From a5f7815dc582e1802494ad39ccd465168a11afaf Mon Sep 17 00:00:00 2001 
From: Enrique Garcia <40355845+garciagenrique@users.noreply.github.com>
Date: Tue, 19 Nov 2024 15:27:24 +0100
Subject: [PATCH] remove old flux-v2 folder, all the tf relics and the tests for a dask deployment (#297)
* remove old flux-v2 folder, all the tf relics and the tests for a dask deployment
* no more tf files, no CI with tf check is longer needed
* revert last commit :harold:
---
infrastructure/cluster/flux-v2/README.md | 15 -
.../flux-v2/flux-system/gotk-components.yaml | 7962 -----------------
.../flux-v2/flux-system/gotk-sync.yaml | 27 -
.../flux-v2/flux-system/kustomization.yaml | 5 -
infrastructure/cluster/tf/.terraform.lock.hcl | 64 -
infrastructure/cluster/tf/README.md | 7 -
infrastructure/cluster/tf/eos/eosfuse.yaml | 48 -
infrastructure/cluster/tf/graph.png | Bin 167236 -> 0 bytes
infrastructure/cluster/tf/main-helm.tf | 11 -
infrastructure/cluster/tf/main-k8s.tf | 93 -
infrastructure/cluster/tf/main-openstack.tf | 66 -
infrastructure/cluster/tf/outputs.tf | 1 -
infrastructure/cluster/tf/providers.tf | 45 -
infrastructure/cluster/tf/variables.tf | 59 -
.../secrets/dask/ss_daskhub-db.yaml | 16 -
.../secrets/dask/ss_nb-vre-api-token.yaml | 16 -
.../secrets/dask/ss_nb-vre-iam-client.yaml | 17 -
infrastructure/secrets/rucio-vre/README.md | 1 -
.../rucio-vre/ss_daemons-vre-cafile.yaml | 15 -
.../rucio-vre/ss_daemons-vre-fts-cert.yaml | 15 -
.../rucio-vre/ss_daemons-vre-fts-key.yaml | 15 -
.../rucio-vre/ss_daemons-vre-idpsecrets.yaml | 15 -
.../rucio-vre/ss_escape-service-account.yaml | 20 -
.../secrets/rucio-vre/ss_hermes-secret.yaml | 16 -
.../secrets/rucio-vre/ss_iam-client.yaml | 21 -
.../secrets/rucio-vre/ss_idpsecrets.yaml | 15 -
.../secrets/rucio-vre/ss_root-account.yaml | 17 -
.../secrets/rucio-vre/ss_rucio-db.yaml | 16 -
.../rucio-vre/ss_rucio-server.tls-secret | 17 -
.../rucio-vre/ss_servers-vre-auth-cafile.yaml | 15 -
.../ss_servers-vre-auth-hostcert.yaml | 15 -
.../ss_servers-vre-auth-hostkey.yaml | 15 -
.../rucio-vre/ss_servers-vre-idpsecrets.yaml | 15 -
.../ss_servers-vre-rse-accounts.yaml | 15 -
.../ss_servers-vre-server-cafile.yaml | 15 -
.../ss_servers-vre-server-hostcert.yaml | 15 -
.../ss_servers-vre-server-hostkey.yaml | 15 -
.../rucio-vre/ss_webui-vre-cafile.yaml | 15 -
.../rucio-vre/ss_webui-vre-hostcert.yaml | 15 -
.../rucio-vre/ss_webui-vre-hostkey.yaml | 15 -
.../rucio-vre/ss_webui-vre-idpsecrets.yaml | 15 -
41 files changed, 8815 deletions(-)
delete mode 100644 infrastructure/cluster/flux-v2/README.md
delete mode 100644 infrastructure/cluster/flux-v2/flux-system/gotk-components.yaml
delete mode 100644 infrastructure/cluster/flux-v2/flux-system/gotk-sync.yaml
delete mode 100644 infrastructure/cluster/flux-v2/flux-system/kustomization.yaml
delete mode 100644 infrastructure/cluster/tf/.terraform.lock.hcl
delete mode 100644 infrastructure/cluster/tf/README.md
delete mode 100644 infrastructure/cluster/tf/eos/eosfuse.yaml
delete mode 100644 infrastructure/cluster/tf/graph.png
delete mode 100644 infrastructure/cluster/tf/main-helm.tf
delete mode 100644 infrastructure/cluster/tf/main-k8s.tf
delete mode 100644 infrastructure/cluster/tf/main-openstack.tf
delete mode 100644 infrastructure/cluster/tf/outputs.tf
delete mode 100644 infrastructure/cluster/tf/providers.tf
delete mode 100644 infrastructure/cluster/tf/variables.tf
delete mode 100644 infrastructure/secrets/dask/ss_daskhub-db.yaml
delete mode 100644 infrastructure/secrets/dask/ss_nb-vre-api-token.yaml
delete mode 100644 infrastructure/secrets/dask/ss_nb-vre-iam-client.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/README.md
delete mode 100644 infrastructure/secrets/rucio-vre/ss_daemons-vre-cafile.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_daemons-vre-fts-cert.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_daemons-vre-fts-key.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_daemons-vre-idpsecrets.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_escape-service-account.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_hermes-secret.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_iam-client.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_idpsecrets.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_root-account.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_rucio-db.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_rucio-server.tls-secret
delete mode 100644 infrastructure/secrets/rucio-vre/ss_servers-vre-auth-cafile.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_servers-vre-auth-hostcert.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_servers-vre-auth-hostkey.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_servers-vre-idpsecrets.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_servers-vre-rse-accounts.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_servers-vre-server-cafile.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_servers-vre-server-hostcert.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_servers-vre-server-hostkey.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_webui-vre-cafile.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_webui-vre-hostcert.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_webui-vre-hostkey.yaml
delete mode 100644 infrastructure/secrets/rucio-vre/ss_webui-vre-idpsecrets.yaml
diff --git a/infrastructure/cluster/flux-v2/README.md b/infrastructure/cluster/flux-v2/README.md
deleted file mode 100644
index cffdd104..00000000
--- a/infrastructure/cluster/flux-v2/README.md
+++ /dev/null
@@ -1,15 +0,0 @@
-# Flux
-
-Flux was installed manually via:
-`flux bootstrap github --owner=vre-hub --repository=vre --branch=main --path=infrastructure/cluster/flux-v2 --author-name flux-ops`
-with version v2.0.0-rc.5.
-
-Flux version was set to `v2.0.0-rc.5`. Higher flux versions are incompatible with the current cluster version. To install this flux specific version run
-`curl -s https://fluxcd.io/install.sh | sudo FLUX_VERSION=v2.0.0-rc.5 bash`
-
- - To bootstrap the repository you will need to pass a valid GitHub PAT.
- - After running the above command, a new `deploy-key` will be automatically set up in the repository configuration under the username of the person that run the command.
-
-Manifests inside the path `infrastructure/cluster/flux-v2` will be automatically deployed to the VRE cluster.
-
-Refer to the [official flux docs](https://fluxcd.io/flux/) for information on how to add manifests e. g. helm charts and add kustomizations.
diff --git a/infrastructure/cluster/flux-v2/flux-system/gotk-components.yaml b/infrastructure/cluster/flux-v2/flux-system/gotk-components.yaml
deleted file mode 100644
index 3f2cdef5..00000000
--- a/infrastructure/cluster/flux-v2/flux-system/gotk-components.yaml
+++ /dev/null
@@ -1,7962 +0,0 @@ ---- -# This manifest was generated by flux. DO NOT EDIT. -# Flux Version: v2.0.0-rc.5 -# Components: source-controller,kustomize-controller,helm-controller,notification-controller -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - pod-security.kubernetes.io/warn: restricted - pod-security.kubernetes.io/warn-version: latest - name: flux-system ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: allow-egress - namespace: flux-system -spec: - egress: - - {} - ingress: - - from: - - podSelector: {} - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: allow-scraping - namespace: flux-system -spec: - ingress: - - from: - - namespaceSelector: {} - ports: - - port: 8080 - protocol: TCP - podSelector: {} - policyTypes: - - Ingress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: allow-webhooks - namespace: flux-system -spec: - ingress: - - from: - - namespaceSelector: {} - podSelector: - matchLabels: - app: notification-controller - policyTypes: - - Ingress ---- -apiVersion: v1 -kind: ResourceQuota -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: critical-pods-flux-system - namespace: flux-system -spec: - hard: - pods: "1000" - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - 
system-node-critical - - system-cluster-critical ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: crd-controller-flux-system -rules: -- apiGroups: - - source.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - kustomize.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - helm.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - notification.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - image.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - "" - resources: - - namespaces - - secrets - - configmaps - - serviceaccounts - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: flux-edit-flux-system -rules: -- apiGroups: - - notification.toolkit.fluxcd.io - - source.toolkit.fluxcd.io - - helm.toolkit.fluxcd.io - - image.toolkit.fluxcd.io - - kustomize.toolkit.fluxcd.io - resources: - - '*' - verbs: - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - 
app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: flux-view-flux-system -rules: -- apiGroups: - - notification.toolkit.fluxcd.io - - source.toolkit.fluxcd.io - - helm.toolkit.fluxcd.io - - image.toolkit.fluxcd.io - - kustomize.toolkit.fluxcd.io - resources: - - '*' - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: cluster-reconciler-flux-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: kustomize-controller - namespace: flux-system -- kind: ServiceAccount - name: helm-controller - namespace: flux-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: crd-controller-flux-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: crd-controller-flux-system -subjects: -- kind: ServiceAccount - name: kustomize-controller - namespace: flux-system -- kind: ServiceAccount - name: helm-controller - namespace: flux-system -- kind: ServiceAccount - name: source-controller - namespace: flux-system -- kind: ServiceAccount - name: notification-controller - namespace: flux-system -- kind: ServiceAccount - name: image-reflector-controller - namespace: flux-system -- kind: ServiceAccount - name: image-automation-controller - namespace: flux-system ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - 
controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: buckets.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: Bucket - listKind: BucketList - plural: buckets - singular: bucket - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.endpoint - name: Endpoint - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Bucket is the Schema for the buckets API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BucketSpec defines the desired state of an S3 compatible - bucket - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. 
Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - bucketName: - description: The bucket name. - type: string - endpoint: - description: The bucket endpoint address. - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS S3 HTTP endpoint. - type: boolean - interval: - description: The interval at which to check for bucket updates. - type: string - provider: - default: generic - description: The S3 compatible storage provider name, default ('generic'). - enum: - - generic - - aws - - gcp - type: string - region: - description: The bucket region. - type: string - secretRef: - description: The name of the secret containing authentication credentials - for the Bucket. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for download operations, defaults to 60s. 
- type: string - required: - - bucketName - - endpoint - - interval - type: object - status: - default: - observedGeneration: -1 - description: BucketStatus defines the observed state of a bucket - properties: - artifact: - description: Artifact represents the output of the last successful - Bucket sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the Bucket. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the artifact output of the - last Bucket sync. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.endpoint - name: Endpoint - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: Bucket is the Schema for the buckets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BucketSpec specifies the required configuration to produce - an Artifact for an object storage bucket. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - bucketName: - description: BucketName is the name of the object storage bucket. - type: string - endpoint: - description: Endpoint is the object storage address the BucketName - is located at. - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS HTTP Endpoint. - type: boolean - interval: - description: Interval at which to check the Endpoint for updates. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - provider: - default: generic - description: Provider of the object storage bucket. Defaults to 'generic', - which expects an S3 (API) compatible object storage. - enum: - - generic - - aws - - gcp - - azure - type: string - region: - description: Region of the Endpoint where the BucketName is located - in. - type: string - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the Bucket. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this Bucket. - type: boolean - timeout: - default: 60s - description: Timeout for fetch operations, defaults to 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - required: - - bucketName - - endpoint - - interval - type: object - status: - default: - observedGeneration: -1 - description: BucketStatus records the observed state of a Bucket. - properties: - artifact: - description: Artifact represents the last successful Bucket reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. 
It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the Bucket. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. 
For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Bucket object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. 
- type: string - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact - data is recommended. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: gitrepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: GitRepository - listKind: GitRepositoryList - plural: gitrepositories - shortNames: - - gitrepo - singular: gitrepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec specifies the required configuration to - produce an Artifact for a Git repository. - properties: - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Include specifies a list of GitRepository resources which - Artifacts should be included in the Artifact produced for this GitRepository. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - interval: - description: Interval at which to check the GitRepository for updates. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - recurseSubmodules: - description: RecurseSubmodules enables the initialization of all submodules - within the GitRepository as cloned from the URL, using their default - settings. - type: boolean - ref: - description: Reference specifies the Git reference to resolve and - monitor for changes, defaults to the 'master' branch. 
- properties: - branch: - description: Branch to check out, defaults to 'master' if no other - field is defined. - type: string - commit: - description: "Commit SHA to check out, takes precedence over all - reference fields. \n This can be combined with Branch to shallow - clone the branch, in which the commit is expected to exist." - type: string - name: - description: "Name of the reference to check out; takes precedence - over Branch, Tag and SemVer. \n It must be a valid Git reference: - https://git-scm.com/docs/git-check-ref-format#_description Examples: - \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", - \"refs/merge-requests/1/head\"" - type: string - semver: - description: SemVer tag expression to check out, takes precedence - over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the GitRepository. For HTTPS repositories the Secret - must contain 'username' and 'password' fields for basic auth or - 'bearerToken' field for token auth. For SSH repositories the Secret - must contain 'identity' and 'known_hosts' fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this GitRepository. - type: boolean - timeout: - default: 60s - description: Timeout for Git operations like cloning, defaults to - 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL specifies the Git repository URL, it can be an HTTP/S - or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verification specifies the configuration to verify the - Git commit signature(s). - properties: - mode: - description: Mode specifies what Git object should be verified, - currently ('head'). 
- enum: - - head - type: string - secretRef: - description: SecretRef specifies the Secret containing the public - keys of trusted Git authors. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - mode - - secretRef - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus records the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the last successful GitRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. 
- items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - includedArtifacts: - description: IncludedArtifacts contains a list of the last successfully - included Artifacts as instructed by GitRepositorySpec.Include. - items: - description: Artifact represents the output of a Source reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of - ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI - annotations. - type: object - path: - description: Path is the relative file path of the Artifact. - It can be used to locate the file in the root of the Artifact - storage on the local file system of the controller managing - the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. 
- type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the GitRepository object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedInclude: - description: ObservedInclude is the observed list of GitRepository - resources used to produce the current Artifact. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - observedRecurseSubmodules: - description: ObservedRecurseSubmodules is the observed resource submodules - configuration used to produce the current Artifact. 
- type: boolean - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: v1beta1 GitRepository is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec defines the desired state of a Git repository. - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. 
- properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - gitImplementation: - default: go-git - description: Determines which git client library to use. Defaults - to go-git, valid values are ('go-git', 'libgit2'). - enum: - - go-git - - libgit2 - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Extra git repositories to map into the repository - items: - description: GitRepositoryInclude defines a source with a from and - to path. - properties: - fromPath: - description: The path to copy contents from, defaults to the - root directory. - type: string - repository: - description: Reference to a GitRepository to include. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: The path to copy contents to, defaults to the name - of the source ref. - type: string - required: - - repository - type: object - type: array - interval: - description: The interval at which to check for repository updates. - type: string - recurseSubmodules: - description: When enabled, after the clone is created, initializes - all submodules within, using their default settings. This option - is available only when using the 'go-git' GitImplementation. - type: boolean - ref: - description: The Git reference to checkout and monitor for changes, - defaults to master branch. 
- properties: - branch: - description: The Git branch to checkout, defaults to master. - type: string - commit: - description: The Git commit SHA to checkout, if specified Tag - filters will be ignored. - type: string - semver: - description: The Git tag semver expression, takes precedence over - Tag. - type: string - tag: - description: The Git tag to checkout, takes precedence over Branch. - type: string - type: object - secretRef: - description: The secret name containing the Git credentials. For HTTPS - repositories the secret must contain username and password fields. - For SSH repositories the secret must contain identity and known_hosts - fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for remote Git operations like cloning, defaults - to 60s. - type: string - url: - description: The repository URL, can be a HTTP/S or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verify OpenPGP signature for the Git commit HEAD points - to. - properties: - mode: - description: Mode describes what git object should be verified, - currently ('head'). - enum: - - head - type: string - secretRef: - description: The secret name containing the public keys of all - trusted Git authors. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - mode - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus defines the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the output of the last successful - repository sync. 
- properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - includedArtifacts: - description: IncludedArtifacts represents the included artifacts from - the last successful repository sync. - items: - description: Artifact represents the output of a source synchronisation. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. 
- type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the artifact output of the - last repository sync. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 GitRepository is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec specifies the required configuration to - produce an Artifact for a Git repository. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - gitImplementation: - default: go-git - description: 'GitImplementation specifies which Git client library - implementation to use. Defaults to ''go-git'', valid values are - (''go-git'', ''libgit2''). Deprecated: gitImplementation is deprecated - now that ''go-git'' is the only supported implementation.' 
- enum: - - go-git - - libgit2 - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Include specifies a list of GitRepository resources which - Artifacts should be included in the Artifact produced for this GitRepository. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - interval: - description: Interval at which to check the GitRepository for updates. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - recurseSubmodules: - description: RecurseSubmodules enables the initialization of all submodules - within the GitRepository as cloned from the URL, using their default - settings. - type: boolean - ref: - description: Reference specifies the Git reference to resolve and - monitor for changes, defaults to the 'master' branch. - properties: - branch: - description: Branch to check out, defaults to 'master' if no other - field is defined. - type: string - commit: - description: "Commit SHA to check out, takes precedence over all - reference fields. 
\n This can be combined with Branch to shallow - clone the branch, in which the commit is expected to exist." - type: string - name: - description: "Name of the reference to check out; takes precedence - over Branch, Tag and SemVer. \n It must be a valid Git reference: - https://git-scm.com/docs/git-check-ref-format#_description Examples: - \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", - \"refs/merge-requests/1/head\"" - type: string - semver: - description: SemVer tag expression to check out, takes precedence - over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the GitRepository. For HTTPS repositories the Secret - must contain 'username' and 'password' fields for basic auth or - 'bearerToken' field for token auth. For SSH repositories the Secret - must contain 'identity' and 'known_hosts' fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this GitRepository. - type: boolean - timeout: - default: 60s - description: Timeout for Git operations like cloning, defaults to - 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL specifies the Git repository URL, it can be an HTTP/S - or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verification specifies the configuration to verify the - Git commit signature(s). - properties: - mode: - description: Mode specifies what Git object should be verified, - currently ('head'). - enum: - - head - type: string - secretRef: - description: SecretRef specifies the Secret containing the public - keys of trusted Git authors. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - required: - - mode - - secretRef - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus records the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the last successful GitRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. 
For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contentConfigChecksum: - description: "ContentConfigChecksum is a checksum of all the configurations - related to the content of the source artifact: - .spec.ignore - - .spec.recurseSubmodules - .spec.included and the checksum of the - included artifacts observed in .status.observedGeneration version - of the object. This can be used to determine if the content of the - included repository has changed. It has the format of `:`, - for example: `sha256:`. \n Deprecated: Replaced with explicit - fields for observed artifact content config in the status." - type: string - includedArtifacts: - description: IncludedArtifacts contains a list of the last successfully - included Artifacts as instructed by GitRepositorySpec.Include. - items: - description: Artifact represents the output of a Source reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of - ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI - annotations. - type: object - path: - description: Path is the relative file path of the Artifact. 
- It can be used to locate the file in the root of the Artifact - storage on the local file system of the controller managing - the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the GitRepository object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedInclude: - description: ObservedInclude is the observed list of GitRepository - resources used to to produce the current Artifact. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - observedRecurseSubmodules: - description: ObservedRecurseSubmodules is the observed resource submodules - configuration used to produce the current Artifact. - type: boolean - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise GitRepositoryStatus.Artifact - data is recommended. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: helmcharts.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: HelmChart - listKind: HelmChartList - plural: helmcharts - shortNames: - - hc - singular: helmchart - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.chart - name: Chart - type: string - - jsonPath: .spec.version - name: Version - type: string - - jsonPath: .spec.sourceRef.kind - name: Source Kind - type: string - - jsonPath: .spec.sourceRef.name - name: Source Name - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: HelmChart is the Schema for the helmcharts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema 
of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmChartSpec defines the desired state of a Helm chart. - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - chart: - description: The name or path the Helm chart is available at in the - SourceRef. - type: string - interval: - description: The interval at which to check the Source for updates. - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new artifact. 
- Valid values are ('ChartVersion', 'Revision'). See the documentation - of the values for an explanation on their behavior. Defaults to - ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The reference to the Source the chart is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent, valid values are ('HelmRepository', - 'GitRepository', 'Bucket'). - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - valuesFile: - description: Alternative values file to use as the default chart values, - expected to be a relative path in the SourceRef. Deprecated in favor - of ValuesFiles, for backwards compatibility the file defined here - is merged before the ValuesFiles items. Ignored when omitted. - type: string - valuesFiles: - description: Alternative list of values files to use as the chart - values (values.yaml is not included by default), expected to be - a relative path in the SourceRef. Values files are merged in the - order of this list with the last file overriding the first. Ignored - when omitted. - items: - type: string - type: array - version: - default: '*' - description: The chart version semver expression, ignored for charts - from GitRepository and Bucket sources. Defaults to latest when omitted. - type: string - required: - - chart - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: HelmChartStatus defines the observed state of the HelmChart. - properties: - artifact: - description: Artifact represents the output of the last successful - chart sync. 
- properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmChart. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. 
- format: int64 - type: integer - url: - description: URL is the download link for the last chart pulled. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.chart - name: Chart - type: string - - jsonPath: .spec.version - name: Version - type: string - - jsonPath: .spec.sourceRef.kind - name: Source Kind - type: string - - jsonPath: .spec.sourceRef.name - name: Source Name - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: HelmChart is the Schema for the helmcharts API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmChartSpec specifies the desired state of a Helm chart. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. 
NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - chart: - description: Chart is the name or path the Helm chart is available - at in the SourceRef. - type: string - interval: - description: Interval is the interval at which to check the Source - for updates. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - reconcileStrategy: - default: ChartVersion - description: ReconcileStrategy determines what enables the creation - of a new artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on their - behavior. Defaults to ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: SourceRef is the reference to the Source the chart is - available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent, valid values are ('HelmRepository', - 'GitRepository', 'Bucket'). - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. 
- type: string - required: - - kind - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this source. - type: boolean - valuesFile: - description: ValuesFile is an alternative values file to use as the - default chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file specified here is merged before the ValuesFiles items. - Ignored when omitted. - type: string - valuesFiles: - description: ValuesFiles is an alternative list of values files to - use as the chart values (values.yaml is not included by default), - expected to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding the - first. Ignored when omitted. - items: - type: string - type: array - verify: - description: Verify contains the secret name containing the trusted - public keys used to verify the signature and specifies which provider - to use to check whether OCI image is authentic. This field is only - supported when using HelmRepository source with spec.type 'oci'. - Chart dependencies, which are not bundled in the umbrella chart - artifact, are not verified. - properties: - provider: - default: cosign - description: Provider specifies the technology used to sign the - OCI Artifact. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret containing - the trusted public keys. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - version: - default: '*' - description: Version is the chart version semver expression, ignored - for charts from GitRepository and Bucket sources. Defaults to latest - when omitted. 
- type: string - required: - - chart - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: HelmChartStatus records the observed state of the HelmChart. - properties: - artifact: - description: Artifact represents the output of the last successful - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmChart. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedChartName: - description: ObservedChartName is the last observed chart name as - specified by the resolved chart reference. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the HelmChart object. - format: int64 - type: integer - observedSourceArtifactRevision: - description: ObservedSourceArtifactRevision is the last observed Artifact.Revision - of the HelmChartSpec.SourceRef. - type: string - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact - data is recommended. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: helmrepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: HelmRepository - listKind: HelmRepositoryList - plural: helmrepositories - shortNames: - - helmrepo - singular: helmrepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: HelmRepository is the Schema for the helmrepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmRepositorySpec defines the reference to a Helm repository. 
- properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - interval: - description: The interval at which to check the upstream for updates. - type: string - passCredentials: - description: PassCredentials allows the credentials from the SecretRef - to be passed on to a host that does not match the host as defined - in URL. This may be required if the host of the advertised chart - URLs in the index differ from the defined URL. Enabling this should - be done with caution, as it can potentially result in credentials - getting stolen in a MITM-attack. - type: boolean - secretRef: - description: The name of the secret containing authentication credentials - for the Helm repository. For HTTP/S basic auth the secret must contain - username and password fields. For TLS the secret must contain a - certFile and keyFile, and/or caFile fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. 
- type: boolean - timeout: - default: 60s - description: The timeout of index downloading, defaults to 60s. - type: string - url: - description: The Helm repository URL, a valid URL contains at least - a protocol and host. - type: string - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: HelmRepositoryStatus defines the observed state of the HelmRepository. - properties: - artifact: - description: Artifact represents the output of the last successful - repository sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the last index fetched. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: HelmRepository is the Schema for the helmrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmRepositorySpec specifies the required configuration to - produce an Artifact for a Helm repository index YAML. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - interval: - description: Interval at which to check the URL for updates. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - passCredentials: - description: PassCredentials allows the credentials from the SecretRef - to be passed on to a host that does not match the host as defined - in URL. This may be required if the host of the advertised chart - URLs in the index differ from the defined URL. Enabling this should - be done with caution, as it can potentially result in credentials - getting stolen in a MITM-attack. 
- type: boolean - provider: - default: generic - description: Provider used for authentication, can be 'aws', 'azure', - 'gcp' or 'generic'. This field is optional, and only taken into - account if the .spec.type field is set to 'oci'. When not specified, - defaults to 'generic'. - enum: - - generic - - aws - - azure - - gcp - type: string - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the HelmRepository. For HTTP/S basic auth the secret - must contain 'username' and 'password' fields. For TLS the secret - must contain a 'certFile' and 'keyFile', and/or 'caFile' fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this HelmRepository. - type: boolean - timeout: - default: 60s - description: Timeout is used for the index fetch operation for an - HTTPS helm repository, and for remote OCI Repository operations - like pulling for an OCI helm repository. Its default value is 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type of the HelmRepository. When this field is set to "oci", - the URL field value must be prefixed with "oci://". - enum: - - default - - oci - type: string - url: - description: URL of the Helm repository, a valid URL contains at least - a protocol and host. - type: string - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: HelmRepositoryStatus records the observed state of the HelmRepository. - properties: - artifact: - description: Artifact represents the last successful HelmRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. 
- pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the HelmRepository object. - format: int64 - type: integer - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise HelmRepositoryStatus.Artifact - data is recommended. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: ocirepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: OCIRepository - listKind: OCIRepositoryList - plural: ocirepositories - shortNames: - - ocirepo - singular: ocirepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta2 - schema: - openAPIV3Schema: - description: OCIRepository is the Schema for the ocirepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: OCIRepositorySpec defines the desired state of OCIRepository - properties: - certSecretRef: - description: "CertSecretRef can be given the name of a secret containing - either or both of \n - a PEM-encoded client certificate (`certFile`) - and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS HTTP container - registry. - type: boolean - interval: - description: The interval at which to check for image updates. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - layerSelector: - description: LayerSelector specifies which layer should be extracted - from the OCI artifact. When not specified, the first layer found - in the artifact is selected. - properties: - mediaType: - description: MediaType specifies the OCI media type of the layer - which should be extracted from the OCI Artifact. The first layer - matching this type is selected. - type: string - operation: - description: Operation specifies how the selected layer should - be processed. By default, the layer compressed content is extracted - to storage. 
When the operation is set to 'copy', the layer compressed - content is persisted to storage as it is. - enum: - - extract - - copy - type: string - type: object - provider: - default: generic - description: The provider used for authentication, can be 'aws', 'azure', - 'gcp' or 'generic'. When not specified, defaults to 'generic'. - enum: - - generic - - aws - - azure - - gcp - type: string - ref: - description: The OCI reference to pull and monitor for changes, defaults - to the latest tag. - properties: - digest: - description: Digest is the image digest to pull, takes precedence - over SemVer. The value should be in the format 'sha256:'. - type: string - semver: - description: SemVer is the range of tags to pull selecting the - latest within the range, takes precedence over Tag. - type: string - tag: - description: Tag is the image tag to pull, defaults to latest. - type: string - type: object - secretRef: - description: SecretRef contains the secret name containing the registry - login credentials to resolve image metadata. The secret must be - of type kubernetes.io/dockerconfigjson. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - serviceAccountName: - description: 'ServiceAccountName is the name of the Kubernetes ServiceAccount - used to authenticate the image pull if the service account has attached - pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account' - type: string - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for remote OCI Repository operations like - pulling, defaults to 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL is a reference to an OCI artifact repository hosted - on a remote container registry. 
- pattern: ^oci://.*$ - type: string - verify: - description: Verify contains the secret name containing the trusted - public keys used to verify the signature and specifies which provider - to use to check whether OCI image is authentic. - properties: - provider: - default: cosign - description: Provider specifies the technology used to sign the - OCI Artifact. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret containing - the trusted public keys. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: OCIRepositoryStatus defines the observed state of OCIRepository - properties: - artifact: - description: Artifact represents the output of the last successful - OCI Repository sync. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. 
- format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the OCIRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contentConfigChecksum: - description: "ContentConfigChecksum is a checksum of all the configurations - related to the content of the source artifact: - .spec.ignore - - .spec.layerSelector observed in .status.observedGeneration version - of the object. This can be used to determine if the content configuration - has changed and the artifact needs to be rebuilt. It has the format - of `:`, for example: `sha256:`. \n Deprecated: - Replaced with explicit fields for observed artifact content config - in the status." - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. 
- type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedLayerSelector: - description: ObservedLayerSelector is the observed layer selector - used for constructing the source artifact. - properties: - mediaType: - description: MediaType specifies the OCI media type of the layer - which should be extracted from the OCI Artifact. The first layer - matching this type is selected. - type: string - operation: - description: Operation specifies how the selected layer should - be processed. By default, the layer compressed content is extracted - to storage. When the operation is set to 'copy', the layer compressed - content is persisted to storage as it is. - enum: - - extract - - copy - type: string - type: object - url: - description: URL is the download link for the artifact output of the - last OCI Repository sync. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: source-controller - namespace: flux-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - control-plane: controller - name: source-controller - namespace: flux-system -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - selector: - app: source-controller - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - control-plane: controller - name: source-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: source-controller - strategy: - type: Recreate - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: source-controller - spec: - containers: - - args: - - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ - - --watch-all-namespaces=true - - --log-level=info - - --log-encoding=json - - --enable-leader-election - - --storage-path=/data - - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local. 
- env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: TUF_ROOT - value: /tmp/.sigstore - image: ghcr.io/fluxcd/source-controller:v1.0.0-rc.5 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 9090 - name: http - protocol: TCP - - containerPort: 8080 - name: http-prom - protocol: TCP - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: / - port: http - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 50m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - securityContext: - fsGroup: 1337 - serviceAccountName: source-controller - terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: kustomize-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: kustomizations.kustomize.toolkit.fluxcd.io -spec: - group: kustomize.toolkit.fluxcd.io - names: - kind: Kustomization - listKind: KustomizationList - plural: kustomizations - shortNames: - - ks - singular: kustomization - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: 
string - name: v1 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the configuration to calculate - the desired state from a Source using Kustomize. - properties: - commonMetadata: - description: CommonMetadata specifies the common labels and annotations - that are applied to all resources. Any existing label or annotation - will be overridden if its key matches a common one. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to the object's metadata. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to the object's metadata. - type: object - type: object - components: - description: Components specifies relative paths to specifications - of other Components. - items: - type: string - type: array - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. 
- properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. 
- properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. 
- items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names, and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - default: false - description: Optional indicates whether the referenced resource - must exist, or whether to tolerate its absence. 
If true - and the referenced resource is absent, proceed as if the - resource was present but empty, without any variables - defined. - type: boolean - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - OCIRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - wait: - description: Wait instructs the controller to check the health of - all the reconciled resources. When enabled, the HealthChecks are - ignored. Defaults to false. 
- type: boolean - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - inventory: - description: Inventory contains the list of Kubernetes resource object - references that have been successfully applied. - properties: - entries: - description: Entries of Kubernetes resource object references. - items: - description: ResourceRef contains the information necessary - to locate a resource within a cluster. - properties: - id: - description: ID is the string representation of the Kubernetes - resource object's metadata, in the format '___'. - type: string - v: - description: Version is the API version of the Kubernetes - resource object's kind. - type: string - required: - - id - - v - type: object - type: array - required: - - entries - type: object - lastAppliedRevision: - description: The last successfully applied revision. Equals the Revision - of the applied Artifact from the referenced Source. 
- type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: v1beta1 Kustomization is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the desired state of a kustomization. - properties: - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. 
- properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. 
This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. - properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When specified, KubeConfig takes precedence over - ServiceAccountName. - properties: - secretRef: - description: SecretRef holds the name to a secret that contains - a 'value' key with the kubeconfig file as the value. It must - be in the same namespace as the Kustomization. It is recommended - that the kubeconfig is self-contained, and the secret is regularly - updated if credentials such as a cloud-access-token expire. - Cloud specific `cmd-path` auth helpers will not function without - adding binaries and credentials to the Pod that is responsible - for reconciling the Kustomization. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. 
- properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: JSON 6902 patches, defined as inline YAML objects. 
- items: - description: JSON6902Patch contains a JSON6902 patch and the target - the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value that references - a location within the target document where the operation - is performed. The meaning of the value depends on the - value of Op, and is NOT taken into account by all operations. - type: string - op: - description: Op indicates the operation to perform. Its - value MUST be one of "add", "remove", "replace", "move", - "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer value that - references a location within the target document where - the operation is performed. The meaning of the value - depends on the value of Op. - type: string - value: - description: Value contains a valid JSON structure. The - meaning of the value depends on the value of Op, and - is NOT taken into account by all operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. 
- https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: Strategic merge patches, defined as inline YAML objects. - items: - x-kubernetes-preserve-unknown-fields: true - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. 
The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. 
- properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - GitRepository - - Bucket - type: string - name: - description: Name of the referent - type: string - namespace: - description: Namespace of the referent, defaults to the Kustomization - namespace - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - type: string - validation: - description: Validate the Kubernetes objects before applying them - on the cluster. The validation strategy can be 'client' (local dry-run), - 'server' (APIServer dry-run) or 'none'. When 'Force' is 'true', - validation will fallback to 'client' if set to 'server' because - server-side validation is not supported in this scenario. - enum: - - none - - client - - server - type: string - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastAppliedRevision: - description: The last successfully applied revision. The revision - format for Git sources is /. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - snapshot: - description: The last successfully applied revision metadata. - properties: - checksum: - description: The manifests sha1 checksum. - type: string - entries: - description: A list of Kubernetes kinds grouped by namespace. - items: - description: Snapshot holds the metadata of namespaced Kubernetes - objects - properties: - kinds: - additionalProperties: - type: string - description: The list of Kubernetes kinds. - type: object - namespace: - description: The namespace of this entry. 
- type: string - required: - - kinds - type: object - type: array - required: - - checksum - - entries - type: object - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Kustomization is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the configuration to calculate - the desired state from a Source using Kustomize. - properties: - commonMetadata: - description: CommonMetadata specifies the common labels and annotations - that are applied to all resources. Any existing label or annotation - will be overridden if its key matches a common one. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to the object's metadata. 
- type: object - labels: - additionalProperties: - type: string - description: Labels to be added to the object's metadata. - type: object - type: object - components: - description: Components specifies relative paths to specifications - of other Components. - items: - type: string - type: array - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. 
- type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. - properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. 
Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: 'JSON 6902 patches, defined as inline YAML objects. Deprecated: - Use Patches instead.' - items: - description: JSON6902Patch contains a JSON6902 patch and the target - the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value that references - a location within the target document where the operation - is performed. The meaning of the value depends on the - value of Op, and is NOT taken into account by all operations. - type: string - op: - description: Op indicates the operation to perform. Its - value MUST be one of "add", "remove", "replace", "move", - "copy", or "test". 
https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer value that - references a location within the target document where - the operation is performed. The meaning of the value - depends on the value of Op. - type: string - value: - description: Value contains a valid JSON structure. The - meaning of the value depends on the value of Op, and - is NOT taken into account by all operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. 
- type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: 'Strategic merge patches, defined as inline YAML objects. - Deprecated: Use Patches instead.' - items: - x-kubernetes-preserve-unknown-fields: true - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). 
- enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - default: false - description: Optional indicates whether the referenced resource - must exist, or whether to tolerate its absence. If true - and the referenced resource is absent, proceed as if the - resource was present but empty, without any variables - defined. - type: boolean - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - OCIRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. 
- maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - validation: - description: 'Deprecated: Not used in v1beta2.' - enum: - - none - - client - - server - type: string - wait: - description: Wait instructs the controller to check the health of - all the reconciled resources. When enabled, the HealthChecks are - ignored. Defaults to false. - type: boolean - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - inventory: - description: Inventory contains the list of Kubernetes resource object - references that have been successfully applied. - properties: - entries: - description: Entries of Kubernetes resource object references. - items: - description: ResourceRef contains the information necessary - to locate a resource within a cluster. 
- properties: - id: - description: ID is the string representation of the Kubernetes - resource object's metadata, in the format '___'. - type: string - v: - description: Version is the API version of the Kubernetes - resource object's kind. - type: string - required: - - id - - v - type: object - type: array - required: - - entries - type: object - lastAppliedRevision: - description: The last successfully applied revision. Equals the Revision - of the applied Artifact from the referenced Source. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: kustomize-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: kustomize-controller - namespace: flux-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: kustomize-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - control-plane: controller - name: kustomize-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: kustomize-controller - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: kustomize-controller - spec: - containers: - - args: - - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ - - 
--watch-all-namespaces=true - - --log-level=info - - --log-encoding=json - - --enable-leader-election - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/fluxcd/kustomize-controller:v1.0.0-rc.4 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - protocol: TCP - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /tmp - name: temp - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - securityContext: - fsGroup: 1337 - serviceAccountName: kustomize-controller - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: temp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: helmreleases.helm.toolkit.fluxcd.io -spec: - group: helm.toolkit.fluxcd.io - names: - kind: HelmRelease - listKind: HelmReleaseList - plural: helmreleases - shortNames: - - hr - singular: helmrelease - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v2beta1 - schema: - openAPIV3Schema: - 
description: HelmRelease is the Schema for the helmreleases API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmReleaseSpec defines the desired state of a Helm release. - properties: - chart: - description: Chart defines the template of the v1beta2.HelmChart that - should be created for this HelmRelease. - properties: - metadata: - description: ObjectMeta holds the template for metadata like labels - and annotations. - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map - stored with a resource that may be set by external tools - to store and retrieve arbitrary metadata. They are not queryable - and should be preserved when modifying objects. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/' - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used - to organize and categorize (scope and select) objects. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/' - type: object - type: object - spec: - description: Spec holds the template for the v1beta2.HelmChartSpec - for this HelmRelease. 
- properties: - chart: - description: The name or path the Helm chart is available - at in the SourceRef. - type: string - interval: - description: Interval at which to check the v1beta2.Source - for updates. Defaults to 'HelmReleaseSpec.Interval'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new - artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on - their behavior. Defaults to ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The name and namespace of the v1beta2.Source - the chart is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: Namespace of the referent. - maxLength: 63 - minLength: 1 - type: string - required: - - name - type: object - valuesFile: - description: Alternative values file to use as the default - chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file defined here is merged before the ValuesFiles items. - Ignored when omitted. - type: string - valuesFiles: - description: Alternative list of values files to use as the - chart values (values.yaml is not included by default), expected - to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding - the first. Ignored when omitted. 
- items: - type: string - type: array - verify: - description: Verify contains the secret name containing the - trusted public keys used to verify the signature and specifies - which provider to use to check whether OCI image is authentic. - This field is only supported for OCI sources. Chart dependencies, - which are not bundled in the umbrella chart artifact, are - not verified. - properties: - provider: - default: cosign - description: Provider specifies the technology used to - sign the OCI Helm chart. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret - containing the trusted public keys. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - version: - default: '*' - description: Version semver expression, ignored for charts - from v1beta2.GitRepository and v1beta2.Bucket sources. Defaults - to latest when omitted. - type: string - required: - - chart - - sourceRef - type: object - required: - - spec - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to HelmRelease resources that must be ready - before this HelmRelease can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - install: - description: Install holds the configuration for Helm install actions - for this HelmRelease. - properties: - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. 
Default is `Create` - and if omitted CRDs are installed but not updated. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are applied (installed) during Helm install action. With this - option users can opt-in to CRD replace existing CRDs on Helm - install actions, which is not (yet) natively supported by Helm. - https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - createNamespace: - description: CreateNamespace tells the Helm install action to - create the HelmReleaseSpec.TargetNamespace if it does not exist - yet. On uninstall, the namespace will not be garbage collected. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm install action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm install - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm install has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm install has been performed. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm install action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an install - action but fail. Defaults to 'Test.IgnoreFailures'. 
