From ddd1ed1f9077158fc78d87c3810b1811bd7d01f1 Mon Sep 17 00:00:00 2001 From: Gulsum Atici Date: Wed, 12 Oct 2022 01:35:29 +0300 Subject: [PATCH 1/4] Adding powerdns k8s proxy charm and descriptors Signed-off-by: Gulsum Atici --- Hackfest_Demos/OSM-MR13/powerdns/README.md | 132 ++ .../powerdns/helm-chart/powerdns-5.0.0.tgz | Bin 0 -> 105652 bytes .../powerdns/helm-chart/powerdns/.helmignore | 22 + .../powerdns/helm-chart/powerdns/Chart.lock | 9 + .../powerdns/helm-chart/powerdns/Chart.yaml | 19 + .../powerdns/helm-chart/powerdns/README.md | 148 ++ .../powerdns/README_CONFIG.md.gotmpl | 9 + .../powerdns/charts/mariadb/.helmignore | 21 + .../powerdns/charts/mariadb/Chart.lock | 6 + .../powerdns/charts/mariadb/Chart.yaml | 28 + .../powerdns/charts/mariadb/README.md | 542 +++++++ .../charts/mariadb/charts/common/.helmignore | 22 + .../charts/mariadb/charts/common/Chart.yaml | 22 + .../charts/mariadb/charts/common/README.md | 347 +++++ .../charts/common/templates/_affinities.tpl | 102 ++ .../charts/common/templates/_capabilities.tpl | 139 ++ .../charts/common/templates/_errors.tpl | 23 + .../charts/common/templates/_images.tpl | 75 + .../charts/common/templates/_ingress.tpl | 68 + .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 63 + .../charts/common/templates/_secrets.tpl | 140 ++ .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 ++ .../common/templates/validations/_mongodb.tpl | 108 ++ .../templates/validations/_postgresql.tpl | 129 ++ .../common/templates/validations/_redis.tpl | 76 + .../templates/validations/_validations.tpl | 46 + .../charts/mariadb/charts/common/values.yaml | 5 + ...lues-production-with-rbac-and-metrics.yaml | 33 + .../charts/mariadb/templates/NOTES.txt | 75 + .../charts/mariadb/templates/_helpers.tpl | 149 ++ .../charts/mariadb/templates/extra-list.yaml | 4 + .../templates/networkpolicy-egress.yaml | 32 + .../mariadb/templates/primary/configmap.yaml | 18 + .../primary/initialization-configmap.yaml | 11 + .../primary/networkpolicy-ingress.yaml | 55 + .../charts/mariadb/templates/primary/pdb.yaml | 25 + .../templates/primary/statefulset.yaml | 386 +++++ .../charts/mariadb/templates/primary/svc.yaml | 61 + .../mariadb/templates/prometheusrules.yaml | 24 + .../charts/mariadb/templates/role.yaml | 21 + .../charts/mariadb/templates/rolebinding.yaml | 21 + .../templates/secondary/configmap.yaml | 18 + .../secondary/networkpolicy-ingress.yaml | 48 + .../mariadb/templates/secondary/pdb.yaml | 25 + .../templates/secondary/statefulset.yaml | 357 +++++ .../mariadb/templates/secondary/svc.yaml | 63 + .../charts/mariadb/templates/secrets.yaml | 35 + .../mariadb/templates/serviceaccount.yaml | 19 + .../mariadb/templates/servicemonitor.yaml | 48 + .../charts/mariadb/values.schema.json | 176 +++ .../powerdns/charts/mariadb/values.yaml | 1251 +++++++++++++++++ .../powerdns/charts/postgresql/.helmignore | 21 + .../powerdns/charts/postgresql/Chart.lock | 6 + .../powerdns/charts/postgresql/Chart.yaml | 28 + .../powerdns/charts/postgresql/README.md | 819 +++++++++++ .../postgresql/charts/common/.helmignore | 22 + .../postgresql/charts/common/Chart.yaml | 22 + .../charts/postgresql/charts/common/README.md | 328 +++++ .../charts/common/templates/_affinities.tpl | 102 ++ .../charts/common/templates/_capabilities.tpl | 128 ++ .../charts/common/templates/_errors.tpl | 23 + .../charts/common/templates/_images.tpl | 75 + .../charts/common/templates/_ingress.tpl | 55 + .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 52 + .../charts/common/templates/_secrets.tpl | 129 ++ .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 ++ .../common/templates/validations/_mongodb.tpl | 108 ++ .../templates/validations/_postgresql.tpl | 129 ++ .../common/templates/validations/_redis.tpl | 76 + .../templates/validations/_validations.tpl | 46 + .../postgresql/charts/common/values.yaml | 5 + .../postgresql/ci/commonAnnotations.yaml | 3 + .../charts/postgresql/ci/default-values.yaml | 1 + .../ci/shmvolume-disabled-values.yaml | 2 + .../charts/postgresql/files/README.md | 1 + .../charts/postgresql/files/conf.d/README.md | 4 + .../docker-entrypoint-initdb.d/README.md | 3 + .../charts/postgresql/templates/NOTES.txt | 89 ++ .../charts/postgresql/templates/_helpers.tpl | 361 +++++ .../postgresql/templates/configmap.yaml | 34 + .../templates/extended-config-configmap.yaml | 29 + .../postgresql/templates/extra-list.yaml | 4 + .../templates/initialization-configmap.yaml | 26 + .../templates/metrics-configmap.yaml | 17 + .../postgresql/templates/metrics-svc.yaml | 29 + .../postgresql/templates/networkpolicy.yaml | 42 + .../templates/podsecuritypolicy.yaml | 42 + .../postgresql/templates/prometheusrule.yaml | 26 + .../charts/postgresql/templates/role.yaml | 24 + .../postgresql/templates/rolebinding.yaml | 23 + .../charts/postgresql/templates/secrets.yaml | 27 + .../postgresql/templates/serviceaccount.yaml | 15 + .../postgresql/templates/servicemonitor.yaml | 42 + .../templates/statefulset-readreplicas.yaml | 436 ++++++ .../postgresql/templates/statefulset.yaml | 642 +++++++++ .../postgresql/templates/svc-headless.yaml | 31 + .../postgresql/templates/svc-read-set.yaml | 42 + .../charts/postgresql/templates/svc-read.yaml | 47 + .../charts/postgresql/templates/svc.yaml | 45 + .../postgresql/templates/tls-secrets.yaml | 25 + .../charts/postgresql/values.schema.json | 103 ++ .../powerdns/charts/postgresql/values.yaml | 1001 +++++++++++++ .../helm-chart/powerdns/powerdns-5.0.0.tgz | Bin 0 -> 322335 bytes .../helm-chart/powerdns/templates/NOTES.txt | 15 + .../powerdns/templates/_helpers.tpl | 60 + .../powerdns/templates/configmap.yaml | 31 + .../powerdns/templates/deployment.yaml | 155 ++ .../helm-chart/powerdns/templates/secret.yaml | 22 + .../powerdns/templates/service.yaml | 91 ++ .../powerdns/templates/serviceaccount.yaml | 8 + .../powerdns/helm-chart/powerdns/values.yaml | 139 ++ .../charms/ops/powerdns-operator/.gitignore | 7 + .../charms/ops/powerdns-operator/.jujuignore | 3 + .../charms/ops/powerdns-operator/LICENSE | 202 +++ .../charms/ops/powerdns-operator/README.md | 5 + .../charms/ops/powerdns-operator/actions.yaml | 48 + .../ops/powerdns-operator/charmcraft.yaml | 10 + .../charms/ops/powerdns-operator/config.yaml | 13 + .../charms/ops/powerdns-operator/coverage.xml | 155 ++ .../ops/powerdns-operator/metadata.yaml | 12 + .../ops/powerdns-operator/pyproject.toml | 56 + .../powerdns-operator/requirements-test.txt | 1 + .../ops/powerdns-operator/requirements.txt | 2 + .../charms/ops/powerdns-operator/src/charm.py | 147 ++ .../ops/powerdns-operator/src/powerdns.py | 170 +++ .../ops/powerdns-operator/tests/test_charm.py | 23 + .../charms/ops/powerdns-operator/tox.ini | 95 ++ ...powerdns-operator_ubuntu-20.04-amd64.charm | Bin 0 -> 2923443 bytes .../powerdns/powerdns_knf/powerdns_vnfd.yaml | 65 + .../powerdns/powerdns_ns/powerdns_nsd.yaml | 22 + 142 files changed, 12813 insertions(+) create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/README.md create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns-5.0.0.tgz create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/.helmignore create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/Chart.lock create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/Chart.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/README.md create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/README_CONFIG.md.gotmpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/.helmignore create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/Chart.lock create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/Chart.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/README.md create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/.helmignore create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/Chart.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/README.md create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_affinities.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_capabilities.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_errors.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_images.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_ingress.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_labels.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_names.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_secrets.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_storage.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_tplvalues.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_utils.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_warnings.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_cassandra.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_mariadb.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_mongodb.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_postgresql.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_redis.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_validations.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/values.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/ci/values-production-with-rbac-and-metrics.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/NOTES.txt create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/_helpers.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/extra-list.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/networkpolicy-egress.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/configmap.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/initialization-configmap.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/networkpolicy-ingress.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/pdb.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/statefulset.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/svc.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/prometheusrules.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/role.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/rolebinding.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/configmap.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/pdb.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/statefulset.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/svc.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secrets.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/serviceaccount.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/servicemonitor.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/values.schema.json create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/values.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/.helmignore create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/Chart.lock create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/Chart.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/README.md create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/.helmignore create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/Chart.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/README.md create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_affinities.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_capabilities.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_errors.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_images.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_ingress.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_labels.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_names.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_secrets.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_storage.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_tplvalues.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_utils.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_warnings.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_cassandra.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_mariadb.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_mongodb.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_postgresql.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_redis.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_validations.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/values.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/commonAnnotations.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/default-values.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/shmvolume-disabled-values.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/README.md create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/conf.d/README.md create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/docker-entrypoint-initdb.d/README.md create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/NOTES.txt create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/_helpers.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/configmap.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/extended-config-configmap.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/extra-list.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/initialization-configmap.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/metrics-configmap.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/metrics-svc.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/networkpolicy.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/podsecuritypolicy.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/prometheusrule.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/role.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/rolebinding.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/secrets.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/serviceaccount.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/servicemonitor.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/statefulset-readreplicas.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/statefulset.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-headless.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-read-set.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-read.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/tls-secrets.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/values.schema.json create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/values.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/powerdns-5.0.0.tgz create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/templates/NOTES.txt create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/templates/_helpers.tpl create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/templates/configmap.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/templates/deployment.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/templates/secret.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/templates/service.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/templates/serviceaccount.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/values.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/.gitignore create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/.jujuignore create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/LICENSE create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/README.md create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/actions.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/charmcraft.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/config.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/coverage.xml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/metadata.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/pyproject.toml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/requirements-test.txt create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/requirements.txt create mode 100755 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/src/charm.py create mode 100755 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/src/powerdns.py create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/tests/test_charm.py create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/ops/powerdns-operator/tox.ini create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/charms/powerdns-operator_ubuntu-20.04-amd64.charm create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_knf/powerdns_vnfd.yaml create mode 100644 Hackfest_Demos/OSM-MR13/powerdns/powerdns_ns/powerdns_nsd.yaml diff --git a/Hackfest_Demos/OSM-MR13/powerdns/README.md b/Hackfest_Demos/OSM-MR13/powerdns/README.md new file mode 100644 index 00000000..cee66c11 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/README.md @@ -0,0 +1,132 @@ +# PowerDNS NS + +Descriptors that installs a PowerDNS chart from "https://gatici.github.io/helm-repo/" repo. + +There is one VNF (powerdns_knf) with only one KDU. + +There is one NS that connects the VNF to a mgmt network + +## Download Packages + +```bash +git clone https://osm.etsi.org/gitlab/vnf-onboarding/osm-packages.git +cd osm-packages/Hackfest_Demos/OSM-MR13/powerdns +``` + +## Create the VIM Account + +```bash +# This is dummy vim account +export VIM_ACCOUNT=k8s-vim +osm vim-create --name $VIM_ACCOUNT \ + --account_type dummy \ + --user dummy \ + --password dummy \ + --auth_url "http://dummy" \ + --tenant dummy +``` + +## Add K8s Cluster + +```bash +# kubeconfig.yaml exists in the HOME directory +export k8s_net= # osm-ext +osm k8scluster-add --creds ~/kubeconfig.yaml \ + --vim k8s-vim \ + --k8s-nets "{k8s_net: $k8s_net}" \ + --version 1.24 \ + k8s-cluster +``` + +## Add Helm Repository + +```bash +osm repo-add --type helm-chart --description "Repository for Powerdns helm Chart" osm-helm https://gatici.github.io/helm-repo/ +``` + +## Build the charm + +```bash +# Install charmcraft +sudo snap install charmcraft --classic +pushd powerdns_knf/charms/ops/powerdns-operator +# Pack charm +charmcraft pack +# Copy charm under VNFD/charms folder +cp powerdns-operator_ubuntu-20.04-amd64.charm ../../ +popd +``` + +## Onboarding and instantiation + +```bash +export VNF_NAME=powerdns +export KDU_NAME=powerdns +# Define the NS name +export NS_NAME= +``` + +```bash +osm nfpkg-create powerdns_knf +osm nspkg-create powerdns_ns +osm ns-create --ns_name $NS_NAME --nsd_name powerdns_ns --vim_account $VIM_ACCOUNT --config "{vld: [ {name: mgmtnet, vim-network-name: $k8s_net}]}" +# Check NS status +osm ns list +``` + +## Test Day2 Actions: add-zone, add-domain + +```bash +# Add Zone Action +# Define zone such as "example.org." +ZONE= +OP_ID=`osm ns-action --action_name add-zone --vnf_name $VNF_NAME --kdu_name $KDU_NAME --params "{"zone_name": $ZONE}" $NS_NAME` +# Check operation status +osm ns-op-show $OP_ID +# Add Domain Action +# Define domain such as "test." +DOMAIN= +# Define ip such as "192.168.2.32" +IP= +OP_ID=`osm ns-action --action_name add-domain --vnf_name $VNF_NAME --kdu_name $KDU_NAME --params "{'zone_name': $ZONE, 'subdomain': $DOMAIN, 'ip': $IP}" $NS_NAME` +# Check operation status +osm ns-op-show $OP_ID +``` + +## Testing PowerDNS server + +```bash +VNF_ID=`osm vnf-list --ns $NS_NAME | grep powerdns | awk '{print $2}'` +export DNS_IP=`osm vnf-show $VNF_ID --literal | yq -e '.kdur[0].services[] | select(.name | endswith("-tcp")) | .external_ip' | tr -d \"[]' '` +RECORD= +# Sample record: "test.example.org" +dig @${DNS_IP} +tcp $RECORD +``` + +## Test Day2 Actions: delete-domain, delete-zone + +```bash +# Delete Domain +OP_ID=`osm ns-action --action_name delete-domain --vnf_name $VNF_NAME --kdu_name $KDU_NAME --params "{'zone_name': $ZONE, 'subdomain': $DOMAIN}" $NS_NAME` +osm ns-op-show $OP_ID +dig @${DNS_IP} +tcp ${RECORD} +# Delete Zone +OP_ID=`osm ns-action --action_name delete-zone --vnf_name $KDU_NAME --kdu_name $KDU_NAME --params "{'zone_name': $ZONE}" $NS_NAME` +osm ns-op-show $OP_ID +``` + +## Upgrade Operation: Scale Out + +```bash +OP_ID=`osm ns-action --action_name upgrade --vnf_name $VNF_NAME --kdu_name $KDU_NAME --params "{'replicaCount':'3',}" $NS_NAME` +osm ns-op-show $OP_ID --literal | yq .operationState +osm vnf-show $VNF_ID --kdu $KDU_NAME | yq .config.replicaCount +``` + +## Rollback Operation: Scale In + +```bash +OP_ID=`osm ns-action --action_name rollback --vnf_name $VNF_NAME --kdu_name $KDU_NAME $NS_NAME` +osm ns-op-show $OP_ID --literal | yq .operationState +osm vnf-show $VNF_ID --kdu $KDU_NAME | yq .config.replicaCount +``` diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns-5.0.0.tgz b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns-5.0.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..4cae974f8164b9f0c9d69ff4b46e451849ee1750 GIT binary patch literal 105652 zcmV)FK)=5qiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvHf84fmI1cCUeHG{`ttHpoi*9!I)NN%+N%S0F^p)hKr)fSC zmc;HN;t~u1O5VtNUiZ-0O9XD0RSn-Bk1!Ye_ z$+W9~w*a^?IP`m+{(fiMZFUMNhQYAVrhdO_gL|senvw&+X@Xh~B~QidJbHf)Far>X z9}LkOL|=egiaAFSz!5n7_kRa43P6Z`6fqQlBnl7(e1gCar*AvpgaevH43G#+3FF{n zgg=1*QG5eAzCo;$H8VnxClrasLP*C5M9FlBC?F#c;L!+C6mc+w{xymM1}KciI2wZy zB~!rgG!7AXbMpQOFg^HQabz1{2m+s*6UmSI&5j**1=ipd4cLAQH*d)u+FGy~FYrTntj>2-Ro zwa@>Y{11tLz4kWd$p7B%{%%43@ARMK|3f@^q5Fk|>iXp-9wWvFfKA}`-u~bf>hBGQ z-}TTo{0{C6UvBsIzk9jgfB9WMfZy!|2=!l%knh9oQ80opclY+UeYCx|+aJPVe{cKM zc593xM3oqBZ}+yhz22VJ|L&syaM=)LUh?0vVl^YYd1%l~b!e-i$QPdfi^V3;8G zMHIj}^M8MPua}?yJH03U??IjoaD+xM2{}*<07itS3stAJ0WKz(DfQzY2k+i`BSNQ; za})rvw2J~q$PXb!;6_aDpz3BywoVt+OO2jMN8 zF%9K33Bz*%n6m-+d3MuBM=b| z7~)cIQn19x2xu<=RDdu8sVD;p6Y7}&Z2FcCg3)DLt(XMoLbJkrb|}=CPkaFG?q!oB z_5&qJJOJChUQdvsyqFJTIK(05at#r000=0F&2JAJynQQwQv`z#Q8+szgnuto!x`gf zY7vAc(E)o;B2gg!`XfVB$bW^3B$RAn1Dqoc&?kqB7sSI{eLO>>Y^AzRhKNQ;uremyfcUJ-6HX|G zA?s??SXZ^+;kdhz{uJ}aGbOxR%qJe7#YiZ@N(V-?1=7A;sIC}xZnp)q%Ng>Pz~D_* zVFL(!2jErjRbNalqhOj5`WbY{}fG$>^%a0LcNuijzZ#orUen$~DVBtYjVL_Q}}j&6&SP|S9@ffr(}C0HiH ze5O7dF)26qF}}P;vjK>Mh`|_NqnX;hw*Uyp6yj(A2%Cyc02GR!(E5Tmzt_&rJ7(;$46?_tn@L01r4Ah<-hR4y3q=O`%Q9Mt7 zIRAfdFMs@Sexb>#R=e*hnHs_a0GM1I{*Gp1vS+W&uD@-jrKbvd;&t0DCy6^DjF+|k z@%;Gg%eOA*Th{vN!TI?Lt(P@kXxj{AS^GzCzI5xsP`++$fMaE@Nw*stpwsC{2{k1Y z0V0hn3^0VsEChPbQDz-5pA2CAufSNFhz4K;Lx!X!&7WY7e4bD=0F1*ZfFX(Gr-V-i zH7(&LB0+i9y z$b9kCsSfBMTw-^kjI4YDq$`4S1k|lI3qhf0VoKi9r z>z|ZciIUl^SiTgXLVSZF#8?ij?l=HKsACu&p%Bi_kx!z44Zu!Mej7m?CKO#vC}I;5 z1_Q7s-*Y@gB;jfCeov~>Fu)JelGs}DB(5Y>5twczMifi6GzIo&@00$jPrCn4cW2%A zA1;p1JNy%0R~vKo|J!@Lo!tI^cW?K}{`VkHzXN_iN;`(J+>;Bj1U{a<1;d$8(j&cv zWC#dV8j18=O<-I(wm%)*sp;5d%3F-n-uW=!_o2O z>4&q6*WYdmP2T4r7$XimxvaAo`Uu?JfzBBU#m1rYK7D(C4?F^XV z5m4DLy)fJ0Af}TzzGLaI0GDB zBLKk&-GV8O60Yq&f(vYrVt1^JIq(MJP{{923uMnfNCJEqfm_J^i85fwegZPGx#!u! z!_01c;N3PEyl2_qogbh5baGfSeiB-fW*f8zJkLl<(7wBC-`&Y$Fa$Pn6rfMQjC5#` zv4bO_O)${g0{8cKcOCH`AhzK5_wD7QLKg|p(XpWs?(exQ{~K>A`XQbEn!=< zZ2yEA=7yyG?U$Wir`PEZUiDt}v|UY^B`vWhwo`@>f>?(^31r&wA9b2e+at?RUOIS&MAgrnl5_p;B@%-B%}&T@VmL1kOt z!Dq1{iF~lXBY)!Qc`_Q|PoV8(z{Cs`zZHUq$|MfcHiYP&f!`At;t@uHnCcSsPU~l+ zpv&@Hv?02|z!3RRNCrlx2>d-2PpZQsjKY8cNRcx0A!#0!hSAO8OcLYh{kbSBRz0Dc zY;{^EBS4ibQ$SKlE$OC>_8i>eFcb@I!i-acKwe{8P1|g7G9C4W zVf4|p7*#pCnpIS(5DrmTH^Q=5yRttvxz%s&Rs}u-isDc#)a`$7gZ5>6nHfcwhnIUq0!75Ak@O=ep+hTgt`vP;$XL7`Mz0YmoZC-ra$06I`)TZUMb)DC_UCtAePz z=*m#uUj6D&UZ;WlHk9f0J>_^2dTIi7#6JV@*~mI&CiwOm&0c_Sa@eqH zd)kurx+nMeJq_uUP~IGd*zdoV{u8S9&si<#`vM)z0ExmGfMG~(QJ~zOm1UGA!w7Mf zM@tm+L@|R|xA$T&=su>?j1u`Dpg1J6DT>y09i(3V_jh);^Y;J!{@#=Pe~`zP{V{y@n3<=0V9{DUq0^aFyR+QFXof_{Z%=t? zneOCWE3>8wPM0YP0thGnfYVS8exyhLRklcY_9_8DaVJxygOu%gIyNBJgRvB)bj{2A zMV8?Tj1>b>tA}1TP3#@IH4HVlRN%uZk?C){kd@OcXj@z-Uv)AkT5x|q5EP8VToDe( zl3?vTyi?1swg5PDx^*$RAz?B_@5ERzyMu;4O4)IGJ{5&eA)gFD7jeHEi^WNl>jYLg z6x|H+8`}peE77fLY4fjB+TIl+W`?(Hpb|UcPW1 zSl%DC29#UW1?1YR>WH6u)s|B~{rsTh&yZRZ{WE~84?qTMJtLsKjmzn;Kdy)RO(~ZMz%T9Y5Jz1$X}^kf{cE-AJ8$p$7agmt+hVx( zc6YWP>2PH<%x?U(N{lqw<;imMj53I%x=n>0#5ZSe_7E;~^ajdob@t`KteA79u(6G< zV5KXxX6_+cwp4R7aal`Xp$+TuW7dp)BXXIR{%n){gFYqaKWay_#z+wJ&j0tf^YI_{ zw)danKRn1&diJj@_78jPqYg?w#PIh7=|lB~Yozo;G#~ji27}j&EIZbHKWT?ihI0qt z=i&Y?ihOMrFPJS|Q@e#`@wOuP49a0;cRc69GWQn2XTZrhr#Ko{g3T_N&IN0(I=ZkH zQ!V9CNP|VAamZ9Pb4lDDffUYX;P%e7Kjpio`Ain-Bo%abO+mFF;`!uuO*FO8f;m)v z==onN|J8MowJiX1*Q49;k+vaTC7$nX-yRq1>xkBnOj`xi#p=j z^(u*{+uW?G?1ZA(a@)^`sVV7hX;CfutO2wPzvYJ6*tNsv?XRvg$SST9i@Hfv`cbYn zm$?5lm!9U*I_FYm%dDJB>a5|7F%7s@lBx`FWsdU zz^9vlOF!xS?@UlQ#p8%jwC*f!~C#xHcHhZ_W9$S2l&7zM2j5TUV(Ftr&| zG{T=ypicDuWvc@|MBxmONY)f6ff!L4rM1)Q9GzdDb3##T1L#ZXKOLTf08`fLj4|)Z z|0?ubo#7v}EB|X=OvYXDAM+=>iMkn}A@r}4SjN6!t>+zf8@HZ!hVZ)eyu+t)>-qn` zwE=#D6qAI3lcQtS>co`%hJ4=Y-~hp{Do4q0tH%&B8JRNt~M20^R8;Btc#;B_cd$O#D zBNZB6dV&6z%mDLx6hiK?-xEmD7WkK64hlJc=CqJi@KpJ^t+ZNCDRY)gnbUgyTuOHp zmjp8zAAAb2@=;C0mLxIb6u~LbLQrA^qZz=AB}m8c&f=S7Vel!$g3`ZC5JlOz*Qe%D zFuM`D?fMf!7}|RNyw%#+0Ou-t`ymNXtMwfG$DA}e|0ye-q2Cisk&HDiUmRJ}RGik_=)@RRpK0E)2U#-s#GMRwSCMq%btW%kQ#x=9ET2;Bf-`NJAWlt{N z{_W_j)w;U6@=3%X(T)%#HWh^XGEX1t^pd zE!uTtj}M&)!>uy}1HdPgBxBXaFIKLXUpG5;>X$8*)S6r_Q4cU?8EMRbPN7L=yh9`0X1{uAe0tOv7m*s7dpX<9Dl$k zkn3~`SaX<_9!3U>9TKVH>uxg{2Xu(CRYtjy=BA#G6}Q}s2Hpr*W1UX$!-R1%&BfJj zz3(2#ugb6?R=1O>*tNijKYu;|KZ`Ann&tvI7&+l@v%G~e$AsvckfJi$xgmsLG?Gx@ z@|mvHY?WJ#=fn#2cO;f3d3XGCnz={(N|Oer3srH2@|*>%^*MFO1fKyJ%EkOMxVpQ) z0-u3gl}h5nG2;Mp)o!Qd3YUPLaw-c?zBIMhTC22^+$Ud&!?9ahYK6H{_HFdf(t%hM z{pHuRRJH8n9``d$d7O}tmq74&1X%Ft&Mh|Nb+Oa_IMca4>={GVsfBQw-4$ZGW znb`d87j5H}WWe0NXlpmB_CQ8Qf6>xy>55fIL}nDU=@xMMm~Z&f~-cCk{yBhIQEJF~yqB`;S+ zjz?8B%NcNfONPda;g{B07{#<^BP=T}{8bIpyvuW+0gfaK>{Zq&yFiv!+v!!-%iZlt ztMm(1iZ|%$yHj%)t-3$;H{xnKRC!yirbqc3X<2`ygsLiD-JK#@<+sDiaB@QDWCg76 z+0~U&nNSQsQcIQcWS5Gt%+?)}vG{8vwOpvo!Q#~hI0yn1q{?wx$9eTV{$#%Z zAHqOv?i4iEY8`+HW}JxKMhM7_ARoE~WCV1!aI+N{kt7NLiNG%hI;;4PAKzp;aW2)k zIc4aI4MDd||NpNk31IlzH@)0amLPQ)(Q0|%9I2?OzZ?;tWeo+yXPvyUgCx`wEg9W= zj5x>9*pu@K1>LQd2R_6o5<7!mq#0^?n^nsL2kaU^@Qcj#hDkIR7NKJp;XmYfcLU7) zgh}cPSpPqQBf0bV`nFlOqI+qDt~Ok-uBy596&;=YC7#^*&*kBV_urrV(3u9E zG2zqoBmkJ}|IyF;|L?x+??0XYJj7#1j`pP?rDOiF?J1oJf&ro`fOM73B^S!N5nvON z+HwN{@nHfKiA(VVM$JrxEr^7{Vb@QcUMLmK(}3 z;K-kV5vEhtX$j?MuwqhD>a~MP=A>Q z(})XR9c>J+1jN5a)XT6fsgvQ^m3;{=RZ1*Gt@7rIE1~1ojmz_YnWd&){)fcBUcHUE z`rpoOLH_rj{C^(gS-0r6!WC%m+P+#oy^vff;sHy|jT!~X@!Fd59!nNmsOo=8lnh|qu zD0HWMP#b!l=^Q=$UdfqHX>#+Y$Bdr>?t z7OI+^yIWcq|64-PusaTj9Cc1)gH(U4sB5?9RyP%OOi?L|nRM5S0HhR_K(vuH(DXat z%a=Z!Y2{K0ir07BT{H*0PgM!c&J4)n4Gw%}8iuVFqE>To#D6&7zc@pPIlLX zl2U>qj{MieYWQ-x{Ec@(a^q%ljiWrLcGX-v*6ipbS-Z;Sl>dF>acO$0A z6ZFT?*i-M!l!&cNCw5z^sSmO8unK3|L3Wl7iIAZM6>pR2AJc?!F#=NX#SGYbz*asjk-TKEY`m8UY(GquRvP9=t13vX%A63XfPaDsd&l zMd)@RZcAlBEf-j`>7yW1rjut*_oCIcux=82(6b;LojGM%7nwo&g3wybQ(9GFpAumq z;yqw@>!+$gREc!(k)ZfGda5(ibJzT&2o4)>IR^bBz6K z6o4c)cX}|>SZsB`g-nPoQJO%hMd+nZ^6)j9F>qxLwHzrX@JK&cG)uqBw$mc%>vS*R z(5Re_BSL+YGK;cM2=)zLz&fWtKG|d;+lo!BA?8 z>M|*g7)LM=`iU}!py&ou63P2VH=?V+`Ja9t54_K77Zx`qm|nG1&J@_?Ly zBP{oGkSaY@ego?CTv{U14Tw`t7Z5}nB0!S}Kn~<$1BRljHsv-p+$QB4Al6gy`ci@F zu*m>?R$l-B8~-9R5ey-lr0-->f%XvrOditWXxwSb4T}T3rmt!4>MVc4b$chjS$?N))s%eR*l6i1Kdy?XU#6CY)L3Xz=cg)v zYRM?UBQ3Paw!mh>&?pJjgjDiC&sen&+R9rZQq?|(le9e4ASA!94I62xs6r*pkMScR z*V!$_+Lk#HVvI~7N3J6q7^0E9s6zo9aYRk>7=wx1m}JBeg)Zd=mL6=4oIq=0%9#5_*lJaTf-GhayffVjd@Q6NtF)i3XS_cwYYWbX#51 z1q-)Inz}UkMR}+HT1Hc=n35AX`VINoJeVbtFDg6gUXJt*9(GZr{!aI_Lb;J|R7a*W zKN@v6kP*ow*0sJ2z-LdIxPDQ-9>2;z*fowlp&@$|F%sUW)N1IHkh7Ry zYIbIqBSJ4Zo+8HKRE5qIig$qN>n@3T!Tm-C^9z$PjxMXpbk+Bk2?Y3hXQ#KXaFU6L z$}90{tm!36$>Mw(SGK`5vQzl!QfDl`jG+YI-+!n2fukVJojy=jz!(RTkaKVdIx$um z^g=TB5T&F74Y8*;RYIatocI$+q0bTZ7~-DJ0RQpg`&a5K302$+^CjV@p+0jBdCGGLkoCMF z+h|sX5ga4B2CNnw@}i(HIpAw3J%ZE^!Jem)A}~_Di9eQAsSwdF{vQaPu{=0qtUg1wp8b1nTGw18~L2h$~C) z1e*PQ^RDZ&Rncj5qc%)k$QT|+QU!}hfVvwv5+YvwZSe7+SaBnc(>L~jI-RfQPL7+9 z%5Lb3(Ch3^rB{Ip10b+esO6=NXd=%%U!oJ@zXfc?%N(jkO6NwmSh9RAD(j9E-)kJ; z+_E6~u_4aaXjYE0lnOw6=0pXDY=*CCT6-kP-!eUN+Z{2qjXd~=)a%=J7gX5=dZ5F+ z)O13ZF#Tvq__B`ZF))7u-~rW-e(}||-77PARU34}AEs}Wk{>8OPCWyfPYOpHD^7# zY*~@!W2{2dz72k1{r=M9%OQ@q9Lo%Y6mvWAViikPJ5OD|Vsjj*7C9GR++#|2qUbeM zu?WAD8!$mp?e|gkP6`L{4lp0eFjyqkG!p$@gA&$6Atr%0O)>MNGm5pPD8ak3-<-rG zB;(n6Oc4wYNhCCU9C5*g>I+bxfc>p8S1!?O0Z07DGpKn?BH;NM0^PhfYh^cV-v{{V z{2JX3K;OIrX}!OT)x`Xf%dYSTiBMKU$f1uBgB-JwJZ2eyBl4c`bIoSi+^NE-QeCE) z$Z#AXWK2$^Q~k#B{QZ)$KoH#^;l&i8Y3zuD0)iP=<k`GjkC-4MYWq?`?;YqMBId`uFJoILBGo5g{$#22C@1A4Ar%mXSfgJth>Ymo6h z0-$8T2B5#K&i)*V4?urU8Lk|{4S;%^@4c9H>fkKbgH-pgn_`Bg)qMHWrb~regsNXU zU7U{%sxLNS7KJ`{$}9@7!K7IfWW#B*DAhvnMJsjCLLAutv#iSIJoQ0LP$7}=U{Q>3|2`ws ziDq2vtBYQupuBNz(9oWID#wP3I0};3gdd0*z}ozPN9rc0f-n(#Q^Dsb&>OP<0n+ua zBmJ)V1nJ8($~2%~sLCtd3X<2!y4$-w$5$F`$}OxJ3Qg}VZ9^@NUgklKB-Ub@_slyn za6%Xkz;;e6v>{Znid4(K58=3YVwVL)Pd#MCP8f_tX|3KVPZ^o9#M)RFi@%V}gdA7# z%&MFrF#v7Po5D{*sf&=$m4_UA-S72!Kz_N@Uqr87_xJYNnah#|q}&KEiyTKcKS637 zJ4zk;wKFC|-1fq)ngY3gX!vH#Ok|*o|4nV%^6+s0+Q$hcG3uT|ikaID1EcCN$S!pF zuFh*rBP;JNm=24MHr?#IEj6O7z6Dc2O21zxM)}JmS|75~8)(ny(<~RzPty7e4nv5i zi`&k!q(YuHBWGs&tko(f1*=G2hqG}mVLE+{f$9E0aFumQ^+CBsw5C*V982AIn8Od0^#{Z!&mEq_F^-Dm;RY)Iq3e zDoVoe1&BzYIk`#z%rax0^iPl>zfIJ4vofZwBiaFAa~yArxpDCG`3rrImzc-F)q38rQdZo z1hu4#UA|{2in-oZE)u41zM*`RUS);Tky4j;%=-onh6Dz0WER`fR&$^6$l)A-8Mu0D z6}eh3eWfpQ1Vc}t;SF^oc2`~e8uYh3A&%CY)g2=puNs`3Dwke*qay2PU2EX^CRa(% zN@tjPz{$uIoD!xNBw`VyS-b*cus94)90`tg;F|byMfB%&j~=EV!{yEj0l~|l~)== z(o54>^5?*BNC^$b`jpQPVm@GL25^4t=iv zcKxG^;_ih>Y1DpCBGeY!gZ81E9Ve%4Ydev>lp#zR@)M44(#f4VE@Z*zsJbSrwJ9dO z_(-r`QFenVPhjZbm`TrF{XsDGC+uq2IrnOnavjAmLEc8SJOV!~r2gD=HXrgkczDa_yvhi5yO%^!WrAcJV75k(&7-p81 zU|4Bk35F(ZnOY#adP@sn6|OQk5Q*yi4zp!ig0>IW%Tbu(=pYTQ`wmBVnoM&tml|1GeA?bD74*&~DkB@KoRkKYffcuV?h*w|<>^WF_mk-qLY2?pP%UCYiq3|z}}W(O#e74xTa8TjQQU}U{nZw!nKuSKI^ ztcp=-9E=Q|Igv0bTK`h9FfzQp)@T?u1J=gFa47o}5hE87O>}k9(mk}Y&7OYo?x|IDv3R@;y{Br(I;v#x8qOb5T6r)q6X_SQ|{_9C~EtWi$YP_ zmD)HI3wCGSktmAIm&c-TSBHP{XcR6-%#BB}BJEa;NRc7iBqqg|8Rw;=QrO6^8rWb? z*PcQf%nxl~sT_+0H~2D4wL*A9HzU(X9PAhN?W;gJV=~7O$eNhh-5f8Z#iFA6n&MbgKwmzRMFqfBVp&vx zTs4|S1=y!}7LO*Lh3($3R78s^0PBirQ3Zd6s1{WqSBh&<1$5=e7FB@%`mrtSC4R~1 z7L_2@7T=<>g;gS4R03Ts#ziIA)uUWgg8nCnb7Ae(R*G~{r;#>@b&*G7`DhpO5vh-N zk;i0}h!^v5nG^G(po6S4>P7W7w(x}`VHDlq=f%Qs?poEvyeP-&OGJgJXsIkN zgmt3u6dB^rj|@>ha%Hh0>IQCw=nxeMl*EUqLtt$YA}To9juBDI!40ECR5bH=<3!{Z zgEdBqaE=(8#)>FKXWh{vN>-_b;zeXgt`;$(ib8W@Mp!$D<)cPawOt)IBD2dc967?m zxGZ)=hRe#)BZ@7R#gC|MaLEV~#g?mLNYu9eXro9J`&W!3QQNbUND=^bvU|T)L<#FM zvbsG}6KtZ0S4Fsq47sm9;6$;{|Fj_|>W6=cpcB?Tou{x9^TJM)GU5XVo+#q*u%Rc4 z?LP&dSUvc}T&jLu;U`?*!p9JR!rG~>or4Td;LgAvZco>SDOR$vfY(kPy`UycC zr5>-&l&+6Dkwa>UxD#b)X$dohffIhhL90I2gng>@NTN-gy*W564KQ)^Ms;0p77l!0 zY^GXk^f53J1}e~96}!T2Eg!(b{^qj0@+LEEE%uT*#NB8s#%H#bF?Z%)Sl(QecL-M% zgFJzZl#d9P1}GQ>x~Nb@L@O@vLqq1gRSU z#Eh;O=!79PqcR^sLIo@2xlQ5i%tUP;KSgwknVR&ud3lnvM`WJ|;jh|tVdV9D9^LuwJ7uFvNihH?qxXc%>xofnL@F_z8Z-sZOB7G7zHT!8 zL&o%y8bhSq)y=A<^#*Ctg3l4Ymp}kZsYUWF1<})Um$4EK)Q)rpb1l_!fQO|>g_mZy8*-yr`Rv7 z9`9rn7qOw9ilr-Iaz{@&qPh5CQ&ry;)%s;Bprz{&fYRRV`H+IR2)BViHDGgM^w?ll zBQ5h)QyE#PTq+9P>O!dH>MbniT!@x*%K@$uV#WG@lIT+LemrX!weae7`nw%RfbH%+ z$*(UYzYIIrn*1*+lFF|Im0r*yWixZ@FsI9_7Sm}eD8hUSWy}V#FKL$)5D*8T{awGe z+b)*}pE!jFbZp_K?1nO$p7QL8A=6GvinA^q0a5Akm0{A&)hpbk_JHU4Bn*+S_9U0` zmedr9ZK9C4I{uGSZiu6hj4$=caPA|D#yCQkIEqLxyks2mqy&U6#mRM2Q)(QNAq?kz zPTir3C2%w%m&~7_DeNfYmVh;(mH`=u(w#P!LCq%gd7WWpNas zPna}lUJhvUk|FW0=akb_F42y&@#$Wlk<0s7qO^+;Tz#*;hTFOyva5G zLeE=y4MUx1)ZC`l=Nox{L;c!^F&yF$bBvf(8i0V3cmRHBzdydXJUjTg{cHA-A{cy# z!r2)i{QEQtfCahv{ccO)ui1V)UD^JtUfDL2W$_E!CELlWtJ}p!7P`3IprwD7E8LIq zMyVOyCGV4#S6|m{(sJl4+$AjsxYAA1a*!+EBP|E}_1q#YzlB$IYj4iP$=x`6Tr+3s z+pZM=)^^vm0{$vDT`NGYcF(l}=<2szD*%5*cU%{qMV9_&j-TI=2y-&W7~~U*2(xTL zo{CdOXwG+8L(99%7*e~X(#deB&T!A2ui(rmrZRklPhpIsajLZI8%`-kA2NhM;Tlkx z?@R?wsZCS58>nB($IT)hmfEAd&xM_ICu!{xztf5ae%o`!j=+cYUPlQ zQFfNki9GFw>LB(vGSof|k!?Y=5i_kc$4h$J-oOx?m>-ZEZ$CW-+Er+X)bO}YLZ-gp zY}Twv1;xk*V|SO`*YA|dtFVyA-?D}n4|ya|<{9k(wUJR%$o<-sI26gzkq&cb>bF{< zq}3J1aVUfPF{MhH>>!4TOReRNrdxLyl3{lWr624O@e{GJ&{14t+?fU&8Z)&v**&#T zF7X4c=%;#pX7%=+{iZ>maWqCO=PLbhoi5Ue4ABHvrG-7F;5yR#%jB~GR-yHlb})w1W7 zN|!x60#`yOxO$-v));_IFxixL4ee{qz*X*a_(~uADA>}1a8-c`O+v)3wiaG9b70EW zOfv>K+|xyU)8xr9j@4%w4x|-p-m)oSbG11%Qz}!kHg9^T`dO zC;-EmRmgF5&$U>?#bpCwkG*VL-mS&<)lmRE07FFiz*tbcBXVoqd(KEN{WUB1k1t_|>vjPet%LTyk z*m$q}@lBXs*Kgw>2!M9jPs8GFY_uY~j_a%8e9G_l^hb~nv0LM$;lj&%f|S8kS0s#* zwwbZoRs+E4L`!emrbo+KjtZ?eoAJ42rz6x@mIh!qv&Y2EzyXT5QR*_po@D?#4RDmP zaBHxO<(746ysT*$lR$??X&GgLRYt1IDV`RV7Vn2j3!kRgIvxpD6-##5Pz&SJ6n3#< z-o4l*Hjc&=F)5yexRU2d%DMML6wbbaDQ>ptL)p8~UI@RjXhs zEdH8g7v@roHrdvSohzLPrzBtx+aq-edd0rz_)l^nO#5=EayyoYw*uZxTThQdA2l;q zVYyCrHV))gt`zoQ3|-a1HL>&>y0suzS9NF!zRn|`dK6mirD9*^2uiz73KK)|W_n=& zM*;RBM}gxg;Nomr41DpRJRF5f_w{QOR73H)@fs{ zdCsa@w#LwD*^_j2UIAdDU{%w^JcTeMx$kM$bT~0x#>PhaAJ=e#%S!dUP{F}Z+>mSe z@Ue44`3D~S#&2uN^*BI*8Pda7>ItG?=G0W;}~;*)6% zxm>@c=}tx$(nK*1S<0whNxa;4z_K`K219xN%E$4@^Ooi;PTc)-HCNU1)O?Q0^V2s^ z&o|%1*fCKZ|}U^`=-CUv)$X< z>F@8p{HE7`xx2If4d|`2qg7ABIHce7R&Fcbxv%88YXQ*yRtOJP6 z{9tTe4uG`Sh|ppfZrR#(MP)si=gXx7NLMq9m7Yy&mZjn#uQ+5Pk{((LgT08M`GkaK2R2uAF`Xkh~@#AvtAB@F^qY zk!8zB{+&=VcixC5xL~t8{&22*9WiABxD3YbFLL7?ChQv}_Y3c0DHG zm39-A@u8$@#!YmI5tfEm#5j(WnP3jBwSPtv3YUpeOMOcHKa3MifH=e<`!Yk6Hmv>N zOWHSg<7$URSGU5#ID?}@$QGe5w)u4ZFBe$@zLdzWpAHf>mDVXKb56FL08XLI z>r{RXA#HInNxBX>rcqj>3~P!1J)Hp5*#Av%NY;J-;o|tb!$0w*+o-qy_g?mQw~O}w z-jn_RA)dn@56&*Y`-6AK18{c-I){P{I?{@Bf8SDHe>y%pKl$+9F7T63El4EF9Gsq( zl{koFt5ECtb8xEMpk?G9E@M*PPOyowD(V2tzz_+s6QDRGGZcX5&s(j#I}hLy==`LP zqyh}b5n&wr??{mOoZsKKE>b`;ZyiEW1_(zWs|cpjAM79ub%JP>VNTUhL5>4;M_)kH znb1<0IQ9IP$|JK%gz&lBmPuP@ku1#S&}=*ylz9R&~v^ z+}1H3+ThzQ@EJrn3Iz3bMW2C;h_u#bWr(G^Hd{X+b?4t?SdkHZhckda$)MxWSd!#A z86uyDV2rpb;dz;NtzZ=G7~jeKyYBCS7Xlc^9rt3ZaejWCuO`tsupItKAR`x;umu4c zCSwOR8#D2;AyyoN{}8hTeE1$*{CEsbKOFrh@H{YtY|?6-M1ashX(MJ6su?>~R80Cr zwHz~zkq-Z0*hjg%bV@fu3Lv6f#Av3mnU4ewK-b zR5B_tNn|7k75K%98l3WVaWrqg*nn!?gh@P+KOx}MgnhZY%h=pRG}dOfG_r9Ubin<6 zrwXGEyYb~m&Hmc8}~yF1_$7$WAQw2*0|EPqU08POjtz|ik$N!w=Xm@V3B zPRl-@XQ6G%dYwi6{*wK!&zw_V%JdyYftshm6i1kGrMUVON%uq;s&W3P&&USy*s=vc zYC|7@Z#QlB)A0!#ao^ot8t2*}osOEPNCrFteq$sO3g_$goeWac(S<#Mjb{#~?%UwA znDc0V7kFNPd=j9oR_lToM;svmW+b8M0hsJtzXQ&a2tX;Hq|cEMQa+5#Wml-v3upn5 zi71*x&gg5=E_hv1XC~0MN(!tMjb{=s+b`l-cArVKz$WB20z(v%+mxPXA3j`Mo*tZ^ z|NPnVy?KV4L0Y>`z=>P&ydU4RN0q1nyIoj zJ7^m7nY|@&y3z)lQoFD0YY76DtgwFm**n~)r|y|=|GAu?Fh-P#?c{Q8%<=#1_xAQ( z`_Fc7XZy+i^B~XNUH3V-!P9|UYezUld={hEQ$ZGgf(GDu*Jwd1A#$BU<}I<=5#?iw zBR&G{e`VgkvWC*nxQ~F(fYT)M!Tyf?iKpkuXoNq3wwEC!H@{xRGE>y0ZDE%GT}p~F z?aW)DbJe_khJyQtmORIzb6wS3&?P-JTnl9X+=Bg}*0 zxiZ=vzDsq|?(@{bnsduFwnG)3=pBqDQ*~ zc6o4<$3>HCvAVq{aVeMsw=OO;gro@)9fTG+mCt|`Rn9o!yJ_?En%{t|vU=KAhp;dT z3e<5%4Q$%m-AV#(0gGU=Q>C-}ff*}PwC1x`R(46|sspe*dzD)99tne4t< z0Bp`@nqEzqteSSJ@VPc{d9Lwolh9g9%rnl_a7VS)K&CMcWmF6k{EGn`$?FyjN8=Eg zSY9evy)O!mAP#HPt-O)ZwEV4xBrSwe{Ve?g<5=LBy(>x&w*_bFIby_tD>$7b+MwpmDyS5`j)xJLr+ISkMx;8|Lq{5Gf#ziSxgelng83nJ30T~?VaA<%cuGO5KoEK zpghj2t)edzd})4ND?X1D7%;}#gLqKp0%hkQ%R$X*YMbgcj)H+354SZ%90riXK}*Hw zl8so#N`+dpjg{Peq@lM<&X{zpR;9MlK%iA{q{Pka3h`Xt^ap7&iob|uI)7#Ch|Jysg zou~ExAs#(*t4~1+hTu+NalYy61vWhiEMHt3y7ac3qzL7nkDtNs3E^m63vcm)f={L~ ziBQA`#&!8=g-f=V06xn-X8p0%XJCVSvP!MzX)ga=R|Ic?a{x{7M+jzT6{JGNxqR-$kPm9_c& zckMtro^&H!aL)YS@9pL1|L)73{?q(_h-VG0#St~>_gkH+@N`t$YamWx<_ z8teVb8;Ue1Io2S1wl$kQ`BL*|V= z`dSP{)u>jOiu$`C=XzrqzZz4<&H&@kq$K0RpFj;8y=CZ7ZWF9tSr*8{Rn6{8CCXYF z)XI}&DRdv*{8_3OUu0@6m`dys&AJ6Ke{2)7q5EgW99fR|wX1dNJKA8xYS-<4xeBy8 zBYx4dj|JO*Iudz$&zxQPSdyuE%I!>H=Y%jVQk85|~ zrzAMSj3zQ3<(niJBmQ(&^t7LEvY)Tv)G3Y*ZXgb2ykA-0elq|iXG`VP>WJjjgr7b} zFxRB>uDa2Zs!p@4(r8gO_cYI1#Y(LZjT!f8wg2aOny>$iLyksC$k3vW;PvbO?*7hp z!T;lB|0)05gFK5Y?KTHgtncT#$oT`T>rdmN#aX>V(@5d~a&*oqSj>0;K!R8u2CVfw6Y0jz*tVT^fIi~7=n&jGu@0azWaTq(FlG8Ls^a|$(**bgJM z>ku{auz*Q*?3)TXRWUvj!uUamAwyQLt(U6>4=-zF{%{orOXF@G&ZNRJP+pVk*_r{{NVa4V&i%Cevv-6lD7#xy_aSCz79ST+ySrXr=7mVET>KZ zHLyf%^5#R!vTcFSW>>VT`XNMHmOTz^mc`eq=~s0K!F-7nSeCWV@rYE2y69ATom61I zW(7S5eKjrp&me5kwPsKfiPQ2Zkh*yJ?!Gb{XUA?ugAnSxI=Oe|S_KRl&QcXGPCoIZ z>0^NPc%VDPQCFs9aNm2#&%ODa^P2EwJbmx1OaP@pOY=iRljwkbWQgiyA`M1!#D1V8 ziNXCn=;p%KTNveKf`e?@>Hzet54j0Zq%1{@B-BUDC1v`$)V5Lw#!`5;U6>_I4>X^> z6MF%cA2`K{0pu_@E;5_sDddwu9lc8WUp5I?GL)ti2Q5i&^`U(EX#${PmKQ{>^TIC? zYlalXKGw{{#phkKSyn;P%K1@^bFzzy*T`7=L6KN51C!#@4Co-X8?TBS26x+z~E z-ke;#KX`X?d35~d;}1CzEYZ@IC>lXJ18q(PqHUROwe9#+EBU9A<<&E1iAAiG;xbZW z!jPLoC0EDv_dBTE7}}q747<9amWMD3t$>W@l(r{A!(`&d)_uQu`Xs(nZvzMzN21_DjcBM(UJl zV+zA8Gq-KcBhAP2UEd}`{x$R3Z+5$Y5C`EZG9(&a6wJ2wmyw3Oc=-}eu&B1x~ zC^^(l^Ow~#&jR@vt1&w}K7D&~D8rpzzWZ=gfnj?J8Ar6;7*z9_Vj(NHUSCo?TL^v; zDV=p?Az`hnk)@|oS;rpb)GDLU3e&7YOOg>FzYk$vzbg{%_=|O zARX}S74Xy#Eb29DB={$y}x1g zonEidty(nB-yR>IUS6EMtCAhfFkvA=@dcJkrom-Q}5%*Lhokh&dC3`qG5@>Pnk9T~EZL#ul_L?uFX3yVSuAqKbXcqMyp0CNK#|}6^K3xAzfE4ahcK{Sci?@-f1=_YuKST+nvwrS5dWd@p;#{OJ8E5HJeOog18;b6x3xj zSj^G15PH&Us?vf~(l#mUHSnA&LaZpZid$2$hx0s5N;*2f%1W}!+Ul=eemSrgmSJ@_ zm`W}k)s`_5EQEMkHXU+y%d{?6*von@_xj>hHXGuinY9`LD?o`cY1_(cBa&s;=c6YRVxydMH;)!2t0HBOqD>fmHBra~TO0mf*yR`PyrmNCqmJ>snj_N3`zbA<06+gxa zHCDe`n?C-d)GM`wku=DTA3~Ph@wb504hd+FLo$S6R!IH5)j-ZV2$w|8W^28GU)oxu zPziTd3NU8?|LmA*U(>Td{J$Ij%f$cP@4w8)|Lga6pW^>M$WxlO>s&>ud5X;Y@R9rq zk=9CaEs0IG280)g=T}%TtLzPmlgiYRwP+z_@RvlrNm3s3e%;+EgS$vKjP}H5aYbkr zO(z-pXWpL06!yb}aYRo}opcYSAlrwgtV#NiR<6Y-Ya+jhH^LC<9N8BXjz-wmXQG>g zHo*8Tfx#OX!pKLoz15(?dlH~iLV0^jcd@kf+U}O)>xjWB5-i-Is=}dF>|83iXF{dc zj9m4#wp;Zev;2fN6xGLmW79+j1{!5hw+) z0tU*iSc-@Gv>rvizV-TqBTnzEbFMPCe|1!GcL%Bi`)N!hppL9tTPE976jR~@z#$zY zu8z=bJRDYTBylnUvM}#&)x|N?^&$;^UYAX|Eo(Dq-ZdlaqAg|Z*fyR8)|4_tqa?J4 zqFNWJ@Zu>yJB{;4rE^)rs=k;`ByEn8j0@@zji#XmeSu^@?(TkJ>(*kb_@BM^d3u`d z|H%~b2}&51$)y&z0nE$)(|?)I|GVAa*?!vpKg6@d<|ku_vn0$+@gSEdXi6f?3B}R4 z;}eRA++}uC8^fssWsa$#D)(-wI#hvY-t+YOH|+p*)MGC$gfF{)Yh@4 zO>=InU=U!jgN9)RQ(DdqqC@NB81bidrqR<( z{ts~!2u1#jod5RscKU_$-@PaK{~%9e`ClRaGvWP4@yHq$gr`;DpKcXk$?!MibG;Ba zUI>~GW&f(35Gs@F2=S%wxS92302JRPd_pMxLn7O`ekFF%EdVTaWFhwRzRJDLeEFXy z*3TtcYu?6O{l8zx|GD4qJ<0!vc+4qQ$%N9wUX{kL)N?4k!_d%oC~M_Um*lk;wG_`M zp}#(%Z`ebHPZ)sDUduAYS`6si`S}cNfVLCppFNkp#%B@vA0d8A=(Wo5@8M`n5o>ZD zG)MmL?e6E#fA+R_`%m)!A)XTbUk|f#PRedtG`d%`<%E@YAyu6#xurB)oyoJtl=lv# zPydG~oPAHp)X9sq$bQ3Zs=^ZW-Y!(Wj>)vNBhda=W~PCcqT03=(<)_g>uLM(s8%9# zt|BuORb`RZ)};mXgmU87j;v1Ss<~>gsDo<#jGI381-iCACWBG^{uSTk}$j^r4j zX~Tv4W6o#y{!Pg+Ijt}0Q_~dHs_QDdwO5`RQpO^&OOpb#{wdV3(OZTN^PRDmUmt21 zz7d$Fv!M~Nm8Z&*C_lP+v}8ZN$Rt~ITG^Yg?3ycC#cHWPACe@}cMmDL!GigI#EcU< zdyA)-S5__-eH`nnz(9JrykBN^#3XnJBRED=6!DU~>Xx!mEICKFN#X!Z{saX{h^UZy*>~q{3dnga zCui~A{6e5h@|_oktLS@J8F#e8NpTLRP6*=%A%@J3XlK1#Er3ILJM$U0K!-~Fp%cnN z&S5JM#yT)hTWE;36D&VPCS`OX>}oO8Rg?)U$l~+ySzIYSHNaDf7~&F=5?XE0wwwnV zg}#%*nB(>1XaQXZo)HO9VT@6^c4q#5I~VEPst=nw40?8me$rKbubk0lIjU zWWQb4gm79~=UnC_L^Q8tSTEPr0lS^`;vbWcjA!RDMKCxd5#tnMCp%GPk@fYh3Ws&} zG^UuyY&;=k%v~l6pQ?5O1rX({VKLj?axFJ)uUY>|FgMZB{3J(p@ai)&G#Io}g+~aU zLzB9LsQ^O@_0AMlagI+Bonjf1spu|bfhz`AwzfYmN|pW!m3>&df}MlEnwI@%5xD4@ zG0?H8y*Ptu`47~j7AvB%c#^RS7<1E&tv%6@KOwgf@XpGGQe_%5nnVZeBST_o9aLF1 z@|8wR-U$Nt_jO4h^K!yLIBjB9z2AJuYe?{y>&;h^?X67dvB{-?tsm=R8*9vJ-Gug! zBh6j8kwHLOGqO48Yb16CIm9F6&-@VmNXT`r2kEzUbtBimdjvy<+K$Jrl7|5rCgV9wT4JShaZ2+99-qEFIXt*H z`SAYo-G`%!#Gh>z!W-1Ch4k*={NniR^2ZP77nOZ%9x8oqJEtGcE-v4HeD~(~tg^ZF z1w?H~O^usOzWDLH3Nx8j(IsYXGAxzF)oy&HWUjf4$A3l=*RsBpb>nNx=a)p(laK8^> zUOy<(==gsw&JHfWe|zx5d4()1-HkX66eZmvxH1kYPvV~;<{#q1QEnN|=NAWO7avbA ze?B<5xI8<)I6FCB2>D`*9f~-`azAN!d#BecbgdSV^S8&xr#3*+#<)~CRcvsbLFMcZ+b?)seU?>J7{_1!e_ zWxMIwllG1v5|U6;1PefRv~{k}{{LYBkl>?8J=o6He9^`t2+RxygPFn1pv2#ZYJ85U z)bEH&eUGT-qVqB}t>nIQRB`8drN+AG>hl6j`RmUsdoJ99j>>LAR}XL;4yH6x6Dwx| z^=F{c_Tz5uO7w1XPY7r-=kEM3V4*d5Mv7x@$ZlWx#`B8K9@fYoZ;iaoFu)=%TGuMc zj=GU$vX+bStGatwDSy0`a+c+Qg^aYWwUQfm)y2|g1uZ@%td6XHI2~+$I*1k+TiHTn zWyXQIY}!V6SK02mqZ-!XXKPv`G{ zJUf2#>D|!}Z(hQw>0wS+{_pLO`8b>~ArB7@_FnXMyPAYr2z;_a049OsXiSRRhuWi# z_}JOE(3dYD-u3_2;k_*EL#XJ#bnaM0Yx7@PEZ5+iDebDQ!8wsK{*K7JP>Z#`Q%DBFwev=x-_3f-a};l;YFb2dN&;^R$( zh$lTS6&$XqS`2kxzg<{q6DDVA*;#E;8X-wBE>Vn{#lf$OKb!HO=Bq58sb;r~>PID+ z7HaSHo9con5l~Iq=DS@KzfjV9-6w69lVgEyU`b_qZ@sKacKFum5jmF=+y(!d@pxt+xI;D#a*a9b4w-Oyy8rqrbu1pXDr-E8eu07A z#Bqc$lxI{bUS`1-RoDu6($BLr?`x&D(kYQ!Q-wRm^pC&Ih{$iOLNadsDhs@i^j{@8 zY^aQ-OsAe7Vv(l7I-M<;7}OnyY>30Onf|-iNN{9;E-7{@)|{VOI$ook;@_PcA2Jj9 z`$PG$_D`$&UswJn>VLjC_@;3G+q35n_y63=^ZN?*zmi*j%uQVn6};}If>)v9Q7Nn? z)q&OkaEm%#gRTmIS}e)%oj2sI1>MXjnx|&f_X=#!?E3Y`A)S zdDgUT?uRoW2|qc_lohV%wtH+_ca64^e7*pxbeOz0&=5}Y84{7g3yw!4>YIbCZN?kH z{g&b26%KLa6W;AL`s5u8$SLEp+cT(^La+esa;P)Hv5FK+pjF*GbQ+$6_I#!^cEj9N zZxJ~h8d%*RCP z6A>2{GZ|3)qp37XMavS)p;uoi&3qY|Ar_-A%IL8d=9eYd2e4MgGA>kbfH4 z|D4Ds_dHfT3+(@c7ccVlzxNKFJ=Ficl_$0Ti?wleMO>Zb1m$o|u70%}K(&0hzWt9^ zms{J9?_>Pij3n3kS{0^nW;kNpPYxE1dQf`KR?0b69@$1}dx#)}(QH-1Fl>`+ICa&? zZbhtIH|Fe$1|-nXchPo8g+yJQlg^m5NOXJIP47$bG^!dwPJWwFP6E_DLO-ZhuV0}v z#w4=6BPxk9@hJPOn#N-*^)5Z2lTfUEF@!7S7mf zEb$Nv(rDJ=mNS;0zQ*p_WmjRzdGzfs#?nd&^=mTyWSON|g>~r)O&d2`s726P&i+P} z*CzTODEL?xtzJeAT%iB$KYzZLKmU30&BOg~xAGM1Mz=zF#ieffb05>X@$pY(5%dS` zuko2qZlczIQc~Idil;pH@h}R{B!dvhEJI(gOA_VWs#&tseD{?^Bs7-)Qx;Ll_y*+v zvuDNoKfgJ6@gVoA?H95K8Vh{0uWkZ;#CLC?sW|@;j zLCk2Bo{^R1VKkdn8cD*haG0K^*k77}SNysVu-Oa@;d3053pyoi<{S=Xer^I#ML$bI zHDM9s`P-bFADci_+Q*Xc=%3FBtP~o#b@B?YR%GG?Hq_)6!-gxe5L~+?_Nl5x`6LdPH?(1+u56i_ZY-k8c=_^$@P z;|>4Ccj3SGhsk(X{m1?(uA<$vqapS$XE7SlkciF`Ph7{HC*BZWcAj{08h4)jzs?r= zfH`F|flgk(5gjk)>{sH;jz;LKgvln~M za_j&3(-#L1>;E>M|N4)9zmISn_e~`abG*^-|Gm@MO8zu5AV9-8dZm+tJ01Iy3WOuX zViF;pLbU_s9%d1h^L{|CNXTLmp!5Ix7V_)hluT{dgd;h@Qhk3-0}{>=jnGUGggKi< z0g@Aft{D#l6wC;SCn*q7ra{c9AZSFeoN*#{&?qFIDcn0g2SI~;7KV7pOhzt9m=Lnq z$4C-?f<}~2h1cnPe1D}h2Xc+r$Rhj8_C(599PZl1;4wbl?R7dA90z2I`K35Cf{=~m zHRc3`I=@$8QbH*YT}%k#L>X!z8D-KDnvzI?NCJhsLYR$4gsZ+(zwA2FJ;`hbKAXlk zq6&3|t)dwlsYX*2Fd`twl1}4rj&L-G`z=GNNx`^MaTphHxwBWuOLd;k))u;W`=77R zI-S8_07W_;A*B`|PGW{|5FnE$jx52n5b?~<;PEm4wx7~SNF0V}I`4C>sG@wGu)$!^ zQDdJ(lCxmuE4VuyAUO1ohKxxeIgSOw=wo5l##BybLw9id|9-&yOTznRq#kk(EXxuOnYks9FpB(5wSBNJ=ZOTL{6;IIinAOAtZY1&@l?ukjyvIo+~q}5gHQ3k!E8D^5Hnn5l{UBQ`7^<9HOg1 zrpfi=3LZsDbgcWQ$wUbcIXp4J0u2d?kiv!pN?KeqeyL%2_ua|6|3N3wm=hs(kWaYm zn+Z^|V@4twz__QJO^KY4nNV{tS!|XS`uOVm)3YoFF=v5C*>2ARZaw7$j(!D|M07fR zl(G%l_xAtxmrh?Ja^OAn_S9deAM|u7x)W}-Dk}$O%Ipc}AXTCf$3pTM9P*pB0n5m8 z8xW_{xnRlqQom}-00p%C(CbYJdNfEE;NY;Zz?-g8#Xz<;k)A@4a1YaXIApM^#9(O4 zS!JpxXr}yliaDMVHOs$jZ^g+UJtPRo1CY1^x=G*a-NbO9?UktAgKIJZQhJz9=kMsr zlM5O@d2)!}QX!GT*B~p*LLLAy)KFR?{TR_Iy3g#Z-GGEd5_s(r*< z3(mP(m3}Ho6l=Qh>IpTbPQwXpKc7t>JMYdfH5|~M0opQ(`-_?aCD_do)*uV_w@hus zIvU?yd}iZB+gfCRi1%@fK^vt+*pe55$X*?1WhpXHtfF*NP6IN?G(VRh%_LK^DJc$> z(QI1UP^RRNtku+%0%Cj01LFds+N=kN8bHkM@tRFBbtgwLtKLXTwweH1w*-AO5UidB3T2^tVif?fj1?_WwN z;vCLpdBgx>PQKOxLmeQ(pO9b{60RglW@M7f=yn=}%D1 z0pY4pBaRFk&J6%J>xm4e1?BO-cvKtO=! z04XnBr*?=p@K2OBKvNbFw5_Hl=4?omF&u_Ug$bz8N9))a!&Vot4a|xQNYqn+z!iFf zT0l$>1H&WGF-upj0wTQtHC5CS<-Eb8DAI*nd%A`&Wq@El76UsqW3hH9EFd(}$%5Tq zoZZka0l(F*xXFF->wJp4dGe-CuiN0h{&hap^w4WZ7h2}73Y*M8;yzfY!~PK-C1^nR z_9z=<-?)T~nV^!nq%0EBwz&f=?!j||204pAQT$RuN<1DEKg<$R;xXE$)9FmYz9;cm zD;b<9=}V#@t6}`xJvV5uzvn&o_Mi6yGNd@_@9*{b^ZkKK$h3xfHAkv8DAtu8{)o>F z8k~&YF?q^~Adz&{%q$@jb3FO*JSILJ&5?2cE;h^mt)HUGn!HH~3AZi}@*i44(h<_v zGKXv|keIMp7$}9*#)AGao}$W~yitU7GqZAgQR-rMv$wVfI@&X25g8!H(ZD&M82lSc zNo7Jhn7eO)koiPMXK5$7R3pZ<&s8-XpqU`tLnm6*UjxsqhaBm(_mo*Oin&OeorDkY>%m0d_k)$or9)#v)n-#n)*aLl(sJ-0 ziZh#Vq@{t@$rDHUkAf7)qgHv67atIbX(-Tk$>zV47aKcuvu1sz)JzPH0u)pKk_2cL zqY-CQBq5dupy=uIX9Lm%gJaV8B0&aSlDR;G(qaw@j=EIx0gOG!R}>gDB4j38KRtud zr&5Xs0a9V~^CV$C$;;my8{DI3kwRW}r-5-o!~Ge^xt&1SgAfu5aRUSgh>c8G0Ew@4C$~;4baGU@Dz$(e#|oOVg~x;>~{s|;YPwWgWe4KkdBBy_e1gz#xASz zxJk^`S`Z~eP(=buk`07JLo#BVAjT0MNy3qkn9EsQPq8u~nSp-7gggo<7Nm9xZqQK> zxJT~lJB0Ozbs((pG@yNkLe=o!l+oNFtz=*kM86W>gm_##=&p7q=ClUqt(u1;u!?vYw8DfSR;` zm<5?gv;=%-Y8J*>HG+PT%!yf03{orW=?%nYnW(i5!MhCfw&FM(J<6(8TLLVk-axta z7(UJThtmDfG_nSYhmOLKU6VlHnJf;`K(LY2M?w?q+W*ZsN76+YR6rj|+TR!oH}^TH8HBr zGE1P>A0!AgC4K|w7wVWvrwe*YE<~u5H&_Tdj#>mBE{1-Q%uyt?)gEdvxIym{TGt57 zwIa{}ddWh<7i?9~(?#0w_Ml(HIaR^Tg`V8l=F7i|Me)t+fxdyf{~<}9%ZC)XJ(V=n z>s0-QgpVP~iN$7u+`PagcjE@oOBS<`jpyevCpb7}ky5^BBnvXC32c>h?AOV z3Y;=dZ5D>o?<^bK=jqzF9?*&oT{L&-7#>*oA3~Oo^2ZDr`5# zDclbFk@$|YS)79&enTg(6Z0GjII5jq-)s9=d#mR{lIiM@BO3v@w_gW+;u5Hzf#P19 zIz&YF%k_ZXjP{k#^I3Exl9OmS8{jVKtFc)l^h?topnu1rGdOa%LFYs&IU|)R3H~$l z-D835r^r&@{dOhj7tub+;_*T{rFlW=^khm9n3NygxOB-nnHQ@)4J2j?y}f9++%s*U zhbAO&@Yoyz4WKt3xl_)Dq*PYgo~*=l+OGmyGw4eW@T#F#Dlo<2YZBu5Ib4^MX0@H@ zcPLOV&1E{8@|!|Pt=gx11uL%-`j~JE^522m_H+vGZUt-y`sXb;N9wAACE(v6TXFFA zz`sF*BJefPk1!2qoLo#e5fc^$ZUFnY`W=$?<;LL$dEbKeVg@BKN})g3?`|3T1+)+8 z6^V!t3xrN0b29DM4Q~PZMY~lN`bwcwCv!H1Py?Bhg}zegl**h9&qD*g&q7}*bjoGU zX2EaG_mx7YO6F`5{u?wnXa#+x(5aF+8-{)n?KxD=S}1f9nUih5W_SzGFV>JV&{qka zI+?R6gcRp2ShYFmtAtLe%-QffG>|zt=&OWIxy;!t`0e?=O6XL{oK3>tK<4D2uM#>{ zGH1ikFQUDU(>QmOtqRMq5F=vaB%qkWCJe*|mZ66Jtt+<6y|4x7t*GA^_>G}I%P>Hx zU0Z-YVVX^W-`pzy2~+t#u0Dh)fqponp`=m5LD!f{3B>8izm4n)X++RS^|hF=4W333E|TLn(bWgc>)^L1{pEqwIyy%X>Be`h%smZG zeq88}f2fJFsEN-p@Ijck#Zlq5BI~rIeJ0&vA@sWSra*6a`arm#LXya@bETy^rqjNR zO-y*VE#!yM;M9H~KY*kEIK*^1@X*N!fv0Q-s;I(^n6D|%LBH_y!G+#NdBFe`w8v3O z{tD1ash;4~_-RRdF&my@IVq?8`D_?a4yV#{d-AD|P2lJdQYi5HjvkhPzEC>P>8Wrw zm5|*cVaw~m_qPu{t`6~P0==);CKK|tGV}{iJYDEPi~NBF#mLeo(Cg0;e7_>#7W$7} zrNjKhsU+_spLBm2)Nl^{SJh#EBhI1!TDJ%Muiw#HZ&U{Q>R6E*WCKakI3id2q{0Vj z>9Zc_8|gWEzu^xz&}O&k-3hLJRiZRie9RH9LbNRKI%dIkNz8W%^o=wH4Lu}| zRiLm8^t!)h!Q)FpPa`UilkK}cn$!hQedq4`RWLTB^ODdD8W6u;zbu8`e78vinn15F zs;La0PI}72mhho=jh5q1R??s)K zW}%N*Ku)VMXaqe3Ij#?d2AYC}-Y?EkYv_|c(8=lTLLV|5yuu-l{8AK(&}TnDbd+U( zD$wAq(`12ESP^>iSrQ)M@Pgyfi2B8nUB)``L#j4ZQ@#J>R7W85E4=N2H9xpqTt!F)%m;cSVX#ranwDAwQ_RWZ4Ldq ze6^@%&}(OnyK0@R89}6kOZu#Cko&kDkaf^6w5@`nxqp3uCs50rT~jR>VRXs@^qLAj z(>b@VX2F<9U42OXy?UHxgXkg!{gg&WSD1zhtZLheMszxxqG&c9622P~?vqF=E4(V= z7^Ks5CL|Kl6!*Y(7?UfhCXQU`1o|@Q7o9!;^!W3S5w3+_?N*nOKIBY1JKIP)o zlG1Cmj1-4Wn!^W{WqLvU%LaQIIKO_ zz5>T3Ylk+%p>@W6Dp5C|bC2q>?w$Q%y?OWNr5LV+!{T{ZclLccO>0SyY9yCd&%s|a z)XU+}E)zcka(ynovy*Nh8$ZWOZSwJRI4sP_Uk#C(ocy%o)>-)}4h{42S3;uEJhaZu z&*88jJHHNrCeN}s)Mx0I;!vBTzX~4B^wyQ~^m8(4-I@9g<~9>0 z#k{ok?D6&D)NGGiLk{@{r=pQuy2lk18sl&qbre?6sG8!izKs6$tA90db+tI$m%M&t z{h8(Yo2t`C5k?s50HN&spqm+o<`0Mv9n+~bM?Xu0)puj&RE9IEnot8lni z)dNt|dAP?l1Wm+ou^|i&OfTl`mf-nCVBt0ytL-be^i(IUxCB@%Kk^K zbd6i80gySqZkF8Le4oD6N&qF>T{S+9aM)BmfF)?YG!7fA3a}0|n&Hs4Hb4s5=Bops zy7~Y`92!>$sKsH;H3Cpwm4G4+jq3!|;;`mQ0Zn7D+Expw#bM3$0$SqGxMo0#!{)07 zw8Y^aRt`X!H9c62!!i{7!+I+Xl;L33_!I}( zf&)!)SiHyG<9Y+A=1fu795{P*bi7iTft5=Pq_qNC*9Ta+HbB~eom3EQN4~F&&jk`9 zQCidlB?3U1vgkb1PqySpDhg8XW!d0Si|hdnXpkSbp6r&j%LcFCV{gz=MQ*1704;zZ zmC>bx&m;qHYZjdgc1fav8r;55G$?F_ld6fc$M7o%9nUsOg)0oshuCkj7Z|{Qnh>3v z!3@SJ=KXBHl0pqQg1bQEWotn#Ankfi2@Qd zx4J+T=m%s-an#@6>+^%Z{&ldJ?(r-PQ;WSh?CLud>zuH4(EViej!DS$%@o^N2)jN` z6_DS3Zk*4W|N04A3w`9OHeG?RKsZ8}bG$ZwFEMXxU@uE^X+n4VolSUI59}r8R3q5a z^p;kz+s`%&yD7OvB&Yt8JFXq%Zfb0m!&0>wx7V)ks_<6XQwNLY!>OLgx*!FIN)Ygd zFdTpMeaunJ*;MIuGXX9yF4vl#R|`wkHjc80m2Ka}&fZwyH?V8Bd#d;N3dG#Kz1Ud+ zu{Cb#?H)$~fOCh2^pN?ycu@EGHm=IXPpKeR&H%6>U(tNYZ1*XT145uU3+oEUSlG6 z2C-%{)+DXF=}qppfm>t5n&ed8RYGMc@TEba=3O;n<@ro^m1S9hSV`vPLd43GobD?1 zvI?;Zyy_4u&wRS8e9S7uDvuAU5i3uJx~nA33dBkhq!uDpo+EWvnVS`eHJh;}8J%~P z&RGh4Q>oY_&GW8uJSz|@$@^T4SgBaNtHjR=#F|OPCJCW;l?_^j*fMLZR4m?Aif9F5 z&7@+J)X}@j8?8XB*^HU9)*o0zCF506@mL?6o@W}PGwT3`Y9c z6iUt=aVoPVasm!??Np|NQzYhNk{-rO2FKx8pL+hvhWbkyIfl)Wb;DOcj7F01E1XB{ z#Qcn~v_XM};Y{$;kZ4|9H9W8hVh4Lw`4csWY3Ph}PxmqFrGg1EqF-10*Jwh31bnJk z6C8`1Lu{!T;{>>jM&nFXgERfJ4mSjc4vymxs!j?#jYA^r{RW8)*&Jfc+;2I=^v`Em z^lr>qRCDxbG$vvrhfd2PHenIt`8w-2$oU!h6UKxIh|s+}7PclZi;&O4&_u-PAY(0B zOoMeGwv@OpO)B!=Pze~Hg+vT`%~>(`{X)&dPFD_t zM7!EHRTq*R!7~yPEJ)hLY6nb>#eEL3G*aJ@AekU?!;hIO!~_YDV0mP1AZ%D3@vjKLc zOzWyO*=f@#Qjw%sDm%$~%SeK?!d6W%H8w`o^iuWLBu&^%pxG8ZZw+%-%CtA=lm+5; z5z{IB-g-IH6feuFIXCE7--=iwGmDsP@M(@+lG3$!<$Z%ncC{5t~8*25Hv7JdOFvC2a(S{iFKIN>v!j98|qU$KgbKldhDv# zor_(maIEaKeC`0t+kD))>vS#@7Z2GLaqK=c#j$lDn6h-Hav<2TI&<}75-6*s;4j+~ zDPwWCyE~?GG8=k6o9^bbX-rt9`K0HeZV1JTQ!5m6KC4_!o5Q#3y{3Vn^__&k&^Opg_d<@+|GS`HJQ$!;n zaTpFXdgL>>c6U0R!C)}NV$ykp+-7Jx?{nj(`MHCT9t_Xq#N&*~Q!Kj9UU`KUG1!P*r%>HyrPvfP_Tqq7;RcKY_MSKZu^*LWbJd(6}n{bJEuxAu4wiY%@`Y8dOp3(+J^U zN+Svv$kHoC4i*YTM<_{t_d1=U5M-=s5YBfHM*lqe;Vs+|Wm5lv;i=i!%_WJ6?v{!H z=*g1{8b5h*i2liD0FI@OtuFh~ z>ExGf=Z{{ev$bUkhT1!u6}=58`iFo>Ohci)U?0tmzv#m`I>`j-r?MtszVHmJAaT;r z&D{yR?n|~iivq%h#8J>U7XN8(~r#e4@3Uf)ZsRV;jKu06ORZlvE zzSDW7380lDJE0gw3KZXXj*Y*hU#=K7@D%cn)|uedUZlUhC~$24bRz{ zb{M#g25B}&${1<~GAS{NE%T9PkoLA6lpggNQ+2*G5hm~YOhOiNp!SGzS%n&y(7$anBS2?AHP1m;U zf?fq-2z@6YYWZQIQG!LiPCH4H5K?h}MR5s$$u}8D-!W-~H83QsG-gX{*JEimd1IL< z1S5Uuia9|8PfP|o>VLn5<}6G7(;NS5pg$BO#flRo4HXh05YClsAyEKVKSGQM<>@FM z`Uy4(7$?&c`Aqzo>PiV>Lr$<#%Av`83#PT(LEgz=jW#OKkoZ_JSr!5@i@^?1_K`hu zl8}g+_X9!^H8#?yv>-7^G49|5*ED*a&c`!X zwbk5_(Mq-VIjB-QL{B&CIzK-X*A+kNIvuBjFUtrWp4Z5)eDmTi}WLM z-M1@mw`WAgxv4@4P(a3ST355vIT>YZq$eUDXhTSlmb-zi1}^*-i4@+pYMRrDb-pVr zo{h)4QnnFey&XL@Mnkb?Nh$=ur`85oxyha_=@eXmX%#kiiQDicCFXUw2rLlmrcf{| zO;p!lEh6QikLQGF=?6@t*xm916z+~JDT^Pkli|!?q;H1lE18y2l$3Qwr!>SI?PoL^@2K@`>M?WCJzLp z(tt<=RyE;>aL%~UK9u2D1~cT!h~(wsg@&St}qhzVl=$9Sf+0=4Xm-!@~> z5&msA*K7XozEhSvrMB4|j)GrjLL#^10~?i86i-XvbUH_x(M-Vo{$nCLNL| zUI3zud$r+9hOizlsk|d5w7TXF63nVn4oAW~U2`gl=5ZP+O+XnDubi>d{h5kn38Y4v zQ?#*gd#(aAV`@2mivrLZQV;!uU6U(i0s-%i2v#B^HQ~Teq7fvIs6}Fyo;BZzEvlw;walQy zxve8vTboHT6NjaR;YF55JDqQ76qG1VLpGCW!mic#0l}eOY0BnSrnFv(oP;0{Btu4` zJ{FF;04DfHfV_15)hx6zQO0U$Jp}IO{Rs)DeHfrmg_sdx#Qcx(nBxF&I+2fa?633* zkiG>kp{pf;Xqnl5viSwO+3S%&4c1<1&SJvDxl-gw1TxEdZyXk~YSD;tp|zDAB-j+x zU?SWQtvJMU5*Qy+;xlrbX=;S2TFh!af%62KJU&VtU10eqUpz)apC)+dRJ$J3peSJ1 z#xAf9OK`8vBD3tZw{u8B%>|k+))rMr9TwbHwvFSq%I$WQ&f1S>@84g1Iz2i+|LOhN z>tD1#>juoaLqJ*S#4we!p^#M0q+V@th+PvWCLTs2VB$@GT!AuzO ze8JHEp10@isa=>V>-kq;2J2_nj!~f`4-TzEFzXBf+am}Bf;FkwNy{d&qZ%?EXu&a5 zP{7ql39Ou$O8^A8nhmU0X)$Xnt@)wE*Jwn1xZfTiIqY=$Xkg5}OcnM4y2juy=EPTP zcL!ZN)ijKJEB!L5d#-3kaNv~PRrzKEEvQIeKTJEE8WfIqhpPxg zE=GSg8GB*4cG=X$!7$w{G-HFInQ34OLgpw``Dtlo;moMoV|uP+6&cS5X8R0u2*9}n zBLe&i+c76sl+8q#=oo6%JT{)yvYI`pOP+sA|I?Qu^c)2MXygJ7|Ih8WIx0^G)|@2fo%v55Nf~7WEZ*7i{!KftL$QINeDGg>qf>M)QsTjMOS+<14awht0)Rz;|k2zD^*)v+Z-mUFH z1r>HzRqSna@}$bWtw{<80;vNUpge|+TyN6$sDMU3<1tgrqR-Wm!ydc88^;Qb45|m( z+YP<=EV8CnGN;hWV1TF;Bpe}5#+WDCpC#Fw_iw#U=i^&~d8BoAt*2Y90}iX;h*T@) zRvm*;17bW8EBRpD(^MAinh`)LKS+$*3x@uxd7zKZjgI7;l3o)|lKp~lrS#%BCYWog zjqnwNdfpifgQB;lWc0-r>PugE7f!B-@=mdt^&`N#-b z`;`?6pTPN{eT6$N>@g=J`q?hYfgV#ktzpQ4@oit{TbhAPQ#;OJNAYE>)blG6&ON|s zAaYfXo(#+>zuEpXR7y8$$lrHA9PFfTt4b)THqL%s)(0FjIJdJ_^`xOcc1#t=TMJXp z_!vj@Uy3yoy9G?L%yA6Rz+8<8W=o=Er2W;<19N{uB>}#5KhYPF_}~yj@|sy?84cj@ z8HaG!10d@R4s!p(IY7^!gDUxD4}f8V-QV*L)NXKSts_NPFeK#!#4%tAY;Sjco#E<3PZ$gZgsquN^eXyz68UTz zV+j!>RwU*ivWQ#!oWGx?GQ|iAEl!5J#L5U7jr*z_>p|`B?;Z3dbN+m`yG0!^`UZ^t zkjQI7BKQDDfoj?FmIC`(4(#Vkf&DBC_Va~cKQmxI?cDHO7ef>jE^EDL-BZCW; zMiN3Mh)4@NYOjwH1n6T(ha9e(Q$tmNAz4g)v1^)s(kSe1sWv@0vN8vvB=YAT`hoFW zgqgdmsXbsOX{hVDnZ+<-vnW6x75~@z?#;-O6SaXUNxhrJY0G-|^`CtMvUV@^th;0f zqL`7;Wi_ylbATmg*S&KnX)&W|YO+3u)t+%IFf_}5O-zwcFE8HHrv5Y;&;*^Bi37CG#<^ zDy;2Adn5trr>>tAl>dMs!NBQYYFS`3#QtSk)!oLi?HKh0j!h7i_GH=x*Bn4Wn3g@{ z{HO~P&ZcqQicK2r_Ovl!W1mhx94Fc=R1VQ0Gy;Os6y7YV!urBsx03`?rTeXW8?ZUy zFxT}uCuM5u(5qUX$LjMkEQG$8(t6n~_PRKPP@0849V$B6lGrfgQCrf(X4);p=HJQ)35#cv4y{%u3?21hLOt{b^N^B64Tp0ppxprq zXrNvY+OMj-)QGrQ%-KBg@A;Z_+F=T5}|ria5tWX;qLx7 z2YY`t`eaNEIR}=rgt;(CF??EO($(CQ7*+GQd$m6RkL%3!$l{nj&idc9HEHVCl+1&U z`@1Mwqr=%Ww&8jp020$J<;WMBBb#WN`$p3|aP`56CCZR-9-9+6FfLcpN%wC>C+)P? z?e=rJ-P5|A!tC?aI^KR($9uZFP|4djO5W4n62L#r0e`R(@K3YAA1s9Zse%2Vm$2Y- z&4P_}5;Ox=(1%lL(5O*!tyE7~@v(4%cZApZ(QK~Qj9+37>RsXB35b?RokX5X1MJdU zt)Z0OXq9|rA?Z9qm$RV~ST<7K6(KApk&n6Tr(3R%g^vUB64GGw9=WxJ-cp}Lf+$rl zo^v{$Nc4Yv7SI0^J>7fy)E?<{I;Nd#79YjfpAg%_4l*JQJ@xj`wrbEdue!be>;TpA z9OgvpDOBk2b(7m;gj7he61j<7GhKL{f0_>T0U2y9adPXwX@#)tK%RtR&BNW@>+5R| z1C$=)Q*aJ?opVAmgC}`pI;_@5 zA&$l~JSJ$&t_X(+NH@jgaiY#3Up09hyy=Qbh!C5YF~ zmJzUut3fvsR`Kh&Ub#c$IM_PMQaS7(CAh4u@+}RCI7E`qNT*{g6x9R*G~Yy5A21h( zAdC7S#t+fOoAZl~PS*qQ4^j7^oBKjvV{mA9hQ7|t$~8LvA#LDKI|#)rNN+gR7o6&$ z^|_{nGVzb9mj=CKHjCsTdfFE9r_CVm=R3~A4zC+S@7^t_T4dfM1FKakO!K};dFv=K zQ23~0WCBc__TZW~cg^PyPx(_R|Mj2RNwy0P%*BGf;#nmB_g>`X|K7824j$zHZ9LA! zD6pEbBxA_c?*w1eX~`E%dfKk)WCL0Y@&5FMen#%t`Hs=~&?*$hfj znz+J{jj4}}U1I%OHatK(tCP@DrRr)E0yN3t+*-Gt2~(nK6}NDQ`U-B_g?mC8uK)ls)Y94O*Q(nvgIiywgXLOydws(&?koECNNU)3=y* zlADe>d`_mAhKEk{{C_);Br@3=5&ADPq;YYmUKSFW3*`ji))vx<*RBD7e6oA|+MLiR z10d$iCqfY6srLUZE@^DlP$(VP+1l#3e_JV~kJ%oi$h~=*t$(|RiQP|lq^ooi;mNp} zG+40yU%Ys_pIiS2&!0bkSpT>2{Qmpy6LdwVhY<6p?0>cYznm(v_!Dx7p6q`4(&?yX zoiie5JVF@UbddXdq?uvv)NVzc-+#B+qNuC+$8(rQXCkW}x@bF~zC_(iGVh}9x9{I~ zQCIIYU9=riAyN0$(OFmh_kX*+9_oMj(gARO|GjUr#ukmBK8YbQjFaFsWGbHf6B5iq z8jVlJ5leo4qfhK@keU97L_Rq*mO30$z0nRrt1j!Ok1oml5dHo;@-E37efiQ!3kfk( zPgyC{&d)Yz->o^Mu;LKV=NWfQrYALy8Uo#*-)2mb{9E-oi30ocHKF5)JVg5)`=Vc* z$O+~_)kHR$N7cb*=TVQKKC$~z^J!E)*y3jwgijMU%vUs*HM6(E#3gg4R(lt9^=jG3 z4C=|#IMERzzab9-(ao3!b9mcKYIshEBorjutLB$Bz3MMAy&8Jg&>lo!%mPdQUG?us z()RNKg;X>0&}Y+_MI@5RT!6>#2gS5HIi!oc4_YP9zfoU9Xl55ZYCKO42o~)}2@vS; zWfBP4?IJIIk+dxU;d}x(^-vMe^1yV}#$I8BES zP_c(@P(-6Zp}W7AU8aViBPP){nZ|PN5UrPQiegS9IYM0=$6hvVJNf7k{aJKf$`^)n zU(Jw%|g$T z#Vlmw`S(iPW(hK3LRloF zve=efYK<3KZph*yYq`XlEU=m-wYJrCJF12rX$_i&vlp&U(QuaZB0b}l?Z4LczmMaj zq+CM}K)wCHzxV9mdCvZSw)f)U{O4AlCG3Ca#yh9HhAkmjwN^8Hqr{OpKT0<_I!gA@ zama=^%q*__OSccVVNI*P(+t+L^S9j~y<->7@6)e6+lw8bvS)Wun^D#?LL<|}lttw% z<`m-clY={5{DuWV5*#pu-~g}Loas``UfN$~<^-8u5q`|3G3Eqy|7+iSy5HaH7I*$? zKJa=;hp>C2t{!stYJW&1-tT6~TGh6@Hd>h?)CTcpRLa)DZcMCiR;E>2!>}2>44^a` zdzXI&tzey`^Er!tWy6L&t|~snehYcC`hKqmoXH8}rqXgN64rgbK2jc^y>3cCp9d}I zw>sag{)*4J1E7$({90h&dUhDn11@4(yBc{EuQPIY6b zw3B4HLHwSsFqszQ?f(AdOBbOes?zJ207nHDRC`RuhMaj$#^f{j6>S|a#75}%-(fSZ zf&qQ`lGOKxo^4%2h4&@V5t+6vjnID`cn2o8(cGZWg{$I6*w+=iA@#niD?oakCr>V* ztPMAHo1lOqBza+pLpFXa(3D1WI*ZC?A;%dXNNM~-?y(m?)CrnOYh0Y z|Noa?o_zW8sEf8U@{cGu3CTXUL{ z|MT>lXHOsef4A{8^Z$X=y_j$|8&9+#$QMr4B^>mrOmcIOO)JvZ0?vd4c`_uro!9C7 zDDapZ>SHUoHUu_rJ#_f8;8RZ<2@_c1sewb{L6^x{1HAhlju>JrC!S=Ug=%lF zi@G|SCi%xZJSAP!9Z?bn@QH5P-`ne^yIujp{Y^o*-vYw@1i}I+W~tihBgwQBA#u@4 z&S6Ssq)38Z_J~t$(PuVpG^xq}wK0S~FwBpJ`nEh_AK5QG^p@&+sA+4pYwFB$v;8O) zU`Oo*y7aYXJu1;PiyliPC!Af|Jxh&iphW$o_Ov_RDTaD(_HeColUhX5^lT?jDmaGy zmC*=}ZHrWJPp)tjlzd+}`a2OnnmlRO|NIDGG&DVYiMl^Wwr<8bdUJO6{!HH#1?$mV zTV-#X;Xs9S{pJ?AlS=J%s|S5)l)TK3-JgqBnx_}IkSh|IE5kT(OZ4s_76zGG$mZ%9 zb6*A)`jQLt>!rzjF4i~qLrkY)Ent5;8Hg2bbB*1VhI%gocqX}o@bgB8S(~=Fb(h5dFI2@?rE+6=^L}wssBBD_WYZI{1~1A57ro_*yuwnf!To7D91noHoxfZK4=g^6mak^}DCN zl&iBb3Qbr%1C^s>I=?HX1n?A1^StJApovR&S<0nRKZ!{zjPMfSI9BtP`PD0B#Oz<4 z%+Ti6#eNZ}_?7^nBedIm|(t85l;f#T_87KLz9QAVV$(qSxZ zr4HM@x`xRMD`V}fo-+y;uy+YOi<#WKwT7LN$@brwiMB1OgNw|RmbP2N0x3AzWgHsU zfJQv)6zC$)rJs$8?cJAUcI)Weqs4mH>e||$_WHj$*>7P0EY$z^pXT#F_xB$Bzqj(V ziU0gg7lk5F=~t}?5~(c-95^&B7Z{TCK42$6^yu^?Ddp$7ev5mQ;V?5wB27#MBI5}) zZ_Quk-6`WTeP{m4`zKEwZ=};_;)wKMcZJ)SoO=vSON+bvwHhb+diNxf9)h2s+Tb?h zD4I=&g!hutq~@#^oyg=CFv)QwlDpN?8z!LSR(hFm;_k%89}2bfB19ue#-!lte60xQ z`Z+Jm?SAUDJrlHxJ5eWCRP6vQOip4KIfvMXFBcpvm&G8Z=^u{m!Z_L{zhycvi&p6s zTUCda=mDIW*V};03h8?_k(u`}vw1tnygN)Pw3Kv+P^|iL4MDZkP6X=esq7ZUuz4V* z0AwPW4XJF0G?Llgdg;4S$gq6zEdSmP2dr8g@J6v%$xc~s)t&0Ye#w;@U=He)98fCb z#XKem&NJYae|s%-1HoVqhfhr}UA>1dV%g$n4x??CL`eL#b%aDAL;`Aq)<;5U;w%^R zU{E^_u@E3_R-)%guD6zSEq-1ffYP448>enUT%SOx*9ec{M8X_sImNO-dS1Lehq}%r z=%^3qi26!N(#4QTa@VIJjQe@#jEvH1Q|@TVMZR!_`K}@I?p89PeYcy%ldJmvL3gdT z0U~5->p4ADc;l>`b`Y<(=W0f^r<7V$O|bZ$%u%N6Zk`Z+I1`d^eH6l#m~Zr1(%g|( z55XR#Piy_(WNxm}|G&Rq(Ep#lc=7B(|G$l=h5z5t<#Tt_REh(`EVj9p0mYQuM90Ys zF-U^-oW00iI-@V6t^Newn{SHa!2xsR8@bpv!WPo=F8ZmteEV zBz<^r$$`C~)6IZ}V}EhwXIm_yZ6<|!Rr0na)r0)}+Mm|)U-L{G@xRdj^R!U^>*@1@ z{RjDf8&3=Q|K@WHw_4_|@BvP#b{M!ark^%3sj%=ZNE54ms+RAs2hu~&a~qYe84F-4n3Ma?%)J!mLP$Tomu(ROW+Tfwm2)UcWn6ZNU>36TjzmPDa^lHIkTjhxRmeZ~@&Rs$BtZ zpslC5YFIENEuYwz39sZ+&Q??HH>jZr|nE!o^Gkzd@z+xEcfIaH$FJ6 zfyrGg&Y(3brnc1@mQ6yQ>`+aYPFcwt2l%qLD=($eUe~>(j*^={UGCM@d~}#I)8q+= z&J3H*LP`5+Bj-XTbKlPpqEGGh>WepJ=%-Y`CT}YxY;}taX-i5K)sW_{6{0`b(^~)6 z=?H5)|J{GK_bea(d9c6tQ2+NpLGYkxvu)?P3DK)B=_WftdlhL8L5KC-jwJZ0oy1-_}wXrkH++h zMAodB3BpYYwnW=-@;9Y(vp9>0hhQ7fCkj+r!LLsTZEno=uQMUd;c-Iz9(*z^zpu{& z2>wE&5nJtMj4g|Qa(7ZGSL?j}}yz!tqqzGRdA=CwpiKfihjc%qtv5)hT}0(pv1B4COrEr~5lZQWZ{~)3Y`G zedOv`7G|$}<1Q+Hl}%khQwmu0%eADu+_@z4Mq&pl46Yz`bcMo80&&dU2hnmnqUDmz z%Tog1IX)-V$Vv?Obnya**-W@pb#VAn*Z9sX+>&*ZEj(ISIoU6=VU5Ke)rddfIJSub zPUNM61qB)nR)IlBr`*JLaPAF?$=^EtHpC3&?^yFJtmNi>#|F52INIb>=MA&wwx z#b^Fq8$f0je}Q9BKf|(*^-MlaD$Ag2xHuUizAcTZKyXif;MJ{#T+bzoLEm8D5(@Pp zr}n>eXMfN3mKRGl)6d40mx!euM7;5#Qp3b=VM5`qhkl}Ah+^trq7mgnruX8Tpg^-e z1KpVhRnH0PLyS=>FBQ!CjltC1N=X95aTKs=LO9)xo=((9uNVsnjv5vBxXb7KVOuijQWKn<&K&+ z#sf%2HI+y7HNfVcF_R??17%mUV%~kVJ?I6T>_Y`E)dFh!WQ1@D3#+l<=H~QLTiD1g z?^)_T7Us*88>~|=fmNR^U|BLuT22L+J-N$RkA;Ou5`od5{ZQLrqE&^g0MV_0VaO+ip?4qBy@uQsOCrnJ!mhfwttyuGL!jA@&m%XtHFnD*{~A zL6LNV%?C5GlgFEwHJT9BG%Q8>z(Z%SG{U*FT5{wv7$2dCT-%jYq^Oxbv+T`9%Am<; za_AS2GqOViln$(LOTk;X{TH{LWMh1kKz8^Nb-Q-+d}P;V?&nk#MYNE?UZtkv#O*epDmjLWb9fnx(-AoOzLK!uIFsFmS;4v+~l82o?x;avTMT8w%Q|(!gzwwey^whd^ejCPJOiB zL))`BF1ETcbyPletJW>F7e1v08C>-N8I#Xv`k?+O4Bt`--l^`-KmX*=0(Jkpi*A(C zCL~ACn|7XBUSN9}N~A3^3rvTfLGIHc`$#*WQ<*gtqxDW zHflCTF(+4)%|uaKz^>XUnplmx>ixn>3gIX|WH+i;7o8l;IQNqH`xl>6eH z22G2>NLf-S1Z69QlxzjsDbX}8vN%Lef)~#3 zu2Kg{D*0p_+Ba@dnX=oX+)uW>tHg!!Pdp8KPMu|7P!D z{olsZV*Tr6ej4fW^^kch85%2l-dfk@Os`r3Xznq`lw%^zy016uZP8=%D}2+pKQ@#L z6$2+0_7&zf=BFHH81I6;iLO3iZm)49pJT?Qxz|&7@a4qy{$+HtOo%fUD;KehN>&kJ4!W#&LibD#%525}6m7$f^ zYtVMS0B7Mb7UbK)r{Ht!=PP98$8fib%HGnVSXC{yk#<{ps8^yE!=I@Kv$B_p=nR=| zz$4D4cFWW=xNzobk8hHI3H?{Al~w3C^<61!%wd)@gI+g{zA-D%96WWMk73i1?}xv_ zJ-fL>hNPL9&19rP)Q;0nzvQ?k*1`9jTv4Lq@kt~pH$f3>gdYD{JT~4+L?dMHt9?{| zE|V4lpAqyDZQJ9d6qqcBI4@q>&&r%~iCgwc&0l%~sXu`pQH_UIpZQuEI%mI`$PC1| zX=(hTu!JD!Cqxm8`lfXgma9Ih%th~9lKFm?4*RcCZ?4Z2M*-SSJQH0TblgQwLGPZaDVnd|eWTBUzok)tx_$oh&%s|F-G~W( z`uxRVSCFDg;$-D0k(OHT;3Wy}WBmvr1D!EfQ{L7a^^^0org163k_T__MY`vk;JMc8O`H z!#+}EZHaYGOzek^flr`L93P@@pw;8rD6_K2bT0`^Pe-yzb6BL`GOoz#q1W2pJJk4A z?vYK2>sX(;)Rz)lChfs=SxBqO^k+f<8+D}H=6VQ*KMKN6IT_Kucb5DPi>&Zq8 zy0L_*Rg~s0jaiM-pYO;lt7 z-O7;266WnL0xb1_72lP|H>L+Li)8@RIEV}P<=K8qLMYvs#L|$&nhFfF&orc%&z%GT z?bC*;40Jq^*4f5*F5|COxGh{NwsJ^~xVi(eu@LNxYt2hRbT}p-3Y_+-*H%8q&icD^ zkqC8NHtuL$6K_^-ib}h=x6-YA(wk3)?We&kxK6_A8L^1f&_3gBRFbbE)Vs{ry(-;p zM7*BwRy23F0;@qJx`HVSeD7DEi^PIC&#$tw>CC=)2=jb+RSaX-j_vlIyKh`^+GdSql)4Q%Z#KBxGAOLF&fFcT&BChqZq1H4 zwSHU7Y^r8|m9v_HzhFjPDOomS?(cW&hFi`5!=f=;)&H}<_v~rm{Quyahx?yy4fcw@Aa|$@IfRPjZRZd&->=0Xl zRJftw=Qq`C*2Z7rLb1RW-GKK?`ygBp?xkDIh`K+3TTFl8F0xfdP5N2vj8mMILpcY_ z=6!Ox9qnHEL~_LGv*YxKYwKpuQ=O_h!H`QAYJ8m`4` zYykH%J^|D1*X?^VNVJ&uWqofIy{zhcGu_^E-&){zLrN z?L5o)|4#L^pa0*tYxn*+9CdFTfGJGX?!UCnY92smtj+lU$_d=c1?Y6KVj56MPo+M< z#A;32yGHKfUX?;%e-){3ZowE%Ohk=$seH83Fe)#*>)m1ORIynpWvkr>#pczfbIICR zQ;Ja$imcDbP{^6cR$S=LVmfkd;IW?Bk>I34_ zfFw1}%>{!5nPRa9&bmFX$ZRt~JX_&5Q;q48%=>KAx9{rqwaQD=pr(|$_sv49Z(yO3 zf!c0iIU!!TsnlbT)$4N_ctuU!