟƐ橽ǿ唔ARɨ罙 + sleep: + seconds: -3978858376823543730 + preStop: + exec: + command: + - Hns + httpGet: + host: Lw8 + path: wdo + port: -239095421 + scheme: ƹ禍OÇ + sleep: + seconds: 3838288160382433952 + livenessProbe: + exec: + command: + - 8E + failureThreshold: -1052479375 + grpc: + port: 82058135 + service: S3UA2HwQaN + httpGet: + host: T0 + path: wYV6 + port: cEf + scheme: 斡1{嘫b葎剜屙唯皎図Ǜ錮ơxȒt駦Ƨ + initialDelaySeconds: -1976610733 + periodSeconds: 436460884 + successThreshold: -949159248 + terminationGracePeriodSeconds: 1786907735670591108 + timeoutSeconds: -2035324376 + name: 0ygO + readinessProbe: + exec: + command: + - "" + - YQ + failureThreshold: 1469514474 + grpc: + port: -1835111333 + service: 5WmTypZfT + httpGet: + host: BDf + path: ZY + port: tyrBXIqhX + scheme: 趬扬鉰昵 + initialDelaySeconds: -683847692 + periodSeconds: -95594828 + successThreshold: -1707399501 + terminationGracePeriodSeconds: 3256417681193515380 + timeoutSeconds: -2088454060 + resources: + limits: + zVX: "0" + restartPolicy: 晄d塮@ʥO%驮ÆgǍô + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ' 吓zǘa畷' + - 鲃ʍ瑘ƴɛjV艑ǔpMK杣Ġ + privileged: true + procMount: zɱÙŭǫäƿ诧聉ń醽Ƥ裩5 + readOnlyRootFilesystem: true + runAsGroup: -2381715627246700598 + runAsNonRoot: false + runAsUser: 6590063474480015904 + startupProbe: + exec: + command: + - "9" + - oRMM2F + - "" + failureThreshold: -1711876939 + grpc: + port: 1138187974 + service: OvdS + httpGet: + host: GZWJ + path: vzJeBCvGMHn7 + port: h9p1Pak + initialDelaySeconds: 447733263 + periodSeconds: 1805541821 + successThreshold: -1114184264 + terminationGracePeriodSeconds: 2730048172651207780 + timeoutSeconds: -1850805595 + terminationMessagePath: GK8 + terminationMessagePolicy: ɾDŽ÷郃ɻ玗璺,4 + volumeDevices: + - devicePath: bLf + name: UVN1o + - devicePath: fIT + name: Qiswb + - devicePath: 9b8i + name: h1 + workingDir: 1IOT +extraEnvFrom: +- configMapRef: + name: GTjM + optional: true + prefix: GSbKp + secretRef: + name: vhsV8Pl5 + optional: true +- configMapRef: + name: cvXs + optional: false + prefix: cBFtb + secretRef: + name: x9N + optional: false +- configMapRef: + name: rDSrOmdL + optional: false + prefix: 0u3 + secretRef: + name: A6PG37zBJfwNR + optional: false +extraVolumeMounts: +- mountPath: De7 + mountPropagation: 1k噟霞ƁĹ + name: 1Z2WnghTc + subPath: Ts5Ful + subPathExpr: YyidD +- mountPath: onM7c3 + mountPropagation: m=Cɬ + name: GC5ZsY07Mr + readOnly: true + subPath: Xt + subPathExpr: r6gZk +- mountPath: 8gPjX7hc + mountPropagation: ƃ柅珚ȭ能 + name: oN + subPath: auYcD + subPathExpr: aheb25w +fullnameOverride: 0BIfuN +image: + pullPolicy: õ鴀铑û + registry: RCYS61Exfql + repository: 8ZLfmymq + tag: 4BSL9iL +imagePullSecrets: +- name: h5x +ingress: + annotations: + q5IN: ehJ3uPo + zL3YTK: "3" + className: aflhQOHWYOXuZ3 + enabled: false + hosts: + - host: obOeJZKpH + - host: u1ac0 + paths: + - path: Riz + pathType: Oa0rGRl + - path: w2xzu + pathType: n2bXr + - path: a68 + pathType: S + tls: + - hosts: + - pgmng + - hosts: + - rxpJYOgPS + secretName: dMa7jxJF +initContainers: + extraInitContainers: N4zG +livenessProbe: + exec: + command: + - "8" + - hRb + - cFB + failureThreshold: -567921134 + grpc: + port: -512457609 + service: F01OY6OLj + httpGet: + host: C04PqGy + path: lMqUJbF + port: 381786117 + scheme: c隢ƖȂ賒Q'd{X旝ĤɪI,k4Ú + initialDelaySeconds: -507660572 + periodSeconds: 1912372611 + successThreshold: -232304560 + terminationGracePeriodSeconds: -4579383330955987300 + timeoutSeconds: 582403024 +nameOverride: 8dJzE +nodeSelector: + ra78: fJ +podAnnotations: + "": cuRn + qBdeU: EQv +podLabels: + O2n4u: kpFpu + g1c: XEOMg +podSecurityContext: + fsGroup: 6449559755791185949 + fsGroupChangePolicy: 慩梱ʂcƎƱ\火ɘ²ɉ_ + runAsGroup: 841256803887707704 + runAsNonRoot: true + runAsUser: -2824253868920734938 + supplementalGroups: + - 8145086042470336086 + - -5005570809576723279 +priorityClassName: JhGfjGXQ +readinessProbe: + exec: {} + failureThreshold: 1010917423 + grpc: + port: 1307350058 + service: TfOG + httpGet: + host: dKWY + path: Qr + port: -837347685 + scheme: C_ + initialDelaySeconds: -986314779 + periodSeconds: 1763110639 + successThreshold: 1473932979 + terminationGracePeriodSeconds: -4633283219964217670 + timeoutSeconds: 1291669389 +replicaCount: 308 +resources: + limits: + x6: "0" + requests: + eeR: "0" + l: "0" + xppI8xB: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: 6LDJ8t + name: 4n4q72vaO + kafka: + awsMskIamSecretKey: INqD5 + protobufGitBasicAuthPassword: SBJl + saslPassword: 78E + schemaRegistryPassword: YMuFCG7qR + schemaRegistryTlsCa: 1y5yRb6O2b + schemaRegistryTlsCert: NuhkhpMV7b + schemaRegistryTlsKey: 9zcrFj + tlsCa: 0PF + tlsCert: wArD + tlsPassphrase: bj3xqz + login: + github: + clientSecret: jdPGF7 + personalAccessToken: y6xqv + google: + clientSecret: m6FeI + groupsServiceAccount: xi1j27Lipj8 + jwtSecret: pg + oidc: + clientSecret: zbsTootC + okta: + clientSecret: rHSfT + directoryApiToken: rOXaN + redpanda: + adminApi: + password: 8c + tlsCa: CJbHIM + tlsCert: uO + tlsKey: uhB0L +secretMounts: +- defaultMode: 500 + name: 99SgdOsZD + path: AQpWvptFEk7y + secretName: B6Fq +- defaultMode: 337 + name: U + path: p44 + secretName: DddF02 +- defaultMode: 246 + name: WFd + path: UiI + secretName: tz +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 趩燡º嗂{踦 + - CƮ + drop: + - 殟kĔ=ņŧɋ] + privileged: false + procMount: aŻ釯fȠ埱ɺȚ + readOnlyRootFilesystem: true + runAsGroup: 4284419790643993066 + runAsNonRoot: true + runAsUser: -4828746969388386674 +service: + annotations: + L: CP + Yf: K4waOjMg + tIYLLgy: d1szIPW6xt + nodePort: 291 + port: 269 + targetPort: 479 + type: IfYfRoHRG +serviceAccount: + annotations: + 5bpPp: ponDVyZ + Ml1: "" + lt: 6VN8BRlJd + automountServiceAccountToken: true + create: true + name: z12W +strategy: + rollingUpdate: {} + type: 擺m鷾DžPĨ +tests: + enabled: true +tolerations: +- key: ka + tolerationSeconds: 2857628758439265098 + value: Ohni9QGx +topologySpreadConstraints: +- labelSelector: + matchLabels: + 3Ym: o2h5aVp + yR4PPZO: 3X + matchLabelKeys: + - vCKujB + - UqCFKCN + - Xnjfai + maxSkew: -943395897 + minDomains: 1955399000 + nodeAffinityPolicy: 噙撢馥櫱m>Q脕擏w梪 + nodeTaintsPolicy: 蝚溄鑝刉=歱Mr踄 + topologyKey: cHyq + whenUnsatisfiable: Q輒ƗȈʑǯƐ| +- labelSelector: + matchLabels: + E: lyK5b9t + UuSjduy: NcK4 + fty: iP6ai + maxSkew: 1881677866 + minDomains: -561571142 + nodeAffinityPolicy: ȫ寴ī嘌.樥'ǹs + nodeTaintsPolicy: ɇ剀ǨUǜ!俛dz餂~匹呃 + topologyKey: pCHj + whenUnsatisfiable: 尘I:Ƒ匌,騸 diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases.golden.txtar b/charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases.golden.txtar new file mode 100644 index 0000000000..cf65330d4f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases.golden.txtar @@ -0,0 +1,24705 @@ +-- testdata/autoscaling-cpu.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + maxReplicas: 100 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 10 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/autoscaling-memory.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + maxReplicas: 100 + metrics: + - resource: + name: cpu + target: + averageUtilization: 14 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/autoscaling-nulls.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + maxReplicas: 100 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/case-000.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: HRoLg + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: "n" + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + Q9AVJD4: G9TEnp + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL + namespace: default +spec: + replicas: 387 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: "n" + strategy: + type: Ò泆A + template: + metadata: + annotations: + checksum/config: a2b60d22337ad49c09f2108d08f05fc6590bc4b45c804adc901467f348d564e1 + lyW: mn + pjq6fDr: YA2w301 + uXvFB: VQ5gP9 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: "n" + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: Z2BpO + value: 0ggF3ha7D + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: hvGoJL + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1028486626 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1713123405 + periodSeconds: -1411200119 + successThreshold: -1362510905 + timeoutSeconds: 1375594715 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + x0StjCjt: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: vQhDS + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: HRoLg + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: hvGoJL + name: configs + - name: secrets + secret: + secretName: hvGoJL + - name: 7iCCax + - name: meEH + - name: xYVSV +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "hvGoJL-test-connection" + namespace: "default" + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['hvGoJL:8080'] + restartPolicy: Never + priorityClassName: vQhDS +-- testdata/case-001.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Sh + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi + namespace: default +spec: + replicas: 414 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Sh + strategy: {} + template: + metadata: + annotations: + checksum/config: 6eb5d8456a652d5006051c8425191238a1a7d39e93a9336b0cc8ca98963c2dbd + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Sh + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: 3Nf + value: vATdo0CH + valueFrom: + configMapKeyRef: + key: IRw5 + name: fa + fieldRef: + apiVersion: 93Fjhay + fieldPath: LRa2I + - name: T0 + value: trXO4 + - name: P9hPooVH + value: yii5lolb + valueFrom: + configMapKeyRef: + key: spAKa + name: U0EYAAe0 + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: T50cZi + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - image: LlCU3if + imagePullPolicy: RɷVȄ×ʤǫĠ侻Ɏźx跻Å榜 + lifecycle: {} + name: l0 + resources: {} + securityContext: + allowPrivilegeEscalation: true + privileged: true + startupProbe: + exec: {} + failureThreshold: -1510490758 + initialDelaySeconds: 112782468 + periodSeconds: -738545847 + successThreshold: -1801864225 + timeoutSeconds: 1026753125 + terminationMessagePath: gCG + terminationMessagePolicy: hmƂÚÕʏ疅耪鯉瓉Ɏ煐8qĺ + tty: true + workingDir: ixD7Jq + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: NyOpfr + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: T50cZi + tolerations: + - effect: Mǣ鍙x奬Ø裗Ʈ唿踣ʘ)ɒâÄ + key: AWx + operator: yīÄLJʑʢ避 + value: cO + - effect: ï楡ɜƐf鱖À夹ǙȤK + key: Gk23T + operator: è6槈$_ȋ6}rvĕ曉¸顋ŀÓ + value: DCkzy + - effect: 蠯u牰ŇɔnÜȎĤ原H + key: qSC + operator: "n" + tolerationSeconds: -7696192156323826000 + value: z + topologySpreadConstraints: [] + volumes: + - configMap: + name: T50cZi + name: configs + - name: secrets + secret: + secretName: T50cZi +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "T50cZi-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['T50cZi:8080'] + restartPolicy: Never + priorityClassName: NyOpfr +-- testdata/case-002.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: R1Yar8 + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty + namespace: default +spec: + ports: + - name: http + port: 413 + protocol: TCP + targetPort: 267 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vN4yH7I + type: ILpSX2Cy +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty + namespace: default +spec: + replicas: 417 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vN4yH7I + strategy: {} + template: + metadata: + annotations: + 8vRMfVroYC2: QXbUbLea + VV4w: s4sL + checksum/config: 69703ab54946efe744831224dacdb980663f666d8fa5be794fb800135f91d11f + upwTMuIqflmD: 9J0H45zXX + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vN4yH7I + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: xZty + envFrom: + - prefix: cfVf + secretRef: + name: ha + - prefix: i2E2Jvnc + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 267 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + 27ywV: "0" + nMnjjF4kM: "0" + xar2JX: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: Y40 + mountPropagation: $寕洦敬苖ēRõøȀ + name: vn5hd + readOnly: true + subPath: oXCY9 + subPathExpr: p + imagePullSecrets: + - {} + - name: YPVBzxvx + initContainers: [] + nodeSelector: {} + priorityClassName: TeCy + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: R1Yar8 + tolerations: + - effect: ǩ趥螏|F8ǻĬ嵍Ğ错ʂĺƠǷ俆峻噸 + key: b + operator: wąȹV{İ刡嚮ȜJ + value: ZuTw + - effect: D稕栥[Ǟ$焫昲 + key: NnhmxYy + operator: Xʀ + value: v65W + - effect: 岂bĤ晏#DĢº + key: MOgT + operator: 礩懜蹻ǍBȟvɸ堊 + value: 3iXh + topologySpreadConstraints: [] + volumes: + - configMap: + name: xZty + name: configs + - name: secrets + secret: + secretName: xZty +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "xZty-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - {} + - name: YPVBzxvx + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['xZty:413'] + restartPolicy: Never + priorityClassName: TeCy +-- testdata/case-003.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: Fb + kafka-sasl-aws-msk-iam-secret-key: SrYY84t + kafka-sasl-password: xCc3TeVY + kafka-schema-registry-password: ovCqxwz9Bf + kafka-schemaregistry-tls-ca: JL + kafka-schemaregistry-tls-cert: cS + kafka-schemaregistry-tls-key: UMwYx4F + kafka-tls-ca: HFpsnPdw + kafka-tls-cert: hseIt + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: w6 + type: ClusterIP +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE +spec: + ingressClassName: EqUYi + rules: + - host: bKQCmfZ + http: + paths: null + - host: djItx5GtejC6 + http: + paths: null + - host: 2wLaQU8 + http: + paths: null + tls: + - hosts: + - V8BpuMCig + - 7LqG4w92 + - el3u4v + secretName: nUlu5bMwB8 + - hosts: + - 4HLzq + - 2i4g + secretName: lSgQIKwj5 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "8nE-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['8nE:8080'] + restartPolicy: Never + priorityClassName: HNqN9h2 +-- testdata/case-004.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl + namespace: default +spec: + ports: + - name: http + port: 112 + protocol: TCP + targetPort: 173 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: YMl + type: dO7eovC +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl + namespace: default +spec: + replicas: 261 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: YMl + strategy: + type: ɡv?ĨJ姯ɚƟć匪cb + template: + metadata: + annotations: + 1iK8Ic: Qo3FCg9qi + 63SsVxDT: v + A1Q4J4: U9jygY2t1F + checksum/config: 5f83295c905c2d3c9fea06172a38428a89334248aea9df0ebd8b589a29afeb4f + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: YMl + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -1713447377 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + podAntiAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console-YMl + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 173 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: Oj + name: QmzFlXE + subPath: "" + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: JT0MK + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console-YMl + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console-YMl + name: configs + - name: secrets + secret: + secretName: console-YMl + - name: QmzFlXE + secret: + defaultMode: 197 + secretName: 7gi +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-YMl-test-connection" + namespace: "default" + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console-YMl:112'] + restartPolicy: Never + priorityClassName: JT0MK +-- testdata/case-005.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: R4Zj + login-github-personal-access-token: N85av + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: enei1WIcV + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: MW + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN + namespace: default +spec: + replicas: 396 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: MW + strategy: {} + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: MW + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: pN + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: pN + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: pN + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: pN + envFrom: [] + image: 7iw15D/RnJFs0:OQDirE + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1921365096 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1548958176 + periodSeconds: -1952555242 + successThreshold: -1289242499 + timeoutSeconds: -265051013 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: JU4z + name: QEJyD + subPath: ZBEy2m0m + subPathExpr: S1Kk + - mountPath: RjUw5sX7NP + name: ett1n + subPath: NmZKwz + subPathExpr: QOMT + imagePullSecrets: + - name: ATcT6Hd + - name: l15Hhw + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: KnLhcy2cw + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: pN + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: pN + name: configs + - name: secrets + secret: + secretName: pN +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "pN-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: ATcT6Hd + - name: l15Hhw + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['pN:8080'] + restartPolicy: Never + priorityClassName: KnLhcy2cw +-- testdata/case-006.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: nd7TSb2mNTS + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: G + kafka-sasl-aws-msk-iam-secret-key: 1tq + kafka-sasl-password: K8kPgIp6 + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: Zr + kafka-schemaregistry-tls-cert: KN + kafka-schemaregistry-tls-key: t + kafka-tls-ca: CQ + kafka-tls-cert: 6xZ8 + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: gCH15URsJZr + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd + namespace: default +spec: + replicas: 176 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: gCH15URsJZr + strategy: {} + template: + metadata: + annotations: + checksum/config: f55f3fdc49a4774db4d2377ea9b69fd8da2a190ef99f7fb31aeb393215f878cc + s2D: DMU7 + creationTimestamp: null + labels: + CoBI: 20aOZaZvs + app.kubernetes.io/instance: console + app.kubernetes.io/name: gCH15URsJZr + e0xqmoOD: Nb5V + ylGQE: p + spec: + affinity: + podAffinity: {} + podAntiAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: rzd + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: rzd + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: rzd + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: rzd + envFrom: [] + image: zT38Q/V:iSGm6MT1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + PY: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: 5uhd1qMX + mountPropagation: ȵS鈛ZQì暗 + name: "N" + readOnly: true + subPath: lbeciOZZ + subPathExpr: Pd88cwE + - mountPath: yVo + mountPropagation: ÑƇ[嫨ĸŁ幵鿯它(ȡ~嘶ƌO情=į臺 + name: Z + readOnly: true + subPath: Nrqx + subPathExpr: Q4ChfT + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: 1x11c0q + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: nd7TSb2mNTS + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: rzd + name: configs + - name: secrets + secret: + secretName: rzd +-- testdata/case-007.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: RFjc7 + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: gp + login-google-oauth-client-secret: Ln0 + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: 3A593BjCuu + login-okta-directory-api-token: mSSz8MZ + redpanda-admin-api-password: t + redpanda-admin-api-tls-ca: QD1x71f + redpanda-admin-api-tls-cert: 744Ysvi + redpanda-admin-api-tls-key: 56VaHh +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - "": null + 5w1YcAu: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" + namespace: default +spec: + ports: + - name: http + port: 286 + protocol: TCP + targetPort: 404 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: HWL + type: Vvrvx +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" + namespace: default +spec: + replicas: 103 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: HWL + strategy: {} + template: + metadata: + annotations: + checksum/config: 37ddb9195e66f6743cc901bea8e2e2db0492fbf3e78355ffe8c7f2395ece1e90 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: HWL + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: qY0f + value: Wu + - name: 9zVp + value: g + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: "y" + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: "y" + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: "y" + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: "y" + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: "y" + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: OUS + optional: true + prefix: YWvtgT + - configMapRef: + name: 4xZZ + prefix: Djbp99U + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1105213631 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1727299217 + periodSeconds: -579129147 + successThreshold: -1278687101 + timeoutSeconds: -603846855 + name: console + ports: + - containerPort: 404 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 114758306 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 457836757 + periodSeconds: -1914503008 + successThreshold: 1926018786 + timeoutSeconds: 458769630 + resources: + requests: + 4P1f3: "0" + DmuY: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + CAy: 19kW + R2z: OpcDywz9x + priorityClassName: rs + securityContext: + fsGroup: 99 + fsGroupChangePolicy: 驸Ǩiµ慷泱世 + runAsGroup: 6873387834465682000 + runAsUser: 7937848737866681000 + sysctls: + - name: mp + value: SkIvFN + - name: E + value: RknyuPB + - name: kcY + value: us1 + serviceAccountName: RFjc7 + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: "y" + name: configs + - name: secrets + secret: + secretName: "y" + - name: dCz +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "y-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['y:286'] + restartPolicy: Never + priorityClassName: rs +-- testdata/case-008.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YcV5zP8 + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: GbgHqD +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: GbgHqD + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: RW + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + hfXF: v4uLEC6f8m + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: GbgHqD + namespace: default +spec: + replicas: 475 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: RW + strategy: + rollingUpdate: {} + type: 堯飉J侚桤 合w犌ŝ|#è:(蹝Ƀy輐 + template: + metadata: + annotations: + BTlN: z8t + a: Pqjhw + checksum/config: 1ba99bb938e262d91c73069e0caf6c1ce45d5e92491a50db9d1af5d59db59aed + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: RW + spec: + affinity: {} + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: [] + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1421249778 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1194618095 + periodSeconds: 1245060237 + successThreshold: -641096828 + timeoutSeconds: -617099936 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -10750427 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 208988771 + periodSeconds: -2096658971 + successThreshold: -233405863 + timeoutSeconds: 2042765580 + resources: {} + securityContext: + procMount: ȃ蘗ʮǺ踰蒐佛桸gɋ + readOnlyRootFilesystem: false + runAsGroup: 5367218369967094000 + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: 0fXQqWA96 + securityContext: + fsGroup: 99 + fsGroupChangePolicy: ǶȚ/廻 + runAsGroup: 3241750191956122000 + runAsNonRoot: false + runAsUser: 2693812519144067600 + supplementalGroups: + - -7558357415363805000 + - -9152494874115652000 + - -906805565867492900 + sysctls: + - name: CBe8XsS + value: bh + - name: pUYyG9c + value: xPm1 + serviceAccountName: YcV5zP8 + tolerations: [] + topologySpreadConstraints: + - maxSkew: -722842418 + nodeTaintsPolicy: uã链掎ŏȅ噘籥邟澶N3-昃嗽(七|犘 + topologyKey: vq + whenUnsatisfiable: Ȭť'Ùt苷ŲĤ蘝 + - labelSelector: {} + maxSkew: 1436245353 + nodeAffinityPolicy: 0ʠƃ氁ʆZ + topologyKey: t + whenUnsatisfiable: x叾džʜƽ耨 + - labelSelector: {} + matchLabelKeys: + - 6T2 + - FqrwFd + maxSkew: -172720268 + nodeAffinityPolicy: 觏败TʙȎ喧5婬ȑªgȢ'!ÅWp襎 + nodeTaintsPolicy: ÛB¹]ʐ梳Ě + topologyKey: VyU9 + whenUnsatisfiable: 烹wɹȐN坿¨叻ʊ鴥/Ŭ屎釽C欼 + volumes: + - configMap: + name: GbgHqD + name: configs +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "GbgHqD-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['GbgHqD:8080'] + restartPolicy: Never + priorityClassName: 0fXQqWA96 +-- testdata/case-009.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + efgehQaV5UI0y: GymqDudh + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx + namespace: default +spec: + ports: + - name: http + port: 229 + protocol: TCP + targetPort: 85 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: BKV + type: yZy +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx + namespace: default +spec: + replicas: 315 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: BKV + strategy: {} + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: BKV + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: l1Bnpx + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1420734522 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 753838163 + periodSeconds: -444344576 + successThreshold: -1003403229 + timeoutSeconds: -172453343 + name: console + ports: + - containerPort: 85 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -286281002 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 138566964 + periodSeconds: -361700659 + successThreshold: 422528479 + timeoutSeconds: 352721839 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: xShE + name: yWBr98zs1 + subPath: "" + - mountPath: Wnbf + name: qUQ5 + subPath: "" + - mountPath: fgV + name: hpqapQJQ + subPath: "" + imagePullSecrets: + - name: x42RbB4KLm + initContainers: [] + nodeSelector: + OBRBvRK: hMXDLGN5 + ky: sv + priorityClassName: p0ShP6Yru + securityContext: + fsGroup: 99 + fsGroupChangePolicy: 灆Zeɪ霅ǭɒ<ǖ韆 + runAsGroup: -2394155475284911600 + runAsNonRoot: true + runAsUser: 99 + supplementalGroups: + - 802667379359895800 + - 8316082600801372000 + serviceAccountName: l1Bnpx + tolerations: [] + topologySpreadConstraints: + - maxSkew: -73453467 + minDomains: 326628755 + nodeAffinityPolicy: "" + topologyKey: zWgGRC + whenUnsatisfiable: 黚堳ʈ¡ + volumes: + - configMap: + name: l1Bnpx + name: configs + - name: secrets + secret: + secretName: l1Bnpx + - name: yWBr98zs1 + secret: + defaultMode: 414 + secretName: YMpib3J + - name: qUQ5 + secret: + defaultMode: 402 + secretName: Pw8 + - name: hpqapQJQ + secret: + defaultMode: 410 + secretName: 1JLIOjZI8 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "l1Bnpx-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: x42RbB4KLm + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['l1Bnpx:229'] + restartPolicy: Never + priorityClassName: p0ShP6Yru +-- testdata/case-010.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + TTsn5: s3xEhO + tZiUN: CtjX + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: kIzbDF + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ivK + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: JFcK + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ivK + namespace: default +spec: + replicas: 250 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: JFcK + strategy: {} + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: JFcK + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: hu5a9Q0m + operator: Ʊ飁Ɲŗʫf + values: + - fDVpOP + - fUBu2Zhz + matchFields: + - key: zOA + operator: 豔|Ĺ霱鑕yȮM錕陰蔆 + - key: uqlr1 + operator: ʏ + weight: -157546286 + - preference: + matchExpressions: + - key: yI2tB1c6Om + operator: 槼湝@)萢=\Ɇ剋Ś>(.aC俥?蔔 + values: + - 5QB3 + - C + - key: IhL2k3 + operator: "" + matchFields: + - key: Kn1 + operator: q'ʏC効L¶ƋMʐģƥƝnĤe + weight: -1818860211 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + podAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LICENSE + valueFrom: + secretKeyRef: + key: 6Y + name: juyv + envFrom: [] + image: 4A/0YeLdES:1a4iH + imagePullPolicy: "" + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1992527736 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1233698472 + periodSeconds: 1177961840 + successThreshold: -1634725396 + timeoutSeconds: -1493252430 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: C3nMA + name: 0sxSVsP + readOnly: true + subPath: V + subPathExpr: 1E5cYdMw + - env: + - name: nE8 + value: hFfGzdv + valueFrom: + configMapKeyRef: + key: 9Sc + name: kviW + fieldRef: + fieldPath: bzL + resourceFieldRef: + containerName: ky9X6 + divisor: "0" + resource: RgwF + image: mEMnGhDi + imagePullPolicy: <Ǐ(嬘箓閁1_Y.脯鮉娇腾1 + name: ZyDivTyKOX + readinessProbe: + failureThreshold: 368214623 + initialDelaySeconds: 1711545214 + periodSeconds: -1669571514 + successThreshold: 830602444 + timeoutSeconds: -1406663042 + resources: + requests: + Ta: "0" + restartPolicy: M#L粓Ojw+ĸɊcƗ镃聆琮ǘ滂W + stdin: true + terminationMessagePath: 7hyobl + terminationMessagePolicy: gŜĶ蔓林驲%嶄ʚ轿竷 + volumeDevices: + - devicePath: zlgauG + name: Uy7Ds5N + - devicePath: pturCrgNMxS + name: "1" + volumeMounts: + - mountPath: 2ftw3U97pI + mountPropagation: ǮmW + name: NeLq9zvIQ + subPath: 5XYnpNAb + subPathExpr: rAeHuQk + - mountPath: aOj5TCBKn + name: DWFR + subPath: G + - mountPath: ovoJMYcQZ7 + mountPropagation: ɷ&娈瘱 + name: o6QaPD8 + subPath: rIo + subPathExpr: j0F1wa + workingDir: tj + - env: + - name: KO7zek + value: AE8r + valueFrom: {} + envFrom: + - prefix: T4nvtH0yCoJCx + - prefix: KaMGNcK + image: m + imagePullPolicy: 牀 + lifecycle: + preStop: + exec: {} + sleep: + seconds: -1229802121654850600 + livenessProbe: + failureThreshold: 1036399450 + grpc: + port: 1383801223 + service: nm0jd39Ta + httpGet: + host: VhafGy + path: CP9 + port: BnhNd + scheme: hxu崚奵Y + initialDelaySeconds: 141265356 + periodSeconds: 251484282 + successThreshold: 257415096 + terminationGracePeriodSeconds: 3476093234934520000 + timeoutSeconds: -1657896181 + name: UCZJ + ports: + - containerPort: 574867450 + hostPort: 156179933 + name: 0re + protocol: 頶韜»釟ţKFƂƄp錴畗~[禬B琡9 + - containerPort: -374880824 + hostPort: 1342282100 + name: OeyfSkg3EJIuD + protocol: 佃ŦŬ穷唂&2ŌĜ,gF躊貀j寝ô + readinessProbe: + failureThreshold: 978947885 + httpGet: + host: A + path: Ngfyt + port: "" + scheme: Í蠕窩獙 + initialDelaySeconds: 60101484 + periodSeconds: 1102760384 + successThreshold: 1260060937 + terminationGracePeriodSeconds: 1157546254675437000 + timeoutSeconds: -465800822 + resizePolicy: + - resourceName: P6b56 + restartPolicy: 冿÷Ý萦{[P貍ȕ,Sɕ錼 + - resourceName: azLsfqbuYlr + restartPolicy: 蒃Ký阹ǒ1T獽蛍峸伦ƨ(Ƭ-央á + - resourceName: skOpL + restartPolicy: 鸿dŶ徥w^ȏ嘳Ƙ唓Ęɸ-ɫ鷠C + resources: {} + terminationMessagePath: vmp + terminationMessagePolicy: Ƒh庛ʘ$8L藑奾ń4說 + workingDir: rgrA + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: x0ISc2 + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: kIzbDF + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: ivK + name: configs +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "ivK-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['ivK:8080'] + restartPolicy: Never + priorityClassName: x0ISc2 +-- testdata/case-011.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + "": NbuyvXjW + 2CTz: vRGLHMO53rD + yLzpKqz: uBjXvD + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe + namespace: default +spec: + ports: + - name: http + port: 478 + protocol: TCP + targetPort: 90 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cy9eHCiP + type: sl +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + pJ: f0brcnhV + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe + namespace: default +spec: + replicas: 65 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cy9eHCiP + strategy: {} + template: + metadata: + annotations: + checksum/config: 0ebeace369c9c96d75109609694bd464d6c28c2e8d1fcbd96529ef96d4ba0ec5 + creationTimestamp: null + labels: + "2": RgUAFm + D2V: V80aQ + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cy9eHCiP + spec: + affinity: + podAffinity: {} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - E9nCu6aLM + topologyKey: PfPCGvStt + weight: -1379963896 + - podAffinityTerm: + namespaceSelector: {} + topologyKey: CgA4 + weight: -726546395 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ijh1hJb + operator: ƏŧD續筚朊 + values: + - BOfF5xB + - 3iu4 + - key: "93" + operator: Dij%{欬ɽ + - key: NEd + operator: ÿD + values: + - r + - B7E1BoYQ4Njb + - BTV + matchLabelKeys: + - FuyLvc + - Lh60qi + namespaceSelector: + matchExpressions: + - key: w + operator: 嘑 + - key: eQ6nY99xw + operator: H辄萟蘎Ÿ塪²;暃 + - key: 8JrCFA + operator: "" + values: + - wVO + topologyKey: ByO + - namespaceSelector: {} + topologyKey: b21 + - namespaces: + - Ifv + topologyKey: F9j5 + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: XW + value: PCPsJt + valueFrom: + configMapKeyRef: + key: Zk0vTu6kC + name: d9zm3 + optional: false + secretKeyRef: + key: mRF + name: CW + optional: false + - name: loir2K + value: Ti0q + - name: lAxIKF7cbLlc + value: 1ksS + valueFrom: + fieldRef: + apiVersion: 8i2Z + fieldPath: vD7H + resourceFieldRef: + containerName: yqY + divisor: "0" + resource: ebRDAl + secretKeyRef: + key: E9514U + name: g3Rbzs + optional: false + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: hbe + envFrom: + - configMapRef: + name: d + prefix: Fl1 + secretRef: + name: X8xDu + optional: true + - prefix: M + secretRef: + name: 10or1C2m + optional: false + - configMapRef: + name: BBj + optional: false + prefix: Xy + secretRef: + name: ZA3 + image: gjR/U:Tl0EP + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 653767212 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 832425522 + periodSeconds: -1810991482 + successThreshold: 1954581711 + timeoutSeconds: -574178850 + name: console + ports: + - containerPort: 90 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1745353710 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1504484890 + periodSeconds: -846859037 + successThreshold: -1564014824 + timeoutSeconds: 888372342 + resources: + requests: + "Y": "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: 2Qy8k + name: n4BPeF + subPath: "" + - mountPath: O + mountPropagation: ŜQLhlkU穒´宕Ïůŝƪ + name: JeSPIB + readOnly: true + subPath: RTiJ + subPathExpr: wad + - mountPath: QV6Kf + name: Pj7R + subPath: qBOd + subPathExpr: kN3Uujt + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + HC7: EI8 + priorityClassName: sJXoA3V + securityContext: + fsGroup: 4103142176308445000 + fsGroupChangePolicy: Ő6­撱悤ÅC`碸 + runAsUser: 9170579519391071000 + sysctls: + - name: 4OKA + value: P7ouRq + - name: iD9Oz + value: gL6ARE + serviceAccountName: hbe + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: hbe + name: configs + - name: secrets + secret: + secretName: hbe + - name: n4BPeF + secret: + defaultMode: 12 + secretName: auIr +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "hbe-test-connection" + namespace: "default" + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['hbe:478'] + restartPolicy: Never + priorityClassName: sJXoA3V +-- testdata/case-012.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Qr03ts + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + v: D + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt + namespace: default +spec: + replicas: 407 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Qr03ts + strategy: + rollingUpdate: {} + type: 9Cɠ+餌µ骽O惠LƬɇɦ鉍挶 + template: + metadata: + annotations: + checksum/config: f03a44f92485e3dfb6772dc84dec7c868a151f08fa5c04332bebe63251290ce5 + creationTimestamp: null + labels: + "": S7BNyT + app.kubernetes.io/instance: console + app.kubernetes.io/name: Qr03ts + r1F: Fsc + yeY4LjT: MRlwtd + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: tmn2Kt + envFrom: + - prefix: RyT9JuZ + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 666524470 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1841184951 + periodSeconds: 465079780 + successThreshold: -1928046688 + timeoutSeconds: 1377323766 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + allowPrivilegeEscalation: false + privileged: true + readOnlyRootFilesystem: false + runAsGroup: -6536894786619940000 + runAsNonRoot: false + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - command: + - "" + - 7yJE + envFrom: + - prefix: kRXk + secretRef: + name: TJsCapqoxl + - prefix: ucUEP + secretRef: + name: 1zCfpPiVt9o + optional: true + image: hwJ + imagePullPolicy: dh + name: Ody4zqt + readinessProbe: + exec: {} + failureThreshold: 1607990521 + grpc: + port: 2033135747 + service: "" + initialDelaySeconds: -889776869 + periodSeconds: -35190825 + successThreshold: -958310065 + terminationGracePeriodSeconds: 3166888730011246600 + timeoutSeconds: 806015074 + resources: + requests: + mg2KyOVo97: "0" + restartPolicy: 档媘řĖ焘傐Yʮ,+Ƽ梽讫ƭ焇 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: -2035296945120192500 + stdinOnce: true + terminationMessagePolicy: '*.Q' + workingDir: 0g9 + - command: + - ktel2 + - 2gO + image: Kq1K2HexLL + imagePullPolicy: 蟫黳jª0狫ĝ| + lifecycle: + postStart: + exec: + command: + - I + name: XmcrosJ9Art + resizePolicy: + - resourceName: 8dOXgKMh + restartPolicy: T@罞 + resources: + limits: + Qf424: "0" + UkBWyCgR: "0" + yS9FH: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - Ǐ蟯ƛU賊稁uv/u讎胗< + - 1湹 + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -281571585037868400 + runAsUser: 8469885005475494000 + stdin: true + stdinOnce: true + terminationMessagePath: 6ii28 + terminationMessagePolicy: ȊGī3慺Ŏ + volumeDevices: + - devicePath: "" + name: lqvpF + - devicePath: 3vTez + name: pD6EOo + workingDir: QEqnPlY6YE + - args: + - eiyTiCxBp + envFrom: + - configMapRef: + name: uxUzs + prefix: 0Oq + secretRef: + name: ahghhjB + - configMapRef: + name: yjx + prefix: cOCr6ajjpSTT + - configMapRef: + name: "4" + prefix: 0XtWv + secretRef: + name: oKDQ + image: PV + imagePullPolicy: d?遼gŜT纬ɷšǧ餝Ƨ + livenessProbe: + exec: {} + failureThreshold: 746140291 + grpc: + port: 1197495917 + service: "" + httpGet: + host: x78yAB + path: P5mSLs + port: Cb2 + scheme: 儰试9ȷǴ燀ǃ¦籇射,ǠöcƲ伙 + initialDelaySeconds: 1418617842 + periodSeconds: 187037501 + successThreshold: -1821323321 + timeoutSeconds: -894994792 + name: ToH + resizePolicy: + - resourceName: 7Ut8kM + restartPolicy: gěǏ* + - resourceName: gvoJz7 + restartPolicy: ł0Iɷ»u诎żȋ貏C炭 + - resourceName: VpTvtNnJOw + restartPolicy: 阠eR'k.Ơ糦啮ŋ睷N譺 + resources: + limits: + cYhO6a: "0" + startupProbe: + exec: {} + failureThreshold: -1040244189 + grpc: + port: 1921669257 + service: Me + httpGet: + host: 5fL4Z + path: BwLac + port: SKrb2z + scheme: ľ<Ƽ浳s剪ɍ + initialDelaySeconds: -1064995957 + periodSeconds: 230643461 + successThreshold: -1865926881 + timeoutSeconds: 1102271416 + terminationMessagePath: ZbnnI + terminationMessagePolicy: 阳壀ɀS强pŇȆDž鹩 + tty: true + volumeDevices: + - devicePath: pP2eHwth + name: S9Sy + workingDir: Z + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: vMcB + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: tmn2Kt + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: tmn2Kt + name: configs + - name: secrets + secret: + secretName: tmn2Kt +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "tmn2Kt-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['tmn2Kt:8080'] + restartPolicy: Never + priorityClassName: vMcB +-- testdata/case-013.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: dDkIKgMwXv + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN + namespace: default +spec: + replicas: 412 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: dDkIKgMwXv + strategy: {} + template: + metadata: + annotations: + checksum/config: 80fd97b611d09c692bd5e12a12d43f51c7486213c5798a4f57bb8f0866119572 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: dDkIKgMwXv + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: RttlJN + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -225696508 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1573121125 + periodSeconds: -1561542711 + successThreshold: 1804677264 + timeoutSeconds: -1540252725 + resources: + limits: + f7Jr: "0" + fl: "0" + requests: + Q4O7nA: "0" + securityContext: + privileged: true + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: -8804799239371185000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: DVlVa1jiDIh5G + name: zaV + subPath: lXnque8 + subPathExpr: aFzzfyzr + - mountPath: 7VmD + name: bNuYmK + readOnly: true + subPath: zsTvmtU0 + subPathExpr: uNyQSZ + - mountPath: p + name: q3 + readOnly: true + subPathExpr: k4yfc0H + - env: + - name: bNyX + value: DpJ + valueFrom: + secretKeyRef: + key: r3ZL + name: GM2zRN8 + optional: false + - name: dS + value: u2CpI14PZ + - name: JVoNndPj + value: eCfRy + image: 9nkfM + imagePullPolicy: v洓p褾NJ翛Y/笸i洞偀fX綤鰐 + livenessProbe: + exec: + command: + - TzQ + - 5tBBhynsjV + failureThreshold: -1613952147 + httpGet: + host: gYV + path: 9qC2GovT + port: Gh + initialDelaySeconds: 1651935443 + periodSeconds: -1307313312 + successThreshold: 1553368137 + terminationGracePeriodSeconds: -4575724788805099000 + timeoutSeconds: -499895377 + name: aOBSLF + readinessProbe: + failureThreshold: 687754614 + initialDelaySeconds: -1880005074 + periodSeconds: 794268536 + successThreshold: -1510519942 + terminationGracePeriodSeconds: 3334702514671978000 + timeoutSeconds: -178867660 + resources: + requests: + hiWTQ: "0" + m7CDU: "0" + stdin: true + terminationMessagePath: Yj9V + terminationMessagePolicy: js$昦夁糎fț + tty: true + volumeMounts: + - mountPath: Xaoy + name: XuLXzMm + readOnly: true + subPath: NI8v + subPathExpr: nPRuyC + - mountPath: S + mountPropagation: ĜX鴮璫ȓĢ + name: c2o + readOnly: true + subPath: DEcziG + subPathExpr: 7UjF6H + workingDir: yPE + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: BDUfm1wSRDI + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: RttlJN + tolerations: + - effect: ƞ嬂 + key: wnH + operator: Ā蔥ąʏƅȑǚ缗'r~熐{Ǎ楯&鑫咂] + value: LYZYjeFUmK29wdL + - effect: 硞撤幅娰tȬ婒ĎɕÏǜ蚭馸諄W)偒½ + key: e2 + operator: bƤrZ + value: 8ssobF8u + topologySpreadConstraints: [] + volumes: + - configMap: + name: RttlJN + name: configs + - name: secrets + secret: + secretName: RttlJN +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "RttlJN-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['RttlJN:8080'] + restartPolicy: Never + priorityClassName: BDUfm1wSRDI +-- testdata/case-014.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: h6eHrUr + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: htymHJ +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: htymHJ +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: htymHJ + namespace: default +spec: + ports: + - name: http + port: 41 + protocol: TCP + targetPort: 168 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Vi2vH + type: Oiwzbmtjpb +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "htymHJ-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['htymHJ:41'] + restartPolicy: Never + priorityClassName: rcxHoi +-- testdata/case-015.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + IH: 3W + K5hNNf: "" + r: 9cmm + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: zmr + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: KD8DmV + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + 2V: 50l + jFB7K: 5ZqGXdsD94 + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs + namespace: default +spec: + replicas: 128 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: KD8DmV + strategy: {} + template: + metadata: + annotations: + checksum/config: c07b76ad8263a0560734a09b913b4c726efe461a7f519da293467d20a90d78bf + creationTimestamp: null + labels: + FlwBgvWNMrbg5: YKgnz8q + TGDbR: 4egH + Xr8XMOk: 1DAii + app.kubernetes.io/instance: console + app.kubernetes.io/name: KD8DmV + spec: + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 7eVqbmnw4 + operator: 屈ǧȔŗS#~¸Dd馔uÈ飏ƌĔ魼ȓ + values: + - eZapFDhb + - dBr2cD + - key: Z13Kq48NE0 + operator: ª + values: + - 03LE6GE + - key: s + operator: 箱+ʑ圼;0丢顃M媆熋熼妄瞬 + values: + - E + - jC2mNBN + matchLabels: + 4tdQRoO: Tgv + 7Apxz: EPl5 + bPvG5Bf: sCS + namespaceSelector: {} + namespaces: + - bkN0U + topologyKey: haPJ + weight: -1043017794 + - podAffinityTerm: + labelSelector: + matchLabels: + PP8DxAPJwUzY: z9RL6 + U1a: J + due4: eRc0tKn + namespaceSelector: + matchExpressions: + - key: "y" + operator: 霮ʡ`罵瀖Kʓa嚃*Q`UV邠想ɷġ + namespaces: + - M2GNeyD + - eDNVdz1ne46 + topologyKey: kQ + weight: -1134437930 + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: SnD + operator: 6愔ȶ獧:öȰ浻珼»ǰs睑,s頀旓eX + - key: yt197hBb + operator: ȒǦ^(á咟獐赠5ĺĜ嶜庌愖V揺ɞ\Ș + values: + - pu5 + - Ywv1TEhK + - pAo + matchLabels: + "": rZ + topologyKey: WSD + weight: 613733383 + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: 4b6nMCalUl1 + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: iQE + value: Aj6RWPJE + - name: QwMCc + value: N9g6bDNI + - name: U5Qg5Qc0NWE + valueFrom: + configMapKeyRef: + key: R + name: n8 + optional: false + fieldRef: + apiVersion: zg0 + fieldPath: fNjpqJ + secretKeyRef: + key: MlF + name: h + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 9RweMGWqBs + envFrom: [] + image: FezgEM/b4CZb:OoX + imagePullPolicy: '&Ŕ<駄AG' + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 398655641 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1516319657 + periodSeconds: -635156272 + successThreshold: 1338596793 + timeoutSeconds: -905426079 + resources: + requests: + I: "0" + b7jbi: "0" + r1cN: "0" + securityContext: + privileged: false + procMount: d聉l蝲ɓH>狱(Ȁ胄hʍy龝Ȼ埓Y + readOnlyRootFilesystem: false + runAsGroup: 2951274493718237000 + runAsNonRoot: true + runAsUser: -1772317555576666000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: y5BZm9v9L5 + name: mE9WF + readOnly: true + subPathExpr: 3vKqLj2 + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + vy4h: rk + priorityClassName: "68" + securityContext: + fsGroup: 99 + fsGroupChangePolicy: ¶鮬眴帘ʥb豚DIĂ + runAsGroup: 4190388773600424000 + runAsUser: 99 + supplementalGroups: + - 6652209348598506000 + - 5521245057591626000 + - 6754698685787706000 + sysctls: + - name: "7" + value: vp + serviceAccountName: zmr + tolerations: + - effect: '#U媷ɑɥ±箑妌RɱfÈB矅蒟(' + key: g + operator: Řg~歟1ƹ,纙蝝垺 + tolerationSeconds: -9038490283678034000 + value: x6T1NM + - effect: ė{ɼ 5;^ʤàOKv泣0ƫ¢ + key: wdW6LI1a5 + operator: ú4ʫ-哖ýȻȣŦiĩġ膳". + tolerationSeconds: -5247520709138794000 + value: NXt + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: dme + operator: )\鹮İ又Ȥ鏥Ĝ + matchLabels: + Cdk: atEBel + PhEVPxOjN: QTW4 + fC0YTiwm: fdAQN8t + maxSkew: 472867304 + minDomains: 1802867157 + nodeAffinityPolicy: ʈǔ聿ŶŹ&y鰜# + nodeTaintsPolicy: '"篍Ɛɰl鄱' + topologyKey: fqmSu + whenUnsatisfiable: äƟĻ鍣ųø啼ǫǷ" + - labelSelector: + matchExpressions: + - key: BEj + operator: Ɠ墳 + values: + - qBJ + - KZbk + - key: 9wxm2wFXlY + operator: ì蠁{\媽;ě8ɠ + values: + - yiuVv9DzzRse + - "N" + - z + - key: SWu + operator: Ī½曖1șWb3 + maxSkew: 774109577 + minDomains: -110979462 + nodeAffinityPolicy: 醿卨¬婾豜ʦKd` + topologyKey: 4iskW3Hbv + whenUnsatisfiable: ǮXƞ棤Ǘ + volumes: + - configMap: + name: 9RweMGWqBs + name: configs + - name: secrets + secret: + secretName: 9RweMGWqBs +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + "": ZKQ6I + ES: uo + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs +spec: + ingressClassName: x7Um + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: 9RweMGWqBs + port: + number: 8080 + path: / + pathType: ImplementationSpecific + tls: + - hosts: null + secretName: Ye6 + - hosts: + - nNQW2NL + - g + - "N" + secretName: YQl +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "9RweMGWqBs-test-connection" + namespace: "default" + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['9RweMGWqBs:8080'] + restartPolicy: Never + priorityClassName: 68 +-- testdata/case-016.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: DdF7ALq + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - Q0kslM: null + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: SC + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz + namespace: default +spec: + replicas: 331 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: SC + strategy: + rollingUpdate: {} + type: ŀ剭º(;ƍ4兖ȇ + template: + metadata: + annotations: + JYLUc483y: gTnWiG + checksum/config: e4b69acb9132e0c7dea94f0e868bb2c5850883e5487d4cca28762798c1b9dda6 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: SC + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 2Ldss9 + operator: ?霏ƦxǰA7ȇ(堃R + values: + - Ce7pGgB5o + - B8EWZ + - key: pJKw3VVY5 + operator: 2wq6JK?Ȏ惙徵r儊ǒ嵀匫W + matchFields: + - key: EQvFQjoLm1 + operator: «/o咑澇ƉɑȨŞƙ|5時 + weight: -508343495 + - preference: + matchExpressions: + - key: VRoHsoMNa + operator: cƄábŊɕg追ĦǙȿ男)hŬ + values: + - tcCIpd9m + - FsoFrK + - key: ReH4ocoZ + operator: "" + values: + - bnUyPckbz + - AE + - njW + - key: fZBGR + operator: 租ǜ藇錼 + weight: -1003115262 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchLabels: + qGlBCw: zUBwqj2xV + zlHLG: TDTkLQOC + namespaces: + - QWFH + - TEzgQKPSQ + topologyKey: "" + weight: 682123393 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - 1MiHrQ + namespaceSelector: + matchExpressions: + - key: JUYumiiJFrY + operator: .ƽCDZo& + values: + - t3wDXa + - 70HCTbI6g + - C + - key: ik + operator: Œ8v + values: + - Wp + - Zf + - c2q7e + topologyKey: Sc1Q + weight: 869908297 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ore + operator: ?ɴ$瀜蝪ĪźȀŐƌS莣幮屒n×U锇Ľ + values: + - mJM + - oc + - aU + - key: SQmv + operator: ȥī+ūĬ诧犂¹ + - key: Hh1r9 + operator: h蓟x蹵D¨谧罬 + matchLabelKeys: + - mDk + - Hki8 + topologyKey: x2q0Rx1f1N + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: H1Ni + operator: Ȧ厜OŊ + values: + - UWzAFu2 + - key: M + operator: 罐hĹ;'ǫ貉yĊ啉刉DzQį + - key: zZ + operator: 颉śĴJ|@W補A篐S献;ɾ[_鶙ȱ + values: + - 4BL + namespaces: + - Thgfgf7Z + topologyKey: XBju19e + weight: 1392601493 + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 6maz + envFrom: [] + image: PYDGV/HV3:cI8TzaYkws + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 713465020 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1849009003 + periodSeconds: 2079209425 + successThreshold: 1679782943 + timeoutSeconds: 2000039211 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + allowPrivilegeEscalation: false + procMount: 垮Ř2 + readOnlyRootFilesystem: true + runAsGroup: 5797501600954334000 + runAsNonRoot: true + runAsUser: -8444673787636984000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - command: + - opIk + - v9eJ + - 4V + env: + - name: 5Q + value: o + envFrom: + - prefix: eBWmLK + secretRef: + name: FedJi + optional: false + - configMapRef: + name: M + optional: false + prefix: vUvV7W8k0 + secretRef: + name: IA + image: T4SYV + imagePullPolicy: Ƈ祃ǗǤɈ遖竀壙/ + livenessProbe: + failureThreshold: 20929095 + grpc: + port: -1775507003 + service: UZ6BT7NDI + httpGet: + host: QFkZxI6kA + path: tzQ + port: "" + scheme: Ƞ揞á惗É莏6XȪ/ʡ忨償 + initialDelaySeconds: 1046895310 + periodSeconds: -1971173139 + successThreshold: -476756841 + terminationGracePeriodSeconds: 144861231583008740 + timeoutSeconds: 814968592 + name: gEB + ports: + - containerPort: 2060914354 + hostIP: 9IXWKx38q5 + hostPort: -1191426039 + name: 5Mw7k + protocol: 悛ķ鳉ɍ恽j頔Œ6Eʮnx + resources: {} + restartPolicy: 樦ýȃ梪ĵ + stdin: true + stdinOnce: true + terminationMessagePath: c0e + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: XtKq + securityContext: + fsGroup: -1425599568169885200 + fsGroupChangePolicy: ƶ Ÿ恢 + runAsGroup: -8737472966684837000 + runAsUser: 99 + supplementalGroups: + - 809809813702093200 + - 6124706841582845000 + - 6159358527003038000 + serviceAccountName: DdF7ALq + tolerations: [] + topologySpreadConstraints: + - labelSelector: {} + maxSkew: 972537130 + minDomains: -499606767 + topologyKey: q5 + whenUnsatisfiable: 鳯°ôŕƨʪuɘ"h貇榧0?cɉjA蜝 + - labelSelector: + matchExpressions: + - key: lAV + operator: 嵖xߟ擱ʄ衯"xɂ + - key: U6 + operator: =换J+Ř:嫚ʥ畠餐ǒŃ + values: + - Vj + - snF6cyZ + - 0sW9y4T5 + matchLabelKeys: + - 2wCjBs + maxSkew: -324080521 + minDomains: 695322418 + nodeAffinityPolicy: ʖ[兘Ũ鬎盦İƲ + topologyKey: z5y4Q8jyHH + whenUnsatisfiable: =Y~É.J樢ȃŤƫ甶Ȍ* + - labelSelector: {} + maxSkew: -1720129802 + minDomains: 1017048856 + nodeTaintsPolicy: 龨9猶e僦ɻ髧Ȍc + topologyKey: qKf6Ef3o + whenUnsatisfiable: ʂ?$鳴寘ŧ6脹餗ſ媷,峇埽 + volumes: + - configMap: + name: 6maz + name: configs + - name: secrets + secret: + secretName: 6maz +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "6maz-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['6maz:8080'] + restartPolicy: Never + priorityClassName: XtKq +-- testdata/case-017.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: jw6tY22 + login-github-personal-access-token: JvG1jx + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: MalR2 + login-okta-client-secret: mDILgPMjOS9 + login-okta-directory-api-token: M2ywAiP + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - JlwOk: null + QUzHpm: null + ch3WnNF: null + - {} + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPiY + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + J5Z: aLYd149 + LCqYvOjK: Qsk + bU: "" + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW + namespace: default +spec: + replicas: 173 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPiY + strategy: {} + template: + metadata: + annotations: + checksum/config: a9353e622b2ed64d835d05830dc4357d8eb982e89685498d39ac88a30931fb87 + creationTimestamp: null + labels: + LBQpbD: AHB4hNVL + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPiY + ey1GpAHh: fA + spec: + affinity: {} + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: Z + value: 1PasJFATvz + valueFrom: + configMapKeyRef: + key: Out + name: Z + - name: pUN + value: QTGN + valueFrom: + configMapKeyRef: + key: BLzs5FKV + name: xsgY3vBvZ + optional: true + fieldRef: + apiVersion: 5Ng + fieldPath: Psowh + resourceFieldRef: + containerName: pMz + divisor: "0" + resource: "" + secretKeyRef: + key: IY9s0 + optional: false + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 9XG3SZW + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: 9XG3SZW + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: 9XG3SZW + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: 9XG3SZW + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: 9XG3SZW + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: 9XG3SZW + envFrom: + - prefix: oK16T1 + - configMapRef: + name: GxM9 + optional: false + prefix: Hj8 + secretRef: + name: o5P67 + image: 3s/kPWhaC:BcBi + imagePullPolicy: k痿蹒 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 738983906 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1729478206 + periodSeconds: 902558671 + successThreshold: 989047880 + timeoutSeconds: -402268186 + resources: + limits: + 0fvc8: "0" + W19cC: "0" + loZ4: "0" + securityContext: + capabilities: + add: + - "" + - 鸼ǀɛ_Y + - 利ƯǢ謼Ŀʇ佔4銣 + privileged: false + procMount: 頿ū詁ǎTɁ¯PlFd只鶗ƝǛƤ臃 + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: TLaWLIiD + name: 3SwG7HrS + subPath: "" + - mountPath: dXXPfK + name: Bfv9SGjlbgN + subPath: "" + - mountPath: YEOA49 + name: wz4K9oIYM + subPath: "" + - args: + - Bd + command: + - QwtEp + - lLi7 + - kxB1 + image: RpMWaJ + imagePullPolicy: ~崆Ǭe侊k + livenessProbe: + exec: {} + failureThreshold: -2101638962 + grpc: + port: -208999597 + service: jICxjA + initialDelaySeconds: 925230214 + periodSeconds: -996383814 + successThreshold: 152844544 + terminationGracePeriodSeconds: -7802949917649734000 + timeoutSeconds: -188255799 + name: qwOkQZ + ports: + - containerPort: -255758148 + hostIP: R + hostPort: 316791912 + name: 09i3b5oQR + protocol: 腴醗9-鐶 + - containerPort: 247145105 + hostIP: L4 + hostPort: 1727912240 + name: bz7Y1N7 + protocol: 暄璎 + readinessProbe: + exec: + command: + - 2fQQ + failureThreshold: -873648342 + grpc: + port: 889903834 + service: C3 + httpGet: + host: IPHal + path: 5Nb6iW9 + port: tkqo + scheme: m说Ď盐2Ƹ,约h鰥Ȕť3 + initialDelaySeconds: 1391319902 + periodSeconds: -1638942635 + successThreshold: 644454270 + timeoutSeconds: -553602240 + resources: + requests: + 0XxId: "0" + VsY2R9: "0" + ZLtS2: "0" + restartPolicy: ų蓶Lj,g珯i'Sû竒 + terminationMessagePath: Mx7V + terminationMessagePolicy: =Jƈ乚貃庪ș¯ÑVȯ6筌巨华ɀ(v + tty: true + workingDir: nKFDPLJvOh + - args: + - AV3kjV + - Gwq78lY2 + - wq + command: + - D + - EI + - fY5J + env: + - name: eCtpNU + value: jLkcq8S + - name: rynLbx + value: CdqgJabHhM + valueFrom: + configMapKeyRef: + key: uBUH5 + name: Uxei4G1 + optional: false + fieldRef: + apiVersion: Ul9al + fieldPath: vtGid + resourceFieldRef: + containerName: Oc + divisor: "0" + resource: "" + - name: GmDNpa0 + value: 7VJM2XsPm8N + valueFrom: + configMapKeyRef: + key: x3J0PMWE + resourceFieldRef: + containerName: x9Q + divisor: "0" + resource: EKFgoq + secretKeyRef: + key: lOZRvK9 + name: V + image: 1xn6 + imagePullPolicy: ɀ稤¼Mɻ«鐾6Ú{ŬtŮ鄖SSɌ戲 + lifecycle: + postStart: + exec: {} + httpGet: + host: sT2dWyT + path: vvbIxNVANZ + port: aCK8 + scheme: 昿孊卿昤軒JYƜÁ嶠şe灶 + sleep: + seconds: -3542823673709563400 + preStop: + exec: + command: + - "N" + - qkHmJ + - HupYy + httpGet: + host: 137dx + path: y3u7HE + port: -1357399425 + scheme: '@济ɉ鳛讧跕(#7NJɓũǸ]ɨ梊sj' + sleep: + seconds: -2408406850575106600 + name: J6VFtJd3giFt + resources: + requests: + 3dqK0M: "0" + restartPolicy: 70ʆ氶応爱怙鉉塼tƗhY嚇 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + privileged: false + procMount: ȚƼ提瀴t8oƥc + startupProbe: + exec: {} + failureThreshold: 1782005431 + grpc: + port: 676289916 + service: 3xqeCsf + httpGet: + host: YDL1TP + path: "8" + port: lLWR + scheme: BKō筹 + initialDelaySeconds: 134613881 + periodSeconds: 1547524591 + successThreshold: 1778605907 + terminationGracePeriodSeconds: -7593859121613943000 + timeoutSeconds: 2026260743 + terminationMessagePath: E + terminationMessagePolicy: 碓 + workingDir: kl + - command: + - "" + env: + - name: TG1HQA + value: 5X + valueFrom: + fieldRef: + apiVersion: Vhn + fieldPath: jluMkQnv9 + resourceFieldRef: + containerName: rLfbH + divisor: "0" + resource: "" + - name: "" + value: TOTyqqGn + valueFrom: + fieldRef: + apiVersion: 0CAdSa + fieldPath: LWMRC + resourceFieldRef: + divisor: "0" + resource: G5eZP4R + secretKeyRef: + key: xYOgJL + name: vMTywG + image: 2Z + imagePullPolicy: z.鎸ƦʖFNj棪Ƃ鯌b抵#Dzr + lifecycle: + postStart: + exec: {} + httpGet: + host: k8z + path: TxNa2e + port: -573570086 + scheme: oɌdǹ[M灙螮伪芛探塢庖Njȕ仸 + sleep: + seconds: 4118046687980194000 + preStop: + exec: + command: + - 6iZbF + - OeZTW + httpGet: + host: rbqq + path: sno + port: -429531729 + scheme: s璙Ȼȗ榛ǵ0ƿ.忋闳溨 + name: Cms + ports: + - containerPort: -211101225 + hostIP: 8v + hostPort: 1994344080 + name: kyMvksZa + protocol: fȞ蚊悘ū錩Ȩ龒ċŴ + - containerPort: -806313867 + hostIP: Ky2F2 + hostPort: 1605736520 + name: oe0nMMl + protocol: 慿)"Ǒ3浹襈}(VE-B³閪叒k1绝 + readinessProbe: + exec: {} + failureThreshold: 1398486074 + grpc: + port: 1157090744 + service: oFrTS0 + httpGet: + host: 5pfrE + port: TJb4 + scheme: 畢î + initialDelaySeconds: -1830121652 + periodSeconds: -1398007905 + successThreshold: 1183454316 + timeoutSeconds: 1797763090 + resizePolicy: + - resourceName: hzxTj + restartPolicy: 渣箢樳掯ȉÏǼ店喘©g + resources: + limits: + zGvF9poISMtK: "0" + requests: + lUp3T: "0" + restartPolicy: '}賩6''V霟足''È''*F÷ƙǕ' + stdin: true + terminationMessagePath: 4tn + terminationMessagePolicy: ɢ荵鯴庡ǁ婛埽猜犝笖á7譃ǁ¦GɖC + volumeDevices: + - devicePath: eGfD9B + name: G3Bd + - devicePath: x + name: TB + workingDir: iKksE1 + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: qcIlT + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: 9XG3SZW + tolerations: + - effect: 懻 + key: JifsKW + operator: 檧űÊǮȡ廄儱RəȏĮ顪ÅÞ + tolerationSeconds: 4501363800484543000 + value: KkCBzwToBMjJ + - effect: B囧ƉOß + key: Q3cj + operator: ɲ朁ß栢 + tolerationSeconds: 4944598504260379000 + value: Z5 + - effect: 敘愰ɰuƪ晐 + key: K8wM + operator: ș + tolerationSeconds: 8375376960471889000 + value: TnWS + topologySpreadConstraints: [] + volumes: + - configMap: + name: 9XG3SZW + name: configs + - name: secrets + secret: + secretName: 9XG3SZW + - name: 3SwG7HrS + secret: + defaultMode: 442 + secretName: VR + - name: Bfv9SGjlbgN + secret: + defaultMode: 383 + secretName: T + - name: wz4K9oIYM + secret: + defaultMode: 13 + secretName: WzM +-- testdata/case-018.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + X7E: CRSzr + lPi: bGP + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: uAvlOXf + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ExFU3 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: IsvQ9 + kafka-sasl-aws-msk-iam-secret-key: 8GlUc + kafka-sasl-password: Vb + kafka-schema-registry-password: UJ7Zl + kafka-schemaregistry-tls-ca: T1Q + kafka-schemaregistry-tls-cert: 17r + kafka-schemaregistry-tls-key: O44 + kafka-tls-ca: n8k9 + kafka-tls-cert: aK + kafka-tls-key: "" + login-github-oauth-client-secret: t6z0n + login-github-personal-access-token: "" + login-google-groups-service-account.json: fpuCEFLL + login-google-oauth-client-secret: h + login-jwt-secret: SECRETKEY + login-oidc-client-secret: t + login-okta-client-secret: 3CcKl + login-okta-directory-api-token: AZt8H77 + redpanda-admin-api-password: NUkb3zIpwAR + redpanda-admin-api-tls-ca: t + redpanda-admin-api-tls-cert: zttTAvj + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ExFU3 + namespace: default +spec: + ports: + - name: http + port: 415 + protocol: TCP + targetPort: 489 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 1qyLP36T + type: 2cM +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + "": 3E5rtKA + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ExFU3 + namespace: default +spec: + replicas: 297 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 1qyLP36T + strategy: + rollingUpdate: {} + type: ɬ搢.Ƒ躂ɻɅȄ莨qc婔Åå + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 1qyLP36T + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -37659402 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - ajbCE + - Y0MRgpE8 + namespaceSelector: + matchExpressions: + - key: Auai + operator: ùfƽÜQķɨ逑ʒÅģ + values: + - Q + - key: 1S2Nfq + operator: 臺瑷tƎ鍤p}滳`竦ÙǾ晖ǃʏȵ + namespaces: + - 4GTSAZF + topologyKey: NS733 + weight: -968286112 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: eyt3TPSYPBWDt + operator: e偁&蔄癳.ŚƘ + matchLabelKeys: + - eE7PA8D + - cKalkvb + mismatchLabelKeys: + - Lan + topologyKey: v + weight: -2133598054 + - podAffinityTerm: + mismatchLabelKeys: + - "5" + namespaceSelector: + matchExpressions: + - key: UrrD + operator: ƞ + - key: rkfCsnUcx + operator: ȇ睾¦棌鉝-m糤LPjX.;Ğ× + - key: kla + operator: '"竮壣祠ł9抵墙' + namespaces: + - gyF + topologyKey: ZG + weight: -428742233 + requiredDuringSchedulingIgnoredDuringExecution: + - matchLabelKeys: + - tZZj + namespaces: + - VuG + - I5XU + topologyKey: V2CZqa + - labelSelector: {} + mismatchLabelKeys: + - "" + - q9L4 + - C4YJ57 + namespaces: + - 8xRk06ngy + - WeZO2 + - 7tbTFK + topologyKey: rnpto + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: ExFU3 + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: ExFU3 + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: ExFU3 + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: ExFU3 + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: ExFU3 + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: ExFU3 + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: ExFU3 + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: ExFU3 + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: ExFU3 + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: ExFU3 + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: ExFU3 + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - prefix: hg + secretRef: + name: eLM59WyoAXO + image: iCFSIwyDtoG/6V6:6uR + imagePullPolicy: 螣暛擂ɾ#鏲*胭8饭1胠 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 489 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + QZqMxIAt: "0" + SUsu9: "0" + requests: + EMOXCuje: "0" + EzKKMIR: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - envFrom: + - prefix: EVZ + secretRef: + name: MxD + optional: true + - configMapRef: + name: A + optional: false + prefix: HuqxI + secretRef: + name: A + optional: true + image: SU + imagePullPolicy: 禵7璙p + lifecycle: + postStart: + httpGet: + host: YZMjhOUO8IS + path: nzYfH + port: Fcx + scheme: 矪Q9 + sleep: + seconds: 3463625415546708000 + livenessProbe: + failureThreshold: -560403806 + grpc: + port: 1751268094 + service: I + httpGet: + host: 0Sb + path: Utm2X + port: 395973041 + scheme: 醆蚎忨ŕ縨ƍ爋釬šÒ暺ƒŎO記岣 + initialDelaySeconds: -1011110535 + periodSeconds: -1229381750 + successThreshold: 260149510 + timeoutSeconds: 74546945 + name: e + resizePolicy: + - resourceName: XNKV + restartPolicy: ì焹.¬哄ȾŢȎȴe$p尶m`飻Ȭ + - resourceName: "" + restartPolicy: 閭I哗.寢荨ʪɛ侭ȵ(8 + resources: + requests: + 3nUsL: "0" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -8616852535795885000 + terminationMessagePath: FjZ + terminationMessagePolicy: ÿb熿3,ćp寫ʃ#叺渍ƣș + volumeDevices: + - devicePath: Xvjm + name: 7yLA + - devicePath: 1Ci + name: Y0AloAQS + - devicePath: Gt + name: ZMKKc + workingDir: Mh + imagePullSecrets: + - name: vlnGQbo3y + initContainers: [] + nodeSelector: + Vckw: ifBZ9p7 + priorityClassName: 6jxv + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: uAvlOXf + tolerations: + - effect: č喅Ȳ崥ï{禙ÊÿC逻準?霘2 + key: YJE + operator: 珟 + tolerationSeconds: 3838637075734495700 + value: 1VemeDTEk1 + - effect: 艋Ƿ淛襀|Ǽ&矠Ģ凍J賜ɰō + key: ggxS8L + operator: 閞判ŏ + tolerationSeconds: -2249155605077506300 + value: m3c + - effect: 'Ljə]IŴ:' + key: 4BkJSo + value: Le + topologySpreadConstraints: + - matchLabelKeys: + - uyTA + - rJcqdY3 + maxSkew: 1887613958 + nodeAffinityPolicy: u鞝侠轁蛃6Ơfrt迄ʇQ勭ĶÇǻě + topologyKey: 3f9j + whenUnsatisfiable: µ + volumes: + - configMap: + name: ExFU3 + name: configs + - name: secrets + secret: + secretName: ExFU3 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "ExFU3-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: vlnGQbo3y + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['ExFU3:415'] + restartPolicy: Never + priorityClassName: 6jxv +-- testdata/case-019.