- type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false'. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - an uninstall, is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - type: object - replace: - description: Replace tells the Helm install action to re-use the - 'ReleaseName', but only if that name is a deleted release which - remains in the history. - type: boolean - skipCRDs: - description: "SkipCRDs tells the Helm install action to not install - any CRDs. By default, CRDs are installed if not already present. - \n Deprecated use CRD policy (`crds`) attribute with value `Skip` - instead." - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm install action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - interval: - description: Interval at which to reconcile the Helm release. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: KubeConfig for reconciling the HelmRelease on a remote - cluster. When used in combination with HelmReleaseSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. 
It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - maxHistory: - description: MaxHistory is the number of revisions saved by Helm for - this HelmRelease. Use '0' for an unlimited number of revisions; - defaults to '10'. - type: integer - persistentClient: - description: "PersistentClient tells the controller to use a persistent - Kubernetes client for this release. When enabled, the client will - be reused for the duration of the reconciliation, instead of being - created and destroyed for each (step of a) Helm action. \n This - can improve performance, but may cause issues with some Helm charts - that for example do create Custom Resource Definitions during installation - outside Helm's CRD lifecycle hooks, which are then not observed - to be available by e.g. post-install hooks. \n If not set, it defaults - to true." - type: boolean - postRenderers: - description: PostRenderers holds an array of Helm PostRenderers, which - will be applied in order of their definition. - items: - description: PostRenderer contains a Helm PostRenderer specification. - properties: - kustomize: - description: Kustomization to apply as PostRenderer. - properties: - images: - description: Images is a list of (image name, new name, - new tag or digest) for changing image names, tags or digests. - This can also be achieved with a patch, but this operator - is simpler to specify. 
- items: - description: Image contains an image name, a new name, - a new tag or digest, which will replace the original - name and tag. - properties: - digest: - description: Digest is the value used to replace the - original image tag. If digest is present NewTag - value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace - the original name. - type: string - newTag: - description: NewTag is the value used to replace the - original tag. - type: string - required: - - name - type: object - type: array - patches: - description: Strategic merge and JSON patches, defined as - inline YAML objects, capable of targeting objects based - on kind, label and annotation selectors. - items: - description: Patch contains an inline StrategicMerge or - JSON6902 patch, and the target the patch should be applied - to. - properties: - patch: - description: Patch contains an inline StrategicMerge - patch or an inline JSON6902 patch with an array - of operation objects. - type: string - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: JSON 6902 patches, defined as inline YAML objects. - items: - description: JSON6902Patch contains a JSON6902 patch and - the target the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document - with an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. - https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value - that references a location within the target - document where the operation is performed. - The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - type: string - op: - description: Op indicates the operation to perform. - Its value MUST be one of "add", "remove", - "replace", "move", "copy", or "test". 
https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer - value that references a location within the - target document where the operation is performed. - The meaning of the value depends on the value - of Op. - type: string - value: - description: Value contains a valid JSON structure. - The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. 
- type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: Strategic merge patches, defined as inline - YAML objects. - items: - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - type: object - type: array - releaseName: - description: ReleaseName used for the Helm release. Defaults to a - composition of '[TargetNamespace-]Name'. - maxLength: 53 - minLength: 1 - type: string - rollback: - description: Rollback holds the configuration for Helm rollback actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm rollback action when it fails. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm rollback has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm rollback has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - recreate: - description: Recreate performs pod restarts for the resource if - applicable. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this HelmRelease. - type: string - storageNamespace: - description: StorageNamespace used for the Helm storage. Defaults - to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - suspend: - description: Suspend tells the controller to suspend reconciliation - for this HelmRelease, it does not apply to already started reconciliations. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace to target when performing operations - for the HelmRelease. Defaults to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - test: - description: Test holds the configuration for Helm test actions for - this HelmRelease. - properties: - enable: - description: Enable enables Helm test actions for this HelmRelease - after an Helm install or upgrade action has been performed. - type: boolean - ignoreFailures: - description: IgnoreFailures tells the controller to skip remediation - when the Helm tests are run but fail. Can be overwritten for - tests run after install or upgrade actions in 'Install.IgnoreTestFailures' - and 'Upgrade.IgnoreTestFailures'. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation during the performance of a Helm test action. Defaults - to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a Helm - action. Defaults to '5m0s'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - uninstall: - description: Uninstall holds the configuration for Helm uninstall - actions for this HelmRelease. 
- properties: - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables waiting for all the resources - to be deleted after a Helm uninstall is performed. - type: boolean - keepHistory: - description: KeepHistory tells Helm to remove all associated resources - and mark the release as deleted, but retain the release history. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - upgrade: - description: Upgrade holds the configuration for Helm upgrade actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm upgrade action when it fails. - type: boolean - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Skip` and - if omitted CRDs are neither installed nor upgraded. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are not applied during Helm upgrade action. With this option - users can opt-in to CRD upgrade, which is not (yet) natively - supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm upgrade action. 
- type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm upgrade - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm upgrade has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm upgrade has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - preserveValues: - description: PreserveValues will make Helm reuse the last release's - values and merge in overrides from 'Values'. Setting this flag - makes the HelmRelease non-declarative. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm upgrade action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an upgrade - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false' unless 'Retries' is greater than 0. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - 'Strategy', is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - strategy: - description: Strategy to use for failure remediation. Defaults - to 'rollback'. 
- enum: - - rollback - - uninstall - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - values: - description: Values holds the values for this Helm release. - x-kubernetes-preserve-unknown-fields: true - valuesFrom: - description: ValuesFrom holds references to resources containing Helm - values for this HelmRelease, and information about how they should - be merged. - items: - description: ValuesReference contains a reference to a resource - containing Helm values, and optionally the key they can be found - at. - properties: - kind: - description: Kind of the values referent, valid values are ('Secret', - 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside in the - same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - description: Optional marks this ValuesReference as optional. - When set, a not found error for the values reference is ignored, - but any ValuesKey, TargetPath or transient error will still - result in a reconciliation failure. - type: boolean - targetPath: - description: TargetPath is the YAML dot notation path the value - should be merged at. When set, the ValuesKey is expected to - be a single flat value. Defaults to 'None', which results - in the values getting merged at the root. - maxLength: 250 - pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ - type: string - valuesKey: - description: ValuesKey is the data key where the values.yaml - or a specific value can be found at. Defaults to 'values.yaml'. - When set, must be a valid Data Key, consisting of alphanumeric - characters, '-', '_' or '.'. 
- maxLength: 253 - pattern: ^[\-._a-zA-Z0-9]+$ - type: string - required: - - kind - - name - type: object - type: array - required: - - chart - - interval - type: object - status: - default: - observedGeneration: -1 - description: HelmReleaseStatus defines the observed state of a HelmRelease. - properties: - conditions: - description: Conditions holds the conditions for the HelmRelease. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - failures: - description: Failures is the reconciliation failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - helmChart: - description: HelmChart is the namespaced name of the HelmChart resource - created by the controller for the HelmRelease. - type: string - installFailures: - description: InstallFailures is the install failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - lastAppliedRevision: - description: LastAppliedRevision is the revision of the last successfully - applied source. 
- type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastAttemptedValuesChecksum: - description: LastAttemptedValuesChecksum is the SHA1 checksum of the - values of the last reconciliation attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - lastReleaseRevision: - description: LastReleaseRevision is the revision of the last successful - Helm release. - type: integer - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - upgradeFailures: - description: UpgradeFailures is the upgrade failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: helm-controller - namespace: flux-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - control-plane: controller - name: helm-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: helm-controller - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: helm-controller - spec: - containers: - - args: - - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ - - --watch-all-namespaces=true - - --log-level=info - - 
--log-encoding=json - - --enable-leader-election - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/fluxcd/helm-controller:v0.34.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - protocol: TCP - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /tmp - name: temp - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - securityContext: - fsGroup: 1337 - serviceAccountName: helm-controller - terminationGracePeriodSeconds: 600 - volumes: - - emptyDir: {} - name: temp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: alerts.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Alert - listKind: AlertList - plural: alerts - singular: alert - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 
'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects - properties: - eventSeverity: - default: info - description: Filter events based on severity, defaults to ('info'). - If set to 'info' no events will be filtered. - enum: - - info - - error - type: string - eventSources: - description: Filter events based on the involved objects. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. 
- type: object - name: - description: Name of the referent - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - name - type: object - type: array - exclusionList: - description: A list of Golang regular expressions to be used for excluding - messages. - items: - type: string - type: array - providerRef: - description: Send events using this provider. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - summary: - description: Short description of the impact and affected cluster. - type: string - suspend: - description: This flag tells the controller to suspend subsequent - events dispatching. Defaults to false. - type: boolean - required: - - eventSources - - providerRef - type: object - status: - default: - observedGeneration: -1 - description: AlertStatus defines the observed state of Alert - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects. - properties: - eventMetadata: - additionalProperties: - type: string - description: EventMetadata is an optional field for adding metadata - to events dispatched by the controller. This can be used for enhancing - the context of the event. If a field would override one already - present on the original event as generated by the emitter, then - the override doesn't happen, i.e. the original value is preserved, - and an error log is printed. - type: object - eventSeverity: - default: info - description: EventSeverity specifies how to filter events based on - severity. If set to 'info' no events will be filtered. 
- enum: - - info - - error - type: string - eventSources: - description: EventSources specifies how to filter events based on - the involved object kind, name and namespace. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - exclusionList: - description: ExclusionList specifies a list of Golang regular expressions - to be used for excluding messages. - items: - type: string - type: array - inclusionList: - description: InclusionList specifies a list of Golang regular expressions - to be used for including messages. - items: - type: string - type: array - providerRef: - description: ProviderRef specifies which Provider this Alert should - use. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - summary: - description: Summary holds a short description of the impact and affected - cluster. 
- maxLength: 255 - type: string - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Alert. - type: boolean - required: - - eventSources - - providerRef - type: object - status: - default: - observedGeneration: -1 - description: AlertStatus defines the observed state of the Alert. - properties: - conditions: - description: Conditions holds the conditions for the Alert. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: providers.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Provider - listKind: ProviderList - plural: providers - singular: provider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of Provider - properties: - address: - description: HTTP/S webhook address of this provider - pattern: ^(http|https):// - type: string - certSecretRef: - description: CertSecretRef can be given the name of a secret containing - a PEM-encoded CA certificate (`caFile`) - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - channel: - description: Alert channel for this provider - type: string - proxy: - description: HTTP/S address of the proxy - pattern: ^(http|https):// - type: string - secretRef: - description: Secret reference containing the provider webhook URL - using "address" as data key - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - events handling. Defaults to false. - type: boolean - timeout: - description: Timeout for sending alerts to the provider. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type of provider - enum: - - slack - - discord - - msteams - - rocket - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - azuredevops - - googlechat - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - - grafana - - githubdispatch - type: string - username: - description: Bot username for this provider - type: string - required: - - type - type: object - status: - default: - observedGeneration: -1 - description: ProviderStatus defines the observed state of Provider - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. 
--- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of the Provider. - properties: - address: - description: Address specifies the HTTP/S incoming webhook address - of this Provider. - maxLength: 2048 - pattern: ^(http|https)://.*$ - type: string - certSecretRef: - description: CertSecretRef specifies the Secret containing a PEM-encoded - CA certificate (`caFile`). - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - channel: - description: Channel specifies the destination channel where events - should be posted. - maxLength: 2048 - type: string - interval: - description: Interval at which to reconcile the Provider with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - proxy: - description: Proxy the HTTP/S address of the proxy server. - maxLength: 2048 - pattern: ^(http|https)://.*$ - type: string - secretRef: - description: SecretRef specifies the Secret containing the authentication - credentials for this Provider. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Provider. - type: boolean - timeout: - description: Timeout for sending alerts to the Provider. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type specifies which Provider implementation to use. 
- enum: - - slack - - discord - - msteams - - rocket - - generic - - generic-hmac - - github - - gitlab - - gitea - - bitbucket - - azuredevops - - googlechat - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - - grafana - - githubdispatch - type: string - username: - description: Username specifies the name under which events are posted. - maxLength: 2048 - type: string - required: - - type - type: object - status: - default: - observedGeneration: -1 - description: ProviderStatus defines the observed state of the Provider. - properties: - conditions: - description: Conditions holds the conditions for the Provider. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. 
For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: receivers.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Receiver - listKind: ReceiverList - plural: receivers - singular: receiver - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of the Receiver. - properties: - events: - description: Events specifies the list of event types to handle, e.g. - 'push' for GitHub or 'Push Hook' for GitLab. 
- items: - type: string - type: array - interval: - default: 10m - description: Interval at which to reconcile the Receiver with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - resources: - description: A list of resources to be notified about changes. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - secretRef: - description: SecretRef specifies the Secret containing the token used - to validate the payload authenticity. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this receiver. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. 
- enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - secretRef - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of the Receiver. - properties: - conditions: - description: Conditions holds the conditions for the Receiver. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Receiver object. - format: int64 - type: integer - webhookPath: - description: WebhookPath is the generated incoming webhook address - in the format of '/hook/sha256sum(token+name+namespace)'. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta1 Receiver is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of Receiver - properties: - events: - description: A list of events to handle, e.g. 'push' for GitHub or - 'Push Hook' for GitLab. - items: - type: string - type: array - resources: - description: A list of resources to be notified about changes. 
- items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - name: - description: Name of the referent - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - name - type: object - type: array - secretRef: - description: Secret reference containing the token used to validate - the payload authenticity - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - events handling. Defaults to false. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. - enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of Receiver - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. 
--- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: Generated webhook URL in the format of '/hook/sha256sum(token+name+namespace)'. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Receiver is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of the Receiver. - properties: - events: - description: Events specifies the list of event types to handle, e.g. - 'push' for GitHub or 'Push Hook' for GitLab. - items: - type: string - type: array - interval: - description: Interval at which to reconcile the Receiver with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - resources: - description: A list of resources to be notified about changes. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. 
- maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - secretRef: - description: SecretRef specifies the Secret containing the token used - to validate the payload authenticity. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this receiver. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. - enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of the Receiver. - properties: - conditions: - description: Conditions holds the conditions for the Receiver. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Receiver object. - format: int64 - type: integer - url: - description: 'URL is the generated incoming webhook address in the - format of ''/hook/sha256sum(token+name+namespace)''. Deprecated: - Replaced by WebhookPath.' - type: string - webhookPath: - description: WebhookPath is the generated incoming webhook address - in the format of '/hook/sha256sum(token+name+namespace)'. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - name: notification-controller - namespace: flux-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - control-plane: controller - name: notification-controller - namespace: flux-system -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - selector: - app: notification-controller - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: 
flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - control-plane: controller - name: webhook-receiver - namespace: flux-system -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http-webhook - selector: - app: notification-controller - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v2.0.0-rc.5 - control-plane: controller - name: notification-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: notification-controller - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: notification-controller - spec: - containers: - - args: - - --watch-all-namespaces=true - - --log-level=info - - --log-encoding=json - - --enable-leader-election - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/fluxcd/notification-controller:v1.0.0-rc.4 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 9090 - name: http - protocol: TCP - - containerPort: 9292 - name: http-webhook - protocol: TCP - - containerPort: 8080 - name: http-prom - protocol: TCP - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /tmp - name: temp - nodeSelector: - kubernetes.io/os: linux - securityContext: - fsGroup: 1337 - serviceAccountName: notification-controller - 
terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: temp diff --git a/infrastructure/cluster/flux-v2/flux-system/gotk-sync.yaml b/infrastructure/cluster/flux-v2/flux-system/gotk-sync.yaml deleted file mode 100644 index e8fd4c60..00000000 --- a/infrastructure/cluster/flux-v2/flux-system/gotk-sync.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# This manifest was generated by flux. DO NOT EDIT. ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: flux-system - namespace: flux-system -spec: - interval: 1m0s - ref: - branch: main - secretRef: - name: flux-system - url: ssh://git@github.com/vre-hub/vre ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: flux-system - namespace: flux-system -spec: - interval: 10m0s - path: ./infrastructure/cluster/flux-v2 - prune: true - sourceRef: - kind: GitRepository - name: flux-system diff --git a/infrastructure/cluster/flux-v2/flux-system/kustomization.yaml b/infrastructure/cluster/flux-v2/flux-system/kustomization.yaml deleted file mode 100644 index 3842229e..00000000 --- a/infrastructure/cluster/flux-v2/flux-system/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- gotk-components.yaml -- gotk-sync.yaml diff --git a/infrastructure/cluster/tf/.terraform.lock.hcl b/infrastructure/cluster/tf/.terraform.lock.hcl deleted file mode 100644 index dfd95336..00000000 --- a/infrastructure/cluster/tf/.terraform.lock.hcl +++ /dev/null 
@@ -1,64 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/helm" { - version = "2.8.0" - constraints = "2.8.0" - hashes = [ - "h1:abRryu69lsIGXctqjMVoaKqi74eE12Vzd2FLpds1/PI=", - "zh:1e42d1a04c07d4006844e477ca32b5f45b04f6525dbbbe00b6be6e6ec5a11c54", - "zh:2f87187cb48ccfb18d12e2c4332e7e822923b659e7339b954b7db78aff91529f", - "zh:391fe49b4d2dc07bc717248a3fc6952189cfc49c596c514ad72a29c9a9f9d575", - "zh:89272048e1e63f3edc3e83dfddd5a9fd4bd2a4ead104e67de1e14319294dedf1", - "zh:a5a057c3435a854389ce8a1d98a54aaa7cbab68aca7baa436a605897aa70ff7e", - "zh:b1098e53e1a8a3afcd325ecd0328662156b3d9c3d80948f19ba3a4eb870cee2b", - "zh:b676f949e8274a2b6c3fa41f5428ea597125579c7b93bb50bb73a5e295a7a447", - "zh:cdf7e9460f28c2dbfe49a79a5022bd0d474ff18120d340738aa35456ba77ebca", - "zh:e24b59b4ed1c593facbf8051ec58550917991e2e017f3085dac5fb902d9908cb", - "zh:e3b5e1f5543cac9d9031a028f1c1be4858fb80fae69f181f21e9465e366ebfa2", - "zh:e9fddc0bcdb28503078456f0088851d45451600d229975fd9990ee92c7489a10", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.16.0" - constraints = "2.16.0" - hashes = [ - "h1:GcpVjl1LbyGDGGaR0KDJrdVaTKW2ge9g51Ej4yrai6Q=", - "zh:172830e270e49b3d6c975383f6c2f1683524ab667e48a481285d535392f29cf4", - "zh:1b2919c66f6bf49a24adb3f0663e198383562829bc1c06c680cf0a2019571d4f", - "zh:2c0b1c6032358c11539d1f99ddd803dc37b06127e8d220e9b9a81a233a290a58", - "zh:2c6b49d0014a4398e35d05ce2303d10482c91b49320555e2389a8b85f28117ea", - "zh:497e76411feb3f79b8eaa3bb29a387c6d89b888f7d9d028142dc5590ff149e45", - "zh:771428ba9ed855743fd7e6b7ee7d3d837e401c787da618a8cff5f6e7375a6245", - "zh:cb15f6d7eaa6aa385215f6d77dcfd5615e40d170800ce9fbee3d73b5c6ad379f", - "zh:e8de8530e27903d4581b4494a267ab84ab3faeaaa598986fea74a99cfa3b37dc", - "zh:efd5d1b02d3b68d0b8913372421d292766ba572e54b60b16bc38b439b9865095", 
- "zh:f4568bda22c959dc510f9fb8c1ac141ded7c99df4ba430efcd470b13776ce9cb", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fa08fa52d3b4f93d24373a34360855787971532a1f5fe085a4549b04ebf329cc", - ] -} - -provider "registry.terraform.io/terraform-provider-openstack/openstack" { - version = "1.49.0" - constraints = "1.49.0" - hashes = [ - "h1:6I8IFY2JDKc6ntkF3C5w1rgIATpbdmvgWrnV7kcRq5o=", - "zh:18b0a5d528fe3eb30060cf478db5a5efaed9d9837f4afb35ba58f0196ba6a51c", - "zh:3cd7f28730ed216740a7bc62169a0d630f95ecdaee1162952aab67011fcf8831", - "zh:60a827813523fd77e75d0145cd066cb4c2a89453083a5bd9e0712a8423bdc14a", - "zh:70a4e4af076ce946943d36cb81c47569d8b30722f2b89768006565a4f512fdbb", - "zh:83563688ec5a5435649191f3e80fc96b93571b7333eee12e2d448149f21ba7c5", - "zh:9067cba5ef3f89e81f01b7e68989ffce2460c239a697ece2cd08c77c73afaf87", - "zh:92589eec7fd057ad5bb00a5c5968eb93d2a4b07380c5be794410349f0188787f", - "zh:951db60626bedcd4538b88d284f9b70ef41166dfbdc568ae781518e24be0b077", - "zh:9d7340122ae1a7ea5b0e5c469e89ffc43c24f4391fc870b27efe4dba461f8b84", - "zh:9f31056e278e8bd0a4b0fbfe5b02a625ee9d072177c36148cde3295adbd4a9d1", - "zh:bf7a0beb72d9214fe2a61db76401057462f1133a48f8ce0a666756660d27b2b5", - "zh:e44dcadcc0680e7b7af94a8a4dd1e421835497178976604455182dd98d6ffe96", - "zh:f5d03f5ada85d41cb94bd7a2b956ca2eb9d7d6cb6d5382bf78a5e641be3eadb0", - "zh:fa7134711a60f8518b82c0246f5a72efd24d23e074f3aec4eda90c013c0d23b5", - ] -} diff --git a/infrastructure/cluster/tf/README.md b/infrastructure/cluster/tf/README.md deleted file mode 100644 index 7c6a0d58..00000000 --- a/infrastructure/cluster/tf/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# Terraform Infrastructure - -The OpenStack infrastructure is managed by Terraform. The Terraform configuration is split into multiple files and explained in the below graph. - -![](graph.png) - -`terraform graph -type=plan | dot -Tpng > graph.png` was used to generate the graph. 
diff --git a/infrastructure/cluster/tf/eos/eosfuse.yaml b/infrastructure/cluster/tf/eos/eosfuse.yaml
deleted file mode 100644
index 8a4c369c..00000000
--- a/infrastructure/cluster/tf/eos/eosfuse.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: eosfuse
- namespace: jhub
-spec:
- selector:
- matchLabels:
- name: eosfuse
- template:
- metadata:
- labels:
- name: eosfuse
- spec:
- hostNetwork: true
- dnsPolicy: ClusterFirstWithHostNet
- hostPID: true
- hostIPC: true
- # tolerations:
- # - key: jupyter-role
- # operator: Equal
- # value: singleuser
- # effect: NoSchedule
- # nodeSelector:
- # jupyter-role: singleuser
- containers:
- - name: eosfuse
- image: gitlab-registry.cern.ch/escape-wp2/docker-images/eoseulake-fuse-mount:9b667f57 # replace with private GitHub image
- securityContext:
- privileged: true
- capabilities:
- add:
- - SYS_ADMIN
- - NET_ADMIN
- volumeMounts:
- - name: dev-fuse
- mountPath: /dev/fuse
- - name: eos-eulake
- mountPath: /eos
- mountPropagation: Bidirectional
- terminationGracePeriodSeconds: 30
- volumes:
- - name: dev-fuse
- hostPath:
- path: /dev/fuse
- - name: eos-eulake
- hostPath:
- path: /var/eos-eulake-home/
diff --git a/infrastructure/cluster/tf/graph.png b/infrastructure/cluster/tf/graph.png deleted file mode 100644 index 1dd5c50de55126763ada6b4db3ea7f6af38c88c0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 167236 zcmaHT2RxSV_y3d9kR&Bih>EgjHYJ&nWbY8!duNoDtdLPwlD!GpBrCG_&WOj}d;HH$ zsqgRmef^)$^Xg+f?)$p0>zwy_pZ7V}xAK8}Ktl9ij=fRvP&xP5*7OR*6L=g>c*F9;XSuTO;2xpzxwZ0 zQZ61N{yXkFE%o)@1qB5blWn&wEiDuC^5j%hR3@jU9$Q=I+1cB}ec*1aoSb$IYNbU* z%41_=OxX9LC53Zxa#l4N2&EkyiWQZVWK>if8q_Wy-o->}V0wBwr8VO4Cn)D2CKi@Y zA*yyFLcUj;Gc~I%hQFPPU^nIeY0{PURbE~`;r)A}_Rh}axVS2uD@5*OQH?qtcsq`z z+m5BmbRo}qqjrc${Df4~*+y97(k? zgY=>=Nq8JDp=)I&>sYErpltGjnDBFOaPY7D7gPoVP2us0VSAV$~xG(;s%jJ{a<{{8zB)})66kjMRx0SM~o#7Ejq z-Xi9gd8vWxVQ-#sXRcxIbZmZpH+nYmJlxxErCrW)wB{UF{YLNL zt}G7^4;2+vOKga0QXPG%a-r2s%ifmL9(~N>^~3vR5aC)J`}>`?xVSjFTPLbr(~l=^ zXKQVWt#rc&CYvsQ6pyQKO~`3kC@C$?svwz~4$pI9sN99qWXKtZggb#i)#k3Pt!+<< zL*c+igY~4!oL$JkygS=Xdiq9m+TjGNyIh+%d3ZZ@@k^I4x0X0;Ef2Yz)f+5vAi8v^ z8JQ&N^dc$y)#+x^-Jhi2M;6%of5^m_ma1*7&2^6W@ufxWOzTXd(T}d;Hp$4T#IBXB z75C(uQ%3*w8TOa|IF_@Fv9`7#^2bNda(@sab&$Sy@19+q(!fXkw0uE1RomG2@85^d z4!>uDsYM=yZwLKwrRm;T^jL_R?BmCQ151%>69rRgt(637(-s7W&XV!sKPFG_MxY4K za?`znt=Ynr@6_qf>Vjztb~mRi`zasy&f;}O=AFHVpkhGf~P67T1@9MhBa)T>oRsZ(1=XJv42 zXK?cuTWR9nX8N9#rDYE9qQBq7uQ21_#&Pok`@>7i$DiapTo05yYfn#)#nw#T)Zp&S zU|Ua5l9EyW{Z3W;R8cXph}j>q&adKwnBjoF};#I|bWxDvn+@CN_Fe553p@pMXg_gaBdFX4T z8?P3ZmLg_}4#(MX>ZR}DH>fKs^A%^Of|ZP#0r5(fW9iW@q}w0*jPhFhzg{_d^k@ON zgymYl_0$<-8<*L_IbIdB+8Ywqrw^|%h05#tYv@BKTUl0goK|)08tn&Sc$j8rbN{DaM ze_$~5u&$IQR#jT)0%dh==c@5jRYWPqAw}mtVQ18LuLq```4Q_95-8| zCg1C)HRp7yCWAX8P>QDeNmGOtH*Wb^;Q=U}npe6r!)ZDBwpHby(Fio1JG^MwYn#Pd zN=v|&siUOp&a=g9s`wW!gtsmYI_>Rzud8d_8r*Yq7^7BergvQMGPm1}-Rz%pj8A_) zM!nfp%^O!##O<&>LTdeqlsdMcK=C2>f@@N8a*q9)(S7oB@r8$r;>=26Y-MHDftEPD zHA;SPc;O3O$+|}IN~&@D&e~x5_O`jx!;Y=FQZ>X#;kQ)O)QuY(1b9Az_$QD3nlaYX zYe5zPu`ueMsC=`PIpx>YBRx6#Aw-uiuVhENuu(!LW!y~J#T=dbQRy%q(LQF;4Z1e8FQ<&9L>QqYNxc9Q{ElvIS1YHWinb 
zt)14aH<#o2Xj@t2Mp+MCEMxUQmNunivps#1c+SSdYHpx-IK98WKb32)=rMuX^UUMN zk6TpY%OxZxitOy{1bo_C_uFd{XY2p;&~Y)aVDUTk%0{D;>d45*rE&R$AJ_c2Kgy{& z$Sl|>v-O#{AlFSx-i`2VeEy5sEMIvu#AzessT1v=2ScTt#gwo<{0>#N**-X!P8s!F z>MZxX^R@K77BPCX2j6xym}Z*&Y`zd&JEvqRV(!`V=gQXomLa=Ke0z`g;Gb)Gy{Wsq zjw)8&PvM@9u@LA)VQIW_^C4pH!>@JeR>ba#+MZ?q%G`suK|yGqIa@yxy9qJ}uxnNS z&O_5F>k<6ded>N8A#8d1^R@OXH*^~#c?z}{>sWbsQUP%!kcW)4pXC4>p6F0AZilfx z$?rE3k$UHu)Pwz9H9+oN5)Hus=-gm|tAiTyu+KB?Y3e0Jv?mw%(o z)AKkUGLIi$t6;b?<?l1jHO;)PYhlrr$$NMi^_i>xVcLZ5(Jx*c`O(n8*&l=*cH1yu*{-tIfbPrC z%Nscgbjig|UY^w>0iRyK#`^y}rujl8fxd}}B&9^SNdfhx-J!F)cb-0dYPZ}h#Jp;4 zZLM!%A?>so?^N*Vb^roeKY#u_(_UJ6h4;C9Wo0E3wr0DV@?W#wyujXn_#Fy0)rrs* z7{JabC0{e3poq{W12=aH8m)T+@6^VQqllD@OwjC?5uARDR&hH3rj^yaQk4LUMxKKZ z-8-;)TLdOoogu-7JFUXwtiFwnyz%pq%QE1&Mw`|YBo51u+S}R^0Ez-e7i>mX?8X*s zvydo{uB}>E(v*uBcX)d;&;GI9xZ&pW(5Tl)NgnO(F*rzw}?LC)~mQDcv?6j5V zlw4F)bR&<$Z1mOYY=1H=ssma~t)*Q~&5&>HqZeIEB#*sCr;7E{ne5gbC7kq<&7@qT z{v_m~dWvkb0h-+1-C5Y#pYc%yirfgSwcR@J>57na9-fGmKA3ZW$j7#}`GD19Yg;ph zQ_cISzz@g^wr0lhFJ7dZ`b!U-Tkrh`aOoKvcLGaZMn7~?R9pW_5IkdV z{O;Ym=Gp#21OO1)w6U?FV-eZh-0Y3|r2C$Ti0J!CK?)cS+4tyZGMF4L0S-n+|CMc^ zyjG|d25)akEd_;l&v^%naG$~#K82PEQb2J&s3SFuCK)@{B|l-6rMModXb88Q3y_2y=0X`0&3q#UQkMAIdYE3uu_ zY!?X#lGD;=Q?}lU#%jHfEB5yB`OzCvQkt9$WPDkwYFB_fT6qn3)rOl1``Xm-iX8#Z z?AjJHmBnFjG!XbVT?%JxWx@9pxB$@y#{=HXxm=u_EUc_IM6iy#6#ROxzr5V~FuA0} zv3qmb-|x8qLc&*PdJ&^_=vJi+2~l%YKq8_>X6VWupFD|% z?C4;*VZ~)sRp}siqDS}2%G56JfI;YR-~Kb9&h1x?Z+99}9?mz);F+eT=4%1+rLSHc zn~;{Vu&`+5v0>kPapz9Cx+Eu^2C$U1BQom+P4u zCtg#hHAU@hL`|LGTQ66TF;{L3R#ai?T#%>HKH)L`U53N#mdp(v62HmG$#wHXSM&Xs zLmJ#UfBrngZ4PQiLGp7e%gZ&JmLID}YKhc8cQk_cfTz-K78Dm3@AG)bym>Y!VhScc zdIj4j$ZPv?FTUcPe{ptyBra!pZ-&&3S%h@3CMS*d=>>Gaq;dEG3%!BonKDj$^Jb_V zE0f$)kqU-i#7kQ{(!qyuMaTOefX~2r7xyk3Pm}$Mti63cwHT~$^;ViKe{2Q#2Ye0J_C@eIW)!?>W`~>LKKQOXDBk!4+pRaJ^ z#tj_bXHWQc7yK;iX!B~u%+NsAJ6JoFN8skp3k#P3o8jtHnYjqofqJF987V zV7c+bYUSqU!qaeZf6QiMVEFLRVe;|jz*;zEA&)bBf&ZSwzvne0LjTI&@&8L!|Z$Hd$Nu=>3+ 
z*vDP;jErO*9ZOuUDJq=6xzeP=x1~VLZgK}nbq(|S5;&ePINUatQAqBk(#rsYKp5E$5V~wthZPwxb{S+6Ez2zW7s3g4>|Y}i|X9MXILm1I`G>KJu~ z&}_VsUq8YC#%AXeI!X{(;_~3SJBj@?BLwmZ_sd3205o?Edp_5q(^8dy34|kra{@`0 z>&9AEI@Qukcc)4_+z3=BEIOSnpPHC3#3+uImEGx()XLpK2fd&L&%N}s`t|GADbY0s zTT6?JS8NVLPR+l`&{QN~2Q{O6#gm-8JbgPm;1E`YfB``;XIF70ui{=M%zD|=+iN-K zu!e>_Bn^OlVEY%_RPmfc`tC6OE`Pat6M8n)7D*NXnG!rm?1X=s$SdUX?R8>`6|187G;eCY_wn)B4`tvaa$Hu^CIw!o;M#ZY*EKWcJ46F?hyqfQlOKa! zAD#Q-it0J!e~G8FjJ}2j{{n>d8&xLkG>Ey9`0133dV|c#=#rAntGd;2H?#JT`^Qr3V>nA3fWA-zKsJ-oRgaWdHj)*9F zh?J97FiADjmmm1%rZZ-Qu5cFUm*B@s4c2jFB1u%ggH74yzw_qHD9#K+d&ZKKn|qt< z$|F!7zkmN89z>|5sHjEgUUBW^dBBh5uczrJ7OF`*&p+gjMg+mYz`&&R^v*Pu!p{I0 zNE%bHKI{c#GJJM6i&^|JebM|&L>jy2frEah6ZwegoiwnV0nkzQA1hnO@3vvjsD<1S z0~COS!qGP%V|dMyUb^(oy5!@>k10oLz#hZ5sHv#n?{4Mw&XgTWzw%iBIF9^9U_CIK z5fKsZ!^8hLFetI+=GmaB5MMdh@w&PB(azl7ZaU5t_76Idwt^lw!~weRscznE+8B>Y z7o*D;2vIik%rzcNJ5BfH&Y3f3AoG*3-ujG48KbpEf}-ZkRy*@3q1VJ)i;^x1qJV&um3iW z6x2V%XE%gQ6jalOe=x|NI}($c@iq$!E_qoN!ZH^|su5vx2WV5y(HHQf0jlX23v^p4 za&mKf#6WTeDskcDF?a)?mn#|sY6O>*H8xI%NYvim9($frVgeq7({$Js#BCNXF6xlF z*dJkR`k(@D?hNiZfG#TzlByg7q4EOn(K0=Mk~h;3Y|6@WbzoJ(*FQ!^k|>mFLt-Iy^TKy{%A%zP%`86I zSV+Z)`5gOja1{Lj0f5Vh?#Uz#&cP7gHjW22jw75MNO7@>q~wQy06ZY-q5+`A0Ui55%u=W?3r+EY^;R!2~-Bwk2Au*u*Ma^tszhXF>?J4_e0?$N{1q$v&`4`-jS(znm};=&{2r= zNhv9xUAzme=Nb~=wy<*QJ0fR=XCYS=X%vZ-0_8x`$*B}fdV0l%J2JDsqazM-*`=XLwW*x{$i^bMO%Av-p!0)!;fyU)G$+$4pI8o*fSO1BriMZH1T zkODEpR6|sG7A>%`v0*8aOG^h;Q)Ws^cnj@D)17wox4y^}_en`fX~?;zq@_j5 z-O9?!l450Ly|l$m(wKkcw~*qD{|~)WKX+jGK7vs5i34RI;v;74N zRhMUGkopX7RO3(Np;2|oA3ySgS;w!0FHic*#@6KHUstmo!?)j)0xq3Iq)X@y<+Y9H zI0v(vf?*5Joh@Pghb5uPZv78mv$`QjT@+d}(ASr;z5V=z&@uI#t~}!?L_mOSJ197q zv!57+>WE!V@<&f)%GVD>_G-^sB(}7)q_mTz#^&bA!n$7asv9$V_U+)t5ETE4XcdeqUI$1>_9P>X5qfaY};YNU&_;_4E>Y>O-cI<-|E_0a(a5> zfc0csqW1@_w9cI1$w@sRX`_APD|U@z83#-1Z0Rxh?N8q4%&Pl`9SG|84=>m-CD9x8 z7s#*;*u)TPaqn#}$;it78hV8ck|qz7l2#lcQ7Nh*DKPx&c>cQYS2bq51YcU zCji_79!4%a_p1gWZu$lxHWlv4(LOmPC9!tlgXc83`PX{OlC<7yH_U7NlhYkI5fJ!h 
zMT7!6Gyhz%YX=eqWxg9Z4`Zd4zP>R(8sKr3G&j%Q-kz12InWemN}Cq_qDJ{hEy(qV zo>JZP`$6&lQGrv~lZiyrM7?KbW}wcM2}JwJiHq5om%`q^Pq0E3TfKeWu6PkVdr}gWjGUa# zbaG_YU{51zVA_n*pJLn35ame$sQO*Y_upv@E(%fx<5@->4%uOqEt z0C|dti06R^IgbG#d;)Zpy!m-_TwdndxUBc*T+Pf-$Ob6()eok$icg*Cm1Z)p!wdVn zx)Q*P%y|rc-#3_zi;HW@g7V;76soM}2~4@Dck?r8LqkIVRR3kCK+D!-`ndGG-+381 zN}gnEb*6Qo*dC#FEiF>v}#h(@q~f8M8#6Z8M+ z1-Qt`0<8ncE9L&*<#zs&wCoR<3Cj&6IW8`48sMt_G<}>g8yg!nAKxIrl(RV!=A3g3 zGGF_ndk;uey^Uk8x>nj7Epc%lEG(=mM7IvEEqkY^ayZp~w>YREJh|kPlL1^-M zAb>cGv*q`x6?jttzlH41E4T5YclhPk++e`u{;xDL<*URkK6SeIpO*1@pq8GR8dNu? zm==BDE@elg4+}i%#G&Eg(li(AAlJn6Oo)#c>PW|Ip?ssA{OybFl6Fu?2p2aMO1^i$ zy75K{L1{&;O*<%vgLc6jY1|*K6MaVuc;dZ#E|ARKi#bT>%cM-ho*q0N;0LOe1rm7( zN}vPgQ92a#8v$&LLEzsfTW>=`#^)3EKYTf;b1EnOF#$6xYpgs?9B8it1F9>lt5g@g zkRAf4MZd1p03q%TI4R^rRn^tZk!nzWI>3jUxF_qC($mspVK`8_EK;2_J9Ft^5T`$U zy!K}}IN3?^qe3|hcJ)-bg^ixiQxa+~S8i@ba?lQa~`d#p=9(N;1oe89Th_ICzkf;7nz|O$l|I^cd zofO2emxk3=_^TH6SKo4ddEMP>sB9bM!0)!)Iv;eBLeZq)dK z&BZeU$6f9s{U;e2P37nI-Q3yd)&9qkn>n*qv;2T0vEpY2=f33o6hzW%z%TDy{Qz&M zdO}d%A5{hm)NXcFH5t)^(e-BpKsx}@r)(gk0c0_vS3nAr{y6!;P0qL;%6#fF&>@jc z+57Y~vz3L#GaH*OBV$5A!5dZmh1NO-Y`1SGeQ-{%*q`*WDosLn?24w2R3!ofHcrkY zAoY-WfPHl1lchQ!sz|Z%^XGkzs!*8H)6)YBNrrL$?y&(r5G`5bh$Qll9yObtCDNl!D8}RYcUX&ux%6_V0Q})17625(bd>5a9fD2G=|CNI8{-lNh+pxdD zvfN7cDw9%BjR|`Sh&KsP%|MC+=2)js%P1)1KMSgaz16 z1d8Ca6b0THfFx0F{ABh4olx4bgx-{%Ug$iDghaPupHM>t7u3WgCtwEY^uWZR1nFH3 z)5EjYXO6T#L0x+%{N+mw;C)>`g{BHKAUZ=1o){f{_r;w%@KqhhfwSMHIn)6%suZlV z8fE{FYC0|I4SG{e!Z$+f<2ms3Ak!fjzyBJlKgd%wnz8&VDk=c;q#(3Ga^Ke5n>;&f z1hHolG)<&k0#NPUxmPsc{~*!byZ~vq6a(RBW1^0xrVj-LoQRKq`C^mrv9ITr6$G&9 z_kaA;x|T5sk^8@haK=$D*-%D@10LLW^ei;9Wf%|g&h!_`L2nTvY8C8@H4T#cL^Y>0 zFl_5Dyl!!j_*JLjyxR@kbs!#W-?xK#r^D>p`QAZ1g24N^gSKNdAsb$RIYhbe7Y8o3x@zU)?cIgA*d^72LPj769{V&@X9{WfnJwLO z1h^S92n-2{pL1L*MCulwU-BRbkkNr;d4LdL{Xi~(xgkAbFbH5(kQR)~c%&pHAr=69 z2Z@ksYUu~60Vs=L@W5+0*r|}Aq0IgQkGZ#>Uvgm~7vTC|X3+RDh%hWHOh!s-7|Bb@ zMAxCAB8@uji$?ivC<$fCKY%ie+kSSW&ch7i;#1+NOoX3FH!HW3wRXba21P~9&DZST 
z?edvJo#L|ZA8!Oc&~43s7_u^Ra%3D!2a$x*xm_J(X9(y>7l2*ShYxq=o{w{_)LipR zF=<3DXrOgazvD2TzRiZMa6l+9E8f7ofvSh&x4+^Uk%z5o8EK;hF8TNd(-RX-ZEbJ+ z2N=8oc7-N!l*shYHEpJWIDC4;RA_Smg)_+tOWF#er_UF*fe4>dAgj?pROi+QK3T9h8 zfIkZw2?`Zn4EI=BTN}sbKVVATPlTa&1o9oIiG~lhE)wr|r<5IL>19a_92|-AG{GRs zgYiFn=$Det!b8&d()#ou6wEcRho?xpv4`($dnrcVOY5+_be^LAu)%z2Dka zwg@FONp2D~2JCKNoQP`00h;=DWC+9c{fWMENTE`opUhms;1q~Afl4iN%Mp-d?3V*1 zRaGM^Vj!-E&Y4GTg(KZH5Db_!_Yf5sEaq#pD&qcSlZfsPsD-rLW@opm&P_~YbhaAX zjhp35%gI4|D+Odi34ox$yP%4c+X=Gp733kHDcaz0s!cki65GHydwY9XL0ZdGo5tz? zz3jdx;gj{mJa*Dbc}73F#@Du>){?-#&p5=8=>nm$p+N$cam z4^FQ_f8Mx>QwVi5 zfOxAd1GXWty;;r!VRBzmLX}ks{(-Kpp+l08nko*e|2|0obcZyztEY#mbZ~AS+!YmW zT}^B~0dn{pD+k9d5l)-=5726dHc3ZjQ(coIVy={+&~q?OJWN_yd3yg(Kt?+(XoSZ? zj{wqqfpmh5E^UO*N*w=_B~4CGf2JH1%b$B@X!tj!1kgMK4L(vJy@JKzV;_eYc>gIb zay$8_W-@M{bJgr;Sd;b_qYUeCBEzF0iz=KeQL-L%$b$}|Wl-StK(D4=-SiSKV|U#C zg23zFG7sQbe*Y}~6d%}=-C7k}$)nQUmGqVFMn_q--NlfI+5MnDge?&B$kNIx2__XV z5?N-TMaBJ)Pvp_wx&_7KKxBo%E#P{rw{Q1sA?g$f2{Kx<-|a+YM2wJ^CnhF(I{+8E zL`ES-71YwzCEs8U)~5UH*+j|~3kSzLQ-a=Xs75x{su-QAke|2F)kPPnk&lm!K^JO)hB!i6v=brty?sDIV7P|Vn4n*= zWEUN^D*}T(o%^G)kuSczJX>Y09snI0=D*r*d3kvOxnMEo>)h8{83y0Uy4B~hAawgf zS$Q)u6$df_e9;jL=mgAA`vGqb#dlvI3qhhH-@_+3**=E|U!O)jvMbCdE7xL5ggQp6 zo(@tK7|bky>>QZm(`o9PHzgGm6sk&q&Vp}r^`gn@mp!Xb=ZHl;FKV-r-AnPTK?lZV zuMms1g3zAsFr&W-MUYhJcz`y6o@!7dmRHi9R7iK{Jwhz#5EQaI=}|E`F;NrR7sb0k zrWDGEdon!m0|VIF4%iFQ1_wkQ;;h!RSZUfjd(F4`cT1P`BbUuZTIT07b`*4s66kl{ zQ|;u$_OZ!`IHg*2rv+xLB0(HT(tsl%FNlcV4(7&8%xn43__g{;HKZ=cG#e+qliIIZ z(>Q*RMrT$(R?YZ_gZPv!x?EgeEiDt7va;?8G&(c+ZZ5>Oy2QuvZ5GR!eN; zoW)quvT1>tj5db~`h1po?d@7lIm_<`<6?VUAx5*V#<#Kye)W0&LZAN{(nGhy8mxGq zf+Y^PE+NjZ? 