(pJtm4tr`&fg92mer1X?xekr&tlybmYw-@+&eO5D zKWC%UgsQyer3HiL2U&bzQf}zk5?0&!Idxzu_fz$<=+qd4m1DH+c+KuG2gQ~gvz$|` zrlS@8V(w&p9j>v0O4xD=D%8pidS}*a9yG>iBhn*n`eSn1y;y>Pu3TK2HGGTQH5M0C z#%xXBvX6=_qe|8;>_X)uZa|W_%Ib2WB&+Uz#avv9&-$dBOX!x8F5l~duGTE?+|lCY zMP8|G`xUcGB~A-irh+Bn+%k9hp|0KCxS?0_|8f%02893@mhH)myX)7@Ag+Je^TAxyAl~BbDwX1!o3GNDhJG9aKvQ9fE&Mn7nHKBQK%WCg- zRs>fL+&Ui59sTQfT`zJ(X#rceSC?-J?c7i0eXMAk=}zyZ(@F1m`W^vmifQZ{QyP3S zX5-wTm9;i4q1)j$ z+QYIwX3=PG4{or|D}2dyFYr^h%F<7Q8H|F|-`g`va>Z!->m6-B8Lf%JSEc9a3vWtk zQ-(tE@|)Z=pxD{!Etcgjj*E%8&`2_?hXB;k*mOlBM?dlAcp7HvoTa8-g*PQtDk{Ax z<>NY6#P2pQux9T6S~R|HW^gmW1X$woA*$mZ8ff+DMy2lx@)F-z##~y=J%UE#g0YbD zu$N49rB!5ZM=QBlsF`w`aGAYqtai08#;FpQZoWj_!X=rxV9wQroqs+on%iA8IYXn+ zJL+fAvrXXw6bC=YjjS+?!TuO|Z5CyA?c_a{%U;oyuDGh)O|4K{#2gP*x9fVHyl!gx z^lZU3=a=GX_f_GX+r6z)EeEreWtxnMJf3k*qSU3>EnJ3+qacwSnfnwABel8~)A>FR zMry&Ji_}>5bra3nhd)O@M>ZPq&*JB(#LlU>&eQ8v1bSudf89M?>Q@kJ$pt+)2+-qx zU#UgP*n0U$H8)Z~L4l*dQ#M%28tLpizgYqnC~-fmnr8aHHzDDajw8m&5@RgT|M#93 z>c8xLv-jdb|G$lA3!P%ABo$odtEX6PI}sYrXc#Cd9%KI!kBRU)Tj*j!1roD3W?Tv+ zCL|0Y<^@f$^d~eL?;uV>Ea{cmHq+m66m+&wM8-NwdRsdtOf)L`kDiC#N8uc?2)HfCjsnU>#~V|*3;)&Ncf8@h_%8g{{xBKus{hzO z#Z|PMb~MEP7YSK^sL+)MGyztvzc;t-2T=Mhriqh#PY zn#D>_O_p>3v zaV*l_F3m469hzkV5{GO)Rm!1KR(1FACmSK)%wyd@jgTMCgd|*edYgi`nhX;x&`|N1 zBtqF3a8whkEj3XQ;VPa+-oN@xb1VJSc zolf5cci-Fp+h00;jqic?)Z6=u{ze(OL=i->1VJMfhU{A3A2|&5h0gkb#Igdu!Zd_; z#_}^u+3*NNzxXUBU>OEjh`Fz=5wsC+dPTlnOyuq=cZr(EPB7L&u%(5XkeB+PAKI?EFhj>BRN1fNZ-_r zFj7At^~%t6uI*o1My(q(aKo#=egD2|{4D7`+pmt!y6V6G+wBcd9V8RXgA63&Xa{3!IB`tR3BRH~SynC`ou1epHaPFr;ifeF?95v@g^rY= z`gjG5EHDSI(mm$DJNQdG7^~p~)#MH5jJHxsHm;4V>uGIYH0!m6UbJzAXkE`{0CkrF z0Y39)@tEU)q{$5Wh)>Cs6N#>A7$Oph8Ki8KW~7Yi6^XQO`m&A5Iv*g=92^zp=g_RIDbwBd}&UJ{cmB%eWHJP(y15YNI; zr!0s;DFUyVe@VFJL3BpOR7gHYCd=U+o)Uq!0}^xMV@ZNTwLzim5S&B-;iu_9h(A+R;(Y%G6|t|{&rr3yV$aC zPui^QY3K5|i_QJ3Q7Fi1ZiGo4N6rk@+JQTuqVH%c4<|{-ZwJ`Nzj@tH_ zUdBhKCyA!qZrbgt71{`}k!p-}liyAmM5GNd?;2sOhWuzjvtm(=9WhD$++lX=> zlYxWaDW{PXHqpcw7_n(+=p~K{*1KyhIs^!TDmE`G$a;bt zH@|Iw^arhIQ1A9J5J1$Fo+BkL^uLf~pg6M#4YWVp6EX2UK|PX` zjz4#$h+~B0#fS-3ub&&MP!uX^m*^DvViHD3RgfCG;lq{V&^F zwnJe`R+Ko0*1>%R@?Da7B7+n1nXH6M(&G4MCGsUjcfp9eOB&T-=#VdUglpAyP(r>W znTB!1iR6@A5eTuSBZNava4<(cY(#64{Qu-!1<3 zwA(}7kVIoS>7xBT)D@DmXq;AYQu5ynllgbb#5+iTzk~F*pz-LoN7i`KT0BcqoXWTl zW>gF^hiSI307fw!mi+hQPs)a%-$~Ga*UjlX5}nG$=V(I8ERFvc2WBtvFl&4!VeS z_11Oia`#wkTa&tVj}>aLtP9Un0pQhMZ3&3^9$;Gmy;b=&XVjb>>`l z7f8}!lQdi;CTtc4NQ0oO+1O!r5~E_o$!{|f$#8Bz_A^Gu;L$+sn#vk6TmXtdb-(+g zq>Ftfn>{mG8>2Tku-G8Wt*vX9_ev5{^{)PEM#BJ+=!$X{O?93rrx5233c3yqz*=Q! z8Em9kwk$Qh%_d(&BbVBmIE~?0lna!okXYFx8{Wfii^e0{0f8g?T^`m#ylFi zq-w3A%2XDNIGZLul>uVIUx_cxgitATnRYBEt@>{UURSyiRjGMN`9t33>)bJ2REb80VE*eFp`jX7|v&exeU51{KS|8FB z`6U9#?>=bj9`Eh9{VWk!fA^ZhU5|f{9#^m|s9fP5!8WMHvPq`P=w*#+D0$H;6o zH`_4>pvtaKDl25|`I89wSb(o>p2qm?I7w|fByXHX229ws-8P-A)I;aWnEBvVVEScy z%T^@;JbP%t{AJ4l4a(-vHmR`G7!2kylLVM? zf)p0&)TA%YB$*zGA1xTaqTH76mmWVWyXk`rVSfCqbbMcS2(8Q-Pcn)N#xE1B-rNZ+ zH-1iXf_sf%e&l4R=`TBIR-oIbS#>o=ZiqR@p&w&s^p+jD0}bVYcxQh644z+j3=JMn zHI9pRK9ySio;#nN*8dT=KZ)#@-u@&OPrLoWf&Mofhcp~7KF!xSx!>z>z3@0%Fs0)uOD?u)^LfXzJ3Ggo&Jbq1cdBc${`Prs2m%Bf;ZEU?rRck8LoWR%gG} z@q99%IP^L@UcCRJ(THY2Al*e50R>`@<_Jsh7p9^KP!DR+=e^(#&-rsiM=2hHX3xRl zB6+?oL(OxNK=I?z8A~o=!bzAsm-r}iqZA<=$9UdAh$ch^53R;j$G!~ah-;)n2?ViG zioSMu*-R7kI=&&TM#CqAnMLk_jN_jpjqHo|1O;{l+%2FtVC5xdH~E;v7}0RV;;FPc zmw}kLJxDUbznI&-5RS<>91;a=K)Q_$GcD~Ix8X!ua_7s2pnu8eZy;;HaZ^Zx!3fX+sJO_3_?UTn=0&%Pr1O8BY!RkI+Q`3IAwydIT$y+W}|_JL&Etf z^T{G~dr%ThnV;qfEXCVt=#pUnx0oj690q{XKNdFDr+<(oTKM5DZ8RdBOcuetP{DZz z=|K7pBoo)GYC7wwBL{uM84gL;4P+5ELx2qg6ab_*;J(6Y*34PgmMERJ5D{!aFYVyD z+5|~kl-Zq~&K2||4X$H(I~+02DY)d%WwRhcObCs6mKwa3j_yXv$=ixn z@ZR&h;;?awDyzqgL&_{&?oc?2>Q|LRcpl*oGh$-TrK9oblXWYv1phzLV1JK}caa*361>7yqKw zgdA0_T3~1AS4aI;@=@}sAqzPR$bIrU?Cd;kW`~{53b`F>CU;nv&FkJ-9$;*aM}i}b zSUeOvC*$VUKyG(38iC+h5OshM$;xm*;)FZHrh-@kGZrUp!V@%|t6=RA;W{%^uba*7 z3^iXjn=t2}XNuMgp`C5unO^GG0z@XPc6n&$Ybc=oP`3t*Ue8Y!Sh}tnG zbcewgZwiN{5e+Gy5I^;U9n)ko8$eW0F_Bg9)(xKEWX3%<@{$ShR8Z!vZInzXM^pT7 z7TfV}r0)wC-B#jE>K{14;h1n4cT)yH72nhFqH4v#aUo%XMX)$x#>_trg*hTPnZ*K> z@5?Zmva2toJOxn1s#F3n7>bytR1XkMI0;7Lh=pTcNg0M@N9QN4M&tYMe*-Hzh4>wb z38E?pEK!LYvPAgb-+$j|c<4e~G^^KKl0yefmHh=*Cs#aqk2Vzp0Wu8cXuy(*th5W= zd!cD>0TLrCBj!T)U6{Lhm@99GxK=z}F~ttVMDx3P8u=?76~=eNKUR}rFKwKw2pw2DJ#vsEaQ6cNRSgj zhX+>cW*gv1gU;}If<}UU;c$*9=QG0VH!04gg5nT9L6#t%=mWIp z-R^n`Q$Js{VK+OWLlTNpcp2O6effWnoaz&GmLlVJ?AF^o_PkR}jOY}$^H!s;f^O)>jV2$|vUG?79FAvrOwgF!5_w?|k$6hE+#qr2 zHv&4P+V4Ntoz^#$@xgtv`5#h~fOfji+_Q}Z`CmGFFFJ1ihtB@X-Iwe94^Qz}0V%o- zgoZdFV^H58;sgtM-&IoWHgFV~KRcaPXRo!BNz0H+%CKbqg*nD3z9lxQYSXwYK&GdaHju zc`M~P9oN;w7HHXuiEXfvPPv^{XTP=k%`)^QpN0HCV8fexwy`Mx*NYc>IsV^S=l^|@ z=MhB|nTh{>vXR`JwZ22b2AsAAcO}`mc8JkK_d&?vDK7 z&hUqk|HJ-|gWb-~?(RPEN3VvjI)scmo!$Kx4daI0Ma|uv-HzAU^#t-P)7TEub7=0o74 zJEG%RERUD+Y)p{!J(mh_(XdLVX{9Y1S0bw{l5~L9?Ys#NxSCj3|Ba0e&J+`r-LEAOa@BeC`tc`_g(CwUU(r@uhpRe+Mt9C2zIFXrKtyX6GU2!YA%EDGMSH0T0BV$IO=YGa3A&qKo zW8s2aqM!Oo*l~RDr!-8Bdy9LkD=uuy3WVzPL;P)nR^?ja!}|p=t%Hi`z-9UlMyj|2 zR!wukrMl2S)`3G>738OonyU6EJ?`d{I~WBuF3g?0`ef0_yesG^OBgFL%Nqvo?j>0mGsT4MWoS44c5v^-(YvN)FhG-58*n;-LW+;35Ox)x<+IlZBOO z3QQbTO1_>px0H5|Qc1vNibE)1w5qx@t{Ema4MPVl(7?sgMkUrNQe)3Iu^|&?u32P@ z#7`622#|KgF8cI22eW5I92J1=2&6TkTOgnb(Z-Rqe)K6Ghm0q5C=CJC(5BW>0!ms) z+ZCory5CyLlCBK=ra(7}*?=esVL-Hjqi<}^)b+P1kcK8S>(m(RNyE?zgfy@N^>4z` zsV0y~)ffeRSFI@+k|lVE2ZTgbZQ^*$QBVA5mDWUU-4qRFE;)D6JG()4;p^KxtB{mR z)Y(jwiODEE&`oB8ma^g%hq)pRRXf3B-nOPDKx`RtCD&Gg1f;7NTl0cS`dhAAg2(yt z;^iitPG>TqrN9yVPGTYkOvsb|Rt{2XYn%rtz9E@(sIZ| z4VtwjkBU??07G;!fKaImC-1z0H7Yc)wsc%bSy@ZHtZin!`-7aXrRMYU^TV0Y12|`z zxzWtw_D<~5-griR(w2D-+8a?!JV8(zjy?I#Y|Ujx;?UHR*7i!M)dLEqI|I-Z&j5xB zil-N;F`a4E>sW&M4R4!cj2AKAGfTfMdLldLMKQg_3GwuBx0Tqf40`2X(JE4RloPn2 zzxQ+z*w{eF36hRnZ+iWo1c%(jYb&_|7sW62NsC}?8yL+hX>KHtJQ z;?6ZOmqoSY~Ly4IFar%`JgsoS=_ zyVPw$GpME7(0h@6{_d(HMbWNOyszl16h0wAAibSnb8+^S7dtQE(}Jz#!8ex&-Ch)( zDz}(bH<{J9naAH~vRh5jW>aIkambh3axycwuhLJV18MQRU?u2mm8x{ha6|T|Ry2)Uze?r;#WJK}FC!AhGn8FM~u7qtYfUu$&1d}=^L zDZ~h5lsv`!++eGH^R;yU21W2>Ds`o;;bh8uw}j@c88C{=8j%C-SO)?=oDhE&kQnrR z@1PlkgM`E(glyKIw-ITLTd2ts7T+{mx${~n8vwN(Im~T9t3NK7 zpXU?zW`=sGJmqU)A7@KugBJJnXB`~0qNWluk^Ha4pCaZ1x$_gobv{H$fe>5mP6sYJ z%DLyGQpJ?&SCc251QmoT1y;_|Q*I8Ltm67b6totgrlFiupkzh8;ZPhA?oYh*z0%)$ zSb~--OTJUBxhD+wTYkPtL=`l&DL1kV{_2V?4CdgRAQzvq`8I;Z$mrE|TQXaLm36+x z(V+l@xwQZ$X2n967Z^?lTH@fDNLL1`G9adY&5&bRW1s6g^n`*n0$^z=+Dq{h&`zOt zZ5$y2wN}9K|e#NPoM;y@`R*l6^=1etI)?WZjlc1^tk?FsO*3BDx` zzBWK5%^$%1hv0Z)7;MnKgzmkbP0aVL5(Je+yZ8;P>_Cc4$a=5xFTG18UF_fDa7cU` zl3=2c6QpcdAg-ro-fEJIGl%9zLl%Z)n5gS890V}z-h$Ddh4jNrgXL*HDf!+27g!TK zoFE!%Ba6g=59=p|+b!A&X0VrvQr9zinn}Hi;jNk72-(E%qE3Orw7>upSmlqc{dPPH z6FMcH+*-Xm9JD6MG}w6i?!f!4cjBEK{d#m_r0?v6@1iCfjnv+7c7Ao#MaKymnkn<2 z4t8csDV(Z8ct0mF5)4xKR99)nH}g&-F$n$ z4Zaz0CL3Z-(hu4rQZ}IN8n$v9+A=1#?Loi>+RFLzsCRgJ)SCJmasv;?9`>}Ah6kD% zaMO!<;>EKNZE^wu!^r;!485E@nIp<#gAKF^$I)3tV#$bOdP@T`CR|8I#-xK<#trWu zg%FBOfVXPQSYm?WI+SpGpPCjJv+cq;R4{jPyUy3ppOR607=suA@XDmx0xg7)omgtI za6{(YBAdZjtr4{-oTzpM6ATt0O%R0^Q-@79GNrejR@BdIbFPV8o=DpbP*xZ?7MHFD zRVa~&4ch`1_&6$rG5|IOoJOAMCnQWDDJo(iIyvlJw1CPc@kWWk1nj${HHO=qtVIl0 zv0pYC1-3HjyqIyKiSZK+2$Dj*HTF6g6Nmf_0nusWVJt8QWmi$=2hnl{comPXGC6xH zo>{)A9MhyS^bcvA#UA-IR$9YH=tLgJLmH=nk!Bx z3c>d~uS85@9C9p8TLLzIqRvQ6OS^O6=rCQCXZoRGU3@9gHKYAZueBwY^64-!YIr;) z!2wuLlhzm*=BK8Nj{0UMb`{?2qUOt;ozpi>(2Vw!wwT_MV7_ev3PiI+{I)l%mcYXD zR29sTx6|9_9Ffa}aus)^%@dr^VMaa&+1w?rL${1UTUzSqV*;10qBPQfpi4zTwX7~u z(rw}>l4TMGMu>>T=C0f!_*NY{eP2u-@v`M-sI z%Csh>tUkD%b96{SHWBNCjkE+NebTu-4SlDaDxf%SJPQ#{R0^;GliXm@w9_E6Q%>zS zBuwHt7`k~9sh00fMt%Bnx}&7w>HJ!}zLssY_@s;e)M7E(`2X4i8n*ewydlF0L(M}5 zLFSSP4aY5zm|f8BcJF*E9kd#BDxGXj3psRZjjmETsDJ8Ugf^+lJ4CHSmTAyY%W`rn zgS{BtI~Ly{9567Gw5J)1ODLA>Sm9Y&mVi4{Js~r4w$XKojqM{D&Q$!e+>CCdunHS7 z>ZX#0j9Q^)LwWa>%$>2=K#OF7KqBG4k;g&x5j2-;?`-;g;U;SG=_l@R1$5uumxNbc^9doI$%e7N1VdQ z-4tgVIlu`PP+?TmZ`pz>lZUCQICl*WbV;968lDo)@tAO=egOUfxg`M@eTjo!>VP!U zW?~J5auB*QTSoB^ozRe6#AHN2qATsLB}5@;jfN11Onltb2PQhoUH&^@N~jjF@fDqt zKUheR`JvDAqA>`goZx9>PiS4T^rYQ~1Mfvl#QEq1Lg!J!k$f$17w=UBKJj4_tk*nF z1fYcYkV-RiYfucci<;3G`cjO^DgJ1$tW*4vPG?h;umlIln!RpYZmrU8>WhrD>UnRiOxXR1`lQ652Q&+**ZvY0#S;@ ziea+^nHR9I*enA&TfThejVA+qNv7hAjpkJRU>FD zYJpqnQWiQwG86oQw<9M1)84Rf@z}@{A8g6G64fqxu_L;^ppfkQ$zkszf6UT`m_ClO zhAU7(1*FUtoyCFt{_gSw4ak^=q2-n%#8dQM6#Sk4tJ`i1G358Ifb*}mI9>YT`z%1E z+c>^J*!OjSJv%pm#0E;WvXy0kV)36)S$~AtI!Xg1xCu&F4uIUhEcfLYOc}Je0Y~BV zYEJY|%Ls>OAjZ?s&vj`wa)C+}K&e;OL0n2r3CSn?HP`T6T@8rKFtlXfO>c) zD$Cpkv2IHID+pFp!I)p53;XKQG_wGN#OxX;NsM}l3d$%It;ukL@K_vhk_=UxUX?%` z!SYsjvaqoZSBxjcTLrw|(2aK-u$93dJ0Qm=hx$-xj@nA*5wVQ~wb7DzuSGf;5LsDE9bXi}8S1aFhtVNQ zU$7XRX}NJiun&<&RXycl2+S3JnQC3Al#0jZb+I9+W;srx5zd4GwTPBr#~X&U86$QI6Mh8a4ZnriK@iMC?g49P4-O4FS*-=-6G- z=#|pL4jNzw6v&uTsN%*9HWN3X2y$SN;P?V4f(Du-#~0$PVbcQaY;3Z(p`6m=>> zpjptDNu%e7B&r4sS2UhRKRv|QT`Z-sIED%!S1}%q=up|_~(>iI7JlV+CH+3$xxAPJuqayOgf5 zJt->?W#cK1yUO23vVJ|jlsn@t8@U%LjA8yTU^CxSH&d}UqA|I{LD1fa2~T1=Ogsf< z#A2YBCYYC53mY4#te=Wmc@R7j{pRMd`n2T;vXSY zi{pSDf|!MfPo`)}rYx2hYH#M|K2$2HRC-IL3iGAkmCRxk%=HbA(VeM#T?h*$TSD*K zKDll4$rQHC_xpRN@1>a@xF;nOH~{>v8iP39g((}9%1p(?H)bDg71?{Qv%jSye*i!W z<#M2DA^WES`C|X&-WC{7Dbq(CWC0SAhHN&T2)5*EMx_IK5Rd>gwBnF7A^4UCK;DM& z2Fq-m#z`zAokIeUL#kbMfzfJu%6qEJfa~ixG2$06@F`<_pKC@ANfOTp{E{9H7=`2x zCDUkRywKBQ99Vk}#IJN7wQ{Z>%6he^gN_%Rk*5p_@8LUo_39N$=M4)H2CZ-E!n8@p zA&Zr3N~xng7^uDn`6~_11T9DxyE+JS`UjC(4!OBdZr$i&$l0c5x;l@Dp#kbiTXP-E zj>w|wpd-l(Cw*>2V>1VzbG0TV{jpOp6U z;@5-4gX=(4c6bK?rc-pGuJUo18ezUqqsU1LL(%u!Y3kleYe4A@JQ7@rhQ!|%C>oDw z?XP4!qm|R3n#MX3(16WC>7-N31aTX2wk<8-rCHc^n$vEGLlt#U41eoVg@0l(YC+`N zbU(D{lH2=j3c@0Ue1unEM5^?dN$RDjG<9D@f=B zGZgc~$(os!Rwc6eiIq>L`M>N}|7mJ0%D}l@Ck3a0HVYL7GS!3Hjkm;p4& zK(6eB!))R9m%KS{J*~5lB4QSRYd%-tI7!+Y5+{#Kq^L9_b`ec8$X?3y=I`LMDCq7Z z7izA%f#cK)$Os(rWh-KSZzSW;K|mB&v!dZKA7NEW9&VEsI<{mz4NVt%ui{@6I3jX3 zO5O{;`F?_9|NXKnP)0Nm2VHV2O>)|pb2<*eeLG~nKJmlf8XpgbzK6qvnm4J!DAWJ^ zvb87`CbTBC?6&@bB+C(^3)z8kl8v5`qLu6vdW?RE|K<=DFEiNc=r@@$&X<&oqhOSa zdIYQV0f*T{-;t|d#g46o_6?brVh!O-A>*^*cbq)E6}pc4Q>kl}`TEuH7*`ggP!#re|iB=eXlVTf;#>#hm&SsHtz586_l50hM!2o4#LLFg2xnSFpd9UP4is8)5tfT?Q8Mqjm-4Hdmyli8@zh3&?aK`TLbX~{8v()|t4OwAWRq`t48N=xGBqAd( zqQQ*M2kc||UdNM0zd!fc^KJCp)P4RhXQ5 z(`I>docd&l&1ky=Z3psk9YU1?R@Ti8;GE536)G{*QFQGwOuuJ7U05+AWl+nsK&0)D zwH3W-PJD6Ok@LbbT<)UI?u)(jSg#N_R5`bEs}x@M+xHB`l(et?LDu9-4~Z?ecIOth zE=Y4>UJBNfs0%W+At;5J7Rdr_m>dh;ytJITKF=B$xW^Sx4nfo{r6I~3rJeXEPKWF- z)rab|jlcD=I!Ca|vvr1O>(h0HDqs2e+8OK`hwSQ(J@qkr5%!t0b_V&c>$JV7FZm;P zVRydXL$}kxg(q)^uYBpVcl92!U4vzA8zIu zW-;-6HpMjLEp$|Tiz9KpT-_Sq(|z(JPTnxZyuFcs2R2>yk-d~A)ueoQMTY}^IcsUs|nF6hd`n-AXwZEwFaX2jsgg;+cfcBJ83JMGGq8>O5}q-jmEm5xC%Dd3l!L!8Nv$7QsIU+VXxlC; zgNF@;NbfqC$7~9=c9QTC%w`r@9ZP5HDnje zx7=xT;wZbb&v}ZYY*xBg;6$mGlwtAK)!XxR2tiDu$GQNSOo{z zH_Dv*%`A}tf#{U*ZFEOeh&Cvr;^)Y@L?K`sQ@v26lZd1Q-Io1 znHwTCF3E&&;s6UBBmPnv=`5T$;DE3-rH;yCQ{Osx42Z25xUyK;VtF`>3K9;(ac0iuJ9mia7sJ92}AW&vh(;WBCsG z;w9qhtwn@Nh>;VYKzjEt4Mc@_&`@*?h-JYjWz5wiCVavIAN?d>pv1hX3yRNR<))ze zGqo*Lfoj-)7kX0{3;;w*0Kv=-jL>=6K**&_7m0V-PIgge2Rsa1guAG-XpZZt__a-P zUAu6WJ0D9cEjQ2W!CW}g>w&2;*XseQIos<2t2y7Zz#7hrqI6XCC;U$B3BSMEd^eNv zNhW-aiEauP&UE){d9~%{dR?dsXM0^hHRgL=P&H?KU2rw$d=6a0eN%hZzkIAouOkLR z?4iE31*K{p?Lw86Ya01V89xzO;KW|%d9b;yq)||<5b&i#%RJ=#qHPpaRInj#^GQD+ z`6CH3_9#h^OKdGF>LZMfEwuQYD*)kH!rqdQ$aqrvS0*hTC&9?$bQ}_2;z;6zjv%>2 zdbwZ&Dr+r@$%w>#h{ke2qX~(*tsRml2BN~XJm<18D2HTK5{d&{jAe}pmggvWI(eSv zoXyeN_e|q zDWqS>yb#z8nHK`I%9p}C=%pZgF`IJbJ|E^hTQb=Ze66Ic*fbd1a_7>if9hL$SyF7j~fa1y#)vD&f- zbnO^KWfko^KBJH9`975ww$2?Ocq(T|nc9t(G>{2(llha5P)vNv4cr=GZ;CbNc5Eg0 zvb7Y;F*OT|s7O^mc7Avz3oHm}lj->>3u(e)H~52!r;tW~P!70# zr;fZ(PUni&UDRm~o3T@u$kt%$i)3J=I5aN3oMjQvmMlKyLv{-)+`-&JsSYNou1H`1 zTk0c|Vy%n@bz0ETFHs*x(?r8;38tumwMtE$MNA{nxOK#26U3;~uB>VzPD(&Z8e67q zRb`o`V*-On!!bvf^0(x3+~~GJy$2dMt|LM~dq(kG-GY35X|;1|zp2q04aZ_nNka>} zEo82bG~YxhJ9QP;L+P|J_hHlyYARkhLt@@q)KXWN2<7^hUTz-9Ae`xdUCyKec0lx% zQhKkjVjK-wtyUn7(u6)k78AzXDZBDChuDxZuHHBRX_{V$G;AIxI+wL4)pNovRmj5x z3$s?QTZ31yFk@&~Fa;K3vLbuSVpoH|88l0$4yUHYmmrZZ2nwwQsC%EIwAG|}GD_?+S!f;gP6 zAv~!v7lX+!u~9cGDhf8G4_$*fb<9J1+@g>tl7qgfDu$uDZ5&!0U-*5+r_MlbevcF=#Kj@{IV#a+~y z+OGn0abcNRaB@pxu=*Uv6i#;b_nf$5>iI+l{)coVcJdjqzUuZOdk=}nV35raXxqWAGy_ zfI<n5E}XNgR>gvT7N9b+Pf2-2u*RRE8SX-`EP zq7aga&=-J`XJBpub6WM~x!UXu(&k9*o06Jc6&9~WnR>6O(?!_;N}hExLZa7QB*Xf7 zJ{eFPdYv6F?!1zw=8vZ*_<)6B^6p z_76=oE8wIltGSm(SM*02az!z{#b5;@Y1lT#`RO$%{B4bn!{Vm%OI7t3GM5F;>+ShutHw4IV?1kh`GfVH5Vh`(V z)F!0`axgOYw9)ulXK1o6dq2#Gm}JfV(aF)l74lm?mYG0$eHgrLbkOS`q2GQ!Iuj67 z7K+vca|7+#BrV=F)wj{}gY&bqql2sGTj(lN*}~+S(?6_gTj=Pde}s0>(b=KEKzzL( z%*9Fjr_1xx5+KM|yS>I;91CcOHlJ&*z4Lq4^7|aTg{Xh(+tThn?Bc+51|UY{0^WyFG(f_?Tzq~rSygoec z_uiZwT^}C()O&Ywb$xntb$NWyH$>GbSGBStHDJ}i4HvjzLQEgdr0FyZ6Y{a9XGJxK z;|eCcA|I1>$yrjCQVr)!4K!j3h^&0zN&Sz)a`l=0Qb6QuK|DA8}}L@m%n?j0d%!n z_!@v$yN@?_EZIBxuVfMZWBq)kPsHv>?1#KPoZvX&c2a)jkpQ_yaO>Zkg)6qPv$M0a zzqbef?(FPj|J~c)+xbUl@5S!U%NL#fy;uL(+1=TFvHuUW^T2&Ad}chs@jrI%-Bz}9 z-^lZ+fl%|A9OGseHN~FQZMVf}durraJZ{UM8_jJ|JefyCl$BSk@?8|Oh{OpcyxB#c zfDts)x%5sY9yQ-AC>-)H0TlV3CINitnbdRX#}SLCO^cU(-p)3q6Cf?sl&Q41q11J# zs0E88vUr{>@Lrrnoj2uJW-!e~&=u!Vx3Gn~^FAh_Phw~ypuR;`i4wd!rD3y+Iz?ab z$0i&l3ckGyX(HghrA_nkbHn~u)6bXz)S;f~^`-QZ@zJHJZVFkab5XRy8>(=07Y>!F zT{2u5q^n@TH|f}vdtW^Ps>XHk*t*12erqb2biSZ75q8Qx!)(~y+54fSfSwYk)|5c$ zL@=d?(d-M-;^5-l0}*1UtbiuOG((3*(eJWFW3DFZESsX)Z7rqrn&Xfpm+PL^Rn!-R~p9L-<=o}mUrEnYdHzE8sZ>II>w zsq`$FsT|>CBAYWkZEMOcG1|GDDEHZDRvEc6nq)^*9Q;t~dhY_svgHX5$I>Q~-GwC9 z8dSBPIv)6t(Hua5eyjkyWVi{rBiX+64_DH4eD4-c4vAc>>HnL^&D| z$bv(nfX#`IzW=__`1Hv`bc9;J%JZmC@i=5Wp~F+=rz)+_pBq;O&;$!eBuoL(5TzBt zff}N|Nu3>+KCiNdO!eaHlw>*(NeYwQlK3vBNkT$!uI@G(R=5(tHXH^sKeb~>qQJQK zgJ^;_eL76^Zc^4Y-EvdiFf`G#E%YY}Y3K{;?TJ1kgyS)P&}Id|$~GHsRjx*pG@AKf zflWS=;Vhxy7)Ww68<1fVpfO2g3C~MShr~otmSQdAor*qxMqYq$6t!HPDGhmo!y$Q{ ztp@1yw1!OPgPyaQ@vzk5)VE%0uB_^qpDsOXU5+?B+cF7i>EG!+* z!j?c%Oc4@rNi)kFLz$OJH*MmhTZ*N}zhjbPS;{NRqYD-%$|i^DywX9y?!*EfOH8x5NJS}5!*M{g zJ^JU*OZ5O$_{(=g`To1TAmJiZXCeJC)2MP?_?apqlh=1&7gn|9ZS*G+vY4sPn5?GX z#30o@qub~i5g%q@LW4{*OVCL+plIcN`h=cQHTLl3ew4EoC(@v^)Xe|XL=IVkHpvIH zX}GMlB4%2@g<4zbhvpUn2v-bvAn+$UJ$G6V#j{W?2q`e4i}U`~+smW=b?@->`0V7FNERwN;K<%pODk<}4Janb*xvEgvV?@{{q50fO$!=O+3S zvRv=)A*2%5bvi3HEm7NVJ;pmgdY&(lJf=b?yy2$1JZ z7*Fb(t9tK%stWtON*v1gD8tIra))}3$eCJMz}n%Bosiv`sQ#8N_}-(8kBnm5r{R!f zVlYvzFDrB5i)5Ih)kagB$73CUCS8OedfAeY+C{R=t90GUAU3mv>nL(MFls8?6)bAr zHM@#&0d4BU@u^tu_`?ZIEdFhr-4AsCcW^Tv`-|{n_GE z&0ivpQ!;ro(IHuW~lKMEqF`hccz-{hFCe>&d#rny68ATQ#?lrz99&s5xGNC z8qN|crkj(q|M)`3eY(Xo5UZ|bbX>nd_$eLGb|zPM7d>~j?%TR&vb)-|;<>YU`bU?) z9v>8}pW02==l)(=PPq|Ck$F=bs6QgT-fVZwmJTJhvjsy8kjyM>ivKS;%U7M`DWUW{ zuYV-``j>(6vR%M(^$ZaN@J1}Y!?9m)n(*6UyY^J6P1A=-ZdKk2kT8;$5k)bvtdVySutMdcidO&fyA&e4Y%4y3avjv_$5)%cA_ z=ukcpZHSI=G$2Df;{?K5+F>Z5%OgqxU%J3SSY6_qbHwIgF5_NG)h7gdiO6uPnld^K zO1c^7jy;10yRYk$%hc4s?An`AOv7Y^n%{BnJHfIXHTpB@8Kl8#06EYL)Tg>wrmYmA zrs{9A-q;HEo`-1zTxN>or^_WtW^t%ez_W-rsShMWh2S(*BdAm#vVj~Ehp${0QuiPp2hYc}{d6b%@=nMJ61 z+i9YvhG(58;O7=-oo#ju^^F86&Xn+`^$VG!Kha=+&nLrThAO((3!(`=n@uIgWehVr zCGEtxYI=d4uF>vSZ+Yscb@(XQUgRWb71a9>sP?%w+fA>Syw&PE^eH@<6jsT$S+@nd zu339U(@8BlGYOhS2hFCuqS(x?;@l~73pM2&Y@*H%YW_mzO?zPSH#^NORDTn-Cq=Dk zu=41yI_gV|cFj@#rbhRkgKEdes5QX0fVkvfTUD1E?V^fh!(D`5;eeMG{Mv`yLj2yt zudie)hdjNvU2;uZ3ZkXfw5eA*92Lr_`>ujoByo%~mLrc<6+Fb3T>(&OAz`uzuEz0M zoK%v*(Ye*?y;Y-L&+Q5ed#yFSkyCn!9_t`1`Yy1t_a-96vg^XqcP_OqOufZ>ol~@Y z)#M?T66KNj+~reHIPg8D$7ZIu!%Q_`!`-U8^QFlsRV z`nrvH2K~4*@z`dZ*vF!Njlr35a^w_u#)!rBDO`h`fbr7(!}@q94gCv(&sB9$mMQ2P zn0=L)d}T?ZhGofq=+)vTo|B#gr&wz%E0MQr9-J1gAGeGFUZh-erf^BUqN$uw{5drr zYEo-rk&g)kAG-(DG>C&5)U(SjLA>H>HE5?RJ`NFcD@V36#gVmYz!Qh~(*DNY_nfHm zl`2I6p^CaJMw_jlXh3-DZNLVoITF9ynVH?(DlRp?o(!-qk>9VJhSTrkp9i@3Q^`zU zeL<@@3-k}!j<)+=W{wIF{-7^wmds7JO#R7OQm@AB6g557orhl7B}7x(#F7-t^7DGM zDA=tFQPmpuWd>B$v4_$ktae{piKZ@cnW!|{^lZUV#SR~GAZtiOJ@luZcZIuQD&V%1 z6(;yrMB{791=zVV4On12js8R*W-QTm0!@D)KD;ieXf-Mg2Ap+aC%5?g8F3yANt~3y zN&Cz1|*%c-6EJqVV?r2|^%pZzbZ<14B##UJg;nG;EewFPnL4ih}=UG(^q+4x3g{ z&vFVeWwXruzr$a9C-08>=-1xK@nP@k`24K<-yvLG>neZ3h}YN}e^otGi5?LfX?YB6 zu+Z@ciBW3JViWjZYyseIg?z{|8xr|WCEVmBNnlPwG&UbcOH8}+8DYsLVp6xP@`m|r zf<3wPrI|*_+$}YWgRQOd&oY_M))wqADS}0X8I@LZXcE4S~H!`_9gaw@Y2jF3*06vg&=HBz-qJLqT)uYQdy#q_c*RK=CmYD#sSW5;w;*mN_yIukD01wrN+~}os zwvkm1s91tA&2^1x4@`*F-v=AyI~Lzm3`Rj%z99>TM7mD~jJ5tlyGeE?XU}t<&vE5(keqmw zt5dqS7e&H|J|^KL9QR1M@# z)_-Rv$s}tMwk?{oX2pVDhmwF^SCd|MK|?z@ih~N0dqaVEK3@YEwo>P|6(FMp9(yK{ zj*}Lv->M-+jhh;iza|4#hSe`8CG_ce3ica|uxUTW_ONCJ9mcyzY*nIbs$IIi<4WCC>;5x@@?WrH%}MXO`ob zt5fX{ly`zhOdRz-@x0C9p8XRwigAou)lDu{swX$a)TzvhGSa4HA>&a|vhG!1<}k7Z zrGmd<=7sFA4w494_+#%aFhajZ|B%elE9LRp0U<=ShG(3D^hbZm%>;i8qDA<&DyN;!ku8YT9vm;F{F6?=2 za~U?H>3>n%Dy8ae@%$x9BCFV;8&kSw1}v{g>M4Q733vDzdYw(^sIf(@hQ>5DSCy8( z*w|1!_C;0WXKlFfg1sT0ZFP*38F4x?@6JnUA;>oDyhi_@hN50d5b}4@j%XbGXsN6pE=9Ms(c6nP?QjqP!!aW=O^@QEMAt<&2LK- ztKWr8;b--nCtZMV# zDUmrI1xDNlE6@;t{Twd$r#`)I!>Xbm=~j*1oJUPGlV&1MFGDn|Z=$3hoA}`Ce|*F| z+|8M)BK7Cj6eNhYjr;dTTRMD5YDAFq7G*i9jy&IH(Ei?vx&W0_d_$5)xxJ}x4a$t) z$`sN1HT@;?gdm-#U2iFsNl5#?!iT3F+eLbIKk=(tWcul!2)sLId7k);8S=xgN9p>M0oxXIAJY!uRkVRP8{jkZTd=#n z8|V!z{Tqp7?B;|0q6TAp?U1K5>xF^CE8B1B;2HJTS!Im=KOLM#Ya))}6AfbB-0EMF zrnGQL6BO#eVk)9=0^Z}FBjG0q_JOa}a|7-(_q&Kxjy#w2i42t&XqXuIBaCmqwTY4` zBY~ML#LAV?{%3DjGTl;+{M4h+T~jHCl%#_p!-$|UESkZ{oZ8TF=z@$-M1&eE=w9RX z(a-uEOkWo58mO)R70?9k9oq+Q`dxo|62SpcG>tUa=1=IpBKEHe1H_W-v~A@0J8-C$ z!kAf#h^E$+$r~rmLk3#@Pp3o}_fsTny$Cvlrni#942nc zn9e3#ws7jcTP9dDWbzYA&ap--$k!Qo3GSo;SGCA1mMuRz?K$uw-P9YZ*$4T2nCUAR zu`$oSBV6nF4mBKFVKsirIHrHlN&fJVBbHX66KZmtRy2bpCzkYQsz$ybUIrMLy$k7| zUDQs46>lOcZWwozr$baOdnB@RJ_$T2;4Z56-T?H$q6a-d9%x zMe|n`L`DK*T10r)Hr-(;`?YT!$w2Kn(K1L{<0t_f|Hw*PIY~`+JZ9lwb2t;Cz8Rvd zPKUodY`6PU4nb^)24QAzdwrW=!3!4t`kxJW zu^3QA(DS=&!vHWZqz>|XLVLHGI@a9 zpp(sr@ql5tWj106BJ7CY!_`7*DgN}#hOF}s1qs`aXhaydqfo!Rs8~W+t(^Oy3l_>C zsegscR#3QVNAcBm%Q}V|q%`M^cTn(-rq8s(*;zF@N135#sPQL_%F*Cx%nR!p@D<}8 zxcx2uhfk-?2bfaPJW>04Nu~Od3UNebOh2#zbp0VeZIx72kriL5<5&}VYKaRK{|8;& zg67T#Q&*gfU-#DFCPkDddsy_VL8CW|jBC9P25SCDOtPGOzPPuXwsBkl{NJvXw*X;L z12`8{2k^XCdv9JN_@BWon8xem2K?RmX=%03o1nZCxh_yQDe)VFYz)9?f@|<%?5K|K zt#Sh3b_?mC4BFy|Fofk86pf43cHl8>Wc{q7(Oa&XitB$XM7A??k)R7?`eC4@$C6g7 zaIPK=mR+YaxQDAd`mp$p3oe@18V4)h`c_JvY*C9_r*s1JGwxW%R4Ud%-o~Kdu(T-5B(cg`a<5?WA7p1i-Bi{X5d-|sl zo#c{ctdt|$tRZ=iz!E!p*@b2N(QI$T5Z*+)YpkR1!{(d^GLq=MQ*{Bu_QNvt9~N8& z@Ugf&LjNes@aT5x*h zYoGg9HyTi*Q%1Sj2n2Lw2NUKkJXBg^L zhCu!CXTJ7_PkZaFGYc;Ga`EDG5mokk2ZND!XvCm0v3J27qx=;g84m@H1Orh7OE5x7^6zs$ z*ulw7wZWi<>Y*=4#y4C;bJ6fJsD^)OgPYI7X&v{RE$@D|ZO>=I{PiB_h$2XgVInEj z_#D1o{de69@r~8ZLroQj!tw0O$;rVGCXZmT>@B2hdBtB$`Yu@pt>NzJkmluKjIR|O zy%Yzv5og8+i39oy4M6=w^jpMVccxEq`-eGv%og&k+kr(O1Bl!w$DeOn!aE$}4Pu0m zz$IryhN@Y{3!T|m^5Ti!4CtV)F3oZJ-pa~981WLE#iMJ5k>0AWU+O)TQev+?=Vg`>I)ivKPx5f!bL}1_S}dcI)%i!q5Q)smm`>ppUflwV8^~Pl;AkHUWBs^RS>KR$S_j6j-nCPX42%y>{4w@M@KDAhLjTcHXDT<`(sn97W$@~87O#W{a`>||~{ zaZ2c`!J6v;8Pv??kV6PxKf$G*1LXp+7INu{@ZhWyVY6x@g+SWlNM4VLIH5xZ=f z45OX8ZT>d3lZ1PJwMyO64fn$*xV!E?v|6G*@#!av3=0pVcG-%hvW04OG`O5t1@7#z zE20=QUGDc|^l?n_~2~K{Bo$M;Lt}}*Gner&@|6*gN%d)EAqmYUI zd#1mR4TUa9pr)a|*@!J$YW+}`u^VUBJ=Vxyr5P$$PYi>Nq})oh`$LgYlCMxS2TeaH zeEWB3AY*T0)>UPOsGCK)3IaBfAIZUqsS!t&e%V5=K_p#p3BKXfdUVKI*~Frr04=X= zSo^M*G;PkXrmf|*QQN`nQV-Q=uIqd>Msya{12WfCI~7;@UTnKhcanUo<2~~RU~EhM zbU~wkt;~~<{rAi^-K{K7uHe5-*}*I;seZ=pfe}}6sb$m^!H6?10+wP5c!$PHl=i3% zLWBS0tyY z?H~7Vd+W!u_uJQIZ1$7*osKTb6u5`!noAa!3Y&zfO)8Xi`gJ_@99`*dl|MPu=;^-^ zZW2G#cq2N=B=QWw3l=+JGef_6rco}XOXAY}h3)F4c>idrDV*9O zJ~LP0qDY=I5H1-sAFO1$CU&w*P-!g;gXa00^WF4fHk}474$^SK(5Q$aaH8&yd8zb_ z4tk?LJp2hmXqZzSV?#O(gRzfS17YPo&f4g+4jPO#JhA7&d@*+2^>hr)%<)UII;X3n zzq`9DDOA@DcCyVW>7+oDsZ03Z_f&2EV&As5*$G$HW<^UWW@Gk35}QIVXJ2q~foCE>>%yUX?M>r~-R z>K2@**WB;xpjuRK&2IHNo<4Y#u|zt{`>nmFqqCEj|8%dr^3BU`fyy6Xvxchw^`S8~ z9=!-XGRLC~>k9H-66xm=_O_qt5ieQtnYq2g$3+I9CkGmVLr{zf=bZ@~=;0s_umYN% z{}?YQ`hY#?9@JJAy3IWh?ti|^h~&-C$)CvaxYTg2w+r$L3NQ;@E;_si@p*k+a&9`~y1x{ElyFz8=kt)nTZv{vflte+G1CK{!$AO`!%;IFzy=7;n;p-URS6seS9 zj7YHLax6I~lRySMw;!Ucye4X#u&~I0T42@(6jl210 z{(0L>Q0Yx4)A=*N)Qlvggi^#_VL)onx%^Q7b>?GKaeZ$ZI9{>qIa0j&R|wVdx~yPV zr4i~_qhvYiy9{FK8-+G(8GJ-1ZKQ>1D9RqPS3vWViP3)e73OrSTJrRviGRvnsA?Wk zy_zh4PDNvow$)}1MR#&bry&-7OP2R)%$m^JIU^S|pkFuN@WHo8t`H@d)oMWxK_gom z$%Q%Kk$lVKoJIDWi2;2;!U+2p<4!3TA-6^@Si0}kOg3K-a>?qh^GG%K1C+ETQ_MY| zGQUW7eQdiTUS>MB(=H4B0vm*w%zV;S!c|sQUCEem!A^&v8y{7;BmVA8)sHO=XsNi; z%?-bGon=~ZbkZ6&IQ;ee9)ZNcMQl62xF!3rDksJm{K9zS^z%hJ29sUGsMOS-Quf9j zakN|lAqRw>j9Ts`ZThF$TwR>Q>VE*6y}{&qSX009gAn$==pbsjQdj&iFdKKC7KCHX z)jx)-=i_wao+2JoJW>1yuyGe{-wMAO74wvX80I0wygLhAD&;dM5sW<=dyuYtF$*xeOLf zn#3Cf-f9vl@x>SE9{Q<|z2s0^FOX{U8?g~%=9bnMI#k%C7KuNzQt(&BD+!PP5C+qB znKDH%S6vgpWR!`FF&a)5;wZTg)fHp?FI;WejH9sO+}}(G(H=+>jOVu8NDr@Z5>zm1m~3T{7$EaX4;EDMf279 z)b61FFhbJ1#d3`_8A9{I5K-ls1oV-p7jkEM^yXoS8ssq%!`HY`ym< z+5&4HTz_S@Yoct)ILa|kJ7YvrzCXqOedEr#NgVJy+zL=n>^ZMcMibsgtUlInlSui?Y#&ax$%-*jgO?gOQ_ALI`vwzEQcvR&!&+-)hJLlGP{uvIGD-T65 z1O7=z8(LEibr`ELLPwE_dVx##*Z-~;x3f<-_E*iwO906HN?o|{*WU>V=h~R(dhZov zDzt)HtoQUIR0E4qc%vos^H+u1_zN&l@Q|99mXZJ(;;Br14Zzf_pf?c;!=pwM!vk%3N5_K zfMK$#m@9)C^x4$X3>r%2@@CV6Ah(Xd&oJA`(h<3cP9w|$-N6}OHX<7N!!S3 zN7LfPcmR93U)}CM|9kHIxbJ^HKE75LSBXi2f_naABP0FGh4))IgdSto@??0UmC&&8 z599Uk@*^gtrsdzKPEBFPw?6Zg*Kj%W1d5?Kg3($X*93ACxBf}bu$D$|&D~YI2{bks=Swe7JbZgggGzUu|br=p|LX9sf zbQLS`Ai=(n+0<#I9QJ!9k4(yr-_@;h?78}mKu*HWIj3wFWjUrW4jSzw=iC{P@{pim zG5U}NUK8(cZ;I=sf93kuyjTs(ZTZ>&S3ggUTKIkZws$9kB;DY{ zT0MPfK7u@C2dT3}*2qKjBBLE?11u@0+epQh=WyY-UapVb#?*5OoD)K4Ly1Kk?&&C#-xC`$*&*6b=H z7U!WwC^;wggQ@wr(vefk8CYThqpXJ|X(3us;;-(*B+*KKTVa1Y=?UADrgvZSdU(l<8dsV7SeOwu3dcngLsP4Y ztvIsv&Df}Q)iO~1+Unyqd-~X0UZstb zNzUJckshqxg`9(@zF!T9D6W34A@-)=0)Svq>7ua*dho(MoXCw>_+4t!K$zzGHx==qvfKc;6$p;kmQ z2YGE)+&Oj}V?>~`XQnNw3&pf}RP*|1Pi7K3R4@vvm&IDgI?sMqNNTb8gMJ&kKUbCrV~RO%2xXhDn`3DWG#9_2ZEDMN&4c+5{@)Z6a_;y8MJxmqN>*` z!1>k^X06{*#+NVKeU>h>!4u`RD_NhzE^=N-s^B&AnRNK&r&GZZ#t3m{;rPUW0}0({ zef__j0mpr%`-IaC^B-dQ(xgYD1_A5L&VJ^u^RM67YgAUE_&W6sTYp-L5up*At>yJu zdr13c}dqcArsW9&0*$J`8P$>40~8{%d85Usp73vDYy< za^Wy0&MuqP`dgn)iuyg1fB>&#B`U{2;~^h(Qy1i2{7;LCU#9Q)y+(mvS<#DML5$WA zT>IzR94@OZ>K=8@70T6Tn~%E$;?)Z>dR5^=E?Or-AjOBsWunOUgw}9O!XN3vc1(6x z+`U9uVt4t2fSTCc&&PYWz>|lC1v$f7@+ryqjSjjuh`U$|Ycx!H$X%u~t?cfGPx@?qjsqElXvB3}$edE#P zsQ5cwHjpCw<3s;2RJ-DmNe-!&MT{X`P%xeE<9EagGGj2)Pl6*N8rn=Hd$Lf=h`LMF zr(D()Ik@`f zFZtHnda2iXDj&T@Mi0U4 z)nX@O>yQ#i&WCrF{mDs6fde`5e47zC=hG9*gMAa^34dkUh=dIHm4Jjz$I%f|L&%dy z`KrPU>9aMC?bnx@Md1>TG1?`jVULnk-{S5)Sy#IjbqV@!l%GQ*#H|0i7{*ShOqQ4O z;3-fx(r&36WaYBFFKmE^zj^0S#(&Dly<->PT+RQ}TD4OuvA!uhgeCZApi?n?D_XVS zEBdtOyBQRb4MJ>-?ySw7etTpZjH;HA@KC#wAGvSfB6IKiSM$o(YK+*}EW)&ijHf0} z*nrq!K@ssGrWWR#xQHh^@vqA$cm0^#8>W0>AOt4U-PLX~)K^(4JJ0X$KEmsiL*e9| z8OQlHj<*Cf()2Cv@+zfr{=v1Vj6u*bg58j2qy`2R@dD*MP&t zmp3rww7^5aXWMc9Bba9M)T>lh z{pgCLsgAy-h?EZu(Pa#eULCwhW!&1;EZ)hsWO5upHr8y)l-rmRu#t!n#Fy-=@V~QE zZI7*~FRFU_i4ZMmvLG!c1`lmGaBz28{8CJJER(wQ~`5`1}Kz7Nh_ zPp<{td}{LJBWHh@KI(_=Z6Q(VD=dP93KH}e?^H()|2>fCa!zw!iI?0o3-{oREPZ{} zCIyE<-}IL7*KjBHmJxoG{MNn+z_1L+RG$Fjtb)5Ij==`!=fM3>ol8(1YMuBG6wMxe zT~}61%GQ|IN|Upq{z(nh4Fd`3z$!X83< zUPW-1{zS@v79Jo$dR@#$f3fIA`AXnX`lbj`ARzXoy_3Oyr$3lKXcXoSG)P90E-P2F znN|t6Hb|X4u@a5lQZ$0o9)@Dd_$^|jm&AQ2O%} zg{+e(&H`|dsN7HUmI^K~u?ge+BG*9~e5k0!KjAW%VYq;u>aC>}LAN*dF>sJ7PSWA; z)c;H(2jJY_1xUGf3#R3O*Dbm&o^N{}--aK)zxMv{B2J{JjLk2Pz=6`t)|CUu!Eg|V z@)IYApiCcSROH`Bh;V4f|<3UYaZ_M-93XroA z6j?ptmquBT@y)!)-v@R@7xALAEpUpG!zWYjupw&qe~gx4GEv$HkoyQTjf8h&VmMc5 z_h+2SKMA4qVk3P}ecuLO44ZaYeH{8%-gB^_?=4UGbe$P4TYz*6~79| zYb$z*VF^w&`a~tZ*XLjb@J|r+JZaT|<5AroHwmHUuR8n~ z*T6c82DToZ!|$7ZA8)H4z0rrgAChJBWSr8#?aX@=p6AP@;`wKrs{0Y2d27E3|F@n4 zeimkC=C_fYpK;%p;GZ(k*jQhSgDFLZILF8X6s+X_CR8Stx6j$ifHsIO!A}RKMDSl@ z;j^hRE8ED)VY)SePl1xU(;`k3#ydQWi+E917*6=8S~J!H-eL*{;KL86s>RF4aB>ZD z%YMVud`Ay=pmgdcy-f0fE=ePe(2r2ct);VFMc^GQ^f%&2rf0CLNFTqKsDUJoiAdy1fUXy}& z)bjzA0+L+d^RfHa5wmw&n>&w6_e}(yqlG)OVA@?i`aB-^kiXd|;qy3i39(0vbCkFu zqm0ZHB=P0Ns^*_fIn9#NFDALP6Us;foxjW*YQ+@G-7}7~&B)*_Fv>862ko`1dy{As z6})ctMp3*bvAtcj5>nUQ{W37-u~lLo*=n-_8ozKnT5*`7&mUPFPPc@gq+&W$nQ@IJ zGm?F;BDXJiufU!c8)5_@=sv^=o(X7#&{KuwShrGf?DbJa=U0YPKm_hUD6LPCQ?mas zEvHzLau%e_b=5b(F5s}a(y%ngG1^>k#Ed2ib}6)>bBW@h!77N-t)oR4NgP&@2y-nB zf^F(?E(kPRaxW_NH1-!H7Yau04i~HjQ9<}g1s^7zam1*aCS3pdE&KI`yWLhVNue>E zlev9vH!HN@&d${#LN;LHkFFK(r6%&G!igZ^uWzTnrF6FO8|NHaUyJ!uinOo_E~Ky} zRS9MI;1-g0iHbzX@iFPC?07n4=fF=sMzq}JgZg6XR^QqSay+58?|#S>ftG1;ZLHt5 z8yi^PI_OR@j~ItKc`Q_J66oe?%UgVgBVN`Gmg~_vmF^O^xxNh&Yw2=PFa?q_NMHD%lY1ls5=g4UpjtkzuN@ z``0rzDYwa`MwlSZqlBUwaC^!)8!WF$lBD!-V)H822%{@Ufa`x7r%oF>g+g{SXTda*A(8zCJRZ~?V zjlqf7y>ys#hbrk1Dwrf!-!^iEYgnB)a(kY;EN4QT5Ar{6G17WS$tZtYLINcqnX}U1BSHxbvjjxB+!dGr%-p z86E|CXulin#`fL1j+rNvdDMtl3b;Pn@1`iJ9L!Nh42n{<#0Ffx(B4cDdceYJpuX?d zY5e{U8=uH;oQN+z^#5{;}bNBQ6U4K!VZEgr5zAl zXGoaPGWYX$b1*@;*+11el>J_O0EM9OCj;9!0CUHdY#!>o{r=8V{4xVOWU476i+5zb zvV(w)44%k}I&x0!M9X=w?m(T<3}B;zxs)>!m+sgc(ah65Dq?WmPU**F;a08%e<~$X zcf$wRF6uSHMBiXWk|*JD>F5@(EB)p>+&f8FuA>se-sP_^0USbMXgliYVgusR8i;H7O~LoX$8*jS{z$wh3piQ~}E*(ZrB- z#~6%-0))oA0Hp#D=qBxMq3ucvPXfcp9HZO`nDJ0-!3WwDVw_Sh3U9kg`{%MoBmzT+ zfBqarr`!*jj3aav_Fot9_j!6a%)R*@oJ}T6NkES9w)#^+s0;$Z1#?W`Zf%)N?nIcDp*v`bli+Hpax zmc805dy5^z+qHK8Li0+nkISHBY*2CV0GEECfjreVOhd0OHYMeGDMd>Z8A(Z8-Ty`%ltEqgYJ81-GOnH#_7QM zGyP7C1%4Edxv1T_^2}aFSZ?P=Kk{DA3(rkzSe{Ru)<6SYpE)ntJyg7C8tWbUy-^P$ zApIsHlPmZAwESaF%d#;10~HfTGmC|i`;-mi*~07SY%Tu2{j;gk+|cB~3;ZLvX@exBWXV%;HEm za))ZpXe9O!po6B-#@!l++OeKjBYuWiYRFST1KOh$Ln^X#Q_8}t531j?bG42+tDHq= zuhfOG*IpFNcS&b_-=Slt5-kO_LyJ9_U^v@4o$LJbRnEJuU=XhXxTq*|pbRdC(r}59eAx+$S2k1l)P8&~_P1vnY z?8X6SDf`*A1MP$$4mS~CX9)IjviqXg&fOOyOP!u}eGAyx%1F!~@NK9|3PeDi_w~+3 zH%I{xAD6+r5u&s^^WT!Mcr5^AB9v|DpT8W2IN&_G7he6~8%satlJ5;CX5avdVAaj^ zpbL#+^1C+VsdDNd#sESPR<8`;ZvepzjOl30;e2UC@a4OlA^=D<^C(e|-VQ%C;j@^uPte8O;q>fd1>envH&M4a2t zr8u7!QhUdPJwrXbaH5oqL-i@+pImrO6|ByqOusbPS{6ZWna(?NVP9=wj_~6}Y$Vv{ zxy7-fvBQrv_=(|pyV*($*?^bn>oX;F+Wu{Q&!yU&gC@S_gPF*G9K)qHzJXx8xfTyGd^) zL2Yczu+|9+D~SBGjRg|$VM=~3(r9ia2txr$#r%+nkj|J`Q%ByxSH@P0@^}G$Jr&d( zG}}ru#OA0bhHHv7lK<0ru(@PhpNuk)6+YRQD!$Qx+zw~qF~Y-@FE0*wEH70i8gcJ6 zMn^0NzUaw=c|3t*DBLF??lqE`b=tp2J$b+W0W=?)(lSlckS{mQOn-l0{`+l1Uq*S5 zdhhYnhPaU;VyHdBfzM4DQQ{|gAHO*ig=Z31nbmgD;u*EWj#bQH;zA zwMuTzD{DbBnRzScyuZ^j-b0wdk=u!;iTT?$f(dFjU)c>X7)^2JQpgh-BtWFX!jknN zGIg9WZ5@N^!>>zhKwT=_l<<4x_pY;;Zc2wE3&C9ZNSrK*p&!NeBpFoGGN&iDaO{Bw zx4&XlVX9Eg%wOV>*HE3b&wry7=Rzki2Xo;#(KI@>AwJ!h=sBSZfZgEJ_w^#qfr~*;{E^x(r*ayV>GUg*q?;tY)R5c3J>9~0}jP~xM7e??Y(VSHMsKk37h z)nLA~J?m}ubBCq=HR1p~ZsKc0&9n{AeQiAx5UT3a-mO!!oYs5W!@VX8Tz{KjlX{A@ z?w-iA*R&ahb>yOA)k7&T88azCT;-16@VNT?uY_CP3O)5cu~VcyXB-HkG!k=r`w#%S z_B-$4Ki&9htxHT=P4YV8@o|icO?hzzoBp!Pf zfE~2Gs6~m~C%F3fJ=l!M_l55G68xEvazZt5@W5qOLe z=Y9v}(yM3!mLwRRc!{3}z3|tnaBojpcwKybA~~sq!r~lhYVynpa5fCrAhxh$AQJxgZMF3-7{&5KPxwj&n9>UeON9%fs!hmuqf@$WH@k>dbA zXHQcOs3+xehPzqm)?k6QP3Z^B*hUC9LngC&^YOi|cf=8FN#;8~ZxFf{Hf)epwT#h< zpheUs{U!ajq8jTlfKlLR^|eX$KECZS7yJC71>4z=W^_ok?{!DW6cDlI=yT?}PYLl7ay1!shFky!-=D8;b(Q}N(Tgj9f&``z$>$r5 zhBhL$Gc`XzD79TRHx}qDK^lMPwDT`Nw9qy92-!17 z4N1lI3;iZ6pQ`qNEEsNw%lA>di@<3 zD7OJjAo)F~r;K-(KPmpCHa^lXECC0Ib}TMDU2-)H68Xt5j}>y>{;SrpF^C5 zmJoOX_5<3fm=>sxNf4zbUx@!KvkY28Cy}CWU%(|JiMU={BmT+h8I59(goAHZSB_hR z;JxGVTMA`>LJ~}&hh|bWE`Al0n#-FhA?Bn45WMt$1=b%#Z&!zNfx29JzZi5xjT^;^ zkK6=mY`IVYOU<2(L`Ym(`)cZHuCHOfBEQ}DF zLjWt3C;a-PYhX@)X4gR1nS=Bmp===m?@u?f*tWb{L~@X%=rh4HHG0q>afBA}x{X%% z>L7b2*i&|B9b_Qt&(4;U4rbLlreF6x%{Je^*eLY35Q1LkYq)p}Tl|%W108bxElREK;JTWSL2XKMjNNBxWBtoWfR(ft_1!l>JybvW z5JRwB2(LdoEp}R=C|wG<3)}dwoVkjKzouedoXJ4UD7yW6gb|VZ>ix;V4!O*y)Km2T zj!Df8qBt=7(HpOWd8HBRmdWl^KwMvEaQUKz4Kf=W!oH92X!!kaStHD?fc=`@d#LlP zrx_rf7E=>Mv9Uc?Ge+^b3w`ByPt7K)dk%{r_Uq3qoi)44g7AV}jI{$h6rv=|myHw7$QnJg2XOzpZ`hU)31G0|c6qLr}rnbLJ>m0ey zS^kAdh;iYzwicL<{>MwC=_MvM|ubY0kFUHG;Vl!vK)h8sB&x& zK`iS%slq=_fo!}zl2Ph0g}ZbAeH?? zF;EdkTy5Vs8nF$V>ltl=hTGjrm3^#`P zT&EofC{=iEV@!efP_q0=fOMeE(6rV>inUmTDql{Oo6VrXv6W-bfsx+N2;AB2SD0Q1 zqN%}-5H!uX&jtHuRpC7=+zpyO1_=Wt?dL{uELg4rWtgVkE zHmkYE@jrprbs^*@YFHalq0w4C6kl{u=)oLXKt>U^?^F#4&b_6?w)+y4c8+k`!J76! zH5x$eD@KXfE(6is>$$=(L;YjqJNbe32);^c{Ae~bS<5z>qO)CotZz#%TS;>p6MoBA zJNiBuRo(m89T%Rnv#lVmVm3VCtkeWrWvCTs59D_IC>Pcsyoq><}B>C6WxXx1n7rXP26A?HO+4M=cFdng^=9+628t}`lrNITYj1>yz!@JF9q)ZJLb@jCPWN^uZb zzfNo%%Tx`#_qI?#KkMXi)!=bKr~~El{!?~gGivyM0J}g$zr2{KQL&mh8$(?7TW1$n zpiKo>r5Sm}J>4GSEBb?S7LtzuE;!^TUOYwd`ibGkZjDAmURy6Ip6#P$Kyj);;LS4q}P8gNk0_BGbRHr zmdH5{)n*gf<)?^k%)oFs3!fL9L1P$Tu zx&3ertks10E4Lr6fwh_tf93YWHLz9_;;-C(xCYj0Lj0B657)q2 zO^Cl{`{7p0$=(=!iAp+UMg+rH8HTynMbAUeXwjr7mo`-IBz3?w@(NPohj zDdDlwG>ZBG`AJB^KEpM@Myu8D_lF`@B4VxYh+mRS=N-u+MinE!wFtrfvIsgyRH+Lg z!&j&iNbJvzti(RmbU+n*HJx`t`!_U2NIAiz8Az*jI$?wk#JLe(rc)Xl3Z&84&eOc~ zU9~=;L&)7qT=xKQenkDi)1F6j!nIWwD?&*+u9!|)Nc!GT`$4PqSMv7V>A?(fh3rrF(elg(}cxh zw_N~~E8%`;Wcv>0bQ;xS?qA81C#O7l@??knL(E`MZjRgq>PN4g-`Bh!>#f$KM`X`e z;$vDm91Xq*nWj8arsyN`(Wa0iA5O?&PQRMn9E4)10z2GbD5jfPw5ZLAxaerHIg3Lk zm8Nmnk=S6zw9)ZOuD4o;fZs|>5s#y}ue^08!37nsK>)KJ;S54#_^PIWoSI$4Vl|V@ zM)1r~l!SuePO=!Dx31=xH&)Rps+PI3dHzCj!Sy5;LkM-8t=5k?0eBVW)|8T%U0C#n z7R*#~t^9ym23w)nx!Ech?!@#yr995cZ4kxBG1wc%Zqy2P$WU?^H#wh0F_Uz_Bd!fL zgI#fe>$nF>M*c6;e_a}KXD4Lm)xI@A=dOKPtzArStwlm2cFrQW$(LYSlr}=d;14#` z)`A1W=cv@Ao4e381ED9S0i_{;U>k*uB}`g1DgPIY!SzTbD|F~J3){B{tDYwSV93vT zI5VqlF@<7~sJWOKWJ|*ac_e|yd9aJ1Dv_oBF7<1PhZxm_6;n_Yu&W|Il_HyIU@jGq z-AD;HoT0%pGwKV27}YQf+cg+~xpp?NmO`oXLd?VNw1)?7wXEepXrB zX|2|&AX5<<{- zWnkJ!K#ti6ohD4tk4S7nF$BI0fdREFT49WYoZ6^Lu|3zlBhH}AL|k|t7*oVa7=R7K zV@NJPr#ib%U2qnhr8cLVJRV7^w44p~Ofv6aD_kohaqB>r9Xqd^>vmPMT7juWHc2x6 zG#OC*We#;^_#15T4NVNI#}yvBmd!Am$NCEaGCRtGoBd)U(9+vGBTci0kqAQ@3L39$ zkcAMW4c%@QhSoM{1H~_dJj0CYHZi#+IZ(fpjNKc&TU76~z$~(9EkI8jC<+GbP{zY{ z^r0y;LUYSL&@lAxqr95=S@7`0L(L58gU=ccYr|jUupIbbKGcrA9MUO^_NZbTgazY( z{Ml9$Dp~mB%S0d#@uSi=C6{ zOle$p3&q>pHB$IN0a=ZWC4k%PGo2SM0J7L?5$w`qjV+0>;ZNSCA@ zOVSOQhck!GrmqwHP@wXL#@`BEO(z*~(GF_~Hs(fplcbd(5tKEW-DkU; z2FBN*@u2#QBwGU|4OIjeZE5P=T|HVZi%=n)El!KmUySKzZTMVEnJX-CQSd z>2GGu`cmU+pT0h6wN783q^{K#r|bnyDt-Wl4pLg4PQQ*+(D!);RF_~-PjH~KLNW>t zBVoo5;%QdJv%9p!2<4PSiiF8%?n2y}4*j9}W7}!9I(ZNC9p8c6Rtd;H(o}RTL4yfb zvBIr)=jsl;2JIXLSApM0>WjEj=~r1_(f3W=sdYgu)Ngq@s-0Hr3Hgajr8k^qGm7c} z59~z*BXdIrVzko&Evu*BGCvK^Kh%+H$+j|PF_V0ln~RQ)RL6erbj*R*G3~wzHchEu zC@WtZpbD?4DeJ~!fH|G8cq83HRoGQMc2rUxF*)T5c9BDyS6a@nh=)u0mt{P8)vkfI zovY*)4~rX6^54DnwMEX@yq$q-{`f0WGlSD+mwzb2v6Bx34e@4G#(8B0jbNCOF62Mf zQmU25Ewv761C9Evfb64jJT=l~XDrNwf8K)SC+J0I+Y!@WG_|xRF*EwF@eNqV13Rr9hrorBH8^^I=)HWg?yjj!%gV5ysI=hOw#hW5t{uay3`G>- zXOMk7M)>TdN)vD)f1+SW@E4!*hyn+S!jWOb1{sU;(H?TXKZ^A+%gH#EG|KaV@ctY` zVz4=-W;mNURokZR%P-x@C|59_M(dVgOQ+q+8ktj3!6F!yZW#qIX!*|>lictUCk!WO z&#d%gm4>i48?g^73JeNPfLRBS2_o%g2FIZC3d72oxR7GTRLr7O(e=qye}uAeCuSEN zJL=9krybhC35H{OJyS#4D<)4-D@J4-i2;o=6JZb}p!iUj(SIgt$YLtFP#ffektv;% z2|X_!@LDodv$Mnqqw$cNrp)%JyaWHflY73eE_GSFIIpb!Jt4Rbq*wfwwR^d!-O4_4 zh0+GIE|=6;@baP8IIpTv@$$U&eZ{nVU!JSdt5($t6vuQ~@yb;6j)}D5$!yRWIvltx zyxOuAuhwG`RY@6rb1j8!3=6bD z)NEiY_kfmc!6tOKM>bc1`O}*js>lV4qP#K$*psUETw7n0fLvY856ZnkjAmYq^p4f)y)lHLXxtEVXnA2fbxus4QF4 zeXcB^%OT!l#k1*vNuQo-vuYi?Y&xw0sPX40O<+%bi)CHYylt$-N%&9pFT&+iu zyCzIG033znC`-h1OL|SEg=8f=r;uvun1hTTQpB=o{mrs5N}nWDPaGU6M;f$RN14SB z3ZY~#qI`-R9^6-%{moc{+!}O^X;w4)3{SUbC;{jZjp${j@8`XP4YK>|$p(yg%42T$ ztDxmLp^rx?zWu)TC_}z=qA-(+rB$d;!m0SMM=%LV$Q3M;pJ*wS>1bqx0Lyj2z0ecz#Kzq;G54{)9!tS%t3mX2g^}IX$VSDq3;Q6NYSNvg93ZX}8GvWge z>(%7Z>u0@}o!8HvJzsZ<&y+}`c10+hj17{Y(F=HhYrH%*bMVgy1%N3C2xu*qw-qEK z9&KF_jn-71sZD2n#$?9|Cz~M~MpUwn9Y6<%`Us;Sbmn5#8L%;r*AaUSMXSq>lm@u5 zsyc75=e^(=`498Yb5EB68g)IBaJ8R@r=T0Ry3TzT&pjvjEKU+?#&s`GY)8nT8VcK>1K6j1ir)9o$02q2Fnk`1|X zld(~?in+W`uTY(AX&T-##L*lDKb*moH5t3Gp!r--b?jAuhYuF=qA(;8oo5oTnCWDu zL0e6%5%Xvkx&4BhZr_@q3?XKRzF;gS< zYCF%&Rg2@cb0QfzdUtaA^YOvSr}rlZ#~azt{U5y_N4qB{zrH)(_g)>oJv`n2@zd_{ z&nM-#zwW-?KRkvxKl*up_jETPyY^yCvZ;+nSUq&Gk3;j;q0`{iEoxv_rFPLlsS|h1 zL1AXX?p%x2sYV&-tXUU1i_=V@fZqLrdnsN=p6ISZRn7Ow+iybDVc?)C$+ z3s)Qi7PAr8Sc$8`-8EO9VV(#bXP7zb4w%{Mk`6T(Ccl&b#U~R!(q^U&F-c!+fGlHVDaPTZ-zsBaiJjUShBZ<@ zOEF6_y=*iGBTy~p2s!Fk=4J(lRyx|LxYVfi^nKN)GcDR1HEz#H$~J11?D=A9GDQ|J z7*3`l%zs7Y&pwK1)>2C9H3S{I5g@Z;?PEL>!y?n2nx;Sle)?nrTGfF3NEKQoZ`3tl z*hfPo2Z%6UZQH!5%Qcx$XJBGZfq`cg1LtJX#_*M++O5=f@l~%IJa6Sip?xl2ZJMEM zCS&tY%V(WoEJsvNY>`Y&ePY>>BN0AU#2msg*K;dNIYT|)2E!b(z72+};u|OY{qKJd z+hRRWjkK;}v z!j6#zHXpg(Iy4SDG}gT1-mC|$)~P$qnl=7n!H;lMaqZ3YxfDpT>C1Xx4p0DlT<%S8cJ`$&y9>@yzuz-mOckQ4c z#E9;1WFKP9OCN>A?*^X2M^E>FT+XQ!GjlRdgfQsWYUR;F=J3K=!iJ1SNH-7`!lV?^ z9C;D7yrMlb|G)p||5e~TLsI<+`G}Fj^8J$WjQc`f$!r$cz{vSe_|-c`bV3D82k%PJ zHkQ0k#*&5r)uDc@NX!hQM{dF@neEG~ywVG!DfyntSYQ+E+l1*_44=scu}>irk`kzpSaTmMlIyn0jI5ZBCej zBd3@`0cAkd#5v?RU_FPNveLskmDPHveRQnbf4@$-yx((`sz&_k%+a>)5CXf zvwF_m2SqVo?pCvb(p)=hGBAgofQ^_UpDM@j33vRb>YhGjr=pwr0UYnyJsenV19`F3 zG3PQA3qt~tu%8Oj>zc#3)%y4@CU3<#u61vFgKTxTx*NDb&bLyg{sNSBatareP7_c` zZp=zqTJuP0s%NSrMjbt2okWU1*if%q9)C*z5HjTrxU$SLTzpxqvJ7kJd}+}7pQVZX zVU(yjwuh!=D0n;+G7-`l$z-(OD7#lSqKQ%ibW&O z?jbF4zC{k+y$)KfCr^F_3nM%53-G;(HTXe!-U_)%_&=UJF=E$|GiI}|Rmw7Z@Pgqq zP51{avqR2%eX{0O+)Tq@jxIJ(X$!#Hc60AFWLDPE2Q3P1Zk5}Fs@ouotq0`e-Jr8*e+zNS$I5na3fxxjCE^@$_z06@Dp;0oS1D5*E z#e|ZHm<S$sA+}?!K>k;`;G74&AOI@9=N;5enedKNX*(R{gC{Dv+jhifcq9S_E z`u3A=Kh!6BBE@VxaTLgM#K$7Cx>3Aiz%kfUIPKhT+fdbfr>38N09tbovHEx>_dyWM z%xb}KTCz-pI{L7u(n}f$Wl$w_3hQ8zB6()YoAUIiWJ!62lz+f$=e7JbY-*sQ6u5|| z>Kez3L0%EAd|t4>zLWXQA3?Fyc$Ja?9iGh+bGo7HuXDe*;fNg_rtut4K%p3+L+3m5 z4)~wab)K^|w4U>$D@@sNCas?zjJT*NM~fO#!Na}!Zq2FD$4rydXtu0M_xRP0Ab%(k zCq@Eq{~4H(csH3H$ANxnlS^Wz=lN68>4a=3LbhH#nh$%0fh6Zc(uoZBRM6ZzH;7kR zhZ|Bv>=oj1aco?(sruOcJ(x00VW0-GFYR^YgZD9{K+&~LQ*DTkVjAu&xb+LOW&!<< zp=3iEGOL2GyO^*63%ur3K$Aoff3m!3%{Pl9d~31Y?K&_OEq0ibHM|xpWQ|%WpO=ak(T>w_ThG;O5&a;N)jr?(Y6`+*$3{plScuU`GtYEKKRghm$@6G9+ArZMwh zs(w2aDqv}p>1 zSt-?I%BXdkFeLnf$`I`TsOAvZVD31!@r+6uYsPAY{FI@}2|`x82HTTLF^fabYPtgb zeH>rQg~iE}7BY(H7;(p`MzFbX-5omVd0ZVQ#Hy*$&4v=xq?lojB5?t3ELK@gV`7dO zw_Ki&I_ z3$gPTkM`K9_)D)ByfphHBN>iHc%T-aF)8V`Fr>0gH{c_BZTxe zarnoULm{M_wfo|^a%*$y9W_=Qz##2#m$dc+;6#opk0_6>d>pk7q!e<8yg&N+cz6GR z{Iq-c`e1*@-902!4=1Eu304~^(wULMPwZ|wVS2~^fv0U9*7{+PrQQ#gEIBbOP91B_ z)=%|pr85(hh%Va8nm?;%wi6Mq!~RR>cK{|2;@tX_kWR8u1O`C%iZq6}Q+D_-f}R=vZWyKpD?t5T@9!Sv zZwUQ505Ynd@#@ELMv)LkbaoNYY;+?d9s&SdD>4Qngf&Bs);BUno#T)8go(wjesSC)w}+}4Id^X`T4^y0ogOaIZo^655EvJ=>YwpS=a(cIFO8o9DegXnkif%Qg*7_+v24l?;LtY}i{Ah+`I4tpi3wJ1yVB3}(~B z1u{vnPekpQ65EbK~WTVQq2H(nOPrrVuNp3Bd=UgC#ZFloq6tKue(8d z=#S9bGMMLD-3p!szfG&G3df9O7W5~P6x;bKI)SaV@&0cgzwFw&m8X0rOQ z3`9`)?vRfTOD`@ie2aM@$D5!)-i+CW+U&jj;pt{35jH5ij%J2SYuIbIDbIhCKc4XekrVJbkQr?ilC%<$?GBNxt)RHi{WO|_ZAGXidXDx2;TRa4EQwWjnUnIx(l{%*JyZF%}N!@Qh^P7MN83)4OnJ zwK84FlP8$ixUf~=;3ZFv9Zu@}xz`$KLPcr`^-t*E=M; zEU@9^;NsXFb&)+CF{+xaxqooFduXbjI+vEru+JQ}S(G45j8_Up2&WD*2v)yU>@TOJ z>-B@%?(@p=IGt=>F(Rp9g+s4gAG$M14!HTRNJv9VVSyVj3sX+O0$x!sG>a zI}K1_?6QNx@r|~$h745Q(o|XLLs*1qqUT2ZvAJ;rn{$*^*Vuji`rWUe4&EG{{v*2| zoZGBgsg^#&K9rmR2OYOMh-iG~8|68FJ3s0&I7Ogu?Kz7?Vn&g>L)i9qN6I0r!n#!?j}AXK3F{% z&7ue*B#{Y=5;H4S^9PeI1`N(bSL&S&0~Rc>3+ThB^*m<}fbrdpRAu|k43e{p`|Ksg zamoN*+*Yoj*PQlxE+@g>wY)*d+_%@8Auvq{_cJc z-sBD_??MUh@04Z<3QOMoyNm4$765DglY`?AhkFN~-tN9R=%a*?hU8!Czk9u((Xn;6 zfju=|#uDTGOGy&S*(zvZEg?~Bnxv4#0vPfw^cesNiuD_P85Cw9w+I6kAko{g-r4O zhE-xwO)kzmiQoO*YXKB}gYZ zwFE3=pzyW^rWu&R)hpP}rO0P*2{T+&c_{G2tKAaTUl8+BLm~(04`OVC466CmSv{iQ znevY?!HWOOkVLyqX2fX-7He^1mMD{LJr2u8&UetJQZB@9WO&7ypK!RFtexHes-E34 zKMZUII6ZoCtRgX_{=Mjijh&fIUA7cHi@cUIDn-UIB?Rl4!q;&lZUS<%=&lm7X&p}3 zlxF^pK(W$;N|EFKh?!@LLXNpPk z{^a1eTmn2>h!hda3bWrnpuVmZpqJi#KsK5*Hw?v zOy8p6)YK9emWA@_S{{hJ=0g@M)@tpEWG?x5qRD>@MKb?Sven(%aw0*iWy^&G5@Eo) z?Iv_MVXlP@Vl}tsd`0WHw*Ayz|IZfqc+)vLTsVg|AcpMokR{sbVk1t?zD)Izwut~N zeM|$Ee4A~U%-#8DOA)Ful%NsftPDqClpw!FSW0caKHNKadveg(GJL@MIATg=*7Sq9 z3!@KdGwFrlYUx;7*99IE8$8);xRJh~lC@G-%G?CGQE|`L5^o@AOxn9A?$k;J%Wlw8A?rLY%4hM2NE;(*CWTNY=58?}p)y zI+lt4t=%pZ?_4lLxOYgq(`$d*oe%z5y#K96uH%J4yh0yK_y4nQVgGkuym-_GfW`Yhi6YBI$r3LP8D zE4&IRShoMW+fNJof7`GG-}e6mss z7J~wzL6bNdhG`Nxwm=@azZ7zBT&RpR6jrTW9>HC9wQ#kMasXqJfaSz^>He=zkk*(c zEZhH2yIY0*|8#rn#kc)`7tcScH>kBW%;!53GD~-cG{9xZqmsFld?5+5ys3D7^S`(C z;@keelZWOt|3j+TSjhPfIn3pkZsmhbwP=#0KYKy18+2QEX>Mbr?vmGhAgP@D0jx$s zqOTLCm4N7fXn^TLB-`C=1O8bvy3{cPjk1$S%w32p4DS`RCSuBV7Ma2?4XN1TLo;sI zgdb)n6c@4K0MuqA#zLheXG-N+ki_HG8JmOI-%hJz!D@A^SzN1=8pgFcWHgJx7OK^8 zkhZ3jJ5zg8olPl^cIxc!iA`YTZo=`G?b5mXqcb=e=+H|1O?C|J-~+&iQl)!bTgR&Yb_Rre<1(6ShO1Y<~IDYMElK zV+Q$9DA<}2KR`5w*vBO0tv~;Cj>4pk$P;)N1Ic>=(?Xl9g?y+<`;5)or2W&ocWu(f zW2Q~kBCa%P|G0bHHvj)W+w1G3^W{qmhV$p29T(JpNe`w<0#P0%3->`VJsD0|IE#2Z zKE#w2`1%0ESHtQ+3R0}Z;vw6y3G~3F`~a=o9J`E9hn%tb4*By>0?CxWeDTsAqHVB{ zhN1ReBbYn6{D=lBN#ijifejp-YsvIux*(V2pEIFZ@vEuM;?TWzb~wG3`_L&bB;;7A zS;$7~Xd1ZPb;KS_6?YyrUq;{Q;*`m0ng{kPTFV8ica4Qh*UaqpHfiH-xs?^f#Y33* zh_HW>z;x>Rw2;HsW>h2a8f1}T`Bo8MR%sP$=S(iJoxNF6=fQl-Z=BC%q;ySq` zF~>}ey>5P+T7-^;CTnOkl}*}uu_#F-kM)SO%MlLKN;~A=RokEWQgsqhjL?cm3^FvDvP;)f#WK zLYL)Dw&E6RvcVQ?sTf0P|^e3YJ}HUqW4 zxr!hCHvEDMN_D(qu%Er(?tl#T{Bi!0)ec-Mu7lc^{Y`CqxtSgsi6$6lE|DUU9DKdg zi#wOgEaXbg;GS+U3&%_c&DJcjxmeToax16U^qk2(F-@psr2SvLV5`^Zw#z4fJst$> zX@hWjlQwp_dEOf^O?&P9wAPhv-`HH)B(xUrX0udCT-$WAUR-;w(kOkZ*?eU=orANN zz!lu&)D5MG{}6+Qljcg_C2kE2yVh)~T+y4Go-8+e!x{1_G@hj1(>q5h8~XC*Cdv=j z+-#=u0iN$}sx0XDF-bOucf$#CrE4a~9X__$f=^xxX{iQ994CE02wUCp57+Lvik#jE z75+ABcYSsp|G2xCh4*c^tK@(VSD-i7Kku=_nVtw~gW0V#g^Q}++*Ixz?>C*mp$u1; zzw4tOO?Za(D@|QZ&E~VFh?X2LW)|@T{iv1x3p^ zFK6W});tTryd7)@U5sLqmpx1~A6yV*43}vQ&oE(f7=n(6Mx_1cmoIISB}NQf2uCw4 z$S0BZ4OaS+joD{Vi20F||NIk9k-9OEFJH)j4e3lVY#AcR*^nV;3{44LSss)B+77mD z0Bwbd659|{ctnR7g>EEfaoEO4fTUX^sJSs`UF)&tXV!~$qC z)iuMnUqHp2P(2B>NE1YNyKU0Ogn#KDZ|Rh^NgI;eKou<7>2}-M!BHAv@3uzRTVaH~ zbcCg$*nMhawFFss($YwLuu?sI#fp@tU_F1uWlp+dXE&He9|Mmtg%?J}-bja70@op~ zW0f>=T+8jQfOO}L_bi!x{+c3G?U=|=jX64 zhA8zS^Oy4WV)p51b0RJ}T5M`5W`l^Si4YnS=)%eCGWI^ofbSssbuK16axs{AJhtUs z$lxo0`0s^E_VzSatc;MCkOb{v-DiD!R(r0(|A7zR&GCOvpFVq0;{STz{J-zyS%Lra zM1BldkItOLS`w7l4~r)7Pn)a}suHAF~RYjtiyC8&6R4HKx@Unf7iHTW}+CrXXbyUe(m7 zy>;~d=A%MmzAj@#+W)RL|6T2XAxy4Vab5uIdaVewamvrJOQieF3^AS@8nWri^hd-u5=?ziq8&Se?J4 zZi3>uQF%COVLgh|vQrpou4Cw>W1Ta>uDdXf+%Rqq|CtdYF)xvov<*A# z4(bI+UfLNqj_L)Wa0z->jAuEL+pkWrGc?)#om*&EqTaZ~E@@@C8`vNvJ+)3Es~SMS z^Gbm>3H|cT%elg@gbxB-0$TlB#pxOq{RhJhhpu z%x8DCmS%2p?1YHx6`-ZXN#!E%>UZbWlDpX|8P-u< z18?Q=81PXc`)(F8_Z?QYCs}t~H;Bh1OP_*K+m6HXN%@@2$-4eV@Sh`&@5FgvA9wPs zp#SxFIi+bFQW>KApQ9HoG63v>Qoi)+{JU!B0l~kWAbJT2{^^jB_V;bl{?xuYP&A#m(JYGQ zBEd%rG~YTmef1RGpPYn^Fz8lR6;;Xpfx*H`)^N7 zSBkFNAjDW;Y#xuBE^G@5r` zg!nGDH^Pna)f;Cz9oS0#=uF3&d%N-gi&&Uz4f|aM*%r&6OOX(@R4g9Oze-%Jmy;12 zGw?jbbTL9qH&zvym9utPSQ5*8u#pZN_7n>@zBpSjCV#Vdoi5lh3rpR=wn?Wa-&NDC zQx)>U8+_H*Yj35>R&Q=g-S@GdK3C!Y&?5P!?tgk)Tc!Aq+b_D`_`f@OR^b2A>mOWy zOEwqKO@}8rQt2*KPON=x6eCW;8CjxpxKRtcc*f7ZI6^`8kUnTRBrq+7LYHY2&#;`3XZr%mT8DNk_nySKCSg zZwH)h{MsKgn{LsY{B@`@pu@8ZD#Ppojz?V20~o>gJRXVbMMi(*;K!a}R!a-wTk&Tz ziE)Ghe#jKVN92NGj(f$FM_swziqb;II{FpyK095(lA?6;lCPFOHzGR_Vd@%G2P0ISF|cE7e?SxtY(U(rh%PT z7~?g!aVz#sKJZ*==j3bT&6>(BnjYWKByonqp5>Jp%PYd;kbPcM>$`N&^~O_6x0`EX z`EE;{xP&B1S8rMTSR3k^u@<}YC^>EuxMF|Op}G_nA> zfOJb>@#*H6E26Y8=)Pz#6k4v>3>d-MpD5A+pSu6T#{Qabtw@%fr;oEMtsqMqgazXr z!-lDUM(GT<1M;hpu@gQ#v&o;*Y;e{n$nMV&8^fXEnvf3I7-aO)j2XXJNXHg8Ln3J$ zifKA=*bFWw>5w0Vh!~CYP5nAyn6yn08iqv8rvriaGYy)~B-jc@r?4I<$OCBx|2ai@ zm?g16=EmtC)NEk&r^|d4NvE-sV*OT2iNSX%%I&-&?Y1Kr-?{M=UT5GJ!;hvPTv6As zT{*9OuS){E(rICfqer&VFG!Y)v}2}uq=GTizp(jFQcMjd`%%Y@z+OOiZ_{QhT3xpv zTqMuhj-iC<`WKI>0Mb+m!@}Mz$uQhyB*fV)A?m5;e~*2Uksu(wCvmMHpYSFf@=vh1p)?%6PXZ8wazH=+u}@GaeoLjgz2D|wlh zq3V>^=0k;xGP-_O55(h!ZpziXek_%H2uI+dgQfX}<9fu0+v}(eiV##G(>AkUpH_Re9Xghax zINf0Ans3hyJXg~HYa!{F-IV`FulM}vH~s%TJ*)eF`#y>%hzSI2ek-Y}MU|l`kU1Hq z;W>t^S{LUPXzC1J=qeL+><1VlD1E%fgWSgo&+Vc%$2tX;s`*j;^F6*=Txp?-6ewu9 zma|!B{{%H~uE=^pt>jKtzYID({MP=h?fY5!r~R_J$X-;BtQMMYB>v$&SE2uzzh|=( zU07GDO_?d=!e{D1G{Sz-U9GarvJ3M>~fD9^`6%62lZ)#=w$07MrQb0Va+d7ZFAaI(2Q6QbLQ|fS625>TL=th( zNGS6MM20k6uLawy0V=#bs@PAZs-OuhMaU@j;U5*Xtz|(m>PoB;R3-*wy)LLlrdOt+caB4QCo91C71d@m4TsXSeTm2ii-RwpSTW z9Q|(a2jp2RDF4%9b~V$UO1Ji2JDqZv!*+tE!;+nIc7cW&vF6fVii#0={O{_q)gcld z6PK?Hui|UNAZCF;XN>zCceVHIeREYO?cy{wx< z13}fzED_R{wAxD8LU8FHkyykXTe=C#)nD5cZtu_7yqCvAxU*js6Lb9)Z9XjcrvL1l zWamsO_KSJB^NQG?wp1R={G!E0zS+bQ}!?!>0kmC$`5;Dz(nuTP|u;gCg&@W$h%o|hY%a`>H zVwsINjeU&)eefbXniI(km@E#_^NF4d9+qd@X1qus?FK}kX7M?fB1W@mFwU%xKyBxS zN#%l2&p@}MX&iQJFCEiM$1B_GI(ZkSayvP|^j5!4mratlKN* ze|`R}_wD}gPM#I$zqQa|WY4WRk;POG=(uSJYbnJ?6C0)so6-jBltV7?TWVzGjCk|1 zLNmjRymh%PhsGEgur9=^WY!|X*}$fwP8A=jV@HeqI_s}0%hVt>OwD?7PBTdj*F?l4}h<|R> z%o&>pSgFvGv*hz_{4%L1vtKUs*~!@+0$U*@G7jGr?fxMGUD1aG?pW8|M>`=Hlq&Bj zP_npFMYYu`)`}%?YfTj^khi^TV3`K2{H@yVur^0}1)5H0k>*J$Uyf_H!nD!16)gB; zExeK5eA3#TedZCTa!y9G82Kox(}r9pd_2)k*(PMc<7XjpTe?-8=lBA0bq{1?>9BLE zwICa!pMkqzqMNmed#mVU=MSZ&*6cjUW#V4AMuGt2m{W5Uxr>&KpMh8CG&*ST7s6 z-?S3K&2)K^Z&VFYw72)c#{>dC^=W&1p}k-dYBp6p_EnT`fP`7CTbQP*F)g04|6LS0 zO-{fY)8*VCGtgw*S5W4-W-HpeiXx|BGdHZpaX_rF?pIXd)U|R=1&(X>fvazPa=OYM z%Q1DgsJyww?Un=KI{VB&kyhDQHT7;-F=zJg3M-qj*TiVj@OivCnT=CjT@uEfz1+Ne4(QFlci9d=Zvgj>nzfcF^58*+o z#Vo1&-#{&f75q(honF&+mMh~7W)(m#jOF%qa)lG^LFwca(+yN|8ChDUjI$*hAU&4v zD5g7UNZA|Iz}bO()4eriHf~P$0bm%P=LXEz;6}v82IIbpPQW(%b?e?N5G$L^|x=1AXN|a}dK)4S1yM2}D zeQRaz?zyi1FDqZK0$ig1>pkBt*?+zGX8(0J&sFq)N4VxE|NZ*LwSOKuJs1UGHl}*@ zUsmRN8bGhF+tL43Pw+}AK(C2wx&c+RRH*|@rPj2(FXS$7)i4C^t;%$BOZxC^A{JUzk)2dMxa(Qbmz+2+)v82Q@=41L+RVtT^Yf-y&3RU-b3zWoX zRCNR z!=iHcqlUh&{#UY)FAD^?#Q*pCc6Y0w|9$rSTl~Mfd0JOd03Vx0{|_x`$Zp;M6fx?- zXn$ci^@?Bkd_A2n_HaAu-qK_?Q_NzuW;)qg+ss@eXKb#51j-f~f}n#`@_(`L1Cy#o zNtbKPs}h`Joi@h7t=D2}!(+-hSu5noE5OmNGS*mMTB}@v{j(A@ryQ(PxL+$3X;EEV zZDv-s;S9O*)sHJpRjNc>K1qJj#?zA<<$J|;XP8xXwe_?pynKu^#g0}Q=7Z4Zdr|AN z8M=lnIZ}a z?4q-}`cPO+{Z!q?HDxnw^g$|}@WjJB0!|b|=o`;8=w$4{d5cokjd3CM$A0}XV;z6Z z7Ek@&gbmNK46rcYFn(z9v2ru2ke_n|9QPzyvpfU&>nqZGy54vtD%p-};D2R%zGH(| zz!CNQ@wK)B&$W(cVY`O+G9B2I5LY}qilbf3eqd_Ds_y+Ao2HBXW~+5O&voU0|E#Oi z0xXgLpFZF27UcgI-51~dKkwwZiuiAZVN(Xg`~fRV`pCIMdDzx_A|7?SkXO3M@TKWq z;8nX$(oc;UEQ8ePb}f@!(_8Omd+VjWHDUPb_&iK_Q#m(PAe58e6qbP`-cj$MtX6TH zPHaLWEgT;LqmIY6DIRcmLO>_H8lOH%ClL6lrc^b>71kUVSxD*}H<`a&4>@E^XEx zN!fTQSg3S3E(N_ZDss1@HC!yTopW1inZImot+j9N)5^ZI79r|3nq=*QxzHC5K7KWt zhc%joKx3(P=+?XEi<%2ig8l`|$hwEQi9bg1E=F0moy8T)n_kgXS=_3#o7SQB9Sc^d zTCH%^DQ;DvPsanU1>Y?1cF&gfxx?EkwK=${tX5=<>a-97S+%6tTDlCEu(TXGYWFEF zwY1ZH;zKvO|j8tWLWQjJRb!FQg4OPu&TqMEJ!|9FDgl#Uq} zxN935{QrY*m+)Wu-}Vo``u`8{wBej6JyMy=e64)-w8LOn&@9!XcutZlGDaCkZFoJQ z5@eC*Tqp^0f>~yAUSLX8GNEj|4+1ly=*&%<)%S#@Q5zVJZI<+&U6^p$sPJ!{7+$e# z4xE`cHA#@8fQ&MXqxkvd@0WU#i`sB%6cXN?UP4NRjN&m>J@c<6KZ=Kcik|t`e=!;N z^gsSjIb*%5q9IAHirmCLGI|or>pXfA56M;ZBv#Wrdh&l!8{QB>c_HEK`3o7vx!~_H zQBh1&Bt2VB@b^(XlL=3;_XVvUY*dB*2c?Hp=n)mCr*OXaV=e!U=@-j`#*}=I$vz8#KLK#KfklcRU zKm143wf#Mc`|*K&MaQ_P`JpueVZ^hHU)$>=hnc<4+3t^cO&~KuGxM7Z{G25_6*0*# z3D404hAAD5&^YZ9lZw(doQy`4QAIVKA2m^W7N;pP%>Wb-J|E#Z%0y5TCBoLvM|kle zx3_JcvAj^5Ux+?-*FT$nzpK|iMjv6|ES{8{iWyHamVBfJ@Dc1q-9SKp0s1G$)42_Q zX%n|T!XV79{-0N`T5g%8x@P;?$wf>5`@gNu0M=15AtJ3&qQ7`(N^+h$mMrlk=cy;8 zr#~}An+Pi@N%%D944EqFsTPO^bv;={iDk(WPwtNrV@#(cCqtTTX-*A>awGfN{%Nwr z&Bk_nGrEfgLSZKXpJP47yXkze*j*=mJvu5P^gths#C~6S&(4)eM)mmUj~>xcdF64? z0#IqzA0(Oay1|`7o}$k3kciB+muU1vRU=Wl=NR_!@2?_Z{f0 z=I}*Qx1}?v;U4LfiYOcvnZ!jxx1}?z;r{5P%$(1;h1`7&yD@WDI>nGA4Mgrh=f$&= zQxGV5Arjn$+#T&GZ6?rh=bebvug%Diq zG}+(#EPq$e&VKuLweH|=+`FT3SI_+r8kzzcJ&TKcEJ%vg83DUtpx8sB2A41iuEtzz}F+Wb?h$ z5xX%%OEC}=cE*)&z1YBFwuS#8$h9cH>UW^-iaTpOo09Qn*ZZO3*c(5aY~-QB-y1)n z=29aQ`(LByqvsX0sxvCG3`|M0^0q7ir#q&|1?Q?&I_W-9NKMeT1ucJ&`O#n>BqF>! z^RNB3*EVGY=c-et`bs4VgEtpLLkIFA%j`)2IcV&_bDmtGusR4AIHppGIk>|EKa(j+ z*h?`Nm=J~Ov7Vry-h@DwqByS_0?MR9l6DrlUK-2F-uL%c|904^cvA=D7&LW!iK?4- z--DV|N3>+Q#3}E-lT9Op^`&=<&hKc-ez*bT&Ys;?2kvNq`C_L1>ZzHH3)hAuxk8o> z8n_DIyJR3B-h7;5f_n>)Y4fo=8G3T&*4R$Y&q{x`G#80tMicazSDd%X@6Nf&uo@E4 za-*QG<(+TMk4L&X#uZH#7SHWcNlbZfnDKG%@Sy*ny@UVg_5ax;Iqe2-%PwWzez*U$ z7mTNKrpSkK?KwdSO?>i>{W(#S*Yg|)0iVtVWlH*k6V9{GT|uAsRPJ$O+N{J4?)zu{ ztmBiD-DyUo)U)JZ6`$xr!A<=7BKc%S^_OIb*+cq$59pzVs*ss}`lBdmeN`@4+Vlm$ zzR=vO^|7~W%4CFC_TG5fUlTr?0_)^`+woaHa^2GP`T{+-9iLF~Z9;3^s7uFg z(X3te>w4LEhi(a?w;{?|Je}?gTaT!h#mJl@Y)$9o$1oN$!SIXP`@ikAeTCAUfo}+l z??U^Q*ms5Vav`^5pG$MT!W|ZrZ^gb6#nX7vpOQ!GdKj>;S^~6bHiHKCmD%}RfIuZE z&d}s+(h-nMAW7$tn3*As!*HT@prh;1-s&8JmdjR3-_(-@Jd=If{nqk#hpi5@GGt>l zX+i%0T2cwl#uY4#9{*i4wa=9j?}L4RAMCqk{m7O*@vg32^5o^2i6-qc5|xA6HiAE? ztb;S0nN-s9^oD1xXPLz=VU9w&vP5lS+r@%>!jnpkYb%y!!RGy>?J`#j>i=px3#DgS;zW?lbn< z?#SKxj2){`4^^I(P*yBOVO3FolI77vbBIh2hJ>HQ)gI*DlUiV>f=px$eYED#Hv{2_q_`3c8>vHVN~@ z9ezz+SGjOyT|8)F%P+X!>(h!b zfa-q`DQ=M80{V5iC$O9RYG~)TlHjuBEOzau6=u z9gUsK@+;~5#4;@Dcqln;n)%#a&9|KS!h6E+ar(2we(LGZQt`0Up9$#S62T}NZ;s}- zh}>@#TyG3Vw+Q`imvR$m^|j+lEO?etHhxXUdhU130y5-%epb9M-;d)9vm|ivq z>4|2x65ykXe4pySSKato%ZiVqD8*qBuzP5M!IxNL`{K{Qnc>QeZW+Bo{fpLa{GbE@ z%0^sFZQ8Fzc9EfwEM&OW?Gt9gWWo}3l@0MYYL{vmYFxVp-BQ<=w&wo|>9-*eKZKHq z+F-lxC~^QQZ3uQ9E6Z|l@EiH$G1P5&2=*-FkO`WPQRH@3&8F!l-TZ#Sr3GHB2vqQf zXT=oj+pqg@HuAdH>bCYFZ02W!In!!6Adi$vO{au(t{IwGlo(059@uIWx4Nw;B1wW$ z{=`$h3SSukNc!i-#xCifxI+v7{GLWpPSj*mz2^?? zb65#7t<_Wl1+7zOuR2!f?V30&U)vBcc7XwHFdQ&Mx6OV<&}^x*^<1J#Z4JcGhF*qf zoIVA~XOxAVoz7kDS2+KP=;-NISR zY>TN>lG=ul*fv1vRq8_if{h<>Ub0g2(sWo8R_KxHtvk2sR$SLE?Cx;RrKILC^4vCST!;x$As4wJ<4U^iY9#MD zUYYN^-EK1umE+3IL8!nbecKs|e`Lyq)QhLy!%hE1a)w@hU*5-L^r$jagoA^!ML}e^EPxFE(slu&BE6 zZ?Yz+E#*1``}x)D7nia6V8^M1Gs!c&4N&~S!NWquAM|ek7QZE0{Ko5nZVel6WOFvs zBhrYAM9-XDmb(V-f_QTdTaQ`hyfva7%1DMn$(q<4DxMjPb)=0_!F2A>pABU0f~dZ0 zwe}ad`CY4JbpG)|(Je7~7aMrwP5pOW#R5+6YOLX?v^)HebD+19UmOmz-(xzH9vz>oG45^ziSN9^i_knB=--GD z{g4s;yJ1BC9vIPYW`qYc{KZ2Exb!{_{rDh0h@y9|82rpTWxCrd-8JCWMVqS|C4*sHlIh@Cu#9nQ%dIJw$Mk^D@o90@oWMQH9V| zrKttpvt2#1{*&V5F+`&wFdcmzhJ!6^0kXXn!AG#_QvLcMP2wsbHVyV4qI`sMAPgju8}n&fArd}bk`8qby~iG8r|UQ zx-!`m_T0w8-t&H97;EPKCk6$%g3IK>;WC&Z6i{MH|p$W z-_&OlI@x0dBRzZ(HU}zYfpYsMt-tQ9$myv}kP$(73F=m!iY2oCcFIxe=KX->t&y;~ zmSaUm)eD<>UAMKcYu08o*>WA-b!NEvMBoU8AEw^%(TJJ_NK-83Nui@0BenImGdui! zcJ%v{j;)A$?eb%{kl0O#MA>mx;(lUdD?Hx^#bI`&mE{+SqauThvMXtI!MChitReTR zLUBP!CVK)U&t}-w#2uP{kGeURs#_6a<=hME+omTC#m)J3TLQbf52n5D?69l2`*`#v cL4kjLzCK@{f3fHP0{{U3|6FgNC;+qy0842Mj{pDw literal 0 HcmV?d00001 diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/.helmignore b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/Chart.lock b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/Chart.lock new file mode 100644 index 00000000..207a0020 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 10.16.2 +- name: mariadb + repository: https://charts.bitnami.com/bitnami + version: 10.5.1 +digest: sha256:8e15bb90e2a9a3b72069761791da93dee17fecca2fdfa74562ce2541bab15282 +generated: "2022-05-19T17:36:07.359537847Z" diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/Chart.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/Chart.yaml new file mode 100644 index 00000000..cfe12ea6 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: v4.3.1 +dependencies: +- condition: postgresql.enabled + name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 10.16.2 +- condition: mariadb.enabled + name: mariadb + repository: https://charts.bitnami.com/bitnami + version: 10.5.1 +deprecated: true +description: PowerDNS is a DNS server, written in C++ and licensed under the GPL. It runs on most Unix derivatives. PowerDNS features a large number of different backends ranging from simple BIND style zonefiles to relational databases and load balancing/failover algorithms. A DNS recursor is provided as a separate program. +home: https://github.com/k8s-at-home/charts/tree/master/charts/stable/powerdns +icon: https://avatars.githubusercontent.com/u/1282630?s=200&v=4 +name: powerdns +sources: +- http://www.github.com/PowerDNS/ +version: 5.0.0 diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/README.md b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/README.md new file mode 100644 index 00000000..23d80ea9 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/README.md @@ -0,0 +1,148 @@ +# powerdns + +![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![AppVersion: v4.3.1](https://img.shields.io/badge/AppVersion-v4.3.1-informational?style=flat-square) + +PowerDNS is a DNS server, written in C++ and licensed under the GPL. It runs on most Unix derivatives. PowerDNS features a large number of different backends ranging from simple BIND style zonefiles to relational databases and load balancing/failover algorithms. A DNS recursor is provided as a separate program. + +**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)** + +## Source Code + +* + +## Requirements + +## Dependencies + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.bitnami.com/bitnami | mariadb | 10.5.1 | +| https://charts.bitnami.com/bitnami | postgresql | 10.16.2 | + +## TL;DR + +```console +helm repo add k8s-at-home https://k8s-at-home.com/charts/ +helm repo update +helm install powerdns k8s-at-home/powerdns +``` + +## Installing the Chart + +To install the chart with the release name `powerdns` + +```console +helm install powerdns k8s-at-home/powerdns +``` + +## Uninstalling the Chart + +To uninstall the `powerdns` deployment + +```console +helm uninstall powerdns +``` + +The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release. + +## Configuration + +Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values. +Other values may be used from the [values.yaml](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common). + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +```console +helm install powerdns \ + --set env.TZ="America/New York" \ + k8s-at-home/powerdns +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. + +```console +helm install powerdns k8s-at-home/powerdns -f values.yaml +``` + +## Custom configuration + +N/A + +## Values + +**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common) + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"Always"` | | +| image.repository | string | `"naps/powerdns"` | | +| image.tag | string | `"4.3.1"` | | +| imagePullSecrets | list | `[]` | | +| mariadb | object | `{"architecture":"standalone","auth":{"database":"pdns","password":"pdns-pass","rootPassword":"pdnsrootpass","username":"pdns"},"enabled":false,"primary":{"persistence":{"enabled":false}}}` | ... for more options see https://github.com/bitnami/charts/tree/master/bitnami/mariadb | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podSecurityContext | object | `{}` | | +| postgresql | object | `{"enabled":true,"persistence":{"enabled":false},"postgresqlDatabase":"pdns","postgresqlPassword":"pdnspass","postgresqlPostgresPassword":"pdnsadminpass","postgresqlUsername":"pdns"}` | ... for more options see https://github.com/bitnami/charts/tree/master/bitnami/postgresql | +| powerdns.additionalEnv | list | `[]` | | +| powerdns.config | object | `{}` | | +| powerdns.dnssec | bool | `true` | | +| powerdns.domain | string | `"mydomain.local"` | | +| powerdns.mysql.database | string | `"pdns"` | | +| powerdns.mysql.password | string | `"pdnspass"` | | +| powerdns.mysql.username | string | `"pdns"` | | +| powerdns.postgres.database | string | `"pdns"` | | +| powerdns.postgres.password | string | `"pdnspass"` | | +| powerdns.postgres.username | string | `"pdns"` | | +| probes.liveness.enabled | bool | `true` | | +| probes.liveness.failureThreshold | int | `5` | | +| probes.liveness.initialDelaySeconds | int | `30` | | +| probes.liveness.timeoutSeconds | int | `10` | | +| probes.readiness.enabled | bool | `true` | | +| probes.readiness.failureThreshold | int | `5` | | +| probes.readiness.initialDelaySeconds | int | `30` | | +| probes.readiness.timeoutSeconds | int | `10` | | +| probes.startup.enabled | bool | `false` | | +| probes.startup.failureThreshold | int | `30` | | +| probes.startup.periodSeconds | int | `10` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.externalTrafficPolicy | string | `""` | | +| service.port | int | `53` | | +| service.type | string | `"ClusterIP"` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `nil` | If not set and create is true, a name is generated using the fullname template | +| strategyType | string | `"Recreate"` | | +| tolerations | list | `[]` | | + +## Changelog + +### Version 5.0.0 + +#### Added + +N/A + +#### Changed + +N/A + +#### Fixed + +N/A + +### Older versions + +A historical overview of changes can be found on [ArtifactHUB](https://artifacthub.io/packages/helm/k8s-at-home/powerdns?modal=changelog) + +## Support + +- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/) +- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose) +- Ask a [question](https://github.com/k8s-at-home/organization/discussions) +- Join our [Discord](https://discord.gg/sTMX7Vh) community + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v0.1.1](https://github.com/k8s-at-home/helm-docs/releases/v0.1.1) diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/README_CONFIG.md.gotmpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/README_CONFIG.md.gotmpl new file mode 100644 index 00000000..e93d80bf --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/README_CONFIG.md.gotmpl @@ -0,0 +1,9 @@ +{{- define "custom.custom.configuration.header" -}} +## Custom configuration +{{- end -}} + +{{- define "custom.custom.configuration" -}} +{{ template "custom.custom.configuration.header" . }} + +N/A +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/.helmignore b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/.helmignore new file mode 100644 index 00000000..f0c13194 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/Chart.lock b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/Chart.lock new file mode 100644 index 00000000..ced79cbe --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.13.0 +digest: sha256:e83af41b39942278f8389623671732e624f28c6f1ad6ac2d937e210c5f354a18 +generated: "2022-03-27T01:47:43.851311689Z" diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/Chart.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/Chart.yaml new file mode 100644 index 00000000..37f69f7d --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/Chart.yaml @@ -0,0 +1,28 @@ +annotations: + category: Database +apiVersion: v2 +appVersion: 10.5.15 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +description: MariaDB is an open source, community-developed SQL database server that is widely in use around the world due to its enterprise features, flexibility, and collaboration with leading tech firms. +home: https://github.com/bitnami/charts/tree/master/bitnami/mariadb +icon: https://bitnami.com/assets/stacks/mariadb/img/mariadb-stack-220x234.png +keywords: +- mariadb +- mysql +- database +- sql +- prometheus +maintainers: +- email: containers@bitnami.com + name: Bitnami +name: mariadb +sources: +- https://github.com/bitnami/bitnami-docker-mariadb +- https://github.com/prometheus/mysqld_exporter +- https://mariadb.org +version: 10.5.1 diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/README.md b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/README.md new file mode 100644 index 00000000..1ba79039 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/README.md @@ -0,0 +1,542 @@ + + +# MariaDB packaged by Bitnami + +MariaDB is an open source, community-developed SQL database server that is widely in use around the world due to its enterprise features, flexibility, and collaboration with leading tech firms. + +[Overview of MariaDB](https://mariadb.org/) + +Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. + +## TL;DR + +```bash +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/mariadb +``` + +## Introduction + +This chart bootstraps a [MariaDB](https://github.com/bitnami/bitnami-docker-mariadb) replication cluster deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +MariaDB is developed as open source software and as a relational database it provides an SQL interface for accessing data. The latest versions of MariaDB also include GIS and JSON features. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm install my-release bitnami/mariadb +``` + +The command deploys MariaDB on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```bash +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ------------------------- | ----------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker Image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global storage class for dynamic provisioning | `""` | + + +### Common parameters + +| Name | Description | Value | +| ------------------------ | --------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `nameOverride` | String to partially override mariadb.fullname | `""` | +| `fullnameOverride` | String to fully override mariadb.fullname | `""` | +| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | +| `commonAnnotations` | Common annotations to add to all MariaDB resources (sub-charts are not considered) | `{}` | +| `commonLabels` | Common labels to add to all MariaDB resources (sub-charts are not considered) | `{}` | +| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + + +### MariaDB common parameters + +| Name | Description | Value | +| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `image.registry` | MariaDB image registry | `docker.io` | +| `image.repository` | MariaDB image repository | `bitnami/mariadb` | +| `image.tag` | MariaDB image tag (immutable tags are recommended) | `10.5.15-debian-10-r51` | +| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug logs should be enabled | `false` | +| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` | +| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. | `""` | +| `auth.database` | Name for a custom database to create | `my_database` | +| `auth.username` | Name for a custom user to create | `""` | +| `auth.password` | Password for the new user. Ignored if existing secret is provided | `""` | +| `auth.replicationUser` | MariaDB replication user | `replicator` | +| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | `""` | +| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `""` | +| `auth.forcePassword` | Force users to specify required passwords | `false` | +| `auth.usePasswordFiles` | Mount credentials as files instead of using environment variables | `false` | +| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` | + + +### MariaDB Primary parameters + +| Name | Description | Value | +| ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------- | +| `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` | +| `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` | +| `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` | +| `primary.hostAliases` | Add deployment host aliases | `[]` | +| `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` | +| `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` | +| `primary.updateStrategy.type` | MariaDB primary statefulset strategy type | `RollingUpdate` | +| `primary.rollingUpdatePartition` | Partition update strategy for Mariadb Primary statefulset | `""` | +| `primary.podAnnotations` | Additional pod annotations for MariaDB primary pods | `{}` | +| `primary.podLabels` | Extra labels for MariaDB primary pods | `{}` | +| `primary.podAffinityPreset` | MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | MariaDB primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | MariaDB primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for MariaDB primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for MariaDB primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for MariaDB primary pods assignment | `[]` | +| `primary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB primary pods | `""` | +| `primary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB primary pods assignment | `{}` | +| `primary.priorityClassName` | Priority class for MariaDB primary pods assignment | `""` | +| `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` | +| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | +| `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | +| `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | +| `primary.containerSecurityContext.runAsNonRoot` | Set Controller container's Security Context runAsNonRoot | `true` | +| `primary.resources.limits` | The resources limits for MariaDB primary containers | `{}` | +| `primary.resources.requests` | The requested resources for MariaDB primary containers | `{}` | +| `primary.startupProbe.enabled` | Enable startupProbe | `false` | +| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | +| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | +| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `primary.