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8MIg + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + lgiIA: u + wK8: JrSfKH + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 + namespace: default +spec: + replicas: 79 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8MIg + strategy: + type: 鎦v財ɕŪ + template: + metadata: + annotations: + checksum/config: 9960ac5c5faddbc59ee9638bfac7f4fd7513b7e295e3fcc28b0fdfabc2aba1d3 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8MIg + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: pJ + value: whmTukCTD + valueFrom: + configMapKeyRef: + key: OHk + name: "3" + fieldRef: + apiVersion: TSp7 + fieldPath: mEUVMSp7vUo + resourceFieldRef: + containerName: bBDw + divisor: "0" + resource: tIcs3z + secretKeyRef: + key: jIR5V + name: "9" + - name: ZCEPmHP + value: FhwE4R + valueFrom: + fieldRef: + apiVersion: Nv + fieldPath: WMXeIjk + resourceFieldRef: + containerName: Hbt + divisor: "0" + resource: mo7F + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: NZ7h9 + envFrom: [] + image: GNXgFQ/W3:2vPed + imagePullPolicy: 韃ĝ + livenessProbe: + failureThreshold: -1736131786 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 538755540 + periodSeconds: -937262167 + successThreshold: 2014961170 + timeoutSeconds: -614674118 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -1936056692 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -2019126091 + periodSeconds: -1696700553 + successThreshold: 398361977 + timeoutSeconds: -184667912 + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 狞濮噞饅烥H}湛m=U+卓Ǭï呣8Ú + privileged: true + runAsNonRoot: true + runAsUser: -471077223001866500 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: UF6 + mountPropagation: ĻsŸ氂ǐ钋鮠Ĺ咳渼.pɫ + name: W1LIZa3 + subPath: qdDtjk + subPathExpr: Ew + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: FERw + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: NZ7h9 + tolerations: + - effect: 飝壊%ǂP胅ɂǏ趸疷擁鹒DŽ营風顺z拇 + key: Ku2m + operator: ŲǪFTǗǔȟʥȰȎǎo玼Ü + value: 1u + - effect: 雾Ź歘ɇƇ昨OČƑɎ騨Ŗ=Ì楯 + key: 12vKa + operator: ( + value: u + topologySpreadConstraints: [] + volumes: + - configMap: + name: NZ7h9 + name: configs + - name: secrets + secret: + secretName: NZ7h9 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "NZ7h9-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['NZ7h9:8080'] + restartPolicy: Never + priorityClassName: FERw +-- testdata/case-020.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + Cs0Tv: PNgn + tawhZGj4: yuBQ1 + xdl: jbYUlUI + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: HMpc + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: XhRg8T + login-github-personal-access-token: oB8xbs + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: saEi + login-okta-directory-api-token: tq8L + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 + namespace: default +spec: + ports: + - name: http + port: 310 + protocol: TCP + targetPort: 28 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zzmAR9 + type: "" +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + 0lA: PZvwfKrip + AUm: KY + KBFrJC: hkdfq + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 + namespace: default +spec: + replicas: 344 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zzmAR9 + strategy: + rollingUpdate: {} + type: x&N涮ĶJ­ɕ + template: + metadata: + annotations: + checksum/config: 2881fbe0f4a9d0f2f17dbbbe515c08d46dd6d4a6d2c84c3482c94ace8ee6b09f + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zzmAR9 + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + - matchExpressions: + - key: a23jbG + operator: yb庇ɍ闒ǰPâƟVsJu + values: + - "" + - 1lQmmGa8 + - XzVleDXV4YoRc + - key: 3Gwd9r + operator: 4Nj7Ġ$Ea狆Ö絞Ƙ殈廔as知 + - key: 7C4FjM + operator: ɩ.叧¬ʧ倒 + matchFields: + - key: H + operator: Ğų* + values: + - 0i + - qK + - key: 7ocDt + operator: 餯ǚ璗汭槰<ƤƐ評ź膹棅珢ȹ3鮑 + values: + - g5Aa1Hm + - LKNvXrtO + - key: o + operator: ŎJ甧鷓 + values: + - vJQQjLRrqIK + - Isj + - 6EBsy + - matchFields: + - key: H0oh1dBCg + operator: 鉔qƿ氵[ȕ凭Śȅ3džȿȳ + name: xYM + subPath: nMMkHAUoYIsN + subPathExpr: 579Yn2LXk + - mountPath: 5z + mountPropagation: Ƀ陪7k惿Ɏǚ霤ƨƱ«ɤ»ȣ薥頠媉fʠ + name: KIX5g + readOnly: true + subPath: CGOswgk + subPathExpr: oxiB23ZW2KX + workingDir: IzOAr + - args: + - jrZTvs + env: + - name: jxl5Q + value: fm2F7DzZA + image: r7sTpTP8N + imagePullPolicy: 眒弿 + lifecycle: + preStop: + httpGet: + host: WEBUk + path: "1" + port: -377365982 + scheme: 娖阋顿|儴Éȱ鋦 + livenessProbe: + exec: + command: + - 2j + failureThreshold: -1631622345 + grpc: + port: -188887701 + service: s + httpGet: + host: "6" + path: 07rm4AD + port: DCtZ5 + scheme: ʼnK襡5殛鯙ȋʛ稲(C姓 + initialDelaySeconds: -1011676147 + periodSeconds: -1141844037 + successThreshold: -1528778970 + terminationGracePeriodSeconds: 422553046190448100 + timeoutSeconds: 99607263 + name: rhg + ports: + - containerPort: 1265703793 + hostIP: lYiq + hostPort: -931710582 + name: r2OdlKyZ + protocol: ŌK4Ʒ霖R婧,Ģ墤ʠ_Ƒ亽vĨO + - containerPort: -1093198499 + hostIP: xHuDhI2 + hostPort: 1423992590 + name: WdH + protocol: K嚜pn犓ɯ`劮ƫķPLm + resizePolicy: + - resourceName: M3EK5NW + restartPolicy: Ɲ囩 + resources: + limits: + 4zeCyo: "0" + PgUjG: "0" + requests: + IseC3: "0" + WHgRSz: "0" + yzZn: "0" + restartPolicy: ijƞ墫噌L诠=脳%Ɗ + securityContext: + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -1074724161449892000 + runAsUser: 8255497511479977000 + startupProbe: + exec: {} + failureThreshold: -1172398717 + grpc: + port: 1919051215 + service: "" + initialDelaySeconds: 2020291403 + periodSeconds: 450860281 + successThreshold: 193397000 + timeoutSeconds: -665894379 + stdin: true + terminationMessagePath: MCVu + terminationMessagePolicy: ŷÍ:+壩ùI賎Rɜ卮cɣS惕mIɭ + tty: true + workingDir: 2L97y + imagePullSecrets: + - name: iA1C + - name: ZOdo + - name: qTOK0W + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: 0bGHQk7gL + securityContext: + fsGroup: -6946946538076897000 + fsGroupChangePolicy: 呆ɔȂwijà + runAsGroup: 3944693697856007700 + runAsNonRoot: true + runAsUser: -732766343758518300 + supplementalGroups: + - -5691922089175975000 + serviceAccountName: H5TDAALUdD + tolerations: + - effect: 媄 + key: IQD9Yww8 + operator: bǾå鱍 + tolerationSeconds: -7454358062612207000 + value: odxS1Q2Sd + - effect: Ɣv璔}oȡʞ¤ + key: ySGX + operator: ƪ渺¸貗ȹV廋ȉňu増嬎Ë韍ǘz茩Ƹ怯 + tolerationSeconds: -1083807005557333500 + value: bAy + topologySpreadConstraints: [] + volumes: + - configMap: + name: Uo + name: configs + - name: Jq0CSftnp + - name: QMHGzzYC2HW + - name: 1PkbzhfK +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "Uo-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Mh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: iA1C + - name: ZOdo + - name: qTOK0W + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['Uo:8080'] + restartPolicy: Never + priorityClassName: 0bGHQk7gL +-- testdata/case-026.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + "": tWl + 5mzy: 4t87VKeHA + a: UqD3iv5LoNYP + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: Utu8ZHG2 + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: qhaD + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vLjrafvp + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: qhaD + namespace: default +spec: + replicas: 78 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vLjrafvp + strategy: + rollingUpdate: {} + type: I6终j2炅ȲbȻ + template: + metadata: + annotations: + LtAjph: 8Q + MiPvJub: 0x + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + j: xR98FRh + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vLjrafvp + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: GP94 + operator: 駑Ŀ峇[ɕdž0 + values: + - jjNFKv8 + - uG7Rs + - ApO075 + weight: -549077137 + - preference: + matchExpressions: + - key: R88 + operator: Dzv)bôȏ磜覐橮波赘T^ + values: + - DscaGMdgXV + - uy + - N3d + - key: "" + operator: 誮Vw!/毴Z匌忶ª渆 + values: + - 4mX0s + - key: byy + operator: 鿟y馡錥HJ鶟b左Ő*čt顭塶 + values: + - 6oQ + - 9r22TM + matchFields: + - key: fNLkt + operator: "" + values: + - tW + - M03GnpfhQn + - key: WQQs + operator: 騡(Í芝x焍麅ɰ窓ɶÜò鵹 + weight: 579622465 + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + namespaceSelector: + matchLabels: + IYAfjz: GloAc + namespaces: + - hfFjlR + - KWIdaP11Y + - 3Dn + topologyKey: UB + - labelSelector: + matchExpressions: + - key: B7LSh + operator: ɉ邦夝ɷ1傹Þ袳@ɲ鉴 + matchLabelKeys: + - "n" + namespaceSelector: {} + namespaces: + - 88M + - fIEJUewFK + topologyKey: i + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: [] + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1372450161 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -913177144 + periodSeconds: 912808843 + successThreshold: -765941931 + timeoutSeconds: 1174210794 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1666039794 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 989921147 + periodSeconds: 536392931 + successThreshold: 1020018972 + timeoutSeconds: 1790731281 + resources: {} + securityContext: + capabilities: + drop: + - ɿX齀蹪 + privileged: true + procMount: Ƚ[孠犥ƶʒ)遷U竕 + runAsGroup: 5229411704597624000 + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: U6f3w + name: ooYxXE + subPath: "" + - mountPath: qzOMXCl + name: Hmms9 + subPath: "" + - mountPath: dXa6uPxR + name: "" + subPath: "" + - mountPath: q + mountPropagation: 跐ʩ4鄧SD炿ɜǚhU + name: "" + subPath: SCLzbAMUW3x + subPathExpr: nzFw + - mountPath: cX8U + mountPropagation: b幈簇@艭K + name: b + readOnly: true + subPath: u5fY + subPathExpr: TRymQ + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + ggwC: SQ + rIwToCbB: tUBM5 + priorityClassName: JnI8 + securityContext: + fsGroup: -2594082004410587000 + fsGroupChangePolicy: 'ċV1鯍E ' + runAsGroup: -880388195249084200 + runAsNonRoot: false + runAsUser: -9051010573896130000 + supplementalGroups: + - -2777109499517678000 + serviceAccountName: Utu8ZHG2 + tolerations: [] + topologySpreadConstraints: + - labelSelector: {} + maxSkew: -154369657 + minDomains: -319419210 + nodeTaintsPolicy: '#Vʅ糗斬ƈ橮IJȶ纀' + topologyKey: dTnKex + whenUnsatisfiable: '@OȤ驮Ʀ琓' + volumes: + - configMap: + name: qhaD + name: configs + - name: ooYxXE + secret: + defaultMode: 45 + secretName: LyH9zvv + - name: Hmms9 + secret: + defaultMode: 429 + secretName: zvR + - name: "" + secret: + defaultMode: 39 + secretName: PC2Ms7 + - name: LeIYAb + - name: 176OvjD + - name: b6NpMGfVo1N +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + Lftu: PjroKEh + qvZJNWSzR: Jpoyc0 + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: qhaD +spec: + ingressClassName: cAir + rules: + - host: o + http: + paths: null + - host: i18Wi + http: + paths: + - backend: + service: + name: qhaD + port: + number: 8080 + path: apsXYvp + pathType: 7q5 + - host: 8eBXg + http: + paths: + - backend: + service: + name: qhaD + port: + number: 8080 + path: cMbMbCQl + pathType: gJT + - backend: + service: + name: qhaD + port: + number: 8080 + path: XvfTwH + pathType: 4se + tls: + - hosts: + - fqD + - JDOgIG + secretName: vzUD + - hosts: + - M6H + - T + - twxgtsi + secretName: lg5siLdo +-- testdata/case-027.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + "": ta51q + RW5sX: LXvP + creationTimestamp: null + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 55C9f3 + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + Gi0OSuP5jF: ARBECJB + qId: Bo + wPKI: "" + creationTimestamp: null + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 61hunk + namespace: default +spec: + ports: + - name: http + port: 376 + protocol: TCP + targetPort: 473 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: h9P + type: G2gqK +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + "": ZtbWlWc + y1ML9Hmg: d6h9 + creationTimestamp: null + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 61hunk +spec: + ingressClassName: Ijdd3 + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: 61hunk + port: + number: 376 + path: / + pathType: ImplementationSpecific + tls: + - hosts: null + secretName: x + - hosts: null + secretName: aSf1 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "61hunk-test-connection" + namespace: "default" + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: jkqm + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['61hunk:376'] + restartPolicy: Never + priorityClassName: bpi +-- testdata/case-028.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: aM + kafka-sasl-aws-msk-iam-secret-key: pcNJ4lPh + kafka-sasl-password: OT9m4 + kafka-schema-registry-password: 4VybIhiIU + kafka-schemaregistry-tls-ca: FVWvaL5HS3DE + kafka-schemaregistry-tls-cert: UqZl + kafka-schemaregistry-tls-key: ch + kafka-tls-ca: 0h0Ac6CS + kafka-tls-cert: pNm4uHVMn + kafka-tls-key: "" + login-github-oauth-client-secret: 5XbGmlDmls + login-github-personal-access-token: y0PF13 + login-google-groups-service-account.json: w3 + login-google-oauth-client-secret: lEvrgxa + login-jwt-secret: SECRETKEY + login-oidc-client-secret: VfRrL3 + login-okta-client-secret: 1Gm + login-okta-directory-api-token: hgmY7AyguR + redpanda-admin-api-password: WvzP1D53 + redpanda-admin-api-tls-ca: dxtnG + redpanda-admin-api-tls-cert: Rs3rHA8Qdb + redpanda-admin-api-tls-key: 7hsD +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 5XQu4RW + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + VLzukyGLL5H: "" + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 + namespace: default +spec: + replicas: 278 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 5XQu4RW + strategy: + rollingUpdate: {} + type: 砓涶rƀł庫x烮ȯ~茤įêŎZ姮Ⱦ + template: + metadata: + annotations: + YefFO9J: uVUZra + checksum/config: cc3f7478d926a8c80ab516ac0060a56c87bbbfdd227b765567fa8644fbee7f09 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 5XQu4RW + n8PG: NEb + sINjD1zSK: exkAcWK3 + yG: T + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 9yhGd: kXTYKV + xb5Co: trB98 + matchLabelKeys: + - gTre + - 3SLXY + namespaceSelector: {} + namespaces: + - q + - j3 + - k76qB + topologyKey: gz6KtIn43 + - labelSelector: + matchLabels: + 9slaN: 9Cv + M: NcJRMIAxd6 + f4JK: QX + matchLabelKeys: + - BGI9Dr + mismatchLabelKeys: + - SZUKIlPB + - WzTTmXWoFc + - wXLg9viobEw + namespaceSelector: + matchLabels: + MZx: u + NztFyV3: EvzmJzLQcn + topologyKey: iLs + - labelSelector: + matchExpressions: + - key: d3S + operator: ò洏ʓ暝歆Ű鈰钌鸔栵ù舁Tb曯ƫ貊ȵ + values: + - sanCz + - lZ + - 5rZ0 + matchLabels: + MEoILl9k: Jd + hVfX4: "" + "n": yhV + matchLabelKeys: + - HOI + namespaceSelector: + matchLabels: + fodO5ovc74m: lvF + mlCh: E1 + ve7: r4P5biTA + topologyKey: CtXr + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: wti + value: AYZm + valueFrom: + configMapKeyRef: + key: Sxryl + name: xXe78 + fieldRef: + apiVersion: HoyJsUxLKd + fieldPath: 2Ns + secretKeyRef: + key: w7WydZL + name: CgxV7 + optional: true + - name: eEKnv + value: BBAXaggk0n + valueFrom: + secretKeyRef: + key: GRP + name: dYBHtrO + optional: true + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: odFI2M4 + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: odFI2M4 + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: odFI2M4 + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: odFI2M4 + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: odFI2M4 + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: odFI2M4 + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: odFI2M4 + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: odFI2M4 + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: odFI2M4 + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: odFI2M4 + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: odFI2M4 + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: odFI2M4 + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: I6Dbq + optional: false + secretRef: + name: fhgE + optional: false + - prefix: L0m + - configMapRef: + name: pVHt + optional: true + prefix: 0xFYui3Ke2pJ + secretRef: + name: IBHH4sd + optional: false + image: qnkfx/ARBa:BetSp + imagePullPolicy: ȸ才TkâĆ8o + livenessProbe: + failureThreshold: -544797053 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1464359845 + periodSeconds: -775253635 + successThreshold: -2065370772 + timeoutSeconds: 3873767 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 286014638 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1755094379 + periodSeconds: 712612179 + successThreshold: 1265199044 + timeoutSeconds: 939664799 + resources: + limits: + H2g: "0" + requests: + i0vpd: "0" + piR58NXU: "0" + securityContext: + privileged: true + procMount: '`4乬+ʍÿȦ!常ʥ_' + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 8119235947749130000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: hHTC4sQ + mountPropagation: ƭ埢Ş@ʮ擈Ɓsmďĝ + name: mVbo + subPath: bI + subPathExpr: q6R + - mountPath: "" + name: gC + readOnly: true + subPath: 5xyS + subPathExpr: Ju9L6o + imagePullSecrets: + - name: Nu2 + - name: j0 + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + fD: q5Hun + priorityClassName: u8cTjKLB + securityContext: + fsGroup: -9123846953160880000 + fsGroupChangePolicy: UƻA竘锵]湞ȊM + runAsNonRoot: false + runAsUser: 2594597056592417300 + sysctls: + - name: 4eRaw + value: HnWeNFR + - name: 4hP + value: UoCU8Ni + - name: d + value: TpLFHKFo + serviceAccountName: 5zV + tolerations: + - effect: x)|綻%ŴC¸÷G) + key: 6c + operator: 皐łʨɆ挓R衯Ǫ诌ƍ爂vĂB麧尣Ć* + tolerationSeconds: 341291117142213700 + value: 45gIZCr + - effect: ɿ鎅ɸƱɿ韆頟R躦0P^,豐ƨe祠攇覙 + operator: ß¼ʐȻ*溃N妞 + tolerationSeconds: -7034164218355111000 + value: xb5 + topologySpreadConstraints: [] + volumes: + - configMap: + name: odFI2M4 + name: configs + - name: secrets + secret: + secretName: odFI2M4 + - name: 0nP + - name: 5Mq +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "odFI2M4-test-connection" + namespace: "default" + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: Nu2 + - name: j0 + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['odFI2M4:8080'] + restartPolicy: Never + priorityClassName: u8cTjKLB +-- testdata/case-029.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - null + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + 33Yi: tesf5 + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK + namespace: default +spec: + ports: + - name: http + port: 389 + protocol: TCP + targetPort: 52 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 3Wh + type: sIQBZD +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + WVwaqt: gTMC + s6HZpOA: bc0 + sZaCXy: LXRQNTghxb1 + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK + namespace: default +spec: + replicas: 385 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 3Wh + strategy: + rollingUpdate: {} + template: + metadata: + annotations: + IVy: ho3qpcI + checksum/config: ed80a6573dafe73ab884b6322e9c75c1018d618e61286f9e61f445266092293d + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 3Wh + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: hPtYq9oSSQ + operator: ŗ妃Mīú玢盛 + values: + - T0M + - aywAkbl + - key: F7yCY + operator: '2Pl@äEɜś`PȾ槯c:' + values: + - n7sIXrD6 + - 5EPSQgq3v + matchFields: + - key: wOOgY + operator: 乾Ǧ + values: + - GqfE + - key: gRF5bu + operator: DŸQ95ʊÊj蕵髪OHōM4Ľɝ钣 + values: + - 2rEXM1C + - BB + - key: TK75p + operator: 譌嵡荀Ș枻賿ė + values: + - MHB + - sI + weight: -1638497382 + - preference: + matchExpressions: + - key: sgUr6t + operator: ʁE'[剳嫯Ȧ梳*&櫺窟ľ幣ɥ{紌 + values: + - 6x + - NRmDb1X + - key: VrZW4eZ + operator: 蘨ȘÚ籘J嬋JƒÎhUl田U + values: + - 0cG6ed0 + - I + - key: Ui + operator: 遂樸tUŏǞF)橷嵱 + values: + - mUT9H9 + matchFields: + - key: zzI6 + operator: ƈ肶帅ʒb漄i + values: + - 9Xi0r + - key: Bm + operator: 嚏鈻峓霙ʊcʔ暏g圖鹔夺mą¹跑 + values: + - tvOC + weight: 1006541829 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: ZlUi + operator: ʯ鼙%淹ȏ č>稄鱑Í朹s狑Ȱ螪;ǃ嘲 + values: + - gIlS + - 5lD7AvT7I + - "8" + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hi0zfFEN + operator: 裧禿 + values: + - SymXRnv + - iKr + mismatchLabelKeys: + - wesfXhv + - Z78yvK + namespaceSelector: + matchExpressions: + - key: jqHt + operator: ûų:碃;ė燱5ìb-垢xźɆ + values: + - u8cOuqy + matchLabels: + "8": nCrnu + Fd: 5YhLJD3 + r5sMi70hp4TeB: KrDX7d + namespaces: + - LOH + - 9EvOI7HWh + - 5sHJp + topologyKey: "" + weight: 403248696 + - podAffinityTerm: + mismatchLabelKeys: + - Vrf + namespaceSelector: + matchExpressions: + - key: 5w + operator: '|泀ŏ咙ƚ' + matchLabels: + 4vRvwhR: Nz + T6uTCUGiwx: lS + ZuFER: Db8xhFevK + topologyKey: K7NA + weight: 249855905 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: No2 + operator: Ɗ]鿇躠骐 + matchLabels: + 7nohEoAMei: WrMV + ddLK: 2ehkh + qtrhf: EAAqHFcrjgT + mismatchLabelKeys: + - DrrBoq + - Nh + namespaceSelector: + matchExpressions: + - key: BEXHPr1wQ + operator: 傝魦voȪwć撈 + values: + - i3 + - gUU + - 7nmbvkGs + matchLabels: + Rh65F: rKR + namespaces: + - 1x9DGG + - xKj137E + topologyKey: CSNQy1M + - labelSelector: + matchExpressions: + - key: psq4G + operator: ɓƦ + - key: 3IlNf + operator: ćȬ4鏉1, + values: + - L0 + namespaceSelector: + matchExpressions: + - key: nVgt + operator: ɤ湿ŭò-ɋ鼴)箥Ȅ鋖ʄBK + - key: GD7 + operator: 峄9ƚ涙閉ʃ謩云飠:鎂玚wƁȖ] + values: + - i8cg6A + - TeOYSsj + topologyKey: rEB + - labelSelector: + matchLabels: + s0PrY366si5H: Qwj + ytBgNf0: e + mismatchLabelKeys: + - eylzvu + - q + namespaceSelector: + matchExpressions: + - key: os4H6DpxQ + operator: 5õċ鋵葿葄痄ɍ览逪ȋ`j + matchLabels: + vL3arho: gPmLG + namespaces: + - PjQTIWTFeK + - g5HCelWpMjnF + - QN3mXW + topologyKey: I5osiWTrzhb + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: HK + envFrom: [] + image: nZ5PG/5q2qCT:z10JAfCu + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1989869025 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 56050789 + periodSeconds: 193173949 + successThreshold: -1606638368 + timeoutSeconds: -1117024654 + name: console + ports: + - containerPort: 52 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -509957017 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1816814831 + periodSeconds: 406466643 + successThreshold: 450108513 + timeoutSeconds: -1862950899 + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 邻ȸNJ"纴ý汫篤訙铵寄貹Z[逗ą弣 + - lǀ敕ɖ + privileged: true + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 3375680259081538600 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: P + name: zBgE7HVQ + subPath: hw6PBLgv5R + subPathExpr: YAI5mPj5 + - args: + - K9 + - 02olyp + env: + - name: F + value: rhVGTadjT + valueFrom: + configMapKeyRef: + key: 3TA0cg2R2 + name: DLZ + fieldRef: + apiVersion: s + fieldPath: Ux + resourceFieldRef: + containerName: avop + divisor: "0" + resource: itl5J4xK4 + secretKeyRef: + key: Av9eKok + optional: false + - name: QaOLYDLT + value: FQu + image: 1MFnpZG + imagePullPolicy: 脓 + livenessProbe: + exec: + command: + - lH4S + failureThreshold: 1311534645 + grpc: + port: 1048835191 + service: p5EtELTs + httpGet: + path: Zjrv + port: Ypah5av + scheme: þʙ龠ȉ%Vę皓ŏ蟝ǙĿìɋN + initialDelaySeconds: 1980070741 + periodSeconds: -728109708 + successThreshold: 1412960079 + terminationGracePeriodSeconds: 4797597904045468000 + timeoutSeconds: -1164059804 + name: oron + readinessProbe: + failureThreshold: -1734715333 + grpc: + port: -673781482 + service: 20iHh + initialDelaySeconds: 270804414 + periodSeconds: 1240219458 + successThreshold: 957649997 + terminationGracePeriodSeconds: -7921460752123720000 + timeoutSeconds: 2069469191 + resizePolicy: + - resourceName: M29 + restartPolicy: tL + - resourceName: WK + restartPolicy: T軂>ȋ1觫蚴Ș + resources: + limits: + KS: "0" + ZDx: "0" + kIjQHQZ: "0" + requests: + BSB: "0" + restartPolicy: LJW獮 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ɺ嚹晐囕胐ƻ + - ņɹ桴O塾q6賤呋f铰}Ʒ輽ʁ[顝 + runAsGroup: 6868723237582569000 + runAsNonRoot: true + runAsUser: 433131246318901200 + startupProbe: + exec: + command: + - mB6 + - Om9w + - "" + failureThreshold: -1184477652 + grpc: + port: -1276243610 + service: m6d + httpGet: + host: VzPuwIiTpY + path: C + port: 0NYj1C + scheme: V=@彆鈂t³Ɉµs斾m蛊ɲ + initialDelaySeconds: -898287287 + periodSeconds: -413255468 + successThreshold: -1510482870 + terminationGracePeriodSeconds: 4884332649151511000 + timeoutSeconds: -1445193311 + stdinOnce: true + terminationMessagePath: DQTH7 + terminationMessagePolicy: ÈɁ;ň);ɑI×ĕ觫'ɣ + volumeDevices: + - devicePath: v + name: AZ6wCimJFM + - devicePath: ZtIx + name: GFe3 + volumeMounts: + - mountPath: tt + mountPropagation: 侮E墝調cé攊疀" + name: UJ + readOnly: true + subPath: JlqP + subPathExpr: lA2v + workingDir: OV90 + - command: + - 8jHRuz + envFrom: + - configMapRef: + optional: false + prefix: yfl3PI + secretRef: + name: r7eR + optional: true + image: m4Etaoz8Bf + imagePullPolicy: okÛļ閷YƗzƄǧ + lifecycle: + postStart: + exec: {} + httpGet: + host: zu9aQLsX + path: xIFogzAoC + port: 1MjUE + scheme: 斔疏ʟn菝 + preStop: + exec: {} + livenessProbe: + failureThreshold: -1399917612 + grpc: + port: -876522011 + service: 2y + httpGet: + host: X9nNdf + path: 8mVJlz + port: 220487349 + scheme: 兇)hr裳ǔ湟钑>ȓn厠tū晣颊 + initialDelaySeconds: -968878635 + periodSeconds: 411754743 + successThreshold: 2083381130 + terminationGracePeriodSeconds: 2736468416107855400 + timeoutSeconds: -423937148 + name: Or + readinessProbe: + failureThreshold: 1628351372 + grpc: + port: -1466105410 + service: b + httpGet: + host: 8kOz + path: IhSlrBw8tiX + port: 1Vd + scheme: qV·dƖ> + initialDelaySeconds: 735135195 + periodSeconds: -175995819 + successThreshold: 1379601279 + terminationGracePeriodSeconds: 386635447886660740 + timeoutSeconds: 125503732 + resources: + limits: + LuudLJ9i: "0" + iXpYUWY: "0" + mHi: "0" + requests: + XLnFU: "0" + mSq9e3u: "0" + t6WYwzmga: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ɭ鎣肪綢ȀNj8)屫鈄骸嗢æ憰qWTƶ剡 + - "n" + - OwkʙƝk}ɾ丧< + drop: + - Ť<嶼ȯ愉9宆嵧pɡ%ɐxė鹞鸵鏞 + - ƅgʆ炊ƞąÙ$Ǯ帶SȔ黌畕ǦƖȫV9 + - Ŏʠ羮ɍ痘摬 + privileged: true + runAsGroup: 5710532895986022000 + runAsUser: -7207500526873246000 + startupProbe: + failureThreshold: 2053062827 + grpc: + port: -1076044334 + service: s8s7 + initialDelaySeconds: 7348194 + periodSeconds: 889500482 + successThreshold: -645465298 + terminationGracePeriodSeconds: 4356974427366500000 + timeoutSeconds: 136481601 + stdinOnce: true + terminationMessagePath: t4pW + terminationMessagePolicy: ƣ + volumeDevices: + - devicePath: Df8O3UFZ + name: QL93u + - devicePath: WKg + name: nD4H + volumeMounts: + - mountPath: xs9 + mountPropagation: e羝ș+oũ蘘汉 + name: grr + readOnly: true + subPath: aUYSuUM6f + subPathExpr: mm773yL + workingDir: o + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + Jy9: v + VcMeUW2U: xOwcDQYY + wkI: TbemvxUUg + priorityClassName: sLkcwZ + securityContext: + fsGroup: 99 + runAsGroup: -9040107238323409000 + runAsNonRoot: false + runAsUser: 99 + serviceAccountName: 43zobnL + tolerations: + - effect: 蜆³Ə抴璖獍ä鷲炥/=霒0ǷU伀稂ı + key: EMvrrkeG3 + operator: Ȓǒs夃Ȑɉ鋄蛓m÷,旂 + value: yd + - effect: 旌;"ȡ媟窐:ljʥh蓭殰Ȩƴ邃ȬIȻL + key: n87GpiB + operator: '偵~ȥʢȈ珎ſ龕5sʠŇưT4-§Ƀ ' + value: TUaznROmQffrRe1 + topologySpreadConstraints: [] + volumes: + - configMap: + name: HK + name: configs + - name: secrets + secret: + secretName: HK + - name: "" + - name: SXJ +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "HK-test-connection" + namespace: "default" + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['HK:389'] + restartPolicy: Never + priorityClassName: sLkcwZ +-- testdata/case-030.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + name: G9 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: DtIy + kafka-sasl-aws-msk-iam-secret-key: 9xCf7 + kafka-sasl-password: 8F + kafka-schema-registry-password: krNk2 + kafka-schemaregistry-tls-ca: 5I73C + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "34" + kafka-tls-ca: DaT + kafka-tls-cert: LaU0jwOpGv + kafka-tls-key: "" + login-github-oauth-client-secret: BoOjni + login-github-personal-access-token: uUxZ + login-google-groups-service-account.json: NulwlJ + login-google-oauth-client-secret: oeL6p7fcL + login-jwt-secret: SECRETKEY + login-oidc-client-secret: yRSh2 + login-okta-client-secret: xKLBJ9ZAR + login-okta-directory-api-token: HTZWfHt + redpanda-admin-api-password: 5DQTqKD + redpanda-admin-api-tls-ca: m5pg + redpanda-admin-api-tls-cert: yfP + redpanda-admin-api-tls-key: gzG +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + name: G9 + namespace: default +spec: + ports: + - name: http + port: 250 + protocol: TCP + targetPort: 475 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: J + type: QAVsE +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + name: G9 +spec: + maxReplicas: 10 + metrics: + - resource: + name: cpu + target: + averageUtilization: 227 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 477 + type: Utilization + type: Resource + minReplicas: 306 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: G9 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "G9-test-connection" + namespace: "default" + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: wu1 + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['G9:250'] + restartPolicy: Never + priorityClassName: KuRS +-- testdata/case-031.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - {} + - {} + roles.yaml: |- + roles: + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI + namespace: default +spec: + ports: + - name: http + port: 112 + protocol: TCP + targetPort: 375 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: xknw + type: N9chrF +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI +spec: + maxReplicas: 25 + metrics: + - resource: + name: cpu + target: + averageUtilization: 460 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 169 + type: Utilization + type: Resource + minReplicas: 20 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 59cQ0qKLI +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + Q: 3KXvHleq + YUY: BD + mdCRk: Ilk9wDjAw + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI +spec: + ingressClassName: GuB1VTCp + rules: + - host: WsTbK7W + http: + paths: + - backend: + service: + name: 59cQ0qKLI + port: + number: 112 + path: MKCR56 + pathType: hEV + - backend: + service: + name: 59cQ0qKLI + port: + number: 112 + path: "6" + pathType: pv + - backend: + service: + name: 59cQ0qKLI + port: + number: 112 + path: rNv + pathType: L0CY1c8 + - host: OxFD + http: + paths: null + - host: Ojx + http: + paths: null + tls: + - hosts: + - C + - wxjmQWXDn + secretName: ESgom5IBQR +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "59cQ0qKLI-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: 2Ry3vDGf6 + - name: PE5R + - name: uWsoZ + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['59cQ0qKLI:112'] + restartPolicy: Never + priorityClassName: mFg +-- testdata/case-032.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - K8wnWSD: null + bwYE7: null + y4j: null + - GvFfKdgL: null + enU8G4: null + wvnJcOn: null + - td7: null + roles.yaml: |- + roles: + - YQBucbbDX2R: null + - 2UuDKjR: null + IV0Yus9: null + ci20SljQkhw: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G + namespace: default +spec: + ports: + - name: http + port: 418 + protocol: TCP + targetPort: 486 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: wB + type: aaIqePq +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + xpNWT: MpOZ + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: wB + strategy: + rollingUpdate: {} + type: ȁ进辫fu + template: + metadata: + annotations: + checksum/config: ae52af057e6331e5caa1d321881f906df93659aa45a5458c4dd4ae890cf7695b + creationTimestamp: null + labels: + So: waKMMvnY + VXPE0: 8ExVsj + app.kubernetes.io/instance: console + app.kubernetes.io/name: wB + ip1RGEzt4t6: "1" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 735732238 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cFkyLM + operator: 岊B + - key: V3cKSq + operator: ǟ濈1ɑÎ"孲ȀŨFhŲ + values: + - hz + - matchExpressions: + - key: 8N + operator: 9´敤T + values: + - amWROpS + matchFields: + - key: 7hmWbsKS + operator: "" + values: + - lS + - slkOyX + - YlwPcdVh + - matchExpressions: + - key: n5YD + operator: Əüʢ軾ŚũɳnŒ + values: + - 5s4eD6x + - WMkZIzS40rxp + - zCnW + - key: JawyIOLo + operator: 巳c習Gnƛ{ɩ¯Ĭ枺lȜʩ泿趏ǙĊi + values: + - Fvzyw13fUZC + - 4w9T3GeG + - mVj9N + matchFields: + - key: 4amyTWvhx + operator: Ąŵ8雌%ɸ*W褒卒S + values: + - cPr0Nm2WFo1dBq + - a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XgsMMBS + operator: ȗ諹 + values: + - foI + - NN1yiUNR + matchLabels: + Qq: VB19aUlI + mismatchLabelKeys: + - hcD + namespaceSelector: + matchLabels: + vMT90cNq3PYf2z: upe + topologyKey: RSVn9W + weight: 603398420 + - podAffinityTerm: + labelSelector: {} + mismatchLabelKeys: + - 4IL0rEe9 + - yY0RMU2 + namespaceSelector: + matchExpressions: + - key: tIka9jS + operator: 7怘xə4ÏɦW + values: + - l + - ajs6c + - hkYj + - key: Qu + operator: ʊ鏀ɑ蒀刹gE + values: + - 2UvY + - hRB1wKXyHi9 + topologyKey: ZKWyn5kI + weight: -1674108352 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: KQfZ4 + operator: ġȁAu盝ȭƈŦ齬{z + values: + - itNS0T + - jL + - key: q0HemjU + operator: e銳ȇ葁õDÏ筃 + values: + - M5yeE + - gJJY + - HInHzXgX + - key: d1LKZ1 + operator: Q + matchLabels: + XElv: QGJ + nD: kNCk5qe + wUtw34v: sCjj5z + matchLabelKeys: + - ej9hOPjp7W + mismatchLabelKeys: + - lhU9gP + - T7rMlvu + namespaceSelector: {} + namespaces: + - ii3aa + topologyKey: 8U7 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: CkQsu4fS + operator: 鄦&ɲȅ + values: + - RVnwZ + - EVk + - key: yt + operator: 傓N嬅宠H^÷ + values: + - 1L + - rVQPs + - dUHOKQ + - key: hQ1Tl + operator: ɣë筁尻!絜辩^riʨ莠8dƋ + values: + - 4D6Y + - 5TXh + - 8RH + matchLabels: + "9": jb2X + IdL: PQj0N + iB09Upiijt: JpN + matchLabelKeys: + - rKS9p8 + - sK8p + namespaceSelector: + matchExpressions: + - key: KQ6 + operator: '篛I6ÝBŘ F媍/:' + values: + - NXP47Fm + - Z0Qh2Y4 + - JeWX + - key: Yh + operator: '!j3W' + values: + - mTm5dkO58H + - "" + - key: 6q + operator: 景¨Sŝvo/ + values: + - TrgtrP + - zqIsId + matchLabels: + 7E3A1K: "7" + 63IlVL: aSxc + W1hP: 1H9k3O + namespaces: + - "" + - 2Ma + topologyKey: FFqt + - labelSelector: + matchLabels: + "": wklJJ + C8JZ: LP + U1pz: kAE1l4 + matchLabelKeys: + - shj5V + - oU074y + - Ufq2w + mismatchLabelKeys: + - oBzMiOSgd + - iSF + namespaceSelector: + matchExpressions: + - key: fCbLu + operator: 塊衅m鑀ȣ戢ŭ阻蹯ȟ獇ɨ + values: + - B6TgQ75 + - FAHTEOSesQ + - Ms2Kw7XQ + - key: 133fMqId + operator: "" + values: + - pJc0Zu8 + - T1PEuV0uism + matchLabels: + 1rfPa2b4Ny: cemR + Np9l: lcX + SjNYy4: VZX + namespaces: + - 7W + - umFBWrpUDHv + - "" + topologyKey: pPUIqPXo + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LICENSE + valueFrom: + secretKeyRef: + key: bujGpO7D0C + name: V + envFrom: + - configMapRef: + name: nJXDn + optional: true + prefix: g3ZpAEUJC + secretRef: + name: 5Yin + optional: true + - configMapRef: + name: spYG9o0 + optional: false + prefix: Wv01 + secretRef: + name: BxDbe + optional: true + image: mU/xY76Tj:AgKh6S1 + imagePullPolicy: "" + livenessProbe: + failureThreshold: 1396135036 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1526591550 + periodSeconds: -972224922 + successThreshold: -39437670 + timeoutSeconds: -1229662908 + name: console + ports: + - containerPort: 486 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1061708880 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1618839364 + periodSeconds: -2098998213 + successThreshold: -846859522 + timeoutSeconds: 1824930679 + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 退晦Ţ鲛 + - '}ʄ攏嫫;Mǐ豒ɇf,搅Ð貑ș|Óf' + privileged: false + procMount: D + readOnlyRootFilesystem: false + runAsGroup: 1564095685271138800 + runAsNonRoot: true + runAsUser: -3929576237300142600 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - args: + - T + - Pvf1yAamEa + - jQE8UakuY + env: + - name: 3g + value: JexRP + valueFrom: + configMapKeyRef: + key: QZ + name: QcC + optional: true + fieldRef: + apiVersion: Iv + fieldPath: d7xQ + resourceFieldRef: + containerName: jLpJ + divisor: "0" + resource: m + secretKeyRef: + key: Quhh + name: HUhzPAEo85 + optional: true + - name: ehSBff + value: nHu + valueFrom: + configMapKeyRef: + key: v3Icanu + name: dNPJ8 + optional: false + fieldRef: + apiVersion: xO7UQDq0 + fieldPath: gAyGB6Nj4 + resourceFieldRef: + containerName: Bs2D + divisor: "0" + resource: xJCQsH + secretKeyRef: + key: 3T6tjIQWa0C + name: 8TvRbhP + optional: false + envFrom: + - configMapRef: + name: mf + optional: false + prefix: pZxp + secretRef: + name: v + optional: true + - configMapRef: + name: wosjc9 + optional: true + prefix: ehhmFeLY + secretRef: + name: Ll + optional: false + image: kZ8UUm + imagePullPolicy: Ɓ + lifecycle: + postStart: + exec: {} + httpGet: + host: K29SzZPo + path: y2bQL8 + port: Cr + scheme: 轂Ì蕏ʋ + sleep: + seconds: -3765902632580054500 + preStop: + exec: + command: + - 1pT5X + httpGet: + host: NouEQF + path: WITzSW + port: 1565482371 + scheme: ƒ塒廛鎐藽瀫 + sleep: + seconds: 1831382645860082000 + livenessProbe: + exec: {} + failureThreshold: -1525719681 + grpc: + port: 99688681 + service: xa0sl3k5KM + httpGet: + host: prjHPqf + path: RHwZIE + port: 2UZ7hXI + scheme: 瑀ċ廤ȵ + initialDelaySeconds: -1367665605 + periodSeconds: -1023789296 + successThreshold: 206844073 + terminationGracePeriodSeconds: -3901072071078889000 + timeoutSeconds: 1670691424 + name: t + ports: + - containerPort: 2046398071 + hostIP: pJg + hostPort: -1247541550 + name: DrYeHQ6 + protocol: ²ȑBŸ + readinessProbe: + exec: {} + failureThreshold: 852505381 + grpc: + port: 8093048 + service: "N" + httpGet: + host: uuaPC + path: Mpxk6p + port: -297149767 + scheme: 這伦礗鯪àe]雚腴k£ɂ闧ɦĚH鏰浳 + initialDelaySeconds: 296244720 + periodSeconds: 1237321103 + successThreshold: 722306410 + terminationGracePeriodSeconds: 7739978307238029000 + timeoutSeconds: -2129506856 + resizePolicy: + - resourceName: NBfNOBC + restartPolicy: ƞdWǝi鎠R殩杜Ś晚尒尧ǐ; + - resourceName: oDw8xEb + restartPolicy: ja侬ƕ + resources: + limits: + BJcVkW: "0" + Ub5Spt: "0" + nWi63TNlCyM: "0" + requests: + e5vcw0H: "0" + eKz0z: "0" + gK: "0" + restartPolicy: 嗈ǒɟNǭ臥穥Ť + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - $拷霒Ø耖} + - ijĸN藬?w粯痵餒薃辕5勅ů + - 幒Ƹʁòĺǂ浼GX + drop: + - 宖 + privileged: true + procMount: 凝 + readOnlyRootFilesystem: false + runAsGroup: -7000080292188881000 + runAsNonRoot: false + runAsUser: 9107304642056619000 + startupProbe: + exec: {} + failureThreshold: -208121509 + grpc: + port: 133215347 + service: pj4Kw + httpGet: + path: hGLW3 + port: -239286046 + scheme: YsÌǮŦʁ¡ē峪3 + initialDelaySeconds: -817672524 + periodSeconds: 1846655614 + successThreshold: -243958761 + terminationGracePeriodSeconds: 4190490525804645400 + timeoutSeconds: -973067987 + terminationMessagePath: 9vMe3Y + terminationMessagePolicy: 雍Wȯ嘷台厃$Țʍ13b霞两e + tty: true + volumeMounts: + - mountPath: yZbL + mountPropagation: 鲫絎Q(銞ÎÕX堙Ľ銃曅注t锋ɮj覧« + name: UFfAqsgd + subPath: wSo + subPathExpr: bIsBP3O + workingDir: DYBcINRq + - command: + - wgBryFN + image: NorbK + imagePullPolicy: 鉓Ĕʠ;兮)Frë + lifecycle: + postStart: + exec: {} + httpGet: + host: Z + path: 3v + port: W1vDkt + scheme: ŷ索gp=ŵāǼ餆嬦Ƹl媓R}豟ɠĖ. + sleep: + seconds: 1583583004300077000 + preStop: + exec: + command: + - XztEol6So + - GveA + - H4aUl + httpGet: + host: 75LDW + path: nu + port: I + scheme: 胛Uȁ¬ + sleep: + seconds: 4617693270470586000 + livenessProbe: + exec: {} + failureThreshold: 1423393786 + grpc: + port: 2097410769 + service: "" + httpGet: + host: W7 + path: PyPprD6 + port: dHwCyz + initialDelaySeconds: -1439644816 + periodSeconds: 182024489 + successThreshold: -1861505070 + terminationGracePeriodSeconds: -4166230023615503400 + timeoutSeconds: -704907360 + name: sFz5 + ports: + - containerPort: 1977465061 + hostIP: kxqRig + hostPort: 393211643 + name: DRO + protocol: ķǔȈ + readinessProbe: + exec: + command: + - mn + - 4TZCjrWPW18 + failureThreshold: 972699487 + grpc: + port: -1384519737 + service: IY5quWWV4JC + httpGet: + host: wq91i + path: Zy + port: -1192576969 + scheme: Á^_ + initialDelaySeconds: 2107832874 + periodSeconds: 1041520026 + successThreshold: -118135340 + terminationGracePeriodSeconds: -4946782594204673000 + timeoutSeconds: -1933961678 + resizePolicy: + - resourceName: MG7PMkMMObJJU + restartPolicy: §觫困Ȏ龝ƃȃɩ芴ÎĽ + resources: + requests: + I4: "0" + zLy: "0" + restartPolicy: 粛醑綇蝙Ɣò犁鶓A + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 掀ǃA颺LnFąɏ動 + drop: + - 输6sĺ宯hĢ + - ĨƨO檔暰z + - Neɬ慿Ȁ0ɳ蠈ǚǦO¸Ğ崔ʂ¢剚 + privileged: false + procMount: 翄怉DžǬ?胉獄ǙƊɚx虉F + readOnlyRootFilesystem: false + runAsGroup: -1943526545280953900 + runAsNonRoot: true + runAsUser: -7089742793545457000 + startupProbe: + exec: + command: + - hDj + - ONyz91fkTFY9t3 + - ynDWkO + failureThreshold: -5561223 + grpc: + port: -1069825885 + service: oQmy + httpGet: + path: l4sWc + port: 53AhP + scheme: ȩ + initialDelaySeconds: -6165070 + periodSeconds: 1844899228 + successThreshold: 903779261 + terminationGracePeriodSeconds: -3909221818854749700 + timeoutSeconds: 746670574 + stdinOnce: true + terminationMessagePath: egr00cLki + terminationMessagePolicy: ɯ2鰌^坪yN蠏Ĵ + tty: true + volumeMounts: + - mountPath: YOyu1MjxN2 + mountPropagation: :鸛o鮓L`<]ơ1b忙n鲃{< + name: dODfVz + subPath: ZknFq + subPathExpr: oX1n + - mountPath: 4TEsoc + mountPropagation: 帺Õ斯剅ƫf鳌麓HƸŘÂ瘖?謾軌 + name: hau + subPath: w24Wq4e + subPathExpr: i2TEix + - mountPath: uuujj + mountPropagation: 氻ʃ2NFJ啼铗"O{À-ŧLJ弟 + name: klnXhhnxKk + subPath: SEx + subPathExpr: CK2FmmyYThL + workingDir: NCvZAa + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + ih: xT3Dk3PXT + xhq: vu + zLR9: wFjrfu + priorityClassName: WeB9y8 + securityContext: + fsGroup: 7101468120327600000 + fsGroupChangePolicy: ȴ鳁ƨ殳h`熡ƍʊ0ŀ擳琗图.AƱX滋 + runAsGroup: 4262945102741077000 + runAsNonRoot: false + runAsUser: -9214274730002703000 + supplementalGroups: + - 4135587743067906600 + - -2908166639165702700 + sysctls: + - name: Yo9 + value: zak2 + serviceAccountName: zpH + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: llK4G + name: configs + - name: 1zZI6J + - name: D + - name: OUqOnvjvba +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G +spec: + maxReplicas: 459 + metrics: + - resource: + name: cpu + target: + averageUtilization: 497 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 146 + type: Utilization + type: Resource + minReplicas: 198 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: llK4G +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + Lhm: f24CRNEJvs + pk6fq: "2" + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G +spec: + ingressClassName: EXqR + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: llK4G + port: + number: 418 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - xEciJGskt + - pBxfBltrqACoat + - INyj + secretName: Qy + - hosts: + - F6sf + - EHuJ + - 95my0 + secretName: XOIr +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "llK4G-test-connection" + namespace: "default" + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['llK4G:418'] + restartPolicy: Never + priorityClassName: WeB9y8 +-- testdata/case-033.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - 7x: null + Ia1K2tdRuYi: null + j6c9: null + roles.yaml: |- + roles: + - {} + - 6Vndf: null + f: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bCPeYVWao + app.kubernetes.io/version: v2.7.0 + gZ85uw3T: e + helm.sh/chart: console-0.7.29 + qO: F4dqLo67vKYZ + name: foGC +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + lrtdFF: 60R7 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bCPeYVWao + app.kubernetes.io/version: v2.7.0 + gZ85uw3T: e + helm.sh/chart: console-0.7.29 + qO: F4dqLo67vKYZ + name: foGC + namespace: default +spec: + ports: + - name: http + port: 229 + protocol: TCP + targetPort: 59 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: bCPeYVWao + type: 2K35 +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bCPeYVWao + app.kubernetes.io/version: v2.7.0 + gZ85uw3T: e + helm.sh/chart: console-0.7.29 + qO: F4dqLo67vKYZ + name: foGC + namespace: default +spec: + replicas: 390 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: bCPeYVWao + strategy: + rollingUpdate: {} + type: 呇弰$腕煴贔棳軀+œʃǀŖ* + template: + metadata: + annotations: + checksum/config: b3a4b261d0705e207d46ac15067d5c7d7c951cf0c0fa7736607331369bd47b6d + creationTimestamp: null + labels: + 1bb6: "" + 3U: mfPv + T: Q + app.kubernetes.io/instance: console + app.kubernetes.io/name: bCPeYVWao + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: 1O + operator: 拺5ř(Ƅ餕ʟ{鐻Ƈ + weight: -2070567569 + - preference: + matchFields: + - key: JlGR + operator: 脱?ĶA蛜頒ǽGǷ藸 , + values: + - 8zZEVom + - TY + - FSSQQ + - key: w3C + operator: sɯeM^筘褑 + values: + - Q + - i48uKb + weight: -1969968900 + - preference: + matchExpressions: + - key: ZsgVr + operator: Eȗ + - key: RfMZL + operator: "" + - key: r + operator: džɬ毿鵮V町iAÉ橁zy题ʔu7ÆO9 + values: + - uj8h + matchFields: + - key: "" + operator: :止褮Ȃ宸 + values: + - 9h + - Do + weight: 1160212382 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: nmW + operator: '%U<Ȫk7家fƥ降]:' + values: + - e4hDXWb9G8Qi + - SynNDfUn + - C8kz + matchFields: + - key: QO0Q + operator: l!m0ʒbƹ豫ň + values: + - eh + - key: VE5mZtP + operator: ~x蹵#ÂvǗRɩ啭Ö澭肞¤7跜庛Ɍ + values: + - yT + - key: 1Cony + operator: 阃 + values: + - ahj6j + - matchExpressions: + - key: TvhlZutK + operator: 5叹ùz + values: + - rog + - key: qLPNTFw8 + operator: 藘鸘Œé溇ʄsoɷƱǺȾ蹾K混īl軇 + - key: F + operator: 則Yǹ郰饉貓伜ſ0|麊 az襽准 + matchFields: + - key: VcfFwmb + operator: WJMU狰槃žiǶq挿} + values: + - b7G + - "" + - wzxeij27DD + - key: "" + operator: 殀ǥ + values: + - "9" + - 0E3EkrfSX + - vzth + - key: omoz + operator: e´Ģ桇适TŽǤʈ + values: + - TVj0W7 + - 7HjUt2w + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: nN1614M7 + operator: '鰺/堅ý髉铊ɇƴ2友凇3 ' + values: + - D0tt + - sG9E + matchLabelKeys: + - l + mismatchLabelKeys: + - vqTKCL2D + namespaceSelector: + matchLabels: + LIgB: qqC9YL + namespaces: + - BLdVDzfY + - eq + - qB + topologyKey: qwces + weight: 899210618 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hIz8wo + operator: ĥ\{ė + values: + - ZwYh1 + - 4l9U + - Q5Io + - key: sd3eCUDob + operator: 蒴ǚ<灁Q柷娸颂嘃üĸƢı + values: + - U0 + - "" + - WXJjoBRKrfEY + matchLabels: + QSrEl7t0: hxsiSGCubb + mismatchLabelKeys: + - PiUy + - VhBWFCyx6C + namespaceSelector: + matchLabels: + G: 07tU6 + ZCO1QQK: b + uq: HISLIo9ZC + topologyKey: 87eQuI + weight: 1750437304 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: nK0RSDE + operator: R(陛m诜ȯơȴ豨躻 + matchLabels: + CE9: u8FukDT + U5N: "y" + matchLabelKeys: + - 5I6wiiY + - JDZsP + - zGyW + mismatchLabelKeys: + - 4WZHZ + namespaceSelector: + matchExpressions: + - key: N9E9 + operator: ȅ)礯占鷨ʫɩfǡnʎə掅Ux曶HŁ遐 + values: + - JdC + - 3NS25HFHxU + - key: "" + operator: ı獗& + - key: q + operator: 髢£Ȋ泽ZwVfc剻Ţ嬊j + topologyKey: "" + - labelSelector: + matchExpressions: + - key: Tof0 + operator: ĥM:ɑȏF叆綯炩藁û漄f + values: + - jTpj + - gYZ8IIq + - key: avL + operator: ɼƌ壟.敾¦ + matchLabels: + P1w: Nb9t3e + matchLabelKeys: + - TkIx94Dmu + - 8KVE + - UEJW + namespaceSelector: + matchExpressions: + - key: gQOOR5Pz + operator: Ȁ蛝畆粔辧殤,ǔžɨʜ + values: + - MiGt + topologyKey: nn1x + - labelSelector: + matchExpressions: + - key: C + operator: 瘎%瑧¹$兤 + values: + - p5TR + matchLabels: + c9PNRTZ: L + matchLabelKeys: + - 9xrNO + - saFgUzTD530EV + namespaceSelector: + matchExpressions: + - key: "" + operator: 琨j貙ŰĤ煾骣ƢƐ肾Q`ĥ?舶 + values: + - "7" + - T4pSI + - key: u0lbHcT + operator: čÉ壶霻*ǻ蠦Źê潡%!Ȱʁr.ň沀痊 + values: + - voUu0X + namespaces: + - tX + - uDgtoDt + topologyKey: "1" + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: RTz9f + value: kK5WtZCFpsl + valueFrom: + configMapKeyRef: + key: CB1UV + name: 0pF + optional: false + fieldRef: + apiVersion: xO4s + fieldPath: n2G + resourceFieldRef: + containerName: GmnwMQ + divisor: "0" + resource: yX30Dke4u + secretKeyRef: + key: vPbHh + name: oBAn1EoZmPzN + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: 9y6KmPZ + name: QM + envFrom: + - configMapRef: + name: lo + optional: false + prefix: mSdySXyKqEkl + secretRef: + name: t4daT3 + optional: true + - configMapRef: + name: IFTvBGq + optional: false + prefix: qKk6o + secretRef: + name: "4" + optional: true + image: JWsGq/JAUpWzFL:3WF1aV + imagePullPolicy: 躂Qʢ瞶CǁȮ + livenessProbe: + failureThreshold: 604102540 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 93396392 + periodSeconds: 1323534907 + successThreshold: 2044410955 + timeoutSeconds: -725304614 + name: console + ports: + - containerPort: 59 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -1216486926 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1636119248 + periodSeconds: -1587206371 + successThreshold: 1085720843 + timeoutSeconds: 1603673472 + resources: + limits: + HS: "0" + sspp8OAsyF: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ɇǎȬ+丰DZ}薞ɎƐ + privileged: false + procMount: Ȧ杖煃a/ɓ<3ő+笽pȗdzSj + readOnlyRootFilesystem: true + runAsGroup: 8336843233603803000 + runAsNonRoot: true + runAsUser: 956863148985923500 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: WfYQ + name: v1bEam0d + subPath: "" + - mountPath: hpZaUwi + name: 2keqwtlu + subPath: "" + - mountPath: bCeiaipj + name: RAI0g6yvn + subPath: "" + - mountPath: gRGvu + mountPropagation: Ŋ4ǔ盍薟惮睌ȿ濍ȯȀüƳ$ + name: oJv65V + readOnly: true + subPath: P20XHtoR + subPathExpr: SzD + - mountPath: xhuwGvn + mountPropagation: 搛悈nj鰣*颵俠Ʀ慫灗岵ȆǴ騔Ė栢č)q + name: ebDa1q2nKt + readOnly: true + subPath: "6" + subPathExpr: N0xOT + - mountPath: xHTM + mountPropagation: 0關ɮUeŪ + name: P8noEsWy3t + subPath: y5E + subPathExpr: oP2A6C + - args: + - 3OUsoZkVHy + - Gn3 + command: + - NLtY + env: + - name: 51Xcm68sAs + value: PUTq + valueFrom: + configMapKeyRef: + key: udLx6h9 + name: wSgnPbc + optional: false + fieldRef: + apiVersion: oVPbc + fieldPath: CGK + resourceFieldRef: + containerName: Ind7j + divisor: "0" + resource: 9tlZc + secretKeyRef: + key: z2i + name: aloI0W + optional: true + - name: nGb + value: I91 + valueFrom: + configMapKeyRef: + key: Ft8IZO4DX + name: 7PY9CO1 + optional: false + fieldRef: + apiVersion: DysSUO + fieldPath: M + resourceFieldRef: + containerName: i + divisor: "0" + resource: mbVAnrQ + secretKeyRef: + key: ZVD + name: 4gLX + optional: true + - name: SEd7KC2 + value: I0 + valueFrom: + configMapKeyRef: + key: 71k + name: B + optional: true + fieldRef: + apiVersion: vJE + fieldPath: nvSzEcQ + resourceFieldRef: + divisor: "0" + resource: fYaXGkFYlrz + secretKeyRef: + key: xDT4Uhi + name: a + optional: false + image: NLoqH + imagePullPolicy: U肵銨龋搁}ŗ=;ī篱ɺ頁掆薑 + lifecycle: + postStart: + exec: + command: + - NAmBp8Ijy9vgKS + httpGet: + path: GukCZ + port: umdXEe + scheme: ɭL莒ƠĦZ¢.0tȠȴF梩¯牏GȐ + sleep: + seconds: 2463489515348869600 + preStop: + exec: + command: + - RAP7lxh + - 0WRf37xLvaEE + httpGet: + host: Xi + port: 395093084 + scheme: '}Ä*諓懚泾ıɥ磀>ȃÓ愍瘞5' + sleep: + seconds: -2989387296528249000 + livenessProbe: + exec: + command: + - AondI + - CvX + - X9Dwm + failureThreshold: -1669443788 + grpc: + port: 1602861347 + service: 5dF71q + httpGet: + host: yOYLS + path: m99M + port: 1421693426 + scheme: cǶ嫙x勬´筮 + initialDelaySeconds: -348887387 + periodSeconds: -855526929 + successThreshold: -1868658835 + terminationGracePeriodSeconds: 7220662525875544000 + timeoutSeconds: -893266456 + name: 62y7 + ports: + - containerPort: 41082986 + hostIP: H + hostPort: -671022955 + name: Q + protocol: Ģ + - containerPort: -676585553 + hostIP: jdTqIIXMX + hostPort: 441858691 + name: bam + protocol: ã鯑 + readinessProbe: + exec: {} + failureThreshold: -1607827734 + grpc: + port: -732628448 + service: d + httpGet: + host: q2uSglvPX + path: 5YB9kNfy37 + port: -425352890 + scheme: ZʇįʔÌ玫Ʊ儝$緀ƥǣ鮀 + initialDelaySeconds: 1646541382 + periodSeconds: 597275764 + successThreshold: 1444783765 + terminationGracePeriodSeconds: -4224719974242331600 + timeoutSeconds: 1778484407 + resizePolicy: + - resourceName: YWwAdc + restartPolicy: 蓊ƽqs洊蛀Ƴ澠誉 + resources: + limits: + 9c5: "0" + DJI: "0" + uyw: "0" + requests: + 7livK1: "0" + PWZFD5fFpVA: "0" + restartPolicy: ǐ踊丸y苡汎0塛yM眗酊L攚dzyÚmG + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - țƒ摨1娣Q札遢ʌā4魯 + drop: + - W~ + - ȮnLv|麬O稕Ʉ幖0Ţ&揵¸ + - àPĪɉɯ鋹芨ȲƿƛĞx + privileged: false + procMount: ɉq$|ŀ蘨寱彣ɎȈORe]O掓I + readOnlyRootFilesystem: false + runAsGroup: -2438856757446633000 + runAsNonRoot: false + runAsUser: -8511671649189409000 + startupProbe: + exec: + command: + - "" + failureThreshold: 157629836 + grpc: + port: -20533111 + service: vASy4b + httpGet: + host: 94HpH + path: t70 + port: W59mpID + scheme: ħ6琏 + initialDelaySeconds: -146258274 + periodSeconds: 47385732 + successThreshold: -1646222325 + terminationGracePeriodSeconds: -5575789846018255000 + timeoutSeconds: -351943504 + terminationMessagePath: r0ZY2 + terminationMessagePolicy: 傂G嶃a橢抴=Ȃĺ庆ɏ鬹揖絴鹥ɣ¸Ȫs + tty: true + workingDir: XFFilzd + - command: + - VSuU6yfyc8y + - gLgP + env: + - name: PSOr4 + value: m2ujo1f4 + valueFrom: + configMapKeyRef: + key: B9Gc + name: BaR3c + optional: true + fieldRef: + apiVersion: OFu + fieldPath: Pydi + resourceFieldRef: + containerName: jPiF + divisor: "0" + resource: jyp8A7uPD + secretKeyRef: + key: fcGCM + name: Hs + optional: false + - name: Ax9HfRa4p + value: S3R2 + valueFrom: + configMapKeyRef: + key: ZDzzhFD + name: soDgOej + optional: false + fieldRef: + apiVersion: iSfQ + fieldPath: Plzxy53z + resourceFieldRef: + containerName: DfBt3S + divisor: "0" + resource: 757s44h + secretKeyRef: + key: bn2IGjj + name: x8E + optional: false + - name: r + value: PmO + valueFrom: + configMapKeyRef: + key: Htzib1 + name: gfbsiTcDY + optional: true + fieldRef: + apiVersion: Frhab7p2yh + fieldPath: K6XKg + resourceFieldRef: + containerName: CLX + divisor: "0" + resource: cq + secretKeyRef: + key: R + name: zPHkUHXQ + optional: false + image: bSZCow + lifecycle: + postStart: + exec: + command: + - "y" + httpGet: + host: 2cDO + path: L5m + port: yhJI + sleep: + seconds: 6222265361848815000 + preStop: + exec: + command: + - yVT + httpGet: + host: Ibt0C5XF + path: Kf7kW1 + port: Tlj66QW + scheme: 砰僮 + sleep: + seconds: 4926532563180302000 + livenessProbe: + exec: {} + failureThreshold: 982752870 + grpc: + port: -257993986 + service: XKTDj + httpGet: + host: 7vfaAybCd + path: GuTTi + port: 1952486193 + scheme: 馾耼qȩ罔磙ɮƥŴ²叇yēņȮ藺 + initialDelaySeconds: -817095459 + periodSeconds: 603211453 + successThreshold: -1693358568 + terminationGracePeriodSeconds: 3002071779676479000 + timeoutSeconds: 992801771 + name: 9QZX + ports: + - containerPort: -1838828544 + hostIP: cQQMftB + hostPort: -321659395 + name: XBD7a + protocol: '>V>ŝO随;YƁ' + - containerPort: -439290918 + hostIP: Bp0lf + hostPort: 431013681 + name: WQ5qc + protocol: 髄Ĝ估螗ȳ鎷ʫh + readinessProbe: + exec: + command: + - PjwAB3G + - k + failureThreshold: -2015478850 + grpc: + port: 156976837 + service: RSgDfH + httpGet: + host: Yi7aQ + path: 8Ql9 + port: 1150587533 + scheme: C箿i綔ȍȢ ŅŴ娒燸孆5乬瓤Ɛ + initialDelaySeconds: -486757233 + periodSeconds: -994300453 + successThreshold: 2128356439 + terminationGracePeriodSeconds: 4683705418302065000 + timeoutSeconds: 1635565784 + resizePolicy: + - resourceName: deutsepb + restartPolicy: õ崑o¾oɞø°ŮƑ欩Ʋ + - resourceName: WaO + restartPolicy: ±蜊ư蕭材y昍U + resources: + limits: + XiOokB: "0" + gxJ8zn4y: "0" + requests: + "": "0" + RFaH: "0" + restartPolicy: 7岻ðȸɉo熮燍ȉ=n + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 迠譚綞撪颫,ʖʃ佞诌Ŧ丞śɧ璯PʥT + privileged: false + procMount: 荞£DS + readOnlyRootFilesystem: true + runAsGroup: 6728166770219184000 + runAsNonRoot: true + runAsUser: 2918288689668335000 + startupProbe: + exec: + command: + - o + failureThreshold: -949081542 + grpc: + port: 220928812 + service: EIuHGNT4 + httpGet: + host: 21BmFcJ50ov + path: WC7WP + port: njQtxPF + scheme: 鲰ʌȱ卹烛橇淃ō雀)缅tb憅棔JǓ*ɒ + initialDelaySeconds: 1631334347 + periodSeconds: -785602818 + successThreshold: -1111896125 + terminationGracePeriodSeconds: -8014749222013301000 + timeoutSeconds: 795835881 + stdinOnce: true + terminationMessagePath: m08AZSt + terminationMessagePolicy: 盛P1砦ǚ瀱#Ʌ穇嘜\Ɍ + volumeDevices: + - devicePath: NdQPZme + name: uHcdGnKv + volumeMounts: + - mountPath: IX + mountPropagation: diȔiN6ļɃƐ釭卬O + name: fPg + subPath: iY + subPathExpr: U + - mountPath: E + mountPropagation: 1ĵ氓ŝ瘛o扬=[蟗 + name: xt + readOnly: true + subPath: 2KRhR + subPathExpr: Vm0HMwn + workingDir: jusEo + - args: + - Ejt + - DYgNM8X + env: + - name: HkwQ + value: fpHbv + valueFrom: + configMapKeyRef: + key: 3e + name: Q + optional: true + fieldRef: + apiVersion: lh + fieldPath: "" + resourceFieldRef: + containerName: E1uEhn3 + divisor: "0" + resource: 0Pa + secretKeyRef: + key: co85cv7H + name: KL1I3G + optional: false + - name: 5MQMJhqUni + value: 34PEKwUkR + valueFrom: + configMapKeyRef: + key: ABhM + name: qq5b + optional: false + fieldRef: + apiVersion: vCLN + fieldPath: tge3Z + resourceFieldRef: + containerName: ST + divisor: "0" + resource: qFS8 + secretKeyRef: + key: Am + name: BLI353a5GI + optional: false + envFrom: + - configMapRef: + name: KBum1 + optional: false + prefix: 56g + secretRef: + name: zt5 + optional: true + image: XgUFG + imagePullPolicy: 锄ģnj[眈例ƚ淍ƁĐ~ + lifecycle: + postStart: + exec: {} + httpGet: + host: Yp7F87b + path: "y" + port: OtElY + scheme: ǐʮŕ + sleep: + seconds: 640752187186511100 + preStop: + exec: + command: + - 4GYkI2pQ + - QB + httpGet: + host: DFjlmWGAFM + path: qLfFaRePdtA + port: GTUH4 + scheme: 罛&ĥ顱Ƌ + sleep: + seconds: -1289822532228205800 + livenessProbe: + exec: + command: + - youyR + - J + - IiK3AJ + failureThreshold: 527043957 + grpc: + port: -1790391516 + service: wFKNeu + httpGet: + host: TjItsuCL + path: Lo07CoiEpmJ + port: 1449812891 + scheme: 聗œdz_x忔8 + initialDelaySeconds: -923296146 + periodSeconds: -920279093 + successThreshold: 1372003156 + terminationGracePeriodSeconds: 4545671926845562400 + timeoutSeconds: -1730135112 + name: ouxZOTiA7 + ports: + - containerPort: 365499724 + hostIP: c3z3 + hostPort: -1622732613 + name: jfpQ + protocol: 鬍匤<ɔɟǜ鼴`ʃ荞ɗ线亮Ô¼ + - containerPort: 387750436 + hostIP: 7OF + hostPort: -922470687 + name: 20ZoNWnefc + - containerPort: -1003650010 + hostIP: yK31 + hostPort: -479225666 + name: 1Up + protocol: 郣-齡^c艃7ɑU牌驀墭:煞 + readinessProbe: + exec: {} + failureThreshold: -189409295 + grpc: + port: -880806937 + service: N1zEO + httpGet: + host: vN9 + path: n8TKqPF + port: -995680865 + initialDelaySeconds: -2090855365 + periodSeconds: 1849358636 + successThreshold: 811072097 + terminationGracePeriodSeconds: -5833095732594203000 + timeoutSeconds: -65186305 + resizePolicy: + - resourceName: 9rUpDkTFnW + restartPolicy: KSʮ1ĩ`乀_Ɠ颩紵 慒¨ƶ挢¸s诡 + resources: + limits: + MYEa: "0" + ngW: "0" + requests: + 174vfq: "0" + restartPolicy: 軵ƿǽ嚢遳E + securityContext: + allowPrivilegeEscalation: true + capabilities: {} + privileged: true + procMount: Ő\烔Z座畄睸zɩCɎx簫S悍a + readOnlyRootFilesystem: false + runAsGroup: -6410700953715651000 + runAsNonRoot: true + runAsUser: -8187102783441072000 + startupProbe: + exec: {} + failureThreshold: 1640672315 + grpc: + port: -799307372 + service: w9KE22PLk + httpGet: + host: e6Zo4rWs + path: tscGwI + port: 2071839677 + scheme: '&ǂȞ<辳)9撆ʚ6&U}P%捸`y' + initialDelaySeconds: 652003075 + periodSeconds: 1077051101 + successThreshold: 1528128815 + terminationGracePeriodSeconds: -2176015428967645200 + timeoutSeconds: -998563216 + stdinOnce: true + terminationMessagePath: P + terminationMessagePolicy: 8痃v7ȱ噣愜Å%Ġ3 + volumeDevices: + - devicePath: k8uvc + name: GL + - devicePath: 31O9l + name: ivY + workingDir: PtgSFsc1GvC + imagePullSecrets: + - name: s1B + - name: R54rm + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + TDma3: eGasO + cs6G: CyEFp0L + r: xdylcKb + priorityClassName: uHKqx + securityContext: + fsGroup: -4412504815274792000 + fsGroupChangePolicy: Ȯƭhjb糯妔ȂǑʜ胴}轣 + runAsGroup: 3860793197532220000 + runAsNonRoot: true + runAsUser: -1963293898483195400 + supplementalGroups: + - 2429921255984048000 + - -2773566751575633000 + - 5629450590441919000 + sysctls: + - name: h + value: zKVw + - name: D5ekUqS2 + value: 5FxU + - name: dgHyyau + value: o + serviceAccountName: S9Bk + tolerations: + - effect: 酼駘宁ì<^ʉ逐GM¼韹宅劑圦ȢN鵸; + key: LjdOPUZjJ + operator: 窃銥ɺ嘭t緯ȇw,[t捻S麨vɂ閰 + tolerationSeconds: 1714321621775966700 + value: Uvm9nY3 + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: AUro1 + operator: 聘 + values: + - x5E03owNK1 + - 61u06hoBRErcl + matchLabels: + HMA: 7iZSaiF + jCP15v: ksLC1iD + matchLabelKeys: + - cp + - CZpJKgP + maxSkew: 644443933 + minDomains: 1722624609 + nodeAffinityPolicy: ú(ʆɴȾ狍lfĒHȉ嫔7ix壿 + nodeTaintsPolicy: 遡lşř门Ǣl + topologyKey: qP + whenUnsatisfiable: "" + - labelSelector: + matchExpressions: + - key: i8xDfgO + operator: ʖĝ#烕ɋřĊI + values: + - bOA4n + - ByUsK + - key: 6fCdAFtmFF + operator: 靕ƭ錒Ĕ + values: + - JIMC2Pc + - a7wA08 + - key: xMn + operator: "" + values: + - gSa5XT + - 50IS6 + - "8" + matchLabels: + DoGCwvltR: vVXQcZcxdz + JLmhsQlh: L3AY0Pv + X9: U + maxSkew: -2038040013 + minDomains: -1884001920 + nodeAffinityPolicy: 嵋磋ɹ:ɢ慚TA烁.X幰 + nodeTaintsPolicy: 奒)ʅm=矕郔o鬻鴊ȵɯt债CŔ儤 + topologyKey: qkx4gKx7 + whenUnsatisfiable: 匊aO卞肝喚覕Ȭnr說ɉƢ/Æȧ婡賛 + volumes: + - configMap: + name: foGC + name: configs + - name: v1bEam0d + secret: + defaultMode: 64 + secretName: FOCtz7x + - name: 2keqwtlu + secret: + defaultMode: 494 + secretName: 1dug + - name: RAI0g6yvn + secret: + defaultMode: 354 + secretName: "2" + - name: MqQb15NA +-- testdata/case-034.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + name: QxrM + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - zktoFv: null + - BnTf: null + N30: null + O: null + - "5": null + up6oELWDxO: null + roles.yaml: |- + roles: + - 3vFSt6CV6h: null + - zwoEunAfS: null + - "": null + Kz: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + name: l +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + W8Ix4: 4kOonr2 + g93: wNXcKSBg + creationTimestamp: null + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + name: l + namespace: default +spec: + ports: + - name: http + port: 421 + protocol: TCP + targetPort: 214 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zE + type: d2QGeqxiX +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "l-test-connection" + namespace: "default" + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: AGiMf + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['l:421'] + restartPolicy: Never + priorityClassName: ER4 +-- testdata/case-035.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + 7lpi: QQ + RK: "" + od3x: "3" + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: HMyYp + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - CSJ: null + - 0hM2tbS5: null + ZhG3M: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + C3p: uCspVMX + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I + namespace: default +spec: + ports: + - name: http + port: 51 + protocol: TCP + targetPort: 456 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ZQQlqx7Np +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I + namespace: default +spec: + replicas: 464 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: + rollingUpdate: {} + type: Ʉ>朄崍ʡƥɼ戋\IJĹ + template: + metadata: + annotations: + checksum/config: 6556f5b75614fc7b5556cf3e548fa463f543604a0e97446ccd74584bf794de97 + creationTimestamp: null + labels: + Klzm: we + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + e: C2swj + s: vw1lrq + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: Zjc3H + operator: ~IJʚ伥ʜ1鷦鄪脳= + - key: AI40kXKS + operator: Tr^ǘõ8ù<鹶ĉ崱 + values: + - fCyDs + - nJRkjROTjd + matchFields: + - key: yFbZ + operator: Ĉ8%Sp + - key: AUDzh + operator: 礉 + values: + - agJ0f + - MD + - key: hREcH + operator: Ǻŀɏʉ紸戳禰ȸ酲 + values: + - JUaNJ + - CXFmegvU + weight: 1536882470 + - preference: + matchExpressions: + - key: pXW + operator: '@ļ矏鮯ɭ碊Gɽt蜮閻ƃǖ#ũ' + values: + - I8SZLF + - key: Rz + operator: '''p麛ȧ' + - key: mvD0aV1 + operator: 狴ȸ溂辷0Ġ + values: + - JpJWDh + matchFields: + - key: OB4 + operator: "" + values: + - tnWLH4yB + - "" + weight: 410194565 + - preference: + matchFields: + - key: 2C + operator: 屮少Ļɶ賊滺W + values: + - 28ZwpH + - ybv8 + - 8qy7 + - key: bs + operator: ŝ鮱芬Ǧ脸ƍ蠎Ā + weight: -1129044572 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: ayaEl + operator: Ɗ琫 + values: + - WGZPb + - EzYpfj + - key: Isb + operator: '@£驍' + matchLabelKeys: + - 2NNt + - NCBB22ja0 + - retU + mismatchLabelKeys: + - x3 + namespaceSelector: + matchExpressions: + - key: iQ + operator: u倲鹩?úʈ腄跛[¤O + values: + - 5y4bG + topologyKey: STnAVX + weight: -1894745290 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: R + operator: xʣcǦ:槠ʒ鄊喁蠨 + values: + - P + - 348OOM + - "0" + - key: hpIVL + operator: 鷭ʚ櫹hȅɩ&嘨Ād旌³ƑǫʄcǶ + matchLabels: + h6hNi: II1Z29P + t: 8wxT + matchLabelKeys: + - P + - axCJXjr + - ICeVp + mismatchLabelKeys: + - ljKwc + - mr6kl5v + - e + namespaceSelector: + matchExpressions: + - key: C + operator: =ĥĕ壚_隈]Ȑ釀侹ʩʎ痿c揜 + values: + - K1K + - c8fwp + - 8vQ4EPywlatl + - key: 28EpNe + operator: 鼓頳'ʛ1挂ō緕当gToʇ接遫 + - key: "" + operator: ƝZĂ 寑=愝奚Ĩw桟t摧pŸ + values: + - BuqtJnV + - 0hpJEbg + matchLabels: + 4lNwC: NEzAktH + h3ErklId8G: qClR4lO9e + namespaces: + - AYtMy3oUrS + - aX5P8O + topologyKey: 6D + weight: -1152164451 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: F6jo11z + operator: 亊路+M + values: + - h + - mmuiW + - GIV7E3H + - key: C + operator: v2佉鱉v辑ɞȠXɎʫǸú81Ɵ + values: + - QL + - MPxVd + - dqj9PPnthc + - key: 6JaPa + operator: 8dž貒ɑzןlȍH琧3ɞ + values: + - 1vJUmwXUq + matchLabels: + CIFj: YwH + Y2kn8RCwh: 90KzxhieelQ + y05g7PKLJ: 75bPN + matchLabelKeys: + - bYiD + mismatchLabelKeys: + - IiTYx5K5t + namespaceSelector: {} + namespaces: + - rZw0zlprDr + topologyKey: sxEn3K + weight: -1384321177 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: VgaK0hEji + operator: Ĺ礇紈銠噐ɴ諠2稇Ɠ鸈ý藁 + - key: S + operator: 鋸ɢǎ"膤ƭU軖tg埞鴤駩蹡 + - key: 9CwIty + operator: '`\糖ť8弤娹)覇gƲ妒墲9n' + values: + - 3j6O7C1tYz8 + matchLabels: + 0gEuFD: 74yF5 + matchLabelKeys: + - C + - IaGS + mismatchLabelKeys: + - W1 + - x + namespaceSelector: + matchExpressions: + - key: WXQ4P + operator: eĈ峧ʔƟ±ps缆D戭ǟ + values: + - "" + - EyV7u6ShG55 + topologyKey: DHgv6 + - labelSelector: + matchExpressions: + - key: RrGr5 + operator: 苭 + values: + - s + - Uk9D + - qTA4 + matchLabels: + yvalC: zQDHWOCId + matchLabelKeys: + - j1mN0G + mismatchLabelKeys: + - VdCZU8 + namespaceSelector: + matchExpressions: + - key: YzPO7z + operator: Lȇ杦娀 + values: + - 4UCJLskm4 + - VY + - key: arPd + operator: 燔佰馛{I諵Gƣ_*e + matchLabels: + g3PzQTKu: EtFrI + namespaces: + - ZXe + - ik9z + topologyKey: Os0u + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: DTU + operator: 鷚OíDzRě¤觹J闬#6U脥狍 + values: + - "" + - A5o + - gC + matchLabels: + Dm: WpOLJ + matchLabelKeys: + - z + mismatchLabelKeys: + - ICMl + namespaceSelector: + matchLabels: + XY9q9YY6uD: CiedBn + namespaces: + - vZ6M + topologyKey: OpLnLGsE + weight: 538966601 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: kEha + operator: Ę沌`f帞qA'躚S郻Ɏ珍韄 + values: + - etjdRyp + - zavjaM + - OYvYj + matchLabels: + KVwZfB: KEPzsU59 + RkZ: 0VcRQYQ + YpbOAE: DLjKEd + mismatchLabelKeys: + - djF + - SUMMj + - TGSC2G8I1Up + namespaceSelector: + matchExpressions: + - key: menWm + operator: k÷餌Ō + values: + - x9N + - mtsmYut + - key: szQb + operator: °« + values: + - hkxKeWqC + - key: YJUom + operator: ź²%FÔ縥:嗚K + values: + - NiQwKD + matchLabels: + 4AI5GYaY: ALH1BY + Bu43TOQ: WD + H: iujH1 + namespaces: + - Lc1PZ + - Z7LIE + - s4c0o + topologyKey: P7xmm2 + weight: 1130067767 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - yJiUSi + mismatchLabelKeys: + - 3ulP + - "66" + - "4" + namespaceSelector: + matchExpressions: + - key: eK + operator: 钕Ŧ + values: + - yRj + - Ukm + - "" + - key: "" + operator: 锧BȾLF譨Ɣ? + values: + - MtLk2 + - mUrlwRAdRoNX + - key: rlSqK0xlaaI + operator: 'Ɏƶʗ疇ȵMÇŕ翸鑉d劯kʦĺʄ4 ' + matchLabels: + FGHX9SlJz: MRMXuk + topologyKey: 4morNsk6TdYi + weight: -971499940 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: zosngP + operator: ʒ蠜¡ȂŧIH闦º弓鳾蠖Ą批9}_ + matchLabels: + "": wEhn + P1O8tGwJ: ZC + matchLabelKeys: + - IN0 + namespaceSelector: + matchLabels: + wMID0: aOr1UxM + topologyKey: krnVB + - labelSelector: + matchExpressions: + - key: mE + operator: 虵xǯ6熋湧ƳʝŅU节擎隆X鏯 + values: + - k + - bcx + - ks + matchLabels: + nYs: Hv5tuwQ + zAVu: G1PF + matchLabelKeys: + - u + - Gi6tJR + - "60" + namespaceSelector: + matchExpressions: + - key: bqRj + operator: ĭ啞&/sFş(墠O1Ÿ( + values: + - fe2dTLTbB + - QLUYqgc + - XBuCBfk27 + - key: exMkm + operator: m輚ɮ凪哇褚 + values: + - EQROy + - XQDPF7uw + - key: MwOO + operator: 鹗u仏兤o*>蒟顨ƽėȰ + values: + - TGv + - VVtqHApm + - 7Mub + matchLabels: + PI: elzxW + Wd1Q: MYEPScu1su + i: uENdc + topologyKey: QlwUBoDWM + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: 14jKCyMC + value: Mb95Ivlchi + valueFrom: + configMapKeyRef: + key: FMRh9 + name: VwME2dRYnb + optional: true + fieldRef: + apiVersion: NlY1uxRPgql + fieldPath: NDrKU5 + resourceFieldRef: + containerName: gPQ1TD3MX + divisor: "0" + resource: r6HOpjj + secretKeyRef: + key: "n" + name: RQLa2rQL7Y + optional: false + - name: LICENSE + valueFrom: + secretKeyRef: + key: xLO4B2BCZUJ + name: BQR2Y + envFrom: [] + image: XB9ke7yB/EwU0pzhz:SmZAnO7 + imagePullPolicy: 垿儣Ƈ#WMƻ + livenessProbe: + failureThreshold: 724782955 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1633166106 + periodSeconds: 2105675880 + successThreshold: 225361138 + timeoutSeconds: -1665363921 + name: console + ports: + - containerPort: 456 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -1128918125 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -116128728 + periodSeconds: -1936485392 + successThreshold: -1735161598 + timeoutSeconds: -1293939870 + resources: + limits: + 0PRJ1bi: "0" + JUjtrq: "0" + WN9h: "0" + requests: + TCeGWCB: "0" + x5O0IxuN: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - '@晏駚T!UɎȉépg鎘Ȉ' + drop: + - ÚơĊ猴渋ĭ8膔櫔ż択ůĦ抹 + privileged: true + procMount: 偖躪 + readOnlyRootFilesystem: false + runAsGroup: -543916493751029760 + runAsNonRoot: false + runAsUser: 7772713475568768000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: pqfdKzb + mountPropagation: "" + name: 6btv + subPath: xLjoA + subPathExpr: UseM + - mountPath: EYXxm + mountPropagation: 煊`ś蠶+蓲慅4曌Ƥ4臜.