z!$v)%XV%~4F9XRAt#SeKCns=EfV}}wK=pB}>)SV1q$+*NrQ_3A@CH~+=)kcj zPseXl6m6>45FgH__^KGVn^K#GKEIXX>D-aIe9E5P1_)8fbEdzCZ)gIsgI6IW%mqSQ(>tQaH=I{sBs-1l!#R zmHlZD2e_lFlDD> zq|R83!JhFbR*p#gtgs^A=@w({K*#e$Q$#m=OPEjHiuZ^O`MznZzO$Y2wWMS1Qb$gZ z<&M@4jd1CLclF34crv8*YsC)4llRlg$DNTCr14w6I@-rDs-Ir0y%$+MV+B=$Cj&q5 zPwfXC`O^oM!GF7(L|A>fiC+Kqn`YVof`F zSzEm5XvVI5pj)alHjyn~CvCEV1f1N-VQ2DWik+ zjb(&I!Hbz?+;#qxIYU_Q{fU9TlEpR;ZH7H_1~UX2vh8{H3&=aMW~HK_qPTH9Y;9t{uPBQI_K%G>tfNdI)cNRYX$e5C z1s!=skq)a0uvI}my=d{ZRN`9)f)O{0goT2-vWxLK5nU#U)K&8|@$z2m>wb zGPyMcU>7tbBq(SW*$Kc2+e%aq`W9sr6*-O7>VP!Md%i19LQplwu6Q#zmv_|PD>WoIIBlp9@qiSbZYq97u>%R{ zy2wE@*d>{(sZU{>4pd!m{9xKqWr_!MvdkU2Lt(ocQh)KP%sP%gZsh0d3uQfo!@PN& zW9W7vwL1UqeTpTFvK~fe=9m~Eze(uwXhyb+#YZ_RB76_HKPWKFRCl3;(UzM8@DAcv zgZ<|uXrarJDa`un?}d3SIXM|R)RIAm19MCnRXT=}*9Oplc6?~w2b`%pd86UXt%m-F zssh>Ci&%`<_W*{hZZ>00h6Dw5lLx$Rs8ui9+Wjv@IWWgq2M)f?N-@AI#;}6&$41=AN2)o=f=$m;f1hd7E70Q>Y;p(DZFP>AKT&%yz;w@lv-cL7rb;?%I2}3Pn38g6xsnTaye5MC_g2Zl@@2e5)#Q z)~<>9iW`4EKIRl=+UtabjA4w|Y-xoyForgzp`wvF*wS$M}?jsQIaQPjCy zo#C<@9_qP+!w*Ncc0JaYE-vRTUUVNCQis-Y{+Q-6xLQ%3&#MXkrmn7&#j1V)j&Fm5 zKYspv0j_Y9mbUU8vrfIBW=dirdeu>P`DUv1}B#9|i`-(A1Q^hb-Q?b1Hp+ zHBT4_M+Xhjrl7=j&*iiHP-plM9bIm43CrzcZ^E0qckiCW!s3S(JQkue7)Otu!^3;| z;lou`3-?#>qJs^ZhBv9GvgD7wi-_<6;SlAVoz2XD?;h>NyH%By<*>jFv}EM)`ndGM z%~t?5Cg??$0#5L&rR`t1T|%+ua42FcoEoE+QCDe4s3olopV#FVB&$U?k%vf z9|QC|K95sn>j=UbY2Dw>LKDhN8~^?Uz+^mo6aO&Ey{$4ozWFM|$e*yH!4UNHa>ohkB<~md6;6RsbkZ_!{h|_g)#Ahu_)o`rn``76_bM^ zXZz{%u>RjG`9KJO$=lh9mQ7}SzHS1ueU+RX!{6WkmA5y1b4;2lh*(KLz#{imW=aY+ z)Xuf@K>6LUk$d#$1xUghJTNO}3wI?Y-zY4+kp6&s<%%~fz|A00u3TSa#;IbOpIMb3 zyA?Ib$z*|8%>5x4$*4w6Mg{{+Fc~-Z73fc?p8r_^23y7LwQnS#uhPQYX38H+Y(+Qq z^8&U5D;m45(sH&=(Eoj=_`_!`L{^Iw z$bxwB+uL(N9Ptkc@qoE8S_6#+)vzi@$orgK(3|i@Xei;gs;cj6@E{;=TN#}~9`)Qi zjo-_!@RWtfKPbp8C52|ff-{`m6azM@vpa0E0JI(npTWI?hu4zIe%Fo!5AUlJ4q`jb z*>Y;Piy8Pkw;*cR4#0W|2nv#uksVoBSP*{jK!BeggZ$bxTcf)IS>P{PIy%=VDNj&7 zj1;i4x-AjG=?1ARl!G_z>uR@9I&C9l? 
zri@T5I)cJ-!vH6O+nbFWp>Jz^JNf0ym#%!){S`b~q0VrXjZKcuvA(v}f6v$ESN)}Z zVE7mlGd3*L%3t&54K7!nGh!VRE#LTs$eW8_J^0fLfH(_3l$R73M_?cAhgS5Ps3-{L zIADbWLPGbF+sWzZ8dBacf~_?)G^`q7z#vqPfmB)ln$+Cfe9Vgus2>JOSy>sEl+;*u zJM_&PXAnCg194S8!O;D~!l((DL?Z$uBDp;QI8i!WH^3gq=;&}585tLA?n^z2iHeGf zP`V4xqD9Jo5<%7vA5id_n=~}v(5>-f=1DMTC&@lY-ozy#p(Ef0q^pf60(SFrV&d6c z+`dDfc?EgM=-Al1ekNvSa6mG@W9Z@Gm+;`%DJb~iA*iUnPYdo(my649WDI!&u|1sA z5)1l0ze4ymfgVb&r%$635>BFq;BuKJS1Bmm-HsvylLHXFNMCQVxvabK75mYnM}!<^ z*Q>lQxr~l#d0%G3(aY%>h(7P{1N((dU|ahYE-P%v1uLL4(?24DR?WGxy!^}I1UL67_(O%>g)=l}NYbpjSBuz*ouV7YxA zc+!dqw4MY!a23a;AqFsd8$_anl$38N3fUjp^=61$J^<--j*lP5EZkn2(a=A8#t;B# zF~N^B0tenOxBRNAB&a*7vYLHgOhXx-V8ls8yarQSTzmcOBmi^~qihv-* zT=AkGwFM)m`7dlUGqcgJ)liTahMt3(y1IKhI+R7l#mIzsUt&Ifp5nnBQBkbnkr9r~ z{TQI~7KtRUNySf-Bd~WTR_Yx-pJ)scQB_#-SzwLMHLDM+g?J(}Pe%?Lxon{3m!V#c zfjCG^^H6TDQAI-p*Es?L4_5t-tF*Ldz*>;U8nB<^*@o&z6(B1vF|orV0uIOZpB}J~ zWyIEfFQ6kElW%+8MP(S|N_JJ~dgGoiJBs{vajb3z&m$FtS5J{Z3Nk2&PIBvard7fQ zd0zlc^IdNJUUa|pU?n`^5fp5j;+K~vOiD^>*jO@nQpfq_LIk%ho)-aq)iSy@6WZ9l ziMcKUFs|a9F3UI02H*nkzQSR4jMQoSrBq|TqS5{(bR(Y4hP7Qb1 z?sf!P_U{@Q(ZQJJ;ZOpNjm5F~#l^3%&)Xw8tpJNE2y3Lur{dmO9@mF_I~Ra30rBPTY&FQX8*z}8DV;Z!ZqJ0p> zOB_fcPE;oBar>8ii0_jM_a`l%MAl(Tk{@gxKLurg`w|j3kRh55l^rSCoJ=NU*2ea| z!toL|SCcBHUW6xr<+~C2d{N{%Z2Cw@PtUVvMhxWDaaYmUub*{WGc3?jNOx0Lku5WH zy1xRtHu~$=um`DQ85}s_t&pu9ou7Z{@@<2%?TsZy$88%MTif!+#`FS8lJtW`TZ74GhFea=&2i>C!YPE@GV4_%wMO<|)%X(U87jDeZ(|S2E zX7x2bbq3h&(&D>&{xIA1@0c0Qe?72$ubN&B1zx1sJUv)SYFxT=8>Rl$^^~xe$hKr zY`blEvDT{{uc{0#y?*1yPnbCy*z(_~`wlj&(s!h(ctLDD^4iPzbOHGT37C`txTNgWlXTpa5W9z{0HZx$FTIE(~U!hHv22I668yT!Ie~sAkE4 z-Iv_2HRS|j&T(*X)YR7Ah4BHXA%W#Nv>-y?`3V#|2L}*+3?xwa_}n)zpwZCKfB@_V zp0U(_1u+%!!rvsP88a>><|qKoQD|-VrY~8?fP_|9RP^f)wn1;i8$pG215v-Y;!4)r z?@M9Fp*3O1mut2R_Ae9^TakGSGh5Fp*GF*WRolYIA>A;A4%Q=EeQCY7czH=oO-&a^ zfLcSa!R{Jg`4()co)mA$i+kLDBX@ImYtBC)00T9@uuu+=_oUP2!HQ*=Wsc>PY<(Ep z*|NRWxshtWv(h%&1}eMxxw;HzmN(yX+cGJusAM|sY`(y1{-yaUwR+6BWaBtAJCwm@ zTe}Erh8|5XWb*9SW-FD9i{0S7kf9>SRmr&KXAH&z+_q7vX=zo^fSKX2WrbLz4eZJ| 
zcj=NRz{F3mvTCTc&Rk(^cDoOF1K?5y=K{Qla@;&s*3CZ*pLqg-J(TI`cT7_p?zaq1 z=*z$8>(x@8>@qRX%?BI1TD0Pze#AENdd)|lp3 zeSOM6MuE+c(bJ!Wb5N?QNu9hQWkWf8d7Xv;4}tLVfyWn8E9YsjT0 zss9A|s}RyN9Cz%BpyL|2w~&SgIdZ@Pjq;cIB9-Fs&A80Wb8zs;)SKA}t7wLqI|RV1 zA(-}Zkk=iz4?7#=kd&WqE9_g(hzkgw0TE;y>L@wZHwj$J71fUNWL4ZDxd#+^0nP_F z!eu@Cd4p$_C~-Kmn&h6e^aW(QcO}uzeEtAoHV7+P~uge8LHV$#lX-st-%a=);d(>GhoYBADnYxVrf|k z2x~f5yruyR#L71qfzOF;GfPW1*<^UntSVYsvLZa{-Md=^{6>hA7OxUP-x>;~ms6m0 z^dM$cB(lMgBUBHZ*~LOw+h?Qt}-*92hoq4t3BKW zwx%FK0HKR8lO_Nfn(OmF*@31&BC+8#5$!P#glYtKoK}K3<^tWC*-w{Q8et2SFXSYU z{?I679fRR0Mh&;3Eo`7)$3Ham6JEPdy*@r-D z^XD@M20FjGTJ=4M`Unbyt##P%`U2p-ohFyQbQ@1Bgsu{BbRLe5iTV7wZQ7FT7!*XE zo^)qD4P`eamwNozKQK`9aeXjgQqBFFkbxj&$8E)jbyK%+YRg?tWNOvo^_f-^3yX-9 z!wDkIaQH&0kuLES9=i(wu58FMkJW{Y00f*+w+&PBnuAW5v(TbGG&JN4{p&~J#3__B zG-LraRGPNYHH?~U+~l>I4sBnNRaN!9Ar`FOo+KlmrFF`v08L@Lg*dW&fyFJ9I@l5N zV}vlFc$`R6Dl_4@6z-L_$H19Ej$n**+O>rY7jhR3*m?yNQ@-Rm2l&l75)$9J(!GI6 z$ClRHQ?$Ibh~Gns;7!U`(rX4v1mc}vAp`?Aagm4*RGZR`Soz%8Rq$Nja1(IDbZ=*E z1oq&SgA%yVz%|#^r>)Y+w)cX8(Ygk8E-!>@@a67%QwhWGTmH^T$cPRacMn z8kgokC+58dWTflsHlO0+J|-n$L2Uj8niFE-;L&gH`yTb)IK4#RjQsP9-X*A1xMX)z zAH=pkt6sx(Xe3>zrHm@8t2+%T2+A4K(iFuUELc#uiEVbp zBoJQ6SEsuX2ZzB91JbVI_#+PYOjt5eT3AA&>Z{vnq_jfS^K5u4jz5u-r zKVfR`0(?LQw=kXEIGmK6_EIqB1=x6%AE}?)X@X%mhNv7Oz`maf?~4{^bYCJDf90M6 z_{eBAE&p?Jl1kO)CnmHu>CC;MlZUCgfD!=FhIg%2#Otgy&j#h218#c z|2_{Ae%OJvH!y%&Iv;(=bWXm%6>LjY1e?#9XXt#$jeqxK0~&YNNWvGsYdmkmS4quK5CWHJDC?s-?B{J}3!* z9v^|P;~{mzCbY#zC<{G!$8=xd{{5BDT=MW7(IE#F5y0g+*x3rwwVArE#r&N-2+hM-^gvRdn2DtLQlVsoEOp5EMS75#2 zt+zJ-MD2N2!>2YUX9{hhk^0D;A~=`}WCPe)c-(?7GcIo=3zz>vB)0Ox>}Nkv$+Qa&dQm*K|0hc%+nWNfmmnnA)sXq#RYO! 
zRvCcUSIBt*pzic?ee%LVyslm?v=j+T8+CxjG^kf#k6=npyGv1(Q|YBfw;$^1C7nET zhBfRqz^ey0ft2u$Hvvbw0j-i4U-!ODTvqe_g`j{LA z3NZa<6=xnnqNXug;}3GzU5ImCT;Zo9b8r%z)+{><4=H(YU}o-cZ$uEKFc`R001wQ`wXS~_n&-Vmg= z2mXi|LS4I4F36khN4o|3iJSJ)~Q8#BO4uq5>eC_MH5EdgB@{=p^Wzs_7fB}2&XS-EKf8qE~OE>8Se1PZxsQD z5<}qvR0hVU0;ZsFLE8zA=h>Rh#&CutCZoX7b)w{lfe-BPRRqfJ3E?jEhc#mGq@<+T zb3gIrl*!uka>S=n@*Jvy$E*z>gUkzL`5d&LE^-5f9EN1-B4@;Gc%CP1b>wauy%Lo4 zB4kh4@nwF>8!>}|or#$l9-QqK)xA7`*mPHxgI$lYfr3YXKZIL=bY>;j|Hlijb7;?${+(o03hsHPJjhps3v=8VE27}K&7 z?7A(VjNE*Qe5wp0k^RvqT%hB>IA*pU@@{-WU4>q6Za7{*mz;t^5Ikxv>ChlQmP|}f zUzqAlCmn~AfhN1TG7I0^f&(gF8~?sJ=2PE_Tk8GO-jW2MXhtGzxykaD+>D#w&Kfp#$M_LMs<4{q7@I@|mBs)UFJj8&Xb8~*M8C!Ggd(iE?9p#R^95g6C z7$_DtHbgBEP*fyx#g)~}uyo2^wS}mT8k(56`SA3aGeMeffd(B#VIPN(f{{|yY8lo| zGzdqIxq)g8fS=jR6cHX?ui^Rn^;bB^VsxA*m04-^-9YeQjyS}O`=FbFls%?<$`}?GKCHFu0l*_2^;KiXz6im4Y8b< znmUbwgmunpI<5pcx@-XsA0q>{ah7Kp7pUtrF`mB)L}DD+PmG9QP^T!a$RB0+ZIP#! zLS8hgq2L%fk~>foLx`YPdhb{0;GEw0c;9Ot&ep*M4YTPP%g(@Btb;`2_F(BMKna3H zsGYh@JNt)DzQjA_SG*o@04;{BKu}%%YFg>89g=+j8_BhnM@&k9fE)Y~kkewTR1nlh zFe5|>hnhlt{e$hb(!EM(4LKgud=e#@+}@;@19AWDTwp-J5VXDe?JLmDH=KXV%J-xl z9eF=1(t2H)`2a#TN)mPm-|inABn48?G_`X32eUk+JWy|I8W=FLBvBes0#Z9*GjhhD z@5?!aIA6fJpV#m-4)zI-5~gsN4j<#@=APfDn{nmpVpjk>h1YYak$%!(pl&>Fgo&YQEr0C#O16D*zaAT*?8U{vTg& z0?+lfxBdS#&!s^cP-!MZgGw|hG)sj@go>0>C?uK(O4N=tN2wHBl8~VR%|enS8WGZ< zB;k24?0Y}w|D5~3U;EzoKIi1;_g&w$KErigpKA?0RxnAn6a{H>`{$Q$K|6mXSX;fl zyZ0BE#N{WGWD5`}wGPXIxU9LRZ1yfM&RNMJ_JfS~seH4|30I;LKaWaCSx36P79BmM z%`(T=w_Xf3_Z7RNd2D*8_gk#mU)=7Pv%HGx_o{P^N#5GuS38~S^lN+MM3w0r&+&(6 z4x;ZeDb^3T%t#R3tjzdM{TnmsvbxNiUx7(ZMV~((*!bGDb$c1*Wa{pkKdz!7NzTpf zMX|Kq?Q%)_)iti^ljSE|UUp#mkw?eJcjE}e#>Of;4HPYL?`a@2yfOY>k(KxI<-rpt zI&#`5GbV>-3GnB(Xk9WhoAI0irE1%@t?1RdcI)<`CcNh)@e#DuX|Go{^nL@}1IKR| zjP%kQpRot8&n#IV5|)BwbMa?4`j-*a(bo(;g=L^E z+A4Xlam;StreKgr0I=2%`IH#cgr<{)+SAyL`S|E)R%lh{%HPDKyL{SiAD<4ZU*F6< zKiB7H-Nee&Bfsd`BLPKTVY=qAG;u`f>V8$d3d{8SgEeWM2+y+zy5D|%PKb4S?B$3v z>wStlb1ZJe#bJ_?y4r1RUa*o`jBj-9dDT*bPsI=059#28FQMopvO?#@Y#chxWrJvN 
z>+5R2?U`xg320(nw_fIZ&kf?Y@2Z})u}IO=m99qsRn^~%Hclw0P(_If80`ZZZQwhm zcJcKQ6}^gUle>O2dG=SAW}+Z^^Y-n?!ky6#$JC||G#T4OL`P<}`cAC-Wi9$m#5VVy zJV|BMcAc9QU3-=&Zx%Swkx?k@IFu&d@)b9bsI-2m@d52f{LxtiWCypH1Rh}1P&Hnf{+OB)c zy(QMC*Vg1&7O&~v((Emw={^gG_c%ZMXl7A*#hMd8uBTU~F&rc%5$24GYfu%4ZP@XF zhB_7Y!{5D!r|qc|EXCnr3*z<<&C2^({NPA=7Ik!hv#pve&~JYEs+-ToqOhRls`yF; zV?|Tcrfu8Ejrwd6maULgxqBt%^*)-E2K2vEiGSLk6irb^OFpWat9wR1f(E0CoD9)_ zM0v5*&mht|HR9%15-$w>mc}e6%8HDO`%0kPg`3Ku?vLxEzx6xI*2|Q^Hyz{5vDtU z#NZj5V;PhvYJ=bn8DsUVA!T93YRk0W+3 zSh}=R;p!nOl0Z%8;kZ7mzig2tfB*h{QPR*`i{6t3vVv#$g%#~?h!#u!9hl?>l6?bX zg!K)5ZK91PNNaXyeTQ!D>xIHfp1lpOEo24VvBBK zaj4+B^zPk`xFJXL~vB3WQ``>!|4MEt; ziXUt2;~RzE&v3qNA1<0IO=B3BzlEZt8Z)#KRM zwYmfj5{@GpGeKArvqjyudbR63pR5090jL&R@91I@y{d;%_>#TgO?OjLez+F|{8Y{I z2uCbL#_cloh0~wn^o^0BwU+(V)6T*p72-5CM6fpVgLU5kV5O3#c?`juO8?jjf}QSkH^vd;OYrmHm8fc{uP8#MC*4V4z8ZkMThIPa0R83UxdcOM8yCNMr# z0h16|25$NDRgb9B|H<+3il1+OpDQgZJCqvzF5uX7-e-im*~_^JC3ddbDS!w7?A_6y z-bU9eIk=Wp6^ka5vo*uEJ7jhj0O$mhs1^GGM=w%8oVfWYJnv@Ant`!!Q}N}Bo;7&| zVzKT$cyKlD&+C_V<=@@+mEy?Ujl3vms<+S!-3vB<-w(dmQ#|Gi+_!GvGT1@_X)d*}jNg#@ zX`=PRZ%Ora?%r##)9McF+l^>3VCYbNWwYy-^EQS~%A2<5q_1}K$V4C_cuZqQs^B(~ z0prIn-V8iabo11U2S?tm=iHP3cf7!5I@ifQ?~bAS>fDJ5a`tW$65I9%fII~7Flxds zg9^&r6dIwsaE%;=-GJu}kVpe_zTfuV#Vc2Oq-%Zm5$gno@rs_&igNla0>0O0%)bcy zr>T)HEK*hQsPu!H>mj+z)2SlxNC9*o09q*NC!@MlnGRzbJ|v`-1N7z%;9pYh&to?b zI^P8f8bO2I$JK)WDlbLAL}K5_yS|r>ggA>zFHKKO!c|SYoivmA^ZRQ!yc$ZA&_ePR z;=~&WYpJh-N3F_Fm$JWmY*4Fuaw`=N*$GFjGP&0Wf4K4tmxK{IF0T*s-UHy7N> zcKPjavMsT7+7%X7>RK~M zDwlh3FbDnyUUqX`brFSGd*+3@AmTvtye#AFbYB1UjeDl)m=ZZB)|8FHA8f*l1oyFY zZ)*0>l?4HFhgr{^v`u*v?zRU?Y2RERfulz+S(SFOecKJn{=mlq0vB}D7dol|NJAj| zL?tI6^CerVKQy7^d&(|fzb+%VJ~%}2Y&JGFXcn6zBw6R=G|k4QL2Sg)vwn7AzK|mD zg5XgsE1rrn#8xt_Tu#yuaC22)g=tQPi_kCVG+=g<1h+ADn5GN8Af3aFPnW{f0C!uo zYV~r$tNs^Z`tCV(cd)mQ+So?tdG(9Abkv*P?j2%aXxL2BrcIm4lP61v&3?y^`^-6} z(eYE!F>#+n_|0!KUAhjwI?BxVArvk{gRiy*$8nvSE>O&QsY14Kj=pj3#WtTu-G)D zJ;14M14Ha!-w5R=NsRR9x0bBsh3GFqN5MZZX^CuLQkUGEb8cn5E(Kbf2XP1w9yv0& 
zfZqw%(dMt2J0W5^h;C180BVe{YoCdtVA``GjnZP4%rBHlBbPq4j`T8AdQ$6t4tUE` zr1Gi`9zMJyBxE4$LvC2xh97I)X=-Fl`u^nk71!c;aRd;wb z4jM&>*5FXA)BO9FL89G-9N8%7Fye!V)oN>Aj&|SeoKaj{oQ%n)7nrM1Ri8Y05{O9T zk-yiyxjm)c0Y1O_lsZUg8fc8hg;RPqO7iZ-Q*$yiw~5+TTiZNQZqk;%=)2o==rB6I z%U${}81U5<2luK7phJJ&yfox2y9ic)0LO(wRnkvcxdW0bzX_*AVa<{9ntJB%4bN

_}`KUVW$k!J-PFs5I*M&6@Qn>ZI#hRR@?won9D-xz*!-h2wy@rMe`Kqf{iZd}l zbFEl^Kfh&1B0%_0M@4l*xv)MX*ePpOG^NnhjW5I++H7kAyL!fAOCXeF+`lsorBWw3 z%^hqry5?K?`Eo)MtFJ#9@d2A%@YW!_b?N~s!|1ryZP-A9*`A;Su+oROH$X|LJ=#C7 zxuH6AZwMP<1qG#S@qS8NvJTw<0+%v54Qc23915DF*sS}6L)4Y~`367~pwF!^pcHDD z*|R&4Zo2g8)85n56VTXZ>>~?;q*~kl1}L1kX~{vzu<0D`@Es{&rx_ahZ$7in@m(rk zI{)>XZVi$2sNI@1XuuBSwj9}6VWJOh2RH>x1l2_^R*x}Saf*RsR#f~gg0RZsCJ-U6 z1-_dAr_FJ(_495v_xQN2{5n#>Z6F*3J7P&TZ`J}LWL2aU6gpEGx$hR*pMZlfH4Z60 z%)AaAI@GI6GYV85Xv~DQy(YLQBS^aCr?W@JAX9$|ac*p>$*Dt!wlg*^5r=6>i(Wl@ zt~Ba$ztd0gh7u+qF`(*j#KEk3$-|f91DqoFqRT}~8l-{RA|JTdJ51DrbtP`IUZ*FCpr?~UXs8&3}(7aP0q>b$%`iNf14AQ{c?hh$Qj<9+RHWk)CFT6c%1X6?qaL1 zU;n6G7Y@$TmoM8%);T&NX5O(_Dx`88$r$v!QFeY}EfeJcG~cSXm$(XL^L#_YZ78iJ zE4_QoQ9av*YR-4KHgg0MVs`A=brpCD3D6swDOwy_(XFqJCLv9Rf<2i7M8R|C@9TeV zs{Vf6JIz+{)p}FT@im8`t{6Yrdc?Jd1{ zzPb5+$V5dEd_H{qIJJ#bwCNh7U-+gy@>3Ac_(ZztS&NUed(Vc1++E#ba8|QcS#MiH z&&Ix6r?20JITij!69zvgre>H{aT!i+7&jSuA~+1e1PV;x%yQhCZX6m%<=PzDti?G(nTZ$ev0~j_x~*mmUHz*f3h+%cFpHe2e^>$6^UNlN#;?d^$5C$~~vG zYT2?sqc!AHP&MX9x&X-_w<>!!l8taRhD`;+^PmX+u*Z67YdgD(OYUCCDJ7i_O-j$m zkml!P(p5tSr1JZhsx{0O?Xhh`;=Cnf@CdP^{1l`n2WJSC%KA6f1m6wg`QQOc{~Ugo z95y;26|*xuR8$S%ee5Ae`kCAskVM`V|Afl(4Wa3Wg4}T5 zIj4+`jD)aZO9WGXfATIdfz+eNph-tQ1G$YKK1$lW5}alo!wlYOhFLXd&kk_ip})5z za^V9r%hg_`PW=Xl4v!#H%8z#w6GvdfL=!|GLfcWCAM-iDQF5OQ5uI6N%L zyK$&%o9Pu@&P#pd%xTX$8#-9IEzywefDX*(c#?j4$5uKqxAie@6~k9)D@a@Xi%{&Y z?__P-w*(UHubC-Yyr_G+M4k1^tPr&PG5Njb$d=HD4<9~0Pr?Zrk@ooUoVpX8I&?Vf z8F5aKcAS%GRKJ{0y14RZRt?X~_Q2IiDD5$kyhAzY2RKXw{x`W1@I*C=fU-TC+kN+J zv7SpKpEk&N_NdGxc^i568_`4GrF>zBWUH^iBgXEWx@@;hH|dO>_iRU-Dw~v*8(CNs ztXXV0#mDr@k@i+0+osP-@qzDju~nCrUcA7}OsQw+F_{G>K`Yc`1wZCEo+=}MpTaqJ zd*5^J$oap&BBY(&kcHUgib=*b+sIHmbJfGGn1eZMcINEDo3@(yl~Y@Q+PT<{ZwzPV z%9U;jT5sP8{Vzxxw~R0W)=kt$-U>(@fR)PSRK$@!-BhqM%7Y|3cGI-D_3E1skZck6!`%g2A9N+ zzH=|p@Q|seEFRzhW$gFA`CAUe*Ubo@g=MtomL;Zgg5WrHD_Z3ah@m|Gj-bNN-SrB zc@ipZfypBOf=V$kGxNq!g_m|zF3f$n%{5`o-LjwInLQ<6^Dug~I&*gBxos%HkZGrX z@7j9{FBn-(iM3)*ANT8xYVF 
zVKIS{@t$^6T?D4v%q<{Jpy&rYP*QEBGi`JW0z$Iw=m)V(8%{$&fRxsM|5m0CfHcM!WEaACh; zJ!Zwl#@-LUb|XH1qtcPeFJG7;jnZ1>?dzNFx@6Wgr(xLi08Nb`-;pr(Q085`cI`C% zAZ>`Y%rJcCPveKU<*`#Dc5?EQj5Rw2$^2DiAmyN`CvDui&1eUljFb>pB!c5+AyRE zQ=nsJ)`#}_z1F33=TfYe2}A59-O*X06WmP!fx2XTz{uYF*E?D>)aHAtf}OANEy6A` z-pNs=KF6@Y3z;-vm%`<2r?Aw!2$GVxD!DNVEC-)E51}iLb74I88dkH8`g< zQcNY#K!dL6&zdE^4|x(r(=LREqNm{4-F!Nn*Ke-&PnvbwdT8HPx8YyxRMTUTlj2^X0vd7-@qK1ZdOW49pFGBHNdV?CnD$J^xj84Q`0|v{(Nwf z-tabu+l{`Q54(ORBg64&p5+zUG^fLASs8I|N{{@WXj2WW`MnvvTG433y0`D&@1S;} zGZTZuoRIZ(iXTSMOw)OOir!=BcB*9bFbj&S-G?jmckY(F*Ge;0Kf6$Ws9a3Q&6%b~ z9v<4@Eb|E_qQAR-T{K(}shv7?N?7`6`T)6t+1@GId}lPGMMl?U4%Dz!L_^?Ve8!-| z$5q-DAqCmt(+?hz-&lLX@3~pd0R34l{n5;d#&>~IL)pKl*eZ+RBU+_H=&4H^E=hDF#iNwBm|Ud)_LUN1|4`XNa>+t0xCc6!)ioq=7d2W%FD9Vz9!O zq`4W>Y6taDo)vQ7vgDC&daTk|H7^{v;eqG%GUgyGHYyG6^B&a&&Z$R@-k`Iqod+;6{YauO-K|=arjYw!L_I z{uLvOkv+TlJqZ}n=)@N4zZNDs<@D8mpff}0`^?NC$ln2Ol+H~%$$8;R@4ozuW7IxC4Nv%uHjuv{%)#~_LR;36gbp*;Ng?AFG4)Kb#sE3VF+Ja?zwD-jlnfnl{)FG0qb~ACOiHJ%emQJ$X7q-uA@)O-+qXJv zkag|5v*+drSY%o>cx*XNJ@j3nwo8~_}10F zdardJOH<-QG3s zu<8#Z8|Cu&Bl~>jsQN$4D!!6=ZEKu~Ar{Xm)Xk0@x5O-#vAH8Zk>dCr*6S^96WjQ003-eLoXUQ#$HBDDiq246Ew?w_@QsB<<+*!L zgSHmitbVB;J;X3AD?FrA`1#Auhc(KdjVRGF8Aem`~6#o|!=Db|}e z-(1qdIdYVCeTAvz${-yl?ewuDZj?P-KN~u(l`vBPoujp$I(6zg#Mx#eZbTgkGf}!x z`q1`$t(-@clKu3p9?P#>h>G|<^4rJBGJ%@o$G<^rCM0!$LIMG#AoWfQ4&l)pG{$Qu?`LsJMUG)T9r5+vFnF;jL>0Y9K^I)otwD|+h710*2 z&$xM)!oW&86b=V|&)|XSQrZ%s#3;9z02G7DT>7BED~EyIA!H6jXYnrRZ1T$A zJ{CW*{U4i*X->CDd1*k3LLVV!qlMT3$O!yh&GGHD*b9#QblG7&@l(xjU-Qa%nXojX z!sX5G@RmNbthaB+nQLuz<2v{?8rzOm{(_+eK_dTdyH^^8wn|(4j}~B5>_N$l z=d-_U(Vlm5@s7oZDpZdijb8Dws@h}wW0lUoS4o|x#-BK0O58~uJYafs>-J7&i<5Q$ zg!Z8s`{ge~DkZD*4`OwL>t{nJ!gSm7e^pl_~3SW%+tS?vvecKFbt zV9M*3ty?P%8kAD}>juL`GLNJrk~>Y8l_y&R5`SVdX>8liSmY`@JHPBz+5UrOnP>~I z$ex!YI?d2lEq94G3((|L&p9|@T_;rVD59o4Yvh#KVztlpNZ>& zJ?n}*pQAy2q|&jLjw8cQQSa4lU!WRs={r@;AP?uhKKu54it6@$P{5L@UmicK%-J6o z@wW}}$*jnn7N2K56*Viwe!}qKm(o8sm;g%BbMTl4DzZ*YCH8Q~PdI>@M{TKvG2r?J 
z?xjpV*krZ&MV1Kun>m@o$BuE~xN>fyuP2Mrl=%v?D3Y8_Te-W0Cl z;}V~L#d|(vUc}#476H_mv!Baa)jF@#V&v-h+)%TXk)Lk`k-ryTF^YPqr$GO44YFCA zD@Je>5et2ddBS|?TqiZT?dS-jtt23*~ z5;5>RBW+jAths%LwtX~W@?f)f5b424tD|P|sa|{8fKK1u-=8=ndt;I^cfca0kF=OP zIoT_}=M|%{%SKA(7k16(@}M#o_lU{w=)ZjW-9_=%T|uEh>1p8M!y!bJK&@sSQb8PS zqH?b>jI~%<=E~wIU9`;yKc=5r>tgq%i@2$Sn=C^aQvuS~AB$tK;PD3y9vo!eTV-lG zUZj(4XhuRjoeImV`<^;@@HB7yke=5YtXs4!1N3uTfYtJY<0&;moFA|8 zyfOe)pOnk>FuNs8K!a%luLePzITM?eG&G)<8DfYW(Bw)gD@_THx1Yw;{m_GF%3R`` zHE$k`Qa#wrnja%St#XOwlVzpo^K|tiYm6}@gO1>OwTqZxVC@uFK9-Rs@U$T9eKre*#$Dd6(*gp8qo2Pt@X!!keAt6JV7P7Om z`&LyoHhu}eq{Eq$a)t_Gnf=W zX=W5LS@A@?uCK5%7k^5(BZEx1rkF`DK}f(^&^f)8%YJR3STe?=D51^Gw{I zNV^dA@Qxab#C2(|5!N$+f)B`Ra}x$^mCSTKy{g={>xC-x>sNJmS+yC!qxiJg?dWGN zH6!P(Y`9m5ef*UxkJoq_7vgEV&?qeX1!$0giAkWD!FpukgZDT1S?lhmC$?5EL!E_g zN^ia93Daw~e(c1*PM!?650Bk7-Ht80wb9btQXgGoG4f0G*QZ~{Z;SwESdML!!+v;V z)0>;r4+#g^n+rL4L{YA_3}^STH{KQST2nu8k?(#F^dT!}%itJg2+u-c!O!>T)yvMw zqC@A-D@Sf`%`k}%8WFdh25>>yuU;u%+}KkkM?>mx1`?h*kkbB-S7dS1<7rG7N|->& zMgvaVw{mg)vYzsy;X*(1@&%xtg6bz55BvF@VUjhg+}Y=1SXdU3-pzU2BQ9B{_Zv8a zxk(Pc8t3;adUC>k^PqtPhoTdLSw9o?QI;C|4ARIs;?72H zrHEdgJMxM}(o!Yk@PS^t`a=a=;=+xGE24%eDb3y)K^gx&(51P2jb}(TK-vbARHGhZRH(S8X{#CFb+g~V z8Wxw0@S(Icj49IIw^GR*N9GF8X89FrQmMdF&Q4CUHI+Rr%eM6D)=lT><5@ruVId)i z2BwRUsRG+X=Q4CgyS8oTTUnizwwXP9_A|u2J^J(s!{g_eRx_W`p;;HnQMs!%gnE-d zn1PJziWu61m0l6BTm9`nRRk&-a~iXTtI~^ueOEDAyCR@f=lAQzQ9$H3_e1IHpZICo ztAyr}N^On?240|WJftUC`wSB@880p4aaS=a%nvQ! z7*qbit}c0cMkk0_Ofin{@%>oAvzVmXHLs7gkXUwT$_d5iqM{bi89jLXnA<{*2&Er! 