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `primary.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `primary.customStartupProbe` | Override default startup probe for MariaDB primary containers | `{}` | +| `primary.customLivenessProbe` | Override default liveness probe for MariaDB primary containers | `{}` | +| `primary.customReadinessProbe` | Override default readiness probe for MariaDB primary containers | `{}` | +| `primary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB primary containers | `{}` | +| `primary.extraFlags` | MariaDB primary additional command line flags | `""` | +| `primary.extraEnvVars` | Extra environment variables to be set on MariaDB primary containers | `[]` | +| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB primary containers | `""` | +| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB primary containers | `""` | +| `primary.persistence.enabled` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir | `true` | +| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` | +| `primary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` | +| `primary.persistence.annotations` | MariaDB primary persistent volume claim annotations | `{}` | +| `primary.persistence.accessModes` | MariaDB primary persistent volume access Modes | `["ReadWriteOnce"]` | +| `primary.persistence.size` | MariaDB primary persistent volume size | `8Gi` | +| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) | `[]` | +| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) | `[]` | +| `primary.initContainers` | Add additional init containers for the MariaDB Primary pod(s) | `[]` | +| `primary.sidecars` | Add additional sidecar containers for the MariaDB Primary pod(s) | `[]` | +| `primary.service.type` | MariaDB Primary Kubernetes service type | `ClusterIP` | +| `primary.service.ports.mysql` | MariaDB Primary Kubernetes service port | `3306` | +| `primary.service.nodePorts.mysql` | MariaDB Primary Kubernetes service node port | `""` | +| `primary.service.clusterIP` | MariaDB Primary Kubernetes service clusterIP IP | `""` | +| `primary.service.loadBalancerIP` | MariaDB Primary loadBalancerIP if service type is `LoadBalancer` | `""` | +| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `primary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB Primary service is LoadBalancer | `[]` | +| `primary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `primary.service.annotations` | Provide any additional annotations which may be required | `{}` | +| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB primary pods | `false` | +| `primary.pdb.minAvailable` | Minimum number/percentage of MariaDB primary pods that must still be available after the eviction | `1` | +| `primary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction | `""` | +| `primary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | + + +### MariaDB Secondary parameters + +| Name | Description | Value | +| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `secondary.replicaCount` | Number of MariaDB secondary replicas | `1` | +| `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `[]` | +| `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `[]` | +| `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` | +| `secondary.hostAliases` | Add deployment host aliases | `[]` | +| `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` | +| `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` | +| `secondary.updateStrategy.type` | MariaDB secondary statefulset strategy type | `RollingUpdate` | +| `secondary.rollingUpdatePartition` | Partition update strategy for Mariadb Secondary statefulset | `""` | +| `secondary.podAnnotations` | Additional pod annotations for MariaDB secondary pods | `{}` | +| `secondary.podLabels` | Extra labels for MariaDB secondary pods | `{}` | +| `secondary.podAffinityPreset` | MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `secondary.podAntiAffinityPreset` | MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `secondary.nodeAffinityPreset.type` | MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `secondary.nodeAffinityPreset.key` | MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. | `""` | +| `secondary.nodeAffinityPreset.values` | MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. | `[]` | +| `secondary.affinity` | Affinity for MariaDB secondary pods assignment | `{}` | +| `secondary.nodeSelector` | Node labels for MariaDB secondary pods assignment | `{}` | +| `secondary.tolerations` | Tolerations for MariaDB secondary pods assignment | `[]` | +| `secondary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB secondary pods assignment | `{}` | +| `secondary.priorityClassName` | Priority class for MariaDB secondary pods assignment | `""` | +| `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB secondary pods | `""` | +| `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` | +| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | +| `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | +| `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | +| `secondary.containerSecurityContext.runAsNonRoot` | Set Controller container's Security Context runAsNonRoot | `true` | +| `secondary.resources.limits` | The resources limits for MariaDB secondary containers | `{}` | +| `secondary.resources.requests` | The requested resources for MariaDB secondary containers | `{}` | +| `secondary.startupProbe.enabled` | Enable startupProbe | `false` | +| `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | +| `secondary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | +| `secondary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `secondary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `secondary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `secondary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `secondary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `secondary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `secondary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `secondary.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `secondary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `secondary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `secondary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `secondary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `secondary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `secondary.customStartupProbe` | Override default startup probe for MariaDB secondary containers | `{}` | +| `secondary.customLivenessProbe` | Override default liveness probe for MariaDB secondary containers | `{}` | +| `secondary.customReadinessProbe` | Override default readiness probe for MariaDB secondary containers | `{}` | +| `secondary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB secondary containers | `{}` | +| `secondary.extraFlags` | MariaDB secondary additional command line flags | `""` | +| `secondary.extraEnvVars` | Extra environment variables to be set on MariaDB secondary containers | `[]` | +| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB secondary containers | `""` | +| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB secondary containers | `""` | +| `secondary.persistence.enabled` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` | `true` | +| `secondary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `secondary.persistence.storageClass` | MariaDB secondary persistent volume storage Class | `""` | +| `secondary.persistence.annotations` | MariaDB secondary persistent volume claim annotations | `{}` | +| `secondary.persistence.accessModes` | MariaDB secondary persistent volume access Modes | `["ReadWriteOnce"]` | +| `secondary.persistence.size` | MariaDB secondary persistent volume size | `8Gi` | +| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) | `[]` | +| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) | `[]` | +| `secondary.initContainers` | Add additional init containers for the MariaDB secondary pod(s) | `[]` | +| `secondary.sidecars` | Add additional sidecar containers for the MariaDB secondary pod(s) | `[]` | +| `secondary.service.type` | MariaDB secondary Kubernetes service type | `ClusterIP` | +| `secondary.service.ports.mysql` | MariaDB secondary Kubernetes service port | `3306` | +| `secondary.service.nodePorts.mysql` | MariaDB secondary Kubernetes service node port | `""` | +| `secondary.service.clusterIP` | MariaDB secondary Kubernetes service clusterIP IP | `""` | +| `secondary.service.loadBalancerIP` | MariaDB secondary loadBalancerIP if service type is `LoadBalancer` | `""` | +| `secondary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `secondary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB secondary service is LoadBalancer | `[]` | +| `secondary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `secondary.service.annotations` | Provide any additional annotations which may be required | `{}` | +| `secondary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `secondary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods | `false` | +| `secondary.pdb.minAvailable` | Minimum number/percentage of MariaDB secondary pods that should remain scheduled | `1` | +| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB secondary pods that may be made unavailable | `""` | +| `secondary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | + + +### RBAC parameters + +| Name | Description | Value | +| --------------------------------------------- | -------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable the creation of a ServiceAccount for MariaDB pods | `true` | +| `serviceAccount.name` | Name of the created ServiceAccount | `""` | +| `serviceAccount.annotations` | Annotations for MariaDB Service Account | `{}` | +| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` | +| `rbac.create` | Whether to create and use RBAC resources or not | `false` | + + +### Volume Permissions parameters + +| Name | Description | Value | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `10-debian-10-r388` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | +| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | + + +### Metrics parameters + +| Name | Description | Value | +| -------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `metrics.enabled` | Start a side-car prometheus exporter | `false` | +| `metrics.image.registry` | Exporter image registry | `docker.io` | +| `metrics.image.repository` | Exporter image repository | `bitnami/mysqld-exporter` | +| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.14.0-debian-10-r33` | +| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.annotations` | Annotations for the Exporter pod | `{}` | +| `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | +| `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | +| `metrics.resources.limits` | The resources limits for MariaDB prometheus exporter containers | `{}` | +| `metrics.resources.requests` | The requested resources for MariaDB prometheus exporter containers | `{}` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | +| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` | +| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | + + +### NetworkPolicy parameters + +| Name | Description | Value | +| ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `networkPolicy.enabled` | Enable network policies | `false` | +| `networkPolicy.metrics.enabled` | Enable network policy for metrics (prometheus) | `false` | +| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | +| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. | `false` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the primary node. This label will be used to identified the allowed pod(s). | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the primary node. | `{}` | +| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled` | Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. | `false` | +| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). | `{}` | +| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). | `{}` | +| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules` | Custom network policy for the secondary nodes. | `{}` | +| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | +| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | + + +The above parameters map to the env variables defined in [bitnami/mariadb](https://github.com/bitnami/bitnami-docker-mariadb). For more information please refer to the [bitnami/mariadb](https://github.com/bitnami/bitnami-docker-mariadb) image documentation. + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +$ helm install my-release \ + --set auth.rootPassword=secretpassword,auth.database=app_database \ + bitnami/mariadb +``` + +The above command sets the MariaDB `root` account password to `secretpassword`. Additionally it creates a database named `my_database`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +$ helm install my-release -f values.yaml bitnami/mariadb +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Change MariaDB version + +To modify the MariaDB version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/mariadb/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +### Initialize a fresh instance + +The [Bitnami MariaDB](https://github.com/bitnami/bitnami-docker-mariadb) image allows you to use your custom scripts to initialize a fresh instance. Custom scripts may be specified using the `initdbScripts` parameter. Alternatively, an external ConfigMap may be created with all the initialization scripts and the ConfigMap passed to the chart via the `initdbScriptsConfigMap` parameter. Note that this will override the `initdbScripts` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `.sql.gz` files. + +[Refer to the chart documentation for more information and a usage example](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/customize-new-instance/). + +### Sidecars and Init Containers + +If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the sidecars parameter. + +The Helm chart already includes sidecar containers for the Prometheus exporters. These can be activated by adding the `--set enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. [See an example of configuring and using sidecar containers](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/configure-sidecar-init-containers/). + +Similarly, additional containers can be added to MariaDB pods using the `initContainers` parameter. [See an example of configuring and using init containers](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/configure-sidecar-init-containers/). + +## Persistence + +The [Bitnami MariaDB](https://github.com/bitnami/bitnami-docker-mariadb) image stores the MariaDB data and configurations at the `/bitnami/mariadb` path of the container. + +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning, by default. An existing PersistentVolumeClaim can also be defined. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). + +### Adjust permissions of persistent volume mountpoint + +As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. + +By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. + +As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. You can enable this initContainer by setting `volumePermissions.enabled` to `true`. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +It's necessary to set the `auth.rootPassword` parameter when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Administrator credentials' section. Please note down the password and run the command below to upgrade your chart: + +```bash +$ helm upgrade my-release bitnami/mariadb --set auth.rootPassword=[ROOT_PASSWORD] +``` + +| Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes. + +### To 10.0.0 + +This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. + +Affected values: + +- `primary.service.port` was deprecated, we recommend using `primary.service.ports.mysql` instead. +- `primary.service.nodePort` was deprecated, we recommend using `primary.service.nodePorts.mysql` instead. +- `secondary.service.port` was deprecated, we recommend using `secondary.service.ports.mysql` instead. +- `secondary.service.nodePort` was deprecated, we recommend using `secondary.service.nodePorts.mysql` instead. +- `metrics.serviceMonitor.additionalLabels` was deprecated, we recommend using `metrics.serviceMonitor.selector` instead. +- `primary.pdb.enabled` renamed as `primary.pdb.create`. +- `secondary.pdb.enabled` renamed as `secondary.pdb.create`. +- `primary.updateStrategy` changed from String type (previously default to 'rollingUpdate') to Object type, allowing users to configure other updateStrategy parameters, similar to other charts. +- Removed value `primary.rollingUpdatePartition`, now configured using `primary.updateStrategy` setting `primary.updateStrategy.rollingUpdate.partition`. +- `secondary.updateStrategy` changed from String type (previously default to 'rollingUpdate') to Object type, allowing users to configure other updateStrategy parameters, similar to other charts. +- Removed value `secondary.rollingUpdatePartition`, now configured using `secondary.updateStrategy` setting `secondary.updateStrategy.rollingUpdate.partition`. +- `metrics.serviceMonitor.relabellings`, previously used to configure ServiceMonitor metricRelabelings, has been replaced with the value `metrics.serviceMonitor.metricRelabelings`, and new value `metrics.serviceMonitor.relabelings` can be used to set ServiceMonitor relabelings parameter + +### To 9.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/administration/upgrade-helm3/). + +### To 8.0.0 + +- Several parameters were renamed or disappeared in favor of new ones on this major version: + - The terms _master_ and _slave_ have been replaced by the terms _primary_ and _secondary_. Therefore, parameters prefixed with `master` or `slave` are now prefixed with `primary` or `secondary`, respectively. + - `securityContext.*` is deprecated in favor of `primary.podSecurityContext`, `primary.containerSecurityContext`, `secondary.podSecurityContext`, and `secondary.containerSecurityContext`. + - Credentials parameter are reorganized under the `auth` parameter. + - `replication.enabled` parameter is deprecated in favor of `architecture` parameter that accepts two values: `standalone` and `replication`. +- The default MariaDB version was updated from 10.3 to 10.5. According to the official documentation, upgrading from 10.3 should be painless. However, there are some things that have changed which could affect an upgrade: + - [Incompatible changes upgrading from MariaDB 10.3 to MariaDB 10.4](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104). + - [Incompatible changes upgrading from MariaDB 10.4 to MariaDB 10.5](https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/#incompatible-changes-between-104-and-105). +- Chart labels were adapted to follow the [Helm charts standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). +- This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/master/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. + +Consequences: + +Backwards compatibility is not guaranteed. To upgrade to `8.0.0`, install a new release of the MariaDB chart, and migrate the data from your previous release. You have 2 alternatives to do so: + +- Create a backup of the database, and restore it on the new release using tools such as [mysqldump](https://mariadb.com/kb/en/mysqldump/). +- Reuse the PVC used to hold the master data on your previous release. To do so, use the `primary.persistence.existingClaim` parameter. The following example assumes that the release name is `mariadb`: + +```bash +$ helm install mariadb bitnami/mariadb --set auth.rootPassword=[ROOT_PASSWORD] --set primary.persistence.existingClaim=[EXISTING_PVC] +``` + +| Note: you need to substitute the placeholder _[EXISTING_PVC]_ with the name of the PVC used on your previous release, and _[ROOT_PASSWORD]_ with the root password used in your previous release. + +### To 7.0.0 + +Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. + +In https://github.com/helm/charts/pull/17308 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. + +This major version bump signifies this change. + +### To 6.0.0 + +MariaDB version was updated from 10.1 to 10.3, there are no changes in the chart itself. According to the official documentation, upgrading from 10.1 should be painless. However, there are some things that have changed which could affect an upgrade: + +- [Incompatible changes upgrading from MariaDB 10.1 to MariaDB 10.2](https://mariadb.com/kb/en/library/upgrading-from-mariadb-101-to-mariadb-102//#incompatible-changes-between-101-and-102) +- [Incompatible changes upgrading from MariaDB 10.2 to MariaDB 10.3](https://mariadb.com/kb/en/library/upgrading-from-mariadb-102-to-mariadb-103/#incompatible-changes-between-102-and-103) + +### To 5.0.0 + +Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. +Use the workaround below to upgrade from versions previous to 5.0.0. The following example assumes that the release name is mariadb: + +```console +$ kubectl delete statefulset opencart-mariadb --cascade=false +``` + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/.helmignore b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/Chart.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/Chart.yaml new file mode 100644 index 00000000..457e3350 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 1.13.0 +description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- email: containers@bitnami.com + name: Bitnami +name: common +sources: +- https://github.com/bitnami/charts +- https://www.bitnami.com/ +type: library +version: 1.13.0 diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/README.md b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/README.md new file mode 100644 index 00000000..c090f742 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/README.md @@ -0,0 +1,347 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 1.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|-----------------------------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Input | +|--------------------------|------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis™ are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_affinities.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_affinities.tpl new file mode 100644 index 00000000..189ea403 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_affinities.tpl @@ -0,0 +1,102 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_capabilities.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_capabilities.tpl new file mode 100644 index 00000000..4ec8321e --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_capabilities.tpl @@ -0,0 +1,139 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_errors.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_errors.tpl new file mode 100644 index 00000000..a79cc2e3 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_images.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_images.tpl new file mode 100644 index 00000000..42ffbc72 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_images.tpl @@ -0,0 +1,75 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if $registryName }} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- else -}} +{{- printf "%s:%s" $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_ingress.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_ingress.tpl new file mode 100644 index 00000000..8caf73a6 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_ingress.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_labels.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_labels.tpl new file mode 100644 index 00000000..252066c7 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_names.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_names.tpl new file mode 100644 index 00000000..c8574d17 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_names.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_secrets.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_secrets.tpl new file mode 100644 index 00000000..a53fb44f --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_secrets.tpl @@ -0,0 +1,140 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key }} + {{- else }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_storage.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_storage.tpl new file mode 100644 index 00000000..60e2a844 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_tplvalues.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_tplvalues.tpl new file mode 100644 index 00000000..2db16685 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_utils.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_utils.tpl new file mode 100644 index 00000000..ea083a24 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_warnings.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_warnings.tpl new file mode 100644 index 00000000..ae10fa41 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_cassandra.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 00000000..ded1ae3b --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_mariadb.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 00000000..b6906ff7 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_mongodb.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 00000000..a071ea4d --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_postgresql.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 00000000..164ec0d0 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_redis.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_redis.tpl new file mode 100644 index 00000000..5d72959b --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,76 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis™ required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_validations.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_validations.tpl new file mode 100644 index 00000000..9a814cf4 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/values.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/values.yaml new file mode 100644 index 00000000..f2df68e5 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/charts/common/values.yaml @@ -0,0 +1,5 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/ci/values-production-with-rbac-and-metrics.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/ci/values-production-with-rbac-and-metrics.yaml new file mode 100644 index 00000000..2f1a8d95 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/ci/values-production-with-rbac-and-metrics.yaml @@ -0,0 +1,33 @@ +# Test values file for generating all of the yaml and check that +# the rendering is correct +architecture: replication +auth: + usePasswordFiles: true + +primary: + extraEnvVars: + - name: TEST + value: "3" + extraEnvVarsSecret: example-secret + extraEnvVarsCM: example-cm + podDisruptionBudget: + create: true + +secondary: + replicaCount: 2 + extraEnvVars: + - name: TEST + value: "2" + extraEnvVarsSecret: example-secret-2 + extraEnvVarsCM: example-cm-2 + podDisruptionBudget: + create: true + +serviceAccount: + create: true + name: mariadb-service-account +rbac: + create: true + +metrics: + enabled: true diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/NOTES.txt b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/NOTES.txt new file mode 100644 index 00000000..65a65e7c --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/NOTES.txt @@ -0,0 +1,75 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +** Please be patient while the chart is being deployed ** + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/mariadb/entrypoint.sh /opt/bitnami/scripts/mariadb/run.sh + +{{- else }} + +Tip: + + Watch the deployment status using the command: kubectl get pods -w --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Services: + + echo Primary: {{ include "mariadb.primary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ coalesce .Values.primary.service.ports.mysql .Values.primary.service.port }} +{{- if eq .Values.architecture "replication" }} + echo Secondary: {{ include "mariadb.secondary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ coalesce .Values.secondary.service.ports.mysql .Values.secondary.service.port }} +{{- end }} + +Administrator credentials: + + Username: root + Password : $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "mariadb.secretName" . }} -o jsonpath="{.data.mariadb-root-password}" | base64 --decode) + +To connect to your database: + + 1. Run a pod that you can use as a client: + + kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --image {{ template "mariadb.image" . }} --namespace {{ .Release.Namespace }} --command -- bash + + 2. To connect to primary service (read/write): + + mysql -h {{ include "mariadb.primary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -uroot -p {{ .Values.auth.database }} + +{{- if eq .Values.architecture "replication" }} + + 3. To connect to secondary service (read-only): + + mysql -h {{ include "mariadb.secondary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -uroot -p {{ .Values.auth.database }} +{{- end }} + +To upgrade this helm chart: + + 1. Obtain the password as described on the 'Administrator credentials' section and set the 'auth.rootPassword' parameter as shown below: + + ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "mariadb.secretName" . }} -o jsonpath="{.data.mariadb-root-password}" | base64 --decode) + helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }} bitnami/mariadb --set auth.rootPassword=$ROOT_PASSWORD + +{{- include "common.warnings.rollingTag" .Values.image }} +{{- include "common.warnings.rollingTag" .Values.metrics.image }} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "mariadb.validateValues" . }} +{{- if not .Values.auth.customPasswordFiles -}} + {{- $passwordValidationErrors := include "common.validations.values.mariadb.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}} +{{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/_helpers.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/_helpers.tpl new file mode 100644 index 00000000..5f6f8f79 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/_helpers.tpl @@ -0,0 +1,149 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "mariadb.primary.fullname" -}} +{{- if eq .Values.architecture "replication" }} +{{- printf "%s-%s" (include "common.names.fullname" .) "primary" | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- include "common.names.fullname" . -}} +{{- end -}} +{{- end -}} + +{{- define "mariadb.secondary.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "secondary" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the proper MariaDB image name +*/}} +{{- define "mariadb.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper metrics image name +*/}} +{{- define "mariadb.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "mariadb.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "mariadb.imagePullSecrets" -}} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{- end -}} + +{{ template "mariadb.initdbScriptsCM" . }} +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "mariadb.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" .Values.initdbScriptsConfigMap -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "mariadb.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "mariadb.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MariaDB Primary configuration +*/}} +{{- define "mariadb.primary.configmapName" -}} +{{- if .Values.primary.existingConfigmap -}} + {{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s" (include "mariadb.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MariaDB Secondary +*/}} +{{- define "mariadb.primary.createConfigmap" -}} +{{- if and .Values.primary.configuration (not .Values.primary.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MariaDB Primary configuration +*/}} +{{- define "mariadb.secondary.configmapName" -}} +{{- if .Values.secondary.existingConfigmap -}} + {{- printf "%s" (tpl .Values.secondary.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s" (include "mariadb.secondary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MariaDB Secondary +*/}} +{{- define "mariadb.secondary.createConfigmap" -}} +{{- if and (eq .Values.architecture "replication") .Values.secondary.configuration (not .Values.secondary.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret with MariaDB credentials +*/}} +{{- define "mariadb.secretName" -}} + {{- if .Values.auth.existingSecret -}} + {{- printf "%s" .Values.auth.existingSecret -}} + {{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created for MariaDB +*/}} +{{- define "mariadb.createSecret" -}} +{{- if not (or .Values.auth.existingSecret .Values.auth.customPasswordFiles) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "mariadb.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "mariadb.validateValues.architecture" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate values of MariaDB - must provide a valid architecture */}} +{{- define "mariadb.validateValues.architecture" -}} +{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replication") -}} +mariadb: architecture + Invalid architecture selected. Valid values are "standalone" and + "replication". Please set a valid architecture (--set architecture="xxxx") +{{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/extra-list.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/extra-list.yaml new file mode 100644 index 00000000..9ac65f9e --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/networkpolicy-egress.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/networkpolicy-egress.yaml new file mode 100644 index 00000000..dc309e0e --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/networkpolicy-egress.yaml @@ -0,0 +1,32 @@ +{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-egress" (include "common.names.fullname" .) }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- include "common.labels.standard" . | nindent 6 }} + policyTypes: + - Egress + egress: + {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - to: + - namespaceSelector: {} + {{- end }} + {{- if .Values.networkPolicy.egressRules.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/configmap.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/configmap.yaml new file mode 100644 index 00000000..ae4d5b17 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/configmap.yaml @@ -0,0 +1,18 @@ +{{- if (include "mariadb.primary.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "mariadb.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + my.cnf: |- +{{ .Values.primary.configuration | indent 4 }} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/initialization-configmap.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/initialization-configmap.yaml new file mode 100644 index 00000000..f85903c3 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/initialization-configmap.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-init-scripts" (include "mariadb.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary +data: +{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }} +{{ end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/networkpolicy-ingress.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/networkpolicy-ingress.yaml new file mode 100644 index 00000000..be184955 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/networkpolicy-ingress.yaml @@ -0,0 +1,55 @@ +{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-ingress" (include "common.names.fullname" .) }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: primary + {{- include "common.labels.standard" . | nindent 6 }} + ingress: + {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} + - from: + {{- if .Values.networkPolicy.metrics.namespaceSelector }} + - namespaceSelector: + matchLabels: + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.metrics.podSelector }} + - podSelector: + matchLabels: + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} + {{- end }} + {{- end }} + {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }} + - from: + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} + - namespaceSelector: + matchLabels: + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} + - podSelector: + matchLabels: + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} + {{- end }} + {{- end }} + {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }} + - from: + - podSelector: + matchLabels: + app.kubernetes.io/component: secondary + {{- include "common.labels.standard" . | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/pdb.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/pdb.yaml new file mode 100644 index 00000000..d9230586 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/pdb.yaml @@ -0,0 +1,25 @@ +{{- if .Values.primary.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "mariadb.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.primary.pdb.minAvailable }} + minAvailable: {{ .Values.primary.pdb.minAvailable }} + {{- end }} + {{- if .Values.primary.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.primary.pdb.maxUnavailable }} + {{- end }} + selector: + matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: primary +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/statefulset.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/statefulset.yaml new file mode 100644 index 00000000..3ee7005b --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/statefulset.yaml @@ -0,0 +1,386 @@ +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "mariadb.primary.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: 1 + revisionHistoryLimit: {{ .Values.primary.revisionHistoryLimit }} + selector: + matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: primary + serviceName: {{ include "mariadb.primary.fullname" . }} + {{- if .Values.primary.updateStrategy }} + updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }} + {{- end }} + template: + metadata: + annotations: + {{- if (include "mariadb.primary.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/primary/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.primary.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.podAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: primary + {{- if .Values.primary.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.podLabels "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- include "mariadb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.primary.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if or .Values.primary.schedulerName .Values.schedulerName }} + schedulerName: {{ (coalesce .Values.primary.schedulerName .Values.schedulerName) | quote }} + {{- end }} + serviceAccountName: {{ template "mariadb.serviceAccountName" . }} + {{- if .Values.primary.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.primary.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.schedulerName }} + schedulerName: {{ .Values.primary.schedulerName }} + {{- end }} + {{- if .Values.primary.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.priorityClassName }} + priorityClassName: {{ .Values.primary.priorityClassName | quote }} + {{- else if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.primary.podSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if or .Values.primary.initContainers (and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled) }} + initContainers: + {{- if .Values.primary.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled }} + - name: volume-permissions + image: {{ include "mariadb.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /bitnami/mariadb + securityContext: + runAsUser: 0 + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: /bitnami/mariadb + {{- if .Values.primary.persistence.subPath }} + subPath: {{ .Values.primary.persistence.subPath }} + {{- end }} + {{- end }} + {{- end }} + containers: + - name: mariadb + image: {{ include "mariadb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.primary.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.primary.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.primary.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.primary.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: MARIADB_ROOT_PASSWORD_FILE + value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }} + {{- else }} + - name: MARIADB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.secretName" . }} + key: mariadb-root-password + {{- end }} + {{- if not (empty .Values.auth.username) }} + - name: MARIADB_USER + value: {{ .Values.auth.username | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: MARIADB_PASSWORD_FILE + value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-password" .Values.auth.customPasswordFiles.user }} + {{- else }} + - name: MARIADB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.secretName" . }} + key: mariadb-password + {{- end }} + {{- end }} + - name: MARIADB_DATABASE + value: {{ .Values.auth.database | quote }} + {{- if eq .Values.architecture "replication" }} + - name: MARIADB_REPLICATION_MODE + value: "master" + - name: MARIADB_REPLICATION_USER + value: {{ .Values.auth.replicationUser | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: MARIADB_REPLICATION_PASSWORD_FILE + value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-replication-password" .Values.auth.customPasswordFiles.replicator }} + {{- else }} + - name: MARIADB_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.secretName" . }} + key: mariadb-replication-password + {{- end }} + {{- end }} + {{- if .Values.primary.extraFlags }} + - name: MARIADB_EXTRA_FLAGS + value: "{{ .Values.primary.extraFlags }}" + {{- end }} + {{- if .Values.primary.startupWaitOptions }} + - name: MARIADB_STARTUP_WAIT_RETRIES + value: "{{ .Values.primary.startupWaitOptions.retries | default 300 }}" + - name: MARIADB_STARTUP_WAIT_SLEEP_TIME + value: "{{ .Values.primary.startupWaitOptions.sleepTime | default 2 }}" + {{- end }} + {{- if .Values.primary.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }} + envFrom: + {{- if .Values.primary.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.primary.extraEnvVarsCM }} + {{- end }} + {{- if .Values.primary.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.primary.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: mysql + containerPort: 3306 + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.primary.startupProbe.enabled }} + startupProbe: {{- omit .Values.primary.startupProbe "enabled" | toYaml | nindent 12 }} + exec: + command: + - /bin/bash + - -ec + - | + password_aux="${MARIADB_ROOT_PASSWORD:-}" + if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then + password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") + fi + mysqladmin status -uroot -p"${password_aux}" + {{- else if .Values.primary.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.primary.livenessProbe.enabled }} + livenessProbe: {{- omit .Values.primary.livenessProbe "enabled" | toYaml | nindent 12 }} + exec: + command: + - /bin/bash + - -ec + - | + password_aux="${MARIADB_ROOT_PASSWORD:-}" + if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then + password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") + fi + mysqladmin status -uroot -p"${password_aux}" + {{- else if .Values.primary.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.primary.readinessProbe.enabled }} + readinessProbe: {{- omit .Values.primary.readinessProbe "enabled" | toYaml | nindent 12 }} + exec: + command: + - /bin/bash + - -ec + - | + password_aux="${MARIADB_ROOT_PASSWORD:-}" + if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then + password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") + fi + mysqladmin status -uroot -p"${password_aux}" + {{- else if .Values.primary.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.primary.resources }} + resources: {{ toYaml .Values.primary.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: /bitnami/mariadb + {{- if .Values.primary.persistence.subPath }} + subPath: {{ .Values.primary.persistence.subPath }} + {{- end }} + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.primary.configuration .Values.primary.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mariadb/conf/my.cnf + subPath: my.cnf + {{- end }} + {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} + - name: mariadb-credentials + mountPath: /opt/bitnami/mariadb/secrets/ + {{- end }} + {{- if .Values.primary.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "mariadb.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + {{- if .Values.auth.usePasswordFiles }} + - name: MARIADB_ROOT_PASSWORD_FILE + value: {{ default "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }} + {{- else }} + - name: MARIADB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.secretName" . }} + key: mariadb-root-password + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + - | + password_aux="${MARIADB_ROOT_PASSWORD:-}" + if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then + password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") + fi + DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} + {{- end }} + ports: + - name: metrics + containerPort: 9104 + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }} + httpGet: + path: /metrics + port: metrics + {{- end }} + {{- if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- omit .Values.metrics.readinessProbe "enabled" | toYaml | nindent 12 }} + httpGet: + path: /metrics + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} + volumeMounts: + - name: mariadb-credentials + mountPath: /opt/bitnami/mysqld-exporter/secrets/ + {{- end }} + {{- end }} + {{- if .Values.primary.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + {{- if or .Values.primary.configuration .Values.primary.existingConfigmap }} + - name: config + configMap: + name: {{ include "mariadb.primary.configmapName" . }} + {{- end }} + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mariadb.initdbScriptsCM" . }} + {{- end }} + {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} + - name: mariadb-credentials + secret: + secretName: {{ template "mariadb.secretName" . }} + items: + - key: mariadb-root-password + path: mariadb-root-password + - key: mariadb-password + path: mariadb-password + {{- if eq .Values.architecture "replication" }} + - key: mariadb-replication-password + path: mariadb-replication-password + {{- end }} + {{- end }} + {{- if .Values.primary.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }} + - name: data + persistentVolumeClaim: + claimName: {{ tpl .Values.primary.persistence.existingClaim . }} + {{- else if not .Values.primary.persistence.enabled }} + - name: data + emptyDir: {} + {{- else if and .Values.primary.persistence.enabled (not .Values.primary.persistence.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: {{ include "common.labels.matchLabels" . | nindent 10 }} + app.kubernetes.io/component: primary + {{- if .Values.primary.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.primary.persistence.annotations "context" $ ) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.primary.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.primary.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) }} + {{- if .Values.primary.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }} + {{- end -}} + {{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/svc.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/svc.yaml new file mode 100644 index 00000000..3d59535d --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/primary/svc.yaml @@ -0,0 +1,61 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mariadb.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.primary.service.type }} + {{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }} + clusterIP: {{ .Values.primary.service.clusterIP }} + {{- end }} + {{- if and .Values.primary.service.externalTrafficPolicy (or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.primary.service.type "LoadBalancer") .Values.primary.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges }} + {{ end }} + {{- if (and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }} + {{- end }} + {{- if .Values.primary.service.sessionAffinity }} + sessionAffinity: {{ .Values.primary.service.sessionAffinity }} + {{- end }} + {{- if .Values.primary.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: mysql + port: {{ coalesce .Values.primary.service.ports.mysql .Values.primary.service.port }} + protocol: TCP + targetPort: mysql + {{- if (and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (coalesce .Values.primary.service.nodePorts.mysql .Values.primary.service.nodePort)) }} + nodePort: {{ coalesce .Values.primary.service.nodePorts.mysql .Values.primary.service.nodePort }} + {{- else if eq .Values.primary.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + port: 9104 + protocol: TCP + targetPort: metrics + {{- end }} + {{- if .Values.primary.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{ include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: primary diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/prometheusrules.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/prometheusrules.yaml new file mode 100644 index 00000000..d751acbe --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/prometheusrules.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "common.names.fullname" . }} + {{- if .Values.metrics.prometheusRule.namespace }} + namespace: {{ .Values.metrics.prometheusRule.namespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "common.names.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 6 }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/role.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/role.yaml new file mode 100644 index 00000000..a561f51c --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/rolebinding.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/rolebinding.yaml new file mode 100644 index 00000000..671aa6ef --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +subjects: + - kind: ServiceAccount + name: {{ include "mariadb.serviceAccountName" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "common.names.fullname" . -}} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/configmap.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/configmap.yaml new file mode 100644 index 00000000..4cfec646 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/configmap.yaml @@ -0,0 +1,18 @@ +{{- if (include "mariadb.secondary.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "mariadb.secondary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: secondary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + my.cnf: |- +{{ .Values.secondary.configuration | indent 4 }} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml new file mode 100644 index 00000000..334a1428 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled) }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-ingress-secondary" (include "common.names.fullname" .) }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: secondary + {{- include "common.labels.standard" . | nindent 6 }} + ingress: + {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} + - from: + {{- if .Values.networkPolicy.metrics.namespaceSelector }} + - namespaceSelector: + matchLabels: + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.metrics.podSelector }} + - podSelector: + matchLabels: + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} + {{- end }} + {{- end }} + {{- if and .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector) }} + - from: + {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector }} + - namespaceSelector: + matchLabels: + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector }} + - podSelector: + matchLabels: + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/pdb.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/pdb.yaml new file mode 100644 index 00000000..cae28ffd --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/pdb.yaml @@ -0,0 +1,25 @@ +{{- if and (eq .Values.architecture "replication") .Values.secondary.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "mariadb.secondary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: secondary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.secondary.pdb.minAvailable }} + minAvailable: {{ .Values.secondary.pdb.minAvailable }} + {{- end }} + {{- if .Values.secondary.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.secondary.pdb.maxUnavailable }} + {{- end }} + selector: + matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: secondary +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/statefulset.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/statefulset.yaml new file mode 100644 index 00000000..017bb448 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/statefulset.yaml @@ -0,0 +1,357 @@ +{{- if eq .Values.architecture "replication" }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "mariadb.secondary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: secondary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.secondary.replicaCount }} + revisionHistoryLimit: {{ .Values.secondary.revisionHistoryLimit }} + selector: + matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: secondary + serviceName: {{ include "mariadb.secondary.fullname" . }} + podManagementPolicy: {{ .Values.secondary.podManagementPolicy }} + {{- if .Values.secondary.updateStrategy }} + updateStrategy: {{- toYaml .Values.secondary.updateStrategy | nindent 4 }} + {{- end }} + template: + metadata: + annotations: + {{- if (include "mariadb.secondary.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/secondary/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.secondary.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondary.podAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: secondary + {{- if .Values.secondary.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondary.podLabels "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- include "mariadb.imagePullSecrets" . | nindent 6 }} + {{- if or .Values.secondary.schedulerName .Values.schedulerName }} + schedulerName: {{ (coalesce .Values.secondary.schedulerName .Values.schedulerName) | quote }} + {{- end }} + serviceAccountName: {{ template "mariadb.serviceAccountName" . }} + {{- if .Values.secondary.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.secondary.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.secondary.podAffinityPreset "component" "secondary" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.secondary.podAntiAffinityPreset "component" "secondary" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.secondary.nodeAffinityPreset.type "key" .Values.secondary.nodeAffinityPreset.key "values" .Values.secondary.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.secondary.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.secondary.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.secondary.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.secondary.priorityClassName }} + priorityClassName: {{ .Values.secondary.priorityClassName | quote }} + {{- else if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.secondary.podSecurityContext.enabled }} + securityContext: {{- omit .Values.secondary.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if or .Values.secondary.initContainers (and .Values.secondary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.secondary.persistence.enabled) }} + initContainers: + {{- if .Values.secondary.