From b13b4126bd0fdf229bb994dc589b9368c3c7dd7a Mon Sep 17 00:00:00 2001 From: helm Date: Wed, 18 Dec 2024 15:51:46 +0000 Subject: [PATCH] Helm chart update: 2.34.0 --- checkpoint/cloudguard/Chart.yaml | 4 +- checkpoint/cloudguard/README.md | 78 +++++---- checkpoint/cloudguard/defaults.yaml | 17 +- checkpoint/cloudguard/templates/_helpers.tpl | 80 ++++----- .../admission/enforcer/deployment.yaml | 17 +- .../admission/policy/deployment.yaml | 4 +- .../templates/flowlogs/daemon/daemonset.yaml | 4 +- .../templates/imagescan/armon/daemonset.yaml | 4 +- .../templates/imagescan/daemon/daemonset.yaml | 4 +- .../imagescan/engine/deployment.yaml | 4 +- .../templates/imagescan/list/deployment.yaml | 4 +- .../templates/inventory/agent/deployment.yaml | 4 +- .../templates/runtime/daemon/_helpers.tpl | 16 ++ .../templates/runtime/daemon/daemonset.yaml | 5 +- .../templates/runtime/policy/deployment.yaml | 4 +- repository/cloudguard-2.34.0.tgz | Bin 0 -> 29017 bytes repository/index.yaml | 156 +++++++++++------- 17 files changed, 228 insertions(+), 177 deletions(-) create mode 100644 repository/cloudguard-2.34.0.tgz diff --git a/checkpoint/cloudguard/Chart.yaml b/checkpoint/cloudguard/Chart.yaml index d395f1c9..7a267875 100644 --- a/checkpoint/cloudguard/Chart.yaml +++ b/checkpoint/cloudguard/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 2.33.1 +appVersion: 2.34.0 description: A Helm chart for Check Point CloudGuard Workload Security home: https://portal.checkpoint.com icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png @@ -35,4 +35,4 @@ keywords: - gke - autopilot name: cloudguard -version: 2.33.1 +version: 2.34.0 diff --git a/checkpoint/cloudguard/README.md b/checkpoint/cloudguard/README.md index e4c18621..4612e88b 100644 --- a/checkpoint/cloudguard/README.md +++ b/checkpoint/cloudguard/README.md 
@@ -139,7 +139,6 @@ The following table list the configurable parameters of this chart and their def | `platform` | Kubernetes platform (kubernetes/ tanzu/ openshift/ openshift.v3/ eks/ eks.bottlerocket/ gke.cos/ gke.autopilot/ k3s/ rke2/ kubernetes.coreos) overriding auto-detection | `kubernetes` | | `seccompProfile` | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault` | | `podAnnotations.seccomp` | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default` | -| `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` | | `autoUpgrade` | Enable auto-upgrade (preserve, true or false). 'major.minor' tags will be set for images rather than 'major.minor.patch'" | `preserve` | | `podAnnotations.custom` | Custom Pod annotations (for all agent Pods) | `{}` | | `priorityClassName` | Specifies custom priorityClassName | `` | 
@@ -265,64 +264,63 @@ The following table list the configurable parameters of this chart and their def | `addons.runtimeProtection.policy.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` | | `addons.runtimeProtection.daemonConfigurationOverrides` | Overrides for multiple daemonSets with different configuration values | see below | -The default nodeSelector for Admission Control, Inventory and Runtime Protection policy agents is: +The default nodeSelector for the Runtime Protection daemon agent is: ```yaml nodeSelector: - kubernetes.io/os: linux + kubernetes.io/os: linux + kubernetes.io/arch: amd64 ``` The default nodeSelector for other agents is: ```yaml nodeSelector: kubernetes.io/os: linux - kubernetes.io/arch: amd64 ``` -The default node affinity for Admission Control, Inventory and Runtime Protection policy agents (deployment) -to support nodes with arm64 and amd64 architectures: +The default affinity is configured to support nodes with arm64 and amd64 architectures: ```yaml - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - arm64 - - amd64 +nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - arm64 + - amd64 ``` -For Admission Control enforcer agent, it also has default inter-pod anti-affinity ensuring the pods are scheduled on different nodes : +For Admission Control enforcer agent, it also has default inter-pod anti-affinity ensuring the pods are scheduled on different nodes: ```yaml - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: "kubernetes.io/name" - operator: In - values: - - consec-admission-enforcer - topologyKey: "kubernetes.io/hostname" +podAntiAffinity: + 
preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "kubernetes.io/name" + operator: In + values: + - consec-admission-enforcer + topologyKey: "kubernetes.io/hostname" ``` On EKS, DaemonSets are configured with node affinity that prevents Pods from running on Fargate nodes: ```yaml - addons: - imageScan: - enabled: true - daemon: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate +addons: +imageScan: + enabled: true + daemon: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate ``` The `daemonConfigurationOverrides` object should have one or more objects with unique names (case insensitive), each object must then have a `nodeSelector` data and any additional overrides, such as resource limits and requests. The values defined in `daemon` object are used as a basis for the overrides.\ diff --git a/checkpoint/cloudguard/defaults.yaml b/checkpoint/cloudguard/defaults.yaml index 9c522843..2063977c 100755 --- a/checkpoint/cloudguard/defaults.yaml +++ b/checkpoint/cloudguard/defaults.yaml @@ -41,7 +41,6 @@ imagePullPolicy: Always ## podAnnotations: seccomp: runtime/default - apparmor: {} custom: {} ## Proxy settings @@ -69,7 +68,7 @@ inventory: ## Specify image and tag image: checkpoint/consec-inventory-agent - tag: 1.15.0 + tag: 1.16.0 ## Specify existing service account name ("" to create) serviceAccountName: "" @@ -112,7 +111,7 @@ addons: priorityClassName: "system-node-critical" ## Specify image and tag image: checkpoint/consec-imagescan-daemon - tag: 2.37.0 + tag: 2.38.0 ## Specify existing service account name ("" to create) serviceAccountName: "" 
@@ -134,7 +133,7 @@ addons: shim: ## Specify image and tag image: checkpoint/consec-imagescan-shim - tag: 2.37.0 + tag: 2.38.0 ## Configure resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ @@ -169,7 +168,7 @@ addons: engine: ## Specify image and tag image: checkpoint/consec-imagescan-engine - tag: 2.37.0 + tag: 2.38.0 ## Specify existing service account name ("" to create) serviceAccountName: "" @@ -201,7 +200,7 @@ addons: list: ## Specify image and tag image: checkpoint/consec-imagescan-engine - tag: 2.37.0 + tag: 2.38.0 ## Specify existing service account name ("" to create) serviceAccountName: "" @@ -272,7 +271,7 @@ addons: priorityClassName: "system-node-critical" ## Specify image and tag image: checkpoint/consec-flowlogs-daemon - tag: 0.15.0 + tag: 0.16.0 ## Specify existing service account name ("" to create) serviceAccountName: "" @@ -311,7 +310,7 @@ addons: policy: ## Specify image and tag image: checkpoint/consec-admission-policy - tag: 1.9.0 + tag: 1.10.0 ## Specify existing service account name ("" to create) serviceAccountName: "" @@ -341,7 +340,7 @@ addons: enforcer: ## Specify image and tag image: checkpoint/consec-admission-enforcer - tag: 2.13.0 + tag: 2.14.0 ## Specify existing service account name ("" to create) serviceAccountName: "" diff --git a/checkpoint/cloudguard/templates/_helpers.tpl b/checkpoint/cloudguard/templates/_helpers.tpl index a5f2ef53..b63d40c2 100644 --- a/checkpoint/cloudguard/templates/_helpers.tpl +++ b/checkpoint/cloudguard/templates/_helpers.tpl @@ -42,7 +42,7 @@ {{ printf "%s-%s-%s" (include "name.prefix" .) .featureName .daemonConfigName }} {{- end -}} -{{- /* Service account name of a given agent (provided in values.yaml or auto-generated */ -}} +{{- /* Service account name of a given agent (provided in values.yaml or auto-generated) */ -}} {{- define "agent.service.account.name" -}} {{- default (include "agent.resource.name" .) .agentConfig.serviceAccountName }} {{- end -}} 
@@ -100,10 +100,6 @@ app.created.by.template: {{ (include "is.helm.template.command" .) | quote }} {{- if and (not (contains "openshift" .platform)) (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version) }} seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }} {{- end }} -{{- if .Values.podAnnotations.apparmor }} -container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name" . }}: -{{ toYaml .Values.podAnnotations.apparmor | indent 2 }} -{{- end }} {{- if .Values.podAnnotations }} {{- if .Values.podAnnotations.custom }} {{ toYaml .Values.podAnnotations.custom }} @@ -141,14 +137,8 @@ serviceAccountName: {{ template "agent.service.account.name" . }} nodeSelector: {{ toYaml .agentConfig.nodeSelector | indent 2 }} {{- end }} -{{- $allVirtualAffinities := (include "get.virtualNodesLabels" .) | fromYaml -}} -{{- if .agentConfig.affinity }} -affinity: -{{ .agentConfig.affinity | toYaml | indent 2 }} -{{- else if and (contains "daemon" .agentName) (hasKey $allVirtualAffinities .platform) }} affinity: -{{ include "daemonset.commonAffinity.labels" . | indent 2 }} -{{- end }} +{{ include "common.pod.properties.affinity" . | indent 2 }} {{- if .agentConfig.tolerations }} tolerations: {{ toYaml .agentConfig.tolerations | indent 2 }} @@ -503,7 +493,7 @@ usage: {{- if hasKey $currentConfiguration "containerRuntime" -}} {{- $containerRuntime := get $currentConfiguration "containerRuntime" -}} {{- include "validate.container.runtime" $currentConfiguration -}} -{{- $_ := set $copyConfig "containerRuntime" ($containerRuntime | lower) -}} +{{- $_ := set $copyConfig "containerRuntime" ($containerRuntime | lower) -}} {{- end -}} {{- $_ := set $mergedAgentConfig "env" ((concat (get $mergedAgentConfig "env") (get $copyAgentConfig "env") ) | uniq) -}} {{- $_ := set $copyConfig "agentConfig" $mergedAgentConfig -}} 
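Review bot: With the `podAnnotations.apparmor` block dropped from the pod-annotations helper, a values file that still sets that key is accepted and ignored, so an operator who relied on it loses the AppArmor annotation on upgrade without any signal. Consider failing fast at the same spot, for example `{{- if .Values.podAnnotations.apparmor }}{{ fail "podAnnotations.apparmor was removed in 2.34.0; see README" }}{{- end }}`, or at least call the removal out in the README upgrade notes. The guard does not trip for untouched installs because the old default was `{}`, which is falsy. The enclosing define starts and ends outside this hunk.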
@@ -514,16 +504,37 @@ usage: {{- end -}} {{- end -}} -{{- define "common.node.affinity.multiarch" -}} +{{- define "common.pod.properties.affinity" -}} +{{- if .agentConfig.affinity }} +{{- .agentConfig.affinity | toYaml }} +{{- else }} +{{- $allVirtualAffinities := (include "get.virtualNodesLabels" .) | fromYaml -}} +{{- $nodeAffinityMatchExpressions := list (include "common.node.affinity.multiarch" . | fromYaml) -}} +{{- if and (eq "DaemonSet" .resourceKind) (hasKey $allVirtualAffinities .platform) }} +{{- $virtualNodesLabels := get $allVirtualAffinities .platform -}} +{{- range $labelKey, $labelValue := $virtualNodesLabels -}} +{{- $generatedExpression := dict "key" $labelKey "operator" "NotIn" "values" (list $labelValue) -}} +{{- $nodeAffinityMatchExpressions = append $nodeAffinityMatchExpressions ( $generatedExpression ) -}} +{{- end -}} +{{- end -}} nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - arm64 - - amd64 + - matchExpressions: +{{ $nodeAffinityMatchExpressions | toYaml | indent 10 }} +{{- /* add pod anti affinity */ -}} +{{- if and (eq "Deployment" .resourceKind) (and (eq "enforcer" .agentName) (eq "admission" .featureName)) }} +{{ include "deployment.common.affinity.labels" . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{- define "common.node.affinity.multiarch" -}} +key: kubernetes.io/arch +operator: In +values: + - arm64 + - amd64 {{- end -}} {{- /* virtual node labels, additions should keep the same format. 
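Review bot: `common.pod.properties.affinity` is added without a header comment, although it only produces the DaemonSet virtual-node exclusion and the enforcer anti-affinity when the including template has set `resourceKind` on the config first. A template that includes `common.pod.properties` without that `set` call would, as far as this hunk shows, render only the architecture expression and give no error. I would document the contract above the define, e.g. `{{- /* Pod affinity for an agent; expects .resourceKind ("DaemonSet" or "Deployment"), .agentName, .featureName and .platform; a user-supplied .agentConfig.affinity replaces all defaults */ -}}`. It is also worth stating in the README that a custom `affinity` value drops the Fargate/virtual-node exclusion, since that branch returns before the defaults are built.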
@@ -537,24 +548,19 @@ eks: # exampleLabelKey: "example_label_value" {{- end -}} -{{- /* creating the affinity for DaemonSet to not run on virtual nodes -usage: -`{{- $virtualAffinites := (include "daemonset.commonAffinity.labels" . ) | fromYaml -}}` -*/ -}} -{{- define "daemonset.commonAffinity.labels" -}} -{{- $virtualNodesLabels := get (include "get.virtualNodesLabels" . | fromYaml) .platform -}} -nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: -{{- range $labelKey, $labelValue := $virtualNodesLabels }} - - key: {{$labelKey}} - operator: NotIn - values: - - {{$labelValue}} +{{- define "deployment.common.affinity.labels" -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "kubernetes.io/name" + operator: In + values: + - {{ include "agent.resource.name" . }} + topologyKey: "kubernetes.io/hostname" {{- end -}} -{{- end -}} - {{- /* list of supported platforms usage: diff --git a/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml b/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml index 06fe21d4..388b75bc 100644 --- a/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml +++ b/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml @@ -1,6 +1,8 @@ {{- $config := fromYaml (include "admission.enforcer.config" .) -}} {{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}} {{- $_ := set $config "Files" .Files -}} +{{- /* Mark the config as holding a resource of type "Deployment" */ -}} +{{- $_ := set $config "resourceKind" "Deployment" -}} {{ if $config.featureConfig.enabled }} apiVersion: apps/v1 kind: Deployment 
@@ -23,21 +25,6 @@ spec: labels: {{ include "common.labels.with.chart" $config | indent 8 }} spec: - # the affinity definition should be BEFORE include "common.pod.properties" .since in case the - #user will add his own "affinity" we want to take his definition - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: "kubernetes.io/name" - operator: In - values: - - {{ include "agent.resource.name" $config }} - topologyKey: "kubernetes.io/hostname" -{{ include "common.node.affinity.multiarch" $config | indent 8 }} {{ include "common.pod.properties" $config | indent 6 }} containers: # Main container diff --git a/checkpoint/cloudguard/templates/admission/policy/deployment.yaml b/checkpoint/cloudguard/templates/admission/policy/deployment.yaml index 4651443c..62ac2d6e 100644 --- a/checkpoint/cloudguard/templates/admission/policy/deployment.yaml +++ b/checkpoint/cloudguard/templates/admission/policy/deployment.yaml @@ -1,6 +1,8 @@ {{- $config := fromYaml (include "admission.policy.config" .) -}} {{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}} {{- $_ := set $config "Files" .Files -}} +{{- /* Mark the config as holding a resource of type "Deployment" */ -}} +{{- $_ := set $config "resourceKind" "Deployment" -}} {{- if $config.featureConfig.enabled -}} apiVersion: apps/v1 kind: Deployment @@ -21,8 +23,6 @@ spec: labels: {{ include "common.labels.with.chart" $config | indent 8 }} spec: - affinity: -{{ include "common.node.affinity.multiarch" $config | indent 8 }} {{ include "common.pod.properties" $config | indent 6 }} containers: # Main container diff --git a/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml index 103e44b7..0395590d 100644 --- a/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml 
+++ b/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml @@ -3,6 +3,8 @@ {{- $config = $config | fromYaml -}} {{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}} {{- $_ := set $config "Files" $.Files -}} +{{- /* Mark the config as holding a resource of type "DaemonSet" */ -}} +{{- $_ := set $config "resourceKind" "DaemonSet" -}} {{- if $config.featureConfig.enabled -}} apiVersion: apps/v1 kind: DaemonSet @@ -23,8 +25,6 @@ spec: labels: {{ include "common.labels.with.chart" $config | indent 8 }} spec: - affinity: -{{ include "common.node.affinity.multiarch" $config | indent 8 }} {{ include "common.pod.properties" $config | indent 6 }} hostNetwork: true containers: diff --git a/checkpoint/cloudguard/templates/imagescan/armon/daemonset.yaml b/checkpoint/cloudguard/templates/imagescan/armon/daemonset.yaml index fc8bae36..1205f90a 100644 --- a/checkpoint/cloudguard/templates/imagescan/armon/daemonset.yaml +++ b/checkpoint/cloudguard/templates/imagescan/armon/daemonset.yaml @@ -1,6 +1,8 @@ {{- $config := fromYaml (include "imagescan.armon.config" .) -}} {{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}} {{- $_ := set $config "Files" $.Files -}} +{{- /* Mark the config as holding a resource of type "DaemonSet" */ -}} +{{- $_ := set $config "resourceKind" "DaemonSet" -}} {{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}} apiVersion: apps/v1 kind: DaemonSet @@ -21,8 +23,6 @@ spec: labels: {{ include "common.labels.with.chart" $config | indent 8 }} spec: - affinity: -{{ include "common.node.affinity.multiarch" $config | indent 8 }} {{ include "common.pod.properties" $config | indent 6 }} containers: - name: {{ $config.agentName }} diff --git a/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml index cc57808e..0ac125a8 100644 
--- a/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml +++ b/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml @@ -3,6 +3,8 @@ {{- $config = $config | fromYaml -}} {{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}} {{- $_ := set $config "Files" $.Files -}} +{{- /* Mark the config as holding a resource of type "DaemonSet" */ -}} +{{- $_ := set $config "resourceKind" "DaemonSet" -}} {{- if $config.featureConfig.enabled -}} apiVersion: apps/v1 kind: DaemonSet @@ -25,8 +27,6 @@ spec: labels: {{ include "common.labels.with.chart" $config | indent 8 }} spec: - affinity: -{{ include "common.node.affinity.multiarch" $config | indent 8 }} {{ include "common.pod.properties" $config | indent 6 }} containers: # Main container diff --git a/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml b/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml index c1fd5432..ec20dad4 100644 --- a/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml +++ b/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml @@ -1,6 +1,8 @@ {{- $config := fromYaml (include "imagescan.engine.config" .) -}} {{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}} {{- $_ := set $config "Files" .Files -}} +{{- /* Mark the config as holding a resource of type "Deployment" */ -}} +{{- $_ := set $config "resourceKind" "Deployment" -}} {{- if $config.featureConfig.enabled -}} apiVersion: apps/v1 kind: Deployment @@ -23,8 +25,6 @@ spec: labels: {{ include "common.labels.with.chart" $config | indent 8 }} spec: - affinity: -{{ include "common.node.affinity.multiarch" $config | indent 8 }} {{ include "common.pod.properties" $config | indent 6 }} containers: # Main container diff --git a/checkpoint/cloudguard/templates/imagescan/list/deployment.yaml b/checkpoint/cloudguard/templates/imagescan/list/deployment.yaml index 3e4e4edc..d6fbf3c7 100644 
--- a/checkpoint/cloudguard/templates/imagescan/list/deployment.yaml +++ b/checkpoint/cloudguard/templates/imagescan/list/deployment.yaml @@ -1,6 +1,8 @@ {{- $config := fromYaml (include "imagescan.list.config" .) -}} {{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}} {{- $_ := set $config "Files" .Files -}} +{{- /* Mark the config as holding a resource of type "Deployment" */ -}} +{{- $_ := set $config "resourceKind" "Deployment" -}} {{- if $config.featureConfig.enabled -}} apiVersion: apps/v1 kind: Deployment @@ -26,8 +28,6 @@ spec: {{ include "common.labels.with.chart" $config | indent 8 }} imagescan-agent-type: list spec: - affinity: -{{ include "common.node.affinity.multiarch" $config | indent 8 }} {{ include "common.pod.properties" $config | indent 6 }} containers: # Main container diff --git a/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml b/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml index 06321a9d..c68a9f0a 100644 --- a/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml +++ b/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml @@ -1,6 +1,8 @@ {{- $config := fromYaml (include "inventory.agent.config" .) -}} {{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}} {{- $_ := set $config "Files" .Files -}} +{{- /* Mark the config as holding a resource of type "Deployment" */ -}} +{{- $_ := set $config "resourceKind" "Deployment" -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -20,8 +22,6 @@ spec: labels: {{ include "common.labels.with.chart" $config | indent 8 }} spec: - affinity: -{{ include "common.node.affinity.multiarch" $config | indent 8 }} {{ include "common.pod.properties" $config | indent 6 }} containers: # Main container diff --git a/checkpoint/cloudguard/templates/runtime/daemon/_helpers.tpl b/checkpoint/cloudguard/templates/runtime/daemon/_helpers.tpl index 800320dd..b6a709a8 100644 
--- a/checkpoint/cloudguard/templates/runtime/daemon/_helpers.tpl +++ b/checkpoint/cloudguard/templates/runtime/daemon/_helpers.tpl @@ -20,3 +20,19 @@ usage: {{- $_ := set $config "agentConfig" $config.Values.addons.runtimeProtection.daemon -}} {{- $config | toYaml -}} {{- end -}} + + +{{- /* App armor annotation K8s version < 1.30 */ -}} +{{- define "runtime.daemon.apparmor.annotation" -}} +{{- if semverCompare "<1.30-0" .Capabilities.KubeVersion.Version -}} +container.apparmor.security.beta.kubernetes.io/daemon: unconfined +{{- end -}} +{{- end -}} + +{{- /* App armor annotation K8s version > 1.30 */ -}} +{{- define "runtime.daemon.apparmor.securityContext" -}} +{{- if semverCompare ">=1.30-0" .Capabilities.KubeVersion.Version -}} +appArmorProfile: + type: Unconfined +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml index 52a7828d..c7a85bcb 100755 --- a/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml +++ b/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml @@ -3,6 +3,8 @@ {{- $config = $config | fromYaml -}} {{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}} {{- $_ := set $config "Files" $.Files -}} +{{- /* Mark the config as holding a resource of type "DaemonSet" */ -}} +{{- $_ := set $config "resourceKind" "DaemonSet" -}} {{- if $config.featureConfig.enabled -}} apiVersion: apps/v1 kind: DaemonSet @@ -20,7 +22,7 @@ spec: metadata: annotations: {{ include "common.pod.annotations" $config | indent 8 }} - container.apparmor.security.beta.kubernetes.io/daemon: unconfined +{{ include "runtime.daemon.apparmor.annotation" $config | indent 8 }} labels: {{ include "common.labels.with.chart" $config | indent 8 }} spec: 
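Review bot: The comment on `runtime.daemon.apparmor.securityContext` says "K8s version > 1.30" while the guard is `semverCompare ">=1.30-0"`, so 1.30 itself takes the securityContext branch; the comment should read `{{- /* AppArmor securityContext field, K8s version >= 1.30 */ -}}`. Both helpers pin the runtime daemon to an unconfined profile and, with `podAnnotations.apparmor` removed elsewhere in this patch, no values key is left to choose a different one, so a line explaining why unconfined is required would help anyone auditing the rendered manifests. Because the branch is chosen from `.Capabilities.KubeVersion.Version`, manifests rendered offline follow whatever version the renderer reports. A README note that `helm template` users should pass `--kube-version` would avoid emitting the annotation form for a 1.30+ cluster.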
@@ -226,6 +228,7 @@ spec: - AUDIT_READ # for fmon - AUDIT_WRITE # for fmon {{- end }} +{{ include "runtime.daemon.apparmor.securityContext" $config | indent 10 }} {{- end }} volumeMounts: - name: rp4c-alerts diff --git a/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml b/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml index 0b249401..976e9626 100644 --- a/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml +++ b/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml @@ -1,6 +1,8 @@ {{- $config := fromYaml (include "runtime.policy.config" .) }} {{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}} {{- $_ := set $config "Files" .Files -}} +{{- /* Mark the config as holding a resource of type "Deployment" */ -}} +{{- $_ := set $config "resourceKind" "Deployment" -}} {{- if $config.featureConfig.enabled -}} apiVersion: apps/v1 kind: Deployment @@ -21,8 +23,6 @@ spec: labels: {{ include "common.labels.with.chart" $config | indent 8 }} spec: - affinity: -{{ include "common.node.affinity.multiarch" $config | indent 8 }} {{ include "common.pod.properties" $config | indent 6 }} containers: # Main container 
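Review bot: The new `runtime.daemon.apparmor.securityContext` include sits between two `{{- end }}` lines, so on Kubernetes 1.30 and later the Unconfined profile is rendered only when the enclosing conditional (opened outside this hunk) is true, whereas the annotation it replaces was emitted unconditionally at pod-template level. If that conditional can be false for a supported configuration, the daemon container would get the runtime's default AppArmor profile on new clusters but stay unconfined on old ones. Please confirm the condition, or place the line `{{ include "runtime.daemon.apparmor.securityContext" $config | indent 10 }}` directly under the container's `securityContext:` key, outside the inner `if` blocks. The fixed `indent 10` also has to match the sibling keys of that securityContext, which cannot be checked from the hunk alone.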
diff --git a/repository/cloudguard-2.34.0.tgz b/repository/cloudguard-2.34.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..442c3deb9eb201bf487f48583989806f9821f0c9 GIT binary patch literal 29017 zcmY&+(GYo}^z z?w>Qa?wsz^-G@B(11{8m7r+R`Y@wjVVWptTr{XKfYssz4Vf~5si{U3hK6PDPK2<$O zdkbf4Uu{hnQ3V@EC#cgm2ctcKMGoYtC3>(_UDY$ZeN-wYI`?UZtr>1{rSFe9H0`Mk zb?=KNOXg_AA$Mi2q}ubhwTF^Wr>9f64;nUsvv}mcXJW4)z8uHCd6?S zkX=M;>rNQzrYtK_&q?nFbGEy2Huc~&!tB=jI>daoBUd51`4?2SXVqKaVECtbiZ~lT zubCwF0c)|nqeEHeX#L3v#UItT8t0Kj?Cg^7EHh?}><@3C%j|E-8(|g4-&^*u(C{BP zUiGxw7ZAKDi+E(3&`2)ueNk~Bt%-~%A7HqTdXRolLhtaoipp#cyOHuCCTYo3_#KRI z!(GWkhvbDDI&pYik-A=mwX6oKB7H*@Ad{{=QAw(XKFgAR%7GOV__m=-oYZYKi3*)> z9>F5^^h)_d;Cr%Q0scO?P}a~XxF3x3#J&%xQ4(1|hCqXG>QFS}MAFLfQI;5u?TNvW z=dcO$)=b$#jvwRTkf*OOqy2D9KAaXl$WPmcW{Ux`&eOV8X!VIALY{*Gmq!uc;N7i} zctXSO`ir*AW|3hqnD3#LQON&1?a~Q99@vuNm$*gZ3uc0BT{x9J0h61$eSn_k<{#gm zH}6|z^%)y;SP;FtH41Y`4!6mtQ<+B&jsw+^Cn98wrY6d%TMku-4SxDpU#rAys-16u zpIeY`psQCWh9m0aWZe_`uBryMmZT0rj}hGT_-7Au;co;|yA;SI7+(lWT@?-$R1f{f(?(+|2}218#BE zDQ5X&ex{qmGA@>&TfpC5MZ2pnlUqz72MFIOVGxy zJ|e+Tz#M(l87yo93voRCr$cf6^YK2&MOfq7_IVH_5^GUZtWtcwZSDn1YY2` zHF)8aLK!z6;O4n88OA(wRRVLZi2CPm(EHb0X1)j)*YaVft)kC4IlSU8qAh# z5|!(TMr4}uX|C-==XFX4B=Xb#bCgEvQz9jDdL6K_sS9H7ggmrl-vCOZ8SJ^<+c4NM zO}|zS$8ad|3|^Z?Z3uU}lVi&<@5&QdKA-A$M}}zz4@v#lRo(Q2JXhTvC}+p&CPW4& z2Mgp_j-pQMdM<|S8919$n=kuBK)xXK^9Cb9;Go@TrHJWVu$v|FSRrixdLtb_dhg&2 zSy`C}$O|Lr*DX*Y)+cXS9g?=muuza)B7GEou;ltsBtU@=^Xj9lI<1wm7wOAj=KPJ( z{c|wIh_g$SFAT+-mAXk#B+^Ug;~-1tOF4)0+gshn-lRBiLtc98A zE$WP-_2Vr~*vt%fx^ZqX97Af}CEuGMQCagi6M`+lO*okVWQlLVdmFpN)}g|Ys?cy^ zR89htWUvm`EWZ#gkHm*9vkPteuIOHN_P_CQ41H(}rU;o7;-ddss=cd$;z#T!3$0sc zE6vk4B80qLcqCN)8N#5>INj19KY@L8x0)qLI#yYLW*eoFBrwb=hT?-7@Xdvkcx9w- zu{6jFyUGNzScw>>-nyrWV4|1zVF^P$;cnDwNH#o-F2Xtic8OPTBAliuS=vY=35r<$uZpy zfs=V8Zia>Mz;B+W0Wu!Xb9-Cg=Z4aSV&Xcy5+&e)!qg_E!j(pgz)Gpnk1KnSC@z>1 z(?cU(3ddaW`!w5>()~pLgTz>GNEt%d(8vYyBK53F-YaxjaPZDOoNtsw#A*Dlx{8fn z=`qt?iS)*R-!W_%T?B@;#Y3it}&>HfyfkOtLE6rg1s*v_3wB-w)BT5 
zZtlu-(=(Vq{t~C0mb1sG?;*vuN7~f-rw{MZ51l$q@vC&;rcX1enr`HJi%VeVdp;pQ zsC2)^6HN}r+A-Mk8{H8^TP5oXc)gB&^X7g&tf6#WRZvNdsIYsUxpFj@ak5V3iHP=1 zhij-yY`P)cAjr|0s4jP}n7=VjP@D`2OFCzuaaxcpf}ngr4|og|$dC^P+Zk)^aK3~Xmn$=A%K zT(^mnzboEkCVi|X`8o2G&d4@+;QG`sRXmsAL*uG4);YT^H7s;|k%S0A`fzPxM``}L z0W~-c1%i=-nS$vEyei}FKpxzcS?0U`EN`m6b~a;t`^G2a9p0$xTy>18xR@t3ioY@(CV6+HZ2f(C2YD@#v8_V>h=Y@Y`{%*Plz)d zWp#p(ZOI>>yQ+GSoG8$rcCPZEV?rWBB9mCrNzh?)oE(p{{T@TC)}2KHGM1++Bmz)P z2;vGn`)H$l#IWZ|?y1C{JqHjOIf`b88oVs6V5>jzbR0Ok|CRn0d}S68aK>h)H=WT! zgkJO)qvr$THSYpIoKrAgKjAt~_w|iYg%y!}?OVMx+lAGO1n}MdnCCezGG(i@@!J>p z?>kwBB&a|?h5&CR-EVb^qA}uuBiyCYp$gkKs{ZQ*->cuZ(V_61zmsNv?fZ({B)ClC zN3a#?Dm6{$sw&zF;`Odf{u!~yj~B6yxz*3Hc!GP0a-B6!F&luYq?6ejI=Hd_h8Bp0 zAIET`eU7~{S~0_1?y1{sm??y_>H;kRa}gX=8b#Cktp8%?w@gjQ&0P>xPAbj&($9Y_ zyUO@=?)1Ryf?$uG!n&FOE|HYr?2zTq8tszaRfO0V)$vfZ&``)gCzQ~*KT>&t#CFE- zp+3HLesJvM2>cL>A6TRr_Nr@N(|5IeMZ&i=wRV~c=M>>tVk(Bl5zo`dM#V`!7ldC_ z%|9~KmTNPuxI%{DD5Np81cum0XAp#(DE&mVaLG(_;MV$*T@Wpsl>3r};|J~$rN%`4 zV-#ubGI$k#VO8|=!H%uPSZ&ZC+>T6ohgbEfk1yHVfd-*go#@(GnGkf_Vvf5*;XY%Q z11*;sks9zdNa*qK^5#GhMIp`Ho|mT9ugNQtppRS(L};9cR*R_D*Oxk_w-h?IbEWwq zLRt0thlG-E*)#w>!9FAKN4WeZp4F^XB`w%?S`X8CI)Gf}uP~PFXT-A5s@TxJo+Kb` z;PWZP(jq1nn4Kc~Je0_CIs!FjK`oG>S{ZNt<|i$b7P*0CmWLQl&u;<2Hi%Dge0DJtG7_|i&|je#^r1iDF5MSoc11MXVgkQi9QxI5nVFdx zqp`D10f%L6+|n8M+9=Z511f>4=GyYUshfs!UU>aHStkCr8_JXO5d#kQ_kNukeo9?sU6Rf=m0SrswX0F8@)!|p zEq*BP0scjUuui`SbzSxiY{Z}(S?V)z><>SIy%{jleT;BOZqXp>>aWTkJ<+YrJx+`Y zM(s&0_`&lTNv>jQZ>vcxc9$T(T{C9ysB2$ra~XsvOq0Op*oRpDwm%}^b;O}f)~~t6 z4aeTN)pHdZzvD2w$zXi`U@Z1~o6W`RFZCZ9t-(21?)Hhd%#-VjU`5q95f;Q<4kp#9 zCfNSK%3!I-YI1&LW(&lvMxylDca&2!%Kl?z<2$i`JLn+NBgH*7t3q-!ec`7}?ZA)o z10uQg#R$^LxMSd>dzlrx8Yq8PYM5{1k;{KElRju;GB>!0Mx|Bxj4_bMAqN!_DT1;# z%y-kJ*ci_ER8E3U5ct)SR}FSF_)NpX;FJ4@D956|{|u!_BJq2ahe<_)hBNSh_3Wr>|31Nf}l7-+!H#R!0 zvt>#>fzwW<8-puPd+^Vtte^_)fQk#DQ<+OU^WxT-JC@&|QBfc2x)U1%@879Z2oTZ@ z4tLvnxYU8RYs&lLYGhP4Dq>E?%eqeJLAWWcT4wvwftA#`v|ERL=5#=6kFzn;Bi3>@ zd7t3pO${?5(NMNbF#mP2xvf&%>~TF~v2g)P56T~mLSETbgcm+{?VTozps&U<6Y5dW 
z)SURRuZ(gG2}gzwHW)1c+46^{$mM*LjZv0@)9+xR#2m}{qNFxLH}J=L%1CLf*zUh9 zh5H7qkoM>!8c_FjDh-y1%FcCRa)UW!-*@pN<^E=f!AkzvD_d_MBzd8HP zF(NwgH+YBn}ThX=hm%)cphEO^8$&r(rm;!h@gnd3@O?fIK|ND25AP^*M7DU z6P4g=_E8J103}%*x8WsLhRtilYsc^_)os|lbY;-zq8}DVyWe<7@ett_n1XOd(~i9B z&#BaPI7lOGzruc<i^Eft%+R7 z?2H;izf%*ba}biE#DfqJ5t4Jki7w)gqrYp2CeW*BFS2CfON)vVknp;|<@nP1Jz?sZ=hw~X zt=TWChRu1aQ%k$%u`MX4OY~Qz_BIdWD zmS1YUn<{BOLx5ThU2ly9kumJk!he$v|%t@~ynJ6-*B$-O+0$cDa|LwZ*rX?y9|l`{aT1gbmxfa!&WpCxsxv} zMoWm)7a~05`BS~SKBd^mfc(p*MQ6$p5 zi9f`l`}B5$yr{$4DeVai&8<6Wn5LOz&}7d07RsXyCc_IJOpTSLB@};aerk_ODRb@Y zAOFihbv}I=jP*HvY(0h*^Eh}3&u;pm0&^$+u`}69Pb2QL=G3uBPOOAxw%;$4=aIdT zxzI-sj6X(#g_5$&4QTRIhSj~p#1V`v$wfHzk9dsuvoE%dm=_AGomzk1 zOrP0?WnxCsGxkivJhm@6)d$cA-qyhuCV%WRhP{-#0VyT z>I9EEsc^)2QtCR(wV=25#3yxXH(dK+a{KKw#-`NJf&6t?h83J?XHD?%u#C`DSS06!rqF>@k40K|el+Dt%XiMhcMpti6s8GG?@AM5l2fi6wUw{rKV zB)mdV#@6h(H45$UBQ(51H4uFRN&lHqTR1=PbvV%#T2F1KrKU6!j8LS1p3&k`T)=c# z`NbmS5Un`I8OXxpRgu>pXHls3BjOU<=x~S&g{v73rBareM|Sg=_Ru@z@HNjM_bGIK zF*A9|hLys=v@`F31)e(%iqY4#>WnUX2sc`OpU=Era|cnM9h_(n};;!1X$;%~5BMakKP z<@LPF7p+?&9jQ%19A&t~s6U?%IgHZ-)eS4($abU)S9*csTsP=@>wVA2_{ zbggKSrk}GuC5ANOY0-;6v{*V6@&#MBbg%+HRyx+6gg&%u6+e}b^wR+!5=8JSxNp#; zxK}+IuY)NR~$qwzuDLlF=vod*tw)JRQrxHMymS)Sd2A3x?n5 zZLGAe##3dy>afg%+fkB2)TqIf1hW$nde1OI6gT!AltPmAwa#h|D}pKeps{|w1$l=L z7eI+vGK|ZVu@65qXrU^J!dF@ctBv z=u>dRb-043lzc}xE=d`g=kNpq)t-z>eRmxTqMKFijpY$Pzpo-^U20wPQbD9{J9IT9 zGu98U2wXYzXab07@^MG0Ou6tJeMSN|u*F9(jf@;Zi!!pGl51UvyWw7OV#Vw@=89KJ)tH!|AT$fX0um}2ygbhC0@WKeB=78SFfD@|z397yG! zonx09+!_szgpcwl)rY_Roe;NvTroWvygChZWq?sIt=zc!Fd{8{Z&*0MM{upJG(+Pn zcT{OyX$Ten^|t}0(bn)wT{UAKCUS{PE-{#m{{CX^C_*yvuY91jTMj)J$&QphQ-1%E zHOo*Sam;S-@ysRxzV{AwL^LMp?dL_@33C<_kD2rB-Nzw_&M`dHH6is)sa>L#j-FOO zIyll4S>n=tE8$?$%dU9^{SPt5mamiBjRf_0MYv$WQS9=LUMlIcvqV8Q9n4jX&?b#5 zrD7-U1#U8J9w>WF4GrQ#ofeV_cdqqhQS}IHdhw3|FKB?7tnb^axNP40N)W&p(oF>j zLUzJIeOSeIN6RZ2l-hU^Y;{iP!}WMHaFZUJG1J(-6H17bW1k#t6#dkkY@#z(b-i%K z!246pHP!ZSOWS~$Bva&k3b6z)u%&hb1htL;ohjGPPoN(n*=PkTQ0_*Z>1Y(P(-ou? 
zPr7R`Y()gIr_gw>;>On)N=U|OfPZUi>MqckTO$WCQ&e2X#`SpCpe4D$9m&=s+GP7; zoTB3v*^<5L)Rx>v&+d$EQcL`t>u*C4sd%!eEw@m9C_NHZ^=yV}$P@c-#b0steD%bv zLrlLZvGNW)r+NbN7w&Za1<}*QF2$I4iX{I-y2)E|(4rudN_Q;?W8gU-Ijv;)L5~qj zg|$XLxqsYPQN{WAQ0!Gyq6X6w%XmYcI~vZT;tLkt%OA;`{cK_$b)qei2R-Aic~hY9 zS0R79^iRe?exw?EMzeB#;4P>%-w@~!?)>}OnxfSPS%Vb9;;ZmW^i@!fDERjWcIi<5@TJ#8ICazyC#r20wd$4+zXdB87j-fyE@ez%Y4Iq5 z!HZG}<5Ex{>DVx9R;Nhcj}NZfJ$HFRQW#qZKSrHbxxv=c7$>M%j-IEOA6vpfJx2mB z=!1yxSN>Q5$K#_#T|U#@VU!>~baq6N2HV1PjdC7 z{Pm=ugK3puFpt1;<}|eDBE$p5WM7eVlu*c7LgP_)HJ6DsG9H2INN5A`^Kzg_CUzmG2e53+V`|$K=!kW;l<&t zb`GnGx0*9;SmrvnL+xj7j?7{6$rs?HPPb!&Ekv8*4IionE@8Fs>W&1>p$_mdGtNZO z-T*vXTW23YYw-|o-UGKq(A~8IKryG{}u~#pW?4$yHc#jr9^9=Rd8RBCpBrG%zd7H07 z?Z${<0#w&b>|hB^Y0GmCvJ^~8D_w{A30Fi_Wl%6H_fjq6dRH|ILQ%y!upI@|k*oRA zqzXwp^8b46S*@uE{VwfziVRY`mxF7$r0cc_wseggiH|L0{e>EbNiTp9UMJl5+8Q@g z4l~^=V;Y2Ic!RDbp&=YIjy*)@YD+RdPJnZ|BYa8!DB7*kVdKAj7&k~O{-tNVUoL0B z4C;t7?&nD-|2D3W=_}RmyI2MhNj|FXRK7W?A*pkzOv#~CMnbJB2?rmnHfNukg1h2F zm#C_v8lB>kz{_7)XECd?W{lX|?Uhh8pXTX_5x@jl%;;EUtuckHHgpM$sRt(QuT~4{ z#8fI~mkpc2X8892C;77OaaiH2n9GoIN*$M3fTsD$$@O>AqUS+PGp6Ln0)6-RIxwf= zq>)S;L1um6W#ZXckaGT)GqMiHn1fHb8oN=&jMtNiML#I7t`i$1Ksql<9&h&x-+y0& zo^5@)x;YD^AX~?0B?kcHeA1K}s4J@00P?Hx>DtL8$8Iachcn`6YdpWZg(n@sID0*({gmO*g$!m8{`w;L52)`N5P%_RC%K5{%6~54i7jy5=W#Bm&bCnXMMq6*20x8M_l(t<$u`<+&UPks9&ByheI!2I@Ibe3Y zYnE2|k`HlS1>R#B{LkR``mzZOpBWiD&37UD$r}0l+~o^`@yCRyf-7z7NDMy0Rv1p7 zMczzs>&W`XPcg&e5{(Qh>1zZ8^!!uKiNYC{E1L`t$ok~<0b5FK9M+;JX%DGNZTp{{ zcrsCFHKi)i{?=$t;fn9|DAg-yCl;i`bO!d~dJuohrGu;~jgB<~ekDr~b-%aT6bXLrgn&gpGVQ6c{RJCBKUe&DG*Su5X&B+#m`>z z_}7lSe@PlO1<5kn=;!0He?|7WQ;D7q%ro{DsOOISTm_{eVZT+#y_Pw?X4IH^0Iex0 z9l4jov10>ldl_L{J|^BOM<1H7JtP zeHHJ@jfX&zoXcVL5g|y_#sUKFrJ0nc+iQW3l1|2?WPWz z>~Ex=i$E4iC}Ib}Vkf_ySCpRS@f8s11LzEaPVcy`K=;q_z=P7L)g>_aqW%CeVj}2W z+5;YBCIcFbEL@sv1LL_ja0KQ=OO$_{mlIsoQi^9{l+2Z!w>&_#{$6-4FY#9ss1VKG zTIo9{%f5as$$Ndkyr{DW>S|P8BZEL4?-gIsVC4yX1+o7FCYyPwLR)+fK;2MB@=Ti7 zjS#VXC-{gq6U%US|Nc@S)>NQ#Z67eyG-!YT%;3iw)`LG^!F5r>H!X~gW@%e`^WQ0k 
zHEuuI!|bA`F0F1&TeOG)W{WQlj6j{U2hj23THqNdi-N2^f_Ncjs=misiGXLfkW<>(~j(2;UFTwPRHG_2Ma9w4CiPCZF=4MX9%CT;X)%XAdzXl-rYcm&lH zi}<`%o#kJgVddiVXC%XJOuI{D=CY(I259Q`jChqeQt@ZEH8wC<6TauL?B@?qskxK4 z)j3u-qJ{#7xxzk*J8g$dN{ zXv?Bb&H!iQ!pKt3urqy+|Kbr&-OdJl*IjNfHoiFKaW~1@{0RCAWpqxX;R~7C2Ttx< z-%CKswMN2q!L~Y{{kM#YL6jNPL!0sl2>IyHeOcQlNRe}TeCmyQUusWcD2^35Av{vD zv525#>o7d%%_hpLiYKA68M60w&bSD8f!J|?cJNw1$W&2L*|wP|nC<6)Wqdt0oJ(Z3 z(5L9_vWMY^RqQbZ%&D_a_xC$$HkMtr)4gIgZXHAJj3|`43`sG0X z3r?YXuq^HW(p|z}z}g~r>t-t-0P+AWKjd@DRcY7@EKb;n;4;ys$kLDot# zzcX;TH}V9Iq(97mly4UR{~w)j6m3Ur|V5%#n zdT({BInA{USSm|iBq}WLnJt{+Os3p=bujXh_YsrN=&7+}5dv^LfRA6cR9?%R!6QJ+ zkH+ga@>C`)^Ug&gVTVBdxw3uU4PF`3aNfC*G(o(@uZ-hDxV9Te1YUHGCqs3zO$=Ea zzmpwtczH-s8?RhTh%Fcjtzl0iTv;l%8tUbVLK21;qUa^(QI*^?yVm_TewXk8W}9zy zDS*pa=^psr%lp667ju1f1?U}pDsO*Va9j0n^Vm)m;#|ybuZx}NTGopF-^N4$WoNTXx6?f%&dfG4DiMwu7I)cyEwAATr7oP~>j`;SPXL$P7;PM5? zh++4HS0M=>Ke{Lj;AIj2Gc`M{4E&?j0HHJp0p$5pftrrir6WLB>zbhQ@s!yeF3PXw z42h!Nzl}Qh=yCL0p7Sn!^-q$cZ_)}_gjO(v39-dQl=afwLX><^5j`KE*N9?ql~qiq zhlLLAgBlb1Ywt7dA8BN$Q^@OE)TKNEuP4$CUjd7MK;<21E$cPkU-dO(;rmC(7JNr< z(INQH&n?*A(0|c!rZbEh8%H$k_Ndgrx4~t&h6n^enX(AB6aoH`Fc;D;CV^*7_LbvUht=O;Vaah)iJQt(?#C>SYjo|!uT{Mu}R`PW<@ehD8 zV_2Olz?2Sf06BCd1A1Cr2oT_G{YXT>e+#8!+1L5lMTr#xG(qw^I{rPX8+8WZ09L#Q znvbBp%B-&o0qYa>ZU>IWg88#)+$W7ss{!1eLw^nec+#RF?RD*+`eg@wes=L%3#tV} ziOk1xUs3#w!nVSE}Drzgl4 z#Wgf4()hCO!F=fSPB*1UGm!q)|5k_U;~!L!zvGYB1Mhi+2uM~6q_{QdtHQRYwQQ>8 z3EdtS!&dXB3#o^1VSA0wMemMLxvcsr_N{=uo9x+CfXd!OVgjq%YTKZQVSmqVJ`7xR zD1jua#YKk{{RYgTanif$o%Hf#&mkftPWtNMbNR*9OH}0bk?|zg;WkdipZfMl6#SbE zeKLV;=k7qgZz_Y{ce^z1=_`0nQcRld z2c_I!y6exWM9Q=#|5VNyLgOO-8a2WC9!__L!g>1jo!76qUG+mzAjbFI{5lEU`_*%> zaCv>Ra(DHQ0+Arz;q#H24Pv0v=7@4bsTWd5Rwa*5mWk2{)oLm#LZ>(kHJ&(yX;~}& zt?*Yh-ocD9;F=osaUqWT^Ih257GB+?VFh~nZrT}gX-4iZ%qJRITK&oqhkYet3=+v0 zPzwr?CFkk^YRiWX4(QbLamey2?V z`u76PHMIg-e_StI0>*`HKMyl!E>O{}u!B^MB)P0p0tuOzd#43<-ySj>sUu$*v~38S zIow1_3RJ_GQVb(GyflqtAs6k$5eIwI;&e#^R)9ElBhHHEZkV_W|`|pra#g1X$ntaw@K?Wr_f}1cc_t 
zK51729MIqU{YFqJbWT8J`GUa3Deno0mUatZ-#Hc!?P~a1ITdqfn_kU7fKFz!lGQ%O z)~_2$IYZ)L+K&}eD!VN9_=`4)nu#DkzFKeR$V|h&7C;n)(yM+~-!h_sd52w4b*YFN zq!ngTlN#Dsa?FruyK-$&8Coyw&0zvsPb6=b#x>l@^vBJERY}O0A4q)u(62|vwdR_E z=wB`u46_;eA~h5|v+{J>H`k(Uk#DTUBto9H4S~A7972q1^v46RapY&%(k@n~TYG#^i_8RsJDqiRZ=FD{Ruomjs%f|ZB#muZLK_gZ09_g)qCv_=KnACGAx!Hwf*?9cld+0C8j zoRZRGb1w0iNmknzE4Y_$BSgaZpRa;dDPg^%-bXxK51W4`WODBn*mgZO zk#)_bs*N(SuSd2k3cnOI{aP4V>1|AMxLMiud)#?Ewe#U^d%b#etyfT5jr1X7KXc1* zJ7vCTUuP6NV9(~h_xZk$pG?eC$E~5$4E4e6-m~!XHxWnr2}R-pEY8vb*Y82a08z)E zh5B+-*x(VcjjQ1Dk)B8T6}k;w*heMGJ65*M4e`tY~k zn&uY^>#lc4j9Zg59|QAXD*?Am+n;jGSeJ2YQO`r^vdQt~q?lvZOC-KpXJ} zicdpw_%uRh>gLb;s6mnhkcdtKYm&qO4+jp1gYQP6%Iu_AR7+Fs2)dpy^0*gtV>8-O ztd_dM>1Cstfu<$jGBGJ#v3(Z0aXuwsh$xm)-Wn;a)^b;#hg{6PKbDmLJt<2K+@t!f z&iiLBv{+9)!3Cf`0LxAn&aEczJ^dOEI|CsS`M{gFS0ua+vzWZZLD<46OM!I{y0SIN z649A6K_b&tttDYsCV*WmpD=8hSFH^_-@A#b2R)%(SqiFxv945tmq?^alpV^Z%3Lu# zSf{=l`AVebI0&Y*j#I)3zW&5YP?nx*kiPFqFW;BChmnDpA&$n5UJIUz(QcRNVy|!q z`{2!^1W?l<`nD$Xb?6JkSK7+wcMX6bP)vz^%O<2q^^{Uy!SB+A9Kotn3B3G zVU}1nHKQqXXALT})6ZRXvZZ`dkuo$1CVx>Ku;8-+VdF z|C0h?`mSvH50YGzPZTBAkX-wa8K#JrG2R}t{L`t`3q^zr)ATd#?^+@BJ3E(d+GkPM zs6RsYNWTvrixfCjo~*ucavOOz4IwXGEI?#Wa_yStEH-|c8l6TGP=z0A$#;@K;mLO* z9-GWXX3@Z)qvZUE{+5(RL5G&~MNh zO{cKvgsm9mNqppP28kc&Ez3RCKFB9MF3@jvOV&5UL@7pFob^_5s0o{VZ?B~)d{rUe ziz=V7qJ13-Xb(=f`_DPrqZuQ_MY;r3#M%VJV#sNB%P;f)lcg-mQ=4^h)lIuVu(f6A zI>JQ3-`$PFiLw;V5hx@n3KICC5xYPVwwX{cE4Wx$nz!~8=2_u^2N7ofpA_YFiS`&Z zGTb0tMU{YkcxB$(GmO4w{@3S)0u@#K|A|o&C`g~mI=D0_4U8?v!&Y+RFn?}z2keCy z=9SN<0_6BmZBmenvsjjE&`+I0*6CH2M0|2_RKo`4~wj=TDJ_vnk8_WTNZg6h_J1v#{4i~xV$ z)dge4Cxj;u4on*o^g6E2e`*MPaP=*)p?U(edi|%PDEjh1%t)ack**(Mvh)X@Gct12 zNdULj3>={03NTS*M3XG>?GhJ(>`Cz-va_>U3qF&ZIs6&^aRM;zi96rj&pv_Q!^D3f zAlj0_XOJ%^6s;dSCqhBLV+dhz$yG*-6x8SvuQU|CqEnidR#AqZPni@!Ivk)Z;I#Om zCS$9OY1~w&sxrwR{w#Ipp?9Z*MPui!fdb_aBsLMx&pJ+4J7v^PaqMqFyYF>N=PB*P-nR!A)Yj?+j ztf;*DM|GF$)pd+_4?tNw(3?}e)Aa=@d%24 z1*bGdLD)%Eo@ECB<%a5^C?I3uTY$$EF#p_|e6jn4%9{LI;rDjo`RnQ(7(c$fPigH{ z1Bd7f50?soSRw2mE7cty^&6h4lIs3>?I}{T 
z^7)l(4gWc4^dgo&$n2wY$>@uYJYenW%1f9>nse+^rF!%HdK8fFvbqTuJ%QufT14q8 zLQxv&!G6_EF!>${gs0*scoLfxr$Z=9{HDiEo2m63Lw!=5Jn%Wd)t6^K6%?e4zBtHz ztDcHLP3#d=P^U~BZ?Vl~4#&gKGXCC#|BnTKnWSIvksXY+w=k=cl_J=uczUPle+0yZ zL*aJPFxZZR3|BPlWD2zi#*?#toqRbNT=meuElxPU8k@iF zzU|6-v%PF5n7dG6{pF%nfLVe28UwrZx1)BClSh&Ue<6nM@OB#%p%;nxxo>YSR6TTO z;R+x^RTtk^Nt7eN`^lc&XLmMn$qEB48^$h*vo5vknyl$#HVXeGmQrdd4JBnXtwsNq zhBxdG8Tb3SOFJgi*ss1w1Xz8oUj`vVeZ6cfv5I@DcTO38&*T>Nui6l^johGB2zYJF z;T5c_rCSNG?&vvXcrbr6(Jr>B`B{~w!8M~qhOXri%m{stob{#i4rsdHdUIZcbiDts zri#7>C*q2qdG!pd?hNtQP*|E5fh15)Aug?OUwEjbPBl;yGzjr;U3&!8m406V;hvWY z-WL?M_bm})9dpL3cWrcQ$UqBIEl(kM3knF1$arY(7(po@y81Rfvd&=kp-5M>;lQGZ zxXFgX(oz4E`6M&3UQVx+xYZwQV1Syb$M6+g(AWD>!O0gw*(!MT+1fQddbn5oLmj82O0oGPQ&De#C#R0- zCxaA#9T&AU26*6t{MYvnLR@G|$bdxc{HZoH5uN39yi)`-@7wf7B*({R6n5oHAe|BHWSH`alj08R1)D0`S@I&D;BB;@M1b z#0;qAA-y)WzD0EV5ERltE@0YBEiUrljiH=-2XI`}y_48q8Fzs5DM(ivza3C_4Ig}| zx`NEsu}PA26|-_UD4Y4I@u;7X=+1PUi!M5l^pTwt>I!bfUo49Zi577{G?!!X5i3O4 zUDt(vw3zbqH=FJG-aGl`A?>tXiHxD1+xX`3iiyWhO~qb5Rd_=DGauy9-llY)Uzg5! 
zuR!n0``+u459p8XMWWwxexxsG{t8eS0#;U!&-qS3cn7pK@5;2*9WCh1zjfFub6i+z zGvEkbW8nF{#yoGGzc*XIQc~IgB=L@UUXfFn^7}XS`PK5Ex!_9eQ1Rrv&2eYjI3wb_YJOEFRx=D zM~`q@Q_Vt3f75uSZU^cxZ!e&2lPV$CqA=ZcH7pU+4`0~QwcO;=rX&M~>ip6OZ2zAO zQUryn{`*L9Q)VXgmQlf~xKcI&F+1mx4o>r+jFQKd)2R>cFer(8I8G{+jdm zKlL5q!cmyOdXohQhp~A0vp;EUxBqQvHq%ZMOWLa5Xf}MfhlI-Wb`MJSj5Y?kTd>9k zR~DDSut~_H6TZApLMld3e8(A^`iSmyB&?<0IX)jIy3oy9iRH=AHKWQQwVEmwwlK|< ztc~8J$m8*g@$jcX4o7>V11%@t_3jvR>?ml=I;2(vxF|joe|a$$BTDEK$O@{O7z*U%)mgZ6j{T1y zZ+Ou=e6T~6EL^@RJRbEhZ`xS9wI=Q&&9Y;3VQueNv~HPAk1*MOGxOw=f@iKip+t=b z%Yr!q$6c`T-=2X6OPjCKLJmqFh-^#`TkzxJMc%(oFLdW>rEIKcVd1iG`C=Ej# zM_81Tt}r4d!b73{0en?{?%F%(xr&Frb9w!G3d#rRfBlfjK$AjwCX{9Fbr4!;=M_6l znfH`LVg9N&wZ8hrd(J87gPZ~{*8&i}*DfIb(G(3`+>Fc&;CZk1f?}@~oAsv2vj3;2 zw+xD-dz^4_hv4q+?oM!bcTaG4SS+|ZL4yW&m&M(k5L|=1!`^*=|9kJpQ&Uq@H8XYQ zOh4UyPTdtv*ov1@K$dyGYdLBIaet?Px;FDX-ZM?w8bEsTzSu87gTOB)DpQ$RS*xDy6$4WW$W;7bJAM4) zr7YC^eml-OB^U$#ZF%~eRhDUz^JB5-VBO^9a-G7A$#gEQtMl8M&KxGDpEDI`&eS!AG>zjlJU|)0PD47 z{NLiiy>D8s=`LFs9ud!UEZ4q-#q%w=j<-^(wZX5+>n7-iy#v2GUTZyOV#UjLxY4qvyG>p+(? 
zD=Pmvd-CNzvCzmfW8%V3G(9kvbi~RVGvcTUmXiOhbxKG*UX#W21gxmxY3Y*pgztJvn>6gW5E1#Qgm?ls{*e(?(4| z){x>tSNOP zw?XMLA}F-bkNpj+3%M>Otn~M}93^f&H3Oc_EPL#up|#1nsy2 zcrsf|zR6?cKUEw6x4ha4l0mQkoAIVWI2>6Mx0d>k1^02@7Gg^dQCY#9!pOeQ7=%Lk zgSkc(Y?LZ?jNE~t1dZV_EVPcALv9ZZRIPREO+Is~X^buu+|KE#w(Y88>e~@~H3K%| zDn1CB5z*IYD+T(R++hu?)Q`#DF0SvEAjStM2!=q*Um8oKqbjF<)({@6Z%F9ff7>iO zdZ+m$5&%Ni;K=H6%P5+gBcVC#<4_=aV2Yem=KuU_RjI+v9WLGSJ70@>&}V7BlU&=< zy{}KEkLem#zKDUaI=z#~TSmx)J^{}DLerqO*4F>ytcUMn%DK~`*VC8K1R8Qz@c)or zdv`dFwR%%a-losLq`z;=Y`vTB0cb#1wzpy)Z_1yM%W13AAjv(4wa>PRM=B&a*SG7A zk%Pn}K4&YCR>c9RmtD!bd%ST0fcgR~$N+yjHf6vcw%g7ZKn#D5Lr@S9 z2v#t)(_Y_AY5tgQy~}E8<+nEr8(8@bW=Yte`Y1RPq5u2(tDHH;J5f_#JKFs<1EbNE z9L2Q~0`t5m&`fTCuZV;Wz#?^S43!qhkJaJ)Blm`vSb6(AdlMJph7_Ok5k_f~`gnZG z9jqaObu69E&zxt~Du(G-Hd9c_HP)G!Ela@W87Sl*kZB)yer|mZ^ztV9*j9*{$oz_q z90gxE)^TO_B}JgmQhElv86OU7s1IR*zEnXRBPm>ch{^!+&^BqsnK1QN?qu2>?*Gp$ zvEH3oSZEZps=6z!Rc3BseTe3=3{QvfN|jOHr2fY%1MBYOt3Ci;ZHrF;p)Te3Hn5vx9JH;K|J==d<9CghO=*(&P_!qk z!;6jaS3^0FxrxOPMj~RMdoqU+)gA6z8ipvO-t2RJnBG3wy=MmO3rIsfxDvdwE;s^x znA8b?YD&7Hz$iru@)ZdT==dSq7)ndgK#AIhUG1aOE?ICf8I)fIQMakxM8hUON!RMBV@rn-2$$vYvU ztgD$_B8!j+mS-N7M>dNC55r-T+~y=Zqr(= zeo=fIh?hLXC)rH>b7#iYIH6f9dX1w}7vCp})5`lBdrEpm^@aI}p-blvtStm~l+Spu z0nI!ulRUow|KI`pX58b3WE*i$?QTVDNKO|&S|r50UZy;W+&_L6n+`{m30>)zCl|c8 z3n`tqm@7WzoM(%u^g$4r`VKp+S3Fdt1wlDk+)<-yLc}@u-aLj@0wi58kEmL&z=$XB z%hr+fx4U>1@*3VP_6Y!gz7IW;&$rBP81RYz);bcWKD8=+2^eC@?u=}u$g{m=AoCKh zKZ4lwwN+UG!lHxcq2w{$YYFTs_h@l5V>f~xb`DU*j?sV(b6gy?d>iB0tR#iTS{;i( znO`&uEAAM`uqS|a8xKCQ^XI|p`sdHaGKpgwNtdH3QONQTVt^3cYa2~r>IvsUh<+P!oaCI zAi{h$ryiL>-)*e4hxHDKeypW zR|gZ1GbsfB&sQ*bw!hf_a%|t5KsUp3`z)%E{6i$?$ow_YsSR^I;C(UL2cfs%_?M9N z6j@B0z{fH5y}FBA!$fjLvbP~^Y*=FrD{k7^MAPJD0F9yDWf}d*xdwJoc_hY6^$}{l zNo>~X9=4}RkMD6(vm}dB(y3doAs=K{Wb`P$D%AGE(PxnW;*sm@I8n4+2`YY+u83u;ejjR|=DipAzp> z6=7ApL8xTCEBQ?nes)s~rmO_+10(O#?SKkd6L~gZjPuwrWd0zcV8g8;W^0gr!j|Fk zkaP8gh0=S-Jbgen{HhAK?=;s42@PL|@x{QX(2ip7_htRz@I}5V;V<6w 
z6|^-_m_Pm2RJoU_IOh+nRbtk%I?oaa7UIt%eW4?x*C3SMJMmYjx3qv$OlI^C21E23;74u2O%8|0T&%FRId-O;#pqL5 z&0@qTVy37Ovd86N05|owZTL*tu*p|?Y2^s`0yx{%K{EJE-O*#)(x`u?VG^thpQL6P zv8KY7o)AobtjDCehQ@@OSEnEYd^p~B@8E-~+ewWob^*P@1 zOhBxM=?E}Zo;=$!Y2?vkJ!W>^o=*Y%%-;I!5Z+$#72weXpPpikjvqlsfTjq#=SPx_NL zx9jbKL^gQY!7p_1vSGp(!^@Fj(_aeW&Q(4<%CC+Ewpi=NOkVj-bxCTSx>n8rSFhe~ z^3+;KTkfWcbHo|qJ7rewS)M?Jn!mW1X-5zJcgJy!x z4l{Vh@^$-&Tm^*l&Dq-i9PaG=uABj~CDy^eq$6cXIDSb*DNhD9Eu$Wz6OgBtGl-NlrFx_Oe5_rUDVKgc<$`sw5!xbz78nDTm zbXyLEGxLz$&xQr>_n5qV>%JdcNZqFM%ju9%9UgwGwCPZok`#zblDJAF$ICX9GqNpF zV_ZS~f#=X@QI^t4hG!$QZ8=eUV}5#K5aQ!F?cZT6`8+g3V*lRhaQiYe%F`ld9~9|D zzzv^6*q7w}*C`uCgQS(xbC{f_xu)~!5?za7o`&Tp^aPio}`#uE9` zx$^b?Om4y)_I?g$uErzFnwwxz^mlJJp%mY1#a{KVRcBa66`IGMcJ4_y^vjcox8GYX z2#*dCysZv?B*e?~Q-c%_Q(zFgA4T@}kR7`Y17x(hu$Cd4s-W zN1-;?d7&nTo2@IqY8X&C;{AZB%rH78e@nKwQjmWbeg73M#Dj@DUBME zRRfYd^AlKxJ5}>P#bR$;uFR z$AEG=lkh&HtyaPZEc@>hTvy`XsaY@ITBP)7TLESAkgKdi6F=y*tI+a z(3jWud>>t6>A8-6sxVC>G5P^pxNuE)oB!Hf(! z+h_-z?+V}?;Pd{0Gu`)Xv6^+J9Yj>L`+YZtVZ;M!ZO$=`}SR7w7yLs$O zS;q{byXxuGs7vRg#oSVG-7bq_ff`DRzuHr8xEyKjtsLuVr89Y6B=`J~0w091YnNu# zh>cXK?31{ z$H}ynS?H6 z4(xzOwy!31Bz*3TwHdRV({@EBYjcO#3Qo+5BPJ3zgmJ-uV7K9vNYsxn;-*X8*$O_Z zkX$y06<6rcq7e66lff1b6&LsAgJ(2jCQnkvfOJ6mKa>2s^L6vQVfE(BOpHTEhFnQPA*@rAg;XY=4t=-bn4eZDgNz+$J) zN#WqUM+-^TxsTovi8iZ;ltz@AHS-8EI9V*o{zDnG_v#}xo4h5Zx&wLJ5T}|PJx{lz zw-C2DKxz#mNLoyu53SBscp@$PP-}X63o3;IR%#G{{L6EqL7Vo^VA)df2vo;@eU=Jm zwp=t}mvaC%w$rg*oLSo|SLmODqcT|(#;o12TGwEG=~6`ybhY9I{I4A`aR^lP759() zHs9t;CM`brmzgLVmFf?!#@~CK3lz4cxnCY1RU4~xGoY2t3&+w~kbjTKf9h240kxWf z^=pv+df&j}+2kx-*;0sSQ;5jyQ(e=i<3X2?sO04N2cXIX^iiYq3EFz}0-vREdIeg4 z2eDCWybVIP$lmvSEAgt?wfte1DBerEdn6Ct42^zNmg3D(71i-cDOn0&X((o-^br{| z6-q#H4ByZ*j7D))I>E!ysbrkm_+RWK8-jS5)~+$CUVAc}TizF=c1Fi2r{s8x6!@wk z`{{4-c2)DKVgOpay5#;Z+Y~tli2ryxYXX_9{1vc{HlFnf&gVc<8<6!_ zoQJx>l~k`YQAZR-df8hQ2as#J7D?IbR!;g^}pv6|DkIMT23ox@q7j?ZU9Q} z0M3pV7rgIa4w3u}umrUPf2_I#+iGu z7#Fcz??T}Ie1&M|S9A=+9x_1R3cA;;59B-ubDS>(zlOykpwK4^)1DAHmEj9sHCSX7 
zt`ND<>ySR*TqCWa{bF(7t50~=E!yUk1tcXr^98Wyc|42ls`{OIT8LA9+k_Ft7h)}{ z@uuy$GrXF@=>FcrwLazC^9C?zA?B?{m1|Cqtv> z&^fkjbwiGlQmvtd!&NO~3X2nZ%TJ0|v}Qi+bMF=lJPSa-V!?l$y{2&#TzZ4O;NpCx zh-VHiItN$*XKM(=|3`cJ8SZza{yIB^A}e*oCHr^@hhf2>(W4^VGdCj!dHkkg%{|K5 z@l!yz3ZNeI%tOS)8Bil`m_MTBueU|RK`chIw)xWE(Z}#e91%TsUAt+SU9&=9^Nq|W zO8_^eqmv8jjx;R!%to0avlmK5#OpF5Wy{xZOd?CQo3=4wvVl!y@-Wl z;m%Yue_eO}n1KsI#1jSx7BuFW8qljJ<fYyxwoH7l}8Qf=8+kZA$g5`d>G*Q(svnl>y7lD^jU#h+Hu6m7#^PC&PG zH8^9wZUUhLrjq5(k-lU$?qa!y!|{SF%EYT|qf6{PdOg{rAsFEFk>kU2TfDO9=3C8* zGw_2q)Z>pIa(nd%P!w*iRiZmsyuBHrd*5)68y^-MV|Sr4Bl8()kILwyi|YDU9zh98 zG8(*`K;Ep7IT^(*hoE?(80lTCS5DCoAGh!56<|g5zJHkG8FCshUBOfr$kkFewEsJV z$b~yG(MRNlj$d?-jf#WxojCgPy<;h9wC)AQ4K9Kn6EDu<$Dh_gAg>4H<1(2go=Uhl zwJKY;ilNc!sA=JY4n^rX@JG)^I&9DN&|Q8qM2JUAL+q8xbvUhEDN}#a5zcs~&J1Bb zom~}%dj^a0K4lrI$d1&Mwu>_aL;F4@Ny&}TSOe3eQ>($%mTSV(att|qbQ4g1;^IZAV;xyYVEaiJ!Vsa+`16oO^_l*h*88Rf zBY@$o&V%HA>R&w-^VgsnJ(P;d4pSKoZV+$2=8!A2>T!o4({iuQBl6I6Ga{QbRYU#3 zQyKZW?glNh@LdBP47D6XEAiMsYN8Dz8*VuhA;JbyX*_yy`k$0wafWabe+VohM1vf1 z+EX?br(rUzcaUf08jL$}u)a6}zEC(P2TFpepAQAZc|1Gy?UG#m5BfuU!1wOUxu{rX zn<~%f5w~hFrhRP2r6gc2U62z3q+ESzFxzXN{l@bQ^cu3Gfz_>;U8v8OV6&sYvD(q2 zuUXHlb2?!c=riU{!)+lbQ-y4NQQ*o!)#^_}Ibwo3!Zd#RdKQKFZlJSJ}HnBeY*A}ezsi7Rd`6Me1kNY)7 zE%sk!5_`s@F)tYRAK{aASrBpvxr@r|VSET`qTVQB!3v#8N9VyaB5+rH!*uHWbUL}; zf2MbV3mK4;o7Ho0)FN!lAa~i0zAZIWw>lDCp@s)>jPB1^E##}93KT+TQtTnFujM&I zAp{BXi(t?N(p1FO9sGWv{Z3Ux;YiDT5`uv=OU+wAfER-Oh7tQb-#gDwt*x@=#{FmH z5ep4QV>dVQ;G=2fWYzOx6mGj+b+?Brtd@HlZ+>#vOcTD``-+;Tgj6;sb8DL!IoVuX zzzz-8ut0QdQFCnCi6RqjfTSoMZ1bnsu_T(Bi;JbG<#NyZW_KCzY6g`ztset@OJgsz z&p{b5Z_Tj=bH(XDkFpiJYa{?DT$~qjl&-X#K|oY3h@v`1nY!uw2ajdcClDN`xVYC% z4~sPN1j)+7XsghRsMZmIMKx%Nm|PaYw$dee$OjLA7usaKvNuzin)Z>ARz#EB2^%Fx z7yi9{*us~Jjq9Xv^IUjEHLJ5R6C{Nn-P;)9mvrd%|AH|Qed8AstgDw=`E!@jQ<(KZ(~5~hDZqYJx>nLw z+-cFvOr8_>wqy_@j4w*&P8iwf=s6%HRw8R>P?*w(R~p6@YMAsmV1@g9+ab?lgJ4$D zNsY`rCya1f;G?15Gl6~Bc3vxAEpo4$7^8t2I|PUcySF9nY#}+)iodtg7_LEoWXt@}CpEWVyOZl6KYXGcU5HJhyc>0s*Y9c=XD 
zxj>612QBIr{ynjMMgqRJbr20kw`4WMC^;l1TdB5gW!FJ(C^moZVXmW@<9u=4W8|bf zpbD4uuS9Nv`9;evjrXSQRNZ4hsnDFG_co<-mU1#;bPKf+9@qV_bIniIA?vwMkt8=d(gqC(pS2%t9e#cC zKcE`O4Hi6ACXF#;;o<(AzJD6tdZJh5Ug;nngT zb-_57bE8K)7K)w&L>x%iLJgodd@dZU=D$SspGm%-<^T^+o3`Dam$}!nKJDHbPpvhS z8R9ESaG#1E6(T!+YRpK`w6IhME1U|dDKjutSn&i~uf^+#Gcj26q*udjm1}x2pc3=9 zKMed{@T4C$Qf9c*YQ(gv{lSCc#Z&s1IDN^YmKt8Bnmkb~fuTo357N*=M!3<)(bO;1 z&Ap;2?ObIzKNFI^Ev@=jZq4r@BRkef=2C)7PXh%w;L`n+wI|YB(`jjZmZGw%aZSP+ zwl1{HSaKHo*N~S6&aaRlb&i41o>T+3lsr-REM;dP_ELMUs^T z7ta>HHON$Mqs?>FOw}-Mqxf@F3tsub<*_Ytn^Y9=FrG;1H?O1i&k_r}#BlQfm=J!{ zGDhc?fhnBPT8<3+w!~)-th+IDyK_sC4;eIlOKf{9_`_2c?r@&QK;rU|=jG)s*Ezy4 zT|OeZ@ana(WqP7MS34BLO-=~n>XD-5nW*ofpDnTX1POh&(H#ISuqAd z>u%|>=^QP}_=`gc4G|Pqm&d%Zk^U51a$J0B2eVC>oJ>!YaVs=Y5rbs{J=VVd0W18s=t-;&Kl_} zO%yx<$vk>>o8`+9jhWv@8-z!Nq22!=!9sF`nXgM1R32tJaK}4y<&mYxzc|v7g658B zTZyN;;8_^XwH(Iu9ad{Ln>YV{-kfz;=>Z|_UvTDiRs0>}M@W%DSCdy26~+DWNOg-) zORFG9K+R@F!E!W*{nKI1!N|vL5oU2Xnls`WA!p@qk@THu6L8$Fk$Z?#aSV zDwxL*Ce1QB4T398MGwD{dG18GN~_}m4#L_c!_|p^>a-;S7CA?$;t1{JAXuRW-e6n9uIi5|}Q_8l}YBKm~DKo(qzD~-xteMyZp9~(N%FW>|&G3?*} zjls@-O-hubFWzWY;?mHcWL+h;Gu}}irpTEaF9Pt0qS+r_g>SQBw=6z4TV`&N+?HcU zd|8EHF?syl@ghV=fgJ%}o7RoxX|j)H2!0?=i{5LBU0WaN{aaqx6PX3XF2cF`0^enD z2=WiyS76xoS|-6NKt9xLqTJk9deuhKd1=d0rz9*$ZR7Ep-m-9 zkd=vJnzrVINywN}0;nwQ6k8{pZiP&pvj(^|jlS|DNYfdN(6^errZ;gs3z|n=SPNq) z?OrP$cO!(Ww21rmRDz|Jf}L+#5c??+7?Gi=0q2AL<%_fda?Q9oSkf+PDsu=UcTw6F zWsn^*71AF87;}g)TtN#k54*)gaarkUO<7Y^x*Z8PS0A>4*f*B&iOS95ziGDob+cU= zWUn~4S!k2x{eQSIzzg$jB&8DNy13!AZbrY+J#6Nn+ozyCo8Q%(I4QVsWh;H+5gs0y z0-@IKSf8(v2Igw%2t^YKx^l2ShIq(3LmlUX zsPmo6mq0=|2go)!4~1sf?c)R_3PnD4I-w~M4YGOz)kunICK{~lVAH(S|9wJL-Z-BN zkvaL0@0~N-OL$S^L#GW2Jb^=0+N3I}1Y=E&XI*^K#dH^_-_AjGhQ8G_Qj>L#S zkMec!a2YrvS4Eadq4epEWyw;1+U-sW>HSN5g*TmH_LP{onyp7;e(QADjizl1%V0ib zo=hV1ii8&3DjsWhiCALteOk2O%$gxSxwur(*mlz$4{^GhwpD$Ru5AeA?QAt(iAWFD zrrmD#w)C0|&D+qIIQHu*&9kgLls-yL%e^QGm^k;G3~<WQybR^2Q(_IHr7qMuX*v|PaZ(Wzg zBJt|_KW$?Q$2AXXw9I*i(BnwZTdtWQN=u9#&e3VPQ~0ky%C^Ur&eueB`m6P=CUKigl# 
zNb+)fLC42i{S|?39)8z{2ZNu-s-V|3k&UxFMq|P3_|ZP5>XsU%aUOUd4DN1WEOc{I z*n{XS#iex2W9S(VNA1RE%+Vwh-Itl1{ZpUhB|_RRApH= zy6~LZ3C!qC|M~!*d-R&pOKCg=g6Cv%~K$?|fwE&SULZYtzZAi&fj&kP_%3 z?U#{Wn?F1fgAo9~&{EB;SaE+4T%8YN*iM}jkk=%0$d-{_br;qE*Ru45Z~vd47~1(C z!2VCJt}b>Af*0tg94-cu5&Kxa3id>t95?>;=wU+})_T%Lp#icRB6!BLi=E+QA-BSf z%gdGvqea&r8p)v$x(7J*PWzKG(8%4E6tlWM&Z648;>Gb7~*@R@rxaSVe%K>WsfBJ%WTno$ZXG0DvC!E(bht|FVJX3hK*QOcTcT(tQp z<3Y4o}b9o@IR9_Y3YA?UVe`6gvdc1j1(*6 zl?peYsZunTc|`e+sIU&u3YC2^42{9C#a{XbttmoYB>8X&X0*6bV&$*ZtspAxLAMEsI?|L8JZ(4vPxiX6dhrVM9;C6vVre(ctGa~* zF@I+&g$~6{{S@AtE%fnOP*yB3*QVIwUStEbEo)uZ@uF!<;DAGCSEs^Wo@jfd6H^?E z?b*=n>$=_NaYX3t_cECZ&-iBOKHMMAdnW&0OT#fajhQZuk{=lC=-4coI3$_)q&mk` zvpE!UiurlcHpOUy#fyKA zitK!O@kdp0j~dcQul1Qca(r0eaxt9okzhp5U}Qc>6QYB71$^JWs<>2or`pF)ucnup^&ij#9ml>DM9P>3N&Fe#!X0cR51~rP4#ks7F}7N*!IV z8{nKsG+toXsYB>&0oSk-pRh)GWMVh}bLfeVY(J3mHZ*Z7D}ZK^AhPiN{aWk8y_4R* zyWCvhM~dhyrDej?pN-igpJf9{$;3A0+^4)f|81+^4;6gW(0mB{!!onujJL@ZRCs%n zKla-k+x%<#n_HeV52>4oq8|*CJz2WdX}!cH;r_(y2oOONw)#}9Gc;^ClkHnM*vmB9 zW|6II0zdAsRvTB*hZppKu}IRFMKb}17qM&9lcf?_SOKQt&h!D+b_+4WQ*E