zo{KN_Q9K$lu*igtQ}!ZbJM#64fcC`5!Oo{l@@ub>Twh$zE5{yt?9X1az0`*f-?u?a zl{-x?!S1n{;&y7s?bf;sCHQ$=OKtx{hd7~g!sSl_BhJNIC7Y#)fIAwo`06w?5jiNq zXRb5~JkNQf>VArl;xvPDw)g!9J-B!8DaxWL<2p9ymj&cIR8UVLk$Uf>IVe^^A%5ew z+4}nZzWDafNHBXp`OUqPMPIt+51?$6_-IpeXXDlqfq{*M!sahqf&Z>C9eagI&#|x8 zZO8w2B%;wLWh12|$z7VfK81a)PykacK#e#W~cB@Sq!fd?rW#UmL<>F|1iKvIW zTfgKwy44!TuCK`(?45EJ+n{2UanEnMey5&X7e)Ib?hD~Q#NFgBaT)Z`QKJ?h3}vIJ z!Z|e6-rTx2)8BD+x%?IRLTKhMi;Nj5Gq;`r0wuK6p z!5bxGk}5l3ds{W5g$s+RKT;YKT_#DE|k!@Cim)e=3O#5UeTMY*OTpR z5jVGRQ5#5Q>V#ESOrbTTxVW>GzF~&Nh|$11B{ExlyuE`LjMQC1O@+=tyDXplpg4x| z^N_As4N1KL7ltxWq=%g5I`w?g{el7uuvgRA_2S-INwRli8R?~d`s&rp;^%>s z*#E}c;^&*hnILU8)B%OgWH4vq)`nfOxa)l282{vp2T2?8RZ2%C%Sua62|YbOoXmq1 z`E&M($O{*k`S1u)w~5x3^BepOoL+r`DVsi!&Y9 z`jjYjpU-mB(2PGZxBB<*;e!XCr}<)}+LqFLML=g&pv3ct_3p2TDxqL`imR9ta=BII zFQW;e>hW5Z`lyShsU}qVi+fqYU&I9SgGY~^QT4aoX?^!boO)GR3s-U&uKhEA>$SPM za>zXfTwAtk6{OWH+1xXKKutTnpV=caf4sCky>4J*aOkj;1+Fcb=Q%P?8>+;Xq4I`s zEN-Mn*s~&l`yg61EyB$ubOvIJTD~Jwi=vY2Q0-{RAwtK*Y0M2&yH&QHh@-Xb&YN|m z*IyWWMUqPAhGxB3Nphk4j634vnBTlpxPjQOsDb*=pd8HMNqzcRSE=kj9$|d}KmFo! z0ZTI}Y@GQ8q7D{ukx`PiTb4b;_A{I7hN$o0PR>!>6eF|Cpj>#kZJyekh888>>{o_! z;yNy)e0LnBR@_bn^CF}HZI%6{BG!dF_<8J9jNd>umG>%B?b{0#h_%=c$>Vt~wahkW z_gQ=MjF|i9hSY_qp~OMR$JdIWH8OshMDnzCV*ygQ{K-jeaTJvB8x)a&A&#>gKT&fs zjAY!HGX5h-?)fBdSyu54RfVpeTuE5lXpfyT@7})kDW^822JNQTYTny+O5z}JX$?%w zjD+|xu`2%)%)Bxl{l~^f$o@I8#(~L!xk#xfFMPyptc)MeK(ZitnQ5y#y6gfSTaS8V2f4{++yka`-67my!oqD)`-k#b3BGY@M3CP=ZzRSeE7@- z=VzF%-lPKTHwc&s8Vk^J#&yxt`F4sJ;e)$F$Yr#yZhrK_}w zHqDP4GkDM-^@~ItA5%i)k-z?mowKD}HTgyD$bYJRn=dvzC5GfPB0l?2j*Y&3HT=n} ze4Wa49x-=si=5FSWr9P)LeI_Otst58=~w-b8to$f(1L*sTigfE%OCR>wR+iiLYE#gy%UJgE#|O>blOJ=C=b0Q(6d@$6OH9)mrrxH&`Y ztWJH^KJN}!n_TtThrKpaU;lJid##yNEaF0QCg7OPPA}#<^YR$3+qhTuO%h?i&69*6 zTc*M^UCLz54b(3oCu)c(lk(#YtDIlI`#rY(E=y%c%@ewXUzcpX2h+_lkey-`0GZkQ zOxkBDVNpxHU_F7=V%TzCt~*6MfI{#7srU{6%m5HP zEBm%}1C{@C0&=wL_Z9R9wwMu-cf@-ktSlA1*Z-4_|BXr=E`n$0mj4t0spevQaYg1! 
zpL>vAK)KFKT~Mv$>rJ)p4Q*nKgI{=xN1W=HtO6GVj=t1llH`H(0dBmNACzgj=3HBxIuV&ra~DgW0|!1XX{{4ZgrFUu0YGcuN6SRy3_&0Fpv38cRpii# z6JNI(g_E~Eh)B?cjVf{#g^P%H*RThp?E$8-!}$kKhAW>Fs+I!4=9hi*ntzV_og32k z>KCW~P2V=n`lRk4G~?=C`KiTGUJF}jhCe!1$fe&T^!tMXzKoM{TbGdP($Eb8>;li^ z|J*o2cC>+-f6gnhL|=eho-sRVR{L>mlDNN<^3oaGrB6(lWKxoXAW6LD?`~`cJDj1a z^uRz%bUU24iM5prqGMu|=%A_a{Qc244jf#^o{}bL{w_}}Za3;@nMOteMa^gLeATUQ zApJw(ePzveFA2c$V^p*KOmL;z)O-#=&#o4~xp15Gjb@K@l4aKwHMDZ!-y?~-y}VB& zjHgk3GUAVH&z_;cpGsO3g2^AR78SqY0kVyFZUu zm=C)uphfO6Tm+qKO5w#+@ioRrDW`(WX<~z$HCF96+Mr!)>f`{_AsGkK4m>_FA*an4 zY>1*8>O>;5+RUal+r!1e$(+n|F)}jaMQDGE(WVp8Q+PKQW zLH=(r^7w|9cQ;r{hZln~qvfQf`}1(!^aPo(=_IMU{B?pERktB+EcQUo1s+v))R0$A zuTUaLyo{ULyX~0F33#3Mj>+Q?I)6%#5hj06MwFqOlL|rC(Amkh{Qc?ni&2kWY`A^a zzN@2We$SPUgQi!t3cTcgI>Y&&-J02m23Kgboj7dR49dpYf2Ukn^dGS^kf%L-^yo!# z8Q)bCWxmT~!~cl9^B8xUudBPuA*t4dvht|8e4!(uk8t~(I+nSbFgo;1;|PnmQ&q8v zG}1koJoz@%D}!;0=@4@A3)K)}r*7Ij)4#F(Oz*YJsrFdQL#&IM45zD@y5RZ8$H$y; zF1}(CIhDy00cHvW&Bc|qlWPpPPle?(a-CsAhNKn0EM7NmG!8}PjwwBKFK`LMUo(hE zg*R^u?)5WgXXLeO3yB^$Tc%Fbj#vBHV}*@jf2|p0BeOv9zX3FgD_bjl4ID^0hzaA~ z`_KCIMZvlWD6bUp3~)2<1dvEGwciPeh(tr^3>SuY~>y+5rew;|`Bd^X-1O<}pT1tNd6+4243cTns z9$uK}{tNc;_#GP`|4aRUA(s{rI;B@H0g~)y$3+N9Ph#2!r&!HLzJDser}?r}>@(&Z z9hvgpPb$H=;#pS0ENiZ`0Ph|YyRpR4oH+S#Rdmo2ZOa4ypE9kt`J2x--gOckin+Yk zcOZvgrf(KuEpQfWcIH?k%Qk3NE+Mxb@yEo}^pd!NbpQ($Qw?w{?IeD9yb zk@sfZjq*NSx~zMmW>d9>-rHK-&$$$hvI+hleoc^ZV)Y8`>i36&m^dVXNeaI_3F#w{J*{DwUyxc z&><#%XRr2+iGr4DhJW@d=k}v;PPW5ChXgVz)-8Dyr5h(}&P#3=WN%-?T}k`fJ;k_h z50oCObWENOT>O8<5pa4zzx^9Wf_L3{qt*}@e*c~Y*PEWZ6P>Xs zY^R3f!sKdPK(ZJM%)jjuzW2Sr^W0kZ7FZ|Kz;iHKd;du)J?p>1rr5n1lO@N-Yf0{K zPeNnnB!=?AtC$iqP1=&ch~|tT!!2b6tol9Y^H%*F*D~ye!4AVy#&_-7m7xclZ*3%% z@7*F+oSy5a-SdRMjnme?LuGpjb@il4hjeLfy&`XyIDKNKKX}W}s8b~sp7rsBs>&DE zzIN0(piC04w8pFUEEhuSEF_dmuVNIh^YWOy9V106JP;2jZ1_#8Sm*FTZd(-kdLDL z5-y(Kqot*86HyH!bch%G^l+57}~^Nh0Rma((H-%qWD0Z z0EQ$xsws>r{V{<(q_FNK_YSq)M_6hPLXJ|ue#!6WOJwz{sys=$moHp+N=xwSr*lGQ z>I+h=f4YdF>x83JrML}I*g1;#r_DruT>169_gw4YLR{F?qA`T%3P{0&K~mkn)rSnx 
zV`f+cB7v?z#-2NW9ujp9QLh0;-Q{)X&A63SDO3{(`=8uMY>eGCWr@YVmy$gP&k3@5 zd%^1rt&gZUZtUz8Kkw7eh8%oT{Y>7N*kf(;ldCuU$GK_Bzru8n1W4uMwU>f7dig^c zYBMT_l3jfq49GOFGMqYDw%<$W<j|S0$YaPXry4F53F~A1%PK z)@5BwUWNY_6hV^Iekm->zPRHoAjONw)_(Ye%cSxsW~c_yzav5j0v0LAXn8p>ct<)5|JyHu2 zoBn=o_?ny+YXJLUlpkK1U=3iwz8{T!bJWAuH!*XK21Pr|%wY+rgUEJG6_e4MR)yz@ z1k5|;Ft=XKdUppx$AEou7M<-U`M#*?_AnvuQ_K zv1K3{!5i}G!mGlb^f+)_-Fg=bznuGRdkIOQn&KxoY8m|)G~FQgZthi z6@c`t#tUW(dw>Tmb6WN2@#E~e+8SaPS6Hvy(HqN^qmu#RT9?wt!DhmG2p$%hK4S`{ zOefJyi}sZM4|;2L*(myE+UfhNqK6ZOjKUT{*#z;0n3!Dlhobt_Ud86RbE_r?myVn? z$$}QwKZJ)^g+*)Qv5R{wxnoIB?S>WMHF$k;(UU zOQx8~UhcA(X0nMj(=vqhlwQT<81sd)(ZeGe7C`aECf>{NfdlV0u;g`-w>{E3`Q*po z0{hD7dPP|K;INvrrS2>x%=IWo8?W&YY7RSO5w9tOaraiq$f2jB)` zCP>Nqe>D#_V@}?s?8O=E@TZ6_JT5XHx7>DOzEexGl!O1jQXxZ<+y5xL_FB6O1|kDW z!g6khgW=3QNQrrTp2S)o;3dg?K+UJ#x#p86dzr1gR~I*3S5L27I2Sg387W*94e*vDMJ74~0TQvgljai4~Z`bL18 zvK!*&-Tb6_&jcJlG;7!lYFXgflCjC6qXEbp?9kkwy|{m}b=5<3{4)%3mt^BGmK6dP zYdvAyxEJpqY>oWz|4)Hg9{#tbz`NxlqeJ=J4C#jb8$G%`^{R?tqacH_&{uB4ikl~| zn_h8vqi5W2By1(s@>tjIl1G`(o`neRbwNnjC>sW4IAUk8;sBtyaP_Jo0|E{;bMYhP z)soLqO{i&3b186f-gjJW*|vtlaq>KjS;Dte1}ktCy~W0S=YW%LpN0V_L_Oqs@fVE& zP3`L%2@*rq>7*=dUm6c~h6^+@ppML^1oXY(GYIcd3rFiXy@xiY^4&Y3q!Ye8& zBJlFr;9|w?>C2l9eyUUTL?s;C&_9L*YPi2oZ$A~kja$OWVSmjI?<*S*#So3jaZ{U3 z4J>ZNbE3;pqqr-f?kV8*KG^*38RITJD2nzo)0G4O|+?eVc|PcrSmf_Tm1DyyY9 z=Oj=>aDS(f+FIciN4LHd@k_FlmoM1O9b`Ub7(~~)#2AtLqPi6gQ+6`?wwMd+YWLzj1#R-Ix#*(WMUhk`S42WN=r>nb)5_IqZ zqz}n8BC|q|#BTZOZD9-iA^0p||3i@XS~jHtoJl^2K5KN`n2#Snu0lvmxl3YR(8wn? 
zu&Yf>l9w?}PZk0PcV~+-d9fl5nxu4!yWdm>aa^{(a*#`*7G65Ks1y>W?hikpgndCa zRD#>i-hk?2tMs8(@>pu#^ThwI2`OH7xx1uQ5sDo*goe-x47`L04hZed%z5)BMdXby zDAJRhd>DPhPw7vwo3>#SbN~BOg2ebsr2CM2)O5C3$B+`e#*RN_AVh75P$DZVb^H(p zJ>@IU?n@T*TB$T_nAjng1qn+{pCxVpMBdU6jdb=kL?bV6BP?`w^sXmCmNKXQ?Z=O7 zd~i^N2z3|5^05TKax`B=)dxx#Mv;$PmeU_zC2X(P+p*0(< zUF441nxy*pfp!(I6KY$zV(1e}w3*Ag!<`;<5RD}L+sxUs``-7LDm;r=b{+=}>xDxp zRvENr_?mULgHrQYT7NP0WF}IdVbCrp;EK6I{&gGU4#}%Q4=73=l-dm z-%QWB-bm^@)_QqKtgp`ToRTW0*+mmG+_JKym#vezOwXQRz(3oKj#J^bC0DIx@|OX* zI6*JtoWnQ^$}-;KI)F6=iTO9?HdO-kf70u52TjD#?kp||q8xA<(X250f7e>3);J^E z+qZY`eByef{++1wiD91A0iNnnP7?VL&Q&F8lI$Wuz)bG0S87DG|uep>S+kjf;|!(##+%y$UaLX^8LngOvq1sRzTP@C|v@{OusF2p+DgY78~+Sj)KdbX{Fwab0RvhdczT%*hTu&_=cvoEL?{ znWbA(|7{S_4Snum8=}*;&_gH+6DmCBA=!24wisxLV)qO;izWPe>;1cYt!EfTrm*w< zjW%`V2-9o#?p~6zEQaVrK8i@Ggj-J*k^}^csLgdtlr32zd&HFb_8B`@NH@3q2(ySh z-P~&fIwXfPdO7x&8(>_`>Y5swn#Bp4Q=U-kA)r+>ECN|;klG-YFxtHN&z?WCB`3WN z212zf5sEJ3t}+Ke{UxT4Vlza|qQTkLSU>3c5xR;k>VH^>i!tv(qVb{y&PvUVtyu2F zD!}d0Q}t11MAv7vyZAHfmIk4IeaUx)3SSQ6lttEZa(A*&Wm38^Q%H0VAs4_vdXni<#Q1 zYo=|~n<<7;;bVStOXUeb7;<=ylVDL%!2Xv^z} zFfivn4P->}Lv~LICZEp$^VzzJp;@`5niS|cV-vr2^uT?KLO2Wj+{ZwOj|D{FtsJ(t)HQmS79MxTW|S!Ertn;fw$Kx@~RNm|oYZ zb)XT0(1$vQ4Y`D9k``+1v1 ztt2OlAimFtiyMV+`+xpPm02~t>_ggwkQqTSmrzhV?i=*H$<-1Kg6tWT$h{j^be1S+SQY^R(s?`?KYxaQgR-x}y4U zTdz@Am*0Fptw`dpsVmb@{#Ci?bmYoFM-+~;8Ibf^%J9m$k zy&0@~hN|>p#pHL5%D}tQ3VkH$*Ac^OQ$zXNw7A@wI37$qBH(vgX(uW46BmjI%6xlb zB5EvZ${(Kf74_NNj56NmFDXF5aeZ}*(mv<+>nx`kf<92H=Z?dPnq!%8%bMr;dqF<4 z2o1&U11U?}jvC$VV)ERz$Id;b@p#kP+9hZ1ad*SS_@eM7u~*YmI+9xn;Ah}P@pQ8m z`UTLfUF93ut*wlVjLs9T<^-xuVNh;9_mzmcL9L$vLz5qK>hq22n-?w?B?C9-lUqdn(QqeFXxFyt zE7beWs8Sv{#Dsx}Lp{-{rq<6prZEQ>XZrVp1I5(Pz=6}y8>e1RN~-_cx8vmcxKs54 zD+`@edy$KR{@O6Hjw`Y%sSnHm^@b}ekG}no!b7MsNqRmH(X9^FmXgK(Hb7uDIBGvE zuMq(Yfxu|2z^wcCBZk>eIh`G5Y!B|JxOn8vM^%Yc3Cr4QGH@!!m>wQ1P*F2sd-ysd zM~kVTT;!Ff6<>Sj_PMNXX)y0gL~nCk{}fGCC6&w7PR;t0<5`bI}|XC;e;9(Q|{S@}b8-UI*;(oMcF zC?a5@5TaoFH=J>r!7k3?yqFd`ZjWC}`l8U2{V`eF5>0?p08{uY3j 
zxl8VHK`TIZ?~3LAFO^qMRcApm-+V19y?OPO^Hu~%74{W;1Y@E?w$}*8f>0Qu-Oo@j zrC&{$7*bCXQ(e{Lr^27Y)_jfF7vEan{oX~g=?I>z^TZh04~*eo{d!&PR8X58vE>}4 zU8hfRcgEc6o4hj??R+!};FP;}FW@iyw3}{xTwJARU3xvDL+@739#85ek`=u!_8U+X zE0HV-ytPFISKl*R;z$1e{hPcxOB9k{zh=<$p5>OjsR2vfE(-g{`!GJ~II0^2bdoGp zMC1*!xu6kf1)sjTC8CtluQ;z9x(6|d^!h(3s$0&~*A>)HFn5xY+|VzY;As!SA&3yf z_UDJ3+;qEqgC`QXj!i*R9K&(rejQgBDd0sYOR64S*-WcQAIrZaUK!#NPzv0vjY&1; zVy=enQV_+yzP|KI09@&@p02Ldr?(%FXr&2u9$Bc^_Wp@MvYI9&G744&r$)Jpm-l?i zQa~Q)dw!SDr%(_H!7G9ABIwdWEbm5qfJ_ar?jzCjF8$5ZPQ;*?{oS#YBQ7Wu*j#%YR&mr)YM=R2&ZmZ&^s zs^<#z(^7D?EGp7)hF?ACPK5{usldSd>FM+Q-R7(Vauo~kHHaH&iM9dV= z`ZmRzviwoAgA%nJ>;ZR=hzQGufw!>mxS0e-{}8U0*f_1Ug+$^}bF1?f?6R}~JBo#B zld?qw@2Bk>-XouWJO*HJ6|hts{c~UqLPKZy({;1I{-TZ& zLXIVJUS~dj>igO4Q9NHlR!X0_97AXE%e^9Z9aNNbm_&?RzG6k!)k5&iMiPqi0CSh4 zqIRk+O{xnMi&EHxn4=~*&Q8Uo{WR+3K=XE9(%pOYx`=<7$GbiSYVm*v4S(qjh36x* z5+;ZqaH{?ym1$$mFG$1D_{NG|lw4@-((oReeyZvJ$!-yZ+0WjrlsW6%Ddf7C}>*h8a-(yT38Icb#mo*n*Kz5n}9 zrXEzN`?C8t46hLW2bmM|{Qv9c4TFHqAr4i(+K_(qfB$3SMcTo7{2ZNo!>9e%Um8R< z73%SZi@;RibpGqp&Y@ior|ac*tE@6ZNXcRtY?Y-1soX)y?HMEpG~br?E^^E`luBaH zJ$w1mEh8qSwyUh^$)8%O)|)He$f{`wo$ikuiySeH$r+1!*lT34^O8GT( zRg*bzv~Q`z(&??qShsbTTd8&5^=Z`MjNe+fH;j;U=y+hP>}57uEp&=HnNcDZ$E$r+ zUO}A^EDJE>&z1#{FuR3}lh8Pod$j7h7>%vGdGYxhwT16I0UVt{Ta~DN+JyBn-}N?f zjL}Ve@WIQDU3+_q~t%c<$%ED}KJ; z>-voIbAHYQF9pUo8K4w0CC`-dw`_|cDwSIQdqRHP< z#I}o2?@$4p2k?bux*Svx^;;e2!dmSaX?bSZ>AUA=dg9)0P*Z9!34XTVNn6?Rc1y$8 z$x2-*Glz`I13#v|Dup|bO0~L`HF{;XWA7uH4M-7Km zfBm9s$V+~&D{KDky!hSw2H#@k=E^<=)jqHI<`z1U-(PRnwNtg<#I`^WOd>L`#Gv90 zUbAQo6$4?jLLo)i1@IYO-b36w(g+cT^vu8x0Uoz@HK?_Eoi7;m%)v zK6UpGkyK=J$QTMUx%2f`zDd^~1vdANo_=Hdj2hkEhqawxX@ashh@vO$@83jMEru3z zq3)k@4t%bUx$lS!#2XcONt*qAtJd!};}`z&dc#Kf$!SS;`G~0QizOV7XR9qP4Kv0N zmqH{*vZG^zJakzsoPg>DhNxXn9y`{&zpLiM^Lb}^a5t2XHU9XSb~>Q)P?)#SsH7Qb z!C}`ek)dc(;H@Sg<{u^QIWrMb#)x(c>)N>9B7@MH+HO0TGh72>#PnH5{eKQ-+Aj#g7yIt}MV^-K z#sxH_&e)qGK$=;MLxpN3dkz1*P2?uBZ>UKzTpGS)foyA=rWd$3jX4X|`ZZQwA5FgY zwPiPJ$)CxcU&CmA;ehDYh&eiqKQ#%tPyO$OktSW`C4a_bqi=a;YzS%a`?m2n?Ex;w 
z;(jro-txIe-j$QZVzVv^oDJ{Q`eUW$!xWOoy=3$a*!L1k?l;poMucuTND9=4WbKpm zxL_BAE;ImIUG4RQhU9Q}>;>o9bQP_d?>aj?!gy@RFVx`L#gUJx=+{Yi30Pz9UJr9& zTTeacU+DmmN$*U;;Us=4^`alMxP|A^g?a-odC7Nsk1Z-*Zh2~A|q3BmFVJD@EP+iV`bjN>$7Zs zX#ZoWV439H2aalE2dfKha-|%dn>n5}rWfo}IkdFESKcRk*)naql~KZ7?Jvum@_)@% z-hb`Xq&XS=U8gMJ>)@6N+USPAwNLwob{Xz_swXP96Ij%bX4HIg<$MVLxE?C z9rU_C5owQ>o~t=yEzHu^Z?_~|x`Lf+<_Ni;bU;6e?J*pBZ--Ut77nzY^@tGETldU! zHt%<<)$X+K&mYd~y)A3Q@}E8VO0W=8#pZ{;_nh;@#6;bU$iTJTBJXp~U9x>$WIy1Q z9N#AVCwzrNjY2iMWq6R(g*U%IXsm$e8XWpwK)E9j3-6S2fQ!Te7_+Rm153? zhvTDdo>QpVHWBHONWrfwX0CU5-IhHm8X50C{H;t|#3OtMZR>J1gDqd`<`2G=5d8hi znj>!M)!DlF_|)e)DPh^BdPd);gT>PF8PyW*U(b!Ww-&p8F*Kj011^|oFDU<(MKVch|!t{RKdDIesZ>Cp#D+k!8%5*}wD_@0pN-3+V^ z|KSqu*3!$auvNmpU@#m=vMYrdg((|K`Xn&5VZL>+s-`BGi~vCG3<9u_gC%ar+gl#y za2fe1C{j4U+B-Tb0^1JZQv4FKcYcV#*g9B#rT@o;DfN`iGDbF?op`!E8Y*-C+5Qe%s72QM6)AN zap6w`ygDB}VpXCWC*zpDjSJHO-InlA6~QjT#JmLPi{ul`l^IvB6a&f39xY=KK}i1& z87#0O_X2rQ0xltEmbjQRn-54y?7XS_+RhXNz%E(JLFD;Dc z8;Bmvlq%5fw#{W07oUL%^r4B#$-&Zm&?za*M7pN^_s!yYtA_$#qFqd7ztokf+5E{k zzZ!3$-T7`@+;;MmDS`0sRB;c>oNR1$-r@UsBsUdpD@=j$Lfc}>)NvGH^&0Na}`MAef$3XS|5><(gmBgIXW)5@=&2~?{+5+Op9t(KZHC3be+L zM%f=-&3_!>!zC}0_hqjA-?cu`lsBThZm2DsD)jJ zM;sp+Sr$Lv$-)vP7)w=Qch69Ff|75B(>)zJJ`9!lG1>NGR(b#zr6UhhXvA=$F`->a z>BEy=uf(np`{R3h7XB3&RZ|bSos>Wji#5DGz~@;;fe56@VQJ#-jNbxrgQlL0pyO|M z0bN*+7#u&baK@%^KdiAd;W-U(lEO=f6oU&?HJRT$b*;a5uS?(a+1Ao>4M52w3^D{+ zX*XSS<`rgq0?^#r4zM+4;R8Yno~RBY2R&a#77fj6_qgEq?9$`6I`Vx*pO-P*Y&^sv z-1~;DXh=tCN>Mb!5j;I68Op62H^je{TY+2GZAmB!Fn9(z_{sNxoUy+-wLEJmDiA-M zcm}eq7%0hnzRru+tlsBM^$y=Z?iSV_HkN--&~Jfg@)& zOrg1^=TkKgUSCIpZ{-T*^Fy7{bM}rM`SJ7TK3(Lk`m{>HdX8scc+IWZP>|9fR=S<+ z#60Vi9V-!_1Og6hu;Qu_G2OFxUHqxn<(X4l)X@cPPqi-}gUJX}MNLifIZO$E;{rn4 zXXHq2{bW{+$h#b~OSTag+Yir%r5Rt}eeq@`$Lw0o4_N}Q%pdbW?{^hc+Dk(;APrNE z`eVnOjn(X~V`kDlH~FU6H@xIXc*&v2{(bjIj;FL^lE8nGo{53^$ke$kM_#4aEZHf& zjs8;PmoMCn`Q%3L8LqH1(PK4AnbJ*6(j9SylLGe*o;bxZznGTTcHbadO_rZ6Vj&_U zzqND9aKyz}B;RM2Av(Nqpi1!m#+)g4`lBQFJI9j~=bWS`+YWoiaZT}@S!v|D(1`0G 
z{bb>K?rOvDzee^*>}gh$IqGe4egmIxiS@_k@pasmkAFK(xXGA!hUkTJZrNc_rUw8* z{-U=5qOYdwWr+9HsX{3f%CR@RBErI|k?faHz`;>+agiiVap^g7ec+T)^Ub5ExR{0l zI#J4VjP}$M?i2bfWiOPJ(Fq6#x5M!d*CKk}OgqCNx*c+UlzXt20g-G8_A?N%*4CnW z8%O8A9)H{wlv%s?+LEWZBQnR#x1F$jruPV7I5zeh z1#vIPt$^m2;0J!wifXa&vG%VY({6O@*RAuz0`3w!tyvT8F0MMg&ddLv_s*^^+{MJ- z92hrNfLb*Ufbn)%SLekUoP6Du=Zu(ahd@q+n>Yr6g+e5waWi_ci+*j6rzZA{cYZ62 z^lRB9Zb#D|foGQ-@=uwNqd$tN)U!||4xSO8T$7FWo`=fMQY@!xKTk2H&BXY0`0y!@ z%g4@!LM)#sO@os>wt$38xr~`uZ+?f3W1WP>SdQ=ZzWl7`Zw^h2%)QK9s3{Y0wDyBa zIw+nKvuKKmKt6aK#m)APbCyO%z4y*#aQAd1%R4lCB|mH%2tQkI@29Z;t$BO#r7z#@ zj~!c!)o7~oB1oBPFb#lUKq&TG4`l7h_vF}?8$b4n*&{S;Ahf~hv)CRlQPYC4p(k1I z4g5*LXPKQf%P}ic>2GOZj+1}+PmxK(WbcKxlS4Zzf3eE#?EUtOwdnV^1@1GfaSzFv z=d6o%T<-sh|Gt4})iK#!T-li|1~vNDnGZ)QJ{DOo9{cG1I(p%qv|=q@n93h&oo+lG z{=H)$`*$0wXz9YY2SZg{T?@B5XhkRgU}~NFx~*Av9#$K| zi|+0{e>$`Ek>?J)cn{+w0hD^}UGRZS`HKBAACG%v|Jz=Ibn3 zUW@OPItW@3WA1Nr))+dIrXoY+HKIru{IBWw7+N=2zBUQXkqWyxg0eq%TbWN*o|7k| z3#uVkbjtP}*3XQ<0K4ecfIbqQBb*StxoF+6!r|DgNruhG>w6{->3EC={&aJ9$4|9X zUS8hJMDp34kGTrOtP;f)f4BF7XD0@okTX}qK&gIgdjMi^)8~=K@b=`fsMp<|Ps3A( zI(a7Tg+9^<=B#Fa!!o2dIzN4AB$=W5x8dk+lAS2!SX7yu=i%aF0N9Hfs<_H1H2LG! 
zlNHw9*@?p)(Cb(do3&6AYq^~`9uj|K(wsq$kw{-7ArMnX%r|q~x^#DoHq zec^edu2pOJ+0S@gBCVXNj(lb?50+F17cbNRNPcXT=91hZWH`@3sC9z0VU(VBg- z$1Gf+CfcEWRwgHLc!42|Hq^6Bpf=54sJ%xjX>J$wSmkZ09GAOuI z=J|>Aydt?8_K^3w?HOTNik7V(?0!Shun*dC70_7p#o(a0lb1X+E2N>9uT_rLCV(JEv7`e$qFMvn=3 zhxX!#)*Poh9mxtZMe>I@XD?U07Rq}Y;IQ$WP#LXbLSk{T4Yp8<8)#7KqOACvvO ztzcxezM0VM#lp!Rbh6dNxK^^;l?IPOmUzMvkFsefIYq|DTg5n=3>LhJ9xp9ic=`Fk zoT^DqyUFl{ki_AmZ#<(Pny|HAI~oCrtq|~wNqqs=VtCH`YbTr!&Z`x*YUgq8-+hMh ztLND%=c_SBC{y2Zl1_9+gn$hIvkYI_IiyEP6NQ-B+vGvAK>5nzMrD z@+&?(=jLE)Yh}`}IouItw?k*&&I3yfT=*=H}M z)~2;SNqcUuGJB5nmQxoF`uDrZSW#;#*TYj=iS94-N}FeAvA#Tx zzD6_g0YmQQ6OONm`!a0d*Aaulxr2~d`*fe?2(Z}aOa3~2!n)Z;kO+vMTBs6FTQxV-U6^ZJ=44qg9V7{YJBDO74KZ9E5s6xKXReKk>|pc zh&P*v-d+>}L^m%W-@LV1-tl$pqqr$!O?mNJme1)hB7oE@DnCn!i;f)+ONT0FCWlC} z>;v*lO#aS||GfO!CG%-scw13P-efJ0X9U;Ow`A=c(>oofHwGk;lSG+2cSG-M`0$1m zWdWIhJv@`j@203UL|sutuA~4sr|do)cl^ZiWw>GvDhZz5qj3Tw@#tD zsbQBy*)zXR_rG-l5%6yL1U)HLux0)^S{YqDvk?sgyPl2)%$AAF%FLZ3_{Q}R&pV$J zs>|N)nU&G}5Vyzr*P+&mKJA^j*^x44w!Lb~>(X0*+k{3mMvCcDEO zhZm6S#;Tgygt?R3Ezh>Qm-;4B&spB2E|WRenQhh&W)w~OmnbJ>O|&^ZnAxC~XOI@2 z#g2xMJ?QHod`ZyN6LH;Cn1Cg*yj32gkTNb0D?&**IV=D%n;6I(AKvXmn-{T46tLwb zNSqPZYYa{Rx`tv}uy&*OUoi@i)TR*8`BGch1yJtYzppkEH|jh$W(Bg{((<3Ox`RwA z#JUZ$MvCF_j4#pB-t%(Uuy^Spy4D~#5qWOZ=>5o{&=&yfp_Q5)tIkurRdIieK9`%@YwnoMJXwEfMtT+ZeO`KZQAq+0~0l< zq@(^L!t^9y5}RQV3>Y47v3$*nA_t~!R$WE^8V6$hgW)#$xth~tfa~}mjSwR%2(-h$ za2Mx&F;FGU`gcFG4&&VOY8Vxxs`9y5EUGp-e_H7@nREX>EpoRsnfUjjF{;GQO++n^ z2SfQm+O3Lz2G$Vtr=Zt=LpF3R;IfO^=qGR(sH*j&qv6=zLB&=9>nkNXa`cE)F~M`R z5)`_u=0vCN4CUXMx5ij%58fTGZ}y{6>i%|3Q;~FJVZrBSWy=mn>7Jm%pXc*V6A#u{ zX~)f%6Go?@8~coZ>sER|h+-VGVE$>@+=o89S$}R70Og3Dzh5ME^Q|~KI~jVeKPWBb zrZ8+C;`qM$O{SuBPoi{Mw97HsFW<`4bp8xXG}e5i;XXQ40wX&L_&T)Zm!9+8SNK@; z_|CdnN^Pd2WrwZwKm8Yl0wO2H%VxFp$aaR2HKkJ@E!{^R#!GxfiC7E0sXz!9YHk?? 