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondary.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.secondary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.secondary.persistence.enabled }} + - name: volume-permissions + image: {{ include "mariadb.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + chown -R {{ .Values.secondary.containerSecurityContext.runAsUser }}:{{ .Values.secondary.podSecurityContext.fsGroup }} /bitnami/mariadb + securityContext: + runAsUser: 0 + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: /bitnami/mariadb + {{- if .Values.secondary.persistence.subPath }} + subPath: {{ .Values.secondary.persistence.subPath }} + {{- end }} + {{- end }} + {{- end }} + containers: + - name: mariadb + image: {{ include "mariadb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.secondary.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.secondary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.secondary.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.secondary.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.secondary.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: MARIADB_REPLICATION_MODE + value: "slave" + - name: MARIADB_MASTER_HOST + value: {{ include "mariadb.primary.fullname" . }} + - name: MARIADB_MASTER_PORT_NUMBER + value: {{ coalesce .Values.primary.service.ports.mysql .Values.primary.service.port | quote }} + - name: MARIADB_MASTER_ROOT_USER + value: "root" + {{- if .Values.auth.usePasswordFiles }} + - name: MARIADB_MASTER_ROOT_PASSWORD_FILE + value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }} + {{- else }} + - name: MARIADB_MASTER_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.secretName" . }} + key: mariadb-root-password + {{- end }} + - name: MARIADB_REPLICATION_USER + value: {{ .Values.auth.replicationUser | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: MARIADB_REPLICATION_PASSWORD_FILE + value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-replication-password" .Values.auth.customPasswordFiles.replicator }} + {{- else }} + - name: MARIADB_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.secretName" . }} + key: mariadb-replication-password + {{- end }} + {{- if .Values.secondary.extraFlags }} + - name: MARIADB_EXTRA_FLAGS + value: "{{ .Values.secondary.extraFlags }}" + {{- end }} + {{- if .Values.secondary.startupWaitOptions }} + - name: MARIADB_STARTUP_WAIT_RETRIES + value: "{{ .Values.secondary.startupWaitOptions.retries | default 300 }}" + - name: MARIADB_STARTUP_WAIT_SLEEP_TIME + value: "{{ .Values.secondary.startupWaitOptions.sleepTime | default 2 }}" + {{- end }} + {{- if .Values.secondary.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.secondary.extraEnvVarsCM .Values.secondary.extraEnvVarsSecret }} + envFrom: + {{- if .Values.secondary.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.secondary.extraEnvVarsCM }} + {{- end }} + {{- if .Values.secondary.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.secondary.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: mysql + containerPort: 3306 + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.secondary.startupProbe.enabled }} + startupProbe: {{- omit .Values.secondary.startupProbe "enabled" | toYaml | nindent 12 }} + exec: + command: + - /bin/bash + - -ec + - | + password_aux="${MARIADB_MASTER_ROOT_PASSWORD:-}" + if [[ -f "${MARIADB_MASTER_ROOT_PASSWORD_FILE:-}" ]]; then + password_aux=$(cat "$MARIADB_MASTER_ROOT_PASSWORD_FILE") + fi + mysqladmin status -uroot -p"${password_aux}" + {{- else if .Values.secondary.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.secondary.livenessProbe.enabled }} + livenessProbe: {{- omit .Values.secondary.livenessProbe "enabled" | toYaml | nindent 12 }} + exec: + command: + - /bin/bash + - -ec + - | + password_aux="${MARIADB_MASTER_ROOT_PASSWORD:-}" + if [[ -f "${MARIADB_MASTER_ROOT_PASSWORD_FILE:-}" ]]; then + password_aux=$(cat "$MARIADB_MASTER_ROOT_PASSWORD_FILE") + fi + mysqladmin status -uroot -p"${password_aux}" + {{- else if .Values.secondary.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.secondary.readinessProbe.enabled }} + readinessProbe: {{- omit .Values.secondary.readinessProbe "enabled" | toYaml | nindent 12 }} + exec: + command: + - /bin/bash + - -ec + - | + password_aux="${MARIADB_MASTER_ROOT_PASSWORD:-}" + if [[ -f "${MARIADB_MASTER_ROOT_PASSWORD_FILE:-}" ]]; then + password_aux=$(cat "$MARIADB_MASTER_ROOT_PASSWORD_FILE") + fi + mysqladmin status -uroot -p"${password_aux}" + {{- else if .Values.secondary.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.secondary.resources }} + resources: {{ toYaml .Values.secondary.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: /bitnami/mariadb + {{- if .Values.secondary.persistence.subPath }} + subPath: {{ .Values.secondary.persistence.subPath }} + {{- end }} + {{- if or .Values.secondary.configuration .Values.secondary.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mariadb/conf/my.cnf + subPath: my.cnf + {{- end }} + {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} + - name: mariadb-credentials + mountPath: /opt/bitnami/mariadb/secrets/ + {{- end }} + {{- if .Values.secondary.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "mariadb.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + {{- if .Values.auth.usePasswordFiles }} + - name: MARIADB_ROOT_PASSWORD_FILE + value: {{ default "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }} + {{- else }} + - name: MARIADB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.secretName" . }} + key: mariadb-root-password + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + - | + password_aux="${MARIADB_ROOT_PASSWORD:-}" + if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then + password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") + fi + DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.secondary }} {{ . }} {{- end }} + {{- end }} + ports: + - name: metrics + containerPort: 9104 + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }} + httpGet: + path: /metrics + port: metrics + {{- end }} + {{- if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- omit .Values.metrics.readinessProbe "enabled" | toYaml | nindent 12 }} + httpGet: + path: /metrics + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} + volumeMounts: + - name: mariadb-credentials + mountPath: /opt/bitnami/mysqld-exporter/secrets/ + {{- end }} + {{- end }} + {{- if .Values.secondary.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondary.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + {{- if or .Values.secondary.configuration .Values.secondary.existingConfigmap }} + - name: config + configMap: + name: {{ include "mariadb.secondary.configmapName" . }} + {{- end }} + {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} + - name: mariadb-credentials + secret: + secretName: {{ template "mariadb.secretName" . }} + items: + - key: mariadb-root-password + path: mariadb-root-password + - key: mariadb-replication-password + path: mariadb-replication-password + {{- end }} + {{- if .Values.secondary.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if not .Values.secondary.persistence.enabled }} + - name: data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: data + labels: {{ include "common.labels.matchLabels" . | nindent 10 }} + app.kubernetes.io/component: secondary + {{- if .Values.secondary.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.secondary.persistence.annotations "context" $ ) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.secondary.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.secondary.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.secondary.persistence "global" .Values.global) }} + {{- if .Values.secondary.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.persistence.selector "context" $) | nindent 10 }} + {{- end -}} + {{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/svc.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/svc.yaml new file mode 100644 index 00000000..66552847 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secondary/svc.yaml @@ -0,0 +1,63 @@ +{{- if eq .Values.architecture "replication" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mariadb.secondary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: secondary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.secondary.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.secondary.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.secondary.service.type }} + {{- if and .Values.secondary.service.clusterIP (eq .Values.secondary.service.type "ClusterIP") }} + clusterIP: {{ .Values.secondary.service.clusterIP }} + {{- end }} + {{- if and .Values.secondary.service.externalTrafficPolicy (or (eq .Values.secondary.service.type "LoadBalancer") (eq .Values.secondary.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.secondary.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.secondary.service.type "LoadBalancer") .Values.secondary.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{ .Values.secondary.service.loadBalancerSourceRanges }} + {{ end }} + {{- if and (eq .Values.secondary.service.type "LoadBalancer") (not (empty .Values.secondary.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.secondary.service.loadBalancerIP }} + {{- end }} + {{- if .Values.secondary.service.sessionAffinity }} + sessionAffinity: {{ .Values.secondary.service.sessionAffinity }} + {{- end }} + {{- if .Values.secondary.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: mysql + port: {{ coalesce .Values.secondary.service.ports.mysql .Values.secondary.service.port }} + protocol: TCP + targetPort: mysql + {{- if (and (or (eq .Values.secondary.service.type "NodePort") (eq .Values.secondary.service.type "LoadBalancer")) (coalesce .Values.secondary.service.nodePorts.mysql .Values.secondary.service.nodePort)) }} + nodePort: {{ coalesce .Values.secondary.service.nodePorts.mysql .Values.secondary.service.nodePort }} + {{- else if eq .Values.secondary.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + port: 9104 + protocol: TCP + targetPort: metrics + {{- end }} + {{- if .Values.secondary.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondary.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{ include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: secondary +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secrets.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secrets.yaml new file mode 100644 index 00000000..2ff62edd --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/secrets.yaml @@ -0,0 +1,35 @@ +{{- if eq (include "mariadb.createSecret" .) "true" }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if (not .Values.auth.forcePassword) }} + mariadb-root-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "mariadb-root-password" "providedValues" (list "auth.rootPassword") "context" $) }} + {{- else }} + mariadb-root-password: {{ required "A MariaDB Root Password is required!" .Values.auth.rootPassword | b64enc | quote }} + {{- end }} + {{- if (not (empty .Values.auth.username)) }} + {{- if (not .Values.auth.forcePassword) }} + mariadb-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "mariadb-password" "providedValues" (list "auth.password") "context" $) }} + {{- else }} + mariadb-password: {{ required "A MariaDB Database Password is required!" .Values.auth.password | b64enc | quote }} + {{- end }} + {{- end }} + {{- if eq .Values.architecture "replication" }} + {{- if (not .Values.auth.forcePassword) }} + mariadb-replication-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "mariadb-replication-password" "providedValues" (list "auth.replicationPassword") "context" $) }} + {{- else }} + mariadb-replication-password: {{ required "A MariaDB Replication Password is required!" .Values.auth.replicationPassword | b64enc | quote }} + {{- end }} + {{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/serviceaccount.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/serviceaccount.yaml new file mode 100644 index 00000000..03a6b4e9 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "mariadb.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.serviceAccount.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/servicemonitor.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/servicemonitor.yaml new file mode 100644 index 00000000..ca5bf7ca --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/templates/servicemonitor.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "common.names.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- else }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }} + endpoints: + - port: metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/values.schema.json b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/values.schema.json new file mode 100644 index 00000000..500c4eb9 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/values.schema.json @@ -0,0 +1,176 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "architecture": { + "type": "string", + "title": "MariaDB architecture", + "form": true, + "description": "Allowed values: `standalone` or `replication`" + }, + "auth": { + "type": "object", + "title": "Authentication configuration", + "form": true, + "properties": { + "rootPassword": { + "type": "string", + "title": "MariaDB root password", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set" + }, + "database": { + "type": "string", + "title": "MariaDB custom database", + "description": "Name of the custom database to be created during the 1st initialization of MariaDB", + "form": true + }, + "username": { + "type": "string", + "title": "MariaDB custom user", + "description": "Name of the custom user to be created during the 1st initialization of MariaDB. This user only has permissions on the MariaDB custom database", + "form": true + }, + "password": { + "type": "string", + "title": "Password for MariaDB custom user", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true, + "hidden": { + "value": false, + "path": "usePassword" + } + }, + "replicationUser": { + "type": "string", + "title": "MariaDB replication user", + "description": "Name of user used to manage replication.", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + }, + "replicationPassword": { + "type": "string", + "title": "Password for MariaDB replication user", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "primary": { + "type": "object", + "title": "Primary replicas settings", + "form": true, + "properties": { + "persistence": { + "type": "object", + "title": "Persistence for primary replicas", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + } + } + }, + "secondary": { + "type": "object", + "title": "Secondary replicas settings", + "form": true, + "hidden": { + "value": false, + "path": "replication/enabled" + }, + "properties": { + "persistence": { + "type": "object", + "title": "Persistence for secondary replicas", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus metrics exporter", + "description": "Create a side-car container to expose Prometheus metrics", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "value": false, + "path": "metrics/enabled" + } + } + } + } + } + } + } +} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/values.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/values.yaml new file mode 100644 index 00000000..cc432a0d --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/mariadb/values.yaml @@ -0,0 +1,1251 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + +## @param global.imageRegistry Global Docker Image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global storage class for dynamic provisioning +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + +## @section Common parameters + +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param nameOverride String to partially override mariadb.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override mariadb.fullname +## +fullnameOverride: "" +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param commonAnnotations Common annotations to add to all MariaDB resources (sub-charts are not considered) +## +commonAnnotations: {} +## @param commonLabels Common labels to add to all MariaDB resources (sub-charts are not considered) +## +commonLabels: {} +## @param schedulerName Name of the scheduler (other than default) to dispatch pods +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) +## +extraDeploy: [] + +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +## @section MariaDB common parameters + +## Bitnami MariaDB image +## ref: https://hub.docker.com/r/bitnami/mariadb/tags/ +## @param image.registry MariaDB image registry +## @param image.repository MariaDB image repository +## @param image.tag MariaDB image tag (immutable tags are recommended) +## @param image.pullPolicy MariaDB image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Specify if debug logs should be enabled +## +image: + registry: docker.io + repository: bitnami/mariadb + tag: 10.5.15-debian-10-r62 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## It turns BASH and/or NAMI debugging in the image + ## + debug: false +## @param architecture MariaDB architecture (`standalone` or `replication`) +## +architecture: standalone +## MariaDB Authentication parameters +## +auth: + ## @param auth.rootPassword Password for the `root` user. Ignored if existing secret is provided. + ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-the-root-password-on-first-run + ## + rootPassword: "" + ## @param auth.database Name for a custom database to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-on-first-run + ## + database: my_database + ## @param auth.username Name for a custom user to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-user-on-first-run + ## + username: "" + ## @param auth.password Password for the new user. Ignored if existing secret is provided + ## + password: "" + ## @param auth.replicationUser MariaDB replication user + ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-up-a-replication-cluster + ## + replicationUser: replicator + ## @param auth.replicationPassword MariaDB replication user password. Ignored if existing secret is provided + ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-up-a-replication-cluster + ## + replicationPassword: "" + ## @param auth.existingSecret Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` + ## + existingSecret: "" + ## @param auth.forcePassword Force users to specify required passwords + ## + forcePassword: false + ## @param auth.usePasswordFiles Mount credentials as files instead of using environment variables + ## + usePasswordFiles: false + ## @param auth.customPasswordFiles Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` + ## Example: + ## customPasswordFiles: + ## root: /vault/secrets/mariadb-root + ## user: /vault/secrets/mariadb-user + ## replicator: /vault/secrets/mariadb-replicator + ## + customPasswordFiles: {} +## @param initdbScripts Dictionary of initdb scripts +## Specify dictionary of scripts to be run at first boot +## Example: +## initdbScripts: +## my_init_script.sh: | +## #!/bin/bash +## echo "Do something." +## +initdbScripts: {} +## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) +## +initdbScriptsConfigMap: "" + +## @section MariaDB Primary parameters + +## Mariadb Primary parameters +## +primary: + ## @param primary.command Override default container command on MariaDB Primary container(s) (useful when using custom images) + ## + command: [] + ## @param primary.args Override default container args on MariaDB Primary container(s) (useful when using custom images) + ## + args: [] + ## @param primary.lifecycleHooks for the MariaDB Primary container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param primary.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param primary.configuration [string] MariaDB Primary configuration to be injected as ConfigMap + ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file + ## + configuration: |- + [mysqld] + skip-name-resolve + explicit_defaults_for_timestamp + basedir=/opt/bitnami/mariadb + plugin_dir=/opt/bitnami/mariadb/plugin + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + tmpdir=/opt/bitnami/mariadb/tmp + max_allowed_packet=16M + bind-address=:: + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + log-error=/opt/bitnami/mariadb/logs/mysqld.log + character-set-server=UTF8 + collation-server=utf8_general_ci + slow_query_log=0 + slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log + long_query_time=10.0 + + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + default-character-set=UTF8 + plugin_dir=/opt/bitnami/mariadb/plugin + + [manager] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + ## @param primary.existingConfigmap Name of existing ConfigMap with MariaDB Primary configuration. + ## NOTE: When it's set the 'configuration' parameter is ignored + ## + existingConfigmap: "" + ## @param primary.updateStrategy.type MariaDB primary statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param primary.rollingUpdatePartition Partition update strategy for Mariadb Primary statefulset + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + ## + rollingUpdatePartition: "" + ## @param primary.podAnnotations Additional pod annotations for MariaDB primary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param primary.podLabels Extra labels for MariaDB primary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param primary.podAffinityPreset MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Mariadb Primary node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key MariaDB primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values MariaDB primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param primary.nodeSelector Node labels for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param primary.podManagementPolicy podManagementPolicy to manage scaling operation of MariaDB primary pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## @param primary.topologySpreadConstraints Topology Spread Constraints for MariaDB primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: topology.kubernetes.io/zone + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: {} + ## @param primary.priorityClassName Priority class for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## MariaDB primary Pod security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param primary.podSecurityContext.enabled Enable security context for MariaDB primary pods + ## @param primary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## MariaDB primary container security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext + ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container + ## @param primary.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## MariaDB primary container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param primary.resources.limits The resources limits for MariaDB primary containers + ## @param primary.resources.requests The requested resources for MariaDB primary containers + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 256Mi + requests: {} + ## Configure extra options for MariaDB primary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param primary.startupProbe.enabled Enable startupProbe + ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param primary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 120 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param primary.livenessProbe.enabled Enable livenessProbe + ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param primary.readinessProbe.enabled Enable readinessProbe + ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param primary.customStartupProbe Override default startup probe for MariaDB primary containers + ## + customStartupProbe: {} + ## @param primary.customLivenessProbe Override default liveness probe for MariaDB primary containers + ## + customLivenessProbe: {} + ## @param primary.customReadinessProbe Override default readiness probe for MariaDB primary containers + ## + customReadinessProbe: {} + ## @param primary.startupWaitOptions Override default builtin startup wait check options for MariaDB primary containers + ## `bitnami/mariadb` Docker image has built-in startup check mechanism, + ## which periodically checks if MariaDB service has started up and stops it + ## if all checks have failed after X tries. Use these to control these checks. + ## ref: https://github.com/bitnami/bitnami-docker-mariadb/pull/240 + ## Example (with default options): + ## startupWaitOptions: + ## retries: 300 + ## waitTime: 2 + ## + startupWaitOptions: {} + ## @param primary.extraFlags MariaDB primary additional command line flags + ## Can be used to specify command line flags, for example: + ## E.g. + ## extraFlags: "--max-connect-errors=1000 --max_connections=155" + ## + extraFlags: "" + ## @param primary.extraEnvVars Extra environment variables to be set on MariaDB primary containers + ## E.g. + ## extraEnvVars: + ## - name: TZ + ## value: "Europe/Paris" + ## + extraEnvVars: [] + ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MariaDB primary containers + ## + extraEnvVarsCM: "" + ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MariaDB primary containers + ## + extraEnvVarsSecret: "" + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param primary.persistence.enabled Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir + ## + enabled: true + ## @param primary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas + ## NOTE: When it's set the rest of persistence parameters are ignored + ## + existingClaim: "" + ## @param primary.persistence.subPath Subdirectory of the volume to mount at + ## + subPath: "" + ## @param primary.persistence.storageClass MariaDB primary persistent volume storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param primary.persistence.annotations MariaDB primary persistent volume claim annotations + ## + annotations: {} + ## @param primary.persistence.accessModes MariaDB primary persistent volume access Modes + ## + accessModes: + - ReadWriteOnce + ## @param primary.persistence.size MariaDB primary persistent volume size + ## + size: 8Gi + ## @param primary.persistence.selector Selector to match an existing Persistent Volume + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param primary.extraVolumes Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) + ## + extraVolumes: [] + ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) + ## + extraVolumeMounts: [] + ## @param primary.initContainers Add additional init containers for the MariaDB Primary pod(s) + ## + initContainers: [] + ## @param primary.sidecars Add additional sidecar containers for the MariaDB Primary pod(s) + ## + sidecars: [] + ## MariaDB Primary Service parameters + ## + service: + ## @param primary.service.type MariaDB Primary Kubernetes service type + ## + type: ClusterIP + ## @param primary.service.ports.mysql MariaDB Primary Kubernetes service port + ## + ports: + mysql: 3306 + ## @param primary.service.nodePorts.mysql MariaDB Primary Kubernetes service node port + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + mysql: "" + ## @param primary.service.clusterIP MariaDB Primary Kubernetes service clusterIP IP + ## + clusterIP: "" + ## @param primary.service.loadBalancerIP MariaDB Primary loadBalancerIP if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param primary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param primary.service.loadBalancerSourceRanges Address that are allowed when MariaDB Primary service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## E.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param primary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param primary.service.annotations Provide any additional annotations which may be required + ## + annotations: {} + ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## MariaDB primary Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param primary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB primary pods + ## + create: false + ## @param primary.pdb.minAvailable Minimum number/percentage of MariaDB primary pods that must still be available after the eviction + ## + minAvailable: 1 + ## @param primary.pdb.maxUnavailable Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction + ## + maxUnavailable: "" + ## @param primary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet + ## + revisionHistoryLimit: 10 + +## @section MariaDB Secondary parameters + +## Mariadb Secondary parameters +## +secondary: + ## @param secondary.replicaCount Number of MariaDB secondary replicas + ## + replicaCount: 1 + ## @param secondary.command Override default container command on MariaDB Secondary container(s) (useful when using custom images) + ## + command: [] + ## @param secondary.args Override default container args on MariaDB Secondary container(s) (useful when using custom images) + ## + args: [] + ## @param secondary.lifecycleHooks for the MariaDB Secondary container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param secondary.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param secondary.configuration [string] MariaDB Secondary configuration to be injected as ConfigMap + ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file + ## + configuration: |- + [mysqld] + skip-name-resolve + explicit_defaults_for_timestamp + basedir=/opt/bitnami/mariadb + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + tmpdir=/opt/bitnami/mariadb/tmp + max_allowed_packet=16M + bind-address=0.0.0.0 + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + log-error=/opt/bitnami/mariadb/logs/mysqld.log + character-set-server=UTF8 + collation-server=utf8_general_ci + + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + default-character-set=UTF8 + + [manager] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + ## @param secondary.existingConfigmap Name of existing ConfigMap with MariaDB Secondary configuration. + ## NOTE: When it's set the 'configuration' parameter is ignored + ## + existingConfigmap: "" + ## @param secondary.updateStrategy.type MariaDB secondary statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param secondary.rollingUpdatePartition Partition update strategy for Mariadb Secondary statefulset + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + ## + rollingUpdatePartition: "" + ## @param secondary.podAnnotations Additional pod annotations for MariaDB secondary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param secondary.podLabels Extra labels for MariaDB secondary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param secondary.podAffinityPreset MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param secondary.podAntiAffinityPreset MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Mariadb Secondary node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param secondary.nodeAffinityPreset.type MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param secondary.nodeAffinityPreset.key MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param secondary.nodeAffinityPreset.values MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param secondary.affinity Affinity for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param secondary.nodeSelector Node labels for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param secondary.tolerations Tolerations for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param secondary.topologySpreadConstraints Topology Spread Constraints for MariaDB secondary pods assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: topology.kubernetes.io/zone + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: {} + ## @param secondary.priorityClassName Priority class for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param secondary.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param secondary.podManagementPolicy podManagementPolicy to manage scaling operation of MariaDB secondary pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## MariaDB secondary Pod security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param secondary.podSecurityContext.enabled Enable security context for MariaDB secondary pods + ## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## MariaDB secondary container security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext + ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container + ## @param secondary.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## MariaDB secondary container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param secondary.resources.limits The resources limits for MariaDB secondary containers + ## @param secondary.resources.requests The requested resources for MariaDB secondary containers + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 256Mi + requests: {} + ## Configure extra options for MariaDB Secondary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param secondary.startupProbe.enabled Enable startupProbe + ## @param secondary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param secondary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param secondary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param secondary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param secondary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 120 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param secondary.livenessProbe.enabled Enable livenessProbe + ## @param secondary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param secondary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param secondary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param secondary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param secondary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param secondary.readinessProbe.enabled Enable readinessProbe + ## @param secondary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param secondary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param secondary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param secondary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param secondary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param secondary.customStartupProbe Override default startup probe for MariaDB secondary containers + ## + customStartupProbe: {} + ## @param secondary.customLivenessProbe Override default liveness probe for MariaDB secondary containers + ## + customLivenessProbe: {} + ## @param secondary.customReadinessProbe Override default readiness probe for MariaDB secondary containers + ## + customReadinessProbe: {} + ## @param secondary.startupWaitOptions Override default builtin startup wait check options for MariaDB secondary containers + ## `bitnami/mariadb` Docker image has built-in startup check mechanism, + ## which periodically checks if MariaDB service has started up and stops it + ## if all checks have failed after X tries. Use these to control these checks. + ## ref: https://github.com/bitnami/bitnami-docker-mariadb/pull/240 + ## Example (with default options): + ## startupWaitOptions: + ## retries: 300 + ## waitTime: 2 + ## + startupWaitOptions: {} + ## @param secondary.extraFlags MariaDB secondary additional command line flags + ## Can be used to specify command line flags, for example: + ## E.g. + ## extraFlags: "--max-connect-errors=1000 --max_connections=155" + ## + extraFlags: "" + ## @param secondary.extraEnvVars Extra environment variables to be set on MariaDB secondary containers + ## E.g. + ## extraEnvVars: + ## - name: TZ + ## value: "Europe/Paris" + ## + extraEnvVars: [] + ## @param secondary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MariaDB secondary containers + ## + extraEnvVarsCM: "" + ## @param secondary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MariaDB secondary containers + ## + extraEnvVarsSecret: "" + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param secondary.persistence.enabled Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` + ## + enabled: true + ## @param secondary.persistence.subPath Subdirectory of the volume to mount at + ## + subPath: "" + ## @param secondary.persistence.storageClass MariaDB secondary persistent volume storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param secondary.persistence.annotations MariaDB secondary persistent volume claim annotations + ## + annotations: {} + ## @param secondary.persistence.accessModes MariaDB secondary persistent volume access Modes + ## + accessModes: + - ReadWriteOnce + ## @param secondary.persistence.size MariaDB secondary persistent volume size + ## + size: 8Gi + ## @param secondary.persistence.selector Selector to match an existing Persistent Volume + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param secondary.extraVolumes Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) + ## + extraVolumes: [] + ## @param secondary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) + ## + extraVolumeMounts: [] + ## @param secondary.initContainers Add additional init containers for the MariaDB secondary pod(s) + ## + initContainers: [] + ## @param secondary.sidecars Add additional sidecar containers for the MariaDB secondary pod(s) + ## + sidecars: [] + ## MariaDB Secondary Service parameters + ## + service: + ## @param secondary.service.type MariaDB secondary Kubernetes service type + ## + type: ClusterIP + ## @param secondary.service.ports.mysql MariaDB secondary Kubernetes service port + ## + ports: + mysql: 3306 + ## @param secondary.service.nodePorts.mysql MariaDB secondary Kubernetes service node port + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + mysql: "" + ## @param secondary.service.clusterIP MariaDB secondary Kubernetes service clusterIP IP + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param secondary.service.loadBalancerIP MariaDB secondary loadBalancerIP if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param secondary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param secondary.service.loadBalancerSourceRanges Address that are allowed when MariaDB secondary service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## E.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param secondary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param secondary.service.annotations Provide any additional annotations which may be required + ## + annotations: {} + ## @param secondary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param secondary.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## MariaDB secondary Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param secondary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods + ## + create: false + ## @param secondary.pdb.minAvailable Minimum number/percentage of MariaDB secondary pods that should remain scheduled + ## + minAvailable: 1 + ## @param secondary.pdb.maxUnavailable Maximum number/percentage of MariaDB secondary pods that may be made unavailable + ## + maxUnavailable: "" + ## @param secondary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet + ## + revisionHistoryLimit: 10 + +## @section RBAC parameters + +## MariaDB pods ServiceAccount +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable the creation of a ServiceAccount for MariaDB pods + ## + create: true + ## @param serviceAccount.name Name of the created ServiceAccount + ## If not set and create is true, a name is generated using the mariadb.fullname template + ## + name: "" + ## @param serviceAccount.annotations Annotations for MariaDB Service Account + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account + ## + automountServiceAccountToken: false +## Role Based Access +## ref: https://kubernetes.io/docs/admin/authorization/rbac/ +## +rbac: + ## @param rbac.create Whether to create and use RBAC resources or not + ## + create: false + +## @section Volume Permissions parameters + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` + ## + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image repository + ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r399 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param volumePermissions.resources.limits Init container volume-permissions resource limits + ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## + resources: + limits: {} + requests: {} + +## @section Metrics parameters + +## Mysqld Prometheus exporter parameters +## +metrics: + ## @param metrics.enabled Start a side-car prometheus exporter + ## + enabled: false + ## @param metrics.image.registry Exporter image registry + ## @param metrics.image.repository Exporter image repository + ## @param metrics.image.tag Exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy Exporter image pull policy + ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/mysqld-exporter + tag: 0.14.0-debian-10-r44 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.annotations [object] Annotations for the Exporter pod + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9104" + ## @param metrics.extraArgs [object] Extra args to be passed to mysqld_exporter + ## ref: https://github.com/prometheus/mysqld_exporter/ + ## E.g. + ## - --collect.auto_increment.columns + ## - --collect.binlog_size + ## - --collect.engine_innodb_status + ## - --collect.engine_tokudb_status + ## - --collect.global_status + ## - --collect.global_variables + ## - --collect.info_schema.clientstats + ## - --collect.info_schema.innodb_metrics + ## - --collect.info_schema.innodb_tablespaces + ## - --collect.info_schema.innodb_cmp + ## - --collect.info_schema.innodb_cmpmem + ## - --collect.info_schema.processlist + ## - --collect.info_schema.processlist.min_time + ## - --collect.info_schema.query_response_time + ## - --collect.info_schema.tables + ## - --collect.info_schema.tables.databases + ## - --collect.info_schema.tablestats + ## - --collect.info_schema.userstats + ## - --collect.perf_schema.eventsstatements + ## - --collect.perf_schema.eventsstatements.digest_text_limit + ## - --collect.perf_schema.eventsstatements.limit + ## - --collect.perf_schema.eventsstatements.timelimit + ## - --collect.perf_schema.eventswaits + ## - --collect.perf_schema.file_events + ## - --collect.perf_schema.file_instances + ## - --collect.perf_schema.indexiowaits + ## - --collect.perf_schema.tableiowaits + ## - --collect.perf_schema.tablelocks + ## - --collect.perf_schema.replication_group_member_stats + ## - --collect.slave_status + ## - --collect.slave_hosts + ## - --collect.heartbeat + ## - --collect.heartbeat.database + ## - --collect.heartbeat.table + ## + extraArgs: + primary: [] + secondary: [] + ## MariaDB metrics container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container + ## Example: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: true + ## + containerSecurityContext: + enabled: false + ## Mysqld Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param metrics.resources.limits The resources limits for MariaDB prometheus exporter containers + ## @param metrics.resources.requests The requested resources for MariaDB prometheus exporter containers + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 256Mi + requests: {} + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param metrics.livenessProbe.enabled Enable livenessProbe + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ## Configure extra options for readiness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param metrics.readinessProbe.enabled Enable readinessProbe + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## @param metrics.serviceMonitor.selector ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor + ## + labels: {} + ## Prometheus Operator PrometheusRule configuration + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Prometheus Rule definitions + ## - alert: MariaDB-Down + ## expr: absent(up{job="mariadb"} == 1) + ## for: 5m + ## labels: + ## severity: warning + ## service: mariadb + ## annotations: + ## message: 'MariaDB instance {{ $labels.instance }} is down' + ## summary: MariaDB instance is down + ## + rules: [] + +## @section NetworkPolicy parameters + +## Add networkpolicies +## +networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## + enabled: false + ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) + ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. + ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + ## + metrics: + enabled: false + ## e.g: + ## podSelector: + ## label: monitoring + ## + podSelector: {} + ## e.g: + ## namespaceSelector: + ## label: monitoring + ## + namespaceSelector: {} + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the primary node. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the primary node. + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules [object] Custom network policy for the secondary nodes. + ## + ingressRules: + ## Allow access to the primary node only from the indicated: + primaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + + ## Allow access to the secondary node only from the indicated: + secondaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## CustomRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + + ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). + ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule + ## + egressRules: + # Deny connections to external. This is not compatible with an external database. + denyConnectionsToExternal: false + ## Additional custom egress rules + ## e.g: + ## customRules: + ## - to: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/.helmignore b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/.helmignore new file mode 100644 index 00000000..f0c13194 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/Chart.lock b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/Chart.lock new file mode 100644 index 00000000..830fa8c9 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.10.3 +digest: sha256:e8f1d59ae8150ae6099f2d72a9e3ac2fdc0c8fd869b210226edf7c71eef11263 +generated: "2021-12-31T20:02:44.936728424Z" diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/Chart.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/Chart.yaml new file mode 100644 index 00000000..58d34d4f --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/Chart.yaml @@ -0,0 +1,28 @@ +annotations: + category: Database +apiVersion: v2 +appVersion: 11.14.0 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.x.x +description: Chart for PostgreSQL, an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. +home: https://github.com/bitnami/charts/tree/master/bitnami/postgresql +icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png +keywords: +- postgresql +- postgres +- database +- sql +- replication +- cluster +maintainers: +- email: containers@bitnami.com + name: Bitnami +- email: cedric@desaintmartin.fr + name: desaintmartin +name: postgresql +sources: +- https://github.com/bitnami/bitnami-docker-postgresql +- https://www.postgresql.org/ +version: 10.16.2 diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/README.md b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/README.md new file mode 100644 index 00000000..e14bdc0b --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/README.md @@ -0,0 +1,819 @@ + + +# PostgreSQL + +[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. + +## TL;DR + +```console +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/postgresql +``` + +## Introduction + +This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart +To install the chart with the release name `my-release`: + +```console +$ helm install my-release bitnami/postgresql +``` + +The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. + +To delete the PVC's associated with `my-release`: + +```console +$ kubectl delete pvc -l release=my-release +``` + +> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| --------------------------------------- | ------------------------------------------------------------------------------------ | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `""` | +| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `""` | +| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `""` | +| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `""` | +| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port` | `""` | +| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `""` | + + +### Common parameters + +| Name | Description | Value | +| ------------------------ | -------------------------------------------------------------------------------------------- | -------------- | +| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override common.names.fullname template | `""` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` | +| `commonLabels` | Add labels to all the deployed resources | `{}` | +| `commonAnnotations` | Add annotations to all the deployed resources | `{}` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + + +### PostgreSQL parameters + +| Name | Description | Value | +| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | +| `image.registry` | PostgreSQL image registry | `docker.io` | +| `image.repository` | PostgreSQL image repository | `bitnami/postgresql` | +| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `11.14.0-debian-10-r28` | +| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify image pull secrets | `[]` | +| `image.debug` | Specify if debug values should be set | `false` | +| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `10-debian-10-r305` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.securityContext.runAsUser` | User ID for the init container | `0` | +| `schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | +| `lifecycleHooks` | for the PostgreSQL container to automate configuration before or after startup | `{}` | +| `securityContext.enabled` | Enable security context | `true` | +| `securityContext.fsGroup` | Group ID for the pod | `1001` | +| `containerSecurityContext.enabled` | Enable container security context | `true` | +| `containerSecurityContext.runAsUser` | User ID for the container | `1001` | +| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` | +| `serviceAccount.name` | Name of an already existing service account. Setting this value disables the automatic service account creation | `""` | +| `serviceAccount.autoMount` | Auto-mount the service account token in the pod | `false` | +| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | +| `replication.enabled` | Enable replication | `false` | +| `replication.user` | Replication user | `repl_user` | +| `replication.password` | Replication user password | `repl_password` | +| `replication.readReplicas` | Number of read replicas replicas | `1` | +| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | +| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.readReplicas`. | `0` | +| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | +| `replication.singleService` | Create one service connecting to all read-replicas | `true` | +| `replication.uniqueServices` | Create a unique service for each independent read-replica | `false` | +| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`, in which case`postgres` is the admin username) | `""` | +| `postgresqlUsername` | PostgreSQL user (has superuser privileges if username is `postgres`) | `postgres` | +| `postgresqlPassword` | PostgreSQL user password | `""` | +| `existingSecret` | Name of existing secret to use for PostgreSQL passwords | `""` | +| `usePasswordFile` | Mount PostgreSQL secret as a file instead of passing environment variable | `false` | +| `postgresqlDatabase` | PostgreSQL database | `""` | +| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` | +| `extraEnv` | An array to add extra environment variables | `[]` | +| `extraEnvVarsCM` | Name of a Config Map containing extra environment variables | `""` | +| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `""` | +| `postgresqlInitdbWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` | +| `postgresqlConfiguration` | PostgreSQL configuration | `{}` | +| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `{}` | +| `primaryAsStandBy.