魼簌m缽荈巇 + name: 6ut6g + subPath: 7N + subPathExpr: ypY + - command: + - DlBCuc8xa + - X2hi8Mp + image: 00GQ5 + imagePullPolicy: 賎ʂG}Ƌ煚6ūaĠ腻f + lifecycle: + postStart: + exec: + command: + - mVlE + - cFmlozRTJ + - "" + httpGet: + host: RIzcOYFo + path: eZge9wzJjW + port: ugY08 + scheme: 讣Ɨƶ"ɇǘƓƮ + sleep: + seconds: -5362042555365295000 + preStop: + exec: + command: + - "" + httpGet: + host: hLxRfJhv + path: JA8kOIY + port: tpH1 + scheme: '''k:嘡葊佒ďȏǓɡ毫/视倴ĩ}Ɓ u' + sleep: + seconds: -915316715834475000 + livenessProbe: + exec: {} + failureThreshold: 1628387875 + grpc: + port: -119747124 + service: 3cnWKI + httpGet: + host: 6Wzb9 + path: Af + port: RAzYX + scheme: 嘾Q經f + initialDelaySeconds: 4951530 + periodSeconds: 1309655668 + successThreshold: 918641827 + terminationGracePeriodSeconds: -3073080783253286400 + timeoutSeconds: -1896420637 + name: yML27O + ports: + - containerPort: 509868797 + hostIP: XMFIjyy7MNejY + hostPort: 2083818454 + name: gd + protocol: 槏 R¨ƽT³簑ƤA$<猿.0d + - containerPort: -164866787 + hostIP: eh + hostPort: 1842390272 + name: H7 + protocol: y擫`/洄]ʢÓ7Ā紐ǟ塋 + readinessProbe: + exec: + command: + - 5MrELPMn + - 23x1a + failureThreshold: 1394382122 + grpc: + port: -96138878 + service: DBq + httpGet: + host: 60SrHkgc + path: OwZeja1P + port: 721461548 + scheme: ' `$ħ' + initialDelaySeconds: -2125734502 + periodSeconds: 66441733 + successThreshold: 130216629 + terminationGracePeriodSeconds: -7113768241875088000 + timeoutSeconds: -977567736 + resizePolicy: + - resourceName: 8VNf4C + restartPolicy: Ě} + resources: + limits: + 2TX: "0" + Yd3: "0" + avcFFX: "0" + restartPolicy: Ę<彪6 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ūW銹fn|óOB¶őǝ:ɛ暙- 嫴 + - 韣噺Ȑ主鋥Ɣ睩熾@Ĥvƈ + - 気ʎɭ愢勈īɔ垆ŀ槌,q儇p顼ǯ歳 + drop: + - EģIJ>筡|n譌ɶd2鍇$X/ȴ偎穾7 + - "赻探ǞiN胂a + name: 79CeZyd + subPath: xMQ + subPathExpr: NvU + - mountPath: smgfnmvP + mountPropagation: ʈ + name: CuKUC + subPath: hZ8KJ3 + subPathExpr: CK4WsX + - mountPath: zm + mountPropagation: 傩骟Ⱥ|尤fŇɓ呣ɘĩŽ + name: wRtUU + readOnly: true + subPath: T1 + subPathExpr: cidBhX8I + workingDir: M0jsi8 + - args: + - rQ7QBmZ4 + - Q32wY3lGUA + - VGeP + command: + - "6" + - 5vVr2Q + - 4YDd + env: + - name: DY1 + value: sge + valueFrom: + configMapKeyRef: + key: O8RUTpJ + name: SCF5ph + optional: true + fieldRef: + apiVersion: NY0hb + fieldPath: ViZ0f + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: sCX + secretKeyRef: + key: Ma + name: 6s6lc5 + optional: false + - name: m19lk2eiDtcdB7 + value: 0JaB + valueFrom: + configMapKeyRef: + key: VolU + name: jnFjMLIQ19 + optional: true + fieldRef: + apiVersion: "6" + fieldPath: N0wIEnFmQ + resourceFieldRef: + containerName: QwDG86d + divisor: "0" + resource: pda + secretKeyRef: + key: Uc7x1XF + name: efgc + optional: true + - name: 8A + value: 1kUmljHSb + valueFrom: + configMapKeyRef: + key: "" + name: z18yxT + optional: true + fieldRef: + apiVersion: 1qaE + fieldPath: vEzPx + resourceFieldRef: + containerName: GYhSz + divisor: "0" + resource: Ttq + secretKeyRef: + key: aaGRQS + name: C + optional: false + envFrom: + - configMapRef: + name: "0" + optional: false + prefix: 5cqcw + secretRef: + name: O7Gex12 + optional: false + - configMapRef: + name: DHEYwZ + optional: false + prefix: wSbyGx + secretRef: + name: 9nM86dZi + optional: false + image: E + imagePullPolicy: 栧Z + lifecycle: + postStart: + exec: + command: + - 6775E + httpGet: + host: hIoYmpbc + path: qEf + port: rnJpXG69m + scheme: 赙¯6a腚 + sleep: + seconds: 4894208532244896000 + preStop: + exec: + command: + - mHtY + - 0hh1Tr + - "" + httpGet: + host: BuElf + path: fJPDiyG + port: PybmIT + scheme: M*Ķ + sleep: + seconds: 7544543348205058000 + livenessProbe: + exec: + command: + - z7IJ + failureThreshold: -360493877 + grpc: + port: -1395908290 + service: zV1i + httpGet: + host: GLn + port: -279409955 + scheme: ǃU螄骰褃Ʀ诐Ɯ{,ɍb萎Ɲʢ鰪\U + initialDelaySeconds: 1831688310 + periodSeconds: -280461011 + successThreshold: 84363106 + terminationGracePeriodSeconds: 7513815341722355000 + timeoutSeconds: 442815657 + name: pGthpc + readinessProbe: + exec: + command: + - T39QO5 + - "" + - DbSsPel + failureThreshold: -1901163919 + grpc: + port: 1255815597 + service: xeTv + httpGet: + host: bipPJGJ + path: nghEbF + port: uyLPK + scheme: 翁渹牯澖 + initialDelaySeconds: 1295268788 + periodSeconds: 17921235 + successThreshold: -212369586 + terminationGracePeriodSeconds: 1061046207943693700 + timeoutSeconds: -1707711843 + resizePolicy: + - resourceName: RLHi + restartPolicy: 掳?帐(Ǖčĭ纜 + - resourceName: H1Bv + restartPolicy: Ɉ駃愝ɲƁ2*ʍJ蕦ʃĹr}尕5J埉g + - resourceName: f + restartPolicy: ɧ帨y晒ʪäǗ«ǤǞugT埤X澇寿Ù\ + resources: {} + restartPolicy: 7Y熀7rúǬ轘 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - Ǒn%Aʙ]m* + privileged: false + procMount: 鼷R珍沌 + readOnlyRootFilesystem: false + runAsGroup: -287129322294347260 + runAsNonRoot: true + runAsUser: 3942212766283409400 + startupProbe: + exec: + command: + - gN + - zpmlcJ + - DeLJ4s + failureThreshold: 102924404 + grpc: + port: -1304933194 + service: 0iK + httpGet: + host: jbg + path: ZqaSpx8C + port: UPJqfy9dOO + scheme: 韼QY岩沴ì釪儇9ĩN + initialDelaySeconds: -46268668 + periodSeconds: -1126074804 + successThreshold: -2093938118 + terminationGracePeriodSeconds: -3498490773203628500 + timeoutSeconds: -736335366 + terminationMessagePath: "7" + terminationMessagePolicy: 辺OB¯悱楆3Ǫ首傭ɟ鮛ïƇ豙ǁUȵ + tty: true + volumeDevices: + - devicePath: DSh1 + name: 1OMawuQAlZD7 + - devicePath: "Y" + name: liCI2j + volumeMounts: + - mountPath: JPO9Ewk3kgaeuBD + mountPropagation: k釂Żɮ>ɸêW箁B| + name: QGO7HtoR + readOnly: true + subPath: oYudCrOqA + subPathExpr: Z1oG + - mountPath: iH6 + mountPropagation: dP帗俪Ťŷ/6¤þ剛&Ģ趽qi + name: 9Ro4aQU5yby + readOnly: true + subPath: piBl3 + subPathExpr: nfDFn + - mountPath: uU2H4 + mountPropagation: ljQ + name: "" + subPath: rj2 + subPathExpr: E + workingDir: BveK3 + imagePullSecrets: + - name: ygWNP7C0W9 + - name: lo0PU + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + LAqpO: N7lh0C2 + RqG8qj: ltTa5 + X3q: F5c + priorityClassName: F + securityContext: + fsGroup: -8750452531563962000 + fsGroupChangePolicy: RȗɻÎ + runAsGroup: 3754171381447903000 + runAsNonRoot: false + runAsUser: 2565919490422334500 + supplementalGroups: + - 2907772986244332000 + - -4686580881125536000 + - -7134026849524392000 + sysctls: + - name: 8gezWufB + value: 2Jv + - name: 4nhjhT6P + value: 32ZuT + - name: cQk5tljX + value: Aimzt8kirN + serviceAccountName: HMyYp + tolerations: + - effect: aƻƀi + key: 7II7D0fA + operator: 跳<ȴŤƇ梐ȸŷR + tolerationSeconds: -92963183946417040 + value: U + - effect: p鸿xś冣9ɩ揊Ů忁琺ȖP壡o繊堮 + key: 5sC + operator: XɦǨ燖Ż綯逆挤ʦ斝蟏滣ʣ + tolerationSeconds: -6405135249548566000 + value: c2m6hlo + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: bsO + operator: Ⱥ8欟慡Ƿţ6氙絿鐘黬聠ç + values: + - hbuLC + - SdAZnchI + - key: b4Pjya + operator: jɀh5湧,Ȳǣ6謉<ɦ + - key: gXEm + operator: ',k涃栏岴g橚甇ȳ0禰餝榖睌ěB縩侾F' + values: + - q9VqX4l + - zoMoc9Vb5 + matchLabels: + B0T: uiIEpLD2 + V: jdhpTcaa + pz: V1dJXS8 + matchLabelKeys: + - yoFhTrxV + - o + maxSkew: -1837539887 + minDomains: 2144009248 + nodeAffinityPolicy: 怓覷環ʤ苷疿ʡB聧!]LJƱĿGť + nodeTaintsPolicy: V~0韾¾Ȣû&嵙纠&ȠVƧ鍌 + topologyKey: GldA + whenUnsatisfiable: Ƀk纩{寍HƋ&庝僟D徼聊 + volumes: + - configMap: + name: Bv0I + name: configs + - name: 00PT1WRWHX + - name: P4 + - name: fn +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I +spec: + ingressClassName: vg + rules: + - host: daRMGxIy7gKoE + http: + paths: + - backend: + service: + name: Bv0I + port: + number: 51 + path: GVhF41Ue + pathType: TeM8 + - backend: + service: + name: Bv0I + port: + number: 51 + path: UontjIzl + pathType: MN + - backend: + service: + name: Bv0I + port: + number: 51 + path: "" + pathType: xN + - host: YCgI + http: + paths: + - backend: + service: + name: Bv0I + port: + number: 51 + path: MPhdfahEcn + pathType: ECPrn + - host: GDOlAVRM + http: + paths: + - backend: + service: + name: Bv0I + port: + number: 51 + path: H5pExfzke + pathType: v8 + tls: + - hosts: + - dQiMWdJ8cYKS + - 35K + - 8Kin + secretName: C + - hosts: + - zPo + - Z7 + secretName: SiZz +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "Bv0I-test-connection" + namespace: "default" + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: ygWNP7C0W9 + - name: lo0PU + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['Bv0I:51'] + restartPolicy: Never + priorityClassName: F +-- testdata/case-036.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9mG8n4Wu4 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: AumW +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: EfQbyB + kafka-sasl-aws-msk-iam-secret-key: B + kafka-sasl-password: w + kafka-schema-registry-password: qiltVq + kafka-schemaregistry-tls-ca: kyT4j + kafka-schemaregistry-tls-cert: Tu4varJ + kafka-schemaregistry-tls-key: bmT + kafka-tls-ca: UyskLmDZ + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: hPt + login-github-personal-access-token: vRbRqD0 + login-google-groups-service-account.json: lcc9 + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: A9RDbO6GzTtHYG + login-okta-client-secret: HktzleLAg + login-okta-directory-api-token: qX + redpanda-admin-api-password: 5imX8ztdqjU + redpanda-admin-api-tls-ca: opQQ + redpanda-admin-api-tls-cert: PGcfJC3zH + redpanda-admin-api-tls-key: IhqyTvQn4T +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9mG8n4Wu4 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: AumW + namespace: default +spec: + ports: + - name: http + port: 113 + protocol: TCP + targetPort: 414 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9mG8n4Wu4 + type: XHYb2qmrk +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + GvX4jkWw: xAyNk + MdtXxfH: "" + WyrWx: 8QO + creationTimestamp: null + labels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9mG8n4Wu4 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: AumW + namespace: default +spec: + replicas: 24 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9mG8n4Wu4 + strategy: + rollingUpdate: {} + type: LJėwǮ甧 + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + jLE31lUP: LWc + creationTimestamp: null + labels: + 6W: FQvOa + YwkBSNWK: 0qqd + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9mG8n4Wu4 + jP3: iNkD + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: bkwD5 + operator: B砟摫ʟ]估ȽÓĖ頒ʙǯ + - key: 4n + operator: "" + - key: DDWUTPllaee + operator: ǒ@訹Ðđɤ軗ɲǃZ袓6悔ʙ[x] + values: + - bHwxZg + - iPWF3DQz + - yhiFQZ98w6h + weight: -551427274 + - preference: + matchExpressions: + - key: kZ + operator: "" + values: + - BMfDa + - key: l + operator: unɚʀɂ7Ǩ蘕 + values: + - 1vsAjW + - lEGj0 + matchFields: + - key: EYCyU + operator: 袒雬Ǐ蔡|骐pOĆƍbʌʝl + - key: e9QdJHV + operator: Ɏ鼛鏗擌-悝Ű + values: + - DToToJ + - Gq4 + - key: M4b3wwVy + operator: 煛苅=İ哋ońɢ\Głh斳hɷ韙 + values: + - fMIoNrUiyJdi + - tcNEhOds + - N0 + weight: -906035045 + - preference: + matchExpressions: + - key: 05VafuKQo + operator: ƃèĢC篘 + values: + - McUwm + - oMXVW + matchFields: + - key: "" + operator: 9ȮLǟ3V廉\5膏ɩ袴 + values: + - t + - r8d6G + - FevHe + - key: KeJd9X4 + operator: \Y#uɆɫwĉɎ卲S + weight: -773391374 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: PiRY + operator: 週畯嘰Œ铖'ȸ0Į5k,逊 + values: + - Fo9oE + - KLfm4 + - PiZJC + - key: 6HCuuj + operator: Ȋ!ʈh牅HŹ蓓% + values: + - PU34U + - bZ12kwJ4s1 + matchFields: + - key: CCVSIZH + operator: (铴Njʦ釖Ĩ鎅ƒ獞p)唓u¸::2 + values: + - DjvLD + - key: 9gy6tFM + operator: ø + values: + - lPjPu0 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2oL + operator: Ì溄祤BNjɎ_ )jðZF + - key: Tl1mGP + operator: r0ȨȵeēP眼饾j + - key: 98uL + operator: "" + matchLabels: + "": H0F + IGfr: 8iR8 + pTjU: 2vy5Ol + matchLabelKeys: + - l2d3an + mismatchLabelKeys: + - gomcuJ + - UMhaBnQUuSH4 + namespaceSelector: + matchExpressions: + - key: CyYjfraf + operator: 鸫ʊűoǪĞ3 + values: + - uPW + - key: vuREiHB + operator: ^ĄçȂ挌 + matchLabels: + tlcI6jz: 87JK + namespaces: + - eUszN + topologyKey: yJ + weight: 1657692208 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3d3mr + operator: 鿈Ė聭焚歉Ð(币帄Ⱥ + values: + - h + - key: Z5c + operator: ma琓 + values: + - i5Ae6oUo + - EWixIB + - "y" + namespaceSelector: + matchExpressions: + - key: XFYbW + operator: M~ + - key: lWHcsQ + operator: 铿X异~<ÿ缇ī*^ĩ + matchLabels: + s: l6sxM + vFiVA7j: WEOy1jtU + topologyKey: JW85dr45m2G + weight: 444678250 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: bMT + operator: ^)4ɊDZǸDŽ + values: + - CG9Onrt + - key: T + operator: ƞ傏 + values: + - bXs59oj + matchLabels: + 6BRwn: Pdm + Yy: aaoLnp + myN: rwJGrW + mismatchLabelKeys: + - "n" + - c + namespaceSelector: + matchLabels: + 5QMzPp: AP + D: "2" + u: Dca + namespaces: + - 8Af + - NYfxoYf + - R4G + topologyKey: yY + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2uhHhqog + operator: Ȧ + values: + - YgsgGf + - key: EaR + operator: 愅YVǵ楔¢4Ʋ + values: + - xaEk + - key: NV5iPi5Kw + operator: ' 軕氡#晉Ʀ筜篧e蹶ʀSɟʂÊʕT' + values: + - BY4 + matchLabelKeys: + - 9fTYFH7s + - aK6HB6 + mismatchLabelKeys: + - 13L + namespaceSelector: + matchExpressions: + - key: 3FT + operator: Tğ枕Ōo*a種JU-ɶƠdz鱓fƑS + values: + - 4ISUCT + - po8yM2L + - T5Q0UARu + - key: RhB + operator: "" + values: + - Re7 + - 7id + - 91GFPdrt + - key: ShRTzNRj + operator: ʬ吇Ȭ?搰Ç + values: + - HiGOGJE + - wOi + - HmllR83Dbvoz + namespaces: + - "" + - TBCPW + topologyKey: 0H + weight: 1493754197 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: CESaz + operator: ŢaæX#暁鲸'媩俛5齗aw'ĥ煆W + values: + - "" + - key: YtpoWP + operator: 瀽LƠ' + values: + - uS13z + - ip0h + - o8m9MWnmr92 + matchLabels: + 7o4tt: QX9gjN + KScJOoR95: Dpu + wfAk1b: rH5Z + matchLabelKeys: + - Yh1S1nZ7hm + - Fwx + - 6mhp + mismatchLabelKeys: + - ihvyNa7 + - m8 + - Q + namespaceSelector: + matchLabels: + 2KH67NR4: Vy8qZyy + topologyKey: w0KJ + weight: 1592497187 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 1UcAh: h + namespaceSelector: + matchExpressions: + - key: yxz + operator: ',酵ýhȿ鲹芫澥 Ǧ_Ź躄_莯ʊ傡硬M' + values: + - Fof + - key: 8KwNEN + operator: 8炮逴8`M鞵ȍȟ蟷盱 + - key: N0 + operator: Ì崌爷矉&佷* JQȴ躀厇退ƿƍ肙 + values: + - kjlwyKc + - DDz + - Yf8Vf5Ar7w7 + topologyKey: n5cRtvXjK + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: 0iCX + value: UfKNkXj6I + valueFrom: + configMapKeyRef: + key: GGYmdb5PBtUx + name: Zl1rWu9 + optional: true + fieldRef: + apiVersion: 1pKgni + fieldPath: 8Zmv + resourceFieldRef: + containerName: nK + divisor: "0" + resource: Yizp + secretKeyRef: + key: Dxqh + name: td + optional: false + - name: bm + value: K06vl + valueFrom: + configMapKeyRef: + key: dOTjzfwtRPzX + name: YleYOzRS + optional: true + fieldRef: + apiVersion: xl + fieldPath: 6NM2 + resourceFieldRef: + containerName: jreT + divisor: "0" + resource: "" + secretKeyRef: + key: B7 + name: cu + optional: true + - name: F4Vp + value: 9q + valueFrom: + configMapKeyRef: + key: dAPalKT0 + name: UXC7S + optional: false + fieldRef: + apiVersion: bTxwQmS + fieldPath: XW + resourceFieldRef: + containerName: iqnl + divisor: "0" + resource: e9 + secretKeyRef: + key: c1WJ + name: sg2TuPSW + optional: false + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: AumW + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: AumW + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: AumW + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: AumW + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: AumW + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: AumW + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: AumW + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: AumW + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: AumW + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: AumW + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: AumW + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: 3PT + optional: true + prefix: l + secretRef: + name: zakko + optional: false + - configMapRef: + name: RdxlkV + optional: false + prefix: 9Ae4W + secretRef: + name: UiJ + optional: true + - configMapRef: + name: bp + optional: true + prefix: SU + secretRef: + name: fy + optional: true + image: ai/f54I:iO + imagePullPolicy: ǫtŖŮƘ瓧ù¹勍u + livenessProbe: + failureThreshold: 864346345 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1341055636 + periodSeconds: 2055603833 + successThreshold: -175204389 + timeoutSeconds: -589897727 + name: console + ports: + - containerPort: 414 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1075627654 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 333726894 + periodSeconds: 1376975278 + successThreshold: 112483424 + timeoutSeconds: 669945326 + resources: + limits: + 7VHN3: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - '*·戌ɳKõʚK(懷ë蟅ȣg' + - vOpɔm&ɞ法槪ųf + drop: + - l¤0ɖK樌ŕDĪ箰ɬȓũ梫h揼 + - 躟OBZş互鹫Íʨƶ`ã + privileged: false + procMount: 9®俠ɳ屑ŏO'pe,Q+膿麣 + readOnlyRootFilesystem: false + runAsGroup: -289823929905824060 + runAsNonRoot: true + runAsUser: -4392330066259666400 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: Oly + mountPropagation: ƈįlñ + name: QuM + readOnly: true + subPath: NPJ + subPathExpr: vn + - mountPath: xsiqpcicm + mountPropagation: Ŝȃ燩čƃʤǸ儼 + name: blYv + readOnly: true + subPath: 8f + subPathExpr: I + - mountPath: "" + mountPropagation: 犒k洐ɨ3UʓďȏUm8/x艂" + name: i2 + readOnly: true + subPath: G + subPathExpr: Wo47OrA + - args: + - gfDaDhh + command: + - Eu + envFrom: + - configMapRef: + name: 9LtiYU + optional: false + prefix: dS5JDbtZJ + secretRef: + name: 3X5 + optional: false + - configMapRef: + name: vpOLCCmA + optional: true + prefix: IJpeUVYk3 + secretRef: + name: TaghAr + optional: true + image: Nw59jHFBw + imagePullPolicy: Eźz购綗映ò#ZuS絇溾^飷 + lifecycle: + postStart: + exec: + command: + - N2F2q + - XKeJn + - CfoVd + httpGet: + host: 0u3Kgf + port: PVA8u + scheme: ȧX[噦摼鎥憈ǴńƘŅ + sleep: + seconds: 9185496374723368000 + preStop: + exec: + command: + - lrWSClt + httpGet: + host: uS + path: 51Gzg9s + port: -1680102290 + scheme: 8涒齃ɠĬ諛鰅jyr塸ȷg× + sleep: + seconds: -302278202696680100 + livenessProbe: + exec: + command: + - fmu + - wJR3 + - 60zV6s4327rKb9 + failureThreshold: 2122798666 + grpc: + port: 1914605377 + service: ES + httpGet: + host: 7LAmwy8 + path: o2XAC + port: S5 + scheme: 犘ßħɚÂ剐*鬰ȇxȺ錎 + initialDelaySeconds: 343978803 + periodSeconds: -1725283583 + successThreshold: 1055506692 + terminationGracePeriodSeconds: -737021961431151200 + timeoutSeconds: 1721351711 + name: r + ports: + - containerPort: -341996687 + hostIP: zR + hostPort: -641414216 + name: AGa7X6lnw + protocol: 阧 + - containerPort: -1616018360 + hostIP: 8q + hostPort: -2060443566 + name: B + protocol: 位ŲȟHbfp餪魹| + - containerPort: -321829785 + hostIP: S + hostPort: 850049722 + protocol: ĢŔ=ɦŊ鳺醩hĂ踻鉀 + readinessProbe: + exec: + command: + - VRq0lZK + - nCUDH3Zgc + - f2h2C + failureThreshold: -444080905 + grpc: + port: -1484737838 + service: UL8hSUw + httpGet: + host: 8DDb + path: Z + port: It67aEO18 + scheme: 蹐疒Į浤 + initialDelaySeconds: -1225398553 + periodSeconds: -1497056806 + successThreshold: -1256842388 + terminationGracePeriodSeconds: -3265344141862786600 + timeoutSeconds: 1127947387 + resources: + limits: + "36": "0" + Oaiu: "0" + v: "0" + requests: + F0olO: "0" + tvGpYtd: "0" + restartPolicy: Ě卿ɫȰLZ懁 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - "" + drop: + - Ę螅7O5Ɵ駢Ó宮緂 + privileged: true + procMount: ʤ敠æx漭fƈŸʄ + readOnlyRootFilesystem: true + runAsGroup: -1779689763650766000 + runAsNonRoot: true + runAsUser: -1786517016760367000 + startupProbe: + exec: + command: + - Mcn36l + - "n" + - OMT3J + failureThreshold: 1137002720 + grpc: + port: -2106637755 + service: OYW + httpGet: + path: K + port: STUmUBT + scheme: 貪iɐ巶ɿiɲbɎ;Ŏċ2橺汲ŋ刢g + initialDelaySeconds: -648188998 + periodSeconds: -278768915 + successThreshold: 890955082 + terminationGracePeriodSeconds: 5660177701724483000 + timeoutSeconds: 959596283 + stdin: true + terminationMessagePath: h2a2mAm + terminationMessagePolicy: pjĉ + volumeDevices: + - devicePath: cZ95 + name: wLm + - devicePath: P9RW + name: PjzHR + volumeMounts: + - mountPath: b + mountPropagation: 脣Į + name: bOY + readOnly: true + subPath: mBuB + subPathExpr: 0io + - mountPath: DYp + mountPropagation: 9鹺t"Ĭij(?NB4ɖ鴼B屈桲ȋ噤ǁ + name: O + readOnly: true + subPath: EcI7mF + subPathExpr: HKfaS + - mountPath: NTgHw + mountPropagation: (ńÆ;裉嵀 + name: U6TGXB + subPath: wjpyjQ + subPathExpr: nqq + workingDir: NpjQN3dM + - args: + - m + - fmRfLPl + command: + - okKsRu + env: + - name: y8FxBu + valueFrom: + configMapKeyRef: + key: 1kdTq + name: NGzFHD + optional: false + fieldRef: + apiVersion: WDoDm + fieldPath: HTHz + resourceFieldRef: + containerName: aWk + divisor: "0" + resource: RcTwrpd4PaqW + secretKeyRef: + key: 27uDnW9fM1 + name: diwId6SMC + optional: true + - name: NZ1pEV + value: Xq7fA + valueFrom: + configMapKeyRef: + key: cYo + name: IhK1oKNNr + optional: true + fieldRef: + apiVersion: 0C + fieldPath: "" + resourceFieldRef: + containerName: OywKEud3 + divisor: "0" + resource: E4 + secretKeyRef: + key: gGTl + name: V + optional: false + envFrom: + - configMapRef: + name: fJ + optional: true + prefix: zFUU1PguE + secretRef: + name: S7Jre + optional: false + image: gbZ4mqT + imagePullPolicy: '*罖Ē掙*uĕĥ世û煨o曁ɖ)嬫噩肖Ñ' + lifecycle: + postStart: + exec: + command: + - nxKsxt + - F25ka4x + httpGet: + host: "0" + path: 9k0yMphk + port: GJdG + scheme: 婁箅蝼đ杣Ɗ°VAƭ0ĺ钘1 + sleep: + seconds: 8039264634100238000 + preStop: + exec: + command: + - NuJoJm + - gykEI + - "6" + httpGet: + host: UnkqD3SS + path: BhN + port: 712546393 + scheme: u + sleep: + seconds: 409536667065008450 + livenessProbe: + exec: {} + failureThreshold: 204373937 + grpc: + port: 1803358082 + service: VXsxSeh + httpGet: + host: Ht64jf7Eo + path: u1jjW9Qu + port: 556487018 + scheme: 熖Ű存ŖT磇ɘ外 + initialDelaySeconds: -1152834471 + periodSeconds: -1133396594 + successThreshold: -1385193405 + terminationGracePeriodSeconds: 2915006546098799000 + timeoutSeconds: -1401054296 + name: dfD716 + ports: + - containerPort: 691082006 + hostIP: b + hostPort: 636825973 + name: S5FmEWKv + protocol: g]se墰掀媸晓櫚驟憽hbƥsư° + readinessProbe: + exec: {} + failureThreshold: 152987910 + grpc: + port: 642951905 + service: q2qfom8L + httpGet: + host: GaxyfqlQ + path: Oh0t + port: -766612198 + scheme: UÂ_ + initialDelaySeconds: -1382761032 + periodSeconds: 967018272 + successThreshold: -178373997 + terminationGracePeriodSeconds: 6605400648980209000 + timeoutSeconds: -1404918452 + resources: + limits: + 7cu: "0" + 22n7v: "0" + XsU5mrE: "0" + requests: + kyXuqf: "0" + mBk4P9DWW: "0" + restartPolicy: ʓdT>NȚks_q祈 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ȸŏ脸(Yǃ¯~垇耗A) + - T翱ĥ + drop: + - 商ʏ軒Ƣ厢 + - Ⱥãt\跋þ漙苣ű吡憕鿶0傜om + privileged: false + procMount: Ŷ% + readOnlyRootFilesystem: true + runAsGroup: -1052699124096043900 + runAsNonRoot: false + runAsUser: 3737016357651072500 + startupProbe: + exec: + command: + - jefRNS + failureThreshold: -9144267 + grpc: + port: 642233169 + service: WjvgDkGG + httpGet: + host: 8hzgS0q + path: z + port: -885964296 + scheme: ɸliŵ + initialDelaySeconds: 1014078949 + periodSeconds: 1410148112 + successThreshold: 1164669668 + terminationGracePeriodSeconds: -3385668069040238000 + timeoutSeconds: -1723583731 + stdin: true + terminationMessagePath: zbCh + terminationMessagePolicy: 4攨2õė+軩Ç + tty: true + volumeDevices: + - devicePath: Nx + name: QLHA + - devicePath: 9JAgFLSdSqQ + name: "5" + volumeMounts: + - mountPath: KXG1 + mountPropagation: ȁ捄ɺ絒馢A¥`Èť + name: aghWO + readOnly: true + subPath: el7KEVsV + subPathExpr: tdksniBM + - mountPath: 5nus8 + mountPropagation: N饢杼M7X尅扐ǗÃɱNƞeuĦg儡 + name: TS4kHG + readOnly: true + subPath: i + subPathExpr: ktDaTCGG + - mountPath: CSkt9N0i + mountPropagation: 爕ɐYYȁ<獱椂@椗áʇ憣>\Ɋ筙纉Ë + name: KIKRXUR + readOnly: true + subPath: bWYTiq + subPathExpr: cgxlHqVV + workingDir: F + imagePullSecrets: + - name: bbjdn + - name: VI + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + U3Rfg9: WSTvjvP + hODw: LSv + iwleZ: fD + priorityClassName: gPB + securityContext: + fsGroup: 8205502301244812000 + fsGroupChangePolicy: "" + runAsGroup: -8440674019915816000 + runAsNonRoot: true + runAsUser: 4432310384984167400 + supplementalGroups: + - 7965846110903122000 + - -9174375158887063000 + sysctls: + - name: OkeQ + value: A + - name: 24y + value: fIPA + - name: "" + value: b3 + serviceAccountName: Jg + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: AumW + name: configs + - name: secrets + secret: + secretName: AumW + - name: HUa7xM +-- testdata/case-037.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ItYso + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - 2m: null + VNrY1fwY: null + eaGm2c: null + - Ng0sM: null + Txhv6: null + e2uo: null + roles.yaml: |- + roles: + - Dd: null + H0QLXtA: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ADIhC +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ADIhC + namespace: default +spec: + ports: + - name: http + port: 226 + protocol: TCP + targetPort: 87 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: u2r6 + type: At +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + "8": SeJ + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ADIhC +spec: + ingressClassName: PHr + rules: + - host: PXAcFs520n + http: + paths: + - backend: + service: + name: ADIhC + port: + number: 226 + path: 1uGP0 + pathType: dWpX + - backend: + service: + name: ADIhC + port: + number: 226 + path: hAH + pathType: LjzFf + - backend: + service: + name: ADIhC + port: + number: 226 + path: 7Qy + pathType: vjB + - host: z9QAJ5 + http: + paths: null + - host: "" + http: + paths: + - backend: + service: + name: ADIhC + port: + number: 226 + path: Hc0IpaX + pathType: bc0T + - backend: + service: + name: ADIhC + port: + number: 226 + path: dzn1ldJ5h + pathType: M + tls: null +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "ADIhC-test-connection" + namespace: "default" + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: Yi + - name: 6XnEhUN + - name: oeoW + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['ADIhC:226'] + restartPolicy: Never + priorityClassName: U7wS +-- testdata/case-038.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: fP77cJ3T + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - zn: null + - WCQKaiaj: null + py: null + roles.yaml: |- + roles: + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: j1dUk8TGy8Np +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: j1dUk8TGy8Np + namespace: default +spec: + ports: + - name: http + port: 46 + protocol: TCP + targetPort: 43 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: ld + type: uqFB +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "j1dUk8TGy8Np-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: OlRQO + - name: Hkuk3 + - name: fP + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['j1dUk8TGy8Np:46'] + restartPolicy: Never + priorityClassName: 89gnK9rXyDXui +-- testdata/case-039.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + PPZDrdmxKV: UBjiSx + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8s2qVhKEW + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - 6O4d: null + EY: null + oPTMvYGp: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: bbshm +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + 4yhZo: zLVEslN + Amz4VM: QAvK + IPCS: b1R + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: bbshm + namespace: default +spec: + ports: + - name: http + port: 400 + protocol: TCP + targetPort: 329 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: o2F37Lr + type: dPOD9Kzb +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: bbshm +spec: + ingressClassName: qyKUEOUT4u + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: bbshm + port: + number: 400 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - F7m23 + - "7" + secretName: M +-- testdata/case-040.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: KchYZFsbB3 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: KchYZFsbB3 + namespace: default +spec: + ports: + - name: http + port: 424 + protocol: TCP + targetPort: 17 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6sW + type: oZi +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: KchYZFsbB3 + namespace: default +spec: + replicas: 291 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6sW + strategy: + rollingUpdate: {} + type: G阏发6s + template: + metadata: + annotations: + checksum/config: 6f40381c972fd418dd311a992b76c4181a57129add8096d427da1c5284bcdd8a + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6sW + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 7RRFnuao + operator: 鑿梞e璺瀧敢tȱ + - key: 3qz030r9N4 + operator: 脟óȨq駥Ƽx垤R$L + - key: 4egJ + operator: 敕ƒ洀ņ+Ō轲C丼Ʒij.ƾ蚯ƺ痻3皆咒 + values: + - "" + - J66saNw8 + - xBRUfDKhiA + matchFields: + - key: Kgp4qFm + operator: 桋iz<ïŃǃ襶D齿 + - key: 7F + operator: "" + values: + - iquNT + - aFPIw + - lYMJn4Un3 + weight: -954635927 + - preference: + matchExpressions: + - key: ePHgEs + operator: 撹ł + weight: -2109244754 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gK + operator: 垭ʮȌ)"彛 + values: + - Vvo + - "" + - key: n0 + operator: 挪VɱȒ + values: + - 595ST + - sHQoTQgQ + - ZyYxnGB + matchFields: + - key: "8" + operator: 餒ơ鋦r)锟壃m汇 + values: + - H8 + - matchExpressions: + - key: nErJm + operator: Ûɟ敀淽 + values: + - sbjW + - 1l + - go + matchFields: + - key: ozzkD4D + operator: Ʌ\h崭蠒ȓ旉蹖楚_掁S5 + values: + - NrN0Id15O + - VrahPz + - YJfhO + - {} + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: qiGNj + operator: jƯȨ穞ɿPȧ + - key: HPRR + operator: ž8ƃKKDz蠽ƚ0ƻ + values: + - NAx + - Pr2F + matchLabels: + LY: ZRjD + matchLabelKeys: + - ikCO + - n25 + - IY0AqNStYm + mismatchLabelKeys: + - uO6G + - EFKfLOM0 + namespaceSelector: + matchExpressions: + - key: frBwUGG + operator: ǧ啯ʖ6džȡ衺Z莋æȘzv + values: + - 68q + - PrId4k5Nk + - 1Izg6c + - key: H5neR + operator: "" + values: + - gf2 + - "" + - key: LTEiVQV + operator: ʅďl$y韙bO儺e籾吕ŃV + values: + - LccIflVn3 + - QX + - kRZLtn + matchLabels: + lccn5: lx6 + topologyKey: AE + - labelSelector: + matchExpressions: + - key: ljGag0 + operator: "" + values: + - 3AlcF9eOiK + - key: XPoIj + operator: ĻĵN稙²x鸴ʊ + - key: "" + operator: m[ɻD«ʯĢĥɖHÃú锺N蓍!f + values: + - cwRFs + - wJtpMgyV1I + matchLabels: + 6gzmw2BW: v1eC + QI6Gl: Ckzyw0v + uRw21: 36kl + mismatchLabelKeys: + - XiX9Mrhv + - Xk2Ri + namespaceSelector: + matchExpressions: + - key: Roq9G + operator: 槓G{? + values: + - YCBJEhS + matchLabels: + 9X5C: TU1y + PG1k: 8j76iX8R + iYq9QLUSh3bk: Mvl2WRQ + namespaces: + - Pp + - z1O9mW5rB + topologyKey: U + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: pqtCgWlk + operator: eŭñZ) + values: + - 6eUrtsX + - GmGeP7 + - pBhe0 + - key: gctw + operator: L?岤紎!蠾黅誽帯÷Ʉ坏q + values: + - G + - "" + - "" + matchLabelKeys: + - IGYc + mismatchLabelKeys: + - C + - XlxD2Y5h + - Eut + namespaceSelector: + matchExpressions: + - key: QNvJq6Uc + operator: Ǔƀ閝遨垛簙UdĢ7ȍ騽¹DŽ + values: + - m4wq + - TmuqVB1 + - key: PTVC + operator: 珙'ɀɒ虃龓楼ƺ譄êǿ + values: + - w + - K + matchLabels: + GQp: tw + namespaces: + - t + topologyKey: I9Ng7D + weight: -278680619 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: IaZiqfV6 + operator: 幋x:Ȗ + values: + - XmaYG80 + - aaEScB + - DxB + matchLabels: + J3Ny9zUJ2DOTKO: eiUL0RR + lt: bqOs + matchLabelKeys: + - XYHp1S + - JKj1 + namespaceSelector: + matchLabels: + WopugltEP1J: eaGpkiS + namespaces: + - H9w9Q + - A8D + topologyKey: pvkKW + weight: 252280673 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: lSi + operator: 襚ǫAŇþ腦W[ĕ嘱ʌſœɃ槏Z岪 + matchLabels: + OzmceOBQ: F2mtk + QcoH: qt3OR6ZcjY + t5Cqg1: 1x9WW8EUyyn + matchLabelKeys: + - 0XGJ + mismatchLabelKeys: + - K6T + namespaceSelector: + matchExpressions: + - key: KoofEA + operator: ' íɀ馩Ȭɫġo娤螗暴Û漷ʦO腔' + values: + - nj + - U + - onkfJ4 + - key: 0aO + operator: Ŷű輖+¶)罩ƌ×螂 + matchLabels: + 2hf: GeFfROs4 + pA23: kqkG + rZ: DH6cT + namespaces: + - yvfsu + - L3Pu + topologyKey: BBBCjZel + weight: 392487334 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 0hp: sd9 + mwTeR: D3HlJbmoK8 + matchLabelKeys: + - MwDkniC + - "" + mismatchLabelKeys: + - VuQB + namespaceSelector: + matchLabels: + 1x: Pj + D3J: 4gFps + bQU: weT0tI + namespaces: + - y9zrYKWApO + - rq0K3 + - 5XUeP7 + topologyKey: P7V + - labelSelector: + matchExpressions: + - key: Jv + operator: 啽ŃŐø + matchLabelKeys: + - s + namespaceSelector: + matchExpressions: + - key: Fy5Deb + operator: 旉錛!荕Ɂ! + values: + - nbiy + - "" + - 6QORDbd6zn + matchLabels: + bba0KJ: NE1j + nYif5xu0Hy9XW: 0s + qAoT: "46" + namespaces: + - 4JHyx + topologyKey: 7621t + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: cD + value: JW + valueFrom: + configMapKeyRef: + key: "" + name: 8Ri7OfQ + optional: false + fieldRef: + apiVersion: Qc + fieldPath: 6ZYFg + resourceFieldRef: + containerName: qkUV + divisor: "0" + resource: yEf5zz13U + secretKeyRef: + key: xozuxs + name: z + optional: true + - name: "" + value: gea3 + valueFrom: + configMapKeyRef: + key: hwe3l3k2h + name: QX + optional: true + fieldRef: + apiVersion: kx + fieldPath: m7f + resourceFieldRef: + containerName: 0XEGE + divisor: "0" + resource: y4ce5 + secretKeyRef: + key: hmvX + name: 18Z + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: a7Ph + name: zsHNWVcS9 + envFrom: + - configMapRef: + name: DR3hdrvZIv + optional: true + prefix: kGV4HZ8 + secretRef: + name: tR3Yu1G + optional: true + - configMapRef: + name: 6pMd0VA0 + optional: true + prefix: Csp + secretRef: + name: ceqZBJ7fdqP + optional: true + image: cwfXN2KlU/qYQHJ:RIG + imagePullPolicy: -0Ź桛ɼ訚Ņ;秵ňĝ苒9麡ñà臸ʫ + livenessProbe: + failureThreshold: -1894321442 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1986051838 + periodSeconds: 541607099 + successThreshold: -1968479306 + timeoutSeconds: 1374945691 + name: console + ports: + - containerPort: 17 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 467513555 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -6410364 + periodSeconds: -623380707 + successThreshold: 1641270972 + timeoutSeconds: 1203716236 + resources: + limits: + "1": "0" + MrwIP: "0" + hgaW: "0" + requests: + 1lF: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 阊 + - DIȜO吽解诎-曅 + drop: + - 贎秨Ůɭ懾Ù盾| + privileged: true + procMount: ʪ勪įOew\Ǡ礓 + readOnlyRootFilesystem: true + runAsGroup: -6230225082797374000 + runAsNonRoot: true + runAsUser: -2569068293811685000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: d + name: ieSo8V + subPath: "" + - args: + - jlI16Xnnb0 + - x0Z + - Tv6z + command: + - 3MnkZe0L + - OK + - cKvaGI + env: + - name: 7RtgX9 + value: TQH + valueFrom: + configMapKeyRef: + key: "" + name: GE2 + optional: false + fieldRef: + apiVersion: x2H + fieldPath: iVYVzT + resourceFieldRef: + containerName: 3QSG + divisor: "0" + resource: AgMtPE + secretKeyRef: + key: BhGA6 + name: LKemd3Cs9 + optional: false + - name: 9dFxchX + value: huoZj + valueFrom: + configMapKeyRef: + key: skdmo + name: gSEkUx + optional: true + fieldRef: + apiVersion: ymAcwLzaJ00G + fieldPath: de9Q + resourceFieldRef: + containerName: ZgwwQvA + divisor: "0" + resource: OTraA + secretKeyRef: + key: Pe8 + name: 39mCZV7ERv + optional: true + envFrom: + - configMapRef: + name: l + optional: false + prefix: kGdnbCakM + secretRef: + name: JrDM + optional: true + - configMapRef: + name: 0iH67 + optional: true + prefix: 3JVMhcII7 + secretRef: + name: PS1J + optional: true + image: Bx3IW17kjF7 + imagePullPolicy: È8秏糇 + lifecycle: + postStart: + exec: {} + httpGet: + host: EeLx + path: JC + port: 638412697 + scheme: 翔ĩñɁɬj局³喪Eů磘Ʒ唡嬤 + sleep: + seconds: -2739564842418698000 + preStop: + exec: + command: + - zjNyV + - 3i + httpGet: + host: RxhMCXQN + path: Dq + port: -821303664 + scheme: 髒xD>?ǠĆ踃w¬ + sleep: + seconds: 8925361607851383000 + livenessProbe: + exec: {} + failureThreshold: -2015695369 + grpc: + port: 102189788 + service: VG2k6Atq + httpGet: + host: 0dxm + path: Pix7SytH + port: 284583441 + scheme: 畝ǂƬƜ聞|b + initialDelaySeconds: 1150668189 + periodSeconds: 1279412097 + successThreshold: 337444728 + terminationGracePeriodSeconds: -665826210809930800 + timeoutSeconds: -802810999 + name: 1KSo0a + readinessProbe: + exec: + command: + - 3cCL4 + - en + - VN0 + failureThreshold: 448729232 + grpc: + port: -174942651 + service: paUcCUtV8A6 + httpGet: + host: tSEChhvGgDsf + path: Jrr + port: 516172996 + scheme: c{Ƭ臾斡:Ɣ?Í + initialDelaySeconds: -714126900 + periodSeconds: -88316167 + successThreshold: -1820867160 + terminationGracePeriodSeconds: 272130190949654340 + timeoutSeconds: 1803351679 + resources: + limits: + f9GQWFTKPFP: "0" + g5: "0" + requests: + 4A89zLoFG: "0" + SmOBH: "0" + restartPolicy: Ű高ǙG%7BČCaďʥyď + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - H鞕ă鶅镀秀 + - Ŏ昮0yƤɯ斺R妕Je芓BɜCĵ + privileged: false + procMount: ÿʑ鎆乭cŇ陛ǼȠn + readOnlyRootFilesystem: true + runAsGroup: 5591360478943232000 + runAsNonRoot: false + runAsUser: 6381588597473823000 + startupProbe: + exec: + command: + - rV83LKQ + - 87Vc + failureThreshold: -2022114361 + grpc: + port: 1348736621 + service: Gx8f9phR + httpGet: + host: fWnW4CGV + path: yQl0PNEE3g + port: TYi + scheme: 絅xn,ȵ6ʎ癙 + initialDelaySeconds: 205090742 + periodSeconds: -1401542741 + successThreshold: -2130268569 + terminationGracePeriodSeconds: 4104437343850793000 + timeoutSeconds: 604054255 + terminationMessagePath: ec8kHaD + terminationMessagePolicy: 甎i + tty: true + volumeDevices: + - devicePath: NFjF + name: AH + - devicePath: "" + name: u + - devicePath: 0q6A + name: nFe3FY4 + volumeMounts: + - mountPath: ad7JXhGN + mountPropagation: =廄殞+ + name: qVHWCUHp + readOnly: true + subPath: m3RBekA0 + subPathExpr: 7F0F8Ge + workingDir: LmnqIVV + - args: + - 3g94Jb + - "n" + - HxatWli7Qe + env: + - name: yKfn + value: fni0 + valueFrom: + configMapKeyRef: + key: cQjxg02ud + name: DqLUCO + optional: false + fieldRef: + apiVersion: dS + fieldPath: aH + resourceFieldRef: + containerName: BVSH2Bxu + divisor: "0" + resource: ZLW3 + secretKeyRef: + key: J + name: APYyG5qY + optional: false + - name: b4i9WEf + value: Ru + valueFrom: + configMapKeyRef: + key: mzxgZ + name: XgDd + optional: false + fieldRef: + apiVersion: U1l + fieldPath: sG2pcjz + resourceFieldRef: + containerName: Vlc1Ru + divisor: "0" + resource: hZpqB + secretKeyRef: + key: X0W3QpdAhux + name: I3L + optional: true + envFrom: + - configMapRef: + name: DJjN7Phe + optional: true + prefix: 4K2MBzNl + secretRef: + name: s4GF + optional: true + - configMapRef: + name: td0aZ + optional: true + prefix: CYvFW + secretRef: + name: WaBWGCRa8 + optional: true + - configMapRef: + name: ehHs9m + optional: false + prefix: n1x + secretRef: + name: TdUJ + optional: true + image: UNJ6E6 + imagePullPolicy: 砓³绔丬A + lifecycle: + postStart: + exec: + command: + - Qs8Sd + - JGX4Qj + - eCw00uq + httpGet: + host: NNLSd + path: y4tS + port: QzOfwe3a + scheme: º猗ĥɮƅLɘ隮术ƒ赥;,ǝ髳Ĝ7Ĭ嬳 + sleep: + seconds: 1170469124057922000 + preStop: + exec: + command: + - TN62uDLAuIx + - ndI + httpGet: + host: t7H6l2 + port: RHeYpAvJ8 + scheme: KǠɀƴ杔¸Ɉ$毕削peýfv! + sleep: + seconds: -5232306180460338000 + livenessProbe: + exec: {} + failureThreshold: -1900233123 + grpc: + port: -1323381498 + service: wJ + httpGet: + host: pAHsn3 + path: k31zW1 + port: 2elbrK + scheme: 痯秿丌 + initialDelaySeconds: 537756270 + periodSeconds: 1139432456 + successThreshold: -289377675 + terminationGracePeriodSeconds: -709025030374540900 + timeoutSeconds: 254134433 + name: zWs + readinessProbe: + exec: + command: + - x093a + - v1 + - Ef + failureThreshold: 75768089 + grpc: + port: -237977747 + service: "y" + httpGet: + host: EBEth + path: C + port: 790399211 + scheme: ær堹mhʢ + initialDelaySeconds: -157687184 + periodSeconds: 1071897332 + successThreshold: 824432298 + terminationGracePeriodSeconds: -54575953702939670 + timeoutSeconds: -1190752843 + resizePolicy: + - resourceName: R9fM + restartPolicy: ?ʖȒƅƀ逎v鐰wģ籫 + - resourceName: 7C + restartPolicy: óʌF鿯薸k} + - resourceName: Bqy + restartPolicy: E吻X秤} + resources: + limits: + UMJnobyO: "0" + qJmAwr: "0" + requests: + ZktW7e51vRUG: "0" + restartPolicy: '>ŀ鎙莸鼔茷蝼薼Ƽƅ°3貦罌臣洴軟處姼' + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - 儜vƝ¾ + - 輝Ġ$琑+檂 + - 飂 + privileged: false + procMount: ɓĎʙʗG0瑑娄K坢Ö&Ù + readOnlyRootFilesystem: true + runAsGroup: 2234167178876811300 + runAsNonRoot: true + runAsUser: -1191472066985646800 + startupProbe: + exec: + command: + - KGi9U + - D6 + - HZ3aC1 + failureThreshold: -2057203764 + grpc: + port: -1203229903 + service: Xd + httpGet: + host: tTW + path: oWk + port: -1347841801 + scheme: 檸`sȝBULj懄 + initialDelaySeconds: 1386184157 + periodSeconds: 2110004457 + successThreshold: -692279219 + terminationGracePeriodSeconds: -7060466210747559000 + timeoutSeconds: -905577521 + terminationMessagePath: g + terminationMessagePolicy: 頨Ĥ° òȯǤū暓坐ƚă杋鍄 + volumeMounts: + - mountPath: FmQht + mountPropagation: 饌^ǩ朳ųW磀ĥAijƨ+= + name: j5 + subPath: aoEWb7k + subPathExpr: 0ra + workingDir: zmwmt + - command: + - oFEaN2U1 + - HuBj9vk17eCjI + - "" + env: + - name: n3JVvVY + value: U14PEXs + valueFrom: + configMapKeyRef: + key: Ai0Xg3owIe7XlG + name: U4 + optional: false + fieldRef: + apiVersion: ZyO4Jpwkp2hV + fieldPath: roNil + resourceFieldRef: + containerName: gx + divisor: "0" + resource: Z + secretKeyRef: + key: AcP + name: qMy + optional: false + - name: oSWakHA + value: eR + valueFrom: + configMapKeyRef: + key: qsSVOr + name: o + optional: false + fieldRef: + apiVersion: SeP3aPXfjLIcfE + fieldPath: 091i + resourceFieldRef: + containerName: T5hI + divisor: "0" + resource: KxGi43CVGe + secretKeyRef: + key: "" + name: 5uI + optional: true + envFrom: + - configMapRef: + name: MujT + optional: false + prefix: cVRH + secretRef: + name: mpF + optional: true + - configMapRef: + name: MeO3F + optional: false + prefix: w3C4 + secretRef: + name: hnYx + optional: false + - configMapRef: + name: NT5MFmC65 + optional: true + prefix: "7" + secretRef: + name: yl2ze1 + optional: false + image: A8o + imagePullPolicy: ?晐T鴭Xp + lifecycle: + postStart: + exec: + command: + - zaLOG2 + httpGet: + host: kA51kbv + path: LMnFclIJczBo + port: 402299955 + scheme: :踖坯(Iȷ碨劅 + sleep: + seconds: 245674034851902980 + preStop: + exec: + command: + - Tz87qO + httpGet: + host: Xr6sP + path: xxE + port: 1901089000 + scheme: 3媧ş>La芸`Lzuŀɽ坤¦.痻Jǻ + sleep: + seconds: 6906639179439192000 + livenessProbe: + exec: + command: + - yxk0313sz + failureThreshold: 385001414 + grpc: + port: 1589713469 + service: UA + httpGet: + host: ZWfT + path: vTNYug5RZh + port: -192111662 + scheme: e¢dYÜdz + initialDelaySeconds: 1708942834 + periodSeconds: 1356452566 + successThreshold: 1750780088 + terminationGracePeriodSeconds: -1272770054640189000 + timeoutSeconds: 1656218869 + name: FxzTg + ports: + - containerPort: 63673829 + hostIP: 4xjED0VKV0G + hostPort: 2007665826 + name: xbwJ + protocol: ¼vb皪螯ʉwʒR玔È覦劙 + readinessProbe: + exec: + command: + - 0S + - "" + - GkPj + failureThreshold: 1405674719 + grpc: + port: -1659132742 + service: gIFP + httpGet: + host: jYnI3ins7 + path: bIEaFAc1 + port: UHfz + scheme: ʼn + initialDelaySeconds: 1531278754 + periodSeconds: -238235402 + successThreshold: -1690388514 + terminationGracePeriodSeconds: -2788228502880198700 + timeoutSeconds: -567709755 + resizePolicy: + - resourceName: nxpzTS + restartPolicy: ƫŀMs+,ǼƞȒ + - resourceName: 61uCVQ1 + restartPolicy: /澰ɍ½鑀a帷[鞺鏨攬姟壃F$R犬 + resources: + requests: + YfM: "0" + restartPolicy: œ|F彟S崘Ȑ貸1Ũȷ+齳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 鸎dĉç荧 + privileged: true + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: 5795239965908151000 + runAsNonRoot: true + runAsUser: 2409160731771391000 + startupProbe: + exec: + command: + - D6j2Q + failureThreshold: 975103738 + grpc: + port: -2081980063 + service: Nh + httpGet: + host: vdLm3FUXIs + path: jqCqF + port: "" + scheme: Ű"ƆĩNÙ襔冠ʈ + initialDelaySeconds: 524220215 + periodSeconds: 923596095 + successThreshold: 547119693 + terminationGracePeriodSeconds: 7382309226647739000 + timeoutSeconds: -1902082444 + terminationMessagePath: 2i5 + terminationMessagePolicy: 踑ĆĦ荷ýA/ǎ桫 + tty: true + volumeDevices: + - devicePath: KlUUX + name: NWO + - devicePath: W1JLM + name: qNw + - devicePath: BVE + name: c + volumeMounts: + - mountPath: yCztpht + mountPropagation: 巧苄;钽肇謌ʭɿw刄wɰM迵. + name: Mv9 + subPath: RWmlw + subPathExpr: Oy + - mountPath: Gf + mountPropagation: ɩ + name: On78O + readOnly: true + subPath: s7p + subPathExpr: 57aJIvpEm + - mountPath: m + mountPropagation: 崌蠿Ƣ湺 + name: CXSu + subPath: F8oe + subPathExpr: S + imagePullSecrets: + - name: V1 + - name: AyLzRkaGE + - name: 3pZ8 + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + y63G: wNiNvOMv + priorityClassName: 3A + securityContext: + fsGroup: 2302511509023017200 + fsGroupChangePolicy: 闦ñ禢`J鉤 + runAsGroup: -2347956389924857000 + runAsNonRoot: true + runAsUser: 1720952380350228700 + supplementalGroups: + - -621944387099711200 + sysctls: + - name: CvGz + value: "" + - name: dO + value: qwZyE + serviceAccountName: Cj + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: pPoL + operator: ǭȉćŴ讶Y + values: + - "69" + - UC9 + - "7" + - key: 6toZoG + operator: Ġ+kʫȸ颷ʅÓ欽V譵; + values: + - go8adRXrn + - key: S + operator: ĕȻ*Gɝ靿暛_洳瑼Ĩ + matchLabelKeys: + - "" + - V7xIs1 + - eqq + maxSkew: 983843814 + minDomains: 854272231 + nodeAffinityPolicy: '>S篐ö抏茄(6' + nodeTaintsPolicy: e3äTȦ硷B捕萑Ǵ吷Ǿ邂Ǝièø + topologyKey: NoEcMWkg + whenUnsatisfiable: 幗鞲&渶Ÿɪ`鹵N + volumes: + - configMap: + name: KchYZFsbB3 + name: configs + - name: ieSo8V + secret: + defaultMode: 83 + secretName: mD0jl + - name: iPeR + - name: ZgdCb2kUB +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "KchYZFsbB3-test-connection" + namespace: "default" + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: V1 + - name: AyLzRkaGE + - name: 3pZ8 + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['KchYZFsbB3:424'] + restartPolicy: Never + priorityClassName: 3A +-- testdata/case-041.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + 5DCBJ96u: 12Himnm + ZQrRxpb: Aa + abcRNo3AHIw: gH1 + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: 0Z71mJNQUx + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: 4uTKbvRNSh + kafka-sasl-aws-msk-iam-secret-key: tfc + kafka-sasl-password: NAMo + kafka-schema-registry-password: 5LUUey + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: i + kafka-tls-ca: Fydyp8 + kafka-tls-cert: R4y + kafka-tls-key: "" + login-github-oauth-client-secret: Y0 + login-github-personal-access-token: xyn + login-google-groups-service-account.json: zFJbYJ + login-google-oauth-client-secret: CsVVc6 + login-jwt-secret: SECRETKEY + login-oidc-client-secret: dsx + login-okta-client-secret: wr9eIA + login-okta-directory-api-token: Dy + redpanda-admin-api-password: O7kPq + redpanda-admin-api-tls-ca: 7ORz + redpanda-admin-api-tls-cert: IT + redpanda-admin-api-tls-key: KR25cT +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - EQY9390E: null + WXyS: null + roles.yaml: |- + roles: + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + Sxsz0HWh: z9cj + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq + namespace: default +spec: + ports: + - name: http + port: 359 + protocol: TCP + targetPort: 363 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: x + type: tJUW +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + I4K: K1yz + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: x + strategy: + rollingUpdate: {} + type: 稫启玩ɡʂ56 龪o + template: + metadata: + annotations: + checksum/config: 2e1f5f5401bac9a6ca8b2205a50f20ebc4a08fcafa78467ca458eb9e8411b634 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: x + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: gRchHJ + operator: g>騿b鈐ʃB¾偡医選ȍ恋 + values: + - I + - Ei + - "" + - key: hyf + operator: 斒ʃǜƆƲ + values: + - QUyyD + - key: Bkmx + operator: ư酰姺醪芄堑 + weight: 751548356 + - preference: + matchExpressions: + - key: oLam + operator: 蟹 + values: + - ouUaVpYnKDUI + - key: vjw6GPYYTKt + operator: 竣iN¸嚿×ɮib + values: + - ZTaqp + - key: d8VuBX6qV + operator: 脼Ȩ + values: + - a8aOe1 + matchFields: + - key: twbeCR + operator: óçøG靼Ɏȸ­乷ɍ + values: + - fJAm6rm + - 2h8IU + - zE9 + weight: 291395585 + - preference: + matchExpressions: + - key: qC6uf99en + operator: 鼢犖龆醑IÐ肣ɚòĺIGʖƟ穿ź' + readOnlyRootFilesystem: true + runAsGroup: -6867300864246943000 + runAsNonRoot: true + runAsUser: 972586500223089800 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: ctE5Qa + name: gcTdF + subPath: "" + - mountPath: n8KpOJZ + name: "4" + subPath: "" + - mountPath: 3Ka7 + name: lBE0nAE + subPath: "" + - mountPath: cIK + mountPropagation: 爂 YLƝ«煘?沀#朚ń鮾+ğÔ + name: orwvhF0 + subPath: ivP1ha4I + subPathExpr: VPCFJYVRHf + - mountPath: s + mountPropagation: m椥扶ȟqÈ倕{峙刷} + name: O35 + subPath: AN + subPathExpr: vm7 + - mountPath: 7P72D19W + mountPropagation: 堂窜B,Ś贃腔Ʈ£顽ąfYR + name: 6Z + readOnly: true + subPath: d7MJ + subPathExpr: LF + - args: + - M5GoLEac + command: + - "" + env: + - name: xn + value: gHloqKCZA0M + valueFrom: + configMapKeyRef: + key: 9EasdvqH1 + name: 3Jm5qlVRdb + optional: false + fieldRef: + apiVersion: IEuh0S + fieldPath: yGW + resourceFieldRef: + containerName: 6ytjPS + divisor: "0" + resource: Z + secretKeyRef: + key: a1KfCCp1 + name: OspUW + optional: false + - name: 1jMB + value: gsvW9h + valueFrom: + configMapKeyRef: + key: lEB1Z + name: sB + optional: true + fieldRef: + fieldPath: zsUJ + resourceFieldRef: + containerName: 11SE1A + divisor: "0" + resource: OFZYobDs5 + secretKeyRef: + key: wwZ + name: 0z + optional: false + envFrom: + - configMapRef: + name: AuPTaMX7 + optional: true + prefix: YNB9WA + secretRef: + name: QyV6 + optional: true + - configMapRef: + name: N5izN44MJ + optional: true + prefix: 103jYU2pj + secretRef: + name: IsJ + optional: true + image: f + imagePullPolicy: ']L7掻钏ĚxǢRʃd×?ŠɓT{' + lifecycle: + postStart: + exec: + command: + - 1Kv + - F2E + - uX1vDFV + httpGet: + host: XQ5sY + path: 5X8E + port: ZEAsx0C5i + scheme: 巇L嶤n蔢ȥ.&h喵趶旃 + sleep: + seconds: 3646722142291548000 + preStop: + exec: + command: + - "98" + httpGet: + host: MWUlhjhJA + path: JM3LkEQY + port: I4x4q + scheme: ʄȀ%ʎ兒餐oc-c + sleep: + seconds: 2358122019278204000 + livenessProbe: + exec: + command: + - dyqr + - 79j + - 6N2YiU + failureThreshold: 1763651267 + grpc: + port: 1387074657 + service: m + httpGet: + host: G + path: 9kp6wlF5 + port: 5zuLtPI + scheme: d輢殣ſē诧Wɹ讏 + initialDelaySeconds: -1520109712 + periodSeconds: -1170771093 + successThreshold: -1383663641 + terminationGracePeriodSeconds: -1296467687071372800 + timeoutSeconds: 1017261975 + name: xf5VXbM9DX + ports: + - containerPort: -1245943187 + hostIP: iVo + hostPort: -1606480480 + protocol: à唿Ň癫俤健ǛƵ虰響 + - containerPort: 1088776251 + hostIP: mN + hostPort: 2006200810 + name: izfW + protocol: 蠣狓j霎緦(Lǫ[ + readinessProbe: + exec: + command: + - w + - ZZzn + failureThreshold: -841549142 + grpc: + port: -1318693763 + service: z3 + httpGet: + host: DK8AT0w + path: TQEPNMTrmL26 + port: -1446467943 + scheme: ś檊:& + initialDelaySeconds: -768827532 + periodSeconds: -2057604270 + successThreshold: -1558550931 + terminationGracePeriodSeconds: 6890017506404353000 + timeoutSeconds: -1558365951 + resizePolicy: + - resourceName: BhJ20rFM28sOexT + restartPolicy: 槟"äÅ緦Xjê荀谆 + resources: + limits: + 3yphxx: "0" + requests: + "71": "0" + qj1cwc9x: "0" + xIH2: "0" + restartPolicy: 兜藄墲皀 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 翇ƒ\Ý琂麌褶犗錀Ć姉溬[I珵巖â迍Õ + - ȖnS¦ºǀʼndz&ü1 + privileged: false + procMount: ǻ\頧ADȜ[ʋɺɗ鬌ʢ栵鏆W剨 + readOnlyRootFilesystem: true + runAsGroup: -8217745538717204000 + runAsNonRoot: false + runAsUser: 8409092840666673000 + startupProbe: + exec: {} + failureThreshold: 514371514 + grpc: + port: 1386630692 + service: 5k9JljF + httpGet: + host: Yxa + path: KKzxL + port: 1749552838 + scheme: ǁ1钥`岺ȱ$ + initialDelaySeconds: 198009978 + periodSeconds: 1269387330 + successThreshold: 150401625 + terminationGracePeriodSeconds: 756942197968954200 + timeoutSeconds: -1507606503 + stdin: true + stdinOnce: true + terminationMessagePath: Yuuqhx + tty: true + workingDir: cNvZ0 + - args: + - EBJwKsy + - 88iT6Xcn + - XcT28aSWj + command: + - KYgqdbR + envFrom: + - configMapRef: + name: N30BWF9jx + optional: true + prefix: b + secretRef: + name: g + optional: true + - configMapRef: + name: vkY + optional: false + prefix: gn67ft + secretRef: + name: 9bmgS + optional: true + image: mhs + imagePullPolicy: agŒJ!Ǽƴ硴ĘBjp¸ǟ鏔ȫv + lifecycle: + postStart: + exec: {} + httpGet: + host: k1oZic + port: kWma + scheme: /A縊$/Ðl脿ʅK\Yû¡DȜ + sleep: + seconds: 4880710696024837000 + preStop: + exec: + command: + - mE1S + httpGet: + host: wmLvZ + path: P8Lw + port: 2130804875 + scheme: Aɷĝ/éȏ圳%)n帣 + sleep: + seconds: 5681554568621785000 + livenessProbe: + exec: + command: + - g + - 1tbHYej2 + failureThreshold: 721918154 + grpc: + port: 977234381 + service: K8 + httpGet: + host: o1a + path: EL + port: 606530945 + scheme: ɬ憋} + initialDelaySeconds: 527377871 + periodSeconds: 1831783866 + successThreshold: -925249104 + terminationGracePeriodSeconds: -5462814855858063000 + timeoutSeconds: 1067001478 + name: Cyr + ports: + - containerPort: -1582092218 + hostIP: HefrxT + hostPort: -1694778841 + name: "5" + protocol: 5訙奆Ņ蘹Ǭ馲ǧõsg + - containerPort: -1709296974 + hostIP: S + hostPort: -12435236 + name: RQIJVqVp + protocol: ı+=Ŷ\褭昊 + readinessProbe: + exec: + command: + - LxHQI2 + failureThreshold: -1670032382 + grpc: + port: 2038020216 + service: uS1pHYQuE + httpGet: + host: dFCk9 + path: 2YYVJoTxFI + port: 1533020718 + scheme: 侅弴噉讀ŲĨ趚ʉB + initialDelaySeconds: 753694711 + periodSeconds: -620933924 + successThreshold: 1935472803 + terminationGracePeriodSeconds: -1414957386950590200 + timeoutSeconds: 1810571120 + resources: + limits: + SwVZL: "0" + m6OD8E: "0" + requests: + bZQK: "0" + h9G0: "0" + hCGxGGtFgSx: "0" + restartPolicy: 毄鶏疡ɍʛ啔l鹯ą9掇悋ƦjþË + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - '*6珛åǪ' + drop: + - qć纣cȈʊ«Ȯ¤u俳糐郭ȉHT5į軌 + - ³R语 + privileged: false + procMount: GɛFȖ黸ȋȤá峠缂蛞·NN + readOnlyRootFilesystem: true + runAsGroup: 2219217566755129900 + runAsNonRoot: false + runAsUser: -6958635490019934000 + startupProbe: + exec: + command: + - VqKEGlA + - h1eQQmyq + failureThreshold: 1344510971 + grpc: + port: 1296412500 + service: 0FZIq + httpGet: + host: Gk + path: J1ncBCi + port: yqdEt689 + scheme: Ƹ陳ƨj>喐蠿鯌ʛB契p + initialDelaySeconds: -879591831 + periodSeconds: 1110714898 + successThreshold: -1301180826 + terminationGracePeriodSeconds: 3872467306429463000 + timeoutSeconds: 674947774 + terminationMessagePath: bm28lY3K2pwh + terminationMessagePolicy: Ȇƍ@¦Ț'±0ž + tty: true + volumeDevices: + - devicePath: o8dr + name: XmhFb + workingDir: 5wQN + - args: + - o0cO9clz7 + - HMSb + - 6uV0c + env: + - name: M3V9WePpx + value: ysO25 + valueFrom: + configMapKeyRef: + key: UqaJg4r + name: RfxtXP + optional: true + fieldRef: + apiVersion: lwe4YmNPx + fieldPath: tQj57vj + resourceFieldRef: + containerName: ZQ + divisor: "0" + resource: T + secretKeyRef: + key: x + name: ny4NEtt3z + optional: false + - name: cc2 + value: L0hw + valueFrom: + configMapKeyRef: + key: 385Ue36 + name: mmjoQw + optional: false + fieldRef: + apiVersion: 6oECJJ + fieldPath: viT + resourceFieldRef: + containerName: gwdJxK + divisor: "0" + resource: ck7 + secretKeyRef: + key: UuNsYAQvXJ0 + name: 1NAqDCU3 + optional: true + envFrom: + - configMapRef: + name: ZFk + optional: true + prefix: bXa4IzYR + secretRef: + name: aAJU + optional: false + image: JPgUP + imagePullPolicy: Q ¶ + lifecycle: + postStart: + exec: + command: + - r1uMNf + - M + - 8G + httpGet: + host: cuhhh + path: lXMriYoe + port: -988033465 + scheme: ',轄kzĒfť' + sleep: + seconds: -8820103652541682000 + preStop: + exec: + command: + - bElmX + httpGet: + host: bCNS + path: A0F + port: "" + scheme: 砘ɁA甜猷14ʣ)ǨƿŊ\ + sleep: + seconds: 821413986956195800 + livenessProbe: + exec: + command: + - M9y + - ay + - sRaY + failureThreshold: 600887441 + grpc: + port: 1597779369 + service: ua8K + httpGet: + host: 0XuF + path: V3 + port: -703127215 + scheme: 舷$趺É螳P阁]嚂驶钋琦袳$ƸO侎 + initialDelaySeconds: -1230549565 + periodSeconds: -335663932 + successThreshold: -1184112514 + terminationGracePeriodSeconds: 9077275487127833000 + timeoutSeconds: 1992088322 + name: pz + readinessProbe: + exec: + command: + - lVaA + - E9DNIWT7reP + - NW1Cc5O2 + failureThreshold: 1119300491 + grpc: + port: 2061347792 + service: fUXdOYJ9On + httpGet: + host: "0" + path: Us3pM3OkquAEW2 + port: -1693856749 + scheme: 鞡|鬟扝}肾~ + initialDelaySeconds: 1307857751 + periodSeconds: 1903760018 + successThreshold: 612917619 + terminationGracePeriodSeconds: -4296518247806248400 + timeoutSeconds: 1025631498 + resizePolicy: + - resourceName: "8" + restartPolicy: ȯy髚ʦ=ǰɮ瓿b:劀ǴáiO3IĮ + - resourceName: 8mFXK1FTs + restartPolicy: ėv|冿瀱Ƥ鐻D[ƼŮ/ + resources: + limits: + TVwPaoBqGL: "0" + juxQS6V3mr: "0" + requests: + igiG: "0" + restartPolicy: 皷ƴȿOvJ郦'欝 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ǐ缠]館ʚƾó|őɤ + - 6 銨dN_ZɻǦ絛顆麓 + - u鹍u鼓练gʘɍK]痰痁鶄Ȼ咶嚅俊ǙǕ + drop: + - 沎闸埲dz + privileged: false + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: -265773045457612130 + runAsNonRoot: true + runAsUser: -6489119899323829000 + startupProbe: + exec: + command: + - 95NULc + - cCLaGfz + failureThreshold: -414102461 + grpc: + port: 339886942 + service: 7hdbpU + httpGet: + host: bN6EBrngIW + path: Luv09 + port: plsGDEJ + scheme: ʔ垃桪抴痺MM温ǹ + initialDelaySeconds: 2135898388 + periodSeconds: 1107416140 + successThreshold: -648919802 + terminationGracePeriodSeconds: 4653203112295128000 + timeoutSeconds: 1294917615 + terminationMessagePath: C + terminationMessagePolicy: 擎:Ȓ + volumeDevices: + - devicePath: TGjb8dLs + name: QN5Dj50Kuoc + - devicePath: aRIfAur + name: wQ47Fq7W3WPNDG + - devicePath: 2Smu + name: 1Q3d5wRJf6 + volumeMounts: + - mountPath: 5Trbk9 + mountPropagation: 秮驇穁 + name: YvM + readOnly: true + subPath: pFKsUV + subPathExpr: mhIjzA + - mountPath: F3lqb + mountPropagation: 窆f + name: NJXDvoxv + subPath: zVGgP + subPathExpr: H + workingDir: IEObw8N + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + JDRn7n: tOGfx + lKq0V88a: uR3S + vXzm2Hny: tURxvlp + priorityClassName: 6ZbHC + securityContext: + fsGroup: 3426922926776119300 + fsGroupChangePolicy: 橣 + runAsGroup: 8316915980597683000 + runAsNonRoot: false + runAsUser: 6270039107728701000 + supplementalGroups: + - -2399342924686736400 + - 620655430084388100 + serviceAccountName: gIkiPRSc53Eb4w + tolerations: + - effect: ć`湇Ȏ2篤螕巴蛬>@ø£鞌q + key: E7p + operator: 畁鼄瓈貔Ĕ釲ĸȚ貺|ǴĄl蔺İɽ糹 + tolerationSeconds: 3092681449541781000 + value: Zmrz8 + topologySpreadConstraints: [] + volumes: + - configMap: + name: eHZ + name: configs + - name: gcTdF + secret: + defaultMode: 210 + secretName: MPU + - name: "4" + secret: + defaultMode: 186 + secretName: s6 + - name: lBE0nAE + secret: + defaultMode: 412 + secretName: RG + - name: "4" + - name: Kry +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + "": vWjW + G: qF + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 84QIe + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: eHZ +spec: + maxReplicas: 165 + metrics: + - resource: + name: cpu + target: + averageUtilization: 42 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 454 + type: Utilization + type: Resource + minReplicas: 187 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: eHZ +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "eHZ-test-connection" + namespace: "default" + labels: + "": vWjW + G: qF + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 84QIe + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['eHZ:190'] + restartPolicy: Never + priorityClassName: 6ZbHC +-- testdata/case-043.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Gma + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: y0pa6pm83 + namespace: default +spec: + ports: + - name: http + port: 11 + protocol: TCP + targetPort: 465 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: 9TsjJQkJZ +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + GOF: Fk7wcu + J2: ViiBwn6 + WODaheluZ: jCoFdBnr + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: y0pa6pm83 +spec: + ingressClassName: 4Z1r6JSTY + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: y0pa6pm83 + port: + number: 11 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - hAi45 + - N3wGXf + - 2Og0 + secretName: 11BdzGx + - hosts: + - MPqkMom + - mBwetJrK + - PcEKgK + secretName: HtA + - hosts: null + secretName: jRYKg +-- testdata/case-044.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: W9k + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - UiHg9: null + - "": null + mAYLjAybA: null + roles.yaml: |- + roles: + - 0NpG04j: null + UxtPt: null + l5dMdK: null + - J9: null + MzWfEl: null + yNu: null + - "": null + Pv: null + tGJIDyXG: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: resP +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + CRHNsVY: Nl04 + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: resP + namespace: default +spec: + ports: + - name: http + port: 103 + protocol: TCP + targetPort: 329 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tvDI + type: "" +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + 4i: zwiMMKf + ZTKUDg2t: qHc7 + fGsx: dIpd + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: resP + namespace: default +spec: + replicas: 410 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tvDI + strategy: + rollingUpdate: {} + type: ɬdW5f + template: + metadata: + annotations: + N0F: vSjZxkjW + checksum/config: 8ebe1d816245b967e7ea3109d93ad79599a2b8a33eed8e72fc85166d6ffa7aaf + creationTimestamp: null + labels: + K1uahi: UMygEU2O2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: tvDI + ecdKkB: "1" + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: AFOKvXU + operator: ¸藬 + values: + - vIFxLM + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + ZpWVx: agTJ2kP3DWNYN + matchLabelKeys: + - "4" + mismatchLabelKeys: + - 0qG + namespaceSelector: + matchExpressions: + - key: D8 + operator: d|ɬ曖 + values: + - p3iQYi6Y + - key: c + operator: ǵmV逛鲳鈐譮稹ÚȾČXú + values: + - a + - 3C55L6S7 + - SQaxr + matchLabels: + "5": jC + namespaces: + - oDKjy + - "" + topologyKey: C9jgFk + weight: 1276231314 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: lGp2 + operator: "" + matchLabels: + "": sKP1q2 + 44krG: UrYUSMsisV + unYZqLh67: tMKQ + matchLabelKeys: + - orDt3ZdEA + - LIBJK3 + mismatchLabelKeys: + - bgz2i + - CNqlQJ + namespaceSelector: + matchExpressions: + - key: 35CZTXLY + operator: 掟0笝润ɲDGĪ1Ɋ乧鴹ǥ + values: + - OOB1s + - o4H + - key: f21 + operator: nȿqh + namespaces: + - L0w7 + - DB9 + - T1mom4CrS + topologyKey: OWKJz + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: WaOHp + operator: Ƥ熅ǒe²敹Ņ0ľ(Ȯɩ6ÿ + - key: 0X + operator: be3蚛鷿_鴈y+圚ʀF虹D + values: + - ZIZDTnyfwD + - B4NWO9ffPz + - 1jsu + matchLabelKeys: + - mXhYg + mismatchLabelKeys: + - mp6 + namespaceSelector: + matchExpressions: + - key: xE + operator: ʩ畕 + values: + - uc7IZ + - Hxl1 + - key: Xb41Q + operator: cʓʁ卡嵷韻 + values: + - pA + namespaces: + - edcrY + topologyKey: sP2BdI + - labelSelector: + matchExpressions: + - key: U0 + operator: 卢ʩ + values: + - OBtefl + - yMIZlx + - key: X + operator: Ǔ%é鵔:ß侙鞅 + values: + - s1qg3meB + - e6J6ZH89 + - key: dhFO + operator: ƋŎ頖,é襺枣Ť卩骏ɰ抟篧JɂǛȝȵ + values: + - R9sJoCz + matchLabels: + 2T: 84ZhksfB + matchLabelKeys: + - Yc41 + mismatchLabelKeys: + - zgncb + - pCwXYOK + - hViR + namespaceSelector: + matchExpressions: + - key: 3hWtuB6Y + operator: ʪ+ʜǻ拎奜跁ª4鶒鲒[ʒJi\ʝ)皡 + values: + - s + - key: xGSn + operator: 羥/Br=Z擧Ŀ泀Ą舨cïŕɘʡȽIJ鉽 + values: + - lOZtQ2cI + - Vk6 + - Ri3t + - key: Z6UDhR9VLqSA + operator: 淸c欨pɝo腛ı廓齩鄬檏繑郭>Ö呡 + values: + - s6hp + topologyKey: wZZTf + - labelSelector: {} + matchLabelKeys: + - afDo + mismatchLabelKeys: + - S + namespaceSelector: + matchExpressions: + - key: AWObA + operator: ĝf表OS厅啬児0~L槩华L稙訐\Tȼ + values: + - M39 + matchLabels: + 0D9: u5 + T1: xiLiZn + v6: nSQp5 + topologyKey: mr + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: Ahlf + value: UEv + valueFrom: + configMapKeyRef: + key: uwaRvb + name: M8Iklu7qx + optional: true + fieldRef: + apiVersion: H + fieldPath: 43xb + resourceFieldRef: + containerName: t8wgC87mO + divisor: "0" + resource: Z + secretKeyRef: + key: "" + name: EQfJ3z7tv + optional: false + - name: xj + value: lwmxmxP + valueFrom: + configMapKeyRef: + key: "" + name: cdBhO + optional: true + fieldRef: + apiVersion: U + fieldPath: Dj1sswKP + resourceFieldRef: + containerName: 1p3yUdrvd + divisor: "0" + resource: 5A + secretKeyRef: + key: DDcgdcu + name: oD38 + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: x8ik3q + name: K7c7oe + envFrom: + - configMapRef: + name: 2ECaB + optional: true + prefix: bao + secretRef: + name: CA5S95 + optional: false + image: UqWwteW0x/TZqk:0fpMB + imagePullPolicy: 讘ɂȴɩF壜î栒p + livenessProbe: + failureThreshold: 1147871047 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -470682176 + periodSeconds: 842863336 + successThreshold: 2078067842 + timeoutSeconds: 1252398573 + name: console + ports: + - containerPort: 329 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1026367217 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -233395254 + periodSeconds: -96619339 + successThreshold: -2083481091 + timeoutSeconds: 1827269276 + resources: + limits: + eYVLCq: "0" + requests: + P: "0" + VsuQcjg: "0" + jwq: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɐ毻sǨ斩麀|髦 + - (波F= + - 2鱶ɥǚ蘃齯ʃE桹蹝Ȓ畸蘋桙0 + drop: + - c掁轖e9\Ǟ¦ + - ȽT下Zź%賂蕄3 + - 乯`ŤĊŸ眸ʞ缔Ň妌嵳楕ǐwč*ǩ妩ɴ + privileged: true + procMount: ŃE诩Ŗś僆 + readOnlyRootFilesystem: true + runAsGroup: 6580465723841054000 + runAsNonRoot: true + runAsUser: -56006153890553620 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: v + mountPropagation: ?IJ純ʈxɧʅ + name: 9AiRaE35OlCv + readOnly: true + subPath: 2dv5RZ + subPathExpr: H7f + - mountPath: "4" + mountPropagation: 涾頴tOĜʥ朤 + name: ePEz + readOnly: true + subPath: BY + subPathExpr: w + - mountPath: n5FPgiJmk + mountPropagation: Ǵ棢__@ŗɆ4瞑5ŗ­L/ķ{篦ǯ + name: NryERK9Q + readOnly: true + subPath: tINFMAR5 + subPathExpr: VrBKy + - args: + - CCdc + - xnWsPf + - K9Lp8whZH + envFrom: + - configMapRef: + name: eRd + optional: true + prefix: jF9v + secretRef: + name: QS0dQM4 + optional: false + image: UEbFmY + imagePullPolicy: ɂǖ耒ȯ+Ǎ妸ÄĊ wʠB堯¥ƿɤp + lifecycle: + postStart: + exec: + command: + - 89MtW + - LOaqkcP + - JzjyxNZS + httpGet: + host: "3" + path: V + port: RUOELw + scheme: u*暪÷鰦ʭ,0噱D #干 + sleep: + seconds: 7312334685976475000 + preStop: + exec: + command: + - Cmo91luAq + - DTCwI + - d3Q8xly + httpGet: + host: e + port: -1761554680 + scheme: '|' + sleep: + seconds: -8572473558022234000 + livenessProbe: + exec: + command: + - 1K0Fir + - Ws + - jWym + failureThreshold: 1492079208 + grpc: + port: -1612320137 + service: wk3AYU + httpGet: + host: U + path: yLWf + port: dE + scheme: (魠ʫ倳|岺溻IJħu|æ粅 + initialDelaySeconds: -1551121242 + periodSeconds: 101556636 + successThreshold: -690762638 + terminationGracePeriodSeconds: -7606489989577612000 + timeoutSeconds: -947750725 + name: GKPhj2 + ports: + - containerPort: 690563670 + hostIP: mVXvug29A + hostPort: -1389446008 + name: pcUz3a8NWF + protocol: o& + readinessProbe: + exec: {} + failureThreshold: 816403475 + grpc: + port: 2090385753 + service: pp5W00 + httpGet: + host: sP9DV + path: cpLL + port: TNUIzm + scheme: '!