z1mxX^vXtEP<(VfecZK_WZW24`0?|aHqq3i06^zK*bf75{JGl_%spjx87|J5XSo(>T zbK8YF{nOX40YEDIA-8dTa_*MNV{du)i3j?gyV-Idj+e@}hJ_1EZ3wHDfV*X`$w}$> zoP!*$mz3X{KRmXrIQpQC{M))ZVyg|R7lD^b8zfp++}f5~INr5)s*SDXW=Gq!*6*{o zI2EU-r`bn#2lSKs`!7N{OAkatH`lX$h%0cEU;n6c?cJfu=XM?i!37jf%(+y_L&Wu9dyzi6Wg;& zj3=gp;pWyoTUXl6X!qAm#__`%p;Atm%Trlh*s)*-A&A231uO9o zY}1a97LO5MkR^MGRk~7oOE5O+?IHFPh^0UlR#twZngFjZKpsRS47HjPg&9mkVHWkp*FbE2O6V!S#TZbPH8``gR(6?aqhEj7i zQb#p7seIdc_sa36yR6IMl4b>&SBK{Db*b!u^x8($FXKS9t05Q7b6)Xkgc zBy>!)s<*gw?8+karx{JtOHnP-Fdw z2VzcLX;YoiKgqJ+i}&x3k_Vs%JLf(;_4S0FIq{L}XwEZuTy^TySDS~C@j4o8&c8j6 z&lXpqP~1cz-z*59NEtQ$-~!Dojr0&)nd;MIj4yCY6>&QrBi-v4W6_p|33H1(V_n53 zh4o8xDa=@@>;w5`y;AI`}OOJad>a$j1*j1sUBw-rXI@C@pmA^VWbxz`gWbCXC zw!v3e)552cnMepUGkJkVi(J*1HdgWOw@kMDp5JGO5X+CF9M&VbgCI<6$@|$@ZKXa{|wznR+()2VF|Q4MdSLU`e!LJz>@c{!?2% z=WEuq$w=&yRJgv|3yq&-oB2nR*(Xkl%||*L&XKy(fz*}s6=iRu%iiAox)-0q1wheA znZgQ(iGt>)-{uDOr12eJBluSH8|<(`$Y^io?Axi$=5ycJzsLAyUy2jW4|^paV4QVP zg^6cjqqKD<^Ur)*%d$0O+!2s#M#de5Lsij3f=;1%328MEHB;~FTly0}Zjr182x>AL z5niIBH9E8A#n1VJbgyUFO%iN}+K%1#-Z*GQ+F;*K>yMq|>nyW=I}W(X6n#EmCl;f8X{t_N&^8?FXJ zB-r)n+>!A^I{u4%aY9BViSIfb4Is}^-qCSp@K8qIaQ|+#u>c3fm{21FwTazR&Zfc1 zwW-Qtqp49o))nu@;Vet~LYPpiPVI`$*m!a*CZnQ%L10zKcK%t1H0xKl6`ESYn)|nh zv)2lr$!EZRDg+)^4^L5l)E|drDCp4mJ+Ovx*WEO65gZ;0R9%t(Fp43?|6eXZ_}A|} zIi1reuIb>3f|;+(CZ;LPfmZ`IYAFpZ9S6@a1Uy+Cuq(D-*fV9TMkei(0hH!DrlLT2?UD6p{WcA)lS;oQwZ1Dff-#jh-p; zLU}w^@?}bj9Y7Jm@X5xCA<2IHSK^wMkeMC+YJZRQ3V$sBvZ5Cv1G}q`(N0w+Z<>D< zu}>#`5CQJt+`a@S0-M7G)fmTE+~`fLm`1>XfkPmBsF|B@!46J1ic3cD{WJnh_k=eD zGME^s3E*eq=d@{CFBOg6{%wL{1Zh5hyjTVEG$lYQ!=LN%qcrbixm7t8Tvv9ZJI!iD z;4F7UR$Bw)X(J;eFT-k;`l(+C@%bK-p~DAr;K5#w>*t#%vu(O$$ggd20xgu70zsYB zsm(l_8^1><+$Oz~8wbkP6`#6MS-%12>uynHxnvf15ir`t_PL zPFSFp<3xdzP)(_d%G>bTg`mK?mawP&+o!l{QL6g-`Sk{Exm&KhTHZ9^8(Iac{zNAV zuKxe~mp@7*A?~H5Yt6|5-<$f^6UK-vU0dWZ=)l#G*(3F5SxPC``j2P&;(PcX|H}w> zayQzOXPwtUmGCB$AGZG}=1!ab`HKJhADm(++H)X-X4PGCYVZ&~*{1l$MY}}&|Nr%u zg)ez-_l`V-%W@*(l!^)~wbA|`-~Zo#38UapPm}f!6~IQ|+ZqAzKHp?SMFIc)P5=GR 
zM!Fx6+fPnUUqv_)c)Tnuga04DTl9Vl^ru61_F<5{A0+;!-v7Tp@cXUo7!2UnlTA75 zmuGxIy}Xn3bEMDJUxEN!!hM}71g=V2tWdVL#8TSbx2q8tFJO##w$t@H1p7&Z=3Bxml zgbHNL?cAIH`^~U$+-tNT_n3^S_d~dW`m8ys7sKBGN=o<`AD3YW_%=GKYGAMt6XP39 zeyZ7EiN(kpI`zI-j>9eW*U{fmRz+ptk-LY7J(g#NKjy8%;%ie6lrkAX34j=bZ$N;+ zu3bkot~Aeu1_qYn3!n3Ri=ZzBC+SJ$1OKAlfkwp0Eo-Pr&W!Y6MJ z#m8Wb{sKgK?ir5oq?QYfEiKDIks{ZPt+k^=c2k1MNC9c?fK!uR0Ch1JGlw)b9oWDp zHr==#zQMmTIJOYg6o}VW%>C{eyY~Rkf7s*(vyu?^GCWS{)tDSZoqap^3KnU|jfoF~ z6lyfqa1p?PTPa4##5V^Uq=)tO!!ck-cMAz;R^&eXjdX$k1?7$mtfN6dAU4f6rrBXz z3?A>`SJbHu*SD$YylR^_z>eyT={80BpSX7u!DvUyxl|OT1~P%wI|kVgL&nv2yTZ z{m^PuRz%?^YxfTd$FGYEL-nU0d%l%;WjW>zJQ(cv5|bd{9d=#LANb_t^ahz<5@pnC z094_iPydBbYwcN=EXA&(HZGP0jUjt7v;npiQDYo}@HAiTe!^FV{ zht!42;lnIsqN|2~;*U~@qb1DBTRezk5jrmsSsEFZC_OxG@KSj}%#KP(h=8u&-t-oJ zAt5?Q!!(&-Dq*!IDA4L%QxmC62p_g2G9pk<2S^@fZNbo<R3GX3!QtZt!$AU=*Lbn8+p`JNnr7a$5YY`YTMO!!M+k~HXs z6^(AjcZ2Zn~;xU05*zY$TNi4J7IR`@;}8xe>;N5Y;QD@l9ld_Z}F z!JmMj;Bvq(c%1%CiL5MP2bAc9Pd!jCw#K9 z8!+Oz8W2E>SvYoNd|-;P0uGgUkvdqB8gD*&5J6189D|2(aGl6!(g-+r6RIV{JzfY3a$hw9*Xdq`ZUlYt9F(A|m+~ly2GtBJJ zQd8hgWef8jAo)<<9lQcP@=6Rq$rnKbXul8}=%0G`E>FC?$B81L?0fep7-v#=&$7oN zr^1WEZpKyo6Aze9ec<`MIoB17Bf%R4)K?f1{a;)49+95`~ zS)7a&K85eQskylcp0||KH)ev`!A*ltUY?sMQZ3J})bsLEz}2D+Q@x7yB-;Ye!SrOJ z5}!R|L;oLkW5Ttsir&@DjStJd8kgWMaELr&3Lf!r2z``FDt&F)6Sm%YUAR@^P^p4&_xIDN{+XN-PeEyt>lni4$Ko&Q{ zwMFR@0_&vDmbkKjJy-yEY#cf=i&<27F^k4DVQP(WxG^3mVKqX#gbZd8d0`INhjdnh zx$;e>>;CWTZg<(=10{{lcIB)s;n zMI>~QKSBTCGJt%nPBryLhU|{1lKNqG1yB3F)~zep7T>1J|71&;ssOiR-Rswt7{Frg zzolLzLw2fsJ~*&$Pv^xB>$Xx4N$jAK*otqeqVhzPS}(@y+uH7ga6l-wj>&Kq=?aRh zx~1-WFxw_1JJ=|1<=(v2s-S*UD$*vu7Rn1&J!RZ57VyWI45>E&d|HGDY`s2aKXGm| zClj9cKqp4~44d~}5a-0IV&bC9IaJUiqsM>z*b7DV8w?!Cfv9oez{`))VW)HxI@*dR zmM|_59o^|8zcwV)0z$JJ?UV+&XwVrU?CLdMXGJ#}7Ji50Ff)*XPBakiNs-&XCnpKY z77j_Ql#~=htgOL$P$NK7MLY%Fgnyppha_0qBj1rqRzL;LfMtKaY$&a&fs8vP@|ud1 zdRY8i@Bp-#)nE=h|J!?k4cx<%GF%SE$U7^pvq6h8vC+Z~^$^Mc&8*eX(~2#5;K9Sq zUEgn3seAC?Y9c@;C^3r23G^2mt$VTHbfb+p$}Pi&8gT(XW${nfpKsF@Oa?2|5MpXV 
zEvuzdvD*v)ju%lI>M;A!`a{$X)w&P%KkzdNaq~+j_R1Ca?=5QQaddF_0WdlF(W8~* zO_g1eMug9SYInEv^*VaIRSQ@0q(zpUx3Gx3yZY}b_=cC2DV&$?y7PFpVJ!zcyVN&Z za5PFzEs477cESH@3tIYHz*QC6Sf<#$*&XYSc7sPNs)fE;L6 zVs7qcB+tU=;nHbOi^W^w+li7Z$>_qTvXh{TkUWZ^{rMiv-v@MbRH5L~#CLtwnOrkQ zWFFGA;5YllY8VS6>AAT{gBz3jAx_g6YFJB=DAx(IFy;Yb0+(1*Qd0(*9HkmFhPdDt zZ_N=C6!epH*u?K(&$d%v<}b_NcdcyUcu&g5Al{$ayA3=gss z_5!e(zum-lErfkESC*-HG0r&TtMP9ECXf`BiY5jF-p$wf@XBe=+Vy?@?04@TZ?1Y2 zR1Gc%1O!|W+{CGm&x=~`am=!Z9z+AvI+~#ZR|tRVC@k3H1s;h(+u>3vqXKqQqeV zyQVnpGry_%zqd*B7uu#?^fs!PhhRzOu&p$)1W~o8Nm<908>Q1 z-MiPoxP}Iu$W5jwz2*ZX-U5w+sq{&WOBop%z8a}7z)ZsBtZ3&6@@GcQs$=F`hSgYT z%+jC+!f*??DKR96JOhM^RPeD;Bmt30`Hb2HJt_W11Goga8x=8$1|VlZc@IxS8N%ck zTCEl4iy9gl8QG5tksLNiunx`1xr}n*FfE}V^TqBuw-P;s@El|js$oAO3T~CFyZbgh zR(}3UQZI6Fh1ScZ6o0d)f){w?Ia$x=Ik8nnA`E$PDBt+mu)`Hhc66Lu_%yl!*)lgt(brrW8xxO&r+Y^$RQW6H`+fuVF^asiog6 z4|(G+Vp}*>BwuHX0tHZ7Qt&Y^C8Ib< zZjyH*E6yrSeJ3YChA}e_Y_<@8fDPqh_8J6RTh%(BT;=ccC@QMwZ24Ew^W8g(O!15k-~_LX@eTZDKDToKOBR)wY=FE;1G*p7GPO0_2Zr&( zY$HMzz3_mVMn#EEGEncbh_p&fvy@$H`n-A=YTS73h_#N`Nvp(onh0Z{osX?L@Cw$N z`%oj1>Nh4PfKa&d^Z7+ZnOChBj%3~N_06ry4e+!H5DAMsH8H@HlUQkwZ z3Gh~q0MAQ5TSZ0rG5UMVMa>%qK5`WgY;ICxZHxZ^**57 zo7eE|;ba6Af)lb<(IW|K&u^2y=CW(c%qf5l;+$a>?Ys@~(pPc1VC5OZhH{v3^FC~I zaKmhi!~oTmT~-I?%)N%eh`>1!13>~GLo}p&xmw|`H`r!abpBp((^T{;hBJIBgsC6D+GSVG1fQ17X4yaSVIj9QQAOe za_R3gB_Ln!uU9}w{f^)+IXSLvH-p*MH3mXt#!!_0NlMBx#rf%Erzjrt ztDE>!om^bVaXZok8>S@~p)kCS75A93%2!hvU47 z%Lxe^F_};GjMyKto(~%(gLXl~eb8``B};MWVoc!htr4(01sKRgxa4h3JBWp?AO=lA;#b!)W1N)1%z?^8t2g?N03J{sp)5c7A z!lhC5i$`yLdR7)dY}v@0H~mP)#2gi~StT>G&EPGC0L(~L-gM0`SN0VQ8G{iD_;Kq2 z#=~Z3IcUvP^ymJ40rbIu2s8rJ2b{>4HEkP$4;@KK93bW``Y9>` z!I-U|&XkB<<~B8a3Rz(3^!czNFqX6cmV>G1r)pGu|~eE&=F= zJ%LrYSEx8^{{H!ejxhs2;y@o6pg}l_i_~D)jVJe>8x}6)#WX2Y|BpNtCVA{0OFx7l zW5v(266pXkQysJ$R*k8$5OO>Gy97$k?xoM3J?qZdryLY2r*PnH5;!tYcR6Bg0`vw2 z3HF5ip(w_SI}Y8h;paeRj8VlAq6sxQ64`TVif>wAR6(?sw1BfM~_&C<9J8j zz8#E~O3$%=54DduV7lk+s72v?t~?Js;&B(;bLG*IU*2LASWb{!k8j@hFCKjv1?dam zxUFYS06G(5xuzZ^-V}SA@h5&9Tsj&&i~}pKOM{2&Qr*g{|z>22Cc*) 
zxe6{t6W^MsRc_c{{(+6D#FCQuTGt@GSR3!e1*@?C+++PC{gAx)1a7udor>}WjFWLd zUVxTro2ndDt;gDrKnUi5P^rESs|m`vS$BuixY(q3Bgy{y^{eQfld`f7a{l^mGrb!q zcB(RvUABw!f8DUTNKR}ef{E)qT19`x#T$JX%}QIDr!3j|Lre!mZHP->_vQ`3D?dS6 z$|+FgVr4sbCXC+v!3rQv6(ppT&}l$Jjc`HwCpF1u!Y6s!C>(lTn|0; zPn_^at~oCaU}+irG42Q+iII94^1z~C5E&7hsTG^*5Zj1nF*TDSy=~CC0$^$vG(GRz zsRz~_N8Qki$cX%dLxCvU3%1VmwCmO=f~u;Z`)%rFjam~2N+Jo<1P&!*$@PmhKQh_7 zxFx5b?aYSsd-tWAbmc_D@e}q^*$|xjB*!jTSiF;6FDV){j*S^0IM?)dZV3{@LRbYW z%c;jHDJr)4HF&4x_4SNE)MLyn_24Ig`*?%tCLUrC%6DOc=YVe3UFw1DkaVX5fCDa8 zQl|ntMOvdra_pGa^XlKEX2xtNSJ%1 zumq91_3c9-Td0~)YWk=q@6*<1L>4`K>JP!=F;%^$z2gZ)|g+!Fa&P9@>XZ5snL~?K>gH zPKbH{(YA8$Vv+U%)MNz3T!MKJjU7@r3EYm0vxkE4!w5y-rUd2d?ezgDsZK@t3b5JZ zrr=X|nGAXH^i=TXuwBkQB|UeYow2?~_g{!>E@BnCrYQphgOhHFit;{5{gz1r{3+vf zp;r+_cz?M142rRc)oU;k1YTe=*p!Omk!*+DI&e@$rILwy@l^}ZVsR;4Vh0<(?a8@S zXo^6;$cD>~si~^$IEycKeYtE#Gm0D){J+qtWV|7GH%N5NnB1jeiUi=12qUiq!7 z7F>@m2`CCUoHSK+M{BQ|Da$W(_K|` zlK&|NXP%&D!c>o+mzM&{4Z$HaG*)5>v97-u^{O3mIsv%|5;XAnvk`XJH3D!AOkJq` zFsBc4D+y0H;v_obMhAw3D66WjAe|LdZ#aen%iFoR5e*|?q^IKI@=Uw~KBe2Pr=M>l z!_UULhfQRqID<^m9-LLuQ>BqLAUfq67gZ~f4 z^;8mklDejuZ}VAkX-pQvUj`mH2zvMp@hG%Li_y~dP+t|0hkvs8fFTAO_;i)Tq!>u9 zK(uOdqvi!+A)&n}=pbDuignV5ws+Auf$D?dMO`WpwIawWn&TB=H#fj0p{AGSI`I;1 zBy3g%l#QGo8#Ii8if_Xg@GlBf2}adl0Uv5Io&em#CFja~I&(c)yHkw5cI^t_a>rI9 zkSdPgze2{2R32sXGnPVYO#_Af=#S;V6!|( zSo;qijOhMZ6!K0>Pz9wLKfHonnz!6f)$|p=u}oT&g-k8b9S zu&GmkY%n_1u$i@3Y3{6Fe-pzAV8rAMw@0D8262*nAly>`0F8m~nwx#0ih?*YH`|4P zGFabCswoG9J9Rov>Y)e@m4t$Wbt<%hYMe*0CYOv2T6fQdO{&VdVsP_Z0%2hcfexIS zyFM}7vv&(-6B-vt6$wvz7r&8fb^SdV z3d1Y`=?-5CAxB-koCZ~}LCH&%14&VqpWYlnZK#a3Oz|O;gaSGPye{8I(H@7{A)+Hr+a;J)2kw`|&!eNga8Q~51+T7@yi6)Px`l9Hht6?w3s zz2Z7MQXn1Xgv&Km1}*{oxBpbWgq$~8Ca%4}fC!3a{+5eCy%3}R7huF=Vp(E%4Xa9F za*J2k?7zViMBiS3dH)5Tn2+;5Sz_+OB{OI4@fUKp_JDVh?~M?y$p8Us>&#GFa*9GSWE>7AQu5JO7Ghsrk*w^uocS+s%eQ#LnsX1S)?08Bb(AkP;F)6{RQYB5hr^Y#5Cvh)3X1%IRm1=*^^`uwptRCTDMiE{-r+0fR&O6N z3lYD`{IZ>2UA>4yY=r_EP{Ir#ZKmQDB~Fbiru>^4f21{9q*T=+beEcj1Dw+ciooi& 
z=@rGOHP9eb144pT)<95Q$plVM$HYW{hyY_`g+vNi2dkJ>=zQGPQ22L~V0!YTxhSdI z7iVToyAb1O6#&ddJ9k@-b(fM@atOrt!T0xNpTw$&kck`$3%n;~9UUeVvsc0XB@hc( zZo4Ss^^Yxpc~ z@8r}JKe}atN)i3rkDuj(^wg34NppsmJ^0riX#trg5?Cu*d*BIVP+#JYvR^M4OJlGl zK78_Iz#Ul^e!yMSgyPRYt)ujOPo!5@T&2xHLP3vDMoo}1IdJfx8roD;aBj56`Ip;W zRQo(=<^eyJ3h;Napz{cj9~8wz-6t$kD^pm4skvz{qTK{gAOfvpe3kOGXaU;Dgp+IA z4uTD@xcFKEOw-fvL&XXbKB=NG%L4)kJ~i&=GF;;l!yqo>Poa@>JFU=q2opxbhwma5 z+^&3<3q3(~dl=&<#}~W&y?ggk%wV7{=ua)j$#_*SiRB#n5@sbsBn`9#15QZL0Q;@jVKkzIrGY}2@QP3`BZl(s*|QFGoG*;$(W;(6+BkXuYT-DD1xgK_RUdqh#l0L^J>b{CL>rP2TynBOT9@A3UG~K(G76 zlpfsf$mnQ)kcG$t_oY7Y=*IdR@4QbOP~NQyaaVA2mLeLtzxMF(*l>sA$-)?+cK}5X zRWxNQ;*cX-DyYJtzFYbg2ffL1Zf;HtP`_5Z6bm`w@KO=i8~~h&xc$=iEI(W0`}bGz zqalWXG63VAr4;a{G=i{Bv$doyy3PkL2i*HB7s&4ZXE(*e(9+|fH8L12go)M0CkN74D$P78s^`ixDYRyLY9=MJ(Y@1 zT3Hze^TT^V%eV-JBmOuU&Sf^?0{%yCF$Rn{;h51}MYjNn6OO;0hQ>tOTwFHA=0qL(Ffxh3S`m&k4!jSB z<5+Jd!_gXqiK+Y-V@jfXQwpo!jC;CffX4(A)cwT4=W-kBk!?P76+w zGG?Jpd^Sgpuu_}Q7z^FD61UyN(*bRYLva$z{+Q`R%?skub_po75cFRFLGKL=8m?{H zr20=2u4Nn=6lCAN;V9u``uq1`FTDcGG-Q%30Xi}%OjA;7@SPJOM*6+OX}1LASGRF* z1B}`Qk;UZ@*WFGOfS?aH-jkaZ|{X zHSNQbO<&A&LPA29u>%eH>j+e#utM=43LXxpp6Iu!$;l?~h9mvWBCISd2o?*md6c3Y z0%7%QrGNZJzqUCgN*L2g0E(C~lA;4_t0mKe{9PD-CBKXWU5V^KyZ{P9LE{U?T+WSY z80;=`f)XWZ)JbCn`-k0|`L}n%bN~UX=B~U4#x36#a$UamYTtC5Eg#!FST?53c6wXL zQ@Z`HJ}%{7=e%smO}2A;tCt_H{XBWRv$pYY4+l4`!8-2Wt5o)d2q+zn-nMi{-4TiQ znEZDV*6&jWH9l;5uK4%PZuQ$K>Ty#kBXfn19rLuC-hWMb`BM6;+vwL06D`GqzWeFC z(BJXO%b#V~1JxN0(h*4Bdhi-ETNz)r%;lWRU;K&6`(f-&Cnob9i)jI;GrxT0o0P^$ znFd~4ta850Oq9$kiPa-0D zuoFV(wF96VNmzgMMR@{Sd?3AsE7ko2$Q$AZ`dOKXQIoHTd z2qaWegu)bs{c`i56WCB{Kt~AS2Ut8fi#OMNVsXB*F5|)TBM*<6C93x3lK25ds9ou; zFd^FJ>=?vlwxh~oW{&jN&?r&phFr67wnZkVz!vtIF2W-xYR(yUS~gh-hu92PMI!|! z8{~HR>P&YrY*f(8Xq5s(5(oG|7sdxk`eers>}(UrUy=a}aV>cmhhN?#y@DW&?nICn zgRU@48du!cxkFek#2JFXYXCY-@A*GSFmkRfOD-(rfRU&4RcrV7djif8C3hO~E;77jCZm{(RuA%qp?FirzdxIr{oJjGZzua3kzG zR1yXp54MN1>ELl`uV6qT`7I{jT zt%fygC0f$20Gb+vAaDwXx35s;8I3ExIU6pyFBk|e? 
zc}7n5*Nnj*q`^dzAMh>3l(y-VkQE{*4w@NJjYMjD{#DjPq*#N$M;8mSXIMti2w2 zT@>m!s7*AS-L1px!!%9AHIcl!c<1EP4X=f?_R! z&B$@Xw3b1Ng>i4jXqyWt`~A2N`%#IbIU(mC3th(WS0b};pdWUiv}<%}IUJ?FqNwy! zD+ESh$NK2eyY6nAsae2_7b_#v6mh?Djo(m`TQ1lSHVI-Nd#|8?9SCwC9Hv6yZkV(3 z;h}X7@9ynm7q`H!3M(@k8-}>c#%IAz3VIg!V1aoB!>Zm`^is*#?hx86W@trHOKGdzH{7gCj?-psN@k zzvIWA1vO<~U*7`-`)NLWP4EsUT6N%GA#C-HfN20dzWxP2cNOR>>Sm5(tiMlPogNK> zD7a=|!tvu&;UxbUACD?}i2H7n2Pp;i#~>*)wHq7O{+N>B-F-s& zVk|_)Y%wBdmCm2viV=5JExhheGw!XatqtjcQ<_G>eihG?XeZ!{!GB^|N1@{u9I~}5 zmt%`-vp)~V-NboA%$zsQ9Syk2&m-3WW!{7;L8^h&A`!* zEDCC_9h`J0XfFm4FHl(%EDzKe+!_IJIWXC(M%#*+E|Z@UACg31V5bf^&ZJq#FufN< z!LPpUcp?&_7@(;%?+2|MghU!p9S9u!ZPK08z~IHylEK%84cnd91l4Kh6qzg-WqwS? z1`a8{(ZoZ}l0!f>G_vScvnKi4*Z_L+zV_v32l$dY?v=!oFBHTs@_JtcCUh7lDzBk| z#5Rc8^D*fBt>6_95RhHQk9SmkDCI{k=3pvkH05C_&#~?1tI^BfahvG6j&^r$fd=^x_1^ATj%YET5Lg+Wlt>UzzHhKwOBt3_7%lZ zw{C4U8hWsE7dwNL^Y^ucK8~^r-RU#S#t$qAZZ)R=fqGceD55 zu|8;PzCc(`wITES4&!$?+jaEd)U_4Z3y_!PGNz9$4HE#|v5MXbqy#3{ze|PxyK;Qy zD6B5Sva_@Gt@xzV(T5Q78o7VAJ>e+Qb3U3N+LFW#1c<*Tj2 z?;lA$ftScKnSoVid}@1^6)hi&w38d}A#_=BBP7x>GOmjOuN+Z1w?oS|A~bY>Qlt=W zbRenQ{?E^INYDou`Ur!c;0);^n~!;EsjKIBoDDvpK_oYDXqF{6(iQ44;evzv!@#j? z8KF@j0KB13eV~R1n|r7q)uJ>+=Vr=hT^#gM-Xh#4x`+6K9 zkd~3t7g!ekvp{zZEQb*4c*fb{^^j^0(As>p(ZaXFP}HLnQ(7^wbAnE*d-_!vmV@#7 z10!8S;E!#2mTU+Dh&p7J(|g(dK6K(l4h2scS`5q>-NxAz(W7NFGxQ5As&D)rj&lp*b1lf*Q7GT`X}&z=UP|T9 z;gVxK@ILWlKkCk?YuEUlcfa%l)qrK)y5)Ct%zugPy2Svb>;*su_ndRMx+C{fI z+JCyZ6y0+ruQnf7`zax0eHj@}heExi9chmVuLkP^l|~29^O#sEOCyrlG7u zgvut5V9hRYMuJ+83bQk;AdwIzSua3K+_uo! 
zgwV}ucGQiaD8JDeQaF%#!UP(X66x~Yc9o1=zAdZeu&+wK5s_V)^um)vzTp!RdJuC) z6;HkS*`Sk5fKpW2voowK=v>wZiO4-R@9y7!i(VzP!~v__d=1X6B4Q(E?} zrj@#W3?m8@CBr%!C9&uJ7uFh`5!Wm6e(hn7l1rHeVu;9d@7T8bDId&a%vuJSwZ(%npqx=3LAyJ54f-)jm+PMu?MUv0`e_H~643K2C zPVgNIa}r<6!Nx|5FB6m>Yh}NQ;r!`6H;fMO!vlf~^Rl&96_E}wyT&poFOHZW+9v{e zf)a~^5?NFzP9ZfSvguQ|=USVUfwy_hj!5bp+k5fUi9C7OIJM7f(@6k5T!-_E58X+p z96In8n$seLM`?C*?+(yQ?4L{QrLQ2o`r)=58Vr)nDr!Ki(25oHnI)T=w2-4F>=ayb zuv=t^r&{hT)MWjzcfJ~R7)-uY1A<0zx*s@_fYEr_8DWha27>Bh+D|$!LXJZxMS@1T zZ{Q}A(_Q0atp=HZNJr!>g_ATbktql;vq&vN9b^I;xbcs}_um`+_*7AVPfQXsrZi=m z>nJE*?XW}H57D#zT3TAGpT-MwgsB2`I+e*gfN3?EO~Y{{>K-+qG~dF3z|np&f?k?? z#kJG^0-4JNv~A%ReMKoT(jr8iOr}sc*#q!GVBr9mST%<4QB~`KWfSZVV%mb8u**jt zssK{}sSKq<2zUxe4j81X7aUi4EO1P2&6R!RY9J%xr~pvKDdO|LDs|wt`<2q5)XP0t zg=CJ0+VJeo{NPRic-&wNfzmoP*0VbAG^3xAk5Q$6j`5Bl;8FKlE{yoIhlGSw2Z>>f zgH*-G^Wn@YF(yv&z}i2}mH-VRL2Sdr{Kz2t=-4))o3He3IMfr7G0>WlIsiCzAjVP9 zZZg4PVUR$gbv}w>4`I;`!+lI!USQaPUL`OnXdgZc+3hR=eUiw}{D6uSbP(x*PvDgv zq^9Q;H&BKV<~>R^Qc?jMC8#GBkv0&_$e-c=q3S*0dfwl^@lPa#WRyhH2x-ue(oixh z84XP`Qrg;^LPR06A+xEH_6{Yp(B2y@N!siGymG$x{l7hakKf~*^F62WdB5JT>$;xn zS}urY%8xPLuztM(qqJ*)M|Lgr4vAh%T-FHE4?X))p15IR% z{Pas!@30I2c_NY(>u_bs*SXH{ZvS|PmQnd80l$+6pf^eTD2J}M5g8ohv6<^Un#Uh`{&dF)7zJZ44|hQ*eB`4!m8&gs2TM1&(x zC;Bi{{1UPA=Q7Y}X>Pb}vhJHC`*O(UQ2I%*ibrdxgTo7bqTj0`ydcOdpqmFX9p@XB z(g<}GY|}=$RzOgO2dIO`fhyPz2+`eNQe!2Rm zm0ct&gdat9<(qbdzCj2_;eI5ef{vjNTb>r|yPKEO_33|F0MXm&DfllvR`@`GQr2sj zX+Kv#)#4TP;tpNf82xdbQ8){B-!TarpgGe6&Pwr|u{<|1%;HTz#XNm?!^DBc1Hdqi zJx69yfdVLS09_gOk$no?npA2YNC9lvJF^h|&y%lyFqLtUfE)5+Hy2@+JAkrU;ZKsz z`V80y=rK`08xF+cPV;+b_|ra9BUY8wA6P2L*h>!J;B@0S&0_8F>#vTL`nwo?gS2;p z9lrX@h>J#e1?FWZUnSjSGlG30_28~8oE>QzGCuKdCW=O@&V&=WZP&jKNwrCXQWIJGc(%W65EA(kyLwP^KxL}MDyaVy{xx0 z2Mg0V^CkvExXj6d2$A_ilv#@^@l9o<@>#TMr_$P>J@qH-nB0o?RVZIgT^lGqp|F1a z<%ETuLo_lGereJQgLFE>8^pkPjU=e3%(_W&?a! 
z)0gMKO^OvP+17vc^W{z=Bii0AG716sY`2KIwRdquaANq9rtNEyUPJ$N%pf5!xn0Ix zG~T?>iyF605SbWNt$D0)5^q^ms^tn;Jh~N%5o}8-w!F?w=ZwskX9U3@P2~bA*;N>9 z*pT4?Hk$55l5L{y)i*n#9UGlDSGwCq|N#G!ts9TiO#Rh*a?pp#B$XPuaB=LsPG5X-qRjU9+W~eKl`1d5xIoV+U4qTk#}6sm$0u|rABmME*88UMb6iM;$3{mb5TJ-FA;`F`1q$!ZHb%lyNkU? z4+8C_g~q{!%egV@k|`LMdCnJEI~^7uCKA&E z;w04ojRc~1Yv+IbaANb*$jIY8H7R(OzuGGXDFQJcsL(MY+iRYphq@gc_eNXho6+vgva-QJ=k0H#JoIj_!~~yo?sG)BfJm$|YubhB z(j|EvzAZvOO`z{jCBSgy?Y|_^+Ur50Kb;_4VF#*te(LCyN4Zoh%X@E>{?{5Ih*u%ne za`SRDShjF8dY;1B&0tWSTAhIwkusYoK>%kSH5Qq$W+}2qa2?a!53i*=23H)C9nfx& zjqOO%DInNBJcc{UegFhMj`~b*HtH042N-#?xkYAQpW$sFy34>|B^t4dO-)S=R-zfv zSjxr-{vx{6@r(>du`Mn{{5~mm9Tp2cxmn@gjIM3>>XE&g;a)pg~xV$AJIo z6N}<(h_DnCctOmQiVmi|TYJ|K*2=?k4gDq*wEbR6@~<}!+e7Jtqj06XPE9y7BPJMu z*Mrl#AXr-B_EqePfA;k>*xk8JLtRIpLR>5~B3KCzFExfpd$7)iEYYffpmc5bt_>pb8=mDX1_ek#06+y1 ziTU1$q=iM9g@!mvUqIa5!4K;Ef}OS)ad7j@_M99sC5(L#_=wQ2dSj+i0TiX~`L!1|C95Ka{tFs%B?1T@JranJy2oU%mRsfdgNg zR~Ef=eVTKfG@@`MY~6mH2eSq}T__Tdh#!1*5UX05+uPeAU2bVbk!MFRI21_*MMbM1 z6oobb%_koD60cK*8lCa@O=$ARI6+SgN(_WQbbPZZ0~$>}UwQ&l<3AL!!lr(vzOrFC zUM@5%&M?lQ&Bfte<`dW^i`xfc8i5C%qh|AYw{anqqUTR0B|O3Qp0xKG7_RexjSfaj zx-~{bMkcjfSRuY(lV0pwU92AFytNp`^R@qTcJF9whhItHEF0rUfx2aC(O44O9t4hd}B zNHJUhQCGYWl1B0qg+qf#lM7}4&~8WZ(8QhK!84BH#E>73vTKnlTtM?F9(0M8#(@8r0eLr995BWWQ_yrA zY!(~uHrfXQZ2UM_K@)Ftz=zNvBxc3q?Z))-`n06-BhCDxqS+LQO2D4V+Mt1NoC~%A za)P*FlRmCev{#fY4|z`C7^)vGyzOg)n!%yG0!8-J$}{gQ0>Manhx5ZR+e}(gQf8$R zNK46iQo*@GaLBG_SpoFr-Srq|(2PbHCqP5Cw8~*tUB1~jXqRUAZ=|?Zue_(gj&Pdk zoP1273gf?3qC;9MLVLV`pVPF09o2G)SDvf^E=3#ZXpBaGLvq*8Qk6|8xZ5F9g6Y{X zgIsjVuScTSglYWvEsIGQQL}YDsrc&md19Sz0} zwUg(I){JF5dsg^pAmk#ih|2Xr&%wdLU(F)D%kgWYcboki;=pS6tC((4E3P9(0y+(v zr!>N@LV5lT!Y*%Mr+Ye2X)5+pxD%wN9XA}r@J3^d@Bx%-Ai7LQ3r)`{i4Thhq~u3( zDf;{IWYJOas`(TX0J}1@9WXcf8^;+|4*dT8g8O{3L&yte7M8uq?cdHI_eMLmN0R-B zk&)G)TL7~l0K6jtH)UTur@a%GVCBb<2M%i`5GxKJZO|Oz^Te%cQ{&zg90L}+YF9u3 zt%JfY=z+oSf9YxRoWByW50#+0L^iCr+cd|h_ez{ zz~3o=k7Q^9xas40enD)20`ziJj?k<|YnuGwT#Aeoy2!@Ud2>T-n+&EoPNU@cn~acj 
zfp@&6HO`|V_#zh~IX=Xglvx8Ezn3$4x!X2*>XkOft}`TyYr(emRq$H4s44HTDw6aw zmE?xWc2$EDV5h#(dnc9Rkx`5niNU~QCc2g;Guy^05T4qL>g;kN)G9mP^+b3T9i}O1 z4;zM{=MQ`;Dk@~U*`GGXkmpkaOXscItp~=T&maMl4bw32E#@t) z-M9=%J_7|+cs21gw3j_P{_f8pcvKX@EU%IZldVlplBBEjp+j69a$y*Z7hPTufgW`l z+<`6^y-hQs{ksY)5SJjt%!6-dxH(97|7PxMxH>{PYOl>r5W25+QIY(9P*@vGZXt>Y z4TB)0d4NGq?E_FqU>kBYn#k;@smYFe?z5=H%`RBhD?7c#?KG^jt!W)!_qK8 zDkrtB+TnzLrXcQmls# zR4U+MQmXF&VIqYEhe}Wdr+)e7P_rQM>m@v+Wv+UdugK(FR#D;jGpQe{R^YwofHqWZ z++l$B6@=j{+=9`EgD-HGmX`9wGuB_g3#*{BwQ6(0=@Ac9=jy&oW`1Awq~31#VHwEs zSbjsEiHXS>=pq@QqC*6uiC6?yaVK-R)yJ=sm(U_m{v+k6TWZ@%qNW4JbY=pnX|i83 z#IH^h!H8ThmTj1tyIsEYOE`P{lJgfMwkwxDd|)P1VqYK8#qbQb=tLGki$_HHoD2Q( z=Oj4h^0cdof7pDryt?NOlgPO^^Yam2jkoALonM?9Gdhcz8EGe_&9#<^9FAx2#0|=Q ztmyC9_|f}}Q+lVAnQ)uAf86yhNV{y{1|zW>b|<@g$Q)`f-7K^5g_c%nMZcNI#`(Gl ze>zUvRBNdj2jNA>F~CpIE1Y3qC4D2H!)^B?&3j?t!54R47z+4pw52|LPM3JS^_*t) zM}~L0)(Sq(y##K&^K5931;-uqt879-hCLS7AQ3+C_H>v=rI~oC-2qUcrmHvCJMNlY z4XQ%c;iZ)sWSY8}_Ur$;=BNnW0p*GMed_mlztxp@&j++k`c{_Ws^~*3`tHRwdSGSH zL0~sXU98vLsMxyZe+9H`xqfAQk9xXk&uE-PW!!}`S*V_(%YV1UlXfbO?TDV9x%9es z2$~0Q7RDloAl}$(3)ms5gHZS?mpcp|`G|UNGS z?D{&RpAC2pFJ%cDY#WP?k1u|-;jCfLE_*G_Z<{xE1dQDS*lL2%95fV{K0mzpZ*V{g z&Oa{e0#bsHg7|FtrW3Q3pa25O!PNIbiM6MG1Mo!HsPl9cGSKPjhFV)tV(E*ePeA^{CuF&vbdV zz3T2-JFmJho4Avwze(OR6Omls9T<0E?S+Y_HuXjJhOcvVs=Qe9iagdXI#BsHuA|d0 z%Gfpn0t9})6pfwwJXay>o-jXU@ukt;WrQ(Bm%EQhTOeb*+3N+ zEn6nU0^yHIL4qtoa~LL84Uift-$*{pz+k_8!LbW%zid>cxgG{Qe1W z8oEd8CeTRBjQdlK#z1+ZTq0#BBU zl`IDdJ>`k?EZ9RpdKdw{#9G>te-K&+CPl*Y@E5wV*a)@ay=UB7wWYd)LPu zWtIVKuf+`kFO?rDws83SEFz-jxeVed1d5GzRAiWVUy}&Sz-Si6!i|BbKy~;C|9Ct| zYaquTr@>Br&=Fz`@nqFD=G^I06qUCr$1@~2xbt`KeeJFGZ8dRwpDmv4aqp#rVS}Fd zL0wYDurhuXB=3Lq03R@!`(S9mw*Y*@;nk4mrFeLQ)+MEcWriJa}&ZUO$~ z931V^GdXpTR!iy>ctG-TLvI4o9Uao<2qgXUsXJ+^T-!*GjJa|;OuP?ECSjt>`6!@z z%;wgbT|QSLm{gD1{&;9&%-`kdiv3JJb<8KQFxZV|TtA2kY2?-;Mc^On1?6t1jT<&}4rc1>>mym|`Nd@ydc};g zPjk8^&fj$Ey%^kT{^5z#R{p|z)Wy9^Dvpo31-#%qe;8+qjV;wJoV{&mXy_8W z{fOTuaTJWZUj_Fm0Qx!jpV}vui^8L;|mrH73ooPx5 
zT>!&?e1U&|93Rhy*MTBQ@C%~LBW$Yp?aAfW4gRwAj=&QgXN~!`F7*_%9{x^%FDw#yRZDp-6i)l>&-KuIeCZk> zxSj@yV>Ab2W$o54H3dKczznR6pYgb|3(GhIaQhq|`O~h=*ScHre#&*hu@9pPkBsAD zH;$c=o2Mqrears4lvM|!m51N(O@3*&>{LgG<_z}?}U9 zn>0dYjtvX}N9^Xz+>{ex*25jyZkg)&oy%JA7hx`?g0)Fc$ZLK3w<3O zp^N+%3MIMLyUPQ0vX>2W4nJ8gj)EJ)^sacu&4bLUD;ESI&*w>IX3eQ}FOfC_^Z-#g z1rUR+pTz2=!0I;72$ZJ;!?7U+2Vr{KGCMHw(Mk;B+pIw+NXNOgawTc!ll`lAyQ6tF^P>mN{rw-;zfy8Fn> z`t4`VQ&NJs_=|m7Yal9X?&+z2W@&p1cO~G=KCCfVjyZgh&+Cd9Z9v2%2tZd#ko7+< zTN6r3K#q`mTn-%g^JlS22PiTmH{2Zd0QL!ZQFr@ozbL*gjVT{|UXaXVDQwj$%O|-s zvjBXi*9YEo+=7J(%BqC`7w~rZb8wtFa|T``p$0Lvb=I=g=bvFlN^Cj!Z>KdA zSk_dETm90J+f22`65x;ux!s2@qp7`p&8s`5N|ogr2Bs_$_b#p$F|A<P#7-II3e&g*bcd0rQ*i5JJ9PU>kir9p(}YI{ z3Ko7)gwxE+n9DyFQ-$$u^GdTLTh-#ULsGVL9k#={sKfdN+GhBh(ntZ7_`rb@8_s!2 zW|TWoySi9g^J~Q!RcHBo4TBiR5j@5Xo|eQw7_zUx^K~4u-Q8+xJ76ur>#*ASlwYW6 zT%aX1+1h+(#JLEQ#+^xr52|b;BS2SU(arog?Rh@0yuqq9?e`iDDj$k5^U~MSx?O(m z%pDGo(CWb2t^_NvJk&H{FCqv2OZKrJ-Ln|LmEhQ#`%j(aueA(V;|5Q$?)?Ns7~b|f z?R{)&=8;1C!3u(%i%m^$ zq*QLIEpO6-8(Go)vh1VMj+LxSLPWzHs)E_XJGwnSEbiX%s~0n4KJ7IFs6DM4T-n)* zf@xF4V!!KS){YPBsa_-@^)r<&+m`XAth#=pMT^uahEAqe?rFNEXMYmN=+*R&sTFH(Z2+ zj@n08zkG~-kV?vFNm}2cl2=-t_jI)Be_DXa{EFQCubycrN$B5Ipgo3upqiYs< zMF2Bwop9SxwgvMitzs&?xn>^}?irf~75{nxU6u`FLs>lKzbfsBoI>BgK#Hu5k?zLX z-$E4Dii=<8xJ2MVCdU6g&u@yT(dRC!CUdN74DVHJ*8)~nWrTFrtIkmkp6u@Gs{L5P z_?n;paMg{OD|22H%3?dill?%w;Q$o#6ZpSoI<0f;;(aiWJA3F0PW+#=J|4I z;iatTL(s`Gk<$`0N$2mY)#ypI-(1IFLu*ssl;HCQN1y^RX?)J09&++BH{NSgTeHQD zqs}kN>+IA0xo9qlB>5+=J}S=D)ZF~lEK1)73~VbxK7Zb5l3bL*hcS<%YO2W-N(JO$ zp^HP-IP^XEi%(V(hW4_CmmKiLYj~2aTtYMl;Q03aAxuq(N2q3;{+vB}8m^DZ&EquA zgF^dq%#bhi^iuigprE@`>!>aF|A@-S9G094t*|5769#xhRM!FLvI(7*t&k9U`)&+p%#)jztr zXdxcV8FJ%tt~m|nQVTzR;6>vCd6q<0{Za9Iar;E?>hr9t#mC*>J8wc0ml?GgeGnuc zM?8l!w%R}wYM#~ut_62F)`gK`H7`#Qwvy0afe#h(KNsFx6h#n(zIt&NF*d~3>1bx8B&*IRQb#6DUw3Q3^G1Aavl_ zgiN82z(O5M=>y@fV`IvG$Sh&sZ1~(kqpH*W=kuV73X5#?mp{#w7TdT>+m#j{*)_8^ z;FDT$^_l5YOP_jF-i?p#E&RHsh?%Qeu$y%zAMh60IN4K@++a5_=J`%9R`d9~2#tho 
zxt5LqWTsR@E6>F(_%q8hZ?N`A`cBciFpK4%mZUxuWo8H9bEH7~Lu0me0{W-{Y4onB zj}-9(CqKg*z%YHl7z&6oA-^&N%$Qby8k#_wLEDnd96X9O4x8)sRa8HGy6W5>mNl3C zq7q6w>=8qQEEJkE5Wfs}|2a%wo8GPS$Qm&u9_3mG{BQE{rJ*5XImG|t7ru?CiesCCf#A@GX@ zjSLxI9aeYh44bcgFH>{iDECi*H#;G)yyW1p<^|V^6}8VK6&BsNmAQGv)-NLpI#rdN zOPBhkVFwz1Ge_OK5?ZS-{5}D03k|KofF#*6{{6|A1yv@rNBPjnL3wYYRfvWLC_5#j z13be~vNzAc$j_ki2_9xXkL*(XJYgCY>ka%TNYM+%#otE|`aSgPY*0Z_B?bkBXjN`Z zfECa7jKII}6)pNESdmBy%+Q3^40hkyvH=-=8`8Uh(IGwZGfhCrTYz`K8bGG}_A(o9|cW&pZc+1MEIf3!40puLL>S zk}dW2OOQpEnQVyJ1JnrAOZnFYR48(v@@Odf|B!^nl0^e2@m$D@YTJ5k%iwV1O~G~R z-94*WZDebb3 z3i>%Acp|D8I24z(1s7Vl%K*iZo5>4;8v6rIo|{2uM{qiW9qlbt0bE#d|G5Yf00TIU(P(gy~y+JSO3b0S4;H6 z(hWQELH?ZFqdyPiI0?9^_SQe;Ed|+)KMGls4Hb>4krF6~ zEoywlKf9CEhUW{fTldpm>1Gnoi`U!pFtWuyU=i%}LFFZf3aER!$>67%%`gB_Ne)$n z4MTuXnV{G@ThM7N^t%f!vRJfe!D_>>>q)}R^YteTkEJ#0F=GYsI4GOFIrKwis%Nr;}&(KnM5 zY|cw~`DlAGC2XMGW+-8|(2?I*QqtT~IcZlPR5#lvz-n*0U-#}c8%<-6&J9b4!|?g} za#h8taS5!X-ip0%Yy?m8_0z%uvhTo{Ti~x^IDkNLldq3e(^~`NC?$dfbEMY(jqPep zSOoA2YNHo0kI}wpC`Z?!=w}WLt!#dGR-8QyF*gv2ET#R<2y|wqzXl|LIq#{JUfPr? zUQ@^-Xhj83f^#tXuLRSqU?v33;SRyNtw$&)8@bOeFqB-Wz-f%c(5>*SGEd)k^0 zVZ63j`?DNH`!#lj1fq{#31QXG!AAQXI&vmiHB9=5sekhIbZUIOJu);d3ZkTJzW?d= z{@IHLUc#kCYwSsfKp{-qM%scPD3yfa0gae978e`?x52g5ZZ%fMUV{j1U;T;BwYvi4 zT>XVhR=Hl0yxU_yi7Hbq+DGc8LDGF9n{hP+JogbW;HV9bcnX! zI$;*%z3==iFUi5Ew6?C9>-F+&Q}(^Bp6eIf>My}2fyyl}=GBdiIL^+=Nq9Up3?eKv z^LtZ3Z$iWOpJyu$Rjwx6BdTB44?g)#gBcQ(zDBr6)$u^v#cO60dXJ0%20?Ovxk@pV)H(m)GfgWjq+ zXum=tcf8{Tgof2W8gOz7alIKEo&Z6369j!laHIZu>7(d2b{+JaN!z;{3~y-B?vCd? 