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` | +| `primaryAsStandBy.primaryHost` | The Host of replication primary in the other cluster | `""` | +| `primaryAsStandBy.primaryPort` | The Port of replication primary in the other cluster | `""` | +| `pgHbaConfiguration` | PostgreSQL client authentication configuration | `""` | +| `configurationConfigMap` | ConfigMap with PostgreSQL configuration | `""` | +| `extendedConfConfigMap` | ConfigMap with PostgreSQL extended configuration | `""` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` | +| `initdbScriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` | +| `initdbUser` | Specify the PostgreSQL username to execute the initdb scripts | `""` | +| `initdbPassword` | Specify the PostgreSQL password to execute the initdb scripts | `""` | +| `containerPorts.postgresql` | PostgreSQL container port | `5432` | +| `audit.logHostname` | Log client hostnames | `false` | +| `audit.logConnections` | Add client log-in operations to the log file | `false` | +| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` | +| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` | +| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` | +| `audit.clientMinMessages` | Message log level to share with the user | `error` | +| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` | +| `audit.logTimezone` | Timezone for the log timestamps | `""` | +| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` | +| `postgresqlMaxConnections` | Maximum total connections | `""` | +| `postgresqlPostgresConnectionLimit` | Maximum connections for the postgres user | `""` | +| `postgresqlDbUserConnectionLimit` | Maximum connections for the non-admin user | `""` | +| `postgresqlTcpKeepalivesInterval` | TCP keepalives interval | `""` | +| `postgresqlTcpKeepalivesIdle` | TCP keepalives idle | `""` | +| `postgresqlTcpKeepalivesCount` | TCP keepalives count | `""` | +| `postgresqlStatementTimeout` | Statement timeout | `""` | +| `postgresqlPghbaRemoveFilters` | Comma-separated list of patterns to remove from the pg_hba.conf file | `""` | +| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `""` | +| `ldap.enabled` | Enable LDAP support | `false` | +| `ldap.url` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn` | `""` | +| `ldap.server` | IP address or name of the LDAP server. | `""` | +| `ldap.port` | Port number on the LDAP server to connect to | `""` | +| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` | +| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` | +| `ldap.baseDN` | Root DN to begin the search for the user in | `""` | +| `ldap.bindDN` | DN of user to bind to LDAP | `""` | +| `ldap.bind_password` | Password for the user to bind to LDAP | `""` | +| `ldap.search_attr` | Attribute to match against the user name in the search | `""` | +| `ldap.search_filter` | The search filter to use when doing search+bind authentication | `""` | +| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` | +| `ldap.tls` | Set to `1` to use TLS encryption | `""` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `service.port` | PostgreSQL port | `5432` | +| `service.nodePort` | Specify the nodePort value for the LoadBalancer and NodePort service types | `""` | +| `service.annotations` | Annotations for PostgreSQL service | `{}` | +| `service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for primary and read replica(s) Pod(s) | `true` | +| `shmVolume.chmod.enabled` | Set to `true` to `chmod 777 /dev/shm` on a initContainer (ignored if `volumePermissions.enabled` is `false`) | `true` | +| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs. Note that the size of the tmpfs counts against container's memory limit | `""` | +| `persistence.enabled` | Enable persistence using PVC | `true` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `""` | +| `persistence.mountPath` | The path the volume will be mounted at, useful when using different | `/bitnami/postgresql` | +| `persistence.subPath` | The subdirectory of the volume to mount to | `""` | +| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `""` | +| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | +| `persistence.snapshotName` | Provide a VolumeSnapshot name which to create the PVC | `""` | +| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `persistence.annotations` | Annotations for the PVC | `{}` | +| `persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `updateStrategy.type` | updateStrategy for PostgreSQL StatefulSet and its reads StatefulSets | `RollingUpdate` | +| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` | +| `primary.extraPodSpec` | Optionally specify extra PodSpec | `{}` | +| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | +| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` | +| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | +| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | +| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` | +| `primary.extraInitContainers` | Extra init containers to add to the pods (postgresql primary) | `[]` | +| `primary.extraVolumeMounts` | Extra volume mounts to add to the pods (postgresql primary) | `[]` | +| `primary.extraVolumes` | Extra volumes to add to the pods (postgresql primary) | `[]` | +| `primary.sidecars` | Extra containers to the pod | `[]` | +| `primary.service.type` | Allows using a different service type for primary | `""` | +| `primary.service.nodePort` | Allows using a different nodePort for primary | `""` | +| `primary.service.clusterIP` | Allows using a different clusterIP for primary | `""` | +| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | +| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` | +| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` | +| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` | +| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec | `{}` | +| `readReplicas.labels` | Map of labels to add to the statefulsets (postgresql readReplicas) | `{}` | +| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` | +| `readReplicas.podLabels` | Map of labels to add to the pods (postgresql readReplicas) | `{}` | +| `readReplicas.podAnnotations` | Map of annotations to add to the pods (postgresql readReplicas) | `{}` | +| `readReplicas.priorityClassName` | Priority Class to use for each pod (postgresql readReplicas) | `""` | +| `readReplicas.extraInitContainers` | Extra init containers to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.extraVolumeMounts` | Extra volume mounts to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.extraVolumes` | Extra volumes to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.sidecars` | Extra containers to the pod | `[]` | +| `readReplicas.service.type` | Allows using a different service type for readReplicas | `""` | +| `readReplicas.service.nodePort` | Allows using a different nodePort for readReplicas | `""` | +| `readReplicas.service.clusterIP` | Allows using a different clusterIP for readReplicas | `""` | +| `readReplicas.persistence.enabled` | Whether to enable PostgreSQL read replicas replicas persistence | `true` | +| `readReplicas.resources` | CPU/Memory resource requests/limits override for readReplicass. Will fallback to `values.resources` if not defined. | `{}` | +| `resources.requests` | The requested resources for the container | `{}` | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed | `{}` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `customStartupProbe` | Override default startup probe | `{}` | +| `customLivenessProbe` | Override default liveness probe | `{}` | +| `customReadinessProbe` | Override default readiness probe | `{}` | +| `tls.enabled` | Enable TLS traffic support | `false` | +| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` | +| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | +| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename | `""` | +| `tls.crlFilename` | File containing a Certificate Revocation List | `""` | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.resources` | Prometheus exporter container resources | `{}` | +| `metrics.service.type` | Kubernetes Service type | `ClusterIP` | +| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{}` | +| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `""` | +| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `""` | +| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | `""` | +| `metrics.prometheusRule.rules` | Create specified [Rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) | `[]` | +| `metrics.image.registry` | PostgreSQL Exporter image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Exporter image repository | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Exporter image tag (immutable tags are recommended) | `0.10.0-debian-10-r172` | +| `metrics.image.pullPolicy` | PostgreSQL Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | +| `metrics.customMetrics` | Define additional custom metrics | `{}` | +| `metrics.extraEnvVars` | Extra environment variables to add to postgres-exporter | `[]` | +| `metrics.securityContext.enabled` | Enable security context for metrics | `false` | +| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release \ + --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \ + bitnami/postgresql +``` + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release -f values.yaml bitnami/postgresql +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customizing primary and read replica services in a replicated configuration + +At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. + +### Use a different PostgreSQL version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/). + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the whole configuration file. + +Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server. + +Alternatively, you can add additional PostgreSQL configuration parameters using the `postgresqlExtendedConf` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}. Alternatively, to replace the entire default configuration use `postgresqlConfiguration`. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options. + +### Allow settings to be loaded from files other than the default `postgresql.conf` + +If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory. +Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap. + +Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict. + +In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +* First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +* Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. + +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL primary +primary: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +readReplicas: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +``` + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +``` +postgresql.postgresqlPassword=testtest +subchart1.postgresql.postgresqlPassword=testtest +subchart2.postgresql.postgresqlPassword=testtest +postgresql.postgresqlDatabase=db1 +subchart1.postgresql.postgresqlDatabase=db1 +subchart2.postgresql.postgresqlDatabase=db1 +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +``` +global.postgresql.postgresqlPassword=testtest +global.postgresql.postgresqlDatabase=db1 +``` + +This way, the credentials will be available in all of the subcharts. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```console +$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. +- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,containerSecurityContext.enabled=false,shmVolume.chmod.enabled=false + +### Deploy chart using Docker Official PostgreSQL Image + +From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image. +Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory. + +``` +image.repository=postgres +image.tag=10.6 +postgresqlDataDir=/data/pgdata +persistence.mountPath=/data/ +``` + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` paremeter(s). Find more infomation about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami’s Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart: + +```bash +$ helm upgrade my-release bitnami/postgresql \ + --set postgresqlPassword=[POSTGRESQL_PASSWORD] \ + --set replication.password=[REPLICATION_PASSWORD] +``` + +> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the *requirements.yaml* to the *Chart.yaml* +- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +#### Breaking changes + +- The term `master` has been replaced with `primary` and `slave` with `readReplicas` throughout the chart. Role names have changed from `master` and `slave` to `primary` and `read`. + +To upgrade to `10.0.0`, it should be done reusing the PVCs used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is `postgresql`): + +> NOTE: Please, create a backup of your database before running any of those actions. + +Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +$ export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +$ export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") +``` + +Delete the PostgreSQL statefulset. Notice the option `--cascade=false`: + +```console +$ kubectl delete statefulsets.apps postgresql-postgresql --cascade=false +``` + +Now the upgrade works: + +```console +$ helm upgrade postgresql bitnami/postgresql --set postgresqlPassword=$POSTGRESQL_PASSWORD --set persistence.existingClaim=$POSTGRESQL_PVC +``` + +You will have to delete the existing PostgreSQL pod and the new statefulset is going to create a new one + +```console +$ kubectl delete pod postgresql-postgresql-0 +``` + +Finally, you should see the lines below in PostgreSQL container logs: + +```console +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +### To 9.0.0 + +In this version the chart was adapted to follow the Helm label best practices, see [PR 3021](https://github.com/bitnami/charts/pull/3021). That means the backward compatibility is not guarantee when upgrading the chart to this major version. + +As a workaround, you can delete the existing statefulset (using the `--cascade=false` flag pods are not deleted) before upgrade the chart. For example, this can be a valid workflow: + +- Deploy an old version (8.X.X) + +```console +$ helm install postgresql bitnami/postgresql --version 8.10.14 +``` + +- Old version is up and running + +```console +$ helm ls +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +postgresql default 1 2020-08-04 13:39:54.783480286 +0000 UTC deployed postgresql-8.10.14 11.8.0 + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +postgresql-postgresql-0 1/1 Running 0 76s +``` + +- The upgrade to the latest one (9.X.X) is going to fail + +```console +$ helm upgrade postgresql bitnami/postgresql +Error: UPGRADE FAILED: cannot patch "postgresql-postgresql" with kind StatefulSet: StatefulSet.apps "postgresql-postgresql" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden +``` + +- Delete the statefulset + +```console +$ kubectl delete statefulsets.apps --cascade=false postgresql-postgresql +statefulset.apps "postgresql-postgresql" deleted +``` + +- Now the upgrade works + +```console +$ helm upgrade postgresql bitnami/postgresql +$ helm ls +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +postgresql default 3 2020-08-04 13:42:08.020385884 +0000 UTC deployed postgresql-9.1.2 11.8.0 +``` + +- We can kill the existing pod and the new statefulset is going to create a new one: + +```console +$ kubectl delete pod postgresql-postgresql-0 +pod "postgresql-postgresql-0" deleted + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +postgresql-postgresql-0 1/1 Running 0 19s +``` + +Please, note that without the `--cascade=false` both objects (statefulset and pod) are going to be removed and both objects will be deployed again with the `helm upgrade` command + +### To 8.0.0 + +Prefixes the port names with their protocols to comply with Istio conventions. + +If you depend on the port names in your setup, make sure to update them to reflect this change. + +### To 7.1.0 + +Adds support for LDAP configuration. + +### To 7.0.0 + +Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. + +In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. + +This major version bump signifies this change. + +### To 6.5.7 + +In this version, the chart will use PostgreSQL with the Postgis extension included. The version used with Postgresql version 10, 11 and 12 is Postgis 2.5. It has been compiled with the following dependencies: + +- protobuf +- protobuf-c +- json-c +- geos +- proj + +### To 5.0.0 + +In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/). + +For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs: + +```console +Welcome to the Bitnami postgresql container +Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql +Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues +Send us your feedback at containers@bitnami.com + +INFO ==> ** Starting PostgreSQL setup ** +NFO ==> Validating settings in POSTGRESQL_* env vars.. +INFO ==> Initializing PostgreSQL database... +INFO ==> postgresql.conf file not detected. Generating it... +INFO ==> pg_hba.conf file not detected. Generating it... +INFO ==> Deploying PostgreSQL with persisted data... +INFO ==> Configuring replication parameters +INFO ==> Loading custom scripts... +INFO ==> Enabling remote connections +INFO ==> Stopping PostgreSQL... +INFO ==> ** PostgreSQL setup finished! ** + +INFO ==> ** Starting PostgreSQL ** + [1] FATAL: database files are incompatible with server + [1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3. +``` + +In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one. + +### To 4.0.0 + +This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately. + +IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error + +``` +The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development +``` + +### To 3.0.0 + +This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods. +It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride. + +#### Breaking changes + +- `affinty` has been renamed to `master.affinity` and `slave.affinity`. +- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`. +- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`. + +### To 2.0.0 + +In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps: + +- Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running + +```console +$ kubectl get svc +``` + +- Install (not upgrade) the new version + +```console +$ helm repo update +$ helm install my-release bitnami/postgresql +``` + +- Connect to the new pod (you can obtain the name by running `kubectl get pods`): + +```console +$ kubectl exec -it NAME bash +``` + +- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart: + +```console +$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql +``` + +After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`). +This operation could take some time depending on the database size. + +- Once you have the backup file, you can restore it with a command like the one below: + +```console +$ psql -U postgres DATABASE_NAME < /tmp/backup.sql +``` + +In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt). + +If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below. + +```console +$ psql -U postgres +postgres=# drop database DATABASE_NAME; +postgres=# create database DATABASE_NAME; +postgres=# create user USER_NAME; +postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD'; +postgres=# grant all privileges on database DATABASE_NAME to USER_NAME; +postgres=# alter database DATABASE_NAME owner to USER_NAME; +``` + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/.helmignore b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/Chart.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/Chart.yaml new file mode 100644 index 00000000..5db0444e --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 1.10.0 +description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- email: containers@bitnami.com + name: Bitnami +name: common +sources: +- https://github.com/bitnami/charts +- https://www.bitnami.com/ +type: library +version: 1.10.3 diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/README.md b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/README.md new file mode 100644 index 00000000..cbbc31d9 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/README.md @@ -0,0 +1,328 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 0.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.1.0 + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|-------------------------------------------|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Input | +|-------------------------|------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis™ are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_affinities.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_affinities.tpl new file mode 100644 index 00000000..189ea403 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_affinities.tpl @@ -0,0 +1,102 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_capabilities.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_capabilities.tpl new file mode 100644 index 00000000..b94212bb --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_capabilities.tpl @@ -0,0 +1,128 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_errors.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_errors.tpl new file mode 100644 index 00000000..a79cc2e3 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_images.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_images.tpl new file mode 100644 index 00000000..42ffbc72 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_images.tpl @@ -0,0 +1,75 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if $registryName }} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- else -}} +{{- printf "%s:%s" $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_ingress.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_ingress.tpl new file mode 100644 index 00000000..f905f200 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_ingress.tpl @@ -0,0 +1,55 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_labels.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_labels.tpl new file mode 100644 index 00000000..252066c7 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_names.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_names.tpl new file mode 100644 index 00000000..cf032317 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_names.tpl @@ -0,0 +1,52 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_secrets.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_secrets.tpl new file mode 100644 index 00000000..60b84a70 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_secrets.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- if index $secret.data .key }} + {{- $password = index $secret.data .key }} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_storage.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_storage.tpl new file mode 100644 index 00000000..60e2a844 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_tplvalues.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_tplvalues.tpl new file mode 100644 index 00000000..2db16685 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_utils.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_utils.tpl new file mode 100644 index 00000000..ea083a24 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_warnings.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_warnings.tpl new file mode 100644 index 00000000..ae10fa41 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 00000000..ded1ae3b --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 00000000..b6906ff7 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 00000000..a071ea4d --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 00000000..164ec0d0 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_redis.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_redis.tpl new file mode 100644 index 00000000..5d72959b --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,76 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis™ required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_validations.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_validations.tpl new file mode 100644 index 00000000..9a814cf4 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/values.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/values.yaml new file mode 100644 index 00000000..f2df68e5 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/charts/common/values.yaml @@ -0,0 +1,5 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/commonAnnotations.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/commonAnnotations.yaml new file mode 100644 index 00000000..97e18a4c --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/commonAnnotations.yaml @@ -0,0 +1,3 @@ +commonAnnotations: + helm.sh/hook: "\"pre-install, pre-upgrade\"" + helm.sh/hook-weight: "-1" diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/default-values.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/default-values.yaml new file mode 100644 index 00000000..fc2ba605 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/default-values.yaml @@ -0,0 +1 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/shmvolume-disabled-values.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/shmvolume-disabled-values.yaml new file mode 100644 index 00000000..347d3b40 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/ci/shmvolume-disabled-values.yaml @@ -0,0 +1,2 @@ +shmVolume: + enabled: false diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/README.md b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/README.md new file mode 100644 index 00000000..1813a2fe --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/README.md @@ -0,0 +1 @@ +Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map. diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/conf.d/README.md b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/conf.d/README.md new file mode 100644 index 00000000..184c1875 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/conf.d/README.md @@ -0,0 +1,4 @@ +If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files. +These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file). diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/docker-entrypoint-initdb.d/README.md new file mode 100644 index 00000000..cba38091 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/files/docker-entrypoint-initdb.d/README.md @@ -0,0 +1,3 @@ +You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image. + +More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository. \ No newline at end of file diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/NOTES.txt b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/NOTES.txt new file mode 100644 index 00000000..ccb581df --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/NOTES.txt @@ -0,0 +1,89 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +** Please be patient while the chart is being deployed ** + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh + +{{- else }} + +PostgreSQL can be accessed via port {{ template "postgresql.servicePort" . }} on the following DNS names from within your cluster: + + {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection +{{- if .Values.replication.enabled }} +{{- if .Values.replication.singleService }} + {{ template "common.names.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection +{{- end }} +{{- if .Values.replication.uniqueServices }} +{{- $replicaCount := .Values.replication.readReplicas | int }} +{{- $root := . }} +{{- range $i, $e := until $replicaCount }} + {{ template "common.names.fullname" $root }}-read-{{ $i }}.{{ $root.Release.Namespace }}.svc.cluster.local - Read only connection to replica {{ $i }} +{{- end }} +{{- end }} +{{- end }} + +{{- if not (eq (include "postgresql.username" .) "postgres") }} + +To get the password for "postgres" run: + + export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-postgres-password}" | base64 --decode) +{{- end }} + +To get the password for "{{ template "postgresql.username" . }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode) + +To connect to your database run the following command: + + kubectl run {{ template "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} + --labels="{{ template "common.names.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "common.names.fullname" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.servicePort" . }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label {{ template "common.names.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster. +{{- end }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.servicePort" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ template "postgresql.servicePort" . }}:{{ template "postgresql.servicePort" . }} & + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.servicePort" . }} + +{{- end }} +{{- end }} + +{{- include "postgresql.validateValues" . -}} +{{- include "common.warnings.rollingTag" .Values.image -}} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/_helpers.tpl b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/_helpers.tpl new file mode 100644 index 00000000..16e44564 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/_helpers.tpl @@ -0,0 +1,361 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "postgresql.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.primary.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}} +{{- if .Values.replication.enabled -}} +{{- printf "%s-%s" $fullname "primary" | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "postgresql.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.imagePullSecrets" -}} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{- end -}} + +{{/* +Returns the available value for certain key in an existing secret (if it exists), +otherwise it generates a random value. +*/}} +{{- define "getValueFromSecret" }} +{{- $len := (default 16 .Length) | int -}} +{{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}} +{{- if $obj }} +{{- index $obj .Key | b64dec -}} +{{- else -}} +{{- randAlphaNum $len -}} +{{- end -}} +{{- end }} + +{{/* +Return PostgreSQL postgres user password +*/}} +{{- define "postgresql.postgres.password" -}} +{{- if .Values.global.postgresql.postgresqlPostgresPassword }} + {{- .Values.global.postgresql.postgresqlPostgresPassword -}} +{{- else if .Values.postgresqlPostgresPassword -}} + {{- .Values.postgresqlPostgresPassword -}} +{{- else -}} + {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "common.names.fullname" .) "Length" 10 "Key" "postgresql-postgres-password") -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL password +*/}} +{{- define "postgresql.password" -}} +{{- if .Values.global.postgresql.postgresqlPassword }} + {{- .Values.global.postgresql.postgresqlPassword -}} +{{- else if .Values.postgresqlPassword -}} + {{- .Values.postgresqlPassword -}} +{{- else -}} + {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "common.names.fullname" .) "Length" 10 "Key" "postgresql-password") -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication password +*/}} +{{- define "postgresql.replication.password" -}} +{{- if .Values.global.postgresql.replicationPassword }} + {{- .Values.global.postgresql.replicationPassword -}} +{{- else if .Values.replication.password -}} + {{- .Values.replication.password -}} +{{- else -}} + {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "common.names.fullname" .) "Length" 10 "Key" "postgresql-replication-password") -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL username +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.postgresql.postgresqlUsername }} + {{- .Values.global.postgresql.postgresqlUsername -}} +{{- else -}} + {{- .Values.postgresqlUsername -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication username +*/}} +{{- define "postgresql.replication.username" -}} +{{- if .Values.global.postgresql.replicationUser }} + {{- .Values.global.postgresql.replicationUser -}} +{{- else -}} + {{- .Values.replication.user -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL port +*/}} +{{- define "postgresql.servicePort" -}} +{{- if .Values.global.postgresql.servicePort }} + {{- .Values.global.postgresql.servicePort -}} +{{- else -}} + {{- .Values.service.port -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL created database +*/}} +{{- define "postgresql.database" -}} +{{- if .Values.global.postgresql.postgresqlDatabase }} + {{- .Values.global.postgresql.postgresqlDatabase -}} +{{- else if .Values.postgresqlDatabase -}} + {{- .Values.postgresqlDatabase -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.secretName" -}} +{{- if .Values.global.postgresql.existingSecret }} + {{- printf "%s" (tpl .Values.global.postgresql.existingSecret $) -}} +{{- else if .Values.existingSecret -}} + {{- printf "%s" (tpl .Values.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if we should use an existingSecret. +*/}} +{{- define "postgresql.useExistingSecret" -}} +{{- if or .Values.global.postgresql.existingSecret .Values.existingSecret -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.createSecret" -}} +{{- if not (include "postgresql.useExistingSecret" .) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the configuration ConfigMap name. +*/}} +{{- define "postgresql.configurationCM" -}} +{{- if .Values.configurationConfigMap -}} +{{- printf "%s" (tpl .Values.configurationConfigMap $) -}} +{{- else -}} +{{- printf "%s-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the extended configuration ConfigMap name. +*/}} +{{- define "postgresql.extendedConfigurationCM" -}} +{{- if .Values.extendedConfConfigMap -}} +{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}} +{{- else -}} +{{- printf "%s-extended-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap should be mounted with PostgreSQL configuration +*/}} +{{- define "postgresql.mountConfigurationCM" -}} +{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts Secret name. +*/}} +{{- define "postgresql.initdbScriptsSecret" -}} +{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}} +{{- end -}} + +{{/* +Get the metrics ConfigMap name. +*/}} +{{- define "postgresql.metricsCM" -}} +{{- printf "%s-metrics" (include "common.names.fullname" .) -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.readinessProbeCommand" -}} +- | +{{- if (include "postgresql.database" .) }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} +{{- else }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "postgresql.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.tls" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap +*/}} +{{- define "postgresql.validateValues.ldapConfigurationMethod" -}} +{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }} +postgresql: ldap.url, ldap.server + You cannot set both `ldap.url` and `ldap.server` at the same time. + Please provide a unique way to configure LDAP. + More info at https://www.postgresql.org/docs/current/auth-ldap.html +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If PSP is enabled RBAC should be enabled too +*/}} +{{- define "postgresql.validateValues.psp" -}} +{{- if and .Values.psp.create (not .Values.rbac.create) }} +postgresql: psp.create, rbac.create + RBAC should be enabled if PSP is enabled in order for PSP to work. + More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql TLS - When TLS is enabled, so must be VolumePermissions +*/}} +{{- define "postgresql.validateValues.tls" -}} +{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} +postgresql: tls.enabled, volumePermissions.enabled + When TLS is enabled you must enable volumePermissions as well to ensure certificates files have + the right permissions. +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "postgresql.tlsCert" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}} +{{- else -}} + {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "postgresql.tlsCertKey" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/tls.key" -}} +{{- else -}} +{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsCACert" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}} +{{- else -}} + {{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CRL file. +*/}} +{{- define "postgresql.tlsCRL" -}} +{{- if .Values.tls.crlFilename -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS credentials secret object should be created +*/}} +{{- define "postgresql.createTlsSecret" -}} +{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsSecretName" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "%s-crt" (include "common.names.fullname" .) -}} +{{- else -}} + {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} +{{- end -}} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/configmap.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/configmap.yaml new file mode 100644 index 00000000..0ff4dfe2 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/configmap.yaml @@ -0,0 +1,34 @@ +{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-configuration + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +data: +{{- if (.Files.Glob "files/postgresql.conf") }} +{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} +{{- else if .Values.postgresqlConfiguration }} + postgresql.conf: | +{{- range $key, $value := default dict .Values.postgresqlConfiguration }} + {{- if kindIs "string" $value }} + {{ $key | snakecase }} = '{{ $value }}' + {{- else }} + {{ $key | snakecase }} = {{ $value }} + {{- end }} +{{- end }} +{{- end }} +{{- if (.Files.Glob "files/pg_hba.conf") }} +{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }} +{{- else if .Values.pgHbaConfiguration }} + pg_hba.conf: | +{{ .Values.pgHbaConfiguration | indent 4 }} +{{- end }} +{{ end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/extended-config-configmap.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/extended-config-configmap.yaml new file mode 100644 index 00000000..a94e06f9 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/extended-config-configmap.yaml @@ -0,0 +1,29 @@ +{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-extended-configuration + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +data: +{{- with .Files.Glob "files/conf.d/*.conf" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{ with .Values.postgresqlExtendedConf }} + override.conf: | +{{- range $key, $value := . }} + {{- if kindIs "string" $value }} + {{ $key | snakecase }} = '{{ $value }}' + {{- else }} + {{ $key | snakecase }} = {{ $value }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/extra-list.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/extra-list.yaml new file mode 100644 index 00000000..9ac65f9e --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/initialization-configmap.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/initialization-configmap.yaml new file mode 100644 index 00000000..c681e5ce --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/initialization-configmap.yaml @@ -0,0 +1,26 @@ +{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-init-scripts + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} +data: +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/metrics-configmap.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/metrics-configmap.yaml new file mode 100644 index 00000000..b6411f3a --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/metrics-configmap.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.metricsCM" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/metrics-svc.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/metrics-svc.yaml new file mode 100644 index 00000000..06c52fde --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/metrics-svc.yaml @@ -0,0 +1,29 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-metrics + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- toYaml .Values.metrics.service.annotations | nindent 4 }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ .Values.metrics.service.type }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} + {{- end }} + ports: + - name: http-metrics + port: 9187 + targetPort: http-metrics + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: primary +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/networkpolicy.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/networkpolicy.yaml new file mode 100644 index 00000000..c51f6785 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/networkpolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + ingress: + # Allow inbound connections + - ports: + - port: {{ template "postgresql.servicePort" . }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.explicitNamespacesSelector }} + namespaceSelector: +{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }} + {{- end }} + - podSelector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 14 }} + role: read + {{- end }} + {{- if .Values.metrics.enabled }} + # Allow prometheus scrapes + - ports: + - port: 9187 + {{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/podsecuritypolicy.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/podsecuritypolicy.yaml new file mode 100644 index 00000000..0eefb3b8 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- if and $pspAvailable .Values.psp.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + privileged: false + volumes: + - 'configMap' + - 'secret' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'projected' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/prometheusrule.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/prometheusrule.yaml new file mode 100644 index 00000000..727a6b78 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/prometheusrule.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "common.names.fullname" . }} +{{- with .Values.metrics.prometheusRule.namespace }} + namespace: {{ . }} +{{- end }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.metrics.prometheusRule.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: +{{- with .Values.metrics.prometheusRule.rules }} + groups: + - name: {{ template "postgresql.name" $ }} + rules: {{ tpl (toYaml .) $ | nindent 8 }} +{{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/role.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/role.yaml new file mode 100644 index 00000000..1366eda5 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/role.yaml @@ -0,0 +1,24 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +rules: + {{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} + {{- if and $pspAvailable .Values.psp.create }} + - apiGroups: ["extensions"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ template "common.names.fullname" . }} + {{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/rolebinding.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/rolebinding.yaml new file mode 100644 index 00000000..988cb73d --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ template "common.names.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/secrets.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/secrets.yaml new file mode 100644 index 00000000..6bab4622 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/secrets.yaml @@ -0,0 +1,27 @@ +{{- if (include "postgresql.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + {{- if not (eq (include "postgresql.username" .) "postgres") }} + postgresql-postgres-password: {{ include "postgresql.postgres.password" . | b64enc | quote }} + {{- end }} + postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} + {{- if .Values.replication.enabled }} + postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }} + {{- end }} + {{- if (and .Values.ldap.enabled .Values.ldap.bind_password) }} + postgresql-ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }} + {{- end }} +{{- end -}} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/serviceaccount.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/serviceaccount.yaml new file mode 100644 index 00000000..8e951b81 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/servicemonitor.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/servicemonitor.yaml new file mode 100644 index 00000000..6cd6a1d4 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/servicemonitor.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "common.names.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + +spec: + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/statefulset-readreplicas.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/statefulset-readreplicas.yaml new file mode 100644 index 00000000..830fadb5 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/statefulset-readreplicas.yaml @@ -0,0 +1,436 @@ +{{- if .Values.replication.enabled }} +{{- $readReplicasResources := coalesce .Values.readReplicas.resources .Values.resources -}} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: "{{ template "common.names.fullname" . }}-read" + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.readReplicas.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.labels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.readReplicas.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + serviceName: {{ template "common.names.fullname" . }}-headless + replicas: {{ .Values.replication.readReplicas }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + role: read + template: + metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: read + role: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.podLabels "context" $) | nindent 8 }} + {{- end }} +{{- with .Values.readReplicas.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.readReplicas.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} + {{- end }} + {{- if or .Values.readReplicas.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} + initContainers: + {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -cx + - | + {{- if .Values.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} + {{- else }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + xargs chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ template "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{ if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.readReplicas.extraInitContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraInitContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.priorityClassName }} + priorityClassName: {{ .Values.readReplicas.priorityClassName }} + {{- end }} + containers: + - name: {{ template "common.names.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if $readReplicasResources }} + resources: {{- toYaml $readReplicasResources | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + - name: POSTGRESQL_PORT_NUMBER + value: {{ .Values.containerPorts.postgresql | quote }} + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + - name: POSTGRES_REPLICATION_MODE + value: "slave" + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + - name: POSTGRES_MASTER_HOST + value: {{ template "common.names.fullname" . }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ include "postgresql.servicePort" . | quote }} + {{- if not (eq (include "postgresql.username" .) "postgres") }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-postgres-password + {{- end }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ template "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ template "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ template "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ template "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.postgresqlMaxConnections }} + - name: POSTGRESQL_MAX_CONNECTIONS + value: {{ .Values.postgresqlMaxConnections | quote }} + {{- end }} + {{- if .Values.postgresqlPostgresConnectionLimit }} + - name: POSTGRESQL_POSTGRES_CONNECTION_LIMIT + value: {{ .Values.postgresqlPostgresConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlDbUserConnectionLimit }} + - name: POSTGRESQL_USERNAME_CONNECTION_LIMIT + value: {{ .Values.postgresqlDbUserConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesInterval }} + - name: POSTGRESQL_TCP_KEEPALIVES_INTERVAL + value: {{ .Values.postgresqlTcpKeepalivesInterval | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesIdle }} + - name: POSTGRESQL_TCP_KEEPALIVES_IDLE + value: {{ .Values.postgresqlTcpKeepalivesIdle | quote }} + {{- end }} + {{- if .Values.postgresqlStatementTimeout }} + - name: POSTGRESQL_STATEMENT_TIMEOUT + value: {{ .Values.postgresqlStatementTimeout | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesCount }} + - name: POSTGRESQL_TCP_KEEPALIVES_COUNT + value: {{ .Values.postgresqlTcpKeepalivesCount | quote }} + {{- end }} + {{- if .Values.postgresqlPghbaRemoveFilters }} + - name: POSTGRESQL_PGHBA_REMOVE_FILTERS + value: {{ .Values.postgresqlPghbaRemoveFilters | quote }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ .Values.containerPorts.postgresql }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{ end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.readReplicas.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} +{{- if .Values.readReplicas.sidecars }} +{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} +{{- end }} + volumes: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ template "postgresql.tlsSecretName" . }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + sizeLimit: 1Gi + {{- end }} + {{- if or (not .Values.persistence.enabled) (not .Values.readReplicas.persistence.enabled) }} + - name: data + emptyDir: {} + {{- end }} + {{- if .Values.readReplicas.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }} + {{- end }} + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} +{{- if and .Values.persistence.enabled .Values.readReplicas.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.persistence.snapshotName }} + dataSource: + name: {{ .Values.persistence.snapshotName }} + kind: VolumeSnapshot + apiGroup: snapshot.storage.k8s.io + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + + {{- if .Values.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} + {{- end -}} +{{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/statefulset.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/statefulset.yaml new file mode 100644 index 00000000..b819b4ca --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/statefulset.yaml @@ -0,0 +1,642 @@ +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ template "postgresql.primary.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.labels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.primary.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + serviceName: {{ template "common.names.fullname" . }}-headless + replicas: 1 + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + role: primary + template: + metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 8 }} + role: primary + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.primary.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- with .Values.primary.podAnnotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.primary.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.primary.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} + {{- end }} + {{- if or .Values.primary.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} + initContainers: + {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -cx + - | + {{- if .Values.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} + {{- else }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + xargs chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ template "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.primary.extraInitContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraInitContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.primary.priorityClassName }} + priorityClassName: {{ .Values.primary.priorityClassName }} + {{- end }} + containers: + - name: {{ template "common.names.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: {{ .Values.containerPorts.postgresql | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + {{- if .Values.postgresqlInitdbArgs }} + - name: POSTGRES_INITDB_ARGS + value: {{ .Values.postgresqlInitdbArgs | quote }} + {{- end }} + {{- if .Values.postgresqlInitdbWalDir }} + - name: POSTGRES_INITDB_WALDIR + value: {{ .Values.postgresqlInitdbWalDir | quote }} + {{- end }} + {{- if .Values.initdbUser }} + - name: POSTGRESQL_INITSCRIPTS_USERNAME + value: {{ .Values.initdbUser }} + {{- end }} + {{- if .Values.initdbPassword }} + - name: POSTGRESQL_INITSCRIPTS_PASSWORD + value: {{ .Values.initdbPassword }} + {{- end }} + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + {{- if .Values.primaryAsStandBy.enabled }} + - name: POSTGRES_MASTER_HOST + value: {{ .Values.primaryAsStandBy.primaryHost }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ .Values.primaryAsStandBy.primaryPort | quote }} + {{- end }} + {{- if or .Values.replication.enabled .Values.primaryAsStandBy.enabled }} + - name: POSTGRES_REPLICATION_MODE + {{- if .Values.primaryAsStandBy.enabled }} + value: "slave" + {{- else }} + value: "master" + {{- end }} + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + {{- if not (eq .Values.replication.synchronousCommit "off") }} + - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE + value: {{ .Values.replication.synchronousCommit | quote }} + - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS + value: {{ .Values.replication.numSynchronousReplicas | quote }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + {{- end }} + {{- if not (eq (include "postgresql.username" .) "postgres") }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-postgres-password + {{- end }} + {{- end }} + - name: POSTGRES_USER + value: {{ include "postgresql.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + {{- if (include "postgresql.database" .) }} + - name: POSTGRES_DB + value: {{ (include "postgresql.database" .) | quote }} + {{- end }} + {{- if .Values.extraEnv }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnv "context" $) | nindent 12 }} + {{- end }} + - name: POSTGRESQL_ENABLE_LDAP + value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} + {{- if .Values.ldap.enabled }} + - name: POSTGRESQL_LDAP_SERVER + value: {{ .Values.ldap.server }} + - name: POSTGRESQL_LDAP_PORT + value: {{ .Values.ldap.port | quote }} + - name: POSTGRESQL_LDAP_SCHEME + value: {{ .Values.ldap.scheme }} + {{- if .Values.ldap.tls }} + - name: POSTGRESQL_LDAP_TLS + value: "1" + {{- end }} + - name: POSTGRESQL_LDAP_PREFIX + value: {{ .Values.ldap.prefix | quote }} + - name: POSTGRESQL_LDAP_SUFFIX + value: {{ .Values.ldap.suffix | quote }} + - name: POSTGRESQL_LDAP_BASE_DN + value: {{ .Values.ldap.baseDN }} + - name: POSTGRESQL_LDAP_BIND_DN + value: {{ .Values.ldap.bindDN }} + {{- if (not (empty .Values.ldap.bind_password)) }} + - name: POSTGRESQL_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-ldap-password + {{- end }} + - name: POSTGRESQL_LDAP_SEARCH_ATTR + value: {{ .Values.ldap.search_attr }} + - name: POSTGRESQL_LDAP_SEARCH_FILTER + value: {{ .Values.ldap.search_filter }} + - name: POSTGRESQL_LDAP_URL + value: {{ .Values.ldap.url }} + {{- end }} + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ template "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ template "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ template "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ template "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.postgresqlMaxConnections }} + - name: POSTGRESQL_MAX_CONNECTIONS + value: {{ .Values.postgresqlMaxConnections | quote }} + {{- end }} + {{- if .Values.postgresqlPostgresConnectionLimit }} + - name: POSTGRESQL_POSTGRES_CONNECTION_LIMIT + value: {{ .Values.postgresqlPostgresConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlDbUserConnectionLimit }} + - name: POSTGRESQL_USERNAME_CONNECTION_LIMIT + value: {{ .Values.postgresqlDbUserConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesInterval }} + - name: POSTGRESQL_TCP_KEEPALIVES_INTERVAL + value: {{ .Values.postgresqlTcpKeepalivesInterval | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesIdle }} + - name: POSTGRESQL_TCP_KEEPALIVES_IDLE + value: {{ .Values.postgresqlTcpKeepalivesIdle | quote }} + {{- end }} + {{- if .Values.postgresqlStatementTimeout }} + - name: POSTGRESQL_STATEMENT_TIMEOUT + value: {{ .Values.postgresqlStatementTimeout | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesCount }} + - name: POSTGRESQL_TCP_KEEPALIVES_COUNT + value: {{ .Values.postgresqlTcpKeepalivesCount | quote }} + {{- end }} + {{- if .Values.postgresqlPghbaRemoveFilters }} + - name: POSTGRESQL_PGHBA_REMOVE_FILTERS + value: {{ .Values.postgresqlPghbaRemoveFilters | quote }} + {{- end }} + {{- if .Values.extraEnvVarsCM }} + envFrom: + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ .Values.containerPorts.postgresql }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + {{- else if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + mountPath: /docker-entrypoint-initdb.d/secret + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.primary.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} +{{- if .Values.primary.sidecars }} +{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} +{{- end }} +{{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.securityContext.enabled }} + securityContext: {{- omit .Values.metrics.securityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }} + {{- $sslmode := ternary "require" "disable" .Values.tls.enabled }} + {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} + - name: DATA_SOURCE_NAME + value: {{ printf "host=127.0.0.1 port=%d user=%s sslmode=%s sslcert=%s sslkey=%s" (int (include "postgresql.servicePort" .)) (include "postgresql.username" .) $sslmode (include "postgresql.tlsCert" .) (include "postgresql.tlsCertKey" .) }} + {{- else }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=%s" (int (include "postgresql.servicePort" .)) $database $sslmode }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: DATA_SOURCE_PASS_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + - name: DATA_SOURCE_USER + value: {{ template "postgresql.username" . }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: / + port: http-metrics + initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: / + port: http-metrics + initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + args: ["--extend.query-path", "/conf/custom-metrics.yaml"] + {{- end }} + ports: + - name: http-metrics + containerPort: 9187 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} +{{- end }} + volumes: + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "postgresql.initdbScriptsCM" . }} + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + secret: + secretName: {{ template "postgresql.initdbScriptsSecret" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ template "postgresql.tlsSecretName" . }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.primary.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ template "postgresql.metricsCM" . }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory +{{- with .Values.shmVolume.sizeLimit }} + sizeLimit: {{ . }} +{{- end }} + {{- end }} +{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} + - name: data + persistentVolumeClaim: +{{- with .Values.persistence.existingClaim }} + claimName: {{ tpl . $ }} +{{- end }} +{{- else if not .Values.persistence.enabled }} + - name: data + emptyDir: {} + {{- if .Values.primary.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }} + {{- end }} +{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.persistence.snapshotName }} + dataSource: + name: {{ .Values.persistence.snapshotName }} + kind: VolumeSnapshot + apiGroup: snapshot.storage.k8s.io + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- if .Values.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} + {{- end -}} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-headless.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-headless.yaml new file mode 100644 index 00000000..fbbfd400 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-headless.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-headless + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + namespace: {{ .Release.Namespace }} +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ template "postgresql.servicePort" . }} + targetPort: tcp-postgresql + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-read-set.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-read-set.yaml new file mode 100644 index 00000000..63b410ac --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-read-set.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.replication.enabled .Values.replication.uniqueServices }} +{{- $serviceAnnotations := coalesce .Values.readReplicas.service.annotations .Values.service.annotations -}} + +{{- $fullName := include "common.names.fullname" . }} +{{- $replicaCount := .Values.replication.readReplicas | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-read-%d" (printf "%s" $fullName) $i }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ $fullName }}-read-{{ $i }} + labels: + pod: {{ $targetPod }} + {{- include "common.labels.standard" $root | nindent 4 }} + {{- if $root.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + + {{- if $root.Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $serviceAnnotations }} + {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- end }} + namespace: {{ $root.Release.Namespace }} +spec: + type: ClusterIP + ports: + - name: tcp-postgresql + port: {{ template "postgresql.servicePort" $root }} + targetPort: tcp-postgresql + selector: + {{- include "common.labels.matchLabels" $root | nindent 4 }} + role: read + statefulset.kubernetes.io/pod-name: {{ $targetPod }} + +{{- end }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-read.