From 96465fb0990dbe820392846a24b0ece855529571 Mon Sep 17 00:00:00 2001 From: Igor Roytman Date: Tue, 20 Jul 2021 21:07:07 +0300 Subject: [PATCH] 2.4.0: IA memory limit, telemetry fix, update references to CP (#62) IA: change memory limit for imagescan-engine to be max image size + 500MB telemetry: AC and RP fix agent version --- checkpoint/cloudguard/Chart.yaml | 11 ++-- checkpoint/cloudguard/README.md | 19 ++++-- checkpoint/cloudguard/defaults.yaml | 2 +- checkpoint/cloudguard/templates/NOTES.txt | 2 +- .../enforcer/configmap-fluentbit.yaml | 2 +- .../templates/imagescan/engine/_helpers.tpl | 6 +- .../runtime/daemon/configmap-fluentbit.yaml | 6 +- repository/cloudguard-2.4.0.tgz | Bin 0 -> 19440 bytes repository/index.yaml | 59 ++++++++++++------ 9 files changed, 69 insertions(+), 38 deletions(-) create mode 100644 repository/cloudguard-2.4.0.tgz diff --git a/checkpoint/cloudguard/Chart.yaml b/checkpoint/cloudguard/Chart.yaml index 7f593729..1c35b7f1 100644 --- a/checkpoint/cloudguard/Chart.yaml +++ b/checkpoint/cloudguard/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -appVersion: 2.3.5 -version: 2.3.5 +appVersion: 2.4.0 +version: 2.4.0 description: A Helm chart for Check Point CloudGuard Workload Security name: cloudguard keywords: @@ -15,8 +15,5 @@ keywords: - threat intelligence - admission control - runtime protection -home: https://secure.dome9.com/v2/ -icon: https://secure.dome9.com/v2/assets/images/dome9/d9-logo-white.svg -maintainers: -- name: Check Point - email: dome9@checkpoint.com +home: https://portal.checkpoint.com +icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png diff --git a/checkpoint/cloudguard/README.md b/checkpoint/cloudguard/README.md index 05866a09..61033bee 100644 --- a/checkpoint/cloudguard/README.md +++ b/checkpoint/cloudguard/README.md 
@@ -2,7 +2,7 @@ ## Introduction -This chart deploys the agents required by [Check Point CloudGuard](https://secure.dome9.com/) to provide Inventory Management, Posture Management, Image Assurance, Visibility, Threat Intelligence, Runtime Protection, Admission Control, and Monitoring capabilities. +This chart deploys the agents required by [Check Point CloudGuard](https://portal.checkpoint.com/) to provide Inventory Management, Posture Management, Image Assurance, Visibility, Threat Intelligence, Runtime Protection, Admission Control, and Monitoring capabilities. Note: notice that some of the above capabilities require enrollment in the Early Availability program (contact a Check Point representative for more details). @@ -73,7 +73,7 @@ This command removes all the Kubernetes components associated with the chart and ## Configuration -In order to get the [Check Point CloudGuard](https://secure.dome9.com/) Cluster ID & credentials, you must first complete the Kubernetes Cluster onboarding process in [Check Point CloudGuard](https://secure.dome9.com/) website. +In order to get the [Check Point CloudGuard](https://portal.checkpoint.com/) Cluster ID & credentials, you must first complete the Kubernetes Cluster onboarding process in [Check Point CloudGuard](https://portal.checkpoint.com/) website. Refer to [values.yaml](values.yaml) for the full run-down on defaults. These are a mixture of Kubernetes and CloudGuard directives that map to environment variables. 
@@ -91,7 +91,18 @@ $ helm install my-release checkpoint/cloudguard -f values.yaml > **Tip**: You can use the default [values.yaml](values.yaml) -The following tables list the configurable parameters of this chart and their default values. +**Maximal image size for Image Assurance** + +For Image Assurance feature the default maximal image size to scan is 2GB, and the relevant imageScan-engine pod memory limit is 2.5GB. In order to configure a different maximal image size, *addons.imageScan.maxImageSizeMb* parameter should be set with the maximal image size in MB. Pay attention, using this flag defines also the memory limit of imagescan-engine pod to this value + 500MB. E.g., to scan images of size of up to 3000MB, helm install command should be appended with: +```bash + --set addons.imageScan.maxImageSizeMb=3000 +``` + +It will define memory limit for *imagescan-engine* pod to be 3.5GB. + +## Configurable parameters + +The following table list the configurable parameters of this chart and their default values. | Parameter | Description | Default | | ---------------------------------------------------------- | --------------------------------------------------------------- | ------------------------------------------------ | 
@@ -119,7 +130,7 @@ The following tables list the configurable parameters of this chart and their de | `inventory.agent.tolerations` | List of node taints to tolerate for Inventory agent | `[]` | | `inventory.agent.affinity` | Affinity settings for Inventory agent | `{}` | | `addons.imageScan.enabled` | Specifies whether the Image Scan addon should be installed | `false` | -| `addons.imageScan.maxImageSizeMb` | Specifies in MiBytes maximal image size to be scanned, imageScan.engine main container memory limit will be a double of it | `` | +| `addons.imageScan.maxImageSizeMb` | Specifies in MiBytes maximal image size to scan, its value + 500MB will be imageScan.engine main container memory limit | `` | | `addons.imageScan.daemon.image` | Specify image for the agent | `checkpoint/consec-imagescan-daemon` | | `addons.imageScan.daemon.tag` | Specify image tag for the agent |`0.4.2` | | `addons.imageScan.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` | diff --git a/checkpoint/cloudguard/defaults.yaml b/checkpoint/cloudguard/defaults.yaml index eba78d7a..ae7beb41 100644 --- a/checkpoint/cloudguard/defaults.yaml +++ b/checkpoint/cloudguard/defaults.yaml @@ -168,7 +168,7 @@ addons: memory: 500Mi limits: cpu: 1000m - memory: 4000Mi + memory: 2500Mi ## Configuration options for nodeSelector, tolerations and affinity for pod ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ diff --git a/checkpoint/cloudguard/templates/NOTES.txt b/checkpoint/cloudguard/templates/NOTES.txt index af20562f..87464560 100644 --- a/checkpoint/cloudguard/templates/NOTES.txt +++ b/checkpoint/cloudguard/templates/NOTES.txt @@ -1 +1 @@ -For further actions please visit https://secure.dome9.com/ \ No newline at end of file +For further actions please visit https://portal.checkpoint.com/ 
diff --git a/checkpoint/cloudguard/templates/admission/enforcer/configmap-fluentbit.yaml b/checkpoint/cloudguard/templates/admission/enforcer/configmap-fluentbit.yaml index f0479e39..38d09608 100644 --- a/checkpoint/cloudguard/templates/admission/enforcer/configmap-fluentbit.yaml +++ b/checkpoint/cloudguard/templates/admission/enforcer/configmap-fluentbit.yaml @@ -15,7 +15,7 @@ Uri ${CP_KUBERNETES_ADMISSION_CONTROLLER_ALERTS_URI} storage.total_limit_size 100M Retry_Limit False -{{ include "fluentbit-http-output-param.conf" $config | indent 8 }} +{{ include "fluentbit-http-output-param.conf" $params | indent 8 }} {{- end -}} \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/imagescan/engine/_helpers.tpl b/checkpoint/cloudguard/templates/imagescan/engine/_helpers.tpl index 8fcd3abd..3401e799 100644 --- a/checkpoint/cloudguard/templates/imagescan/engine/_helpers.tpl +++ b/checkpoint/cloudguard/templates/imagescan/engine/_helpers.tpl @@ -22,10 +22,10 @@ resources: limits: cpu: {{ .agentConfig.resources.limits.cpu }} {{- if .featureConfig.maxImageSizeMb }} -{{- /*the memory consumption of imagescan engine is up to 2x the largest image size it is configured to scan*/}} - memory: {{ mul 2 .featureConfig.maxImageSizeMb }}Mi +{{- /* the memory consumption of imagescan engine is the largest image size it is configured to scan + 500Mi */}} + memory: {{ add 500 .featureConfig.maxImageSizeMb }}Mi {{- else }} memory: {{ .agentConfig.resources.limits.memory }} {{- end }} {{- end -}} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/checkpoint/cloudguard/templates/runtime/daemon/configmap-fluentbit.yaml b/checkpoint/cloudguard/templates/runtime/daemon/configmap-fluentbit.yaml index 4b6f8041..828f453b 100644 --- a/checkpoint/cloudguard/templates/runtime/daemon/configmap-fluentbit.yaml +++ b/checkpoint/cloudguard/templates/runtime/daemon/configmap-fluentbit.yaml 
@@ -39,20 +39,20 @@ data: Uri ${CP_KUBERNETES_RUNTIME_ALERT_URI} storage.total_limit_size 100M Retry_Limit False -{{ include "fluentbit-http-output-param.conf" $config | indent 8 }} +{{ include "fluentbit-http-output-param.conf" $params | indent 8 }} [OUTPUT] Match rp-profiling Uri ${CP_KUBERNETES_RUNTIME_PROFILING_URI} storage.total_limit_size 100M Retry_Limit False -{{ include "fluentbit-http-output-param.conf" $config | indent 8 }} +{{ include "fluentbit-http-output-param.conf" $params | indent 8 }} [OUTPUT] Match rp-telemetry Uri ${CP_KUBERNETES_RUNTIME_TELEMETRY_URI} Retry_Limit 3 -{{ include "fluentbit-http-output-param.conf" $config | indent 8 }} +{{ include "fluentbit-http-output-param.conf" $params | indent 8 }} {{- end -}} 
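Review bot: `$params` is not defined anywhere in the visible context of the three `[OUTPUT]` sections (rp alerts, `rp-profiling`, `rp-telemetry`) that now pass it to `fluentbit-http-output-param.conf`, and the same is true of the enforcer configmap hunk that gets the identical substitution. Please confirm both templates assign `$params` before these includes and that it carries the agent version the commit message refers to. A `helm template` run in CI with admission control and runtime protection both enabled would catch an undefined variable before release.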
diff --git a/repository/cloudguard-2.4.0.tgz b/repository/cloudguard-2.4.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..fe42ee8ee02eb38eb1a3a51f766fa52b4293f08a GIT binary patch literal 19440