zsHkVt-L-a^c#pG#{drnZg4QrAyfXBt_d5?-u!dTw1mvG0V<^)V?ev?@@>pBQN*Ve1 zo^zpbDL!4fU&giWtG;W?w%6r#BV4d#;ZJ6Su!o-Vy;pj9oK3oocTOrLDh^pAcvr1+ zt!|-$*q}@GYXz~&pVl5m_~m7g;fE#kpRMBh&&}q|$Cx|E=T*~V?ZNpvxy#1%^Fr4@ z3XG3c3shM-cVF;eCEB7ylb6rpS=PM4^3>MW()J#Kn|qPrBWjq*9H%Y(zR{^rp;XI5 z+N1q!L@WqglFk`sIX2^^DAxL9uV&8w`%uNKk=`AMoy-%<74o?Jnxp z;vNYDDaYqL@cJ`edgq+o!PEd;-{PlFwF3@*g`>krB_#+1kErGH~lLBZde3+s11n0W|&xGqu+9lNW(uIlON7?3lE zt^-5oHU>WsD`Yg?N|uiZod`dom***uWQ>JPiV3~2&Sk~8oLXt<<&+jJlrcIIj9gXp zqm&(!6?2)bR|T+*!Qhtq+X)E?GRGfDtlYYj#AV>sBPB{@Ypao+>5n7kn7lZn3IKsP z@7>pvD;Pk z1qvs*4|gY2{lH1mulmu>JrP$j&wC$BKSpLW-H+1K(`&mr*T;K`y)-UP{iSw_)qWdW z=f;g@+_w;#4$W`Z3k`HfSw*sgcQBe#5galTu+u|0!U>KG1}P=>T5OAJ+-@jj<<->?j zcyI3Z7!NJuvLy*-rtw>KjS_y&d+J(j;Gu2;o^7}zG8|zJ^&Q9EOuCa+A)!71_KoKT z8H+LT+ayf(oP##%=+7^Y2qpuJD%22P+Cif3P2=hCe2@1|O^TrrMJc@o_x4e=nNSq( zIC0{sufEbR3#C~+7v|j$IBa2;su%PnF$59v=IUi<)D~_-t3!*(F6*B#1i(Gnl{Xn% zB+5Vdca#UyT-%+b=b6e#O~Uawhd0KsGve=D`2lwz^BMLY9w)KNC$pxn^HaV=X|c9x zjDk}tB152P&-l~9-$@2VxjIKQ3bx-jFvOwt!0v50!|=yiI&k`C@Ecuk8o%raTSLP0 z=gE4}1xA{QN$18edF3b^4Pr^nwaW?iF!JCV%MO*$3{QCAEH-$1!oaw#^Wh28b9;9A z+zeBn|LWoDfn~q!#=kYfen?Rv6wL$GEh-E+GcuQM>;EJ{(E{L(s(vVX|IYa?>(QQm z^+&izc*n@naO+O%r=IFVg4pf=$qA&oGv0vNLP<5t! 
zb;l6vby{f#KWbquzR&+8gzfEQ=)MFcHti}vR0-uj0i#%qWwYwxU61S?ch5(7-P*pYz5Q6EJb7~KPZ-s%`z!&>OEwf^uuJ0J@}`#Vd+HD+1 z=n!S_8Y=L07LR2LPaUG-An4Sxd+K)Ft3LqHTyt{Y$XX5@-@5tegG!rGmO+<^*<;zB zMbvW)JW~+c4u3dVBw)8*fJ(RH?Af!CmB-bws($}4_>}-;8kj(-N_%q)y1Wftdc44G zwwx($klN|i_3MLMVp1j3SbLq${#k1*d8W43Uix97yBT@SFSkGSIO6qlc82@NW;!DP z)M=bx8whl8+@=Rk8?Lu%`3K7-PhbBSV5}Cn%+kY3_N8G&w?}dM6WlDVcwJPW6vN#D zK`CtjBHJQ9_@GRe6T5Uu>eT|ZdgR|$^j&@e$F3L0hcm*AyTngo`~qIa(_rjgEbCQl;G#})>5GVca900# zOQNT{+v`+s2J^}l#y`P|VeTiv+b}+qtnANa9=M$;*cG0I1q>Vnj@a`G*w{gj(zYk1 z(gca!6oHVW$IP|H4wUq97~lJb`&!?kZerJ3-D!gq^V@yUyG!Td1iZyI;W8KoO^|_b z2a5he*wC&)b+wbh!-=Z=1ZwYyr%$<%b#@gp`OR=&R}KGs63A`r+Oeh;9j+yPHAp|N zO@H}7K1C~}HyyN;btnb>d=*{%PRPaR{k(>RHE|rTw6`eoPoPvg@a*7nFDzkcMN?!3 zp6l&hBiHxCkOVEC;&U6~X; z<42rgT4m;ECOl)mDGQG#d!|&R9*w)gdaG%H>e3le%sb93WxsAR=ct;pvUJFryPr=5 zg*Ng{o~rxU{i}OTwLwF|kNZN^)%Dd9rl#1+V5;!L0A4Tb(>b^e=TC6U79FS=<_h>m z#l|kdlV1Ws`jW7)uofb=82spv)kh?H9J2^ZLOkbEyuXAM%Pjy~?#o8N=8d0ng!U`@>|lJgrcsOx|4=i1{`Y(m1}8 z!45U2S6gMRg|zMaHFursj4OL)2REWbJ%)Y@n>bn^8n~0D=sE73Xw$4bVrys^#^A?j zy*{DeA=_nd5wal);gM%%kaQp04>!;*F50njBPeJUU6C|FiRV5 zZ)0Q)&k^t?1p+_A4<1YAfiR1z7q3jKmsog?j9Mc5Za01}SQ##`D?`J1@vltZ2@Fxh z!7lunQ+75g+KmHfEd<`zD|0BpG@Q>Z7NZU}z=I+iaC0wTpMCpALvc{R`K^s^!an7p zeCYH<5gZZvO#&0;CYWZ!&HA;p$M$9kH4MJjab2SqH+^|%bU|}ffTw>b(g7{PB3u(r zdZwH2`+hyWl$6oRbNW#B{NZEyd?xrdvt9N`7s~SzIPL#-$=BPe!Nlkfp97N;tt4T` z)XRz7kJ|vr97fr)Jt`kCAL?a)?Uu9lUgP87E#2Ycxm$o6&1dB5})gxDH}!H2?JXYYiMjsOE>twz9Oul6^dbE{P={7ma1VZv2sA zUcP}zi6Tko2o%7oeWnk0iCoT3b+>N#UtoZ`f_#h1)3+?yf=F6|Sw|HxB)i~?<9W%+ zhqYEbN%(`+LXQ(#l|%+V4k*?iSQsXC<_-e;emV_&p;#w;-F*XHZf6yD2V+cIk5te zn1Wjx+9DSff>+Rg!3t>#9`ggpO=ukG?3KSx9Jn`&=jS@9bPw1-d3`txSJXhB)_E}% z7MH;g7U_f7ZK4T*ePr)c)u1_Vn0ze76K>$W@KJ3m0Q-Gw3#hk8%(ksh-Nz+|GNnEw#CY@;qe+EXD# z$DBEb&t|)fWdpk~Vz5J(f2&e{a=3MdH=#Ri4uJ}zQ4D@yrt;qd*?%?Oulalb^C?)3 zL=-0e9*V3KF-X_Mgdf@1%%Ni-aCPUCm~H(IpQ5UByA%+&&5AG&G@|X5c$=@l`ar`s z^F&zGdbb&$#iWX!A3Uj8R&;r>W7MFv`RquWxL%M4z9($1!0sB^sG83F?Oc1TMsrto 
zOY}xNj&~ys`pciEJ`a^J4bY$6f{n&uvh26NeUE*veTa8MpM%kXAR~dY*|G?*ItZKc z8xbDN+DjM(knR;iN+KUo8S;SpXO&^mUo^IY3_qyPT#$J50O0mL_SZvBajTaO1Sk!b zRQ5gpE-QH5gEc~Q<+}mR7kOPuxrcP-Q*ff7ptU6z@@ZHz8_kiU;F)4tWsz!QI(J}k zcmKgl9!A~$b_EIvzXx6RZ27Y1l~}+QzrAJ2MaA$;!$&Wh^Bo5KI0io&wCaZe9>$he z%~N}Ntv4;TG*EtF955c4DwY7UFiPn?I+)8igrm=A*Y*tBm|p(Ws8rNYw@@%gY{P~R z(c$~lUAntMA4VuF`7r7q+<$6av4pw9uBkT|YOu=d4q`Sq(F}AinrLkci|h(kN~kZZ z=s7>ve(CwjaPz*=pvv$7WtWNfoTV=|ur&Ec z2iM>73IX3t>DiTy%lbb#J&10PRe<|l0OMc%ueko(8kKJ04T7J|$0HLkQQ8yXkq%k+olh`My(`5OM!7LKmC#k&U^AR5GEIiE{h$%ut*r5`XO z*|@U?K$0*y-@2*%6#28Pn6>a7|76nUAq;%OXsnqS_$SaY$Y3*gdnNXmE`;hv=11t+ z(9|th70Ad(=i^K12Sho8ex?*;z~`jvd5cj)I1h%PhK>meip2blB+9O2g|%yUPI@8U z`bBLI!PlWiXVK8C5)~~z9_%yy7LuP7+os3sFo95(J|JP2urs_s;z_ZY4#1HRgYmvV zuL6uc6B>LBN>+w+EFou*`+;-ITw+(zO_5VftJiJ%jYK2GU}(p3kU$)r-q|?<+ak92 z^nLH>e`rn2sCQc zNwya?{89V7srAfQ{Mcd0y%2f}I`Xj5T_g#UZ=LZ1)9S;#CB`TBKOA}X{hrq1&Q{-d zTDTMc?Re^_9J7!P(XT(yVT;6DfM%V4vxTqiY}IzMpYZxGe?>W^Rsfe@QwqJGk5i4< z|Gl1r;}0($tZ~0xju;5msBQC~ihkpu#8)y!kSY$OPu4_#)d4Ht^hqEMWv z?R_p%2E9wxL)-_9ofbiV`t->=klxR8e?QJD{iRWMdq&U4nci478abMBI89sc(ip9hBg2fllngKbq|r&!G|t z#34|~iq~X+IOVNT^rl7;#{l0I`D8?&6{2@@&)o{?%a1T8-eUP7gAwafry^>v{WvH2 zn0-VTR6W8Hsge!{!#>00t$pbSBOzcYKte4&Vrwr?nJiU$EgEO@!Z zEo+j!zm3q(3@nC5djfHgx-1|hv}<52OE6DPR(4tfM+B7oP@NC0bcO@Cf7mspC`1v5 zWm|k#clX~j`sSr+W~FP1AH5RZBkYm;=TqbHw>sQxJhIGL^=tyZEoZV?B$I&~rF@gxRZ@fEt8F7^=qu;P-*he)K{l5E1ks&;o0hZ!*~tIM1Fr zyK?=we8RAb`u&#Z`M<8b{B|SZWsOb^B63vHWZz??x&|Yu!c&JEN2hlS!}V^2q#eT0 z>L*7G*BcZi3-51qSQog^t4nIHJ5R~M;~8nw{bH5tg}h3YSCjGQz8LKzRl%mQ^()hu0X~(AQ`xva0`dM1E(;sq->sU>K#EtL-OEWXud7jT>V`)2b7-!MZ z-NvHWR?o}vbI#vip4T<))gAj~nFbn|uYK=9Y-%u`fY1YT4%g4B{p(p| z0UqU0=W|RtL`ww7I}wcV7B5{9gI$jES$rD(zn-3dL}k{%LTrI2^-0l>XXoRyvkm%O zI&zRU{2JCe>U8IU-zM8`Wy$TG-(fwyRa641wprRPF*#vetf^&Mt$8W{PgbEHSO2b24Hgi`e;8|^(CRU&*2 z!9;H}9lEANX$BI!R6*WhrDdaKcw_l%2eqs}e+`|=`xgD29FcwS-z{DtJf6eLI_T6B zr`B2AC^kLmY(#_X&Hnm$h)-m@zgTWQ053eYuUIjVZs|1^hdR_Y^rH7lCiqbIR!M6%YT<^%$)&Xtyv7okpI5J4+X8&aQO_7i8z9NZ`wt)Uj*L;~&(DbbVX#Zv 
zrrtBEe~idjyf4!=rt9ffq16FXGbeeh4PRCMTw?xh2%Ccu8P@b|pV+`yzeoH1gyU=3 z(V+-1ngCHb)J!4$4L-cweYs1D{`Wc!SffkBizMSdERICD-}n+H$ZVN@Ab=3-5DKV^ zg>e)%0%nPlCr~%hp%O{>aJ!EUn$Y8bkVp(cGUB5E6QRimqJI&>eLNyf_)|g0auMkd z&*N19dbGxgB#QM`I=2Jp_mh+{N*%c1YgJXZ$RnfLswLWc@SP@|?CWZO2EtBo{ z8;cdW-+shCAG|#XkqCAJHJI($yZ4Wa(SZ;n0pFP3S3&5Emjb@wCrF+iCVmk%b2s?| zG68108gjdo0v8(3s8=*DO8N&>EFEC=iYK7LNi~NSQu&PrD2<}@#T-r1qjQI)Io_jj zI074n^bMVxFIai#Oh!aQ!MD%!=)>F#9!8xnsQxSlIvgc8mW`X3I1^GaKth;NdiGo@ zUpTZ5j#)g=bsf5UM{0T|x?yQh#)GB{nRiG{@GY9m2LG@aEH3ZZUmzo^hB|0wx63m! zH8oW-`|$of@&HZ+@+dvsGU(&H__WLO!+ZnU;T@f${;`^&rmi;uK(s`JSiJ^?MNyd# zA!VrB^Ozk4>X3fgyf(dpWky~xZ@TsydF?%)F?qss>RqF(y79)?ZSC8|8!sPMxX?2E zC++H=X%xbyE&B8J4)kDS=h7U5H6hf@$JUq5ipplxD2K))QNR4LxK9O3GxZs32extg z&l1*&FF^24AIR@xm`S0%pYQZ?o!U}U`}sQ!3_|N(b%{N@@#fYkdgJd-CB(-1)LS{# z-bwiCY-q}K^VE#a_gmfvNrZg9NN*Y7s9C??>}IBy0y8j^lGPWiHoU%T4Xs}S26>JG z%z?*V7iRGq`Djd=}qE;UOU_Y&?bI?s8WdW6c2}yLgpIZ$O(lKr09$ zof4r!3~$^|jLyI<`#WT?RE8ll%UXXUC+en*fSH8_bJMoY3kP{KJWb8NZ9!bxr;sfr zJzMynLDI*B{@_m(ItVG055&v%-8aQxVHCLBxE76o&bWxt+0RnWU2$pG!@~oK_(S7B z%?9DdrzL|Q<}O(uE`M7d0;a?Hn6J{-drVd!Y=uNu3z$Z6BQ|vzGD{Y^J^@iIM( zmzM?#a4KmzK12%MWS;?!GasZ%0I6(XC}QFp%dO!mzr}ZMoU{6^YA&yvJZ#7*Cxvgv<={VDzYY0jZL2i({!(FF7P>{n_Cd!Uv=DSgv97Br zv55B#Z2Sbr6ASwW=+Vr~2hV=b`Cg;``OK|&)olZ-TwizXZ*-n`-&GQyi3=k(&nZ#y zuGVDtr8M`&%2By|QeRx7yEci;N_UZEDUs{lmSD-_-79@bJw!TVBKMwYZmpTJ8KN1T zhnp`6_+J0WW89+)PCVm~9>5go5Rs^{$E%T!Q3x0XGZn|5?1xQQ*l-NGAm@pJN(fx6 z`60PPr0*Moe4$(Nm2+9D@pvIl>mnR|O4}i(khBjJDzb>8>IiqBd9MJte*q$}v8*$m zOWrjZ8rm7&wU5iqF97YPEK6Jp6jDM$KJvJ?K#jj_`U_xpKmodoLd1R-BED${^sS&r z<~vFM6^2hY3*u`|a)RThTS|XFT;J;{gpH8C?8@1{U(XX15m9HbLqZcfEgWl@f*bxa z7^dzY6&y|olVAdS30 zj6;4<$FKXo9mgmA=VSi@qB0)1cCM#yL0P0OA<&7k1Cudug}R;!jQT&F*zB_H zRGGyTI{zLx<>(_d#yIL;W+@cnHx=qs3)&69-qWLg7qk-@)KJ$Q8k zi1denOHweztpAla<(b!@^61gwq9ZvN!AGy*JYfoAs%ig(i#8{Bj~Cg{U@=LQ{+O-PyP( zt==&Ni(maKlSekhdX#J38mV+NyL)-y-zpSJL?Jp){^5(xL)YVwI({?7R+YXaryYp)0&8vmUxb zjxHxqn9apEc}4K6k=l;+XHHHW-ws?7g^=;CR|Mof7859YFs5YAqRdhMntr<|fY82A 
zrkW9+xER`MdT;=M{V?3=(mwF+x{O00Vx074-$^{{3f45p8gae$&076&1lz0sbCYJ% zO`7GDn0H(2!Ent&DF+$r{}Dir^QEPvTr9hOmwzYm50g?KpfVYzvYye=O!HmSODp~AJa@0nXs{So z{n=liig^5j>DT7Ty=k5y1uFyK~8(%Ti<6;h-m-!NjBceG_)est;K7 z@#fbTPGf78Q9|#Z5;wTLV9VJA5c;0lTI^e4!EH?21FfWf0-S5)|{mWalv#$@t zMDO}(eKPO_w2^qDSdeTyDOR_qzdn&J z<3P!m#t#n~d?)M-KZbkCRl4e^t6$qzdvTTVzy@mvvB72s5vYV9`eDO8-mI}V?W=hT zkxwt|+V__C_WcO`!q+9y-0k&3FAi3L=}8l6Zj#IZn5PSqmfEO=NH0JMfi3ozBGHli$^WA}>_fKriCa{e=C z=c=k7sym)uov>?&?nyWl(>uH(Dk>uPjgo5T9*lNJld6$x`$Du@p-ZA(48I-W0vKkP z81P(@*$OLeDEX46B;`5a7fD1#3#W0eNQZxwS3Y=%)86M-di()@hdCwA6ML}9Eudz! zfchNRP-j8ICh3WJ!O=EmMn4GmCr_UEY!9f124w;5Zo)3U_LGR_q~#xwLz7T|L^rgX z75Vm6#ygA>Q$&=`If{-gSuNnO4t)3<3+XIN;p<-=$M#-F{IEPc&Oj{75>9occg1I2 zhkpjrxF$r2cHS%jAjOVn^unZ&mCihul=)Iy*59Q{P5U1{Rb*oJkk@>vm?9@<629z!^FZax$jHu*6L#@sbrP*+nzY3S!i99p zL(!rL35hhn{uR?BNS{jrLVn6HwJe^t@^T1kKSazJ)F3qCkJnsGJ39l=5+KJNSon!p zVFm*YToq!90j33#U>u1Kg{a>AzWLrvGsUry@#=~#YzSb>|K0p%ll!m@$fFA`VxxEP z%=+Fo%I@%roB3xnD9WiL;pFYSd;2GkKUhC6S)FtqZvl0H(m9ovusyQ|t8!^b+Xhu7 zUf^(iHLL=^Aa}%L=dN9|J%_RyNreBW zET7&W!~c)5?|{d;Z`;45w9r!78bX>fLPRAYdq!3%GqNs1M(Iw&C{mGC_O1|7q;4cL zGf4=^Wff@<{>PWDu-ez){!litnFaT|c65 zjBpNT+TEfL#I34`iu$W}Kg|xX>TW_|6A=@;f7>_T(3SHf><=Nrfxeu7Y(lOrphslp zI@Q!io?)~;yTRk=8v52qOgwpX;o7}{+os=kEj`=y^vu$v0t~K@LRAo24UDdu`Ti{@ z$USjD*F5?eyGS&D{Dx7&_$10RX*Hh(;s|9!&Rs5yxX=_Ia2_N+kcJr2 z(E*Peh|G00gYVkPB~6>(jqz((-c8f=``#_{p6#kP5z@q05K1Ew!6eRCr%UxXFDCWQS{o(1bFK~17Lo}W&8?DmlU&WvAw7Kvy>9r7Nn5uvht3g%cm{y7z6UC5 zwim4D2#SByA1>X!ZQUK7Q<6pQi`BI`l0K;UtfOC;am)XZ&@}+5l*F zfTdx_>t4-V0<{wQbX|`3(zgpQJ$9Is{jfI^2=ThPLd#T80aZ?g%i{}^et)p?FsEmm99FjWJWMz%pp_&5i z{dZu`kpU);$f#^mQbj`2)69oSx*%JTffb-#_>wsr$B!QY)s@h`QC|e>>FGTWIq5~2 zGQfWXB0z?PRcbha(770LZIR#iQ{HIi~bs7zUIs*B7sJwb4%@7wS~7QCCY{% zut(T9@75MMITrJb-qksKE+M&|J%N{6$3(9rC346I2mj&%9EW}4^o)ikNIeSf2(#?r zsW*If^wSHBV?jfNbeDMC2>i zjf5D3?UnUNAgs-de32DOM+VX<4_Dz1}sHr{y~{S*s_$A;9+Ufb&P>FaBBA8lS6Ff zArnKF0iZnUpP?=zm~;gl5Y z1qO09Cwoa_399o|A1|lpN3 z_TwIFKTk=icqa;n^iGU7kIAs&X6dGi#;n<&)#5)s?p`vrea&6j{mBu>*)Y%RahS6) 
zhp@SSS@WwCVu*YbCyY6Vy>Z7OdAzXFJgY25L2U&`UdBO8n1-r_>wqL#=d0*|*M)q{ z#G~QE28qr!xeeUg8XcS*9a-ixbatF?xFG}yhjX&KE{Ce}Sxa67yoGeK^MQ2p%Y+8! z78N9WQGxF1oLh*V8D%;JhAr7H>D2ltVzi>j0-%m@+zTw3Pia15KMd%72Fa>o_hb%=6x* z9DiRnIZNcqG9!2~|Mr}4Agya+%^BL%vywI3HkP61OEgx1`LSt3%x zNlAF<`P~y=AtCnW!3r*}L6&bHzImg&4WKW0=WSCrRyA!PE8>0~m@jb3Cr9ta+`e7h z=iQf?NRe;$+27&ko?>GpgyAMAP8D*-ePC}$YVLn_w^!~l4?Wk#IV_g4K{AnIg>&3k z|K8Uv)7&0YcdaAia$Q4*&oHxAe2bBmmKJ6Ut~f6}+;Vnd@Z34u4y&O7V(q!sFLSn- zv@9c;>FnomWP>qBk}1Q3Q4vdlrKbu85sN{NgZ?egI>*%tF?Y1NzqRh{VomzM9wV>? zf_8wf7wuC;=B|;4?2wUNWC7%{G$*;&o@>^3ZvjUq-l9oYG4mqzOLKM)C^@R}$W;;AWzd0v zj{2JUdnI?PVpi+ky=Pm^B2@`w{pBXUJ1G^R1}qneP(YkyR=&o4u=tWvQ2aC(&!(JV zrMTj?hV!oxr_?>+Vl+R>p3?_*zL3M|{DnCs7dG56-V4JoEG!(OdgLURPGD9`GMkW| z?fkoDlnuLl%2#;r(unVZCu+1kY%TBB!6AY3!+^_Pm?JSBH>g4UC%!HAdI9`wEX+IjLW z?}Y3)pXlV>sIyML?7K>Qm*Cc|s*Mhi{5cO%#_ipt4_{+?y-^l1gePtVj>*Tn$MxsK zd%(4JB4JXk@yL%pc(LDSdxp2K=T;%1tG-rCmuVCo$uZ~|z1QW|N;TSE1LmrZ)u)E* zVMuS99`p?gwTfO8P=B;&&AOmDgA43zZOP#3cDmp~$sVbB4;>n6Yd^ZW>^F%mR63I~ zRhe-UV&JfD+XtjIzShCeA3V4ZQygT6a}Cl7{!?<)VR5iC)Ab*~-0YD|B=%mDuSM}& zm(fRi(anbbF}ol(0i@kOKc0K^7?cFtOb66V^w$&zGn)3ZPkGgxnJXyiRZ}?r>YMb8 znK)T&TqYiD?kb6cGvKldM@DKiM8qbft5OZcAhPQp$cdqVX?bw?S zr>3+dce>w-)PLtbh1pA}49KG(TJHp*D5QngYXUNaMfow}8MH;K1am8UI^W{j{SOby zb@Ry6Ez@`o+X}`kLxcUhbgf#4>#}94CL!f$V*$lP;1FuLa(JLFTJ2<52>j-IJy z;85yiq7V~;no4)g^1X1Hbd>JVD@CYX!L!iiMQ@86F|_7+QC*Ggz3R(Im5e-{0UT~G z)XqSNKdpK-%8Btagjv*BG3iEHDJHULYVKDFmv6en0vxpUiR%vrDH5u5>c{_T-7Uf3 z?rs3!l4aAIw{uoWS6wS-*11!7P|${+N!boTOZeKlqxZzO)SU=MksE;wK!v>eQBC@@ zn)z{T>$p~cDz+N6GO8)JeJxit-um^fkhRks4(0Jsa0o$i z%pH@P4Am}8(jU&NzQ;%(LBEKrf~QPYrlYLoG#$QW#j4Buy;KG1>BK{Qp9CG}@8FDE z@PpMb=~{-Y;_(peFQ*oZ`D5rFn&o^l7OL{EyOZ%u_P{#YiaCRy5hB1MNrQCQ6ZYa7 zcl2&gc69Px<=LhCZUc@B>vmHgDdDi}yxn%7>5X&7*Jv-AQwO3^t1>$6FDzTnA|s5O zg45oiz%9q(h;Ado#snK>j(br9E9j$bXL;jGgnaHldh}+{O)a1hEtHpvgEQ!^)^&kB zLbSs-ZdCMod-!fQh=wI${K*y2^U!M>kszoelxVNltfN`CjTOvfb+{RQXBS?}ZXI-- zNXu5BZ+*BGi3jG7xEl2Kofq{jUXxqp4pq)|Zx~ueudRx|H5pg@nX~mwNJz+4409AR 
zEA0TldIk-?DLSbb9MiTtdS^1hHPEE{m)70+SBqXv%Qkq%$(A4lhrmq5^g-{67cU}) zTI#KHMkvz&eDg5(7+w4q;rHCy&?wuprYNekx$@ZCIp;a)1?XyoW9eiVY~~E@QPni% z>)?FeeN*g-+XLa|HHjH$h+DFDF8oqtbzfj{WZ>SMw?eYoRqiL_WRp!5_ZSx2Gr5fE zB^6G~TGTpqyGNw-u-;5Gp9FD_U`wE7OEB4Yf4hagZGk4&dCkM^pKdxzt8xwBc4Blv z5O>{oKHc*@XMMiPTISHbetVV)T3OQetFwsYL*1kc9)2AODrNrfSDEJmX zxg@#lD*dgh_p4a@Bn#r|PJ{$zjy5PQ?UcEXVISj~* zs2UU;YnAJ42rZfs)W&j;WTdC72np1QD!dd$ntkf!;WcrYK8hy7g4_U2LGJQ{k^&ft zK7b1CUa+lOw}^yaEOYm=Fn*C)IM$^qm<}l_?t2U(A^osAw_@Y2MRIDIm z{jy)SsX?04_n9I6_E2+Jm`B_uGWnTe&Y`aUk+F`DUe_SGFrIkP*XwicfE`Z z59YUGFyuO4gUOFA7SV);3sUk<4079fZkL4TUI3^rn53Fx(@aQq@<3PXKXF>c=!m4?D7P)`kX<6ss36-xhHa;%;we(Ek%Brg7u`@Kwnb2#Q5AKU{ z^lmO>sAMb;2D+~rnvG<~#Lcr>W*+`tT3V%5f@HdGKTBSc$cipp9*I{@GGsU(k(UGa zW)F0sPz4}5*|3=Fz)i%v5bjWSOW$*uy$cAH5K#t?=Vy()kb3?c2*shS2`ljwlDQXg zT8TW?p=`@#q$e0@fjvKF^(Hj~!X!_rv802Qk~8~(KU$n^^UHqYuzl$qQ}Do}*Uj|;Hm=WSs@%su<~=>Ivi zdDZtZ%s$#^uVKYkidK;IkUI7E*zdUqiWi)(@@!kh@FUnR)Dza?vNRhyF;xS9wdc>O zISgK|7ucX=f*oL4W>?4Y9H3BSNG&;IWYqZ0n-^e?W6^Mfrh<-1lH~8+UW-$PPrg4g zahW|KzfjKWb9j6ghAXS7S(MGRUe26BnI>SuAn9|F76oveF|qm4&$BhY>{b;+NO?Dv zuM`LXV&L!6xc4@gW@?EZQF1U@zxt00ZoGRBYDC}^$m-~<)YQ_#k=G-VzSsyzENkY4 zv}6+S2rb9YU?78_+U>VXqB{n`4EkmEVs9V|Kty)YFT85rym@)=!)>4s`ZQ9Gz%G8X zHchS}78Wh&%vEb&KJ+&GBDpRZ+{Lhufn5ZN4GG@ts$s={eiqGJJC_hM(8fMWdMKbI zuzdFRYw)0m{g`39u8z*_gaih(KaY5TC4ac~j@cSBf^lO4W1e0^J9_s>2m5u46H*Y> zKr-aFD zOneXd>+ajLS_W2Se_(xnNLQEPa>=?P`RLC~rNBYCK4L} zkO>nG1^{Ku)kEDlJb$hH`6?H*X#)f2N{*f>Ia-X<*mfOF-#Y#2x~cEJm>oSzbnh?~ z7x_2|u7rd%j1iX8sO0?2e7cKB1vf})WP#UYzX?&&=u~AUXOjy0=l_2Gx=$E2tjD1s z`VbI{B(Ddy5Mx0bK>#G~e&Uz;z7P#{Pb0N8?J+=$NJ2y6VuMBFKs-^%2PvFTJV~9G zlp-*ZY9SFif{x(InU|yP`sr`*82Fv2n58g>pEz+s4o$?5$Z#ddZvo5t@{KL9I0zU! 