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-read.yaml new file mode 100644 index 00000000..ed1005fe --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc-read.yaml @@ -0,0 +1,47 @@ +{{- if and .Values.replication.enabled .Values.replication.singleService }} +{{- $serviceAnnotations := coalesce .Values.readReplicas.service.annotations .Values.service.annotations -}} +{{- $serviceType := coalesce .Values.readReplicas.service.type .Values.service.type -}} +{{- $serviceLoadBalancerIP := coalesce .Values.readReplicas.service.loadBalancerIP .Values.service.loadBalancerIP -}} +{{- $serviceLoadBalancerSourceRanges := coalesce .Values.readReplicas.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} +{{- $serviceClusterIP := coalesce .Values.readReplicas.service.clusterIP .Values.service.clusterIP -}} +{{- $serviceNodePort := coalesce .Values.readReplicas.service.nodePort .Values.service.nodePort -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-read + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $serviceAnnotations }} + {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ $serviceType }} + {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} + loadBalancerIP: {{ $serviceLoadBalancerIP }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} + clusterIP: {{ $serviceClusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.servicePort" . }} + targetPort: tcp-postgresql + {{- if $serviceNodePort }} + nodePort: {{ $serviceNodePort }} + {{- end }} + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: read +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc.yaml new file mode 100644 index 00000000..a47efb9c --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/svc.yaml @@ -0,0 +1,45 @@ +{{- $serviceAnnotations := coalesce .Values.primary.service.annotations .Values.service.annotations -}} +{{- $serviceType := coalesce .Values.primary.service.type .Values.service.type -}} +{{- $serviceLoadBalancerIP := coalesce .Values.primary.service.loadBalancerIP .Values.service.loadBalancerIP -}} +{{- $serviceLoadBalancerSourceRanges := coalesce .Values.primary.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} +{{- $serviceClusterIP := coalesce .Values.primary.service.clusterIP .Values.service.clusterIP -}} +{{- $serviceNodePort := coalesce .Values.primary.service.nodePort .Values.service.nodePort -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $serviceAnnotations }} + {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ $serviceType }} + {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} + loadBalancerIP: {{ $serviceLoadBalancerIP }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} + clusterIP: {{ $serviceClusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.servicePort" . }} + targetPort: tcp-postgresql + {{- if $serviceNodePort }} + nodePort: {{ $serviceNodePort }} + {{- end }} + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: primary diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/tls-secrets.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/tls-secrets.yaml new file mode 100644 index 00000000..a5944fc5 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/templates/tls-secrets.yaml @@ -0,0 +1,25 @@ +{{- if (include "postgresql.createTlsSecret" . ) }} +{{- $ca := genCA "postgresql-ca" 365 }} +{{- $fullname := include "common.names.fullname" . }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) $fullname }} +{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-crt" (include "common.names.fullname" .) }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $crt.Cert | b64enc | quote }} + tls.key: {{ $crt.Key | b64enc | quote }} +{{- end }} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/values.schema.json b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/values.schema.json new file mode 100644 index 00000000..66a2a9dd --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/values.schema.json @@ -0,0 +1,103 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "postgresqlUsername": { + "type": "string", + "title": "Admin user", + "form": true + }, + "postgresqlPassword": { + "type": "string", + "title": "Password", + "form": true + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi" + } + } + }, + "resources": { + "type": "object", + "title": "Required Resources", + "description": "Configure resource requests", + "form": true, + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string", + "form": true, + "render": "slider", + "title": "Memory Request", + "sliderMin": 10, + "sliderMax": 2048, + "sliderUnit": "Mi" + }, + "cpu": { + "type": "string", + "form": true, + "render": "slider", + "title": "CPU Request", + "sliderMin": 10, + "sliderMax": 2000, + "sliderUnit": "m" + } + } + } + } + }, + "replication": { + "type": "object", + "form": true, + "title": "Replication Details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Replication", + "form": true + }, + "readReplicas": { + "type": "integer", + "title": "read Replicas", + "form": true, + "hidden": { + "value": false, + "path": "replication/enabled" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Configure metrics exporter", + "form": true + } + } + } + } +} diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/values.yaml b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/values.yaml new file mode 100644 index 00000000..56d76df0 --- /dev/null +++ b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/charts/postgresql/values.yaml @@ -0,0 +1,1001 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + ## @param global.postgresql.postgresqlDatabase PostgreSQL database (overrides `postgresqlDatabase`) + ## @param global.postgresql.postgresqlUsername PostgreSQL username (overrides `postgresqlUsername`) + ## @param global.postgresql.existingSecret Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) + ## @param global.postgresql.postgresqlPassword PostgreSQL admin password (overrides `postgresqlPassword`) + ## @param global.postgresql.servicePort PostgreSQL port (overrides `service.port` + ## @param global.postgresql.replicationPassword Replication user password (overrides `replication.password`) + ## + postgresql: + postgresqlDatabase: "" + postgresqlUsername: "" + existingSecret: "" + postgresqlPassword: "" + servicePort: "" + replicationPassword: "" + +## @section Common parameters +## + +## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname template +## +fullnameOverride: "" +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources +## +commonLabels: {} +## @param commonAnnotations Add annotations to all the deployed resources +## +commonAnnotations: {} + +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +## @section PostgreSQL parameters +## + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## @param image.registry PostgreSQL image registry +## @param image.repository PostgreSQL image repository +## @param image.tag PostgreSQL image tag (immutable tags are recommended) +## @param image.pullPolicy PostgreSQL image pull policy +## @param image.pullSecrets Specify image pull secrets +## @param image.debug Specify if debug values should be set +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.14.0-debian-10-r28 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## It turns BASH and/or NAMI debugging in the image + ## + debug: false +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) + ## + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image repository + ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r305 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container Security Context + ## @param volumePermissions.securityContext.runAsUser User ID for the init container + ## Note: the chown of the data folder is done to securityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false + ## + securityContext: + runAsUser: 0 +## @param schedulerName Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param lifecycleHooks for the PostgreSQL container to automate configuration before or after startup +## +lifecycleHooks: {} +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## @param securityContext.enabled Enable security context +## @param securityContext.fsGroup Group ID for the pod +## +securityContext: + enabled: true + fsGroup: 1001 +## Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## @param containerSecurityContext.enabled Enable container security context +## @param containerSecurityContext.runAsUser User ID for the container +## +containerSecurityContext: + enabled: true + runAsUser: 1001 +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.enabled Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) + ## + enabled: false + ## @param serviceAccount.name Name of an already existing service account. Setting this value disables the automatic service account creation + ## + name: "" + ## @param serviceAccount.autoMount Auto-mount the service account token in the pod + ## + autoMount: false +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later +## +psp: + create: false +## Creates role for ServiceAccount +## Required for PSP +## @param rbac.create Create Role and RoleBinding (required for PSP to work) +## +rbac: + create: false +## @param replication.enabled Enable replication +## @param replication.user Replication user +## @param replication.password Replication user password +## @param replication.readReplicas Number of read replicas replicas +## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` +## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.readReplicas`. +## @param replication.applicationName Cluster application name. Useful for advanced replication settings +## @param replication.singleService Create one service connecting to all read-replicas +## @param replication.uniqueServices Create a unique service for each independent read-replica +## +replication: + enabled: false + user: repl_user + password: repl_password + readReplicas: 1 + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + ## + synchronousCommit: "off" + ## NOTE: It cannot be > readReplicas + ## + numSynchronousReplicas: 0 + applicationName: my_application + singleService: true + uniqueServices: false +## @param postgresqlPostgresPassword PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`, in which case`postgres` is the admin username) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!) +## +postgresqlPostgresPassword: "" +## @param postgresqlUsername PostgreSQL user (has superuser privileges if username is `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +postgresqlUsername: postgres +## @param postgresqlPassword PostgreSQL user password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +postgresqlPassword: "" +## @param existingSecret Name of existing secret to use for PostgreSQL passwords +## The secret has to contain the keys postgresql-password which is the password for postgresqlUsername when it is +## different of postgres, postgresql-postgres-password which will override postgresqlPassword, +## postgresql-replication-password which will override replication.password and postgresql-ldap-password which will be +## used to authenticate on LDAP. The value is evaluated as a template. +## e.g: +## existingSecret: secret +## +existingSecret: "" +## @param usePasswordFile Mount PostgreSQL secret as a file instead of passing environment variable +## +usePasswordFile: false +## @param postgresqlDatabase PostgreSQL database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +postgresqlDatabase: "" +## @param postgresqlDataDir PostgreSQL data dir folder +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data +## @param extraEnv An array to add extra environment variables +## For example: +## extraEnv: +## - name: FOO +## value: "bar" +## +extraEnv: [] +## @param extraEnvVarsCM Name of a Config Map containing extra environment variables +## +extraEnvVarsCM: "" +## @param postgresqlInitdbArgs PostgreSQL initdb extra arguments +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlInitdbArgs: "" +## @param postgresqlInitdbWalDir Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlInitdbWalDir: "" +## @param postgresqlConfiguration PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +postgresqlConfiguration: {} +## @param postgresqlExtendedConf Extended Runtime Config Parameters (appended to main or default configuration) +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +postgresqlExtendedConf: {} +## Configure current cluster's primary server to be the standby server in other cluster. +## This will allow cross cluster replication and provide cross cluster high availability. +## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. +## @param primaryAsStandBy.enabled Whether to enable current cluster's primary as standby server of another cluster or not +## @param primaryAsStandBy.primaryHost The Host of replication primary in the other cluster +## @param primaryAsStandBy.primaryPort The Port of replication primary in the other cluster +## +primaryAsStandBy: + enabled: false + primaryHost: "" + primaryPort: "" +## @param pgHbaConfiguration PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +## pgHbaConfiguration: |- +## local all all trust +## host all all localhost trust +## host mydatabase mysuser 192.168.0.0/24 md5 +## +pgHbaConfiguration: "" +## @param configurationConfigMap ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +## +configurationConfigMap: "" +## @param extendedConfConfigMap ConfigMap with PostgreSQL extended configuration +## +extendedConfConfigMap: "" +## @param initdbScripts Dictionary of initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## e.g: +## initdbScripts: +## my_init_script.sh: | +## #!/bin/sh +## echo "Do something." +## +initdbScripts: {} +## @param initdbScriptsConfigMap ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +## +initdbScriptsConfigMap: "" +## @param initdbScriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +## +initdbScriptsSecret: "" +## @param initdbUser Specify the PostgreSQL username to execute the initdb scripts +## +initdbUser: "" +## @param initdbPassword Specify the PostgreSQL password to execute the initdb scripts +## +initdbPassword: "" + +## @param containerPorts.postgresql PostgreSQL container port +## +containerPorts: + postgresql: 5432 +## Audit settings +## https://github.com/bitnami/bitnami-docker-postgresql#auditing +## +audit: + ## @param audit.logHostname Log client hostnames + ## + logHostname: false + ## @param audit.logConnections Add client log-in operations to the log file + ## + logConnections: false + ## @param audit.logDisconnections Add client log-outs operations to the log file + ## + logDisconnections: false + ## @param audit.pgAuditLog Add operations to log using the pgAudit extension + ## + pgAuditLog: "" + ## @param audit.pgAuditLogCatalog Log catalog using pgAudit + ## + pgAuditLogCatalog: "off" + ## @param audit.clientMinMessages Message log level to share with the user + ## + clientMinMessages: error + ## @param audit.logLinePrefix Template for log line prefix (default if not set) + ## + logLinePrefix: "" + ## @param audit.logTimezone Timezone for the log timestamps + ## + logTimezone: "" +## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list) +## +postgresqlSharedPreloadLibraries: "pgaudit" +## @param postgresqlMaxConnections Maximum total connections +## +postgresqlMaxConnections: "" +## @param postgresqlPostgresConnectionLimit Maximum connections for the postgres user +## +postgresqlPostgresConnectionLimit: "" +## @param postgresqlDbUserConnectionLimit Maximum connections for the non-admin user +## +postgresqlDbUserConnectionLimit: "" +## @param postgresqlTcpKeepalivesInterval TCP keepalives interval +## +postgresqlTcpKeepalivesInterval: "" +## @param postgresqlTcpKeepalivesIdle TCP keepalives idle +## +postgresqlTcpKeepalivesIdle: "" +## @param postgresqlTcpKeepalivesCount TCP keepalives count +## +postgresqlTcpKeepalivesCount: "" +## @param postgresqlStatementTimeout Statement timeout +## +postgresqlStatementTimeout: "" +## @param postgresqlPghbaRemoveFilters Comma-separated list of patterns to remove from the pg_hba.conf file +## Cannot be used with custom pg_hba.conf +## +postgresqlPghbaRemoveFilters: "" +## @param terminationGracePeriodSeconds Seconds the pod needs to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## e.g: +## terminationGracePeriodSeconds: 30 +## +terminationGracePeriodSeconds: "" +## LDAP configuration +## @param ldap.enabled Enable LDAP support +## @param ldap.url LDAP URL beginning in the form `ldap[s]://host[:port]/basedn` +## @param ldap.server IP address or name of the LDAP server. +## @param ldap.port Port number on the LDAP server to connect to +## @param ldap.prefix String to prepend to the user name when forming the DN to bind +## @param ldap.suffix String to append to the user name when forming the DN to bind +## @param ldap.baseDN Root DN to begin the search for the user in +## @param ldap.bindDN DN of user to bind to LDAP +## @param ldap.bind_password Password for the user to bind to LDAP +## @param ldap.search_attr Attribute to match against the user name in the search +## @param ldap.search_filter The search filter to use when doing search+bind authentication +## @param ldap.scheme Set to `ldaps` to use LDAPS +## @param ldap.tls Set to `1` to use TLS encryption +## +ldap: + enabled: false + url: "" + server: "" + port: "" + prefix: "" + suffix: "" + baseDN: "" + bindDN: "" + bind_password: "" + search_attr: "" + search_filter: "" + scheme: "" + tls: "" +## PostgreSQL service configuration +## +service: + ## @param service.type Kubernetes Service type + ## + type: ClusterIP + ## @param service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.port PostgreSQL port + ## + port: 5432 + ## @param service.nodePort Specify the nodePort value for the LoadBalancer and NodePort service types + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePort: "" + ## @param service.annotations Annotations for PostgreSQL service + ## + annotations: {} + ## @param service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] +## Start primary and read(s) pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) +## limit `/dev/shm` to `64M` (see e.g. the +## [docker issue](https://github.com/docker-library/postgres/issues/416) and the +## [containerd issue](https://github.com/containerd/containerd/issues/3654), +## which could be not enough if PostgreSQL uses parallel workers heavily. +## +shmVolume: + ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for primary and read replica(s) Pod(s) + ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove the above limitation. + ## + enabled: true + ## @param shmVolume.chmod.enabled Set to `true` to `chmod 777 /dev/shm` on a initContainer (ignored if `volumePermissions.enabled` is `false`) + ## + chmod: + enabled: true + ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs. Note that the size of the tmpfs counts against container's memory limit + ## e.g: + ## sizeLimit: 1Gi + ## + sizeLimit: "" +persistence: + ## @param persistence.enabled Enable persistence using PVC + ## + enabled: true + ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + existingClaim: "" + ## @param persistence.mountPath The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + ## @param persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param persistence.storageClass PVC Storage Class for PostgreSQL volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param persistence.snapshotName Provide a VolumeSnapshot name which to create the PVC + ## The same snapshot will be used for the primary and any read replicas + ## ref: https://kubernetes.io/docs/concepts/storage/volume-snapshots/ + ## + snapshotName: "" + ## @param persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} +## @param updateStrategy.type updateStrategy for PostgreSQL StatefulSet and its reads StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + type: RollingUpdate +## +## PostgreSQL Primary parameters +## +primary: + ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.extraPodSpec Optionally specify extra PodSpec + ## + extraPodSpec: {} + ## @param primary.labels Map of labels to add to the statefulset (postgresql primary) + ## + labels: {} + ## @param primary.annotations Annotations for PostgreSQL primary pods + ## + annotations: {} + ## @param primary.podLabels Map of labels to add to the pods (postgresql primary) + ## + podLabels: {} + ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) + ## + podAnnotations: {} + ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary) + ## + priorityClassName: "" + ## @param primary.extraInitContainers Extra init containers to add to the pods (postgresql primary) + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + extraInitContainers: [] + ## @param primary.extraVolumeMounts Extra volume mounts to add to the pods (postgresql primary) + ## + extraVolumeMounts: [] + ## @param primary.extraVolumes Extra volumes to add to the pods (postgresql primary) + ## + extraVolumes: [] + ## @param primary.sidecars Extra containers to the pod + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## Override the service configuration for primary + ## @param primary.service.type Allows using a different service type for primary + ## @param primary.service.nodePort Allows using a different nodePort for primary + ## @param primary.service.clusterIP Allows using a different clusterIP for primary + ## + service: + type: "" + nodePort: "" + clusterIP: "" +## PostgreSQL read only replica parameters +## +readReplicas: + ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: readReplicas.podAffinityPreset, readReplicas.podAntiAffinityPreset, and readReplicas.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec + ## + extraPodSpec: {} + ## @param readReplicas.labels Map of labels to add to the statefulsets (postgresql readReplicas) + ## + labels: {} + ## @param readReplicas.annotations Annotations for PostgreSQL read only pods + ## + annotations: {} + ## @param readReplicas.podLabels Map of labels to add to the pods (postgresql readReplicas) + ## + podLabels: {} + ## @param readReplicas.podAnnotations Map of annotations to add to the pods (postgresql readReplicas) + ## + podAnnotations: {} + ## @param readReplicas.priorityClassName Priority Class to use for each pod (postgresql readReplicas) + ## + priorityClassName: "" + ## @param readReplicas.extraInitContainers Extra init containers to add to the pods (postgresql readReplicas) + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + extraInitContainers: [] + ## @param readReplicas.extraVolumeMounts Extra volume mounts to add to the pods (postgresql readReplicas) + ## + extraVolumeMounts: [] + ## @param readReplicas.extraVolumes Extra volumes to add to the pods (postgresql readReplicas) + ## + extraVolumes: [] + ## @param readReplicas.sidecars Extra containers to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## Override the service configuration for read + ## @param readReplicas.service.type Allows using a different service type for readReplicas + ## @param readReplicas.service.nodePort Allows using a different nodePort for readReplicas + ## @param readReplicas.service.clusterIP Allows using a different clusterIP for readReplicas + ## + service: + type: "" + nodePort: "" + clusterIP: "" + ## @param readReplicas.persistence.enabled Whether to enable PostgreSQL read replicas replicas persistence + ## + persistence: + enabled: true + ## @param readReplicas.resources CPU/Memory resource requests/limits override for readReplicass. Will fallback to `values.resources` if not defined. + ## + resources: {} +## Configure resource requests and limits +## ref: https://kubernetes.io/docs/user-guide/compute-resources/ +## @param resources.requests [object] The requested resources for the container +## +resources: + requests: + memory: 256Mi + cpu: 250m +networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + ## @param networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed + ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the DB. + ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. + ## + ## Example: + ## explicitNamespacesSelector: + ## matchLabels: + ## role: frontend + ## matchExpressions: + ## - {key: role, operator: In, values: [frontend]} + ## + explicitNamespacesSelector: {} +## Configure extra options for startup probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 +## Configure extra options for liveness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 +## Configure extra options for readiness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 +## @param customStartupProbe Override default startup probe +## +customStartupProbe: {} +## @param customLivenessProbe Override default liveness probe +## +customLivenessProbe: {} +## @param customReadinessProbe Override default readiness probe +## +customReadinessProbe: {} +## +## TLS configuration +## +tls: + ## @param tls.enabled Enable TLS traffic support + ## + enabled: false + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates + ## + autoGenerated: false + ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's + ## + preferServerCiphers: true + ## @param tls.certificatesSecret Name of an existing secret that contains the certificates + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html + ## + certCAFilename: "" + ## @param tls.crlFilename File containing a Certificate Revocation List + ## + crlFilename: "" +## Configure metrics exporter +## +metrics: + ## @param metrics.enabled Start a prometheus exporter + ## + enabled: false + ## @param metrics.resources Prometheus exporter container resources + ## + resources: {} + ## @param metrics.service.type Kubernetes Service type + ## @param metrics.service.annotations [object] Additional annotations for metrics exporter pod + ## @param metrics.service.loadBalancerIP loadBalancerIP if redis metrics service type is `LoadBalancer` + ## + service: + type: ClusterIP + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + loadBalancerIP: "" + ## @param metrics.serviceMonitor.enabled Set this to `true` to create ServiceMonitor for Prometheus operator + ## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus + ## @param metrics.serviceMonitor.namespace Optional namespace in which to create ServiceMonitor + ## @param metrics.serviceMonitor.interval Scrape interval. If not set, the Prometheus default scrape interval is used + ## @param metrics.serviceMonitor.scrapeTimeout Scrape timeout. If not set, the Prometheus default scrape timeout is used + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## + serviceMonitor: + enabled: false + additionalLabels: {} + namespace: "" + interval: "" + scrapeTimeout: "" + relabelings: [] + metricRelabelings: [] + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Set this to true to create prometheusRules for Prometheus operator + ## + enabled: false + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRules will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.namespace namespace where prometheusRules resource should be created + ## + namespace: "" + ## @param metrics.prometheusRule.rules Create specified [Rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ template "common.names.fullname" . }}-metrics"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ template "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). + ## + rules: [] + ## @param metrics.image.registry PostgreSQL Exporter image registry + ## @param metrics.image.repository PostgreSQL Exporter image repository + ## @param metrics.image.tag PostgreSQL Exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy PostgreSQL Exporter image pull policy + ## @param metrics.image.pullSecrets Specify image pull secrets + ## + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.10.0-debian-10-r172 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.customMetrics Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + ## customMetrics: + ## pg_database: + ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + ## metrics: + ## - name: + ## usage: "LABEL" + ## description: "Name of the database" + ## - size_bytes: + ## usage: "GAUGE" + ## description: "Size of the database in bytes" + ## + customMetrics: {} + ## @param metrics.extraEnvVars Extra environment variables to add to postgres-exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + ## extraEnvVars: + ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + ## value: "true" + ## + extraEnvVars: [] + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param metrics.securityContext.enabled Enable security context for metrics + ## @param metrics.securityContext.runAsUser User ID for the container for metrics + ## + securityContext: + enabled: false + runAsUser: 1001 + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param metrics.livenessProbe.enabled Enable livenessProbe + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## Configure extra options for readiness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param metrics.readinessProbe.enabled Enable readinessProbe + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 diff --git a/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/powerdns-5.0.0.tgz b/Hackfest_Demos/OSM-MR13/powerdns/helm-chart/powerdns/powerdns-5.0.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..09375d596f10707b19106f9429a089a2e563b6ab GIT binary patch literal 322335 zcmV(?K-a$?iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYYToX(8I2?)s0Wmhjf(!v^LI@p#^d^cF!3HQS$tGDzvLU;n z2nZ@FSP-%I-UYj2K@d?;u=j?&q1X$e!u#122u;2BxzGLH=l9vB*t(^M56!4b+vBX|44#_$S7EZA*g@>5^TtjP}uy_j%G`X0xe_Elv zw9z7%3E?n{0dSERCbM9SDMEx&1VRX=@d*k82nHZPJYcXW0Tx++L=l4HumB(e;5}#% zfCMbSLzu7tgIPc>5RN3k7_GS) zHVoln5lmFZgG3w{2*mtYSOicuU?FTaEP@3%h=rJOuz-aD5hUOs0uEq{P(HvAzK{n4 zuYe#QfZ@qJ7)(S3FdN~)7{E~=f_V_pCWr@E5Dvvc7*Pv>H43pnEX0EZOhmx3VnYZI zO@KuJ;&D(Bf^+#84R}hLE`ph25r&EgVhBZO0>Xk>03vY3U?C)eaF}?_5kY(!nTrzr zB<~Rpf^)^OlAefj!Ym=&lK3v`C@Wk9!&ZCcd}<~Cc_=gPFR$Yl@}F+!VAn?eTmLKn|CZERy8oA? z_g^od5e|&u41jSV8+!+a6KriC8|zGmZ6IgJHrCOG?%?d`VD0E^&4Qe5Sukwv$cC9r z$cD{gLymU#4mM2K#@^047K*jDw{fx|b6^21lFECk4c*4Zl5THl?Hq3H$gp)_&>d;E z_RjXUj!t%t5!C--Zf~2K_&)*SiDB%&q5%Ga{~c`X>8<(S#=+)a{{K6YA@G6OkeG)9 z=>Pz1RMa#h(#VD&oQq&mJ!h=v@IXs8D&j*p4zmEELl7B!U?vX|!61QP?pT>#5eow$ zgb`W~BEV6QjEY47hxtMtgu@t(OcudH9>RpYQLzAL0BbUa6U@g+4o?=s3@`#_ieLzb z$z+5NabQL(fgyl|ShErU01j~&K&q?)AQba>At(=FCNqF1FA++{WKcrHJYE<97{?eO za-3xH4^DtZB7_Aq0F_E+i+Q{@FUf>vhcIDJCR2hd8302NCWM&?8-X#9$c1q(p%wvI zJ^)EG0*s4_c`Sku(zXz4s`N>wQ4)Z{xv)eu5}F*L7`6t2qd<(oG)dk7HV~jVz+haW zph;m7JwrgV0FV?Af`KMc2E-Vl2NHngZENZTxzbD~3sF`Wp~4|}vNxeGCE*N^k|wE= zjrogEv5*05=yWU05uS0LOd!#PN4{v=;}bK?16v~fC{8gWXh`u1DIGSL`673JOr11909YNXR0`H zEG!bh#85_1D;CPctZ*@oiV%p0S;Y6A_$ii6;wTLfe)q z+pvfXn%WXBZHjz2Q>nyYmvBfR3bDMJ3m5_dUj}fZJ6RLVCD&x-Jv15yVoVJ2c*%si zj`I1ifF&7CI0`VyU`_@snH*>;Eg5Dw3V1M-00W$m0}{2Ki3%_#f{HO|=W|hF#1dkI z7-)prO_K@@h=-v75fB5FSXD5&1h$g@A{-;Slvw(}f&@f_3iz-9#{fYOz(a7HC+l`O zDi#0}Gr2_d!w~^Oke^2ILozA`EEFU{f)*`NC?*z2TZ>D%0Oj$}L`1-mK<6O>A`8Tt zAjTx$`9uW*m$?Px;P9~VW`L*1H$|*_uwx zpF-LbC<>otPc5@SEIuM=lh>zp2eqMOJ9KQ1iey6&B0^({`A;IZ#8R0}7D`?cpm<0E zEPyer6?kr2n4aogpw|hEg>-& z5UMmpFeEu8#S$QFLX_bUBESGO2xY+`s0gP5+9;_ZNw&zL5$hF@mL^%%5Q`KL6zt<0 z9TGeu+||gG(Bzpo4{%@{SW2dKOb9VykdgvuBVZn}aG(V>y-iC4mMEBjp#mXlI)7hz@L#G z06=gx0|elJ4L zz_nGkN*bG%*1?eQ=7|Z_Dj?)HSTQ8nCpyS;xNj?Z2~pPX4tE})LP8;}r9p%!=-MtV zo9SrLwiqHHv}C5FXp8CyGIhvVd>DraHCh5&ftJ)!2!`Ntl3Lq1(&#ig&6?pvccRPe zYErYLg4iRLQ*uHO1hQnKqC`l<0!DI50irm=i7q9+qzC`ERg-q+|7b4EBh*|PF8ph@ z0)8?7+uGZh8m zhl$y2BneP0n}HD=NIbV+aUvWm^~-23AQT}2oDHZ=pDYJr)c+bzR_0`HshJ*Xs)LwL zl0m!};vsAVW)b2?LQWcaG%STK$&V9t5TwOGEX;%mX@#MD7z}F?nbJ;RBQTGJ0Z0T( zO^>j|WGgY&n#LweI>;v|jL1vO#Du%jG%lF4#Xs*uO&2Ty?!NjudbfQ-!y(=3k(p)?!7Uun|hb7tC zGL^hNisY6)%Y4c}DiFa!9-%x?2T=hvn)+ur3gz=rffPyXCrC;&NTIZ^qcGZ6_?ndz zG8g9YX&6^(y6Paij2M#q9V<1AHcAvwU=AsjJe!>F+K1KT13`dlQzR9{i&4A@tV}s+ z3xy8}AP&s3j7@HdQwq3016c7-^7}&KvQK8ZS?4NfwaSa|JPIdZ>4thKdFI|4+;M&XOLg||2nkx|Fw6t zwf+heH zz(mlSz3pfdJhS5+asyaB_>9AtB`4pZ0y>iO#Eun!kaKO1OXwyQ)(C^CYeMy zR_0qR@kEg9yht536iQplENQNE$r_(7gA{^_@ZX0)toL0d{u9#Dqnk@XOeTR2f&o;( zO9l{+hbF=-seiT9GKz^~1u%}aMvKU3No12_W<|GPFs%MbyBY1se-Z3X1&DwJ z3veJ26T})-=JCfvm=GqFyfQ(g=r<^>1Cx8hNSKcg;Y@Cz!o2gJ%{+f*9+A5;O6!-p zYbjcB6+9iK1>~G3Yk>l-iNtHsnE$jne{N!wcL^cCEu~&s^5(R5t!%EUjnicl3Iq@w z9SiY!lFk>%df%yelCV^qB>-rWZ&Qv}q~gRxzdn&!OLev$3r3gi|8SftQG z%VsuFTn#I9!%uMO03WPFWUOskLY6ws0;y9O6g_Mr{o* zM8U7N4d7;{+m@Ilpgb`j9!~THrr1C^eWc1xiK;T{SRYWDc(QjSSjBBD2|n4{Zn?8Vf}ZoYYXMC*({*w ze%-n)9jJR!t)-2wM2zZu|v-T}?9{+b?;c^kJ+f7!>shWfulDLFR3qEjnZ=Z*oj$k-8${)k4! zL)b7gnaOKK4?;r>BkF8T4>(C~1yD>fr%(onq*}!y0xOJ5wE$F0Ch?aC;{bA{yMRP4 z!h=C1FoJ+34+l1MIvD2ySSY}FFf0W2EA}a#EIoS&HyGxkPFc!0TWmz zOeEU+)BSU*tj*N4G+=8>cW?nX7Zym|_r*BElh}VPC!zuvv}fOz9)kjDX~4$KiUlWF z3B)`eFg6CUA{dHuX$B+RlKc%oE`W^?O%=e@aUH9^zgoNgKiXH#%_h3b-p@b&7`vo3phzQuy08x;9q2 zHnqvmAu8BXlOGaS?13gYsi0-+TH2plH%&IqB$;U94(Q&} z6!cRN!e5iSrHSUJ&{)5q^54z>?aF`Yago1l0{Dgex2N0MxAp)3cmMxyNgc?4$q4v! z6M)2w*1kU{4H5`YTv1brV#;j%it;5u`)7*Bm z%0!<+2PznT+c(S#TiRh;+h1EcgZwA15`WZ9qC-E*|BRP#=D)o3FE9O-ywq&V?2wnF zdkz10yd)hQZFj3=&ZlO7lHZygGk<3p^Do!^%XNPp*R|dP6t>>+`zLYV|358Z|Nl%K zum5Ccy8eP?;4jvHbXyzi*8bm)4vzn>|Nf5j+XwG{HrdLu|Mp3tpLps1sR{6Z?$q5s zCpGaujSKVm2uFa5;J><#U-7@aO`H2aZ2mp}_xB`25CY+ZW+MsPEbV`g$b|(UR*dji zh=2ox5Hk+qz|GO1W#Mr#fN^0S4{&&Btn}aoBH&oau9QfCfe^yE3hyBSi);u4Fh?3; z%2X(V*+>%1lJ4jkn9)G6fR_wVfutmX5)i^7Nt9L^ndTD~9fqSKm~04S2f#;phXEEM z!pJlZf?G-cO3^3NVke5MB!A^ExEw3ukNhW=Ah2o%6bmuq#6n5z3yf?|!xDvLb6PAE zM>eP7d?DF<64?-pfWiIZsv3x=$u`9$ahGA#jPqAb|ze@F;5 z@&5>4PoLqwG(PLEuj5zeziisf|2DSv|L*_&Ey=L?`V+E20h5U~)816#>5TT1d;A_8e>c!?LNyX2}FS2hpAEwOkpB!bO=L8ND!%Y}YXLvsO3 zY5rfEn#pI$W2Ai3ilgWmLAWRy)-5X`W zWU@IJ{EPc~+$4oY!0}>41WRI#OJ4XWTz*0(r-Bj9=c7`AEVfHicnxx@r9w(=@sD^S zr~bxGCLmQFl^CSTt}+3?U9x$vR$AEFfo20zB`paLbnzKMCdb6YFi`=9@?c5m63MLz z0AjI#0&Sb4*f+nER3xLhLP@cZ1>rJK5~Bf+*CZ|!K{j8;5EBz4!6!hPTYmk31Exhtq8K^In6|C@W2lT2ARQqi7AT_ATqS5e0^PRu=0Yv23gK-trM1O0A zep7`^S)3p#tiQHSGa8v3CcA9_hL~JH2va_c!y<({H)1R;F&GDNaI&ie#Yl^$$8j+L z5^==RiwRH=qd2T%XumPyqsRbA!NY((iN#cOU!p*ac)Qz+i>&arp z{W*>XmTaKV*G&xWEyi$^-zu&)ImpUW@>OcsAZE7!KCx1>IB(qXGvDh%V156B++LW)&A>bDI zq_^<2&Mi`$YZY?0xZJ08Asphg%q`IhTjf$bjh-rTASSX#j%&)*JOeAVnyMJEpUR*% zN9?CsP$4nSr7}{eay^X7pb81}EU0qtAlVy9aDJ)@6dE#fwoM~y&?)vZCa3CSq?~H&JuEiaUrgjh1caT#-(NXN9 zrnXD&Jo*J?EU0ar+Y~ykjX$02o2-vIzAr$Quj#^o7MVx3?%MxG?(dj@$F|6LCLjP=}}0e$t}WC(@eRBau)YW$(B-ZP9A~ zbXa>hwFsTloI&Ax^U;-dWkTBkBpqb?*@k%s^GA!==FPol+a?1pRecnIGzUCyow?O6 zRtKZ0y{L|g6$lWXB=28)|DLpJ#aKWs8YRC0vAIo(M_t;H>=H$o3kf(d59JWQ44W($ z(kqIISBAio#e!K)%5hVf7O(t}B*hmXn8zX(cT#8=nd}L;2!^A?YJ&&R1cH2UB0$-a z8{Rl@(^7zqiUlly3P7Z%2uIiu6CX0tt63+8WG{(%4?(Tuy9`#ug21Xh{okFBvLK!- zQ{GB5sU=9d89^pnf-qPbp)}G5Wn#@0u}~&PYi;a6#Ue|hCb{m-fpHuWa4aSK1hcHn z$d({j2n&dnL8QbC_2+F?WJ}KqgB1+lqx?Ofe>*J^^be ziU=etk4PT`W1=FKLQ|zLXdI3e7CwB8<0!6~WPKtgw0ttz@((4lrx-_@2eV|sBVFCd z_jzRlJW@hPg3KU+PP0}t>vqt*rUF(n!v$s~Eot^Yv~}|TL~6DF6YU)w8ioTsn-%{}aIS z@XrcvBEN%%#9Kr%Mg8mh@gJoo{+B;UxASN?XX0O0$4~j+!Oq&=*0DAJ{~Q1FZ%X>J z)O$)E8qG+9pdlmZ%pt=a0+XHXV{J##Sz-1_M3}Qf@TgG^!$D~?9`^+CP#O}M>Gi~wmw}a=t`7r6;y>GAFYwlp5$EVcp{}Pc>yZ`$5)ktaP6F2xl%XcMB;!)}_!7EWSI^zREpz&w)0Ez^Qek~CDu2xCCmj6&TK(ozG;;%UmMx&2hJsTm$_rAi@7 zPB6Vol13+TNGGW`D3omBT8|}N){>@^QnR`|IV;2an3`zne#2(rGt|Qr>G?63{OL-^CRD z$GIBE)vJT^253y#9i!xZqldv~Q;o7Ab&2u*p>#LZP$w|cGxhYKo+n&ZQ0I+RU6TD} zx@v#j&aps$;H(mINY;6uLfx{HnfB_Yi|kUC<@XX>)Of5PG3P}89U6IS%{$MaD!YZ* zRm3mB$pZ%uUSTn9;|6cj%+K#)y*K4;&1^(y4KKIO`pz+|%Dp$fJovHu)mzsNFaLh< z`{;&7!>!x##;yTx?pdvQ0Mt)DC-v33#N)mAoV&5hRO>wQ#gchzdY#De+pmXk;tNe7-j~SM4GH#oaSfLLyPn#Mz_}s=e_+mAD*Y&%}uS0p4I6-Lv_{h zKCyc|-BdFlRGp=~?4_lCf3j)8r;;cwB`QTpzXWK{?Gj5FYD}r4%9OnPD)oMB zzY9wK2~N6`XRb{m-{4vGr%%76RD7uP^gTnZhaVsvAGItWuQeHGUw_Wah)baN5V35g z6?P|;klsG@40NJQ4*`R9OQ*!|SEoEv@d))Jb@5Z>=>(~VMhfjmel)sf8t+kkJU7Jd z;j;b(x(S`87-W#9Rg@krm`v(@oYb>4le|n_r`p!ZPLtGAX-eptaSN1`dtO(GFUdQw zKXHl=VoXU=uhbms%h+#g>#j+WR!c?=>`qf?UA-ZyHi3{xPfx#vS(g(A=A5&HKBDq12YU#by@3s zT2CzLi9tS0R{crx-z&(lKV?(dG%9#b4u zS##c)#*psUT~bQfRy6QjRQKVdE_olL0FO>!x!&aMFV$zL#E&h#m}x*V?_br8G|WQn z)-cT(eWsIm>RMAtT8mY@_OHqoh8oXS4+(vyW>}YX@?>YX3&Q=&ExPvw{d`GFW_1lu z9eG^q)b3sl&zPpw8|yBqJ)C|#HM4SZp)UFUN74=Y^xY@#(mYQpdvvObIal)I5ERMpiEt&E_K3@qujU#CaBQYqW;0o`$k`pPcYI|~qZjMQt=v-`b-2F97| zfP1OejY)20o|*YGNSiXw=a6($LxwE((0Zt1thd3zVAf<&%#M|sO9oFCmWj%WohkmN z$1RZ0VNiSz?@pBZ?E}@LGCL)E^0KlGQlU59>6vpdm)Sz!*f|+p`_N|lX1NV3Gt$<7 ze7wORL{;zp?n2XwsorbUJ(j4GO1zvv)kYQdGsk-?fr7e#eI7?Gz^k#l6HL1w$p|T% zVVJt;d9Q|HbrE~=c;`=NdwAbW??;|BYaM0pICFY80qAcu;2{{s>QA~!yF)k7%X~cF zbk(XJMVk(N4SxUjz0UlRcDIM$H|($RK#AlrZSRSmrplbpIoG>?P!26!WEASxy($pUoyi3 zHq$CTgy*F7(985zryYe4NEw=9U6zYCk6x-7OO4VQsAW>~6XTZI*^sBB zx2xN+@)+$*^mZq^C7Je)y{F-IIa3%8*h-@5$sq^{ko76_*VhjtRk$ zgT-^Qm4>L(^?eHmQ#2ER-@N!at7m)r{@8+@jQO1!aQ%JE##(MAR zYpl!y#;0~@3JO+@qn~)NE?vW2cdC=ul@P5mRntDK-F1|iUZsf-^{ssjl&fNV_PmTS z^_wcV5j4o)q=5rjY<%RS&0GHsY9!LL35@$QmHN|_OG+r}q{$wp{qL7VDH$L5c7MG` zU!!9TojzCzox*4QoARF{-S>Fgurezc36Ih(a) zR$LEL4||o^*mdhF>hwv`Q_9OI%!$t%a~55Qk2->H-?iJ?x=2gI zD}LP7+k6;b+q*0DqejS4@yRVWOmxV)-$`%c23Sqc@^J5|hYA-}_0*{i*9+P--g%Y^ z1Pc5#p;iXociV(spP)2F@Hz?k#mg>*X%0OpEaga zeSJf#CexRA_wKt$1#-w7rlF=Cq{F8Bs8yMHg?d|?6k6QZu$(fEcdZoGTMEwkD~|~Q zRki0nZpbu$2h4yJnuTX zzqYl{q(1AEYu!(~&l|qdb5`FsMm7hh*490`?4?REC*2eRt=&Rvs*&c>`77Q6?OaM(K1~_ucV9{|So>lm7q^Ff)HP~fy`J{$Bqu!T zjkRHqC>5n+LxN^z>^rYq>edZakMVG-Vn3Q+NLrZ0zF#qGcWu!ep{ydi#;jCydBigRcs{6<_=DbFg8>qZ3gU6wr6Ak>P?H zotAB>cDKz+NqKEY+Bi{%Q}y=J>Rw%Yh0+`Qs-9CJkc+C;MdzozzEX8r7>9`S$S%nRw0qx$7Xo2rWIW-Oen#F{~*y z1CK1xE&X0J$mFBo30ge%shb+~;^?57>g5Zbub5*|z1JxFx>0Co?GApuchT(~ju}yA z^#}K|dtdN*=k1tQ=nq`q-fR5W^N0R$*XQX}m4RxHf6zF&tLqzYC46e!zkBbxAKM#$ z^vL$1c4K@cMRxa!q0Q2E((peXp6j2xW7qTAoCBeu9_7@+#nWt*D6gO$ zdR@BdEYe{mbpytoqjhFgic@=>*H-PXWUle}_y&sUy0EjLYeH5=NPv>rgFE9lCPf!c z)$%gc9V_8{pwEdZVXXX zd)QF$2)Hk5Tr}$1zJizOk;7i5KWTK&+W@;)JX*Wpvqs6GG~JJbRlZk^Ft=CwxFmAj z_4$*zq^ElTt+V<`)nf;GrF`EF8E4Hj+Bt?2@U6?t8jpe1bg!q6GIVWk44+W_HO2OP z^iqGLg4yfpeP2gh8Wm+0>>sM6@hm$M_{I(1?PCA*jl;8@!)NEwjz4h>c)W2S5;Xey znVfBhoyQ$mpP_O*cPyA;`6{)b@Jp?Wu}0oU3nkLs(fx{E0N4Cs6_+v?DfG`-BfhP; ze${G^Nt9CdMx}?t_UB$XZhUDwcdMXIiB@!f>gSoW2j<(d=3Tb%SkPBoI{LA;Ndz#S zo)eZ^{yMLd%G69%!-Q$i%$|(C-9<%NPZnQl~gb6BNw5<8fp zxk;s`I&(x)-Q&z>hI==>_q;=&c>N^%%VqA$c`vqHyI6kv#OV`hUYqB}p5KsjqN}S; z?c;!J`Mb*Uw_-Ilcdyw0=riw@eRltyWxC&HrJbMX9r>^(K@^-r3!|vDj>KnX%{p88RE4K4}e2-7gKn{MIT;YG&!g#u_(%P~urm12| z5AVm+GVQa`^;>(WBsyRJdcAP;^SE2gLtFPYXpSA7C3urMsPt>`Y}D7OF&FVoYFuoc zul`0~v_t((qj^p*=!bVgFXoTnU2!H)cAl^RwUh4dw=CL{Le1Z}ykLgOTK}#^<(u{t znrblLAKtfToZ5$;1E%iUUGsirxj#KKd)JGMgY!8%g`IX3YhN!vlvr4+Gg;pob#(jQ z|4qTNxfik*SiA$ZV>5;xBi{{i>Cv0{{wRg5o+;KVSr<0Y_2N-~{ZM39Xzv9REAEL` z;9olbP&!($^oa7ynz{8VAuIPLbiQ(P{3pYQ2UD(o4*c=?e52`Cm)!c{AK#GbzPPMW zx%TFT((Z%t=RfvN|L%IFvDeUmU0?gGJY2~5qP->TR5kY_$IjfLzq+;Il2^2kCH6j6 zN6!^}%+MLKgLEn2RnMVn-?MsluG+ZfxQ}MWkl2UmHz}Pnw6BDEB+;v;liW)vszZ2M zYeKh{+zBOVDup)W z$4S2NsWQ^2QQ@~kNjh5b(_Vj5)?#bc7H=4msj1|8^Pq3}nv5m784lA+r<9sTDJ}1! z+fPNyO?CS08j|6yGv7OTtk3Y!Ma_Ft&()6m^yB8OPmPz4)o>lE$2nXZwXgBg>zXxC zdA7S(SHERBC+52@=lFDTmO>1 z@#U!HkNdA%U^!A`^KNH^@{y|s;=0}I`@ZNgFMZ>tMr8hX_hl1rGme^E86q4|LhYg&$ZLp zx8^b4nCv@|rS)tj$AYbdc*UEr*lX`M#255^-e**KpYy9r^HxNvu2a%_ zS6WAR+%kHXo?2i!d6ekNZrdI1ny<4vAOR29H~A zJb+Ug$nvzp-|)!w2I|%4Pv5=i^TC_DV|B>a)lVA-JSl!&Sb;7lO`|?d^4A(%L@x9QP2LiYL@1`;HlZ@^XsCZ-00-zTm^Yivix>BO5y3O{_W6 ze|gO-*MVQn(=JqA4V&%1InhvhkWr*>dJ#+|tG@xq+}duRHt4p$r6XHtqo)qBQm=*X>T7niBu^+spAzcjwMUH{3w zM+0YnwX*tAIjng8Vg_$%(fd5^&Ijo^i+!f9|0Y;?P-Irq@VZd;ji)2DW7M3?-n2iJ;^G*12e z=4)}faUaquFg?zpbl2H+4Qi!R4QM5l5}r;~7v&^itEx4HvCebWiAU>5eYJMq^q};E zvb4vS+yR>J7IudyB`UjPwtfMNed(makX+N!1!i-*b}H2bi@5&5_hxG)32$~ImG)Xx z7OI>?iPqh?Fc7$;d`*GW^{Kj~hf^Qft~g54sq)u&40PA4H_p6ZlG|rq>dd!0ANvX^ zof-|lW>1ed)638Wwmv02P95{mc*?R{;ZHZQEulKBUF*q?EUsdDvbl0SGJ$IKz-b?k86(>1%J$@(3 z^seu2@0f61{S_*uRQ;=;FHn^S%zS5%tCBTs4aG3GpHhjbc}AJ_QJ2_UJoEUosq`SE zI3}yB_~W;^Z%EybZxF5(l5KT8Ln^B7tni@INk@Gy-d;)3@c~Oz)~Ac2&+9^KUxaKS zJ@qaf^Qg4SpOg z!^+=9r*n!TLZM-iHeIrG4wT*IFZh5f8vu}zEey@a)BK~Z=|xG|C%G$t3$V7Bdd?scC$Gd`Y6;xIl}x_j~)-+ zQVQsIT(j1x_t2@na$#Cr)mh(J`fKY4W;@LeI9gtHc3NQhlp9`IBla0;M!vdYR!WB$ zs(VNlOXjLi@e$Vr-2G&8eSt;Vr&&v%M|6!Mb)IUP;RR9jSt<`fJw?+)RX2k?WeVuo zIFJ_bmNI^d!7YIl}@u#?)46Pf3S$9Ibt9g3_TShn)4^o?Pribts>w za%g4gy`a*0-FL@kI-N43`A)ldZeV7KT3_mYm6hd73$N@vD@qqsJ+QsfQ+@TaOiuaw z+vw}#t8bwuywzI{pAXp()I->an0cCcT!&*8fBiixiamrPHD-SbBCryK#QX;ZN9jEns!;zsNzGlhZyXb zt)qHuRQcTFMOjYP4u63Lr>l2&imCR!xueZ{i3T*@bmj!k-g2bD*0I0(=}&_U*UXQL zw_3loT;)^I;{_w|4d1pD)t0)expfw7FSGP6UJU$ zFz(yx=XyxJ`su5Wtd9;TpLE^HyXdpW<{nc#>`FW+M;(=gXTIbPf9!q_!G%;G)c4D2 z%8}kRPrI3nTyj18TT0^Tmm_>`=oj^xFY5d~d3g7}jn3b14f}!gygjU;`=X-$buaUm zPfAFl_02d`Y7lcdZs{uR-2J`xuKOHOP>mq$;(-?xZ(Q~UK@cA>uA zmg|=%xN}3V_dxV&yA9n^z2{5yir3svsf-;aD;U$xy{G`6iXJ^5I@e}x3Mp^=o* zM;CuxAIAHTQ@yulky4MXZX-Mx%BvF3-hq2>UwrXOnB9;UyD}!_B>5f=@d-~nRuzOTtv~SNQfC4ff(;m&2}(USM7ekQ#N&Z zy|ZE9zV%d{QlHb~=ICW*1eeC;J+JnpOh0}H zJ2{(XO_>R~k=T z+Vt{=d%~6UM~#h!0gS`8Vca1G!x{o^hgBS>ROG2%dUN*ar8u7kebS=LIg3O+zV@=q ztfrQl)kNQ$TfFer*XZ}));U9_=e*+l9R2sj3peKX+TX7+vf*XpyYogxz0&q)cIC5e z3`+toZ>>EL!;PYyScBsEWvQ8Lfot>9_uY0d= zAGPj{uNCuWfA06;gx}m%1^1_?9XdZbYMlFv`t*qC{VDo`{jd`YyOup$wr$V+%ALOF zzKuV^-6AsIWnJU+PCVkQO|^2k<|?WsJ@z!NVSj2dO!gf7XYW32%P5a$&ITts9qZ<`2FbsM5vpQ{}kS!NY66 z-*H(V7j8Lv@MZGcO;`JG0jGueS0kR*R&F(Q-aGI|Ug?vJr5}p+{0M&Lyr6`39af22 ze0~7;@x_mmaMq5#BSVXVf-5V|*?BE;xxeY0Xz7AGXI2~tjlaw~ReW#ZzA*NeeNJbi z9vwS-6y-d=D>lA6Jn!;s$J=ZBu8iWWJ2q}@?49mDMVo3y?O|vJjVZa3IOzGy?>fUS z^>7Qn&eW15}LT z4x8M5dHd$v`ExFR8h38UBg-i3jHeB+t`wcEVcs!ZsmUIZ|7p?4Z`ING2j7!ZJH&;NEhaVHNy(q-F9t3j5Q!?W+%4qoW;@Z>4pm-Sz~w9EHtZ=1RD zN>m!-vM4r=Ifhxcp#H`VzY`8c&)AtZGuM7GoO#!OC33)KNfi6hVmE(RX18xo4Tqf% zpZ;OWvG;pzZl57XMrg(rpLW28pQ=S4S>;@NR50{HmfPZmOT+eVH$Jjs;it69Tv9S4C!%n$pIL8lK@FfWSI?>*0 z(B8qPFT7l)?Rly(z~`vv)e+ks?HxEkKcT8&*S1)JHV>w~)*zkW1uklCrY#~X{tyYoVazp#Bh zZd+BaF`V0dKfN)5Yrjz!o_@ONTg*y6SFk67Hjr~@_~j>)=G%)8R(9sp*X|j$((B#w zuw+E5h-U2OGq6A(Eu36!UUQBEY0T|CW47+W@zvNGWrqgZr<)J2EIDIxWZ4(4^OhpW z$U?h-s+IbY`_)NrtnFgx^08e#vlg?W?oUB-pyL-=$qUq6K3U==YoxE^RRQft|>4o49+q;})gxaTC%{*5*#a z-20Tjo4shnSGOT2-;`hwXL)%)e6H3G*ye}r8GGjNpt+wokIl;R7j-#j-FJP&VR0O{G}f#5?u4PQU+<~Z z+W$GJPh79a&4uIlG!7ZJeRMdlrm=ipO8xxo(d;hcEA@K+P_?lQ8NV)?Im!LTm#V#I z_Kw{ixvg(Owe8{iiIVr>82X5p< zUlny-q~CwOH7B7uZEEl+5j)Itwj(etu@=|W9Nt?;%9BVlhnz_ zH6|w_I%sS5DbBF#?)dVBgT$I27EakQ_oL>$as4-=Mz--U_hBY8`(BUY9ZG8^^U_)B`(~b19%fN9KIubs%0Z{Xq!-W92DwIPyH)IbE2@4^zj0D{ zCob%nb>~X_Oy|DOIalb9XT9g_bb4{1u#Eq}`xO3Jjg6O`@ksvU);D`mZ<8@AXL+%% zhMg_AGcR;=@f|8QJmnSSyMNHBKHIhLj=cS0O#JtSGwr8u^)Ie>cOTcFWpj)3$+E_R zueU2~J2F3U<@Qel*$vo)3E@l5z0FS0n4ocSuX~PQD^E~)PSB8a$ZTGcFzBrB+_-9$ z>6No9(?|Cf{D{r>e)Zt3PL9fHXwo-m|)LU)-rts_i+gGReHZkk!crv`n;R)v-Acm%LXpl`j3PwH4zANBKGv}CYXCH8K` zWYOm65A080S(i}uu(eOL9PI&lWmgwi$1ll(BEW{pfZ5R;pR;jKEyIKa9Y#s}5f!nlS-nBz`ASlWBrfw^pqN z-R-GvXX&TY@^U7;KG4Zm9I^en=hu6B34zBfY!famc%J+H2D_mnHhZvJqfsp@(l=Q==i1@}JGO)lh!)lRr1l$SQv5U< z7Bw8mA2hqh?U>1nJ8nnVb^1o$iwmbFhPf8FS`2#=ws_x^O+9N~)!p?xbfZfAG=%qH z*}&oDEV)~)Cx!R2r613m=dvdEn5cZ)ojnkG z;Pnt+{Kb9~+kXA9E~{=1uilD1ocL++p<&+3W^Bzzi@yE%NU}ZAb>qCwVg7w<9432b zJiP5V!{?Uk$iAm$oqcyYe=DPxW73NSa~9V}j*WY>dXrt;d(#Qg!#TERZ+)9MXGLA% z?)rOM&VTQ&xoV;D`5{Sy!{3(0Upq8uhE{*p!|)Xr`~7Aq7T*@kz5K*+;qiB8ho?n7`quAlxWk-r`5PvdGw-NAI(2c9=B4U_SLti7 zB!#Y@Ry}QcZxh=)SEm=zZwgda$Im{)ciJDh)_Bm%VPg*$<%N}GWbe7x(`|UfHoK$+ zKR%d{XWld#&*RmtKjUzdyKvg>UcFDuXI5T6Gv0N$>%I>x=K2G^Th3KGZ+>Cu9L}G+ z`!HseGmhfMIkGddwED}59=!R{8-!N|?f>C_eEI7%+}Y9S$*bvK25DD$96X$VkUX{^ z%)T+a|K>WM%8Vl9?J}#S4bZ$7A3o0+_ZHMl9=)W?(c|@J-jWlO1_#qhW6oY4Hr=Mz z2b0Qkv$nd#?3rz|wqW9^@Vhk!7L&6v!PWke_vxWJX*U*)ANBcrWDt8)!lSL%c8|XB z*57)<9fnqjrQL;rd2^m7&t7qL$6%w^pQ3(zeKzZR0h{j8Wmfr&_viZ`a{Tdx`>D3C znd7xZy>mwHjt%NBC|>ts*TacUn}Yo=cRx{o^xA@*m7j|y^*frx`@VF}d#fEIZkN7V zH`?NmOXBz0artl1f>jgxMO}KViY?X_%vrTiC;Gw04^hl1ufSB*Ss!Qk&ewh1ZFn63nie_D^Z;!l9yiLfV4>&3*i)hNkNXc;WIVyB>jl?>Zg(6WVlV4$%}?&w(d)_u zwF>ghh1;VGRyy!}PuSItQ{x=wf$(i6WG#zDs|UPWdFa$map#+FmR>aq9(U~G=S2}g z?|dDmz3#pHV_%1*g;j5NJ^DC#>#E@My&n&7b4l`Gl@3hW`c3de#pQhW#Y^h-tG6+} zPG?+Adhz;5&d#CHmSgYvJW76TeZFG5y~@sfOyv0K(&@cMQCp6VeVY(;xZ%VFOOa!@e;=P!MCTSHVAJF7VKyCOKB*HU)pt4exDEHA0$Wc zUiCh!)4OP6zVVN1$uIg__OH5iZB%6SVPQn%l|%CjUt>>v%ML6%yD{tK8uI4BCvRnJ zPW0CkrC!zPQ@weTxm9|p^GWgXe)^+4{1W{4eoiM>e%$zYp~m#6<<8>EM`!Lgo0_m> zNfM2}H}ABQ>%`$P%A$|wQcmu)#d~;F8uxsCEN0h-%$xf=-8y<>UDbD$4-uOOj56Ff zdr$=H>ywI=%Ri{~PW`ci!56HmuN@nA@9b{Ju{}pOX4c%#|1n}l;+;1Yo1((L9kW`n z-uBLiV?s6W{9`Gj)m{i6U7PqWV^Y=g3m<4fRxd66;-U^6Q%(t7sV`=pUHri~`WVCX z*f>rScSFs|nPW!m)!1&l9!iLRG-Tqk73_5jtDaoh>{7lmamffSL%g-~qwq@}XO_>M zZD4X}|5v4x)`D-Hx7)wqA9Ngy9QeLA=Em#f{5cPxrGt(g+`n(qnA`oAPZW>SwC{A_ z!~B4?H{a)+u^aQsEH{N6U-!Xr|ITfL^J@e4)Srs3qqw~qisUs&IHK_bB>TddcjF~IC*x#_v<%ruVOX}CpI*Z-Z<3#&gz5yLFi|jgEuY>)Oj&EXXE+j`dxSE ziA^4SOT3w;bXa9^Sgo3Qrq;GV{XK8@g}y$NGGp}kH=9$>TfDEintArb>-2~;!zZ3o z`wUzbQkv(y`bzjBzxZN$dFDiB`Erl*n_qSL{{RC({J)fCCD*EM4UfL?mG`x>rSaj! zmz&o4FXYWQJ^K3O^{4&TwrFKWIXTd+Hqyj`usa-GP4UbdguTcQ;~d z?(E=xz2LKhJf~v#u;))cA5#0+`1Se#J8QB=T^w~b z2bs7#J*4#&B}8t}5kInBRN~P;PL^lIj=uEAh~mTBGBsaMv_*_=pI$rTdCN89!&kDx z3MOCBdyu?-<|B9C#LrG{zEheCZ^`ZbE;vrnez)!Z?8)bc$1a{&lw0xu*g3r6#dwO< zu=n0`7CkOCi(WP0Qj*6d*|YYe4=>)LRCu{%fpkqdqu7-Do8M%}&xw)Y&#WFS`;zm1Z_c-~!{6EMSXU4@Je_dl z_Jg=X2|m`dop%vF_HD8nYf-!?BT)zHlwKA=x^Kb$)8%uq%&(kXPzt?32=*GxUb~fO$91Pk;P) zg71mD>u29!^K5cvlZRz#?^9Ic-m7`8I4ygrdMWYKpzlSd0Rrjs8GtIa^=*ZNPa<6X(BkojJc~^qjs2s`n;JQ=i zm!~A~_>(`Aj=Xmn_VH%q`YT=>?hKzZb$(O-DklZ!W)G|eVwH& zQ_8$&!Oi2L$g_^X5;o()(rLv{WHg2p_VwBlnlRz(07BKW@*K7xcd6-CSxc{{5{rry^YDJE51D?D~wya*>Hu;lZdZnJLZ?kVsT5?wN*l!+@ z0|e+er#Jrljwi)9`W21(WXpA^Rjm|MM=YKC;$cHuY>0fb!T`7F1oxB__}~DOD!Zza zGy3%D8wQA{ol2fcd%PChUw{MkNV)Y=yRrJZR?{jxTT`JB#Pb^l^SGF zH2Lngjs6QyoLJd>{*PS|&)=SPG9fxESBz2xsT1bV1%S}W6iNP3&r`rE~|X6~s;HspD_gRgtcK3w$7B1iA@;QeXT zSu;}}1{EzBmv=BIwRKIS+5k~^Wgzwe{?cWn+CIXuC-IHA5r}BVZ-DwuR&`q z#_wG|#3Npb;~Z6g-P(9{-|+rsMq>tU8bUbvstG;Ur15TJiv7(~jgK2%Gwv#yYN_{o zB5+>S|8U>ShpiOkbB&c!wtK6pW;V5+-FeSfJw40cBb+Ao{pcU$xON- zGxaLdxyk=PVD+L&2|H*>Zj}}*Z1>b&8}wwW)pw`SZUMB0_epo`&3C`9Pi&nrZfr=g z@5e;LL!Zx_djOxl?Q=#}p+))GC2YCQM+x% z)?HplqmiyW;AYnjPda+{Se|d@TCEsEztgL>y7%|9C)Cf@N$;Q%xd&i zs`40ln%0V@Af6yRR&k8{ar2Rkv(sv1&kh>O-7=;CFNV;(OG{)E80eu*~)*(>{BzE5&PX`=w9~S;ZIMW9{zCnDP~If ziZfr-rX$Y0)-Nm04BqS?bN6^tDdowN5w45Q#on30^{$CeN@?AB_)=rTgq5ic%^q1* zE!nz9C~GUnr5;r7GxJEk_S32hp8nJBdSW*%Z+s*3hu_+9b46Imxm!AC*Njd7wzptE z-9OHJqmk+{Lac>a%|@MJYsVzaxgD~=y_`}o_<*i#^%CH#>XOBEcg{Xv7p}FowP9em zTTuPsnal>%9e*%_nB7>`HsUUJT_Y<{SVw zhev#{%3U20pM8UVM1?i$box9f`%>AFLz8p7_e3u`a&eSR_?-jay~&h7`Cxve z_l4CP8YfQLf8hCpGP7MTFAjTk={g~O?I7yK*S@}6X*+b|cJG{779WxS4a~PKnuzT4 zj&pr*Rc1|}(UgJYtqdRD+7Ux`myBENG%YND9BytXBc8^W}9FWC^sF_6M2S--gH1{NwtAxpv{2LpZ0^auvKLeB~M_R4rNC zzf6uMXYO~loRB@cvyJlWeVVVXLip)tQ|HggpkYl*wpZV6YYUkyr*rX(fRee} zXwvWrr)CegpGZ6LmNN0mz6dATkMO?W_W=C-YQWbgGaI?w^L#9sU*eeUd<=tA=5#FIQ+r}ms9B=sgvaeT$ zVf-DRrkz&9!{6p-wM8`DV@-MQG5yHP%-QARJ*ol7FevbN!Jrq^Oz=Ygq+*ymeDo#ef#`EmI)p)*-oc_Nhway9)g(NyH8NO)6Hc z-^Ok|_+SdBIg2*G%;`#-*2!$GwsScR)@^#vk3ZcgTX$}Zx#sQpE0)!KJzbVipnqg^ z?voJ3f{{>?CXftQMZ(jJ?>$TU2YyC3h>rxs%+!-2L zKUDV8X}fcKB36%ZoEOLSoW#(IYiMh<9X0cooPx)8`|lU>WeGtt6Nw(`Zi~$e1%-ZV z7R&aXZuk_^Q8ZP%n0+ovSwb`X7A%4ftQy8cXNRK}U`uu-Ab+_}3-NUn00 zht4Z{D9&o2)t?>>_+L@pM6`7@<3JOyF592HSAD6x!R%MDL-#|i35ZtzYdP4WSyvQ~ zrr2)wm3!{L>q_Bq!TswW-!H$Yu#sjoaB_0}x8);T3l0z6^16*SWomYF|7Ee+kwekX zIq79Pn=4|Qs@fWWqVq19`WfFxrOz9Y%XBW0DOP@3UaGgbVrfNrNo+~%xsxluWQI>HJ=)wdO;722afRB&(uieezB|Msr%q<7d_Ow7WFaQ= zq%^yRb2Re>C+EVO&wa8eeX>TS`$n~-FN|$_5Z+eWT6psgrOEqN?2GM!m$vg?$HpQ- zuc48x-&@zVHUdQjN?(!X(K|LYtFO^lUFj5a@tzlD)s>y*{b#BexhE>VR!r*awN0ML z*>sIQ;nO+&N9oJg`^P;k%wOk3IT5qxWt=Mb~~2U9VuM1_MN8oHMOcO zR@MdUj7|=E`GRrez@~FqiHRR`6crS+nDM5bubr*a_OH?w-1_qV-T9r%&CFSr+8-h{ z;#}p1sZV9uSbtXg`ut^*A&?gO_WhLCs^o2<)?5zzl%e_&*e_diaG~tu$1+#bLnpTK zUC@fh>X}dXTFw1f8*Dr_$5;8A-RupiQ`moxHp3j_sah)9F~Q4q=b3f%(pLu4wB(lSEmsfVG){!(tD9)l25x*I5GE z7e>sfUh(8{QRU{-DsfZFwMX(c%{exZcRWn?EXBhmrRv)+0;8eQd7xi;y!jFG9j!Swk- zG9NxnS#WJm|J=#OnHL}W7%OLi?>szHmzZh{-&uRhdj2<+$A*^-Ql zTx~JZI9`35@{pIC*T*<{J-#}4_oGuIqWe+x)I9o4u^X_u+`8Z36sIca);)4Nnnd zpFm!NJlB%P-Py1q;J_wX^?hdqec^zm@BAm!yWU)VJv=An;=zYl>IA{kna*<$g$yue z64buNZh%)ldN{Rm()mRtJ7;?6RhX@Lu*4xVn+N+d*cWRyl=6?yH62VkubQHG@7pv&{cD3bvjxT<3{D17 zSZgeoFFyJH@b^i0=z?d~7 zoGz+fF|0c=xZ-7cYD+yMl%oh)Jn%VRW@5k6i4^bx^3FQD`@zT68!um3$9?Dtofmd6IM?p z=q9FqJ@676Yz2g*k7Ujsy27f zjWM`1{z_Ethld_MEB9-?eP-Zd^mOD#)`bCpQs|_-S3a((bF*c92kwF>x{v2TH|%D3 zzc`O3w}fcLSw9Sqr25Qc3vv@D%_ezn9=F3~{~nLJI-AYYczgPvwlFLBcx{Z1b>YPo zXHF7Js@ar)JJ+UO)o_hoXSw2(C+~~;g86&&S8vop`QZoLKg?wO>o&@ zLynfaD3|9MyrQ0FmSXBeefDjc^-|%+pJwAK?gHPX;E^^heczqH%WW$agN7LOw;Hp0 zQqp!gU-zd+<8=HY22HjP3OlbS-wBaWHR3=6aybaSuD-tlL>wQlYiMy>L&nd9gDF=nT{ zOQ~m`9hz4+M>o}rw>W>Hn(=fG?TWb34udu%vE>=-y%g>5Ea__qD**D0ooW=tVPCT?Y{#-_eYQr%C46aN_ZJxRt~4Gy*ba4LUEzTCWf zk1WCk+w$pljK>arw$v&+$#1_EtTkuW_T3*|FPUfS_b##0yS&_tyP@I_Kbw@Ip+iZ6 zmse+KJSe<*B6YBeAo9E0%OZ=xYNJn#--4;I_iC-Y>*+qptpEMw_20K2-f2Yis!_35 zE_CWQ{`vPO$22x9H}^i#tTR@VpI$Nj5NDGHx!{@>jWy~-y#A17E9lB`21_*4M^9if z?2L8pB;H%>8K%w%<+K5PRbQw)%aB=D!7AIla+?QHFW*Atrb~9;<9=)Aya;}p==f|$ zl9A4|RT{^Yoo_ZSkiY+8G-YArfx|~WB*gm}P33HECT8D@72LURYWz|mWuenWTK`we zstRwUT-a!EVbRjLTGw+q-U~ zAMxLP^y<;){UcX0SA|@gmtd-lu;$x*T2?sgCRuyby+RFF^5AX68_&F#+^$+49=G<< zT+NefzOU^2YS3P$?%Wyc-`=Pt4eML?`L;Xa|J+bhX z>)Yv&MNaY#nTm>7lkf4nfWq`KsWWnQ`Xr>HyuNhH4TC?8r+x8UlS;7ux^14X@-ny3 z=NLf?#CXNHIwOxj##f!HhEr>Yrt@1I4g6$ zqnliHnpO3NJfr6<#BxdT#{K8#`)sUErzcep=@(d?xstJmpt*M3u+-ryiw@HDV$@GT ze#Qj_@Ou81_+2wfzs8B0sRsD*thF z$;H0ew_Cj<*YBsw=uTNSd)kvaJoeZU7LnN`r0yWHu&JPSsD+%yEgVI^)0y9vV^Cf5)TDTjXmeR6dPM zjQHd2V)Gr}@1)ipN!f2%94q%swq(`9rUz$AMmQ|+8H(M~JCCeiqc>^H?a}g^JqS~V zj__DI(rWOe>M5?@vUwi7h)tI)(*VBo`btYOFfO271uj2zyD&3<&4b%skB+|4?Q_88cK)Eo zwCU-lQB!>^F4bO9O7`+@iaA@ZT$x)T`_4&2X~mW06E0MQcwX9Udd0AA@8G~~ya|?P zwA3z)_)I9!u~|h>7(I64 zcE3-7hu<%G`(0*iy8o_H**DeUz`@4wi<{q!B`ni!1vGAi@J4>J+?fi}HLqI8^PI~E zgdKTokul0g$LBzyvN2J2VqY`u0dKvtEl0=Z?6!F3{AkjG(1c>^Gglmy^R^yb9-O`g zP@xc$PrdPSO4;9-aEI!kcrwdTW5AJq`IPb`!{JpA4!(-g5A(UxbS$ZL>(qzQUk$!F zjlZjNt!fqy4u`Te7!c9XW384VPEfudVUsHv5c_FRuOk?L*%6 ze&1Fxl1?1(nGn)+dj8p0jUS5N&+)2r9Wu)t2if z_w1p&(Uj)%>(kl>$FG|_DC;KVb#}qfeYM|?nKvr?emJk6U^j_AwC|(9i_5>J?It+H zjz6~Q#PRhhG$Q+i{nCQf8A&{2;=q(u-qw)0n!77&Th_rz*YyJ}ZmK2`HVul~+q&4G zPHkeE*A992-6Q6X%OxeJ)wrhmOfk^@!$)ZtF?!X~UB?ylo+oXL&qK_#75839?Aw$y zJ#GJr8#MmmPs#2g$C)aPK44M(``1NuZsB%v@#&2k6dX`YAQrYg+}(zp!QJA9btC%1dKS`kQz=oa1dtMQ5Jx zze2ufeqdz0TI0cNb3t@oByF@j-MLgHHQ&~2(Dp0vzWS~HOOuN#s%^6mxq8^%E2EmP zu=D%SvdHaT~xL1u*uiF^ysE&-(AGC-wkvU2`_OQ$m_0SLFThGbm zPG5Yk_N7Yh3A+{Yd;TbLaaH>?=VDqP?>S0^71|Ghnka=hX0Foq98yuM#q$2+Vm*c& zvAEPPF52(CLx!OK*`eY^ZjDE`FgEXb8QpYm@03Kp#fNIQk{@1GdN61Ub;bCMQP4oe z#{qXO2q!8}&C+6DUgo7VB6?c#MxS@3hmPka!{YAsW!vn5|=<1=O&E|AHL0Q&!dua$2Hf-lv+I4zhm31 zC4TVT)h-pAz0M~u$}YE9yjU?pZD7#DXY21=6BOisJO=s_ckXYoy7GR}Y~GY$RWDtd zE@XhJSjx95G(GC~IiRH8C$Hw^jTC)qy!V-^!Bel#*qelWrlwy^P34+A&M+;=zj)zI zzRL2UuZQ$|dEEqMUrX8rtQ35WPm?=zv;P7^gg?3OfQxo7qf_Kg>wnh+=Csi-)oz}e zdfv@os{FgeLl^EI213&hWo4J1jNX&C_wl87J3K#?Pq)2a|K{cJ`;!80?Thfpc_Du_ zu~LTp|ERbJ=1c%BZP&4F+qT`YZQFLowr$(CZQHifao$sB@2YQRe#X6OT@Pl92&xEr zHB{@(7gF3brMs8n%gmp&`;ftiboHy;mlR}dnV49&&Ue^B*$HR#`PwON6wrl#J=EVL zsa;SXvfdMm>p%MSkR$0buc2>OZvGDSx!rWwLObG~N+(=hAJ7zAjl-7<^*PMc#$}lH zt7ud&e+Ji0%1A-=z8%cBF~Z|P7X;){QHt-VWtm#L3yoCqAu>Y|_E)`PsZB?B!FP@J z7R$1IyGzAW)Y=WDB`e>qM=CrsMKAw|dxM^0`(~Ykd`fBh4;n!|x;kxZ<*81nn4j#} z=C^B~mKdT@UpZ3DA(W}CV^v%sf@yfAo5qWV*M;=Tlno&r8Z5AxHPJ zgagZud_2k$)=ddxj3*vtA(@)nRGBZk&t$NcqQ)7wRng(a!c`OxaA|wVp@NwDG^lgKFJ|4#-d>us)R`>Ch|xYWk)SB`2dqBTg%s= z04?umQhuX~PB`Gd>ea_+T~l2GHE_qZf9!C*e|(2_N#uY9h;o+@{`!3f`9lCGj1%%% zFAN;CK-J;$Sp8RI+ebfw&!V}FSD1Ce$>)bVV`0(1@uBeu*iXmItcap?ZqF1UXzcnR zI~YD(g0Mf4KIBS(M*UOfP4RT20S$a6AN!yWSCBg;(6_=#ok^yB@?|a5&@S*>b3cst zijP}U{!2`VpjhLeOu1f6arCz5AMp{Z5^d6Y#PBCc6islB*qPOe)~!gK-}soe#wfOD z8tyadSE)c+lDbB^5QJ)tldXi1_D$~OK|aCW8R5#@P#~zlzpF7V%Avt>*tq7c?QjSQ zh|{rEZ_(}5z-ROr)72?=XS-~A8h(|^Fg0-aVin>C)V*&;oz-23rWt0>8Ou?ULiEp{ zY*w-*5llF!tF1`LiV#HIf=avAq9Cqan$tr@3zmMsgeK!|jIVXwgO%jEH&Oi4igYh^ z&WQ`Y&+Mn!FEorfu_--0#rvF=Ok_-+q)i(VgAzpD!wj=z{#o|zMGvJ`RL2_B24NK$p!)zLOf+07F~S@=xg z6r>kp8YHUj9Y^70@Om_37GDHd3PnjsGtLCBZ*1TT6#4d2p=FFN z4l`ip^&`1}G*Zt!G!d4m57->a2IMNDe zp-S^E3NX8Bmav!BHAJr?;X;bM`bKy*(+=Q3T;HXVb#hGrU-u0s<&!I?8T928kBlc7YyXFyH=`UE z-C>bJoi=asDh?gu?Q2Si=P+9k*Ge!m2hti3v_DW~D?C z7rQo~!4QvIU&nzTHXYdV#KJJkCox7NG3HBS!t9NE7mQpvj&~!5yd(xuq;h|ME|xw) zwg2cqL3eo+CY3q)sfeaetdCMyB!^QoPJKr?XGr2O(C9M_iR=lV9?h8OJY^QmZ184f zoEyOu?R6@F&i=jwg2BjpU8I1+e_+INC>p3vMW%!S%f@vvcB}FQSE6*rewjFyKPhHr zd;+VzO(Oj_5(Nr>CYoO{x)UR)B;+Fx7KKxzSGKciqPX&}7%6mUGj)p#4c6UaH<4;; zw%bH$qk34-iw!25^lYqHGtr$^yksKL4kh_$I_7yviCXqV1KyUY+(w}g{w$n>Ni|L^ z2-gR@Oq;kzxRTevYXwyXUDskKIh6z4fa^&Ldt3sybOjHXXkud7Bi8>dKUR7c}wS8#uyh0-F?@%J`4CsuQi3XQvskAi% zc7IV*sDB$2MqKc8J$+bcAtD3nXi?E;){&;Fkbyvw82Esiv6gCpE_;?3_(r)WMm$Ac z=;dC6s%SI~&~=oR61ab81%?`tMwE>bxa;WzhFSpNvypy=+;8#%Bb8_kW51{=RE9O-a<`!xHluxia2EX~Z-&0`u7^6ZN^M zB)Eq4O6-;6l=^OT9s6y_HHk*7ZzBAw9`≠jpyWKvf|WGRFV#Zia`%aAmTPo0(}x zvX&f1T&1QjjSDM`-seyf%Z&5gtC6XuTb-SmaYxfPvH}U6zVk=~ixNg5k@)v}0_iT% zWi+e;w*$TCk1EkY1fo*-z!r(9s$&y2X;E4*u6SgH<=Nv{Bo!TmO$?e5J~Kxw`k|=B z?ji|Z^@_+Ni8Gl-G?tQBAvZH=4F1TI5^2>|T^w%W_9WJ#uv$f3CcO?=;S!N{H zv9OeE1`R^}9U8XwQxo;9a*Z^S!|C7I!2-77(M9Y{*A^Y#yTHC|>)M4$0XbYsK{tzg z=%zMvK2HRFoV1XOL8*L(nZV?6WS?O)>vU*@HWWQfZh>3te#6CUqwer)mtFN z75%!i)~@taM1$m(Xa~_c6$s>~Nm*oNB805Z{HTvJsgG%`2sQ`1oMmE5Bk-JL!~pJu zS`uiXBm1H1Vd#D+b#?+6fEe77C8W<#?048)=vTaXcOI3@0SJk|%cnpk>Lg~$7ffnM zt8l^&#lePx=IfnWx-4T#${-`168x{|uh)Q}Om?J_KM(???lY?a;=&HIMt5Abj%{&>?COISL7&iT`LLCy_#}ztrOP6lgN~spP(kDl0^L%j zT$kF#x>}`)Mka9O1+aQ}1DD?|nPm*MjCm-r@@ek|mWr2tH7#2R0czB!mypYQmvk`( z79J$(6oMTEwtIU(Rn!=gPKYeb>PoGf`oEa_=Xyyw^T|97!J z@4hdIr6C;!%8A)SrKqD6&qSUy;#swH&cme2!|~lMxeAZCBxehg?5e(2levU1T4#P~ z{@IGE=Dm-gTzEVJ+ZQ_IWsF>_ee&ginA|#$x3H+X+Fz8#IJmAi+h(o8n5{9(qw0*E zx9Gm%2=odp5C+|(un(kg&4sCd461HF&9Q?-`a?J9XZ7kyS=8|W|C++6M~%+=8B$n+ zBxp->y0-KG3^4LwOWhg3-hh>0tIw3aNn zXq(!WIpAZsdTknW$Z?BRMwC(V z|239OT~0cwk&zKn_4YZX;G!r-qT=e?d7aDax2xTD%LZ>yVF#K{5KTUv%mnm}d-C_epoF zOraW`rhg_+&QPhFrE?xgUnj`s8WD{(NcjIbHS`k*hqh#iad9w zlaenrM{~Lg8-CGAQxKsgl!IcaVxoZ<*X+|cbPzNy$pu#Qjmp@jn^{Ja|Ct}A5BUOY zY(#Z7{<~@0e3L~`l2TZfZjVV%gxC-4KGZtw{?6BdT-{^3_a2Qk){|)Q8AmJ6KGi2~ z)w)2;AyRmTk!b7^5EyhMUuwX&BOe9+?OGb>6U)p>G*KODn(LYWWRRQ=! zD`7U|J@!UQV^L3W5KHOq*ThYfj=E`f8~tr{t4v1v#<56oSS`;sZz zMx^omA_zi6C$fX5n6`kdi3w^`e>>?Mu*gMZ1Q&~^cHP2|RrE0@s-Q2WO6jW`qO8c= zwI}iAT3)!x2Hwyi#D5X*)ccwhRCUaEvcd47nY!6Cc{o(O-$JyX)CT$3y}lNGRtpw* zvB>lt(t^6>GVh%CpCO`TN{3ss`$s`pPXP&P`AYZ>X`&<=p-(u;d!5clQy>)95Hq1* zDNguPDCwJjt1CM>yH3qJrcpxJB3~)T6>YKZqx93Y=65{mp0bXj)PBovcdU0?tcBtl zNDBHMrkkU*^|wMN-ok9xVIv>!=-?BFCtJ+iqtYw2|J^8WHib(ZL|ubvFs=;ZfHy!> zWDnI9`qWZ)(BvQ(R0b15>u4g?(J)CZAuU$dhOW}>l z#I%dUbj14+316;HwgYs zQ}P)(-^#NZgPL9^0T$z=LY_NoXJW1gs;+<9!(mdvo{TR=Rn)VHq6#%(1DbCkm&`{A z=;nQ>6)j5c?e0If@e#5wws2p*RNd;7QB-xZ0Y4GNfDJfpeANFuzGmue+aD7~0y=HT z4;|gzuoN@L-_{uZRNc9+j4!}4ZXc5x4%2u6a~e$5AZtl#%WU3K2OZcHownaLmzb80 zbFSsge+)G%A70hW0ykW5mKdKM0FKH~zj7YQI|br}cSLJ+v}uSQO>?vAiLt^;777)& zvN8)&7q6nF%7aLQxDQu`%{SlBCV&=4|KpyaD094w=H6+%*tc!JJZw`YwDG}SfSU5J2V+6q%P^j$CIXT&gUnQULX!F?{u zMGow{K`<$^K>JT@)E@=bXf6Fu=Jq1-p0p>Y9X~IO@5+pB=qb;p7Hr}9NGv#T29 z`pA;a#afWA-fAKFdsl?dnUZBodZce6Db+O(wH(}J_GTzB9{5H$9C%uBKx}j0?49QE z&1;3dSkpRLsP{jyp9<}i9QafW)oy61AY<4%ay0_n>XybazH&8sTocRI8|W_WdY}cR zhAOL~d}XYpp|=_vnw$(86JyfvcpI)k^HOj9ih~16d#V03#$NqXs^2y2&01Rv`9 zW49E{Lx&X6>Gs9{h2G!W`+J|A@BgoQ_wVfPeS^QKZ7x<*kj9qnyR6+&Z*(!3bXf-} z_^HJ^`v=rQ88aGepN`m34v|lGT=(6%=r7}GL%e& zWwPWD<1cw_-5Vp?5_NV*0y~cl>EDDVXpLraw(Tta_?BSvBVQ3H-q4i2B(jD+)#W)k zK?F(NWTb?eCIlbd5Iz>$O(ZfVm?hs!B4rR6L zIjKD5Yq@ahdYm<||J?cA$_f~Pz)2?is5Z)FdD$v-cEqW|rLB2*bCmlc`F~~8~R5Tp~&X`WGXUA@9;ufO|-}NT+>P=;;Flwp?(+LBGI5109P~J<6g>h}eLc)Z(0i(15$f zAkF&}9D{hzjun9LKFVcMNE5=rg@=SdiH9Cm+RxvKaBI3@D+aP+#!c)kzP+qG0h7{}$`3)X_OhT|7jv;l! z446>|b54OXR2H$4>dtaRF2B@Q4W7?z%tdu9$MVvLb2+n{5xi9wiLd*K4Wobh{T+=I z5ng`D5b{O>KYpq)AWNCZ;ZnR6UNyUJ~OWzemLv)v! zg$5%+fTeY_iTbV=f$LMUDI!5%I3_hYLF(N*>#p^Xp{p$YVV3~ZmRz6=Vgu6!lGG=E;fSmq87H~oJIfZfh-0rE0sis;S2O~y4-#6weuqaNy~2Hs zW!jY-0QbE&_x9;GfS+`Qe}HgL1b;rRZlHU_J$%H0UHl6?XO0Uf+PNQJ8NZ*)_nYsN z;lIrT3c9UC$c!$I-d8kENaNy#YtQEgs$Ig-6a2CxC4ISu_$I0Az!^crN5+&wPLk$S zK=b+S+8!PR1EdQdQUp@q|NV#BPb7Nd?(cWdGYt^k;|VFkLy8m9N0tp0+z`g90$XGm z&Z!{|#)Eu{69}(hDKul6gqQx$$is-!RRK8(W`uGM2*E%iVHq%p-EW#GK1TQzpB#0X zA?tv^GD<_0P1k8#)Z+rgzJ1_4(U8(WW&89OoTz9?D+jFz-D>ORC-5XMfM+-=;(|8^ z_(ci~KYlETZ2c1HgAUAO#1wjdy4Qxgm}>l8{%+sRAF&5%fa`7pQ>XR$`P!I0a4zuh zK>`H1QvhT@o4+WW9%_LJU#B87<1rn+(HQF+GN1fl`0e0m+{E$o@Io-~Jdn5~S^b&} zgbccbqlmLGs*zPptXv^wnpq92@&Pf+w`5u-eT1&NrfA9{30sUVGcuqUpQn;Bt3)Zh zcsvs{R8{#JWV|RdU#y5YGbTy_1$j~!!jHKK!oo+7V0N34qd=Oo5Jcfb0g7wY$l&hI znPVL}Hg%Ie+V($4cfWF|;*W#Rqf%qP^DP$%3B&u(&%qtSJ6Kr6ClzhUw&Q7hCGGH6 zF&Ne-Kdsf4EPb<>&Yaca`7>WjZ1uX=%01)e{pSq#YpLtL6550pj;vD%b#hd7KG9(w z)F19S!d2`|Av~Qnpb6Ux(1+WyNk19^BhtI>?&%|4oe~wLXR^rvi2;WcQQbqI-9A*| zD4wc@@y5rO!4+RzpEDPN+k23C*aQWTmQ`y#q}zyL@`0EVDR&@>&$au2W;PJT3Ccs4 zku4R7*^LM!24-JP!22UFylu+)OAFmrq8f!w2V87bqDci$w@=5YS`-8T0c0cJn`3Jc-HqheKv*#r$$ zs&=p?`(r(g%GZr}{}X{ZA#jZVv7_`-r-sS96xwH@Zct{+gYJ>-kFfagrPu?>P1uHl zQDy6~O>N&4Ue1`Ep$}Y5<=8;m@-;KShr((adjGJvcg)Z0vgrFccMclD zB2RIkOt&$K16cI8w>xb6xBcbqrTm%?=JW8_JwJd@fHbbfKSXNOiuoV0Tnj!KGT{c3 z**;<(o*w@{n3p5PZ_5|V2ZBzDld-WHnq=)Syi zM+>V%=-jEr?QB>2@tW@*&mTHD5?^F)@lMbrU1Bd*dghwCI;tOoAcjS0pVF=bZQcBQ1L9JFo?q5R{gV5nw=VV*8w+<0d?aq6( ztko)2E);B#fk>b-lMPVpa{ax>oZ(b)Du7pR%xsal2J7h9nd)1|eBs0z37L~!E9p$o zVJF)be&4j~(%tjSkhbIWYTF;|ybJsoa1}S}3w7Heq(yA-8W!x6rf+M`TH{EaKfjOG zc~`;I&^B%FI?o|aZ(cIFR!t%qjn3Xo2}?N8#+1Z=4RjZsb<$}Ka#ROG<;23j>_{$Y z1H`9LtdX06`fB}JaDgky@|YD)S3{{|o?oiHPZ#3S-D?V@m9GM4h}4x;(pNU`5Lxk_ z7`FL3CXbpXTXlDLk~h%k0(3AjtwkuPkMKhvxJ%~)kk#aQ54WwJSF-j4YKpwqG@=`r zV5C-?kJA3}x z+N>@&-&yqiXoQr$i5k~n=P;OnGB%$TK^EPfsC@6f*e+daIyzZ9MU#0251 z1Ni5ws*CB+eQf=8$oUdba9Ad%!hDXMLYdqXFpAGvQ)S+<#fFCC!