敓GĜƝ塀ȏ@{8嶤ɍ|' + initialDelaySeconds: 911169006 + periodSeconds: 257542772 + successThreshold: 1702435185 + terminationGracePeriodSeconds: -4557510245814657500 + timeoutSeconds: -581799810 + resources: + limits: + 5UdZ91O: "0" + TXdC: "0" + bK0pEj0Mb: "0" + requests: + s8hZFXOGF: "0" + tCP: "0" + restartPolicy: Ǩ轡´@ǂȟ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 鿞;P粜鬌)Ǭ郑&鑉k!f] + - Ċ + drop: + - ?孡渄:Ơ廔晞!ē8瞅@rDZ_ + - cfdú¯'ƱơÅś祏侪 + privileged: true + procMount: ȝ?A@û2蝓撕%o摤絡) + readOnlyRootFilesystem: true + runAsGroup: -2314751572399379000 + runAsNonRoot: true + runAsUser: 989961539055775400 + startupProbe: + exec: {} + failureThreshold: 971752114 + grpc: + port: -1594677871 + service: O + httpGet: + host: EIXRs + path: EA1CukJtUZ + port: g9g0 + scheme: 遱O靑課淁hɕ怡ņ鲥 + initialDelaySeconds: -1020857297 + periodSeconds: 1332161137 + successThreshold: -1412285197 + terminationGracePeriodSeconds: -7087737322486666000 + timeoutSeconds: 563432789 + stdin: true + terminationMessagePath: S + terminationMessagePolicy: =ɑ_èʊâ錯Ɛ窾O亇_ + tty: true + volumeDevices: + - devicePath: 2EtZS + name: "" + - devicePath: glBRF4 + name: e8K + volumeMounts: + - mountPath: L4U + mountPropagation: '}6ʓ蓱9峖3疖售Ʉ朞' + name: 4oVeDs + subPath: RoA + subPathExpr: b + - mountPath: b3TFcP + mountPropagation: ʘʟ| + name: jg4Ya + subPath: F + subPathExpr: flS + workingDir: VZi6ElPHw + - command: + - 3xxCjTRw + env: + - name: 1n + value: cHl + valueFrom: + configMapKeyRef: + key: "95" + name: gi + optional: true + fieldRef: + apiVersion: sQA8hZeZu + fieldPath: xgpJlFJ2 + resourceFieldRef: + containerName: fLR0HyM + divisor: "0" + resource: Sanx4 + secretKeyRef: + key: XgKm5 + name: gvoS9jB + optional: false + - name: s2cwze + value: hu + valueFrom: + configMapKeyRef: + key: fDoUz3 + name: XKG + optional: true + fieldRef: + apiVersion: q0CUy1W + fieldPath: B3Lkh + resourceFieldRef: + containerName: V1gnkr8hpTmU + divisor: "0" + resource: 7PEJNYX + secretKeyRef: + key: IiBIw + name: kiXa5 + optional: false + envFrom: + - configMapRef: + name: JayMLn + optional: true + prefix: Iyk + secretRef: + name: I8 + optional: true + image: uuJKCAGoiYb + imagePullPolicy: '&mɈ{DC鹪ŘƖ暢C镯VĪɮJ樟' + lifecycle: + postStart: + exec: {} + httpGet: + host: TlUl + path: v9nd + port: Khf + scheme: 雦G'獲ɕ垑Ɠ奚 + sleep: + seconds: 3204757101293724700 + preStop: + exec: + command: + - s8505Cg5U + httpGet: + host: hAMBGK + port: LNxGid + scheme: 9?Ɉ + sleep: + seconds: -7512312074000843000 + livenessProbe: + exec: {} + failureThreshold: -1252597876 + grpc: + port: -544919593 + service: "N" + httpGet: + host: xfP + path: ByIZxFF1w + port: 465839308 + scheme: ôȔʄǽȕ$Ɨ嫸% + initialDelaySeconds: 1827740835 + periodSeconds: 1434348082 + successThreshold: 1145653124 + terminationGracePeriodSeconds: -9056662989967493000 + timeoutSeconds: -741454610 + name: pkN5 + readinessProbe: + exec: + command: + - pmJ6cF + failureThreshold: -182850181 + grpc: + port: -30654612 + service: q + httpGet: + host: Vra + path: tovB7 + port: -934938952 + scheme: Ⱥǵ1茆鯨ț]ų1ơñ澂 + initialDelaySeconds: -1966697414 + periodSeconds: -1866944455 + successThreshold: -259752087 + terminationGracePeriodSeconds: -4535014313385885000 + timeoutSeconds: -1545912021 + resizePolicy: + - resourceName: RxDBqX + restartPolicy: 韌ʮ濅& + - resourceName: spCee + restartPolicy: 腋+桯PɆ誎z4µ&ȁou-囈鵼夵v| + resources: + limits: + rElH: "0" + requests: + "": "0" + restartPolicy: 7GK¦碦ǒ抩Z芍緜 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NjǗA窇ţ + - 逈%Ǵ7QǚƶƜr + drop: + - 鹭Iv0蠤'Ɵ皝ƨ=¨ + privileged: false + procMount: èįƤ;L虥u籖ʄƎ}橃V炖 + readOnlyRootFilesystem: false + runAsGroup: -1041723617216276900 + runAsNonRoot: false + runAsUser: -3933065726531016000 + startupProbe: + exec: {} + failureThreshold: -983644738 + grpc: + port: 1827183629 + service: X7oC1 + httpGet: + host: vGk + path: ohKaYc + port: l1rVsh9 + initialDelaySeconds: -648569392 + periodSeconds: 873065120 + successThreshold: -612441773 + terminationGracePeriodSeconds: 6808330544454598000 + timeoutSeconds: 1534439066 + terminationMessagePath: VYh + terminationMessagePolicy: 唌Üi+ + volumeDevices: + - devicePath: DGsn + name: Ia + volumeMounts: + - mountPath: "14" + mountPropagation: 渉seǝ蕟厪ë嵎ǥ墮@ + name: "" + readOnly: true + subPath: C1G4VS1 + subPathExpr: eU + workingDir: odPxO + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + 2i: dRi6btw6 + R4: UsW + fFNJXGk: XBkx + priorityClassName: 8KMLup9vb + securityContext: + fsGroup: -3027126285888131000 + fsGroupChangePolicy: 袺芥ŵ罋o郘渢e堫柝dž + runAsGroup: -3172565869747058000 + runAsNonRoot: true + runAsUser: 5739747577453986000 + supplementalGroups: + - -1289730562709624600 + - 2918948066534341000 + - 8836988143915676000 + sysctls: + - name: ZSspAgrV + value: ES11 + serviceAccountName: W9k + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + 435gSB: cXqM + XuT: nA + sKWX6pPX: YyYe + maxSkew: -1347306472 + minDomains: 1890499147 + nodeAffinityPolicy: 扒Ŕ + nodeTaintsPolicy: 諹uɔM_灢ʫ6ªWŢ庿ɛ + topologyKey: 34nlpPe2Tl + whenUnsatisfiable: šĉ鎨嶕鯖Ťȯ蝲萤ɪeCŒ5ő3|押 + volumes: + - configMap: + name: resP + name: configs + - name: Kt6NIoVzEY + - name: O +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "resP-test-connection" + namespace: "default" + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['resP:103'] + restartPolicy: Never + priorityClassName: 8KMLup9vb +-- testdata/case-045.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + "": zL + EANkzh: rmy + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: nX5G + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: naFpMBw + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: nKEzr + kafka-schema-registry-password: xU + kafka-schemaregistry-tls-ca: pc + kafka-schemaregistry-tls-cert: fF1z9FE + kafka-schemaregistry-tls-key: tx + kafka-tls-ca: bhhbwypQ + kafka-tls-cert: Dw1477 + kafka-tls-key: "" + login-github-oauth-client-secret: 1UD4N + login-github-personal-access-token: LmFkP6BgmLQ + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: m + login-jwt-secret: SECRETKEY + login-oidc-client-secret: cXdjG + login-okta-client-secret: eF90RohF + login-okta-directory-api-token: 1zXLSJEQ + redpanda-admin-api-password: rr4c4 + redpanda-admin-api-tls-ca: Eonnpq + redpanda-admin-api-tls-cert: aPCNgYI + redpanda-admin-api-tls-key: vlrLQ9I9 +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz + namespace: default +spec: + ports: + - name: http + port: 314 + protocol: TCP + targetPort: 398 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tOoxEiwdVpT + type: C +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz +spec: + maxReplicas: 305 + metrics: + - resource: + name: cpu + target: + averageUtilization: 344 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 186 + type: Utilization + type: Resource + minReplicas: 326 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 9gCm5xz +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz +spec: + ingressClassName: y6u9o + rules: + - host: V + http: + paths: + - backend: + service: + name: 9gCm5xz + port: + number: 314 + path: VRp3 + pathType: WX + - backend: + service: + name: 9gCm5xz + port: + number: 314 + path: ZXqa + pathType: LXDjotJK + - backend: + service: + name: 9gCm5xz + port: + number: 314 + path: b + pathType: 6l3svu + tls: + - hosts: + - SzMunki + secretName: OT +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "9gCm5xz-test-connection" + namespace: "default" + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: rTO7I + - {} + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['9gCm5xz:314'] + restartPolicy: Never + priorityClassName: Op +-- testdata/case-046.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + "": WcYTY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + rHtDM6k: ZY6Kw + name: fB6TF +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: BKbdr + kafka-sasl-aws-msk-iam-secret-key: Xs8UvJPyL + kafka-sasl-password: xW3EDKA + kafka-schema-registry-password: Vewx + kafka-schemaregistry-tls-ca: te + kafka-schemaregistry-tls-cert: JxH + kafka-schemaregistry-tls-key: jhxioPhQ + kafka-tls-ca: eP + kafka-tls-cert: H9 + kafka-tls-key: "" + login-github-oauth-client-secret: Q + login-github-personal-access-token: akEcq + login-google-groups-service-account.json: pJ8NQ + login-google-oauth-client-secret: vj6 + login-jwt-secret: SECRETKEY + login-oidc-client-secret: 8SCyi + login-okta-client-secret: Yd + login-okta-directory-api-token: q1rSa + redpanda-admin-api-password: mON + redpanda-admin-api-tls-ca: rNzsp + redpanda-admin-api-tls-cert: UStA + redpanda-admin-api-tls-key: 3E +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + aDeGG7F9S: 5d + creationTimestamp: null + labels: + "": WcYTY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + rHtDM6k: ZY6Kw + name: fB6TF + namespace: default +spec: + ports: + - name: http + port: 271 + protocol: TCP + targetPort: 481 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: PK7oH1pcU3 +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + A4M6T: IUmZ9 + AHN: gcT00IU6 + S: lzi1Q + creationTimestamp: null + labels: + "": WcYTY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + rHtDM6k: ZY6Kw + name: fB6TF +spec: + ingressClassName: aU0xOzsFN + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: fB6TF + port: + number: 271 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - PV + secretName: aHG1 + - hosts: + - bX + - Cu + - xuscoJ + secretName: fBCynrlb +-- testdata/case-047.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + DQxrtk8: buiWLPbYq + HHbP: sAY + Y0DKOcTa: D82Nfh + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: DSw7 + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + 8v2: JbH + 95cxbjjD7C: JBMaJ + VY: yRV7d + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YUi5JpG + namespace: default +spec: + ports: + - name: http + port: 168 + protocol: TCP + targetPort: 227 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: nEojiMtRc + type: WAAXkZY +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + Bx5i3M: s + svlaTGpSHD: 7P9k + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YUi5JpG + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: nEojiMtRc + strategy: + rollingUpdate: {} + type: żʧȟ + template: + metadata: + annotations: + Mfsd: hmi + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + 6dZAs: xJPaLHKS1Y2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: nEojiMtRc + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 182966451 + - preference: {} + weight: -2028220392 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 5a5MXO + operator: kƎǦƙ«嚄ƭr騥邜Fċʐ叧F& + values: + - BRA + - Ywt7JHE + - key: TjE3wFb6 + operator: O`6ƥ縈L:Ckʄ鹟瑧 + values: + - "" + - dxDLfiL + - 0IgsneLlLo + - key: tuBbSOMR + operator: 桛ʫ褛ʒɩWkv濱瘛#Ěi邱CNǖ4孳 + values: + - 9zJ + - 7T3iJAwX + matchLabelKeys: + - ZYcvinlq + - PwQO9 + - M3gb + mismatchLabelKeys: + - e + - K1XrVh + - D1CkR8 + namespaceSelector: + matchExpressions: + - key: uqnyV6k + operator: rĮ'示嶠ĵ攛Ņ + - key: 0ONfMVB + operator: n梷E8ʟ菛晉 + values: + - Q + matchLabels: + IqH8n: pCJ16S + mUE: HyxdirX0F + namespaces: + - gptVP + - L + - 7CmPHtA + topologyKey: XDhewcrvK + weight: 2033587292 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: jcAfZ5VF + operator: 饀re + - key: sj + operator: U姑R° + values: + - p8zbO + - key: 2LmP5 + operator: ŸȢ庾塁BƖ + values: + - NN + matchLabels: + ApvKyKe: kHE9lIIleR + mismatchLabelKeys: + - n3VRcT5qX + - zGNqgUGNX + - hDZ + namespaceSelector: + matchExpressions: + - key: "7" + operator: 砃=G墈赞飍鵝7d + values: + - Uiz9BnY + - key: hd76 + operator: '{緶ɡnW' + values: + - vc1yj10y + - Je + - eg + - key: 06pjmB + operator: =帛胏 + values: + - RQ10 + - Z5WWhGqt + namespaces: + - seMTT1 + topologyKey: E + - labelSelector: + matchLabels: + oplIL: 67Fs0Yu4 + mismatchLabelKeys: + - T1 + namespaceSelector: + matchExpressions: + - key: hOQWYMD + operator: vǑ壞2â飿"Xʝ簮倏c + values: + - "0" + - key: WWGKqAgL + operator: '''OƼŪ祰ǑŗiU嘏ɮ?Ī語' + values: + - yU5IOsL + - koP + namespaces: + - lDs + - xQZsD + - J + topologyKey: j0k4ds + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 9nDdXGQwP + operator: '[痵lǝ,ǶÜÂD' + values: + - th + - u8xZ + - ucr3vqZeG + - key: QWVrK8k + operator: ʀăɼy耯#運+3坽« + values: + - 2lcZKn + - G2IQ + - YbYwv + - key: N4bc7Wn + operator: '%7`iɊȑ槦醒}' + values: + - NiSH90 + - 98iHVkt + - 0r3Yu9i + matchLabelKeys: + - zrV + - Ey + - R + namespaceSelector: + matchExpressions: + - key: gEbVS1wo + operator: z + matchLabels: + 2YURuF: "" + CJTjm6: nOFN + oUtlWUD: 0k14ag + topologyKey: M1yF5YA + weight: 477520510 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mdjoxbr + operator: V2SŨǰ8嫟淦 + values: + - 3ww0Ei + - 2PjudE + - pmpvETB0n + - key: NFqQGo + operator: 处;Ƕk鎹û絹褡Sy + values: + - V + - key: HuZ + operator: ȓő&ś>S怭ť]E榕 + values: + - sUume + matchLabels: + ef2q: 4ZL0O9b + r8xqG: MJ + matchLabelKeys: + - "" + - "Y" + mismatchLabelKeys: + - djn6fDf + - ukZi8 + namespaceSelector: {} + namespaces: + - dOU1F + - 1ygQdj3xZ3YIf + - wvpeJx + topologyKey: Rq4K6z6 + weight: -1277100698 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: b + operator: "" + values: + - tmuB5 + - 9qE9GM + - oJpaRDn2 + - key: WY + operator: u酘b + values: + - RhO + - Cs2rDIRrPlii + - nG4bqoAkQU + - key: eMae + operator: ǟĕȴnjI覿9¥H艞ɋ + matchLabels: + ToIBbWL: 4k8X + i2qGkWjvF7QJ: pb0sZq + u12o4B4: Ybz + matchLabelKeys: + - HCKtJC7hm + mismatchLabelKeys: + - 21r0Z + - "" + namespaceSelector: + matchLabels: + 2BNgnKr7Ob: 5RffK5NB3ghhfO + bJC: WTOgH + uA: bxdRwsU + topologyKey: 2CsbupZ + - labelSelector: + matchExpressions: + - key: RIP + operator: Oȝ(氧罻 + values: + - 1bx3Fix9 + - key: eqQoi + operator: 68+ʈĘ + values: + - FgfwmYrR + - mznlyr2aLTGF + - GfAoC8M + matchLabels: + FKwNoJ: aJZxa + cEeo8ix: 3dHunLjp5 + ihSd: qG7x + matchLabelKeys: + - F6LQK + mismatchLabelKeys: + - ULcGW + - RYv + - fF + namespaceSelector: + matchExpressions: + - key: Tkp5 + operator: ȴ潺谡Ƣh躈ŮâÿȒũĔ + values: + - fY9NuWB + - O84 + matchLabels: + 09fI: EDSEVi + Dl: 4u38aD4O + vZCciR: neqAXd7k + namespaces: + - ozziI6FZ + - URQlLJF + topologyKey: SeSq4K + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: "" + value: YbKo + valueFrom: + configMapKeyRef: + key: bIruuA + name: x8 + optional: true + fieldRef: + apiVersion: EqX + fieldPath: ZOh + resourceFieldRef: + containerName: IDJTm5lv + divisor: "0" + resource: QDC8v + secretKeyRef: + key: "8" + name: LcSdNiKff4 + optional: false + - name: RZHq9C + value: m + valueFrom: + configMapKeyRef: + key: PZVqf + name: x + optional: true + fieldRef: + apiVersion: xQi + fieldPath: vxeo + resourceFieldRef: + divisor: "0" + resource: l7 + secretKeyRef: + key: i3lK + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: nj + name: rl + envFrom: [] + image: zUsK/lQjo:p + imagePullPolicy: ȕ蚧竔/´苅oC + livenessProbe: + failureThreshold: -1392926461 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1384385388 + periodSeconds: -1660079876 + successThreshold: 680842396 + timeoutSeconds: 213455290 + name: console + ports: + - containerPort: 227 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1689894479 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1753994274 + periodSeconds: -1189421015 + successThreshold: 1278527365 + timeoutSeconds: -209775227 + resources: + limits: + 8ycM: "0" + requests: + CvglPI: "0" + s5: "0" + uiHB: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - «Ƙz损 + - ɟE鄱Į惪Y桦ŗɘoȍ蠣4ƪ呀R> + - "" + drop: + - 娤b + privileged: false + procMount: ʍ曏(ƶæ + readOnlyRootFilesystem: true + runAsGroup: -406748533537085800 + runAsNonRoot: false + runAsUser: 3238073083343117300 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: g + name: L8dbWip + subPath: "" + - mountPath: OO0aO6h + mountPropagation: "" + name: kDKM + readOnly: true + subPath: AlRCH + subPathExpr: 7UemLsIe + - mountPath: Z8zdlU + mountPropagation: 醗¡°v:胡 + name: aedAMG + subPath: zo5P1xa + subPathExpr: WmuiME + - mountPath: ufiUx + mountPropagation: '`ʡÔ关Ľ?' + name: PWBh + subPath: 2hslJ + subPathExpr: pUtN3 + - args: + - lW + - lpUVzUh + command: + - 3mEGtoKbEWE2Jw5T + - b1GBFA + env: + - name: hsiWF93 + value: zBco + valueFrom: + configMapKeyRef: + key: 8hvvaoHB + name: "y" + optional: false + fieldRef: + apiVersion: WPT5J + fieldPath: sc + resourceFieldRef: + containerName: 0xbTU4O + divisor: "0" + resource: tPBV2ObG + secretKeyRef: + key: YEKZukl + name: px + optional: false + - name: PM0MyyH3R6R + value: yOzX + valueFrom: + configMapKeyRef: + key: I3pi + name: DC + optional: true + fieldRef: + apiVersion: "25" + fieldPath: "" + resourceFieldRef: + containerName: aZj1E7LU + divisor: "0" + resource: sxs0nE31 + secretKeyRef: + key: Ktb3c4 + name: g98T + optional: true + - name: 6kDq8UgFIS8 + value: L0i4 + valueFrom: + configMapKeyRef: + key: 9WUe9 + name: tZrRUK + optional: false + fieldRef: + apiVersion: GIc + fieldPath: AXTmU + resourceFieldRef: + containerName: E2 + divisor: "0" + resource: a63tq + secretKeyRef: + key: luWp + name: lPdowo + optional: true + envFrom: + - configMapRef: + name: vzVk + optional: true + prefix: DONFyRd + secretRef: + name: 9uct + optional: false + - configMapRef: + name: z5nC9D + optional: true + prefix: 5epUyS1iy5m8 + secretRef: + name: zqRFC + optional: true + - configMapRef: + name: awjfJlZxN + optional: true + prefix: LhArOQgbq1OCR2L + secretRef: + name: mb5axzX5 + optional: true + image: qPLiX + imagePullPolicy: '{Ĩ檽]ĻĹňɋ偌Ȏ.阛魉' + lifecycle: + postStart: + exec: + command: + - yAeOM + - s53um + - 3m + httpGet: + host: GJWsJm + path: iDQ + port: 1781170742 + scheme: 皐ű葺ȝĬ麐&ʉ執dz0娸叹 + sleep: + seconds: -4230531115544534500 + preStop: + exec: + command: + - sIGb5 + httpGet: + host: AbxhPKar + path: 3ZZ5 + port: 88852320 + scheme: 砨Ĝ_筀¤痟氻劊űI俼员z幛F + sleep: + seconds: -4758564920159899000 + livenessProbe: + exec: + command: + - ty6JMTW6vA + failureThreshold: -1459976999 + grpc: + port: -1689493187 + service: ihsDMVYd + httpGet: + host: e9NNlO5d + path: iBo4 + port: 334788778 + scheme: ƿ:ħȠL$ + initialDelaySeconds: 1625633184 + periodSeconds: 1327859251 + successThreshold: 1766792721 + terminationGracePeriodSeconds: -3971501657411371000 + timeoutSeconds: 557348614 + name: U3U + readinessProbe: + exec: + command: + - "Y" + failureThreshold: 391027623 + grpc: + port: -1858356724 + service: hnqm + httpGet: + host: g + path: C48 + port: F + scheme: 苎lɲÁ频×ȊDžȀ9Ď"昽 + initialDelaySeconds: -1404160881 + periodSeconds: 521131323 + successThreshold: 2005094455 + terminationGracePeriodSeconds: -5942417190535485000 + timeoutSeconds: 2118365394 + resources: + limits: + Ms1A: "0" + WkWhM: "0" + requests: + b4kR9nm9BfQZy: "0" + eLg: "0" + huME: "0" + restartPolicy: ľ慔/PpǏ銢9滖ɝ韍I鍌$ʪ辫Uz + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - wą&嘪研Z`ȧȢfʘ*ō + drop: + - ƿ`ĉĎ苦Ǧ蘈NJ她笻Ƞ + - 磨3踦煨1JƸc錚捁 ĊZe)ám \ + privileged: true + procMount: 鋶XJm/覹ɋ¶ȉĒȤ瀶|ƻŒ(咡 + readOnlyRootFilesystem: false + runAsGroup: -8452021579348254000 + runAsNonRoot: true + runAsUser: 5983932912975749000 + startupProbe: + exec: + command: + - sZhTLr + - GK + - kqL9aDDm + failureThreshold: 1004086477 + grpc: + port: 1266077274 + service: l1ji1IW1ic + httpGet: + host: rJI + path: H731Dr + port: 1333462733 + scheme: 项鰚ɽ洍êƳ + initialDelaySeconds: 1806670133 + periodSeconds: 1290098703 + successThreshold: -490255445 + terminationGracePeriodSeconds: -206080146769410300 + timeoutSeconds: 270060590 + terminationMessagePath: P1HCGJEbJiD4 + terminationMessagePolicy: ʇ鞯BC鸼樁÷ǹ楺 + tty: true + volumeDevices: + - devicePath: a4 + name: 0bA + - devicePath: VeRXU9 + name: A0XbFJhG + - devicePath: fdim + name: RJf + workingDir: ZoDFb + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: 0P6RnoBeb5 + securityContext: + fsGroup: -6567182940167159000 + fsGroupChangePolicy: 6iɰ堂:齐ǪÈ + runAsGroup: -1787219330993537800 + runAsNonRoot: true + runAsUser: -5627543087390805000 + supplementalGroups: + - -3306962996817147400 + - 975882030005456500 + - -5263492609498468000 + sysctls: + - name: YC + value: 7JlDTCP6hs + serviceAccountName: DSw7 + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: YUi5JpG + name: configs + - name: L8dbWip + secret: + defaultMode: 184 + secretName: LF0O +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YUi5JpG +spec: + maxReplicas: 122 + metrics: + - resource: + name: cpu + target: + averageUtilization: 218 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 488 + type: Utilization + type: Resource + minReplicas: 449 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: YUi5JpG +-- testdata/case-048.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: sKa + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - FZ5NQS6: null + - 0ToI: null + RTwav: null + mWwdgyM: null + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + c: DNy + kDPtPpnL: kFmmx + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um + namespace: default +spec: + ports: + - name: http + port: 311 + protocol: TCP + targetPort: 29 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: W7q3X + type: l5gj +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + Dgw3Wl: 7aofTp + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: W7q3X + strategy: + rollingUpdate: {} + type: 顓ǝSm + template: + metadata: + annotations: + checksum/config: 1f1200550e8f17e44439daf44ec8c9721945fe5e499d9d558666a7a6516a4bd3 + eG: vxInc0 + g: BI6yk + xCtSP: rQ + creationTimestamp: null + labels: + ZEXh: zufy + app.kubernetes.io/instance: console + app.kubernetes.io/name: W7q3X + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: v + operator: ė + values: + - ln + - lU4zX8iz + - t0Xc + - key: s3fpu + operator: ɥ娿ăʄĠ mʓ銈E'袭ĵ + values: + - ljJlhx + - matchExpressions: + - key: qPBvuBghor + operator: 泱诅ʫt + values: + - a05XZwN + - SiAvFWs + - FhW1 + - key: MVFTcW + operator: º囜N赧0索d + values: + - c + - ghZI + - AjB0J + matchFields: + - key: QzMSpLW + operator: :ɉùȪÇzǥC货°ÕV? + - matchExpressions: + - key: pA7a1gYdV + operator: '[ĪtOK' + values: + - 2bE4Bw + - fyMOYi + - key: wshbw7Ix + operator: J槭~撑MS=ÑƎ薽饵a緗 + values: + - 9jt6 + matchFields: + - key: s1 + operator: 犫茬睶ňv + values: + - XhyH + - Ng1r1 + - nqis + - key: mHLiT + operator: ȁ佝L郗s稷tŻ+f舭拳鰵2e{a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: jdvk + operator: ƶ + values: + - NV + - y4 + - V2XRZS + - key: 9VvAl5 + operator: <坎陸$§¤_ã檠奙Å饉J夗ɓ翩锸辸 + values: + - x26kYkJ + matchLabels: + DziixIJYd: yCXzPc + matchLabelKeys: + - XNuk + - RGLu + mismatchLabelKeys: + - aF3 + - R + - Tnj6SmTq + namespaceSelector: + matchExpressions: + - key: e1XR + operator: Kɞ窏ǿ,鸣ŰcNc + values: + - Yrq + matchLabels: + F2Pe7J: dlwTdhs + lK: nolQ + ys9z: euXWPiaJ3Bv + namespaces: + - tAzvw4OH1G + topologyKey: 6y + weight: -1640008169 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XbjQvP + operator: V嶙NZ谡筩ǒ抂 + - key: i + operator: ɔŃ旓Ɍ鬺X + values: + - Zvx + - 7HWJ + - e4ucTP + matchLabelKeys: + - 0LSTZ + - ESk2r + mismatchLabelKeys: + - CKhfvR0Sg + namespaceSelector: + matchExpressions: + - key: A0tc + operator: 辛§ʢ垝V矋n握匞~嶯筪溆¸ + values: + - ML + matchLabels: + K1pr: ROFIwZhJYYo + ODc: 48WQ + namespaces: + - Wv7 + - zenLPw + topologyKey: tIVDde5U + weight: 1977587462 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3YyUamlR + operator: 橯F + values: + - dHitre + - 90jUjk + - key: NtnSL + operator: 臰sR=坵Ěcñ黪:ɻ寊â9dƎ\V + values: + - qqzycK + - key: ICXJGRFS + operator: $貕^eėǭD鳅ʇ + values: + - txX + - SFrkJ9r + - 3jOnwEW1 + matchLabels: + Uwj1kpV: oUXOYkF + o: ts5wRqjTyCy + matchLabelKeys: + - V2DNNCORe7ZRA + - pglXe4D + - w3881 + mismatchLabelKeys: + - xbi5KtUmR + - eZenitLdd + namespaceSelector: + matchExpressions: + - key: fxd5Y + operator: 頣R熗!A麳Ƚ6r爤暓 + values: + - oe46YF + - rT30v + matchLabels: + 4WA: EH + nRhlLLx1yHy: 5UFrj + namespaces: + - 7j92oP + - 2hf + topologyKey: "" + weight: 92207265 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: wBvol + operator: Ɂüɯ + values: + - eKmyok + - key: B2uj69 + operator: "" + - key: hLrZlh + operator: ȕ嵠味 ɼ_ + mismatchLabelKeys: + - W + namespaceSelector: + matchExpressions: + - key: Qu + operator: 亣i拴ÿ + values: + - OeiUsmYu + - oGXa6Ma + matchLabels: + "": Li + oDV7yR: NP + namespaces: + - PQjQb3LP + topologyKey: Gs1 + - labelSelector: + matchLabels: + "": nF + mismatchLabelKeys: + - YG6aQj + namespaceSelector: + matchExpressions: + - key: HpxPVtw + operator: z畘ŠƽǢ蘟\ɡ忕ɋ蜹5B + values: + - EQ + - RP3fBi + - key: Lv60cZut + operator: 裰ƈ + values: + - I9JbN + - dt + - Cya + - key: 0MGm8N + operator: 遍Ż + matchLabels: + nELvnrAFr: DClM + topologyKey: N57yxG + - labelSelector: + matchExpressions: + - key: "" + operator: KǞ}ɣȿ嚶宗荝«Dž + values: + - CGw32z4JHya + - E + - u5CDtdc + matchLabels: + J5LzcLei: kBwTCGZ + iLpqu: j4bqBNDjAK + jN: jUZ0u + matchLabelKeys: + - lNM + - K3nOO5 + - 9norFQpMiC + namespaceSelector: + matchExpressions: + - key: y4teb + operator: 蚯 + values: + - P + - O0 + - MvxOu + - key: v8w1Ok + operator: 8ƴņŨƊ¹艗胲ƦpYƿ9d脙~Ë + values: + - "4" + - "66" + namespaces: + - OtWsVW + - p + topologyKey: GeF + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: GRLHy + operator: Ä椶 + - key: Z + operator: ė牫ȃ汥Ƈ娍q\桕ɄNǴ + values: + - S1hMkP + - K + - x5coDg + - key: kJzBQ + operator: ʉĻ孺bɧɬʬ柿娤e¯]每) + values: + - DbD1 + - C5dyvNew + matchLabelKeys: + - 8G + - 7cCVU + - lN + mismatchLabelKeys: + - xJ5l + namespaceSelector: + matchExpressions: + - key: U89y + operator: ȓ2浿澰V缐厧钎wň莁願菶ʈ杈 + values: + - 9m6ydjpHu + - CatqpZmUCL + - dJz + - key: SIePbOJc6H + operator: ljR2qɟ$s櫮c雕Ů幔莁沥ʫľƙŝ + values: + - 75tj75r + - XiO + - key: "" + operator: 舄或崙Ĭɐ耼Ī弋禽$ + values: + - HWwXVr4o + - WEkwi8ZNDQ + - f + matchLabels: + fi8w0BX: Z48LRdXmkJ + namespaces: + - Yaw2NnfJ + topologyKey: ElKfd7Eo + weight: 1078166465 + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: rd10f1l + value: GtUE + valueFrom: + configMapKeyRef: + key: C1N + name: bi + optional: true + fieldRef: + apiVersion: 9GWlMsB + fieldPath: l2 + resourceFieldRef: + containerName: 4t + divisor: "0" + resource: eyjvzsf + secretKeyRef: + key: xBMOaej + name: O8AG + optional: false + - name: C + value: fYlde + valueFrom: + configMapKeyRef: + key: 4HvhDAkW + name: 5bgA7leE7 + optional: false + fieldRef: + fieldPath: zY6rf + resourceFieldRef: + containerName: S3 + divisor: "0" + resource: 3sD + secretKeyRef: + key: s43 + name: LpaQ + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: enterprise-license + name: 3VGefRh + envFrom: [] + image: VHbf77MFq/9Gz:Tg + imagePullPolicy: Ƀşb?師Ğ`3H觉趟糯襖 + livenessProbe: + failureThreshold: 279778022 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1098820524 + periodSeconds: 414174316 + successThreshold: 1178515566 + timeoutSeconds: 873461419 + name: console + ports: + - containerPort: 29 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 37001950 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -396024246 + periodSeconds: -1467409206 + successThreshold: -1328773613 + timeoutSeconds: -1781454259 + resources: + limits: + 8cdWaeK7jVrR: "0" + HYBi6o: "0" + requests: + NOz: "0" + gH: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ɋ闻ǃɗʀd撪 + - 蘑ǪY桼ɮǚɳ爥ňB + drop: + - 乄}ñ0詘蛾牪坣缰ƩǏ薷©瓚`Ʋ虯r + - ǓJğ&ĊƯʝbǠCŪzgì + - ńǜ[ɪ判Uʋ]泘狔 + privileged: false + procMount: 媹:堏_ɟ榧禙Ɲ'瞟 + readOnlyRootFilesystem: false + runAsGroup: 2759228957449300500 + runAsNonRoot: true + runAsUser: -812867783664200800 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: WsSL4vxNxCkXP + name: Mt1 + subPath: "" + - mountPath: M5 + mountPropagation: 稤Bơ觓Ð琋 + name: yQHj49RtdzN + subPath: GdQkAKF + subPathExpr: Gvswh + - mountPath: QRg + mountPropagation: 搚Kƕ欕K貵蠜d旓ĀÝ虩釓 + name: qCEH27RF + readOnly: true + subPath: nHB05RuTZ + subPathExpr: K0yH + - args: + - 3QF + - k1BJBm + command: + - PMW + - j + - V7MAcfomz + env: + - name: rAzI53 + value: WlHlq + valueFrom: + configMapKeyRef: + key: zzIBsb + name: Bh261F + optional: false + fieldRef: + apiVersion: SlA + fieldPath: "6" + resourceFieldRef: + containerName: q0BBEv + divisor: "0" + resource: JE + secretKeyRef: + key: FvrZgBz + name: ZTBeic + optional: false + - name: uPptX + value: i9 + valueFrom: + configMapKeyRef: + key: JeHwi + name: TiQHOG1EsFUgIE + optional: true + fieldRef: + apiVersion: i7dd + fieldPath: Tu + resourceFieldRef: + containerName: ChdvA + divisor: "0" + resource: Eq1V33RTZQSJRJFg3V + secretKeyRef: + key: ojxn54r + name: L + optional: false + - name: Sl9Py25FX + value: e9 + valueFrom: + configMapKeyRef: + key: Zq80J9tyR0opcz + name: gy00dyvHFa + optional: true + fieldRef: + apiVersion: UJLSQy7zL + fieldPath: Xm4sg5H + resourceFieldRef: + containerName: ZmY7Fno6Fcop3 + divisor: "0" + resource: gqZwW + secretKeyRef: + key: v + name: hJDoWtjkfL + optional: true + envFrom: + - configMapRef: + name: RdWA + optional: true + prefix: Dq + secretRef: + name: BOBOO0sLIWw0e + optional: false + - configMapRef: + name: MoMnWNTC + optional: false + prefix: "3" + secretRef: + name: B58Vvj3 + optional: false + image: Vn5V + imagePullPolicy: 筥ǏŤČ癳嶧GĒH挕ÄHɡ + lifecycle: + postStart: + exec: + command: + - hTIx + - lslygl + - lSgx5G2IfU + httpGet: + host: GNVKz7 + path: d0Y + port: Igi + scheme: 莵łEǐ嫖ʒʔvŊ>ry5贛 + sleep: + seconds: -184172880642712450 + preStop: + exec: {} + httpGet: + host: tD1TkKV0ES + path: s6 + port: OpK5riOe96 + scheme: 琊*i#欱E唂ȧ鐄膶詃7 + sleep: + seconds: -4889549574266894000 + livenessProbe: + exec: {} + failureThreshold: 1591130939 + grpc: + port: -540029946 + service: aoAN2Lx03 + httpGet: + host: vWu + path: Lo + port: 1468671948 + scheme: ȯ煐IŢ + initialDelaySeconds: -1879733088 + periodSeconds: 1106663448 + successThreshold: 240850805 + terminationGracePeriodSeconds: -7405296717602936000 + timeoutSeconds: 524743651 + name: AInfx2Rak + readinessProbe: + exec: + command: + - oIA3 + - H + - 96Uj2 + failureThreshold: -1855887857 + grpc: + port: -495541010 + service: X + httpGet: + host: ZplmMg + path: tAAr + port: 1950182935 + scheme: ʂ綽oa;n轮ęB觼Z=G泇跢揌韇锶 + initialDelaySeconds: 1057136331 + periodSeconds: -2025421367 + successThreshold: -812558156 + terminationGracePeriodSeconds: 4314843605692522000 + timeoutSeconds: -1609986779 + resizePolicy: + - resourceName: EvmpG + restartPolicy: 4ɱ + - resourceName: hTB20ObO1 + restartPolicy: ½ŏ伐Q蔏ʝ噙漃袩J]Ɣ蒘岇 + resources: + limits: + KWlx2c: "0" + O: "0" + requests: + ZCJwGBL: "0" + restartPolicy: 1nĔ:蹮>s蹬ÍǺ + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 迠寈搣弝渎İ- + drop: + - 檹Ɩ + - ɧ麧ç2ā兛杧蔙團载^P蚡5缿ʒU襩 + - cLD|ƶ虌Ȗ + privileged: false + procMount: ïƋ圏滜ľ転謀ĤP蹥ȅ|髃蒃Q癎æ + readOnlyRootFilesystem: false + runAsGroup: -4850605470374304000 + runAsNonRoot: false + runAsUser: 7731251064648991000 + startupProbe: + exec: + command: + - LqYoUQy3c4BE + - 5N + - Ug + failureThreshold: -1290004088 + grpc: + port: -1721281251 + service: H2p + httpGet: + host: 02CP5 + path: F609y + port: JjwFH + scheme: 珑 + initialDelaySeconds: -402608647 + periodSeconds: -1520214127 + successThreshold: 209058699 + terminationGracePeriodSeconds: -1900030585542850300 + timeoutSeconds: 1686394545 + terminationMessagePath: qixKzKz + terminationMessagePolicy: Ǥ衚蔁ʙ剠Ǡɭf~ + volumeDevices: + - devicePath: zM1 + name: jmc + - devicePath: IZ + name: PS + - devicePath: kN24U + name: Apu0r1U2 + workingDir: WgB + - args: + - 2Z37 + - 75kO + - TjvjkZTrc8s + command: + - M0NtzJ + env: + - name: 2EH + value: O + valueFrom: + configMapKeyRef: + key: J1ozKsuji + name: glLvAIHP7i + optional: true + fieldRef: + apiVersion: 3gAjGu + fieldPath: sNpuR8m + resourceFieldRef: + containerName: oxx + divisor: "0" + resource: PuKq + secretKeyRef: + key: Iua2L1LoCWMs2 + name: YfKwS8s + optional: true + image: PKNM + imagePullPolicy: ÍĪ0魣Ŋʒ + lifecycle: + postStart: + exec: {} + httpGet: + host: fsZ + path: EGnu + port: 765491661 + scheme: ?ğ叆ɂ&pʠ溶Ǚu + sleep: + seconds: 4688626474961013000 + preStop: + exec: {} + httpGet: + host: TB + path: "6" + port: -50369560 + scheme: ~Ǚɇ>ƃ\7]歉sh羘y4 + sleep: + seconds: -5293607398165582000 + livenessProbe: + exec: + command: + - 1g8dewdj + - lRmD + failureThreshold: -125369558 + grpc: + port: -1490211482 + service: R + httpGet: + host: CSGThzhG + path: 9NBKzoiFzs + port: -272474300 + scheme: ŀ + initialDelaySeconds: -1094670881 + periodSeconds: 1768141210 + successThreshold: -985604418 + terminationGracePeriodSeconds: -1297054466922920700 + timeoutSeconds: -1289231356 + name: KtKv6dg + ports: + - containerPort: -632764671 + hostIP: 8CU + hostPort: 917138107 + name: 1VgOx + protocol: 典ȫ窃ÛǪ3m患 + - containerPort: 739656218 + hostIP: dQQ3 + hostPort: -1348301133 + name: "3" + protocol: '?Ū慾ŘLº桒J:茦扰絥ǗȑĎ:' + readinessProbe: + exec: + command: + - qZ2J + failureThreshold: 293719665 + grpc: + port: 1235836411 + service: ig3 + httpGet: + host: Ws + path: FVnJhZq7I + port: -1075951148 + initialDelaySeconds: 321800409 + periodSeconds: -556535717 + successThreshold: -625124830 + terminationGracePeriodSeconds: -4084380722124342300 + timeoutSeconds: -904900305 + resizePolicy: + - resourceName: GKINnuJx + restartPolicy: Řl©=嬈牍]佧& + resources: + requests: + omO: "0" + uga5: "0" + xnRsp6C: "0" + restartPolicy: ʝdŌİ蒘傥>晑|癶x&ĭmŭƙŵ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 約nɤưHĞ4WƳǤȣ糥蠇t + - ¾ʃŔ冻楟?¿揈h嘼œ + drop: + - 7忭譺屩嫕ƞʅ袬/氼Xg养ȸ陣萓 + - 胨`鯵ƪĽ藹 + privileged: true + procMount: Ulƙxȿƌ乜溬噕瀆储铐\纬 + readOnlyRootFilesystem: true + runAsGroup: 4589112012742887000 + runAsNonRoot: true + runAsUser: 3204614620414442500 + startupProbe: + exec: + command: + - TFJ + failureThreshold: -585814509 + grpc: + port: 178002023 + service: lAuHCrE + httpGet: + host: "88" + path: Th + port: In + scheme: 鷵菭g顲Ⱦ穪 + initialDelaySeconds: -1856697198 + periodSeconds: 1469578394 + successThreshold: 160563852 + terminationGracePeriodSeconds: -4442318275257517600 + timeoutSeconds: -16211809 + terminationMessagePath: 513sVbgA + terminationMessagePolicy: 隓Ǽ屼Å7嗟Ʈ麝0{ȦDžĐ! + tty: true + volumeDevices: + - devicePath: ugQAJ + name: Jf + - devicePath: BFfnTD + name: kfF6CZ + volumeMounts: + - mountPath: C3 + mountPropagation: 呍婻厦ǒ絶偂蠛ƺ蠖蕍v貰Ė + name: DQvHajhHx + subPath: aYHGugq + subPathExpr: MSs + workingDir: OE + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + Bm9U: oTYglG6dh + priorityClassName: l4Mowg + securityContext: + fsGroup: -3794452885502571500 + fsGroupChangePolicy: 欲飹Rɦ薕µL<Ĕ + runAsGroup: -3171560656159467000 + runAsNonRoot: true + runAsUser: -4412205905842408400 + supplementalGroups: + - -7215185124091152000 + - 5139656417921063000 + - 600742233156257700 + sysctls: + - name: Te + value: cKzihj + serviceAccountName: sKa + tolerations: + - effect: 嫜ʎ愤wßj硭 + key: JO1 + operator: ȼ¾Pȇ挮ƶȋ'蹑鶚嗵ïG + tolerationSeconds: -6027642013843151000 + value: a3XbyS + topologySpreadConstraints: [] + volumes: + - configMap: + name: 3um + name: configs + - name: Mt1 + secret: + defaultMode: 80 + secretName: ZxXI0Hhv +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um +spec: + maxReplicas: 1 + metrics: + - resource: + name: cpu + target: + averageUtilization: 468 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 256 + type: Utilization + type: Resource + minReplicas: 224 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 3um +-- testdata/case-049.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + 5bpPp: ponDVyZ + Ml1: "" + lt: 6VN8BRlJd + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: z12W + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: SBJl + kafka-sasl-aws-msk-iam-secret-key: INqD5 + kafka-sasl-password: 78E + kafka-schema-registry-password: YMuFCG7qR + kafka-schemaregistry-tls-ca: 1y5yRb6O2b + kafka-schemaregistry-tls-cert: NuhkhpMV7b + kafka-schemaregistry-tls-key: 9zcrFj + kafka-tls-ca: 0PF + kafka-tls-cert: wArD + kafka-tls-key: "" + login-github-oauth-client-secret: jdPGF7 + login-github-personal-access-token: y6xqv + login-google-groups-service-account.json: xi1j27Lipj8 + login-google-oauth-client-secret: m6FeI + login-jwt-secret: SECRETKEY + login-oidc-client-secret: zbsTootC + login-okta-client-secret: rHSfT + login-okta-directory-api-token: rOXaN + redpanda-admin-api-password: 8c + redpanda-admin-api-tls-ca: CJbHIM + redpanda-admin-api-tls-cert: uO + redpanda-admin-api-tls-key: uhB0L +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + L: CP + Yf: K4waOjMg + tIYLLgy: d1szIPW6xt + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN + namespace: default +spec: + ports: + - name: http + port: 269 + protocol: TCP + targetPort: 479 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8dJzE + type: IfYfRoHRG +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + BceQMZiOm: E1uakdHPkLNL + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8dJzE + strategy: + rollingUpdate: {} + type: 擺m鷾DžPĨ + template: + metadata: + annotations: + "": cuRn + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + qBdeU: EQv + creationTimestamp: null + labels: + O2n4u: kpFpu + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8dJzE + g1c: XEOMg + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: L + operator: 域%Ɠ礇!ʘl.ǷŠ该貹&N + values: + - oAk8rvkey + - Fb08GpumY + - key: YJGr + operator: '|4\i事!ų藦x鳜Ǫ' + values: + - 63Yvc + - key: j + operator: ¸瀖čņ!彅搀 + values: + - RnzdW + - Nxs + - unZuno + matchFields: + - key: wLP0QqdHBmd9e + operator: ȑwȼ嶢vC`ȖĜƐ桡牆ēIa,謧ŗ + - key: mdgmMZ + operator: Ō§ȶƔ>#Z骻5S洝岛Ċ啞. + values: + - Fvf6 + - key: GQsV + operator: 涥ȕêȩȋ婍0毙舺糩\DŽŅ饒 + values: + - XccQkxG + weight: -1172839714 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: JpS0BkW + operator: 聣耥ʒ昼|Ȏ)ß瞖a癨櫒缮{v + - key: HLL3gv + operator: 铡ÞC腢z蟒Á + - key: iDGQV8Bjyu5Q + operator: 舢脛歛ƻ68 + values: + - eLCH7Nc + - QQqPUN + - "" + matchFields: + - key: AY2q9fnL + operator: ȏ伌鎩5桀ʁ + values: + - Uac + - K0q + - bY71A + - key: rBwZz + operator: '*ĴȉǼ矼SN]ʛ源' + values: + - 5yMkn + - key: S1C + operator: ÿƙ彋,嘲樦 + values: + - OXH + - vl1 + - uCYaO8Cn + - {} + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mZ3rAF9 + operator: yŲĺȫ阁笵W®詃Œ + values: + - bhvFz + - key: uiaNXZcXT + operator: "" + - key: AAM + operator: 閸鬼駝洁c奊(Ƅ謍MǍ辰T堍癩)丗 + values: + - "9" + - ESiN3 + matchLabels: + kCSDZtsm5: vVk + oBlyCq: jlh + matchLabelKeys: + - BCZ8FFbh + - A + namespaceSelector: + matchExpressions: + - key: Lsf + operator: L + values: + - a0HB + - C + - key: eoj6ic3 + operator: ż伌oA汄俔ɿ7巪娻% + matchLabels: + Cx: wwPPM + namespaces: + - 9xhG + - JAutZqe4gGeuf + - "" + topologyKey: 1a + weight: 223935020 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: LtGRhs + operator: 棺ǔ'ɘ砒Æ擑Ɵģ + values: + - GhM4BSJqNOf + matchLabels: + "": 7Ni + matchLabelKeys: + - yxF4 + - 22RoWr + - etRteovEh9 + mismatchLabelKeys: + - 7NOfe + namespaceSelector: + matchExpressions: + - key: 3KCX2 + operator: 臞ʀ¯弄Ɨ橎琜ġ鍳¶ȣ2墛.ɮ濎ɕ磞 + values: + - 5YiE0xEC + - 4spxMd + - vUPA + matchLabels: + YHIq: nS + topologyKey: F4 + weight: 716052627 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "9" + operator: ĠƑȥ兾3ŶJ + - key: pPvuyWZ + operator: ;bļo刲+圊}MǏŅ惤ć + values: + - 9pMXT + - Ezwo11 + matchLabels: + 66347W: ccFxZoF9 + X: VrN5kt + mismatchLabelKeys: + - u4LyY1 + - zT + namespaceSelector: + matchExpressions: + - key: qwhutJo + operator: 垴ǞƼ + matchLabels: + OFxMkYx: lhxtM + topologyKey: WN8qbUgigF + weight: -1609734055 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - "" + mismatchLabelKeys: + - XnhP + - "" + - Bk + namespaceSelector: + matchExpressions: + - key: M + operator: Ǽ糨ʡ毺Ɇw + values: + - ntvI + - vs + matchLabels: + "4": 2Y2FBpcbg + namespaces: + - 1S8c + topologyKey: jxiZ4d + weight: 1993833508 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: EpKkdimp + operator: 额ƀ箰L禼aÅ顙)C舉 + - key: e2Zu7Kb + operator: t潱髦pö鵺b澁6銹 + values: + - z9n + - LdMQ + - r + matchLabels: + F: Nc + Qa2h5toVwd: GGxZ3BQ + l: Z6Rh + matchLabelKeys: + - LsCC + - dgmxxZW + mismatchLabelKeys: + - e + - Cb + - e0DAEluN + namespaceSelector: + matchLabels: + oJ56D: 33m + tkP8tO: mIkfyE6E + namespaces: + - VxN + - hbwB9 + - t + topologyKey: qag0unul + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: 0BIfuN + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: 0BIfuN + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: 0BIfuN + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: 0BIfuN + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 0BIfuN + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: 0BIfuN + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: 0BIfuN + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: 0BIfuN + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: 0BIfuN + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: 0BIfuN + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: 0BIfuN + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: 0BIfuN + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: GTjM + optional: true + prefix: GSbKp + secretRef: + name: vhsV8Pl5 + optional: true + - configMapRef: + name: cvXs + optional: false + prefix: cBFtb + secretRef: + name: x9N + optional: false + - configMapRef: + name: rDSrOmdL + optional: false + prefix: 0u3 + secretRef: + name: A6PG37zBJfwNR + optional: false + image: RCYS61Exfql/8ZLfmymq:4BSL9iL + imagePullPolicy: õ鴀铑û + livenessProbe: + failureThreshold: -567921134 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -507660572 + periodSeconds: 1912372611 + successThreshold: -232304560 + timeoutSeconds: 582403024 + name: console + ports: + - containerPort: 479 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1010917423 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -986314779 + periodSeconds: 1763110639 + successThreshold: 1473932979 + timeoutSeconds: 1291669389 + resources: + limits: + x6: "0" + requests: + eeR: "0" + l: "0" + xppI8xB: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 趩燡º嗂{踦 + - CƮ + drop: + - 殟kĔ=ņŧɋ] + privileged: false + procMount: aŻ釯fȠ埱ɺȚ + readOnlyRootFilesystem: true + runAsGroup: 4284419790643993000 + runAsNonRoot: true + runAsUser: -4828746969388386000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: AQpWvptFEk7y + name: 99SgdOsZD + subPath: "" + - mountPath: p44 + name: U + subPath: "" + - mountPath: UiI + name: WFd + subPath: "" + - mountPath: De7 + mountPropagation: 1k噟霞ƁĹ + name: 1Z2WnghTc + subPath: Ts5Ful + subPathExpr: YyidD + - mountPath: onM7c3 + mountPropagation: m=Cɬ + name: GC5ZsY07Mr + readOnly: true + subPath: Xt + subPathExpr: r6gZk + - mountPath: 8gPjX7hc + mountPropagation: ƃ柅珚ȭ能 + name: oN + subPath: auYcD + subPathExpr: aheb25w + - args: + - kn0F9 + command: + - M + - Hph3 + - lZfWKF + env: + - name: HBWtNh10A + value: 8guE + valueFrom: + configMapKeyRef: + key: Chnm + name: UlwzEQ + optional: false + fieldRef: + apiVersion: 8pq9 + fieldPath: qpnfP4p + resourceFieldRef: + divisor: "0" + resource: L0tn + secretKeyRef: + key: J + name: gbfgF + optional: true + envFrom: + - configMapRef: + name: n32MM + optional: true + prefix: cp3 + secretRef: + name: Uc + optional: true + - configMapRef: + name: VGBL + optional: true + prefix: NTMU + secretRef: + name: CEg + optional: true + image: zIWYBi7 + imagePullPolicy: 蘂ȱʃ& + lifecycle: + postStart: + exec: + command: + - QpTcv + - MS0T0N + - wiE + httpGet: + host: ZCUJOIH + path: UsXT + port: 8nExSP2u + scheme: 'uŊ6熀: 焆 烷ʫ-Ŗ亾ɣʖ氝"肰' + sleep: + seconds: -2519616411083819500 + preStop: + exec: + command: + - rmQ7 + - GxRXQk + httpGet: + host: UIVpXMrzW + path: 4tHQ + port: 8xLK1VyM + scheme: ƳǃóɃȊ{回żz闓葊G嚥 + sleep: + seconds: 3595323074300269600 + livenessProbe: + exec: {} + failureThreshold: -882825879 + grpc: + port: 503069299 + service: W + httpGet: + host: FilCCd + path: NPZrCEq + port: 6NoPho8wIsxe + scheme: āȹ顺悩錣Xƕ灄ĿG乒 + initialDelaySeconds: 781680731 + periodSeconds: 205458 + successThreshold: 1115648780 + terminationGracePeriodSeconds: 4579765768791485400 + timeoutSeconds: -676867842 + name: 2tf + readinessProbe: + exec: + command: + - edKf + - 0U + - MFr2Oh + failureThreshold: 1812906550 + grpc: + port: -791379232 + service: IAqADBco + httpGet: + host: 55GZ + path: AQC + port: sxTXcp + scheme: ƷMg靚珨嘸ȗʒ鑉Ȝ梒ŗǐkōĕĵ鞍 + initialDelaySeconds: -130429301 + periodSeconds: 876742351 + successThreshold: -1424043483 + terminationGracePeriodSeconds: -1574530902871555300 + timeoutSeconds: 764935409 + resources: + limits: + 9eHi: "0" + rO52puR: "0" + requests: + UF8LV7N: "0" + ao: "0" + cRVsAz8v: "0" + restartPolicy: ɥ]×璳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɖ膵7&ʞíXĦx-ǰİɾ榩聨ŗ% + - DŽ熲鴼玜覲杷ȆƠ沺伤{拢 + - ɉȋʠRÂo霾噜奩ƻv$Áő + drop: + - ɑ摿愻J«ʘA宜ƹ¶ + - 餫aJ矐sǁ隑z36渢X赼 + - )ǜ鄰挺溒ŒV栜Ù涸JH-_d + privileged: false + procMount: Ito縎 + readOnlyRootFilesystem: false + runAsGroup: 2484782727894659600 + runAsNonRoot: false + runAsUser: -6936271037843915000 + startupProbe: + exec: + command: + - X + failureThreshold: -256045507 + grpc: + port: 376282302 + service: wdQrDn0 + httpGet: + host: teaO6 + path: DBHpGkYdgAJ + port: -1625640156 + scheme: Ʌ + initialDelaySeconds: 673272264 + periodSeconds: -1050905915 + successThreshold: 282500457 + terminationGracePeriodSeconds: 5768805478519710000 + timeoutSeconds: -601307290 + stdinOnce: true + terminationMessagePath: POO + terminationMessagePolicy: '#d鿂Hk閎=ɰ蜐ġOʡ蠁żǖ' + tty: true + workingDir: Z3pdGL + - args: + - a7Tqs + - UuID5t + - gRCnbjyp + env: + - name: ZV1KP + value: WrT0 + valueFrom: + configMapKeyRef: + key: zZzTgax + name: 3z3eoets + optional: true + fieldRef: + apiVersion: 88zo + fieldPath: z0vE72 + resourceFieldRef: + containerName: DF4t + divisor: "0" + resource: hfVfYFW4 + secretKeyRef: + key: I6JwpO5 + name: I88w22gsx3 + optional: true + - name: z8 + value: sgj8UHZ + valueFrom: + configMapKeyRef: + key: Q85vN + name: lYGl4 + optional: true + fieldRef: + apiVersion: oQu7 + fieldPath: TYd + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: Yx + secretKeyRef: + key: f + name: 0Pjf9YBj + optional: false + envFrom: + - configMapRef: + name: fAH + optional: false + prefix: vjjU + secretRef: + name: 9A8OgEQ9 + optional: false + image: R7L + imagePullPolicy: '}m6铤<豎ŵ,#M狥ʬo' + lifecycle: + postStart: + exec: + command: + - 2E + - gzntg + httpGet: + host: BOoVI + path: ns7ZMdNwQC + port: XF + scheme: ky咊ʅ ʂ娼ȟƐ橽ǿ唔ARɨ罙 + sleep: + seconds: -3978858376823544000 + preStop: + exec: + command: + - Hns + httpGet: + host: Lw8 + path: wdo + port: -239095421 + scheme: ƹ禍OÇ + sleep: + seconds: 3838288160382434000 + livenessProbe: + exec: + command: + - 8E + failureThreshold: -1052479375 + grpc: + port: 82058135 + service: S3UA2HwQaN + httpGet: + host: T0 + path: wYV6 + port: cEf + scheme: 斡1{嘫b葎剜屙唯皎図Ǜ錮ơxȒt駦Ƨ + initialDelaySeconds: -1976610733 + periodSeconds: 436460884 + successThreshold: -949159248 + terminationGracePeriodSeconds: 1786907735670591200 + timeoutSeconds: -2035324376 + name: 0ygO + readinessProbe: + exec: + command: + - "" + - YQ + failureThreshold: 1469514474 + grpc: + port: -1835111333 + service: 5WmTypZfT + httpGet: + host: BDf + path: ZY + port: tyrBXIqhX + scheme: 趬扬鉰昵 + initialDelaySeconds: -683847692 + periodSeconds: -95594828 + successThreshold: -1707399501 + terminationGracePeriodSeconds: 3256417681193515500 + timeoutSeconds: -2088454060 + resources: + limits: + zVX: "0" + restartPolicy: 晄d塮@ʥO%驮ÆgǍô + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ' 吓zǘa畷' + - 鲃ʍ瑘ƴɛjV艑ǔpMK杣Ġ + privileged: true + procMount: zɱÙŭǫäƿ诧聉ń醽Ƥ裩5 + readOnlyRootFilesystem: true + runAsGroup: -2381715627246700500 + runAsNonRoot: false + runAsUser: 6590063474480016000 + startupProbe: + exec: + command: + - "9" + - oRMM2F + - "" + failureThreshold: -1711876939 + grpc: + port: 1138187974 + service: OvdS + httpGet: + host: GZWJ + path: vzJeBCvGMHn7 + port: h9p1Pak + initialDelaySeconds: 447733263 + periodSeconds: 1805541821 + successThreshold: -1114184264 + terminationGracePeriodSeconds: 2730048172651207700 + timeoutSeconds: -1850805595 + terminationMessagePath: GK8 + terminationMessagePolicy: ɾDŽ÷郃ɻ玗璺,4 + volumeDevices: + - devicePath: bLf + name: UVN1o + - devicePath: fIT + name: Qiswb + - devicePath: 9b8i + name: h1 + workingDir: 1IOT + imagePullSecrets: + - name: h5x + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + ra78: fJ + priorityClassName: JhGfjGXQ + securityContext: + fsGroup: 6449559755791186000 + fsGroupChangePolicy: 慩梱ʂcƎƱ\火ɘ²ɉ_ + runAsGroup: 841256803887707600 + runAsNonRoot: true + runAsUser: -2824253868920734700 + supplementalGroups: + - 8145086042470337000 + - -5005570809576723000 + serviceAccountName: z12W + tolerations: + - key: ka + tolerationSeconds: 2857628758439265300 + value: Ohni9QGx + topologySpreadConstraints: + - labelSelector: + matchLabels: + 3Ym: o2h5aVp + yR4PPZO: 3X + matchLabelKeys: + - vCKujB + - UqCFKCN + - Xnjfai + maxSkew: -943395897 + minDomains: 1955399000 + nodeAffinityPolicy: 噙撢馥櫱m>Q脕擏w梪 + nodeTaintsPolicy: 蝚溄鑝刉=歱Mr踄 + topologyKey: cHyq + whenUnsatisfiable: Q輒ƗȈʑǯƐ| + - labelSelector: + matchLabels: + E: lyK5b9t + UuSjduy: NcK4 + fty: iP6ai + maxSkew: 1881677866 + minDomains: -561571142 + nodeAffinityPolicy: ȫ寴ī嘌.樥'ǹs + nodeTaintsPolicy: ɇ剀ǨUǜ!俛dz餂~匹呃 + topologyKey: pCHj + whenUnsatisfiable: 尘I:Ƒ匌,騸 + volumes: + - configMap: + name: 0BIfuN + name: configs + - name: secrets + secret: + secretName: 0BIfuN + - name: 99SgdOsZD + secret: + defaultMode: 500 + secretName: B6Fq + - name: U + secret: + defaultMode: 337 + secretName: DddF02 + - name: WFd + secret: + defaultMode: 246 + secretName: tz +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN +spec: + maxReplicas: 292 + metrics: + - resource: + name: cpu + target: + averageUtilization: 255 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 99 + type: Utilization + type: Resource + minReplicas: 381 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 0BIfuN +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "0BIfuN-test-connection" + namespace: "default" + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: h5x + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['0BIfuN:269'] + restartPolicy: Never + priorityClassName: JhGfjGXQ +-- testdata/console-config-listen-and-target-port.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + server: + listenPort: 3333 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 4444 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: f57fffad24d8562b91b674515ee68bfe758dbbfe634dcd2bb3497934f70538c9 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 3333 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-config-listen-port.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + server: + listenPort: 3333 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: f57fffad24d8562b91b674515ee68bfe758dbbfe634dcd2bb3497934f70538c9 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 3333 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-with-role-bindings.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - metadata: + name: Redpanda POC + roleName: admin + subjects: + - kind: user + name: e2euser + provider: Plain +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: fb8e6e138b819f5ea3ae5c413e14f624501b139f2294e15c4f188ec463049755 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-with-roles-and-bindings.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - metadata: + name: Redpanda POC + roleName: admin + subjects: + - kind: user + name: e2euser + provider: Plain + roles.yaml: |- + roles: + - name: my-role + permissions: + - allowedActions: + - '*' + excludes: + - '*' + includes: + - '*' + resource: 1234 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: a586a304567f15fd4a79d95e15044439368fd8985e42a1a93cdcb6d0b540ed57 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-with-roles.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - name: my-role + permissions: + - allowedActions: + - '*' + excludes: + - '*' + includes: + - '*' + resource: 1234 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 1afc8dfaddbbe103d0707800bfc71b4cc8f14e12334b3e22484d2b73ef5d57c0 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/custom-tag-no-registry.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: redpandadata/console:my-custom-tag + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/default-values.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/extra-init-containers.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: + - args: + - |- + set -xe + echo "Hello 3!" + command: + - /bin/bash + - -c + image: mintel/docker-alpine-bash-curl-jq:latest + name: test-init-container + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/ingress-templating.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + ingress: test + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + ingressClassName: null + rules: + - host: '"a-host"' + http: + paths: + - backend: + service: + name: console + port: + number: 8080 + path: / + pathType: Exact + tls: + - hosts: + - '"blah"' + secretName: my-secret +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/no-registry.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/service-nodeport.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 2000 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: NodePort +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 2000 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/service-with-nodeport.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + hello: world + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + nodePort: 1000 + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: NodePort +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases.txtar b/charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases.txtar new file mode 100644 index 0000000000..804cca4a6b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/testdata/template-cases.txtar @@ -0,0 +1,136 @@ +Manually crafted test cases for TestTemplate +-- default-values -- +# Intentionally left blank. (test of default values) + +-- console-with-roles -- +# console.roles specified +console: + roles: + - name: my-role + permissions: + - resource: 1234 + includes: + - "*" + excludes: + - "*" + allowedActions: ["*"] + +-- console-with-role-bindings -- +# console.roleBindings specified +console: + roleBindings: + - roleName: admin + metadata: + name: Redpanda POC + subjects: + - kind: user + provider: Plain + name: "e2euser" + +-- console-with-roles-and-bindings -- +# console.roles and console.roleBindings both specified +console: + roles: + - name: my-role + permissions: + - resource: 1234 + includes: + - "*" + excludes: + - "*" + allowedActions: ["*"] + roleBindings: + - roleName: admin + metadata: + name: Redpanda POC + subjects: + - kind: user + provider: Plain + name: "e2euser" + +-- autoscaling-nulls -- +# Autoscaling w/ explicit nulls +autoscaling: + enabled: true + targetCPUUtilizationPercentage: null + targetMemoryUtilizationPercentage: null + +-- autoscaling-cpu -- +# Autoscaling w/ memory no cpu +autoscaling: + enabled: true + targetCPUUtilizationPercentage: null + targetMemoryUtilizationPercentage: 10 + +-- autoscaling-memory -- +# Autoscaling w/ cpu no memory +autoscaling: + enabled: true + targetCPUUtilizationPercentage: 14 + targetMemoryUtilizationPercentage: null + +-- service-nodeport -- +# Service type NodePort +service: + type: "NodePort" + targetPort: 2000 + +-- service-with-nodeport -- +# Service w/ NodePort +service: + type: "NodePort" + nodePort: 1000 + annotations: + hello: world + +-- ingress-templating -- +ingress: + enabled: true + annotations: + ingress: test + hosts: + - host: '{{ "a-host" | quote }}' + paths: + - path: / + pathType: Exact + tls: + - secretName: my-secret + hosts: + - '{{ "blah" | quote }}' + +-- no-registry -- +image: + registry: "" + +-- custom-tag-no-registry -- +image: + registry: "" + tag: my-custom-tag + +-- console-config-listen-port -- +console: + config: + server: + listenPort: 3333 + +-- console-config-listen-and-target-port -- +service: + targetPort: 4444 +console: + config: + server: + listenPort: 3333 + +-- extra-init-containers -- +# NB: Many of the generated tests have an invalid value for extraInitContainers +# as it's just a string and render an error message. This case showcases what +# valid YAML looks like. +initContainers: + extraInitContainers: |- + - name: {{ "test-init-container" | quote }} + image: "mintel/docker-alpine-bash-curl-jq:latest" + command: [ "/bin/bash", "-c" ] + args: + - | + set -xe + echo "Hello {{ add 1 2 }}!" diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/values.go b/charts/redpanda/redpanda/5.9.6/charts/console/values.go new file mode 100644 index 0000000000..0a855af598 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/values.go @@ -0,0 +1,215 @@ +// +gotohelm:ignore=true +package console + +import ( + _ "embed" + + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + networkingv1 "k8s.io/api/networking/v1" +) + +var ( + //go:embed values.yaml + DefaultValuesYAML []byte + + //go:embed values.schema.json + ValuesSchemaJSON []byte +) + +type Values struct { + ReplicaCount int32 `json:"replicaCount"` + Image Image `json:"image"` + ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets"` + NameOverride string `json:"nameOverride"` + FullnameOverride string `json:"fullnameOverride"` + AutomountServiceAccountToken bool `json:"automountServiceAccountToken"` + ServiceAccount ServiceAccountConfig `json:"serviceAccount"` + CommonLabels map[string]string `json:"commonLabels"` + Annotations map[string]string `json:"annotations"` + PodAnnotations map[string]string `json:"podAnnotations"` + PodLabels map[string]string `json:"podLabels"` + PodSecurityContext corev1.PodSecurityContext `json:"podSecurityContext"` + SecurityContext corev1.SecurityContext `json:"securityContext"` + Service ServiceConfig `json:"service"` + Ingress IngressConfig `json:"ingress"` + Resources corev1.ResourceRequirements `json:"resources"` + Autoscaling AutoScaling `json:"autoscaling"` + NodeSelector map[string]string `json:"nodeSelector"` + Tolerations []corev1.Toleration `json:"tolerations"` + Affinity corev1.Affinity `json:"affinity"` + TopologySpreadConstraints []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints"` + PriorityClassName string `json:"priorityClassName"` + Console Console `json:"console"` + ExtraEnv []corev1.EnvVar `json:"extraEnv"` + ExtraEnvFrom []corev1.EnvFromSource `json:"extraEnvFrom"` + ExtraVolumes []corev1.Volume `json:"extraVolumes"` + ExtraVolumeMounts []corev1.VolumeMount `json:"extraVolumeMounts"` + ExtraContainers []corev1.Container `json:"extraContainers"` + InitContainers InitContainers `json:"initContainers"` + SecretMounts []SecretMount `json:"secretMounts"` + Secret SecretConfig `json:"secret"` + Enterprise Enterprise `json:"enterprise"` + LivenessProbe corev1.Probe `json:"livenessProbe"` + ReadinessProbe corev1.Probe `json:"readinessProbe"` + ConfigMap Creatable `json:"configmap"` + Deployment DeploymentConfig `json:"deployment"` + Strategy appsv1.DeploymentStrategy `json:"strategy"` + Tests Enableable `json:"tests"` +} + +type DeploymentConfig struct { + Create bool `json:"create"` + Command []string `json:"command,omitempty"` + ExtraArgs []string `json:"extraArgs,omitempty"` +} + +type Enterprise struct { + LicenseSecretRef SecretKeyRef `json:"licenseSecretRef"` +} + +type ServiceAccountConfig struct { + Create bool `json:"create"` + AutomountServiceAccountToken bool `json:"automountServiceAccountToken"` + Annotations map[string]string `json:"annotations"` + Name string `json:"name"` +} + +type ServiceConfig struct { + Type corev1.ServiceType `json:"type"` + Port int32 `json:"port"` + NodePort *int32 `json:"nodePort,omitempty"` + TargetPort *int32 `json:"targetPort"` + Annotations map[string]string `json:"annotations"` +} + +type IngressConfig struct { + Enabled bool `json:"enabled"` + ClassName *string `json:"className"` + Annotations map[string]string `json:"annotations"` + Hosts []IngressHost `json:"hosts"` + TLS []networkingv1.IngressTLS `json:"tls"` +} + +type IngressHost struct { + Host string `json:"host"` + Paths []IngressPath `json:"paths"` +} + +type IngressPath struct { + Path string `json:"path"` + PathType *networkingv1.PathType `json:"pathType"` +} + +type AutoScaling struct { + Enabled bool `json:"enabled"` + MinReplicas int32 `json:"minReplicas"` + MaxReplicas int32 `json:"maxReplicas"` + TargetCPUUtilizationPercentage *int32 `json:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage *int32 `json:"targetMemoryUtilizationPercentage,omitempty"` +} + +// TODO the typing of these values are unclear. All of them get marshalled to +// YAML and then run through tpl which gives no indication of what they are +// aside from YAML marshal-able. +type Console struct { + Config map[string]any `json:"config"` + Roles []map[string]any `json:"roles,omitempty"` + RoleBindings []map[string]any `json:"roleBindings,omitempty"` +} + +type InitContainers struct { + ExtraInitContainers *string `json:"extraInitContainers"` // XXX Templated YAML +} + +type SecretConfig struct { + Create bool `json:"create"` + Kafka KafkaSecrets `json:"kafka"` + Login LoginSecrets `json:"login"` + Enterprise EnterpriseSecrets `json:"enterprise"` + Redpanda RedpandaSecrets `json:"redpanda"` +} + +type SecretMount struct { + Name string `json:"name"` + SecretName string `json:"secretName"` + Path string `json:"path"` + SubPath *string `json:"subPath,omitempty"` + DefaultMode *int32 `json:"defaultMode"` +} + +type KafkaSecrets struct { + SASLPassword *string `json:"saslPassword,omitempty"` + AWSMSKIAMSecretKey *string `json:"awsMskIamSecretKey,omitempty"` + TLSCA *string `json:"tlsCa,omitempty"` + TLSCert *string `json:"tlsCert,omitempty"` + TLSKey *string `json:"tlsKey,omitempty"` + TLSPassphrase *string `json:"tlsPassphrase,omitempty"` + SchemaRegistryPassword *string `json:"schemaRegistryPassword,omitempty"` + SchemaRegistryTLSCA *string `json:"schemaRegistryTlsCa,omitempty"` + SchemaRegistryTLSCert *string `json:"schemaRegistryTlsCert,omitempty"` + SchemaRegistryTLSKey *string `json:"schemaRegistryTlsKey,omitempty"` + ProtobufGitBasicAuthPassword *string `json:"protobufGitBasicAuthPassword,omitempty"` +} + +type LoginSecrets struct { + JWTSecret string `json:"jwtSecret"` + Google GoogleLoginSecrets `json:"google"` + Github GithubLoginSecrets `json:"github"` + Okta OktaLoginSecrets `json:"okta"` + OIDC OIDCLoginSecrets `json:"oidc"` +} + +type GoogleLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` + GroupsServiceAccount *string `json:"groupsServiceAccount,omitempty"` +} + +type GithubLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` + PersonalAccessToken *string `json:"personalAccessToken,omitempty"` +} + +type OktaLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` + DirectoryAPIToken *string `json:"directoryApiToken,omitempty"` +} + +type OIDCLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` +} + +type EnterpriseSecrets struct { + License *string `json:"License,omitempty"` +} + +type RedpandaSecrets struct { + AdminAPI RedpandaAdminAPISecrets `json:"adminApi"` +} + +type RedpandaAdminAPISecrets struct { + Password *string `json:"password,omitempty"` + TLSCA *string `json:"tlsCa,omitempty"` + TLSCert *string `json:"tlsCert,omitempty"` + TLSKey *string `json:"tlsKey,omitempty"` +} + +type SecretKeyRef struct { + Name string `json:"name"` + Key string `json:"key"` +} + +type Enableable struct { + Enabled bool `json:"enabled"` +} + +type Creatable struct { + Create bool `json:"create"` +} + +type Image struct { + Registry string `json:"registry"` + Repository string `json:"repository"` + PullPolicy corev1.PullPolicy `json:"pullPolicy"` + Tag *string `json:"tag"` +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/values.schema.json b/charts/redpanda/redpanda/5.9.6/charts/console/values.schema.json new file mode 100644 index 0000000000..f4f369e98a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/values.schema.json @@ -0,0 +1,323 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "required": [ + "image" + ], + "properties": { + "affinity": { + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "configmap": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "console": { + "type": "object" + }, + "deployment": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "extraContainers": { + "type": "array" + }, + "extraEnv": { + "type": "array" + }, + "extraEnvFrom": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "type": "object", + "required": [ + "repository" + ], + "properties": { + "pullPolicy": { + "type": "string" + }, + "registry": { + "type": "string" + }, + "repository": { + "type": "string", + "minLength": 1 + }, + "tag": { + "type": "string" + } + } + }, + "imagePullSecrets": { + "type": "array" + }, + "ingress": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "className": { + "type": ["string", "null"] + }, + "enabled": { + "type": "boolean" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array", + "items": { + "type": "object", + "properties": { + "path": { + "type": "string" + }, + "pathType": { + "type": "string" + } + } + } + } + } + } + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "annotations": { + "type": "object" + }, + "podAnnotations": { + "type": "object" + }, + "podSecurityContext": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + }, + "runAsUser": { + "type": "integer" + } + } + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "secret": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "enterprise": { + "type": "object" + }, + "kafka": { + "type": "object" + }, + "login": { + "type": "object", + "properties": { + "jwtSecret": { + "type": "string" + }, + "github": { + "type": "object" + }, + "google": { + "type": "object" + }, + "oidc": { + "type": "object" + }, + "okta": { + "type": "object" + } + } + }, + "redpanda": { + "type": "object", + "properties": { + "adminApi": { + "type": "object" + } + } + } + } + }, + "secretMounts": { + "type": "array" + }, + "securityContext": { + "type": "object", + "properties": { + "runAsNonRoot": { + "type": "boolean" + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "port": { + "type": "integer" + }, + "nodePort": { + "type": "integer" + }, + "targetPort": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "type": { + "type": "string" + } + } + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "create": { + "type": "boolean" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "tolerations": { + "type": "array" + }, + "initContainers": { + "type": "object", + "properties": { + "extraInitContainers": { + "type": "string" + } + } + }, + "strategy": { + "type": "object" + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } +} diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/values.yaml b/charts/redpanda/redpanda/5.9.6/charts/console/values.yaml new file mode 100644 index 0000000000..4825fc4876 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/values.yaml @@ -0,0 +1,279 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for console. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +# -- Redpanda Console Docker image settings. +image: + registry: docker.redpanda.com + # -- Docker repository from which to pull the Redpanda Docker image. + repository: redpandadata/console + # -- The imagePullPolicy. + pullPolicy: IfNotPresent + # -- The Redpanda Console version. + # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/console/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags). + # @default -- `Chart.appVersion` + tag: "" + +# -- Pull secrets may be used to provide credentials to image repositories +# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] + +# -- Override `console.name` template. +nameOverride: "" +# -- Override `console.fullname` template. +fullnameOverride: "" + +# -- Automount API credentials for the Service Account into the pod. +automountServiceAccountToken: true + +serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `console.fullname` template + name: "" + +# Common labels to add to all the pods +commonLabels: {} + +# -- Annotations to add to the deployment. +annotations: {} + +podAnnotations: {} + +podLabels: {} + +podSecurityContext: + runAsUser: 99 + fsGroup: 99 + +securityContext: + runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 8080 + # nodePort: 30001 + # -- Override the value in `console.config.server.listenPort` if not `nil` + targetPort: + annotations: {} + +ingress: + enabled: false + className: + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as minikube. If you want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +topologySpreadConstraints: [] + +# -- PriorityClassName given to Pods. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). +priorityClassName: "" + +console: + # -- Settings for the `Config.yaml` (required). + # For a reference of configuration settings, + # see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + config: {} + # roles: + # roleBindings: + +# -- Additional environment variables for the Redpanda Console Deployment. +extraEnv: [] + # - name: KAFKA_RACKID + # value: "1" + +# -- Additional environment variables for Redpanda Console mapped from Secret or ConfigMap. +extraEnvFrom: [] +# - secretRef: +# name: kowl-config-secret + +# -- Add additional volumes, such as for TLS keys. +extraVolumes: [] +# - name: kafka-certs +# secret: +# secretName: kafka-certs +# - name: config +# configMap: +# name: console-config + +# -- Add additional volume mounts, such as for TLS keys. +extraVolumeMounts: [] +# - name: kafka-certs # Must match the volume name +# mountPath: /etc/kafka/certs +# readOnly: true + +# -- Add additional containers, such as for oauth2-proxy. +extraContainers: [] + +# -- Any initContainers defined should be written here +initContainers: + # -- Additional set of init containers + extraInitContainers: |- +# - name: "test-init-container" +# image: "mintel/docker-alpine-bash-curl-jq:latest" +# command: [ "/bin/bash", "-c" ] +# args: +# - | +# set -xe +# echo "Hello World!" + +# -- SecretMounts is an abstraction to make a Secret available in the container's filesystem. +# Under the hood it creates a volume and a volume mount for the Redpanda Console container. +secretMounts: [] +# - name: kafka-certs +# secretName: kafka-certs +# path: /etc/console/certs +# defaultMode: 0755 + +# -- Create a new Kubernetes Secret for all sensitive configuration inputs. +# Each provided Secret is mounted automatically and made available to the +# Pod. +# If you want to use one or more existing Secrets, +# you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets. +secret: + create: true + + # Secret values in case you want the chart to create a Secret. All Certificates are mounted + # as files and the path to those files are configured through environment variables so + # that Console can automatically pick them up. + # -- Kafka Secrets. + kafka: {} + # saslPassword: + # awsMskIamSecretKey: + # tlsCa: + # tlsCert: + # tlsKey: + # tlsPassphrase: + # schemaRegistryPassword: + # schemaRegistryTlsCa: + # schemaRegistryTlsCert: + # schemaRegistryTlsKey: + # protobufGitBasicAuthPassword + # Enterprise version secrets + # - SSO secrets (Enterprise version). + login: + # Configurable JWT value + jwtSecret: "" + google: {} + # clientSecret: + # groupsServiceAccount: + github: {} + # clientSecret: + # personalAccessToken: + okta: {} + # clientSecret: + # directoryApiToken: + oidc: {} + # clientSecret: + + enterprise: {} + # license: + + redpanda: + adminApi: {} + # password: + # tlsCa: + # tlsCert: + # tlsKey: + +# -- Settings for license key, as an alternative to secret.enterprise when +# a license secret is available +enterprise: + licenseSecretRef: + name: "" + key: "" + +# -- Settings for liveness and readiness probes. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes). +livenessProbe: + # initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + +readinessProbe: + # -- Grant time to test connectivity to upstream services such as Kafka and Schema Registry. + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + +configmap: + create: true +deployment: + create: true + +strategy: {} + +tests: + enabled: true diff --git a/charts/redpanda/redpanda/5.9.6/charts/console/values_partial.gen.go b/charts/redpanda/redpanda/5.9.6/charts/console/values_partial.gen.go new file mode 100644 index 0000000000..723065a25c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/charts/console/values_partial.gen.go @@ -0,0 +1,206 @@ +//go:build !generate + +// +gotohelm:ignore=true +// +// Code generated by genpartial DO NOT EDIT. +package console + +import ( + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + networkingv1 "k8s.io/api/networking/v1" +) + +type PartialValues struct { + ReplicaCount *int32 "json:\"replicaCount,omitempty\"" + Image *PartialImage "json:\"image,omitempty\"" + ImagePullSecrets []corev1.LocalObjectReference "json:\"imagePullSecrets,omitempty\"" + NameOverride *string "json:\"nameOverride,omitempty\"" + FullnameOverride *string "json:\"fullnameOverride,omitempty\"" + AutomountServiceAccountToken *bool "json:\"automountServiceAccountToken,omitempty\"" + ServiceAccount *PartialServiceAccountConfig "json:\"serviceAccount,omitempty\"" + CommonLabels map[string]string "json:\"commonLabels,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + PodAnnotations map[string]string "json:\"podAnnotations,omitempty\"" + PodLabels map[string]string "json:\"podLabels,omitempty\"" + PodSecurityContext *corev1.PodSecurityContext "json:\"podSecurityContext,omitempty\"" + SecurityContext *corev1.SecurityContext "json:\"securityContext,omitempty\"" + Service *PartialServiceConfig "json:\"service,omitempty\"" + Ingress *PartialIngressConfig "json:\"ingress,omitempty\"" + Resources *corev1.ResourceRequirements "json:\"resources,omitempty\"" + Autoscaling *PartialAutoScaling "json:\"autoscaling,omitempty\"" + NodeSelector map[string]string "json:\"nodeSelector,omitempty\"" + Tolerations []corev1.Toleration "json:\"tolerations,omitempty\"" + Affinity *corev1.Affinity "json:\"affinity,omitempty\"" + TopologySpreadConstraints []corev1.TopologySpreadConstraint "json:\"topologySpreadConstraints,omitempty\"" + PriorityClassName *string "json:\"priorityClassName,omitempty\"" + Console *PartialConsole "json:\"console,omitempty\"" + ExtraEnv []corev1.EnvVar "json:\"extraEnv,omitempty\"" + ExtraEnvFrom []corev1.EnvFromSource "json:\"extraEnvFrom,omitempty\"" + ExtraVolumes []corev1.Volume "json:\"extraVolumes,omitempty\"" + ExtraVolumeMounts []corev1.VolumeMount "json:\"extraVolumeMounts,omitempty\"" + ExtraContainers []corev1.Container "json:\"extraContainers,omitempty\"" + InitContainers *PartialInitContainers "json:\"initContainers,omitempty\"" + SecretMounts []PartialSecretMount "json:\"secretMounts,omitempty\"" + Secret *PartialSecretConfig "json:\"secret,omitempty\"" + Enterprise *PartialEnterprise "json:\"enterprise,omitempty\"" + LivenessProbe *corev1.Probe "json:\"livenessProbe,omitempty\"" + ReadinessProbe *corev1.Probe "json:\"readinessProbe,omitempty\"" + ConfigMap *PartialCreatable "json:\"configmap,omitempty\"" + Deployment *PartialDeploymentConfig "json:\"deployment,omitempty\"" + Strategy *appsv1.DeploymentStrategy "json:\"strategy,omitempty\"" + Tests *PartialEnableable "json:\"tests,omitempty\"" +} + +type PartialImage struct { + Registry *string "json:\"registry,omitempty\"" + Repository *string "json:\"repository,omitempty\"" + PullPolicy *corev1.PullPolicy "json:\"pullPolicy,omitempty\"" + Tag *string "json:\"tag,omitempty\"" +} + +type PartialServiceAccountConfig struct { + Create *bool "json:\"create,omitempty\"" + AutomountServiceAccountToken *bool "json:\"automountServiceAccountToken,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + Name *string "json:\"name,omitempty\"" +} + +type PartialServiceConfig struct { + Type *corev1.ServiceType "json:\"type,omitempty\"" + Port *int32 "json:\"port,omitempty\"" + NodePort *int32 "json:\"nodePort,omitempty\"" + TargetPort *int32 "json:\"targetPort,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" +} + +type PartialIngressConfig struct { + Enabled *bool "json:\"enabled,omitempty\"" + ClassName *string "json:\"className,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + Hosts []PartialIngressHost "json:\"hosts,omitempty\"" + TLS []networkingv1.IngressTLS "json:\"tls,omitempty\"" +} + +type PartialAutoScaling struct { + Enabled *bool "json:\"enabled,omitempty\"" + MinReplicas *int32 "json:\"minReplicas,omitempty\"" + MaxReplicas *int32 "json:\"maxReplicas,omitempty\"" + TargetCPUUtilizationPercentage *int32 "json:\"targetCPUUtilizationPercentage,omitempty\"" + TargetMemoryUtilizationPercentage *int32 "json:\"targetMemoryUtilizationPercentage,omitempty\"" +} + +type PartialConsole struct { + Config map[string]any "json:\"config,omitempty\"" + Roles []map[string]any "json:\"roles,omitempty\"" + RoleBindings []map[string]any "json:\"roleBindings,omitempty\"" +} + +type PartialInitContainers struct { + ExtraInitContainers *string "json:\"extraInitContainers,omitempty\"" +} + +type PartialSecretConfig struct { + Create *bool "json:\"create,omitempty\"" + Kafka *PartialKafkaSecrets "json:\"kafka,omitempty\"" + Login *PartialLoginSecrets "json:\"login,omitempty\"" + Enterprise *PartialEnterpriseSecrets "json:\"enterprise,omitempty\"" + Redpanda *PartialRedpandaSecrets "json:\"redpanda,omitempty\"" +} + +type PartialEnterprise struct { + LicenseSecretRef *PartialSecretKeyRef "json:\"licenseSecretRef,omitempty\"" +} + +type PartialCreatable struct { + Create *bool "json:\"create,omitempty\"" +} + +type PartialDeploymentConfig struct { + Create *bool "json:\"create,omitempty\"" + Command []string "json:\"command,omitempty\"" + ExtraArgs []string "json:\"extraArgs,omitempty\"" +} + +type PartialEnableable struct { + Enabled *bool "json:\"enabled,omitempty\"" +} + +type PartialSecretMount struct { + Name *string "json:\"name,omitempty\"" + SecretName *string "json:\"secretName,omitempty\"" + Path *string "json:\"path,omitempty\"" + SubPath *string "json:\"subPath,omitempty\"" + DefaultMode *int32 "json:\"defaultMode,omitempty\"" +} + +type PartialKafkaSecrets struct { + SASLPassword *string "json:\"saslPassword,omitempty\"" + AWSMSKIAMSecretKey *string "json:\"awsMskIamSecretKey,omitempty\"" + TLSCA *string "json:\"tlsCa,omitempty\"" + TLSCert *string "json:\"tlsCert,omitempty\"" + TLSKey *string "json:\"tlsKey,omitempty\"" + TLSPassphrase *string "json:\"tlsPassphrase,omitempty\"" + SchemaRegistryPassword *string "json:\"schemaRegistryPassword,omitempty\"" + SchemaRegistryTLSCA *string "json:\"schemaRegistryTlsCa,omitempty\"" + SchemaRegistryTLSCert *string "json:\"schemaRegistryTlsCert,omitempty\"" + SchemaRegistryTLSKey *string "json:\"schemaRegistryTlsKey,omitempty\"" + ProtobufGitBasicAuthPassword *string "json:\"protobufGitBasicAuthPassword,omitempty\"" +} + +type PartialLoginSecrets struct { + JWTSecret *string "json:\"jwtSecret,omitempty\"" + Google *PartialGoogleLoginSecrets "json:\"google,omitempty\"" + Github *PartialGithubLoginSecrets "json:\"github,omitempty\"" + Okta *PartialOktaLoginSecrets "json:\"okta,omitempty\"" + OIDC *PartialOIDCLoginSecrets "json:\"oidc,omitempty\"" +} + +type PartialEnterpriseSecrets struct { + License *string "json:\"License,omitempty\"" +} + +type PartialRedpandaSecrets struct { + AdminAPI *PartialRedpandaAdminAPISecrets "json:\"adminApi,omitempty\"" +} + +type PartialSecretKeyRef struct { + Name *string "json:\"name,omitempty\"" + Key *string "json:\"key,omitempty\"" +} + +type PartialIngressHost struct { + Host *string "json:\"host,omitempty\"" + Paths []PartialIngressPath "json:\"paths,omitempty\"" +} + +type PartialGoogleLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" + GroupsServiceAccount *string "json:\"groupsServiceAccount,omitempty\"" +} + +type PartialGithubLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" + PersonalAccessToken *string "json:\"personalAccessToken,omitempty\"" +} + +type PartialOktaLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" + DirectoryAPIToken *string "json:\"directoryApiToken,omitempty\"" +} + +type PartialOIDCLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" +} + +type PartialRedpandaAdminAPISecrets struct { + Password *string "json:\"password,omitempty\"" + TLSCA *string "json:\"tlsCa,omitempty\"" + TLSCert *string "json:\"tlsCert,omitempty\"" + TLSKey *string "json:\"tlsKey,omitempty\"" +} + +type PartialIngressPath struct { + Path *string "json:\"path,omitempty\"" + PathType *networkingv1.PathType "json:\"pathType,omitempty\"" +} diff --git a/charts/redpanda/redpanda/5.9.6/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.6/templates/NOTES.txt new file mode 100644 index 0000000000..6992f8e36d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/NOTES.txt @@ -0,0 +1,26 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $warnings := (get ((include "redpanda.Warnings" (dict "a" (list .))) | fromJson) "r") }} +{{- range $_, $warning := $warnings }} +{{ $warning }} +{{- end }} + +{{- $notes := (get ((include "redpanda.Notes" (dict "a" (list .))) | fromJson) "r") }} +{{- range $_, $note := $notes }} +{{ $note }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/_cert-issuers.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_cert-issuers.go.tpl new file mode 100644 index 0000000000..f1188ce7bd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_cert-issuers.go.tpl @@ -0,0 +1,57 @@ +{{- /* Generated from "cert_issuers.go" */ -}} + +{{- define "redpanda.CertIssuers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r")) ))) "r") -}} +{{- $issuers := $tmp_tuple_1.T1 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $issuers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RootCAs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r")) ))) "r") -}} +{{- $cas := $tmp_tuple_2.T2 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cas) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.certIssuersAndCAs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $issuers := (coalesce nil) -}} +{{- $certs := (coalesce nil) -}} +{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $name, $data := $values.tls.certs -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- if (eq (toJson $data.issuerRef) "null") -}} +{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "selfSigned" (mustMergeOverwrite (dict ) (dict )) )) (dict )) )))) -}} +{{- end -}} +{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "ca" (mustMergeOverwrite (dict "secretName" "" ) (dict "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) )) )) (dict )) )))) -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "duration" (default "43800h" $data.duration) "isCA" true "commonName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "kind" "Issuer" "group" "cert-manager.io" )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_certs.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_certs.go.tpl new file mode 100644 index 0000000000..086186e448 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_certs.go.tpl @@ -0,0 +1,71 @@ +{{- /* Generated from "certs.go" */ -}} + +{{- define "redpanda.ClientCerts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} +{{- $ns := $dot.Release.Namespace -}} +{{- $domain := (trimSuffix "." $values.clusterDomain) -}} +{{- $certs := (coalesce nil) -}} +{{- range $name, $data := $values.tls.certs -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $names := (coalesce nil) -}} +{{- if (or (eq (toJson $data.issuerRef) "null") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.applyInternalDNSNames false) ))) "r")) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s" $service $ns))) -}} +{{- end -}} +{{- if (ne (toJson $values.external.domain) "null") -}} +{{- $names = (concat (default (list ) $names) (list (tpl $values.external.domain $dot))) -}} +{{- $names = (concat (default (list ) $names) (list (tpl (printf "*.%s" $values.external.domain) $dot))) -}} +{{- end -}} +{{- $duration := (default "43800h" $data.duration) -}} +{{- $issuerRef := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.issuerRef (mustMergeOverwrite (dict "name" "" ) (dict "kind" "Issuer" "group" "cert-manager.io" "name" (printf "%s-%s-root-issuer" $fullname $name) ))) ))) "r") -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "dnsNames" $names "duration" $duration "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $name := $values.listeners.kafka.tls.cert -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.tls.certs $name (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $data := $tmp_tuple_1.T1 -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced but not defined" $name)) -}} +{{- end -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $certs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $issuerRef := (mustMergeOverwrite (dict "name" "" ) (dict "group" "cert-manager.io" "kind" "Issuer" "name" (printf "%s-%s-root-issuer" $fullname $name) )) -}} +{{- if (ne (toJson $data.issuerRef) "null") -}} +{{- $issuerRef = $data.issuerRef -}} +{{- $_ := (set $issuerRef "group" "cert-manager.io") -}} +{{- end -}} +{{- $duration := (default "43800h" $data.duration) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "commonName" (printf "%s-client" $fullname) "duration" $duration "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" $issuerRef )) ))))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_chart.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_chart.go.tpl new file mode 100644 index 0000000000..88bb1f8d22 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_chart.go.tpl @@ -0,0 +1,61 @@ +{{- /* Generated from "chart.go" */ -}} + +{{- define "redpanda.render" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $manifests := (list (get (fromJson (include "redpanda.NodePortService" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.PodDisruptionBudget" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceAccount" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceInternal" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceMonitor" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.SidecarControllersRole" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.SidecarControllersRoleBinding" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.StatefulSet" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.PostInstallUpgradeJob" (dict "a" (list $dot) ))) "r")) -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.ConfigMaps" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.CertIssuers" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.RootCAs" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.ClientCerts" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.ClusterRoleBindings" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.ClusterRoles" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.LoadBalancerServices" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.Secrets" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_configmap.go.tpl new file mode 100644 index 0000000000..5f234bfecd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_configmap.go.tpl @@ -0,0 +1,504 @@ +{{- /* Generated from "configmap.tpl.go" */ -}} + +{{- define "redpanda.ConfigMaps" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cms := (list (get (fromJson (include "redpanda.RedpandaConfigMap" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RPKProfile" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cms) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "bootstrap.yaml" (get (fromJson (include "redpanda.BootstrapFile" (dict "a" (list $dot) ))) "r") "redpanda.yaml" (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot true) ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapFile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $bootstrap := (dict "kafka_enable_authorization" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_sasl" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_rack_awareness" $values.rackAwareness.enabled "storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64) ) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.AuditLogging.Translate" (dict "a" (list $values.auditLogging $dot (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Logging.Translate" (dict "a" (list $values.logging) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TunableConfig.Translate" (dict "a" (list $values.config.tunable) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.ClusterConfig.Translate" (dict "a" (list $values.config.cluster) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Auth.Translate" (dict "a" (list $values.auth (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TieredStorageConfig.Translate" (dict "a" (list (deepCopy (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) $values.storage.tiered.credentialsSecretRef) ))) "r")) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "default_topic_replications" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_1 := $tmp_tuple_1.T2 -}} +{{- if (and (not $ok_1) (ge ($values.statefulset.replicas | int) (3 | int))) -}} +{{- $_ := (set $bootstrap "default_topic_replications" (3 | int)) -}} +{{- end -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "storage_min_free_bytes" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_2.T2 -}} +{{- if (not $ok_2) -}} +{{- $_ := (set $bootstrap "storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (toYaml $bootstrap)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigFile" -}} +{{- $dot := (index .a 0) -}} +{{- $includeSeedServer := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $redpanda := (dict "empty_seed_starts_cluster" false ) -}} +{{- if $includeSeedServer -}} +{{- $_ := (set $redpanda "seed_servers" (get (fromJson (include "redpanda.Listeners.CreateSeedServers" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r")) -}} +{{- end -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.NodeConfig.Translate" (dict "a" (list $values.config.node) ))) "r")) -}} +{{- $_ := (get (fromJson (include "redpanda.configureListeners" (dict "a" (list $redpanda $dot) ))) "r") -}} +{{- $redpandaYaml := (dict "redpanda" $redpanda "schema_registry" (get (fromJson (include "redpanda.schemaRegistry" (dict "a" (list $dot) ))) "r") "schema_registry_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "pandaproxy" (get (fromJson (include "redpanda.pandaProxyListener" (dict "a" (list $dot) ))) "r") "pandaproxy_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "rpk" (get (fromJson (include "redpanda.rpkNodeConfig" (dict "a" (list $dot) ))) "r") "config_file" "/etc/redpanda/redpanda.yaml" ) -}} +{{- if (and (and (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r") $values.auditLogging.enabled) (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) -}} +{{- $_ := (set $redpandaYaml "audit_log_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r")) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (toYaml $redpandaYaml)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RPKProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.external.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-rpk" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "profile" (toYaml (get (fromJson (include "redpanda.rpkProfile" (dict "a" (list $dot) ))) "r")) ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedKafkaPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminAdvertisedList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $adminAdvertisedList = (concat (default (list ) $adminAdvertisedList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedAdminPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $kafkaTLS := (get (fromJson (include "redpanda.rpkKafkaClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $kafkaTLS "ca_file" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_3 := $tmp_tuple_3.T2 -}} +{{- if $ok_3 -}} +{{- $_ := (set $kafkaTLS "ca_file" "ca.crt") -}} +{{- end -}} +{{- $adminTLS := (get (fromJson (include "redpanda.rpkAdminAPIClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $adminTLS "ca_file" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_4.T2 -}} +{{- if $ok_4 -}} +{{- $_ := (set $adminTLS "ca_file" "ca.crt") -}} +{{- end -}} +{{- $ka := (dict "brokers" $brokerList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $kafkaTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $ka "tls" $kafkaTLS) -}} +{{- end -}} +{{- $aa := (dict "addresses" $adminAdvertisedList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $adminTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $aa "tls" $adminTLS) -}} +{{- end -}} +{{- $result := (dict "name" (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") "kafka_api" $ka "admin_api" $aa ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedKafkaPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $externalKafkaListenerName := (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") -}} +{{- $listener := (index $values.listeners.kafka.external $externalKafkaListenerName) -}} +{{- $port := (($values.listeners.kafka.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) ((1 | int) | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedAdminPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.admin.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $externalAdminListenerName := (first $keys) -}} +{{- $listener := (index $values.listeners.admin.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalAdminListenerName) ))) "r")) -}} +{{- $port := (($values.listeners.admin.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) (1 | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHost" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $address := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ($i | int)) -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address (tpl $values.external.domain $dot)) -}} +{{- end -}} +{{- if (le ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- else -}} +{{- $address = (index $values.external.addresses $i) -}} +{{- end -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address $values.external.domain) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.getFirstExternalKafkaListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" (first $keys)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BrokerList" -}} +{{- $dot := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $bl := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $bl = (concat (default (list ) $bl) (list (printf "%s-%d.%s:%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") $port))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $bl) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkNodeConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") -}} +{{- $adminTLS := (coalesce nil) -}} +{{- $tls_5 := (get (fromJson (include "redpanda.rpkAdminAPIClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_5) ))) "r") | int) (0 | int)) -}} +{{- $adminTLS = $tls_5 -}} +{{- end -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- $tls_6 := (get (fromJson (include "redpanda.rpkKafkaClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_6) ))) "r") | int) (0 | int)) -}} +{{- $brokerTLS = $tls_6 -}} +{{- end -}} +{{- $result := (dict "overprovisioned" (get (fromJson (include "redpanda.RedpandaResources.GetOverProvisionValue" (dict "a" (list $values.resources) ))) "r") "enable_memory_locking" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.resources.memory.enable_memory_locking false) ))) "r") "additional_start_flags" (get (fromJson (include "redpanda.RedpandaAdditionalStartFlags" (dict "a" (list $dot ((get (fromJson (include "redpanda.RedpandaSMP" (dict "a" (list $dot) ))) "r") | int64)) ))) "r") "kafka_api" (dict "brokers" $brokerList "tls" $brokerTLS ) "admin_api" (dict "addresses" (get (fromJson (include "redpanda.Listeners.AdminList" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r") "tls" $adminTLS ) ) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Tuning.Translate" (dict "a" (list $values.tuning) ))) "r")) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Config.CreateRPKConfiguration" (dict "a" (list $values.config) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkKafkaClientTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tls := $values.listeners.kafka.tls -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}} +{{- if $tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkAdminAPIClientTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tls := $values.listeners.admin.tls -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}} +{{- if $tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.kafkaClient" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (dict "address" (printf "%s-%d.%s" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) "port" ($values.listeners.kafka.port | int) ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $kafkaTLS := $values.listeners.kafka.tls -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r") -}} +{{- $brokerTLS = (dict "enabled" true "require_client_auth" $kafkaTLS.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $kafkaTLS $values.tls) ))) "r") ) -}} +{{- if $kafkaTLS.requireClientAuth -}} +{{- $_ := (set $brokerTLS "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $brokerTLS "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- end -}} +{{- $cfg := (dict "brokers" $brokerList ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $brokerTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $cfg "broker_tls" $brokerTLS) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cfg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.configureListeners" -}} +{{- $redpanda := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_ := (set $redpanda "admin" (get (fromJson (include "redpanda.AdminListeners.Listeners" (dict "a" (list $values.listeners.admin) ))) "r")) -}} +{{- $_ := (set $redpanda "kafka_api" (get (fromJson (include "redpanda.KafkaListeners.Listeners" (dict "a" (list $values.listeners.kafka $values.auth) ))) "r")) -}} +{{- $_ := (set $redpanda "rpc_server" (get (fromJson (include "redpanda.rpcListeners" (dict "a" (list $dot) ))) "r")) -}} +{{- $_ := (set $redpanda "admin_api_tls" (coalesce nil)) -}} +{{- $tls_7 := (get (fromJson (include "redpanda.AdminListeners.ListenersTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_7) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "admin_api_tls" $tls_7) -}} +{{- end -}} +{{- $_ := (set $redpanda "kafka_api_tls" (coalesce nil)) -}} +{{- $tls_8 := (get (fromJson (include "redpanda.KafkaListeners.ListenersTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_8) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "kafka_api_tls" $tls_8) -}} +{{- end -}} +{{- $tls_9 := (get (fromJson (include "redpanda.rpcListenersTLS" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_9) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "rpc_server_tls" $tls_9) -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.pandaProxyListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $pandaProxy := (dict ) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api" (get (fromJson (include "redpanda.HTTPListeners.Listeners" (dict "a" (list $values.listeners.http (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" (coalesce nil)) -}} +{{- $tls_10 := (get (fromJson (include "redpanda.HTTPListeners.ListenersTLS" (dict "a" (list $values.listeners.http $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_10) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" $tls_10) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pandaProxy) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.schemaRegistry" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaReg := (dict ) -}} +{{- $_ := (set $schemaReg "schema_registry_api" (get (fromJson (include "redpanda.SchemaRegistryListeners.Listeners" (dict "a" (list $values.listeners.schemaRegistry (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" (coalesce nil)) -}} +{{- $tls_11 := (get (fromJson (include "redpanda.SchemaRegistryListeners.ListenersTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_11) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" $tls_11) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $schemaReg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListenersTLS" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $r := $values.listeners.rpc -}} +{{- if (and (not ((or (or (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list $dot) ))) "r")) (get (fromJson (include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list $dot) ))) "r")))) ((or (and (eq (toJson $r.tls.enabled) "null") $values.tls.enabled) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $r.tls.enabled false) ))) "r")))) -}} +{{- $_ := (fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $r.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $certName := $r.tls.cert -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListeners" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "address" "0.0.0.0" "port" ($values.listeners.rpc.port | int) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerTLSCfg" -}} +{{- $tls := (index .a 0) -}} +{{- $internal := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $internal $tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $internal.cert) "key_file" (printf "/etc/tls/certs/%s/tls.key" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerCfg" -}} +{{- $port := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "name" "internal" "address" "0.0.0.0" "port" $port )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAdditionalStartFlags" -}} +{{- $dot := (index .a 0) -}} +{{- $smp := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $chartFlags := (dict "smp" (printf "%d" ($smp | int)) "memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "reserve-memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "default-log-level" $values.logging.logLevel ) -}} +{{- if (eq (index $values.config.node "developer_mode") true) -}} +{{- $_ := (unset $chartFlags "reserve-memory") -}} +{{- end -}} +{{- range $flag, $_ := $chartFlags -}} +{{- range $_, $userFlag := $values.statefulset.additionalRedpandaCmdFlags -}} +{{- if (regexMatch (printf "^--%s" $flag) $userFlag) -}} +{{- $_ := (unset $chartFlags $flag) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $keys := (keys $chartFlags) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $flags := (list ) -}} +{{- range $_, $key := $keys -}} +{{- $flags = (concat (default (list ) $flags) (list (printf "--%s=%s" $key (index $chartFlags $key)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $flags) (default (list ) $values.statefulset.additionalRedpandaCmdFlags))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_console.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_console.go.tpl new file mode 100644 index 0000000000..f8498e9986 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_console.go.tpl @@ -0,0 +1,60 @@ +{{- /* Generated from "console.tpl.go" */ -}} + +{{- define "redpanda.ConsoleConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaURLs := (coalesce nil) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $schema := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.schemaRegistry.tls $values.tls) ))) "r") -}} +{{- $schema = "https" -}} +{{- end -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $schemaURLs = (concat (default (list ) $schemaURLs) (list (printf "%s://%s-%d.%s:%d" $schema (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.schemaRegistry.port | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $schema := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $schema = "https" -}} +{{- end -}} +{{- $c := (dict "kafka" (dict "brokers" (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") "sasl" (dict "enabled" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") ) "tls" (get (fromJson (include "redpanda.KafkaListeners.ConsolemTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") "schemaRegistry" (dict "enabled" $values.listeners.schemaRegistry.enabled "urls" $schemaURLs "tls" (get (fromJson (include "redpanda.SchemaRegistryListeners.ConsoleTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") ) ) "redpanda" (dict "adminApi" (dict "enabled" true "urls" (list (printf "%s://%s:%d" $schema (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) "tls" (get (fromJson (include "redpanda.AdminListeners.ConsoleTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") ) ) ) -}} +{{- if $values.connectors.enabled -}} +{{- $port := (dig "connectors" "connectors" "restPort" (8083 | int) $dot.Values.AsMap) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $port) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $p := ($tmp_tuple_1.T1 | int) -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $c) | toJson -}} +{{- break -}} +{{- end -}} +{{- $connectorsURL := (printf "http://%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.ConnectorsFullName" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace (trimSuffix "." $values.clusterDomain) $p) -}} +{{- $_ := (set $c "connect" (mustMergeOverwrite (dict "enabled" false "clusters" (coalesce nil) "connectTimeout" 0 "readTimeout" 0 "requestTimeout" 0 ) (dict "enabled" $values.connectors.enabled "clusters" (list (mustMergeOverwrite (dict "name" "" "url" "" "tls" (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) "username" "" "password" "" "token" "" ) (dict "name" "connectors" "url" $connectorsURL "tls" (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false )) "username" "" "password" "" "token" "" ))) ))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.console.console.config $c)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ConnectorsFullName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne (dig "connectors" "connectors" "fullnameOverwrite" "" $dot.Values.AsMap) "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $values.connectors.connectors.fullnameOverwrite) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (printf "%s-connectors" $dot.Release.Name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_example-commands.tpl b/charts/redpanda/redpanda/5.9.6/templates/_example-commands.tpl new file mode 100644 index 0000000000..9a5c695e32 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_example-commands.tpl @@ -0,0 +1,58 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + + +{{/* +Any rpk command that's given to the user in NOTES.txt must be defined in this template file +and tested in a test. +*/}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-acl-user-create" -}} +{{- $cmd := (get ((include "redpanda.RpkACLUserCreate" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-acl-create" -}} +{{- $cmd := (get ((include "redpanda.RpkACLCreate" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-cluster-info" -}} +{{- $cmd := (get ((include "redpanda.RpkClusterInfo" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-topic-create" -}} +{{- $cmd := (get ((include "redpanda.RpkTopicCreate" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-topic-describe" -}} +{{- $cmd := (get ((include "redpanda.RpkTopicDescribe" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-topic-delete" -}} +{{- $cmd := (get ((include "redpanda.RpkTopicDelete" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.6/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_helpers.go.tpl new file mode 100644 index 0000000000..58805d14c5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_helpers.go.tpl @@ -0,0 +1,535 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "redpanda.ChartLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (replace "+" "_" (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version))) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "nameOverride") "") ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $override_1 := $tmp_tuple_1.T1 -}} +{{- if (and $ok_2 (ne $override_1 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_1) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Chart.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "fullnameOverride") "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_2.T2 -}} +{{- $override_3 := $tmp_tuple_2.T1 -}} +{{- if (and $ok_4 (ne $override_3 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_3) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.FullLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $labels := (dict ) -}} +{{- if (ne (toJson $values.commonLabels) "null") -}} +{{- $labels = $values.commonLabels -}} +{{- end -}} +{{- $defaults := (dict "helm.sh/chart" (get (fromJson (include "redpanda.ChartLabel" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/managed-by" $dot.Release.Service "app.kubernetes.io/component" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $labels $defaults)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $serviceAccount := $values.serviceAccount -}} +{{- if (and $serviceAccount.create (ne $serviceAccount.name "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $serviceAccount.name) | toJson -}} +{{- break -}} +{{- else -}}{{- if $serviceAccount.create -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- else -}}{{- if (ne $serviceAccount.name "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $serviceAccount.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "default") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tag" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := (toString $values.image.tag) -}} +{{- if (eq $tag "") -}} +{{- $tag = $dot.Chart.AppVersion -}} +{{- end -}} +{{- $pattern := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- if (not (regexMatch $pattern $tag)) -}} +{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tag) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne (toJson $values.service) "null") (ne (toJson $values.service.name) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $values.service.name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalDomain" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} +{{- $ns := $dot.Release.Namespace -}} +{{- $domain := (trimSuffix "." $values.clusterDomain) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s.%s.svc.%s." $service $ns $domain)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSEnabled" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.tls.enabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} +{{- range $_, $listener := $listeners -}} +{{- $tlsCert := (dig "listeners" $listener "tls" "cert" false $dot.Values.AsMap) -}} +{{- $tlsEnabled := (dig "listeners" $listener "tls" "enabled" false $dot.Values.AsMap) -}} +{{- if (and (not (empty $tlsEnabled)) (not (empty $tlsCert))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $external := (dig "listeners" $listener "external" false $dot.Values.AsMap) -}} +{{- if (empty $external) -}} +{{- continue -}} +{{- end -}} +{{- $keys := (keys (get (fromJson (include "_shims.typeassertion" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $external) ))) "r")) -}} +{{- range $_, $key := $keys -}} +{{- $enabled := (dig "listeners" $listener "external" $key "enabled" false $dot.Values.AsMap) -}} +{{- $tlsCert := (dig "listeners" $listener "external" $key "tls" "cert" false $dot.Values.AsMap) -}} +{{- $tlsEnabled := (dig "listeners" $listener "external" $key "tls" "enabled" false $dot.Values.AsMap) -}} +{{- if (and (and (not (empty $enabled)) (not (empty $tlsCert))) (not (empty $tlsEnabled))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClientAuthRequired" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} +{{- range $_, $listener := $listeners -}} +{{- $required := (dig "listeners" $listener "tls" "requireClientAuth" false $dot.Values.AsMap) -}} +{{- if (not (empty $required)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.DefaultMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/etc/redpanda" )))) (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CommonMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts := (list ) -}} +{{- $sasl_5 := $values.auth.sasl -}} +{{- if (and $sasl_5.enabled (ne $sasl_5.secretRef "")) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "users" "mountPath" "/etc/secrets/users" "readOnly" true )))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $certNames := (keys $values.tls.certs) -}} +{{- $_ := (sortAlpha $certNames) -}} +{{- range $_, $name := $certNames -}} +{{- $cert := (index $values.tls.certs $name) -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "/etc/tls/certs/%s" $name) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminTLS := $values.listeners.admin.tls -}} +{{- if $adminTLS.requireClientAuth -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "mtls-client" "mountPath" (printf "/etc/tls/certs/%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.DefaultVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "base-config" )))) (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CommonVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $volumes := (list ) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $certNames := (keys $values.tls.certs) -}} +{{- $_ := (sortAlpha $certNames) -}} +{{- range $_, $name := $certNames -}} +{{- $cert := (index $values.tls.certs $name) -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $name $cert) ))) "r") "defaultMode" (0o440 | int) )) )) (dict "name" (printf "redpanda-%s-cert" $name) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminTLS := $values.listeners.admin.tls -}} +{{- $cert := (index $values.tls.certs $adminTLS.cert) -}} +{{- if $adminTLS.requireClientAuth -}} +{{- $secretName := (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- if (ne (toJson $cert.clientSecretRef) "null") -}} +{{- $secretName = $cert.clientSecretRef.name -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $secretName "defaultMode" (0o440 | int) )) )) (dict "name" "mtls-client" )))) -}} +{{- end -}} +{{- end -}} +{{- $sasl_6 := $values.auth.sasl -}} +{{- if (and $sasl_6.enabled (ne $sasl_6.secretRef "")) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $sasl_6.secretRef )) )) (dict "name" "users" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CertSecretName" -}} +{{- $dot := (index .a 0) -}} +{{- $certName := (index .a 1) -}} +{{- $cert := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $cert.secretRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cert.secretRef.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $certName)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PodSecurityContext" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "fsGroup" $sc.fsGroup "fsGroupChangePolicy" $sc.fsGroupChangePolicy ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ContainerSecurityContext" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "runAsUser" $sc.runAsUser "runAsGroup" (get (fromJson (include "redpanda.coalesce" (dict "a" (list (list $sc.runAsGroup $sc.fsGroup)) ))) "r") "allowPrivilegeEscalation" (get (fromJson (include "redpanda.coalesce" (dict "a" (list (list $sc.allowPrivilegeEscalation $sc.allowPriviledgeEscalation)) ))) "r") "runAsNonRoot" $sc.runAsNonRoot ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_2_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_3_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_1_1" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.1-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_1_2" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.2-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.13-0,<22.4") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.10-0,<22.3") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_2_1" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.2.1-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_3_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.redpandaAtLeast" -}} +{{- $dot := (index .a 0) -}} +{{- $constraint := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $version := (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (list (semverCompare $constraint $version) nil)) ))) "r") -}} +{{- $err := $tmp_tuple_3.T2 -}} +{{- $result := $tmp_tuple_3.T1 -}} +{{- if (ne (toJson $err) "null") -}} +{{- $_ := (fail $err) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.cleanForK8s" -}} +{{- $in := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $in))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaSMP" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $coresInMillies := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillies (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (1 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.coalesce" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- range $_, $v := $values -}} +{{- if (ne (toJson $v) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $v) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StrategicMergePatch" -}} +{{- $overrides := (index .a 0) -}} +{{- $original := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $overrides.labels) "null") -}} +{{- $_ := (set $original.metadata "labels" (merge (dict ) $overrides.labels (default (dict ) $original.metadata.labels))) -}} +{{- end -}} +{{- if (ne (toJson $overrides.annotations) "null") -}} +{{- $_ := (set $original.metadata "annotations" (merge (dict ) $overrides.annotations (default (dict ) $original.metadata.annotations))) -}} +{{- end -}} +{{- if (ne (toJson $overrides.spec.securityContext) "null") -}} +{{- $_ := (set $original.spec "securityContext" (merge (dict ) $overrides.spec.securityContext (default (mustMergeOverwrite (dict ) (dict )) $original.spec.securityContext))) -}} +{{- end -}} +{{- $overrideContainers := (dict ) -}} +{{- range $i, $_ := $overrides.spec.containers -}} +{{- $container := (index $overrides.spec.containers $i) -}} +{{- $_ := (set $overrideContainers (toString $container.name) $container) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $merged := (coalesce nil) -}} +{{- range $_, $container := $original.spec.containers -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideContainers $container.name (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_8 := $tmp_tuple_4.T2 -}} +{{- $override_7 := $tmp_tuple_4.T1 -}} +{{- if $ok_8 -}} +{{- $env := (concat (default (list ) $container.env) (default (list ) $override_7.env)) -}} +{{- $container = (merge (dict ) $override_7 $container) -}} +{{- $_ := (set $container "env" $env) -}} +{{- end -}} +{{- if (eq (toJson $container.env) "null") -}} +{{- $_ := (set $container "env" (list )) -}} +{{- end -}} +{{- $merged = (concat (default (list ) $merged) (list $container)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $original.spec "containers" $merged) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $original) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.6/templates/_helpers.tpl new file mode 100644 index 0000000000..a885f9dcd3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_helpers.tpl @@ -0,0 +1,368 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "redpanda.name" -}} +{{- get ((include "redpanda.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "redpanda.fullname" -}} +{{- get ((include "redpanda.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default service name +*/}} +{{- define "redpanda.servicename" -}} +{{- get ((include "redpanda.ServiceName" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +full helm labels + common labels +*/}} +{{- define "full.labels" -}} +{{- (get ((include "redpanda.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "redpanda.chart" -}} +{{- get ((include "redpanda.Chart" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redpanda.serviceAccountName" -}} +{{- get ((include "redpanda.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Use AppVersion if image.tag is not set +*/}} +{{- define "redpanda.tag" -}} +{{- get ((include "redpanda.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* Generate internal fqdn */}} +{{- define "redpanda.internal.domain" -}} +{{- get ((include "redpanda.InternalDomain" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* ConfigMap variables */}} +{{- define "admin-internal-tls-enabled" -}} +{{- toJson (dict "bool" (get ((include "redpanda.InternalTLS.IsEnabled" (dict "a" (list .Values.listeners.admin.tls .Values.tls))) | fromJson) "r")) -}} +{{- end -}} + +{{- define "kafka-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.kafka -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "kafka-external-tls-cert" -}} +{{- dig "tls" "cert" .Values.listeners.kafka.tls.cert .listener -}} +{{- end -}} + +{{- define "http-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.http -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "schemaRegistry-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.schemaRegistry -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "tls-enabled" -}} +{{- $tlsenabled := get ((include "redpanda.TLSEnabled" (dict "a" (list .))) | fromJson) "r" }} +{{- toJson (dict "bool" $tlsenabled) -}} +{{- end -}} + +{{- define "sasl-enabled" -}} +{{- toJson (dict "bool" (dig "enabled" false .Values.auth.sasl)) -}} +{{- end -}} + +{{- define "admin-api-urls" -}} +{{ printf "${SERVICE_NAME}.%s" (include "redpanda.internal.domain" .) }}:{{.Values.listeners.admin.port }} +{{- end -}} + +{{- define "admin-api-service-url" -}} +{{ include "redpanda.internal.domain" .}}:{{.Values.listeners.admin.port }} +{{- end -}} + +{{- define "sasl-mechanism" -}} +{{- dig "sasl" "mechanism" "SCRAM-SHA-512" .Values.auth -}} +{{- end -}} + +{{- define "fail-on-insecure-sasl-logging" -}} +{{- if (include "sasl-enabled" .|fromJson).bool -}} + {{- $check := list + (include "redpanda-atleast-23-1-1" .|fromJson).bool + (include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool + (include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool + -}} + {{- if not (mustHas true $check) -}} + {{- fail "SASL is enabled and the redpanda version specified leaks secrets to the logs. Please choose a newer version of redpanda." -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "fail-on-unsupported-helm-version" -}} + {{- $helmVer := (fromYaml (toYaml .Capabilities.HelmVersion)).version -}} + {{- if semverCompare "<3.8.0-0" $helmVer -}} + {{- fail (printf "helm version %s is not supported. Please use helm version v3.8.0 or newer." $helmVer) -}} + {{- end -}} +{{- end -}} + +{{- define "redpanda-atleast-22-2-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-22-3-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-1-1" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_1" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-1-2" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-22-3-atleast-22-3-13" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-22-2-atleast-22-2-10" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-2-1" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-3-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} + +{{- define "redpanda-22-2-x-without-sasl" -}} +{{- $result := (include "redpanda-atleast-22-3-0" . | fromJson).bool -}} +{{- if or (include "sasl-enabled" . | fromJson).bool .Values.listeners.kafka.authenticationMethod -}} +{{- $result := false -}} +{{- end -}} +{{- toJson (dict "bool" $result) -}} +{{- end -}} + +{{- define "pod-security-context" -}} +{{- get ((include "redpanda.PodSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }} +{{- end -}} + +{{- define "container-security-context" -}} +{{- get ((include "redpanda.ContainerSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }} +{{- end -}} + +{{- define "admin-tls-curl-flags" -}} + {{- $result := "" -}} + {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}} + {{- $path := (printf "/etc/tls/certs/%s" .Values.listeners.admin.tls.cert) -}} + {{- $result = (printf "--cacert %s/tls.crt" $path) -}} + {{- if .Values.listeners.admin.tls.requireClientAuth -}} + {{- $result = (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path) -}} + {{- end -}} + {{- end -}} + {{- $result -}} +{{- end -}} + +{{- define "admin-http-protocol" -}} + {{- $result := "http" -}} + {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}} + {{- $result = "https" -}} + {{- end -}} + {{- $result -}} +{{- end -}} + +{{- /* +advertised-port returns either the only advertised port if only one is specified, +or the port specified for this pod ordinal when there is a full list provided. + +This will return a string int or panic if there is more than one port provided, +but not enough ports for the number of replicas requested. +*/ -}} +{{- define "advertised-port" -}} + {{- $port := dig "port" .listenerVals.port .externalVals -}} + {{- if .externalVals.advertisedPorts -}} + {{- if eq (len .externalVals.advertisedPorts) 1 -}} + {{- $port = mustFirst .externalVals.advertisedPorts -}} + {{- else -}} + {{- $port = index .externalVals.advertisedPorts .replicaIndex -}} + {{- end -}} + {{- end -}} + {{ $port }} +{{- end -}} + +{{- /* +advertised-host returns a json string with the data needed for configuring the advertised listener +*/ -}} +{{- define "advertised-host" -}} + {{- $host := dict "name" .externalName "address" .externalAdvertiseAddress "port" .port -}} + {{- if .values.external.addresses -}} + {{- $address := "" -}} + {{- if gt (len .values.external.addresses) 1 -}} + {{- $address = (index .values.external.addresses .replicaIndex) -}} + {{- else -}} + {{- $address = (index .values.external.addresses 0) -}} + {{- end -}} + {{- if ( .values.external.domain | default "" ) }} + {{- $host = dict "name" .externalName "address" (printf "%s.%s" $address .values.external.domain) "port" .port -}} + {{- else -}} + {{- $host = dict "name" .externalName "address" $address "port" .port -}} + {{- end -}} + {{- end -}} + {{- toJson $host -}} +{{- end -}} + +{{- define "is-licensed" -}} +{{- toJson (dict "bool" (or (not (empty (include "enterprise-license" . ))) (not (empty (include "enterprise-secret" . ))))) -}} +{{- end -}} + +{{- define "seed-server-list" -}} + {{- $brokers := list -}} + {{- range $ordinal := until (.Values.statefulset.replicas | int) -}} + {{- $brokers = append $brokers (printf "%s-%d.%s" + (include "redpanda.fullname" $) + $ordinal + (include "redpanda.internal.domain" $)) + -}} + {{- end -}} + {{- toJson $brokers -}} +{{- end -}} + +{{/* +return license checks deprecated values if current values is empty +*/}} +{{- define "enterprise-license" -}} +{{- if dig "license" dict .Values.enterprise -}} + {{- .Values.enterprise.license -}} +{{- else -}} + {{- .Values.license_key -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef.name checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret-name" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- dig "name" "" .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- dig "secret_name" "" .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef.key checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret-key" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- dig "key" "" .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- dig "secret_key" "" .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* mounts that are common to all containers */}} +{{- define "common-mounts" -}} +{{- $mounts := get ((include "redpanda.CommonMounts" (dict "a" (list .))) | fromJson) "r" }} +{{- if $mounts -}} +{{- toYaml $mounts -}} +{{- end -}} +{{- end -}} + +{{/* mounts that are common to most containers */}} +{{- define "default-mounts" -}} +{{- $mounts := get ((include "redpanda.DefaultMounts" (dict "a" (list .))) | fromJson) "r" }} +{{- if $mounts -}} +{{- toYaml $mounts -}} +{{- end -}} +{{- end -}} + +{{/* volumes that are common to all pods */}} +{{- define "common-volumes" -}} +{{- $volumes := get ((include "redpanda.CommonVolumes" (dict "a" (list .))) | fromJson) "r" }} +{{- if $volumes -}} +{{- toYaml $volumes -}} +{{- end -}} +{{- end -}} + +{{/* the default set of volumes for most pods, except the sts pod */}} +{{- define "default-volumes" -}} +{{- $volumes := get ((include "redpanda.DefaultVolumes" (dict "a" (list .))) | fromJson) "r" }} +{{- if $volumes -}} +{{- toYaml $volumes -}} +{{- end -}} +{{- end -}} + +{{/* support legacy storage.tieredConfig */}} +{{- define "storage-tiered-config" -}} +{{- $cfg := get ((include "redpanda.StorageTieredConfig" (dict "a" (list .))) | fromJson) "r" }} +{{- if $cfg -}} +{{- toYaml $cfg -}} +{{- end -}} +{{- end -}} + +{{/* + rpk sasl environment variables + + this will return a string with the correct environment variables to use for SASL based on the + version of the redpada container being used +*/}} +{{- define "rpk-sasl-environment-variables" -}} +{{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool -}} +RPK_USER RPK_PASS RPK_SASL_MECHANISM +{{- else -}} +REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM +{{- end -}} +{{- end -}} + +{{- define "curl-options" -}} +{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}} +{{- end -}} + +{{- define "advertised-address-template" -}} + {{- $prefixTemplate := dig "prefixTemplate" "" .externalListener -}} + {{- if empty $prefixTemplate -}} + {{- $prefixTemplate = dig "prefixTemplate" "" .externalVals -}} + {{- end -}} + {{ quote $prefixTemplate }} +{{- end -}} + +{{/* check if client auth is enabled for any of the listeners */}} +{{- define "client-auth-required" -}} +{{- $requireClientAuth := get ((include "redpanda.ClientAuthRequired" (dict "a" (list .))) | fromJson) "r" }} +{{- toJson (dict "bool" $requireClientAuth) -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.6/templates/_memory.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_memory.go.tpl new file mode 100644 index 0000000000..015a771b46 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_memory.go.tpl @@ -0,0 +1,63 @@ +{{- /* Generated from "memory.go" */ -}} + +{{- define "redpanda.RedpandaReserveMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $rpMem_1 := $values.resources.memory.redpanda -}} +{{- if (and (ne (toJson $rpMem_1) "null") (ne (toJson $rpMem_1.reserveMemory) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_1.reserveMemory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((add (((mulf (((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) | float64) 0.002) | float64) | int64) (200 | int64)) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $memory := ((0 | int64) | int64) -}} +{{- $containerMemory := ((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) -}} +{{- $rpMem_2 := $values.resources.memory.redpanda -}} +{{- if (and (ne (toJson $rpMem_2) "null") (ne (toJson $rpMem_2.memory) "null")) -}} +{{- $memory = ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_2.memory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64) -}} +{{- else -}} +{{- $memory = (((mulf ($containerMemory | float64) 0.8) | float64) | int64) -}} +{{- end -}} +{{- if (eq $memory (0 | int64)) -}} +{{- $_ := (fail "unable to get memory value redpanda-memory") -}} +{{- end -}} +{{- if (lt $memory (256 | int64)) -}} +{{- $_ := (fail (printf "%d is below the minimum value for Redpanda" $memory)) -}} +{{- end -}} +{{- if (gt ((add $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64)) | int64) $containerMemory) -}} +{{- $_ := (fail (printf "Not enough container memory for Redpanda memory values where Redpanda: %d, reserve: %d, container: %d" $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) $containerMemory)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $memory) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ContainerMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne (toJson $values.resources.memory.container.min) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.min) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.max) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_notes.go.tpl new file mode 100644 index 0000000000..e547ce092d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_notes.go.tpl @@ -0,0 +1,167 @@ +{{- /* Generated from "notes.go" */ -}} + +{{- define "redpanda.Warnings" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $warnings := (coalesce nil) -}} +{{- $w_1 := (get (fromJson (include "redpanda.cpuWarning" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $w_1 "") -}} +{{- $warnings = (concat (default (list ) $warnings) (list (printf `**Warning**: %s` $w_1))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $warnings) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.cpuWarning" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $coresInMillis := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillis (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%dm is below the minimum recommended CPU value for Redpanda" $coresInMillis)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Notes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $anySASL := (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $notes := (coalesce nil) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `` `` `` (printf `Congratulations on installing %s!