z$dX<}2oyE?wwuDg-c7DE7p!!`o5=%v{S!db5pxZk(mT7KTIaYknWjNTeip0h`HBVl zH=}pqNBzr}XD}$XLRbvU28g&eZoK;m`qt=hR>})e+D(R)!y^%~7xYVG+ZNGn{NMnJ zwm4il5$=H(C6Y0?dy8F1aBA}B{n|2jq147jK(*ndzI$7JvM|C-GASc&sHfvOP=hO< zK6qKCAJCJT<`8g|0iwmjD7JH|$DCh%fkbyWW)FUW$e$LUX}D+H(OMJKv#X;#k{- z#{lTGVu%+}0hR67W-SBbRhEHWT;IfG2?EJa!kqML=$RsvQTxE=?R?Mp`&|ye0YN>A zjzm19NAf(fFmAq)8-+4DX!eQF&%Xe zC)yR~m6Zd*b@{V(cvrLPUpSM-NeE>`cjWhHJj0d!gdsC)kSD!SB({(yjDDDAN+~)U z5a^Qh&nu|d)PAvnGvl$!>T2`IfbmE)Sdt!9$UVHuvRLvTqn%ef-yQ%+OXz=j;6Zejn+)3TolWwz#f5b zssDhsI>*O>;J|(q$)FwFSS9iM)));!e*SMX6l_Ngh|B>&%-g9-!at25Fh$$WuHvF+ zLmp&$?@)I$22vzG0oj2SecY8(;_E2?CE&4$ACBdA>t2S2a&~h4Gu0;U;T90q1vcgs zjy76yAYPp}=kls8PvN>?z*uIE*}QYVcBWyQ!k#O|460%P^6TTXS?02x=m6+_07Sf< zy}x#5nVTbe0?FA%j!B|W)K#9%ggfAJwwwTE)7au@+Rp-**>=`P44~4;BNV_ooO7tT z;GO|DM`n~VpLp}wW9JDm4k!j9{=tP|Wjt@sADVv%H~?v-B2<59+bwW)O!E6lQ$l~> zC5(2O56A@*G@+A52YJNBk*cd_-Xysc`S$EbMuI_>fkV9Sq8a5_%$X39ISWMo+KIKK z&P@a@0rr%kU&#Sf_w&1E0KK)x|35sb++(f(9Oghp0&Uy6c^FlF0+iryKSpba_y*x_ z;bhT^LY)aTUJ~V?L1aOIye}C_3yNJS=%PV4Z{C~MFp{@DC!EmCfLPd~lY8LU~2disj2=n)^ZZ1D=^=SIPBrm+#bCSz0~;bBwt94#Z() z8*UiR21Ob&NQg{#ggvVM`w;TBg0`(i5THKA1UMq#C%3CB3OXIg{JwREsCBb(s9~Nr z5O(FT9rMTCAAl7cX9f(50hkoNA(Pv8gO7Ct7#ox<)nc#(fS)diBri zu8WC}pGU^pMoD{o1XHvNoU7SnHfhOygLLFaq>~i~0&U_mQSGm6mIGgL8F_`TK6rARHZe|t94~=;gs*w$X zt&V@}f(|}!y70?b$~D-WTXzT`9T`UCQqb1bt56(thT))65K5L3G{M<- z(co!LHo^{Crl`wulN1MY~;cO$uHzHbe>%(4F{Z#*4wiAca;??7vf zIz6KJ^%<=LhCnFC*$^$fYax1i{+NvNFujhnbh*5`Bck9~vbVAgA^#KlT(b2WfQ# zCIpC{Z6-1rqx)xTXkBT#HnqYkN>bGxebe_`hmYulexIH;iC}pZ@j&VP+R*q= zU30U9uC<#QDmSO63DxgdqNS?u;v!NZLQOd-%9T)8TKQr}gQ|6M((x-tv~=I!e)*Dd zzs40|j-`3t-rvl;<&FcXHZDJwUig{G&sHxY6Le@mE|Wg0(b;p99)O|qN= z36vyILq8yS>;9_rEdrQHx=E2STKyW37v4bzV^P;-o7POASdC36UI zIjx&BB8BhWGb!?dSHCZ*Eh2;_U>(5NXdjA&woB?WIzwaxbx>KncI8S8IuMhSk`(le z-Qp3dC9mCgUSQq2r?jPX6s83i1IZIoD0lszb*g)L6@tZkEiy74?~JwDBqM`y%tbAc~MnG&4|8nL+`i*IHy{eAp`XS7H;kgj96+pA+}#$UJ#0b7zBz; zUJJ8$(3*HWtL0c$3+M^AQIzVPK-V+Q>L(vT^4(9;0SPLh?eVeu*P-+c2d@k8^8QUW 
z`r|^p?2F1uXNeVN*48OR66H-P$cf6PsNHBNEBix{ceB(EN+FRGXw5yT=jeDJ(FoDz z>UsYjqyqWJ?qix*7s7HaDJ?bN5)8kK-KF-`?MI4QkKH{=6_?Es=Vac%$45h>Xd~>V zAjXA(7ij|Q&w|Hl^-!U%r>&o)rmF3q!ys!Ss z>=*mO5o^u|E?z;~kn-6yg}Ag+Jlxz~n!(4g45OYHB_!NgXP(t)wuO%TCRzmqLU@=s z#nsVS(g5Y~1T0MIzB!Z_RS8b!8w>rB#we+&=^=u3;wWhI(yV*;>Eg`USh6G+XG7!| zI?r9IU*$p9>bSYNproXM=foFs65PKGB&$YB>T~gRd`4rKB?Rxr5x6$q-Zvko!+P_s zU580a5g3)(Sgm;s3^eFYHNo*X0~Ak!rjV}R0?NldzYaP@$6lNh?NFL%xEdY1IBc|K z*OaHcynOu0H8L9Z_IIIwi`%prky}BVar)P?BD=fHR%pH93w)Q^&A-T@)$OnHN$hiRduH2INOv6cQE9sayRJ^Z;xh(%?%MFLs{1 zM4=hta*=4PH!VPB>RarbIdd8wI$2m8HA8*z+gSyX1z^QC!9FLWg)9X(R@aZd;Ua(+ z8wgw=;;sb}v8kXf11(}!IGF4pcbc4~qo{EHy1=sZ?*rn>FEwLiwKU6FMQm%mW~om@q5;}eYJsx;SZi!F-U2G|0BR-Oo=ET`Q*PGF`>)MlxR&|-Gpeb@p5}mZ!W0p<8?0<@<_8Ud8( zZ#VxuS~>@UxT$1!jQF;f{{6QADiit+6cHjo;ld}z$H#}7{6X9^U7RWw9-d4vB0m5t z$(B@pVgrfZhS&p3wixAWg9@J`$@#<)Qban~ja6F=;&AL}00*14rhKm0C9Ax;s)4d{J9% zbNi5^HUNRb!SD%bk^n^?&u}vb7L@JJ6Bk-IP+^xFeJ%Uc>2+r4%*XtIEmDG%q)0er zblE7ve;Yh>j7RdH2nRzQe%mHtL$E)k`(o@H%>0Sdz@S1>BgfW!i?|e5hJ3^taTD#; zy;x*L2@pd}f?d@0n@{<;X=rq88l-;p4@^J6+x5v76>&GsX#p6dqa$5&pIo;M%yFuc3DcYfNqwoLDN9jPsEp z;f0P-lVl?&prN8(3SwlSQW1w1SIH3W0|D&usEO)xt)o0y ztl&JCTr+&Or4A~GlojoE{%{5Fk+Qi0N1)MY72G<;!MLYw!H>lB?I`_#@y!jG(R&AV zDJ{~MAS4gYBhc;sEm(6avuW0IL+;ucH@1PcvqL*oG03{(f048}TXCk0a0$AYrv3Nd$ z3GEMa3WfIwDtOKNY|2ltO(&ARyp;c^b$vCk1Pr=QbD<$fW zm23_z+eVKyQqLj%kKs~o_eno2*Y4AY0Ntbsa`z%_P)DSLOlWi9atb^DpV#DnGt87j zsgM(e4o{ZwJqNf+!HpX=aAYDb20*||3n542?K#)OA>T+O9R^?B+lSZ^8!w^&{WlCi zcnmS6B%-N1p+Dqb$*-!b$$ z=OFG@^%#a$Z`!am%9@YF?ubMT5W9DHU~zNMdA@<4e-jQi)E_m`H;=BphE%<6BsxQf zgJhS#a2oT_^i14VF4bUd_G=U5yEeCO93@Khq`@l%TldIj_LGYm4c6_Y}#_@ zt}J+TyL;|mxw3Q;?Ix0g+4VFDLCQy!KLb_k_@YgyRsQz>S0T;(*8v6!^<>YBP)T%2 zAqw*|7_>kzgOH{<{cs{WT~L8bJ=tDZt%Gwbm5MZyQdD)~W9< zPid;aMNm|{Sg`}yOZUYJgBykx_>VWHyAq8o6 zIz~~S{xkd1%eQzv_+>VY@xOeTMEidom`7>CC3=bG_ZWZyAJE@ci=NJu98b(|BqFO3 z_Z*=3h*zS$jP(<~_X#p68;)>(Byv<#w58e%y?LnP)yYH|F0Za`A}fH~n{JS!1e2FP zPD>R<(?=V~8#+_lhVNY7S_gd=K}A#_3O*CTTv&(9np(P;^0hCQ&1@-!Qrq2No>0Ex 
z2A71R95!leMQW9D2!Ekn%l!@0atQ1! z>NKT5DGH0OoF+dk!170)(A~iag+E?9Tj{(-#z|U5G zeATI5}XV)`9o&*8N0w+^yHah{x2qF@~^ z?coyNegxDV7IyX&{LEN?bIsG|bTOaS{XPs79&JOzG&p&fKbU8ATpHxFI!GRnt?EG6 z*b$({11EiWTvRkSO$vWOE9oAR$ylP+3Vy69F?^Bx>IP4eA1x+;XXM2-HF|JPPGaSk!ZvU*ABflI!_J&u-(zkZ!%`v=_IC zbsihOe5r*$D0=@6K|v)TkJWO|FR^XdWFF7BaG?fFCj!V#RfpJ?FTaB!O2Pbe6dyIr zy0}3Y5HM?M80;5n-tlR4v>sSiBQEUX^>aIz0O+|R033s*L3C2q%Va&2q$*4TsFl6HpmUU2Sq&18h=Ux)33G zvhv7+(wUdYG6Cf42X^7QTioN_@J1LEcBxZ$A%tD8WjAauZpgPiAwGViw6qb7ceU++ z%fxJaF?%r{sRnUS)LoI(ea6`CJ|f#49o@ds!a+&{WMg#&HGSPd5qEoz@^MD4^T6FS+d&1aK1+IY9iNqdf}}gG}JW` zj{?#k5#84Ht54cKxLWD zn|N>EhebogytP6~=*)dFVKtI2TE5(iBQU0IMp6HILhNw7+)@f9ZHMQ$^CXmL8&Pi+ z00x&UTy;=WLE!?X6$)q#!sSLKSKiO0jhS&S5!uS!Lf)BJw)TXJ@hB}AR*tu!?=6o6{rZwbKZD8{axEA>cf>)G` z=*=BOh{$Ld2Dfb6l7Ua~8`PD?v1Me%k>AH4aPCK)=LO1?Q`)Cpz{}v0I;BpcS9~MR zJr%o6!`t7LbUxJrRb)|=>r$URnclWx!+v6t>*5b8I;O4npFo%mhKM8dJ#ynibxGb17t5qByOW<4@*Q67~=A(tFHs`#SC}6amNoSWV^`B$lpX# zqi_CCK0^|ibLRwpJGQGxbQI2aZ2%3_DX--waYPR(aGKg;k`f67ab!tgJ}|L-_}BJepwjuLTF+K_eaj6jhnY z&mjPuQxFv=!&ArI8-^ApNrW51pcaq2^qRKaN8T1n=OiB@ zgg=htrx&{egvgd)xyhC|I;M=}A7yv}23W6`pmD*w;bG!pl(LkXzEI(^fu=vw+=hp= zys5ftP=twF>JYN>>%7R~Eip5NRD7~Aj)??7*fG=zw5_a?A#ich;cxt=S9QiW}Pc8+IRlk@-!XxGnWgT2>se=#%SiX9Omq?3*Y(2OBU^RQw` z1n3%2852pEo!(cz1OS(UoN?w)Ew}%JQcx(5lGdH6v&&6|1vGARRe=Q9rAyaBL*qf* z6<)ky_KDQ}!2JSNpMbHaf78_QhwLo>_;)=1S$%=FA|wg%;X6+bjr}b7P~Nl@dKM5Q zqY7gr#BNp1oX3Ctn|y)#0@5B_GpGn9vuVj2617f2EekoykmiXKX^1ptKH7Z%O0*MI zBb^~mdWZ|LxUBEKU$7y5!bkGi=4+LE@3&19|KbAZAI72)J0l8nX#_>YeB_BDXjTqZ z#oFMnsOe)E1_43S^|R!srlycKA_MBU@;k-FUKJl%^&&xd@o|_4UZ{o|lDq}>hC1Gt z*pGE?0-@w)&usQ|C?hRR8JaeAOgrDi%+{80F0cH#*gjn%ary#5Gxe{dH+q^%HeW+r zhe+^lbN>fz+_=b0i~`@Fh}+%(B_8tNV}q@FNQ8qxd`x*FJ2j7aW;tl>5Z)tj>K6U` zKX+vFR0RP{etyPcZddIMyLBrS!1L@E0hs4-U--D3wE+QH1^W{H|DaEpbX1(eKSl=kXNN@&*7_Ua; zeE06%7tMJ5G)FEo{|ZO6+QPr5&6-A#PcmQF3NGiyK&Q_b&GrE?hE|c+B)KPm)-sz3 zbbun)Cs>krfL&zpo~|EmOl`~`F%kgpc*Lo2ZEl`LBu5S54f1{r2{9;ZpR7J7uLoNs zs7OL+UMui-^50$B_Qmt8-#&WS*eP2_Oc{VO_?t~AlSE2V 
z?@RK=EFa>K?J6EKlu5EUwW2q~B8k7@26DK^fCs}RoDz`pTOsKRrS%uyM7oMsmTdK= zBBnxm@guIr`+Lu7+qaMOVe5%KXS0Ynvd1|fBr}pe$s=3hQF%LUc8O>ISLGl)@bTPM zDgvDTvx~RZMo)d_Hv&ZaD_g^St3H%N>dk_r6F{u2Xm1}YdO$yC4$IP|YYOiQBN&9WGk|NCF6QVpK@Gey z{@`l3J9im{onRD>fpcVuwvX!W&eE-@eL+;e5i+jn%q5A9WuCDcqr81qhQAPhV$GBs z)$dWMeFP$mwAVSQ0OFiM<+lNFGiKnmZ?DV%TgI-2MBt>_s1)Wy7|@g|fHmtXB%T-91GQO= z`5O6Oz|86gu7FZqNc93hT-9)>rEA$v@)d5~LE_w8B#Ogd`_dOv-LkP%ASd%1wRN<2MI`z5sU zbx(TTO%Pw*p%UOZ(AFUG{>usX>F+ZxZ}tsDSYhs(NqrVq&<6Pw4fY{&gTz+-`*MIw zqq#BRi&WZi^>q-m@LD184Bv75lBCN(66&n|7$u^PBhiq4cqhp6uGOBbW~6fdfuOLM z;FN&~)&@eb!Eq=RDxz250v0C`xEQfH04Ft(wPiynuXi^w#)P&)unbYm(Iw6%_%o0_ z8w}t;>|YB|_A|iLgTbI3i-NgRg-Jz7!0YkifY$W;UJ*1BGHv8Q=#gp#8e#QLBs(|`57>hZb63X-=1AJ^B13(B+(^*|7{6t#T^~n$R*rJl{pPCr2l@! z)?HSu;F=KsZ&%TgFMZzYm9R=@{=P{txnH7fq}}n!UQpXP&Z#?CB)Ip)Qh; zp$|X{q%L2w+VQrlqu zU_J=y#QQ`dV|9mYun~7|!ANS#YPE5elV759*z`PJ+^C^*edNIP(7?EU^zVB2bR{EV zvD$4$Ur%lAsV8NWU!MSFq+(%c-Yn}c0;w|r^*juZ{F~KGSzi7;7V-~jF(Xut z6K>-s!n^h5KL$^F3!^YBioP{5*pZz?&phH@1gPA6(3iqD!-n>?734a#p#8|ATCzV) z>E74D*5)@Ts8xSO9a#)qg@Vz^r++Q3f<}Z2DsV!jH!Y&vN)>jX<|taq3hFiI`f^Br z)#8y5#9NcpA*jE)-tkT2y~HuCHc52P?|>s03$6^_a1c-1b>A?j7XZ-_%$qp9V(C&- zLJ<^3A7DMM>nO$tH0C`5ytKX?nz8lY^>unc#ca22ZGO<^H94lYzMODitH&_8;w1Ww zHVt;6Y_J2lfNNpqkc44~`&$_G17%-vDLE9)p}kyPgK*0lg=Jf$!<*6%Yil3l4Fi#{ zIo8vuJ*jm<-b{SjKiSKB?yxCm$KmEIe(Gr?^TIe$>&wyF^!5kJtb99nHXC9jWC8%z z_ZX5QilZcqjtp;u=n)TKEe=l6!lwGO+8i));q8L9j*Xw-WJG zI&*xv*&Ds-Nx#%Qz{xIVSuK?~uvLJJssQXB#h@uNsr5ivCyo1qo$?o0np+5^IQ*U+ z@t0_NfbV&aiB_)Ha}bPU^?=M)*PuzxhBpirUqWV=j?9OQ(|{Z^)IOO{>)&$7NjyEq z`BBa`bG>VYjZ;*f!TXE(oF4V>3tQgvk7P@$mE4%}+W$vlLy38rTrKmyzP>&HbWq@G zcJVdngs@#-z8PcZaVo$iRRKUZdPLmJUmt$r>MklpWaCsHQ@D!fK|QX>8Qj zc|`5SNSt(;KbskE74DE<4vZIjzau0~|Y!Jy%?k=L*`wcOMUG zP3P-|EPfgucTvp(!}fm`;Sa?fd+bTRfkx7^1ZpNdWTY z1B(iCw3{%vccjN0Ayi|EZ@7OLEtMyO%y6#HG$|6~DHS{4f1Mb}v3%k4a%K6t4wGbH z3G$R@d6|V1OI#hWJA-^XcHGx&Gji(*1=FN7wrl(QhOe@&RAY5@Q&eUJOOE;rVbED@ zt6Ul23U)=z;E|}VQ5~4y7CM|^Y&f=&`qI0}+;A{3Gm1VcrHa~Z=Vn{I!gY*xF`u2B 
zl~$aUIO)`P2fd3H0YCWtQF#UO0CBZB*qFLrsAEU+_My9^4yB2eOP9tVnnQph(aa|4 zoJ8<`n7j|5R5t=c8fz|^%Bk}rQ6!)~MNL^*AKs1IKTb~>@o;dYV$T$V5fe9n6V(Pu zZNi-(SsEA>1^(V}OToOr%}6ARKG9$y`C#yI;}DHT0=KOm1FYg?3oxQF|{9ZGd#Zcd1j20@yHr;m{?AZSpBOU%Yh;mOhH>9j9}fn~EkR^$x@N3^#lnO6 zUSZACm7KS!-RN;1O^bGCI;|@2HJ6F>d?}q<{e&Rq^6)fBZ=$=^tR2-7^J3_|F$(Xyp0~(9#-7Yd%_=sYv|Kgla?n(kSQl-@_jeK<$*&C$3|(*jB9(0S zI7$hLgUxad+bM5ae$^)JL}|~+q6wYfR}_%YBf-L}ZYWtK8hRndd-$dh@foJuMS&NS zgFF&J`EVQ+aq57B6e4;M_^!V7{A#4AIXyKAFB7PhaTp{hbYSbED-sUf)49%j!yxd36&ABjibn0`bx+;1V5> zHUTC=L#TpTh?&SUiQ&(A%l|dNj5boJp;hQIRs7XKnx|g9jBZFfTTR7nVz-8lw1;Lj z5vv8lKSQBF6-pHC%t0^Gl6>>og&%fV$^3Y2lS$})+$AMc55~#67UA!xe)*%&MMyz* zk>3@#3t+IQ?6iZj?RXHa)Tpg1=@QoZ=EHmI!WvtDt@Wppsrr>BQu7~aJSgaY-Zt_& zia#g0c@b6UONQ-c{i4WNPLXFC#i~c$nZ1Zc2$Azz@bL+f?IC_aK3tM zCy0)Xse1jO1G{+Xe%ewW+>m3Vr&xy>HyVAdE#BWc=My4T=nH0M<|f>cR0NKeXx!#5 zIb3Wck(1oDLMNBm`US_JzER`Fmf79d3r`M@hf&J!e{7bKX@BSmH#nZsi%{AI!!!)? z>~Ck}(^A+6yS_=jD|Apcdb?9K{&tl2M_a?1GLdTzvQ*CY-N6$c7qq{Ay_iC4sdpsF z9Ko7z`*9Qg=$q@Vr@0y$Z;^r+QPIimllCg2js47TbHOO^ z#O-zmYocekX8kv&Ws_w>Iejv3N(NO`hA+cfAuzbkyMdQi+rSu~}Xnk0$w9m2%*bS)4BNok9sJnNvxCro2<6{q3HZ$jz<2S4TL6O5xvO*x9Kq2}t zE#ew4Y8nc`fV3hfprdf(S*QJO(@&6?J`B5+305%+{2EB)1SSh^NKoN8e(cx>n2w~+ z>Yp$XBNjElKKy4buGF=ts0;$+13%6nEf8R)90HjL_03z^uEWNJDTd7nAyo%)v;6Mh zgEPn}rb3_-y$SJ_bjmZ_k^Ig42ryzLUG!v7nQhGQCA3x)V~O|ae3MylA6Q)P1L;lN zpQ}*-A(f*^?OZ89e3QtCgX2)#QyTL~aYR!0hT9b`(5BIjINQ(Oy%(GZ*2bb6fM5tS z=mV?*p;3V8RZmznNF8va}UNHS_V z1Ri~}lh#@I@@BQnH?a(hcDDK5@83sh%dDij{P5>OWM2J6JSz3eRYXvjzFx=P#xK>G z5hcy$s!#`Amc|FRhe6uWM{psPjJzAe8rLO{nJDQnn;`%WIz%}^LiaX!f`$E$Jr5RDVX^n}gXGU*G84#coV%CVP z%?aph!K3yS5b2D+o-2aIy~4pb=kR zcUj!WEY)kyw4zS!hA@85^QrF1>N?Ty2B)$fbXmKe{>1t5T*3V|qXXbmZM`vn?%W2N z)TeIFk#o6aZ?hi`KX}ML*s_N058KWjhFYJn_tXz-+fnS=EkGf+NH&C#164%fB7wBv zoQ4ztpMbz~D4@K4gKlzj{I@wK^d>;#=AkMIoS4>mP6AbbWoWLl;n`b|bRjWB*H0KI zYpn`9R`4lr2hU&!@tF6}ogeH5kU$wViigmp4F^lFHnIlvWm$?dwszbwWq=EtEe|gEa+c&g}&1`AwYDTfoZ7j#*f6 znE8K)@m9t!iVz|tXiv5j1mie3pQhhi81aUi%FxRGO3{X-rFbH@04jMLDs4C?9g0_IW 
z?S?o4`hKJ;dY^l3#@Vr}IV+L+2puF&2qTdH!bzF~sCy4SoEYKQUOh(IXGZZ$ZsHy} z0Tq#KhFZZ?ufs%MfuFWcS;p(e6;VxDi9KY33$@fmN{tqiKXWtSOpYNV^^XhjLJiFh z-RA*9pPzkx)+jR_K2FWW_N*^QtEY~~;fUAxIy=PTl}K03sRH73U4`R=GKOva*b1W+ zD_0)p4TFYw7|3_f0vcv5XtU!DgM3ykK%@exKm=OJFFaxjJX~;v*f3qmsx3d~;^oW2 zm|}2^4Y)P=Geu=(5g_g&z)nSjl>t3fB3r104XcD|n?ElA`QDqDgLvnKSFO(Xq46hO zk*^X@6-=iM=H;)ArjJUhq8{^~X!o#okJ9eNZP`g~%gF~169@Y?nv73`MhjJX{{g95 z8X`s};za?t5H=H>m?{JmKpJJG%)u41U8SD%)R#QP(xr4NYFgIOu*+89?k-|x&iL%6 zl|rwk!T<64d6%|y!-twg>lP_KjzJo8VsXX)VBu8BfChiygPyIWP3y4h&9N6D?JIsu4*rp6IgZ=*l}u37FrUb<$>FupYmfaE37%Iq2=FE+#ZL(Bi1T zyc_0H&%W-+-}l$QmVc7?4O>5o0o|iKnf@eP%9`r?hv|HB>yJ}Fip(mklUGHPT)_x= zfaxww>>>*AJSx^=k|z%;Drx}j&Bn~DS)POXyi!l_qoTHrC071Xz5V&yeRzLY1N?YV zXZLYuv84X-%|HM3+gTF$0$x^9RJ=D+mgoD6?N^h{KR>Qw3^p*j=2Ng|DYKmcs8GiJ zSvCIo!J5#qW|MSeuJcWn^=%V2wR>5|8oebcl9_GSTmklZP5B#@> zL{@5nv8}J~nfZY~ca$oC|6he$_!oQNpPvrD25O*6^ll@#J#~1VpX>7ngX-7M*2ck5 z9Yj&s9ajE|J=^(TT!0zM2_^X7DmnQdQNpV*&(h~&ps9n!itfvFX8I&2kg!0P)%82W zF0g4+mgG6U%MRF(wpFY~^6o5n%DfvqYm=+g5sr3yh54pSS4d z)IM~`lFEwI5Aqr8u&<3rL^l2_Cu_G21Y1y;3_-Y=0L~&-&H91^4~6o!bCY+`QTc!9 zAr#qI;+?4rK9VUI;P$B*V3-+TwsiO$(2TVK{@xq^I-H5vqaRTax}~l(-WF3rlc_s~ ztDSyFcY{X6;|N358qSiG|D#U5TS%x~7y$)snf*Y>iADm!aF96?4jQ^c>sIO+-rnsw zPFNe!{<<83Z}-YXaCsl~9m(2hBzl1dG&tb;$au$g{=0#OEZ}Z3Vs;$J0%>OXf2^H(T+jLX z{y%nuVP=TzTSkf^dlT8oR%szx#$=5wDY6#Bm?2x1WT~uCDhcgsm`d475-K9?%F;$u zzvmreIp;jSfBojn<2=rpA)n9t{d(QYbzj$YlgAg(0yE(aGAF2$v zH)eeP4A&PBzsl(4gycx8oWk@%sbfc5hXt2JI7DZy4)Ir1Qm8ptuE47ip%;I;k?3E+ zNLDXsuV@zt$*I77zDJUT&j2gkThQVlfSPXY@fX+k$}Qy+0LSWm`x;oSFWWB+m2}yu zBQw866f)}`woR=6Z8+!+5e&}@6|}QzXf(c(HOjPCNSa~x`Q2dh`Hr@=YiD=ddJDuP z(NMr)GGd6p^xTVGU~tRQ3lbybtuY}cVYptYu3RMTf#5lA8Wx`z{&HqP6ds{B(&btIvMBClYal5)rAbyN!`eb;EBaZ3TCg^LdUAPq9)HV4s zsH3Fz=KIX*cwY~CO{Oocz`a20@vIA-)USKM?hoFgxP*&888keF7Dm2>OaV=?k{ob)Ok5LT5>XGAGLbOyKDzP{UQov| zgjMa*CAuK7z?j;RuW>YJ_>#2Cx7^=i&ZM7vZWs0$1qO8#CV0GgfhM02ut3^y#?7^Q z+8N%puV5fEo?+Z$351`bf95fi?2Oz@L)u;4jR@Cjf2hacc z;?LtFM~sY7{N&ZrVDX3^ZO69l*y@LIBj%bfGx$-fZuiFBmYn&}piRTEBh1ogj63<` 
z#xaeXjNCmosqux)o1N>_-Mlz=_0zqby6J`el7CV=zG8)iWqt*@w~ z*f*2Yc4VqIe+%iWqwWTCVxs@mSi!G2RY*S_k7>2h&Pj`08_d)6rW{a5oiBuE))Oyq zn31i)gG3~N-*Vwv zZ`rB%kTkl*u#+M_5!xh(pKuNh>ay_K3!b(S7iki09+FeVT<1|=1${;4B@U}?dWa$6 zx0XN7&`)i^0Aq_V`#sQ8k@%B6tQ`)jZt*e5JGhj<(e9U(=ST~E0OpxJ`_#%h=eqN4 z)YzFg)!PVhn)`N()j0JVp0cn`Y1VcC&iWfk`;SSK*zK zrQuuuMbfrdKLTe3#Cs#QxFJggrkM&4Z<+|LiFgnP9u%C97!f6G&OhuUua%#wg zLt^*D*|@2;!>XD#w^nWJHrLAfoTJ zF>TLo+p_Z==Zk-P3V6R(=uAs>XppUq!;B4CWFv{&M9M|?;{YD&ZXrfkKzoHM9Heco zIMa9KiwDO<;Y2vP2XG{*%&gN(sGBaGOAi?WEG4u3aj1FjxEZ}FlhSB7nwWHQD?!+zgMYAZ;DV@P?X zTv?$RGWQs`_(5Vp;)kj9h!i9_YHQ4aK5>gb#=XGRXCfb)&|KPCVNl=N$WRiQ8;m?HA{@L)~1e%I8vY*gGj-oI!y<)&gnBZ#%MZ@i~-&2KFQ`^%H@ zu+nf*H&6}GKNw)u#)C(9%7kG?M-9ac8|sNLz}<@*s@5O_ken}Khm_g-o5&Z4;UJe$ zCJEDA#!6CnW{wsO025--T#7n~vgK`Ke)X5XjJr}H3Wmu^z*XopUG&+Jzc&nHJ^Axx zLxi0zq&>ce?ucX7Be`9NSXV0@O3x0WbNgFKL#zr%|MNd>#tZQ?jrXL6qSb^9fVN22Z# zw(F}vPy&9DAqCuBXsz5@=Up7OFW+TE53w?$jK7g@pO9~F!xaz~HGevDO!+of)~`j; zJb{0J8OPqM z8EYg&qg@FyB?C&XM`pcNU-uCP@yHJ1`S|&FPuXc76>T#CgXhQJ0*9hofO_^cSJl4v zW6EaXBHi*BHjA@#ck_2G?@iw z7^q262pENDP47q$7(&ElZ52-mn<-4?1B4nbEMdlX5^J2bO8M9YkV{ffJaZUpUs5flFZ0H9wSJ7r#VVkQYai%`u8`Y*Gl9~+Edc=zRY~A zqONc)zT>XW@N=rEmdvrTI6c1EQ-wjiq*9`o_{@MI!;Mu;{Og+ts&iKW9KKT6L>3goWBd4C4>;KOTo8%NgDsWvy3} z{;_#d9MdcbkqjAW0S()E?Q>e=Nmjnf)~%G3PB8{w4>wA#tLk{@CZd9(^i~o}CLZ*k z-#q9K29TY^+lUXb5GpP@D9=y#jJ#2mt?86xGTmaX!@)EEaMnALX$?<|gJNURPHWDe z;KczvyqO(MPwj^Sizt+*OS2?G7p2WHX#XM>mJhqLap$?_)1=zRljcdqFXR%uwk~rso+Cl zSf%snjD&MMYonZ+Pva&XCt+Nt&qB~7p4@(zv2Z%n*aZU?c2WD{#Fs=m2z$Ge^U<#! 
z5kC^TSOx^VX>~ZL6i%kp7I-R*=y7pDQnz8)v~zj)41b$hk23ag!R`bl;`zDVs37>w zBHKYi5hzVX1Bud{1sf(SHc7{~@U2wqe3QP;Pv8Xlo=?iRF93v|4w@vb48*%y1DCOF zEavd+kE`039u?jIn2*pInXHS|gb2~No2FY$8AZ)mz`yx)VW~{K2`7{bh}x-HM`+$V!NpJVvI3s@yD;3_>q0OSf&+N}F%5p6guil)zz`Op{3*M&M+dsDwH zGZW&e6-6>LeYVsL*l`>uEK#z(5ZUMKx~?3XrvF#UGP%tU5K8^Wi%R1pMVfD3(npO+ ztvbJ{SKS$477`?RGm!}OgruF))l5Qsb`fM18?+?izy-H+1|dFrlpG^i=JJj(NP0rj zb^JEOBuoJK783D(=DxXtIKzQ7ug8i77GvqeQTx z>y$@6cmDiE5YPOpwc)1EzkS4z=MT7X8Npze++PxnIw?(W(TYf%vGA;x{W*KK90MF6=s0@D>id)RkZt`;Qzs z2lC>B!Jd3}s!IxazveBMZRhg`JJoEEkr-1&Q<;{seGv)Au2I^$7%-opDt$aKO+@yP zWnq4gb||WTc?S_`39^_Vev|fARRc5{M#5A0j~A@P#{-SjTic{1%!BG zMpbn|d$N}?C)|m_>RmpP6kNnjk%)mE1#9EA*1%JWl!f>8d$ywI6U2NW)Fyjay4~ZQsqid z$7-<7J?g3v)Ng<~`yQGU7Y&+>v%39QQbB zX_|{=eLl~=tysHk*}9cI?~~znpOv8gA@RS0di1x&*Q=hGmx%O_H}o?Zhqaws`8C!hml9+c9k(T|ApI`|r_TN*HP2i!#Ee zQ^NQM{zGVy9@5BrCq3Y@?o|759nTAug{`&u=3D-v) zcTBfFuaI+cf2xPhS(#{y+zc*XZ6Mb@z>Q}}=|lP!$0y#zvfsZBEF<>Y6Ya$534nw6 zB@l#QYmm`v{ia}j2Vr%k)k?e4?Y}dTlwZWG%i06>8Q>JiJv9g0dU#5fuo!>$DK;#+9}D?xW~}nR1;DD8{t^&IH~3I@%g*Xv-Mf!wi$)@Logy&n z>ESp^$Zf=9zvkbc5(UpU<;yLN#ldMQK)s?)#sF#JQZl$S{nA16xfg=In{G8eCK07~ z5$3dF0m+inlQiP#gb;<&KQbnvjWwo+nU)deARqn5Z$J7>&L>Y>q%Ism*ejuU3+AgW zdA_~Rh^M6drT@D-Qc_ly1G0zXCz@4id}%X?&)7>^c)bcF7u2fNj@8{ijuR%VBth_` zsuH#v+B$0EWpY#w2<%UWTgVCf@Su?*+L{cyQjc83-iu=Pf;k!49cnm}+y^GGZ z(fy>s0i+e-o%EV=D)0b&ogFbzl^522@Di!Wq>~jJ#<_EQ5lB8l34$lW;LMc4v(kOc_Jwj|Y2s2#^k zX91Qn!q=ihE-aI3n5tO14}QV!Z(rN5UrrnqdM{Sh(AV)E5gE=~tw@(GW>iACD?=%7 zFI$C!RkgiqXe z-cGA4b(i!ezKRG3FM)H!SKLt23wEmwkod%)!o%kNxn6o}a@^+&gEHle;b`>OZ1cE_ zlc24wv%hOYlXRRIn9I<~KO~mKFyhaUO_x3yt zi-1#;+-%@vpyoM9oIObdipQ?-=by(>TLh8-N10t&7fPJiZt*jcbSh37px)kR41R*x z?Dq-BzVUR~0{)mF0PRKZ<8K^WAAaI27^eCtK*H^Qd%X`>&$xo z9_K`H(2y-ZLa)U^dK=7#gnm~Oq@p_|;&)Q<#Jin!FT+?HO`6l^rW?Rp;Uh0tzFFbC z4Jou9BA!bkzmgb-Bc>t7vMTvdIt-ZN^x65tnMc$-pT9jr-)BdLub;{B7DbRKnYdsD zSKb#J5#I!~7A2FE5oj?6Vvn$`!^WTT;6oyfDqI-~BzIu+0M#90e8i8CsW=8r@>4_- zPjGvkSArpeYF1-IQ;m>JaR9PG-y$MZ0nLOyC?goIpcHMjfJ^(qrnJj4Mk)#c8HMFj?C+i6g7jA7Ueg*VC^!M_NQu*P% 
zcQ#iT>^Z8ldKw4w{x&6bdsdfE-($_=l#+h?iFzZxJ`&L{K}8lqJgU8XK$tQIqqLgF zjJ1^QU-?u(@)cN4;z#S$i+CU|^*`UKz6jVAWNv=Pw2O^{7Ad@p%pDX$H@ z!ayvCsJNvF`M*m~$8462)S3!Xu7M2;V9TlHg5JkDOIi%#$WixgHz4MYmQ=}_r&%4F zI5#Pf>@7Xx^P9=Ij<}wrl39cwZg$&t3a`2|1Ap5ho0`C)2$J5{v$?hQZ=UNlsNdJS z!>>xjt}oZk5+|JGNt%%-38HWTL&p?e=M)h8sZ9A>h$}=>N{p!>8jK9E^ciBMRwn`b zL&n$3H<|^!0UuhAc)!&ZlV$&n^vY}l?8;Au4lv2I>4jmB;4XG)-8(yqfExwp4R@lM zeQvKUrzc=ulbF(fxd2oZ$eX5%Ukc!K+qS(Zpefx6v)6j2rCpf29nj?EUWYpG1Sew@ zT9_U%?$P2wB2=toZZ5J%8uzW8lT=63Xsi0&&S$_RC zBV@U?)MPU3cZl!d_IAh`Ip6?kiHr#^nY~3mx>9HD~2M(O3&I@VM-iaQEv9pnoNW~E`eAUu{=o>mzD4c%* z*vh@--HXWLWKWCK9&tI`)r?I2*-V-8oh|)CrtUVKOQ?L1}i1GAWMmcm06QEw6UCyM~!Q zZ}#im&JEIWLw#*yYUj91p37^xp90jHs`m3NX|*u{oeaJasH&|PG4~ascwaDSj=%QH z@zbCrPorDEbNssEn^A`9UFiK*!Xu+9)(ud^&I^)DBaxONgK!Xl-OeyUDM;~kqpdq7 zNG)Ax>#;4oRKzMx?3o>Ir$SN{1~PM^m_5gOv$0K|j<)y3>;0^FWsLfy^T2rVOotPr z$L=LTQ}Tt*ThHzhW0DZ#td9W4r)Fd_ptYFE8fQ*A#gpg5h#0zz4G4)ZqpiiMon*YN z=*AlW(a}rvZYHiEk|N(LWWC$DYt3CpkNAFWea^P=!N5u+x1x{24QN zof<`N8H0ZQD^sVZzQ;Z2d-^h|fYoDQY592djrt85ZG%sr;_zDW3N>@j7$!+=DMB`)`R&6yvd!OZ38G*Z zz>p7NYT4Cvs6^o%LJQ^jG_Y(BzY3VP8?H}=@Lv-0sA9zO@**!dwPYzSHe%r_t`9Lu zbxe$$Q@%=DiVrtH-|SgImj`WO@5xcyJM@r-K;Ab6pCklQqS5ol#&yNFg;o#-k+|hV zRTV8Y-MU%p0xD4IxjQG?CKBw+z+lxWtN}r@f9R<8I|P4mE)@^DOUwjBmcg%>PW0Q} z+iqWVNcmfeCkMd(LY#r_L)X92&&GJbiE%sBE?f`fM7o}&U_V3MFJ@<=JlNKuPV_D+ z91Du&bw6;Y1l!;?cwhffk-0){rwHVwRiicFZ%&v5vXo^e!q5H2uN(7AK?%u;TN-_N1^$(1L%oS{<8?c+%( zruJl7v?1p9p@yxp;Z+!ahIpPug$ZuKTaSGEZ2KpB4}+$m`27ifakcW^8 z5NI5^#(_Q)j5CGU@XK@q@v!sO{K> z6S(%QpD}j#tAW??H0+r^0~LgF6sA4Di5v-#Et%S$o^v z&s#w@t@Y=|)`?gp%-^(ulREoce&SSPAqjS_%N~_aC>~v_jPq#Ay6ZvbO5(NuHuuaa zG-0#mO{v(!yv9_3-;~)3)mSc{iXJ)A7=TK0E)F3xJ17|}7czd6CU4gNb)5-XuMeY6 zVKr8(_v5El5`r(XdbX}^lLpZhP1Y7K?f-7oyU%AxX#)Ct>T+8lI(l`Gg}_vdW8M9t zNT2?rG)7dOI5UTAbD-5P{xbqcQ4;m4D5_ih_Dw_xCIy#>-=m%cJzPv;JWv{C)^VfH zIfnfLc>)E`c2MnvI`~g=m=t)vqkH}OD)a9(gu8Ri>oG!IK^aP(PtGmO9Rc=*1~Ni0*t`33DkD6TLp0Jr-`%X zo$dSpkLk~6oEZ1L48r9MF>^{esn-%Z$_!G13D>%mnN42jnz!S(4AC?gE~o)zjD_RV 
zEv8$iou;Wc$*#Dt+mV1V3^TV(zpv|6$ID)LZ9uL*wa8&zW7TYvKd+Y!@!3YLFX#jU z3$)0_Gsh0A@cx<(VlaZ1&Dhtpk6a%pnKRC)wH`WAWWLhO=7hk9KDYJzw%c4^%`dh)eL-qS<_iFU#o86BE9)D$i(gJKj&=&} z@q|6yfBn&8&{xfqLXnFCF7QfafjZ$`pX?CC>6`5^!8v=KgXI9+IGx_7J&~y=)zozN zO#{77lGbEMhnKyD{Bm4S7C20(J#_nI82$P9(c$ZI%?HNpjP_h+sknc})URDkZHRN8 zC>6w4e|i1T%ArnfR)pf*$iUiU=yieV{8zs~p;~vWMfAHNnuMz$HUo1U>8t5g zZ4B*e|J=9DzX`|i;|HT?=G5rH-i%9}oE7C*(Z$n>zg8f2>d(IQH#h{P*9?kh$Lf`0LlU-@d_rf5|t0fXO3P zllwJ4HnCr9t^Y5app;{oHIs1NgwH4zY0Unw2}Y~vQf%~V$Kr>IJBj*k0dEQp!|+Y8 zuX?Pec1Ma0WPkeN4at|hG1MpF))TvEt3(awRm#CleoI&TrTRd<>P;)pKKSapncPK! zeGi?X1*@pJlXJx%QxZRCo*^5)nK#8kMR0YRrNWA|_vG(^fF6v2gs#z~MT=CX#p^ns zY|jWpILBy=4?=i>_TJ5x$4r@PbiOL?aP(D8dB4bK08L+{q-sfn6-SN7zi0@SU#QN3D{`eqH z{T&h$QZ}E$>eDN6R$G{tcnl(d5#7Ud&q-6KYMl7nQi+I z*kg$AlPC_y{rGOlS|MSxa={N;>KMYc2j@&Khug?~G4E*y$~J=nUiC004- zb&uAZTG(H`!kR17Zuq(oetzh*8Xvo{@$H?`Etjj=EHN3lzgLan@_ln3ul9)u2s&qQ z_kF9kp4%QwpMG-fWuL^((Ymj7;`=KVt-kxDx_mGRR1LIZa&Xq!<8KxNW?(s;WK~l+ z9m~)WWPvNadD*Bc6xng$GZlBGa%J%=!>PfPI_rK3#vlI zz8zuL+c_3WU6+1XzP8x-Ub>Hs+NA0ezxDEsC>gifYQEVqm5N@k^p!3J_^VbdHaVv2 z?DTB4>sqDPt6igZM2(Fpk#36md|6dEALr1J<;TG})#G*jQ*WE>v3v5w&P#>6bCFcr zhm}CPhLs<*T%E1tXBjz@B9hUBdXl#K#PGLoR=4!&6zg}_I$h0)>(fI{jR}*m&rw-t z8Dj<6y)C4blwhrnM@gb$H{o|mD|4%qyrinq})#9XJqFKxq{sU6g)+1`e0K>eRUT>j(Nbl z8)fZ64XWu%2h2^_S2uuWS~i+gQV{mp=JTQUGdHjFxo|C{0XJVcc-vPE(HX7b?_c!) 