*+7W!N8`D3rUZi zqNHJs%0+9oCgkpfS{HWX*vV0=G^=f72bQULUNV2Bv@}LNIihFMM+Yu1Y=GHLSRFgi z&$~xkwG8xoANpO`C*8{6I2k?C0ZLMN_1gc7ftmA}CVG-B*Y~`bdqqS;=wY&~A z!~K$TSRLUnSy(0D!y!Y?Pl=j=CNM!8+D&x5BL8cC-#uNoS}sNpE3HK&jzQ1^J6tWf zqd74yO0j=znd97@rJBR8e$H#>zL%+~pV$4(i0{nT#zNbHUDg1<@(%3{zYY%lJAT># z!XqWt_D{4DQ>eQXjPvY1ZNuhdp|_*0h0=C2axurh0)7zvh_X|)rb#oLK+xB_Z2NT-qe-CO5;ByeLiZ@YFqs)edqk1+Ya zG#h@(NfXN@_-5Y#PE5K>z_xh+2?vYv2EhHBzQ87c;H0u64%LESJKBEicuVh{8aj?i zP8m7=Ne(9l`7aNx_tre;=KQ+j6`BMjCsH`cUVVi_A2!hVW>U8{eqv45!}0(RK=8jf z6h>Cdo*L&>g*CejZ7fDzXSwGZ)me)OoB2-p>TmwFRo|})1U617u~;-u(0V*q2{Ta*o(gCs=!K@akRHYz!x4@a-1N&G{2SO*(l)pJ#lg z`$rF)aCivXwI}c`y4gFlEO89j^dg5mq3}@_qji7M$n=EJQM(V-phBOMf+$+PFv3Ds zPZ&7ZB`T~lRBznX*FWgnCQH6MEk9nYOU{W5vhP-x>V?OFNUS_TPN;i`xv`f#EK&a8 z-=2V6d9)TLt6VHt>1A^lcms%cDD#;b{gn)?0PGD2q@i0&Q|STDq-t8&EcJ?{v0%(f z-5=HIVHAqhMhBV`)zNoZC^JanFf{C54*fa|zMa*n??W2+w4q(DoXH~UFI2P=Vrfy& zX*$(_R}N5qix}lFA7vU+SbnF7i?kk1V37i~v$_)omyc4L80eR?0l2Zn%0} zLC}*cE^#uUSmcw?b0bTTlnXac;e|f&X7SScMOkJ0WD6tq;x<5TYhP8}`6yI3)s;iy?FjO2tEi*u(SLq|!HDU=9ObESr&iLMK+ z(813NT*?fxj9G*~l9h55OO)-%jbH=4;!eVL?ftIZv0FAv9w<4ag6Iom{If6g-rTJ) z6M^JD$()4Rd3LZqYu!a^tB4F+Pd846%jgExWd^InVA13(hF)s|)1=BI*2OB9Zpwi_ zS?DhyFRLvtg24@D>sf)MDCLJrM6OP6cYQ2)7UQ;Jfd^MTe4XuQ+Td`=bIKTu3Ie~T zmnH#^o&~%kN*X1m4f}s57<)c+AF>|A_ybK6pRn8Jpd?S@^M_!WKr z#odEjIvtQvLL>|hbwt=El_$tSxV<>P?6X5#@}QNW!O{ymd<^z}vjHnIPs@<3dmr+S zWKoE9#gI16xv%#d8`pznOD)gj;SvddMbX?&of)IM2o30DJLCW2?L5+gvuoqho>XR0-?;yn|2tNOLAthc1ziD>3z7#2}RO1OQ!hHjI zJUco18SGA;E42dW*}iN zL)+w5g>iEg+{4ew#l!3EYPjrqH;Q`hjBNCm*3om;5*UgZ+b&5xc?`ofuQ5?d(~?~E7wH$A2+!<;ny-deEQ@>uM&o9`BP;rc-@6WbRbVVIh_h$h;ff8#WKWmPY(EJb?y_##Y) z+qN`4l*?nF1$6e}-e^(1@|LWeWNdd%-l2a6%N#A4V*AcJ(IqRvNKC9*G}dXHt}R0t zGGgX%w9rXAKsXj1i;I46zzQBCxF{`KCd1Er_xImi=PtG;DHmR^*%ZJv@!)gaRz-p#e zu6}h}+%jv8L(i*<^hneK{Ai7)7^ry63LHyXBQrM}!<&gh(|_ZQ-P@|>B0$*RyK7W? zlr=;>^v*_1s?6P&-sy~vMk^3{C2dz!fc|{5- zM=Nv?9EjCMfOL;D6epB=0)m6oT$Cih^}KfDV4e@^29*k3Up~0vuse;BJTFvaQNohS zkH?Ohr<{)0FSDPxcG&uAR1TW1e!W$H)K505twA5Xu6J;v*|b5tO~ zXMg)S{~QfFicsO++`Rm2@3NB;p$21UMM4TTv{;%-L+lgBCp)%X1$lcD>6rFkH^QK= z6)CXA`l;LB*6TJ>eRF~rC#I|rdmBU@J0e7)jcU=f=CS9Q+@U&kkQ+%B_ogoc;%tzR z3OaMu8k%m?_2T|Jo37M+eowEV*iXwA{fRKYZrW@DiAO|O2cQsw@TlYkN-8?thP&Q{ zR=)#jHsSuuc0OK1bwYH{hMUZOvygo|cm7&kv$gr&W3yAr$h?>(N5L(8gK!3O#ezd; zZmA8!f61<9B}`$Jo$`v~DW6KLj;1qOTe&mrl}8a5H&@@3bi>m2X_Ib%aT98$xeHG* zURu1xq8${9q@cH4XxKh;#S+6SL^G+QXVlp^S)^bJZ||zmoHi6MiN$iO{(wi@8kOo$ zZX(DG&VV3q+1C0C9TMPv48Zc}|MtZg{RsH{$t{2HM||R1cF&!bWLHS^A{0n6pkB&C z)sV1lVkhbm;_F`u(lT>M$T?A#St|hiE&zt497aL9K3-(xIp$f^!I|5^oa|8ZWk?eomBAY6zL{I(VXeJ>d(Hz}mGT@^F8cHMnFww@fKTC%}0yb2~u*rb)P8Q!leYIRtG>og^s103zjpP8V0R&>H z?qcMRpLRTn!M?Ze5OTH07Va1vl zO^@e}MY+>sg)4&$)+*+5WXP;if|D?Q(IOjL0b|0=_}(s~?XI>gI-vPYKtZATNAN#% zT29ota?}p!`3dl1fbk5le{26z_yUA`rfqzmz&WLbby5?cp@7Rtg6o_F%wr&wRQr}Ra|`qgy6H~ z5Sg*YU^$5ble95u5DSn%Z|fYrm)3VuTI{K$x5JdIJqIrxHa5;|tZ*$`T%P$&ctmv& z^^M65xV^u9kvZ@0R(Jvk=Z!t}i+rCCeZ`(6veQ8+R1XO5(g-adI!stt6F2lAp%F&? zs__!5Qmh{y$?Q5UUrz%`_Q`C9ki8=Y+Ma)+?~AnqF|8zqZp?qtym36A`lo63Cs@{c z;kvv6{HOuvd(-I(PXJ;9->B0JMeB{~rFU-r@Fre3c;E0R^3CKI3@VlL;a;=N1hKS~=Sex(oaA8&HYRZXtJ%talJB?!}r9F`hM9$*S?GiNi zZM)y+3Y)a{mCDa5t5Da|*sSe+T1jAmh_uT}$#_*L42#@jam~1o>HYpx9Dax$V9SM% z4XEW)OB4NAoGm8*dK9DBEFyi&Fh3aTsCV$L3rL6(%fxZ&BFG@4fPn1~_w#M*rI;uA z>gU2@a06jm2RMA0J$_rXzqtbLh4Z3tDcpE_ngYXE$D9d(oo?lCQotlKC@LkL9x33* zBKSAa^W9zKJY2wY?EG?%E)F1$5@@4Pf6*um?jCOkI zkEi?dtwCXQ-|M=>fUS9wYeBPwLM0sK5sW3!t98KcZtm^R&}V=1uKyFjKjGYdus|uA z?vA2gwdUcxYT{#g>bIqd(_j-_V<~D?*;jzfs^pG<;sV0u>qOiO1$#~Z?*)fqEA}WqHPJVEVL;Q%xP*xj40$h|T6J z#MWcB%}kR+kykMgETo35Ks~f#;fsYUxt*qYo^DDUE=UQMYUr*l{7U!T3^!Fb`jkF9LNT z@R6bvj7dHXJvXumOQWf^MA)#|X#V2NqR}pfv6~)N`Ele!;kkZLP5N}#K^wKU%yrI4 zMkEy_8TIIDK+d?YMf?9R7DgpQ)YgQmhM{G!U*)K2p>Pa_nixwNlCm{zda1H1UjR1L zi<8#8OTX^C{4eV@AIt?6e^$X+6|!D{^-r*{3k{#{1K!mNzA6Nkc7;b*LyU`0R1!4? zapu&W2tz2atgEA0mOd$rZ3KStnm9X2R>_Exk@Mi@Xy&bpC>CYlnv zI)IsTcVi0`{sYw+7x;dLK80pEgWSqhNKknseN8yktXR`ZbTpU9(cd8brICt~E~MEV zvcSTJN;ZzgEqy9h8S+eta?({HG<3<70jkJ&EFG-zb;u*4Q-mhUoYnd9qg~axAL7|~ z^2P6&xSn{>pper*s*N*!$s|bzL`QJ#lw&PpwF~-|P$G-BJu&c)Hft03g$?Men_Kb11`R$<>Dh|%)9mEvSFi_Vy2QAHz^@|Gq?frIG8AWKAcqWB z)h#j{wY3gGw=w~QWk%dNQ{}L<#c|3hG@pR)UuRE8r>Dc8({4lw^hm*Nwh+z=J=n|L z!H?0$&C__oIYyeV4L;S+9d~)b96jAW!28|oqn4S=HEhIILKX~XqR->87rHq~ZIRr} zkf|n3boJ)D^rS8l#hSOF$o?;wC+lM{O)@GFDc}7K5?X2n`d!`<`cxIJSjjho6b`xmB9ScL|#0$KB z(3ZIGZ(jaQ%QhMFoG+=?NLkpXy#qGBzJA;6$d&N+`(J4qoabUwO%@fTyw|!n=ey*$ zjt!Pa*4>x?+HV0{kw+*4FDq)yBc(tpB3EF1Pja@G-P7Uz+UM> z+zGQ|WTnX8{d-79Ed3o@F?Jpy{S#NQ@)lvuz{9ArEPcl-f$ou~VOQ-P~RVbh7#U)4RH`gE>CeXfO|IU#wiP21_Dp+{$@ zzHnqRbTx4`zC3tV9&8!dm`X3IZjP5RU1k^Jk$PLlTUDr+Nh#&qQf*VJrc``l$Dftm z(Lu=G*V7NZw&vf~#s5BNbOFEhooS@b{0*>ljYY5OnSxo(SJ?jD%2%=Iv;C`YC#e5s z^;+b&?x?QE^{5@)?{)eN+qw$j`^0Uoi{e**jsONP3-njW`Zd!$7NBfI0(+tno=eZlgNIpFql#~@+o7o(M$TzzxvLbV$Vq6&D5Dix zc;8*`&De<6eN#u7*6!04eyT}Uh5z*XD;XkCfLBZG`nJU$Vaa>feV5F+xiKyv(p1ad z)~2gW!yR%75?#0l^&aY}1x5UQsCT9-(;uWFE>|c{DA%LTqag~Keuqz^c}_o-Xc=Av}6t96*j z0^Yx3BEH9H$d1?Qn+Col0a{7JVN;q@u2&z#7*;qn%bP)w!n;lrVO+A=m;HZZ!6YCq zl8noZXFn=SkJ+cFe}_9CiCGi<`O*k&04-Gjw_Asz-}C8V2bi~henFoez`1;$pn3%$ zb?4K>{>r=Nz)cXn2L?S}+K9dqp#>s9XXTORrfXHaa8itF(Q&P0Atknf?A@+z&VW?(gGx*8+&e7)M3|d?7b~b8^~GE4YYTj`nUa zQNp!vPGxb*mlH5jsa_3O=s)w+p(2CYY4r-i{=N`@h(G5OMRW_=e{-i%E~6S!N|#dG zrR~x)SSNij2nwf@S)a2^0oCF-IWdiRJA~uzuEjze! ze|2=L65Z%p+?!j~P6+kDKFSk+<|A#L=S^0d2Yv;8K3EI@fA1e28h_t%`6_=5YGSKt zkFMw_slsiXU#oY4s!oqzZ~gnacDDR{2#@zI$U4{7tC&Jrhmnu{oEt1xf|p#{l;;|s zCODM0|9}z4m{+5O8D;AZS5}L=(;A<4FcecxARS0RFlE8;$w*<2gT_k?`KXJGtDD zvkQHSmcea0|0`oHHr}5mx z8NOyS(S#kDSw6{;PNYlFZyGX0y&(=Um;@(($#E2H$-vRJ7gDriap)$79vs0(e2XEE zGRjE(pjTYm_*cF7JBSQX<4eROr;ckD0PcG?{1aCJZw7bwf@6Ta$>z|xhLjKq5UH@2 zkm79U$OT97;Q(I50+Z-*0(>h`;i4y`Xl2Pdm~u|e zz7v{jo1*C0mPHr73rkVHRDgX&PJ#cu*M%?I9CGx53^+;@v;=W%#QLMYflpULO!6EC z4={3|K#p!ffb-(xnCjh-Kl?kr!@EKsETC0TcC7nK@SlPc{%sjPe4{^m^kPJqsB50r z5yc(fbJ%;;^Gxz`$MX%qt!)8vhB_PC_470K!jsveAKAd24+p8IdfVyW_Bs`N)f(U< z`*>Zj@3CwUXRJaG0Qog&Ej;zE2PU zdym{uI48|aBY(_UoP~!%5=I5YlipF;ihO8#sZNOnY_)BBT%yDU3UKyrI@XBnWq)ibdjD)LRA;MlHv4Kg) z7T|qetY0rtnNN5a8Ny!j24l>21qp(L> z_~Gt*h5a8wSDaXGWMjyWkm~Be<=30gE`@fFvd80&U zbPrV9w_XFa7C8fp^#w^0^5yZ$ZNguBzy9B?%j*$%-jI8FpVv3Rc?@D6L$&H=rvtK? z{D*iY(ribXk^;eh{F*rov9;_$k6d}u>9h>4G~}=g0@4V*d#Q!vAud7i@X#?lm({AU zCe|pHRH#tyjBpUc;oMWP;Ow}oWnaN&QwZmo##M^UKh|$+xju@+!GOJhP&9-%FLipe zu@G8%QCj~x%83g}BQ9Tlb9(=~NgA8a!!K-Cl`MH+pMYsjfE0pbPf3#$6l?ka03bl$ zzl!cN`)W5JA&~@LyF_+ayhv~JP1?LjUQVX$S}kldxh`F8sH;F&2pupgjP)dF$Tq#WKsw>v<^ex2LR2Zer<9(5Fq_T+&4 zju7S?&sD!4f6eu462ajP)B(!CYhEG95!Zrqu2!X=N)pAIF1&g|jj7XcLfg-0)5p%c z^Ggi}v}b^}jN<;Hra%dHbA&a>!u=gn8?lbYcNd@8IMKEi86e_)9AnT%DG|2hg&?w5 z$5~m53>2#<-IUXS3^L6xBuF#K)ND$MLuE9ZmNt|rIV5W}HKl;qp7OxBfT%X>0ip&F zvwOT|Q%v2-QOv40l9H_^fYvPmZ~!s=cu;n2U;xRV)eLNNv&!6P38@uj^}jGo_Qtf5 z)V7!n`$l(C3Z7yWpGATOgp;6`0P@F|5{fv7b6FlSfS8l7wZKpZi0~&Qn1zHZiISNb z5HUuFN?M_9CMVkXi>wyVQ{V+u#8~_ld$heJl0AECrbK~D9CCU|8mbQ8tm_RFTDL1{eTQ9 zj{5t1eg0y9;1V*epyDPe*fP z+`o&>@_*^4sIn$+QbNM5%Y*!fmXLIW^tH?(8w(^RY!(JeA+@ofe~zc9awl&TA>GWZ z++LKr*xl@{?SYQ=3|T}5h;cM<&L;-{!ctP1kPhbV8z5vp(a~AjNiNlhaqV+e4F_l@ z2=~w_9QX&2GG}V=+C@)=JuC^ldqH{=Pthz+-Xw&y$3-~<8O$CyBtp8TZ+fmI88V4L zf12kO4W{!?Wu!_8X;Wnv5>hq%GZGOst``b$w?@-o?{|khyEp?cqV{ z@k>v;fhYfz&uzM`GG4XW6q9uab%eAW{HNl~CLC#Lpmp-ZQT~%41@fp>p5(;`L}D5W zv|Y0K@8reCPTj0oUnw;cgQEb&)W0GDn#E|u*%V2LiXL04oh z(4e%KgMy0;S^Nf#fqX@X%{AqLGOrR~xg3!JI){ z%WAWP%pI6z2uUL`tYyCY>l2aggmhqrwq(tsQEKJ zI0rlSbR3hqh;ejAo%0-+BWy@*O;dqL&}D%)6L@ zJ~{hc0eZNRaLu4MgFd7q;?Mn%{GG9@YCLWev$YmP$q-bLz>;JGA<>YG7$=Bvgh!Ha zBqZi?7S~g(Oh{&+pD-bhLy85doq}6*90cx>yZR1c{b3ylD?ANopP^7S{I_K^cStK4 zSOn2;#5ds`=^n8H^d)jN1AXBduyPF2sF}n>%57n_*e&JFYykZ%4zMH_l4D86b10iz z27gL>^C4USua==wy@dH3D$XwhXchG545D&>0w4!P=(+p;40B0KS?Cre?~q0~1zD}< zAGPt8P~OFD1?U&iK4w8N-mI*r;~=0WEg)t=CK4?H-UnFy478HZj%6fVO zu~{Z+ZA0)b1HG*{4o8o&YSoqi3#m6yZas!iGyb7;KQxW3f#RX#Fl09*(03+_BQy|f zB=wQd1iSWsGtQB85e5~|N0Rn8hQh7=ts44>1tbf4soW_-uRhEZA7swjz;8hN66mkU zye48I13fGQW%a7<3espBg5Km=4thn=^Ln6fAn$)nlIQXvMQ%?e4fQ%zzaimcNOEGanIJbWaLL`c0rZl^EM(*P zMa&5fPFSRrFB-{$%(*lTk#32crW@j%$;iPxmDUDG<5QKHq83XIOl@+ zGp=t|k>s;X!`3rBnFw}a8Y5F;WrGUat#JysgMK8w=WG_|poibk>FdNihXRgjr`Pw| zKGojpxsYVKI^@Vk0PgMAL7%t;>Sv(1*QO2;k^OQ#pf{s^CG>n29gE~78qNl|OZsYT z)(HL5vj5AvQFm3YEJ`+nL=+b+Aa4?8|a}42^>5&hd=}9jYsZ`vmq&!m9{4ggarl~qczyxb<)m3{r}`ZV)Jt=jj;8#k5K^o5V6R~1RYD&VPC@=V zaNC~F;N6{o?Lhyc1?NazRj>s7TVyK^-W~Y2Xix;c2Ko`E;f#~Z2`6I0!oUq+|4zR{ z(!Sg{{2=dJ&|b`-Bt|Lp7y8{DL%)FbA-yIM5n_SRNn}o@{kq{TK)-0W%0gc$bn0Zz zrVwf%bF$D^3Y}7!v*CGY!1r0`D}_$E%-JmXt@*xE=v2v^O~QYR28XSnuM|2}GH1ik zFQPq%%2^AAP9k%%?bi%%0s6%nat8V;p;ISwHieMloCT{k2Yr>$DU~@Jo`(i9CkK6% z&?%QWn+3l;-&YBpDw(rM_#4Qa9Q0K}r%L8*82UxD*Krybj(7$!XcDWa}0KFCU8w0;F^ye7{D79+~&?ii@De#+Hpn~=|O37aVS}D~Nyc$0(X)k8OGb|_Nw7-}Q1Ipo4 zdTviX^|1*Y9YP8PUf~F+5^q=eY zfdB1#TI-F%A*GH4O0IKiY zeZLCEhIC#MdO-u?*Xx(1(3|fzi9i$R^+h$6;nPV^d6=BymZp#O#!v(FC%W9_>Dizj zdbs|>o6g1WVSNmE4fIg#dackO9`3!Y)6y*T5evv!H3p5KhakuGq0m56u+aO(Icg1k z(g!*{yIbf(hJ$Z$h$Fugg(CFX4-g$?*`EqDcxFXcr>DZv1FIA zPW+In4b@cdKRweC$ov|wKM5{fwSz^_yQI7T(9Ur*Ch1B4aS(9r3B(eLv|$qk4GC2F znX&Ug1#)MgE%Z$#ChVKAY%AnCwj;);umPuc5= znz|@>c5HS2?mHHdE@B*YPhhQ_o^@M8|1MuGsu}d!S>vu+Cu>F!DdCbns~hA#ZUifMg3ol$?YFaFOr)+pr2bw#PP0LDk%E3oqvLB# zLj_i~ZABwGolQ|Rn+^%zjS2TjB$X9j6>$vGX*v@U32BOZU^|S-l~fZ)u5|)^8T5-z z9{_s%`KJii!moC#&&xn>Z%K(-0dApRv|DkauLAfx6_WA!TRNp>zQ8>63S|4KfzuXG znPRGy=H!~93zPVE(Jt|=>dY{kd9Du#SI<31_g1laZ5inIS1h?M4_(*^vNd;3l+{{m z&%8@`%+7Ms$r4`8=JQaw)>9ldlue&<@oGuwHCjfB!zOa-*M&e+9G1?kuK;wdx%IVs zc8bFT&aX#J=b?3$eTM!U&a z`-@TxSHfZOJghtWKAonuq(?Q9ORMMLuNms)aA=o_p8>f(7vI@QH;|2=4k7j!7 zN_qM@nY8Xq{f2UBttj>BSJT6^~RdU0yD$E_iUe1lWbNG?6#3JQ&J zxQjXpD`-?raadnQ|N7Oxnz*`J93DzuKeGPJ^8E6QJ>4$5Uljcr8_Vx+I1el5_?O|d zRvcEChx^a;M@{Epefj<+6LLqk=vuS>*N;Xc93F7)KdL{WtH9x5RRAzJRAuB=;P9~O z09YI@UW@@7#yl90#xAeuxbLJnsdi$93EC>0Mzs>>jBpXKu!0!2V5lpHI+*b zxK;pax*i^I#Q?P2dU#NE0}KvTdAwCPJgDjcsOdaB;2Hv`x$ga7D+w4Js;UW8;_#5_ z381EO=>b<2KufNNhg4etHI+*bxWWKxIuDzuGq6UJw2>{kk!l0$L!t!^>#jMlHYD2k z1U6rJU^%oJ;n2GNKnly|D-bk}{n=C%g0=8dqqD5Lt3|LBPOax*gB1yuos?#0DC?<9 zP!j99pfW)d44R&yJly<#w9Gs-%JO&4t2UnJzXT4Aa{cRYSa-I6)AQ-J8UJ-StUKo) z)n)xx@KTe!|5{#JbLKy)%l)sw;bCR}qgJ}c9n}EH9A7s}?ry$M-)SX)lI^YZ~g>3WH0Z?6ifFcf!D+JWyu;v;8sIE#t5r@Wg0%~zs zbESZ$F<5P@1=QlO=6V4wacEpKAjM(xRRdb$@Bk|Zpv;;cEXH9?^#hzNl{HilXenDC zU=@MZI6S~w0;sW%?BP}vFgR3I6a>I4f==@>5l?KXiFl&5@gKWWprZ_C#;~sFm0aSCQsA~?Ke|vngQkj93 zOAMs70$SGxSh+Sp+JT)^5N*f4uZ+(H5+YGr)C460K$)`WBGXT{YX}|BHcEvn492)&!E-xAJ$cH=L0mP2f< z`+aM~_PqV)URFamOwF_`Vp*+VA!2J)23jLlp*mC|mZ}WJ&hABps6wnlugD>`z-4Ya z%NzB|I!R_RW-I!~+dS19cMdT)&p56x{$~$0puV4uYmBiFB!HL@Si+y~O6WI6tVz;* zv&sdg$BpEjXAo<)k2T5QZggFHal>9?B6kL{W;50#t-I+>?stJ(W5k-|RNhxYWhwBb zL80bdHDcxYO!t*#S%Fwd=H)`f%9EV#EA_Gpu?oEE5G&7oy03i9D#R*}52_I>Plvj% zB+UxMN)n_NB37OwbzhmA6^J#Pu_hUv_m$3B3Vc(k*d)#KzH&S(5G%?1T#Q($SiG;q z&kDqvNyR1!q4$*yT7}p$Yphf(-dBof1!B#lVw2R-`^p=wK&;t}nX}d(Swtn{RZ{Up zADmuf8l!XT0ETKJKF2YQ#)lw&JeGmXub9AaSP$Joz&s2#`fvk5Ru z!9`RcK8qlki{62oxIA)YF=D^5Arwl^9dRnNC2|4|bnR58gHt5tW0D@mO9sc`Sf6_S z#)kS!8aal|l6AvZK#WF`@N1k$?9}{>u(UyehT%-`(~xLhTs1tf31WwPRrwP&h-v7I zbWis&>!pGTGNNBs``2hffCPN1SQ8wJn?r1=8RG=Fj7H;3RfBW=vko@|hYpV85UNfJ zJdHyl?EMCb4A~rF&D?J}#PrYSS@dqrSyXfMXf!5bBZp4QA~scEVg&^G)64lTh3=;r9DPR#thmq(OUvxcb87IinC02Xd8!u*+6koa@?r>%ErXP zQBVmOpM^vWdd*oe_x(c6!%kNYgG9U9HdPmr9KmxE5-dpC#cBskjm3Qqu{2WOksz5M za>I|AE5rl|kYIUaZ6Iwxh0m@DCjlDH-FaRTv87m1&v>CT2O5AmAP@?_mR#m`PrbO; zffDbCykY#xRCr$XUa|@>9!Ma?3K7XmMKIjylMi{0+=*=zK2c6G62c%(aW4F z0LcXRX0dA%B$Dm43_G2ZW6g!_bk%R_fW9Gi$qv!rQU=|r+0vD&oP3{aJ`PVw{d?i|f5=IkN$FrA+IpHQ8y?C{mH6SSmZoddo7A~TDaZ18E0U6RtZ zc;$VC>#hpBl9ji_x-$tkzH`BnSbgQKK6fQ6Z<%$s2F!{}Z*}ZSR^Fm@SHNUbPc3%D zK`tQC{Degjfoq?|C3|Cv1(ZhLnRQ3<%Pt_1Qa9O5j+xr(rLHufeh@S;NqRche+QAz zK8bah)a!Q_XdCKNyg1AY#(M0k*PV-9sc@|9w0!OW%e#Esx$AT;6&DZLHF4}dG{v!X zAegdrrg9+Iu{r>zKv}2cakRTTrgAbHdOn-(=Cf%`Sf%--=b`VE zmaQG0BgUsX%`(lj^RwSYQX&2ltelj((81rH=SUAl2XAONBO!4Z4m5h?Gq`qlI-S8_FvMcgd4k+#Xgcq6 zAIUbyFj;M4TZwWL?>IY~rohJYeyiVu8(YyDTZ;sIW z$XDx^3gk~P2Pv(u4kp2l>W~V^w2YbARV6cdcUu0&P;pQ}@Kjit?sEcC8i!&BiJ3n^ zP?AuIovF^u)yW6QbYDsT6-a!EgiPS|Y3MqdAZJ&J*J-vkt zwXvabRpjTSuRB6i?kL!1q6{^tqS~hs!oieA6fTgZ*NPl06o`&clKk##Z%Sk)k$ z?;wo+as1<3xFgD>{sY5Pv$2~?5)<7m6$8c(7weK60lJw`(29U7>wlwX&n{{F?Aa0e2b%#nmO8e&>_?}QU$>n=A1&Pe4t*nu%ZrJE>dQ)hH|^5;IN&nzNb9oG4&KuOY+R=H77X z>ou#-d!^3`PMRjR;pg=@9x(=UYtxtsL12#V8^-hOwasI1QJ=jc!$Z z3eB$7BGC!;a9D(Cl(ySJf{r6PqCSq2EL&I`KBoXTx}Jp*;dn?xDit3?(LYbmi9b_aDM4(=306uuG?{O~ zw01klI~lCeMgfMhKq#WdM!L40oRGOr(K6vZEZQ;K zASf2P3)MggSTl$gBnBzQ9h~5rMz7QPcNHe#%|qo>AbDAp`Vg@CP@Sy&fJ z)3fSV$O#VSh(>-m3y7#In0Z!A+ep021_Km+H>BHpI+5jsz z*|Q~`f(tOM!sae<8@{B(ybc$E1!CP43TCB=>Kd#?q&)QTf)FkJfQb~lTV8;|-H|0_ z@#A$eocW9N%`kl>(=v*Zvd-v~hM0rAF6A&w{=g_tnPNP-ZNV)C>qy(i^vIQky>nu0 zZKY+6H?UO;$vDYcgUV(D0%X7y2zDld26;tC(N#{8+C>(8v-+FE^MYwh-u0^DZn44F2f^l~yUsYv#BJ+Z-DA>rHiVDhN_ zj7H-fwVsW=;i2Qw3e!$?d*DY<%2L7Pfq+yR5Q)I5CL9sY85g>IIzYs(?`kKY#0(TVGQ6H&y-f6mVNQtW-L0wzwhRH&HvqZ%5taFHk-q7@Y_sCT|}VL-NE6K$LN>Hhjqt*5f6Wcf^EN*W5vZSyjs6 zNSLP^P9@PiP9voWC?n!qXY6!;rXpDasgdRsZ7kfLtH8{dT8`hM0JMhGLw{#CgqyqtW|GXrVQFD_ndQ+==Q|n&C5qFK z%_N$z8})raaHv#)p*nj2vg08eysyvszE! zJb@-pk5fk%SpLZuPm$242_8Drt_L+J3fPUY3#`Ku+-tMQEPL(k9FkCTfu@VKMHNy< z1-F%L00FLM1FKb9%-Tw8ekk!Z z8WA7vw+Bd$I-Ncm7;`UEg?)f-F!+l(@zvVhK{rk{4I|%5zf9_$E1D4;cx6M_BI(Nw zQz)_S4pm-NzS%$vD$>^v(+;Nwh2!1fDgu#<(VtDmUKp-jHg$0@Og9V7*kEX88kmBR zISN&NT3T5+GphEOUMN{b#`A&MJ_8*Ba3R5n0KdX^%*i!nGZ7{_hFUdGji>l0=;vuq z{q}zN8}TK4wxhi{s+XBiCXd>otuA5!CP3N0ynR^^954P3654`FJ%f79DGbiZlwI3} zmg18E=L~ZR(>K^b5xa4t{fkOJr4w_(rhJ-|LJs9@g67z;IjZkx1gxW7N*+p(N zxzU|+Ks(LTsZDmy|Ii!f$M+F>$F2#KciunTK?i#WdplY|ygo=Aj7qYNY(f2z(qJYe zC^gBIim|JiWlKmbXQIzWeK{fhm@~zlJ)^bj-P#^hP+@mf#ok6IPpaJ8nxt?bkUF3N z$`jbg^(JkP3TWgr9y7%(`dlqJ?6Ld1ajekDpn9mi-O!8AB5P_Ta|*2t28c>Q!V%(R zjCrE{S(3eZ|JLhtKE5TGM_Omsdb-s*;IImgNVQ^a)iD?~AjT81k`Kl`O=Z!p83B~? z!^F6~Waw|22m0v3=t#~f=?&o|*)JGZN-vIMg1M&J2wyX(2d>zbMGz=fGOtG+g!37j9=SGeQC9&<9HpY4(y z=rOg^8ipJg-}X(ur5VUHwc`wS6ko%)Q4gb?)k-zYj-BSq*=Eyrcp?Q$T&RII#PrM zLsCva90QiX_IB6T8LmF`guzfi*qXUSucD8qktc;-1xUagg9@PH+-eF%d=g;T6ThsxgZ@}meiM$~sf)8*MsFpo%DX^dCz<#k5 z*w3?IzgP(Na|8B^p5i6Fsn`H}n8E$A(-0}fwaVq)CA zs_~~G5%N>au`j7l#IF8gcguFs*FW?$UsI7VGPq!ABq3yih_tYy_WCG6fIfzF$l|do--EAD(j!{qG*aT5&Po`aP%>fjIY1u>0kGe47Y#P_C*rd^JPa6|9_UY`y zNutd{Jy{h$jtUfQpLgFmSFvW~e-AC6zn zEu)c4Q`K~6_Nnpm!AVHs&a@FqaU6@@P9jIQulIWz(kmJTX!~_?O5O9&u@bUZ5xarY8`TNiVDLeI`vZ*vh}-)9 z!w;U0%d$4W_aA;RCn})IlK|nIoEUO~uL#$RI6doliuBD1Y=o{Ux!FO2*+4BNR=P%z zbdj7eVew4Tq1DQSp`$)bsE6KQ9#WF1;c#vRv^zur4Rq|OrlPKmqRHqp&WSI>xlu=y zjVoy68|_?c%E_&?5RecP-|KWvBUEn+?#8n)+};1?aPMzMpNy#?=fHB7Fc$_XhEJV&9V{;-0#^p*n>HeMQq@DJ<-F{BDJE+?!%syYOKfA)Tp^uswb@Y zR5-yq!t4BGHrE@*uP_Jou5j=KL`$SjBG07(cImCwP)cvKO1`p?be^EA*-!~A8>#M! z5Ehfj$6WT)E!W4w#{qc-X)t<^+}c8KsZSz7l&TlcIUP?V`d>ba=l_Wg_6`p0kxr*$ z+PP-&ag6;5u|4b{Bht`;w}-Y>gRXhi?fqv5sE+3_Ct6RTLWi%L+#VyOLW-5hP2`&C z!t4CQbf6E&U~7q!TmMZfgk=ZvBou2N?e5;(+;|wE^cWxShPsv5eS3QH=H11c{()kk zpEO$}?zZ9F4ZRKVjoR(-m>V5}>Iee}A`xsPZ!jmFqG~zLIAP zT@oRa{1zoY6ocz%3~j)Mp_K}dg#vMI6XIWic9YVI>tg#O&~z?O?3SMb8!T+s1IWN2wlFpxa{b3Jplg*bq~9_ zFZ4AAM|NlE>)fndqmv)g2L7~zP|Sk#hEsjPsUBLNYg#B1|EPLt&^uwXNFJeswvZn* zgS?;bI14+xZVbJ9x1ef~d5;XNR;e(}`zGbBqr^brqmGdYFmc+0Yu?;9pFck3Po@0V ze`+V$E;uk33;K#@k^J9#nV0{2&tD!q%Ky7~oQqLlHDgJ}jL(nIY34AnlUmqE==z|8 z<2dZA*!jO%rkBnVn{aQ9WKs&3G&{C!9 zY7+u9$>H2ux19-7qG}blaEJN|Zrg=>LK?7}C}cPgyCEAhk%Wg&F~9QSXxzCXb4Zju z>huj-oj#h7FebdyN0LnA5KGeOqtPq^MXJ-cn0AtzjyZfzrkI9DPW1f$IFKYV*%}f0 zFEgZZaj0Gv62fVtRC*WNj-1Ej2pNmBbDf*z`{vijXT47|`S0WmFEPdf`Mv$chCf^cgK>BMW-fIm6iJ$Y?TXp{jEbLJBvi11YV{}ER-wrVJp4(x1g zb=<$Ll+wp+k5c5pJk8d>-NVH0Cp^+sI*IUP+)NrQSpP3y9_;7V|KW@0&mY(ST|9sM zvHJ{N)9De!{3-ii?fAu)`T;5B3_UicFd%t9KCPsb5Uetx4*>}`;l{)j|AIWm?y z98!**d$ovTX@dxs*$Q*t7(n$*mF;h=jDb&u-HfZ0iIi#@S5YXotcTA=y zHI5nr-J;)TOp^Rt^*M%`yKnDU!2GZ=0Vj&HkwD(!Di=CkDxxW`%&|0 zR6W?@XP1Oe6F1CPG?z8Ax5C6FbEZ~%7j^Y&*~kp)$e_PYwtc?I#Hk=;&1v2-)o-FMW};Edb$s0yyv&yvL~WaIe{O5A1%GGRhlB&6j&w!YPv z+12i6HKyC%-L1y<8*IOP)va&M{mo^?#tUxsV$|F zPM#&~f9J+Kr@V$OAy~CmGkl}OkvTs~H#s^=_R(?3hB(YDuKY{454T}WtG?3=*0b}s z-5|Xa7tSBjuRYs~9iXyjcTt;B)-ysQ)5MfTER?y`)3fy-`;WxqH1oBogm;vt+Gm z+g%&2Oc82>crz+x>tHt~);BBDDy?DIj9vy%8jZcHzkyb;PSW|DMZd9OL!#N%cgb5r zrLHw2m2J8{@}z;V4JqV&(3nX3&+nY6OgR1e2<3#}Hl&pM#a)uhpne}jGB+hOB#>=g zK^(jJ*n2&yUpYM_tr|43n)LlJZ27?dvGTxW;&d%i_>pRNy?32|dwi0n3^iO;e2D!P z@@Dn@UJp2v6UI%Yt(HPunsUxvf%?XizE$`28Z6Ex2N-HvL>AB#!zV|$#R4EJzZfkEy&ybw%mW?TgW`tl{I?+rcMx`qnxE21MZZCe_l z|2p&zO>U#PL7@v*#gDMBD|SQbeOFh2^g7R;T|!wKZt6Bc0Yymi!V-sU{8XSRjp%e1 zmCeSpXAQMDQ-0HdHN(#iWx9WCUw_=||HrSrXCMFnUw(b|<;#;U+Rl&%-6F|M5iH{< zR{a3`)N$K=J7@0TY3={hg+Lp}{`}kG_@Bf5=lS@bgKrM^AN_xK@ig=Qfz-X6a5fuH zv>?bAPSqtG^r=j8bC69d($@mcgammqB)Xl~>HH+{m>lV2E4VfUHiI{6fW19*^s3-f zPa6pnSmCLGL*hY~$yo!u`vHy^Vk{?~WS)g;Z?B8GI-4f>$2&YFUDO>>5(e;zZrb15 z>!!P20mA)FLAc)n!uUyYYYqe|Y%yP5+C>3Bw?FG8@wPrmk(G829N+c(o-Pk=# zjccGp{iOD^JKhIkhW(Av2##%wRB%tOa1@k$UpV?Z6+f9g zY1jY!1Yk5YJ$i+@zeKif#szwFe*XSk-xLMw(Og?)Z=2yjg>?Pq7P*s3?RBdMePxuq z%#Yn)idUMa7r2mX5}7N*IB`q#?jRNhnOex^>KSui1{V5~3-jxh$$T!>H}^wKr(!K& ze>da$@*t;rwke>PR2#+;t*6xW?pBI?U$b8yE?4QN#Q=1BGc#fd6#tU@$ef;MniU!H z7L70sAJ%#1l)~=zos$LKna{*HV~Bl7jkS zI0gRKMcYVg8}R2jV=|4Jvigsl5ZxMe_35ouDXMnk>?^mi zEvjDH+`dddka(PHrG9ZNOxI&xevoa>rgaY%A{z=+MB!D%7nP^Z&cEp>*O}{v8KLf9 z#O`0j5d=bIn&s&NXjeOQpeNf+&4*1qV}`k2!|glh6c{4GS*OM8>$%Z(TAt|$ilAiq zLKh`Cn}wnNN?0#SuZCUYw0Vwc6UDfaZ})eq-yQT)uFl3NG-2@!RF0DA{H~Z1z*98M z^P0#=ycPA z`N)&yCL;~cYwJ592^-i*2n)u8Iih5hq1JkI&Amq8YVBSjJ30R&L~{K-X-uX zW^(h^8g@!1+ka;!+P0_;E;3VE+HMUCq~K(iacEov8u6@Cpo=`0el{w$_fVGEoul)B z7VCYhYiobn>;L9tzl8y?Q2*aQ$mf6Vee>x5y_2U+{O9+&C=`K8ziLI0NNq{rz@cfm zz>uW(0XqSr$7iQWDL>csTil}zhnZ0lX<{l68BeHrYyL9t&KQ^JJM&lGKY8YOBb`1I zN2CY4E8NE9++%23THM{Q)i}x5yQh)#5c~wy2DceU(QG;-yqAyX~AQQ=KNM$>uk<9kiOW%z`hULrW z`S*4>VAbM)w~EC|cFKCI?o1!{ORm%ab5O73fKnMR=P^NWo&mS~+iRg42nKsNd}ey- z>OFiB%N9R#7;U>GLgH_&BP0qT5>OkoJ`zF`XStvUgW5@mg#c-@5os zl=kG^ICT@^`UFb7MtBS-66Qe5DV7D&^YZNl)O997M}0s?)K^N9E{05!yFLwJ+|N7b zWRzB$az{%p@`WqRcMXwuw~`6%yWK3FT-EoFx@)x!5Ft}r&*`bc8)xOTgLu6?S2LHNb90UU|NZ@f{(tcD z#o?p=e-}>+|G%Tl=kBJd6bFV`Y;!FGiYd8?j*}N+kOb>Fdy&0#Mqfr-{RzA`-xSA# z1Lnv#dX<|=Ti#xamY_eJXTLB(m*pNklL~Au!Df+3`tabA1A9TIn*j~S{^Hutwpc{l zObYd?%r-l4~^ErlFEpu1+0H;(t z3|tx0Pn(!jSojvCiB&&U%lFrWa~cqItJJp0M=uZIpLBXL8;$5^)a@5_dJUwxjY`*y z1uzxN$$e+$UJ7#|q@Ui)wg>^Up%f22`+rfovx|uSw{=9^+G{9L_pe>l{nT9^DVz{) zGz-Hy`hA8&I-<%jiDN+4>-b|x-Qx72Mum`W#>d-9DNADq^}t0gF$<3cG_v&gsI?S1A@&rU@hD~Ror2Vv!bD@&C?`H_nr}ldF z#hWtpQz~GSx0MpMxkfExUG>qM z%n!Rs?#cUDCu!<4QU#5@DbYCswo!!eyHgY&jp;RstXVM=gqsp&Tm%0K>W3U2cfJ6;hCE!f}|VsZblNTODQ7=h;~vEvPVs?zc(kx`vR`Dw8jC%u5r4#SY!d~X$V&ywD@3D!e6IWINdk0r@Z`ef zX1iFt+L9zr#t|oyQ*uodZ$X}7$O#VS<_@@^(W*>SCiSU`6W*0cc(rD8b`_$o$yf|N zWNU`zb7=QV@@fydJ=6_JG?tSt+TVjYWNHo}jv#BrXZ~FqKxP(yfn!lW!?I8HOg>F2 z%b**$I2j_oEsd!_a8G{V)vbkG&n1gN-(cVp3iTnU_P=yz|DEkEFP3bkpN%Uo5lcIW zc;h3bhKb+9gu-19{Y=9U#nit-Bg%zL@5MJkfo6RMx-$)`o)grE7^75PDwy>fgQ>Zd zk_3q3C}7isaJm~kov4q#Wh^8(%69ehgh1A&WC#ZV67%Vhg~_Go3%X7{7$u5MZa%al z2ShXE&k9U~^b#|z+*tpUm<^5pd{K@v>KBrfJ8Iq-4wKY3r3}&W1UoBEJ)-OVaubH7QBZ>mYRCp|d2n-J*I; zaek4c#8Uz@U9Q3cZOM~etF`b$>?bVHWXWPz1h}e$BIyL14`yU1k2f)EG$E>KSc>$a zht6SXgmY)L+R6o=Z;_4K^P z5`(oBGIlkKQTJMH-&R+DQd9HX%x}*NR2NRpqtmgg!kO?f_qBV^OO_q1GFIODkCH0F zR>vwSxp0{(*uQlDB7W(jfDv7C%80jQGuQ8biMkd&J!*Zry@>*@m`^8}D#fm%t&_@n zi-s?slgM{#%e#0xd4{>@dTs&UQhq|ZZ;*H`e?t0wr6o%Y;|kusC?>Hty^d>d`b&4 zxatEkCZEssLH%(UzNHepQ{7*F`Prcb>i$m`-72L`NRD1K?L4)-!1gkfNLyqUoS4i; zqmYy?y>g*bKwJ^(-E3L_ucpiLVE&BB7`qHx9iDz;)NG7mPOd4NiK4cEUA0p*u^M&D zMYiI-8EP#R_eIKz#kQZ_CRf`ci@W1vCA`O{{rR6{9FNHw^FR0ZUp_CK|Gj)X|GSf? zef<}=M!|(<1_U`jrSjWwi?14_i6=>UE}xY9;++Ofi^1fEO3gd-0$>EEuhY4gdD$;k zZpnLdO;LctXYMUd*%4pWe^h%!0J^K=)rw3xWR=)FZYB@!X)XWLVh@dXfCch@@8w=0{^R-c$N29%d0NT;C?GuXCTeGG z;+nNAQWr>BQYZvvD}|J71==amG%m6@L{5Si&hM^M2T3aVWE|QzZc&-C+oRl1w!Q1b zh4K$P4SVHZKcKoIt=GSH1FkjyW3RCO4_>_Z=5hVs#nWQ_>tuc!>GJiEc`F$jD|_Br z*XB&GS^{Y9F~^i+BF(z5H|uTDWAiI~)3-l1lnWIDCl>ZK<~HW19A+5rlD&zpKVWXJ zaU`E(#-+K}Q+M#?%d02bSF<7UWeCKvjt3`fx9L5erV4|x)lr|J-vo=4aD3JM16i)SR)mE#PBHxLLFhZKAtLj40OLo2P1$PV^*L!c$w-B$9jBju z$#G4rgYP-HrbNf%lSoo-f+E-mJ^hP#YP^+*M#$b*`=tI{CM^U$Bj^>{w#P{+Fj)?9 zUc9oOl{w`Sx9qi=zw`uBe*!(C8V{{L^R+Z|&VDnI8HjPy()dMT2|>_Lh$0sCP3tBs zSAA5Oi{7~+^ZhIzLd;HEPRxv#kNGm_!!dmFj+1M`1^Ge!c=QUHKTWGFm$^;zlf2xq zsaJaZ)XN-PI_!`O81srJXtjQPv*^&n&_5ra`+ZvL|2LRNG#a-t0T%jy_X_^sgXfR; zKi|pILjV6+&pg6IHk0PU7tX>EZic|)I<-Gx8q@v~k88?*pED-whgeE#nA-S?CKjR3~dM(_7VyR;Db6XeKSg5jna2ob{yZug1Q82~j7;=+A-w%?KvN;f94G$gU60>kVx4JqbxCqY2_w4o{k9Z#fnwlSW|_^TCe z3zv$m98x2$?m=uU1Uute^HLBUj>(4tr+wgtE_A~vu_^5JRhIc>_5|Zkt=Y4{rAnwgBN-G@9_Df{dXtNGWOq(YT93a zyLRi(veSdH{VbxDmLFt4uV(exF*alKm5{WR#b>`a-Qk&>EN%4V`YJd1F!v`^5?{`E z>2X>fAg6i0rfJcmE-KtO3!O?iq^g}t56vO; z8cRIHBL970e!eS*(gm>@9z|D@ez&lv=$X(p4QV8s?BK6HJ z7{iH)sPQh9k5(E+bI@A2q~o8#+|WoQ-B+vtdN_m^~z?#&TMHKztgIq{g|qV2~hFEY`qTx91g^ zZ6=6kE8J$PFAXmDjwqV9@*^iw{i7 z4Lw`JYCAut4lLzjJ6%G*&XJf*pg$GbBfh;w4z_kovg3JHC9jwTTVfR zTDd{*%zDj(#u#lxdZbN%N=~~MOAyeNi%YYHZ;`vk;)2SUt?66#QL$xI$=ZcosC>i? zND^0BT~3r_)!na{i%aoYpLBBx-BQx!dtK1gn&q84TD-i-E46LEVs@#-X#vYrutc0& z<}N?fwYwiT^h*9;P6FDX5a5FR-SC6n6cW;51%^b7(vt~Zo%Gk_ICs$-HycpW%I)b8unA3lf-~-{J z!bz9u%=yH-*57n>9o%X!wp2PMpQG*EZG1UAx@Ex{y@g*DKOn!CqGp|gRSx%+u3yc& zi_62ziZPr46|VcS6{!*@;$kAXO&gOZ1LaSG9MAMky6xuEu<&9SXM&uy0`o!m^PQ^o zDTP)ERm@Pk+J~CpuHd&r8_h54v~%Lza@$7B`zPLI_{x?R-bNE`mP`^@r`B7rN!JMXf!Su3n>qK$wXILMdo(2l8c3!DYpri z*~`XiSNmd|Dsk!NOVlk~l9>zUTwU1t=i{Qe+eMQzGzz_=eil936fQt<@N?YA3d0!e zkCE4AQD)ap-ebA!6DwjVw@~7#sd9+??s{h%ihaxUOejmckyhYGc1*) zg3EmM6sv6~Lc|fzA5ng8tT~4S#Viw1YOM%3MgdxPdpedIAght~X#7T%H zy*Ars`a6z-&K8QuSVu{3YsZ9%Mn(VL^U(V!oFf*&mkJ~l6OKX}5wGLDzW8*ZHo49g zIsu+UA5Jb%K)L96V=8yyzZ(3GH~c5xh5y(Ul1A=#TJI;RVc-O*b0onbE zd=kyp|M{Ea*FV1TromEU)UW>+-@Mq*+y8re2aorE-^sIuzSZ}_+12ot4!P1=P80)l zI>+ea-$^*l{`~8F!gu+Wxj(*y7Kn6p`|M2coB6tXe( z(U8a+q6CfsM1SXXI$K-l^6h`VKJRn}gMrelI{}GF6p+ZL#AxqoZ#^>o!9H&ssYhtv z`|N$TQ8(r?zN6$yJTr)UDW3Va8Vp7pVlnAFK?;173_M4(Sm~)rD}W2f^n)GudcSi; zqu>ZB3!aXD#BpazBv#t90$BrGVlu(?;NEB!hB_7!&a>@T)45iSQ1|a73>o^F@i6FW zAhx#9X(W@206QHJ(pnLTIlHC-5eQqFTUVaKD<)i^n+f$N$j6aVfx!6>i4NB!WHE}! zjhPQ~1tD-lVg7q|lR#4(;W6P}r}J%QIx_=+#Q*riY)Eh%i?p{Z^9xLeW|@G*A)8N? za;TJ5-97xtMhH0bME6f4MBgeCKS&5ss5EF|!WNI00XRppuAAr|*Kh@9qD`Upsw`@1b|# z?fq4Mql{dl2%=bmpb-m0cBAi)9ESQrXMI3oSpi>T8p1nc`I)6`cm$$fd=?Y13c9WD+Z&)dNG6yE8A#L*cMVC*0z;AlO=1>UKz7x?BT35u zOCa&tG-eTrWCBm>AsS@)qzV#Ek^)UO2MH{u6CC3q4I3_}l7+I=`fC1^t;EHPZS`fe zjse`s_8mHVO30i2e2_=i%)XM25_2W#9Z_r#mbdk0>4#LwN1J;@N6DSX&IpJKa6kwm zd!FJGZ=m-yWN(76gwy9N`i%{}RQ(u~!HMITvzSwG=O#^IyRkhiG4CzlOgHg7s7>K? zde|VGLSjiqvrv#cpiSX)d)OSDG=c=373SUc(2kgG;p9W?mjKxU&hu}NPY@@9&A3n6 zfZK8%1?6BihV$h7^%BHv3unwi>d(tSZ3<`10zv#4r*dvO+XS2ukvEKAofW}t3a9Cz z9gMBv#4)`f{F?e?S-Et4c4~Xr;JjOho6_*JGjHJ(I#Pz};}tNnz#OH_)LjY$_{^KdV~zuoCNt92MI#Z$5Z>+uiIPDhBGF6Nldbkd3_HNsd8`O$)A#iANJVv_o~!v^hH@+jLKhHSihu($soyL;d4?*DBU z$F%Q!E&4R-@Avm#?mA+99!dN;an<`opfaLb`{E4C$>lsI0|&t~P9rI7qKPpuV$;yZ zi6t=sBv`{*Dls`8_)|wzGtnm@7DDapgDRrZT*I{z_g{plKH>65eZ+W9exDH`Q@yG{ z)Wi-@U-iw&B*Ia|q{#$Q>*Vt71rl@|nRfP+PM>xWX^+C}dUZcfmcR33g<57kc4@;B z5q2j;1zq4R9+GfV)a83hKMb-RhHn;Qg7$z z_Zbcq%>#tv7~m*+7MqO*|BbN^;2nn{yD^E9I=(e|ZOTJ3jZ8rD6WeSwpwhs6pc?}b z<8UV0C|5Q7X>721skNfa`U-82mQTINT~XkEg;qw($K`w-f9^^V#|X)b5fiLlKQ~sP zC{)xg(JAu9B#azUQv6~zf~4Q>be{av^$37V=uPJPU$?hxhr*PsC~*$0gZm2PyCU;M z1}Ee*SqWF9#qrNdy+e6)uL}NMWqWwM86_T@P zoK|sC^4|=T`FG01J4k=OgY>tc@#wb4)_BrdJWEoX%D4|^R17kQX|}KcMlmPX5c!=X zTUpXt^6BqAw2*w|aXw$uWA|anI3APrMfcs$rn|nF!28+tGR&-}#PdTeTqm{br8d)s zz`>AmYpirLAxY$uazW`dC^=X-OW*#wz2&s6I9vb@x{P)8)^+J}4_Iqkle+bQ6)Tqy zWgI4z=c0gc&5G(@BFQ9%oKGbTF^$qQkj&}mtb!GF=3I6cNYY`GG+ZPmY!(JcgP^O~ z*kN`OqhiF#?=up~aBe^LGe*bY$w2Lz${I0T`;(-LeI}bdGg%v>H#o4^Aj_?-YnS&* z5>oZ9{_Tv00V2^gVZzKBLHwKZ`X!?7sW z*$E=aHLyB~PPK2%3kwt%i=Fuu2I<=$vj>fNG;&GRT1AzqEEsV%O?)Z?#D>2SUz!P_ zQs^@6SWa4@ah0j_q5o>5e3hc{1DPu%-csSlqYE^mTu2861u^8eV3VsJ7*rWIZH+w$ z$}*_oA&OYkx2;_?ic0krneS(j168^VJtMU~q$%=C1d!i<(AERq+wb~WBC!7cHHZ5i z{{cO&U|CSP!aag*P>W@gOqbEi8r4wpqE#xk49sq}V-7%-U7u7|$lCL#5%RGBU)wy5 z@!N5d+H^?XIE@ULup7H=I$NoSE|f9z!L7jb>-LtdN&Pn%}DhipGEVRt3)Ks0U%_Py6jXHX9_c9 zZ_v#aL0^7ai`toiv!AZIntGsvbnPVZ1a<*wml@bfL!u+d6+GaAqte95{D17ddw1Km zvM9d))~CQvPEYJ!Q?eY#X?1VTJ&Nt7UiIr*PJ8$5*~@`MNWwNnFa%{sP4nG<3xfv% zzC_87B(1piZe$V|3VjFyjO%EYztzNCRn|>6IgEioa6-e8o~U?$xzc@cF?Rqw@zwj6uJf3PC7wvp1wfa4GK0B@dBW`~Z*)P5Q zNi3dr`-21hZ#WKVI9`03uW@p}*Wr5MakR$K?|wEu)~vo$RB6R52xvII!eg=bD`Fu$ zV6#NUFi|B?g2%w*jc>&J<$Wa@8ylz}ks-waqCi1DoRBHzmRF7dmBxyRm486DflxA! zNLK));kbd2pAJ`7I~C~SRxC*A<3TwJ82D2(5F#J(Gzv%;`B1AxS)*Zvy;;!Ir6~y$ zIrT!ZA*=8>?Ql%PkBvrx$BV#9I0+uxU^=bNegIcMsK2Y@`D8$G=yi6yc>hJC5zT@? zx{EFX3dA1G5tiUDOhpr*9@L`Gd%+!^^XG_;Qal9Bo`b_h@_bu{n&%{e;>V*imR!Vy zlQ4NM@lobRDMC1o@w|Z$O^6I0T8*iWeHqLV*GPvF2x6lYeeLkFnI`CUd_!7|hEE1F zi`)Yl$3I6J*%$2z3hWBFTR?BX%1g{{@-c}qqTz_eQ)zWB12J)XkYt2^F}Hgm9FuW4 zBnsGobQ>FHTG}&i!-=%y&X)~A|B}()K-Tahdn6hgNOoOeq~aZIAnVpKU0Eu7!$Lag zln1grvhFNfHW36J8x3`{3YVsf=H}Z8<1$WaieQ3%Wx;Gp-0RnEbUe~?ujw_nk=@K0 zgotW3RoES$a)BpD{#+1rD1$n2$^>I`Fm8IyMgtFrg!5D8lSSzEpd^|yKg|G>07!4ZeTCJmnX|4fQ95lQBG`gn+QDJ!!jf!{_+Z^lGri?nn85~*~o4nWTZ+_Naw@( zh0F~p1udb&0&UI>JYI0-q07?iLULBg~niP6wpnQbG^rUWH)O1J=UheKGD zV^LcgT*vZuIAWYraLJ#`W-Hnu!w-v46z2|wwVdE54R*xBnlv%pm zp>Pz{uPTS|Ji;Gl#KfLUN8{5c>sDR~{(qvu{vHX3Ce!-o&kd*3eiWoVZnat}Ixq=u zyA3T#>NtKEy?+0<^UK3VDrDa3>%(rtmOUjYAxqTA{Zc_L+g{VecP_IPEKR2NOa*+l zpBpl-Z1KhlC|$QfeT`|dk$wIQ^lNO`(Z+$SnHA+O{za<^IjUT>z|PLEj{2?SqvTUV z7IGGl`{Z@l*?HQ`4m+I{ay!&a?yxYM*S)hmz}Os*1VQH& z>Hr~O=e4YP__-+<9Oh(y4|$$XhRi2hjUqyHRw6{lCPe392+?^2LUf7=q2rIf(}6UU zc^^Za)=q1u(fIv5L}%=lOa~-Jofq3^cV~BJTg9f?)sBtm4udb=6b?%x8d5$Xe(DE1 zrpaVBfT*BiBCFu78$7|ujC*Y4B@^PQpv+s_D49@>rug41w&UMO-xn^rt;CtsKX8J> zG2t@qrVM~8zNg_u)ry1TLc#=#U~$BZnSUAzb3|}5iv=j(mtitxS6@hZ3ZRHpsRUp! z6fsSy9w3@<5{$$V3&*~aG7QO%&QDs6#`oX<23B+m@jDU|L{$)2q7pY`iSWO_|Gv@i z(1o^WRGXTS` zyF%ogG-M7e5^AQAoLt9B?VzM+9RVj(R+@cT#`WNlASZ$j53JVBHo%hxo#FEYjRgC` z;T%!UXN1>pQp)RU6{&g3ha|)?WhMlp@w3LD7qCxfsV3jkFii^4eW% zcGu*Z5oq%&yj^0b{UjzM5^FZ~I~$ECC?KJj&xSK`%7IaS1 zdNWSEA?Ac{sa2vrg=0B*x(^9Mw=cwGdB@3U7NCHJH(bsI-Lh!W3ACNe5*AY&@ODf% z3vP)gklTg-zVIT(6E8(Xj&s|BSEnZh#UXrxEI~Zc2WZc`-SrZte!ghKZgxV4BowF0 z0~XC?9?$<6vS|K4#qPDMS4*Rz%K2y(`YH=$FT%qK(Ga$gjup4t+CiJ5KvR8cZvD@O zm@iX2hp9IMD;CP-iY6b2B!U$`WYZ|1@(8Ur3k9Op_@@HE1__2mF0ja&$lDd$_Pa13oTnS)V6J0QL*Qt9hXnT+$3${< z8lttDn!` zU7_E4mzTY>tK*|SI=@5*=VynYe=){c?PExQz&vO1+N}`02A4(J5@_ ztwvu3-O!C2O+Kh)=@11t9MABWpfS58^1>h@@sx78LE_MF1awNZ-+!(ADyeoG zIEu`loldK>*V@UXWymFESTg@YE{B7oy_905YpAm=n1@t6dNTbCT<`j-3wG83KIaLU zqRsQm!#Ah>EoG`5iu2k8a|*Y;0T z@nbstFQ0G$Zi?fChOJR-DmWjMO3Ok306_o0T*UzHT3dSoz16>-yp{5tj_Yb-3$$#- z#5UMSr`%4fv)|hNW*PdD&qDqmu;I-;+gOzU>&1(`9RJ^0=l^|@=MhB|nTh{>vXR`JwZ22b2AsAAcO}`mc8JkK_d&?vDK7&hUqk|HJ-|gWb-~ z?(RPEN3VvjI)scmo!$Kx4daI0Ma|uv-HzAU^3E#kOk^C9rj9ntYDmd8tZHYP~= zo=XL|XjrAww9*!hE0I+eNjgC5cHRUBTurR2|Hj4!XaxQXfGF@S2TCD0HM-d3TcUFkhLHT7PIVF7_H1mRqZXK$Y;5F+ z)s?Ri^3ZgyEB->%9pss`9^2T^pzWII_kT4|*2Y3L=yuLF={G<1(Zn{@H?sbwo^l+$ z&sTZBRlAjUoXE_rRx308uDBIlWnn9st6pv0kuf9Cb3fyikVZAPv2Z~y(NBFP>^MI7 zQyQkmy~VxN6&JQ;1wwWDA^x^Ot8y*z;r#-b)%bwc z3i4A(O;!7o9(VJ}9gKn+7v@f0eX?j|-WBu_zBO#7tGs1tyLvC0|dQTS~h} zsU+Ys#UT_hT2rNmmAb zQ=l8gY(SKRFd*8%(Kj|{>iXLhNJA5vb!rUuq+w_ULK@hC`ZrTD*;#AK8n=q9s4 zOIh)X!(5Sus-565Z(CCnAhwLSl549#0@78Ct$9Hu{Vi85!Q*^+@p6++r!$$*Qs4-F zCovHNCge$fD+ejHHO>PR-;hi?R9H_7ZQ2Oks--Nwa@D|oIjt~~2F==%M@6a`fFZgV zK&aG(lXu?08WkE?TRJYJtgNM8);6=={Xx#xQuBHF`Qc3H0h}|<+-T--dna~jZ#<(u zY0JC^?TsiVo**a<$DVv=w&pS;acF8uYkMWs>H!7QodIZyX8=P5#nX$_n9j87bu7XB zhPTZz#*3KmnWf(rJ&~RBqL|*|gm`+m+e++K2EFpHXcehD$_d=i-+Q_UY;2(81W8A( zH@*JPf@il`jLv$e$8u^zW?Mxz=%Yr+vE+w*6g08

XSX%#;I2YiDPtUk zg?)jjSv^iL@@WjAnCEB{GB9FJxaHiVO|x!(5VESqUBz=AsXr9=@EP14-?8|n&c>MU zRfdbZBcjTCPDfnkUJtrq`1RqNeV|SYf-ThrU2Dsz)2OwL)NR||UFtTW8Prm3=)K53 ze|Oc9qG(qs-dFTh3ZIZ5kls$Pxj6gEi=CJ7X~EX=;G4^XZZC>Xm0QfJo6PFl%;Rq~ z*{!B%v#GJ&IONN1IhmQ;SLr9wfwXvDuo85(N>#dLI3j}o93L8E4wofMuxBhGT@~Ap z-GzF;P+lQ{Phv1cVWHalO4^dZ1P2!ERzMh#fZZ*Ft^@&YDrpxe*Ylez7g8DDr-^3? zYi?(E8JTr1o{I{@$(>AIBLUkz5@*6$!hErnP9db2SO@8iIBjTC`^O7fI6B5K>zcIg#8H}CCX)Of;r;Dp*&n` zw>5zU^*P!Ugxt|KcQ^>x9r3r6V5Lo(j5(jSi&}!#uQj@0J~g1B6k-H2N}ghVZm`w9 z`C7VvgCck`mAcZ_a581STSD{J3>d{_jmUv^tOEfbPKZAXNDTVEchC&NK|Pw8ke?a5 z;i;2gdTz30AUW-(qAR*pN%#R7u^4>o@hBmXBsor`9OgEl)gKqk&-00UGebR8p7OP@ zkFzDSL5q9(vknegQBw(-NdDL2PZ9Hh-1!OPIv*mWK!~k&rvn!q<=pd8sbWg?tI3m2 zf(k;F0xM_fDK`gAR&o6z3R(+L(@@SSP_m-la43!l_a|QZUg>W=EJ4eaCEuym+!KcT zEkEBRq6!+?lp9$Fe|5zc26J#ukc&^*d>g@HWc2E~Et##r$~s@;=uiN{+*$w=vtpsk z3k;_NEphNnq$>ke84y#yX2`LuvCs7#dP2b(0kE_b?WOn$Xs1xSH%piY2SSyE!3CbM z8xm^iORP|>g3|!3^Qyy@E{u|B(F_{0a7ZG!S{GH?Vg{K-r`}o1B;rv^4xaH-7u&r~ z7IVRTje`z*@LTWl?D*_$H~$TU8#%bF$>v@AF%0^CZO-J-h$jm6HvvsWKJL*pH_&1EPTI>-p6Fh5^{~B zD41J+-^DZ`;_rYBaiA0uY&3dbf=oD@_S2RNyQW@&_5^s@1m6+|UmKv3<`3ZhLvXw? z3^r(ALib+JCg%HA34+R^UHk@Cb|6J2WW87Um)@n4F7|J6I3&IeNib2!2~svJ5Z6;P zZ#BuqnL~4XkwxObhxL=f z?H26>GuTT-sq2|M&7@w%@Yc+3glyt>QKvv*T3~<)tn$a!emkCp37ry8Zmr%O4qB6B z8f?6Mci{cjJMm7Aemy!d(sy>kcTtm#Mrv<3JHI;WqT>V&&6N312RpN+6i!tkyd#vE zC0#U~Ut8}4687*K5yTyxJV&zbg4M4&7x9qU9~`lY%ntOXZoa+W2Hy-glMOK^=?Co* zDI3ss4O_VlZ5b2W_8?#bZRLD<)H^&qYEAtOxq*jc4}025!voC>xaq|_@#0yCHaUTS zVdVb>R^DwsRDUFU1)Psu1gj6sY5cx6&;ffho@PAs)pxFK_Hkj=* z833CCP9x9s6A~tn6cw=$ogDTqT0mu!c%#H%0`^_f8pCZ))*^KqhOza}?g9o>s1liRk<4X0m8JVI}?~L>;ZphDj&k zz#nOpnV-(jFuYbicKR8WKzUTm?6m*Is&1PW2RifE&p_LBW zaYz$?09GWnp#r>BP2hM8zP|j?hc88D0lvTCK+LrCGH5vC37g7Th2Z<0S0W}c4mp;l zEdd)pQD-EkrQJDjbeOKnGyTx8F20oLn$doy*V>Xx`E-~VH9Ve@-~gOJHGnstV@F+v)9dj>u&~ zxr#f|<_S*dFe9IXZ0-`*pb+={9i`$ubE8BSgev zb64&Ve5($fzAq+^c-itZR9a;gZosvMrw@i+!n^_T0)~C!OXqWF&|}Gj#GW|7f)u4X zWC0Qwx%9Our^%~no<@mL`v2!#h`Un^7Ul7+R3;6GierjHe_%ccl7hNPRc%RWN?YqslI+$*#oXCwX6-DEp2iRSH)D7~WA~#Bh zc^Ps=-Zg=4q7XlIq_vd+iZVUk7nFE2H<}?!@upfTCoASzLV`-vA*GnBAxo;7Rxf^L zJOSYfexyng$w^d`N|tq+r~w=7udjgf#>>KPWPuiH39L>i4XxF5meJ-1+2*kU1<#ID z_!I?7IWOEcgwicI8edNaxTO}3Hah5PV;QAt%#>QlSJUDPcxt|1UG%3XEo`nb}Dh1epNp7%c+G!BkDW~=u5+?B+4Bb45RLgfK zqdt8(-BHr;bbc*fU&}UHe9}dKYOxq?{D18M4cmNT-jLyhq2?ijAaluthT|4U%r0nm zyLY~o4q6R5l}TMv4<_hJ_o-^{0pqq|>C(i324C{8U6`0ZZw!mC!m z#$s0l;-9dw-rpwbozX;F<%+Ih4X^`sW1xLP6uf|qJt4!u{zQjQ`cB~%O8_=--+A1oxu{Ltrl(HMkL zPVh9cC$uhEdeZL0f%hUN;(T-hq4Ox=NWK=hi}xx5pZKr|)@vRo0#HJHNTr#%H7JJJ zMa^goeJRG|6o0f=)+zo-r?V+aSb_s&&0e=Hw^nI4^+iTn_JmGpVp_3RS!y&S>*y=z zf_sq+xN;pJu=8aa4_WA?_d^+VUJ zHdI)(W_ghh=9`FOuL}#FDgNHKk2hyaZY#k&xfha{{#jsg|%nMjpY?c9? zEnhzK#*+cQBvW=vexd>BQw|E2kkpwcLL>!d8$%5l?@zMZ^biEhePhGAjh9!Gf|)6e zpL@h=RH2i>TpF$d*MA%1A-Nzi1=|)D`W)$hmB|h$5ahVA#cx>c}54L1oiE0l8k3>zE+i>ijqm$54B!>xI#^46=>b;7X! z1_wACk{C2xXSy7>D97tLjhcN(Q^N~MBK9O2j`h3th5+aZbnGr^^h)Vr2Mw?T3S>+v zRB>Yln~57x1UaxsaC`w2K?6;a;|p=tuxSByHa6MbTb`*|iaHe`&@AZ7q|x(35>*3+ zD;iIupB`fDE|$_*976?=s~C?)bf|1_wT-+yGt1Bnf-Vr&JHAbAn?+Y@_;^4TBF{2G zOMN{+we4v%+`fS88(^v|b|gZcM98C&u>vpZg<0vu$k|vo2l3v(U{!fAZTyIgeNf_CY}N_Vlhxm6U@u3g^dkV z)=$N(JO~~M|J!Nr?iI}*r??C8~}b-jX|95!juh4Wu{`{8?%qLitN4D+27KUKLDVGayihnko{AEe6jy> zZwrj4lv1Y2@7qtXFA2uJ`LT5(945PVAmAaBEXgJm{O<0O`m&LIKF zA=R$Bz-To+?ie&ov{5B#CDPen}4pj6!mUl4&$DUg+sD4y-)~ z;#WG4S~=GbWxZO|LB|Wu$WsP|_wXIPdi4sW^M-{8gVr~7VcMkQkj2V1rPR?L3{>BP z{FMf0f)=EUT^)ou{ews?humB!w{CPXDy+rVdW!q=bD|UFf-e%PfB}v@$13j!F3=iJG_Gc z(6pcr;_E$2V(aLF1O=BGi zXuxKnbkeD1g1C)1+m;sa(kyH{&1pBpp^7>vhQD>G!auPXwIK3sx*u9}$?g3%1z{0F zKEf+7B2{|bOc$V(KoqQiz_CDP)_`F%#-y^9Y=jzaR;+2P(4wvsM?M=E4Eb!32BT23 zJ7pWnX^Kfu$_0W7n%&x_ZCnM&Cg|cogW#HVdlY-Mgn}rGknd(99##>@asfNN?5NxB6nriLX;ydP$Km9m!oa*5&ehs(N6F%4HZ%ufYBb6 zH1nk#6qPviR3{EC9ujeWNGs}qR&M6Z(s>Z#h) z-)Cr^rXnpJ&Wf|3O}zyNKnGP403Shp{Ug;LSvyER_v@zR5L(X1l_;cJF+q@^g%gwQ zQrRj%%FF3o91K!7eO1#nP>`9a`bmrvGM-EAhx;x|YtXrmW`U3>AXj$6VYYDlOWqu} zp4M4N5itwEHJ>YRoFwfHiIc}AQdF7|yNIS4WG`iU^LOxB6m<8I3pLl>z;S8?WCRZR zvK2AEHSMe_j91%GiCGQ2_d_Tdl|9;sO zC?gt(gD$z1COK`)IUR@Kz8x}OpZMW#jgN;z-@{=-&6`wVl<9wd*;(dHutG9$H2j9_xJ`H5$S(2lACQx>Y4<{wU7`~z7Fu;b z(!{CIm73%)>Wdl)J2H~&N+rLgfp!oP>y!bVK|ITqUz)Y5(}`AL(a@3$Q>WB{>31cRSo8YVE%DG~;G3$M~C3qD8}%7%3ySn6d{sgx>eyiRc>&ZSl)W#3%STJjOvvh?Q zWN}|$RI55+z*IG4qpw=ahKgRU$!yfd0=n>_QX*A^23bn*~@Z zYr#x9wsngf9jVZzZe-DAx~}8lS!(}+hO98GDtQ(2jA3+o5|NP?(O|~s1NJd}uj5Ih z-=F*J`8IlP>OTLMvrsavR<1;OqB@m|Nl6GhAnMXHAP2Ng^KQ%cX|udJPJJ@OX0+Xb zwgdUN4xvf`E9>S4aL#723Y8e@D7y9-rr$H4F07c5GN@%*Aky~7+KS#ZC%(At$a!HI zE_YF9_r+d%tXGH|s+`-oRSK{B?R$n|O4`@{AZv1^hs2g!yK@U$7o@o`F9mB#)CHN^ z5R}49i)4W|Opb+aURusvpJxpW+~W!;hal>f(hy~i(oXynr$hFa>O*zf#^3r_og-M~ z**ZhC_31i8m9PAK?F@E}Lw0q?p8A-*2>Z-gJA?e!b=qFkm;8~tusdJxq1)-;!jred zSHASwyLu1VuE8?5jmbg97~k_Ko`YWJJbq6)-}6N7pj`7<{x~yZ<%4;q3lR(0c;1i1 z>jM_@Bo=^0hvXL|KOy^@jCkZ*T|r!y!qTfB{8F`FJD##|j7FFSvzT~3n_?RB7CI`v z#gVvPu5OL*={|W9CvTWy-rmT+1Dh`U$X-g5YEnMDqQe2doVLR~K-qv6={#JnS5NWb z&hR>_k1PXPMgLLQt8yhsp6A_16H?ZAl{&=5;J!MMVhk24M)Gs^A+#fTWWFgCNuDV8 z)sqyC&SGUr86rz+Ocu4ipyArOleGdxD^LXeDhRro3MChYv=aD|%9Q1RFRfN73Zc5P zZl#=y7Favx1M_6Js$8gK+f2ok$ru0Uq9f^{mRaZJKzmowSurnKAq`CGx?aa;Si$FVU%El442FLpF_O zkS<2G)^?&0tCua)(C;#{=D)z=O1-snQ5MJaPx}HLld$BFNGsYd+I_iyO69zXX5!DC zX+wE%D5l|zm-8u?r$B|07XrbVUC`v%JlbHf2-TPMI$w2tbVPmP{+7Obh{uZR=2C z;tLE}9Fw6snmFyHv9}e%%5X2;6I^F1%E4clq}GotR9J`wv~8D_!NZ0^q<5XnV>Sg_ zJ4tv6W;2T{@(E9L0vCbCmLa=C&4QJinF$}o+M{4}2N{;QIg$2khc}QgZ6h{aQHcBS zI!)4~I-x?xW@e1>IZzHS61U?Ks=$PD1a|P@*s>Y@^jVFj8nO%KTkbSEag^QJ=RCzx zHY?pLaH3R8%J(Ct35h9|Hqk89UOF%lAm2J;Dvj+nSWCwstbzmV8)eS@W|qi+Ky*s@ zHo7A!L>rV*@pI%{q7bl+sa`13NkmeDZp;2apd2xa@1&WwP68y`%ngwmmt;aXae#%6 z5q~L-bQVq=a6s4^a_svS>&+!*EFa4SCWDabyTPN(;wylnxGj(U~|31vqt@^#} z53s9t?Nv*d*OHPOdbr6jh55u99fRK}DBeGbLD6_;32MZm!C6J|D{})-CCGLKMCh$V zfCeKb3p6x`5kKp({e84h8a>=?OVM4?3`qb@Kd85)#X9<=`nf^gS*OQ2nHyi4nwEX~ zWJsTL{?xyearp$coOAsYxSVsVWr%btro>(Kj^SVa9I|U**Oxv1N{Z3Q zf-Tm!G$ucS*3r2Bfp=|7eSxw<9rksh(2T&@f1W*xntBbj{jDTF{xk6hj!z2d7+D(t z>j_PK6rk-pgBAFX*2qCh(v+9#izYcOF4^$Ni5oeR!HLvKSRz4}xL3CUJhc@tVk&yT zFKWV7Fds6!wSqj30jadFo#(RtGex9{8g2xf{%_OYACoRAyt%vzE;FauRGilEAy;{( zO&Mzhirk5Cq=>79B8A5g(nm%os^(qi`IdtH_&2|6A%(hxX~=r?8ZZ|aO!Z-}!ln?w zwU1?t2p*LadYv&x?li@${~@Hnx|1hWC;NBr3NVe159nUTrwkoo8fE)KVK=F1Rfy{B zq>y5qxZoV_TsUoHA0Uqgozs!hH8P7BmOrE)sauF~7H-k9A_TGv$h1FFNf~n=9axSU zW98`dx?s0^XL4VOWWdqF(sGNN17b#KbVX#ays^DF-8td(>NM@NessAb7BxjZQj->r!037yQIHh z4WC}Clrgnod=g`3RK~+i*Pm&EwUhzm-xGC1Vci(o7plS}t7??ggXo?Tr5e@6|8Uct zouyZx6k8P;wf#_09ndZnrS+D~c`)d`AsDQ87v(8?qudii;t95tDGB(VlvAm=(bQ{3DDv{+toRZrW zby?`Tk@3N34a0`TkVC}eKxbV^BOBuUCBwjhVv0KB+D~tx49@fWU7D&_Lz5{ktVW$C zLEK6>pC}sc@H$1$D@(*y5=X-UFOXG^K@^ug9wT>hBl&`BKaKjxC^%HBdbM_dMl*wn zl{Nzcfk`W|*Q~L6U>7l~bkUipiK<&BU|UWyr#!7QRMq;4wJSPS${(LrlnDAC^=xHJ zZ_%&>P^8%^h0@~`GLhbI8L*g1p`|k=C~3C;ikoHWVC5@+ha`k2zlxftni)NCl)hH+ zi#eC@FZ0rz@SiZKV|)yC%hqWByx7Q8y4N4^i^2ti@!gcT20H87b&$N@C3`@7|98_B zDr@9**9l=R?b>--*#0Bz*16N!JYt&%7VBc{4<4Q~0i{uU>)`|X3)yRppw5nlDO%1> zGA2zwWD|G_o(~^+U8W~rVn~n(H#*N-jHZE`PhxNQ@L?lr4U7x8(A+`hk#xQQhuAq> z_DHsGb?W(mE&M#P?n4k};W4-j07)dL6*%9F6Qifigrkx-9LMyU2oNlUT@a%#6pc}V z-BN*)z^)2R*>i$|y>m;JFK-ql*BvxLUX5cy6Zv7K+D08H@wcVC2uTTcT=WbwQ zqv~z_L;5%3{JZe7+lN|n=@_dp(=@q!n~Ctbm_Pf54<#=rXC;|m z7gyxdEHs#%e>>0H65U%`O51xq9O3~jOYO$sxEFJ%;74Wi`>xq7tK7f*!=av7U1V}RL43wi3Ps4iXl@=JY9tW4#y*PR z>GBP9v}OCS+v~x_OXp7mM89#G`w_78K3W4r=Te)85krkGL5)RjkH|crVoirKZJ#P_ zpE_-~CT*X#Zij7Cx{JYbm)3=QFLa>KcJpc=@G8~^DPeNAcNMH_gU%PJzj}K#n z4jv=|p$jJ7TA}xc=SlIU`{OlwZnSu=pI+OlaDy)>%VkPO|B}`VkJ4_CB#u5EhqxWl zTJlnfGlO2#{h{YX;D(^n!EwHEHeRJ}fGRF?E?QsxAjJb4q> z;$mCb7J6~+WTbO`ta)l8O|g`_=*R#{Y26Eb0hq#vSDK%^ zx>bn|eB^U(obzKqW=dVNg zV@;-o7RlZo6jg{aMAZn#-U21C7w9d)DxLaMpX`Mp$1x0_i6-U)1p#>IP`2{Ek6$mb zf6EmJib$5;)$%0#qDF}h;qddA1=OtkzPCD<1IaZ7iH+bR!YFHDk(W@PRYHD=u326I~WE_3It6K))2(e=DQfPNKB!Jt9k zuZfr4YbZGELT-ff@J#X4%fVSyw9KBqkFJI)I)`F`#Do!9x4))rU*yo0H#pnkvk|Y1 z2pG7gSz5vJP2gfQw~G{yF;$J>3@^nwt(=L_xuxdc<>by|=q*zG1#&}XwOCAx?{rHW z(gLjQsDd5F{g6Qd>*t+|!IXKS)^*j0mPxU_G<)ap>|7lRH&a&IJRrN$# zH#Xca*VH;M89)Dg=ddW`obIvrw|?UsNXw70Kty#l;OCgnPdN7epSA%qoD7^|ShAQx zLpu${?5b#nv^Okq3ET}C4eJTX9qpvxHjXHWsOPd^#kNkr7GB7d4NG)6tPc{KwgJIPvu?RWgi$-wY5{V1I51*IO=(6 zJWDR3GfNW?E65I4Ay+e^PwlP)F9c@3rkI=jNa3Uyed3&aRbu=k%0Jlqo`Pn*LnDjFY^~{nr3%v1T zsLIbGKHSDzr)A?r+CEq9Ej2%d#!U@Wi>hyT99#*eG1q0hjbYB%z}sES+85XPwP%yDNOj+sk=av$-RS0$ra^uLXu*OZHv-FE0zu6S0C(Q`rZC zUufq~=G`W3u9S_rbU%#)P0fu|J_E+J`YuQn;7U)uzDV|0frv5b*AQvd77@P#IgIb{ zG7ThmU1_OA27MA8op@*SEhU2uW%& zQRqAnGPr7?F)<%By|H;N#hSPn=)m$0pUwVo@$XSF-8p=VO7S9uTY{iIOBTOvS&Imj z7G;7WOD}LRQ(Y+8?O@4yBnZtp6K0Ayqrl$O4>^bnMczbPh`0ym0}=0HFko%0!V3fG z<0;{M&mmxp+#(%j(6aw@#`sXF<)dDa5f9Z`Pn@w*o|_l&JR{;>_0=iRtEfOW+c=0b zAtj?(`;YeC{+M)LI-4!ANPw;eKN4h6%)cO{P)2EYW zjuc9R&k`S$@FyT*1uv?`7AX6TK|9Oh^*QTFZUg%b(qqWhYYVuL*T7)TZQfo0+5|p+ z;Cjv2am~lQK8J$c9`y_K1#*5zj>$hMAHW%;UqrNQs+$(cvd?)oOSFgUEEB|MztVyqi8*wBDDnIvu58%8MAap zxs*@QEv2|LL~`>~ydh+ATnCNsUa__-e#tH6VYZeHOcVnzDj1kH*d*SvakqVttMCbn zSHLzQ4wC-Zsp;9bL{q0Bd7$}+Lh5V(vmtawxbr~)_9fNg-9PTQkF(iPMWksjmg%26 zs!|r;bi-RG4l_+?#__7F{X;cyhY~Ce4H+lyz#X-4QkH_2I90EHQIGZJYp0>TYF&90 zmp>=-uKCk&*4;m`lO2IMS%)CA+qu-m_yo9hlb^p=OAgnRu4&iOL80>0pb@sUiPjcf zFz)64)*Rc+3Z5o~zku{=Qqn@09gs1cp*DesM* zV_aKXBf3-P<*41^zr_sgndm&7IY{;tRpu;yce>7WxB}jR%*QXEU6-N>jVes25bBGjpLT8jMd16j?cl!( zP9#6=EzI3rsymimy_x&FME!xzxbndG0D`>(1u_=DC#c#3+BpGJo{bxyOfG7{*FSwV zTFe~V%uf^+QoXp%Doc;59t7S->8Nsc7&6MVle3reMTYJ4qG~p4={SmNqXg2?4I6%T zWLaHfWKS`FXtDKF*oLPQtcF2%tnV0p z8I7WwaI9ZJum8GAik2%_e>$#&=58H4SPXkHk~%3v)4;ugGr42rz;KxM70}|f>ujJ4 z;hcJ6Y~m3&)&9)cYGJPye)jhHd7!o^obZfxKL2T&X|xqi5SK1u-BIkP$J}n=uBcjY za69&^bBC$TZHU#n9kHE={~i1NK|!swphL$MoQ215F#pTQ&%^SOOAy5sgFwf&=s%?5eG%822R z+rZQa2^2&oI8QE7qQwR+<6hg7N-Fs8?0Hl+5Ra|47~dq-aLP3E0|+_bI=6@CqS(NP zVl=$B`tYIoCLr9=t+x6Tjzr(Y=2PuSmdsn!w&a+pVL*74gjBqeEn03bpb;vt8|$8E z(pK__C)F`InKXzCZhp-dkB;ej!Xkt$J3?x^Y2w#OGu-phLb^FFnM?Z;Epl7igutXJ zzm87BPzkKN+)I0+8uD;kKobtGu&8x|15Sf!@XqDIE%@w`b0nM|MA=;-fIGxd1- z-A80vGy|agPaSiJeq%bEs|bk;+G}s9VMtz8Lg(W2m347-t^#AYzpSflReX#@>H&nd z3AdWQDoj72jNZa%@zBrtapv}W@R@d5285Tpk(eZD%L3*cX?K+dZ`o8eDEyAbAIA^M zuVDr<;Xt1@&)>e8OpxxH%;s&5dx+ZKe|I{3O~d9O8e^ra2NW?~F@9pXs*t(O3JGQu z^PvA=zT^3E)b3&uw4LR85XLSDR(2>AO#3H6eOiTyl0G>y@=C$j3R|O>iIL zrWr={=!M^Q`~-~-w*TtZMTrUn8k>sg6l{4;H2wK5YNPhv-LIt_K9Pd=ufJS$?zb_Yg)6!owobZ$H$Qk-lf~LVGRG~61 ziZLwY_iF`ZD+;wx%G7HItItj(QA5gV!SxbAD0K&!HMBDSP4&`cKZ>}_ zj?!+%Y3uej)8TVdf@a?eJfqjPG(42|JClZX*4VDAu;k`2?W=8$)gs^(T+rT|9*Yul znv%m@W(~~*u!!oMDGZDFiiAzv-LrYyTk!bUgO$BtV7XmaSxr~L@~9ObJEle@Hcis8 zNxyvw7f5}~}*xIMLJm(dKa$r)Eh zHuFB9wo#_NZ@KoxX18!<)`Z{f1pq}ry1(?(2mE+k8a@!}10-(&GJF06IroADrjwaj zZARnnh=%0=z5@?E#Mt|xjiKAHgEsmPsr;=gK%11#npdFW_pNKw-R{e?evfuNsNB%KP<)NXs==yw+djtv@~-)<<@jqEPBN&K=B?S43#b!=KF{MAQ11)7f`9G# zSGP3ayMDb2!{N0p3sP`&dT$iv|3 zw*CcF?#b+?TZ>>>8TWZDy~JngaX4^?Na^+y z?crlZKP;iu%uOb=Kx}ifPgL|+A<>atkpXrMzi2;jT6lK?W^8%J)^71U+L=s@-zTKz zg$n7XT2EGvuBKJ5(o~uKCCM1s~QPn;<`$yC@J@6ITO zq{%P~cfg6QIZyi|VA%H>sy7O;;otX*+6w4!IUn&Nd=3OFwagI{;@d|NUCW=KtIf# z?xGY)WV62SK+ZG#mhokV;#Ep=j0*Df@^#wl>)_;#kIucoR+7 zZ3#M_#Af&f8_U`6L+NPD!i)0fjm!j9GH}*QxGW3P#%*ZzVQCW-D@$DVcL6?7>;?Ey z-}D0PW_VdS1yOjZcYx$9hDtM#$TXl-01F`_ta$BVwB(5H5pA7<9gcxp7AOjK)>U_i z*S)0eho-|Pzz##jaQ(HH%C#}4gb^*mvu|Pah!nbuBymTf(C@X4uwJMWB{N zsVI6o$rDV>Jjc`;f^NZN0o~}`Sq3aH9PrVTU$;K3Lps& z=tZh&59-%W_p0gIqmSKM|wGA@C1ihQ$8|)}4`s_h_x+DNKYN zAvvtCAh=CV{V0@ZV@{pjA_Zct=^=Ib$@uMJNx$_KxRiUZ77rGE6X5Q0C%~QC`Uzs4 zEsrWewpT7u@AS!|Z92IMz?h+*W}hYbG!lJ8k94ZqxT)6vTgdpFks&%UxCFF0 zOGY!(w;i`)le}2rn?K43u)PGJ`Zl2Z61;zxKQLQ>I@^KmJD~i7#_J22BVCNgU8j8p z)UfIwKO`{Qp+bRIeZZC!LhwMsQu%9g!_9jnU`h@ zRK4z4WjwU|ZsP@PDIw z)7dbJ?IeNogM~4PK`bJk?SEg42!o4sutWLrRW_qMwmPGAxGExo+ioyVWz!N$xI2xC7+-?+Y2%6$~Gt<^6uZ5 zK{sHsqz>a+gqy%GdBL9VjbQ)|XBt8toq>E!W22%A8)Er>cd|D(-KX<4;3K#7^956Z zZ-h+KIU*6LN)k{xO{)09hRckH%1;VNX)&GDRMpIX`o%!PO5df_MsECVtOb`=B?e!XB#$8|OJ;ceRO{k>i9!0N+hq5l>)th+r-6tX_r; z?ub^#MrWUXSES_gu_x3m-KI3g82hVw@!Tb1K`!@;-;dER(x*_d}(<) zlETqfGW`T5O;IJDLe(=}y(!8kAI_#Rn(T+Ng}=m<0owY=6iH}rj;U5JG06$`kMr?= z_>;3-Zn`sB_Cw$jwLl2&yZw;Y=D=Z#G_y!fbglYhfVz6I)>eDbFEPo?044+oFR%JE zHGeg=STcfGOUdL;F^s3OXK>@Yf-G@s5VihkGOYj5$bM-}5?G z08jEG^-=l&y|m5T7GOSK8o2eFV?&3hv~XVhVFEb}b3J2ZrwyrU)+iw})K3_MYe@lF zJt2HXU*=T$=T3yu$4N(Kvpy!)wT&jXMfPBvf%EEqc0G1*1q1EwQg?)qPe{d83=1@x zD8w=2WB)&IbwW_5j>i44iSp2Y9Z%fgV$@Bey4AJc$M4i@yPTx8^jY%n??@J3K@l?LAvrV#AZ6WAu7 zWS3xCT0^sf^I0Ei5h@>H9qM#V%4jx^6Y57FAIx?Bm-xh_{- zL&tn|Zmt9PIvUa!w_ySYmJPc!dBvX|s_%+`O#pDR=r&TDz}8SM6UZ>K__lUH6!#iJ zCU@%A?|CmEZVL#e{I_dhI#2wFHfmC*p5)Q#__d;+%{3O^EPF{mFoBY3=Xw6sY>VZU zezsh#QE{ET$(}EpE?Q}*KyOJYd~J%`8cr(j`Qfu?!xZ4fekYv5>7!PK56 z(PypW*+SJ0k#!v7Zos@DoJj@u3LcqkAn2y(A}#QpK+k_iYx{#ujwZCcKzM+fV<|LZ zX|&M3TMJ%h%&}ks%0yS0by3+(JOvQH-rGe3OYF;DQB&1tL6auCd}YKmia+U{YT>0` z51(nwhe-Xi$e!n~N1kS!t7teUQ4a*l5FY}#mOlyGz8X{b#SDEZCN=jv|J3sMpt*Xl zd}RO-T?JZ(tv{z58?I9!v%1?`(RmHgW%MCQku$n}ZSG*mak{wPPbP`yybPNRz$SC` z%R0wJ#+rWom&=PcS+@QDgWo>Y$!X2k6Z{d*2NxCDqUlTArjBPO?Sj#&! z@jNP_fw097b=`(tUs3{n$6O8H8LOA8kNYy0z<`jT*XxCSh##DyRrdgO)CFr3hmB~> zcu^@}JasR5z_!P*qb+J#h)N#&^sBl(UE&Mm;{0{_Hr~Bhd^vPDX}p!i=DvSYBu+oW zP+vE@liSBdZB;61*lXxyY~jgpsTyitp{mNr*~fRK_XIddA$E$u@RdBI)`fq*qm`;- zh^Lp2L-E!aJ+)XZKMj{4YdHn)BU@f_6YRazK=n+tsXE@%NnT=+r%wT%DX?mCZsMsj zcz=C6oTi7b3gG9bxB+EL6p4^F5b&I{-wLTX*_Q{KUDaoFNIhlcak;NsAiv%rC4_=_E zU119iQb_bEwoP(*BGhicJ2Kr_UTg6^=XsKAQo!_n&%?ApW~s5ZWMdBRzuh`FWyEah`xu&bq)o1gDJ z;M7893TLq&a_?8H&%rJRdtK1Y$mUM>&>>BbyPPfEzZV{du37`a$2#w7L#IFtyc80Z zxr>4EyZQCyr}Mk@r*kFXu8)tZ$M>YEMmZ}lSOXOepIKg^A1lBKbODD zdN*&~yz9ipI|d#Gh?pFF=o=1yn6vDd(^L%=dW!1X@*#GlBLDgOR{5&3rP62m2J<5H zJvErWP$g?A)A2;ts>{XC+1Fdwf2Vr)9n$T_@n2lB=UZLxC81ta>;=Cbjr~Uuw>w*m zKN0C5crV!}=joH)Mq~A#=u3mRIC^i2Q6Rxnef(@)9DTrbF715nK^kGH&i8?ficmT- zjcFb?9lxSR|Du!hAnEC+{zme*+U>=eYJ*DSc`i`LyzMy4CkBnn(a!D?d3@llyV>kr zdG17nsr$|}kYPM!J1O5Xfs-S;w71jq;~{(J>3IJ9tzJU7q_2uQeA(J1bH@}NVS|%= zXiR2vyx_=k-R5F9`X=_O!r1L5j=2Tfk4}!hfwaeMs4nje06dod@a}ILL(JRpAXo^ zZgh(A9zkM`+~(3f(Rijs@*ZT^9})CDuf+1mZg&J}3vlsLc^dkPiZwGa{>ZIn(rv_fUe-*!jkyCU{Qh;TMzKcdP4D3f07E)X89=v+$A0=HORFd zD>bO~BB{%@Uv*{>MpHF&<)*tTt!Y~K_`qsjPMU5~!0)alSoZtajt(eBvl3i?N!kHw2~pyl}DlSsg9_d zNJNDofxAxz-BNPuUiD-BWl;I>avUsOW%MpV>c1c0BBQ0|a0|84jaUvT0NFQ*7G!x0 zR1YQe*)e$hv0wM!)_0?W6Da!>c@CB2`Lm;+l;;TL{5ZyyX`Y-a7LctAeOwaW6m}j1 zl&ZFDPi;7z0UeuK*6`!DU)^(V2O=HzaL8n(=~V0=G(`btpdLQZ zaLlcF*UG8~(y!VxBQ&9(w2lr#9+Q7knAQx+j(Q9tM#&!cd`? zho~N!lcGh-8%(UQu(@z5JI?yd?}$B+T_@!DZMf(tcVWUwvsuElPV2b~TnQvPXFjS@ zp1970!$F))Q)DJlj85RDdX!U1_ z(G{F<8bacg5FYO~u-n9{(+g%`;XUZb)HbAQ3vKgjjd$?-1<4Lyp33k}{ssB}`<%_q z&BbOgFn<7EUDX{12#i0J%(qX<|5B1I=gdndhoU=*Ktc7@Y5kZU-d%C^ZkXG|2@I&N z*zCI9HSE8hS@r+tnWeaUe*ZO5>}N5*eBeyCqWW9fACd|9bfL|+<-s;8yfs(t#@k!aTcj~T7{`eLpB zvHH;vXWsiCez%q@yFDcR?fb@e9!M5?ZdZPqVjn6{jqKJ_YKI!DUlbVabny0dTx5HyAvDrE7~vqcuC69&s*9!4^*7a|W+m^@#Go6{sy=xN3>1RQ^*ID> zYu7ePV=J%)So#=K7MbT;v0EuTx2%txl}pON$D6tHQ!BM_sscucs$>2c)S=C%mSs?o z(pR*ao&>pd1-f+wnjK{62;D@d;pK-9Nlgi}AHvvDlU|Vjip}ao)#5^b26?&vdpLeu zf9w8!8hATDzf%)aj!F9QF{PNfe}F-<82PPF_SXW3XYje zQ|QUP7p(e^a9Q&NlHrA4zXzq*YqbNuoP>jGR+%2s3JgI2D&;im!c`6F>93~c=u-wb4V+P6itDX^ z)iy+ath(jCTz!D6pQm~~+yFlEto0v$ex4eXtT2CqmXlCr<1F!UUV}?*metx&+WCR2 zUu*25gtyst5{+>?#{;vgz17tlpOB+N<81Ot8?vIUM8&KO%M-B1EUR{>+s6kP=U{$- zQ{pE2Ub32G%-a7QKYXbuY1Mk*K?Y&Y31ats6cPi{zIMfmWGb$b;)*nV-JStMCc1)S z&Qwvr)YHJQcn4$V_Eq}B2;19E~-iJ#Nn7R~v8%_$6i z2$E0+J*!xTLNX|p=Y8_&?I(9O1R%TnSGO+Sx0=P{<-?~-SFiuafKpFiiu+eSl7r+` zB4gw!TCvfAlmVus(?g^}+grHcCy?#?usQWw9B_eRf=k9bZK3koDVs?G2YKzK3z)7E z9Hr{Uo5xB~Kn`a9JVLkhUZ^r?%SAG%SU21-doknxkeXk(LcjY}r*sEH6R{k+M!5{~_mQ zOGiqrpkas!jIth)pagG6j{o-*CV^U-XNC3iqA%=7mX(~}njk!4gg;VgFrlO&Z`E?f zoRV}HJKs|@%#~H*Ck|uwNZjnd>HCS)^Hgp3i3HuZ+LQY#ku!|bft0s7G86u)_Z3mO zeCPQ>kJDRvl(?$gm!gcYaacBr7>aroEVbc-qbCpkEGKl} zcO1#G+7kw=`TZ$UCh$8B5=!QPuu8BO8*#}}M~7|e9nlOSx{SLMT{Dij&hf13v&?p( zx0_dAl1rrJ#>4-E=NqV^OedD=8k(_F@2X{>0@3c{HGla6tfp{xF zQ9G{Hj3}vnt0V9xVbffJL7|Gq8U*HduMhns+`6^4P9mM(w5`(#A*N!m*bPn%tvEO) zYZ$2#ksE|j9mD>ktCpyVcunv=Y#jKaOau5+Q>f=_TKkfoA&F8MO&{d7TlwhNb&ei^ z!kn45swNQA=26S#qdlET;801+uT~yw9qT*~;pUT|QmAT39d8Td;47`P^UFx|yn$n% z-x8NA4R+HGJIb66pu4dT#WJF*9$!cOUVGbLK7jm^W+Hh=waKM-@k^bgP8NInwREsN zzlZao;-OnDwrNDa*RyRqu=U2Q@l!_6phgt-SEw4S@*jcK!|9}Rb9Ciw$T9fv6z3dZ z63wvpYB)`7RrJDrap#`8Q{}G_HJCQA@OP3PLxDQ9A#b&oWI-YwMzYIjFw~m8gui-^ zR+&yT9mso~2Po*B+K}~VO>9IjnTSY`)P&g|pfu|I6Tvcr$CoqyE}KT27?EvvAMgux%~m9c~YAy3IIzz||@Wt0zAz+s5X1ch$d)cE% z^VAy}x&IVudAu-ssyw=j@qgo5F-yqa!yjZA6Lcl0NNCS~@IZ{PBsd|@j48*!qV?Ye zzRrJ>WP-oEW?xJOJGnu21!!bJ@zA7(9+rY(p3wb~NFQ;~L2LWOtiM_DqWzeNheBQ> zSO7%>v}kO2o+-sbQ}(dG|E{ML=x_;e8IwFt+6o>d{G_sjd@StQw2!x9&P4hVyTMVG z@RjV$Ptx;sAO7{V4K2O+v)vI@&XI<0y{M*kK?}nH5G<1{Axx-B*Hg{xUqLoN!mFD7 zLIwwWQsP!-fY4=QM3X5|5{(>;qaf+)JCAAs_S79cqe&Uj5adsCh8zwzC=^J1;vxho zqzr4rm<8pR6v33Wr}LXFc4Tf`Xuep?m(`d_5QB}Yk0{vjfJ26yR2;j~0-aUJUMd3G zbl5nMD}Vq)(R;QXtz4KNl>t1@Hmwj`$ncQF90A$B{{jYu0-nD$CJ5S;QXI9v6}Q4w z9Ot;J^tH}4JH92|H?nTJZ9)?2&yP`)B*|+}BIJ zr$~JA5!y58OJn^D_+b6tQLA9Iaw^2o_zvm<3QLhGl!@zytc7cPTjh-nt10JiU&$OD zZ~VhPGtEY|@v}JiKDbW(Hu7O)&P_LiQ*~RTHuj3rE}}nG5hCtFFSbAC^CKn_7@D|E zBDu0TYMObr#b?1%wKC>@FUHl?b|x^uTR$}4cIX=IzR9&@_Su&4Z3)j-1nzt3n|M{y zku9ChHj&*WN$+GxTLw2zM7tqOE2Gg+bW2U7j63{$3JUFT&X^n%kCQJ$-_P-UQPixb zUa?X|NZV$9?L5N*qv7(vEuA|-k^Z{ z>s|XRYl6i0T3GvJNEC)vhz@n}AzZsB+HyeCY%UXi#>@BGkS_5yv7jUnyYxUwt2g-(^QO%HQu4uDX^zph%c z`3AwocUy4oYW-ZPFJrM1W`54>$35`l+EDK;Ky02cPwXCaW3T?byS}|?FbPt)qa|tn z)&4q)zS@k$TTzk+^&KMYt+uE@ly9*a;5g5_*^iw%u?q2~{o4TH$R_CX7hnvOcHglf z`km+en(l2q4w5SPGE-*)>DYo^n9D%{tsmBOAc2vGO5(F;MsiLfjiBS@7PH4s5n9p# zCO8ytcQS{F?6Z+?85Q|S^GW@=p}HLViS1P~omNqC=N%FD5!M!l$8D6Z4t9Cfrm{A| zhMNO7IG!>^oCPX5M=f#pMmKF+g-eWEk*+Kp<(7Mm+HM_l;(ZA1aUwB{FnZ~0CI^}yh?ol6pG3BP#gXlO? z9-sJRCLwl7VrzD9$O6-wvE~!Dlcy6Y^FsJD@!heqn{WOX?Z^@PEqF@IDtI@XQQ9pN zWuFma0oVxEB69pfyLNwAWJ>V=sZQCR}b2ST<6!0+sR1nM+^(P%y;-h^oV z>0Q(L+av!e?|2rp^MI|hdj+~V@)C`!U=J=L)<)H}b7nGP!kO~Ky!Vtv=jJUoDGOd9 zapvBSs?dTsKvcp2h?(L=f`gOij~*fsYl*T6SfDbF`Y0SWJVgxK#+2>bWKidYo(aAP ztU%t=$DN1{D=s2NlFBAUjM7>{eNg1fwxXAY-p3c>O7rqLn#o@yzAx+Jv~g2DN0_~0H{t@z%6I`LyL)SVer z&K&^-+Cs!5gtiqr;3zoT!_LZ|cZ?pd2Nnb00{m;+0WPSrLzmBujvxmp^HIO? z0FuCo4`w7bBJ!|7)q=82YS@a`RH*vt42{e0EB|A(RvoxY7^N8*(b`9H!by@u7CgsD z%C4w%ArSmZxVE|{VGMFt^QvKuC1%d`pp}uCn2(c9XAB|HU%ry3&$m|& zfL!xE^q!#H3jSUDB-tPJOA4a#U3U)2V3mTOB!mOyW3t!6ziA`qlNzU~*dQxlv6nOF zp42ZTy16w&5v^pQW2RDg=)okjNTE=tf1Nq!#)LeU|22#WcQzJ9>^DW(JZ;QI$3k_e zC09)ZH({EWwL&!ZAv(f|+rOR-cL2#Fo3Plo3WdpD#O0PDF-Muxt`I%?kdCCB!)1e$ z+az*^=fn$qJGHy)uPpfGz*8HH!EB1^iEQ_^w_q-B1tO;3ekfTJb95Di|Qmhos)?X{G@yn z?sxiAbM5?Y<%S=PZK29yI#N;0WrgnnDJp>jH=ewXqzHRavt+XF53=Tt7+>C^B>7CO z>)llXvh#SiB1Q=&*jxCl@ji6E!VRM$o77O!9H|_6Fr;p))^F)NUasTuWD1@mHjT4+ zGa+^N%_k#iSq(|1ozWia?`epst@7yvG1=n$T!Br3Dh>Ib+O%a#g{F|Lny8M@=W=yf z476rV8pm~>_l6fuw5pV!&Q;rKQwfmiw82#baX-MKURCqg08^fqI& z4kF*)B0drM9|_)Dw9|h)5+UWuG|e)~Ckp-jF9kZh4J}+NK=wgXD>XU_b3VWdS-ho;)ix>Ct*LynnVuN@cUe}WP|%Ee zdypeFE>b25EZVpyVk4OF`DNV6iHYsqX-;X?YJ)N&mLXJg-p$=`JrdC|i!9T^C^FPK zA%1B*Q@Q1cAXm?kkA;0x$4SGQbI*BQYi_?V5q)AluGk|p*{3lIv+hXw4Yq~vo>aZK zr^Spp>qnHGCgYsb3vF7Nhqe1cq{Yv$uJ}*1VIwSzVvr6WT_1J~{fyTl$} zZP9kb!}IaAHK)MpsH>eZzLXJDqfFYwG`7OwD3;U){y6Q+1Z7>SO=4s^TK@ zWvq~W3~AG@pcxv>qx;@}^LSt8wGRYWE2U~Z;I@8B5@x)=w7bZYV&ChXc1cgDhp68^ zO(Tg5oJle&-)3o9rL+V~s2vV&V2Mp$wx^#AeZ7~TG475H>lMb`rM{Jt))34(gL{eC zAv8`%1A+~3;GsQ<#(+0ZpZ2Gz{tLFqvb}6PuL~M!OBy*pHJ0K~TQ8`>k8>D78ns;F zU{5)y!;`^R1Xz%3(ks=ou#;@kn=;x^oM|9OOtLbiiS9La<|nrg+;|V0)ty)hBygN4 z?bfhd)P3ret*`pZK?#4ic1Wm*H zNuhuwXzNCPSTmS-a5`Zm!OT&eX0}TDuthf5@;MH2YV}v2W&v+c-OE`Ak%<_@$Vd~4 zv(SP&JCHo`Pf{NIdWxPo{&|XV?QvW^bP{zu{@A}Wp1EtU?W`-OmYrvOFf5c`6ejG! zdXr%rIUpZ03Tl-ipKJ3nWsmm>(tU5;jIdZ&H!Zm{Vh4zGWpVbKqJq$a`Ld#9&^giB zqvj+r^-i<88!LvRkNWTdtY2s7sp@s4eiI>w~}<`FNE`?sj~X zkb8N>u58u}2bxr`X9Dk+!3SSjIwOiQ#AaSeamGxKi2u9T7G zLWlS#&QYCuohvH_X(H1w=1D5_N*dgzJnb;R*nYrm*>F(Ud?F8qxQJ}XA^Lz&90@Zl zlx6wTzHN=;U!ssthN3BP;?!U7s<Ve*YGoDm-N^Y32Uo~J2M^S+zeY|{9$NEOiY=*t6wm{c=f>fQUlEED-d!vl zzxJk2pRfmVO!s6%p_NuShc;oG2a!Ro*jkAnzL!|1H=(2hp7!#qD;+KvdlN zBi`zmHOZ}QV$I7AS!*B_LHYx0lm**l`&%-7tRg*mYpC)A+?%H)2IC8?r5RixOn0D# z@Z)6%fjEyBsc&7NPgZVFP#%lJPl9%_^e5tnS8(07p)Ohun5zL9zC`uvF-R)agpG{|PbHm{hQY<}IuHKp z@%(bRzgg%txr^i&!I*3xMN9Z@$#>FYTw|rQA7wj~KW*x(j;Z>q<2Vutxvs3bEYm=&djvd*z*h~&= z{(x6sF+6Sh7!bhDP+k#9Ggf39it2niLx#M1cWKaqR1H~4%-0r=+?_3lq@JlVL*Uof zS|@pa!ZkFFR>+K%=S_^npfhDv_cP`DTNZk)q29~Ga?HmGYmIw6QL0wa~H?JEGN)~af#o8pP42aq5!ESMWG{M0+&?5Z9) zzZ6C`{`ot~5b1&nd>sTkHi&TSPJz;txfoIQg92=28a8&W1CtfNlCM4?>fa6x$X%kI zOX%wDp?|-Myah_+A_3q1i;L7l(!=yqlA{LSGrgH)`vzScm*SePbEAldPvYC><(tm8 zFgf_7OJ1$9Qg&K#=l8BA2i}6^TA#~V9ZI0wic+~bTw>JMa-Lz{<#_zzY{tCuPt862 zdS_76+U8Yx3ls+m&wC3P`rjDh&$t~dVZ|K+9896u_AVJ5TU&lNmVnlkE^qx*^X;giF80a@#I!0faL7@cd-*kt$w`v>$(AL=nFN^z93 znZn>no=G@V@}88j!K6Hf3+UcK9HRn>S00X zsbX57%^M59Vm@3pI8N0Dr#rHyrMGG^87)tM(12HDCje86H=(eJsmiEDSfY39O?mV% zniVtJ&}-x=o;hgyx({)ZYrBAyc$0s6S|>15mJD;gV6Cu(@e-M%hVds?hD6HX{Jv^^r4!^+GhKTYO39xgt36 zu5$v7Vn>wt;OvOGAhof5rnrvC^R~$jmxH*lOtwpNq&!GBKVu{r!%#Zk1Ms(MD1cEJ zPTn68bdqD~tHPDfW7iEi==@g6I=Y<2DHeuL&t@cM-hOnF$hk?o_4Pi}38X(x$a_zh zC4b_=M}ysGp~vmXg7V746SbOiyQ3>uQKU`%Co3+D$PHbO+tsQz=KE`2)94f{CVmkM zGn}F;BT+|4r$~lG)W3?TO(2f@%QhtG$f(Ci)Zyxcf`Jo_{GcCLWH~rP(Z;$q8f$P( z*HJ<;V%ML)>4}Eh0t->$I2BhKxsJ zCI+1E}V99-4hot*OEm6WFVyYK`EZY$o-(a z+5GfX|Lm2x2-k&rXhYfu0c6*yGOV^n4e}5C$U$1m8e<*p4A&%v=N&l~s^0bD;-(Qh zP2{&^3)m%885xwsk>tMNFwpKMb~tEu^_H;4l`F^G%F~rchh$*lt7Z#dKiD9h|LEYfn~TMz9Z*`U$_n}!<^j{J8@iyx-29DQ2jlHu zgPjxa;?1Rtr_~bU%~He_u`-|V*`{bLh%MH&KyYR*2vR zK$n=#WWOokyF1WK4x}&+#i={5Y7;DOX@-MM2}57GeSdCPgq}*)^T!|J%WL?nDxQ~^ zjSWzIBr1Y&QFipbVGvR@Sy@n1huWPhWz2S6y-_i8#CDmfu2QJ@WetSTUgR`w-swe~Mxs(5lHb7e!;a-2epirx6&-;k9 zqoP7pfg+5vkg6AyF~x|F*RIJgK<=NW$K;%Uul?i+{jjx$UvFn|@Yd8jG4d+P4iUHI zAfiOc{&Txj&|fOj?z*lTw4!Wj)LyYESq9Zyx2Yj!Y=5H$J3CR!s{Q)QkEVg?eoi%& z?wG`;#8`ecT@gcY_k<~l*nWE^Dc`Aj0yE&Z=S@-`cX}bRr);QWrDCA-*tiv?+YkNk626}V-7J|}U|z@j zQ}dR16geOe5*zgusZK`mESg}czOKCvE%YqvOtuI4<8-*Z6`CiBr9%QqWxKzGI}VB? zM^Yx&WnWwfpS8nuFl5EJ_6GiPb)ecZR5Gc&>CHX~TH%l1Tu3c+qiEL^fWP~$lWD5R z!ue&WV5(5E8%h_i!aBJ3-AWR0>O7w2OEKu%#R+-Ngh^4p6&j4`6aBnxD9CZ`2Hvl;o7lT9Uk4ut)QU4+c1OXe=)()tD^` z(aBdBWU_%`nZEOB#t#3!5gJBwm?PSVL4f<&PYC~0dZtKDY_cgx-Qcz5udI0$#KGIBQPGhtY!bftdR(BXF%;jN#x-cM~TBkOg1X9US(b zlk!r`D!R??r1tE@L(S9%gL@ldH*nCS`RnT&m%;Fl)xf#EIv&`x8rMrVD8AP4t$Yw8bPxu@{t zoz(HP&i!59CX?fOl^HakKCm!#Xum5^D~J=_gxA8hqet=_L1gDMq})so8ssVka`nRo znWlhX!EWdq+mVmOBB!GuT&)ptuHTwbxpt@~ zGo{x+N0I)z^rbVIom>oYh_2R;zdp%c45 zN5^X$qXF6Y@oc6 z5YE}4H^sI$K8HGgpx7lx$;6$|MEms6n3hrf&7L zSVpjE+hUW=)>uV+TenZS8q})vza-wM{dGV+y@O@d^u*F}s*I)IZ%QO>2G@w=_@ zX!uR&i8}3K1@nLXQ!go;#SM#E#dl%!(C&gZCQ(Tf10Vrr<;-CM%@c!}-V_!ADNL(f zxXEn+h3Obl6qBAwZCp!ZRNU@5Y%s&5+GQK)u8Kec`CuiiLPpMXqZyi0JTsz9vTb+p40OHE%)f#z(5#` zw<0D6O?BwPR;=pP=wwQ#&UK(#Mxu{VrL_OaLopL{ip9IE>n>DBFba&xuS=4o zSbK4~hR)K*onQx~a~BkNoL3ZV6UBw+-e3o?ngoqQ4H!ITm$x@cO$ec+G#F%eI~Xm# zr2{K$cA3V;wZd5}it^bsTOo-qChT~=m_#$|K>?)fW&hzwja?m;rHBUVl=v)xV6;y^ zfozR8{p5q~6$MrTzKvx+Aev02QiCKmYBqU_X*~Q0z`jx>(0|EoK1iCQ;jN~DrS+Q1 z$Bv!zC0P~o_$~a!#pcT}=!{9bO|}3F@myKJbV{uxMZPH$ndELrgtip+76^9EY~M?` zB>=Rt{|eeO00;GK!!Y>CK6#RyEpmlxO2wGnyWI_4NKQ0M7>j8<~{f**ECPj7Rj) z4_^m1^&+_!q`OgBc4T%knnKi0*kNlC;sO(`!CZIiU!!TDgFn`52rX4$42mu*+%a?e z4b7pjprlcAFdHqg5(#u`oGs2HTiV$HC`*>-iv0*<1N2BDV3nfuKt%s5&|HcnY^=;X z6B=-R)WL^xpOaTfBQ86m)KUoPnpIvr>OHh$TV|W%Pt+U_4o-{!{=SV0dgA>3{ph*l#?JO+yYjwhC z`Tx=ndP(WN-Q^C-8Z#@uq8u1NXs|@Ox@D~H8k#KRJs!V>Q|pEH7?Yl*w^9NJo#*pP zHe4Uf>+Da{_3L^an@i7(giYL;mP?J;9@rzftUKi!=m&FQ8K+wwVLiM1Mb-a9oz#&L zf{5#@S8P#Qo;|h%DfN$7(nd`Bwc@GHr0oz6N);9_-B8EJ!4W13i&o@nKRD``^xe@B zHH$Q{YU_e{fhYd=sDz2An$b1Bt;vSp9h9FcNOM_8?Evx<9sou$5?Nh@Co8b-%s@no z^G^V4ci>pG{wFuUUUi&oy41nFy*sw86VVp?CGTZbeunj z*;X2d$s5f#Y@_gFwub;B08(`@H7nqC5o)UBesF~KC7z@_ph`Q1N3`RXZQXD-lyG&A z7S8^Cy4w@ieEC&rfM8~)kbBdMvR(rH<^H}WBi3}7X*{9<=xehIzsJ(2L_N4ijXg-> z-4(?ybfaSd4)UgNU8wBZHAxUUB8vsuGu#Xf;k9$b0-EPKb7ZG4J{@f4$(rW)Dx5nD zt*Ck=h_!fQy;l6vwSO4=xQ`&b(taV{=58^*U#ex#9v|2kPk3QyBdLpM9reEq-b7_? zcB=l5|L^ht3$s_J_-p8af1idp8?-PE>bC;gVL-NGAL*N@tNpr)QGKrO`}lww_*-p9 zVSPwDPO`6@%SgSSG=63eRP?85c<4xG7P!Z~yQj3}6L`6OA^+e=xEF;3uQBMy*pn_= zNI&6Y%frUxmT1plk7&r?-;q|q2>##sGC-Cs--|L9S2OMdL=N>nMgEUawTvkMNkF#0 z49TciiL_CeyXnWf#uB*Z#ftk5{N?UECfQ%8R7=uY&}kStAKHnOceav^J#CVd8Nc%V zqSwk>7z&vegUdE#|10_iO0-tF_CQr_4wI5-V#LzAzAErjgVK9gpH)j1)79+~RMCt~BJ`J=UMQd6kq_qvL zTz3|u-KvyT3B({%&svT!c66m9|%Wwb7q}^i$Bq^N6&{* z(B*$C0^QP^1i^2kYbnHT4Mf1L5?I>LqH&;Z7>`nH@3R)~r;X{`$Z`sEFOiW;zC_Kt zO;QZ8Le+vCq4seUf~|W+Xvi`mC>cZahlP~$RmTWX)I|8Yc3-a!cCQ^y+P+3DoJ9u4jDoJ`g1B~tifNi>o#L0q2 z(TO&v&Kxh~<~esV*(HhN(z#*@{yb!nyq~t7ZfG&Z2p7(w#aWJ)3ng4M2PLH=$BZc1 z8abmT(x#zAOHyMD9Xqx}5CIH7B?S_Wd+$KmP&gXhFyPa^VeD|p`!zWbuC|`&u`3E} z1Ox2isy`4S_$N%gcRF*-b^wwUmAc21$FGPJ(5tEXNMy?{e{_Wpp!PJg^wi}{Jxvw} zbXn9VTJIoj@$AD*Pb_PU+cB2j)9!c}+C(u)#*CeCyHpw0$iyd1wvPOkf%&@m~8BzCCQl^YfGPwckNt`CU&ot)8qst=RCq87wv{zdwvvU{)#8f%CFRIw0Jp} z_VZjpXp(hNQ?E`qa|x|z--VcBY|tZRVFNb4mbOjBye`vYZqztTVUn-U4c|=*?>ZJP z6|K4zAqtY#FNK46sg6=S<;E{p3Oh2PXK%GQT+D_R-uh`?Bk3+W94Or3)2)Zw8|k+1 znZY&`;JlU;?l~-y!sLzcBWN#dP%z6)*5Rx_Ty0C~N1pVb6L><|FkJS1j1|ynOu)F1 z63IF~^3E>!JO*@}GdA)Z@4P9i7G1fP*(bU~Yn^N3hHD`WJTJN(>ozrKY@y4s*C{7n zmdr(NGkKTO_njI>xH(vX#M<8fbh(D?iO-p##xH0Q9iL*OMdY2X<2YvUrO1&SXsx@O zM6tz^xZJyRaCJ9}kTLtv?vU84H;0chjzm7y*gTzX994UkAezU^Tfqb!ifC~g#PLu! z7b452;bwlmiww>8CEnQ{TMZ0hpmMTTq6*pZ0FeWehg|mpUsd>@TxBX4H%en1(6Hkm z@2vC`E6w*4*_#nH{32TlJ-VC%>;qYUGjUt~+|w@+*Jm6GnT)%gNL)2;;O-{eH1ob1 z;(^{&YB7}vA}YDFgq?@Jd;Vbw>7#=^2}HYtj8IUlZjf3p%>}vTLhOSJi|57q7rRra zv)e+iUA|J7>7V0jer6;efgKL@KobB{SC~h8=E9XX?u^(I-BFWMBt!`UVe+{9)*8gm zwIhZiRyS57Z3)X`^dN=&ctPjjl_51<@E$)ya8$j3V&+^j$`Mp%Dt1 zT7LwgZ708m{|3Ls4O1UFfTW7~K&i~g;+Nzuw?_pCx>cp`?`fr{ZY|9b4O9A#bH)s9 zHKafT4tm@)GG5ez5@HLmAYkf)L*QFQx{hjdGHXQP&cu<4k57&0y=RFP)^M!loqmm@ zETkCd?+`@aU0x0(hy_1(A3TV6N7OXYeq2+P^%*`&V_1_!aWJ&u9U>=Y`fHSNd!*R~ zv*B5nq9?%UC^8ZF3|htJHM{qOse3)FmzhCQ$~E{Zh8t57LgN_D)xJia~1ZynArJkM`dZ? zkH(ryx|VYG=TLFU|CH)ir5N*6vzrd1#7;1f7kMkQxHf}w;7pBcaHBr)HH9$&$f2Xc-nM1))Y&T zi5s(2nRRv)PY`itoO#ud?@`7qNCvHY10( zK@ybXr&OVOj{ffwL9KG-v*n_X|EJhi<@7F5JMMb$SM5J1LonMR3@Br+{Q$x7cHKI5IAz6y?>v@&vzr8UFB>)8HNH%7DKEysh83^ zJ&~H(Fjd0}MW1eQ_nR~675l?KqC?0AjQl4l5C~}zq$AJ?%o!)8{l;IvXhCC)G>00C zv~#e7?`~+(1IKAO`}W5g4!M7r``l?t^#}a%YxN?2=6f>OnJY;`#~N#NT444U{S~%S za2=A*W63KLY+g*%#2?(T9~J`Ave5E?TM~&-N44bQ5r$4OATd}Sh{fQkv&O1PuF`0K zqEC+IXBoI(RPvwXd0NBL;3k|tDj?g`X9-Bw;wHOL!f;F~go!2v9f+GqeP>sa#a11O zIV2%UmAflZKXiNd+fAs<%>JN=8x?oVVcRUdL-}}Dx_a&HT(-D9=x%y@4%_2PGQ8CT zUHvWbWOyIPk|UVz)K@bbn2Iz!?5>s?nYsr(V=dkN@~M-n*VSZDAzZQ;VNhS-r(TSq zX%@Bm=e*Z+V>_kQt(z#RL1pnUGmuqcXnR{kW9ilpz{G2i(O+{gWrjr3>%Z|;wT+wv zf6Z-YVVs9iZ4R#8g4At-&Yj;TUe|{{R(7(iB*$Tlxtl~YR<7P~bI2b#DDlQTLB@k( z6%!_Q5Yf5u#Ce!fvTZ4ca#SvNRfy*?KAu>r)XXZfE^m3Q|0}hFs0D0TX%Vw%TwbIi ze8`9|Zn9T=?q~{Piu6vznk$E-{^eUeQ|)olbh}2V6H^s0#}Aixn*u+gqL5uPxnC`O zREkbAOHP!uoi(q(E6KE_>${rTdj^#qe6ViPfP%AL%aCEs_Zlmgd4jO4g5%z+il48} zT5(M4+)6BYmBX?P=8TzA%7{Mq^OQ3kJ0<-hPprDi423N~27RjJk$Y;C_E(CEpo{Zw zLYsM8A`5I`+OU+Ks5?4WZ)YQmCvG!%SG#%6a-EqAc7g4JVyGf%j*`sm-oj@TuJNmS z8UmIBy2OtC`jCvnFd^cym#6oQQlwW<^q>NLhE}l;4Pr8usG$K>%S)gRY@r z=j3>1uYcpC{jl$TtaH~C%!S1ZF;^@^XeGK_#_l)m7^ ztYzX?!`~aNKIG6EuLaUVc;($+r4c$ zU?hg;HUF9pEKz-czbDcaWpJ>qFups+4EY0FZ|o)8^7f7ykwg=G=Fg*0ZRDU)~!Vn-ew3MG-;%_@*qsQxiR z>S=Pkim?ABmx%0#(5g$MLWYS?>y@f|$~)5AEDK54x=dRv7hF~K+_-q^K6KE0NXuh+ zB<%siDAQU~eJQ}M{WD>6Hro8?-}c1m+!!oP;Z7kTp_94rbKpY&;blSI$J>?nuAj%t z(~bN0m~z*caADf+SLeI$_YLmx$G?-$?WOIYi;Y;;iE=JtlgIf1A(R=tNTpEiw#s0G z^bJYaGNmn6*zj!lF1Mdr75ElK&6Wm7j7sd`5WdfdS7qKr;SuRFiEg^qM~wDTI^8I7 zw@i$R?VG6MO!_WJfN3dxGpafSuT_1Y2p@9yJdw(!>_UYXncQryVai{P;7xJKWw?>K0X1>q zRGzkWxFDHN#u3Jeho%L>IFZ&oila)S>|88D-Bas|1GQ4n(z9mnY>Tzia=Rb}-Dag` z(@AXA1g1{EF;8|3%QsfK@H=gZ4u+2LF-}srI3^`s~Z+m;Gh`>ERy4#63Q9;gD zrSQjw#W0Qa=Qt*}z23ehyCqItlNAtl70vxZDrh>PHStyfDOSPDHU|Rvve4giG9&n%F*G$}^+lAoxi;b7Z3Cq~Vj66F#J!Ia}o4sAG z>C$13xew7?Xhwvsk{x|TZ8A}5i{(HrUWw-?gxE!SMjUUeckiFjOakiuH<>(3Us8s( zAqZ;nt=7;GG>Xo?Rud?_!>&Kfb>TzqNz!kz^k!jwqy1rk>?T*{=|NsG4=mAt_FT_qDHa z7vQm2h`JdhHvxA-c=GrV8j){}eTPvmsgLq9%|w z%yuNLEirnrtOQl~H$lX3luMNH9nIJM?B?!$STIYvdS>0GC?Vz4ZBJRqbgTxS8I5U(7K?mf%!X40)G2flm zf{aw30XtrxE3#$y6`R-lna{elK;RXNG47(Dx&N6Ov?fGh=1k9Ol8%lvNegXDho&P&wPPsb zAL69MK(octWXoGf&c-*KWM{XHgO2<0A~3~v=xX)@MugQR3b&S^QOMwl(G?n%Rp)O-CL&U_-ojyWR-iF3?0V zS+iYe@4?@!a@9P}`xTaISOh@M)NOT{Z4=6O3e34{{Hsh-7U*di;}M~OCxzS=^@*8? zeo2I+n{@Bc?0StwFhl<1_C;ZTaJh-ow>I&(i@zC1Z}V>6|8)N>ix*VyS(B*XOU^ ztu|Bz$EfX*7gXC3GQ;>tw%_>-e7z|ha|c3=s2ys`!MJ;K$xoj~)b-7N?nF>{x@V2L z34n*2hN0wNPxJ2u%B}j$g64f^6YE$khO%1%0$2`8$_ank%0Qz&pLKCoNRhBBs+F!c z(QhAW^M`yCOXT6gcYj(LOC4;RdlJIFl_@esXBV6(%T{1C6~nFjK3WT1V8Nv1p~}** zZK;d8U2l;ZS`azPpf_qqjg2(A%#@#*JwF>ya)bxtkN38$CZq0*B|%88aw)cw3B}m7 zH}8R%r*ohm_#;w~ZN`BJy;r7#FpM`j>fnk$BtItZ$~ku#6K-lpJloFuHCon8lt4GS zz$8xFvbbydhN1K)cV?xWkj+*9GE_gFqri4Q`Igcjj>N8mSx!TAgZ8Kmh=IL9(&$f> zN?yful%{{YL5el$_gkk2EP)5C^!?MUcF~zlZ9V8O=@hE_E(5pIITcc-`nqu3F!%A8 zEV^OUymFcH!P%bZr}^rhW57HO$$FEJwjcgcA7t%;~`N0PA3cWacyS`jq8tsr=UKbEwXsN9J28hvG1|74}{@_V_FH zUVC;K+H54|pUPCuytpO_F>Ltj*_PjAgqO6-Uce{DFZqgvS4j17Og=m2Ut@Tx#I1K8DVpIc z3}`wUZs73%a_R}MG^fuhsE~JBGuwRubJmq4+ELz_^LN3s1ftx|)l+H;boZk=H<;J6DSF8=VplqWQ1uiIxO3heZ#TE(Tk@dz^>_D{3|(N`SaZ< zSV|~QA*hdLfX$u;K!}kC#&uG4-%+@oRyg@}HF3TPDRf-0b%sUU1Eux-J~&^?moAem zd?47PUr(Q3S|8cNIoNn*z-SH05T2wM?!vmHNb^E`oHrbpbL}{892y9TS9fr?Cs%#kphy@T0)67%i^CW#R2cRWY_hdOC_be=b?L{N^n#6azisl!A zR6UP75__&-PK$-boTiKm>^vB}v6IB}>AsO31Y8yWa_aWJqu*SKaKbbvKU-O?odt2g z1;%Boyxb9@98TyI0^!4MiDTRRd>2`fn=P?cbig_Njb5SiCanPNiI6YM((V5Y8^o`5Wq|$}<2=tlJbeGbp6=d$sakr@{z@jy9JS}dTu7W?HA?k(8GHp;&^RFD0n!iIb?qq4auGv z)jIf3<%M$QaO=$Fgty?#9NxT{v1_hEV+h6*7i;a`T+ZdAMt0?w7C!Ix@oxP3^xYAF7(h5JA=2~XudHe^AH6p2Al7}g?VNA^j*o;)^ zK5v_sjS}-fg*vutwGIcj{cUck*H}fDld_i#ejEyy!UPhj!>YQ&SV5S@SvhM)cRKBi z;n|kd&MAB<&ekP|NODxNfAnJ0d|dsw3sZX8Czzg0h7r+%1Yi4P_c)Pm{0!b zxL14bOWcd`qcKM;c~p`FHKW`#5HLfc(22{!gJDqR#f1cD=w~WIEd|}@34)D!ajT_Y za%i;*QZldb{X#gc!Pg`B^U%ZjUG)%lkSU3zODPhQGifm?!&MqhGV zj~wd~>S?6;N6SANl7a^}@v|(A5wz=#`7_B2d#I+JRsR+i;Ow@B;`5{K+FalmYKPZ^epJZv!6ccG8tB^7jEUNznK1PM9QLf9lx_uM| z@OEM3X6DgRPrRpw9=gKc*psPAFf#0gNUog*ejM(fZf6T@f44 z!}-p(BE3Nk(eS{E47hXnW5VWjQuV)N1Mm z{Q5A8E?s8{^_VG6==aQToQRq-GaCaOZw31s^X7f2w-7myoB^F1#*x&Bppkrca1pD` zbwSclD%Y#a^U;lY>ErqS>F!RCFje0bG0AnWpr8N`*>%FiPFLG|WJTolPC=5FaPoHB zH)$VX@Aj^5# z=e`^T))=v|h&zOOF@%iE@2jV!!LQvbhhO~P*GICUFW zzL;l?zZfs^cd!l;LKuwVfi-Tq?9m#8&(W9Kc#lgl+oB4f)zb&cYkg&KMQ9Q{P8K2q z*;&xa_9a(H$$L?lZu^P)|?l$dBzozP0&=5G?g3OtJn`q zANAV+2hy( z@YNbeA}zP-;Dx7^Xqilhz$<5D;=<)*XVWH|Nu$SV*|}hw`|`EMLRQWI&Fxw=oN;y@ z?DSx5EyZH_JSvH*UqAmX*S^j}H#WaWpE+ zPT)7m(3y+V#8wey4Cqt0=KSUAQ4&H0g z`bFmYy-OgP9CA^qA!VycS^7OheJFd3V&M23hKiw z7l}(88j>Q4pA0Fo_&YwLVCZEJSt){%3G?hG9?UvPGmi?{i*;^ms%8)7dptdPdNSVU z>6j^x0F^r9Qs>tA?b{y1#0pqm#GFP_yQc?f6E-=pPYk+K&^2E1;qt4~7f)O^hmIZT zSi>XYSuaryfhqm&XKyV@L#vh=6gT+h$)>Mb=tf#LSawIct@k~~SHV!e1CQK@w-34X zu%=YFWL8xXRS-NpU=f7to+c&PrjaU5@7ByFTpIZ;{1*kw=@6|yBn#4&S> zVP?*lbHHv%{`|h5$HyPc zJeO;GUe9Yg*Wqt6U4AQVzMpQu-S7F&54>MN>vU*jbsl(ge@J23lp3G#rf|0~p#OLT zZuY~(Ns2eZI(3sx&!*aHoU5g2A3FcR)AzR6Rol~AH}AOTr|%AyJ<}XlUG|QUxl*Zc zOGpkq;GEt5(4f`suBzcCwYyTJ4ObrPIh6Kzp3pNRt@jO9b+LV0y_WmqDJ2 zY6+aS{&bVc?RN{^Z#`H@y(U&?;`PYQ$xP!u#hd)LRB6fUh@A!G`ji1Lk-osq3k38M zmbgubC}QJxQbl?K&0^ODel;1&J@P@IGdD)@;<;1ssa}%NnYToMIRI{RR zQ;VjXih2LJ#P3hxNBBGEw-w4w>#yl=7b zG|!irU;Ln2E9VZ9`DA_4d%@2w(^45v&#T0nyBVWC3IjoQcoUs>{sW9csRXl!lwEcb^EW8wcg3n@F|hr+<(Q zsl0l&)F$GY<{ICb_76-l+O} z>Es}nZ(YE{^os+G(oz>$@i%>+<4X1hh=-97Z;dFxCd-9c|CV?J_x*kP@d!8bJdeuW zeK)I?u^H{5iA60T=5OIt&uVh@*JIhfw%!c~vW#EE zAEhQuufGO7o4K@v5!9Ex_S4h-WY^rv=T*=m%AA`nx`G@Vp^9um!{5rQun~KB42v7Pt7CMt_M@~3K)?uIs_N2KDgqe zx2t|_U_f8xYFp>L`#}uVM|=I|QyQGE;A_tKPYXIDuGv?