` $dot.Chart.Name) `` `The pods will rollout in a few seconds. To check the status:` `` (printf ` kubectl -n %s rollout status statefulset %s --watch` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}} +{{- if (and $values.external.enabled (eq $values.external.type "LoadBalancer")) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `If you are using the load balancer service with a cloud provider, the services will likely have automatically-generated addresses. In this scenario the advertised listeners must be updated in order for external access to work. Run the following command once Redpanda is deployed:` `` (printf ` helm upgrade %s redpanda/redpanda --reuse-values -n %s --set $(kubectl get svc -n %s -o jsonpath='{"external.addresses={"}{ range .items[*]}{.status.loadBalancer.ingress[0].ip }{.status.loadBalancer.ingress[0].hostname}{","}{ end }{"}\n"}')` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace $dot.Release.Namespace))) -}} +{{- end -}} +{{- $profiles := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $profiles) -}} +{{- $profileName := (index $profiles (0 | int)) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Set up rpk for access to your external listeners:`)) -}} +{{- $profile := (index $values.listeners.kafka.external $profileName) -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $external := "" -}} +{{- if (and (ne (toJson $profile.tls) "null") (ne (toJson $profile.tls.cert) "null")) -}} +{{- $external = $profile.tls.cert -}} +{{- else -}} +{{- $external = $values.listeners.kafka.tls.cert -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` kubectl get secret -n %s %s-%s-cert -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $external))) -}} +{{- if (or $values.listeners.kafka.tls.requireClientAuth $values.listeners.admin.tls.requireClientAuth) -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.crt" | base64decode }}' > tls.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.key" | base64decode }}' > tls.key` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` rpk profile create --from-profile <(kubectl get configmap -n %s %s-rpk -o go-template='{{ .data.profile }}') %s` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $profileName) `` `Set up dns to look up the pods on their Kubernetes Nodes. You can use this query to get the list of short-names to IP addresses. Add your external domain to the hostnames and you could test by adding these to your /etc/hosts:` `` (printf ` kubectl get pod -n %s -o custom-columns=node:.status.hostIP,name:.metadata.name --no-headers -l app.kubernetes.io/name=redpanda,app.kubernetes.io/component=redpanda-statefulset` $dot.Release.Namespace))) -}} +{{- if $anySASL -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Set the credentials in the environment:` `` (printf ` kubectl -n %s get secret %s -o go-template="{{ range .data }}{{ . | base64decode }}{{ end }}" | IFS=: read -r %s` $dot.Release.Namespace $values.auth.sasl.secretRef (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")) (printf ` export %s` (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Try some sample commands:`)) -}} +{{- if $anySASL -}} +{{- $notes = (concat (default (list ) $notes) (list `Create a user:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLUserCreate" (dict "a" (list $dot) ))) "r")) `` `Give the user permissions:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLCreate" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Get the api status:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkClusterInfo" (dict "a" (list $dot) ))) "r")) `` `Create a topic` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicCreate" (dict "a" (list $dot) ))) "r")) `` `Describe the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDescribe" (dict "a" (list $dot) ))) "r")) `` `Delete the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDelete" (dict "a" (list $dot) ))) "r")))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $notes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkACLUserCreate" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `rpk acl user create myuser --new-password changeme --mechanism %s` (get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SASLMechanism" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne (toJson $values.auth.sasl) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.auth.sasl.mechanism) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "SCRAM-SHA-512") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkACLCreate" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk acl create --allow-principal 'myuser' --allow-host '*' --operation all --topic 'test-topic'`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkClusterInfo" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk cluster info`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicCreate" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `rpk topic create test-topic -p 3 -r %d` (min (3 | int64) (($values.statefulset.replicas | int) | int64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicDescribe" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk topic describe test-topic`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicDelete" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk topic delete test-topic`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkSASLEnvironmentVariables" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" `RPK_USER RPK_PASS RPK_SASL_MECHANISM`) | toJson -}} +{{- break -}} +{{- else -}} +{{- $_is_returning = true -}} +{{- (dict "r" `REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_poddisruptionbudget.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_poddisruptionbudget.go.tpl new file mode 100644 index 0000000000..763b7b0bdf --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_poddisruptionbudget.go.tpl @@ -0,0 +1,21 @@ +{{- /* Generated from "poddisruptionbudget.go" */ -}} + +{{- define "redpanda.PodDisruptionBudget" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $budget := ($values.statefulset.budget.maxUnavailable | int) -}} +{{- $minReplicas := ((div ($values.statefulset.replicas | int) (2 | int)) | int) -}} +{{- if (and (gt $budget (1 | int)) (gt $budget $minReplicas)) -}} +{{- $_ := (fail (printf "statefulset.budget.maxUnavailable is set too high to maintain quorum: %d > %d" $budget $minReplicas)) -}} +{{- end -}} +{{- $maxUnavailable := ($budget | int) -}} +{{- $matchLabels := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $matchLabels "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "disruptionsAllowed" 0 "currentHealthy" 0 "desiredHealthy" 0 "expectedPods" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "policy/v1" "kind" "PodDisruptionBudget" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" $matchLabels )) "maxUnavailable" $maxUnavailable )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_post-install-upgrade-job.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_post-install-upgrade-job.go.tpl new file mode 100644 index 0000000000..f71579edb9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_post-install-upgrade-job.go.tpl @@ -0,0 +1,123 @@ +{{- /* Generated from "post_install_upgrade_job.go" */ -}} + +{{- define "redpanda.bootstrapYamlTemplater" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $env := (get (fromJson (include "redpanda.TieredStorageCredentials.AsEnvVars" (dict "a" (list $values.storage.tiered.credentialsSecretRef (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) ))) "r") -}} +{{- $image := (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "bootstrap-yaml-envsubst" "image" $image "command" (list "/redpanda-operator" "envsubst" "/tmp/base-config/bootstrap.yaml" "--output" "/tmp/config/.bootstrap.yaml") "env" $env "resources" (mustMergeOverwrite (dict ) (dict "limits" (dict "cpu" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "100m") ))) "r") "memory" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "25Mi") ))) "r") ) "requests" (dict "cpu" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "100m") ))) "r") "memory" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "25Mi") ))) "r") ) )) "securityContext" (mustMergeOverwrite (dict ) (dict "allowPrivilegeEscalation" false "readOnlyRootFilesystem" true "runAsNonRoot" true )) "volumeMounts" (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/tmp/config/" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config/" ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostInstallUpgradeJob" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_install_job.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $image := (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) -}} +{{- $job := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-configuration" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (default (dict ) $values.post_install_job.labels)) "annotations" (merge (dict ) (dict "helm.sh/hook" "post-install,post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-5" ) (default (dict ) $values.post_install_job.annotations)) )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_install_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "generateName" (printf "%s-post-" $dot.Release.Name) "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%.50s-post-install" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) ) (default (dict ) $values.commonLabels)) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (get (fromJson (include "redpanda.postInstallJobAffinity" (dict "a" (list $dot) ))) "r") "tolerations" (get (fromJson (include "redpanda.tolerations" (dict "a" (list $dot) ))) "r") "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "initContainers" (list (get (fromJson (include "redpanda.bootstrapYamlTemplater" (dict "a" (list $dot) ))) "r")) "automountServiceAccountToken" false "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-install" "image" $image "env" (get (fromJson (include "redpanda.PostInstallUpgradeEnvironmentVariables" (dict "a" (list $dot) ))) "r") "command" (list "/redpanda-operator" "sync-cluster-config" "--redpanda-yaml" "/tmp/base-config/redpanda.yaml" "--bootstrap-yaml" "/tmp/config/.bootstrap.yaml") "resources" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.resources (mustMergeOverwrite (dict ) (dict ))) ))) "r") "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "volumeMounts" (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/tmp/config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config" )))) ))) "volumes" (concat (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "base-config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )))) "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) )) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $job) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.postInstallJobAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.post_install_job.affinity)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.post_install_job.affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.post_install_job.affinity $values.affinity)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.tolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $t := $values.tolerations -}} +{{- $result = (concat (default (list ) $result) (list (merge (dict ) $t))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostInstallUpgradeEnvironmentVariables" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $envars := (list ) -}} +{{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}} +{{- $secretReference_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $license_1 "") -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "value" $license_1 )))) -}} +{{- else -}}{{- if (ne (toJson $secretReference_2) "null") -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" $secretReference_2 )) )))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.bootstrapEnvVars" (dict "a" (list $dot $envars) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.GetLicenseLiteral" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.enterprise.license "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.enterprise.license) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.license_key) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.GetLicenseSecretReference" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.enterprise.licenseSecretRef)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" $values.enterprise.licenseSecretRef.key ))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (not (empty $values.license_secret_ref)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.license_secret_ref.secret_name )) (dict "key" $values.license_secret_ref.secret_key ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_post_upgrade_job.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_post_upgrade_job.go.tpl new file mode 100644 index 0000000000..6a95bb94e6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_post_upgrade_job.go.tpl @@ -0,0 +1,87 @@ +{{- /* Generated from "post_upgrade_job.go" */ -}} + +{{- define "redpanda.PostUpgrade" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_upgrade_job.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $labels := (default (dict ) $values.post_upgrade_job.labels) -}} +{{- $annotations := (default (dict ) $values.post_upgrade_job.annotations) -}} +{{- $annotations = (merge (dict ) (dict "helm.sh/hook" "post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-10" ) $annotations) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-post-upgrade" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $labels) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "backoffLimit" $values.post_upgrade_job.backoffLimit "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_upgrade_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $dot.Release.Name "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%s-post-upgrade" (trunc (50 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r"))) ) $values.commonLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (merge (dict ) $values.post_upgrade_job.affinity $values.affinity) "tolerations" $values.tolerations "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-upgrade" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list "/bin/bash" "-c") "args" (list (get (fromJson (include "redpanda.PostUpgradeJobScript" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot $values.post_upgrade_job.extraEnv) ))) "r") "envFrom" $values.post_upgrade_job.extraEnvFrom "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_upgrade_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "resources" $values.post_upgrade_job.resources "volumeMounts" (get (fromJson (include "redpanda.DefaultMounts" (dict "a" (list $dot) ))) "r") ))) "volumes" (get (fromJson (include "redpanda.DefaultVolumes" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostUpgradeJobScript" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $script := (list `set -e` ``) -}} +{{- range $key, $value := $values.config.cluster -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $value) ))) "r")) ))) "r") -}} +{{- $isInt64 := $tmp_tuple_1.T2 -}} +{{- $asInt64 := ($tmp_tuple_1.T1 | int64) -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $value false) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_2.T2 -}} +{{- $asBool_1 := $tmp_tuple_2.T1 -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $value "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_3.T2 -}} +{{- $asStr_3 := $tmp_tuple_3.T1 -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "[]%s" "interface {}") $value (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_4.T2 -}} +{{- $asSlice_5 := $tmp_tuple_4.T1 -}} +{{- if (and $ok_2 $asBool_1) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %t" $key $asBool_1))) -}} +{{- else -}}{{- if (and $ok_4 (ne $asStr_3 "")) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %s" $key $asStr_3))) -}} +{{- else -}}{{- if (and $isInt64 (gt $asInt64 (0 | int64))) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %d" $key $asInt64))) -}} +{{- else -}}{{- if (and $ok_6 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $asSlice_5) ))) "r") | int) (0 | int))) -}} +{{- $script = (concat (default (list ) $script) (list (printf `rpk cluster config set %s "[ %s ]"` $key (join "," $asSlice_5)))) -}} +{{- else -}}{{- if (not (empty $value)) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %v" $key $value))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "default_topic_replications" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_7 := $tmp_tuple_5.T2 -}} +{{- if (and (not $ok_7) (ge ($values.statefulset.replicas | int) (3 | int))) -}} +{{- $script = (concat (default (list ) $script) (list "rpk cluster config set default_topic_replications 3")) -}} +{{- end -}} +{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "storage_min_free_bytes" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_8 := $tmp_tuple_6.T2 -}} +{{- if (not $ok_8) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set storage_min_free_bytes %d" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64)))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}} +{{- $service := $values.listeners.admin -}} +{{- $caCert := "" -}} +{{- $scheme := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $service.tls $values.tls) ))) "r") -}} +{{- $scheme = "https" -}} +{{- $caCert = (printf "--cacert %q" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $service.tls $values.tls) ))) "r")) -}} +{{- end -}} +{{- $url := (printf "%s://%s:%d/v1/debug/restart_service?service=schema-registry" $scheme (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") (($service.port | int) | int64)) -}} +{{- $script = (concat (default (list ) $script) (list `if [ -d "/etc/secrets/users/" ]; then` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` ` curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \` (printf ` %s \` $caCert) ` -X PUT -u ${USER_NAME}:${PASSWORD} \` (printf ` %s || true` $url) `fi`)) -}} +{{- end -}} +{{- $script = (concat (default (list ) $script) (list "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (join "\n" $script)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_rbac.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_rbac.go.tpl new file mode 100644 index 0000000000..162092626d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_rbac.go.tpl @@ -0,0 +1,116 @@ +{{- /* Generated from "rbac.go" */ -}} + +{{- define "redpanda.ClusterRoles" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $crs := (coalesce nil) -}} +{{- $cr_1 := (get (fromJson (include "redpanda.SidecarControllersClusterRole" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $cr_1) "null") -}} +{{- $crs = (concat (default (list ) $crs) (list $cr_1)) -}} +{{- end -}} +{{- if (not $values.rbac.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $crs = (concat (default (list ) $crs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list") ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "configmaps" "endpoints" "events" "limitranges" "persistentvolumeclaims" "pods" "pods/log" "replicationcontrollers" "resourcequotas" "serviceaccounts" "services") "verbs" (list "get" "list") ))) ))))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterRoleBindings" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $crbs := (coalesce nil) -}} +{{- $crb_2 := (get (fromJson (include "redpanda.SidecarControllersClusterRoleBinding" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $crb_2) "null") -}} +{{- $crbs = (concat (default (list ) $crbs) (list $crb_2)) -}} +{{- end -}} +{{- if (not $values.rbac.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crbs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $crbs = (concat (default (list ) $crbs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $rpkBundleName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crbs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumes") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "Role" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets/status") "verbs" (list "patch" "update") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "secrets" "pods") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets") "verbs" (list "get" "patch" "update" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumeclaims") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "RoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "Role" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_secrets.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_secrets.go.tpl new file mode 100644 index 0000000000..1f03df9848 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_secrets.go.tpl @@ -0,0 +1,423 @@ +{{- /* Generated from "secrets.go" */ -}} + +{{- define "redpanda.Secrets" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $secrets := (coalesce nil) -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretSTSLifecycle" (dict "a" (list $dot) ))) "r"))) -}} +{{- $saslUsers_1 := (get (fromJson (include "redpanda.SecretSASLUsers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $saslUsers_1) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $saslUsers_1)) -}} +{{- end -}} +{{- $configWatcher_2 := (get (fromJson (include "redpanda.SecretConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $configWatcher_2) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $configWatcher_2)) -}} +{{- end -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $fsValidator_3 := (get (fromJson (include "redpanda.SecretFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $fsValidator_3) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $fsValidator_3)) -}} +{{- end -}} +{{- $bootstrapUser_4 := (get (fromJson (include "redpanda.SecretBootstrapUser" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $bootstrapUser_4) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $bootstrapUser_4)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secrets) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSTSLifecycle" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-sts-lifecycle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $adminCurlFlags := (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $secret.stringData "common.sh" (join "\n" (list `#!/usr/bin/env bash` `` `# the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME` (printf `CURL_URL="%s"` (get (fromJson (include "redpanda.adminInternalURL" (dict "a" (list $dot) ))) "r")) `` `# commands used throughout` (printf `CURL_NODE_ID_CMD="curl --silent --fail %s ${CURL_URL}/v1/node_config"` $adminCurlFlags) `` `CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"'` `CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"'` (printf `CURL_MAINTENANCE_GET_CMD="curl -X GET --silent %s ${CURL_URL}/v1/maintenance"` $adminCurlFlags)))) -}} +{{- $postStartSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `postStartHook () {` ` set -x` `` ` touch /tmp/postStartHookStarted` `` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Clearing maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` # a 400 here would mean not in maintenance mode` ` until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do` ` status=$(${CURL_MAINTENANCE_DELETE_CMD})` ` sleep 0.5` ` done`) -}} +{{- if (and $values.auth.sasl.enabled (ne $values.auth.sasl.secretRef "")) -}} +{{- $postStartSh = (concat (default (list ) $postStartSh) (list ` # Setup and export SASL bootstrap-user` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` rpk acl user create ${USER_NAME} -p {PASSWORD} --mechanism ${MECHANISM} || true`)) -}} +{{- end -}} +{{- $postStartSh = (concat (default (list ) $postStartSh) (list `` ` touch /tmp/postStartHookFinished` `}` `` `postStartHook` `true`)) -}} +{{- $_ := (set $secret.stringData "postStart.sh" (join "\n" $postStartSh)) -}} +{{- $preStopSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `touch /tmp/preStopHookStarted` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `set -x` `` `preStopHook () {` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Setting maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` until [ "${status:-}" = '"200"' ]; do` ` status=$(${CURL_MAINTENANCE_PUT_CMD})` ` sleep 0.5` ` done` `` ` until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do` ` res=$(${CURL_MAINTENANCE_GET_CMD})` ` finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$')` ` draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$')` ` sleep 0.5` ` done` `` ` touch /tmp/preStopHookFinished` `}`) -}} +{{- if (and (gt ($values.statefulset.replicas | int) (2 | int)) (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig "recovery_mode_enabled" false $values.config.node)) ))) "r"))) -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `preStopHook`)) -}} +{{- else -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `touch /tmp/preStopHookFinished` `echo "Not enough replicas or in recovery mode, cannot put a broker into maintenance mode."`)) -}} +{{- end -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `true`)) -}} +{{- $_ := (set $secret.stringData "preStop.sh" (join "\n" $preStopSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSASLUsers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (and (ne $values.auth.sasl.secretRef "") $values.auth.sasl.enabled) (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.auth.sasl.users) ))) "r") | int) (0 | int))) -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $values.auth.sasl.secretRef "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $usersTxt := (list ) -}} +{{- range $_, $user := $values.auth.sasl.users -}} +{{- if (empty $user.mechanism) -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s" $user.name $user.password))) -}} +{{- else -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s:%s" $user.name $user.password $user.mechanism))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $secret.stringData "users.txt" (join "\n" $usersTxt)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- else -}}{{- if (and $values.auth.sasl.enabled (eq $values.auth.sasl.secretRef "")) -}} +{{- $_ := (fail "auth.sasl.secretRef cannot be empty when auth.sasl.enabled=true") -}} +{{- else -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretBootstrapUser" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.auth.sasl.enabled) (ne (toJson $values.auth.sasl.bootstrapUser.secretKeyRef) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $secretName := (printf "%s-bootstrap-user" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "v1" "Secret" $dot.Release.Namespace $secretName) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_1.T2 -}} +{{- $existing_5 := $tmp_tuple_1.T1 -}} +{{- if $ok_6 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_5) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $password := (randAlphaNum (32 | int)) -}} +{{- $userPassword := $values.auth.sasl.bootstrapUser.password -}} +{{- if (ne (toJson $userPassword) "null") -}} +{{- $password = $userPassword -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $secretName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "password" $password ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $bootstrapUser := (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $values.auth.sasl.bootstrapUser) ))) "r") -}} +{{- $sasl := $values.auth.sasl -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-config-watcher" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $saslUserSh := (coalesce nil) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `#!/usr/bin/env bash` `` `trap 'error_handler $? $LINENO' ERR` `` `error_handler() {` ` echo "Error: ($1) occurred at line $2"` `}` `` `set -e` `` `# rpk cluster health can exit non-zero if it's unable to dial brokers. This` `# can happen for many reasons but we never want this script to crash as it` `# would take down yet another broker and make a bad situation worse.` `# Instead, just wait for the command to eventually exit zero.` `echo "Waiting for cluster to be ready"` `until rpk cluster health --watch --exit-when-healthy; do` ` echo "rpk cluster health failed. Waiting 5 seconds before trying again..."` ` sleep 5` `done`)) -}} +{{- if (and $sasl.enabled (ne $sasl.secretRef "")) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `while true; do` ` echo "RUNNING: Monitoring and Updating SASL users"` ` USERS_DIR="/etc/secrets/users"` `` ` new_users_list(){` ` LIST=$1` ` NEW_USER=$2` ` if [[ -n "${LIST}" ]]; then` ` LIST="${NEW_USER},${LIST}"` ` else` ` LIST="${NEW_USER}"` ` fi` `` ` echo "${LIST}"` ` }` `` ` process_users() {` ` USERS_DIR=${1-"/etc/secrets/users"}` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` (printf ` USERS_LIST="%s"` $bootstrapUser) ` READ_LIST_SUCCESS=0` ` # Read line by line, handle a missing EOL at the end of file` ` while read p || [ -n "$p" ] ; do` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM <<< $p` ` # Do not process empty lines` ` if [ -z "$USER_NAME" ]; then` ` continue` ` fi` ` if [[ "${USER_NAME// /}" != "$USER_NAME" ]]; then` ` continue` ` fi` ` echo "Creating user ${USER_NAME}..."` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` creation_result=$(rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` # Check if the stderr contains "User already exists"` ` # this error occurs when password has changed` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Update user ${USER_NAME}"` ` # we will try to update by first deleting` ` deletion_result=$(rpk acl user delete ${USER_NAME} 2>&1) && deletion_result_exit_code=$? || deletion_result_exit_code=$?` ` if [[ $deletion_result_exit_code -ne 0 ]]; then` ` echo "deletion of user ${USER_NAME} failed: ${deletion_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # Now we update the user` ` update_result=$(rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM} 2>&1) && update_result_exit_code=$? || update_result_exit_code=$? # On a non-success exit code` ` if [[ $update_result_exit_code -ne 0 ]]; then` ` echo "updating user ${USER_NAME} failed: ${update_result}"` ` READ_LIST_SUCCESS=1` ` break` ` else` ` echo "Updated user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` else` ` # Another error occurred, so output the original message and exit code` ` echo "error creating user ${USER_NAME}: ${creation_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # On a success, the user was created so output that` ` else` ` echo "Created user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` done < $USERS_FILE` `` ` if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]; then` ` echo "Setting superusers configurations with users [${USERS_LIST}]"` ` superuser_result=$(rpk cluster config set superusers [${USERS_LIST}] 2>&1) && superuser_result_exit_code=$? || superuser_result_exit_code=$?` ` if [[ $superuser_result_exit_code -ne 0 ]]; then` ` echo "Setting superusers configurations failed: ${superuser_result}"` ` else` ` echo "Completed setting superusers configurations"` ` fi` ` fi` ` }` `` ` # before we do anything ensure we have the bootstrap user` ` echo "Ensuring bootstrap user ${RPK_USER}..."` ` creation_result=$(rpk acl user create ${RPK_USER} -p ${RPK_PASS} --mechanism ${RPK_SASL_MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Bootstrap user already created"` ` else` ` echo "error creating user ${RPK_USER}: ${creation_result}"` ` fi` ` fi` `` ` # first time processing` ` process_users $USERS_DIR` `` ` # subsequent changes detected here` ` # watching delete_self as documented in https://ahmet.im/blog/kubernetes-inotify/` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` ` while RES=$(inotifywait -q -e delete_self ${USERS_FILE}); do` ` process_users $USERS_DIR` ` done` `done`)) -}} +{{- else -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `echo "Nothing to do. Sleeping..."` `sleep infinity`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "sasl-user.sh" (join "\n" $saslUserSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-fs-validator" (substr 0 (49 | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $_ := (set $secret.stringData "fsValidator.sh" `set -e +EXPECTED_FS_TYPE=$1 + +DATA_DIR="/var/lib/redpanda/data" +TEST_FILE="testfile" + +echo "checking data directory exist..." +if [ ! -d "${DATA_DIR}" ]; then + echo "data directory does not exists, exiting" + exit 1 +fi + +echo "checking filesystem type..." +FS_TYPE=$(df -T $DATA_DIR | tail -n +2 | awk '{print $2}') + +if [ "${FS_TYPE}" != "${EXPECTED_FS_TYPE}" ]; then + echo "file system found to be ${FS_TYPE} when expected ${EXPECTED_FS_TYPE}" + exit 1 +fi + +echo "checking if able to create a test file..." + +touch ${DATA_DIR}/${TEST_FILE} +result=$(touch ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not write testfile, may not have write permission" + exit 1 +fi + +echo "checking if able to delete a test file..." + +result=$(rm ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not delete testfile" + exit 1 +fi + +echo "passed"`) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%.51s-configurator" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $configuratorSh := (list ) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `set -xe` `SERVICE_NAME=$1` `KUBERNETES_NODE_NAME=$2` `POD_ORDINAL=${SERVICE_NAME##*-}` "BROKER_INDEX=`expr $POD_ORDINAL + 1`" `` `CONFIG=/etc/redpanda/redpanda.yaml` `` `# Setup config files` `cp /tmp/base-config/redpanda.yaml "${CONFIG}"`)) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure bootstrap` `## Not used for Redpanda v22.3.0+` `rpk --config "${CONFIG}" redpanda config set redpanda.node_id "${POD_ORDINAL}"` `if [ "${POD_ORDINAL}" = "0" ]; then` ` rpk --config "${CONFIG}" redpanda config set redpanda.seed_servers '[]' --format yaml` `fi`)) -}} +{{- end -}} +{{- $kafkaSnippet := (get (fromJson (include "redpanda.secretConfiguratorKafkaConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $kafkaSnippet)) -}} +{{- $httpSnippet := (get (fromJson (include "redpanda.secretConfiguratorHTTPConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $httpSnippet)) -}} +{{- if (and (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r") $values.rackAwareness.enabled) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure Rack Awareness` `set +x` (printf `RACK=$(curl --silent --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --fail -H 'Authorization: Bearer '$(cat /run/secrets/kubernetes.io/serviceaccount/token) "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/nodes/${KUBERNETES_NODE_NAME}?pretty=true" | grep %s | grep -v '\"key\":' | sed 's/.*": "\([^"]\+\).*/\1/')` (squote (quote $values.rackAwareness.nodeAnnotation))) `set -x` `rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}"`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "configurator.sh" (join "\n" $configuratorSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorKafkaConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "kafka" -}} +{{- $listenerAdvertisedName := $listenerName -}} +{{- $redpandaConfigPart := "redpanda" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.kafka.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.kafka.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := $values.listeners.kafka.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorHTTPConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "http" -}} +{{- $listenerAdvertisedName := "pandaproxy" -}} +{{- $redpandaConfigPart := "pandaproxy" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.http.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.http.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := $values.listeners.http.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminTLSCurlFlags" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- if $values.listeners.admin.tls.requireClientAuth -}} +{{- $path := (printf "/etc/tls/certs/%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $path := (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "--cacert %s" $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.externalAdvertiseAddress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $eaa := "${SERVICE_NAME}" -}} +{{- $externalDomainTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- $expanded := (tpl $externalDomainTemplate $dot) -}} +{{- if (not (empty $expanded)) -}} +{{- $eaa = (printf "%s.%s" "${SERVICE_NAME}" $expanded) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $eaa) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHostJSON" -}} +{{- $dot := (index .a 0) -}} +{{- $externalName := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- $replicaIndex := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $host := (dict "name" $externalName "address" (get (fromJson (include "redpanda.externalAdvertiseAddress" (dict "a" (list $dot) ))) "r") "port" $port ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $address := "" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses $replicaIndex) -}} +{{- else -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- end -}} +{{- $domain_7 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- if (ne $domain_7 "") -}} +{{- $host = (dict "name" $externalName "address" (printf "%s.%s" $address $domain_7) "port" $port ) -}} +{{- else -}} +{{- $host = (dict "name" $externalName "address" $address "port" $port ) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $host) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalHTTPProtocol" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" "https") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "http") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalURL" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s://%s.%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") `${SERVICE_NAME}` (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace (trimSuffix "." $values.clusterDomain) ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_service.internal.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_service.internal.go.tpl new file mode 100644 index 0000000000..0719ec5fa3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_service.internal.go.tpl @@ -0,0 +1,38 @@ +{{- /* Generated from "service_internal.go" */ -}} + +{{- define "redpanda.MonitoringEnabledLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "monitoring.redpanda.com/enabled" (printf "%t" $values.monitoring.enabled) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceInternal" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list ) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "admin" "protocol" "TCP" "appProtocol" $values.listeners.admin.appProtocol "port" ($values.listeners.admin.port | int) "targetPort" ($values.listeners.admin.port | int) )))) -}} +{{- if $values.listeners.http.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "protocol" "TCP" "port" ($values.listeners.http.port | int) "targetPort" ($values.listeners.http.port | int) )))) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "kafka" "protocol" "TCP" "port" ($values.listeners.kafka.port | int) "targetPort" ($values.listeners.kafka.port | int) )))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rpc" "protocol" "TCP" "port" ($values.listeners.rpc.port | int) "targetPort" ($values.listeners.rpc.port | int) )))) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "schemaregistry" "protocol" "TCP" "port" ($values.listeners.schemaRegistry.port | int) "targetPort" ($values.listeners.schemaRegistry.port | int) )))) -}} +{{- end -}} +{{- $annotations := (dict ) -}} +{{- if (ne (toJson $values.service) "null") -}} +{{- $annotations = $values.service.internal.annotations -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.MonitoringEnabledLabel" (dict "a" (list $dot) ))) "r")) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" "ClusterIP" "publishNotReadyAddresses" true "clusterIP" "None" "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "ports" $ports )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_service.loadbalancer.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_service.loadbalancer.go.tpl new file mode 100644 index 0000000000..dbc7547509 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_service.loadbalancer.go.tpl @@ -0,0 +1,101 @@ +{{- /* Generated from "service.loadbalancer.go" */ -}} + +{{- define "redpanda.LoadBalancerServices" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "LoadBalancer") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $externalDNS := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.externalDns (mustMergeOverwrite (dict "enabled" false ) (dict ))) ))) "r") -}} +{{- $labels := (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $labels "repdanda.com/type" "loadbalancer") -}} +{{- $selector := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $services := (coalesce nil) -}} +{{- $replicas := ($values.statefulset.replicas | int) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $podname := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i) -}} +{{- $annotations := (dict ) -}} +{{- range $k, $v := $values.external.annotations -}} +{{- $_ := (set $annotations $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if $externalDNS.enabled -}} +{{- $prefix := $podname -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) ($i | int)) -}} +{{- $prefix = (index $values.external.addresses $i) -}} +{{- end -}} +{{- $address := (printf "%s.%s" $prefix (tpl $values.external.domain $dot)) -}} +{{- $_ := (set $annotations "external-dns.alpha.kubernetes.io/hostname" $address) -}} +{{- end -}} +{{- $podSelector := (dict ) -}} +{{- range $k, $v := $selector -}} +{{- $_ := (set $podSelector $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $podSelector "statefulset.kubernetes.io/pod-name" $podname) -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($values.listeners.admin.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $svc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "lb-%s" $podname) "namespace" $dot.Release.Namespace "labels" $labels "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "loadBalancerSourceRanges" $values.external.sourceRanges "ports" $ports "publishNotReadyAddresses" true "selector" $podSelector "sessionAffinity" "None" "type" "LoadBalancer" )) )) -}} +{{- $services = (concat (default (list ) $services) (list $svc)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $services) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_service.nodeport.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_service.nodeport.go.tpl new file mode 100644 index 0000000000..bc199951d7 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_service.nodeport.go.tpl @@ -0,0 +1,80 @@ +{{- /* Generated from "service.nodeport.go" */ -}} + +{{- define "redpanda.NodePortService" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "NodePort") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $annotations := $values.external.annotations -}} +{{- if (eq (toJson $annotations) "null") -}} +{{- $annotations = (dict ) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-external" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "ports" $ports "publishNotReadyAddresses" true "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "NodePort" )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_serviceaccount.go.tpl new file mode 100644 index 0000000000..9122cbd2a4 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_serviceaccount.go.tpl @@ -0,0 +1,18 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "redpanda.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_servicemonitor.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_servicemonitor.go.tpl new file mode 100644 index 0000000000..7f5a621309 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_servicemonitor.go.tpl @@ -0,0 +1,26 @@ +{{- /* Generated from "servicemonitor.go" */ -}} + +{{- define "redpanda.ServiceMonitor" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.monitoring.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $endpoint := (mustMergeOverwrite (dict ) (dict "interval" $values.monitoring.scrapeInterval "path" "/public_metrics" "port" "admin" "enableHttp2" $values.monitoring.enableHttp2 "scheme" "http" )) -}} +{{- if (or (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") (ne (toJson $values.monitoring.tlsConfig) "null")) -}} +{{- $_ := (set $endpoint "scheme" "https") -}} +{{- $_ := (set $endpoint "tlsConfig" $values.monitoring.tlsConfig) -}} +{{- if (eq (toJson $endpoint.tlsConfig) "null") -}} +{{- $_ := (set $endpoint "tlsConfig" (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (dict "insecureSkipVerify" true )) (dict ))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "ServiceMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $values.monitoring.labels) )) "spec" (mustMergeOverwrite (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "endpoints" (list $endpoint) "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (dict "monitoring.redpanda.com/enabled" "true" "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name ) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.6/templates/_shims.tpl new file mode 100644 index 0000000000..1e6d0425c3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_shims.tpl @@ -0,0 +1,289 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $ptr) "null") -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $m) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $ptr) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq (toJson $a) "null") (eq (toJson $b) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne (toJson $manifest) "null" }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.6/templates/_statefulset.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_statefulset.go.tpl new file mode 100644 index 0000000000..ccef558b4c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_statefulset.go.tpl @@ -0,0 +1,712 @@ +{{- /* Generated from "statefulset.go" */ -}} + +{{- define "redpanda.statefulSetRedpandaEnv" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "POD_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.podIP" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.hostIP" )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodLabelsSelector" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $existing_1 := $tmp_tuple_1.T1 -}} +{{- if (and $ok_2 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_1.spec.selector.matchLabels) ))) "r") | int) (0 | int))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_1.spec.selector.matchLabels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $additionalSelectorLabels := (dict ) -}} +{{- if (ne (toJson $values.statefulset.additionalSelectorLabels) "null") -}} +{{- $additionalSelectorLabels = $values.statefulset.additionalSelectorLabels -}} +{{- end -}} +{{- $component := (printf "%s-statefulset" (trimSuffix "-" (trunc (51 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")))) -}} +{{- $defaults := (dict "app.kubernetes.io/component" $component "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $additionalSelectorLabels $defaults)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_2.T2 -}} +{{- $existing_3 := $tmp_tuple_2.T1 -}} +{{- if (and $ok_4 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_3.spec.template.metadata.labels) ))) "r") | int) (0 | int))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_3.spec.template.metadata.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $statefulSetLabels := (dict ) -}} +{{- if (ne (toJson $values.statefulset.podTemplate.labels) "null") -}} +{{- $statefulSetLabels = $values.statefulset.podTemplate.labels -}} +{{- end -}} +{{- $defaults := (dict "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $statefulSetLabels (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") $defaults (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodAnnotations" -}} +{{- $dot := (index .a 0) -}} +{{- $configMapChecksum := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $configMapChecksumAnnotation := (dict "config.redpanda.com/checksum" $configMapChecksum ) -}} +{{- if (ne (toJson $values.statefulset.podTemplate.annotations) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.statefulset.podTemplate.annotations $configMapChecksumAnnotation)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.statefulset.annotations $configMapChecksumAnnotation)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $volumes := (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.50s-sts-lifecycle" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" "lifecycle-scripts" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $fullname )) (dict )) )) (dict "name" "base-config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.51s-configurator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.51s-configurator" $fullname) )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%s-config-watcher" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%s-config-watcher" $fullname) ))))) -}} +{{- if $values.statefulset.initContainers.fsValidator.enabled -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.49s-fs-validator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.49s-fs-validator" $fullname) )))) -}} +{{- end -}} +{{- $vol_5 := (get (fromJson (include "redpanda.Listeners.TrustStoreVolume" (dict "a" (list $values.listeners $values.tls) ))) "r") -}} +{{- if (ne (toJson $vol_5) "null") -}} +{{- $volumes = (concat (default (list ) $volumes) (list $vol_5)) -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (get (fromJson (include "redpanda.templateToVolumes" (dict "a" (list $dot $values.statefulset.extraVolumes) ))) "r"))) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (get (fromJson (include "redpanda.statefulSetVolumeDataDir" (dict "a" (list $dot) ))) "r"))) -}} +{{- $v_6 := (get (fromJson (include "redpanda.statefulSetVolumeTieredStorageDir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $v_6) "null") -}} +{{- $volumes = (concat (default (list ) $volumes) (list $v_6)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetVolumeDataDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $datadirSource := (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) -}} +{{- if $values.storage.persistentVolume.enabled -}} +{{- $datadirSource = (mustMergeOverwrite (dict ) (dict "persistentVolumeClaim" (mustMergeOverwrite (dict "claimName" "" ) (dict "claimName" "datadir" )) )) -}} +{{- else -}}{{- if (ne $values.storage.hostPath "") -}} +{{- $datadirSource = (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" $values.storage.hostPath )) )) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) $datadirSource (dict "name" "datadir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetVolumeTieredStorageDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredType := (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") -}} +{{- if (or (eq $tieredType "none") (eq $tieredType "persistentVolume")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq $tieredType "hostPath") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" (get (fromJson (include "redpanda.Storage.GetTieredStorageHostPath" (dict "a" (list $values.storage) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict "sizeLimit" (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r"))) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "lifecycle-scripts" "mountPath" "/var/lifecycle" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" ))))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $values.listeners $values.tls) ))) "r")) ))) "r") | int) (0 | int)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststores" "mountPath" "/etc/truststores" "readOnly" true )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetInitContainers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $containers := (coalesce nil) -}} +{{- $c_7 := (get (fromJson (include "redpanda.statefulSetInitContainerTuning" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_7) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_7)) -}} +{{- end -}} +{{- $c_8 := (get (fromJson (include "redpanda.statefulSetInitContainerSetDataDirOwnership" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_8) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_8)) -}} +{{- end -}} +{{- $c_9 := (get (fromJson (include "redpanda.statefulSetInitContainerFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_9) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_9)) -}} +{{- end -}} +{{- $c_10 := (get (fromJson (include "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_10) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_10)) -}} +{{- end -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetInitContainerConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.bootstrapYamlTemplater" (dict "a" (list $dot) ))) "r"))) -}} +{{- $containers = (concat (default (list ) $containers) (default (list ) (get (fromJson (include "redpanda.templateToContainers" (dict "a" (list $dot $values.statefulset.initContainers.extraInitContainers) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $containers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerTuning" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.tuning.tune_aio_events) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "tuning" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict ) (dict "capabilities" (mustMergeOverwrite (dict ) (dict "add" (list `SYS_RESOURCE`) )) "privileged" true "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64) )) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.tuning.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/etc/redpanda" )))) "resources" $values.statefulset.initContainers.tuning.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerSetDataDirOwnership" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.setDataDirOwnership.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-datadir-ownership") ))) "r")) ))) "r") -}} +{{- $gid := ($tmp_tuple_3.T2 | int64) -}} +{{- $uid := ($tmp_tuple_3.T1 | int64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "set-datadir-ownership" "image" (printf "%s:%s" $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `chown %d:%d -R /var/lib/redpanda/data` $uid $gid)) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setDataDirOwnership.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.setDataDirOwnership.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.securityContextUidGid" -}} +{{- $dot := (index .a 0) -}} +{{- $containerName := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $uid := $values.statefulset.securityContext.runAsUser -}} +{{- if (and (ne (toJson $values.statefulset.podSecurityContext) "null") (ne (toJson $values.statefulset.podSecurityContext.runAsUser) "null")) -}} +{{- $uid = $values.statefulset.podSecurityContext.runAsUser -}} +{{- end -}} +{{- if (eq (toJson $uid) "null") -}} +{{- $_ := (fail (printf `%s container requires runAsUser to be specified` $containerName)) -}} +{{- end -}} +{{- $gid := $values.statefulset.securityContext.fsGroup -}} +{{- if (and (ne (toJson $values.statefulset.podSecurityContext) "null") (ne (toJson $values.statefulset.podSecurityContext.fsGroup) "null")) -}} +{{- $gid = $values.statefulset.podSecurityContext.fsGroup -}} +{{- end -}} +{{- if (eq (toJson $gid) "null") -}} +{{- $_ := (fail (printf `%s container requires fsGroup to be specified` $containerName)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $uid $gid)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "fs-validator" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` (printf `trap "exit 0" TERM; exec /etc/secrets/fs-validator/scripts/fsValidator.sh %s & wait $!` $values.statefulset.initContainers.fsValidator.expectedFS)) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.fsValidator.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.49s-fs-validator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" `/etc/secrets/fs-validator/scripts/` )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.fsValidator.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-tiered-storage-cache-dir-ownership") ))) "r")) ))) "r") -}} +{{- $gid := ($tmp_tuple_4.T2 | int64) -}} +{{- $uid := ($tmp_tuple_4.T1 | int64) -}} +{{- $cacheDir := (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" )))) -}} +{{- if (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none") -}} +{{- $name := "tiered-storage-dir" -}} +{{- if (and (ne (toJson $values.storage.persistentVolume) "null") (ne $values.storage.persistentVolume.nameOverwrite "")) -}} +{{- $name = $values.storage.persistentVolume.nameOverwrite -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" $cacheDir )))) -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" `set-tiered-storage-cache-dir-ownership` "image" (printf `%s:%s` $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `mkdir -p %s; chown %d:%d -R %s` $cacheDir $uid $gid $cacheDir)) "volumeMounts" $mounts "resources" $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/bash` `-c` `trap "exit 0" TERM; exec $CONFIGURATOR_SCRIPT "${SERVICE_NAME}" "${KUBERNETES_NODE_NAME}" & wait $!`) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONFIGURATOR_SCRIPT" "value" "/etc/secrets/configurator/scripts/configurator.sh" )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) "resourceFieldRef" (coalesce nil) "configMapKeyRef" (coalesce nil) "secretKeyRef" (coalesce nil) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "KUBERNETES_NODE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "spec.nodeName" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP_ADDRESS" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "apiVersion" "v1" "fieldPath" "status.hostIP" )) )) )))) ))) "r") "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.configurator.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/configurator/scripts/" )))) "resources" $values.statefulset.initContainers.configurator.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetContainers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $containers := (coalesce nil) -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetContainerRedpanda" (dict "a" (list $dot) ))) "r"))) -}} +{{- $c_11 := (get (fromJson (include "redpanda.statefulSetContainerConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_11) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_11)) -}} +{{- end -}} +{{- $c_12 := (get (fromJson (include "redpanda.statefulSetContainerControllers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_12) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_12)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $containers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerRedpanda" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "$(SERVICE_NAME)" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $container := (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.bootstrapEnvVars" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetRedpandaEnv" (dict "a" (list ) ))) "r")) ))) "r") "lifecycle" (mustMergeOverwrite (dict ) (dict "postStart" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/bash` `-c` (join "\n" (list (printf `timeout -v %d bash -x /var/lifecycle/postStart.sh` ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64)) `true` ``))) )) )) "preStop" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/bash` `-c` (join "\n" (list (printf `timeout -v %d bash -x /var/lifecycle/preStop.sh` ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64)) `true # do not fail and cause the pod to terminate` ``))) )) )) )) "startupProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -e` (printf `RESULT=$(curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready")` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r")) `echo $RESULT` `echo $RESULT | grep ready` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.startupProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.startupProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.startupProbe.failureThreshold | int) )) "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (printf `curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready"` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r"))) )) )) (dict "initialDelaySeconds" ($values.statefulset.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.livenessProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.livenessProbe.failureThreshold | int) )) "command" (list `rpk` `redpanda` `start` (printf `--advertise-rpc-addr=%s:%d` $internalAdvertiseAddress ($values.listeners.rpc.port | int))) "volumeMounts" (concat (default (list ) (get (fromJson (include "redpanda.StatefulSetVolumeMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.extraVolumeMounts) ))) "r"))) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "resources" (mustMergeOverwrite (dict ) (dict )) )) -}} +{{- if (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig `recovery_mode_enabled` false $values.config.node)) ))) "r")) -}} +{{- $_ := (set $container "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -x` `RESULT=$(rpk cluster health)` `echo $RESULT` `echo $RESULT | grep 'Healthy:.*true'` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.statefulset.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.statefulset.readinessProbe.periodSeconds | int) "successThreshold" ($values.statefulset.readinessProbe.successThreshold | int) "failureThreshold" ($values.statefulset.readinessProbe.failureThreshold | int) ))) -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "admin" "containerPort" ($values.listeners.admin.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.admin.external -}} +{{- if (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "admin-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ($values.listeners.http.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.http.external -}} +{{- if (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "http-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "kafka" "containerPort" ($values.listeners.kafka.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.kafka.external -}} +{{- if (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "kafka-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "rpc" "containerPort" ($values.listeners.rpc.port | int) ))))) -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "schemaregistry" "containerPort" ($values.listeners.schemaRegistry.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.schemaRegistry.external -}} +{{- if (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "schema-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none")) -}} +{{- $name := "tiered-storage-dir" -}} +{{- if (and (ne (toJson $values.storage.persistentVolume) "null") (ne $values.storage.persistentVolume.nameOverwrite "")) -}} +{{- $name = $values.storage.persistentVolume.nameOverwrite -}} +{{- end -}} +{{- $_ := (set $container "volumeMounts" (concat (default (list ) $container.volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") ))))) -}} +{{- end -}} +{{- $_ := (set $container.resources "limits" (dict "cpu" $values.resources.cpu.cores "memory" $values.resources.memory.container.max )) -}} +{{- if (ne (toJson $values.resources.memory.container.min) "null") -}} +{{- $_ := (set $container.resources "requests" (dict "cpu" $values.resources.cpu.cores "memory" $values.resources.memory.container.min )) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $container) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminApiURLs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `${SERVICE_NAME}.%s:%d` (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "config-watcher" "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` `trap "exit 0" TERM; exec /etc/secrets/config-watcher/scripts/sasl-user.sh & wait $!`) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (coalesce nil)) ))) "r") "resources" $values.statefulset.sideCars.configWatcher.resources "securityContext" $values.statefulset.sideCars.configWatcher.securityContext "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%s-config-watcher` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/config-watcher/scripts" ))))) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.sideCars.configWatcher.extraVolumeMounts) ))) "r"))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerControllers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.rbac.enabled) (not $values.statefulset.sideCars.controllers.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "redpanda-controllers" "image" (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) "command" (list `/manager`) "args" (list `--operator-mode=false` (printf `--namespace=%s` $dot.Release.Namespace) (printf `--health-probe-bind-address=%s` $values.statefulset.sideCars.controllers.healthProbeAddress) (printf `--metrics-bind-address=%s` $values.statefulset.sideCars.controllers.metricsAddress) (printf `--additional-controllers=%s` (join "," $values.statefulset.sideCars.controllers.run))) "env" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_HELM_RELEASE_NAME" "value" $dot.Release.Name ))) "resources" $values.statefulset.sideCars.controllers.resources "securityContext" $values.statefulset.sideCars.controllers.securityContext ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkEnvVars" -}} +{{- $dot := (index .a 0) -}} +{{- $envVars := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne (toJson $values.auth.sasl) "null") $values.auth.sasl.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $envVars) (default (list ) (get (fromJson (include "redpanda.BootstrapUser.RpkEnvironment" (dict "a" (list $values.auth.sasl.bootstrapUser (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envVars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.bootstrapEnvVars" -}} +{{- $dot := (index .a 0) -}} +{{- $envVars := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne (toJson $values.auth.sasl) "null") $values.auth.sasl.