zzVmQ%aXA&wO!yLYUwRY30q5i~iG4cBw*cOW>q+S&gv1V)P5wE-H>qg;wjg80HmNb7V{)&L4-KU8`onpV()iNS%x$PbjZT)DEw{``ClSzKMNow zXwCM;TZtF4kV#gI$X5+6%DJ_2+ahcIN8TrGmtmtXbpX_vR|PX#t|JP-r=}VcKxt^qBmPJd4v>j{$(|RrRU%NK_&3a7mWS*}P`urz7;q(o} zJzT8Z`6&L`5x1VYUMxXmomCblH!ILO&WF*9bRIG>0yi`kmuz@```q2nGJ-QF=q5s9 z@sWb4JU)52SKl7_aof^b=!+DOmY&Tr$x+p1nyH1b#!Lxs12=qd+?8swZ`;Aa9!EO& zcxY*o(8noT?{=G1%f~sB=f*qf$6b5&$bZ1QmrJbFF1)!Nf3?*r%vY$dlVKg&<0yBA z2P{lOoV_Auo<5ms=CP#aj!ypIj7y$9ZH>~`Z}ZN*Y`o6N(A3&J>UcnT#_K*WJp9fS ziBYwD^G{+nnh!l!HaU1POkBWj#ZFec9M?XHIk@@4KP4vp)>TMVCTpwSBE7}{uCR{W(~c;=i0WvPz1bKl=$mYc;&vr~)PSoNCX5>phe=|5CWJJwIP z?~;D}r)uN!8-vxVLgxOPf)#3B*ueCMKE2D$bMR7+d~zH%X&6i$#Of#6Yh*n(W>}|c z39=SS0b)_Jgx;eqv$Db`;)%q3S^d1_D$iawsc{!Ggo{r|u#36Ns8D>U_PV)=C*^#h ztOMHKg4{s5TqG7&lM&)f2AdU-jXwU9|6`vnQ`XC& zfZi&jNfE6wCK)Uxq

)e24#uiD_%?G8D}5uWj4ZQmU!$-=C(@5W^{)kXGCoHebb^ z--4=nH8ux3R95gNtX=wv6m~VUjP14oS3}Zvh7T&gxIV)6_mGewALX?O1Nbd*X==re zEF7sBD8u6Knl&2$8a;SvWZ41QyS-*1%Vz%-4CaCJ5);u-OLd!Hz&Uyw`mbG)E<_y6 zqQG4Iv)8f(i|=mwYsXac6+7fP7e0BMvrO;NJ1(_lfcn6JDa|?zNt~d?yl}8MjX^)? zi`~c1y?fu(!9Hsq!`>X)YLjPX8Ogx$Ouo}{Kp@MV3?-x zkP)N1s3fC05znt(2YTIdIM6dq)1_zCyyZo?dTEY!p3mY#i;62lddF#5`;@OXbg#6r z)(M}lzGSUT>h{c$!BXlQ+}sB8rDK)v1dNY}eCgw3Emi}!7`GIp%uo0|D%QlcaH2;~ z6aQSjn3!SEe_FO{XVYnYsbLTpd5~?|Ao>4v&{;_vTBWuK{Uvu;d=PjxB5o=Y|5Run z90dx^a7*>YFO~;aJ$n>m@#Q`ZY^3w_R*>5|s<_jPf0qO#tJ#G=FDYN096GV3_44<{ z+ZQ$0-~W6~=(*H8qMBkUZi1E+E!+&aF$clNQ{5CU z{c^}vTCO*7D7;B^JB8NL+-bt#*n>>YQPE?DfkvJgs&e=Elc!FF9{9_}WdN9^2AE6O+v;> z9b4;FMMkcJ`oE*`Fn?;O0^wBz=)ox!2i^NV-R znr*cp1l8Z2_dhvuaxJXtRt(xYDfxB}GqK@xQIU6*swFqcbu!cK!b>0R@c1bHsp(~P zVq00bn= z?P}Nl`}@@lYwMYQ$wIH>iQCZpT@5U<_w0>5@;Y-o$`>hE8#19`CDmj@8>(9BE0zRqUMeX zhv#d)L$+m|OmgVfbfU}Iw?(c20~&Nc^;c5HmG{pMU29owns@!nnT+^!Ce3z#iS(hM zvZ9M5{!H0eYYCnCgkkd@m7_qfpccYKnd8!HWya$T^B_e^5kg*fts5|Y{P;<=5=1GJ zsdu3$$R3qN?t)KH+dabnTSP=qD+>j?KkoqvssNMY-73@q6EPI4uIMS!seH$&U{cGCXU^ERPO%U=G1BKTE07;6ShV@@+=T%q=0 z)1`JH1B%RD9kM%b1%FI^PeNK@+w%!khngNHGDdg{n0xl|Z=t#^I4*u~)vGbUU4qe| zF~o3iij3gF@lV3#T^q6Us_|tBsV4nGZmeEaMBQN=`=MgaI=j@BJ#IPKT__!DrmP=e zD+Ly0)bPhkp}V4W3gGL8|Bqug1@L89nEvuO3#UNG*U#)a-uTd9y+i)arG^!Yi!Y}F z%T(bfk%GyCs6@}exDlfu=-e-7-rrl|qf%kvqW5ax$LQ$sPe&GRcoi{-5Kh3Z^6oVy zPQ_c(FNJ!qHl0>{`K73RptLn^`UwmZ^|FmF7p&#Ps}zYMigWHgO3Mq z57;+goPI!?i7Rdy{`j$iSnD#YCM#fQX0KSk3nuPyLbv;L%0`?DW*VW_pytesg8)^L z7<8h9x<_OZnF6x5ByZ1$fUqjUIcQ*s)7}-CF4J>%({0a)juS{1H(t0`Jaz;}MZaaO z$Q49HG$M!>Z8#F*l*L5R^!b~ZqL;$%Bj2^P-d5H9WNDn+G%-z-a|)36T5aB{v|dx% zuRX4^`q|Eao%7AqiZ-m>+xhXUpSP}mc)N$i^x5w{YGz_;6zDlD_~RRQv(UHy^pYb;gAfy2np=|4CT?rL?@q;(oIGyw zPp)2%zuw<@z3=&q@I@sbG~c_GukkvW=9V5jX?fL})#+AlIU6eOeCXFGLK2*m+QP?S z%{@jbi(}?6*Ye`L3av-_!Y;n8o@jDz<-)B*u&1 zMX4OFi7UH`RY|^}5aiWM%bs5St)`3Vp*zoO5|%PkI`$F+;IIdG=Cf6bs$cqXx_|r3 z=#3=@hT1*FW5}i4+s}MiKspa6n8}pA<7Eg5KaRAbBCFoKAG+puCjWT 
zc~q~}_Xl~TdplmWa57YS6Qx?3(&MG?_OSUSbJmiGBdL{TW-pzZSVvaf)(u$auugfe z!Au=}wV7krc|5mGe_TA?kQ*D|-)Lgk`uO$Xtx^NtmsB~-u6>XBL2ksPJkXVjA+g&Y zYs`(YaJdpnw81;;=8nHF_g!alVEI>6K!bc)4qMyPDLD=!<}zw?71N2@ z1*PJ_xkk5U`sxyl`YjDzBlUVI;?D&ja@2bY}I;34uzREHMjVaw+ih{=GKOJ zCdPgiEMd@!T>vwx!2!x^t5T<$3a7FDS>{xCDKc@--=*oa6pbqc87^AD#EVg&Rr_jp zVl^lS^18*c%8?swQz2Oh4V-}rjdzY=#JhA`?*X(T>*`@R1yDl&f8 zI><({MCPb>t;<$rMDS4aLo3U(!zLD_e{3SxMRpb<9tX9Ivc;D%xqpMSWOeWD-s=u=0zcY%%jaO!!8#A@CThFFh`3}>ez{==fG){sO)RK6K zQVoV@#cTD*UXt-R$1i+?(VKI&I-&Y|(mm6PE4TZ&){H$CFx<1}P^){x4tuAq6~F*^ z7+T{*r>a7$raQ9Cb3LYCY1iV@%Qqjp-s8E(l2sEQX@)FXp&!tQKv6!-*6nJggHw3a z$~dbP(X)y@A_e5bOaJfHsduM(CzsXS8J4OxDSTgpRovt?$9e}0{c@A5c17hl1A-*z z&utsLY2D?YKVM~CRuYKAS``C0L(0AZEZF(95mTExD%@&1+6k^gKo9^!$VJR4gpfw- zE~+9SZQs3n_ad*YuGN@6#r>s{z`0r&|GxfV6D487-YrG!w}2McU$?#(c(xm|?AMLD zZ;lRIYs&CDbzrJ__xxQ}H63Xzg=KH;;vZGLM*J9j+o+r7czF!-oG(GRYtR*rjlOZ>NgppXL z;fYlSkTS^?6f=8UKEvZ=@rxIomuNrn>DL+V5o6nva__{Tm8ruA9rha&rvu~L6|3l+ znE~OpVrNnG`eu!mJyT=kVpr=HzFxUj=$TdJhgI@R^OGAq3O---VDX^f_Zh4bpVl#$ zJEm7@wR3{g2g8-D$`QYHaj@!R9%3N3g9v$%kulQQ`@S76rxo>BlIwb|kQy_$ zD~dHgcre+z`!4FOg?Z;?#bIyKZtl%8cCC6fPGo6lSbg{@O&Y6yShcETh5vcYD-k%& zH>kY1&10}fmteKaSM46}Em!M3-)B_yTCL%si^5%VqIz1}&NVnNwAWFok!|10a&%sl z=$@qNqGyHSvZj`x*rCIV*IGRyi(k*lh*_RmTPt7Q5&nK3I?0Tp&?5h+#*8zQ18+V_ zn!a|`x{QpV)sH+`%3M29Ca23v?2^ky>8qiKXO_Qhb-#1ppZ`vE^e_(f=oz~GJ?Ma} zc8B1(=&}#BPgBRev(3@-G%^o=uI^)1 zQFhSe(R+(k5*tm@gWLeU^Mq+alwttdThHmkgNNLH62Np2^;T<+TD5(2DkOJ`hpL_n zw$j_v)>p&~+!~(iU;XFu?X~|=@0?}&6y$LB=iBlXSfa15KNv&Be%xX$@!E3lJ9|@G zaO}2>FPCc{73e_+RnTeTII_YLjBB)DIQ_ZRD_&)e1oIHpYA9!7hf06g#Cs1NvJtJ7bj>R6sIU%# zhPi_!J?8AjaiE*d1N+ON{kHRqQhC1?n71TxbPIQQTMzK!y{>~6>gQp@G5`RW!cT@U zYu-<+YNUS_{9NU{@kx$5x})WjY^#9$~|4W zy-HS_HuA4A>MH{^hFvo8y?cLyZ%SoKYu`S84SqV%A_KeRU6+*%8X;U3yQzGV6BBa`P9-(2ssq&R);d^@X>PJ?d#9KVwFM-K$LO@nd2 zSlsI-uYz=U_}0qTwj*ZUcwu+hx@bq1oxGvTI4F8oKtjDe2xdiGSn#iZ*PX@stE>(4 z( z{Pz}1EgNa<53)WiN&2#vmzQZ=c=;p-=|$X)L5GX3X1V*HH`f3hin+L|!}7p(nkyrg 
zor>$wu`0c6;x0FfvJWqUA1n=g@>|s0pui{Eo!|QfTq>)+IVWiKYAfr1LrP*FSRHxX zFCm&IoeKG<`!1d1SbUzja^-Q}G=;LWt-?HpjmWaPLbx#qx^CqB$Rbr%E3A5$)x=(7 zdVnT~U3qK zTeex2)BefZKg3EbIy%}kxFoDV2lBr5>Nh8$qFdYd@^iGYC?4WJpk07w$h28$4vN?n zWv?&zdU#f~Hvg-tb>_oIYn*cC8w~sRODUooNRb>H8@tjwp7kDl@C@T0wKql0N{x9^ z{wDB+B6AUJwN$B|F+kFr<~e-5*d^de)r<5BxwB9{pRV)mU~-{|q>dOji|*rClfA~{ zibX|^L-gTAt4`gXsnOfYvD^Jgsn${1+KaZ1^fTa-B!m3!S+cbraXG0~Qu>`Q~1Q)noq? zX%70Cw+fvHrxs5yb4&R;NyFJ zu%xcrY5etV7Az3iUTK_ewIP(RHj}UM0Xte+LK5NU2@9Ow?Ec&mG5%&MKh%H3){r&p%{Y~!m_BsqkVb0K zaex1*l;c|Nlcx{Zp`N?z#TGDJ85A<{l$h;+ZI?P#M0SaQG62vP!#g`h z9XQZB_+~C8hcVpOSvd{Nds((|?w9UxDZ6 zxg9j{VRnflV@#nDhp!txVm#@jtwr6;<&GALHex02qVcyc0*(=k{eyRC)Ke$|{&_t_ z;njcW`}8O9G#59#_tg<`n?oBXRW>ZIys(BLBd1K+0RkW!ukqd@Na7YehQOoNySMC& zgxFSea5#FXPkIHU3`nFzLSCm{LsisRsA|QnXx;kt-*-^rF`M@R(GhknMT(0?gJq$o zPyZ~s4Pl@_fI#$j2B@&Gk?z}#U?MIWEiy(pI9w950_2!X4f7c>3rQS2Ow1TqKPTSh z_R3q*;3BG0MdtUQJuiPd5iSa{_p}Iw|F5|BWBMXWFpMWs`JFp7&R*m44X}MQKqk)8 zQ87St(fDrJcVD08h`J-kN0$s3G)TTPPgPA_eZ_~Hw{AI@!{gr_^V@Qr*bUuS?Xr)r zJj-GiI0-ruB@8Gs&+tu`^=Pbp{Fm!^R?`HFaVoZiJCys4LLAL^Z|!LoZNT@D;WxY0 zE~2PLo#3PIIb58oMSTLUh~(gLp4QWtLx&HW7#lwyaNUtvw8`}8lUzSkRf!p!ch^|v z9q0Wvcir%2uV)^7%X?xlK}c4%xZT5-kSxL*W>Gef`=Frr4^#0<{_(4emZ`*bd<+($ zN0M(-zssHP$F}AjpE?!u`XGit-XkZxFJr!k!^O2|Ay9essoyclL{`(|q9MSd=zRDH zc}T{RMG8to*3P0+rZIe&6KPqL?=AEktrRQd3hi_b6)0e66Y`N@tAt-vJ#|TZ`LsQG=y2%9*3(UW$QA0a$~d{TaAd5QD!Bx&;ZD9MxrxG$~F%qh41JzY$ogr z{Ons>HQuVRq+#1A_=hR??@#=Ex@N~N@(&%yX5NOo>W65-$W5)+LdQ#XQa}Va zl9X+K2ttThmQXF-WW4_Vj-@Up=h|jQW)}Wi2F6tS$_MjzF-vW%>$$O)4yTJvtUz?8Us3daI zHKNMp6QR9PHW7Fh*}D%Jzt*B{(OA5>GKD*JEarECd$G|Kr?} z^Q+m0BFhIvIQ7`6W<47W+FJayEavMZ^{NS}%>F=SWo6U4yK}d8LnWc{zLyeoP`1p4 zbZNZ0xD5T-yUNOTI)r3J){pj^2cHcHNCm>aL~kKGFG(P>j8b&TH0mdA)N5vaX{Idy z8vjaU@6;Uz4E4A$VB)9IGM$)I^yX31{y8~0+NXoIwnZ+n@5qrCjkUOK2cues$rf4> zpvmS|SfIx>(vGgY<1tJg0x}0bn&ThM|48lrpKl>^>i6G&Pub@1Na=2Me_dTGQ(qI; zIfD)(_IfyP)pe2P#>OTr9@M_}d!%;DYpg&2(#$f@OL2st%rxSti03g>2VpOD2&y;r 
zUTP}kw8hTMEN(tmbHL&Uefd(zaWG6A9A+GlOhL)gQX&UEg46A`i*FfpmX+_OZWVo-wu6swy@0l!l^kNPUnof39iN^Rf~_#OxbDK)!`Dq% z!(w(qwKvYKk>h^a`GwHVO(_Kir&R=Dl>&%5qC*k;L+`?MZ2 z9X4^n&9Fqx$(a{tjSBDR$}JabYV9U5%c;kXbVcHzO*>zyP?l6uqaKrW%bYH9ubc#- z$`?WmAI!bKalQ7I+)PNAMko>eyV!C<=%z>9O0)5+y}QQT7X9bVpReAtXWWl-bWlB$ z-g@XEN<(xx^>>$u)JFd1SUQUuQ!W|7IHS0xu`CG?t48r}Oo86J(0*w2+^ z6GK+UoEWl>b8BqBu=Vz_a764kccQ0178^SbZ%^&8VN=l^6^>fJW5*6z0sUzIYf(8{ zSR6fh|7B{Co7l?s?5VDyvD5a4%x+{ix#E-|W#kUkZr!ftxi))^zNv7&?t6E^LQi>n zx3_4%EdIZ5{wnNlriPDtw5x{1kX=~l+kQ#N-yARO$!^XI zN;;)|W%KoiJwDyeR#-t^RJSHLuwdi*`^C|>e0+T!7;gC-KRycn0Y%Tgq#kVxymhP2 ziq*K72g{w2leYOkPntr*|H_r>OeZg~@tU-s3XGNwQ+^TJxHa*!A^85IP3WZLc zk>f*VT3erxZK2#6;o*sK0Gn&s%|3tyn;WOvIJ?DvOf7h_`1tq;-Cit9xHLos6MK96 zt)2nLj*X-cY*W82g^TdhE?vAh!4;~O7%@YNYAJbS%P*M19>ZIe=OK+bq}K`}J(;eQ>v==JT|w>OzK?OEdy+D*si*U~tGoGJXcn>}luHrZQ)e7y6F~23j zf$8{n90~&pLp^k!I}@`&%1x}SUUI}J*dRc4uu8Xf@_cl^fpdju?%qD#S|)@>2JP+8 zk0te3eS~`bU*@VHATSr&kuVLv?)DrTP?KevQDGzP+b~k`Cf#5TZp|lV{ZU$`ciOf= z*AvH&%j!;qgvvwIsFY7pDfi#MZ(kk|Zz@g$q6QH8w>X*5NAKIc`&Yh$`AJ$aDCD>r zB;h0MQE4s|Xl`BaCw)Mlz~ z`B4^ajf{-MO?%+LfwGZQCM}TTjV&zvD8PX&7Le!}|9Jh~ypygK8!wEy;#9MNn0EH`>DZ59 zxz2?7$3#5hxQlvH#^<8omuCfA6hhQw*-Jymu|uOp^xX4Kucypv^UKHcsV1d2Fa$NUQS8s6BKShd}%BuuAV|tXT4f0eJrOsLK7Vd(ZHa zB`|q*5u@-85)Td-uLYOWmL#J~Ao4A-H*+@n8Kk9uSgqRR<68-MVJddRpjzjj1$=7(s0fs(u=o=N)-3 z2q~FUoh~hv-SVl#H}f$@MtfK%jtoOw06#=$@X5gC2 zT%E1iYL`zZ@2tc0*b+_Z?G zxuv3Gu0ij!#II>|_B*LP#A)V^PKk?1x%oCTA3l62u4Xjt7jfean|CeiYe1*A&s1oS z{@C~(ZP=wKRsYD4uD&U1dRm8XVX?J1_?J0=2WtV4R6p!e$u$@LXo(3N9%D1JUV1DFGvY@jcgYgXESO|Foo(fmOk)2d zsR|mhv8idT+XYijL+JA2XhaEr;zs?YW6=hpG< zPC+*CAw5Z4U$RRc6oW7qjh1=kVpzbaN{nf+*ZA&O#8h~At#S6+@=8^w`PZQL1Az_YITb-XOeCd;z*oambd`Ilt ze%`A`wpmfXGh0zlz&JZGsX^F&20DvqGsP-cPM78HM_&lZiL$>85V*iC>cc6*fa^DD z^e2gckFRgI5Lnv@T=4Q5LHFS>xwEqJgLyyP-7pMuq39p$C=!Qn+L^JJ^vIjv&%#SS zzLo0$7PQM7k#bqEEB_x}ZRpdd52%-YyE!`erBEQKd?}Vi3V_}D>{k{OCm!vzaq}XsaZ`o(`rADr_#ufL^ddG5QDl7nZ23<=W5*il$b4g`|sS-gVVD zdhPWo3QWX4M7gXka#ow#BzdAUtuR0m6}j 
zjaqP=+jsVD1;+zUlNGA48(weG*C?0ZE@}(Lo25rzu8YgFOT6`8m75|gh;Dk&@4L$j z$wNEy>#=pNWy`GETIXjKmFsbFaT3+Sx^3ENVTGT+?6-$pUI_jo9$n*)P!jZ3xoyfrAF&ADEO>^qS;iM6O9XRoC*Y zkIzK-w9^4NrTD~NqrJtnUPnZFoB=J^kGAG zS5Pt=QetnYO!o9)fFQPm-QT`tvSK!T`0!eU>g|w~FJ`=Z&$rUfd@acwv{O8g=o(a> z=Z({hEOoV6w5W_B$rOyjIy z9G!EdL087bU@q#Q$bxx#Y~H!k;s#Gr?h#Ba=^?_f!mnMh!J-;;_5=jw(;uto1S%?w z)TxI$%#Ni?kXqU%O5GYOX1Q{mzSB;lE4~Qv8Jtu~P&HLm1EBeFF3L|E4`&hR5$7Sx zJm{6hf<}~7pX-!||0r7YMbyq~hhfRv-p{aL< zt)5j`S-<%5rrlVJ@%D^p+oXDkCc&+`^UiB_-8FjQl*A**P02my}B4$ZfCGKsAe&&yX3M7U_YsgQpwp#OmlTC|1!G;x)Y z{lWj$SuEKln+Cw7c4#OqYmXbj%MBIba`fpF2P{b+!Z#`>@(f)4W===CYR=?6F828xYQlskPoCucv{C)O<@8v#K%4b$t=DFyJSdKjSa885l3keG zFiAEY{*FT{5Dz3~p_Zv7I}^(QSQbI|6?O3rjYc)zVPP|2H~Nw+Swh>Kzz%*G_FrQJ zg(B?qifg-XkJ=-OdJ~iV)@#-(-!&r*MZ(ZL;?i8vuxno4yCzMWijZGc+(1m>&P}7* z5#L&TbwLd^+=KdBf4nlrhK5fMYT#f6+Dto|-@Cc~@@M~iC#Dy`W^#6TRIM0%3(4ch zb(8h<`h`vQN{)DwpkBMN1*M}JM3g+cWgaq@z}S+nEdFY(uobY^%WL?}!5UIlRz``n z&_U=G!mC|Cn?hb&nO+QlLAe_mK87Y^9KXzVvar%_x5ex z+9&TluDs89+0JlY@Z3u?#rZ^5t%4acT1xtYg1N8nptCK=-=%!gh7DJ;lr<#9?Uv?? 
zH7ffUQ8=nNFZ#9v0d^1?Zc@>59t-@w0b$0`PyNG-?_!I42HxSNuqvjNwRfHWm%pWr zW#2Q}_V;L>2BKjUrt3`BQQ|Prp<+FQ{zE#eFW_l^mI}F^@0jT$zmB2fWz~e>^?)#g zy!*LNUPFx9@8MA#o4|}Em_g<}#(8N)&CLu964lOI>$*QSQ`X|x(s;md7U2KaBcwcf z8Q<>S$BO})guFA_5jTz9!M<~Vy03MvHi+V#0Ax!^DtwSV<2xlW zy5FJE@}v2m5F?pFU1awj!-9o`I7yw-dS!L4nGq0Kekf_~@uuHQK)TC*8seeNs&+vS z&jBXk?|E~INgai=zyHU{+vieywy&mj(;GXz+5SUZiCxeiB=u= zvr|-QE&nOg5_5H+C2=93GFph9ktx=+Nt3qITY{p*&hH%Z+t&bvqY7shl(~R{Vd~3@ zl9FVq)-rZ*g@wwLJD^?4nbqhK57YAF3VkDEzly z!qFG*E^E0g@M9^={7Fi(PyH1u_YfoVs<#UaLF)Id_=juHL@1H^eTv|)n;%8qqckLSI z4UIuDmo4XQ6JO;)5F|Ns9h1|p?JjcI3KZQ4S!;suJxmPeNS?#`sS^XAzALI5ag z>+Wm~&zT3R?eJ{dHvmDP_&6d}*N)T#)B>*upS4>d3*wJ@lbT5XGy)>GuALtiZRuL1 z+w!NMh6MiLJWJ5MNAMdP%pSitUX;C-ObZ5_x!`}|;zeUzS}}asZV#RF`?gwR2v43u z?nCmDnD-`gE@2)-p`dZ!kE4+B1OsXEA`YY#CMb9AtZ8Ls#ds>y?%w_TVmJiGLwO7A zb51_$rdQWilrofF_9K6o>I$SU%5=IxJjddkn=B6%jyS%| zSM#5kR8~Hy5w#X}rv*6)iTl5OAV{Tgn1*?gUa*q50XfSC26RIcPD1AJ^1gG{W^`o~ zSv=%nBCFT2NMAyCj;9pA2b#+KSJxHxO0o-rgre%3@~HM_Jo%6_cnv#|oB7=A52}Qz z$t%}--Txc5hsHXbG}*pQD+ zp{9wtUq($*0j^v3p@;5E#7N>_C9AmcC(=06!2^7M_+4g|8S|8Lc`};= zN{nX$o}*p_k%T6lLyMD;T4S{3(Zh#(ajyP&$T%H|J{1+t@En6L(X+Yo#{U59kRxEg z90f*m^w|)ni-@MDE1s_O|FP(xi|2!BtKXXE2;;O30s^lgZ0Ha`wg5}q)6@7d5$X{# ziGR2(j2}dY_sM>zug92vIRXe@8StMOs_oBI-kZg<9AE){-&(IXC7-u~qC<^0lyBvJ zm)6m>vId(~5P0KUDFeW;?orMB$Q&c`Rc8UHPl=RciT^9qCZG`j%vf@2G&+bNbzH1> z8TU(cC%{gSqHI750LQ+SW7{Vf2jls4V1w6yr_VMV*m7?u>H}z$&b)`@PMIuxu`z#+ z$=g2R+5+e#M8-~qJPd*5vxAc`ha3WhGMETN;+LYZBLR!gB)j)%YEP|Mw0iXNFSaELQl`}#C4#IH62gMys%QRXJaej8t<=9(9(QFo!1ym-Wh>l#ncK8UR4U|g^sySp7 zs^lwC2&oUGf~La$v&A3k#T|7n_f*PDoR)P z>(^KBVpX8guBt3?~OM9i_$nhnbP>9k9-br-TpXoxXE=fWZ9tS zt3yNuVX)|vSVw_h0VOUOl%hBTc348Dd?et2!Ujf6QV)-_Za{klic$8%r3uLwI#70_ zJ>ZGY)cP{e^8_DLa|q3PbU2DF0wjB4ViL@I8XwGRn2>4FlpP>3%FjC=1X-3~0PO?n zvDf3%{e+Be2pM85dIk0&OnW~!#85CSSyW6`r!RC!{_AdB2(nCN5(5@rs1ON*nDRXV z&@2A2U&Fwl&RF|z+h4ESf0Nyqf-d+6Ct9_n$c-K>|cU3AX_a zvVd;)Q*|<-#X{<(Rt`^zpiQs;in~NiE+lA;Gq&(ygd9K_-^{sfuiw6vnX^S7%`fBu 
z{^BkJjn7E$AJVrj^}1iviqs7Cf*oW~E$SXa2a`EdYW@QLzY&T@I8I$h{DogZBw*n~ zNS4!z@4wgw=Anmt!95^3f=wd6n*iFM_#B_Nl+>RXxhjfB{?A9pVzg}?3ld!W(vciK zA(f6mH!xg~N?L4EX`C^Drxkig16tM~Vyyb%&!nwew?dTj-fX@N&~y@JV+*XRi9;G! zhE$wnOBdHPQeKeVYWw^zQ!}#zKs}K^0zQsFT?NDmJ5kNf&W>cR^uVbx{9D^Osxeu~s#4w?_oU}2FjRB~Y!kQcnY{b^f1W2RDOrhbWs z?0iAY_eBK<8;4k8*@A=f#-=j_0FOWVwY1Ww4s(AEsraBd-zZaMv~T>ltP&U(>ATSU zLn8{vgbzx>(shd2QeEAhG!RBnvF=YNhu0)<#4RC@2r|&3j-Lrx-VJSz_qb2^BsjCf z1NuI@zOP5_<}&1tq6ngl!^*uoXiosx+xnu43hFvX2@k3u?2vX~M@I)@(jFxxAq)m3 z5uEpzkAzq(Si1+d(G@M4^$jG6ct}cKWI7? z0z*o;OnVUoRiuu~8h9hd0_1ZI{-l^SWSx`#Rc{4=@a}HjaGqg>mz5`Q{*8<>!sa05 zz%c=s*wR4;iU=sx-WkW+Ir7hPoU&GtADvm{NRX=)435m_#qJU!^DXjdTT!qS@vr_*PL!omGRI{nc+$D_E zYgl|=&;YV0l1mXtq`H|wlk`*QO0%Cp`lC-m8T^(x>{o)P_Pv9|& z10;sJJ3%!QAdi+IYmRH|ZVL;M>_Y)LExq|0diMPEf5CuJzio!}%3LHjG_jD}jG^^* zi1dg-U~F#&>;xuQNtq_=+|O_QT9aAOJ}VFqG_irSj0FeiXgx<{#LBIvf5JVh$yXf5 z^`p2rO}YbP%^qXQq)a8hHzK~*b)T~hS)r0JUK`qX*11oV#XDyJW?`%$W-B0ZTmaFl z7@i)X;Gna!z+0GIU0pr94O_s5)nWS}y5rvM+qX$o`4CzLaCyj7mz`f@AsN&tiR5+T zj1(9(Sn{$G0N0}ZF6Q>gCqaZB|9oTfL|24J9N)t6m0x>05m&sqT`2+ZD&SRctypka zF?o|As9H!UIRo+v3i_xCEmw#!Sb~u55!~tA-xiHz9wR2~2fTJ7KEKcM@Yv<8{}#=p zDTQq(2V6%=7TBb_*4VjC7Dh5!Hsg3ChdBfgtK^|(8LVLiY(=!}+7xg8G)M|)s3IT( z*$ah+cWcOnU!ZD3R7hmYx4ELO_ZD@7J`J&R2!(zm9dp1koq?MHW^@>weaCB!e~UBj zgu8o;wEQ+S$F6J0Q5_B9M>>o3g;e(>!ZCPp5Wc+SY)+f0WDvX%Rj|3j52k8d#C*Q& z?1+N_o{<$(y@_xK(Xc(|5u){qLf~?&4|MPwq(1fZ z3I+a4vUb_M|B@co`wk2bJETplqu^Y=E#N6EZEqp(jM(`%l>Rg*7StXJ*Gnbms{T(4 zz*4gU<;9t0HV#U=e#TY+OS<#tBPYBe04uV+M2wJK@dWY$Ax`7j`}NLPOmc9@!sW3; z3`{OAM1w^%k}oL{A>ElSj$5#+u{J}xf&&(XCXDNAY1zMU<8765dh`R+;i4cG4lxwu zAqtZrobTL=JJ(J4t7W>6OaK1-53P_D-169z&nuyyU>yy?uHk*r+;}>oEh%#{p3BgU zYwIhtLoT5TIFVKCeH_sP*_IYWAjrRoC;^*_%P|EiLUKZug@5K;31o<9Vo0rtvG04{ zNYmA!L->L|i*hmd&e`Nw8Y1<)o2BLO8g!=WtaUQ8Eh>NY-aQge(0(8Ok1Sd)ENP3uZ2TU5im#` z8ustv@SC6g=BhB);fpATXEIT<<5CEaaJ0IZ+ObhVSWt%mNKN1fesE(q)1ddP=aXYZ zl+cN%hlveC;Y&DfVq)UN_=u7co8smt>hUmNp`~AAHgnySnoE(d`~U^LgUSK*EDc`~ 
zg1{0NNO7pM6M2@+O811r!V`YjxV&9(Ks)Im>)_s;vx&P4O*#gHgVxU50G)XkW;g7w zv38TF6#X#Hi+A(wqh&p5{{MHv)nBLN2SO4kDZ=y3NEZSOEA8nd@TCcb&H8wrH zy7+ph%}urSfokhfRRRST!jR1gFLpmayH|6hAgX+D=o!!u1!!ABo^55+@4~&t)R#Xg zm7^(6=vJmu1KBlFG&0Rb)k0ExB0cWSmQ~lcT&6N?_tKA1A2{I37h2F#m|a?0YDfKK zN8;bEE1Xw&yl2RGvG=Wi`n>33cx`~WJtC-Vm@9Y`pKweqn47OF?CDAbHp4uVwhu<8+~foTeN!CLxufB|+Ia zjyF<;KSs)FofV0<`^7yBgE&k3rv^ClH^92L+GpZ+|0mSqJ#`!oU8>UKzZnB_&H&#+ zRYhJw1gFq|XN!UR&K;Z2xhw@VsPH9w7gizD}o`BOi)x4qU74GldT}&(Bi1<>V3J8va8ob&9ZW~x4gmx$!O041{7`g%Xsp3OWho~w=LA0oXbX~L zvkHDz$MV%dg%pxR6=dqv$torKM0CO2by|lG<(y1Rl2+X1`4%!$?L*w$U&Qh0=eH(vCurQ-t^QB*i^@y_L z!W|}$ko%G(?*tMlpLeP8;rNm1gtDjtt1);?v7Bqu?O(+WLb?c>r@81?e$^8U-0 zE?tk)SW5J1j1}4qCWuNzlYKZO_eTtt-X6P0q5>RCh}@ZX2C1WqrZJ-4djt{nPJprH zU>$lP2U4ObNWF*`W@vsPC==lW%%-(cH|Mgq@VT}YXpKu?LKLky(lBqRVV=iBK-WhR zYN*~TzOUC=_Z2q+I7JCq3G_5PDG=+};@H*IH?6H!t09YYgJb~;bq~otfMb=n^@I)# z*(7_5#`pEP(SQ(CEq4KBhgjmU59KAFp?+}72-h<4Qv?;d!rS>v9hb$6)|0f1{6?-AGjWKoR)mH$2mcuhZf$e@J;Oanj2$)#;e?>ijx`5T%6UpL^m9n{1S#^lE0l@xwJ+gbUSSGbtwo zO_{dtrlFLko1b?{`4`JcR^JSnr>LfsSZ>ID>A91>REd?rO&rsh&Xet(%8y36Gk11} zHJa&v6*u~Oeh47>1D4kvYSz`oMn}&XwDjby0aKD--MEL)*VjCH`xAUxKexvgthpu5 z5x(sL?`! 
z5YdPz>x{9JV}x1(P22zizdgO%o7^_ANI3VJ^c@?f=Lbt41Z7Hk)I-=oINce8QS3)-Dw}dJiG$ z$3(I4C=W<{NPtaHMzleeK9M*Ss%ShLX#;7J9&~x?AYf#yKc1&K1$yp-O}_WwvTsHc zKj0xnexaZ-{N9*9U4-${2)E}Cz*LJ7n) zs5bj3s5t0p5}MVEkSg{&UlLRiaH}|s~|E#~{dmC|oFSh|ksFNzp7@vyL|%9>-Z_R_%PnP;i>A||ow#Kw|*lI+az?=OC}2Cs!r=Z(1a zg%7v<{Kl_g?1}1=?txyS#aiEy6$%ajGyxGQ)s6Le90c zw4QS>va`&tb#^9|UXL*x^s;_ZZtcpOHa4_=f9;}tr`)GRK7uI7a{JWo*6wnw`BF{j z_uOW)L_Dxw7og|7V&gEJx+&m-2|9A6G<*W8V_h>3eP1vJp4so9&xRHM%bRoP%PXO(7}8^lR@Nr zY;;cOL^TH67Cc4dbQdXX&CxRPwN`_SASC|Ha|19CBn#>)8fHt#Y0ERDWb0VsvjzQ*OM`Hr?I zE5-p;sX`fO0thGxe)9zfTwZz}c*yNDMjVhl_VRpK=u`%;C!3puYK#p0nS_44sa-g)lF zBVe`gg(DDup)#+4dxM#t$^9fi2WalXY~tfIvya{Y!1k}u9~aN% zPyIzO^UCEg{oGPGeHG)2(56M?yULGa~S^AzrWUyyj zBoAK2cFoM{tAUyF`kXQNays3Jjf{*(tu<6#x3^bttmBg6z$xu8-HfQHJb_9med+_3 zwm5bp@nkzaOsv6Wi}92buO3n6P6ekx4(5zTG~FNcVFH} zmY{3r4a4bQ)+(=2WIc}5_n9;_fiWR2jB`!5_M?1u4wag3N(6n_gmf=%$ zuNJ6Wq%PMGm<7E_VdIBoR;ns0r!XowboP6AYXP@s#v$LW?aVwMKL$~GpnwZn1LboU zFJ6q80hzR1DX4fpKO<;Fy3}$D3zN}y;hcHX)VL2Pz)gWP{D}NKhw!^uRBHULV6j7xHX1)$khmkoWbLc}(Zxc^CZZE^4;4n7i$- zvW5t>$}A$}bKp3#)LQ~N=+7)%J}szym|X{FrbGy->>E`JmVQbAlT*oQZHna6z^qpF6+(d8Z`Dz4`Hn;LP=BK7P8l z@61qgc<|j3-g9T(?#s&*u3~3-WYM}8$!w{+*E{TWbGmon!NoFnBCoJIji53sI}*` z&nSNy{JMgf+4iZTSF2@ti+qDu@~T`Wzx2Yv@I`vP&T8u4WBm*!nn-Dw7arfEs3VdBA$(tT1ST@4=YGM(ggORC; zNxvpzI0)p~mNqzqRDH1|{I6ecaIyqUq$4bamNxX1sq(vaoGG-Q?mUsT-0F)pDHIcH zKr8%Vta0n=Pz}Sy`_q0{y$XR0G?XT?N9Y(p7OhQYM}wKcaqy07pUbu9z&gYxtp<9n z&OCEd(~gu{;24`AH$Ywo*IobIrU_#ufJQ00qBPC+)8E%^Qgrd9Q{u5^?xl?=1<9a8 zq@a*-)W+A`DR+q!=pZb-5c?`Kkq-fWeruUSkb6D`r<*mHB#@#Tv$RkQAR`jO0_o=9 zrKK>nZ*r>sFc>XW`=R+BFMuq(p-?C6(nDxYQyA?zSeWoZe1>FQf0;t7m#YoB+;Gsp z$N2|MWenQlf$2Z*%)GS7%AoXIepv{gRc6w%{T{D_KEwu=_7SWPH8CYyg?5Xq+Ea&9 z-nF_zsDr^MTchB>nD>hvjqCI2EF-TH^bEfC`<&?Ru^|4r_|(+2^XJcB_71^g zCSVSj3*D`l7%fmT5wTw_^bcmGKv0Fk+C%-8HVy+@7l<`bgJ?mSt1BAtjoSO#IuC&an&LksTuy{z)@)dn*OTuLa95pb7q;kC&Tq;8Ph4nZ+$}!;4UT zz!GL7lU$t0K^ZYeeZo-yNCWcapAyHAg0!GY*dhVqZS8TcJCYp?*Aj*oL>37JA7Vs( zD;>Nu^02x+_eA!y&r|ug1ZU+A{2c 
zG8lTzT6$)Kt*^No+^l@>fr3i785$ajoa8~)_}Q!7+`N-~ zIH+-wW`m#-#nVy{iajNA(^c_Lm`v)?mxk%5Pl!sBu$;t$&u`=9|`w@Ma=HomFr# zsr6@PAI&o#9h=p>y-ien>ii?L8usn$9Ug4hckql6b4XGg!@T+xBK7Z49YKL_b1QwNKt=sn$+D;cX;KVc%tAAu>BvCmLdfhLvJp9w!{XWU2)+Lz;n-c?uVb(nw z6DgZ5>#u-DGws1EFF+??Rfz4gzVg0vNuKn^BJt&>)%Q>*g^nXk@1*_%5~88D^!N2$ z!_==cXyD7%lQ(AUYL33mbJAmg&^s})ewRyGAKWUj1w!Bt{7e5O*(#^7=pkcWS*^J8rtD4k9 zbk4x;!mXqm2MbF0lc1kB0NVFOGqy-T?z&d5*|~%((m}UTN=lnrUQxEt7#kErG|?0> zGqg9vwm^D|1U1Q16>lip z(sb09dTNM+CaG52v&OlFJ*YrZYAoIQ)9QNFx^Gww+aN(x@r5SnKGvnn11SV~v|(vx z=XeAsG~%Izo^1mkt<0GtS?BN(qa)rEoI-0KfQiWGZS7fmEpE5V=3LWh&UvxQ$|BtE z>QUR0Oj5W2L{3H9oQ_<8qeqT`;`^W&$C$1q=T7VUeYOUF`1A0YS}usjg~Is2lIXT=p?xTErRhK; z-7g>}EeMjaoKTyLK>t83^&9Dn9ki>$#hVtByFZIMvs&fK<#?$NK7QViB_ z+(UA$J+otKuL!;xJ!`(fp{8Z7!D%Jdw0DW=u!3%FB{3xRteQgvk&5eI$0R8`sA?8Q zp*wzP7pb$f!F^?F0;m=s4i66J;}Mu)vIj<6CE%sVy^-pFqQ$7)6DW<$ox$iu$dd%- z4U^UtwGRiGKatuXI`2V$5`v*p*yi0Ur!sdo4Fh7E`z#Bw?63W@+^w|9fctl=S=D%S zCXJmQT2%W0s~2UB0MjyA$G5vNUt9KNtB<4C0Zw@yb2tVRGPYssy?#cgLdtlvs)K^| z^mzWUk4DBnuopk{*fib28{I7apN5yq0Z<$94%%zb*URB>?7;MM2=0OaeJhAWLgoOD zDYT9%<&9+j+;Vx1p8xW;d9@n;74B6wuKKe?0_ret{W(|pxSAs>EPca|?Y51WLXD_c zj;$&05U7C0RRD;e&^+a>x4khBC1ZxEe)g4X*X$NI?ih3qGc0eiX$9zVz2`*TJf2^Q&_k;+-MkZV!mO{(xWvjc71g+9m;)Q&m?_ zMk2rllpq2Zdx6S%?j2L9y35P^3I%KOi*wGs1@9S*pJy_6@BHm2Hria}IoSPAsmE-; zeD7~O*fM1QqNT5INmF>an5DOwDT&S%^c0on<)OLtB?(FK6ykvTRMKd&G_={B0(?Sm zKo(~q7I;-mdY6g|yhkhm$Mqo(aZXAGyvhTF+^uPo!BeDZfq|8%M=fFJ6_3+R2cQI+ z$ZCLe;H^H22<=K0%bb=rh9-pyOszNfJq02<34S3c_r{FzjhW0ibi`M{`N;~y&+EA6 z2E(^ZQh@5*3akWQC?YCa0GW#gw7BFEoQ7!d4b3uHHJag$AiuNyk{FNVsV5Qz+i{x^ zalQgU(K>wC6zIqL9MU7BvAv%iitxBCYWal{ODoJSIJRiL+KeG57#|@pZxRxEir-fS z;dB&?RF}P{)1T1cc$1jSD`oO1SY*Coo?7gwJ(^n_aL|EH^YPGIPUus zoENfiut)O0NA`RR1Bc2Pn>SGKR>D-yiqhyBtb{&*gpTq_=}l~`n*`F%tdKouR;8_{XMwXb37v_4`pZ7nY^lv;CENZbcBXHwMsVJg{<^8XR%kUm z%jY-ay<-11%j3p7P8-e{NtR) zMsD($sc!bkg&W?UvDqk?-3DEFM&G_Ez1Q6U9Bpfkp4j@YUwOtj%RjhuWLjGpdKLfq zVEuqbWE#BafBQB+_rdD3uu;E{2Z0oHPnwXPK1AYkd1c7C4FAh0vQQclUC(uE&H?S@ 
z*LL=TcXV3QQJTk%Lj(EzU%|oEpV^Qc2Es4^(%HMPHq)h1@bDC%7Hs%yWBrEZvx|%% zDj*364t%yn(2jd}28SMAKG<>j$nR_STrFCnts4$St#H-8otM`X$C}C)-rn1@=@wr< zr`)Id{-R^9d?9)|K0Xdjo&5zj4-S4=n_QmBDr*ckN#OavE1UT5>Mcl=VG=aI*zV#% zIXELYm)M{dM!4=t$=LD6?}d9q;74Y{1^60Eim|Ez5w~RyTjCJe>x;fQ01n}3&!O=W zq+coJN+m;sqGyw{ZZYoQS$o*;m`a7~wC+{%M683{`rd{GjH0F@WlP!bgJ8kMmw2y| zz5_!6Xg-hPb{AXD1x>$SXNmg7p(c)om*84!<>gnXP0ltN@$v{wp)XJzch$qtdW$&Z zLiVQE21DQ(9sw-W#Qo7g1x0#OK$ERNtt|bxl0u@QABY4X8k4eBuvqUOu%}jOI>>8J z_u4+)=cZFK4$=vEHd4|=RGX$!5wETo9ry?q?l*1iW(Sw+!YXQ*+tgm0!4}e_7DS0p zzwICXJLH&w%$8Z--JlsP((ad{n<@q!gp@JSOhdqRcTA;b!)iG8k>eIL`9uWUsOA{Q6D?D_hqbYXHW}N7GJiLe>oZ7fs=1;aq{xiiwUx z68H83H%ZO+vM5EzHjLYW^eK_p4ZY87mdg&ER`2G=8uKIS7f94WPxJ^Eqv8wyp!rQ7 zcJFz1;d1!WbaCVg*{B`KEB z{$Pie$tyI{f$fd$rZJIx^Qw!#dw0-pPQTn2BB&!)K2qSf zuN&?KQPA4mX3u`$SdwFd`d+&*)Rh~R0nEr$3Z0>n#n*8))k04P$B|xv&eE1u!g37b z7``S2%=eEfrpsdW9}g~{@A)z3bo(x5C-fpAQ`p?@8n;HZ}BO_TMxGn=tP z2f9;FR|VYH)ki01*!0qb6z|{UobVhAw{Q=vddVBf2s6LTI z@aT`YyNlJ^*vUR0nGC(7oI9^IW-WLnr1EpGF7p7SGK~4sMo3*Ie}@$vVl=I$(o16_N~J)6dzyb5iX& z@qzsoC=-q)uTf(=i4I4c$$xn3RTT?TPR_M%Ei{Z;6M{B@|%V~pTkV6TPgh`Gbn`ar9{0g%F|)PYjLHUkPnvVCbz zN5P+E0lybbEco4Q)Kn3suP-kU%(qR^{Zbm?Gt|fB3}%_>L!r5*4_enhI>Z%x3ZmrS zW~-{ICY~&NELroT%%zEQb#ORv<;1nqUtv5m;(fB6J|!t@)Y0HWy4~ z@&-9pS`9&55i^R*_e;t4sZozC~`e-|MAX2h>sH%+C!{qsM6vkWF5S>M0- x$HU2V)A!FacJEVXM&7BJWWV@5uwjAmG