+K=XPnmCS^HRG+tAYrLQK<=%tz0#!q*i@&sJn%x(XWvR>V-d>Zj z=c0jNu}7A}t*(U2mZbtRzA4Mkgi0>d4ZD`K_}<_o+2;M949^>!1+waBVd|>~jM?7C zSFfAY9WqM_aA0@|f#PJz+_p}}PqGcJ8nuyLad-jXRr`}42ub-%N2%CWb# zN!qi9N~eZA3jT2=F?K`G>jHtEo?{IU7PUuxzAMq*;4J#3egD#>;<;L{_vl976py~@ zsBkVWw&>m|!Ln6Sv}&&(B}}8t)9nq;Tm4?g9j3k1JTf!iJoHKVfqQ!{#O0)2uq0^A zn5(idYsw?)=hrbc9W=_PjV6k_r!L-j%B(6xu>Wf0l-_mg4ziT=uZc$Hp2`qSHQRJ< zfydLQ&X&eXV)|Q5_E((I6*b*?I;GcQn&0%N$%xY16GtB8HKyRcte@sMF)t9m?N-Ls zOlN5S-TfYl(_QV5VSaow??ipZ*?je*_!K}uyoomS!2=g|dy%eSsIxus-dS2nwxWO^TH zS7F2sJS$=PD~G(&`@XnM7X+F4!CjM_s@)CFud05sH`t`xaAD@R2bWGSowWY4Vysgf{pPL} z?zXZwmd)67vT#=MyW_=|Y=uEw)2Vr_vntezgGG<4Lr2}e-p;UK)7*6)eHvKCS|D5= zQbJVD>76D6db^k&xzkKMpKkokq9pc`sax2#Pj5vo%p|>joHJW?o)SATymiT*6020l zlUhq=h=YpWb$^;n%Qe<~+o}nZ zVr&G`4BwQ;rUu&wO4qfOJ@C;z*K@BXT`Vvuk6ripRotZe%7d`x(Bp4iqIC`5+1cLK zDeP2AhoWXs&Ahq7Gep+dhcmA~mF}E9#p{^Rvn^KlK4tiAwC%o?bNP8*-2Rla=KWPe zw;DqCKd;f~PmGV%?o2ze^V~HF<=xN156!#a5z$_->T(LLKiy;jg_UZ47npUoM zUw_hDeVJmUOGQc*FnH|<^UA6atM|+zm&4J`=n|jB`de92=|9Xj&zQSGxl~E+8lkr| zuWwhG<+WZ;8| zez0qD{8HVrlU1hS?#BxW4Yj+z(S&Cv#IC~yc)gmK5TSKfRodEPt3t%5(2fFo<44n8 z_R}{^7kunZFk7^zU+~E{f!;WIs_vrtWvwS@S3=0&l~3Vpy5`buJS=+CRI+i}D!Ius zE@!`tnjrPT?e^q_X*q{vr#^4C>+;#|O3U}b**H=krTplAUDEctccx!%xz+b|t#?_L zKN@x>+q`4PtnF`Rdq|ZF{BS&W+VX6{itrU#>}z)OL8W|=!jSEr#m41#B$Osd-MN3s zK%r_z^Qpw-Ne#4UW}t!)upGH3<-qEb328YK6#YQku`#c6e|UFo)}&h9Vu{-u8}=Bz zR5X7 z8AhJ^Bd|l$L%HrDvjXQdX|IT4#J`-q>?oVeW zVNRHK*b+sxb(iZlteSFpie0K@I{RDRsi`KLA0BAcYh}Er?xCLCNhY+F>XZvFRs7<# zlsXOGl}!`;@a=%gI?r*K{xW^co!c;_NF~zsNDiBktLr8}E;mq1Q7rPECO0+s*tLc6^XjRIS>0&MS zL9-M_PP)h&CMrQUo#n|co2)#;%2ieR+@fA@inf6h1S1Zq$7?dSgD{VkXY z#hrvd4PDJhw+d$8863#h82VxwBl11B`^WU^hLfdJ(PwWBL$_tk3SZ#fuoE&kjwf!G zojX5ux<_)lp)bLVZI3>%bWPYG#Kfyx)^&N!{6ToT?C|0cWBO-@iJEc}-d_y#R}%xu zoC~eXgu~RQnC+_drke*moI5XdcbjwNJVsO1?UVQGCX&T+zZE`-+tIx`a9M)j$BwqW zC5qX*8|PJbP1x9>b8OSQT_>K3Ykp55pQ)XC==oEc&IVX%GukX{k}@u)RiuOl7~Cy4 zwYhm&`js}6#kwxuPrfdOnES_t&tcbI9MVl)%y?s?5@V2s6f}nv3F)87npX8-h80<` zZBbpr=Etv&N2sVLd(Pa|+Ol-ZicL!AKXuL)N{n>AMsfNeQs7-ms}J@Mo1<-0tJ$~2 zCpC_FB(6|H)iCP9O|lPE&>7sZh7>DW^+RD9n)CH}Wqb44?f2@oN-3;3OtNEomI>1L z#BN==c=iXD{6C$sx0KA&N-7ibCIanGe zn1!#M6%-+-K6&HKZ&JbN{i~mIZ>Hon?~psW>O)Ion~_{m+EyQTy%z zH&WaFIpx&OtEysAY67?VRq_fL@po2Vo~%A?agHjn0Kc#@CBO9e<|PN6&zde(-}l&% z@P5+@iH(hZmbs>jR?`;jKd{20t3~(C;Ff)HDl>2IeJXQ(xsmC)t zeoR*r+dkN$EN)OqX}i2Vw`!|%heI$^D|vHv`-}oFx^__Y;_vw#ms+OVJXfRIl*u); zp1hxg+P!@D@x+bpStpw$+RspyUvqlWji(NU30v+f4tVY%c~i9FRbATRBi7aJ(?yF@ zZxf}#tf73O>~2-7hc|C}87m8VEuQJ2ZoIj_{Ill~`;HpDin$lXMx-K(WZT+^> zz~!^M-ahGSWxM&jou5kHbtC3ciI7{#E(Mj-q>cfZBL@QnpRLRJ?h~_a!-LIrao4}$ z!jxAAG!g01tgl`QZS5yARt2xEtx9YQmCu&F=BvKNv2OOI_K^5VN`A(@@67K%?KIli z48;?g()-NcUObxAP&N7MoeSrfYRTfpP0Jt7^Zw{W2>|=d(zbxMNAjkIkxDCiUP(uq zSMG2ujD^XTtNV_3zbLMiH!QiLaHH_sRr~Wc;u#n2E@AGx=*JRydB%Tjf!u{x(z{C4 ziXOB#1oT&(n_W2+OJh<(r(ap+^CIo*(Zb0Jr^2AekPZc!#b?e39=n^(PII};uqymM(>b~6f$seQ5kr*R>k79-t0WVHn#B$W zdY4;$3~c^V(>7)MdUkeswn2aH)g5NB0hicbU$5)48;=_r#9ImMZE$o;eA_`hvBD(i zl47y1fX&jW@$#;2qL!a8>OL_3(ciVj$ZZnz*tY?{y^XUJ`Hw*mXGyI_QxlM#G{iQ8wi$krJT4G{luO1qepmx zMPb5{!Yy_Fx!YfQ>dk525&z5sFIE|JHdM=&x~b*!Kw_cbV07@l?*o&=6+-6pN6olK z+bKnT^Z2w)!;R?DY1DYhGfS@ueZ0IlddUZmTRYEK?_Ir2Z^&FiJ@2bkzgfleX>n5s zgZ_P;S4pix)Tyg5^<^6c487K6Ys?IMNn0R8v>}vN1-`sW!z{h02SzeQMon$;uIoSXE zCIgzgt@+Wc`R-G~4^OmBp5=C;MZ|r_wan^ z)<=;Wi*<>3&$}XmwKeV8ul9VKAJ=YmV8Nzbv4M#`F9b^1X=fZt)2>$D$f-8Hy0rOb z^!b*Xqz_RJ=fREFGt*9Abk<+a&fZ039ok=**Ch8S@q4Y}AzPqgv1D@5*=$Pjw6Mat zUmnTX+%U3=kTotZ{Q+foY@ceka#nYoH@>yGLf4$7V!S_X)s5TpZ_l;=v1#Q(kHQH0 zUS?0VXHZ?giu#wPuX8`Q+2rTh2O6B4GwWW*{eL z*)wR-ww<$Xe4ux0qtc6xPEiwOv1(b_Ek%#stjpEu?Y9qN=bl$?{(2{6#?5W)I^3tg zSkKtC>;iT}e(EGPTTVgi!epgq>Tj}zEvB5f(BeI>F4p-dF3_lO*2BQ%vo44}?JIfV z7cCRA;Z}s(>e{l8H%;#Dj%iho+pe_h!>ZR6LwSwI)3iD>8XkVh&EB>ktEa8cRP0g6 zV3zN|w~qF5t@ms8#q8gbdckFdt%`i6=$h`wrXkF{K;6BILb*%x}>})Ku zgK_Ah8pPd{q*OJTKwt9E&gkpYyaO_i;?f=vnvTyJh*)B)Df#;D^@=BolCT5)@dc%g z)2`1-k&R3*VyNG2iMPx@`03?S=iIU%i6zQvn`c|5#zZ|6w6b+rQJOZ5B;J&>Y=6eL zqf|m>Ot-C~fAVqY*1|G}d;NQN7$oVqpRJBxA-}_Q#nQVrTb3KDzl#-9LkgNFTFa)r zm+$iv%iSVd(sp{5zbEtd!TZ)T4j+BwWsn_sNY|!&#U8B}tlp=lGp1cB@fA2F|9P7Q zEj>8hd1k$xWxl|B8eVLB+(fy+#M@feOHb_F6Zg#avd`9%(~Y$^6lvYGsk4T*&w?*& z#HM+YV}0_jMTI?;-?+BqQ`(B^nc`+?mbYixc6_(pTpvLf`Jj1kxBaWhHQNboQEs@R z10Tt66wZ8fp}l)8`{U&rf3FAgL5r{uv8-!B8Cn{Xq4adG=QnmeJ%>Nwe)WOuccX_t zL_Bum&h$s!erkSi$$~anhhEl)SD6`ab|tHR7_xY?=Flmdo8Uz8fzMrgw%=;bcd$;6 z>ccl2#pmi&N3i3zF_#D}Oqg`KC=ee5>&TS^=8zlS=W6*RNw9O2-0!g)LyQB3PA@;& z_F=+}@PYgNUw3VdZEf@<-3yj+Fnovf&=53E%4XpY0h-kjzimQN_9{in^(5V$U!9Fr zbgqdmo7H}1--~VW^Tdt?Rj6IO)V($x$+1o&hB}g6-lZ$0CZB%csBljqDe%e3Lvtn? ze7Y}lS~}y0uED!^vQ@$PnR|OKrsSUpwS6ZR5sF9_ZJ4~TdtQ^Q>9tk+6HgxRI&dQ3 zKzRM47mufX*0`~sq2dtpUd(EPaC^Idhti(iX8yIWce>)w>_2N_bdfdqX5;^C=yg%+$(ZQGpQ!{ThhfM%F8FS6FrvBmAl?AVzq{K!`^aF z<5~YVpTuILl5Q0;x4gp1!gP=9Cfz$_YrD)YTd7-{nDMMxo&sdTLbmA7gkrYyR*zPjC$EQ9~wFX>x+?9gU4*U2F2MMZhZ}WeRqD5 z#PdfMllm%NxbJ1WtbRVV&*9a{_3_#{i8A}CgJKpln(7iPX5g$F-=B-OXq2~-71^C& zBdentRI#=S)wN0qaCK}5U*ED{bI!3_vNLmWG>TW8)bzzk-tCvYEiN6{TRpwU^>*;R zJn{Vbw%rTU9OL(O9P9w9oFkqO!si!05*S*YZJJEcdK~UCEmZ&zEnxN&G9MoPb{=I0 zw@j1GJSvZ~ET}m-`}p$5Uc%3!RWG;Ac6-yNd#~m7S!FSetG<()-5HY3#C;x)22xJv z2D4c3!b2i21{1O}&RQoW`lgnyWxU!!oNcmfy8pQ)XT>5AH*kAg+*kGIBF|Mb66QOs zJn6TpB-H@0KREE}o>BL`bY-tzdmHxY@MN2b3QyTRG4ScO+?{@@?5uMiWPjvJ+INMq z1N<9n*UgDuesq$em}Slnyd0u4`+RkE`$u+yl=mu;^VNB3uXfAYB|M)Px7FS5wJ7s+ zhTEb^z1C1x<|==0^?9?>jH`02&RR_Evj9v$v%mbZoOZP&UzU7(r@y(vPCUV;Ekul| zBzsIES>=|>d)#}Y?H`k!Z}0MH*EbN&@7bFj*;!6e`JO4W}}cqkDe7` zoyV`7D5ULG+DN^*U8~H1ymN7lOYl^MhctyH&laEa%8PHjha*(Gg{{`xB6F^{I7EHF z_d4y{mpnIZ-*c#Xx$Kb@MO{5ph3>A7qeC*u;&XK7Sppj>EA7Lt?erK^oIGd>mU2OZ~JOaowzge zuA1l@+}GaiTb&noDfuVLh8q{8$2$;$5`6DYHF~F#Xd}7G$Fo9*aZ1ZojM|lt_q!KUChB`<84IQ; zpObM(u~Uhr-k`Z8olsG?(VGO#nypu%C)=01{ret6t4o(3t2JBAEK4yJYkc#Qs{+DeR6nkTD(G%x{6#KAXp9c9-7AuAKOu8bOD`ZAuz-J%s1No+<&= z=}iNjMq1@%H+IuzZRr{~*;CuDJu|7@8}il8?M-%M(5hke8s!-`?CckZCQrbNmM}Hy|=4G}q(ah&&s=O(RIWKG)c53d+n7BAJt8eS4)ERi;nYI4j@(;14Ji-g-W=LB^xba9o)30~ zsW%-S`9=y+jSk7hEX#kY;Id9J9kl8l3N?9_ACOv=75yQrGdJ)>6=h;X5!);l_L|kn zKJqyg9*Xtqv^N;Ycz9E0vh&dH@Kyfr>n~_iTXp6g%W^1^b0B@MMDZO74pJ>w3j`zd zKB3tWhDj|qyi#*|Dqo*f^kexgUw!vl)H&I?CB?A7W8L{*;=RnR6W5qZsb4s;Fm%oy zi$eA~Uz>*d+okW>AFjR(V=j<8W?<`i&bLe>TCA`*Jti)s&@?R4SW84dX=R@9{YmGS zrnmTi6T5rjynap}u2}o6_+j}y_njSgJ2-uP^wP?}_DyUaqFm~>hHMp|;jDIrDQle+ zryyvq7yEW_)UkW5xRy?iER} zma}IC@38v#?CWm#2O5vFU!`90|J-rgh$cjrO%z#tiGbU$YmJk+9ii}Ol{{`!Xsv&+ zF|HlOxpWLkEVi05IXTfuGsWP#n>f2909q^dwV^5b`ie4Jk7#ne?TL?8$Jn%<=B>F` zz#DhZAG|E1{n;~p$K`!DzASHfM;ETxHaDVxFfDQ0rIP_2(d0MtrPdyccX4O0i*ZuF zLM)j2xwc>$oBgJ4)xhbYjOl~PL+lOOv^7#j$F?;qJIXogv@0%JsA}9J9TWCG_^3sJ zh1gEB_$jvUHARi~Mma@9Mv0!8AHGFe?90CUN2LkKGnXD6kn()m0pht;Ib_k*_Uf_& zJERWS$e)``ZZe%^5!al6aIdrwsg1*_ArgvZZIOX-=?wYir9@uxtMN>y6kLgT5 z(<&45O#hqmj&853>u3&fMC;tby`q`Rw_Z2ZD=1Xmvm(L$`Q%W^ynCXXEV5@OI}TNM z9g$ulIIT7{bnBB7SBmBbm-$vBttpA+PrB$UdKL-2oAY&gEUQtWQA;5?4++_S`dwyu zmeR9#$BPWRXQ=j>t7{*Ws19(mEvYbI{wT=MYTaaW>Pq2xNpHf?;rCC4MV`J+U0pN3 zey(z4>w`v%6Og)SWgEFaBMxa@qSre8iLwx!SyUOZ>f);dDsd%8CR{2Ktb8%AcxvoZ z;Z<|Xk=)R${o$96GjuK#PnrKPZ5C-EyHxMsVi)b{2dYh%e->DOX|{3am+yv?;`X0V z3SJW&QlEL+dk>djhERO477B zdWmsEmc3qOvnH;@Kg)|+7Bx%NedbBoQx?x>7q=G}22OS?HE}vq`E*9eGX!3WNJs(b(~iBXq6Ov*!GF-)05B? zVVmH7J2u)rtvi=p_es!c*{TH+l}lFrIC3y<<%es;;`wIGm|g34{ZO$?JACux$^B+X z+3{;9W8C(*npcNeo!TBD|MmTlv{C_T#8kdq6Vd$KNm}Dpa(nD*<9aGJL*r7mD;C|030=hMo2u_U5T)cPvy(4M~1GjoGlL%uUE~C2I#^ z-;&QKOs^e!XmP^OekHnt@My{BW2Plf`l5Cey{f(`rs8$QQqZtc_q`ChQ(H@O>YkIL z5)T}TUOf%1bWzTT>*{{jH~UPcT(oAnt1>LX+Ce~KjJ62qRn=R0ilfTgs_pHg@nPAx z=%fR$ThIsQL5|iEub%oj7cR)0f0}xysBrJ)?a}jYYLRQL%Z2Tq$xkNTQj}V; zWX`UmErO8_%J(*Qh1{r|az}kA^euJDKDXqugzxvW*Lu!5n)Twjeuq0CD7a_!M)d~c zWhr7RX~L70K(c+`izBn;U3PpI-)n!QGcjQLr=&Zn1*tNNVb2_K+0dM?sl^+Y%MRpx zUErpmrkui7+qHJrPQ66JC5gxPPpQhmkLNS8h{5)ZB)cnNpBDr@pF-PF(K$U*eD*gz ziHF%L>{{5DX1S4(M1T^Kw_Q~9MwC=h0DtRA%#`E%3WT&j6pIKX?qlpB%7&lWr={JY z5_xfdjxe%krp1}%tuqBanam)`1a~E@IKM@9C53#U^-9Y1HvhoD9{6B%um(#vRL`>T zbbOXiuTH!nOW!!cII8orR*mZV?T))LJ`RM&wH*}G{oGbVW4#HTb_VZKn;dht<_?3l z`J^1F<@}z+jvV7@lirmU%B;SVF(Fc2JUi@y6qz2<{(j(kH`y3DA?>277wePnlQ{4> z>YQNWig`ElMQDPW2vGEZ!?L=Lfq+>-({t>{y+X&*&Yu z+qS-F_v$zEec(+X2m47^$1FHiktg-#W$XeqADwcKxg9O`=5d$Tt$C~6UoX<_W7f1> zBd*k_{>{C>=5oSX&6;QzeIp%XA?vS)6@=^alJO_aT($)o9yp_OxuJLWa=Une$d;?? zf=|A%Y1(_m#BoB~tkN7iao_B?EgKI(UqY@9s=ZB>xoJwzIJ--1WrisuuYbtS^8LSlWX5`n0h5?%@-smyrI&nf09Gmve+KUYMetd zz5=QHI#Z-!b=r%NEVON5X)TnSbUMWAV+62E>|#{@vzD@(J%@JL9(^M7@CCXvK#;g% zfnaWY4!dq=osIOX#orIy{H~A&ANIFdgBN8Qf6G+;AXg9S^;x&cS!jod4$AnXB^{jD zpRh{zoQsO9lVfCb`P3QP_P!G|DO)MySy$|lWzc@y% zS@7jk?JBdKF_Es7Yb7l-<7txL!%7Hi9z`0i!kNL|FLr&a=_S4_y4U<<55DDV*Ufi( zkAD5!8MLSm!<+vXM_*GJ99_jx|NuolR?r$?c)_H_Bh82=tgY+0KOWw+dT}^hnt*H&H!U z)a|rcI?+1Ny?=eafK}Qik58$(KKGKetEV#`9+97Fyf>(@qqOa`UjF7c;!~BwO9vkt z;yy0YUh>h_a+9Q~d!Pl{wdBztz2kM{MK~qN_n52~+3H|cHREAv*{5=WvsZRgH%=v6 z`Z7$+!!+HOqS>pAu0Os>{IS=nCN4E8drRlzSKHUf*(iLCoV@~k77az-ZS$Y+>*+;y zc=_he_t%-QiKGJ?@;?Hlh|RjHdgDk!LWR(`?=SG>4B;ry(#&S8pX^>3@6v%+WDyvW~IV5?5|o^~`f z3BSyfSaa>(L!aE&nvF&ptnv^$I6);tW3%C4cZ+Q7*ZQG~^4VKi>vBGHT&rUrjbS*| zFof6EPp+F(|8{M7QuArr)ROtBb-KEO_0-#6ZYQGlj?1f(3cJXH^Ce2{>h6}%Yv+U( zza(AuNUtNjtq!OajH_Ivz*6j5y&vtPCAWh@Th?ja)C*wwozM##@HP-ly(@+Ufk?$7jK%V+;(*TKzI~u zThqBCtQsu@^^{B8FpFA^4lN6?jm!B+f z_)R>+BCMh47B%bYSJ!<5XB8fcwaMqc$;#83_x9Gn-u|4mH)c$ZADVvR-LyX3dB@Yf zld_AG4|oR1%~UWhbFL1syD+sVat@KTW3$4Ft@9%UwuZebO6e^ur8I1+zXYGC=*b;fO1V}|5K=4cH@?jFL;J9_JDvunVSqCx8iJp~N( zNW~XV8I3*Gj#^21d&!HT#%j{_4*`Ypz=oaD(}Uj_?Uo>_6rHwxyYE$M-X%{l1!RkK z@$Mx;C8WKU68pMlWF-jrt-m9Dt#O8KDWd&CWUG4Ugi0g(!nMgIqI2#yQ9ZT7k9&j} zE}!^jx^k(C_JQYjMJ$&aObjhJ5T{Uba^s1_f&QB=2Q!`$i6v|GPe?SHRMqYhUVN~s zyK(5*ody$+%`;oS&B=P#Vj&GqMvCBTo!eH*ay-y@3Bvf3Smvr^{z7_~M z9^>jFH*sx3QSY@O->Q(<^y}Z(1aDosaANksg^T}9kfn)ho+=r5n2Z&Aj zx8g2e?_QGLstab=ylTJN1f@jClW;$RZM#{aRXY{W;3NUg0Q1} zRl@TZx`MQi(4m4B%j133)K>)rb;WLuv2-~QV(0L=e|}N%inA;8dxA*_=A?uYJd1y=!3nHn~-EVEwv!% z3?RZhA*P&kxh`pAXG~*w-@Uqa^+t2er23`%1?(#`qAzTYf!PTnZxf>iESzS#SQ$1Z z=k9gz`S3k(|J!Hq@l{P#rGe~aRfOnf+p5Mjq08!}Z`FAC9L}6RO>14|UBCWM?|imt zMyllcdoK;TcNMyl>FKhK4b9Ge=vO*l(bFpFO-Wtka?L3<9hndNY8NI?+Fwf(>#jS~ z)Uz>=P5UmIzTvy`qZd<;B#5zByYH>tnxt|w)-fl*V{zgf&nTlcVcL)CCgh7R)t28j zpvRu(^mWI@eE9D2k1uY1-Kb8M)R73ev$^|8F_h{4M&XdghnqcTpt2p3wHJ<(q)%Nx zTzcVM@C`gvfrmHeCT zq=F@(M%j<%Xo?E#b-U-A=4BT~cg=5O{ zu6Md~*z}f(p_~1F%to_iR%_>*KF>Qe6td{)oW)Ob#Wr?-*)wm@Wuv$5BS-E1yN$mz zRver2ZlCn7-rxu2eg~ed5cnwG{^;$4w-4@ZXj;=?h}~Ne8FZLX+IogD3NzCac^%VOg$9*qgNog!ZvEAsBra$DWaPAX9IGKoO$!DW;j@#wR@veS0&kM7HOAeMVS6_ zW$-DJ%;giT=BJ(zN;$MS`n1KZw*17?9>O|4oi9jFH6JEh0Oki}4-3re2DU!~QK5=$E3dweg#cU#w@G{aoFu zZJ+e)qQoR}&D{l$vc=8c?E1cS&W;4D-S3~XO5&tgTLh!##<66BWHjs(BpkD)FK24a z0AcF#?azZ8RYk9xy}v0k-B`6W^xYC$$<9s5?M7a+Jshq!iN!yieJ@Ea%mgf_$+ziz zkvfp#@;T7i{J7kmEeiJch!JK*b45&!>Mi#2dU)0Es9^g03P2O#K!}+S6 zg{AQ42Z`~8LNbXF;@Do8$Jd>B{W}9p0D9=-*8I)h~qU zSSwaO5(Sa-TNg@az?DB*%Yvg~N~SEHck1+cdegP-60PvnrB~>$=WKtyWac?{O>5G& zoSTu=tR1tmU1%G_aMe#8$Oq1uO$jys4t`oD9ujZ6TQz@cj4+`@Y3mMHEA>$Wc~h=g z%gf+9)e7r8XB~dEfAgtj*|AU+C+NKZjh)5?NtgmUI3dZC9mveUxLys+)=ZPPMINLfOID$2K|6 z7ye%Tp|z{0Pt0%K59PsQB|=B~=Z@2}-Ie%1Vk#%F1fW6BL!yG!!)^0E+(! z2LJ7cg`gmFg5rN0*U!xTf8+}lOQ^g0wDwe96$$Y5CI^A1Sab^NgCjwn5EW)XB*4;Q3qay=2_O*D6Ji3W zD~MwIy(lDz>H|>d01JTtkO{NsBmi}V056zHB>^NB1fVcLK@k9=qY#t9q#zLB0)Z%t z2_f=;3l;LFI8&$;)JGlw=_G&%Q>mac%;ZQK@S>ou02KmB6gn9|A)+hbLSfPn1p!wW z6C7VgWD4raavm)k{w+nB5QL|J2nsQWr+7D4fI`G%!G|$gz#xJ^D1t{&kmx>g(CAeb4sgHm5pqwF1LhxO!`BrOOmv5sxDjf{ z*)u{Xp2G{t5%OlhOcY{{TF--^05iz~o?~_X{~Dk3&-R}R6W#y&IR3@{E2^ld{%rr% zHB|ne{r}(i`A?hfQTAC$ML|)3L?J^6N&pa7P+3i#0Ig90T~w8vRWvnKm6bKtxU5lG zqp7Z}qOPH&p`r|_E33LFuOX_tD1jt(kf==3RMCKxl@y6;E-GrOpwb!vGDL@%APSKP zfP}K5vNBFl1*fdBO;L%UszFdyQCOpT{eb zK%s$T=%*FtR0u>Md4LY15I2BAT{$5Xl?uR~5R*wEL7dp>=gsl}g-)chI8o4OJA{R6 zbQcPl#e_&$n1zL4*nTpX6pm_Qh&Qm9Oo)yGpeIP7g3i?86~7^tz#Z8Nktqnu^pWR& zHD^(&mJpE%p$I2bLr|CrlA#S$5J3bmG`buJJlG0jK>Q>fLk>bFZ}K;LN8=m2oxc%4 zIMW??K zj8?@B90xR7(MIv^&T@u$IS8;3W)dL)1({?B1&mqF5R(p}5W@FEfHVui)N32AmL2HBSQrlILoOhTIz~Xe1ptY&0)sea3xU4? zivdCEXvmzS(HqGd`G++smBe@eNu0|IQmMm<8580~@_;nLa>j984gfMC&QTCyIzk~q zOo+rekzeo-0AK%K=-2`}L)2jssN8S=G3;FEKOshlt`Lbug_xL@1Ds#53&%hW&j8Xe z>dH+g=>UlM=$5(Qy^DA5&Qz$A|GWI`?@k(K-K@hDJWJP9Tucoan35j;quQRo!x zIB>jU!4I2A9F0XqDGVxv8%B@dF&4(q`ICA;-Y65)hZt1Y2hhVz3&sLx5P+TCAR@{U zB8j_zldfX?F(Hnr2c#j)24hhe$2tKhL}O4v6yiv36ll&>$FLgEIp&!}0m*b2K`BIl z29qExy~efC684eW3uf(qQEV*j=BDMG zbm5nx1s(;-9Hr&+$N{4;>=4I5AJ4(^*YmTLUv}^(e%XV9)zGDK0($uX^z}u>cns336tU zhrv)>0PX-4CL;ji3bUvrOuc!!j9oO&HUcNf$kaQzQQf}ANJ z9jBy-W2!52b(K#CIO6}g;^9v791=%orSzy?pbsL2(L8bj6a=iFd-Z!e+r$9L8t2*@P5Qc#G9vY62D^&B%O?S!Bpodi;0I^+bvOu&f= zF{l(Ghc+jUUmLxi0E{fh@bF>ku~1itj`H@6&65N`7V0|Iona#iOc+MZK?L!FnIvHN z0~WSp>^Wi6PFM=WQ~(UgbQsHtD44INASfmVo_(Mo+~}SJkrc+!pFb{_N+J-7!NsAj z5DvqQWAI4A!E~Gpg^8dzCX3D&_-Nus(uUFO4OiGXffB|R2oPBa3e!f4?4F4U< z@y=A(nO_v&YM`fYVxT}HNpb*V41qX4zHvF>PZ9u{kK=G%`xkbwgP;$`ePh_crvBGi z;aIlu_~8>e{;4p2t8jG4>#wwJ*cSYw7L2-0R+yMZV)Ef}4%YvO>arL(5H|`kKV}|Q z+OfnCh6iBgKTP#Jpe}0DiTN1c-Z!8s<((vrzu%2*<@N$LdJRSHMgA>3x zTTa~Igar;x3Rr|lp+f)zL|r*r$30W7H{=`cX+HhEe(Lez3o>%~j=S6q;(aOeO$l@56-z*%lcEBk6^Lw~sO%#?Vjzi+u zLIsx0k(@0#56BTfpTf!KKqfa%<;(%xr{|nX#Bc&KW*u( zj+UIH4+9A2AuWYY zR*>K%EMtKG1Fsu6L9q$Q07gCy7cs_i4oI8AC`17GWi$kE8UuLsKjua}z1tR(osnBK^c1MPTnSaEL z!k8I@X&?#>KXBmsa%ac|Wyz+n+GjtL=S z1O27_23x?Ovd9#=|#LvcbfE z9=tV}8$dB%g;9d=Rsz_{KP%V`+i}cxQ(=(A8A6#bmGj7E6m+~KmmC}q3uRPrK88;2 zoyCGT-oQ34HJq^xAm+*VA@5e0Q|q+i?8jW28C@TuLMVSZ*P!??Ai~(C<4TJ;dWAX2 zL@6BOKk|u7=7^Lqhx~K&Gm7Cq_kn*PI|iQ$WTZ+p9=X5O1qMtS{diN4M51tOz5oLz zjd{#D%+@F^;XK*+g6E;_#yo4*T!1B>px8VZbEb15yJ{!Ik%X z^nZnHF0RoOk9wN=JF&ZPpFnXc?&x?l0w8Y*z~HPIQ)zJ;j!b!r_&J{fpvQHA+~yI4 z05~DA3(BqZx`O=t{?A$GJzK??hCI0m6COkm3YpFc!RRmv!b?)Uey3l6w)`6niLEBJi;q2R}3gm(t~uK<7pxO^!6 zI;1?BEB@jAE9Vwi-Z4O52WG^314DaN7u zw|t{81E#`cA4>)k0!bTSIu_wm=qRRz+!=s71&p5iW3BuzaE-yie&P6};Sdf1IN}Ha z_@BF3f6K<`-Uraz(jD?5080EZV0fP~=1urt6vh&|3#LOOJ1{$BMMprCg1B%Vvk(A% z*c3)Bd1^LtcYa6FZ^LCK1!huEA5I4?=OUT&Mn-l1{!iKhOz3`|s|%C2z+D z?uMV64}T{AUy`hUhwp-HV!|v2!2NBgKU~zN!7Mt8MQ$*aMS~D2?(;Pt1chj$uJljf zxWUD6CnL&aaT9+Y76PE8sHiml;fxgY|Nr8MhPVE%Xw9Ad-EsXpcN<1C_ov{QEV>@T zX>H*A8g*R1MfhJpU<%W>!Z6C|vDz?f?ngjMApn0Lz}pCn-Z-i}J}#EuX~{5m!+HXY zfjhkPpVUVR8E(PmJpG0c-WwNG3XOvPq2C)7KM`RXgN1U-_nf|No|(6S02ab+u^VpL zi#e2A_foyh&mL=nz|QwQY zM}h$_kdBV+BpBYtqI3D>R!Uu9EXSkJ$z1SM3LRSmlH6DbX8{evK!=DBf`Clki^@!h z277W}w;{5aR3E^Z339~4c@QQwjEf+pFn(o_zd(U|s+>-Z5h?Qq$Fq$i-OB$0cvyG1 zpgCV4(kLW<0G-noGyGaHKP4M!0pJM?BX(3;1`ru6&JCcA8lyopPLHgznz{-1;RJ6V z*Kv=AJOYc)!`}lR-Z>l>Y~Wi~egi+__qo7`7^DCy#S@}K2qF(KIj^Ea2>%5r&eKj_ z=lp-d#*d8iapHzi;<#w=lA|_rMr6j%AGpMsV@rNeKVE`Qb4LcL7oL-bsgTD*k{_5r^j(c;IesgnF{`unk z;>3AsJg!2Ho&6I4f2Wdv5C314^6x?Zfm;4O&_7hnzX$w>syPl|PJ}gj^skgt<$qr{ zxm{3Y3%Q1zXJv@3@^ZEQI_2CiscesegB*n%SW0PM|c}e>pwIujOGtvIh%v1>;I3ve{XN&R`x{U^*28ShR(c^ z@`{w?Th`W0)-$r~Bs$9%9Z631KHhmmkPVWEn~e_8l+4&ZpZz?zbpzc%H=1n9aw5*` z6^q2B3Mdo`g{mLG#c~{BD(;V0`f^oHvbc^EX+khFds8(-`!O+RDmNU3gsMI@9E}9j zQO%!DRnAVdXCcAJYoh;ce)TV-j*4aM5BjcZ{r;ZXeih0Cb0gmr?JW~U1=x}B2nwl# zP~BCsjN?6!kVmFFqsn~MB8Yu=pE4^06VkvAzvHEzh3OAJYpIFk`yid z^zRpY{Ack018-84Tx4+ae%G3?GI&n&teIhp&673}Ys9Ey_6{qNhmD;J6Z{p491%6u z&ShyJid+2_tw_zpw?3lgO8v(MANMT%u9#t_U?Z-iztnDR`A5c#UD3#+VG6~?nnn)`? z8tjp=+w@1v;0R4%wNv$d`+jwUMUUn37wTwYRO42R*pcPKjH5+ArU%j*Ru#1G`epQW9&%x zQs3=A;G-o%?8=Ov&UO{e3`(F@e!D7{g@Z?6veWo?4Ov zFax8PMv+ms<11p36BrLT8H2Iv#AMZ`FMwb4K{k0w;dF{8Dnd-z%`(SG;Z=jvGa1rL zuf;ZNuoe*cCU!}_Ba{IF_9ZgKKoer~CLnPHtqT1^k~EMc4RC7Prw(57)!Sm?FGTC- zFqz3LNh+O-FcX%sN?eoCoMi#g;(!@21wnVd(Lm*wE0dTkqk+O}po1x<=my5|{sV5; zQ#{EAs+lRFVm$S54itH=cwgTDSP{U72SfS)5B48E_6eRqdXR7C z=tD{v0y_zz3$gPGXGoqjJyILTNS^w4OR}IE4WPg@L(k->0+?7{8ncKr=NE7#vd2gxb7>Q;KgzQlI3EI=zfam1SJ_i+Iu3Ir5+c!XDm}9Utsl02R4@nolIj=X!fjc zcsw-14{wvA*;nwxI#j9!zD$A%w7T_r6e*G?|DQ2Gv#(y_18^mMU7Sv`5Ov3 zO5BAC?7k?n8eCn7yD}#HOUYw=c*B?><3uqBFJ@g7~m zFeNs@m$+~ZY52afO@xVp!}TyG3Te3uC=(VpO*j)}d=A-r%piUGz=#Jw~6tmHUJi%&Na$rwvIMJX1eWI3f6Mv#acmo1O z4b?7J?&cU2wS1IND4eX+;!w0?r)wmNYWHp|3VV0>o1;lqp$Ds?cBA|tkD( zTl|{n7TzX0!?*DEunEG2x6#coF1*cdj&k8``fq@9VVu=ALb|B4NCU7g%4DpMcF{~o zJ>Er`l1&gVnrUgkyr|e9U7}w2k16-K7hfmtg&8DOLB1%a`>%t2QDS&)^b7w|xJCR6 zH#1!zVAScM1`G^0QJtV*gi`gj;9wZO@YYBe)iC%bEDS5xss{7IP1QC~Av`^~a3PEv zg?nU(FOLl2o;epbMBT(~fDYjyz=01@M?hx?5gti4F(PUuI1nYm)6Lz*i70Ib9U?_o zSB#-p5l(WtMvHLlQmybJ3L-Z{jPQ+617?JAf><9l!q>MSH=^*%w?>XID0X2-6trxN z9#QSdg&$Gd;hG2%)t-GA61BbGSrmyXe^nfbTFx9u5�yk7%R!bnDz*)ug@6IHrA za1#Y_Up?SNmFK@Lh2p27;mzQV2poC~Pv?!%&n$f`x8pbFz#@oDjrG9`R}|>3Yad5 zPPoWY8fF0_3x2{Ps~&5@yw$oRXcOnpj!&Eb6VIPX*41I*crxLKsa}UM23o^F+4R1| zt}uHm16Y{9*&;8a$+TGWvt)^I8*N3$%=QZ5F5(N_-6iFKa9J@b50KXK3CV;53MP>% z$_)|T%N~HjN6r718RX)2C3iWgD~;iF8ONerh8Ah8b8ve=Ik+pbWsz%ckjI`RRecUL zN$lg~1gfsUix0A1<>wq4-a!faw@cgedZV*aFDE(PH=O9LWp-qGy*+^pYXDqKX(n zLb)iErA^XptwiM?KSOkZnOyXxb$MFyM-)FF@t>v7#HfD+PUhV56QfLS1jb1cftiT? zR#IGbm5ISl36>F{MPRND9amXwQ%V+U`m6|Fp!gZ`F|3kg4QS=(vTNS4ldQe#f#eXXt#*m_DB7WV<+?dvK* zJ!Ehe+%zw{gBOcsCKWH7NpS2u5E@0hL7k?{I93PU(7t&UAd*AE_~PZ|T@?ctIxbsY z9OqNU5j#NObtaGFq8DgTo*Q0#|%J*k zF-!)B2Lt-(KmJ4dsPdsW0;kj0Bopb0N$x~)xK1^hT;>IdX9ll3O#MS(dI^gmk>Tok z*HU(a;5vnq{Jgf|?#>w*2yzA~#n({8&dWjD_r*RNlVlxm7prqs_1|bE3-JBd^6eQ_ z%Wl@HOjN?go5e2ACNL8S0y@YKaV@&gbv#kyrBH7xINJsgLm9=B%I@(>pt$e@^@49* zOD0bAG()t6AGVP7ZB?zl%oVf<9Rg7Jn+Fp}L0WA$K%wepOKS9mrmRL=maFDEvQpWp z3hnA#sg>%r)^m1?hIT78>{DXZ`d>(ONxYwdF^x)j9Sjd24=n}u`0>5|+LHd#;$T|x z?j*<1sqD}7H_Mepdww(Q&3r<=)`IYD?eGJq2(4TjnrE-rG%f_V$8DOg2M$)1ioE; zjX#!%uC6FzDM=U#sE`HBgDf+QU~*w>#tLXk9u&u8;F~jn&KE;$eO zWb(eDoC-4Is`^SCX0H}#F-G*tBM&Tw*T}0>B7Uo~Z0FP8QR+m7R;FLk@xNvp)|fS&#?DcpB4qg2oCn)#&e>Rn}% zx?A5Mm(<&f3|oo(4M0b@jBrNv5l( z$<6XyJ&kUjk&gEMGCC?d@82@NDp8KI@vWz||aTt*MI zT`FG;C-M&W!ul1QYr|B)M@%S8aWcz|c9r3jQ}m`F2vpL5T(L7AnsT3}2se=bk}+<^ z;9+4sihM3?J$I7VcEp`}I{clCMJ9qUml7kyLBf_2>1xd&ouT3`KO^F{8_J8=-^p0T zG$f`6(Iiaw5>A(hw7rHgIMx4vnU3~TbD%`N2Y=xTbixh#n})0iGf7-#VR;E?J zaKs)!eG!*u6}6(YOUU-XOx>~tLw6hWv>rFF;BEU$Q;35v3O~^H(C<5b^QOF8)FZEa>#jc4k z=U((Ja%-`fItsu5z!=f&NPAEQ&&iFE`3lg7lpX;%W+=&amg&de$@qu93To_s20#1& z4tI^>Q@+-om~M=?nidHdx<*t4o8LfcrU0v7W!@SvpE8m^R&GFbodseH&d?F~R(pc< zEdluW5qu+w80O!7{>=CIh}<=M9R z)w0r~-0Ce>d}-Smax<3Y0PK48Xxt1Op(N8rT|wBlMT5ft8U+?^4RxtFvaU^+u?$lZ zDQJ|QHYS)Csjg&r8dMsxA4@BIkyC3$Bp6i;-C?#`nV-WQl> zai1iEd*1-hKrp`~@#;rP7S(uBQA4aV9kl-*vHTfHr5;4qB)65~mC8iNytW8wg+M$S zG+D-w0z&Z&Cv^f5Kx2(OzxD{Rq+Q$}$P_nj-fABJ%Gu#;sEYwiH$Jl-!f9D;HWt}Rtw8>?qyjdjj^JsWdq^*j*c zYJCNOM#1uriT+ezNJ_uwtSLA#RmP-7#2?p4f-Oq*vfz>6dub^3d~(;N!Fw1n)K!F% z)ky&`cS&9--~hb=qVoP1p#<}-Zkf%9$d;1`1N;kyBNd+@Q}p)$`Y=JM47Yjy`U32v zgl6E$qgr)plGj3OQsWUFR8f%NIZ8zMkLFZn(@S2}wt$(4MVXLA3Nx{P3)h`M7gB?w z1G1!3-8*=tRz1D9e_Ttc=*_XTMa{%T%*OmF4Ll_n&|KBPBP8MhVmI zQVo15)A5EXitu+vlJ)yII5;?X`uMT<@4>-A>A!~$AASGiABT@0Jv=-(eE9Im!+#tc ze*gI4;XlAZmyG&8OO`?UkAsc-Dl_+$d_ML7=zk-pxqk%u^DIk`_V@XO57gunI@_23 ze9+(H#j{n4cv-2vonq*6g@^6j$@&$EKUw)6XSp1-U zURDEnu_>X8zPxnKzl#u?P%J_xcmvhvB?XvXOcEp?nKZ&;N7C#1c~23&%;qj)4Q6d( zkC)k;o7u88+nZibv}4S~_mq(A3^H~@Xk`83A3OK>@rFd2glNes>!8Oqkk1WYHUtzV z5m|u4gW>^k0ONEHljQ~zM1wCkW&2bc=q{JNneW9oN%EsEWe@mfINL+?;rC^l!>>Nl# zzrE$GZ=^+vw!(!^$cy$vsHXsphKAjYSHIBfeb2C2dq|sc+eiaDWwF&j-VK55W`KL< zfAvPI95k)=+B4<;$)S@qxYK$YtpUdBo8=NIC2|aiXFkzsiM+5m@K7gyQ?7~14+e!} zLSh7y()9TIvstKuRaYA-NoH$Q?!MLF=aL*T{AYReLBl%p%tGGn1#hy|cuUd@K^(K~Oi|vkii3CbuXE#Sr$tpa zU}3DuQ4q4#*4rIE?fAo=D#E{55MZ0$bk{r?BwA3lCq@&6w_y7&Lz#^>bc zn|_PFHYaQHVgd1O$(CnGRJ3Ut`f&-Y82{y z_Z>KsVbB7(Cli>|H*>5pR(TzO85kq3b|RFZSBQO9snZ(NofjWEWu8MCz;lOKGt;4eTDJR z2jA?1Pawfb#7FNj=NSk@q)xjP5KDD^_I^S#=U>0DA`pGYD}X)-(D7s@hUEQnj3!wO zW+;;-27@BHmJ5msj2{;9U7tULK@4D;4(-HN9sK-5xtbv7*a-L|kw7lcumuqsFJ~5M zCT0A~K&mnf{x@GG;LVTV^5+-e?9KCkfx!TbA)EJlrwJf5lGcbmget+#4Hf--qTG&| zqDa9%Xz`IDFZ(3T@?;fNKG)1B$>>S|jt<$pz9?NLLrxwS4iqyvT9-H#-TW#Z8j_Du z@kJt#93=3Iff}64b#*pxwl<;4HerHJG?^1{reR+`ek{aXBN{8WTaIkp2Sf1r^Uz1p zkX=v2k4pSiXvcFRaKS%+KKl3(ObCn-o1naq?!)zdOkEkyk5XXhkG!PmGqv0neYvIu z&ld%>jf?97^?RFq*T0-oUrO_il1Q%8Xn_;VGHJL@C=%g`FqZTDR^5>uiEGOq0J#tS z2z;|+il4$K43fT&A9I{*Yv>eeo*XhTAmDdK5^exJK*GOp{?Pv@K#GQ{@PJb@&=*sm z``{B_^XTbgFc?H=LL#)=>s=BZh{H9&iY#e<0Va4m9D?&@0-(@OBIbxIsR>MUvMW^2 z3n&Fps3^Kjtl3wpU2tBSc=dV;7!2qF3k;SktkqFv)U&v%C+813_I6z%3rOQ9OfZ)25%!BSk04^m*1g3D~4 zV^j&DZM%4T06Z!)Uwu4AuslQUdVtvgN{+8{UqOdRl&C!=vzJttPG8B1zl!b#J5F06Yqh|$xQ;rC?+@gc%Hv` zb9r@kd~xyXoAc*C+;J5mNfslj$2gR@^8N`*Z#sj)K)e`G9>O2Ku|`OVdP&i!v^X}T zB#v=1yM(jCaFlvP?{IBuTA;LRwcx?#uC%2m>>9>6f*F$4<)rDwosi640WxYp50pSF z0|T)$^BUjisr*H@iAnN8ym1VUeyA{UotI%lWsT<=O*O-E!(2*LAM7;h`(4{YFNiDG zl&>!jl~5IZ4$&gbR_2kwVxIN8 zu8fuVmFYri?+|~T6OxrJgT4fzF20t3?}9+O^<6{=-IhhMG5xlEvMC=0{a{C@!r`#D zNp}4ldn}-hdG}dXn~uVB@j?JN6^&^OdmwS@WsYZqR2oqJO-!a{QIpl&u(2i8J?{-8 zvfE}zTu1E$XVLgVI_*wgX5ce#hP6qc)fhZ3IX6-g#}ED=U4U4p#v{%tRU}D>WR!- z^p2)3sb9N4$!RE9wqLDmjW?({P!+z>k9KGM`H+eR04 z$wx@NijdU{nt!*k8Vr{+HC`b?<{vv*_(D0j2DbBUhtS%QXmZZgNQd8QAd3{o0u@7p ze=&d)k#50oGK-PM@{(Zn6JBr%aa?0=m7R>b=WkR?!b2#`Pvxzsci&`PJr-_3N2@8Xwp&SoA7_dYGr&flEnmrD6xQ%fAyGCh8T?-iB z{m}pL;lqdiu6KIAw72U1)Ags>|0`hW2jXF@66srj0BUcEN`3703)uN{IslLZa zbY$b<_7*6E5zOFGPvUclP7G(IBrWVGM?REL+VRKr;fzzYriCMD;{HKpsU95o#SAR;f1au0y~;s`u>WTd>Llw@Q=;v?|( z`B`Yu%ab$Jg+}879w06aEoaF_3ocFcvvv~gl#;NH>f`4vX8v|YO7s4&JjDCCx3Tpx zpke<%e01=*wEsVR`1I-h{(l=EwQ~KpAQeaOu(CN{AF2&DzX^12u7M%FJ?l{fcjV(I z@W+y5sH=^)nxHTtiu$_J*)&Xvp2&Dea%hOd9y52Wy=^24qW0eV^Yz)5ZM;9hcK`a0A|*+dH^^LVVXLQHs(Ce5-&3hCZw%LN;c_x@{~O#q z{*H~Pm6|65R1#!$lC0i4aTNJU^|*=-AA?fpjp6(X9vSlm7;8)%FFt&M(J;wdXB^x< zLI2Lu;vFu(xUcn4*4j;Nyhzp}_s*@KwYb>I(rWpX*d1DREh)ci3oG!!nO94%o@dQ@mbBbxB#mg zD_aY8I80S-7(PNl8vAy%b{(NwA66*wW8Zl6lxKeCgk{Guh71{88((e)9`5R;dAcf- zrD!)UXL2;<$s9$?7*PRlnL`Cw-{#F&Ukg>T+7v@vl)pIEgKKUm)#I=_R<~g!KyW|V)&S)Bqp=fMM@Ej zPDsKs3UQKIBj_p8)p+_S=x%gViV4Np>LiAY*#lMi$?Zg}G~nK&xT3cEU%TI+{z7;s z(FK|;MQd_A&F5S6c4`%n6HE9Zuer72wJq>TpNcj$Ke%cuUXKGiE_|&TzWfk^)%_7}#oP&5;9%(}*Y#wz&Ir?}g(Wn!TtdxH&Ix z?ya@vX+ywS%Hq|<$3OY=F~Il?!2TE~`{GFk`}+Z!l)m{?ikg@RJpIABO9ADerRAxi z%jB57Wr(WBL;_}W%6_6`nS#%s!F~z0-k_+g6D(r$UXQ?m@k41rR7aK~MwWDfm_3yF z*G}I`T{DKk^U!Y7A@o4W*(-h)VC9LEk{H1ZmgYsgCV2+4`BB|?Irw)i0=66rSBgcJ z7;pK5d;1A#z_ZFLD%bjA;!taPD5^Zxti<-~E^L)~hSa+r97?9m{^o19ewPc9y^o=d-3AjJEP7fw<&Gg5VRIDwv>kQS~7O0 z#jCAkIleCQ`~3Lw_}TG=f0nG#&fhPq7oHaHG5RSxe{uHm^hCg&UcGwr+(Ti10a=D< zKe(yzm0}Ppj$YeT&jx{8(b5Ggt(3K@M%G?VF2?TU(sGT^2FuK2B?$z`A7fay@2Ug$ z;y*9XkFS1wdHmCbNAMjdNUQn&26URt3+TppiazCFA8_4xGi>ios! z`RR)mgjf3;Qj}3F&i-1|9~~T2*s3Mt;^m7MXIGb}uY9^Aj1m?jlwM-7WolX;ZaBbV zrd}l1zd%|U+AeHltNlO=x!&M+IB?BQPF~gitkA~G#&>nu2aMOrtEw(l6N*E?;MFH1Og!1M#H*dKA(SE>CZX9DBy(W8T>RlzV(OhS&` z^(yC#lCh_vS)#_dV-{=Y&;jD*@bc6+J;0#G3k;l|VBquyi%C)2%@tgJ_@V#JN9S?p zXi(BO@`I<~-8(Rt0$)90Mexetx8MF3$mS?FK>r(mll@&sJ5%iVQV14| z7C6ywpy%)7_P_aPc5881>yi?-%7r=64U)34i>lh=R-7o;C_#+XECQ=Y%_^|U-7kZ` z@G^L5&2*Enbh8lbKDV$ED1s4gSPFKTnzdjTyk87|;l*%nPj#cbbh8{vy>7Z5!WT*N zJ*zK-{r++_>~a-2Pe7hm8l6A;PR>$vEO@?}QH#VAp97R+bd?gEWCPjBu#KD9afY*z zK&xku^6P9qW<-G+`dwZsUTI$fmHKAV@oPPcW~__b6}J=eCcW3;uKh*kt7h%E*1ow- zkD9+23vp{M1gn!x{0JpZ%BWk8XdzX^Xt*XYq4Y*^ivR_yX4^moUAgN(g{F2p2vn$C zecp|0Ms65H1N0#!G(+_My0QG(F3S8IR@5a>M)XcA#_|K0okFPG? zygfg8arOH6)r%kcTvCrpmi_F6JIu(4qo8IS4grL9S^-$_@e|r>ZS_ift0sROPTK(!{}NbCr#B zmvPkZTz^?@x7J~G8BC6(quMfBgT)XpT+5;4x6JEil6q0kmfi{fs#pza)y?WBzyK)G zE^Tumw@j@n(Jn$spJV;1oY_g}Q0_ERW3r?4%XKkQ8doHL#IKBe0$ilW>%+>}+1?!i za2WhTH)=_D&_7L``XDfD#w)AdM8N<63glXT2(dJA^@!!9rl@R>^*|oFye_kn8Y*m5 z%W(Z;iCEe2V;P~^>sRa3$A3DbQXPV%njB7I$ch|)qp{j40sUD_#xO1l$-j34^sGg& z138;@nt<=@EeI;%qwxfoHGy9mQ|)W|w7~zno@@vI_vzvHW&FRx!$X*#p$!jpK(GDJ_$tmht_P4-W8S^elkUb&W@qKon-9z-EhZ)9Im zIGy5&x)a?YG=Sol1V+zb43i0>{oQ~HuStZ?2+jJtibZGdwd}g-wbY<*2wF4bD;yie zE`))5&P{41$i81|*{W}{c%Lw5XlE^sb{q+ab)=l0?dqwrzYb=mPA+}*84}14#};l| z>C0LIoDFP1f%Gdn>5xBlW60O{UjN{T#hr1_24ukr;uz_vcQ_+v<<7u&{ zxCl*_u{jlfTf`H^Z|&V`XNrI6 zv(Nn}?EFs_D4U}tqvCO?_CA27_kRw*FTel$@bK`-{rUekK5HC)3V}FZ#)T^$lpYFN zkOXIh;$$|Q5Q>O6W$x!bhBK>`23Ldc?Omri5xR=3u#7Zzs$sS*F599<*L900=$4As3#(r{&iLErtYE z`Msn5E`6H!e@bGsrsH3I8utIgM~_SU|Kayf51!ud|F`jR?Ef}Sy?zET|Cx^AWX-n$ zMODwsLFZ&cE8w0m>+-v$15y8v5` ze@Bx{Z3I>nf|5hQpFaq}`?wBQUn<8*7#17y8lb@n{02t;-EAbnA zm1mn~{hvRqUwUXQypKlv|FH7@=acUr-Ru9`_~=_K$AVJR?t8}1899{aFa*X96}^0M zO9zDVe%k2&1Z6jbzLzij z4{$Q0h=tq-HR%5*kDr$Bf1W&i`1oG`-^Ryb|Ep=1!AV7?MNnSRt_3S^x8%E5vP&tk zIv011x$GT_nEp3Oy!w%nh4n5{oAZX&R;-K7=Sn)dFN=LQ5REXt*U({;;3 zVp7l|H1g~7?S*{Wod42jyw(j+WBlL4@5}c;j}Pwi|8C{u$uOxq;Z+?pTrk#)2uN#B zVrL|Jju~BwCoY~XqZ!KX{fhUexzN*GiDp|~7dSb-hB)SiqHMwZ#tI5;s#rHrrMmFL z+XR-nwZ5zC*iqRXx?efEt`p1uw6F>SMfk6|L;kftZT5eb!3<58F+*7^JD`65fBg8- z!>6VF|Ix#P`}qG``Fv~%8r5cVH|52%!(XT(7xz2+{mve~vn#1&p50RYd_tCq$~~m$ z8gt?M8MBPg)l0m~IRzrh<@GwNBPG!*n7|oYpd@qTsvE{ewPb^BvrHqH zp^J>d49!$w`#UGjr?-Ln1Yx~5sd*?Nc2y8GjPyPoA>nqMbL(nluM0$foWUZ~JTEe6Fo>t!7(Y zz|@bJt${lotg0>!AE%)G;&%3oIzmm%Hj9!RPE@~WAYTOZE5MHxWYl6T*<_BQWsE4- zdd2V7w|PU>*J5#2^X6MM?Rf9JGF{c!Loe>ACrGhDQs;za$1#S?M6@%$+zi0M-A}XN zR>r|gKeV7M#2Pk$FuI^T?;((E3oJh;CKq(B>}n}gRiq0mD)9NTRqEBAs=+gg7|KLT zQfc);-v}NEg1!^VIK$o3Xf)adoe7ChFp<1)GnHnOl0=0T@gA)L%fCk}B}y!?hAiyk zGkhWNrmI&;=C@rf2&<HT zbjO>IhAufxDJJ4Io)|J_Zrr_vm9;Pgn%!{T_h>7XsE+PhZ==*TbEhB4bT5Tg&t$f2 z!n5KlirD&M;!ty?rzpZ!Wc&5E*5iHw>tfC4{hC|u;DNsqH($wXZ!V+994^^d_f%K= z=lT&)m7447{a|i7mC>;b0dn$9Re+t4WN0CggpIgZ#Iy*eG?j2}6~qIklF2 zc6#~x_|@sv^B2$F{!~)Q#mkxk2$!xvKck$~{uIUx^{t3qsShJGUd|eX)ZwMGY0BRT zd~x>j^yK*R^v&z5S8tws9{%jJ7+#}(ZA-6?FD_r4U;X^%;?m1wI8=ILKWA^wFRxy| zef8|cxwpIS08s-+Q_&_KUwnJvqf9)jXb)y-F|759tJ(QRkGYm!JpK}oxVm_8vGKLN zb$qJD!Rm~1T2Q6gG#n|1Hv8H##Jfh~^ zVFeWKk1;IU2h}lp@t>FH$5%hTJpSpzqsyG95vzl$rfWkh%OK5`>8}uHZ_>(Du8Zc2 z%j5IQw`W(s9-m%boxiv|KYh`P_-c=^rI%Q^0yQ-cHy&m&V=t2HUrKLbg3dftRu7xJNnh_QG`l%@)lfiQ!&c0=>WU8< zx06>@(afKmbgGHO?`f`Yc$4XMG0jPpYH1TX-7R~ku+@Xk2GG3zl%8{b^yuJeRY*2` z&bhJ_Yo0SUOVqj#%z|wnGe#fGcj5FvIQ)&E#^(r}en;T+J%XBt&Ru4jdGp+B zu{J$@UZJV{{JFQ~$}8x=^%6S&2#JHy0w;W8vn2zAr7&p+X}|O&dOzF~A}pB;bN(Ad zr~}VPwa+b`+c$pk+|$_o8u|OJk(ZVLG)YlctHkbgE6b#lhw**Q-LI6t-%2^RC7@A| zx>_rxem7k#ZB|h8HK9MU`u=t>{B{sD9JXvAGS}fiJvOZ)ynSbP*-*{cxjad{(!Rt> z^Noh%*LpU$@o+x~e!M?~YwbVV{5<%JA<$bq^IP3)a`68c^o$koK4k^!@27Qp?eD3r znr-i^b>*&atDD;G;I6uI-30{%SpTi{~XgJ@bPoyT~4`#PhyA{Iw3!QR=f-v09@_I>w`Pk zX^&qIq*{=w&nK%vr6!47P#IqJ`)r9rXQ&hLdd?1ZluT!G5 zrYdiY$uIv{B39m5Sw^V#t2B5Y@t=+yHsBH|)#z{%Lsq208jUqf4Cv2dGKO(cO#Zza zq&O_19bl)d;Rue|^E_|g6QKezJv zxB>oG{_2l&qZ`RS=Jyv^vm%Iv}_Oj#p*Z^&bjVE`r0t>ByjQ^{^)SZJy5W znju%aZP?I;Shh-i){Gu00kUD*@$Rf?U3?NRS%&E8nFTBCX|{i&OZSzvl2>n_s_3R{ z4FuAOK8Qr5_>#iu6i?Je)()XTbiX7pdIn>dOc3qw232`YB6LP**56gEIw@#i+fB8l z9DPHv23!8(u~G0sSkLF&VpqcL`?Z0&`bIx~?20Yn%-9h}$UtgN&-A3(-?m_=PE!3X zFeGxlk1ZUf(w7ZHIGfmr3hB*q(jtHA>a0-Te?5f1#i4O!;R>{tUT0S#U6mGBDxJGj zadt^5$;gDnN8s}0OnsL@IzySf5iw~|lOe!ALbXw$TGm(&yY)zEs%E0PXl7lP+%?Xh z`n%9UZr@wcml;adY6o(Wn=E5k0quk0{vs~ikEu+44e~^0o^*lEHCswN)db}72p#XKYfgnN%Kk2b@tI$zLby7 z?rybw@Fae*`3s!7wEeU-&e(I9!7*egXx7q}Ggh9yV0Z1htI%;Defx{iiIh;kCW|WT zEKMKR&J|h|4qK>I(pt{`R*csW`%f77P=Z#kV+JZ{xGZC8iRHS4toZSEsp2D0#ujY&anl z5wS-1%Ug$PWFwz}#|2v=Gv8aBTTQFFw)NO<)3TJ~UwQ`%otStXYHM%9-5s>@N`Fnx z7k!EUI~j|K3Xy1C))r2bL@B{ZaYyFL!w8#IoMebz!??Ij(cgrSSFK$M*bF0sO(;y! zC0-!1G%km%uR{p(w6i8vbCM8Re$C1FGK3;$8*9=dzdlD|rQpQG$*cUdp`Zs-u=z_E zp022iO}cFc>H4hY8_Y%Z{XwzI=-}i*$OcsVh@p2I3VFpaa79*vi?^Win<9#zI*0lz zFxNZ(`0W4T9K{PfO9(|9_t9YgA3QmHV%z_RPY)08<9~1E^8lQ|EJHM5AR|CdIJlXk z1dNwBj&L#qDV)5AGsK3y2jFs!8DPs)guehbM{x{hF&Rrmf|J>vP^B5ZMk2+@_#P%v z?*T~AO!`cBQi`Vd1B$>6&gS5M><+=3BwhiMh?<-vkRl3VoS^ z{^I!gs~5vX)IlG$>;K{5gX?+`}@#*=i7>YZQ|dMd0H9ekt9A>=!4USN}0yqInh5)2wnM5F)BXC1#9D!(wgnG&tK>TQsQp^yTBA6{HVtZg3 zqYqfTJH8T%224mC!!c1AxkAIlB8zTx7WL*FhUDR-?Jm72+1_NffRvQ=J#?=93wRZmvaOt;s-UM8MC}0us{hX z5k;JL&M=uy5#??1cF9d5TgvPPCS;Mq1asCow|vaVlowinh#)3%Eb$_ZR{$m}@xEn@ zTBWgQUBIeal$ef$6&DQwAV- zSDCdL&gRRp*}4AjAR?3Zhz?XwyTG`V(;?>|LTOA^d~^UwcnAN^**_OL3Nnl*8DVzayIVu(; zUvJ_dJ>`dhDWNLUl9R~mNU;=7-V9tzza2By0e~?hxn=&->4oV1|GIedI$wFiUQfxm zoEiouFacx4B~oqdV)$U1mIjZ1Bc^CqP-YA|?_`lbKhEjlLkUh~`#7H{HUx%D%pn6~ zgc88HK@ry$H-x^IG`#-l^!0y&(_}^wV|!qNXf{w2z;(wGC0Qi;J)>lSvN>8ZKKB_( z)v^Nbp8fmm+~y#qBpPC}zdIDtdPb4B`eisntk)ZWLTtd{@bEwW|Gj}^;hUtj!NIWl4dr2dfW zjVpREDi+}AsItIAS1A`DjZGw{kmb@tBp=2w=vAUP)Noc7dV&&>(+s=bD z|6><0B=mvMxJ)!t{3>@7C4stC#CH!Whfy#kyXp1*1-|?45~tsNcLZKymI2PMVwS0e zJQ9P!yOJ8|ZGwH{zSKYMM<_-a50Suyj7i|cy)LwT99kLu+`+6B$lLI{}bVxZ>@;`>oWjN(2{gppJk=ulfmy9C4{QSA11Y3QfXA)1+5U zs5Nnfc65=R#41u_!Mx(uCA~~Hr+oGz7fl4d~@-sjT7uhl_6C8 z1g20}qZly_dBIS&TPIoeh>W4u0JLe%c@oGc(VCx;8G+(;Z-O(aUUB)}jNS`L1T9i>p;; zMoVPUQ0D)M<9u%{kfe6lay(GB6F2axhWmG9f~Nmk4n~*YO?Vh4?2Z z3V;QP5ZK{UlTtE9{4gBH+=PiRlUM6d9fq|npbMxK7olXA6C$3_8`Tn`S{NxA5e<`K z<#Hm52T%(`EjP{sK72&_;?LoB~wJUCO zU;H{h)!jV*rOvL~;=cZMe*EJh*Ny~Qrltv-&p_@zXtZJf4j-;)gzY`VWMuzh4rEFg z&WJgb)q&Jyz5o|@;PVNLN+Stobj+K#EtFN9BroAn_E)XPIL%V}Q-c zGLE=Gs$)U_9-peoo&UlI(#*^%?L~!)-OS$F8OdnRm?UTf2n8eKeq!_&){^`PX>e}- zA_lUY=x8kMJeO)psPwt=f+MhGhz`N2xbTle%ACUB)r%f8eOVF>zX;RY_*9R@`7ilE z>g%G?0a+Y-#3d1sn7+lmQbvGE1p3>2K7r9$kWVjy*@Y~w)kf`7+B1c4HnmX|ef zFYN@~v|87<#^h~$LI$$*OuD{2C_H|}ZMTrgzvbssv8@v7+ia@Ix}&;*)Drx+lFSf^ z)MFrR^4wAWmZ8e<@Kv7Y#YZTEIA&nSvH9RwpU!>4M@6n2ZkrT{;(@~d7J`#P8%7_A^pn$RyMu1FJSO7|{F(rv` zMPKvT9P?s-rBBE}I$nMlsim##o_saSaTHO-zDW=(Fyk^j%IFe}hTu7x;zUIebKM|U zp0w`8LgG?C+LKXAkt}R!c04Vg!HiDKlht+yvUFi)4J1x*7L6~&l>#f7KhLp9wC?^W~5WRg^7JTJ7v zcEQe)q3JS~>RWDrO1}$FA=@qY>GCdG)aQ4<8&EG^BKk$@Sp10lf}O$kMSPynYHqJU+PX3MmG#9T_!qJB@Eg zUb*vn0LqGWBy8{r7<+4k{Pcfvjkz(j84)Lfuu>tiCy=qZkc?QhQK@l~R zACXF1SS@#Jc{2m3U#1bv&_zaJhGr`Po9m*#7<*MwJOIy^Ave94sxA=c*CEtL{W%d) zxo-uLqbl{({QV5l3_C^W6Ucu9lHr16zMfyn!&^S`CT|;1-!%3qiK_8tu9l9Y2&=S! zltfk}T28((HH~prLDVAT?J@FGOsXidx$ez3Wh~5y!>VW9D164q`>>jeuKE zMODi`RP2YUkUpRc!Eqdu8x+Ymli3j%F*42MmCziT=l?Lt$#4?~9_o_}54Og_C;gqD z`h-NtCf%ubs?_s}<-r#^r!(>c#@<2wd$g*Fn6Ri9%YdJH`F17JXah+P`K(9191P!G zrh|G}A!i_T@B^rCv@!EW8(PXAMDXex$QYg_Edmdlsc+Ibdg2txB|XSroiI>YF6T7tCB~$&77&|4-Hw-`oxL0s8(`o;+6$DKcAf6qM_f ze+SqEiXRJX;q1Fv+<fet7PayR)novEvX20rV0ZEv9d*j?UQl} zx1)Z_exhWVmZ%rsfz#*t@mv5n@||A3Yx}MARuyAS)7a-(Ji{0-a9L3rEhz{BmGUDCJD04Hd9m3iKw}ov>xXvTo@qtB zD1st`kL@uKK)v$Fol!DIPF<;6(i+n!zX@q!)H^Ql{M2(37{mBEis9-)JeN~swVle} zK*WDkkLk#f-xfoB)jm9^obtTXr-)*q{|&lzOK0M@TOr$^{z(hT$t0?vgZxiGBM#mk z`Jce3N_-9VQ;6dwMVE7m*qp?X8NmLd{0(IK$F0*Z^nHu5XG;Nz;iUdT{&vgMH;jFZ zuTg>+Yfw75&aujOO>c$zrrpY>-m7%#bk4RI3eY(=^^srM=!x6auv z`K{&Nt8{!iXPfkY0;5N*sP`%zpU&Ab^-W_>1#(uS(#ds>UA|*_E7Uhz$QJcJrBkPK zw#5*aoQ73fqTZ);oH}RA^AMnOO4R$5j$7w!m;Cl}?^8NHowH5)19VP_dY{tq>6|T7 z-!%3zPUFHbwmc`pN{on(lMrAE+c+QwoD3!PFHN=W_QF=E*Q$PNc50=P(NPcIKxRUK{pU*U@}LO_kg7STZ(Xo0;m`8BtOQmAwsI^ z353PXzmDvRae}~;rEc{ z9QB;9;7`l3XUp*!%;xT~zgUhVOvSDAO5c3SYZGyGC{ie3cUKQCaC}0s77+|pT5ifAj!dhcI^TG=TErS8)Z@Nj}`d@bRbC)M`UWBLiqrxeY&AO z$j*@+)>{hFh7%}RP?Ylmj)FhDCGxvQTje+C5CiM(QXi{%qI;mInw#h&U_41(_Z}@cH zQkfPc*M_eBRUPHYAyY7_wM~@Dk)>&zq`h-O2 z%+Em(^&-fzI~D>g1x@{=I!CRk&)Wc}XSYjzOkng3#xR*US*TKPR{(fwi$7*y^wKEO zpcOWx9(~9VO<;UU;dF{8Rmd)NI+?_nZ>S2r|MW~oAk%BueG*);YDZ1fn?rdaNIQqg z3>7#1$5BM3ClF==qz$SlXpulwo*6w4m;rMJ+EO2?F~z zoi*mFHL_+H$};gtpSBH3mD>?nM}6bjDjKWz*Bd;6Qs?X|v|s?i8HvDi%;-|)+&)`I zGn7g6A^!K~ahd_qMV$HtPL8i3jyYNWvlUM8Vz~gxaxq49KSgwcl8m3ieG$h(J1v$h z11wYE9#D6qawYl1p=+5y@1nlx_CZh&KfFy~E&Y7A`mhf5`jwQV72%rtrrnAn`4qs< zm}P{nUg8CI`2x$-bCPvcMW+T&SwJj}=KPtW3zhhG(Jt}LcV}p4p34iu&2!Je7ej3B zECc<^fhE`Fp))-}8gu7_pIU3rGp}*`Oz2IR>+4O}JZD+WS&SUa=cLujYD^|gC;!NVQSuLq&?&^pWB8viZl+1KuX1rMF)+Ix6h6FW4B zht?VQg+|?e&ONBhx;OTRZu9OhoE&b%L-Razoqb*XI zaUJB4Z*eMu^wJ$hPzdJXHgFU+u&6?L=q{tbd-Ja*uCA7cyOP%rv_I3GUv8bJ+hzB& zsy}0E`Tc?OuyKyRi>FR`*kB&Me5OALormu7{T&l>OJ~tev;MnhBZ!APocj;zZ|FQc z+${tE#e**+*Tciz!U51cc(4FGJlrib0L6n35x~R4-NFO_HTRBw9_|)000_Oyy2JPY zAaswr!zckDR4?6OtN;+Y9_}z=09bE5+$r1u#e*-8*T=)1LJt6;^KgeT1VFg$eP@vb z6c0W$0WS}C2~Plo>ZLo3Dgf484|fS$0EFtLJB%;@Lg!%{I0GFXNrTR!TR|J>j)@jL zbd5RC853=M0^3I(SdXnB9$MoM6trv~fgm{cXIm%)oyb$rUDoYk5v;{i>v`BBBEhHbhmP?ATJjK#8Bp-Bebj)KJlsL#0AQ`@Q8N!6;RhI5DjgsQwA8J4 z5JjLh4|fnt00jHU?k=K$;=zY1(8$AGz!d<&=eXNI7g#@LG$?+lTa1Acu|kKjIa$UL zplAVcl7}Y;u9Kkqhi;JuTs){XzJQSpI1tK1^B#AH@diN6oub4XIDdA0vJuR{#t;Jq zRzPcffQ_*MiU#zg3e|QznefABgNDeB7Cu3_0^mnkaACD$Lyi=xpzvP0I!{_;4@g3z za=-P%u0`9`dHo*y2^@QJI~4(-fr3IuJ3C)yM0i_mb}q?#l#F=i`uE&|f~vcW7cur2 zdM!f7?Lvie6`j*DoP_KJitu0ONakh`HR=E+kpRyXOR0#`B@`spm}s+exdN5r=?u{Y zW>OifwI06^)`uJF1GHMsUkKyF->sAk>4!2Vraphf_6I4Xo4Gh52yrAg0%anJz)U1- zsI^=1sqU~{dD)N>EMyvt@+^a+Jp03KBIt2<&@Rv^h7`>(%jn9CAvB1V)dr~{jG`XU z^*WN7QA8&15glUUFme2}r-Wg?$BtUkuIqI}`xs{lT;P56-vOJWI3Cs0p23+FUldAv z24`RgFBZ#8ZZ&Ym#L)naKyts5q6t|nP!gdi{M02(fkA}E7$$?mg8_Z?&wq}Z$30!f zadBb~r=8aWsmuxMV%$%suSq5{eJ!w^M%v|dDiitL7s~l8mT_SW^60^V|c>S&R2xR4WB7o=c}k_dPMP+WfuCXj-Zk_ETxmQ1+3Xx3?ZUM(%Y zZ5-H)xwh|WV=pxETiCVRef)d8hcR<+uQpa;tivt6-N!Hh#Jxx~&=NCpF=lW4)y7JU zb-LfTX6#^i_;_er2#<C?pYH=%h=N4mO`&dW@chGa~)eXDDL~e_*uo(+U>kfU%{Wf?DW-KJ9@=GODI*E4% zg{t5DjJflfzEqZ_hcQRyWg}zmB&RQxdg)`#!&e<+?#!nzm5=FT%zJ&{XUv@r^`(+D zJ&ZXLq#7A>=SY32%uNqtVKWwz(fOs)Ii19ZYQ>N=&o7nZ>0!)~_u0&tQ!Rd}#7_@n zVOlXHA@oaSgZda-XN@`4;+IMh^)MEu6+==-zf|6+hq163Q+KVeNP;s$eOmEEUYuT7 zg~7RY01Gsc356+6X8G|&<_n$WrtupADMvOu%>*A?N{op^ehMd6Md>&eU#kGKf?R+Z zpvy!gbKzTX6T2f0@j0I3~>57vdTM{GSKw_s78JvMkmrJ)F!C+sdWWx{S?9LTDLh{Sz?029r41oAh)h|6zW2rBY2Kt1Q{xt*zAHSSlyQxD9K2!>nzltZ2qb7F(SC)`7(JYA|edDDxx`k0f45G%OX z=B`bUh~21*JDHQCj|)4+s^8WHeIR%F4iWGugKSi7>D*M#E0?XAAwL7M{QU;4VVCM2 z6-Ow^^m(Hgif@YsgI>%qqr%_4N(9&hN#d1)pTNBKl#&I2T&-t# zvWy`GgyI=)@w`{9WCn2O6k5})v8PS4h*_Ru$=mob^bKkQaA6?mC#=6nJt@>N8K&a85>#ZNeQc}iFF%KHk} zosT=m%3EXIsf3$}@xT(>eC2IEcaD{}&bsS>v+B~@oIA(LYg%^|PPX-_Ez1}64;xV~K#<>qHV5%Jm3YJbG z2a0p7%v^n!2g*t<_}k7r%Tjio)L(&0HJbRp9$ zQ|YsyXex8@I2~Pdr=nFOGFdKABBLRPy`J`_BRH8Cqo6LO1QNnvz)%L>qty=r3gO*e z{?Fe=0MeOgP9$^9QM>>+VHu3$kz@~j5U$<5UT-uSjUk)&z5!-2uviVKa?|{G4*=O2 zTxRnjB_un8jNK3#{UAe7Q}ySbC=kI6jv+%oz%;$me~4B9C=D3z-JEWXW64m)EKHyg z6;H+Jj7r_1V9%yuG&DRo@e1I~aJ=QzaIGJK(PEVoI2!hP{{pYyT)sF0Z;}aLznFo^ z98#gB<)C0i--p0Tv zx!dcV3dv>}CCMyanHd23inWv{z^9(iM6?t;sfp~W3>K8IB}ELZ$kG%}5D_HTkdkfn zZaALEH7oCY8C=Nx1kBVU#R>@qf(TEii1LUkgknKAxL(EyqHv63oN+l8pnpR- zk0+8%t$9d&E0E$7-B5*lvZ5EW}cawvbTuuD)~%i~9=fCu*pT zCtX}2e`rk>Sp%EkEE-?PlGfms6=MQ4c9j7wteV!a3vw02v1mIdQR)v(4OcAu=c17! z387H;*BCko%L+=4d5T zv{ZNxN%qt>C=3hP1TVl9tm;H662%mu22bLd#$m7b?%XtOrF2+Usq{XV?P5Ma5G)yA zRZ2(HY)$WTK&gG4Oetg;T~4wkMY&G0Ui;sd3ljf{1_`t5n8?LZK8?h>YI? zSF_hUo!S`bxylz~gHTk!-H5G5JowFWExe=6G@}vieCMZlGMh=HY^BC__vF+l3q>DG z3MHU1Gb`(YTYB33iYbE83gBcCFC)b205i|3X&bqBSrGvz8NL>aWh|k|?9+pEGz}D2 zKgi4E;u~p|711riVXL#*+ocQ`#0xC|E<= z29HMx7WUQ${8#a#BBHmhbO! zVxtvjVxoT+M;^YP;bgYQ*Rwir48gGzVcI~q7xE~KvO+Npg@WW35K6?U8c~2KC6r0{ z$Qwf6^9F^jQ9VHJ6|N9&Ilap$S&n1G=7b13W=n1r@MT}E8z!Pt_{V;!)$-p11D3lO zZM8WZN53yw2298YGIbz|7tlAo-mw%kmGiw!xcW~>GN6QH#*pV;0K^aXe8bNOfU>_F zd56uhA9DvVqD?77BE>x2P@Ewt<2d1#06#=LGx{#}XUy^?P#n?>(8kK^xtvVvsAc#q zDnv_4hu~*&gRc1zNXYIKL9Q~2Bb;y?Vrf7beMgvO6pxo;X%5BE3L(s`-97VMqs)~2 znT7;dsjma_tb8^G$M+nAprSUU2KT6A$NKq^lLPmhnsNXWfTo6a_cY<=~ z`m0%JGsF+8vGx#{)dzDFF9xE60cLE8m{Rj^(;0=4;OR8`wj}=Co)Fr%;w3b#1fg1% zx*a>eVBdZoNtnUXD@{p?XuRTvJW7Pl(%u_GgtS>S#gs{FWe+g25N0r9W{6fA!xf5@ z4=MK<8O}7`!-6knzMh2hL=^el~+IQz~-dtXt9ba7h`sV!kZ_=OjNgV5r z1k2ne7E`$#vkYg;Os=*xh7&X=F&~DjQX^LdHm`7W0W!9MBrV^TmG^jd4BF2w9ixnE9vEwfpzRD1XOAdiK&(kFPEt3qJzkK|NGgsor$Ri9l+#L) zdIW$8SF@s38!c*W6__7feNCrmBHp(blpOVX129s@Jqv|>1a6@47gIFhYj+Ra7-$+w zzd38>xaWM#5R8VdE;LB`dfikY*3GWmsPbVQH6YU0chioi0N{ADJ5L~THTpB8@5XR# z*VLuaxY#VDV2gvMRX_nkmPW{1)rl-@^(sB47hG4N*=nS=&q#&yvY2`pOy6JlNsOmHgA zp4f)O1ww62E4#>yCResoiD;vEF}3;5`5$uQeD@{+ugNtM@Xm*i_Q1n~hX;GoK)imK zI~ciUn`%J)DYszeC~_Xjxrwnah2;UuV76ofG96@dG)O7o(z&awcDY;Yiwey2uFAz* z+2lFOy~ZRJ7XpO?T2Of+HgdU1>#G8sObAU07Z!Q1mS6Vh{ara$aH3d!B)#3Dl?h4o zQ7fNQQA%+DaK=zP1r*I7&8kJ{a>hl_dMB2Vs;y$`7}f1pHIVzyMq*8_BpOy+IV^`vsxg=!I#DAeEywh1W#j zfpf7Xi3k*P%BTG4^X$8{(S5c%9YPlBE8`II0-lS~2B>&R~N7 z4-bY=jM1<9x^hL;tAVVMXw|a`ww`TU2$clE<{l>Sq;G} zLQ4^5=B~!~fMtebiRY#k!;~zO2)yI+U+cS9J!cg04UB8*eVeBT+Pg3R94L~ddudm@ zOZG$*Ghh-{1IjoDvBdPcH!dYLXShgBmiMsIbGXtAZ`kXdkc6Q>mMEEsBl|Nrd4B_G z#DJD2$+imUnk^xPNrq4);;!`Go)It-o9$>X_dCgu5$&x|7LS&DL8nye3p^|A7??r1 zV1$E5o3OeS>5&vnKQ#TM!uXE}U_>|_6qW@9V>o$Vpt|cgwmoH@h-(voGkr5{lB+JD zM3|Po_IKrBLdQOx{c@69vjRCphR`q(l*aiciI3|`#ob;WNLB2& z=4-&}hC@BqYuuFatwXMAc^@n9%OGR&VM^^~*W62R2*xc7c{@~fvgNU1%A>ZXhfS4h z(VgqVT}kPCoJ3&fd45a1 zI|RpE$-Ym>jkvwxjffWvevx(mjgv^kZTLL`sLs1Mn#zNC<3sgC&m=P z_lU|xT-x=sdSLWkf5q%lUh z87}Uv#MnIo5sqZ+sT@U#jUtC}LMTO(EM6&dgr9NQ|Ht0Dzqf584Ws)r{|bC^c4K!< z>SD)fwQt_Dj_r2+G#4M+Y0rLbPYjWegqk8)g0iDca{l)7U~nP8i$wXB^n1;xPa~7S zU@#aA27|#2O+uxeOHJ8ir3HtCl!Srj9Vck{R60l{e}DrZc@dssTl|9_jg|1jgIECRJ-ee05Ds( zf+P1NN4C*4`%2T?vGu`(8D&TrkJX7BY%Xu5llC7(C-v6X?fNC%Zm?{nQ0siNj@Nf} zyg_%RlGj&C-eBtn$PY@$@7xOcfs6dkO56tu_nj@ng3lxiw$@3|99TgfP8Ck0O3l?$ z-LT?QZaMGpzZv)nJ1+z|5+N8|-ugOO|G#s+#tLy~YJRK0YO(aAJNe+yZ<_y-#F1_OPh z<9Vu_y)E8PaX2L!!ZuPO4Gn@G+7tyk>QiUyA0AL0FJMfhoWr)teI2d?mggA|xdt}nBHbgN_CUZO?Xu_^Y1|E>Mj|Wa758^i~ zr=UuAg1>yhCuP?pixRF^R^xa@yV6$T7yk6VU?M*o;Shv}wkt32EMD41uh;AC?e4Sn_m}?e&Y<7x4+hT$f9VaL^?Lokpx#3eV9s-#{iS#7w#uFRlRO*fobcS- zZxQlCFu3%_kQ>-I)=~j(p@5&;l!TWcUcC(^Uaxyn+kKA<^S`+;8FfR#Iv!1 zN`i1>1Idfm_6GjoxO;G@PH4miAkA1vI43+1<^RbqX{yyw2p#BcY1IteF3MdxL&y{_i~7?LE%_hj>1I?0$o;=xhi+e`5bH z*8dkXL6&ezhUlB_=g*!eig~9bpJxfeV5Wn+zx$FI7FO(5&h=w`pT#`ixb-sW5wu3ryrRku}nDQKTUhbcE#Q*>v6JB(A|DwkU+y1#u2j9K|%4sl&v6PRe?Tjp(>&`7tICL#iZ5~56&I+Y%gZx ztY~rwgS%NC3l#=;=8#uWaSMGy2~8r=-G0xVri!5xmZMEFOY?0y$?Xi`iuHqY$?)L8gq09SK=;9lN{P=&WjAW;Pbf-owqt^%q#b ze%9UHocq>h#nuz<_S3CqvfXg1wVr6DCaaTd%_-Jqf-RX+cQ%_IM%9ol-GQcIt%Y}| zXjoHvm7ejy`@gmK{~=CINV%34faUxDes6c@S!w^j+uMCS|9Oz-2K#?2;SR$CJl7BypOM!_%N9Nfv^H!O;bbHE6k1A=yACPOg?1w3cuIGJ6M?10Tu zoDtOduYNG-`@K$e;zFDR=t2Bb4QW+mcdtjfW(a>iU-;lFF3Ol0dq2199}?qw{(+f3hH$QZ0&T zP5R3)Y<pQ4y>^|x+&?I;47Hq9*$9Vg$eY`*_p-rxK4qDTw7eDx zmsP(zQXZThwk2SgMQhOS_N<3fTCn|Eq-&^ocU0RyIaa|}TG9@uR99$E!ronwFe4Ka z8Dw1|*4J%MMh>3EIygVvHjOAWZ-@C%{hd%$yD4X2%rd;yl{?VHhId?j3#t8PwGbFn{QfbaVq?#g{#BQ z7G*jgH?Mx_`QQDv_02E;@8{pX`TY4w2W>j!L7!00R1hp>C>C&leU@?Cmp0Bkz_Ygf zPX+>Q?fdhW)&4&_{oS(v&*1ss*`xjMA)a>jKajfT(~Qk0Qz;0_fm3A&2YD)EG6(5v zMKUemoaZ1t|gaXt-l7HF(`y$kCx+9N4jQ!UQrnj zwJ0rCO?k6iEk8m9*cNMn41FzGkLKu_B~NpdPcwF{*DTSl!V>u=_O#vJ35IxX`f#mr zky=I4;%ui(DmaGyozVo2ZL3tUPp)th)zq&X{T=gn>YlW1e|`cuDw+;opw6#}j+=3Y zj!sYCp2|#7FdtRgDxGa611c2rw=~JEtJFcKxzQI&$#Y(Ieyyf7FA}(rE0U;`VHvSQ z^ll>-M@}qcm3l_y%fMVFxlnH})y?N>eDg5IbjI%l?eFKAOde!K&sG5xO|)U0qq_-p z-Q6fU?@RXcA-RfQ1Ot%e)yVK0bn&mHO6v67DOP33PiTy3{B@mYK0fO`YwLe9W7b{j zf4jTSo|pB%z2}ejzaQjTL;tgk7cv08N=uW8k#+^DcHu=sjmA@F>o*;jfZ1l4G3xx4cmK+V;0WauE7JwK-E7bSNE*zN zift@oin$IU`wlt=hA@4W*WzV*ZnRm1XBt8f6qhe#P=b?r9Lri!Z+y#T~3HCDVE@m=e$vG%fR*&4J1<-DWA9M!xY$tF-U};WQQF z=DZDR8PWaAbDCCJ7yT+y=>s7`$7s{`BecM5!FZI(GAv>0Gz_ii;11x|U&6ydyM zh)tx7(xGA|o~N-g4aknWMu83rZ2D=h*sZT+nmu@TzM{$crPZ}Nf7aLk)ye)E8-SJie}7QE z|JmDnwEsTHvyT7g4>Bkefk?k%Mvz1-NnpUCMYzD26#0NH2hshLV-w2HHvLxDD8*r_ z6(dbl1R`Y#RbSO#>e~s+^5UENt8AYcF+o%&PX*PgX2FL7+tV8VKixmgUbv{VN^$%2ReT%A4Ci~hvRgBWd?AH-R}s0pVFuK{0uyt^cc=n|Emc@AoVE|6p(T`J?{-5YHO+e@mAy<)&#A2Z~vAaVZ0; zS8|PxQx;-y2{y3SBAs+bCZlbx0^e1gYI|_NoPBx9F*> zz$ytgOVp*00FoT&1fBK`XgK!gSD{;C6>Xg>)VC$?x}+e3w|A%X(rhrWWsF}GQCDH1E=Uuteu|QBuSk~Bh@ekG zZA(J5w*x=v>})DmW5xoS0%w!&Oy#9e2_eHGFWagPs0F2Z=;{Ae z=+1UWBI?T3whrE&riwu8%N?vTLb5FT& z>x0uJIN6iMYIMnrSz782ri~$w+f>`BQy22aLcZ?nt*25g)VrQi`zG_J&Al?3k92cp zk~|TSH^XN0IH!J5$V#ZB^8Jj!`&6e_U%e;;oLT{EzBWqO<`NERYeE$*AH^E|Mqu#yJi2+o!;}u_`eVGtfBv#<6p@FYS~<}ZfaI>mP&n~dZzBT)R~># zGGa-Eg+#~?DQi2ZGh3LS%MN%;pnP=Xyy%*{CvQ`ENmHJY3T$+yMC%AxdlABWD=0pi z&?}PYZN;3EOod=G+J<$1Gq*B}vxEc)mH~O9Kyxkl<>{cl8?*WQoagHB*bsjUs*LLM z^#y>z-)S;tx66#Nq5E%gCz%agF(CFWo`RAxj=ahQ7%#-?a!q7bNKURuhT}3#xmaNB z=qUGnp6&8zMTMyxPnCBj?y0p|Lu&}+fPPU{IFzbWt+(cG(N{N=%Y0v~@8C&QIe9M5 z)@1#}*0D6sLH)vARsI@_+K3hu(A}@slFD-Dk}O(@9f&Y^3#lU`6kZbWW9~ePmWL57 zmt;|YCGd@9a}tHL#DJ=+Cpe6z;Zgx$_(I0`b|!Akym14MR%VV{!*y${LKH2&#%ZcA z3Rs?(0+$zvCK36ttkx5QbhGp1%IT&-te$P=5+}=0M)Hi3Dck|OmZU4Y0~Hrfx|?L+)%A%-a{sgPg!-9jb7t6i}PTV}xs1ShNM1n~S8ju#jus z)6{*+Rn3AMv{BFCD$f>hUeinwP6e3Vv$!Svti6AFR#SK zl+-puNlFrJc?b;xbYkwd>#kl=T%IHa@r1xErYqM-Yx1~rbt(Sf`w0`&Oj&G;09$ns zB%NYaVNSNo{U&OT8ltL#wVmDx&?!ufcwxRHr&4g69GqCUu3QD5iTEL3!N>j5x>8R$7 z4MPdh^pBQ;4a;nvHH>DJE^ z?RI%$P0w=dlzNWSs-z~L4x0jG>}WJP7DhEpYTrOBqXGdCZWR5c+AF_0Hb2#b4v`^Q z>JhPaDR&hDrWu#o`Rv}-3X~>R8vL_7Gd0PJP#?Y$l#_5WI{fi%7gm-IDSQQuugS;{q<*y7O3;j4*DdN zHlAnbSzF-6&I|TliV{T$XTtI6d_0ax?bNFmI+czKLcN*KD(Ec%S?|p6Y#CFVVVm94 zua%mOQJRq}%I3VPEnr*i-4a<{9Umj%JwEH7 z|K%*h6LN?5Kl}Z?-Rk|%$Me4jdDf5rV#g>rlgxnN&QGoUR@@Sb0>#A>6P_z1^|pAc zK-*w2rKXDQo%#Scg3;Fk9ylNUYUGx(HCF`%s8qAFIJqspSYB!A5edlZYAy9?ll%e4 zKu(dZl37`=;dU8$>G9XjuN^zif~{Aqsw)+lddwPo^SGFNeb3tRzXE9ZAt zg@L4ye0dt{FLqFwy6jPQmCfMFm{9(WXYp2j?XM`V$lCK?ngQ?h{ztDe{|C>W?L5x^ zhj`YQ|MD_FO=S3bxOtm1G!grGy}MRtdd(6*a*sNuoRD12`{mnu9rReeg*v`|*-|bv zG;DU*S2)u?KlM06d*|#Zx%vrbI*lXwkg_aSc|9e7&!1mB*}R;ONSMb!9Bp{8+;-dM z@l;V5)LtF=4E@eoB820M&POnL2cm?$^#A$u=MMUWMwpYmUF7=_30Xw8YD_gR=QNHG zNv_Zp&g3DQbTYxx`+nv4m1rRcPY=j!;hW>&)gw{@Wf?=^3phfhF$LQP7e62}w9tB0 zx2+mrEIh!Rd|#;wHb=i4A*=oH>JY6hxvQ{FRAf2!F$?|iV zA`tkTpciOUA14*axEx}Ac%iG+8Rd*w_DYOjaRMo;07SIJLMzXFH4Uw^U&k{8u}qaz zc2Sr@;PextgeATz-G=3wk19*vJC|h9cli)}cGl%Yr@gYzm+C$o!<%mzxgr@SKZ=*b z7fAi7O1WHS7cCF+&5lij+T*7!=it&}hmylsP(49gYR6ZT4t*W^=i~EbpSAV>Yn&xC znXIz~SZV+5RqVfmoyYvo5Av*`|NksU9^nz2=PKb##^M+`yn<-8rv}r689qn}7K~_NTEfrI=9KHLKJPZDwCK2lR*{{Dwe}D3cPx0W{ z-moLXjsCoU`sVn}4?}cX^d3bdCt*$^v?)|_D{%Pd&qMJ>l==L5Ya1zLBQd!zWI#W8 zWF9Y2MnpGBqTJ{36{As=+A3973i-moF^nWvG-HXpHUZAr%^4^ZZAiv-5(;qOgE%d| zYQ-0=_*O~JvRynb9{-0t>&k!2!KM2?#GKoC+3Bm<`{|B0?)>2P^X+zhx{dqU^VN`atsS4PufXAX zKE3g#uLP@p%ZIaYN^=tC^Q`tbt&EUWybNicPn)-nB{*WC6%`t`ji-#|4O_>|`qXh+ zt$`z!U+rdM!I-PpE9iEsg|fh{YtmQa)w_dmcaCM(#J>^7|$IIE3ug0o6p zF5zi8aRkrna{RD7Uq}DX?F;?X9(irb&aoPYcZ*?{gaau*yth zO{g1~Y3|h|x@=4GCo!Ha>%wis-~F3JzqD26;htOB|5C>DNk;e|@lq4u3j1GwZ>Q}4 zwby_2|9Y6`CicG*IqYZu_p3X%{#hLL)ffN^oSMylMVZ@K0Ijy}$NpDO;I&ME7KmG3 z1FC^kYXda9R#V>I?r_v=Qqyk}pN zQR8M>eMCYU5fkHFB^V?~1&dX9E?e`e%r@sF&=GE(XiS%6;j^)?zb#wW8k43$OevN3 zO=BxFu+T(dt(UNp5N}*mmiNHb>q{DVLrmS;QdT<_drD4$3~4KCso+euLBk#OFJ{+T zy@IZ1=~xZVTIeL98q>V2!Jy?vRv(zuZ}fBstIhJ5TDa8PskYqiEZGb;wy`eYJ2r<| zU0jo6Ze|o)0_c`@F?+E79Hy~~O1S0_G^myLXq~y+?Lq4v-HY@nioP?a-K!-C=*rcp zxrA?#J;&0D%IL=Qt*cZmnKZI?WfiJ#@g5|Jt*qWml(_2dpO}kl`*U~F%_j7klCBJO z1*kigcXn&(%|%}A-u6$-E{%O!!7>djk(Q>p%@51UeHk(mt?_%6v~zWLC`^*(f^R>CzA07Bb@`xsuEnuIvp7Yx7muF3mr3Cpv_V? zzEVFrbrj3J52KQT~UoD%9>)p(%KAaKdw)t@_QW+!SY9iT1Ta(AZ z@*OApbD2qZz425myc)+jCnsy6`Bm8St*G?{g>K`j=uo@ahHCmQ@YhW%&CfO3S$=LM zZd>A-XP0cYZo4A5vEjA-@$AT_Cv z%Q=ZQmCk_v`vvOnZnYkXTD9XA{9g;tzSv+D&_dl^zBbp;xwhn5*lEzcL<1@%#0}Su zGPcXr51HDqu6cXLn#8n^zFPP5+-m=CFLX<+04w(YyL&smvj5j$_woMcgFH9c{;SQf zCzmfv zD11$No=kXCOPjhbRFmJ7h5@D4Qm=biZ{j$gs)R;4(|QPColF!cnppZtu)wp}iE~zL z^%|@xg;LRIO{s6!N)g{}A7D-8|60|)ET;OVkcn`P>zioyduXB67Ymil6%-iTn6q74 z%{`nZlgehH;NidwbmOi_Wk;(?EYwc9HC(2XjV+z+tNYa0mrglE-O4HHB$%^xVe9AP zqt zrKPpfVp{dfXcRjbbY5(hLs>+!_VCx_*F<|G{+0il)a-K_(s>434US&!{$GNJq<$5# zW)k$^C_+ztU#LZ5v-RSMD6XV{zyc>xAogGdYZRkzz0(A&P~z*@)wI+9gDHt;bds=) z+@OsW`hV|PCH_lq?|J`G|9^;Q1D)VpNGeF?D~DJtI|&-iX&ebDp5pKlPY4gZ4Rk)G z9PxRYvMlF_Pe~ku&kLI2Je<;GvW+qlvP~NEMe{BWm zZ4xgKOQ5De38f@MF-=I|1&3$v&%`3V5P7c^l{_oKZIC==ku6 zdqJA9-$|Hz0gVXm%5oX|-3zXG$Rg7H6WJu%&HvM*{lnKs!7RE_8_Vbav**wH<^6xJ zH+and{UFZDlm#jxwRO90&&RynXb`zeqfDU;nnLGs}r}A>dQUFxSmlN<-d_ zWzqMFg*HT)EwFx1GB!_zNRe!XVm6^68j<{(2!W#zk@W)4+t@(oul{j(>UkFz7ecf4 zB9f9MB1uSz(%!||I#lpromYm`A?gPof)Cp3MkV7Lnv{5|5j!cK`YjrR7Dt#*y(dVZ zk4(c0G*5+|YDxiKIHf=7cCY&0B~79s5<7T0d5u$VMsh5)XMwUrxMs@)>A{2XJdUL= zB%EjKTC;^zjZo)bB#s&SnPqX*kw|Q8pyMPri2ywhgtSyd(u`fvh;W28&9x~{^eZJ9 zN7qvtPEm*xp#p*NA1*pvk(i|@A=hd=R0=}ihRXPF=|uv~aDpc!3q0?oGn`HXAn||s zaXunAO?d(BQoVuUkSr6CG-ivLP!5H%D#62_Y>a?24kAZa?UM_jk{i{oM%$LGSOfj@aZ9K@hDXBg4(n1I&KNm!t|f%eB^n$VmIL_Z0v#4=7Jk_ZZr4B5{o zbVzuZQP?J;*3Tz&^dXh$Hjk5Zp0BRpee#z-tG?e=wNKtBbfKm^Hk1ky7LkCnaeje5 zA(^QgVI*E4@k!BiA@{$uj#{74h3#Jb{oA)4WoIe!Y`@$;?TG*X@6Of*T87CKXOV-6 zc=6Dfq%2Y-sn8^4kw&B|ekVDtL(E_jvRTR!lH>-T!a{W6@<|gWk|Y(H+#e<|nGSG@ zM>K9ZooXh^jpkSTr*0;$o@}?DMt9MGJ=mc|=RgQ~wVq#;yQ@ZDNXHy!Leg8JSRX8J z%EdB_sgRHQ?hzfEoX1uRh;lGMaFTBYf=_}AxuzkV3BD1}Fk{K@Y!npg$3-2UI88H_ zW)#f1rYI~o8o~|6eGNQ|MZAn^TRbfY_lPIYaZbkbn3FQ1ZSk}r+#jAafeSjf7^|^JNPf+-%aba)ZShnP*28gaJaJ0TNOna-a#Ojqe{!rL+~c@wgPYLs z-I3RLa_K2UxTET<6js=tNYErXhk$1^-xy+wGa{q~KYRdeK_w&^#1Y|f=HCi0(J4Na^oM6%9! z9>)kuf{Cy?0*ZH_$SGra$809FM^io}vMtonH?E&tY$Hwx`sG+x`)zXr%4Ce?TgE4u z=h++r;{~Xu1L-`D<&_0~QQLt-7G9D}@*p}T6Uy^!fz&OBH+V)k+Kfn=kr3x38j1x9 zxlLpwiAZ)*G=ylvbAqF-QrFF7Y3zM}yZPH-tDub=Ipm_Q;}xuK-hCZ?rMOGRjV+en zeJATAgw*-hvm$(nCHvu|&7D2#nLNJ4;{K;mD2m6KkZQv^!r>)JqKld#KtCvdD1`OI zR4k8FEkqJAG38;7SoWEm#``D7MpIsI*!8UCauc9E)fnrTcP9)y(ndJzC}Av`{6(Xt z#iD3CVL1&;hYixQ6j0V3#ca|Y^!nd*d(XT5Z@W09zEzw1H1Yd>f3Ita^+l5755`m< z5{~MKs`nQs0GvQ$zc`(X3O!FKg)=! z2KpezoQswHqKT-qRPauT`+o>gLz3mM)|xt1Wy%&!X|Sz#?2EI0co48Utjj*$=-@)yb(D9$WF7t$Uc z@RWoBCou_gmbtaWp5lUEg>IRPWd ztZZ&U3gTbr*)2-Ey&_pgBhp0Ga%V{^XrKewfbwFxPU5#_ADd~CErQHiKsqf?ZFNhmoY zr1;r<43~a8vxWI-TLi!)bmY|kZF55d7%DFK5$#w0~MAmKhJJolC&KBy#B$?#X4(j(%hvykfCPfq{A^%k~&hLVW zw~?&BjbvTWcx2gqy?K&aJTq6E>bMU^lwUZ9X*#d~MrlT_!1LQ&w$h~43a$m95c1P;gSFBjse3+-Pi9DA?B$KQt zesOb?818%uVTfr`oPju}qw@w(vpR#!zA&G*FW}}1vzF{hpcJ8Kbv2u((H-yED)>@6}vLm8<&8IgKMk zk}I0AWG3&KW)%F~K|z;}0a&UGYdRZAmaV&*zRn_F?MCTpt1%kGv1lf5CvbDuK=4wD_&SjW(oKM&4 z#-$VIL;kgn@>Sc7AIU;=;uYn#KRQQan(^G~g1{K=w_tTwJyKm|nJTOHgP<&f8XlvB zCB80gccZFQUy?=N?Hs7mb=^}^>!;$1{0$t)zr54dSG=}A^m7Bp`Y*3JeChVTqQ@32 zDhn;SYR3G{Odtr$Ny9MDDG_~|0eF|^Qejxx2j zV8o|bD6rDQ5c0=@oQOw{zg@+LN zfM;n;hA4ts0cD6j9lD8u_3GQINfAIlMkMkAdMHkf|U-wXPF zL`D=Re!u5udpn+&&f{2K7hMGuh&^5)EWw|ciY7okm_?uN$JcnlpCURg@DMb63KuT& zr`s~rJSRC6KOVnf`AJ4NN%E%>ALVXTAcV6FFFb^3PGs=V<(TT&m+=B|jdUV`AT}=0 z*B4$kiv+#S-H^cZA~Kp=5zUZ5vAg(~V#Q+vS>A&<6yu1W=lMi`@5lzM{ zn@O*88HkD7gCryT3*O#OV4IASkSJgyGW0eKTiP7A;Y3<;`DH`UzhU$@kTv|s9tm#) z$*wDmRJ@}NWSu$|GfQP}SVI9Gb4;%^#+W%Q&e8f;sw$ z#q$|)k6*XZ@mTX-$M0+-yO}o-BC69-VRs_R1)dy53qjCO26f_;3Bl%I-0?e}hr^I? z{+dN(6}tOS63tjtO;OOU!=Hx950H^<1+1MHV4_TvyZ-1bkm*RZ73hs#t z&O0gwGIAi9xL(WHS+kBD^bKb?BwaUgMjnkASAT}IW>b;4(CSfWq;F2ulp;(O@(5=s zv1JG}gX#vdk=;PZXqBRn&WH0OSr}3ZT0(~fVsjy>epa`7ArLa+B;gcdP{LdU4bzS! zMiX;nwv9NO5tP#z;R3)lPGC|_L~ZGCoypVTlyOesO8!DN3o68v(2SRfXf=zov=r+~h0Rm`v@73ixb4mt?WD#Y-!oblV2?F{a5z_W3i=&)cx0jRRRrGs>O( zt7a2&Ou1@;y?J|nbQa_vq?`&_!dXmilh>iwd)Uklz5WeyJG4yhuriz1t+PD9*c^|A zL>jX!6e}m==F~tgcQP7*kXaCQfDkFla7?nCJHw`eSb{JXJ8i;qG+U@(?GWL*G*mA- zo$V4eUvxUa^G{1fTZYgsH}FJH_4fiqDXeyLXmHQWJMtlAS&l3)FP>~(&POE7W2me{ z?fb<=2Yu6`;0EL~^gCyXK<`E8V<2Q+VDaJSju3E|lf7N!`wGBvr;L*;3#66QawO4=OiABEf&rqrDYhB9ld=Oc-}YP{0v@n3h`@_ z5kyrGSfUa)l!@?vee;dy`RGJ@G^^KKl0yefmHmaQPOf@#fi{%@0WyphXvFfVtTce` z?P%ItfW*kkh`G>x7v`V}QwA|bEQuFe0s7@%BqPhC4eKbwf(39&Ri~tT(iZH2L!1bn ziqMP!m5QCOGztmoUfA)Uq#u~)qj!P|QYTW8P%kPtUF`%8T4Vf2cSDu-0XbiB`3h`A zgXb8CWGJ*~d ztme%&z>^N0$g#G2DL&;PNpMD)3BhRYS!3?jju_#hc`dN? zY{bbzjAMaD(F^H$?anp3YjVyAwD~f;U1F&9BqL*zX)*N+8;>a%AfZ^q!nxSxz^E;s zJ6D7ES3B=#bRvhiyJ3F%b58sabHcaOEK#45i5xuLhn%6S9lB4IEiiRW+yUGKWE@U3hzlAJa{6nl>13g75jrLG|8G3<7)udf3PSOzScbYoeHcV8VJ9KAU^@&{tsewW0A^J0MD z`)9{z+uqN|=l^>9?i~HRe|ozA=KT2R481)?2XEgT9-kk-eRGE1evkIw{2Tpv{N`{Q z5h{&(A5yrd&oV@3u$%|pnF_k08#k7GFw4>q#W3{_OXI{%+7KrDdojWmq%+LM4ZTW4)AWrR%7(Erf?OJo+;I z3>@!9stb130KVWknW4?Mr-v_JpKU2u?L_R?rkGPW?Ij;_k{DZ`SfyEFVm@%c5Xpfz zWum7w`xJfpp{7-y5z?Juo|DXcDyEu8L(w%2#wH5poaDUAa~xhevy;vyUE7gJ6z~Uw z-iN`?ZjdGu?~*LwC|?YS)l~6^=Nk%nK9b)uVloeSzD}s%%`k=AIwS*VWQJ)x)K_>& z#{X$yY|NEo>O5(o+b0&I%K$A8%yVZf3Vx%-7C-k=g%JJ|ARam8|a@Ze-HWr?sm)MxH50h z#)f{Wypg0Uja%XbY!cgI8%uOTSIXt7gbFHT`z;lfx7AsT*lyW!2=3^P>13YC?WNos z6D04RO9QxQSf$gn(iTmYBC9--bb!|FstXQWHL;HVy^Rg92>cU(DDZ&;rItY2JEozo z-K1OHczY?MJ(%nf=EifV3em<_Lp!tIfv#M3y4d7fqH_|4(EOcF4H2C7Y;2&T09;Hq zHY&s#%GU__XtvN5ec?V9M9-#k?Iu}}@VowHr~%}>2Gv0e3zuD_{S zj-!iem5Z&`t-RwzW^T1wnd^7;t>`K%TPYp&YVVGc8-eEi(yfFds=1AY3v!Kq>LX$2 z;zKl}N#WdE-&3HHO*1wkN<$bC?cf+0pEGs*Z3+~j3C%n;4tvrubO}Nl*n#>tX9cSXWC}AzP2W{( z3WgL3KH@PU>9RI)HsNSr{O=~MiQ2j;n#f#o?xc5CgYv}Jr+HQ(sg7vNmM4Rb+!cYJ?n5e#l2bb6Xx-8#VFy3ic@{#W5V%{*#H^ z3$p8kWcsL6Iex1uXvXGAo-!&O0#4`2J{KC=aLj+m*gO@}tP0!_=atXpWsN$xtB_X8 z8AoAZA0TQ`k8_M7nn5V$1=@rRjF=N{UGCAYS(o1mT~*_*;yI7iA4+;e49nYOOZ( zT4e9PhiXevx2n{yEBYvfPe~lh+fJ~!IP1zz?-_hrv9#Rz;&P|Ui=xxgCFZ7!%*~gX z`(J3vOHJKk(_*=C$X8i%N}PM9(odoT>G8Z`Cg^OHs&rr^B7*-N9~x&4S0qcYZ&*%- zDz+cHPV{=AZiU1V$-ohXC2H+!XiEYU5?F{^0bxX9cD)X|5(HdRDY`(p=5Ma9kjnTz z9X!ujXS=-0$gFeOLR1K+*D`sH1Z?+6>TeVckA&uCy*pL%cUOXHlWQPCoHPUiCYUpJygEB zYhiC^8@NHMd-}5u4!WeKQZkYJza^hi76G}d4C7utL`Z=UOKq=z94uM&_3J2TO+ZaU$x~otMf+hWwg|T;Uh!VpZ+$F5%b6wLsn*;b zhWo9`ZxT@j4QbfnNt-#7U-(u@f1HznIfDp4{ zq00jdrvri5c;@md163Iii+jzGV_9Qg={xj24L-19jSC;j6|zAC}c@UQaD-{Rl0(M%%oHAtZ9<+G?0U5?x~CA zUMGt=VUfl`hduat|MboAn;(YNZ=l?mw40)vRuZGDelX|@p)3^cY#Ys!;vAJG@cEhf zEZ8~aDYys%Di&R2A{&k}7R$4$GiNYFkyGtR3`bdKCsuzUN4)BuN{MqS0Erb?{CG)a zs=m#v1VfNT?tC{kJOQN^Io*nN=u?_&w#!?61vpD8A1*bNO;;X9HB=N6NY&x!%^WUF zu`v>_bvbT+G{E4CB%Ed}VRL@KW;2?Dy~lbBdLPZf6d%Z(Ksr9HPz70Xv5hV=GGjS; zkJB_>SbtwUP-*iAaQ-1A z-UJ34tS^asu4fbTB4|KRd9;h)Aj%G;%7m=dHgcDVS4R6TGyD*B*m$hghBt4|kA~Hl@tIq8}FY4yo#Wvi{fIV4=IVnEq z8_MpWa49AdujM!nSpD18PEM}o}f)m zAYd5zUm(z%$y3^*tajKyo3I_7rzDetIHOlICKJMic4S;SsO8*naW8~WVghcfW{l+~ zD6T^ZxA%o>fpOce<)IqhsjNC*Lw_1Z@opSq1i*8XY749oLU&??$HFC9aEojPV>L(A zq;R6z)i4-LK$;^8EfyCx+1Qlcc3M$C%gwnia#bR2dtj_Ea4adk98|4FA{J~5SRCQB z7Rm_36i6Dmr=OA}hoq>8CFs@R{z(8-Hi`&PbC(Pf4*JGb%g5j9-r9{u_!obiL##m*NUfR=(@<5Y_oV7R4ddM>oa zK|4-p9*w|@#CBAGx2g%8P2jFCzxUxQkXeE6&o~yGRvZR}bDp!Aj8zDCzpF;XJi`gc z(zPXKlLzXI#I&(H2aXNXHF*{vJnP^~sjemKXK}18rBp=2+?e6mBJpC|1QbZ;x%h1_R)N66x~VFJBkvZc&lMs! zDdj5eNSEh0r(sDy2i@Eyu0ywyLt9bm=tB;Nt)ev2f1p!EK{c&T3es)jG?is?22O~G zW#+8hA^27sI(<`59`Q1WN>sWD7jD3@hOakZAyFc zLx)h9G0t@fXAcb8g-i%pDmA5(srJ!_E0qBG-#VCXqArmeTPjK?{~BR;`cXH?gNocJ zFU-r3EAp%fY!kKksV%K-3{aHW=VyWvFBir#WEtL6OU-1(yi7LA-PHl}d1 zqfkCYfkw#-rwxg`7MxDrPe(XV6GuB847Ib2GBuV;t(2=p@f9+)+OHw{ym@SGc%?l3uyZ(2BpuhKR&|2qDhxe%^MO<8R{G|2r`#XX)*~wV|GEi z%f0ihanM@Osgc>77Aokp8eL^_Q2(^S2yIf8cZgbvEQ_F{mgnSF341ZR*DSk4IA-7` zX|oy28YoujSnXa}mVh%<&5$KM+t|9q!uElLa}~d=!qHv)TYlGnQzpT-`CO0d}BH4D_841ute3U+8hE3EHJ%M8#|ZqQh#(0@B~&43jV2I>Onltb8zwrg9R53C8mJbt$vK^o|FDE0^F#0FMPm>~ zImffqW@ufqai@I-8{U(Qi2czk2%Sd>NAk76UA$Kj_{4`z@Luyd5rA?MK`PDCsX;x= zA?la3EbevNa%(kqQy*j$Wna-5%}p!zEGwLbWF39v zTyri`0@rK<1aZDj;|WXr;(VxN&Z~pg*!Fpt{zyoQV|qpSagvkl3diXD-~?To*NCe3 zZbP+ITQ(HMq|!(vZNE#Zv;%$smgo|6?eNe9{y@5vG|ht?=Mbex%osM$k$C|Vi_J@* z%jKInZ!#U>Q!-;${Tg3Q3!JE>uzwwi(or@&2T^EjB?Q+&4C?(|CC_DTJA_ z__uH~U4G&3PD zcsFJ8f87lW7oUxN@xj)tm!djEJ3Z0$6@_HqUmfnBRJU2$5i`PR*>MFbsDPB^qVp`4 z-`}0SLL)MvNn%~g5$Y+r5CwnXzYV)xp@#f26mWj)irrnID5kR~W+6##PmvaT;@;L4!Y4cH17M{}ZoT1Pm118O`? zqDq(MV;872G2RNMpx)sdbSicUs+1tU@;$>@I5pB0;M2+=3#f;0L}i)VAk$5We+9wn zDj4?*bYdS}nr2pjkeI#4d7h#DTm@y6hSofsB0LcroV-L8r&kRS$1uIsnXK%+e4`F> zfwB>kC%oeO-vLe6>{EdqPRWeut8Bo={6a$%-8(DS$YXAb_f66BS7(SMVYW!MWk3|J zcYn!Zr4mVQ)z+=zwti~sO_HWn^L!5(A z<6GpKKh%d>chn$Xq{Ma-)J{v{y;kXDKxE}Db$n6_C)8hI4Wl6{Ua$LAA!364*IB50&Za(p888a6G!&&DR(g>^HvOi`yI1eyhVnRI%-OQLGP za75#4^ovc5-Ni;4i*2X?a-QMwn1;#+SNq7zJ+lnWAm{>Ny|b&rw^?+h#T^gGLgZU6 zXvJL*Fm3x94Yx0F^$jpp9y<~tUn1nw)Odl{^}@{el`L=u@J{7b*nO!h5ar`3w!7-S zj}-lSd?|OvT{dznQW(elFlO_}S0_`MKc*SE#&O);$Oz9f8s@$NGiDi3OcTs6&4rB( z)YMNUtb7O_3IFxFgWWpracU_agR>lGd2ybUMBt;i$+v`dEB+Bmwb%~WA&6Om_;iM5 zWX3Xip!RZM&O@bxt_xwIWJ~Cx8!5QB&gfGHg$wwOoyxrxp8RyMdTia{^#+u;fyY8h(S$_X0!4EpTHjYPH>1_1LB+;8 z63~dv6M0Fel?&oF;%r-bz)QEV?INdLh!YicPz--?s=`093x>VMFn}RS2 zAs^v6IFTy5ZmA1UN+1eeKya}@X4ZgVGtQ*4m2!j{Zf2}$tk$Eh5l22B84US+R0N|? z++Bzbb!m!8Q0fW<6*RlDUE8<{kWJ9ZPe5sX&(ziFVOKPg_%0!#6UUj_$%q zzKy~uW9Fxa0j=E3nT>pq;FM39Oig8Ek&0b;rao%xj2NNfjvO3C zD&Z&D9O$d-=xGS%N@HfX)?%D2+*?=c?lUA+yDCJ7ZkTrs*{!}UpA2Hvu_wVP`D0Fa zIr@Ex=0z&f#^GGD7qqFjVgu-)N@9>B=uH18tVh-gQqBFkXvNYKJ7 zlkHOZDnQE1*+Og#ifj6+rt6>}GgF=A8P3UMA*~T}Mt7ue*Wc)C?#o z9P(w5vS@!Su)S<0SHNl2h}hFc_8kU!ArVrIMVsq?X;* z|A8c{5Ml_~fhwAf=19>>nT777AL9QNgvHAewmSMvX^g8SrQoO;<+>ihEWN{FHqm$F z>{qd4TcLeP7L8a#_)^IDY$SOrlucM688{k#Lw4MbJ8on^eEc8CN!hV`A(r>-Pf;evWC9!$22E800Oy8d(o~So!%WhrSg(w6<@mbn# z8DOKX1)Owj+ZH)GQlU%T$fE0XUB|<-%>FeESz%aJ@+#&V$LL}wA|o%N(VQ_hQh z$CF0CJdN1XZS>UCefpa-QA({Yor!Ws^;#MxB_Zs9sB3dT1!$Y*-Ij0DW^;3#MkK^$ zwB3QW1NpcYLX`nl)~yWSg3U7(DlySfbnP)LzL!3oSTQ4IP|Kn~s{N0(7rkjtd~w^6 zd|^2*4^e-xvs-NI72<{}Z|&SFwa5MTIYT`q?PGt?HMz1wV(VJFa|+uQq&YBe1ZzsP z1zGqIG{P*3l!1CC$HK6xEtihZ%MJ$ab_I+>5Oqsgh)P>&C;o}kA^XenO?A=6|LARX zgjReXJQILLhvXL|KOy^@jCd4TT|r!y!tz!>+)LH>+VPAf6Ewy&o@d05*bLKz z2k5B&6i4EEdUJ1lU-!wEIQe0Ld3U4w4t%=oEqfzPmXq@C4IK{n^{gH42FeDs%I4up zy>^BVm&4nbKFR{%NwLp86%qq<0SQ zg6AhMf>e}g#sl=T(5}Zgjz>7W1n*guZQC?)p)YAGpEBe4XG&CqKUGixO<$tZ#wEql zphGrG=a4Q&wbpf_5UZDgY3LW3S@SpWxKeNJT$J@O{foXp$0RH{B+`p^hz8I0UQ@|8 z>0JETn|bO6hY}jjcsZXcc?wi0d7%)zu?t!~LT`n#bDT`zl4C9}L5RJnynv;g#u9d2 z^_{LpG;pzjs}D!&dIdUU$Z(n!=4bygF z(-nof53h?PO{xj4tP^6QH6a?Lt{eeI^f{U-Eo3>5@B-^YEks6nL zN;q+VC5{t+BaL(xP8@SU*cx&iMV9ETBxY=M`&{USjrdg-50xM}Ew+IwPmfI3+h+Y}n=B=!S0o{v z`(jn3@JqGj%hbT#4GRdou~r{d^hCU`Bu=ruHB}M&ABy8c661xAC2%a?p-8+$T)nl3 zuoPnI#3zuq`_~4dLOf_FItIkLV3aZDe3}tHWpRYQmoHFm-n0e9=P+{%P-ky&WrZv|;yDz5K5d$Ii(3!Oa6=oiN zg{rLAc-2a!dm^&HD|?<-!B&(y0Mupw^qtFvn4k325T%JV`VMEY=`AEJu`)wor}L-eN@qoQMY)-1769#jRxIf=l4msJ zVr$1T6`WhWb0@cYSzOqMFcVl1SagicEf}k3xQ133^iHa9>~IpgT)o+{4s`1nL`@a# zGd^RF+>atE4{V(?K)9(~B4yz>+R#8L)J^G6Iz}0ZC^v9hguSV^oZGRL+{0E+9&;39 zD6}*lW*7|aLNIk|i>OFd-}S$JE(@#(X;bR?YnITQWp3~X6;Gjv0HH46o;h{ofpWns z+IG>VIc&yG9U@zUsSlDtkmAH#>E*19fc9jGC=b~cm~cl63#B%g6t*IL{BN0$Op3K8 z8nkIaN54d8Fq$SBW*~&33f3wubrvy=M&s5I%qED@rd?UpM4Xg>ls2|b+p5YsO=koK zktP$4PUUYY=eV(LgLw}uZd^x%fcA{xd3g)+^{Lg)Yx_-$)@U*jYf2GX*lnS7e5Bq zh%n=5Si=GWYag}5tzT~A3?rItB`RA%)ex{HlTbsnrlAp`I# z&#Cmiq9j7UK(j@ZD0k%pm9BWz73|FOvM**Vw6bLK9-8QGX?$MeOM*D;t|2_Bau);U zm)NKiGMyjBa@5dDgN6m=9T!$;b%_2opAais@GCqi3V{hf8=`db-pbbUKE{)e3jT}E z$B$;7qE5(WGnUBF3dZv|2A5wHpwFLuMb^$|)I~dcy&n2+)VG@&vuud^Gy7F+4lXP= z3r?;`240_GMqy`Xf3K)3rd~v3;D1O*Vke&w^Q&zy%IA=HG7*aPXdxg7T0D_b>GS7~ zC_QEKY?E&Vr5?;@5beNqA1Dx7AFveBFvMm58_mt&>=I;TLV2D!&frH{0fiz+7g-7= zWt>9bo@H=!p(T)VJXr!leBGq8**upCm+*wcv13NW5J4K1ttG%yI_jifRbPIy9MGurRIk9h{>mh_K8AvVR7Hw~Y?=&yLW~|2ldjAgC-9!4z`? z?Y&7_ylJX$qo)UN-@G|GIDfi@&P$aoOx|<)AFJ9HI(l_>gnH=c&7r_Re0@J!h@JNL zr*B_306~#j?KSRVTR;=E`BY2o-qUSl{^*N8G<~0LbqZq4N+h#<`dn8&gytL^2RpC! zUmm^cl)pNwN#~6fid^H|aoZ?5+St+$`|o}@TG7&(6${W%hb9OhcZ?0k;g2Shhn)#j zd1TgR4Yiy?>qHcUMj~r-yVaCmBq(k0`*d=k>UY{1^W=y3NB_^s+tc%-)AxtRXZtT- z9lbw1`hNf2tMm7-kIqkz56%oxb;?z3tSB5B!?|>wW=T#yw7gldT*7e$ z6JC)IdADINDNCt_E3O6_F$KgnDYb%^&69l&>6+kw$A?uPxe83!fI46rcc2FR5cPXK zm4<(fqwqVR^Ucl%>u9&earo-$w>cPJ4Smfc^3?#>J}h4i@M%}(K4 z0KVCIyg6ejpUHnEljtvx&sX}S?3!dz!n@%VXF0c%@~ayOkZS}7zjKz{u#H}?*W26O zg@1d!UishMz1`kl`nx-Wey=|mJRAI_H|Pxp{lB2z9rv~Nne!ZHf9c)2t#ar7B+o|= zq0SRI#+@PRh&5~2?TXR%)yT7K(v?3qI@_XnzDS8EE00*^yEJ1d$#P0~XNW$6Am|jl z^iCxnHQy{K9P%##6#1U!F?`rJsppE1W0uW2mMr_cU2aMzKw7IQQ)zWW#nqv@7A%s; z;#IQ1d$AXF-ZW!b!n6`WSL{dK!WQn%`-~(J$)JgtMiyBmO7QMAO*%u=uls^ObYLq{ z^X*+ia{>1U+A$wLd-lJYe#Q-;4fRZ~PvtF{2%VbhrjWHe7e$xchN>Oil|yA}Hw;$^ z>1D9so4nXmdB2y~crc!ataY%AZW4>BkDJ8OL3XB+w z|9|%0eYv` zz#&J|JV#3)ke;DQ6HdHxhJ7D}#nmf?qOR7nmMA_4yaRTp#uF|Mv4Y&tDYf|E-n$ ze;?28FN2d)a6CBL-vM90YKxt|yiNJ`t)sqv+CLc`d^olXd=kr+grdw~I4mnMh$5>{ z=h-tbRCYmQnHopBvR=(_pm>6$K7bh*BbfyUMFCkLA3S^3>3sd#19$@ZpVWEO$8Z`F z#<6!q{8Xj&?OW$GX=nyTODIem!XZd2N(X8g^-byQnDTj5HB_n>-=rinfk@Ie$t9v! z6myP3>0G_j=~&@PB($Ly#C~eWz@s2>@0X$pSo5*R&2CbKn(4W#Zy37Z={mRuAr5^p zdM^de06;orx7w{}u(r?6d!4H>Ng7RjX@QNtATQ=PoXR1&h{wp|0hl7LO7wcE>5w24 zZ7J4Iyi>uqZ=e?d7)AZ8&J>4?!_Y%-^VK9c1EV2R`Jfjh)?Ua2_-GtYGoaa!iI64PuhQd5fIa2gp}P)b3#UZ#K*^u%^xSDd zK;uv^2qiFr;fK-b`;-0A*$1WaI*LI>6*<}wKtIy3#(qu#wtfI<{kn6 zW+W7+nYZ1qeIIgY`N{MW0|bN1w=TGrS*~Bd1ihY*JmRDE%n()%Kov~ZcuIS_>fw1z z15-O5Vi3{<_lgxJ<|8!DGtlgYU{Dj~ocWE87t-s|Iq3B`Uw|GKe<8UOz5VeRT_XCU z6Fy^nHKHS|T5xGdv?94k-D?HL+T zlv-QB+TjyBAsd;>&_lTxOqiL=%0l=e6{cvp*)-mOW0S6q+;R0}YfdB*(bOq)(jJXxlEt9kVU})k#T|yj)Ro72+T))Zi zQzoEotXB69_%X9}U%H;juAHgj$IRjx?Vo%)*ezK<&Rx56|6W>7yAddnc}*OszW}q| zYQgI&I9rsE2pZ7v1+t1(hxB6TC?MF1}t%aTHvtP-uUBUqSkRt`3XryP3<2fDN z6{H~!r>sv^R@PHEP03Bk)Js(@CeBxleQSAT;H3XQo1q{=l=XQOETLnr*Z)6%v-R?M zPXE8Xy}h#kxtHhb*Ue|(63=&JxXB3)kl=l9=VDmA8QKBQHq}DdeAe0j5*ejLNcmN34w(D(x*FfE+uREFUTo8Dunmb6$>jv`n1(t9 zJc&>y^?_ojGB{1$3~JSf>Y%{HH8P?*9jp!zZG<+0U5&}eXagp2koIZ7toGa zWSlK;j7_Gs8)KEC0M^WrBb&rPn-BD&bU#$J)@zZj*hFuPe%0oD(}CEN4y@onHf9_v zffa3vHB+kPY1)KmWEZuu6@SXRzby5Z&wj(8tS>bx>b5UAVd_W}GHy1af+l3RDjb%@ z-de*GfVq0j);Bsb2=Nsb#{&+gI`9|+P@L3!GFNSvaPcYP65yXHnX6&yCKn|E3I+3B zGu(IkHRvCraLQ-v`bs5X)@1x|Su`NzB91`!a=Qz^H}#hab(I&j}aZK7}@gQaJG*;#Kf+m5sRUCr(dC)JLR;WWXv zfY@@ft*Y&2yR2f>beF+bI^mTCAN!PBfZurf&6RBJl&AN$E!VWAAZoRylX{iYQKO8y z=_+swVtVLkZsXiV)k{!fB91UG5+Rbld#9}+z+E%7j`C7XCoc@i8!qphq3 z-mbZORJwk$Ws=6rlxrCht^id)s=ugLM#?$GU#8}55w#gC^o7gdV>cKz)5NaB=-Fjk z3|@IPhp{si?`9ASD@XM*hmo~vq$dvYmHmyq?`5LO*Qyjn3w5JQC|K+Nj042_?*lRh z-HG_UnWOCPdU>ho*=!6=iQ;~h={Ws9{bdZxKUGlr@(WtWS-^j)evI9B8yXc&_~VhP zSwWlGGVa7#QO|)oMa`Z@=e8Gi#h~eJqUDI?`MKLzl?RlsF3_T(tUPY_jU|FM z&gso;bBM^cV#wsCwOJLg*W2w3Uj0~zp}oWL=zg`#Fm5s)883&_aL4$%b zKZD*R>m6fTH_W5We!^{#4}J&N*Sbnc@odosX0}V_5e{VPM_{Zt01i13QmXVJ0dvF{ zoT3eBVCzAd4HgIW%p-4gl3XF^#u(Unt9-IbzraYw=uY32uH(KT742D0AxYUhGyhlkX>j;)e*``a z4iEMQrw1R7cm5U1t7}u`TF$t`*7!+drV~8^GBNU)w7~)g6Ch@(AJZi8zt{q#yA|+d zme~-gcRJxFL!3*Rl+oCH7_}g~YKpLA6G7B{t9-(I)}%eT@}-$ae32~`(_nqQ`m;*r zv%W5Om=wUB1pN(Qm6KxIKS>Nc8IfArw~Ps&fpb&*T*7&7)j0<`S15yXmC``ju4>m+ zotp+gpxmp#6Vu~tlW#3Fr`&UyvVG4%9@!tAAWHh@)5j$#GGxPTfq9+)y#|47;( zUlDpyGZ`ge`8*PONV!i2*jsEy#P21+LiM{RVv-2Of8ube-eJUUG*zdEBhXXnlf_Tl z4}y^-{PU;${dt=?lkBi!&TQczGik*e`^4oVH-%Oc8=$h9oQe`OC8LsP>ZI<4764@6 z3I%~m{4N9X+qto%-I{XZmVHP87*A&$SOy_|$5XLXT=H2G*&k757gxVGC-PFs39XnN ztwixxC8vn~*`~@X#Y;@1Ogq$sNa~iQ*AkbK8D0b}#;t#B?#Z`Wk zO@=Y2k(Sct-3|7I-F((;qI95twX&nNA8b44+P#eT?w}1}5AKq*J=j3m?!%EERx9n? z@*{O}=r~Fzhm}KQr-aLkiY?J9X{m*#Po_bn$VZ_#%&=R~nV$v)HA~6oU7 zaeWEJ+ilSLsQwztiQa!;JxS56v^ZI+x46u}Op=vGFrPZJg5$7ij+0AOSu?f|ZK1w; z?(%W+|48l!`U^O3?*Y;f|MmH+mv8d^A1_z&U+?F!yu2U9bxh8iy!=u|ZVoWQI>6Kp zxZLhs;LzVmb@81!;?Rd2?sR}oQsM4Cp1I<(lVE)(-dY#%n*HnYrsNyfjsSa`4;?WXFK~bX)wK?sHtmLO>5Rg*r}VX3|Fa{DZ5;& zSt{NKs|iXQRFhLzBkAU40Wbc9ub^oWZ7huMhQUEmU|6ALyU**sLuU7m2{X8i{vvzC> z_hj5;!54bHUYUzpY9&7e8ik%~~;mc*nr&YoD*zbVh@2%^KjR2mX3G>_&zlEfi2&TX zLRGnh4?o5c=G>T(TiudcAjqc`G_Ue&wE`RXTotod)f?=vO9oJse~q|AX6XlmvA?)pqJyvEJ@c(h3Sb7nVZ8jBN-q)R)&u^%4g0|?oa zRNn7;IFT&ih_neDtzqZz`-OzeYtZj8yF$+bnC%mDGNY(Rpy=hxF% zPvG)xSPmIC)up{RQE36CO2MY2_2%v6I>i-FH}NZ;ss;R~_j?iVJ4lpA+=t5Gbb=Lw zI39hYUi~D&n^nB7WD*iY2CNy}g=uA3{WJfQ>l(;Y7VQ*Z%?QeN4RnBe2j=&AeEYNj zcSn;qlVw=HV0sH$zvcer#h5BNi60HX#5o3VGn7KgSYIUXJU9&*X!*Te5}-}b5TW{; zUYmhv>Z~Y~pe!}_^r#1%eNk8DQW~N_9Kr1YEfs6XWIw>yRO(id4Qq2Gp7P+D zSoe!6{xzH{rtgn`d=Zt9Glmm(cNtlnX6c#oR6AX5e;Vi3c-%a=GyYA$wL&MO-#TcW zL66scC3t_x_=|lNcLRvQ(k z_wAzwqsA%F+cT{lC||KJrX)J7HjopNfgUwzwM&YD+97I7@e5{9j+AqKP>ti%Zm- zk@|{@yWyRY0lPis*OMfkY%yICU=pl^7^vY?G58t#%JI;pp2aT!s;^R6)Hf5*_+5OOyU}`u06uS`on4i)ERguJ}=T zM{0WRp{e|{OhIOIG{aN+I~W9%$Ao1W?Z$k~KbrZ|+4>5Www=nYFby6J)sV7!rhmLh z=3QS>(79Yx-*2E62x1ETI97`#Pf%e?Nb}tAJ_R63r@EoqAoaAW+zHJNLD?xGX&0wJ z`dOq1==FfWG+x6zsaDw~-u#*J{;SORF%pZ~QYPz;PWxtpZc{*vMQBAKvbX}bf zU|9r;Yu*FNm)h?`aBmm1)g2F6|DtzUk|da)@&5iv>gQmMZ@zX*GW(8-i7-GbrW|#r z6FgmV-xQ=s4)@-d2y^gHwku*_R3MjxeaVIkMNBfFHIGN(`IgiEU+@k#3+`=yMyoyif7 z!8~MUV$JO?tPzE#w&&om?jyW_JL(ShclieKFG6H|jxa`Ou3@u|8ps7ef#p}7O)7lz z+|$q&ZN-BcOxuA&;j^&|#OF1AZLFLH=PJJG#tE4a+w5a?dRs);_HvC0YGQ!guOg}L z9deRGjDrLVKqZw^6}Ebyqq7fpp)>x(zPIAv@URHub23GdU5TbzO^FC++j>|A6P~^* zlqu+Llmo-