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $envVars) (default (list ) (get (fromJson (include "redpanda.BootstrapUser.BootstrapEnvironment" (dict "a" (list $values.auth.sasl.bootstrapUser (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envVars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToContainers" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSet" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list $dot) ))) "r")) (not $values.force)) -}} +{{- $sv := (get (fromJson (include "redpanda.semver" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (fail (printf "Error: The Redpanda version (%s) is no longer supported \nTo accept this risk, run the upgrade again adding `--force=true`\n" $sv)) -}} +{{- end -}} +{{- $ss := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) "status" (dict "replicas" 0 "availableReplicas" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "StatefulSet" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) "serviceName" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "replicas" ($values.statefulset.replicas | int) "updateStrategy" $values.statefulset.updateStrategy "podManagementPolicy" "Parallel" "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.statefulset.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "labels" (get (fromJson (include "redpanda.StatefulSetPodLabels" (dict "a" (list $dot) ))) "r") "annotations" (get (fromJson (include "redpanda.StatefulSetPodAnnotations" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetChecksumAnnotation" (dict "a" (list $dot) ))) "r")) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "terminationGracePeriodSeconds" ($values.statefulset.terminationGracePeriodSeconds | int64) "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "initContainers" (get (fromJson (include "redpanda.StatefulSetInitContainers" (dict "a" (list $dot) ))) "r") "containers" (get (fromJson (include "redpanda.StatefulSetContainers" (dict "a" (list $dot) ))) "r") "volumes" (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") "topologySpreadConstraints" (get (fromJson (include "redpanda.statefulSetTopologySpreadConstraints" (dict "a" (list $dot) ))) "r") "nodeSelector" (get (fromJson (include "redpanda.statefulSetNodeSelectors" (dict "a" (list $dot) ))) "r") "affinity" (get (fromJson (include "redpanda.statefulSetAffinity" (dict "a" (list $dot) ))) "r") "priorityClassName" $values.statefulset.priorityClassName "tolerations" (get (fromJson (include "redpanda.statefulSetTolerations" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") "volumeClaimTemplates" (coalesce nil) )) )) -}} +{{- if (or $values.storage.persistentVolume.enabled ((and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (eq (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")))) -}} +{{- $t_13 := (get (fromJson (include "redpanda.volumeClaimTemplateDatadir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $t_13) "null") -}} +{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_13))) -}} +{{- end -}} +{{- $t_14 := (get (fromJson (include "redpanda.volumeClaimTemplateTieredStorageDir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $t_14) "null") -}} +{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_14))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.semver" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetChecksumAnnotation" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $dependencies := (coalesce nil) -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot false) ))) "r"))) -}} +{{- if $values.external.enabled -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r"))) -}} +{{- if (empty $values.external.addresses) -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list "")) -}} +{{- else -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list $values.external.addresses)) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (sha256sum (toJson $dependencies))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetTolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default $values.tolerations $values.statefulset.tolerations)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetNodeSelectors" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default $values.statefulset.nodeSelector $values.nodeSelector)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $affinity := (mustMergeOverwrite (dict ) (dict )) -}} +{{- if (not (empty $values.statefulset.nodeAffinity)) -}} +{{- $_ := (set $affinity "nodeAffinity" $values.statefulset.nodeAffinity) -}} +{{- else -}}{{- if (not (empty $values.affinity.nodeAffinity)) -}} +{{- $_ := (set $affinity "nodeAffinity" $values.affinity.nodeAffinity) -}} +{{- end -}} +{{- end -}} +{{- if (not (empty $values.statefulset.podAffinity)) -}} +{{- $_ := (set $affinity "podAffinity" $values.statefulset.podAffinity) -}} +{{- else -}}{{- if (not (empty $values.affinity.podAffinity)) -}} +{{- $_ := (set $affinity "podAffinity" $values.affinity.podAffinity) -}} +{{- end -}} +{{- end -}} +{{- if (not (empty $values.statefulset.podAntiAffinity)) -}} +{{- $_ := (set $affinity "podAntiAffinity" (mustMergeOverwrite (dict ) (dict ))) -}} +{{- if (eq $values.statefulset.podAntiAffinity.type "hard") -}} +{{- $_ := (set $affinity.podAntiAffinity "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )))) -}} +{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "soft") -}} +{{- $_ := (set $affinity.podAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" ($values.statefulset.podAntiAffinity.weight | int) "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )) )))) -}} +{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "custom") -}} +{{- $_ := (set $affinity "podAntiAffinity" $values.statefulset.podAntiAffinity.custom) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- else -}}{{- if (not (empty $values.affinity.podAntiAffinity)) -}} +{{- $_ := (set $affinity "podAntiAffinity" $values.affinity.podAntiAffinity) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.volumeClaimTemplateDatadir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.storage.persistentVolume.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" "datadir" "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) $values.storage.persistentVolume.labels $values.commonLabels) "annotations" (default (coalesce nil) $values.storage.persistentVolume.annotations) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" $values.storage.persistentVolume.size ) )) )) )) -}} +{{- if (not (empty $values.storage.persistentVolume.storageClass)) -}} +{{- if (eq $values.storage.persistentVolume.storageClass "-") -}} +{{- $_ := (set $pvc.spec "storageClassName" "") -}} +{{- else -}} +{{- $_ := (set $pvc.spec "storageClassName" $values.storage.persistentVolume.storageClass) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pvc) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.volumeClaimTemplateTieredStorageDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (default "tiered-storage-dir" $values.storage.persistentVolume.nameOverwrite) "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeLabels" (dict "a" (list $values.storage) ))) "r") $values.commonLabels) "annotations" (default (coalesce nil) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeAnnotations" (dict "a" (list $values.storage) ))) "r")) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" (index (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") `cloud_storage_cache_size`) ) )) )) )) -}} +{{- $sc_15 := (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeStorageClass" (dict "a" (list $values.storage) ))) "r") -}} +{{- if (eq $sc_15 "-") -}} +{{- $_ := (set $pvc.spec "storageClassName" "") -}} +{{- else -}}{{- if (not (empty $sc_15)) -}} +{{- $_ := (set $pvc.spec "storageClassName" $sc_15) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pvc) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetTopologySpreadConstraints" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- $labelSelector := (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) -}} +{{- range $_, $v := $values.statefulset.topologySpreadConstraints -}} +{{- $result = (concat (default (list ) $result) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "maxSkew" ($v.maxSkew | int) "topologyKey" $v.topologyKey "whenUnsatisfiable" $v.whenUnsatisfiable "labelSelector" $labelSelector )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StorageTieredConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.6/templates/_values.go.tpl new file mode 100644 index 0000000000..5b802d218b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/_values.go.tpl @@ -0,0 +1,1326 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "redpanda.AuditLogging.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- $isSASLEnabled := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $enabled := (and $a.enabled $isSASLEnabled) -}} +{{- $_ := (set $result "audit_enabled" $enabled) -}} +{{- if (not $enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne (($a.clientMaxBufferSize | int) | int) (16777216 | int)) -}} +{{- $_ := (set $result "audit_client_max_buffer_size" ($a.clientMaxBufferSize | int)) -}} +{{- end -}} +{{- if (ne (($a.queueDrainIntervalMs | int) | int) (500 | int)) -}} +{{- $_ := (set $result "audit_queue_drain_interval_ms" ($a.queueDrainIntervalMs | int)) -}} +{{- end -}} +{{- if (ne (($a.queueMaxBufferSizePerShard | int) | int) (1048576 | int)) -}} +{{- $_ := (set $result "audit_queue_max_buffer_size_per_shard" ($a.queueMaxBufferSizePerShard | int)) -}} +{{- end -}} +{{- if (ne (($a.partitions | int) | int) (12 | int)) -}} +{{- $_ := (set $result "audit_log_num_partitions" ($a.partitions | int)) -}} +{{- end -}} +{{- if (ne ($a.replicationFactor | int) (0 | int)) -}} +{{- $_ := (set $result "audit_log_replication_factor" ($a.replicationFactor | int)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.enabledEventTypes) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_enabled_event_types" $a.enabledEventTypes) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedTopics) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_topics" $a.excludedTopics) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedPrincipals) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_principals" $a.excludedPrincipals) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.IsSASLEnabled" -}} +{{- $a := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $a.sasl) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $a.sasl.enabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $isSASLEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not $isSASLEnabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $users := (list (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $a.sasl.bootstrapUser) ))) "r")) -}} +{{- range $_, $u := $a.sasl.users -}} +{{- $users = (concat (default (list ) $users) (list $u.name)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "superusers" $users )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Logging.Translate" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- $clusterID_1 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.usageStats.clusterId "") ))) "r") -}} +{{- if (ne $clusterID_1 "") -}} +{{- $_ := (set $result "cluster_id" $clusterID_1) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaResources.GetOverProvisionValue" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (lt ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $rr.cpu.cores) ))) "r") | int64) (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $rr.cpu.overprovisioned false) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.IsTieredStorageEnabled" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $conf := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_3.T2 -}} +{{- $b := $tmp_tuple_3.T1 -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and $ok (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" $b) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageConfig" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $s.tieredConfig) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredConfig) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.config) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageHostPath" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $hp := $s.tieredStorageHostPath -}} +{{- if (empty $hp) -}} +{{- $hp = $s.tiered.hostPath -}} +{{- end -}} +{{- if (empty $hp) -}} +{{- $_ := (fail (printf `storage.tiered.mountType is "%s" but storage.tiered.hostPath is empty` $s.tiered.mountType)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $hp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredCacheDirectory" -}} +{{- $s := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $values.config.node "cloud_storage_cache_directory") "") ))) "r")) ))) "r") -}} +{{- $ok_3 := $tmp_tuple_4.T2 -}} +{{- $dir_2 := $tmp_tuple_4.T1 -}} +{{- if $ok_3 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $dir_2) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") -}} +{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $tieredConfig "cloud_storage_cache_directory") "") ))) "r")) ))) "r") -}} +{{- $ok_5 := $tmp_tuple_5.T2 -}} +{{- $dir_4 := $tmp_tuple_5.T1 -}} +{{- if $ok_5 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $dir_4) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/var/lib/redpanda/data/cloud_storage_cache") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredMountType" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $s.tieredStoragePersistentVolume) "null") $s.tieredStoragePersistentVolume.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "persistentVolume") | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (empty $s.tieredStorageHostPath)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "hostPath") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.mountType) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeLabels" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeAnnotations" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.annotations) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.annotations) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeStorageClass" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.storageClass) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.storageClass) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.StorageMinFreeBytes" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $s.persistentVolume) "null") (not $s.persistentVolume.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (5368709120 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $minimumFreeBytes := ((mulf (((get (fromJson (include "_shims.resource_Value" (dict "a" (list $s.persistentVolume.size) ))) "r") | int64) | float64) 0.05) | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (min (5368709120 | int) ($minimumFreeBytes | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tuning.Translate" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- $s := (toJson $t) -}} +{{- $tune := (fromJson $s) -}} +{{- $tmp_tuple_7 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_7.T2 -}} +{{- $m := $tmp_tuple_7.T1 -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $k, $v := $m -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.CreateSeedServers" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (dict "host" (dict "address" (printf "%s-%d.%s" $fullname $i $internalDomain) "port" ($l.rpc.port | int) ) ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.AdminList" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.ServerList" (dict "a" (list $replicas "" $fullname $internalDomain ($l.admin.port | int)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServerList" -}} +{{- $replicas := (index .a 0) -}} +{{- $prefix := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- $port := (index .a 4) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (printf "%s%s-%d.%s:%d" $prefix $fullname $i $internalDomain ($port | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStoreVolume" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cmSources := (dict ) -}} +{{- $secretSources := (dict ) -}} +{{- range $_, $ts := (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $l $tls) ))) "r") -}} +{{- $projection := (get (fromJson (include "redpanda.TrustStore.VolumeProjection" (dict "a" (list $ts) ))) "r") -}} +{{- if (ne (toJson $projection.secret) "null") -}} +{{- $_ := (set $secretSources $projection.secret.name (concat (default (list ) (index $secretSources $projection.secret.name)) (default (list ) $projection.secret.items))) -}} +{{- else -}} +{{- $_ := (set $cmSources $projection.configMap.name (concat (default (list ) (index $cmSources $projection.configMap.name)) (default (list ) $projection.configMap.items))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $sources := (coalesce nil) -}} +{{- range $_, $name := (sortAlpha (keys $cmSources)) -}} +{{- $keys := (index $cmSources $name) -}} +{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $name := (sortAlpha (keys $secretSources)) -}} +{{- $keys := (index $secretSources $name) -}} +{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (lt ((get (fromJson (include "_shims.len" (dict "a" (list $sources) ))) "r") | int) (1 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "projected" (mustMergeOverwrite (dict "sources" (coalesce nil) ) (dict "sources" $sources )) )) (dict "name" "truststores" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.dedupKeyToPaths" -}} +{{- $items := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $seen := (dict ) -}} +{{- $deduped := (coalesce nil) -}} +{{- range $_, $item := $items -}} +{{- $tmp_tuple_8 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $seen $item.key (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_8.T2 -}} +{{- if $ok_6 -}} +{{- continue -}} +{{- end -}} +{{- $deduped = (concat (default (list ) $deduped) (list $item)) -}} +{{- $_ := (set $seen $item.key true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $deduped) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (get (fromJson (include "redpanda.KafkaListeners.TrustStores" (dict "a" (list $l.kafka $tls) ))) "r") -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.AdminListeners.TrustStores" (dict "a" (list $l.admin $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.HTTPListeners.TrustStores" (dict "a" (list $l.http $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.SchemaRegistryListeners.TrustStores" (dict "a" (list $l.schemaRegistry $tls) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Config.CreateRPKConfiguration" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c.rpk -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCertMap.MustGet" -}} +{{- $m := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_9 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $m $name (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_9.T2 -}} +{{- $cert := $tmp_tuple_9.T1 -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced, but not found in the tls.certs map" $name)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cert) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.BootstrapEnvironment" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (get (fromJson (include "redpanda.BootstrapUser.RpkEnvironment" (dict "a" (list $b $fullname) ))) "r")) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RP_BOOTSTRAP_USER" "value" "$(RPK_USER):$(RPK_PASS):$(RPK_SASL_MECHANISM)" ))))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.Username" -}} +{{- $b := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $b.name) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "kubernetes-controller") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.RpkEnvironment" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_PASS" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (get (fromJson (include "redpanda.BootstrapUser.SecretKeySelector" (dict "a" (list $b $fullname) ))) "r") )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_USER" "value" (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $b) ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_SASL_MECHANISM" "value" (get (fromJson (include "redpanda.BootstrapUser.GetMechanism" (dict "a" (list $b) ))) "r") )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.GetMechanism" -}} +{{- $b := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $b.mechanism "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" "SCRAM-SHA-256") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.mechanism) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.SecretKeySelector" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $b.secretKeyRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.secretKeyRef) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (printf "%s-bootstrap-user" $fullname) )) (dict "key" "password" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s" "/etc/truststores" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.RelativePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.configMapKeyRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "configmaps/%s-%s" $t.configMapKeyRef.name $t.configMapKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "secrets/%s-%s" $t.secretKeyRef.name $t.secretKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.VolumeProjection" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.configMapKeyRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.configMapKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.configMapKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.secretKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.secretKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled $tls.enabled) ))) "r") (ne $t.cert ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.trustStore) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.ServerCAPath" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/tls.crt" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCert" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r")) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCertName" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.cert $i.cert) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.trustStore) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $t) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (ne (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r") "") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $i $tls) ))) "r")) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.ConsoleTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $adminAPIPrefix := "/mnt/cert/adminapi" -}} +{{- $_ := (set $t "caFilepath" (printf "%s/%s/ca.crt" $adminAPIPrefix $l.tls.cert)) -}} +{{- if (not $l.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/%s/tls.crt" $adminAPIPrefix $l.tls.cert)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/%s/tls.key" $adminAPIPrefix $l.tls.cert)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $admin := (list (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r")) -}} +{{- range $k, $lis := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "port" ($lis.port | int) "address" "0.0.0.0" ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $admin := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $admin = (concat (default (list ) $admin) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (list ) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_7 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_7 "") -}} +{{- $_ := (set $internal "authentication_method" $am_7) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_8 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_8 "") -}} +{{- $_ := (set $listener "authentication_method" $am_8) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $pp := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $pp = (concat (default (list ) $pp) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $pp = (concat (default (list ) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $auth := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $internal "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_9 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_9 "") -}} +{{- $_ := (set $internal "authentication_method" $am_9) -}} +{{- end -}} +{{- $kafka := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $listener "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_10 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_10 "") -}} +{{- $_ := (set $listener "authentication_method" $am_10) -}} +{{- end -}} +{{- $kafka = (concat (default (list ) $kafka) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $kafka := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $kafka = (concat (default (list ) $kafka) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $kafka = (concat (default (list ) $kafka) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ConsolemTLS" -}} +{{- $k := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $k.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $kafkaPathPrefix := "/mnt/cert/kafka" -}} +{{- $_ := (set $t "caFilepath" (printf "%s/%s/ca.crt" $kafkaPathPrefix $k.tls.cert)) -}} +{{- if (not $k.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/%s/tls.crt" $kafkaPathPrefix $k.tls.cert)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/%s/tls.key" $kafkaPathPrefix $k.tls.cert)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.Listeners" -}} +{{- $sr := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($sr.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_11 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $sr.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_11 "") -}} +{{- $_ := (set $internal "authentication_method" $am_11) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $sr.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_12 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_12 "") -}} +{{- $_ := (set $listener "authentication_method" $am_12) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $listeners = (concat (default (list ) $listeners) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $listeners = (concat (default (list ) $listeners) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $listeners) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ConsoleTLS" -}} +{{- $sr := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $sr.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $schemaRegistryPrefix := "/mnt/cert/schemaregistry" -}} +{{- $_ := (set $t "caFilepath" (printf "%s/%s/ca.crt" $schemaRegistryPrefix $sr.tls.cert)) -}} +{{- if (not $sr.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/%s/tls.crt" $schemaRegistryPrefix $sr.tls.cert)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/%s/tls.key" $schemaRegistryPrefix $sr.tls.cert)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TunableConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $c) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.NodeConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $tmp_tuple_12 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r")) ))) "r") -}} +{{- $ok_13 := $tmp_tuple_12.T2 -}} +{{- if $ok_13 -}} +{{- $_ := (set $result $k $v) -}} +{{- else -}}{{- if (kindIs "bool" $v) -}} +{{- $_ := (set $result $k $v) -}} +{{- else -}} +{{- $_ := (set $result $k (toYaml $v)) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- $tmp_tuple_13 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false) ))) "r")) ))) "r") -}} +{{- $ok_15 := $tmp_tuple_13.T2 -}} +{{- $b_14 := $tmp_tuple_13.T1 -}} +{{- if $ok_15 -}} +{{- $_ := (set $result $k $b_14) -}} +{{- continue -}} +{{- end -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretRef.AsSource" -}} +{{- $sr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sr.name )) (dict "key" $sr.key )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretRef.IsValid" -}} +{{- $sr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (and (ne (toJson $sr) "null") (not (empty $sr.key))) (not (empty $sr.name)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageCredentials.AsEnvVars" -}} +{{- $tsc := (index .a 0) -}} +{{- $config := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_14 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_access_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $hasAccessKey := $tmp_tuple_14.T2 -}} +{{- $tmp_tuple_15 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_secret_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $hasSecretKey := $tmp_tuple_15.T2 -}} +{{- $tmp_tuple_16 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_azure_shared_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $hasSharedKey := $tmp_tuple_16.T2 -}} +{{- $envvars := (coalesce nil) -}} +{{- if (and (not $hasAccessKey) (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.accessKey) ))) "r")) -}} +{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_ACCESS_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.accessKey) ))) "r") )))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.secretKey) ))) "r") -}} +{{- if (and (not $hasSecretKey) (not (get (fromJson (include "redpanda.TieredStorageConfig.HasAzureCanaries" (dict "a" (list (deepCopy $config)) ))) "r"))) -}} +{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_SECRET_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.secretKey) ))) "r") )))) -}} +{{- else -}}{{- if (and (not $hasSharedKey) (get (fromJson (include "redpanda.TieredStorageConfig.HasAzureCanaries" (dict "a" (list (deepCopy $config)) ))) "r")) -}} +{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_AZURE_SHARED_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.secretKey) ))) "r") )))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envvars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageConfig.HasAzureCanaries" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_17 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_container" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $containerExists := $tmp_tuple_17.T2 -}} +{{- $tmp_tuple_18 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_storage_account" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $accountExists := $tmp_tuple_18.T2 -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and $containerExists $accountExists)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageConfig.CloudStorageCacheSize" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_19 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $c `cloud_storage_cache_size` (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_19.T2 -}} +{{- $value := $tmp_tuple_19.T1 -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- $creds := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $config := (merge (dict ) (dict ) $c) -}} +{{- range $_, $envvar := (get (fromJson (include "redpanda.TieredStorageCredentials.AsEnvVars" (dict "a" (list $creds $c) ))) "r") -}} +{{- $key := (lower (substr ((get (fromJson (include "_shims.len" (dict "a" (list "REDPANDA_") ))) "r") | int) -1 $envvar.name)) -}} +{{- $_ := (set $config $key (printf "$%s" $envvar.name)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $size_16 := (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy $c)) ))) "r") -}} +{{- if (ne (toJson $size_16) "null") -}} +{{- $_ := (set $config "cloud_storage_cache_size" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $size_16) ))) "r") | int64)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $config) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.6/templates/connectors/connectors.yaml b/charts/redpanda/redpanda/5.9.6/templates/connectors/connectors.yaml new file mode 100644 index 0000000000..25343f584a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/connectors/connectors.yaml @@ -0,0 +1,109 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{ if and .Values.connectors.enabled (not .Values.connectors.deployment.create) }} + +{{ $values := .Values }} + +{{/* brokers */}} +{{ $kafkaBrokers := list }} +{{ range (include "seed-server-list" . | mustFromJson) }} + {{ $kafkaBrokers = append $kafkaBrokers (printf "%s:%d" . (int $values.listeners.kafka.port)) }} +{{ end }} + +{{ $connectorsValues := dict + "Values" (dict + "connectors" (dict + "bootstrapServers" (join "," $kafkaBrokers) + "brokerTLS" (dict + "enabled" (include "kafka-internal-tls-enabled" . | fromJson).bool + "ca" (dict + "secretRef" (ternary (printf "%s-default-cert" (include "redpanda.fullname" .)) "" (include "kafka-internal-tls-enabled" . | fromJson).bool) + ) + ) + ) + ) +}} + +{{ $extraVolumes := list }} +{{ $extraVolumeMounts := list }} +{{ $extraEnv := .Values.connectors.deployment.extraEnv }} +{{ $command := list }} +{{ if (include "sasl-enabled" . | fromJson).bool }} + {{ $command = concat $command (list "bash" "-c") }} + {{ $consoleSASLConfig := (printf "set -e; IFS=':' read -r CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print)); CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-%s}; export CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM;" ( include "sasl-mechanism" . | lower )) }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-256\" ]] && CONNECT_SASL_MECHANISM=scram-sha-256;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-512\" ]] && CONNECT_SASL_MECHANISM=scram-sha-512;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export CONNECT_SASL_MECHANISM;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " echo $CONNECT_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " exec /opt/kafka/bin/kafka_connect_run.sh" }} + {{ $command = append $command $consoleSASLConfig }} + + {{ $extraVolumes = concat $extraVolumes .Values.connectors.storage.volume }} + + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "secret" (dict + "secretName" .Values.auth.sasl.secretRef + ) + )}} + + {{ $extraVolumeMounts = concat $extraVolumeMounts .Values.connectors.storage.volumeMounts }} + + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "mountPath" "/mnt/users" + "readOnly" true + )}} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49) + "emptyDir" (dict) + )}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49) + "mountPath" "/opt/kafka/connect-password/rc-credentials" + )}} + {{ $extraEnv = append $extraEnv (dict + "name" "CONNECT_SASL_PASSWORD_FILE" + "value" "rc-credentials/password" + )}} + {{ $connectorsValues := merge $connectorsValues (dict + "Values" (dict + "storage" (dict + "volumeMounts" $extraVolumeMounts + "volume" $extraVolumes + ) + "auth" (dict + "sasl" (dict + "enabled" .Values.auth.sasl.enabled + ) + ) + "deployment" (dict + "command" $command + "extraEnv" $extraEnv + ) + ) + )}} +{{ end }} + +{{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "deployment" (dict "create" (not .Values.connectors.deployment.create)))) }} +{{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "test" (dict "create" (not .Values.connectors.test.create)))) }} +{{ $helmVars := merge $connectorsValues .Subcharts.connectors }} +{{ $helmVars = (dict "Chart" .Subcharts.connectors.Chart "Release" .Release "Values" (merge (dict "AsMap" $helmVars.Values) $helmVars.Values)) }} +{{ include (print .Subcharts.connectors.Template.BasePath "/deployment.yaml") $helmVars }} +--- +{{ include (print .Subcharts.connectors.Template.BasePath "/tests/01-mm2-values.yaml") $helmVars }} +{{ end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/console/configmap-and-deployment.yaml b/charts/redpanda/redpanda/5.9.6/templates/console/configmap-and-deployment.yaml new file mode 100644 index 0000000000..0f4de4a71b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/console/configmap-and-deployment.yaml @@ -0,0 +1,239 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* Secret */}} +{{ $secretConfig := dict ( dict + "create" $.Values.console.secret.create + ) +}} +{{/* if the console chart has the creation of the secret disabled, create it here instead if needed */}} +{{ if and .Values.console.enabled (not .Values.console.secret.create) }} +{{ $licenseKey := ( include "enterprise-license" . ) }} +# before license changes, this was not printing a secret, so we gather in which case to print +# for now only if we have a license do we print, however, this may be an issue for some +# since if we do include a license we MUST also print all secret items. + {{ if ( not (empty $licenseKey ) ) }} +{{/* License and license are set twice here as a work around to a bug in the post-go console chart. */}} +{{ $secretConfig = ( dict + "create" true + "enterprise" ( dict "license" $licenseKey "License" $licenseKey) + ) +}} + +{{ $config := dict + "Values" (dict + "secret" $secretConfig + )}} + +{{ $secretValues := merge $config .Subcharts.console }} +{{ $wrappedSecretValues := (dict "Chart" .Subcharts.console.Chart "Release" .Release "Values" (dict "AsMap" $secretValues.Values)) }} +--- +{{- include "_shims.render-manifest" (list "console.Secret" $wrappedSecretValues) -}} + {{ end }} +{{ end }} + +{{ $configmap := dict }} +{{/* if the console chart has the creation of the configmap disabled, create it here instead */}} +{{ if and .Values.console.enabled (not .Values.console.configmap.create) }} +{{ $consoleConfigmap := dict "create" true }} + +{{ $consoleConfig := merge .Values.console.config (get ((include "redpanda.ConsoleConfig" (dict "a" (list .))) | fromJson) "r") }} + +{{ $config := dict + "Values" (dict + "console" (dict "config" $consoleConfig) + "configmap" $consoleConfigmap + "secret" $secretConfig + ) +}} + +{{ $configMapValues := merge $config .Subcharts.console }} +--- +{{- $wrappedSecretValues := (dict + "Chart" .Subcharts.console.Chart + "Release" .Release + "Values" (dict "AsMap" $configMapValues.Values) + "Template" (dict "BasePath" "" "Name" "") +) -}} +{{- include "_shims.render-manifest" (list "console.ConfigMap" $wrappedSecretValues) -}} +{{ $configmap = include "_shims.render-manifest" (list "console.ConfigMap" $wrappedSecretValues) }} +{{ end }} + +{{/* Deployment */}} +{{ if and .Values.console.enabled (not .Values.console.deployment.create) }} + +{{ $extraVolumes := list }} +{{ $extraVolumeMounts := list }} +{{ $command := list }} +{{ if (include "sasl-enabled" . | fromJson).bool }} + {{ $command = concat $command (list "sh" "-c") }} + {{ $consoleSASLConfig := (printf "set -e; IFS=':' read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print)); KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s}; export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM;" ( include "sasl-mechanism" . )) }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export KAFKA_SCHEMAREGISTRY_USERNAME=$KAFKA_SASL_USERNAME;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export KAFKA_SCHEMAREGISTRY_PASSWORD=$KAFKA_SASL_PASSWORD;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export REDPANDA_ADMINAPI_USERNAME=$KAFKA_SASL_USERNAME;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export REDPANDA_ADMINAPI_PASSWORD=$KAFKA_SASL_PASSWORD;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " /app/console $@" }} + {{ $command = append $command $consoleSASLConfig }} + {{ $command = append $command "--" }} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "secret" (dict + "secretName" .Values.auth.sasl.secretRef + ) + )}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "mountPath" "/mnt/users" + "readOnly" true + ) }} +{{ end }} + +{{ $kafkaTLS := list }} +{{ if (include "kafka-internal-tls-enabled" . | fromJson).bool }} + {{ $service := .Values.listeners.kafka }} + {{ $cert := get .Values.tls.certs $service.tls.cert }} + {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert) }} + {{- if $cert.secretRef }} + {{- $secretName = $cert.secretRef.name }} + {{- end }} + {{ if $cert.caEnabled }} + {{ $kafkaTLS = append $kafkaTLS (dict + "name" "KAFKA_TLS_CAFILEPATH" + "value" (printf "/mnt/cert/kafka/%s/ca.crt" $service.tls.cert) + )}} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "kafka-%s-cert" $service.tls.cert) + "secret" (dict + "defaultMode" 0420 + "secretName" ( $secretName ) + ))}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "kafka-%s-cert" $service.tls.cert) + "mountPath" (printf "/mnt/cert/kafka/%s" $service.tls.cert) + "readOnly" true + )}} + {{ end }} +{{ end }} + +{{ $schemaRegistryTLS := list }} +{{ if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }} + {{ $service := .Values.listeners.schemaRegistry }} + {{ $cert := get .Values.tls.certs $service.tls.cert }} + {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert) }} + {{- if $cert.secretRef }} + {{- $secretName = $cert.secretRef.name }} + {{- end }} + {{ if $cert.caEnabled }} + {{ $schemaRegistryTLS = append $schemaRegistryTLS (dict + "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" + "value" (printf "/mnt/cert/schemaregistry/%s/ca.crt" $service.tls.cert) + )}} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "schemaregistry-%s-cert" $service.tls.cert) + "secret" (dict + "defaultMode" 0420 + "secretName" ( $secretName ) + ))}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "schemaregistry-%s-cert" $service.tls.cert) + "mountPath" (printf "/mnt/cert/schemaregistry/%s" $service.tls.cert) + "readOnly" true + )}} + {{ end }} +{{ end }} + +{{ $adminAPI := list }} +{{ if (include "admin-internal-tls-enabled" . | fromJson).bool }} + {{ $service := .Values.listeners.admin }} + {{ $cert := get .Values.tls.certs $service.tls.cert }} + {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert) }} + {{- if $cert.secretRef }} + {{- $secretName = $cert.secretRef.name }} + {{- end }} + {{ if $cert.caEnabled }} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "adminapi-%s-cert" $service.tls.cert) + "secret" (dict + "defaultMode" 0420 + "secretName" ( $secretName ) + ))}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "adminapi-%s-cert" $service.tls.cert) + "mountPath" (printf "/mnt/cert/adminapi/%s" $service.tls.cert) + "readOnly" true + )}} + {{ end }} +{{ end }} + +{{ $enterprise := dict }} +{{ if ( include "enterprise-secret" .) }} + {{ $enterprise = dict + "licenseSecretRef" ( dict + "name" ( include "enterprise-secret-name" . ) + "key" ( include "enterprise-secret-key" . ) + ) + }} +{{ end }} + +{{ $extraEnv := concat $kafkaTLS $schemaRegistryTLS $adminAPI .Values.console.extraEnv }} +{{ $extraVolumes = concat $extraVolumes .Values.console.extraVolumes }} +{{ $extraVolumeMounts = concat $extraVolumeMounts .Values.console.extraVolumeMounts }} +{{ $consoleValues := dict + "Values" (dict + "extraVolumes" $extraVolumes + "extraVolumeMounts" $extraVolumeMounts + "extraEnv" $extraEnv + "secret" $secretConfig + "enterprise" $enterprise + "image" $.Values.console.image + "autoscaling" .Values.console.autoscaling + "replicaCount" .Values.console.replicaCount + "strategy" .Values.console.strategy + "podAnnotations" .Values.console.podAnnotations + "podLabels" .Values.console.podLabels + "imagePullSecrets" .Values.console.imagePullSecrets + "podSecurityContext" .Values.console.podSecurityContext + "secretMounts" .Values.console.secretMounts + "initContainers" .Values.console.initContainers + "extraArgs" .Values.console.extraArgs + "securityContext" .Values.console.securityContext + "livenessProbe" .Values.console.livenessProbe + "readinessProbe" .Values.console.readinessProbe + "resources" .Values.console.resources + "extraContainers" .Values.console.extraContainers + "nodeSelector" .Values.console.nodeSelector + "affinity" .Values.console.affinity + "topologySpreadConstraints" .Values.console.topologySpreadConstraints + "priorityClassName" .Values.console.priorityClassName + "tolerations" .Values.console.tolerations +)}} + +{{ if not (empty $command) }} + {{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "command" $command))) }} +{{ end }} +{{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "create" (not .Values.console.deployment.create)))) }} + +{{ if and .Values.console.enabled (not .Values.console.configmap.create) }} +{{ $consoleValues := merge $consoleValues (dict "Values" (dict "podAnnotations" (dict "checksum-redpanda-chart/config" ( $configmap | toYaml | sha256sum )))) }} +{{ end }} + +{{ $deploymentValues := merge $consoleValues .Subcharts.console }} +{{ $wrappedDeploymentValues := (dict "Chart" .Subcharts.console.Chart "Release" .Release "Template" (dict "BasePath" "" "Name" "") "Values" (dict "AsMap" $deploymentValues.Values)) }} + +--- +{{- include "_shims.render-manifest" (list "console.Deployment" $wrappedDeploymentValues) -}} +{{ end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/entry-point.yaml b/charts/redpanda/redpanda/5.9.6/templates/entry-point.yaml new file mode 100644 index 0000000000..6cdf646ad6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/entry-point.yaml @@ -0,0 +1,17 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.render" .) -}} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-api-status.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-api-status.yaml new file mode 100644 index 0000000000..330a2c4a4d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-api-status.yaml @@ -0,0 +1,52 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool)) -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-api-status" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + until rpk cluster info \ + --brokers {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} + do sleep 2 + done + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-auditLogging.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-auditLogging.yaml new file mode 100644 index 0000000000..fea34776fc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-auditLogging.yaml @@ -0,0 +1,86 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/}} +{{/* + This feature is gated by having a license, and it must have sasl enabled, we assume these conditions are met + as part of setting auditLogging being enabled. +*/}} +{{- if and .Values.tests.enabled .Values.auditLogging.enabled (include "redpanda-atleast-23-3-0" . | fromJson).bool }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-audit-logging" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: { { - toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -xe + old_setting=${-//[^x]/} + audit_topic_name="_redpanda.audit_log" + expected_partitions={{ .Values.auditLogging.partitions }} + + # sasl configurations + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi + + # now run the to determine if we have the right results + # should describe topic without error + rpk topic describe ${audit_topic_name} + # should get the expected values + result=$(rpk topic list | grep ${audit_topic_name}) + name=$(echo $result | awk '{print $1}') + partitions=$(echo $result | awk '{print $2}') + if [ "${name}" != "${audit_topic_name}" ]; then + echo "expected topic name does not match" + exit 1 + fi + if [ ${partitions} != ${expected_partitions} ]; then + echo "expected partition size did not match" + exit 1 + fi + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-connector-via-console.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-connector-via-console.yaml new file mode 100644 index 0000000000..67619a829b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-connector-via-console.yaml @@ -0,0 +1,166 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled .Values.connectors.enabled .Values.console.enabled }} +{{- $sasl := .Values.auth.sasl }} +{{- $values := .Values }} +{{- $consoleValues := (merge (dict) .Values.console .Subcharts.console.Values) -}} +{{- $consoleDot := dict "Values" (dict "AsMap" $consoleValues) "Release" .Release "Chart" .Subcharts.console.Chart -}} +{{- $connectorsDot := dict "Values" (merge (dict) .Values.connectors .Subcharts.connectors.Values) "Release" .Release "Chart" .Subcharts.connectors.Chart -}} +{{/* brokers */}} +{{- $kafkaBrokers := list }} +{{- range (include "seed-server-list" . | mustFromJson) }} + {{- $kafkaBrokers = append $kafkaBrokers (printf "%s:%s" . ($values.listeners.kafka.port | toString)) }} +{{- end }} +{{- $brokersString := join "," $kafkaBrokers}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . | trunc 54 }}-test-connectors-via-console + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + test-name: test-connectors-via-console + annotations: + test-name: test-connectors-via-console + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: TLS_ENABLED + value: {{ (include "kafka-internal-tls-enabled" . | fromJson).bool | quote }} + command: + - /bin/bash + - -c + - | + set -xe + + trap connectorsState ERR + + connectorsState () { + echo check connectors expand status + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=status + echo check connectors expand info + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=info + echo check connector configuration + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME + echo check connector topics + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics + } + + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + echo "SASL enabled: reading credentials from $(find /etc/secrets/users/* -print)" + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + RPK_USER="${REDPANDA_SASL_USERNAME}" + RPK_PASS="${REDPANDA_SASL_PASSWORD}" + RPK_SASL_MECHANISM="${REDPANDA_SASL_MECHANISM}" + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," + set -x + set +e + {{- end }} + + {{- $testTopic := printf "test-topic-%s" (randNumeric 3) }} + rpk topic create {{ $testTopic }} + rpk topic list + echo "Test message!" | rpk topic produce {{ $testTopic }} + + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$RPK_SASL_MECHANISM" && $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$RPK_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "connectorName": "CONNECTOR_NAME", + "config": { + "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "{{ $testTopic }}", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.alias": "test-only-redpanda", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": "true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + "target.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + "source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM" + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$RPK_SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + URL=http://{{ get ((include "console.Fullname" (dict "a" (list $consoleDot))) | fromJson) "r" }}:{{ get (fromJson (include "console.ContainerPort" (dict "a" (list $consoleDot) ))) "r" }}/api/kafka-connect/clusters/connectors/connectors + {{/* outputting to /dev/null because the output contains the user password */}} + echo "Creating mm2 connector" + curl {{ template "curl-options" . }} -H 'Content-Type: application/json' "${URL}" -d @/tmp/mm2-conf.json + + rpk topic consume source.{{ $testTopic }} -n 1 + + echo "Destroying mm2 connector" + curl {{ template "curl-options" . }} -X DELETE "${URL}/${CONNECTOR_NAME}" + + rpk topic list + rpk topic delete {{ $testTopic }} source.{{ $testTopic }} mm2-offset-syncs.test-only-redpanda.internal + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-console.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-console.yaml new file mode 100644 index 0000000000..aeef1117ac --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-console.yaml @@ -0,0 +1,49 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled .Values.console.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-console" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + curl {{ template "curl-options" . }} http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }}/api/cluster + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-internal-external-tls-secrets.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-internal-external-tls-secrets.yaml new file mode 100644 index 0000000000..53d75bb1ba --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-internal-external-tls-secrets.yaml @@ -0,0 +1,122 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "tls-enabled" . | fromJson).bool ( eq .Values.external.type "NodePort" ) }} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-internal-externals-cert-secrets + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - bash + - -c + - | + set -x + + retry() { + local retries="$1" + local command="$2" + + # Run the command, and save the exit code + bash -c $command + local exit_code=$? + + # If the exit code is non-zero (i.e. command failed), and we have not + # reached the maximum number of retries, run the command again + if [[ $exit_code -ne 0 && $retries -gt 0 ]]; then + retry $(($retries - 1)) "$command" + else + # Return the exit code from the command + return $exit_code + fi + } + + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + echo testing cert: {{ $name | quote }} + + {{- if eq $cert.secretRef.name "internal-tls-secret" }} + echo "---> testing internal tls" + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ include "admin-api-urls" $ }}' + {{- end }} + + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- if and (eq $values.listeners.schemaRegistry.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- if and (eq $values.listeners.http.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- end }} + echo "----" + + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-internal-tls-status.yaml new file mode 100644 index 0000000000..dcfc02cbdc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-internal-tls-status.yaml @@ -0,0 +1,62 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "kafka-internal-tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}} + {{- $service := .Values.listeners.kafka -}} + {{- $cert := get .Values.tls.certs $service.tls.cert -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-internal-tls-status + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + until rpk cluster info \ + --brokers {{ include "redpanda.fullname" .}}-0.{{ include "redpanda.internal.domain" . }}:{{ $service.port }} \ + --tls-enabled \ + {{- if $cert.caEnabled }} + --tls-truststore /etc/tls/certs/{{ $service.tls.cert }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + --tls-truststore /etc/ssl/certs/ca-certificates.crt + {{- end }} + do sleep 2 + done + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-nodelete.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-nodelete.yaml new file mode 100644 index 0000000000..9b5fe4237e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-nodelete.yaml @@ -0,0 +1,100 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (dig "kafka_nodelete_topics" "[]" $.Values.config.cluster) }} +{{- $noDeleteTopics := .Values.config.cluster.kafka_nodelete_topics }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-nodelete + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." }}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + + exists=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$exists" != "my_sample_topic" ]]; then + until rpk topic create my_sample_topic {{ $cloudStorageFlags }} + do sleep 2 + done + fi + + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce my_sample_topic + {{- end }} + sleep 2 + rpk topic consume my_sample_topic -n 1 | grep "Pandas are awesome!" + + # now check if we can delete the topic (we should not) + rpk topic delete my_sample_topic + + {{- if has "my_sample_topic" $noDeleteTopics }} + result=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$result" != "my_sample_topic" ]]; then + echo "topic should not have been deleted" + exit 1 + fi + {{- end }} + + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-produce-consume.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-produce-consume.yaml new file mode 100644 index 0000000000..d8f0ee7518 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-produce-consume.yaml @@ -0,0 +1,83 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-produce-consume + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." }}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + until rpk topic create produce.consume.test.$POD_NAME {{ $cloudStorageFlags }} + do sleep 2 + done + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce produce.consume.test.$POD_NAME + {{- end }} + sleep 2 + rpk topic consume produce.consume.test.$POD_NAME -n 1 | grep "Pandas are awesome!" + rpk topic delete produce.consume.test.$POD_NAME + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-sasl-status.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-sasl-status.yaml new file mode 100644 index 0000000000..0519c44bba --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-kafka-sasl-status.yaml @@ -0,0 +1,79 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-kafka-sasl-status" + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -xe + +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + + until rpk acl user delete myuser + do sleep 2 + done + sleep 3 + + {{ include "rpk-cluster-info" $ }} + {{ include "rpk-acl-user-create" $ }} + {{ include "rpk-acl-create" $ }} + sleep 3 + {{ include "rpk-topic-create" $ }} + {{ include "rpk-topic-describe" $ }} + {{ include "rpk-topic-delete" $ }} + rpk acl user delete myuser + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-license-with-console.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-license-with-console.yaml new file mode 100644 index 0000000000..1edf7a3507 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-license-with-console.yaml @@ -0,0 +1,61 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "is-licensed" . | fromJson).bool .Values.console.enabled }} +{{- $consolePort := (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-license-with-console" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: [ "/bin/bash", "-c" ] + args: + - | + echo "testing that we do NOT have an open source license" + set -xe + + max_iteration=10 + curl -vm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . + type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) + while [[ $max_iteration -gt 0 && ("$type" == "open_source" || "$type" == "") ]]; do + max_iteration=$(( max_iteration - 1 )) + type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) + done + if [[ "$type" == "open_source" || "$type" == "" ]]; then + curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . + exit 1 + fi + set +x + echo "license test passed." +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-lifecycle-scripts.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-lifecycle-scripts.yaml new file mode 100644 index 0000000000..5c72e1d9fb --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-lifecycle-scripts.yaml @@ -0,0 +1,66 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-lifecycle" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: SERVICE_NAME + value: {{ include "redpanda.fullname" . }}-0 + command: + - /bin/timeout + - "{{ mul .Values.statefulset.terminationGracePeriodSeconds 2 }}" + - bash + - -xec + - | + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/preStop.sh + ls -l /tmp/preStop* + test -f /tmp/preStopHookStarted + test -f /tmp/preStopHookFinished + + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/postStart.sh + ls -l /tmp/postStart* + test -f /tmp/postStartHookStarted + test -f /tmp/postStartHookFinished + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: lifecycle-scripts + mountPath: /var/lifecycle + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} + - name: lifecycle-scripts + secret: + secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle + defaultMode: 0o775 + {{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-loadbalancer-tls.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-loadbalancer-tls.yaml new file mode 100644 index 0000000000..4db3523d2b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-loadbalancer-tls.yaml @@ -0,0 +1,173 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "LoadBalancer" ) -}} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-loadbalancer-tls + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + serviceAccountName: test-loadbalancer-tls-redpanda + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: + - bash + - -c + - | + set -x + export APISERVER=https://kubernetes.default.svc + export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) + export TOKEN=$(cat ${SERVICEACCOUNT}/token) + export CACERT=${SERVICEACCOUNT}/ca.crt + + ip_list="" + + replicas={{ .Values.statefulset.replicas }} + if [ "${replicas}" -lt "1" ]; then + echo "replicas cannot be less than 1" + exit 1 + fi + + range=$(expr $replicas - 1) + ordinal_list=$(seq 0 $range) + + set -e + + for i in $ordinal_list + do + POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/services/lb-{{ template "redpanda.fullname" . }}-$i) + ip=$(echo $POD_DESC | jq -r .status.loadBalancer.ingress[0].ip ) + ip_list="$ip $ip_list" + done + + echo test will be run against $ip_list + echo testing LoadBalancer connectivity + + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + + {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + + {{- if eq $values.listeners.http.external.default.tls.cert $name }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + {{- end }} + + {{- end }} + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-loadbalancer-tls-redpanda +subjects: + - kind: ServiceAccount + name: test-loadbalancer-tls-redpanda + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +rules: + - apiGroups: + - "" + resources: + - pods + - services + verbs: + - get + +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-nodeport-tls.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-nodeport-tls.yaml new file mode 100644 index 0000000000..4310eaf3a9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-nodeport-tls.yaml @@ -0,0 +1,173 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "NodePort" ) -}} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-nodeport-tls + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + serviceAccountName: test-nodeport-tls-redpanda-no-a-test + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: + - bash + - -c + - | + set -x + export APISERVER=https://kubernetes.default.svc + export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) + export TOKEN=$(cat ${SERVICEACCOUNT}/token) + export CACERT=${SERVICEACCOUNT}/ca.crt + + ip_list="" + + replicas={{ .Values.statefulset.replicas }} + if [ "${replicas}" -lt "1" ]; then + echo "replicas cannot be less than 1" + exit 1 + fi + + range=$(expr $replicas - 1) + ordinal_list=$(seq 0 $range) + + set -e + + for i in $ordinal_list + do + POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/pods/{{ template "redpanda.fullname" . }}-$i) + ip=$(echo $POD_DESC | jq -r .status.hostIP ) + ip_list="$ip $ip_list" + done + + echo test will be run against $ip_list + echo testing NodePort connectivity + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + + {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + + {{- if eq $values.listeners.http.external.default.tls.cert $name }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + {{- end }} + + {{- end }} + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-nodeport-tls-redpanda-no-a-test +subjects: + - kind: ServiceAccount + name: test-nodeport-tls-redpanda-no-a-test + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +rules: + - apiGroups: + - "" + resources: + - pods + - services + verbs: + - get +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-pandaproxy-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-pandaproxy-internal-tls-status.yaml new file mode 100644 index 0000000000..4cb6aaa0f6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-pandaproxy-internal-tls-status.yaml @@ -0,0 +1,81 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "http-internal-tls-enabled" . | fromJson).bool .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} + {{- $service := .Values.listeners.http -}} + {{- $cert := get .Values.tls.certs $service.tls.cert -}} + {{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-pandaproxy-internal-tls-status + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: [ "/bin/bash", "-c" ] + args: + - | + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" + RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + {{- if $cert.caEnabled }} + --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/brokers + + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + {{- if $cert.caEnabled }} + --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/topics + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-pandaproxy-status.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-pandaproxy-status.yaml new file mode 100644 index 0000000000..4f5ee6bb71 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-pandaproxy-status.yaml @@ -0,0 +1,72 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (not (include "http-internal-tls-enabled" . | fromJson).bool) .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} + {{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-pandaproxy-status" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: [ "/bin/bash", "-c" ] + args: + - | + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" + RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + + curl {{ template "curl-options" . }} \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/brokers + + curl {{ template "curl-options" . }} \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/topics + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-prometheus-targets.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-prometheus-targets.yaml new file mode 100644 index 0000000000..81f83a34e2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-prometheus-targets.yaml @@ -0,0 +1,84 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} + +{{- if and .Values.tests.enabled .Values.monitoring.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-prometheus-targets" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: registry.gitlab.com/gitlab-ci-utils/curl-jq:latest + command: [ "/bin/bash", "-c" ] + args: + - | + set -xe + + HEALTHY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/healthy) + if [ $HEALTHY != 200 ]; then + echo "prometheus is not healthy, exiting" + exit 1 + fi + + echo "prometheus is healthy, checking if ready..." + + READY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/ready) + if [ $READY != 200 ]; then + echo "prometheus is not ready, exiting" + exit 1 + fi + + echo "prometheus is ready, requesting target information..." + + + curl_prometheus() { + + # Run the command, and save the exit code + # from: https://prometheus.io/docs/prometheus/latest/querying/api/ + local RESULT=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq '.data.activeTargets[].health | select(. == "up")' | wc -l ) + + echo $RESULT + } + for d in $(seq 1 30); do + RESULT=$(curl_prometheus) + if [ $RESULT == {{ .Values.statefulset.replicas }} ]; then + break + fi + sleep 15 + done + + set +x + if [ $RESULT != {{ .Values.statefulset.replicas }} ]; then + curl --fail http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq . + echo "the number of targets unexpected; got ${RESULT} targets 'up', but was expecting {{ .Values.statefulset.replicas }}" + exit 1 + fi +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-rack-awareness.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-rack-awareness.yaml new file mode 100644 index 0000000000..82a31937f5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-rack-awareness.yaml @@ -0,0 +1,61 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-rack-awareness + namespace: {{ .Release.Namespace | quote }} +{{- with include "full.labels" . }} + labels: {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} +{{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /bin/bash + - -c + - | + set -e +{{- if and .Values.rackAwareness.enabled (include "redpanda-atleast-22-3-0" . | fromJson).bool }} + curl {{ template "curl-options" . }} \ + {{- if (include "tls-enabled" . | fromJson).bool }} + {{- if (dig "default" "caEnabled" false .Values.tls.certs) }} + --cacert "/etc/tls/certs/default/ca.crt" \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' + {{- else }} + http://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' + {{- end }} +{{- end }} + + rpk redpanda admin config print --host {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }} | grep '"enable_rack_awareness": {{ .Values.rackAwareness.enabled }}' + + rpk cluster config get enable_rack_awareness + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-rpk-debug-bundle.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-rpk-debug-bundle.yaml new file mode 100644 index 0000000000..3230f08817 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-rpk-debug-bundle.yaml @@ -0,0 +1,104 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* + +This test currently fails because of a bug where when multiple containers exist +The api returns an error. We should be requesting logs from each container. + + +{{- if and .Values.tests.enabled .Values.rbac.enabled (include "redpanda-atleast-23-1-1" .|fromJson).bool -}} + {{- $sasl := .Values.auth.sasl }} + {{- $useSaslSecret := and $sasl.enabled (not (empty $sasl.secretRef )) }} + + +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-rpk-debug-bundle + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + statefulset.kubernetes.io/pod-name: {{ include "redpanda.fullname" . }}-0 + topologyKey: kubernetes.io/hostname + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + initContainers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: shared-data + mountPath: /usr/share/redpanda/test + - name: datadir + mountPath: /var/lib/redpanda/data + command: + - /bin/bash + - -c + - | + set -e + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + rpk debug bundle -o /usr/share/redpanda/test/debug-test.zip -n {{ .Release.Namespace }} + containers: + - name: {{ template "redpanda.name" . }}-tester + image: busybox:latest + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: shared-data + mountPath: /test + command: + - /bin/ash + - -c + - | + set -e + unzip /test/debug-test.zip -d /tmp/bundle + + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-0.txt + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-1.txt + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-2.txt + + test -d /tmp/bundle/controller + + test -f /tmp/bundle/k8s/pods.json + test -f /tmp/bundle/k8s/configmaps.json + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end -}} +*/}} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.6/templates/tests/test-sasl-updated.yaml b/charts/redpanda/redpanda/5.9.6/templates/tests/test-sasl-updated.yaml new file mode 100644 index 0000000000..5f61be552e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/templates/tests/test-sasl-updated.yaml @@ -0,0 +1,71 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool (eq .Values.auth.sasl.secretRef "some-users") -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-update-sasl-users" + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + + set -x + + # check that the users list did update + ready_result_exit_code=1 + while [[ ${ready_result_exit_code} -ne 0 ]]; do + ready_result=$(rpk acl user list | grep anotheranotherme 2>&1) && ready_result_exit_code=$? + sleep 2 + done + + # check that sasl is not broken + {{ include "rpk-cluster-info" $ }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.6/values.schema.json b/charts/redpanda/redpanda/5.9.6/values.schema.json new file mode 100644 index 0000000000..80d6eb62d9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/values.schema.json @@ -0,0 +1,5845 @@ +{ + "$id": "https://github.com/redpanda-data/helm-charts/charts/redpanda/values", + "$schema": "https://json-schema.org/draft/2020-12/schema", + "description": "DO NOT EDIT!. This file was generated by ./cmd/genschema/genschema.go", + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "auditLogging": { + "properties": { + "clientMaxBufferSize": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + }, + "enabledEventTypes": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "excludedPrincipals": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "excludedTopics": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "listener": { + "type": "string" + }, + "partitions": { + "type": "integer" + }, + "queueDrainIntervalMs": { + "type": "integer" + }, + "queueMaxBufferSizePerShard": { + "type": "integer" + }, + "replicationFactor": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "auth": { + "properties": { + "sasl": { + "properties": { + "bootstrapUser": { + "properties": { + "mechanism": { + "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$", + "type": "string" + }, + "name": { + "type": "string" + }, + "password": { + "type": "string" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "mechanism": { + "type": "string" + }, + "secretRef": { + "type": "string" + }, + "users": { + "oneOf": [ + { + "items": { + "properties": { + "mechanism": { + "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$", + "type": "string" + }, + "name": { + "type": "string" + }, + "password": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "sasl" + ], + "type": "object" + }, + "clusterDomain": { + "type": "string" + }, + "commonLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "config": { + "properties": { + "cluster": { + "type": "object" + }, + "node": { + "type": "object" + }, + "pandaproxy_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + "type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "rpk": { + "type": "object" + }, + "schema_registry_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + "type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tunable": { + "additionalProperties": true, + "properties": { + "group_initial_rebalance_delay": { + "type": "integer" + }, + "log_retention_ms": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "cluster", + "node", + "tunable" + ], + "type": "object" + }, + "connectors": { + "properties": { + "connectors": { + "properties": { + "fullnameOverwrite": { + "type": "string" + }, + "restPort": { + "type": "integer" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "console": { + "properties": { + "console": { + "properties": { + "config": { + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "enterprise": { + "properties": { + "license": { + "type": "string" + }, + "licenseSecretRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "external": { + "properties": { + "addresses": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "domain": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "externalDns": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "prefixTemplate": { + "type": "string" + }, + "service": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "sourceRanges": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "type": { + "pattern": "^(LoadBalancer|NodePort)$", + "type": "string" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "force": { + "type": "boolean" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "description": "Values used to define the container image to be used for Redpanda", + "properties": { + "pullPolicy": { + "description": "The Kubernetes Pod image pull policy.", + "pattern": "^(Always|Never|IfNotPresent)$", + "type": "string" + }, + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda", + "description": "container image repository", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "description": "The container image tag. Use the Redpanda release version. Must be a valid semver prefixed with a 'v'.", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "repository", + "pullPolicy" + ], + "type": "object" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "license_key": { + "deprecated": true, + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\\.(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$|^$", + "type": "string" + }, + "license_secret_ref": { + "deprecated": true, + "properties": { + "secret_key": { + "type": "string" + }, + "secret_name": { + "type": "string" + } + }, + "type": "object" + }, + "listeners": { + "properties": { + "admin": { + "properties": { + "appProtocol": { + "type": "string" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "http": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "tls", + "kafkaEndpoint", + "port" + ], + "type": "object" + }, + "kafka": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "sasl", + "none", + "mtls_identity" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "sasl", + "none", + "mtls_identity" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "tls", + "port" + ], + "type": "object" + }, + "rpc": { + "properties": { + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "schemaRegistry": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "kafkaEndpoint", + "port", + "tls" + ], + "type": "object" + } + }, + "required": [ + "admin", + "http", + "kafka", + "schemaRegistry", + "rpc" + ], + "type": "object" + }, + "logging": { + "properties": { + "logLevel": { + "pattern": "^(error|warn|info|debug|trace)$", + "type": "string" + }, + "usageStats": { + "properties": { + "clusterId": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "logLevel", + "usageStats" + ], + "type": "object" + }, + "monitoring": { + "properties": { + "enableHttp2": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "scrapeInterval": { + "type": "string" + }, + "tlsConfig": { + "properties": { + "ca": { + "properties": { + "configMap": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "caFile": { + "type": "string" + }, + "cert": { + "properties": { + "configMap": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "certFile": { + "type": "string" + }, + "insecureSkipVerify": { + "type": "boolean" + }, + "keyFile": { + "type": "string" + }, + "keySecret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serverName": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "enabled", + "scrapeInterval" + ], + "type": "object" + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "post_install_job": { + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "containers": { + "oneOf": [ + { + "items": { + "properties": { + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "enum": [ + "redpanda", + "post-install", + "post-upgrade" + ], + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name", + "env" + ], + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "containers" + ], + "type": "object" + } + }, + "required": [ + "labels", + "annotations", + "spec" + ], + "type": "object" + }, + "resources": { + "properties": { + "claims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "post_upgrade_job": { + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "backoffLimit": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + }, + "extraEnv": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraEnvFrom": { + "oneOf": [ + { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "containers": { + "oneOf": [ + { + "items": { + "properties": { + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "enum": [ + "redpanda", + "post-install", + "post-upgrade" + ], + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name", + "env" + ], + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "containers" + ], + "type": "object" + } + }, + "required": [ + "labels", + "annotations", + "spec" + ], + "type": "object" + }, + "resources": { + "properties": { + "claims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "rackAwareness": { + "properties": { + "enabled": { + "type": "boolean" + }, + "nodeAnnotation": { + "type": "string" + } + }, + "required": [ + "enabled", + "nodeAnnotation" + ], + "type": "object" + }, + "rbac": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "annotations" + ], + "type": "object" + }, + "resources": { + "properties": { + "cpu": { + "properties": { + "cores": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "overprovisioned": { + "type": "boolean" + } + }, + "required": [ + "cores" + ], + "type": "object" + }, + "memory": { + "properties": { + "container": { + "properties": { + "max": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "min": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "required": [ + "max" + ], + "type": "object" + }, + "enable_memory_locking": { + "type": "boolean" + }, + "redpanda": { + "properties": { + "memory": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "reserveMemory": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + } + }, + "required": [ + "container" + ], + "type": "object" + } + }, + "required": [ + "cpu", + "memory" + ], + "type": "object" + }, + "service": { + "properties": { + "internal": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "serviceAccount": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "required": [ + "create", + "name", + "annotations" + ], + "type": "object" + }, + "statefulset": { + "properties": { + "additionalRedpandaCmdFlags": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "additionalSelectorLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "budget": { + "properties": { + "maxUnavailable": { + "type": "integer" + } + }, + "required": [ + "maxUnavailable" + ], + "type": "object" + }, + "extraVolumeMounts": { + "type": "string" + }, + "extraVolumes": { + "type": "string" + }, + "initContainerImage": { + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "type": "object" + }, + "initContainers": { + "properties": { + "configurator": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "extraInitContainers": { + "type": "string" + }, + "fsValidator": { + "properties": { + "enabled": { + "type": "boolean" + }, + "expectedFS": { + "type": "string" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "setDataDirOwnership": { + "properties": { + "enabled": { + "type": "boolean" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "setTieredStorageCacheDirOwnership": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "tuning": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "nodeAffinity": { + "type": "object" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podAffinity": { + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "custom": { + "type": "object" + }, + "topologyKey": { + "type": "string" + }, + "type": { + "pattern": "^(hard|soft|custom)$", + "type": "string" + }, + "weight": { + "type": "integer" + } + }, + "required": [ + "topologyKey", + "type", + "weight" + ], + "type": "object" + }, + "podSecurityContext": { + "deprecated": true, + "properties": { + "allowPriviledgeEscalation": { + "type": "boolean" + }, + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "containers": { + "oneOf": [ + { + "items": { + "properties": { + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "enum": [ + "redpanda", + "post-install", + "post-upgrade" + ], + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name", + "env" + ], + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "containers" + ], + "type": "object" + } + }, + "required": [ + "labels", + "annotations", + "spec" + ], + "type": "object" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "replicas": { + "type": "integer" + }, + "securityContext": { + "deprecated": true, + "properties": { + "allowPriviledgeEscalation": { + "type": "boolean" + }, + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + }, + "type": "object" + }, + "sideCars": { + "properties": { + "configWatcher": { + "properties": { + "enabled": { + "type": "boolean" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "controllers": { + "properties": { + "createRBAC": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "healthProbeAddress": { + "type": "string" + }, + "image": { + "properties": { + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda-operator", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "tag", + "repository" + ], + "type": "object" + }, + "metricsAddress": { + "type": "string" + }, + "resources": true, + "run": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "maxSkew": { + "type": "integer" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "pattern": "^(ScheduleAnyway|DoNotSchedule)$", + "type": "string" + } + }, + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "updateStrategy": { + "properties": { + "type": { + "pattern": "^(RollingUpdate|OnDelete)$", + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object" + } + }, + "required": [ + "additionalSelectorLabels", + "replicas", + "updateStrategy", + "podTemplate", + "budget", + "startupProbe", + "livenessProbe", + "readinessProbe", + "podAffinity", + "podAntiAffinity", + "nodeSelector", + "priorityClassName", + "topologySpreadConstraints", + "tolerations", + "securityContext", + "sideCars" + ], + "type": "object" + }, + "storage": { + "properties": { + "hostPath": { + "type": "string" + }, + "persistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { + "type": "string" + }, + "size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "size", + "storageClass" + ], + "type": "object" + }, + "tiered": { + "properties": { + "config": { + "properties": { + "cloud_storage_access_key": { + "type": "string" + }, + "cloud_storage_api_endpoint": { + "type": "string" + }, + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { + "type": "string" + }, + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_enabled": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + "cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_secret_key": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" + } + }, + "required": [ + "cloud_storage_enabled" + ], + "type": "object" + }, + "credentialsSecretRef": { + "properties": { + "accessKey": { + "properties": { + "configurationKey": { + "type": "string" + }, + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "secretKey": { + "properties": { + "configurationKey": { + "type": "string" + }, + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "hostPath": { + "type": "string" + }, + "mountType": { + "pattern": "^(none|hostPath|emptyDir|persistentVolume)$", + "type": "string" + }, + "persistentVolume": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "labels", + "storageClass" + ], + "type": "object" + } + }, + "required": [ + "mountType" + ], + "type": "object" + }, + "tieredConfig": { + "deprecated": true, + "properties": { + "cloud_storage_access_key": { + "type": "string" + }, + "cloud_storage_api_endpoint": { + "type": "string" + }, + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { + "type": "string" + }, + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_enabled": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + "cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_secret_key": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tieredStorageHostPath": { + "deprecated": true, + "type": "string" + }, + "tieredStoragePersistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "storageClass" + ], + "type": "object" + } + }, + "required": [ + "hostPath", + "tiered", + "persistentVolume" + ], + "type": "object" + }, + "tests": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "tls": { + "properties": { + "certs": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "applyInternalDNSNames": { + "type": "boolean" + }, + "caEnabled": { + "type": "boolean" + }, + "clientSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "duration": { + "pattern": ".*[smh]$", + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "issuerRef": { + "properties": { + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "caEnabled" + ], + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "certs" + ], + "type": "object" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "tuning": { + "properties": { + "ballast_file_path": { + "type": "string" + }, + "ballast_file_size": { + "type": "string" + }, + "tune_aio_events": { + "type": "boolean" + }, + "tune_ballast_file": { + "type": "boolean" + }, + "tune_clocksource": { + "type": "boolean" + }, + "well_known_io": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "affinity", + "image" + ], + "type": "object" +} diff --git a/charts/redpanda/redpanda/5.9.6/values.yaml b/charts/redpanda/redpanda/5.9.6/values.yaml new file mode 100644 index 0000000000..3a9287d140 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.6/values.yaml @@ -0,0 +1,1131 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file contains values for variables referenced from yaml files in the templates directory. +# +# For further information on Helm templating see the documentation at: +# https://helm.sh/docs/chart_template_guide/values_files/ + +# +# >>> This chart requires Helm version 3.6.0 or greater <<< +# + +# Common settings +# +# -- Override `redpanda.name` template. +nameOverride: "" +# -- Override `redpanda.fullname` template. +fullnameOverride: "" +# -- Default Kubernetes cluster domain. +clusterDomain: cluster.local +# -- Additional labels to add to all Kubernetes objects. +# For example, `my.k8s.service: redpanda`. +commonLabels: {} +# -- Node selection constraints for scheduling Pods, can override this for StatefulSets. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). +nodeSelector: {} +# -- Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). +affinity: {} +# -- Taints to be tolerated by Pods, can override this for StatefulSets. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). +tolerations: [] + +# -- Redpanda Docker image settings. +image: + # -- Docker repository from which to pull the Redpanda Docker image. + repository: docker.redpanda.com/redpandadata/redpanda + # -- The Redpanda version. + # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + # @default -- `Chart.appVersion`. + tag: "" + # -- The imagePullPolicy. + # If `image.tag` is 'latest', the default is `Always`. + pullPolicy: IfNotPresent + +# -- Redpanda Service settings. +# service: +# -- set service.name to override the default service name +# name: redpanda +# -- internal Service +# internal: +# -- add annotations to the internal Service +# annotations: {} +# +# -- eg. for a bare metal install using external-dns +# annotations: +# "external-dns.alpha.kubernetes.io/hostname": redpanda.domain.dom +# "external-dns.alpha.kubernetes.io/endpoints-type": HostIP + +# -- Pull secrets may be used to provide credentials to image repositories +# See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). +imagePullSecrets: [] + +# -- DEPRECATED Enterprise license key (optional). +# For details, +# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). +license_key: "" +# -- DEPRECATED Secret name and secret key where the license key is stored. +license_secret_ref: {} + # secret_name: my-secret + # secret_key: key-where-license-is-stored + +# -- Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication +# for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0. +auditLogging: + # -- Enable or disable audit logging, for production clusters we suggest you enable, + # however, this will only work if you also enable sasl and a listener with sasl enabled. + enabled: false + # -- Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. + # For external listeners, use the external listener name, such as `default`. + listener: internal + # -- Integer value defining the number of partitions used by a newly created audit topic. + partitions: 12 + # -- Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`]. + enabledEventTypes: + # -- List of topics to exclude from auditing, default is null. + excludedTopics: + # -- List of principals to exclude from auditing, default is null. + excludedPrincipals: + # -- Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages. + clientMaxBufferSize: 16777216 + # -- In ms, frequency in which per shard audit logs are batched to client for write to audit log. + queueDrainIntervalMs: 500 + # -- Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard. + queueMaxBufferSizePerShard: 1048576 + # -- Defines the replication factor for a newly created audit log topic. This configuration applies + # only to the audit log topic and may be different from the cluster or other topic configurations. + # This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, + # Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null` + replicationFactor: + +# -- Enterprise (optional) +# For details, +# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). +enterprise: + # -- license (optional). + license: "" + # -- Secret name and key where the license key is stored. + licenseSecretRef: {} + # name: my-secret + # key: key-where-license-is-stored + +# -- Rack Awareness settings. +# For details, +# see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/). +rackAwareness: + # -- When running in multiple racks or availability zones, use a Kubernetes Node + # annotation value as the Redpanda rack value. + # Enabling this requires running with a service account with "get" Node permissions. + # To have the Helm chart configure these permissions, + # set `serviceAccount.create=true` and `rbac.enabled=true`. + enabled: false + # -- The common well-known annotation to use as the rack ID. + # Override this only if you use a custom Node annotation. + nodeAnnotation: topology.kubernetes.io/zone + +# +# -- Redpanda Console settings. +# For a reference of configuration settings, +# see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). +console: + enabled: true + configmap: + create: false + secret: + create: false + deployment: + create: false + config: {} + +# +# -- Redpanda Managed Connectors settings +# For a reference of configuration settings, +# see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/). +connectors: + enabled: false + deployment: + create: false + test: + create: false + +# -- Authentication settings. +# For details, +# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). +auth: + sasl: + # -- Enable SASL authentication. + # If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`. + enabled: false + # -- The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + mechanism: SCRAM-SHA-512 + # -- A Secret that contains your superuser credentials. + # For details, + # see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets). + secretRef: "redpanda-users" + # -- Optional list of superusers. + # These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`. + # If this list is empty, + # the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart. + # Uncomment the sample list if you wish to try adding sample sasl users or override to use your own. + users: [] + # - name: admin + # password: change-me + # mechanism: SCRAM-SHA-512 + # -- Details about how to create the bootstrap user for the cluster. + # The secretKeyRef is optionally specified. If it is specified, the + # chart will use a password written to that secret when creating the + # "kubernetes-controller" bootstrap user. If it is unspecified, then + # the secret will be generated and stored in the secret + # "releasename"-bootstrap-user, with the key "password". + bootstrapUser: + # -- The name used to override the name of the bootstrap user. If unspecified the bootstrap user is named + # "kubernetes-controller". This should only be specified when SASL authentication is enabled (usually installation) + # and should not be changed afterward. + # name: my-user + # -- The authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + mechanism: SCRAM-SHA-256 + # secretKeyRef: + # name: my-password + # key: my-key + +# -- TLS settings. +# For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/). +tls: + # -- Enable TLS globally for all listeners. + # Each listener must include a Certificate name in its `.tls` object. + # To allow you to enable TLS for individual listeners, + # Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`. + # See `listeners..tls.enabled`. + enabled: true + # -- List all Certificates here, + # then you can reference a specific Certificate's name + # in each listener's `listeners..tls.cert` setting. + certs: + # -- This key is the Certificate name. + # To apply the Certificate to a specific listener, + # reference the Certificate's name in `listeners..tls.cert`. + default: + # -- To use a custom pre-installed Issuer, + # add its name and kind to the `issuerRef` object. + # issuerRef: + # name: redpanda-default-root-issuer + # kind: Issuer # Can be Issuer or ClusterIssuer + # -- To use a secret with custom tls files, + # secretRef: + # name: my-tls-secret + # -- Indicates whether or not the Secret holding this certificate + # includes a `ca.crt` key. When `true`, chart managed clients, such as + # rpk, will use `ca.crt` for certificate verification and listeners with + # `require_client_auth` and no explicit `truststore` will use `ca.crt` as + # their `truststore_file` for verification of client certificates. When + # `false`, chart managed clients will use `tls.crt` for certificate + # verification and listeners with `require_client_auth` and no explicit + # `truststore` will use the container's CA certificates. + caEnabled: true + # duration: 43800h + # if you wish to have Kubernetes internal dns names (IE the headless service of the redpanda StatefulSet) included in `dnsNames` of the certificate even, when supplying an issuer. + # applyInternalDNSNames: false + # -- Example external tls configuration + # uncomment and set the right key to the listeners that require them + # also enable the tls setting for those listeners. + external: + # -- To use a custom pre-installed Issuer, + # add its name and kind to the `issuerRef` object. + # issuerRef: + # name: redpanda-default-root-issuer + # kind: Issuer # Can be Issuer or ClusterIssuer + # -- To use a secret with custom tls files, + # secretRef: + # name: my-tls-secret + # -- Indicates whether or not the Secret holding this certificate + # includes a `ca.crt` key. When `true`, chart managed clients, such as + # rpk, will use `ca.crt` for certificate verification and listeners with + # `require_client_auth` and no explicit `truststore` will use `ca.crt` as + # their `truststore_file` for verification of client certificates. When + # `false`, chart managed clients will use `tls.crt` for certificate + # verification and listeners with `require_client_auth` and no explicit + # `truststore` will use the container's CA certificates. + caEnabled: true + # duration: 43800h + # if you wish to for apply internal dns names to the certificate even when supplying an issuer + # applyInternalDNSNames: false + +# -- External access settings. +# For details, +# see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/). +external: + # -- Service allows you to manage the creation of an external kubernetes service object + service: + # -- Enabled if set to false will not create the external service type + # You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander). + # Set this to false if you rather manage your own service. + enabled: true + # -- Enable external access for each Service. + # You can toggle external access for each listener in + # `listeners..external..enabled`. + enabled: true + # -- External access type. Only `NodePort` and `LoadBalancer` are supported. + # If undefined, then advertised listeners will be configured in Redpanda, + # but the helm chart will not create a Service. + # You must create a Service manually. + # Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. + # NodePort is recommended in cases where latency is a priority. + type: NodePort + # Optional source range for external access. Only applicable when external.type is LoadBalancer + # sourceRanges: [] + # -- Optional domain advertised to external clients + # If specified, then it will be appended to the `external.addresses` values as each broker's advertised address + # domain: local + # Optional list of addresses that the Redpanda brokers advertise. + # Provide one entry for each broker in order of StatefulSet replicas. + # The number of brokers is defined in statefulset.replicas. + # The values can be IP addresses or DNS names. + # If external.domain is set, the domain is appended to these values. + # There is an option to define a single external address for all brokers and leverage + # prefixTemplate as it will be calculated during initContainer execution. + # addresses: + # - redpanda-0 + # - redpanda-1 + # - redpanda-2 + # + # annotations: + # For example: + # cloud.google.com/load-balancer-type: "Internal" + # service.beta.kubernetes.io/aws-load-balancer-type: nlb + # If you enable externalDns, each LoadBalancer service instance + # will be annotated with external-dns hostname + # matching external.addresses + external.domain + # externalDns: + # enabled: true + # prefixTemplate: "" + +# -- Log-level settings. +logging: + # -- Log level + # Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`. + logLevel: info + # -- Send usage statistics back to Redpanda Data. + # For details, + # see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting). + usageStats: + # Enable the `rpk.enable_usage_stats` property. + enabled: true + # Your cluster ID (optional) + # clusterId: your-helm-cluster + +# -- Monitoring. +# This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. +monitoring: + enabled: false + scrapeInterval: 30s + labels: {} + # Enables http2 for scraping metrics for prometheus. Used when Istio's mTLS is enabled and using tlsConfig. + # enableHttp2: true + # tlsConfig: + # caFile: /etc/prom-certs/root-cert.pem + # certFile: /etc/prom-certs/cert-chain.pem + # insecureSkipVerify: true + # keyFile: /etc/prom-certs/key.pem + +# -- Pod resource management. +# This section simplifies resource allocation +# by providing a single location where resources are defined. +# Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates. +# +# The default values are for a development environment. +# Production-level values and other considerations are documented, +# where those values are different from the default. +# For details, +# see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/). +resources: + # + # -- CPU resources. + # For details, + # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources). + cpu: + # -- Redpanda makes use of a thread per core model. + # For details, see this [blog](https://redpanda.com/blog/tpc-buffers). + # For this reason, Redpanda should only be given full cores. + # + # Note: You can increase cores, but decreasing cores is not currently supported. + # See the [GitHub issue](https://github.com/redpanda-data/redpanda/issues/350). + # + # This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`. + # For production, use `4` or greater. + # + # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for + # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers + # access to exclusive CPUs on the node. See + # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy. + cores: 1 + # + # -- Overprovisioned means Redpanda won't assume it has all of the provisioned CPU. + # This should be true unless the container has CPU affinity. + # Equivalent to: `--idle-poll-time-us 0 --thread-affinity 0 --poll-aio 0` + # + # If the value of full cores in `resources.cpu.cores` is less than `1`, this + # setting is set to `true`. + # overprovisioned: false + # + # -- Memory resources + # For details, + # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources). + memory: + # -- Enables memory locking. + # For production, set to `true`. + # enable_memory_locking: false + # + # It is recommended to have at least 2Gi of memory per core for the Redpanda binary. + # This memory is taken from the total memory given to each container. + # The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for + # the Seastar subsystem (reserveMemory) and other container processes. + # So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi. + # + # These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory + # requests/limits in the StatefulSet. + # Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi + # To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container. + # For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a memory limit and a memory request. + # * For every container in the Pod, the memory limit must equal the memory request. + # + container: + # Minimum memory count for each Redpanda broker. + # If omitted, the `min` value is equal to the `max` value (requested resources defaults to limits). + # This setting is equivalent to `resources.requests.memory`. + # For production, use 10Gi or greater. + # min: 2.5Gi + # + # -- Maximum memory count for each Redpanda broker. + # Equivalent to `resources.limits.memory`. + # For production, use `10Gi` or greater. + max: 2.5Gi + # + # This optional `redpanda` object allows you to specify the memory size for both the Redpanda + # process and the underlying reserved memory used by Seastar. + # This section is omitted by default, and memory sizes are calculated automatically + # based on container memory. + # Uncommenting this section and setting memory and reserveMemory values will disable + # automatic calculation. + # + # If you are setting the following values manually, keep in mind the following guidelines. + # Getting this wrong may lead to performance issues, instability, and loss of data: + # The amount of memory to allocate to a container is determined by the sum of three values: + # 1. Redpanda (at least 2Gi per core, ~80% of the container's total memory) + # 2. Seastar subsystem (200Mi * 0.2% of the container's total memory, 200Mi < x < 1Gi) + # 3. Other container processes (whatever small amount remains) + # redpanda: + # Memory for the Redpanda process. + # This must be lower than the container's memory (resources.memory.container.min if provided, otherwise + # resources.memory.container.max). + # Equivalent to --memory. + # For production, use 8Gi or greater. + # memory: 2Gi + # + # Memory reserved for the Seastar subsystem. + # Any value above 1Gi will provide diminishing performance benefits. + # Equivalent to --reserve-memory. + # For production, use 1Gi. + # reserveMemory: 200Mi + +# -- Persistence settings. +# For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/). +storage: + # -- Absolute path on the host to store Redpanda's data. + # If unspecified, then an `emptyDir` volume is used. + # If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect. + hostPath: "" + # -- If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and + # used to store Redpanda's data. Otherwise, `storage.hostPath` is used. + persistentVolume: + enabled: true + size: 20Gi + # -- To disable dynamic provisioning, set to `-`. + # If undefined or empty (default), then no storageClassName spec is set, + # and the default dynamic provisioner is chosen (gp2 on AWS, standard on + # GKE, AWS & OpenStack). + storageClass: "" + # -- Additional labels to apply to the created PersistentVolumeClaims. + labels: {} + # -- Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + # -- Option to change volume claim template name for tiered storage persistent volume + # if tiered.mountType is set to `persistentVolume` + nameOverwrite: "" + # + # Settings for the Tiered Storage cache. + # For details, + # see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/#caching). + + tiered: + # mountType can be one of: + # - none: does not mount a volume. Tiered storage will use the data directory. + # - hostPath: will allow you to chose a path on the Node the pod is running on + # - emptyDir: will mount a fresh empty directory every time the pod starts + # - persistentVolume: creates and mounts a PersistentVolumeClaim + mountType: emptyDir + + # For the maximum size of the disk cache, see `tieredConfig.cloud_storage_cache_size`. + # + # -- Absolute path on the host to store Redpanda's Tiered Storage cache. + hostPath: "" + # PersistentVolumeClaim to be created for the Tiered Storage cache and + # used to store data retrieved from cloud storage, such as S3). + persistentVolume: + # -- To disable dynamic provisioning, set to "-". + # If undefined or empty (default), then no storageClassName spec is set, + # and the default dynamic provisioner is chosen (gp2 on AWS, standard on + # GKE, AWS & OpenStack). + storageClass: "" + # -- Additional labels to apply to the created PersistentVolumeClaims. + labels: {} + # -- Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + + # credentialsSecretRef can be used to set `cloud_storage_secret_key` and/or `cloud_storage_access_key` from + # referenced Kubernetes Secret + credentialsSecretRef: + accessKey: + # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_access_key + configurationKey: cloud_storage_access_key + # name: + # key: + secretKey: + # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_secret_key + # or + # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_azure_shared_key + configurationKey: cloud_storage_secret_key + # name: + # key + # -- DEPRECATED `configurationKey`, `name` and `key`. Please use `accessKey` and `secretKey` + # configurationKey: cloud_storage_secret_key + # name: + # key: + # + # -- Tiered Storage settings + # Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` + # For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/). + # For a list of properties, see [Object Storage Properties](https://docs.redpanda.com/current/reference/properties/object-storage-properties/). + config: + # -- Global flag that enables Tiered Storage if a license key is provided. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enabled). + cloud_storage_enabled: false + # -- Cluster level default remote write configuration for new topics. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_write). + cloud_storage_enable_remote_write: true + # -- Cluster level default remote read configuration for new topics. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_read). + cloud_storage_enable_remote_read: true + # -- Maximum size of the disk cache used by Tiered Storage. + # Default is 20 GiB. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_cache_size). + cloud_storage_cache_size: 5368709120 + +post_install_job: + enabled: true + # Resource requests and limits for the post-install batch job + # resources: + # requests: + # cpu: 1 + # memory: 512Mi + # limits: + # cpu: 2 + # memory: 1024Mi + # labels: {} + # annotations: {} + affinity: {} + + podTemplate: + # -- Additional labels to apply to the Pods of this Job. + labels: {} + # -- Additional annotations to apply to the Pods of this Job. + annotations: {} + # -- A subset of Kubernetes' PodSpec type that will be merged into the + # final PodSpec. See [Merge Semantics](#merging-semantics) for details. + spec: + securityContext: {} + containers: + - name: post-install + securityContext: {} + env: [] + +statefulset: + # -- Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster) + replicas: 3 + updateStrategy: + type: RollingUpdate + budget: + maxUnavailable: 1 + # -- DEPRECATED Please use statefulset.podTemplate.annotations. + # Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have + # any dedicated annotation. + annotations: {} + # -- Additional labels to be added to statefulset label selector. + # For example, `my.k8s.service: redpanda`. + additionalSelectorLabels: {} + podTemplate: + # -- Additional labels to apply to the Pods of the StatefulSet. + labels: {} + # -- Additional annotations to apply to the Pods of the StatefulSet. + annotations: {} + # -- A subset of Kubernetes' PodSpec type that will be merged into the + # final PodSpec. See [Merge Semantics](#merging-semantics) for details. + spec: + securityContext: {} + containers: + - name: redpanda + securityContext: {} + env: [] + # -- Adjust the period for your probes to meet your needs. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + startupProbe: + initialDelaySeconds: 1 + failureThreshold: 120 + periodSeconds: 10 + livenessProbe: + initialDelaySeconds: 10 + failureThreshold: 3 + periodSeconds: 10 + readinessProbe: + initialDelaySeconds: 1 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + # + # StatefulSet resources: + # Resources are set through the top-level resources section above. + # It is recommended to set resource values in that section rather than here, as this will guarantee + # memory is allocated across containers, Redpanda, and the Seastar subsystem correctly. + # This automatic memory allocation is in place because Repanda and the Seastar subsystem require flags + # at startup that set the amount of memory available to each process. + # Kubernetes (mainly statefulset), Redpanda, and Seastar memory values are tightly coupled. + # Adding a resource section here will be ignored. + # + # -- Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + podAffinity: {} + # -- Anti-affinity rules for scheduling Pods of this StatefulSet. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + # You may either edit the default settings for anti-affinity rules, + # or specify new anti-affinity rules to use instead of the defaults. + podAntiAffinity: + # -- The topologyKey to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # -- Valid anti-affinity types are `soft`, `hard`, or `custom`. + # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + type: hard + # -- Weight for `soft` anti-affinity rules. + # Does not apply to other anti-affinity types. + weight: 100 + # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + custom: {} + # -- Node selection constraints for scheduling Pods of this StatefulSet. + # These constraints override the global `nodeSelector` value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + nodeSelector: {} + # -- PriorityClassName given to Pods of this StatefulSet. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + priorityClassName: "" + # -- Taints to be tolerated by Pods of this StatefulSet. + # These tolerations override the global tolerations value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + tolerations: [] + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/). + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + # -- DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext. + securityContext: + fsGroup: 101 + runAsUser: 101 + fsGroupChangePolicy: OnRootMismatch + sideCars: + configWatcher: + enabled: true + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a memory limit and a memory request. + # * For every container in the Pod, the memory limit must equal the memory request. + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # + # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for + # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers + # access to exclusive CPUs on the node. For details, see + # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + resources: {} + securityContext: {} + extraVolumeMounts: |- + # Configure extra controllers to run as sidecars inside the Pods running Redpanda brokers. + # Available controllers: + # - Decommission Controller: The Decommission Controller ensures smooth scaling down operations. + # This controller is responsible for monitoring changes in the number of StatefulSet replicas and orchestrating + # the decommissioning of brokers when necessary. It also sets the reclaim policy for the decommissioned + # broker's PersistentVolume to `Retain` and deletes the corresponding PersistentVolumeClaim. + # - Node-PVC Controller: The Node-PVC Controller handles the PVCs of deleted brokers. + # By setting the PV Retain policy to retain, it facilitates the rescheduling of brokers to new, healthy nodes when + # an existing node is removed. + controllers: + image: + tag: v2.2.4-24.2.5 + repository: docker.redpanda.com/redpandadata/redpanda-operator + # You must also enable RBAC, `rbac.enabled=true`, to deploy this sidecar + enabled: false + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # + # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for + # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers + # access to exclusive CPUs on the node. For details, see + # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + resources: {} + securityContext: {} + healthProbeAddress: ":8085" + metricsAddress: ":9082" + run: + - all + createRBAC: true + initContainers: + fsValidator: + enabled: false + expectedFS: xfs + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + tuning: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + setDataDirOwnership: + # -- In environments where root is not allowed, you cannot change the ownership of files and directories. + # Enable `setDataDirOwnership` when using default minikube cluster configuration. + enabled: false + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + setTieredStorageCacheDirOwnership: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + configurator: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + ## Additional init containers + extraInitContainers: |- +# - name: "test-init-container" +# image: "mintel/docker-alpine-bash-curl-jq:latest" +# command: [ "/bin/bash", "-c" ] +# args: +# - | +# set -xe +# echo "Hello World!" + initContainerImage: + repository: busybox + tag: latest + # -- Additional flags to pass to redpanda, + additionalRedpandaCmdFlags: [] +# - --unsafe-bypass-fsync + # -- Termination grace period in seconds is time required to execute preStop hook + # which puts particular Redpanda Pod (process/container) into maintenance mode. + # Before settle down on particular value please put Redpanda under load and perform + # rolling upgrade or rolling restart. That value needs to accommodate two processes: + # * preStop hook needs to put Redpanda into maintenance mode + # * after preStop hook Redpanda needs to handle gracefully SIGTERM signal + # + # Both processes are executed sequentially where preStop hook has hard deadline in the + # middle of terminationGracePeriodSeconds. + # + # REF: + # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + # https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination + terminationGracePeriodSeconds: 90 + ## Additional Volumes that you mount + extraVolumes: |- + ## Additional Volume mounts for redpanda container + extraVolumeMounts: |- + +# -- Service account management. +serviceAccount: + # -- Specifies whether a service account should be created. + create: false + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `redpanda.fullname` template. + name: "" + +# -- Role Based Access Control. +rbac: + # -- Enable for features that need extra privileges. + # If you use the Redpanda Operator, + # you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag + # to give it the required ClusterRoles. + enabled: false + # -- Annotations to add to the `rbac` resources. + annotations: {} + +# -- Redpanda tuning settings. +# Each is set to their default values in Redpanda. +tuning: + # -- Increase the maximum number of outstanding asynchronous IO operations if the + # current value is below a certain threshold. This allows Redpanda to make as many + # simultaneous IO requests as possible, increasing throughput. + # + # When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`. + # For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/). + tune_aio_events: true + # + # Syncs NTP + # tune_clocksource: false + # + # Creates a "ballast" file so that, if a Redpanda node runs out of space, + # you can delete the ballast file to allow the node to resume operations and then + # delete a topic or records to reduce the space used by Redpanda. + # tune_ballast_file: false + # + # The path where the ballast file will be created. + # ballast_file_path: "/var/lib/redpanda/data/ballast" + # + # The ballast file size. + # ballast_file_size: "1GiB" + # + # (Optional) The vendor, VM type and storage device type that redpanda will run on, in + # the format ::. This hints to rpk which configuration values it + # should use for the redpanda IO scheduler. + # Some valid values are "gcp:c2-standard-16:nvme", "aws:i3.xlarge:default" + # well_known_io: "" + # + # The following tuning parameters must be false in container environments and will be ignored: + # tune_network + # tune_disk_scheduler + # tune_disk_nomerges + # tune_disk_irq + # tune_fstrim + # tune_cpu + # tune_swappiness + # tune_transparent_hugepages + # tune_coredump + + +# -- Listener settings. +# +# Override global settings configured above for individual +# listeners. +# For details, +# see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/). +listeners: + # -- Admin API listener (only one). + admin: + # -- The port for both internal and external connections to the Admin API. + port: 9644 + # -- Optional instrumentation hint - https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol + # appProtocol: + # -- Optional external access settings. + external: + # -- Name of the external listener. + default: + port: 9645 + # Override the global `external.enabled` for only this listener. + # enabled: true + # -- The port advertised to this listener's external clients. + # List one port if you want to use the same port for each broker (would be the case when using NodePort service). + # Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. + # If undefined, `listeners.admin.port` is used. + tls: + # enabled: true + cert: external + advertisedPorts: + - 31644 + # -- Optional TLS section (required if global TLS is enabled) + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + # -- Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs). + cert: default + # -- If true, the truststore file for this listener is included in the ConfigMap. + requireClientAuth: false + # -- Kafka API listeners. + kafka: + # -- The port for internal client connections. + port: 9093 + # default is "sasl" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + # -- The port used for external client connections. + port: 9094 + # prefixTemplate: "" + # -- If undefined, `listeners.kafka.external.default.port` is used. + advertisedPorts: + - 31092 + tls: + # enabled: true + cert: external + # default is "sasl" + authenticationMethod: + # -- RPC listener (this is never externally accessible). + rpc: + port: 33145 + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + # -- Schema registry listeners. + schemaRegistry: + enabled: true + port: 8081 + kafkaEndpoint: default + # default is "http_basic" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + port: 8084 + advertisedPorts: + - 30081 + tls: + # enabled: true + cert: external + requireClientAuth: false + # default is "http_basic" + authenticationMethod: + # -- HTTP API listeners (aka PandaProxy). + http: + enabled: true + port: 8082 + kafkaEndpoint: default + # default is "http_basic" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + port: 8083 + # prefixTemplate: "" + advertisedPorts: + - 30082 + tls: + # enabled: true + cert: external + requireClientAuth: false + # default is "http_basic" + authenticationMethod: + +# Expert Config +# Here be dragons! +# +# -- This section contains various settings supported by Redpanda that may not work +# correctly in a Kubernetes cluster. Changing these settings comes with some risk. +# +# Use these settings to customize various Redpanda configurations that are not covered in other sections. +# These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, +# and therefore should not be modified for the purpose of configuring those objects. +# Instead, these settings get passed directly to the Redpanda binary at startup. +# For descriptions of these properties, +# see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/). +config: + rpk: {} + # additional_start_flags: # List of flags to pass to rpk, e.g., ` "--idle-poll-time-us=0"` + # -- [Cluster Configuration Properties](https://docs.redpanda.com/current/reference/properties/cluster-properties/) + cluster: {} + + # -- Tunable cluster properties. + # Deprecated: all settings here may be specified via `config.cluster`. + tunable: + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_min). + log_segment_size_min: 16777216 # 16 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_max). + log_segment_size_max: 268435456 # 256 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#compacted_log_segment_size). + compacted_log_segment_size: 67108864 # 64 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#max_compacted_log_segment_size). + max_compacted_log_segment_size: 536870912 # 512 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit). + kafka_connection_rate_limit: 1000 + + # -- [Broker (node) Configuration Properties](https://docs.redpanda.com/docs/reference/broker-properties/). + node: + # -- Crash loop limit + # A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. + # This limit prevents a broker from getting stuck in an infinite cycle of crashes. + # User can disable this crash loop limit check by the following action: + # + # * One hour elapses since the last crash + # * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects + # * The startup_log file in the node’s data_directory is manually deleted + # + # Default to 5 + # REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit + crash_loop_limit: 5 + + # Reference schema registry client https://docs.redpanda.com/current/reference/node-configuration-sample/ + schema_registry_client: {} + # # Number of times to retry a request to a broker + # # Default: 5 + # retries: 5 + # + # # Delay (in milliseconds) for initial retry backoff + # # Default: 100ms + # retry_base_backoff_ms: 100 + # + # # Number of records to batch before sending to broker + # # Default: 1000 + # produce_batch_record_count: 1000 + # + # # Number of bytes to batch before sending to broker + # # Defautl 1MiB + # produce_batch_size_bytes: 1048576 + # + # # Delay (in milliseconds) to wait before sending batch + # # Default: 100ms + # produce_batch_delay_ms: 100 + # + # # Interval (in milliseconds) for consumer request timeout + # # Default: 100ms + # consumer_request_timeout_ms: 100 + # + # # Max bytes to fetch per request + # # Default: 1MiB + # consumer_request_max_bytes: 1048576 + # + # # Timeout (in milliseconds) for consumer session + # # Default: 10s + # consumer_session_timeout_ms: 10000 + # + # # Timeout (in milliseconds) for consumer rebalance + # # Default: 2s + # consumer_rebalance_timeout_ms: 2000 + # + # # Interval (in milliseconds) for consumer heartbeats + # # Default: 500ms + # consumer_heartbeat_interval_ms: 500 + + # Reference panda proxy client https://docs.redpanda.com/current/reference/node-configuration-sample/ + pandaproxy_client: {} + # # Number of times to retry a request to a broker + # # Default: 5 + # retries: 5 + # + # # Delay (in milliseconds) for initial retry backoff + # # Default: 100ms + # retry_base_backoff_ms: 100 + # + # # Number of records to batch before sending to broker + # # Default: 1000 + # produce_batch_record_count: 1000 + # + # # Number of bytes to batch before sending to broker + # # Defautl 1MiB + # produce_batch_size_bytes: 1048576 + # + # # Delay (in milliseconds) to wait before sending batch + # # Default: 100ms + # produce_batch_delay_ms: 100 + # + # # Interval (in milliseconds) for consumer request timeout + # # Default: 100ms + # consumer_request_timeout_ms: 100 + # + # # Max bytes to fetch per request + # # Default: 1MiB + # consumer_request_max_bytes: 1048576 + # + # # Timeout (in milliseconds) for consumer session + # # Default: 10s + # consumer_session_timeout_ms: 10000 + # + # # Timeout (in milliseconds) for consumer rebalance + # # Default: 2s + # consumer_rebalance_timeout_ms: 2000 + # + # # Interval (in milliseconds) for consumer heartbeats + # # Default: 500ms + # consumer_heartbeat_interval_ms: 500 + + # Invalid properties + # Any of these properties will be ignored. These otherwise valid properties are not allowed + # to be used in this section since they impact deploying Redpanda in Kubernetes. + # Make use of the above sections to modify these values instead (see comments below). + # admin: "127.0.0.1:9644" # Address and port of admin server: use listeners.admin + # admin_api_tls: validate_many # TLS configuration for admin HTTP server: use listeners.admin.tls + # advertised_kafka_api: None # Address of Kafka API published to the clients + # advertised_pandaproxy_api: None # Rest API address and port to publish to client + # advertised_rpc_api: None # Address of RPC endpoint published to other cluster members + # enable_admin_api: true # Enable the admin API + # enable_sasl: false # Enable SASL authentication for Kafka connections + # kafka_api: "127.0.0.1:9092" # Address and port of an interface to listen for Kafka API requests + # kafka_api_tls: None # TLS configuration for Kafka API endpoint + # pandaproxy_api: "0.0.0.0:8082" # Rest API listen address and port + # pandaproxy_api_tls: validate_many # TLS configuration for Pandaproxy api + # rpc_server: "127.0.0.1:33145" # IP address and port for RPC server + # rpc_server_tls: validate # TLS configuration for RPC server + # superusers: None # List of superuser usernames + +tests: + enabled: true diff --git a/index.yaml b/index.yaml index 578650b503..7d6b683cbf 100644 --- a/index.yaml +++ b/index.yaml @@ -4274,6 +4274,38 @@ entries: - assets/cerbos/cerbos-0.37.0.tgz version: 0.37.0 cf-runtime: + - annotations: + artifacthub.io/changes: | + - kind: security + description: "updating engine and container logger with security fixes" + artifacthub.io/containsSecurityUpdates: "false" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Codefresh + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: cf-runtime + apiVersion: v2 + created: "2024-10-11T00:35:26.660567966Z" + dependencies: + - name: cf-common + repository: oci://quay.io/codefresh/charts + version: 0.16.0 + description: A Helm chart for Codefresh Runner + digest: 3ab3bf60aad1a13307e403dcfd595e690fe6f900fe805834d91b387f528f796b + home: https://codefresh.io/ + icon: file://assets/icons/cf-runtime.png + keywords: + - codefresh + - runner + kubeVersion: '>=1.18-0' + maintainers: + - name: codefresh + url: https://codefresh-io.github.io/ + name: cf-runtime + sources: + - https://github.com/codefresh-io/venona + urls: + - assets/codefresh/cf-runtime-6.4.3.tgz + version: 6.4.3 - annotations: artifacthub.io/changes: | - kind: security @@ -24151,6 +24183,38 @@ entries: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 + appVersion: edge-24.10.2 + created: "2024-10-11T00:35:29.425930832Z" + dependencies: + - name: partials + repository: file://../partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 4373a5cbbc95629a7f43ed53ecb8927146b6dab35f9abc89cebd4f9f4e1b7f34 + home: https://linkerd.io + icon: file://assets/icons/linkerd-control-plane.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-control-plane + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-control-plane-2024.10.2.tgz + version: 2024.10.2 + - annotations: + catalog.cattle.io/auto-install: linkerd-crds + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-control-plane + apiVersion: v2 appVersion: edge-24.10.1 created: "2024-10-04T01:02:44.814644985Z" dependencies: @@ -24159,7 +24223,7 @@ entries: version: 0.1.0 description: 'Linkerd gives you observability, reliability, and security for your microservices — with no code change required. ' - digest: a12592302778f823aff1067ff7592072f45bb48c2aede205841e2d10f23004f6 + digest: 8bf440ed380edf87e622a4a76df8a691b99f081fe567651f7571528119068f2c home: https://linkerd.io icon: file://assets/icons/linkerd-control-plane.png keywords: @@ -25382,6 +25446,36 @@ entries: - assets/linkerd/linkerd-control-plane-1.12.5.tgz version: 1.12.5 linkerd-crds: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd CRDs + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-crds + apiVersion: v2 + created: "2024-10-11T00:35:29.486105036Z" + dependencies: + - name: partials + repository: file://../partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 9bfe932e38f48d529cfb7b45c07d7cf08b499aec497df477b6512109e6d14357 + home: https://linkerd.io + icon: file://assets/icons/linkerd-crds.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-crds + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-crds-2024.10.2.tgz + version: 2024.10.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Linkerd CRDs @@ -27367,6 +27461,33 @@ entries: - assets/airlock/microgateway-cni-4.2.3.tgz version: 4.2.3 minio-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Minio Operator + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: minio-operator + apiVersion: v2 + appVersion: v6.0.4 + created: "2024-10-11T00:35:29.648880109Z" + description: A Helm chart for MinIO Operator + digest: e7c5ce0c79c67abc83ba1457374a2ed4f2b0ee1b947e28fe35f942fa222cbf6a + home: https://min.io + icon: file://assets/icons/minio-operator.png + keywords: + - storage + - object-storage + - S3 + kubeVersion: '>=1.19-0' + maintainers: + - email: dev@minio.io + name: MinIO, Inc + name: minio-operator + sources: + - https://github.com/minio/operator + type: application + urls: + - assets/minio/minio-operator-6.0.4.tgz + version: 6.0.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Minio Operator @@ -34341,6 +34462,48 @@ entries: - assets/quobyte/quobyte-cluster-0.1.8.tgz version: 0.1.8 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v24.2.5 + - name: busybox + image: busybox:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.10.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v24.2.5 + created: "2024-10-11T00:35:30.999489577Z" + dependencies: + - condition: console.enabled + name: console + repository: https://charts.redpanda.com + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: https://charts.redpanda.com + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: 8cfd146e51fd3fdc46f6c76b8fd3f75c2cea7578228736aaac4b0efe463f30f8 + icon: file://assets/icons/redpanda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.9.6.tgz + version: 5.9.6 - annotations: artifacthub.io/images: | - name: redpanda @@ -44669,4 +44832,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2024-10-10T10:49:05.901593572-06:00" +generated: "2024-10-11T00:35:26.244020247Z"