From 18ced300d02582b5de3f01f3644721442ca0ddfc Mon Sep 17 00:00:00 2001 From: TrueCharts-Bot Date: Sat, 23 Dec 2023 18:23:28 +0000 Subject: [PATCH] Commit new Chart releases for TrueCharts 
Signed-off-by: TrueCharts-Bot --- enterprise/traefik/24.0.0/CHANGELOG.md | 99 + enterprise/traefik/24.0.0/Chart.yaml | 39 + enterprise/traefik/24.0.0/LICENSE | 106 + enterprise/traefik/24.0.0/README.md | 27 + enterprise/traefik/24.0.0/app-changelog.md | 9 + enterprise/traefik/24.0.0/app-readme.md | 8 + .../traefik/24.0.0/charts/common-16.2.15.tgz | Bin 0 -> 96099 bytes .../traefik.containo.us_ingressroutes.yaml | 275 ++ .../traefik.containo.us_ingressroutetcps.yaml | 218 ++ .../traefik.containo.us_ingressrouteudps.yaml | 105 + .../crds/traefik.containo.us_middlewares.yaml | 924 +++++ .../traefik.containo.us_middlewaretcps.yaml | 72 + ...traefik.containo.us_serverstransports.yaml | 128 + .../crds/traefik.containo.us_tlsoptions.yaml | 113 + .../crds/traefik.containo.us_tlsstores.yaml | 99 + .../traefik.containo.us_traefikservices.yaml | 402 ++ .../24.0.0/crds/traefik.io_ingressroutes.yaml | 275 ++ .../crds/traefik.io_ingressroutetcps.yaml | 218 ++ .../crds/traefik.io_ingressrouteudps.yaml | 105 + .../24.0.0/crds/traefik.io_middlewares.yaml | 924 +++++ .../crds/traefik.io_middlewaretcps.yaml | 72 + .../crds/traefik.io_serverstransports.yaml | 128 + .../crds/traefik.io_serverstransporttcps.yaml | 122 + .../24.0.0/crds/traefik.io_tlsoptions.yaml | 113 + .../24.0.0/crds/traefik.io_tlsstores.yaml | 99 + .../crds/traefik.io_traefikservices.yaml | 402 ++ enterprise/traefik/24.0.0/ix_values.yaml | 441 +++ enterprise/traefik/24.0.0/questions.yaml | 3336 +++++++++++++++++ enterprise/traefik/24.0.0/templates/NOTES.txt | 1 + enterprise/traefik/24.0.0/templates/_args.tpl | 194 + .../traefik/24.0.0/templates/_helpers.tpl | 22 + .../24.0.0/templates/_ingressclass.tpl | 24 + .../24.0.0/templates/_ingressroute.tpl | 34 + .../traefik/24.0.0/templates/_portalhook.tpl | 24 + .../traefik/24.0.0/templates/_tlsoptions.tpl | 13 + .../traefik/24.0.0/templates/_tlsstore.tpl | 26 + .../traefik/24.0.0/templates/common.yaml | 24 + .../templates/middlewares/addPrefix.yaml | 12 + 
.../middlewares/basic-middleware.yaml | 57 + .../templates/middlewares/basicauth.yaml | 30 + .../templates/middlewares/buffering.yaml | 26 + .../24.0.0/templates/middlewares/chain.yaml | 21 + .../middlewares/customFrameOptionsValue.yaml | 12 + .../middlewares/customRequestHeaders.yaml | 15 + .../middlewares/customResponseHeaders.yaml | 15 + .../templates/middlewares/forwardauth.yaml | 29 + .../templates/middlewares/geoblock.yaml | 29 + .../templates/middlewares/ipwhitelist.yaml | 27 + .../templates/middlewares/modsecurity.yaml | 14 + .../templates/middlewares/ratelimit.yaml | 13 + .../24.0.0/templates/middlewares/real-ip.yaml | 15 + .../templates/middlewares/redirectScheme.yaml | 13 + .../templates/middlewares/redirectregex.yaml | 14 + .../middlewares/rewriteResponseHeaders.yaml | 17 + .../middlewares/stripPrefixRegex.yaml | 14 + .../templates/middlewares/tc-chains.yaml | 24 + .../templates/middlewares/tc-headers.yaml | 57 + .../templates/middlewares/tc-nextcloud.yaml | 20 + .../templates/middlewares/theme-park.yaml | 20 + enterprise/traefik/24.0.0/values.yaml | 0 60 files changed, 9715 insertions(+) create mode 100644 enterprise/traefik/24.0.0/CHANGELOG.md create mode 100644 enterprise/traefik/24.0.0/Chart.yaml create mode 100644 enterprise/traefik/24.0.0/LICENSE create mode 100644 enterprise/traefik/24.0.0/README.md create mode 100644 enterprise/traefik/24.0.0/app-changelog.md create mode 100644 enterprise/traefik/24.0.0/app-readme.md create mode 100644 enterprise/traefik/24.0.0/charts/common-16.2.15.tgz create mode 100644 enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressroutes.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressroutetcps.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressrouteudps.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.containo.us_middlewares.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.containo.us_middlewaretcps.yaml create mode 
100644 enterprise/traefik/24.0.0/crds/traefik.containo.us_serverstransports.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.containo.us_tlsoptions.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.containo.us_tlsstores.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.containo.us_traefikservices.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.io_ingressroutes.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.io_ingressroutetcps.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.io_ingressrouteudps.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.io_middlewares.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.io_middlewaretcps.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.io_serverstransports.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.io_serverstransporttcps.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.io_tlsoptions.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.io_tlsstores.yaml create mode 100644 enterprise/traefik/24.0.0/crds/traefik.io_traefikservices.yaml create mode 100644 enterprise/traefik/24.0.0/ix_values.yaml create mode 100644 enterprise/traefik/24.0.0/questions.yaml create mode 100644 enterprise/traefik/24.0.0/templates/NOTES.txt create mode 100644 enterprise/traefik/24.0.0/templates/_args.tpl create mode 100644 enterprise/traefik/24.0.0/templates/_helpers.tpl create mode 100644 enterprise/traefik/24.0.0/templates/_ingressclass.tpl create mode 100644 enterprise/traefik/24.0.0/templates/_ingressroute.tpl create mode 100644 enterprise/traefik/24.0.0/templates/_portalhook.tpl create mode 100644 enterprise/traefik/24.0.0/templates/_tlsoptions.tpl create mode 100644 enterprise/traefik/24.0.0/templates/_tlsstore.tpl create mode 100644 enterprise/traefik/24.0.0/templates/common.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/addPrefix.yaml create mode 100644 
enterprise/traefik/24.0.0/templates/middlewares/basic-middleware.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/basicauth.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/buffering.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/chain.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/customFrameOptionsValue.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/customRequestHeaders.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/customResponseHeaders.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/forwardauth.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/geoblock.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/ipwhitelist.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/modsecurity.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/ratelimit.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/real-ip.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/redirectScheme.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/redirectregex.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/rewriteResponseHeaders.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/stripPrefixRegex.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/tc-chains.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/tc-headers.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/tc-nextcloud.yaml create mode 100644 enterprise/traefik/24.0.0/templates/middlewares/theme-park.yaml create mode 100644 enterprise/traefik/24.0.0/values.yaml
diff --git a/enterprise/traefik/24.0.0/CHANGELOG.md b/enterprise/traefik/24.0.0/CHANGELOG.md
new file mode 100644
index 00000000000..a521c17e227
--- /dev/null
+++ b/enterprise/traefik/24.0.0/CHANGELOG.md 
@@ -0,0 +1,99 @@
+**Important:**
+*for the complete changelog, please refer to the website*
+
+
+
+
+## [traefik-24.0.0](https://github.com/truecharts/charts/compare/traefik-23.0.8...traefik-24.0.0) (2023-12-23)
+
+### Chore
+
+- BREAKING CHANGE default to 443/80 ([#16368](https://github.com/truecharts/charts/issues/16368))
+
+
+
+
+## [traefik-23.0.8](https://github.com/truecharts/charts/compare/traefik-23.0.7...traefik-23.0.8) (2023-12-23)
+
+### Chore
+
+- update helm general non-major by renovate ([#16369](https://github.com/truecharts/charts/issues/16369))
+
+
+
+
+## [traefik-23.0.7](https://github.com/truecharts/charts/compare/traefik-23.0.6...traefik-23.0.7) (2023-12-23)
+
+### Chore
+
+- update helm general non-major by renovate ([#16361](https://github.com/truecharts/charts/issues/16361))
+
+
+
+
+## [traefik-23.0.6](https://github.com/truecharts/charts/compare/traefik-23.0.5...traefik-23.0.6) (2023-12-22)
+
+### Chore
+
+- update helm general non-major by renovate ([#16359](https://github.com/truecharts/charts/issues/16359))
+
+
+
+
+## [traefik-23.0.5](https://github.com/truecharts/charts/compare/traefik-23.0.4...traefik-23.0.5) (2023-12-22)
+
+### Fix
+
+- expose custom options for homepage integration
+
+
+
+
+## [traefik-23.0.4](https://github.com/truecharts/charts/compare/traefik-23.0.3...traefik-23.0.4) (2023-12-21)
+
+### Fix
+
+- bump to release middleware fix
+
+
+
+
+## [traefik-23.0.3](https://github.com/truecharts/charts/compare/traefik-23.0.2...traefik-23.0.3) (2023-12-21)
+
+### Chore
+
+- bump everything to ensure patches are applied globally
+
+
+
+
+## [traefik-23.0.2](https://github.com/truecharts/charts/compare/traefik-23.0.1...traefik-23.0.2) (2023-12-21)
+
+### Chore
+
+- update helm general non-major by renovate ([#16341](https://github.com/truecharts/charts/issues/16341))
+
+
+
+
+## [traefik-23.0.1](https://github.com/truecharts/charts/compare/traefik-23.0.0...traefik-23.0.1) (2023-12-20)
+
+### Chore
+
+- bump patch versions on
all charts for new GUI release
+
+
+
+
+## [traefik-23.0.0](https://github.com/truecharts/charts/compare/traefik-22.1.4...traefik-23.0.0) (2023-12-20)
+
+### Chore
+
+- update helm general major by renovate (major) ([#14631](https://github.com/truecharts/charts/issues/14631))
+
+
+
+
+## [traefik-22.1.4](https://github.com/truecharts/charts/compare/traefik-22.1.3...traefik-22.1.4) (2023-12-20)
+
+### Chore
diff --git a/enterprise/traefik/24.0.0/Chart.yaml b/enterprise/traefik/24.0.0/Chart.yaml
new file mode 100644
index 00000000000..54c989342ff
--- /dev/null
+++ b/enterprise/traefik/24.0.0/Chart.yaml
@@ -0,0 +1,39 @@
+kubeVersion: ">=1.24.0-0"
+apiVersion: v2
+name: traefik
+version: 24.0.0
+appVersion: 2.10.5
+description: Traefik is a flexible reverse proxy and Ingress Provider.
+home: https://truecharts.org/charts/enterprise/traefik
+icon: https://truecharts.org/img/hotlink-ok/chart-icons/traefik.png
+deprecated: false
+sources:
+ - https://github.com/traefik/traefik
+ - https://github.com/traefik/traefik-helm-chart
+ - https://traefik.io/
+ - https://github.com/truecharts/charts/tree/master/charts/enterprise/traefik
+ - https://github.com/truecharts/containers/tree/master/mirrortraefik
+maintainers:
+ - name: TrueCharts
+ email: info@truecharts.org
+ url: https://truecharts.org
+keywords:
+ - traefik
+ - ingress
+dependencies:
+ - name: common
+ version: 16.2.15
+ repository: https://library-charts.truecharts.org
+ condition: ""
+ alias: ""
+ tags: []
+ import-values: []
+annotations:
+ max_scale_version: 23.10.2
+ min_scale_version: 23.10.0
+ truecharts.org/SCALE-support: "true"
+ truecharts.org/category: network
+ truecharts.org/max_helm_version: "3.13"
+ truecharts.org/min_helm_version: "3.12"
+ truecharts.org/train: enterprise
+type: application
diff --git a/enterprise/traefik/24.0.0/LICENSE b/enterprise/traefik/24.0.0/LICENSE
new file mode 100644
index 00000000000..4139714f204
--- /dev/null
+++ b/enterprise/traefik/24.0.0/LICENSE
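Review bot: The `dependencies` entry in Chart.yaml identifies the `common` library chart only by `version: 16.2.15` and its repository URL, while the same commit vendors `charts/common-16.2.15.tgz` as an opaque 96099-byte binary, so nothing in the reviewed text ties that archive to what the repository published. The diffstat lists no `.prov` file or checksum for the archive. Consider shipping the provenance file next to the archive so `helm dependency build --verify` can check it, or at minimum recording the digest beside the pin, e.g. `# charts/common-16.2.15.tgz sha256: <SHA256_OF_ARCHIVE>`. Separately, `appVersion: 2.10.5` is worth checking against the latest upstream 2.10.x patch release before publishing, since this chart fronts ingress traffic and the changelog moves its defaults to ports 443/80.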
@@ -0,0 +1,106 @@
+Business Source License 1.1
+
+Parameters
+
+Licensor: The TrueCharts Project, it's owner and it's contributors
+Licensed Work: The TrueCharts "Traefik" Helm Chart
+Additional Use Grant: You may use the licensed work in production, as long
+ as it is directly sourced from a TrueCharts provided
+ official repository, catalog or source. You may also make private
+ modification to the directly sourced licenced work,
+ when used in production.
+
+ The following cases are, due to their nature, also
+ defined as 'production use' and explicitly prohibited:
+ - Bundling, including or displaying the licensed work
+ with(in) another work intended for production use,
+ with the apparent intend of facilitating and/or
+ promoting production use by third parties in
+ violation of this license.
+
+Change Date: 2050-01-01
+
+Change License: 3-clause BSD license
+
+For information about alternative licensing arrangements for the Software,
+please contact: legal@truecharts.org
+
+Notice
+
+The Business Source License (this document, or the “License”) is not an Open
+Source license. However, the Licensed Work will eventually be made available
+under an Open Source License, as stated in this License.
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+“Business Source License” is a trademark of MariaDB Corporation Ab.
+
+-----------------------------------------------------------------------------
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License’s text to license
+your works, and to refer to it using the trademark “Business Source License”,
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License’s text and the “Business
+Source License” name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+ or a license that is compatible with GPL Version 2.0 or a later version,
+ where “compatible” means that software provided under the Change License can
+ be included in a program with software provided under GPL Version 2.0 or a
+ later version. Licensor may specify additional Change Licenses without
+ limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+ impose any additional restriction on the right granted in this License, as
+ the Additional Use Grant; or (b) insert the text “None”.
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.
diff --git a/enterprise/traefik/24.0.0/README.md b/enterprise/traefik/24.0.0/README.md
new file mode 100644
index 00000000000..4245c176e54
--- /dev/null
+++ b/enterprise/traefik/24.0.0/README.md
@@ -0,0 +1,27 @@
+# README
+
+## General Info
+
+TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
+However only installations using the TrueNAS SCALE Apps system are supported.
+
+For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/enterprise/traefik)
+
+**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
+
+
+## Support
+
+- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE/guides/scale-intro).
+- See the [Website](https://truecharts.org)
+- Check our [Discord](https://discord.gg/tVsPTHWTtr)
+- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
+
+---
+
+## Sponsor TrueCharts
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
+
+*All Rights Reserved - The TrueCharts Project*
diff --git a/enterprise/traefik/24.0.0/app-changelog.md b/enterprise/traefik/24.0.0/app-changelog.md
new file mode 100644
index 00000000000..309af0b405e
--- /dev/null
+++ b/enterprise/traefik/24.0.0/app-changelog.md
@@ -0,0 +1,9 @@
+
+
+## [traefik-24.0.0](https://github.com/truecharts/charts/compare/traefik-23.0.8...traefik-24.0.0) (2023-12-23)
+
+### Chore
+
+- BREAKING CHANGE default to 443/80 ([#16368](https://github.com/truecharts/charts/issues/16368))
+
+
\ No newline at end of file
diff --git a/enterprise/traefik/24.0.0/app-readme.md b/enterprise/traefik/24.0.0/app-readme.md
new file mode 100644
index 00000000000..02206fafcf4
--- /dev/null
+++ b/enterprise/traefik/24.0.0/app-readme.md
@@ -0,0 +1,8 @@
+Traefik is a flexible reverse proxy and Ingress Provider.
+
+This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/enterprise/traefik](https://truecharts.org/charts/enterprise/traefik)
+
+---
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
diff --git a/enterprise/traefik/24.0.0/charts/common-16.2.15.tgz b/enterprise/traefik/24.0.0/charts/common-16.2.15.tgz new file mode 100644 index 0000000000000000000000000000000000000000..6af973278519e59dd44758e93099da0b0facf75b GIT binary patch literal 96099 zcmV)FK)=5qiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ%avM34FxtQQ6bQ-_WAza!-X(F?6Q3-p-TGRVxuWczIs0vB zz$%c$s#vHlpeVCFjySJzUhh1~30w=P3rR_oWOuW6r!7_ii9`ZOWF|5b9+}NZxPLN* zF{>}&EcjvbPovRj^g12!Z==!3{@duaTR${A-A=RDIA}K;KQx-HPOtp~XgmQfxhJ6v z#y>P3-Bz}9-^l|b{0YSrlduowtqP1H^D}@9QC9I0^)Alcv1l%guK5N0RTwi zAVoh@K^9jSutkLW8okO~x90zzGb&2mvxjahwFm2N8;OAyEX07JlOJ-lyOkB#xsfz=&GS@qRt1 zwQ;r`@fLuZVy)g3;;=S?6np9m2m2wClWPx*7Qjbim;?;m;UEAkUI0d{qSb(q+a#(A zDw!DpMvx+((@4KIRkE{2Oui{{Xv=#WMZp5#G4D3HJ0UTDJDCIsV5(^7%Q4m8m-Lc( zH4>rFBQdRs9=}ju#oT?5Lp)1nAS6B-@Z}`<0$)Ekyj1V{;Hc4P=o)fTin+~51ZIRX z5D}jO82W(k*K#)nIP`+V$KeEcVKfo7eS)Z1yYd?Xl)=!i!GMHFz^DKL^f(CmUMVMpPBq z%t?@NA?kdP!;1?Pl%dc|u}fdc%F*1*R=Yxcv{c8VxhH>X+Gh$6KAnIe{vFAp{I5P} zHX846w&16eYh7^eu_XlupHB99;bYH3l!Euf7rX?DpW>HXJ2h~Hp#N)(8Tt@%R2Qi-G08P*t^*k(djEkLRbwqrTR-0|6i% zQ33Pg`{Us+j{+(n^g*@JXtj)}Ga!EXgjLc<3G|5gaskN^9A_t@dT}y^;RNZW`61-< z@;#DXof-t15tyT8A2D-V}blF*W(qUB#F6Fva-*yF3Rx>@C@s1&x?{i z=rkIQnfN(FGr`^t#a%mx$ew_||!ZDsmdXTh3w)7wRgi*r>#NN~g z)n-*8c^qI!k)9S@Dj%W%d5kE|c$ggJ z95RhIBLRxFJ}cf(Z;JdRK=Gv@g4~Z{OvLu01$Xs6mh3hAT5v*=giI^Vp2vS(lUro* zbB5v>4n^DVV(6iPE2;DvYKFe{iAVSOGztjx_pi>5Pv4)_XZ~(QzvJ|tacS66lznS& ziDEp1LRQdkd?6DJo^9&O1<#NX)4EQz<;)>(^=qNF)?Y4&>D;C=A9E z#DtdmZ=)QqY?>F(Hk*^a|JdEl$oBW>Ec2ol>w#RTT#fskgi4V|a}+P`rYJ_jCWAfR zgUa>)-3K49Pn@N#z}qWZy}JLx7T9U(xr?)yhQ$jrGHSmt7ifGgFlE-ZFVVNOce@ML z>%QK@{IZV7F+{V7El#l%j06K6KsN1zeOXzS6aytWhA_S;7;_j0WI`X%R5im_`^;vJ6M8d34mNHM#<^82MAk`doBt z<}1U5O^1kz(?9(VaNZV6@vutC4C$ZMv_u3cy(6)&O6Z@}JdAUVUIv(XUjQ{*C-=T; z<9~{&$7T4%ch`ft$5yR?xySPJU$M#^0Q^M=XV|Mnb8i)-Xzne8v}CDTjnsU|;7}-c zPuCs*xmEzU#UUT7f!=Z0ClVw=EXOl50BXq5XG|FmCxcHX;*IGVImDF@0(bWJ_lFX2j>(=9uaiT-rcs#ez^80tcnM`>_9FC< 
zO&dI8GRJ%$G2N(JuTm1kcy3C_ALiQ*I1wPh$?%--cVcHFA>i`0F2nbF@a3yqO=8Qf z$+=EL7||(N$xt7^s)nj1YUrVjDb?9Rqhaj{ZY|r6kQVp&+bVdiWsTj6EnBA|xsO~C zy#Tf#Pr-XxDfg|Yd|Gy=xX&r#ng+`{DJP1djNMCFnYyeV?0^V+w}6CZ*wf=fo9~+z zqPZuwcdo6dGu;Vd00s=j$low#6pIs2F<OF@SFQmnKq$4n5C!U(0c{0e zy~@>yN6-`H_#b(A9t==!cqQDzPr1H{V%E5&b*-1h?Y+CbD zgoH_(-4sEeGxUEOcNG}kf(1#$u;Y+27z8++fG=M_UAp=TuZXW-!DwN5FV=;A`uFC1rj1a#?r}&1Od6@F9RIjQh-C=$ry}ca>uvsioqv_;RKbVR0C<> z>iQ+Ghe99JGQYomt>}J8c~~A|uv>rF(J&Fc{|{g zc!@a7;^@lLyZ}LpfHy^aJ4u)r$#l*E->w0OGV+u-(28##A{0uhim5|5e-mOoxWjBJ zr^FNm(H@9Y+a#peN3nJg5%M@609S-C@Ig8>%3?b^s#)pRBpv+}a4}AIQ|wKF4YGzGM; zpDAU$m#jC+e4IKRi1lCP2v=2q_fn@V;rOX6z4AyAhnl6-E0%jhWfCNaCE>aD@>t=` zp^6*tjds1=t2eawM#J;ly;196?2Wxvb94kp2kk@HJ?g+i)HygnM;+8@jr{|!1-q?o z`>5CKjz%r-(1TvfKj@;RP8uO%bV>+Y7gb%};M%A+n<=iS2V1??VW-<}j#{0@VXq4t zqjuA8dWVPYE;>Z0dDv?m936Rw&0eF~K^?DqWL*F~4tsL3h@;ZD7IXpy&jbl7Wpt%Gj6bJRF$HoV5+$ZPwfE`p7t zR=eXJ!NUe@kG&D}4x5c$tJyg0cn8gcLl1REjim^~Aj09=w3Vf;Dcd}(cQl^erq}V{ z5j<=)+kSi8X|#GHzuRk|LkL?wYWKQ+>!9oRJipO8Iz;1f3!+w|chDT8al3<#mf}gh z7&33VE~2Wq##F|ZXheI5hm8?DY$9~fIvRITvpYfuu+uw$u!Gv2!^3W`(`=6#jc(f? 
zqk}FS`$zs!w>fSd^m@&sgQbYxCL`prU|mF2aci!&EH2P)wc+Rh!Ztea&|$}Gv^xIy z;K*-`+r3Wfu;n$I?QZAjsC9HW?si6~1%1@%bsLAU+3b0p(NawBCTMLAz{_eJoApMD zVe_EZ88t_vgQHQ`Z?}<;M!oK+G4i{eZfn$lN4-{SeAsKW#@#kNI6ytvZT4EdrZ+~s zU;a`IBSIPH=O+P1;o7+RquL$Btfp(Hcw0ORHhXRF;IQ5E4@RR-y9Yb1!*SQ|c1NQT zY@pFWd*u0}qmkEYv>KfQ)atg{qtU3_KH@Y-y`^~1V2q(ZdKlWOav|28qZT~sb&tBu zrr&NI9**GAsMl@x#-rwe-}FX}_Q816K0N60)#s1Luf&~LT72R+nk9QqB^ZFQRH$ny>% zLVmA38XdLTsOQ7OZm&J^y|&jx%Q=MdPeS3R!6l$t9`kG^zOn=Ump=UwA_@W{6p*_L z7gFX?Dq~0qM!;AIc}*1no}h_wyjVdKRjVdztqa$7K6N>4b9~tLk>`(l&5k!3cMegj z(>gk8HAlU11C3z=9k#mTPUm3U^}5XlXBpm6W8CXCTCIcL;o;gCtm~F4p#6$t^e%z1 ze_yKK;TTPL#d5l*u-7EHfw=~>jF)et-fFa(jiaX7dXKog((UoR)*m1G9lw3pZ8ed9 z(1sn)YaNYYt1}vR4-OlRgVA_|dhIr9G@6GU)Iy{2$Xf@8dy!h3q>un*!gQ41G*WKU zQxv0mWd|Im;ah1@PrB+s-$yG@7;{yGL;mXw;_$B; zPQ7$YwWi>>Vp!oN`Ix7C)RLcbMtu)&m0>|BPtplP*95PHR)It1|Fj2$No5Zp=GE)< z-MWHvF3bG&Pt#FypOINnI$t&(qJM7L0F^4!d82VC~l&00Jk8Vun*hhApo($wuI^_&5_*iS`vMndnuN;sa z?zRM4J_OJT0c!$u4Drg{9;@pfr#uqs#v29aU9|6y6>2KcnJWrPZt!|Fz6w)}rJ(cDf+#$t}KEj^jI^rfBsup(5B) zPyzgmf*D|F7IEgU*J}hR)ijrg2xVTb_?kMvsRzV^fmJ4l9oO|!>^KOkwD{P!UI2sP z0J3QvtczM|RoKtGmA39lNMgQXrP0fZ;Rb(y!zG4Jtx*6?`gjatG{&Ecz?Be45G7oK(NLQf4p znJwk|Vwjz`b?}z3DUgPGVM64qNKSD+`jPaq2GE@udL_R@i~_7iTLvVkI5$cYBuG8R zfex|MPVx%fn$>J(p4V7F&4QG!{d^*g5b(%sghSpM=6GupeOlN{4fYZVD?W57tX##k zl4-_;CD(h!qJFJ(x#EzaiT1444#X&C?_mfhC@yeIOt*sN-O9u@gHqQ}QLbbwp^FxEKDq!oBgA6^rnn3jc}; zS~+jcq*E(AAK2_rC0E=^YhnsHsZNS3hXhPwl0@d)M27t=YYKZ-8#29#Rs0V76U6!s zZCn5u(kVaeYEcco0=2}*xd>=jr9@^Dr=B{Eq z3V^C}ix!!$Cbq?bS@AOGpuC`#|96Upf2WvfahO=M*BzUQYI%g0P;!eq&+|a#Y4x?* zlu{s>WEY@7jFsxv+q3KAenx_tK!)z%0>mU?>u6r8+~d?P0fYlq$8a2yOxVB$YAHlh z07HOa9B?U}L3!HBcUS~j5~Dr$v`+hWBrt{{LrP779!p>lEWjO!Z-tik7I8E=Ayi;4 z4EF^S@kB@**Sf@+Zo=CTJ0(dN2aP>sPVQ7b$Bq;dxth%vpb z?12CJuNaO0`@dhC1VobLH5lPK#S>b;JrqGwM&hCSG(z6~jw)CWWgHm}C#vXQTH|>W z2GJC@c1u-PLF9WVuA=->wN>jtqNMPGsB&)3%j_2>18 z`Rih+{`z<--w9CCm($dEQjKn7+NQgpbcmxxDaaV~rXoX!(y(ESLUx75CT{?jE;-NE zP6cW%Fau8OBZ{+^P7Na;|AIq*B{WIzcM_PXDkS5ws;ZPL)SI}(b*jnTwXijcWFjxV 
z@YGV23T+N^Rr1oHk<&a;s-}j<+o@pC;v`UvkB=6oq@#D+78)H2B#j)rUK%x-1v`S? zEed@h>ct3%*jmnebTBKRQ<4NepJEh+tZud?RWY3%5`KP5*Tbh2IP1MVIE7RPj^ZSr zJA@}wrt?04th()yP_7fp++jL}Lyyet-qlkFFSDA{Xi`xRWdv`bVLO|%mMXZm?&!(- zQ9Jj3r4kYU6w^2nEa+{bg_nZxsSHn3j-}dQ0xon4snqF6zDhM8`SuqsQ^-F*89^jt zeM#*qGaMezAr3ean#42s`C|y}x0O3Ini3*(n>pvHP>4Ha9Z-P)reH-5qX40&`z&GW z0MW(rASx9n{#7}Dy6=P=r4DpaK9!E!Z`SLVGb&lEz#Uf)Yf~mIGw=|aiQ&}-<$-*2 zLGDmIQ240AQUNmptL&}(adI+k4@-eLkBZ zA48^#2v2Ao@UA@lcEG@(V#LL_(7R2dq3r(!kv=f5>2BR(AhRT3I0}#@E)q6HF+eiY zz-zjz`R%9(9H4>Vy&MHD7VweGhkz)+V<1D}~W6MuN0dgG({(r_j_lFGfBJ8HRy9u*bg+_i5YusGT6AgaI6igo|98 z2e0{N0>z-?ak{wPyaDiz?$dS}q5$ux6~_oL-^Kk2^~aN`_>c8X*gO33#2;rq?Kn$F zp&$q`TG%Ac@PTw1*}T98$8~+7^Qtrv)NVjbTiN}D+N+Y|X-3R4GH5c?icjF{g8vJL zUpON3ltFVgYw`bQaG8B$inu$GmxQs4%?6(e=gflh{T$7gE`@ zMo5Tedurr_?+V2}(p;BH(@ToLIDnHn_=&`tJ*!G5WHuA$4)_*nMyhBm#oQ6v%e)WB zgr<(#(D$VYEPxYGt7*h*yq`4|(3;!=Q%nlG*01c8$%>zxP^-rai}ONw50e(%h{04` zEN;V+7qjBwzimD%YXc27Dq^$$+S_>ol$Nn6Ko*ibmk?nJN6W{utDqh-qs(1k-tn#4t?NYg|QoLWX zRmv5WnVNas>;8M@`B=LH^4c(m->!ck6c*qb0z+*+I3a7GqL8RB3ZAPmukq)CLBomR>k?s%|lN$b&`9=H_gH!g(KziMDju#`*G6y6rxwHb4XX$p24=Q706AxC>EyWe!iyL)kkQ6=sgj zbTfidGU#&4QISbVN6ZUD zlKhd{kbD#%+gNsG+lDYLG>v6!OqCg8G4|+6Lu!%3pw23&MW`7GF(dIFh={NLw#<)J zx0Loe@hv;Nc4)E;wA9#H)o~08eaEGvrlPoJR`PNYmooK}J0QT638u>zp7Tu}KG>cV zRt-)qb?JbTo#YwE97Dn7WH|P_kLTuqlgv@fRqd&kit{a|$7I>Icfdt)tFp5op&F`b zSk+8nD!QaC){MJ^p-%NXqfW(6LQGR{a^=M!x6CODX7aS1+Ik*|71>CHVlMU2ivG(u zmW%5gATY7%S|HX1`ES0_@*T}iLk-2zx-L}#rcfrIx{%~C^1&SvqPO1qQ=GC1uDSeb z&fHamH}aK9MYbW_o#skM$a6NJ&t=}jTXCiz*2W|W?KY<{_G@E^1ASb<|Nao3#WCju zE)-}c3Hr=pXhGo{o(TROD@K%#;0Iku&7d6tN(g_PbV44JHb-F+g!&4Pl<=5SCJB8R zx~^~dP!1Zapy>-bN}y@?w>6=qyr~ReT4G(8UO*B*gbdG7Et-_UbxW-c8^x?PlWu~g zkgYP7dkYr}<;_8AI;v&PmFzi+VZg_@MnYQWMX7Q4)zTaCmEBd$=v%ZX4-0_4uRI%9 zv~2uhJ`FBa^L22})@Yi8&NgmEb@Npe*=`+nPzG;|Z>;qK&kQZ8?Ew{9yr*Mk_JD~t z;rz#rkd=-}G8T!i=3h-g7^ji!$Ok@(V&sV+?{s(9O;%EDuQl+pARAe-nELXYNe+O+ zF-aYl3ZN9-{H5Es{u%{jw9iEaX&Sgar2BCa*6CCo?W%IA=K|-!37bmojp)+=&4xLx 
z+@pDzu&K~E%_05{IOeN>Q_q93$fmAT6%nlwBAFpMPC|f1I*M4|Jp@!{DCMeX`J(bx zZb+DY>v;~JO29$WW-5ZnHO1~By^#;Zhr#9p=+)d#(lCTk9 z#5a6AZlaicUfcvCb&o?4PF2gbXKYVJO)1@}tecyGup)47)$CF$!Wrrl*F;f1+A4rY z9LUw+u7M#A9^|gBb9c#Wc}OyuT0@#~6SeYuRjnQ#2LYJF7)u8(qnk>Ts6HH&{(0I^ z7KNIAnKblrF^MB6H}A#R^i4*0S-I}Vc%pBtklXm&l4^H=Np<@TBW&zpC{Rgb)6YCJA;Yvhd@4{NC+lKr3>0|2Ze8t79}+kA4&VE-!~=ebebv5 z-^7Ry2^X6bctr@&oib8{CWWN78uFQ+5=C1!Q82`ycMxAKEoqDJUzzAj4L;vg8_VdhP( zoeq6g1{&!YNpH>v^Nv~MMPGZ$%_%R->FY%E(wvo!LrHa_|MGe$K5gj6q`Z`lIUimw z7le6)(pyrLSAe_~BxjMZWJknj?Sk_}9FvgqQ;SveQLy0~)}VR*V|ctZO&-MRt@=;P z@f~7Wt$OCbEkppu6M>=${yZ^Bo}|(bYBj#ai)^_y9}68FS~(0Ib`{045r_I3kaSpA z7eU4o%M-O$<07E>8IllL{mmd?eW|LXcl-4@&i;6gLV02eqez0V+&=hw!LTDZHM!bwOqn$=rTO(e zFC{%6C0?gkq;S>Sb2dOSU4YP>NT>QomNV3|_CQN2XSv(*)Reb3Wqo@biJ8!K;u*98 zgq)oJd3I6WHdt~oN9G0q>w~bTHe2mhQxeAtkk1h(G*LhIppLDa6#4GUR^01lbaKuQ0Sx3!-#^NO=4B? z!f5iK!w@d1B}^Xbav=Jgk&nz2^O-Dp{*3stihh~NkzgI?%2Nm-6TytOEOtNMin@rn zQm_unHRn@ASxgoRS$VUu!Iud`%LIvec4uCTG_Eq$zOvb+O7`*F;fITl*Jl_11gB@i z>#L6^*XN()O>g4brz=%4GadOt&|LfEa_~-A3P+HlIxvp(f_)mt{2#%;bS|ggf`4UR zVrso%c!q>I!5{t0GE=3sH4=Kok}(*VkIKhrPw&8n3Lz9B5Y(HZ8A@9V&;)u5-MqXp zS~zFR#DQX?O#NHbjq7sI%=POMhDJ;67h<|_+ziQW+RV~xNd+3>3R`i5?Y}_HY%07| z9h`{6N-D;b#2|@$@zd5S#2Bca)>Ei45-ATkNDTx6_0kYV9IuxGQ$(?0${E3d4n>eY z1u6DmlrVL=Do#I~Hk3=#p6!^5c$elFf@pHXCy*>6`=Ii-8{nG4r)sik&j;~Z&%i#Y z!bqJ)spRbDcagEi0MoeUZBgn=x{I#2(rsQ+w%--5bl${eG8^%=JC-Lkp=XY?%7OjU#V62Cy|F&dCu@@!^J#4cXYztLFVq^H}X1R)jREbu3rGrWFJ&p z-QGJ~T?4B-7;G4+I~WYt#j946`6(o0)(w2? 
z>PGYKJz`U-+sh=#f;C2y82Ts|H-}>FYz;w7WaekdXk^+AUj+5SF<&5j2UARhf+?IM zFhVFy$4cJCJ5B<==?fUXt#4Cd6yQ7ryjF~E7l@qGwJ3ld0N!c!o?xO>IDU6Ficxbz;-)MZ2;ZaD~KqeqSa}?|q z=Ny;zjXpqeOyWIo2V<@W?8!qhL%BWRqfs*111wIDj{-8e;E?-rp*t94O{tQ@ogAyP z{6LJg<@KEMydhH8%+vnv{Eg_7v!{|K3?DVa6jP{C9AL+6tuauxY4l(mbIs)l&-7!tD!ldH4i>oainkL$C`;rWM4aQ+jx{BRA<{&7CM9)h_r5dN(I z)^VCg{r+HuCHFH!BH;CJsa~tZS2+`Hw;1K+sPqBhe`w;RwT3?+{(Je!6;jo*RNj>T znV=Y>%mKSRqcWcypEPqlP&B#mpf^P~Q_OC}EOMRQ@~IOu$)}VndsW@~bc+^M!~KOI zuD|>y5vlGvmHAsik_5%>A8JC+u z_2T&L*+sRWfEx*J2QK+W{ZoHrtJh=)mNfhB_~W~?m5rY8K?hUJfHmklK-)x8S3#^! zJEnvpX(!?gBvqAl-c5bqp=x#~Wn9wZ+d!5=ZmMq@yMZy}%tQ&xvil?Wm(-oPVy*yj z72MY5wH_|ssraJTgY)YveTatqU2tg~sj5U=LN~IkV&`l z!Mi4k86_Bsfi9l%Y5*@?Uz?pwMoJTAWc-M<;Y_=lJIP|wwK8m{n=ozH|3e16{Jjom z@OKizJ6iY1%y?2MSn7@tumdg-SA)dWx|{;32eoc~*fzE9jd~=KpO&Ic+x`9h|B#X7 zfBz3&`0pv3_&td&@!~(+(9plv|3e*zakBos?vWVP?{MgoJ6aDB+y4)X>RHh52$=+^ z4<@v%c^^@xuFN0Ucf44kW`MSZqm`Inw7m!5??T0%2;kb{)J~_Z3PiHg>Znu!_A7Oz z%zpYt9`*m?IP(Fe1h{Vn2K^yCL|9Bq8oc#@F|Cbd_9Epn%p9{YvxGkGMkCe z8n-?e1!QEt;Bbm!%zlc=OpN~VX(pmUj@yzB77%oDi_X$Rrfe2P>mD7;>29e>Rq>I$ zWmTnxC=SX1JL0M@?V;m2$(xc$TNHxD9-zd$w7qDpWR#Y=^BppgKQ$LAU?W>z@yFm5 zY4o7~R=eT~ z4^uwBEC4j25enVodp*ZOW2@D)HNZr_sxYBwGEz|F4W-Z* z?)Y*cYXMSJxccA@5pP50iJ|iHe7m*#ozFO@a2kpgqG>4*Gx+&N=6|^19HI}Z%|@e9 zwMry20$BMW@h`EW6E`~a5Nb17Lx4zT2 zT+K)k7mEas5p}be=MYiXz?yDrmQ*N#C~BzNobFE#Rk4sFIX7QbSahknKFQz{lT497 zUbOT863B{cl0X*zHc8+G*t?yQMED)tlL~3w^$3xc|2AnsNf6(k3cOZf|M`a#BC^jn z)lca;cbu>(U!gkSzZwcFT#jD6#}m(Q3B3ogYBsNqU@l63SrwL*vnHWjptsJYT--|5(w9?xk^1#7$(}he=pDSFYnK zF9+BMSlm3XCcH8tnu+Az{vaI4b+|?4$NjHgD__3UR2oE3WnO*WtjoDr7tPh}fR~yo z{>t@u2mLpEr^R7f0*}pInqk`n&1Bs97mk{ z=KQvu5CHAW9}wtMAV{c?PmA^6nBiGY)4His1$FRmVG0(vp{F$Aq)Z{(_lCbRIp6wk zzyz_BSmr~PpicE0UXSv6x_mt%{xCvbiWYT4o^qIEE>0J4r;rY$|A!6_?Y~jhr?is1 zoBb7?dza#bjsK-Cx9`6(qo!jG9K7|w_1}Qk#bgffsGcw!=rOK>*FN@A#ngVPF(K@P zeXfF6pepwgu47d#jEd`Vy{>9{0ID7g0#2jq3GtDLj76~ykgXPj5Qmo4{M1z4uI}!- zH`3!VK)jdXN$p%q=kUo!H1{rLICqleI1DNC27 
z&N%NbPldJmn4c)6aLT5<3#sa^lj_oiqp$kUlQ47de`#xKRH`n;i|C!g$Sw(YUAhh2 zZ-jKn%DN+@V^0c4NPS#qgmk+_v~|D~Zy2%)?-QlT45_;bNAkKe>&8H$(zJ+BR6CAM z^|xTS+)m^shhQe|0N6iv3rDn4u=LIq1v326;gC3-C=Q9kNlI43>$6mR5+=EfO&YYy zYAQylI#R+Y6)B1t>c^_XSKE=>;#*=6adSmb$;4XHET2311IV|5oXL ztxh|q|1}O8TmA1j9;yFjMW<|dxbh&vAw@Am{(Ut#Tif8v&yA6lcQ5xV00dl1G$F3} zNLm>Z`{m0TQk;m@wLggMSn(M9Ff2yU$IsoU2#L^12%n=#5wM?LmSb^Iaf7-lFtF|r zw_48>uBTUx^M*u9YRncVBxLBbu*SzpcuYTvc&DKpEazb{F6MTm9C7^@2d_}iaw zfaroUG}GTvIPX_1=|p81ST5-4LXJ|)Wiws9F0ulfU&1~CRN+jauV4GlOIh~c;J1V@ zQ>O+Hm!_<(Yz%P#s_ODRodAXd+?N1!#s{_XisFH*Yiw-7^0<@`rl=y|?H+hF7vxJj zd~13+w|iF9@Yk;unF=8VS>8M^$!pZatSSO6K2~crK6|VD&qq!Es%oheK$?62{M)!$ zRQIdd-o7+1=tDVI^<={L&K*4Nr6 zH@iQr=Klt}hqC{b{J+`kX8C`+cd+IE&+&Y-=YM+I-ShOXd||)TpLmc{C{_AAr zqP1ZAf|Hol^OV__jTYvIM3&4u?-)`je|7K&W|3A-T*1sC-4e9=TohgXR z)&GpDt?CFx+vxfwj$OPBZ3GzbqH;0Yb^%_K5g}#S>$zptv(Z48S`#eo>v4vKH7y7C zwiMX*hHmfhF}4H!`~5GMA5P7$;Xj8r??0S=yf~{!>jD6$m&2Q1&dvrmm&fnVhG$ow z&aV2PO2R7t_TifUJsww=4PKg6T93yooi#dCS)+v;0f=H8vN5RsWxn^9c{PP4l87o= za(VXT{Pe2iE1i4d>uy%PFTkrXv9;|jn8UIN$y}kj)wre0-w%)8GCbzJ2V(-jPv=)> zzaC#)m_gJpZa#dxe*59$<>}4v!C94WT9rw6=rSOkoA;M&6b;F1OdW%YAxam zSgqxvm2B_)tIb{t`ioe+YWFmGamnl<)~@BW)wU*`(0V-*|Dj}`?XyDuQ+KmGwfuL` zZRh2`t^W5c&lAdjYWCbq{!?}S6n?m@Rx+-~KKi@|UP&2<)6ujd2IuO-$Lq73FJHv97_u~I zrblumvR83`SIXN<#qItZP_5>pOYW&utSip{tx%kw_l!XA^mGMD??(VZ^4=q8ULZYg zW%VbO)z>mqE|vdeeEs8$|7+O)+l`F;*X$j1w&%ak@)-F~U*o7RF*6BzA7uWQ)yr-F z;!0IHTn73$4RFQ!?{p8c{vXYDqq|-I&+(Y`f1SPf zbpslpnLqc^0js8(^0)ir>4C1(V?yJ7aRZice>9{T5yFZz#wBD(32rVdR>-DWX0y@A zDw_7Iwa*?@w1P{%d-*{s2&)b^9I8K9AFha*K12-s^6~B2&G78x>g-yisTNuLs7Ugr zZe8+_btSjXA|mdz)7Z%ig_!V}ilKLl!%4mJD;6Q3=1x%eyS@+huMEK84lZcrHY9gC z-7t(I8AqCke6-?DF1ZeU;dWKwIOuCwb#%ANKPLoX;hPm8DDMb?K@uaiP}Oy?c5`}urK$vYWK|J;mIb-4e)Hk- z+8YI;OfIa{&{n8KD<7=lz}&S8^qeJ%Ui}xOG0lOJ{qdJs@#A*JsV!% zoDUui*S_%F0OvDu*uBwbijQm}y&&B*aQ2VutK*yFt9P0(g^KI_2$a2z-86Q6e10)J zIleeMeTsI~Mfd4M=Zo%_vws$mZL4yxuX1ZgaL0&p4_ENwcE3H%WvTox?`(Z){lDAp z9c2Cg8qIC|@3TBc{+DA7UhBI_xWvMjmhzU{%_so?hw{QFeWlv^T7jBX3b5thJ%SVs 
zAe%199g%~g>r_EqSngfTLf$rMd=V?ey4GVJshi+wC4c9Kls#2spv*E_Z5$jNR4bUF zS*nYybX}~;+d_o@Vns*f%3lRX3~P8RDuBvm(SX#yEl!ia9{NjJtft&k9QSd};5e(3 z^7T9lwV*97dzLw!Ip;G2w~FDem}_#NHb2!Q+zrn(0mu+S?4mXuGBZ&PFo~DgxC$-u zc5*~9s$xn@Eo0dP<+_iUDY^kGBHX+xpLY3%?X{B+t}U)pwyf>}8_6)pUe*Q&LU|6_qObkFxGb%(#Z?1P#xlP{a-E>hfOcDlb>9z=V+j zif344D0b87D)rZ!lDp9SlDC{nAHGTI(Dx$CI;H1E)-@QDz(?`sm$!ub3>(RPr;5PK zmI^mD9lkl%p3VVjPB99K8ua@Psi|LNFO-8J8al=C#))CtE+9$X;;~A@Sg*h7?6cfE z?P;v|OzrDe8NBwEYeeEB*MUCpRpzEqL%$Vvei0#1y~8n@Brx`??g6xEkhh1Jx9=7# zYWY`P!fsx0*hPxkey3cP?3Nwz z&wtyEZT{b9dCKB{IYW7oxL?iYv~0?Y=_`P$rR=1ZrhzS%XO#$&G8;DlcpioMlkfDh zS(?dDr^>8|{Iw6l3nG5glN<%EEazUDfm0N#8Y#J&tD5J5smIk)6~xk7S1F;(XqZI% zqKp+jm|ogCgHe`{=EFL)v|FKN@+TmWPp z;;zzbmeEd1{i{hQ%iWK1THRYpxD@bx>88OKfLKAb{U5-TX;_&itlp}#mF0P_ z(QlTK%pQZN)PB5D$BTl>`FM)kbX@cnfVe{~CNs?=`@QD9G+|EovRos%#)ojm z^6{VT*4F?3S)M11|14y5E4_bBtv_cBs66V)=kr+QBnyLp+znzp#{rt4GtNcSHGBG8 zX}RO<@yFBi>ziM%&acmwIMWW#u0Nii+CSf&KWA|1@N95=b$tEdst>Avt5yIwA6y^5 zy*L}*ygfeoUb9)!Imos z)+=>9E+)l_w6fdy$!{Zm@_T=B@}Cz#N;j7JQ9LW;zt%ykkv;$G^tR`J&+-T*>%<&) zobb^HO2Xq`U=YY?6g@-uu3n--iK%0s(y05&N^kH=e+ZYGiYnL#Tp;B?gcOQCi%WNf z1(ENe^-5ZguV#7AJ+C6zlP+o|a3#HUofndS7Z!8wV&`S87ljo>FsmrZ|0*oPaS|~p zDT*>gC07`{mgX=R>`EECT*%H*+S0UNDJlv-b^W)sv8KcmC9I!czgB9sS_MY<6IWBY z@HlT)ZgJ@M)f9OTqsk01=sTq6n?VXjZxU|bOD9c$M|BOdZYmVa9o?0(DdgPmrU_$Z z^LV8Oo{Mm^gtGT2o*?kr#$1(1z56&0yUXseGnm65xDd51OjD!5?rt`!V;z|CD1I3! 
z0^OwiW0&t~F`lVjt65*3(zMWL#-8&_Xk{0BAi<7P5YI|A=(KD7%Fxed2kQ{=>sJ%q zE|ktF0I!vZVN=c*{LbpHBYh~l*EQ$4ynFlureKO0xy#2S{NH4>k=R^4%eO32iBfF}la+NYKV}(~ue}Vz_1?Mq@Tt>X?u04Xxo9?H3x9t6Qv2#mQ zxBK>X-+tD8n?}g%-+P%3Bji0`zH@ZlEuTLri`7SU_Igd9HP?hb&nsRV4#e_j11o5Q zEk(qCrk1EWj?m4m8sh6kgsPw#5x=TmUCPU+tr4M95{uWnMQg%&#is-zQKHT+h?;+ss3-YxW^j+R_gz~PA>m{V|)M8vpiD&H-r7hHUOk^ zdQA&})sq)60hrb|YXdM~zY8NkIs{uQz}5=zEn5N1Ox>CRwq}5>8DMJ$*ua$BngO$Dr=P->`iF@dg45v?oVaPAff#4 z$xD<(!pdSJfJ!i=ECy>D0@6-d%GHy^S?Qsm--B|lk=?51Th;t|Rr6#-5mUDuK;MrM zrD#p9*z9bk-Uh`a-h4!2c3)gXotF^TR_*`80DF(U0cd6ZpH?e-|4+Ns-0uI+@i_ax z80<|70RrG3QW8)-+t{gq*%l;Ix?V)`mUeq9us&HAkemEetSsknC$1I89}Y@NumLAe7{Ax#!B9&8m!(XBNT^-Awhk$ z3Tk1_geT~`m5}}n5|Xu)|dj}t~jUdpGr|Gm@5<$vrnw)a0i%cJr?TEd->q7Vg;0tiMyf<#I* zk)11@6e58+G}A)KP*loXFh;O;m$kQG zw_`B$!E4n!ja!uy@xvU&G4{ELrJ>lbT~Sq&_>GmGuO`y-=`TxQSes&2a4pwjtYn#- z%JsAs*IvGURr2l6#ayyP($&ZoNVq0zU78;%m1WGwNkB$0C@FJ=L}tDErTMy2c1;KV zu`=t^2}{o}TW03@Mr6vTq|Z}Hku}Q)M$GGL!F{jLSmlo`a53ZW<rr z9v@3Ocu`{B$Oew*D25YcHBvyWRaj(QB?`Op9?eL+*ko^J0^&nDv<5C;{!Dp2*L}+5 ze;iJ@y7(OVzYe;sod0*L(b~%Y&+!Ng@3|c8O;~=_y!pmFzf}jK=;OdlUx1`_AqivD5I&A&wq-hUyHV<;=5^P*S#HpKU2n{RQit~o6>BeCDpXJ8urz+F3Oar zn|c-1i8B1?gWYV|%qILs53w@p39eI(NX)809Cj2Zx5}i5;=Pabb@`(6kw7&=SHN&=*3`5u?;q>b6V>|Wet z;Y|2cBC&V#wF=eMg*_^UCCIM^?0?={y(Z+<%w|y<(AHvYU{7F0?O;F?jY|O$C3BnCcGrEPE4Oj0tueVU&pBEqJO(19PA3pu`K0SK(mJI zlzPs+FTlQet!@>{1$9{8lzW3yKI7j2GB*M8!X6CJ35wYY*w(;`Dr*jJX}kGlv3C29 zZ8=CNL-9$9z?w~4DA&X#pmFUlTnAKSFMyj)*$g%*cg?LJyX~^Yk=wJFyDYN{XxSdM znv;G12Bk9l&!%#}|FA~>_s&5!|6jMg&Hwj2kJuA7l>7bL%lp25&i5C}_rCF5@83zD z_ic{%t#18|$MbJ8zxy^2ej5nC4TOKpl-vfwZv)}MHV}T}PnrHVOZYH_lV8zjO33Yr zZ4A1vVz?^)tKH7r|J7=Bn%nsAXL*FK_kPJ>Z$dF#Hkn@bme6HAUw(1us+#NECAtbm z@%5ssYOT6)bZPy2UqZTkY@h00Qs~bx<$uO#f+-tO?j&+KdYvE zC+D5HD_t4X)$8oxjV|pvilE>e=GC<^bWG|U#(VWd;jaRJVK-PYp3pJg0S--Q|t7D!m%9^ zt`nH;RCu8f?fjtRgSGQz)(_iu#0ClB0ioOurSd`D#ga!J?E=~3WdgX1rph*yyM#X5 zpl(;{h=@P5E*Qv!_*!362*O>R5#HmXg1dqyMJ;O|QzvHEgfK~ANqE11%p4d@J5<}>=Os6^F7fr_%}7upB^W#YsBJ2SycV4)?T&NQU; zKq<6p%Rp-E_CN}Knc$Hpm4q&V%fB 
z*O&X{-1m)(u@LP*DsC7~xeH#4I9x%WtP4IK0}>b3t6OVbz$hzn_BrD7LTt5J@L~#N z$0P^Gr6s5Sa%}7Xqymm)cE;sU{teXTW?jMGTE}y034%5)a#&g)*G1Ka_W*n!Fn?@O zV7-}R)yU78+{b0Jh4ZA4T9nI3Edb6OX->+WP~zjUHyi}y08WKD>Sx$R7Z!EHCR?S{79(6$@e zx3QsZ_p?9nezx)Rp6pY0{u7~?V#-j+K9L}qJ?aXGRq>w(&8+`#quJd0e>}@0JURxM z!QO<+M>Ky~&yK;TRJ0x%-dCg{_%EIoxUZ;a=(%p_?Y+voWgvpXw9^ zvpSvb>&&h-X_Edw)hejoA{152&$~-tM)SIRuSv>q{n}{ZE^eC{f45#hFoGUt3t5jc z62pmFW_m$OV}E98UfJA8mUkJHsHNb!iNcE4FZ4V_>3ibaiNMOK7|p%9RpoJ>bt&Hg zvUk-&-*0!OTD_Q&BxEv#Makv%n_NC366JCcIS}%?8;Mw57>rWo%t`L_CQW?9i{7Gz z<;5=EmrO```dFXATXY_>5Ah`-QPpa1*Mj3JDvqXT(!XUI2Wu%eMZYo>rhIyPuCu>5 zt*X-5s9I38J|lk409HDi)I6=z+2~|=zNtH2oW7<9Y}If~H-~aKrcZ_PlPQO#`XBL6 zF^vvJ;1&8`r+1Lk|GKSh{-0-ggnAbd-#3Fj5`(=F6)-=CUREb8n$$~` z#F7f@XpJRRi$gj~3a^UfEUI?z0M5cuda8f`DHW!10E2wv--G}EfcPNA8z`!6!!-XW z>d*I~IOs(}os)r_VZT6z^AgI)?85dW22Yr^rljS9{2=*m_f`n5`NP#B-@pG&Nw}<6 z_jLVxJgdma@XwmdsL=Uvw}|G2%0N->{uvIB=MV>Q6d>i3X1_{v9WydyF%BoL%4HSJ zraN9A1^D@62(w5yFIS=A6kd%;&Jve|Qv?GxT?~kSHpe2huC0TYe>a%bm$dp6he1o^ z|Mw)sj6CehN9S23|2G@C`(Jw9ZT!!(JgbGnnVbes6U&przh@v%T5&T`JnG`EO~mh{ zsI3#cla_v=$eqj(gq563DV^WU%ys-M7@-(uA9nawnTSuf*3+DG!yU-Jswft&Qv6{8A1d`aYH}Z<}eU;HSC1wt$Lh^ADgW9=m-}(C&oJQcF^*R(?eD^to(%*90`;v? 
z{SRYQ=b~?R2`h}BAk6stFyXIvN3jk#LorkpH{g zcJ}^fzuZ!5N#m06PZhK&5P=Dsk{JJ9eADKa zFKG^(6G@CK5}+!m%72^?u#}ph^wNdW#4^fvWeLESlUeyXvISJvs=bv~zh`On`;Z@v z^>?`dDOR*7yFt-$b8O=+4t*R>6!$Q{UXqCz1%Jtr-gdcfm-{m>cM_m0H0H%&gx|#^ ziI%Lp3ILDZtye5BBhjqKf+&jT*h9yjN0P88ImknK(R!^bWdF?SbE*DE681>9FY~O> z{|*}MURM9>^*USq?>QcE|KGK(w0o+$hU4Y?qDu5c^5GAsT4+*h>{q;;Lx|Jz_%sa*Z1e^>%mnz6{JDp9b#f$ zWuiM~d>d06$)4=<0+_k>N|hMO0-C5xcJ_qfKyOTSRl8t^P|||IOw|C2$PdJi<2FH- zdzl7X)DJ^bMYl{JT@T8_8Ifr`H#6Mtr8A_U{rp@hD6|rOZuYo91|(*NVi{O6GyB@( z%uDA+o6bGWO>(4iW&)>gR{fbkhVI}(-#O_7xWFKq!j>~6A+py-_1)FrM6Q6{+_!Xf zWEm*tGxEZ%hsX^)X zN)J*8DN|z2s)=POKl3nWGz+9|e;C7h%QNpU1 zuw09;>Pavql!;DAxaOxbxl0O{`c9U4Qkx%+UC^DCmWO5yjG%XmLSN5eyL{dHwsiiQ zX{yM(WVWi^w0yQ2-d!L)ES-DHn10bD;sU_37P+V)qy%~AOIq;`;mOpk+5~m^c8NnV z9)s8Dx6*ChnUPX|5xFMPnV^2Up1uWBqac4?5mp5rw%>~hWBWYfDYO4jT>iI4v$eJVJjWyS*P$5fO?UvvY4fr^0BY(k^#VxCtm6lemS&4cwaEXDY}k( zu0*{erxjOnEx`9X)_f_S2Sxm?TkiJc^Vv>5U3Y&@x1S-+FT>XXrYysWa$G~&8T2B% z2Tv0?uz=P*r8zh`EX2`iT0A{29Q8UV^wQe5D4%x2m$^6a95Qr^7R8kx!XZV)dY1ha zw!gGdH{@L<2BadR@~J~fC#_tjgkE>;DX zDFm;z>{(Il^E|{1%wde-C_vO^ldqGHhfKXQcoltfuE!2hIBb|@c zB!{&+t}Kv|N~gLf|ICs>9^utotC=WSM{IbY?Kt5ZcsaiYqx(l3fz)gPBOTCx>qToh=8JPZRq zF{F$sC8D#>!u>0diDb>s^MQ5#xBny1?}0G4?x(-c2f!zY3LnZC1q(nzajG2=U!Q+l zb4_O(G;*4r^$vP=P^LOk9}pj?IW&TNEt60w$tsQTYjtxj98nZXB^t9`-F9vwzVuZf z+S;we?aZv!SlZ)l5yDKDr|698;s zw43?mmX{K2wuZ3N+r6stby?lr%`aa)v)>rM%JV^W%@th9lTok%Ox50$Cmw+G4h4Zb z;rVQ`*+?df)p8WeSxPQ4)1Kl?B&jyA3;iK1n}--q znl~B2>VAl`7@{%0T@&#K;P)NazOq5$CG(?%x38u#2dL5Dy#x z&x-pc@r9SbgYXVbfDLalG%vR2(1FMe1v%>zbBJ-X!|99)4na%%k&}}rf_W$R29Q(f-?G2s-lt*?xt3!}8msdCjWy`MT zAe5_>F!G-NxF)yAP2o2aG`3D7G}#$1YSM??=V-!^`KeNXWQ{kf!SBe1qbK(_W6Rmv zM*akzDqp`=I42NG-d#G1FJzX>vceWkbBUgiJWYP53uf2+6M|DWSo zZ-05xJD}Y*?s@-*TRG#H`ttXGxah4DEbi8Lq5D4yh9n=*TTtjJ@BeU{E4%+==2v$4Hs?Z`#jw?Q7{W*m!VVIhVg9@ohk$Z#Vx52G|!ufg$QLLS|)b z7)3PAyJ->PyD;IU=x)t-Tl3vFcq2p6iXA@uW(GGH%9YrkP-a~F*t^W}FLU&%$egS{~20&`ti=K>vTY$jVJOaaF#=U zSr^_dnDgFVlTYe-xP)J>F@X1)k}LV@MjJG)Q6WR|7i8m_YzCu^c>c(lBYwQF-;agK3a_6` 
z$+diboH}b-6Kv9KJen8=0lE7`g0s&Nl=+n{mr&cyS9^uxP~>xU1w0KUnIQp)Vv@Zv zGt(?dLJ9$V} zpTS#n9KkuR?R73pb;xQ7IkVLD~> z6y8%ZdzzrA{X3HYl|)QZP;{v#u0`Q=UB18lPQ!4)n!F3qIh)&7V#{acDjc(5Wzq_^nJ4faOlJqO|o%XbbgE9ALc z*|p@iT&CqG9e?PyTz{G4M+JU-taB)#!G%^53&O1@fPm0h<>Bzkvhc0)*}(4&Li{ zxUlL2WV@$2EXGu&k1opIjK{eosuqtnRWrxJDabd)<-r=~!1oh4x97rt7CEn2-pWrG zC*%>+n!=|h){&eT>3qzcX}*YK;A)}KkMUfcFUu3kl=||Mb6)AA0P&Vej$z%;CFigu z;#uiwwdqLyd|ID93(RkAOa*ExUHhCF`*J)cAMQ z2d!>T{EAh#wJdoY+`$E{0Dvh?P<(~P5|rTvS^3mrUgx4p#`KL zn2PP1Rx9$ZI~^IKBPi{6|37>0-rY8iB#Pg^^C@unb9St3B>C+b&-%=DJMOf%6WeP$ z-FG&d^`S{f;+P^C0+ORi^4)(2PvXUwBrEBRcxE~l2^0zipiosPR23uGfDx2JUIB|( z`Axdmx>o8;CGN81Hf0v&^jswy`G(q_;}TdyLO+GJQzri>*|2|i?*|W)?5X2_>>gU@ z{|ARVYy0m?o;uMp$%Z{P4Yc5Yi<=<(FTjOAj*_94mX0+g0w^gF=hz1pc+T8G)fWnY zCXqJO@Pt!4!Ul_0sAA>CFd5>J2X^*%JB^x*?F-irV6` z6eZCqo(;zm-}(EC28Rp!wEd%Mk;~B?9kXz)C5kzwD^nG-ZAk)PrToX6eA@fp+lPk- zX8z~H?Y*`AcO_2~`HxS7B@2K&gmf}z2!`k8cR2i8#h5TWJRFX@F^2HIVlLb+bGg`}yo$7Wx?8;M~V> zIHRL8Nf05)G(s@+N~^quc$9{0I3FV%jMAyGe&clb22LTpEbK+eAoXzhx z;0yuyiO}XA4$>To{Jee;5X$?>44}z9E9c1iEMk#sQ(c?f(t_m9Ei1W?A?vy`n7Nu8 z%Sqd;MWy`wjdCTRS&O3Zyv+%IMOH8MgJ{yMU1{;=$(or51EpRW5>KS}aunRPg#gqN zil%evpA<}&t)23QD&UCj%ni@gu_|p+>7wOIB9JMzB;A=zzCPB{MVQm!2B#S~DUx7+ zmbt*Sa}&NV!YYkmf}^;HaGIUOv3k=?!%N*^$p)Kv70A7Y3Cw*BH%Gt%Gy4L4Q_<@R zV!AgD4Z6FCySX;4@ja)!EnZ-*mgIJ&ftPQqr-&l7R1btKrrle#d?9;GHn~be4p~ox z?-G`d?MhlB=4pzfQKxKWwd|I_j!UXn;=nSa=z^Njn*Om_W)!(_i5xQ_qMg2SD;!V7 zY*1uF0^o#7BE~v3e3f!-=e_8d318{3 zEYo88T`>&+6e>W;G(;>Zshj`lT13a>euk3ao`Y7g3IWWS9TrDphyp)`;k{Rj0olM$ zvW!5sKf6GcY`R2Nt7NBgK6B4pROmRWhBV(kSICPFxI%HWLANwwb0xgq?a8tPe^ZNg zVLK=_X|sVpqVh|%;aV48e^|@4+kTs;am&PM*lWDNFAw`4(AMLJ}YL=_h; z$DAr7xkI}CL9FC$%;L`dnNil<;3){FaLdZO7lh)7?7& z(8$kWc*j5A#p1gI-8j0ZtAZ=g>>>QI$fYs9pF0}ICNP0wNR275lpRC z<;`YY0GvuFtK!yAb=APoH^ttozGM---ujt?UwowYFeeN-n&LQW<0JDe>Y4>04L>P7 zlzr&vBYox8Btw*PaC4QvuBtLBHVZN+)6jb$oLeq*IvB z7R0syQ#+@fRc4PL(?D^7>-DF9dV+h5K199pBI8z9NWlq(0Fto!$?aLD$g0glh!0@ij3(e7~h6kX!?~Mbc;(LM6PFs^Dn<*t0 
zOJy2=dn=`!(@QW?YO`x?qjcFQ>+Fs8T>cj{H@5b|t+V!#eaKD=q3lu2rZ>D#CrKb0 zCf}Xe1b9X9UDad|q~WiWd60U z1Kx=7SYHfWUkv=_7X#I)_sX1hXo9G#NlA=Bhbu8%-)z?N%BCl=fO+h$*Aw3>>~>G) z9a`X4;)Er1L6Q1tKFY}ICT$A1Wz;E3EaVzeFom7!5rED>d$|6cMr|{f4f`j^PiPGRBYpNDI4XOkMdF? zfYWKzbHe|&p&^|pRR@VIt)5X?GwgSjzsr~f=cpM?Z6-gNBJWJmUNSD z9aVB2Rq|U1k2JM(SeA1-6#md|@8BE~=#kI8f{WjVAlFkpse~6*kD1^b-ru9g2D};i zcWtC_hs*J%2n-H3rkzq_zuQNv0y!?+%#z>==8e)xMHVIk173Y!1w{UmsR*n+2(?6E>F%32-OD`q(yL^7l& z`^CFgIZTa!2R@DJEBrm_ukt)UYaOG-QzQQi1#}@Fu)6q<+Xq(u$Aj(twfw(|hf4O+ z%&Ux56!QofwNm4dxms);PGmah}vW!ZTp_JWWr6w-yM^p7By3tZQt_*xYI4(+&v zty+#))nN`M2MYoXM!6+|7UWB}`C+*&I8E}t6tPfr6m zrvbQ5{@Xn?^Z)Fu{eM>UIPyO}fdSav!1t64vY83EyiWU+kZp{>B{k=jDa(dqg%aj( zPR8;_kT)6TK%frZtWCjd`EzXw{)3o;*J7ytSn}Tp#u>~}{|+Y8SCb5$j$rVx*cH$k z`EPrFcgM8G+OO&X`*9ul28B!4oN&gx41Ytl5<^mnQ5@?A*^QiA`f zfS|XE$S30pEWJ5H-jjb-XyGJ-Wa!EMJ2b+W@P2T5E489QQBgg}8Te6LM0z+C1OZ(# zyP`Zz#$+%1jmItr@1LU&AWGQ3IFHy6q*IvZQ3&ZEIP2k&k3ochALq~yXM9vb0g6o! zNhpCSr&gyt-kdv_i%JDCd5w9=iSx(XUCR0Y5aO#e$JbXK3EBrEU^nBNLD*UuQ%cMZ=K?wtyF>j~>`! 
zCKXKpCqn*9uz_GcjRI%(0`W<|^#EfSU}#~bPR;2XCD_rdF#rlSX%04%6f2yd7pIRMuo+|CWzh*%m=v7@WyTWQ;%v_I+L`YXH47}h0G$3ON|SG4ps1Ap zZul}K8{GmDVEy@zCI1~BY^~+LRXi-5x7gIdYlwjubt2y^L!i?q662$D1vw*2qDoK` zE;p<@5ew58e0Ae?RUqP6irrC^J z0SvkCG0h)ny!>9r+Ri!G7T|QQs9OY{BhW1-7!g#M2>?+bT!`@`4SJngSwe4I+xX{0 zfpS0N-1!Vr(>WG!%GlD{3k^Bq6h={DT|{Z!tsnkyh)|7 z9QX;y<;^|1^uj2I0gh)ci7GPoaWG<+MBvDuM(HFcQ`?s-fWRYjBAs9Z2PrRZ`Up+N z5CLz3pb#0ojxL&Od#4y?Pj=GNfBTr{nnmBc;#?wHM zrBqLtPgs%`3NU4DMhPJD5?usY4oP1i4Yi~s@lbJ;0@nHf$b1^fe>Xz!eUkV;yZhTa zX8fOnox`>Kw~D7q{u8g4D+6+JXbtWCHF| zL_-aUImAO3GHVgBN<`F${TqpiNabBmA}Wd&Y9vKo?4q@0z1k{n3XRe_T4l_wSl}CW z^G_;3mQNCuV&8`#spI-%36tgW-`IbE=Lx>dFVb}G(2w+~^Z(h|KCtfpZLR%(R`S&O zv}m(H6K|9Vt;z!9E3*sE6HM3FFEAccCUFk|jPQt_7vq=YKL>jt&A}i}eSEOjlQsD| zqdp#Fa4?f&{t5Gxu%JmC(oOiDI_OMcj$tTy1WxHei9htC1o((?rN=0a0m6Bdff)KB z*(wMyR5W=p8Q;Sk6#xmKGay_t!TpT&gFupP`SGJaL*g8qa!3z)RGRby4D%k@s2|CG z!S`+Q@D>0brHEc2)U!_diRcUUh5f}x?4r=+fD^m}Hff%EFG{dS|9i0K0gn^W>vTkQ zk*fQOUCj2jJg~{fjBqgKMA<3I^KKy82fHNr0^;-$=Cpz)H;R(Q0hM)bsgzrLWPV?d z#sA~zzJG^6{4pT&+^{3mO#U!4!z?p03bKuQ|zHf;8Ri2I^ z9>EE^p2V;f&1KDe62otS`vt_0Y5s7P#!)b9fqBB}Wwc&3;=Cw9{Nc}tT`pP->0i=3 z`X|{29(KXmr;M2|lQikV zafWB$y#?|^X^M9zN~08Ev^W|ROoOJY67W+PovND$4RGR^aQ|K(yr&I)cu9RIhbiV) z38emIwO?_OfE)itX2^D%hJw%|mrc4QZDE4*8NCFd6S>4hzClV645{PcsF=$JeySQd z!Zn+q6c;K*41VbYPFZ1^Q?K{0q(e=*jUG#*Ftz zZLlqmt|81G}|AXE2{jb$LOuQF6%wUoPEX)GYhlenMxsRh{$bxMEAu%gg#;_4p<&;dF z8e4^#X^Ev(QlzIIh0>!ZfZXm(qa{p|037V{zzH{#0o~KPo>27NT0g^4CK+Di*@!=4SVA;_vR?IxocEoxg2(4D$}yj3N1dB7XDsJ5{7k^McmLG=Q;%K+B)y~RAO>Ti9X+2GwNQ`u zL!#{>nLQOwb4WxnI=+lq5`3rJ^5`RWxAcBim@rs4otATk{#~*(*rHe1D*s!UKNpSvm5s4N)s21Y z3A%os^l|fln*CWx-S)Kczjk)_EdP(gwg2Bro@!Q-WJ5KBpSO&YEg|=I-QMGB@UN*j zKlfrd^n+Q&q0xq#XwW!x(R8K$3viOr{DuM%9@B;cU;=tH0RGgEVj68qchO6rvpWWg z4y<$~ye@OKP9~QtGw%k$J%>R$h4~Dy*b{BLq_&&G;5WrnueKk^)4x{0svEYoy?OOd z1^*B4Ph~Vvc62bOGEl?+4|aA;|BvmhowfaUB~Ly75AT&Iu{4SmnF%en0Kr+9EL~+yrSI8LpbybTT+qI`l#Q3K0SIq{lCwr-Td)r ze{XlEZ!+ZxBGNHOppsjMKKAc@1erUvm!t^AEt>rsLh(2a;c*xt!k?FfMwaGylp^e@ 
zm)k_M_Wr|bxoVUa{zrHpD22(-Bcr#atlF*Y3yPg ziaJ4>PLXuEQ>6JMNuPF-luwhia+Q*_JdS5S zEE0Q!^LT>N9W{h_nMiA0^dpTGgdiAnpQEnbpu82=(XUP}(8D|~?p)L5;0d_&Nx*l+Z9W zTD4|X*y86^$PYtHY|O(;Nv6(Rg>3bN(<-XOYeYV+wn4&LB5IYJRwUHZDoS!zpG4IO zdK!yR1vep8aRkgyY+LS$zrTKc#xE)#(V&sfL_QCMSuRy&W>ZL%85h>faQLPyv9s-x`k$!amKNVf-X z(Cv(j9Q{N2ka2mN3fcB};#mfdz{BJo<_W}*UcI>YQ51Cj2_DJeCQyqMF0>6sE6x$w zd(p&N@BcPWh5paj@LP!UC|Kwiutxvi+TGi=;y>=L4;Da8dHO3y;a_=167_et zRD2{HKrP9WLYYmkWrdt?+53Kv2Tf1xjpOrif)CWHP zY(6Y8#GQUsj)6DL{JhcL*iR;Y%n}!)CP&AtB9AD=eyHcb4eH7ii@Y{Z*x0zfo^g-^ zQ8O88H>YaMcf5M#RoZ5O6RR6!X+o7I7ig!{7V)j;{Q4=Ldj9|9_y4!7`2Raw``deK z{=bT+p8q>o&l0?V3jS<+{(GkvSFZujQt!S*PFOk19Ov92KCla}E`OmlBhsF#^`DRZ z-1nYu5kn;o+|7|8cOtUjHk38vFnCtod+C6~i8#6iW|$T$;u* z6!k(gEvCHU*Z4ACaiMR+fhV(@3;ULO%qX%r11!cjuG@0HK4dFcfntXDi`86}@5bY#OjQEl_s^xUHrdTJ4^u8C4feY2Pb z;{hDoxP2Da7_}YhRzb4=Kc_#1VK8{a(>x2 z0C6dXG^OrjInpTK_rfQ`cSB zl(WatMW4-0_BJC87s>LxzSl8s4E8-MRE}c5e|PP%`t|EGqi?K?+2OBWpHWH| zo~raXAV`x0(wpqeDrh9LS6MqJCrxR8dUiJ{;pK0Ph(rgT#)~zQLNztw$RQf>x5&9L* z&cmiM=IQC#&CT7fXMevtfAtIiR_sK;X$R%z?DYEVmYTrUGV0Sj`nyJ*5fDEK^#?D90*W z5-j6JkA8f__lY1KXE{VDN|Pfn{AZN$_b>_aS%&HBle3$h{R8?zxF*k06@Y)F_ox(q z@=@6>cYty`i_4v5u9EV*7>WK1@H5202*@u~dRFenO1YY)`L%%-t*X0^khA3;HlG4P zMTP=?Ykx!Fh3pmWg-3Q}Pl}BlCAQh#+5yOVn(+TLML74fYa!V$`TS>lcgM{CzO%i) z|FxQj$7kl@qeO0imw;v#2*KkBCSaU~G|RG#GSwh1t+w#f6w?{hD>S~QyM(B5BxOlM zgj6(hJAi^3U5d6S!bVt(SA1Z_(#HhmR+-`stDf`ia3uO9 zzOoODDr}>_jW}(3;0yRTNwHK7Y#i54or^xr_&?S*fU{2+=7}Hk*;Bh8)bf8b{^QR6 z?&13Ue9PDnd z`Tr`OdH6Mw^I++hK{ui#!r{Fm&fi9sB7B}i_~yUpF&WK*@Axb>tD0gbg(F2tNy2|l zM=*FmlQAms%F-f=*?I@?Sa-?;j8)XBi8p45=VFvN{j}yv`g~jgpjT3-Fi9!oatu%- z*i8YdL)r+iTEW?Xo1UhRU3o*=+%N`LpEs5G>P1UX>%Rb3?!nNb+Zmz_J3J){7tLZ# zCRDRY5u{1r!|&Fu|PTK}t8 zdA8?7o(6}E&^JJwxBOSHUHLnlW@(%bXN@ZkCjb2B4B?!{z-ixHG=%xx5T-#I!rUhD z*RRjmO#8m9C)%{ z_4zZ)M=~wMhQ`Jo8(j;>dc>X(8+G^5uu?wMU}u3?6w6YzsDb>yZ~%a6`G0$7XWzX4 zv30n!w*Rc;X)gaS5&&Q$haV?V4#QvJj0I??!k8!a4UdOgRyQ!dFdkTtC>?^s^T)Jz z(3&-gvM;V)tMLVVHNwDi^Z`7;nP 
zAq~Tv13dB*u%&iAq+W0pZ7-qc<1{o!oXxklX$aK?qZ%c=98$4EHyk!yNz|~dG}2(& zaI>#QNCIY_g~Z!5FR7-$Pje4=kA9xesEb~d3{nqxA-tcE zpE&meXhEwQ5wW8SRJ5j5K&=MIggVb)2^6ZZHG670*eavfY(%m=8vFU|T^16F8|OZT z!&%Aj@XwLXdL|jnrxAi7kz*3&=RBk0M8|4=;bC$%GtZc*I5qCi(+=WWdYV@ zevc6jMr50y8wO1&z4*|vcJxM|UI%Or zwHI4Edr#e^dx#$)Ou#lxW=>kPM8lpX2D*DzHKWRQWW!)gWww&bPLAkv@+{mTiZHrJ zmxwa`P=MfCV&!TmV?4q?%y2vKvf&-kilqx{Q&G!wXDH=8C6mF`>GuZErLh|WZf%^N zrp|Uwwq56E=VZ$*XMzIHm=yC(ai`EJZk<_^!hHvh2GVwJgUs=VISY?Fy~SN1Onx#mThq=;c_^HpZJY}qhsLx@B8iUUp~Cw z>i*@!i}&H<_`?Prb9QKVnr0CUnM>6qLpX>2xbW4nDS1tRzx8o2(i>`Uy4_Aeh;SMg^j!qM7Av9DXuW=x_LSTIS+_?Er1bW-g_0dFtgq2S;k{{^2}jB#Vr2(2g#E zm6{efBIW0aC5kU+CY6VYiybH`n3ZHAue6GbO{K*tKW}lK!+r-jzR{UKqvzGoI?88Z z6xi8jf_xgt*_+Vf{6P+}k_OgH4_=zU(Tc9FCg(OIwyUASJl)UL z2(GT@6xRaT*TeYr?C*~HghAKWl~L6l5JaH%QZSaGv(+G!Y{srk?FGm5lMrmu!w?s- zI@&jLI2@a7tyS5bd*briEMc}KSSO=MNbxR?Tjy*;ROZGhcu#?SaE0SDLdca& zIAhZ&q1LZ()^WWT1Mb{4+L7v4ICGK7XlN-^Dwk6TID1i)O!5|8PLp^hH^s8CB3+yb5 znKaLonW%~a^sv4N=<3lh7rCb~F|Q~t+Vsp&3WgHfIGEZzXSUCg$p$IodvDV6gUSNg z>8&KQGpgJA`1N1uX~h5M%=;srTK>Of>3_S2>-Y~Vd0Oy)J`3ho088>usOpnDzs1tE zDBhL1)F?&vFTu9Gs>Jbe!<$pwWiXuz(VDZbAO1Ar|KiUZy7X__It10(|Ms`c^Pke$WnmY@;CY!|w0@gXP!$b);!1M~JdXza< zzHPv0JGn=R$9_YKiQ3DiSxpeWQliOvt;tp%oX=&*Y!<0clIc0pBpo|CUuh^lk<^C% zt71ei>TJ$|h>#v_B#gESUyD-rKh8vizXbzryIZJ zIxx-Sg5p#KU|uUB+FjT}SRmKlC@ASo9RlXE0ixaJ4iUvb%!R6~zFbt-JI~WTjrjk9 zF5or%f9r7Dl>fJP_SfhCD|uS5!?`@bc_ALfulFF?3*)0y$YzX`{aKe1Cz9z;*K9{@%X1{twpn|J6M8>t77JF(1(K4gmCkpR^q=Yn1p2nW&T* z2<^Zb?5daA2EE(W9Kaj@9>&N35!08=ft(~siYX^GA^F7@)g`n40=)GfAn-wuW;4Q5 z@CX70ux@5f;Nzt>AcW7of-pNJwKuHM;Z2-`A%!c+%TEDZX=aM<>5X}`GB>oSL#aEM zR$Fw8@vXfLsiDvTZEotyro_oj!<&vqlYdyjwFUp5TMDe<|GQfUrvJ~*?(RDN!%Ch8 z{J&x`w!H}Gh{ogy!er>3HOM*~cXa#G$U2OA(W{_tq~HD@nBmhdpvL8~d4O zwOi?l;6i{kD|aF?!cm&|`Apr6rX`yZZE@{y@J*jG{*V1AfqDPV&xdHC!~Z7vzqby} z^Z#}H#}z$1|2LlG2?AuWS(?nnm_M65Jp#^QP^;JizJ7hi%Q5y$eh|Kl;U_HF^vKU~ zPu(eKQ6Axpa!gKXtSN1D5`H)8#Iek*ZsMO*UVC!G5y z9&nXaM%5S$*-_y!)!{3p}M^-8nI>Au<$N*o2ylm4(pLEaBPr-3W=M(Eq} 
zc1)e)DFdCYALmoY|H*eh37^*g%e?=&eYn5B&i}WPN8|r|u$Q<6aEL#|E+G4|iF(vvlXn|1w`e#oUzxSQofI@IrksnspJ1JnJy~+*YW>@!+pd5WBcH6 ze=Yy7e zX5gW8l9MgLqaF5m-rEji^fFoe#)FH+yA4ZISMs$9)UMT*L5LD+Qj<`acgkfF&*+X* z7`-S+S9oaF)-j>5sjj$oTfLM4!_2vD0(7e{^aTY$Nmn_LWB&o3C-^eINYl&{ExUG8 zV224%?@$<->tm*wfNRuq( z5-Vj-X~o#Ad%d+B4#nzB#DnLELi=E*$}T0N3m+Tf1<-kbvl?vV%Lh1PyiFjXEIX6P zlxD|L0B1DZFgzKx8t_x*C*cL3F?AU#iqhu&Mf+*O-m9u7%n|ZIz33>2>s3``7bVF) z(dm>7D*UMR+{5_ zop9EGISJH?q8|N0N4TUNFB{ zD0-rxXg2RyWxS_@bdrQ-z8k%aC6$EMS(I~}AIg`n(fl#J5LN=sOm$h?Covoh_R`0L z^oI^el$4E)?DvueiE|e<4aIZhRWS`F5R-bSH<-jRU(+JJjT;S%0~X>P#h|s3R+kZq zovRQf1T695$lUJeNKSj=JNx6x$0G;s@-(z|Be21J@SM_{d?gDqdN?sEp-(i>%KKUL z8_ZFZCPl&GodsSgzOa$Jovo#T{!e7er?mg>9ULB5_TR(x{oj>5mi|vhduc`h0_;aI z1hBp=*%(l&pQ)OHswOCVHOI+eL!hq>PsSpixmeN?c*pplB2nYeSf;HJIEtI1sjNBF zGq)e26_VUS-i`J$u~q_>YkKB=ibw4`!UvCNv1H)r`0L0jhrD7eNinCQNXE^j%gv=a zQ7S6hoU>6&fKev9P;}_IK!tYnq`Fa^X4EUMDFi4uXr~qxN)creref4WEmDYSgqqVz zFngV4Ofwo|{m?jyQxW3rxmBpb(M=uY5|xVMb*y-cx$sltz)>U%J~t1BJn&Z=^lp?u z76xv08VAQ^Zk0o*6H45;g7@GQz)umvog}zp%5xSzel;>bL?7Z!)IAQ}40`y3( zNgCv*J)LBuz;^{f2m4MVJ87f^*e`>O))Amx(sc}2l(LQkwLPHV`EsZ&JVEz6rEY>7SMkIPNr!T zf+UJTmPQGNIdbK_w=b{)PvTS>BH3Bmj9_lYKu@Mo82P7uhM0-M(gztyE;D+=s(10* z`K$AjyVH}a8^f(p-OnT=F^fyAm1d8dR&}5+2o^$^oqe46u?CsCD7;IekLue_&Algw zwaA6j2i<5iNurMv$emQG+!Gv#xP~R*10t>p#IZ-z`*AkGWOJP0D30*V1Ku$Avr!Zv z4|vlkgsIDT82Bu@jzSuTq*2`LC*>&y^B4r(#AB>`{$TZwXM zuFTv2R-wFmdvfz@DIoT>9G2B@NfB04Y3S%D~@E;R|nOwq`@k>J51Uy0z_@w$c zokB`&FB*U-K~V@n^y!pH4t%zG#y-m?N+|2vt_f>B`RV-4`R)1H4I{hYpA{PocM4JbENPh5C;>O8CvVOSt*;JR&f8O?Ci2&CUlPpCn0?41tfBKuIPM zUCBHI?dBFpbCLJH^OC;HAzgm}CR0-+qr52173NZGGQE6~oS=6I=9ICN7op3Vl<9!Y zA>@VJ45<;#NL9Yn7?k!P-rbyC-z^ShVF-jH3J|a71M&L$^4-#&Gm`I8@eV< zM=?Y*gyGnpYZqxkip)WPn}fUSvy)eMmltpTes_I&$+@|=?Ntb?hFyyR?S4z!QK9`P z#v|LsoxUwI)|BiHCDs~hEb1)RT(k72&i)gP{UN-8F${1zN9b4j)YyM^4tMs<_%DaM z>-(Q8c{KYEk(TIyD}g+gV+zuy(GOt{GJ3RZzaR?!l6mz@b4{VpvSz6R04=E^K>bHl zRYF5m-vK0~WAid+m3_r6|0&S4He^@${e+rYszln#BqPL7?yD=$(K-04glha;MPS;? 
zVV0r@r@12;LSv7b0v`q5hdD9A{%|>{V1GC-4%sA*uhKXQW@Y9^In-WJ)&t)8;3CCW zIYcnQmB|-Lg$SxvF1@OE5fK4L3%lWNZvI;z0 zcvhJKC5^uToKi#9BEm%7{vSsJ7|enNvVS*-|9g07?*H4{>-^sW%_S}dz@l-D|*?} z5)8Lmh;h8oHdP zo~)Cmr+Ueu+V^3%SU<~o>g2yH&GDiEAnW44>>TWx{y)1rYx!>_k0$@o!CqqYFADF6 z5dL^ip2qtV!F(D8@WLO%m-1I3dD&;?w1BRIXKBbRJkW8`Tbxgbnh^p#OJ}dwvrhMP z40^nzF1;{#cm#6_%?DD+Rf4g&;bA`?LadpilwGp_0-PivJt3zjbG%Ddh!-wfRDxCo zUP2$4<=wtYpwZ89Q@uolgXVR5L75~iC=wxg*MkULylYt=jiq_j=$V1|6)(Cxw9Bs! z7dWV(bxDCw+l-U*CHqsEu==Plu41CKAs3f>-dZHBnY=pc0v&Dksv@MCg;Fut#bGzaE);jH+Be} zJ>XApI`(lyG~yX`+QGbbglTd^kPZfggGS*rHtvBNh_Psg0)wBjI0_;hQ>RtZaqt+$ zu~v)r=9ca%ehvY`q(I;!h?r}K1Qw|+hA*j;8~o&tvlzZ4GjEnom@BalZcnc$>hE4% zF_uGzktS*+^Cg*#?_u8K@$p8GlvhYVQM`wuC5GWij8f7*WLP1ytD=8CJ#L}2rEo4T zZ-GA;5HVXJ|4ZN_S%i0)js!(V07b0nbIiP>M=;J16V4_1nA@2;ute*asldG6eL{4Z5$I!Ot5SCaS{x{`0OZ+wFtGB|5)q8i}JROdvuY@W>Vw@xRF| z#gj~T1EBzJ4POw=sv=A+!#oQ-e)8UNIr(XJI64cexwgv*f>o?aLZ}DGRteD61r6#L zVdS|Ih`G{THF1gHtjrb4RfAYzjL_}h0{fTzZ%gbd2w8ryRzgw9F-P|p2CbYt)b@%W zHSy~{Ye^{tjNyRG_+z#xR{Y zohmBPlnd3IsV2~yuk)6p_JIUegD2Hg2#vzfzCqV!aQeW}ri)tCn zqcjx19l=+G{7aG0+<4ewj!flJ^h`~#;F2C>er*P!BRV#SQy(Afd8CV&{r6zcvl87j zm!ChV$q;;g`ebJNrszsk8VlCOi7TJDwqj%|Lj_61EqXz?o;h9}u)RpvO>lw`+aOIC zVQ5jWR-V>GDaY(%N4l~bjuNDzIYEtD=4VpH?153m{7kCo6Wpkve2H+QzJc%M z67;|DQ)mAxVx2tI{jcqv-TfWw{@1}e{_9E}O?AuANI(nwtg3OY0B^IlQj#Z&SH&a4iU%ivj z!&eK@OmgOBGIgW^O#!3`FRpvL$CSu>wf+6ZE)9b5u6*nRRKZa!39U4+m zll0Lg``4ap2=D}eJ7TtC9!KTg?0kvl2rACg1F8I4&K3pc4v+Jq6Ve?&yfFMg7_l0F z(J5xQi2z`kpX*3Q2XVrkq*;m!Nkkoql9X(g?}P9LVNUWagG$-`j*en?c6!Y#J#@Mq zqlQ;1+;1E{@-O*cg%?8__8lH4s(F+8Rk$yLRC~==cA@k%1-b8fXvm|2!@jwf-SO@InrB412Dwg&@t_REpZw{?_aajf{UjSR3@XrRV#+U z5yY~ATQ}RExtktDO6X6Vg0YW-5%59gV+`{p`6JFFj<(psWi4J(_J^(8Ik)Jk+mBIG z9vt#Iq14s8BS25uj{5x^4&kTmE!tc^@4wpnC7qo2w+pYX{tNK->}_dh|^9Uq3{D`vU2!fA9QlL-&w?d7kEP(Xbpf1-;Fy*pCu$o?tknOB)V* zV7v1YZ2lalKISjBdi&(n+bE8R^v_=IZ*7e`?gU{4@|!HPF$|eBf7ZY1-}Ybk-}ZkM zZM`OtjZ#tnD(c@x{nt_dZPfoYl4T=OSVuWZ!2OIYAzo%{XO9#*`;?^#5v2L+-932F 
z(fvT=G&0>u7-@JPIu6M!@G%^wxtj7^Xj`6=zW;X?m)DO`3j8nx9@Ahvz+5s1;1PmH zKfz3}WqyhDPJk&E6|NzQ#ww7Q!>+Bc?P9I5$W1m>=l017fu+NNM#`?~)hats(Tfc; z+Qy>YF?wV-&|oj9^5ro{UXE|aZG|{hXN^e*%NN8PlEvs)oR$*G z#^^VZH%1Ad%=dD(dkG0&cM&(h$>W@B!b{)MiUKFXTsb0&kfOEUac75Xa=Ky86EkBc z+1UnZ9H)<@*+H6*eT>|(&gi)h3yH!KSPK5ju{Usb2v}9O$Lu#PPO87PrSg@k! zfc|+-0c!03hgSTLo$cLq{x?+fk>RO6tUZwOh3f2fYqm^9uDYNjAQ}{ zkA>RzK+1CPXtMZslcIAa?joJIk(t(hCsG@kHG?(KFQR`G2*NpLShB3_D|S_UaRi#S>lhO6hIS9yvE zmb_i5;dNa8=mXhFsp*{$fDiafnz4h$DxmQa#?ViA&<8z`%*aQ;Pk@h5G$cwPBdJR% zG$+iQrx8s}@C`F_X^@+l!)sxd-x*q50IKw-sP3h};BpG{JPNt9s&YK$Xx$36Yc!#o zLljiqUKvV(UImScJMM@^<9LK%91Ta96r5xXDH_p(n;`rFhB+9M#vJ#_4V#V-y*&Om z6|YRg&Q!OfD0n-~Id13GDYFVJ-*?p<=fZ{ceU#u2y8kNOjR?C_jT)?f2Bz(NTbGtE zN~e4geqSNFr;65|wb5ATI*p(x?8n{164ACW0*_z5V6Tcy@uw znlPx9DLiVlSlMp-Y#zTD}5^>&xDQ@z68*a51BL;|2OOF)|N880y{ zahYm5w^glr?wPFuX)&*fu6(KKc3dryzC>Pmlvx?3ro@d$zsjHH_?mLkhBiBvbk3Gw zdDKV>tFh5e?`OwYlhhMQBG`-5N3a=-n>O0}4m)x-G^9ePe)JPey*lorBm_PSXZIh+ zv=%)TzBs$R`|14R)!oh6^>62=M(WWGKMYTK;_52fP?fCdsZE^!c6#Osu;z9kTGPFr z_)E{kv}}@BY_a;(_WUrExRi_f6y)0!VJ&?mQ8V*NQlyxS5V(hdKS7WvqeSP#DF{aC zV?qHiZha32X$}E;jBqfDk|8PMCn+Am983_*S;W3K5F=#Nmw1UpO{;og zo?4oBgyGmF4eM>!i^eFXracO8>1#@nlSzNvo&$1aP!yVZ-O%2po7B=p)hFT|HC;!;?a^Z&pwA4kc&kzd(U7yos8d*8hOxp%mZ|F)7x&;MHt_HvF66@Wj) zVWHNaWgic!)Gsv6F+|88!Ydz-Jm7i73z1w^cgnSnA5^F+AEpI+3UpI0D#RHTgpSXq z9`vea$JU!H63MEqX6*IRu^YBkRL>Usa}+}lct7)iCAaCDbcimKvpi38&)gU709>Ux zV%vy8D#z6N+SaI4WQfhQq_9rzF}bKQmB2+|PVz-25$ZOJY6TOsqS>EHvN^_Awkx;v0w!-yU)MQeM6s)5$N% z*herAAns2CdNGO6A5r={qSfoDIxil31prUIrCidllJRzUC&_v92lT+I@U~)I>e`-B z#WK?EkudWk&+%|QcsA7Ok+-e-Ns_9k0YJc{wV^M)~!--+~iU@GRJ7vCp zirU(N67&opa@fv77W>yA^q0ln?hnYmq z&3O$#)+AGUP`s@M{kbB{KwJ4v+Yi;#dSeHqkyed&?&5`5)wAEWlNL){V?{1RM?NBT z&!U^V(x8j$C+_{eYn<~o@fH_XW4XICBJy~V9*#^NA4$}s0UPs-yyuznoKbRWcTopw z#k^M&Yg)x5UPUQSb5^QypV#Me)*(fd z(nMhbHtKqWDf=b`PvELV8ajz%mco^XK|_Ejv{@RWzT!tgCKs!2)|ELT$NmEZ2qp;9 zoQ*^=aO6XBtOx@jRaUC?8Eta$u3F)I`Y*r@#2}a;oQ?rqF=;|wH8PlwBZR1fdP%Gy 
zHL8+ZVKD%C9T(E1(3R4fWoNCg<4n|C(ecKMPHfA4`V#e@Pi>CY;wZK>IWT#l6HA>J zBB)a12LDCT6pDw-l`ox*a+&))*b3J8?l}m z1Dy?;)9bfv!kT-=GN4%WA6_Lk4C zPGdWpPM-b?KrdM_-GfWX)Pa)Sn7W6QtC7u}=2*^P5DlWBDnaDN0ODW-!<&)`Zgjwj zv(pCF%9==Lh7%KKkV7}lB`B8+0{8+3QI4>~g6E3kQtTA&%Wm>>3383Ms3v*BU)7T>5lN9idFrR zUwoycRF9B!RZR}Ac6_YsQVNAQOg{mPNl|@OgGk@FfUSf7G=FN&e`ywrZX69@FbiVX z<*AbTckmMonw|&O__$`^UHHrOBE z?P0Lq!)2WYi{oC}cUpk|*{#gnNig({ZLeL(KqA(@=U_h2oHnFmALuOyWiWJR`}ONH zQi_J?XH|`?n7`STMjA4&M#?&^-fU#%*+3I%H2j=Kn?%j-8wY$f9>rY9IW~ODjtph^Fe)* zEucI{^AEHE$WDG^MPRvG0O{4Twg6Ga$0Jh4>ua<^!3Z*U3Z5VQ$##uy#g&;%^+qeu zElKh2wwk#-%recVtl_Zm!D!}BHpg(;7lzbK_v)zB^#AMEXMFk}m4P0m2s5`G@)zBy z4Ui^8*PagODK~#txE)a>dDv2h@E0)2G8Qqm3?YoOU!Wht9C5sg7gnUtg!xFz=tG7F zlJsm8(ctYPnc9WNlEuhT>?Jk1W@c+Go15^Ls+1p$5|CKyE zq}Z*>*})JdFsHHQeIopZ)Ugzy$24aS3NS&F93l{5z2uw1X!>SU5||9!y}pQCO8HppR! zJkYy_G4v7anU4M8eU`&%lup=n%`|7PF9m9=WF@==C?O@a$SV z5xu#%x#IQLVlZE-TV0JVy2gRpf zq=8NwvObsI9H^3idLa#|;7 z^uQN-neOlYI9A~D==KD(w$E5oM2xa3Q9QSV2z%4+81Pr)%Gf~u5AT2Xqxmxbv8P)8 z-`U+eI56YCZ0+u?<^NSYmBx(_W~le*N17=^k-u{oM)n0FW~-34h0=wnwZLF`V8dR0 z#rm^z(5MD_fz@N0Kg6kTyPqq^GQYwZpw}8Q7yvIyA}oy|$eH(DS?6Wd)GM`Re(-Kk zJslG8C^5Q>@}<3Qo8?E)XH1l#@P0|-#-Xi8j*T2A$CHg+nhewBjU9uw9y>mEj2urj zcBR&ed52HcA%E}@Y&?dF-1|hsh|)M;(f|@rKm5=&95_OYr4HFf4$&mWx=ga6 zN%xZMhytc{3%`E)h^h-N`6L@IG-EdY2ver{YEQD^awbhPMbs&>b}i+cW$k6jtDZ$; ze+b1z#v?#0oyHMN@HzSN%!s&7ly@Z!^8Ue}#S5PBn7=8>Y)sqd6=c?B{<1uoF|!>2 zpk^u-@9d<+A}z6=;^`RxX7XP(>8_eS7l1A}dGqEOOs3?;_1UZQo4a2wZ*JLVrUw5C zXV-8bDwNqf*jMHQ^QX_BYm{zEe6DYQ{rV?f`vK053R{Ro=<4L==J(6%SKkmRrUwWE zPJ!9w_3aVx4t5X!;yqKY+;oB0zmJkW8hPwjH(-B!p+M=kdmoL!fBeUv&MtpuO~GK4 z0`Ke-3??{AhTzptfXr^x>-9WZ;Qf2hO@OzdQ^f-xK7fDwH$sCn#|*L4H|KXJ?{0rN zwhI6C8K)O1`{w+&vtvpr_L@wi7E!zoG$n54;V5q6dzTfp>Lz@!A6) zz?UzMk8dtdUY%dO2G;~h5FtP~u(VA3*eBdBO28P7(|qQE4}T?J64^4P9AC|R3ewRl znlV1GhOX(?5QZ-ak0b37Mp`gTKM9#*A^9}+qonYG*hC#U5db}SY1cH_N>~ZfZm-t^ zH!+0NWH?B3u)ReVmeK+MheHzZf|SLDEa5tk=PI3o?M@wy!vS+ zI|3ix`aMA)b$xkxyRxmJ5<6jP$kP-Td&HA(2b5cLJjOHhG4{i8lz{Gp`eAiP-o|Hj 
z0Ka;mn=aBVpCnjAVt3eBw@^6lAip9R9EavrT5 z-uLoJa>@|d{2zJ{`#)aC17FzuMkCPeQaAsN&nor5f^L_}emjR-+lR_WK?PFa<0OLk z$(F6@anXF`J`Uk}!LDS%p1wIh{q>j2cQCSVGg{F&jvNVdVekSBG$?&>A)|f1E33%RBB6#l)Xdf zmnI=nglxXB^mXNc=m!DJXeWX+Nmxi}%W_h-QtWKm?kW zuufjRJ-@hncXM`qaq{-81c>y3vnsAiHz+41HKj|1VEGJ;+daw&&x{>2h)fFxV|~FS zk3qLfFC%oj6U4ZkgZ5v&BmILSa1b`CYp!%W!-JF}neE{X59gG=}+0fFYt-%U8gk`cceAdFIrc7_eJjF%lOc)lHrATYK#-?`h!w$?c4DUjC}T|8=mtZ~A|3A8xPj zf34)9_rJcg+h4*#vFhrV+lg_pdtbV>{X4((r6b$;#+Py(`HyokOq_I--_bI=)c}}w zZ1TkS%$Cyu8(xz>G{3nvYIJi=J4da)wzj*wb>KzoFhYcpJTXqr+i>V(%wmkYF2%J3{&sfrUvI1y=$YFx zpp(z9ezM`SYV)>Ged$lsT-J?04W69t^WLm;L%Zh7TtJk|ejb?0g~USaI4eC7cpxCXy9$T-M6fXeR;wg5mEu7JYU_S~QZTi?`{^7nJ2 z(cDAr>x|A_krk5*Ouwfnr-FD*$5Y;6WTV^gKBReN377zpw#RK6AEN z6ySrhjBAu)3M_ty(iGR1b%C;lYs|N~JNY9#P4s`}ituFm|Nj2ozNP=~?XLCzRXpFN z{?C12D)oQoMYsj^f6ayGd)NOpWPfn|pI^*dj{eVqtyKSCN(XFs-$egc-5;yFvdC4su`dkjUrIF6A~9LLBkUZV$d zyq2a1tMDWp=hlOr&=%B#b(r(%!44R6>A?;-bLzn*kml5bb!c-1y)j_0+07v|SAQ)a zI7S=@nf>zs`A%c+nB3l>sk-=grKTz)>M)wimr_AxWR&j-NlTT_3SG5U&s|jQ9rvA6Lv)2Ds@_di_9}6o~rTw`A4=twq zsh4n9r1>>a)5806sst#0SFG#wzf$!4LWt^5Vhp@3?>p4r^lQuw^b{ItA&jUKU`gkt zq^_}g8Ueeg+Wq=fkYSci0M2J*Qqo}uK1iaN^_@)R$0&})7X;oXQT)M3U|WDa2A=0Y zynyA! 
zl%^d<)0W>gO0jQ}R&$;-EloIQ!?3t$u5aM05zLhh{09)rSN1fJ|4|y}i-`ZV`Tq_M zwoLhd=Wu&1|F7ct9_4>_$*My9cZ6VDO!`;uQk4q-q|EZfe-&EWqaOuZ1LCTWbTpc1 zTwG#Ps0C_at{7-H)oRXQOp3K>t~fbq(&DmX{TFv%tHt?0|K-o_DE~D9`zLv5rF0FrP*N zWRht0HD^}`4DXq_lld9ON+mrW{DjGV9iLxm%!S<@7h`l2M*%EJ*jE7f;IdEZEpJ+> z_nfHEVPN9GWfIQ-+2~^k&aXg(0GecEV}l_GCV37M9M8xmL+45y-RlNaJ^5g1f7D*^ zB#l0J&yf7^65LNP7^awJC-hh+E(c|}n+Xc(k1mKZnHRT&{%S(vAKGM4!~e9NfVw2r~1orbn!(9;qAo>wMIY{N!XB&JvUqmb9YLws?j_m6L_?p*ZF1pd4Y{$8}GCG0Pyji1R5u#(CPxvwj9 z`2ynf(S+JCmB0_Z_y3=|{h!Ka{X6kH1mHQ9vrUs|5ZHN{x4*4IpE6> z1P}pQ{Q84R1XeHB>fjHd4k{K87AfmrOfPK0{})vPYxTcFGynV6_U_vLx01)n|Cgo& zGOqbY)tkuD_I=EH`*XrOOd&}1z_x>*go&>{u;1d~O>c>$?!=*0${{P<2t{wmH zV155%B@gF}Y`lRSaPXTP?}g+5b0YPMc_amb%H6+eSH~&f;2^*wAB(J2h;H_xZNg@G zr&u;#9f=spU{lw{i1guAl<#zG-LTN9>|s?ED;<)e zToEaxk!n?fOSzJ%Rvx7YD~Q<|ZYB1LnyUe7py{eeM43Ncq-|1vjwX9}mMzq038bp= z4N^cAEW;6%ED`o`6lgM~Fak&c!HF;fxWJSv(B`u(O&}4@$rQ6D+&|JN0p3gC$#$Js zRnI!I+&0tPuF8mTes!wwgv8NtR_;2TV1mJB0!wIPQnmT8szd6=>I3b@dkdcr;Bf>K zjjTK{{CifcW@^HZHJvfF2j^Tap`74Of#mW?tz1 zyMTI`vORz4_rG`c_pJNh|PEg z+al@W<0y@#JGfp>^~LuI80{X+(R1W+la{hY66(=34D2d_92s{(c~z(=_=RKO?5Ebl zl1(}+XlT|x786P!$UERd*vpE`1+_1%Gz6^em0v}+B?A02fjJp+JV{X(O35{Dp%XcE)>(UjR;NnWy&IU*^+n z|6j!VSMUFEaA3v%+*|Met9e$k|1V(ldj>%4-@_QOot*t$x|ajsCrOH#qR46}FDj}% zovg5+xzN33ANy^bLB@XOS?yODfGQDT%}YZgnF&#v`1wq= z{Y*=YjkM*8jg=pZKCo?-Tf7RXK-v5~xlxH-rQzE*;$J z)nYgQPlh=}sDGy$c;|Hisp0?o2V0i^$HC6p|6?VOBK9EeBN4Ni%1`z|nimK7EO^q` z&u5_eK0oDzY!(@(1k3lL5E$QZgpZ_7z*oMPa!C_4R*AZCh-hx1H#=R#8O$R&Jr4C$6&Lfxi16= z0$->zz|T>Ru+D#qejM8@(10bHG$07d3IK)^iI`b>ZOhIqpj7f&Hpf&B%TQD%Fk!T0 z=E6@A!d?l^mZf+@c*h*kkOF0*&ICuXaHQeFjjET_IXm$_s#SPeOEH*U;Kwn{J=s@J zE&Kq0^Bw}(@mivO7NH!p+5U6H>=u%%h&Hr|tvfuSVwsms zEW@2U0Oezy87^4v;gHyY2DZk9M^b5f04fPQ16c*r4Wpkv83?}mZSO=^1 zzs2l+;;GjEw)eMp_O19I>-cZ0d3fA3#!QxE{o{I{!|GS?)>an4rssbEnC^n2XY745 z1D*r@C9AAW^}z=AIKu_6t#DuN1UUAyMSK9uv?|04TDKL-wA2_TCPg-fSOv7L_j7?uS$m5pCA=QkWuNf{kfSKf9*vPIt$tC1kekR8JMAd=|aU0~-%z zw-an6?5hw{`yRx+XjR_g+juBu+O$)3pQ6HET53TbrO3DzQz~y8PNt~UHA>rcm%^wt 
zo;&Er8dhjV;5J&BthsuN`N*82HiZNkM?EExQ)}|k%5@%k8zKu8Js9T=8iHiO2}VA; z%HbgTB%>mF3_^QOsGvxwP5Mhj1I*kJ-gEHwWYt@9%}@uT=!r2!3!o~!=)I$5qR7F5 z_eX6Ib4=h6lV^jxyq#stHq9oY zX$Yj&lb$SSa{2-UUz$o;Yk8LLEgMv-y5bd8-*kbLcSbg0qCJnZ7>;4W4sUNV7(@fj zzgi!v;%b}3N^fhP%}W_J+1r+`>n0KszXm%oEh~8;BX}9HH!@1Vo7hKnv~`fsMLrXt zO+Z0=g}D)~MnH5N#axo!bTe*Zc6XrOh!6%res(a7(|bSeMW0TIE_urJODD@vDDxi2sA%Z}4SYh2+! zAQ+Olbem7$#mNo0IX!uEW^&!erebV}Wz9#5ps0(lEq6U^O0JD%f7x>5Jr5gVYxSPT zL{~Ryq`*)+hz_E`1m`n)*TF@-a)zx7uVuWtvE#yG@aQ^KI8 zq7K+@%cUs0R)jgusu09gVx2;Zj`o40Q_jFXmw9zP(`>O<{9t6cHd%h$@|$AY+@OuO zFpN52bk+P4Y7!0_mqhiMru>8T?C6*Ul~>KDBOjd=2YAJ2XXq1-5S^Q18yD}oOZVjf z`r)8qz~=3mrZi$28o(B^RG0q1u$@^QEnNdcAh! zBYMX`)bMzDuLCwWj9Fu{hW-oiGg+aL$Vx)Jn{w!fGv#PoK-Rnkgs7)Xsd`cNQml3X zl1Oa#(kY?g^-8r(7YW-*w$uaf<0Q(Vu8kPIf5`|wGe=$-3Uz2Vne-zObzMv@=yIYq zEE*6rA}rfMq*6}ytq--6$iqw*&UWb_$cn{ zDcw=8rBKPeJLb(qX`f5&-H40vTBj^AUzg|Gx0dD6)W@*<0B7Bt7wcwe90f!gIf)1 zO?f6l&p=p?x-TH`$1o0jWZv=#AqsSOo|K8j-jw}wtzrXV-P&}SG*1WbX-_LQq zseL?7GV9$*;)*jfb)Kw$DVT&Tt|@{cC^uxTch$gMj%Qgb0$vLP zYeq(Tspz>PxLipyP<%IWw&DW#VC@88duaF_v;ajXSIbTZPeaRQgErd|B}_kS5z%l) z3Ouy{b4+F%YqcGaI{H)$jQNw?%Wy_>Jy5iZ?5Z0^c^~Zs`rb9??Fa1PJ$eKJ@*%ry z=?Z|ac1y*E+qg|rh$x9$wT(~W# zvhWIFoi!HS<=khj=cUGsW7yq(!wZq#Z)>}bVa0uDmDZza`}@YpeIxu8`x?8^Xj^ZI z3Xpoih(=p#=DxD>O7L<&?_lFv1z5eEvY@wdfu=Rw!XUi5C{F7!;_0;jX|SidM=}g* zD^#?#_^KvUt33aA(Ek)UMC16r@A&`whbQ|^{LjH z*Krgj=mF;3O5Cyg+G6o#E^tm7OY#xDqOIBnJ!;qr?_QHzdPwI>$`K76VBL@(!faQf z#i?PnsDssK92mbr|^z8&bov$l9>>lr-*NyMnXQtaZ_H1+*G39f&^AsXbH01Oe}I zsGK}iy3MS0U1uIW@HM*Q873Yp zTfNgJHF1LR{VZ!_SQ*SoGY6#8S2b-i^(pVLv|NNaQd#W0>!J?OZPA)!hQk=|&G%uF zP2he2g0eJ^XBW7!p)Pee=mCf9fE?{YLgG6f(s&N@m~Nd4J5CQ^?yDhd+0|#cb)UDX z?M$T@%oUv_hT&Zlfmv3EP;nOI2SFDO2UK+rHXTk;0a?Ip$0bXZBpD37#rcO_+nV)) z#fAqEkSR0wYE9F#30(8{=8(5uq*YawlJR0qi=4&%zQs<4ao&)+$*dkN0nX zttap$1l)5%OXC@*U^+{RI7?88GBN}&KT~oa7s(?a%%%4cd{EzSf)Y^Mfz&%M4*rZY zpjE=2|EyxM_;magz3bEKLm*o>EX4jpoFo7y1cN9hSppw<79+_+c-E#efA%)I15y6C zo6pjLFGgO68KDhpvjWq{azciB1(5~d76G2$A_C($C&jRGQv6pTzOD0$5fP1uJ513_ 
zW=yi@EwXJy2K#^RXSXO%QGrO9M}alxU>kRph`|Z`{*Knn~Mrhy(RA`JS}!`NA`fz@!qEC{MLktX|>v7K}={ZcE`ljOA0z+ zqV~YugburMPdKrg?T#1+ux}aGzxCt2|B>gMy^kXYkojc$kFd)U9rKF$087nX8ob@5+E`v)gS zcKp|q!_EF*%fq$}pW^jwecsnXyIxkMdu@V}>5xqJSmf6;P}{v8oSOYDHZN^sH%IfB z#5iSb4Bw#yL4tYJ54rZF}Ek8$j z2{yN5KhLt?_}hB0x$j@Jd;4g1CgWD|N(&-2=Z*P?(TUp1=^ldbDq{AZ>uI3>NaTlB z>7f^q1{>)A(ZR^}|2{m~-}ry8Ss|T0mEfSZccKq%#aHggpBXTL)#T~noK8Bf! z;8o0y zX3n1TW`1ENH@krjh6BMlUFmUn&-zOsDVSLRz}y;uA-Jj^KCi#fI@&y%&0mhS@x=th zTDy46-yrI(_wc7A5~si7an0N9SV0yq8tV z#=yfoP0Mj0gF?8=&0TF3Q93<)hR?x+$QW3TbBCvbhr&=vzsV@DWMUwMNx~PS#dD`u5&6ZeGMe%sX?D#AG>|2>-8eq%AyMC)snr}XkjNrW9n4%6tIa)&pwDLB@xApXjGyzXh<|0}ou8XemA{~P+_mm%eWY5m*>jqL{nG@yqrA;LIbIP)bC7a3H^5mr3XPM{YCX-*+HYiRZ$L`(;L>z= z2;NV4>h?!GlOljHT$6gw2b|w07eZZO^(pN%%B&!>U@mw~RAI0H7(|Knqa{*O*K z{vT_3cpMWk-#sN8R#dTlu9`AAuDI*r7d&Nwvu8jYO3xSx7pEKP%E7E?r!X5n1G?!N zFRKgrz6umpUQ&1T(28_9G%gexzV<@hie{_b2@51_d%~bQrJAo}%Loa)Mi~NuPF;*s zm_O=K5au`K&76vcP~ETp2Gt&tkpiK9T>8ILA|d z3gSi_0l-H4ZN-2sYE-WjOjz(r#?J zV;jHKT6j<$o2oHHDVzOP_gdBTUl>mA}H<{;%UP=>LVB@@0v= zT02jcvTGygn~cX(c!%EJ{+m(p98dp2a0<3-R48gAvYOW_^Hq}q&Bd@Tq;3@`pT;Ra z?R5r4tGpN>U%x)v1xkTrTe|XV4>n%*y_Dt8SiUxi!(omxOyUCPkJ`%u-f0b7&64Db zr8DPUsbZP>z)Kg!qXSG)JZhotIn!l@NfE`VQ=Gl^S5TKut?)}cxamL z&FU+~ZMa-u^-Z@zY7&o8_!uT=dCaP&R<;5%oEJST0oKgQfSluGHbv|_yF92`V_hL` zh0q+|qGd3u0dlYqwsJ)9EDx6gLf}d@)e2FZw4!j9$Hk*CIX~-wI;(0wIMiU&1N^g= z$2bS1z5n(RMMj~)N-gVW9Ve=QF`}5GLV_lDO#A_0Kt;W&R5TrKo#0OY?Kl)<;I1l0J8LasC1#IZCWfL zqiHd=nx9?r|p8IL>5`qxHKg0#&%K*Udp)qy$nV=%#_c*A2Z zf|vjyXNic9GlGD=q<)W!$=`VeqfgODy);GFzt-ErqNftKa4tfQsMJ119;bJKf@c7> z(Wer+pvY$^7!0gh;yz#1DgW|Mbx?tkpypnlRgPt5Ru*g3+^W@$1~2&4PXK~9I4zSQ zdmV%1Y|H-Y%-Bi`Hnq5={h9~>{NV@UrYX{5a+bY_jw?;`_I?Dv(*-5q6Ooe(4Cs(p zR)~A_NSLocjy}!eyiDNzhn9Pi*XDRAhc`MR zwa#vAvr5sC4~6W7R`<+_y)16ncBS9k&~PefH6b3{C_L67=43I%oEV6aJ$1&4thg?e z$fd?Ah#!@G)85sEK7)aukR3R*j)rq8HI$#&&oj>;JnoS8a9VG|jqbaAs?UF1v=H`e zzr^YN!pFfz|BsUsTmO4}u!;Y-md7~%xl_LE;m>XH$({v$L+Sfy=$U}EoBFyiSdz5| 
z$XZKZPx-e;BSZ)pC#_T{Hy_R3O;BM-VB4v-0Wtrv{LFx57gW_t;sUIh+H`>AYj(gaaNv;;>tm~|K-(1AH4ta>f%ZB zeFlHuJYO`t{zIMU*gF46aB7clvQP*4VDTecBb?QBYEEQ&i47++o_hK(?*3ML{@Xt~ zJaEo`8~e}oJTCp0x63{7fahgt$ zd{S^4={+s9Hu=96&gwc1Bwm*I>yh}{r=I@*N>IMM6?hZG6jCujO&+Kb!Ln z2M~*YH9Uah*yRG;nX1=b*@Es13PZ3726&4D5TFHkGV?6hkX z=BQX*{PzQ2{P)96{?D~M2K~RJQx52y13u~CmzWgGG6QQNJz1XMjH7SX5Kr&Q=DnG{ zgfUdg!#0TWMs9Q=Ut6%6oFkhhiOeOkZACSxi!N0gUSYt&8aT#M5=?JQ2=3Ha!2Avs zJh0_?lCTsmR7Q65RIA49Dz;aSjZ8C3mi4j3$gUo&Ved!qk{-`u6GEI*03n|o3q&N! zmp+b39HPJvH_ly0HCk7>2YLfDv}$T;B>0?ctXWHO;mjP)EmUz2Cy|p!#)ZgmRE4{?q>c{wDv+S{`-t z&|?rN-^zKqT;DsG-dVri3wJwb=mG(GBn6rVjN54B-Twr%o%Ur(0h6R{@mY44!wB)> zMpUV-;xRLP9q?rjJd%RT zM>T+Sm88j$jfR-My0)cKqwVtAO5RHuzm7DIkH0e+bkS8f`UjW#LeaDTXjb^N{!LIP z6^OB^j%AWQHhVsB8e)x=f}PnU-#<-33o6INN75}6gy_)(q$-|4-x1u5BgfLG4hxrV zG_+0dwFQH(>9pt_n&LU)VLw=&&=ueFwQRlGfKhSP5~x^|7)ykxCxF`UYU^=A zC=Z}k*LoDc)|YOU+wbUJk|Q26h|u8&}#4hPY?H<`~TC;{r_4X+ zz}b0{=x0P0R?XBA@@6AYtA%9 z|JzZkMe}7;wENhtj?t&Ob0%ELEe`yT0oq0elRE=lytq9HI5HVGh zcAIq!_DA4g1P+dj?5VtP==cT?R}c`fs*6j9AlKjDL$|oqGO5SM1!o9dOU6|%3x+y*Mr!T8HI zTK4DztG&6R8>pcJoR_9L4Bw6Ay(T+Nd#e!$-yUl-Tz9M0>=$)mun11uT;b`hI8)6c zg1dNNqB!47o_j@om({{mciUFct8Wu}s9dGzMzdV*ve(z}9sx4T5lAr$*#&}P5~p`0 zV8PUxh*A-$pB`dr&OSYa>mSIF`!=N#E~_me@cVr&-n$5x)3SGe+@Xbf7opfC3~DmA zOpnw0b@E3U!L7TkLi;3KQi8eA)wA7FdfW1ux}WK;l@%Aj17LCnicK5NAxskdaFxgN zI6-&lB^8l)PI9+sCQC)0k0H$9ZJfkKjK~m1k=n)EOs;my=Lkk`)8z3T#>J~RL0r*3 zs4PB9&&eB{(&B@%?W6$P6@}?y0AE0y76Y(9s4dE`zsjFfOj7JxjGut?+qjN%;UbWR^8D3z&&w6sFbaWh405<#jj;*A}~hC{cNe*dnoDqg_! 
zRtr*84C8EmG>o&46}S&Tz?N^IIY`U{8_$DoH{AMRBTkt&ow*6doDpz^^>%@;nWdk< zNDz4TY>gsFRIFA0{3^^n=%Q36A5zz6$fdr#N5P7On7mFvkSxxTS1ocpOBK%44*{rXIlVs{k& z-Os7(a0>6yWm>$=-(XxZ=Vfzxr#ux>1LiCpU_Iyi`t_On)(MTQMMUm0uwhNWWO1?M z=^T8xdFHF)4o6Te+6@2mtWhlS49i%bLyvW1(+;9lZa|!Z4+0F$T-JB=m0j_`+THqM zb(%U8vsIU5$jTFBE*?%0m_kTzG$D8}Vbv)+%pO|vM=De3k5Y8%kvKN4!k@Rg363V9S;1K;= zgE*rx55FZOZKF#ppC_Vskc>(zqMuLwsiyxqVkaRkd@W@F*cAWa@X(I`c6zeEiT}Ko z$Dsf3_>{{W;7gKzV*x!`vTu!|Z<4Pi1DB`GMyen248tVoLhy}on3PqeO72eSb@vga z@QcUF*QO2K?+-HnDgF(bqdYK9^RHl>%<`2aXEsLTIi&ZJpV{Mc`vPSNexwJ^KsRj! z!F2%(G@d2g&~evRDQ?r1FHxiV^~Rtme9nrUaq)q7b_2#Z_hH2Cu^Aazxpp=@zSC2~ z|7U3tPto$nzb5{Fc)EXVpZ_-b|JL-F{GU&GkH@vww!^>(o{}Ou_p-I zT|7tW4uEXpDRFm ziT}Bl$B_T7<&^g#`xy)9$qIhfDEgNARP(D>`5Pm#j7Jp|>r?ml3XV}}qXuaI)X;yF zGc(LE#Iv+mh6yyC{}1<%?DPNe!AAeTmdB+3e9D2C^M1I1vy7fDEAR}ZcYXlX{jWIT z8-4K47i@OUo`aEI*9;DA0_$}~G)ov1m`<<+WYO4crIc)1`02e?Iq|9f-3Zm?w=F&8 zfafqGkA_y4y~Lrm+H7=M6Z8691HYmSpWNpFM$x|cZg*9|scQzaV2tVxEw)2Y2NcyD zPQQKV>b}-N#Sk0Mj`0}W6=rk$ZSHbl0j8MH!q+C*;Di-Q)eBCUp?kzGbB5rjSph!$ zFuws0C@)J@g+0{4s=MwHNZiPI%Re>p-vs99D#sz>N)M93a4`|E>HL3kII`n^9~|s& z8w<-9c+~P}dy`=cm7Fp~TjUuZ1Pl(0`nu9ExSIR0i+{`hPqcIro2u zqYeFE%VX02a>|z`^<`5}m$2(&=$njdjk}rtRzS$L?o3Uu_Ms)&F5$^=R1J)ebT0{o zQgZtnD(N`4Kr`bPY~hU7!8~#~rOw+!_38@{>UQQ>Uxtn~pu9(qT3!09RW)uQRaWG` zTUABlF6$Zg)^O3y6DlZ%3pqtNkIY-uy7-GP%IkIv$RInEf3;ky40<<+ zNV(Mq18az^^xLsfM&dM1d3v_u4tbFXfgqhtZ&9veV}4@-?F^o! 
z)|6|Chlfy$Su4sp4W-2FEx-wvT~ZvO^YJ)NUxuaW1~S zXA^CHSsI7;vs;v>s6b>G#3Ii<~W&6(XzV#|I;G>|7icj(*K_v9c|>lwLFIW_Zy$`WraPl za-OVcr{M2dkTVUm*Oq2OFX+kI?KD%91y^s$NQ0gFl5LZ!^dq_{uFw`z`DI5=3!ea= z*|i2h3!7_CMhn~GyL2|Cf5KUTGn7wbLNxKzHuSA@-;h3hybHHQvgGnRL}0THe$84MSy$mKK)fR%Bg$L+Ls6 zjdoP58cM)iHLld$)d1pJ%{zY5?M&&nS<3bHUA36`TElq%G~3qk=SkwuyvO;vyM27C zEHoC>wEwDQ$DK8tq%@-P3r=w8-WNotGOf70RHLsc6*Z@XzAZ21Y%)HENpcIr`xhc; zhfdea#N+nLK%YR6&BH)+>Y)uS*zl0G&@vKxrf0(W0*XAI8sfIIib{$Y#GkqNuq3!; zGi!jEC31nqWJ#FIX4U|+ObE6V#Ilh!z^f%QTMA^Yoi#vRW?Ned=(3qLz?_cBlHjry z)w(8}y&OMxpJSrxo)9<-K@VH=IfU-_xj|A<5I-bY1uR~7&L_;6&~ z|BsGF8~x8(9z*|g!KV5(%!DSWA4O0t=l+HoApu<{rI0?Bp0z{LL0&s0mCAlY`6F^^ z_)oH$?O9pDA;e<;ifJbj@I*;uw?hcWjp(G<1J={DQh<+>@Q1;^qECk$ zQoh=$b6=ti~x8W!OM1poKLX!pNw{y6%&6{w=Uppm6^yhW4*jB!4N zjQxK2S1>v~J^fc;p!U;^*0(hvX6K-iH~FbCs}M>;%x~81DrG@^J|u3$2W<>~yG-#@ zE_i8UDwe;~yasJtpsBL4WIuEZ0GWfULYK|l1}e1FEqFTXj#-ksmkT~!zU(!F#boJj zX(JW=idVbJ1ee8ayVqjx0#%DPQYjbGr`Ds4?amB?lW&ln0pC|hVPX3qE zlg;^W9glJT<5LZ`r9OMm?>Vqi1@_bqfpQ>y8+uB-zZZ8*ws@s8A)~AzbQoV;$;0^E zO7yT#7qW$g4yCd(Kaz4xR-Z?$A^8rY>YMKu@`-sWy$t#1Go{ZBfddUN(P zVuiKL&|>t_4KJ)}C&c_zcD5X5oMb<7&Ti))-{u!Ng3KpQy$e9_Do&90iT(^gaE-%z zmJút=Bv9mcS%X`kGB|J0GA_oq=osNEVA{~(d%EAW^*$9{Cm7H2mxpOQqFd)8C zkj#4e*Y8V=ZI=J!73S*l|Lh;R`F{>K@gLUm81kQ->VCz(nmh2PCis;@>09)hq9~qC z9ieZF#Q*Dxf{sQ))HcLG@vcP#^@>JW*G7}Jemi)vw{IH%>wyMLh1dS>f8Q{z*N@vDUS7Tb`Sm|<;=g@C?A8Bo z@VBi1Y!~>NX#hDaj%)K4*Jv^B8f;(B#^d-iia0i2?p^J@-}`y*_1-_hEbR5 z2iT?Jy{mZdeZ2Q`y!SfZ`)91m#54-{WQ^nMq zfPp_YW+hMZX_o(_47)P<@8EbN|9!K^kpI*%r&sx}#ya+?$$#ZgHmbj6Rezd3?a!zD zYaZN2wX;#}d8#^+=5YW}CNE*c{L0g$)uSO_@vtn|MxD&d^RF!>y5t9(lQT|wA%<2w9Z`A-*|6ustx=5;QxCF;(y8PsA zoQ}Jl499xo0-V0&l`UDr*0PPvYKULPYA7Q=@zXW)+u~msi7#!}b`?OG)$XM9W^{C$+Jj1FyoR4UPf(Jfd^m;o=rS$d=5H|0`08ze6!zcCv_Sb7hH4Dv z+tRMji*A1)O}8f&(X7C^Zt7{g)cRSbBf(-sLH?`75X8@L0<-gS@9^cTZzijp+6ZOI za&MTN5a(t~TmC&Jb?nTYS28Fy5h8G5#@V$*{zlx|Z9NCm87a=Q3^5-r`I_U}gIJ&Z z+R|}L-(JjEL3(K#%aYu%!Et2=8zv>Jkhys(69;<@o9jf=i^u`hxymLpK*Rn+uvh@6#;*r{fjpf7?GfKDFL;ipB>bhUi-ycuv 
zsY(586sy1a$riP%$dpY*Iws8wEvvAl$Q(P0THc*?G@-~km`}7BhX;cM*8_P5n#yj&WcEu2M#p6mDRWtq1=HZIz|Ka|zL;pAVpV#vk^#AI&i+<_9 zKlbQTqyKCaeJgyjc_?)m)uLRwQz74xv*i;#86>1as*RQEor=ZzS@?9)vD`901G<3CWsZ`1$N!;SsdS{{S` zU$d$1mjzTt8h&bAKn`T}2Z5f${&B!JG5@?V|M-%x3HT?beFf3}c+1t%^R_~i7jGNd z2w{RQP+r92ID`dSC~#oePv4;g#Sk}f1UGR6H*o|vaRk>LN05`BGtE}%%_fxKCY0dj z9;ke(&VMgrQsgtXgnybvcc|F=SY~kSco=N5|2nYme+~|gM;ra$S{`=3do5Cvg5Sy{ zoy(p6Uc|&$J;QSGsH0$oEME%eTl^1B{D#~gv zycHsKkYxC9i!ih_o*8S0-~R#9mX@p(Ud;kiWkxX%ug4K6hX?rh+N4tJAU{=rQ!UUq zrxrUcoKqm2kpfS73f`rLD@`TL9(RD=fy9A+1oEvC9)iVha@{D?RnLFbxR)Dt^7!q? z?#NTKbb??~OdhXr^l~1Dv;&^r*iv27cd=pDb21t;@#NS0bJ7O3xC{SpM1q`idXF z{GZ1-kBi5P1QN1@;4hx0`~T6%ivNAEzkhtVk^k56)Jw8r9fWiptWt*MzSUPQQ@+X( zC6T}22b5n4XaW$tL35Pb7PDr4Sys=_{T)a1x{4-f4eVS%2-wCkt)HxRJ92Leh&qVd zaQ6*K-8}s9(*OJxhI=2GNT1K+5S@o1o~6a2cEAnv|L}C**8hx7N1OZqwLI4SKbvkK z<{SJ%Y48~5fG&t-G(xmKGi@vv)AwZ&@b0Jc3uOAI( z*$A!1Z#7hkahN^|fTp0?zQBu^zL~4pzUkX!9?4QTMLTu{pF^2d!Z=$K*lgHVe-CS3 z_VNtwdVfQd(nF<_@m8L9tkTuV=HUu%kkgt|n|j54)?kuY6c*4uMbEOHEcP1D_f&KT zXB9BL(Cn`g7dDhHMVMc^d`tl3tEeK|f2nUwc=BY+$XRR5J%H2tN;*rK%}LwpOOM`n zXJpMAU1Whf2LZr22&}e)9RLZ5?@~r*!<}0)vPi~09(+x+ODLT2+ZQ2b3Dsz zzxWQIlx^GuwN_}dPnA?)i9S^uE&H6K{C1iCSpAB=1lsq01SK}vV%sfWoLTV+G{mzO zcRk^(tT1FQpWgcsl(-Z^iF)DmScP_pBL4+T4SrBsU>0t z8!5nplAZ+tmpRL>^n-{XA=^3nG>dZ-HM1#22WSH~0bu_QDo9YO$7Wol6WRdngsV~f zok$M1R7bKA+L`>js>46;-AN7oU-sHpJx%og^kCoh|K8mHuI1tMpYE9}p)Bgh29)hJ zp?~^KyExur`=*5zWmN-;;O+egE?Gp_B>rC{gRcnzP8tWvG5O4wCXl=oYGmWHS0m1t zAtk*sdl~($>AARGkiCrwkm_kWi5+XkP+n^qISn4oo=Mj{o~M!OLaO#$Ju$O~l=f4s zcpwS~1F*fN<8`2SAv$?Q1=pCdv>Y)tZ;~SzJp!ouv^ACG_%xJPIS2^){8rizvc^J~ zQdTYDY|_KJ6YRrSH)SLfgBTMrb&L9-cQ}3@?FrV+Ftusimd00CI=a2+IM=(Btuxe2 zXQc4prY{RAFa5W@3fWySw=7+O{m;S4$;i3?J>A^@uH|71|7TPH-HDV*mP-(Sd;JW> z@@WoVQ4yP>kJErGS%THV|GRo5t)=q@315Dva9zG&rcY(YQr%N58W_atHM~cF%yMHy z+>@4AbV)G-;|>=D@n>yh#Os*q2D{X&c(q>oLaGXzsy9-t`ZBGx{G+fT5_qh))2aYb zM{}4wv%oni?qZy|j_?=Fh?W!ZOT7b{1+dn3cbTUrhon|eUqdC4uQ2+w;IitrR z*KD0zK(pRi?S&9U=kf-bJ+c$N%9WxG(K7GuG(xdj 
zf8f!5YZixpO)!)04&ygg#urfFe-M$UW0fb)mi&LIvtZNt@8H1B|G9sBw7LIV%flJG zwzm5@{yBWJz5k!%?$?5oxAM!Yg{g;Ix7ZW0xeYgr>TcY+diPCXwyRwWL_0qNAItC7~8%eOe_SN#~ZwGGC5WZ;T6j}@u6U` z^6!xVI4=H^2v^Rh#@j0BKf4Is`v{{b=22|U%e~c^7c|iS!;?c>|97yz$^W#TN6>$M z@x99;fh52D1hna1ju)_ohg06H*6ISPKoCH^{+9NucP*g+{8=rJnZrDWw+R9{8lxPg zA=;rd4RRxD+Kfb}R;wMWsYY90MgyXdJ|0?1|E=q*$OPsn5}^Q=_3PlbSt3jX;7v2n zd2tUUUCJ|*E29iFNAz3qfKUpiv!sZ#M9iq6?{q>!l#uTlUMlK!L-=BowN$Ag?-G0q z6A-W|OKx4wl)u7Ilpn$hdLbnSf((Kx>E zo30hS*_L#zC-SuB_MWl_ESm*IT%_Mb~uNG$X3qxaNjE>xeg>wz}~ZY=2j7AS2-?lh!Z`;MG=6kSJ*4`qs)+ z&wzGlVOhS)>?ji;`Mi9`l%>P){sj+!s@#6%Fn~(HC`wRPBP#*f@(x#)tKT3dO2V_u zml(VZ5)E+n&Vstk>u#6UzF2iq93fu~_1?C(ddb3jv*hm{J1aM!9xdqlvhp!K7s3zw z(MHZOE5~Ue{;mL08+IE|%ibfwCW&U|A9R8Gr` zEI2Pj#uYkp{!a8E-pd}pfLTV*YphH;(Y%y4@n2*(W!0wUR;^XsQRNC;xdqWDM~w%9 zH)5g!uU|P+{TXv<;!rA9B}epWR%LaTUqN=KPO5sI1sC(?01iR%zKWQ}=^KqKv4vJ~ zP}E9#hP9pO!_wRJxyReuO=qy$5V@9i65maj_XJFtZr0Y+8Y8LMnaY_-776iW0D@mM&0nDLY!JNsT%bIK2~Q5B zeqLUAGi2M`f4efWAN#Dp>W(~rdhD8*eX6UWmU(b-r6)C<7D5Ea4f-ToLyXbcUL)9W|35k%+3~**j}A^Y z`oDEN*8P7dRWyCD;IP#9tl190Q~@%3fG$T34e&m+fHnE5N_>C)`b_;e^8|WZ5smA* z|B+J1wYLju-2caR{+Gk!{f+<6S{`fvYt!2Y1<;y%YBazAz300ChYaXwcNMooenDSB z6PB|mTy+1x&*69+hdkv>10`tk|2sOg_y6(n@h1M`TAqsiZ%l8Wl)z~CsnP^%5G$4u z{BxrFGGzSKS%oKqUMlw8$g%sl5GKLEtFkVy(?mxtvs?N!_uj!QoXS!Fd3n0$yUJdUZ?8Uae9}aYx+81DHO*je=&oJd?VC+<*WMS#u_N1 zukK{u9BD^-FFP#(@e+Kq4^HVz&})49Y(o;!5M`B?d4ikDs4UyrqNJ=^y28^5EKvb# zOmRFNdq!8a#1_PTLa8t=uk$`;3I*EPmk z@EPW_7wi-!!2B-#xw<}G`F}RMO=2>6gNt_vMvv!Flp{jw^8_`W|MngI&&k0i{{MO& zi~mUE?`Jj3n{T>9jL`Sp(@2#!w6myGlVsfS`FbCGDQ0wG*s|IR}7xl)T z3I+UYKV9iRL4?FOJs*$bG%ng50~_f7;poJs|3^m$8~@+6JQn@G=FN=Nr~1-b>wfgJhSO0l*Lzj~d5?cq zKm7cshG32pebPQ@XfemuG&7tgI;Rv?Z5WD1O|u;_J4HN2c*cyZhT`vQ6yh}Ud3DBP z;QH^127Knz>Z5et6+b<$ua)LSPD|W>*W0Upik2lxYjAmV6<-E&EshfmixYY@j8pY* z;28O<=5fw_9Ayuq0ocCNe*f3W(P-q>UT~H2sa2C`O_E&0G91x|5!mGbxPFmp+`e)7 zmoD#|p2%hY{B&*tAv|lv@H?5U``@&*7ys5AYxDH^w3Yv^GZYeK{zZ30fBOIZeaHT5 zbhz>VT+3t0f67G<&a5L({F+rOUqF$^(^6s1 z%Ub;Q%~3$rI)QdU%z-u6jM$ 
zr1b7;eI|X;LiEZkNS!gSdZ4Eyd@a6r1~&C)@9q z#eUaMNB*w|?C*>JAC6r9e{{OB|6a>u@qaxmTfh82F#^6lLH=(JpkGC>j`n9TNpJ`Y zq`#E$@x-m4#&>H=YteSO_1K0V_jm4e%mb`!CSSikGvBmx>u%BbHJ;@mdI!@xZpK~p zt-`2#Ay?9;AOfsFx&6IJAKzXE{Bz1bfAy!M{3qjdcM1pHr2jc|^#2E^oA?jwc`W%) zg>dgx_DfZC-zO;dmB9Ba^GQ^11hT)BnppNAoyrOW4mZ?ykAwf#T# z4^B7!e`|RR{x2qcH4#}w<9)<}u4(GqL`*f|@LQ$YaplCVzUIMFX{dS8R zEl1=FA8pOgfBP$SVxTTH>oV0<^^4CM@eyeEj^sz&X4_ zdmmvKB0^r{sNTW9;c4Rk?)}ebbh6?9Yk3&Kx%%yb?s7KSfX((Y{63q9Lv7)F4@qFN zdDuq0a3Jr?)l(D-VUi%`%Rdx<>dy08&vtqq{gW90!0`;Uiz+Uqe~=!b`pcRqGSWPy zW!sHuWZiar!35Z;=5kT^EBFj9G}|xACHel8~(qJr~bIj*TIl2gJC#ZX*U|BtkDf(ijikm5+GiCF`xX23I> z4L#Yry=S}@KxL4S2b?=c_-3GF%@qJ8$IG=R1_+hW6F>FxUpgii*OyBPe{JIb?_2tx{gX}p?=?M4#q;LXHMqFGTCp0cyvBB${tF67Ety)10c%dIm&q@#xzA?{(krjFfFw#!T$!3TS&046PP3Mk^V_f z*t9-H2zwzi{k4*k<ZqR8XhSs_hU<*a%9jI7=)`&BWaHT5_wTD8A6d#k7aWO};>`hRTS|5N(E(f_aI z;rIWqf9i|=^A+>d=|4qCXZkOP{->t@duw6<%!|S3dvEWD`Q8t6akyz_34`i_1`il; zI8q#;>jK`PYZT_Fc!$Oul2kgp`oZS~NCpM8>h9wm$MEot{QQ0Lng;sM|F}pXA)Q?Q zji-VBAMGC=+4f(X``ngs9RZxOA(?!UK0g8w>;@o5#Vk(=2!b8(Fp0wnm?D@GkfTpCM2a}Q0}x#O z#uQd~R)COppfz!QasJE8-T(L1b=ef{j~Uc4)f7&FxaYk~@GVS+@#hOV6Bm4T9Q2iK zgO>?GqE$YKJid!ln5e<&b-8YhRf)&o0Rc+H;}pOYm_6uoPD+o+Qq(CrjN?T@iO-f4y%fg`D z%5%*5>h9mQXd3NWXK^+@sBzpFi$z_{`!dVaV2w@AVuSS>DxlKJwYop=3aCl4`u zQlH_(((~E>Y4-o2Tw+FaQ6xuoFm= z{^#__mj4e9M;rT(wLEPkV79}DbIZ%354*_f@K;%m=P`+KigKTcx^YzT(|N6h8?Q0C zZf1Dp=Ei-83K*vW2wtEB6=kvvkF=Fj6vb0d8b`-4u(Fm3M?;#8s^Nby+U%HW!vdfZ z)GoKltj(X|G_ox?e}{4L3g@rloKU7nW>c1i_;NZ$Q4H(R%~eLU)i}MQ4Yx+QThoGY zQM@}1FM@jwidvxCOh8*cTu=X(bo>)fll|X`t^e6SJw4gPe_G4K^*<;lF)2_QqMm&I zva&^kaR}W{t)jCaz9tI$oheZGa#=>62 zlp>~M5`chN4+S8YU{YMcVnSbi{*4ia00e}otOF2)EOX2hW&sEyG>=1vj#iRJ3XTA( zE|IOiRCEGJD|V!LqAweWdOrj^S1(uT`?UO1n=x=AYcrxKCd{9WqH%hw5FXA*fu~Iw zvMPGjda7qARoK)TTZEB#n26Tm;s%ZpEFh0BCj3y*XK2VnCV#AZNy8?tizNLq3 zTlw#T#BW|*ujKyk@bGwK`+uIEoNVO3bv#VG6EYv_-w@Cz{C#tqkSU&}#oLSmMR+;( z24Mc`o0tu*SiK^HH+YrPRF>4W)4}2@`Uxa&UR~2A9c=jBy+1vg4RS#PsCJbkV?FOxHT<`Q* z+&?S2&zaW84Pc9g&md$jYSnB$D+cv9MM^Hsis3zaY}g(@W6M*ch5x9@*O 
zrzac#kF`9e{MWl7@Lx;*Tf%Jk&m;d`zy7I8{*%jV?8z{YtsDFEcGOBL{eN!3L1JKix zQ5&%O*O5`%%73QDx|X#aCy$A3LIIo;pLf9rS{)tnoX+tU>=Zb!-SFg2u;zizDx6tNNU}9Zbyb*$w?~;mr( z@P&+oJ94Ei&NOuZEW++eTpS%+4zo0RdrpP)ee+!>JsUFX?$=xr)yxC>48uZ1m=(*D zEgs?32KdcCWzIwJ3eQq16Gj$C(U3DRfa>|yXfgWF450eT|F*w>VxRvHPmVYFzt{3~ zpnxkk1MR~UGomG8oOZOuw5oM6#3kM1*0wQNZibCd?vS&>+nXr zT<2TMxtquTG|>N&&%c)?y6b=&=>O4)lmBUdbN|1lM+BVbj-6t!v-t*U!u!w$`xa7X zg>WApz?}BZ2#V;RIZ7jxv$|I}>Y}yv52$B`XeODMhXvQYa)qU-j@6A_ZF4wgIHhW< zyb;^zlm40+fHM12N5-CqOk!u8^94fL1H~5Kd5dPZvdoBmPp%l$-T~4bEz2*YcpHXEm=iti%b}zDJM5*VbTQ zv}UgyEt7^`z{W!*HXZ*~t9 z>DTf9A|JhQ{61w_yAdA9lC5+5v(-ywgmis;EXcTA{#JyQW;T+|!(rMgh{PMu{&e@2 zq+hy~cmi)x!f7n6Eq<1XlvSi+14A`A^3-PM+@=n8-dP}lF!JKj?)d97Z2{{oQ&-sPz~aFgat@zO^1O`$;ksp0y&w`m&<6TE`~QmX4E;?g)4{ zb^XEYn;nm8<^OCR?tM%bj{75@Ci#D4>wor7505tb|Ft}Z{Lc*E3%ZC6NrSF{9?k$Y z#M`3U<&XLUL0RsM$?&(3m^L3m@|Uq~VEPDPQlOk)Zr~gcn8uvQd{?K75>=8oRGufa z(}WBRGt_=sMXC-Qe~3J0lk$WS1eVbS9Sn+OCt9G5-5=;#uAL}7o+XKpomFTV4g6BG z$K4XgIG=)2NH#L~Ei1e0BQg@gummW&{;_lntI<3PqYz8u==WFSZeq=TWYf}x%s5_2 zp-!(y-<3SPQQphup_2D>fzu8j$hK1f@8k3i#A$(5zBg$Wl}6m=X-AU_<%XkVg38-4 zy`%Njg$O1pC1XsOE;7S}#J34j@s8ABwN+`aI=1jQHoC_nbWUrQA{kF%oVqe~4LE`E z)orXQ_Kzj*0exx*Dvx4@Dt~TkDJUMM1j(;~Y=9NnPm=NKjG4=^deT52a+5 z)6yw=V6o+50z%e81Rf?R1yHZa4{B!G!WK@4&Fi9SE^Jr1YPZE2S5%$kKDVf&Ng^~b z9Qf%bhEam@!viv#R+lw8b7t4*oV8I2xMKEf{^g6#tv*mA_PyfT5K{z?FuY)L%V@x~;$s+Xi;?Yy`tvpxek%9LwtLXoPF{L&f^! 
zvQkBy0!tWWT{86d;sVSVix(y=ukkD`*g^&c#%eTMw~!zT08@DFF%N(ecG_VY z7XV5FCq`ik3??{!g?&yDijdu!dGSA$rnFU; z{ie2w6<4?X;wPP%D{WFs!p6~Re~*bw^gkR9)up36(|X%fT{?OdoL5x|C-@<){y4>+ zTTN!DK*gnMIjO`CU2)z^T;642f7bhWURla>TU%jc$ir&cTfleqZCVwc&k78T2?L^m zav>GMl6Z`BHh)0hwJ=8>w-pwn+HqfT!4q(&mQ_Rj$OX1?k&JthG5!zT-R$O1?qqFD zd-x$mIhn*68}1YqF_o4c<)FCWp}H5#G3YRiy&u7O6aj*#T)72ubO-Y&PVd0O1Qq~> zTno){&6LyHg}h_iB4`3PX=&Jqi{2JKGmuZHoFN8&#_SHB(V090|G>A;tQ*x}f|BWw zO!g)i-v?(P%h7I}k^&~l4*N07?s6C*yXfu%iti>xa0Y_I!1>6GQqgY4Y*K?Wz+RGB z7&1DybBo3}N4xAT(+S2n-C@7z+Cb5>3`f`E0yjs@@sFFgo`E-Lj`C-K9sXcUR{}o` z{D+S%aMIbHE$}O6!M?=Y$V+4spZuLL{4n0dQWVO*SXiz)NluLR|1V5DA#FoU;o5*INdXWAwc(d@2IE?`Cs;Mn-0 zNG}Y)F1Yyn+uz?dYYH>V4`TC{f8*QX za2V)=!Lx8;0_C)KZqV!y=Q#>l`x;qKBfTTmiN!)Jn@F56QJ^G#I+{wsOv-qr?wse6 zDg{7|Nw{sy2+z+F1Qt`%jOB2`@&!8u^d_Fyl=HGARsAl`Ct{#Gjb=J&;Fi5hI#27n8ePTvj7RNnzq z~fabVTr;IU+4;OkfRhYqzDV1LDU zsJx6bAf6HWhPB}Vlvmdg2*(9wIUlz87;ZY$Xc%opQ$dHBeyb=(!#vZ|Mb~*Q$CcT5S;2MQ0oc`F#c50?D5_@l zwa1T^N}=Ju@vY$_@o#+Fpysu;N?QZ)h1nnc51b~}MLTUxj(CYPL3tdoPIGdPKH&U5 z!7u`WbzTT`7`{JMulK3Z|FT;(anrVx3b;Z4dvb7mYU_VD{=aK_jQd}f8&P;P{4Q6y zxJ7NL0oE5yVA!2pnI0ngmyGM6ITa0Ja)t8(CV@JMo92P?_PGV=a)#9H^1GyUCIk*q z0zqg5@KP}9Gw_}g!EplbKumaaBz7Mjr{Lmp@7FXgzZN5GLS zVP!nP)zC`}FxMZS901r(yBBmF2j=AwTm5lcLCs?kAYAMH%cLoDN6B(Qx1R zoZ*~*J~}!yKd1{3t9*2E`QjaK@$_K0e?lAG+dnZ%k$GsAIyFl9ZTjR6Gp`}eqkmJr z%(bu9@bw`+2fLzw)K<~<64ZgY;YJRGg6@ZV;D!d-MXC6#akyRpT{9GTlZ+Q zb^ki;fb%L&Bft{478u0SEJ0J07Jva2p#p_vWFr48UTQg8JA?)zFZz(qfYqi5W|$n|wkP^x+{7@N5Lg$j`(QJef@APe;kqf-qH5Qg zetHOM0!9AeGohySU9%2rtk3Oo?e9K}(c0}A#9$ofr1-m_i86?vjsg{mk0f!30x+c1 z#Tk^=&U3K6%?oK1g|326%C683XTH;`fg9Go)3v1hst70i?N*pRIWUdr`YzC2E?iEG zU&A7YXdK_$i$vaipE=&XTD#jK46DCICC3a(+}~oH1pe~!y4^Dm5}4=pHJjH7MY>y9 z^-|=I8IFb7!**3)WvOxj2>Xu*bj#G(C>XfIh{wQQf_h`Faw8rCdGD^ZTvtn%j7-5u z|1RA!^v1h1`(Gn(tEr3AYM=0BmTZXf;x$a+9m=b}R4j^8Ql*z>}=RdC1Z z?d@TabfBS>8sVH(AM#vh+|_~o4q<{WP+st#bVO8Ug9W-IWQIg7A@E$3UmY^v!$6zG zkrbB_$pZrHU|V2%4g*4JvgAw_r>U0B39;asS8pk@h|b!JEEXddy;VvIaxfm~tW@%C z#g?GZHIO~(=WfXbcdx|Hl{lL@uJ?L?hihlxb`xD^ALm62 
zu@wYl9&$Ve4m55+M)BP{q{=~YSZF!EY0%vcc=@?Nc?uIYst66mM(md@8+R4SIil_Y3$vP7=1oCF^4v9(oQm^gFYh=}t=z+OxgA zAIKT=7gi|b=+J4VtowUhOz5sSPa}DFcAKhhY)cJKDSHzHQ!vXIxO5zbGD;`j&hpeY z4=dn`rEIj%`9Iu`=z2D0DH_fi%H}9bAQ#`nFl>>y3M0?GZ(FxmDTI3#k1=@tjMXsq z`l1zp_CE54f!9Uu*6*LRJ1njh4odxSAXK@5QtI-OFw1_;lYoy{{IcKGv84A`bNugPC;rpP z@!=-^>sp>a8m~On?dopZn@mxt;WktxdeQRCu-BcLokeS}dqlL9}u%6PUgyhCYHT`6MFyd{qz$D;M)}57dT}$Mae;DH zIHoX%c!~&sf&lNZkw9>ZabnsIDPB=_P{DHym}=RM)>H-O(c4-t^D!}A#eZt(zl`ep zOH5X2|2x{>KN;Ed|M+;cq5tc6n(04X26PF$$1mcr=*|ORnqpet4p^yqBmYtwps*?| z%(br$kAJO-SEsYl16vyer!+Fv3BM7QTD!1v_o$~Y5h1)qH!{3;MGt1y2ZqxUdyUN- zW8Q+CcW$v10|xW+_r~2QOT;&KCx*S1h@O(lp1xPvck|TJe{nhbQ8TGnN&ff!{o{Q* z|Ia4=&zc@5B&ZfWTN=nR>za;kAc$QZ3c~`8w9~eT;m1si`m{Hyq(v=F2XI!KHph!w z;yU|WW!Y3xHKRv<{1~>EcejKbraL~@0BUq*!K)hy@*06e;y?_>%{ZdN@LbEE(^gpL z+1+`4gY2s|c?uT}@fW~MEGrqL-qMEffA>!t`k!WZE0+Hc9sj?>4gFus(}w=j1<;lL z(>3Fx|MUaVW0|qWJ>;LhM=j_-txm}*Z`hpps^Uv#-D1|T6dd#mLDw2Hw2G_-yL z4q!sQ;RJtzrv?3&?oA7`fJXiQp`HJKba=ec|F7k#qyLg_N`fQZzq+vk$2+dY{Xi$e z8kY`qRSs+3OG?_RrnPOM=9fchzVmJJ3s?8ex+8P>G)9aTkhm37Es3TUOIpmJbRhV( zh!Z!$NpO!I13F$-NO#Hkqrw!h@d8(P1nLVwE5Y^L8XUh*;zR`Nc!-mP1x|g)H?EL?u!;SubJx?3?Uo3!*bYCtT zAKjNNYUcp?%5xNWU6!sr3uvuw>CNfHNJ7>2Od$J~F(_HZ`PA-6iV2B6LcvWj** za7nK<2NvlSF$qk$zx>Ga|G!q`4W~#g1xolRnxM*_JLKU-L^>}r%QBo7C>pwE`#z_W z9_eAtd4_YW?F6MZng?LN@;qgnedM%gJ}NCh`+g5ZE$Ba;$W`ip4)zZY9R1J9!G`{? 
z(y@^&adh(SmmOg2H96Z<-{Pw2~W#Dhr zsy}itN4nbchL}IrI!iXJ;vn>N0LifT-efhW58BzcJbD;&^!=VYHqZC*wBY|ao-KOw z&!49A-+_Dn8yy~P`2RYdHs?RK06L!j_@eRiD}@ErZL!nH>~-T>DC@*4KR zj|0^9*e6?A(OpmpuGL@NZ4j@dUk4dT{&x3468O!9(9?Tb(0?grukQY5bn58;jyCr{ zYk4Z;{}SU&*7-=bs>>cy1|F&k@zc|pOAh7RAG-u3T~A&TAGL=sQK+}GmbCy@e%uoM zeajP`r1IRYHzD?y(@W}l} z$y&)@!AUtnS*VJOEy3=c-{Ja1Of}}7o&Xbnh+DNYovGr}($>w=tPYwUi(Ot}< z#N!O*u)z7E0zec0KeX+?4@Re>js5ppo@S1&W?!xcot4F7Wx(N-(+?0l3~tPFhfoQf zrcg*A3wB%n*!N6xoM0?1rvBHdtqsn>6|4wg3+U# zI1~-R1(OJpM~X}J8sIdn9Z6$MT$KT3@7FAX1rOxMGse7znUxO2lm4e7A57IF^2Eq# zDZ*We;az^Z2EZ6iLvvQ+dUJD>lNhHZa(?44jFb1?k1R>W(1wGzw+r4&6}_<*%)Q|> zAbM5}$lpTEuT7rOpgkb~f-)fwi`+AFj?=Lp6 zU7py7{aJ*&d^XHUuFVUi>TG$v&o?f}4NndKCk4*VlVs)b-$us=cK)}M82jF(x<_N`VJy{x4 zv;Voovb6NynE&x$|IqgT9~~ZV^nYu4I>`TgJy@i`cL3l8J+Th=egr>brsoH`^iR0* zJw;qTxMdPbJdVqpf=ce@6=Z0bs-9sK#YK!$n7mb87`GY98Pg5PB$RVpCN~2WNKaKm zxb`R%^*+4mfU0#gCBgLcW{&?kQwW`B8Le%83c>`>q7)YK9PMUzO<7qq2dXak@Fx(f zMM}E>V}n_V@YX{s+OSCtZkpCRfua*PLv6 zS5KI4WP)ZvDp^WSobv?GF!U>XO2S4<&}M&Uh5}0IW9ocV_FoQy4S$V_i6tf0AV@2f z7+d36k}$P}(z9&ICGWyrr^8UoM>WJUNXR8(k9m>n9)m=57Wq2mI93E_DE`#XO1k3I zj?AqsMeD*>p}HaCHd7_BXmn&Kt5hUkjk+QeKsc)n6 zsrB5ySl57z7xM_nv?G_(np;$MR=+u`wx_qYcVkv;%{DvIkZ&vZWQjj#hN`#iE4Bxs z8I^yjoTE*>MF)wW4p!_$HQv|WUFXZISH1C;+*{863a8z6R^9IEa8zzo6x(yBR*Z1~ zVhG%kD?Ba;r$dl%!QR$~2}!-cR8H6X7P6JU6Lrc`9q|C-T<69GGrK1NxHk>i=9cZr zK3@I*93?2ndmnFMct6Xo3!K9{^a~D|-SltDg1YUEK*Rmt;r@Z`|95!0(f_aKVf5iQ zHs9bU-*kg=zBRA@3o1!4(|x&e&Yu18M~&KuFR3A4QG|Dqh%SbuQNGe784eKT4^EcL z-)GMN5C^q0X4^o20GUTl7&!2A;WGfVdaSS)8X1M)88?EcJuSB$Rfhv~ZA|^@DD+v5 z=W&E`gCTKqQa-OhOe|0{tDT{=bCPW6ratwe-G7*)2&F{~lcgajn_3u#q2u$o93ZT{ z#i1z^-1Gv>J$h__#mEZ~hKP{Y*vc%s#nvZ%&2#eeJi+e}jNYcnW5EApDyNDxI4be5 zzb~zQ`(S5EsV&g(p=|d?=u~ma{FJHax&v-!1-Qe75M;OijpGyqJ0LKD@B`W{vyDB; z{7(t{vU6;-)^WKRb%(dJ@E#TY0wfys!nG0op5{|4|4CMGjlvu)9s{b${`>TBWZQon z9iMLGzjZuq#2dK`hJ>wyMro$4Fe3_OIU2{j1@WhTWkA^;(M-yoDb>S00%VpWpd_ET zOao@-(Ut|QY(nb2b*L?AEQ`Oul1$5@0em3Apo-7K2P@m zHJuK`ZQcLCX)>^{6DrdY$u0vB2q0p-N5^L?68xATht-H6hwH}!Ib0zcEQRXj7(7Vz 
zUId_8gF7JPw$k+6!J)UbtO6AVT)d!R#{SIGZUuU#zg>}Ho^2K#8|*$tuPQT6xrv+f zQbzi#ij-1%d42;VCndqNC=lb4oey+tgwlfC#frd-cU6Q5B+eRWc9xg8v|-RLd$q%g zaBo%i?Cjt`S38y2s|?Zo=bo+;)x0>3*15yJK(|JxjEmi_GFUDDCv}J~ zfB$G?`+w~pY~nwz=h5{)*J8T+Rr$z8^v$$95`YC1J6_mVugg&oyT>a*X!i-FCvG4^z6a7E6{eKRQ4)!cawNCWFZli4Pl0WZ!$U3E!#g+Tguhr0NlElK!{H7o$@+8@GP(-Q zhNiku2GGrETiWnzY{WS)=O@{~tqMS)Zhhli8WFaJT|gpn%lsjcNbH}K?tdL^?|*J2 zb+Z52CK=nA)|lu9g>9n zRnj``)<{QX!){()@R9w-js|~Z%2)I!_4m)9uoBrdhY{xQzxQIPVt(rZ@RRn9{kaDK zd}P0@s=hU!BUF@p=?ac2 z`jY&f*kJN30fVBJ?S9at`t=_r7^PhK_O37f?@{^u@9=P||2L9at$%wOxSHSkpa6jV zL-X>sv%j>@NbGqR!B^8XPLNu)=C7A#SyyDvtNac8eM&egulb7VrZiD`r!=XkL}Xc* zz6r}KbLc-_N-!bz85K2}u)4}W+!14{ob+;TQCQvR@hSW>kEjtWm_a@^S;fC!21KgU z4Pp1_x*7=Oc@2c}Pz_t7-WpQ9{HN0dE%ET9PEGRv(D(m6I6d3G|G1gdO8(1f;M%gp zFG`xre>IDGna{&*;y1PDlSDLJgBiAQUa7>u$^h~mUF6_40qV+`+$2_45DV z^r-y)rdx(HE^SNi!Y)mM(?>hzz`_CjRFaNACwa?fDd$w<3+Ezk^imfufSkxMp(y|m||-fRNrlZC0O1Y4KUrc z|7*FHE(&5+wCsMt-`i1`ubSp*#jmsaF0aAiFvDgT4us!tZo51rTXM8Y4brPhQ#6r9 zhYoO>*w7n=%~K9;x5kwwzw~`(YCG~afz^+EMGsWBLD}qo_8(N=L*uiN*{ke4KCUnFNjc%I3YR5I1ETBnD z*>z0O3W4J@A5fYd*k2zGXx9MCmeig9qVQ9(Us$QSbDx*pAoI_p(aYZKU8oqTebCQi z#l?Nl|Ed%StYk*>TdZgstUK_xnx!5rc8{u{<}DP;r-jlGWox8S=bfZ0lB{i|;Zpr$ zB|61LP@=I@if&1QqtXM(nfkS^lVv_ZL{h-cXkS01grYv^e+_XGdVS3u7+sq~Z4t!n zG-)HF|<9<-9gq z_PO>g_U3C{!K#@ovj%4J4Vp=9ay`01C`NJndF)VJWF7~5fBnH z;4gEQe_yx?8;;5>)(;C4btSPXD+S%{02D16Yv{I zaT=qPgTqeDx<2pK9J={}XLn2UqWv$cna~;hbBNk%-OF2`3P|UIC zocstUNe!7D+ZQmzM%|Ru(FYxl+}|45aWl8(91sXm!W8F z_kWHK4@&oc54Z83HhlVAQZeqSpp+80GH~nuYCARW*ca*g5tlBA^R3HPU!qKo?xyxOsA6}qM}JE z7Z~9bvoVUnuVg66P{bilUD5}FESt*f!J}!?M7qe?j{K1%&mrYFeYiw0PH>8H5b!or zZ)<{Be-XXQG;A0VnwONL^eY*P4J+nA=xN0AF^MI*kOg2m2NXd@JU&vK3^WS)2TApq zn!oguGIoCRw$}ZB_W<}m^#qg;DD?EKt^>Ql$-B2AcUNOboHF^opXZimel8wT@?Xai zd;W$;`SORF{THvix`R(E|NeVVbnJi2ZvN*#!E>ok9iLaz?*)_o`^)$Ly<=5w`TiHH z(vS{@y9$;KEWm&M(+#%a=df7pt5w<;l&aRDM=qSrqIn>jRI~a#g4J0qqDPWw)td7u zhVxnEPWSf}mvYP%0W$%9|GoDs8Q$kI9RQZ0sDM%}1pG3>{WqYY*YOJD7;MvGsR94R 
z5KTzR5MKrXHraoU4*d9E`=|Tc`+plr66jsZQNBZbbqLUzI2*=*6wNThB&~x)B#9+z z!x6kg+(JU)Ur-=7KuMAeVf0>sAqqKqm@6`QjKqTKy)uDYju}#q< zASq&lE^x%_$yEaq(*PflnBOf``i>+CP9IbpU8zySJ?$y0P$pmTO(o4c)5`+%&Gn7K zf<+q)%eKRfa5KL`8!+xSl#NlO3cqr5@@;LMzjBLJz{nXmQD?}Lq?grZkB0TaCb zeoCBx)FTLP#0cH>g1~`m*a$_THrd@^&IOe}dk{naTy?In0`rMg^?uoSQp`A^=kmO( z#7Jz5j<)D%)##`}|1W*^^B>Ln|M>9i)c5~5-apvt|4k&Rg;EdB}j$u(JGx`isInWN-{4FSEMdCryp!g zrb!Hj2+(ONHGJSOCxa9w2}&@VsH!IL1D;GLfht491!c(PLCOQ3p;Vrd1ge1%$1_wi zFN*=gBdlL4kEiM?n0>B8Q36F#K}o*i!y)DOc!B^QL!PrUfph5}DyuOaF7wYBM-!k1 zLeM~Tf>R+CG5;T629qfQlPQy4wHaYpme)R}18_Z(FXN~qq21zKiGdW&5G|<1Af757 zmFJ2)KH`aP==q2v`n4XUm*D>Xb?5^~#3WK(k>C-M$5dnlpj;=ixnszR!A2iYG?o4J zTwkcZQ1b=>Lc!N^a_z`A$Qd`nD2WB@4DsD6<^UWi=Tamq)pfC5fVn7&68wOLR?_ac zQ%)w3;|Pjb7$Z@4JODq8#YE5~u$cd1+Uw7|@^Nv|zGxmL2s}(7g(*jff#+!OFc5XZ z1pfn3wxeF%A0jX&DWQUNsWH=3HAmO>NYX#?8rDLcAsX`!L`gwqh$1pUrRHiX08b_; z#*m|AuKNq~ysHM_-l+g4*%mc*UZrEEZZEm*BdfB(Iw1F)P&5t*j) z9*h)g)!ir-T)EIfn<*h!1^N<1?i`Z$QA{Z2^QEMYWUNGKdFE0Q z=Qk{t6;3v-LNL|HrEaWpl97Zw%H9Bd}=uYpE{3a5+g# zoUP^Oe^QPuUk@i3il$N$DRBL=)o6N!mSEfGP0Y3L7@}>IVV-w6b%fo3x*3V(@s`+a zK%64Vw8y#rtBp^z;4Uw5m%+yrEhCd#U6ZS522L@*aGK)&(zZEHsSP!$&FazbtuDKA zG#NAfOKav!vNko?e;9`xji$*`9^g&)|Mrhd{$B^D+xveTNz&MJr$>3E9^l^8`4Tk?qE>pBi~n8M^A<^b#Hqdh&+j33MgUFvf8US)czAqpc)ZpBn@HaM{}m&E zz?@kp2Jo#fdiPq=&yK4JwdMSOW`{f;e zt=i53e=~s0>#)ey>+52QIZ@0tosNpyt~BSRqlRv0!FVP4*Ea8VB8e|H0%FUU;iH+ z9d7miCX#>uf7JjWFljz_1Q2ZUM+*Up%ld1F0L3iZVt{rSAlzeH5U@?FO6~RkVz&SP zXrccPkM=$Ne|UDVz5lb3l;8hfvEtv_{af71U8&9AX|iYVcfOUZ{iTw1_If9?c?#3q zQnjzFHt4pp@!qEFg8@x+7ZeqgUo>+`G(Z1`{$6TO(Uj6jy>HUD=S-2=w(M6ok(u@} z#PxfJe*23%@uu-V`%Klms9Sq~x`|J##7g;W!ev{;vH8?q|7-8E1r7ij_x~qH<^BIw z|8FFf{6ANW11z7!FUA5;(dLiV1hBbN0DGcsZ2+xo099SKH3DqY3Q~LhZ+`4<1ZdL# z$A`zh|KHi!_WXY%NviiB^w5G=kl|?65Fn#?0_ogVh0mlw=@OHpOv847x=u02GFqAO zY_hzXo{b^9Rpo{J_FvW!pReRq``G<#h<`%>nIQ@cGd67s(+32erEr3F!LvMvQ0n?k zocuRSI|zSQv z1(0b{ zF~F%t>4Q0(B+VBPG*bigfm3*&C4DDk!@g7hRm!H+3OfukMD+vV3|L`4pnzzSR}X^J 
z-whUY1w}UaRRHK`PTgU8NS2ajsOrAdHJJESQ34t3REtxxMNJooay-Hj~c5Bx-gDoo4;Y;OB%y}pJsa>*-RwMBx zW^^haGk-OWA3AD-K=~H6KBD26koVo>jVjY-ol-JEe2k_Hyg{7esM`=tRGF5FdhZQP z;e)HSyVVzU(bzBU5C<8dVjkw`Wj8mo;=kU?Z%kT{&TntOd-uA_V2ZLW8vZ>>5GCMy zN1VJSk+ey-mnM>mCsYzmr9Bs~VDx^P-6>hVC=)|TL@R{uJlyH~$z7{8_nLz>ZTI&Z zOO^Y7oMOHr17O4c|LElO%(wrYZvB5Ylbqu-Se&2PE;j9q0m`K3?1vG3FeEftA)L8# zxSfzxe~Zm4Rc$xMCF|jfufQ#&41okQu4;i)GnjQIBiWRS5(LSrUR>=26E z7&CJ9n`RGv70xzT4@EI%i&YUL(fKHiFk%BqXP}HNgx1wKffU1dxPm%0rFONF^nt9V zRz;~*txxASm>~Gw{)( z+DiN<)!;_Xe+~|g56kC2CtLitiPVJZG#Y9=r!~mTwOzl)tlcrME}kLEgq%+!)U{}g z)H5mFN-^`gO1EO#NY}O4FtlOsN@NzaJuFFOsnXJ%>X7&-Mcp<9Qc3>n-NB1r#P(nl z^8aA}?67?Pf4GhRv5{n%^wf*TV%YVi7gk`h;k>muz};S266M)wnj|tl^~*ok;3jpe zN91DzQ^GlE_q}c<$1nd3o*Aepe{k=;pu)koDg3w2s_!USUYJFye%DY`9WJ7qA=}@N zV3G(3-@mxI{iYu-@E*R=ov3g5H==uBc%( zAxWy=7&q=CBrWD*n;MxQd1H0ITcK`1luYG*wRJ;u0sS;s&3qPe)XiLf`OP2fZ($lI z2v8J}8KQH*IK}CM$D{cwmw@26UkaG7GW-{kUhsYM_nsnGkvsP;@n?vh9%_cz_s&db zyET@a-wO|!jG`GPQ)Zv)j1Z5;`c-(Ro$8gCgpl{s4D@FQVhI@*`{3E&9ZC>nXpq0y zSJ4#TecbCmDJ5d`0Sx5RqIOeiua&E|jR=iUTnrdif)p{1;=y20cJjCSPnLaWN;WV_ zVH%$&*%;nTC*Y)kF%#%V+h28GyAJCG&w;)doVpx%?1k5fQ>5QOf}%)`Q-h9>Ys$1? 
zU`U#&Y+f4CKi}z}y{h}xsP?@v{tb*MnfwSRNp&N0b(8mH#j>$l)g~l?(N%p;r>I}L z;a{)4CWu1;#qY@_j(EF^w)Tw(Eo{`$B70$u_hS7+;AVt;I3o0Nhdx>KUW?GbhVHYt z$}Lc1QxC{#Vep5kzSCR8mE6>IL?^bGM`%U-Dd#llxvd&5or6$kHZw|QIL^J@4BK6} z1bsfwP~S{|(&eJkRh?qm-4c=@YB>>f?A%P2U${$cRxUIia2R>Ok)e@O4Fm?W zj+fyBYtDPDWg_F37zxzhDP=I9gp3%I*i`t7oG5+&Hdk z&XQV8JE3}jF&^HE3}vJkfLO*6HH5F8TYH8n6FuWUM^w7tZtC_>R^OaR^@aW&o*u_2 zYQQvCSYQ``QY3YWI%QID<`D`!6Ax84h)zNAz+6s~=fdw1%H)(V=VEbwCI%oS)3kgY zlTfv)Tot{Ow`k9m71yKuG8&;k=h3{Vp-~HAS1hbziZXA!fPE*kT$QfuJ0`HSTwqp1 z2n8dk-X{}n)=d@rhZH>)*-9(97$Y~9kj`JcNcG$Sp{Ivc%hBRgdU6>`hO_*K5k^Vu zH@*T}<}=3WmVh+Bd?l7!j8cwa!t{#R1&=sM08ALscL6{|Q7q4S)MA%^brbOMP!`iQ zX-OB>^2$P@HswvP;sy?^RuZM5#{QSX>t&6Ajs8FTzW>kJ{_)oSw~?gOW4?pA%iyCJ z{zWhT2kw_xcl}!!4U2Nt4gGZ)4)bPP_w|b(pU8q}>hEMm%xxgGw#2-1T^m!YooC7F zXgtL7{_;h(YlwXASt3ob61??HlAh7gjK+ryrm@M>I3RiMsxfJU9U#LtFjyX9tD_thOz}C9K)7aEs`O&`&IpYo_goT*6~K6bJzJqq7TU1YfUeKukh>cHmG09mi~}3+-{Ik*=l^rKe{!^q z|FDsyw$Y`Vmn#E;fm@lK0AZkf8P8$KvIXMg1+^=`XbUGsA#}?Vze)Pa`gbhE>N^(R zkVo){lxj1#x?_M%1#A~kb*rY3a(dtCH8hRUhh6bs(PLSms_8H8BKggrVnQx)e z9k%1Ps|tyOL{g@2SA(z;ryaRNNM*%HU;z3#fSNt5dPmFJwpXgonFzZAp#S$z&h~x(uhX;b{jZIrHVRk=T`AO?(MB9iYz1Vp0@r9R zt=2NHyFF0B+pa_*87Lqpz3z27S*YrpET-HQg6o%SP=a@Fg9oZtJuC2?`K1e|9)_G zvW@?=kt9Gu&+-2>MuU1M(58UsPS^({IbM7PzA<;u1aOIq+8BT=cm>Ec*^V=4OPq>1 z>H__dEao_zST>4r26b?ymw#6DeRBlUpv|0k30B_D5T!Uq0#u1_qMVD_T=AFJGH^7c`2mlML$5Z9g*`W^rD=Y>wgo6Zbd9fo}@M_*>eeOl*UzIOQdPQS`CzU+sl=UV$_ zDg&CTb{P*q{bG!Sm4bSuk6q-k73yj?U_=m zM|rm2zPw9F(qs+}^2aIA2N^f2Ra_6VE-Ih33FAuL#WteUKdlEz)?i3gub;mHH|jz0 zb8DQazXtGOenlY%iSlKg{tkFh$-3kU8NSiq*Z-(sw(UTd{v<`gt$&IH;OD|div!3=qjdO z?d0p^Lnl2SG82-{1~NJ){u>&}5a*D#X?NF(TUR6NX?YA+`sXR@I+pR9-B$Fyx)a!X@oeEV&hmb8KD7TUK2 zQGbP4`(&|x4n!92DfO(@1)}_#u_>bdyK~mEw^ubzIeMTl{HC~h9IGO~jHYZtGPlVT zI1s5|-g*|y&gI|iseO>#rRb9~2g>n>UGR)2%;-Y99Xw$HRz(l$0>v{BUOtx-1HT>; zGK9$he~z1vc*2V6ewHt-`!&7tC9I=Tqr0!CsD3FeG;Pbv%Bp1* zYs-1pVd({y#vPDH`R}baLT#$H|LWI3)^7jZKioe)E!%&$_kTB%O7Z`U^s4p#Y8e7B ze^92{0ZeB>E&acAcH4|1qJ`_i8+-!Gex@BigLQ2;!Fg 
z@$;IDY=-arwc=+x<(IatU9#JdbvcXWL+RERcsLyW-R}u`B-zhMtYey#@3Piu6T93q zzbP7hRn@8Ocnj6*mkrikGQX+NF6VKqo&%2{D;Z|PyJV05;wh(h)1q^z~Kk&fif?A;2|NFqd|FeI#z5lb3Bt=$6;y54bp&aU!`2q#sN$unp6r`|z zPw*@r+WI8Gg(H+U<^rC@!!C~BwT>^_qG|l&1<=)`7QaG6!^;Dh5cZ zTxq=bAzS+M1n`||wEb|9{;7l;R*LLuv7Ka~s#q0rkR4Z5$N&bJsTw0x0=ar9C;O|) zakL7*$x^jv8n(p8Ot-M`LUW6mH<()tkNw8-AntsNt9TV8^b$kl#d8NJ<#b-|9M%3R zH;sNq2`3Rr`gzL+Fw1WBugV+4{q`+kE(Jop9HIw7KZAVi{SNuqE;*%MwcpX?2h7K! z{COHX*@Im`QpV{t;^AwaL9Cv`O&+P9QJ~X@n#Ex2@DwIyS;#ln#wYggvAxVLy=!z0 z=yLHur5p1-Zmg(vu+qGnyO3}1HCtC~fDmtdYv z8M+}cy1oth{W@~jTg9ONEG04e1!um)s7JTKCD&yK|Mj*(gcuy{gzBW&%mM+jTeKmfe80*RIg9``XLE-PUi;l?gL>XorrEai$`{ySDWd#SFAX!nY9*#;*%{IybG`$Dw~mHIzf*0zqm&mxM8TJ zX;pjKWEi@=Z{ygzH?P3O-F26nlJ=Zoli|hP^(ta?H1>^rAeLbwUtJbW8$=8b-v3{0 zfJrz;L6DG{K>e8FStY4*kGU^O%d4iPH&(5xRlfQQ&E@3oTk@fAQ!;@=l=w4L{bT3zI7ch$dOrS_(OovcVltVvefe0{f!tVl=fX=Ft@VyluB zAyNx;wt5ylC~DfZDYOoX?@P2WKv;bWHnkiC#=oC``@KJ18VwS&CFX@a0CrOf#TshI znpJ<(Ip?a+i6x3%q6>=={9bn3T?#WcCOmLntT((fl88)x+@qOSyk@SrTRl~f>4Kpd zWU8##^69T-=%q~tUr&=n%?4oD1LE&cO@@s?%oAyR_Hml2yaKf~nup!ScXHNPjg8o8 zaJ9q6%Jy~kP+A+i?=Qffo`Lxw`A!x!d!!a~s95$63!!ePh44;kdskDM2`x#GDUFJK zSiTwOsyF0TF}z6#s{iUCa{H*uK!wMllNf6jWG;KnGOfg4NbpvQ;_!w_-Nwf(VmNRK ze*}mZvQA_iz$qW!AttnO#n(&BA~HjC9+FV4w)`LSrhkcT{}TJBMR!jt-8-#m=VSuJ zy`K&dO%X=|f4-3OX)hXAy`Jw-&^xc@IiY5$q`H8Qsf@hWz)gEavfMt%roWB6^qHmV z^FKO-D>?vd^8Y$I@cq9|#pmt$-v*M3|McqoVpU#WV%l^(08~X*@8hLB+hpA90+fLf zq50W`sF@Ag#r>D-p@QN%v9lz;C%#ie0UbC**}F(Yb^C*_zu{j*SljYh|?iZJXZ z#D)bfOqle~)N^VrE>N2~qm)y!owJi%XHV zjEPOTx*iaY{_=bb*?*zA*CCQD6?FTpPYLZp!ARt#NxE7GDJ9}RA-||ECDq_RGUaF` z0I)Is*M8~#@8RLr|7#gp1_%M^E>#t*60X{xSI z*-YfM`$h%Frton-rvC}1YWZIZ<-f2hXxjguoSymbKOY@!<^M*K0(w^b_f`1;`_reR zO`u$S{dd6ZF!+{|@mYDA9lXU{myP_LVBQ|!+FgCA*H^j2w|cPC9^WdsefaswuP$|d z;brsQ%+3TZ4+=#Yq!sTjn-`(Y8O&N9U#dFttJ%MIdHK0+q1C?m9Qoq5$B!dhvYy@xP9a5B>XJr$?vT_^%sDmL^&q^wTS-8{o6vnO`r=)86Mc!c)II z39eIhcY<`Pr)qJW%CbWAR`H&HEpSt1KEHeWRRd7n`EK`rSr_#`QJAZ=-^T}T_2g@J z5LU5jx7h5Hz-F6Bb@)%df3*Jh-;NK@O8!45Tl?Q;k`^86x%(Bl0O^_2835{1PvHn; 
zCVM+qAd|bBH;^vn0#EhR6CqDoc{k{(#;6{9syt8c9HcoZtIF#XbEAFIz~ehlf>4`= zs|KeoK4!I})(N$~_zGOfECCRrCb=L~5TS^XWQHUrkg+Ul!WZbSQ3RgbD$Lx!9{cbA?;jkVZ1LYF zQXp8~%0QqWd8`u*^b4;a2ztF>LBYxpj2lIRE`MF{pdbIQ4iS27T_q^24kp+P3*EAx zA24hjq87vRC8NWI<9&V<5V2zj$<2G6x-o29;?Rcm{>fTGyGGRfm{DL`{I`r5unGU2 zmF|BZ92{=n|KCUo2+t^g1a$Qva1n!Gkiw?nV97ifSRNk*F6?Y9^pHmjqhX-w>w}34 zm=FU5K6}8}U{P!uvMqFUrpu>|A1iHV9|ef?r|cqF@?$Vd;+YPLES$kJB>G0o$+SDISeb z?8af8C|!y_TPS=a2G4DBQVsqm^nF5Ly!-~B0so)upB(%6|Lky!|2LAPRQy2?^{OuZ zn5okh>*vLu;<8UZ-`idC$+LI6-eZb68w&H=)9ffr^__MPW~gen4<^$J_YZkrb=oVK zQe{|`$0PT#RYOHewo`8iZeB?T$l^M$_aDb>xldf^3mkS}mEoglIz2&aB0<*g6^e3mJA}=~q!;P0Uj1=Xh-i?L1pjt@)nyAz3Sx_u_>aebzk1L_et&f~+uL+UFJ3*wJ@OyZyL-HR1P4{5L}hqU6Od zLm0iEX8PJ=LLxb)-7sL2{r~XPi~n$Vcy_Xl|GSYS=W=k2SLXpPXVM^8Nmp0!T2kwW zimGCLCHpmT9{2XYsZM+v0O|A6$sb(yF?c0O028plG^iF*2D@OD*8lKC?Q|62^H_R- z=~D-(UB|EW*gZ996;ME~)eJ^5*shWWAfE?>0?ZjoM!P^_R-A$eG9&}^N{ji3k_mXk ze2i05xHNY%L?I_s362&fxAJq-ul#h_m_k1m4n<0Nw<@y8wS=&@N1ASR;xhQF_VY&86`6u zBf2Z(kUXf;KbY9u6Ud{n*tcR)Hc0?`k23|&15K;BQK68AA-}-OBcPvAG{PT*Y-Nc* zAT8<+Bk!))I@YvjsYha;@{QOpD>d%_m{?BJWSMthn(lubos{FhoNnX4Y$U1Y?)4b2 zddp|%F1E`nO0R!om-m44?z8&s$)f-1`WM)|-I=bd+pXp8>###B>uE3UpXtYLG5>U_ z&+o*baXf0r;>*0i0UVk1sljkK^3j_?-XVv5sSe) z{0Xm;C)zj^EH1Eh@Pl-;I`|1Ue|WQRXhAZ)vj`*c!i|2LCL@5L`T#Y+YK zw^GCY?_j_5{?p0n$#(y@k)+~(A^M>2mI5{Yz&zxw=7;{KQ4F&-g!f|v`dT{l&FxiN z&m?$AA)PO}hg9qg#B3CTq=hl@6&~=?*|&eeaioW?8lEEZ{D@O`ln+ zl>ZuPEOYK}Qj`2YDaU^~IoQU3*+_C;X%b?8Zt$QCKcFxFOL!fTltY|?F-j%?QJRMx z(24+y-S!kF$s9y51!I_HCpXvWh!5?Spzjw%V0UVMU(mgz|$0ejs zKYE2)CI1u5I5W3@Jg@NAn04A3G~)j=|NV!fgR|}X4;x8MqOEcQII>P}_2r33;OGR$ zA9lgBA+rRcDN=iTM$}WX!kaUlTnY?XvL~jiv@bvBN+@;^p19HFiP-%CyM z|LE|fU^Ex*$Ac zTe17Or6&2GK2XHiavOj~`_I9?kN=O3xAK1@srei=p8yNUeO0(d-WSvxLA}n~S;pHu ztY5aP+B(W~U1)h(t_bBa-0A+U?B1qwYLNfdE^%=k&}{!Hz5jf8bhMTKn@COa--_~a~iwaRcDE_ik z#4|q0?(A${KnSOdBR8FrlD#S~NVkr@%<2fnvMAA-OJu!P+KbrUodsX2;*zeC`EN?9 zhtROz(e-%Iw<}tp+gem%GZ*kYF&wE^hi)y#8m{gzM1|~C^_f?T0$%-Qb*QB$-3$E@?2pu@}B4Z4Abbu;XS z2rO;j4G=YkUU#Ur`?SwFb&~%JZUYm+o 
zCY8F$|HUqVHsgO^{vRD5Y~O#|Na`s6m%0EttGfVNUC~-p!Nx9tRs~pGTpO(J3TQ>t zQllHTcR)Y?q~-r$jFJg{NC`!&ucJZ!@1Gob_dgE~PtUgae80`hYyGidVf$+Uf48K2fJ*Hk_0>?WT=97;Phb^P?SK9X9#4FkFDQf z8u$JHQuLsN%yShX5yeU({~tR8b#IWQvZP=MWQc+Ur)ba{T;Bb1#|cHfKY$ArhU@!_ zI}l^adV>edU&#Mg?Dq!4f6y25|IH8MhZo}i%%5zQz9i_Ni0elZBCQ}BkFRxf{kWun0ig<5;V+3EQ?3Dc48_ZZlV)Wuu zkc@i$zrMb>y1BbrPaXB^|KQ-{@X%ZT2Pel{|KE+IS5t;l#2C0EQz|_)Ba|`(4h9Fk z-YukXf;ghA*Ha$|ed!!L-j5Nur&A;&@i1_!R>UsA{7(!J89ZJE`uUTJvP1E3$_Ztf z9E!mYguZ`SL9TzH;|hL@k_nJM_RixN3jqQX@Et?o8wykY68uP}GSJVIAsuy4lYb=i zJ-{i*D2b<$D7XtC0|`kVf+wj!e8pTofsZMQcrph}c8v}r4Q&Q>h}gJ-6d8?hgkb_G z$_T@p(D^QiAcqNg0EBA7gPePqFajp{d{cl3vEhcKT@0tH>_~Xhf2PJPOSaL53KB6zzg|iZmyff)w(p_))Z{f{=0bg$(?u zs8_J^Cplx#hb+Mn77fZM8RH@5D1KQ%Y!AGerg0+Gj5=2o+z|?5%(4W|O<*TyR#f!} z=Hur$-2pHqe2l1>K^&#Am;)*hvBhs?*P7s4Fv}oCDc3{*8G#XuaDq9MalT+0zaX@N zN=C_q$ZT${U^oYSjA;xqNI6Cf;Ix9o43k6$N*}3cXu2N;z23!GZqP0vN7lkV+&|gh z+dtUbKge_F^=dL5?L~Wjl=d_Y(^24C@`z@L?#iN$>{5~F&297>(`5Xep4`U9VM?2tf z|KJR~ffU2bSKxxsj8N6-=fhoao+RL%$jZPw#1NgKc+mUzzy4Q6AN~7Z|66nb1f0Sc zO(1rMD~&QxMWnyDDtl zu7I=?%;kbk@I(l;o?F|X*Si{xP$ZX&5bt9ItW}!N-w~NoJ_ayN@eEN0Y5r8k2vf#E zHXSB7O6I+M9)i5RS{6XSG873-0tAU%LijUW&0jG!d-<$=9OGy#mIR2%1Tj^qy*z^B zMAe*>1bZSc7sG36bw$l?9)nnyl61^65t{@GA1KVmJr$8pkiseCq6e=>qB>eRdUjCD zNtVnDVNKEBrO^u>Wc)(JB8rFQ6}u}NIho4tr_oqQFxV3i8&Qb^ zv^-Hr!tSeG`B()Ujc|gcEI=v8LafX2hEqN!6#oOoJ&G7g5=7O9ygG_T6yj77o-(8G z+$r1Z3AqrFOsEUpEn;tj#Z;9GK;jA%yXDkC6bnddMAi%S>#hI;fK7D-QR2!owR<$n z8)jL85$iD|Mv|jsF4X{n(YSs(nrUIJ3c3Dfkj{JUNKhozODwdg8G=Et_oL~~h@>pT z(UeSCGB+r~X^dE!vYxyHg%mLTCqz)Ng9boNO+ZnEL|>M9!>LWPm(!HbVQ2_iX#Tlc zb7~!lo{31R#1E4uzY!5qLeJBl-S=}bKJF@kT#l`nDCxX<@!&LoDGX_;4&js&fdL|+ z5qtT{RMpu+z%6TFfL?d9Jupdt1Y$isqAVu z9ta?#LZqu#Wr{V)z;grlRaeceJqK(c2AM##6frTMw2X;0hRd1W5si2Y?!UbPSAV^~ zy156pSMT0j-``(df>%F+^V{3k*B9rnUSEON=RfSqe0tx034VC{?!UnG9k_k>_WSG0 zt4r|qrgwfLP|o=sxV{q_{?+;2_1!=hdHW80d-d+>)sNuv`tIWO`SqJSaQ^x=_~HEB zyYrj->#I9(esc*f-rihZ-(SDIx!dhs{q^?U)!iL<`wm>cxqW?ob-4?!Z!TVccX@sD 
z4S4>;_5HVRzq<#ouisqXpNld(Hnq23_ugE+yZH9}=KlQE_3P{VA9umm*Y`Jq;@5BA zfpc(s{_g(z;=9-9@4)SM?{44TUG0LKw>Nv&H($TIzWL_r&DG8QuHdS7e|`V@YS8N$ zgi=;CQq3}^_eW}1SakHi|MmYdg{e5n(W{)B8XHIvLxfZnQ)A9!wp3O zp(-q_v9Frg4)(JF7nHvAB4Y@4{}0hE&xbnzrwmc9RpkdRM(~EDV(bRJ-jO@wY+y0y z^^OPNhRCI*wiK?)(yBz83gCS3DHwgNr0u`&uFfytTn#4iI_hXV|35wR&wut0xBkBy zN%<+rYxPb`ulI*PfEzdw%I+>2qY3Ku_JF?Ta2`cun(~)D0QSJGy2$Vn{O#G-(I4vnM*+B-2?AlonI_KOcXODG~vZrGK6kP%od<>OJYOeLPe3+S@OTE z&m;Ws24*gS{O6)Y5k=hRRs5Fch+u-i1)^M8fsscMQ7`M&2Wf#zz;((I9l=PHz#sOW zy;J)jRZc#8__to~KY^g7fWY2=g1@=Bq~%+Y|4;cKgUl!8JNghI6fi%5Fgb literal 0 HcmV?d00001 diff --git a/enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressroutes.yaml b/enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressroutes.yaml new file mode 100644 index 00000000000..bd137f410d9 --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressroutes.yaml 
@@ -0,0 +1,275 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressroutes.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: IngressRoute + listKind: IngressRouteList + plural: ingressroutes + singular: ingressroute + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRoute is the CRD implementation of a Traefik HTTP Router. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteSpec defines the desired state of IngressRoute. + properties: + entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/entrypoints/ + Default: all.' + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: Route holds the HTTP route configuration. + properties: + kind: + description: Kind defines the kind of the route. Rule is the + only supported kind. + enum: + - Rule + type: string + match: + description: 'Match defines the router''s rule. 
More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#rule' + type: string + middlewares: + description: 'Middlewares defines the list of references to + Middleware resources. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-middleware' + items: + description: MiddlewareRef is a reference to a Middleware + resource. + properties: + name: + description: Name defines the name of the referenced Middleware + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. + type: string + required: + - name + type: object + type: array + priority: + description: 'Priority defines the router''s priority. More + info: https://doc.traefik.io/traefik/v2.10/routing/routers/#priority' + type: integer + services: + description: Services defines the list of Service. It can contain + any combination of TraefikService and/or reference to a Kubernetes + Service. + items: + description: Service defines an upstream HTTP service to proxy + traffic to. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs + or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the + pods. By default, NativeLB is false. + type: boolean + passHostHeader: + description: PassHostHeader defines whether the client + Host header is forwarded to the upstream Kubernetes + Service. By default, passHostHeader is true. 
+ type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to + the client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, + in milliseconds, in between flushes to the client + while copying the response body. A negative value + means to flush immediately after each write to the + client. This configuration is ignored when ReverseProxy + recognizes a response as a streaming response; for + such responses, writes are flushed to the client + immediately. Default: 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the + request to the upstream Kubernetes Service. It defaults + to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as + JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. 
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie + can only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. + type: string + weight: + description: Weight defines the weight and should only + be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round + Robin). + type: integer + required: + - name + type: object + type: array + required: + - kind + - match + type: object + type: array + tls: + description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#tls' + properties: + certResolver: + description: 'CertResolver defines the name of the certificate + resolver to use. Cert resolvers have to be configured in the + static configuration. More info: https://doc.traefik.io/traefik/v2.10/https/acme/#certificate-resolvers' + type: string + domains: + description: 'Domains defines the list of domains that will be + used to issue certificates. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#domains' + items: + description: Domain holds a domain name with SANs. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain + names. + items: + type: string + type: array + type: object + type: array + options: + description: 'Options defines the reference to a TLSOption, that + specifies the parameters of the TLS connection. If not defined, + the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#tls-options' + properties: + name: + description: 'Name defines the name of the referenced TLSOption. 
+ More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsoption' + type: string + namespace: + description: 'Namespace defines the namespace of the referenced + TLSOption. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsoption' + type: string + required: + - name + type: object + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: Store defines the reference to the TLSStore, that + will be used to store certificates. Please note that only `default` + TLSStore can be used. + properties: + name: + description: 'Name defines the name of the referenced TLSStore. + More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsstore' + type: string + namespace: + description: 'Namespace defines the namespace of the referenced + TLSStore. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsstore' + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressroutetcps.yaml b/enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressroutetcps.yaml new file mode 100644 index 00000000000..589fe31c18c --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressroutetcps.yaml 
@@ -0,0 +1,218 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressroutetcps.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: IngressRouteTCP + listKind: IngressRouteTCPList + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP. + properties: + entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/entrypoints/ + Default: all.' + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: RouteTCP holds the TCP route configuration. + properties: + match: + description: 'Match defines the router''s rule. 
More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#rule_1' + type: string + middlewares: + description: Middlewares defines the list of references to MiddlewareTCP + resources. + items: + description: ObjectReference is a generic reference to a Traefik + resource. + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + type: array + priority: + description: 'Priority defines the router''s priority. More + info: https://doc.traefik.io/traefik/v2.10/routing/routers/#priority_1' + type: integer + services: + description: Services defines the list of TCP services. + items: + description: ServiceTCP defines an upstream TCP service to + proxy traffic to. + properties: + name: + description: Name defines the name of the referenced Kubernetes + Service. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs + or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the + pods. By default, NativeLB is false. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + proxyProtocol: + description: 'ProxyProtocol defines the PROXY protocol + configuration. More info: https://doc.traefik.io/traefik/v2.10/routing/services/#proxy-protocol' + properties: + version: + description: Version defines the PROXY Protocol version + to use. 
+ type: integer + type: object + terminationDelay: + description: TerminationDelay defines the deadline that + the proxy sets, after one of its connected peers indicates + it has closed the writing capability of its connection, + to close the reading capability as well, hence fully + terminating the connection. It is a duration in milliseconds, + defaulting to 100. A negative value means an infinite + deadline (i.e. the reading capability is never closed). + type: integer + weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. + type: integer + required: + - name + - port + type: object + type: array + required: + - match + type: object + type: array + tls: + description: 'TLS defines the TLS configuration on a layer 4 / TCP + Route. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#tls_1' + properties: + certResolver: + description: 'CertResolver defines the name of the certificate + resolver to use. Cert resolvers have to be configured in the + static configuration. More info: https://doc.traefik.io/traefik/v2.10/https/acme/#certificate-resolvers' + type: string + domains: + description: 'Domains defines the list of domains that will be + used to issue certificates. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#domains' + items: + description: Domain holds a domain name with SANs. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain + names. + items: + type: string + type: array + type: object + type: array + options: + description: 'Options defines the reference to a TLSOption, that + specifies the parameters of the TLS connection. If not defined, + the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#tls-options' + properties: + name: + description: Name defines the name of the referenced Traefik + resource. 
+ type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + passthrough: + description: Passthrough defines whether a TLS router will terminate + the TLS connection. + type: boolean + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: Store defines the reference to the TLSStore, that + will be used to store certificates. Please note that only `default` + TLSStore can be used. + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressrouteudps.yaml b/enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressrouteudps.yaml new file mode 100644 index 00000000000..c35ee4dc20d --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.containo.us_ingressrouteudps.yaml 
@@ -0,0 +1,105 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressrouteudps.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: IngressRouteUDP + listKind: IngressRouteUDPList + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP. + properties: + entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/entrypoints/ + Default: all.' + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: RouteUDP holds the UDP route configuration. + properties: + services: + description: Services defines the list of UDP services. + items: + description: ServiceUDP defines an upstream UDP service to + proxy traffic to. 
+ properties: + name: + description: Name defines the name of the referenced Kubernetes + Service. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs + or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the + pods. By default, NativeLB is false. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. + type: integer + required: + - name + - port + type: object + type: array + type: object + type: array + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.containo.us_middlewares.yaml b/enterprise/traefik/24.0.0/crds/traefik.containo.us_middlewares.yaml new file mode 100644 index 00000000000..5e14f93fa55 --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.containo.us_middlewares.yaml 
@@ -0,0 +1,924 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: middlewares.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: Middleware + listKind: MiddlewareList + plural: middlewares + singular: middleware + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'Middleware is the CRD implementation of a Traefik Middleware. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/overview/' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MiddlewareSpec defines the desired state of a Middleware. + properties: + addPrefix: + description: 'AddPrefix holds the add prefix middleware configuration. + This middleware updates the path of a request before forwarding + it. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/addprefix/' + properties: + prefix: + description: Prefix is the string to add before the current path + in the requested URL. It should include a leading slash (/). + type: string + type: object + basicAuth: + description: 'BasicAuth holds the basic auth middleware configuration. + This middleware restricts access to your services to known users. 
+ More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/basicauth/' + properties: + headerField: + description: 'HeaderField defines a header field to store the + authenticated user. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/basicauth/#headerfield' + type: string + realm: + description: 'Realm allows the protected resources on a server + to be partitioned into a set of protection spaces, each with + its own authentication scheme. Default: traefik.' + type: string + removeHeader: + description: 'RemoveHeader sets the removeHeader option to true + to remove the authorization header before forwarding the request + to your service. Default: false.' + type: boolean + secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. + type: string + type: object + buffering: + description: 'Buffering holds the buffering middleware configuration. + This middleware retries or limits the size of requests that can + be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/buffering/#maxrequestbodybytes' + properties: + maxRequestBodyBytes: + description: 'MaxRequestBodyBytes defines the maximum allowed + body size for the request (in bytes). If the request exceeds + the allowed size, it is not forwarded to the service, and the + client gets a 413 (Request Entity Too Large) response. Default: + 0 (no maximum).' + format: int64 + type: integer + maxResponseBodyBytes: + description: 'MaxResponseBodyBytes defines the maximum allowed + response size from the service (in bytes). If the response exceeds + the allowed size, it is not forwarded to the client. The client + gets a 500 (Internal Server Error) response instead. Default: + 0 (no maximum).' + format: int64 + type: integer + memRequestBodyBytes: + description: 'MemRequestBodyBytes defines the threshold (in bytes) + from which the request will be buffered on disk instead of in + memory. Default: 1048576 (1Mi).' 
+ format: int64 + type: integer + memResponseBodyBytes: + description: 'MemResponseBodyBytes defines the threshold (in bytes) + from which the response will be buffered on disk instead of + in memory. Default: 1048576 (1Mi).' + format: int64 + type: integer + retryExpression: + description: 'RetryExpression defines the retry conditions. It + is a logical combination of functions with operators AND (&&) + and OR (||). More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/buffering/#retryexpression' + type: string + type: object + chain: + description: 'Chain holds the configuration of the chain middleware. + This middleware enables to define reusable combinations of other + pieces of middleware. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/chain/' + properties: + middlewares: + description: Middlewares is the list of MiddlewareRef which composes + the chain. + items: + description: MiddlewareRef is a reference to a Middleware resource. + properties: + name: + description: Name defines the name of the referenced Middleware + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. + type: string + required: + - name + type: object + type: array + type: object + circuitBreaker: + description: CircuitBreaker holds the circuit breaker configuration. + properties: + checkPeriod: + anyOf: + - type: integer + - type: string + description: CheckPeriod is the interval between successive checks + of the circuit breaker condition (when in standby state). + x-kubernetes-int-or-string: true + expression: + description: Expression is the condition that triggers the tripped + state. + type: string + fallbackDuration: + anyOf: + - type: integer + - type: string + description: FallbackDuration is the duration for which the circuit + breaker will wait before trying to recover (from a tripped state). 
+ x-kubernetes-int-or-string: true + recoveryDuration: + anyOf: + - type: integer + - type: string + description: RecoveryDuration is the duration for which the circuit + breaker will try to recover (as soon as it is in recovering + state). + x-kubernetes-int-or-string: true + type: object + compress: + description: 'Compress holds the compress middleware configuration. + This middleware compresses responses before sending them to the + client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/compress/' + properties: + excludedContentTypes: + description: ExcludedContentTypes defines the list of content + types to compare the Content-Type header of the incoming requests + and responses before compressing. + items: + type: string + type: array + minResponseBodyBytes: + description: 'MinResponseBodyBytes defines the minimum amount + of bytes a response body must have to be compressed. Default: + 1024.' + type: integer + type: object + contentType: + description: ContentType holds the content-type middleware configuration. + This middleware exists to enable the correct behavior until at least + the default one can be changed in a future version. + properties: + autoDetect: + description: AutoDetect specifies whether to let the `Content-Type` + header, if it has not been set by the backend, be automatically + set to a value derived from the contents of the response. As + a proxy, the default behavior should be to leave the header + alone, regardless of what the backend did with it. However, + the historic default was to always auto-detect and set the header + if it was nil, and it is going to be kept that way in order + to support users currently relying on it. + type: boolean + type: object + digestAuth: + description: 'DigestAuth holds the digest auth middleware configuration. + This middleware restricts access to your services to known users. 
+ More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/digestauth/' + properties: + headerField: + description: 'HeaderField defines a header field to store the + authenticated user. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/basicauth/#headerfield' + type: string + realm: + description: 'Realm allows the protected resources on a server + to be partitioned into a set of protection spaces, each with + its own authentication scheme. Default: traefik.' + type: string + removeHeader: + description: RemoveHeader defines whether to remove the authorization + header before forwarding the request to the backend. + type: boolean + secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. + type: string + type: object + errors: + description: 'ErrorPage holds the custom error middleware configuration. + This middleware returns a custom page in lieu of the default, according + to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/errorpages/' + properties: + query: + description: Query defines the URL for the error page (hosted + by service). The {status} variable can be used in order to insert + the status code in the URL. + type: string + service: + description: 'Service defines the reference to a Kubernetes Service + that will serve the error page. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/errorpages/#service' + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between the + two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. 
+ type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if + the only child is the Kubernetes Service clusterIP. The + Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in milliseconds, + in between flushes to the client while copying the response + body. A negative value means to flush immediately after + each write to the client. This configuration is ignored + when ReverseProxy recognizes a response as a streaming + response; for such responses, writes are flushed to + the client immediately. Default: 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport between + Traefik and your servers. Can only be used on a Kubernetes + Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. 
+ More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can + be accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported value + at the moment. + type: string + weight: + description: Weight defines the weight and should only be + specified when Name references a TraefikService object (and + to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + status: + description: Status defines which status or range of statuses + should result in an error page. It can be either a status code + as a number (500), as multiple comma-separated numbers (500,502), + as ranges by separating two codes with a dash (500-599), or + a combination of the two (404,418,500-599). + items: + type: string + type: array + type: object + forwardAuth: + description: 'ForwardAuth holds the forward auth middleware configuration. + This middleware delegates the request authentication to a Service. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/forwardauth/' + properties: + address: + description: Address defines the authentication server address. 
+ type: string + authRequestHeaders: + description: AuthRequestHeaders defines the list of the headers + to copy from the request to the authentication server. If not + set or empty then all request headers are passed. + items: + type: string + type: array + authResponseHeaders: + description: AuthResponseHeaders defines the list of headers to + copy from the authentication server response and set on forwarded + request, replacing any existing conflicting headers. + items: + type: string + type: array + authResponseHeadersRegex: + description: 'AuthResponseHeadersRegex defines the regex to match + headers to copy from the authentication server response and + set on forwarded request, after stripping all headers that match + the regex. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/forwardauth/#authresponseheadersregex' + type: string + tls: + description: TLS defines the configuration used to secure the + connection to the authentication server. + properties: + caOptional: + type: boolean + caSecret: + description: CASecret is the name of the referenced Kubernetes + Secret containing the CA to validate the server certificate. + The CA certificate is extracted from key `tls.ca` or `ca.crt`. + type: string + certSecret: + description: CertSecret is the name of the referenced Kubernetes + Secret containing the client certificate. The client certificate + is extracted from the keys `tls.crt` and `tls.key`. + type: string + insecureSkipVerify: + description: InsecureSkipVerify defines whether the server + certificates should be validated. + type: boolean + type: object + trustForwardHeader: + description: 'TrustForwardHeader defines whether to trust (ie: + forward) all X-Forwarded-* headers.' + type: boolean + type: object + headers: + description: 'Headers holds the headers middleware configuration. + This middleware manages the requests and responses headers. 
More + info: https://doc.traefik.io/traefik/v2.10/middlewares/http/headers/#customrequestheaders' + properties: + accessControlAllowCredentials: + description: AccessControlAllowCredentials defines whether the + request can include user credentials. + type: boolean + accessControlAllowHeaders: + description: AccessControlAllowHeaders defines the Access-Control-Request-Headers + values sent in preflight response. + items: + type: string + type: array + accessControlAllowMethods: + description: AccessControlAllowMethods defines the Access-Control-Request-Method + values sent in preflight response. + items: + type: string + type: array + accessControlAllowOriginList: + description: AccessControlAllowOriginList is a list of allowable + origins. Can also be a wildcard origin "*". + items: + type: string + type: array + accessControlAllowOriginListRegex: + description: AccessControlAllowOriginListRegex is a list of allowable + origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/). + items: + type: string + type: array + accessControlExposeHeaders: + description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers + values sent in preflight response. + items: + type: string + type: array + accessControlMaxAge: + description: AccessControlMaxAge defines the time that a preflight + request may be cached. + format: int64 + type: integer + addVaryHeader: + description: AddVaryHeader defines whether the Vary header is + automatically added/updated when the AccessControlAllowOriginList + is set. + type: boolean + allowedHosts: + description: AllowedHosts defines the fully qualified list of + allowed domain names. + items: + type: string + type: array + browserXssFilter: + description: BrowserXSSFilter defines whether to add the X-XSS-Protection + header with the value 1; mode=block. + type: boolean + contentSecurityPolicy: + description: ContentSecurityPolicy defines the Content-Security-Policy + header value. 
+ type: string + contentTypeNosniff: + description: ContentTypeNosniff defines whether to add the X-Content-Type-Options + header with the nosniff value. + type: boolean + customBrowserXSSValue: + description: CustomBrowserXSSValue defines the X-XSS-Protection + header value. This overrides the BrowserXssFilter option. + type: string + customFrameOptionsValue: + description: CustomFrameOptionsValue defines the X-Frame-Options + header value. This overrides the FrameDeny option. + type: string + customRequestHeaders: + additionalProperties: + type: string + description: CustomRequestHeaders defines the header names and + values to apply to the request. + type: object + customResponseHeaders: + additionalProperties: + type: string + description: CustomResponseHeaders defines the header names and + values to apply to the response. + type: object + featurePolicy: + description: 'Deprecated: use PermissionsPolicy instead.' + type: string + forceSTSHeader: + description: ForceSTSHeader defines whether to add the STS header + even when the connection is HTTP. + type: boolean + frameDeny: + description: FrameDeny defines whether to add the X-Frame-Options + header with the DENY value. + type: boolean + hostsProxyHeaders: + description: HostsProxyHeaders defines the header keys that may + hold a proxied hostname value for the request. + items: + type: string + type: array + isDevelopment: + description: IsDevelopment defines whether to mitigate the unwanted + effects of the AllowedHosts, SSL, and STS options when developing. + Usually testing takes place using HTTP, not HTTPS, and on localhost, + not your production domain. If you would like your development + environment to mimic production with complete Host blocking, + SSL redirects, and STS headers, leave this as false. + type: boolean + permissionsPolicy: + description: PermissionsPolicy defines the Permissions-Policy + header value. This allows sites to control browser features. 
+ type: string + publicKey: + description: PublicKey is the public key that implements HPKP + to prevent MITM attacks with forged certificates. + type: string + referrerPolicy: + description: ReferrerPolicy defines the Referrer-Policy header + value. This allows sites to control whether browsers forward + the Referer header to other sites. + type: string + sslForceHost: + description: 'Deprecated: use RedirectRegex instead.' + type: boolean + sslHost: + description: 'Deprecated: use RedirectRegex instead.' + type: string + sslProxyHeaders: + additionalProperties: + type: string + description: 'SSLProxyHeaders defines the header keys with associated + values that would indicate a valid HTTPS request. It can be + useful when using other proxies (example: "X-Forwarded-Proto": + "https").' + type: object + sslRedirect: + description: 'Deprecated: use EntryPoint redirection or RedirectScheme + instead.' + type: boolean + sslTemporaryRedirect: + description: 'Deprecated: use EntryPoint redirection or RedirectScheme + instead.' + type: boolean + stsIncludeSubdomains: + description: STSIncludeSubdomains defines whether the includeSubDomains + directive is appended to the Strict-Transport-Security header. + type: boolean + stsPreload: + description: STSPreload defines whether the preload flag is appended + to the Strict-Transport-Security header. + type: boolean + stsSeconds: + description: STSSeconds defines the max-age of the Strict-Transport-Security + header. If set to 0, the header is not set. + format: int64 + type: integer + type: object + inFlightReq: + description: 'InFlightReq holds the in-flight request middleware configuration. + This middleware limits the number of requests being processed and + served concurrently. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/inflightreq/' + properties: + amount: + description: Amount defines the maximum amount of allowed simultaneous + in-flight request. 
The middleware responds with HTTP 429 Too + Many Requests if there are already amount requests in progress + (based on the same sourceCriterion strategy). + format: int64 + type: integer + sourceCriterion: + description: 'SourceCriterion defines what criterion is used to + group requests as originating from a common source. If several + strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the requestHost. More + info: https://doc.traefik.io/traefik/v2.10/middlewares/http/inflightreq/#sourcecriterion' + properties: + ipStrategy: + description: 'IPStrategy holds the IP strategy configuration + used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy' + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. + items: + type: string + type: array + type: object + requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. + type: string + requestHost: + description: RequestHost defines whether to consider the request + Host as the source. + type: boolean + type: object + type: object + ipWhiteList: + description: 'IPWhiteList holds the IP whitelist middleware configuration. + This middleware accepts / refuses requests based on the client IP. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/' + properties: + ipStrategy: + description: 'IPStrategy holds the IP strategy configuration used + by Traefik to determine the client IP. 
More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy' + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position (starting + from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the X-Forwarded-For + header and select the first IP not in the list. + items: + type: string + type: array + type: object + sourceRange: + description: SourceRange defines the set of allowed IPs (or ranges + of allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + passTLSClientCert: + description: 'PassTLSClientCert holds the pass TLS client cert middleware + configuration. This middleware adds the selected data from the passed + client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/passtlsclientcert/' + properties: + info: + description: Info selects the specific client certificate details + you want to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + issuer: + description: Issuer defines the client certificate issuer + details to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + commonName: + description: CommonName defines whether to add the organizationalUnit + information into the issuer. + type: boolean + country: + description: Country defines whether to add the country + information into the issuer. + type: boolean + domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the issuer. + type: boolean + locality: + description: Locality defines whether to add the locality + information into the issuer. + type: boolean + organization: + description: Organization defines whether to add the organization + information into the issuer. + type: boolean + province: + description: Province defines whether to add the province + information into the issuer. 
+ type: boolean + serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the issuer. + type: boolean + type: object + notAfter: + description: NotAfter defines whether to add the Not After + information from the Validity part. + type: boolean + notBefore: + description: NotBefore defines whether to add the Not Before + information from the Validity part. + type: boolean + sans: + description: Sans defines whether to add the Subject Alternative + Name information from the Subject Alternative Name part. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the client + serialNumber information. + type: boolean + subject: + description: Subject defines the client certificate subject + details to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + commonName: + description: CommonName defines whether to add the organizationalUnit + information into the subject. + type: boolean + country: + description: Country defines whether to add the country + information into the subject. + type: boolean + domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the subject. + type: boolean + locality: + description: Locality defines whether to add the locality + information into the subject. + type: boolean + organization: + description: Organization defines whether to add the organization + information into the subject. + type: boolean + organizationalUnit: + description: OrganizationalUnit defines whether to add + the organizationalUnit information into the subject. + type: boolean + province: + description: Province defines whether to add the province + information into the subject. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the subject. 
+ type: boolean + type: object + type: object + pem: + description: PEM sets the X-Forwarded-Tls-Client-Cert header with + the certificate. + type: boolean + type: object + plugin: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: 'Plugin defines the middleware plugin configuration. + More info: https://doc.traefik.io/traefik/plugins/' + type: object + rateLimit: + description: 'RateLimit holds the rate limit configuration. This middleware + ensures that services will receive a fair amount of requests, and + allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ratelimit/' + properties: + average: + description: Average is the maximum rate, by default in requests/s, + allowed for the given source. It defaults to 0, which means + no rate limiting. The rate is actually defined by dividing Average + by Period. So for a rate below 1req/s, one needs to define a + Period larger than a second. + format: int64 + type: integer + burst: + description: Burst is the maximum number of requests allowed to + arrive in the same arbitrarily small period of time. It defaults + to 1. + format: int64 + type: integer + period: + anyOf: + - type: integer + - type: string + description: 'Period, in combination with Average, defines the + actual maximum rate, such as: r = Average / Period. It defaults + to a second.' + x-kubernetes-int-or-string: true + sourceCriterion: + description: SourceCriterion defines what criterion is used to + group requests as originating from a common source. If several + strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the request's remote + address field (as an ipStrategy). + properties: + ipStrategy: + description: 'IPStrategy holds the IP strategy configuration + used by Traefik to determine the client IP. 
More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy' + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. + items: + type: string + type: array + type: object + requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. + type: string + requestHost: + description: RequestHost defines whether to consider the request + Host as the source. + type: boolean + type: object + type: object + redirectRegex: + description: 'RedirectRegex holds the redirect regex middleware configuration. + This middleware redirects a request using regex matching and replacement. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/redirectregex/#regex' + properties: + permanent: + description: Permanent defines whether the redirection is permanent + (301). + type: boolean + regex: + description: Regex defines the regex used to match and capture + elements from the request URL. + type: string + replacement: + description: Replacement defines how to modify the URL to have + the new target URL. + type: string + type: object + redirectScheme: + description: 'RedirectScheme holds the redirect scheme middleware + configuration. This middleware redirects requests from a scheme/port + to another. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/redirectscheme/' + properties: + permanent: + description: Permanent defines whether the redirection is permanent + (301). + type: boolean + port: + description: Port defines the port of the new URL. + type: string + scheme: + description: Scheme defines the scheme of the new URL. 
+ type: string + type: object + replacePath: + description: 'ReplacePath holds the replace path middleware configuration. + This middleware replaces the path of the request URL and store the + original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/replacepath/' + properties: + path: + description: Path defines the path to use as replacement in the + request URL. + type: string + type: object + replacePathRegex: + description: 'ReplacePathRegex holds the replace path regex middleware + configuration. This middleware replaces the path of a URL using + regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/replacepathregex/' + properties: + regex: + description: Regex defines the regular expression used to match + and capture the path from the request URL. + type: string + replacement: + description: Replacement defines the replacement path format, + which can include captured variables. + type: string + type: object + retry: + description: 'Retry holds the retry middleware configuration. This + middleware reissues requests a given number of times to a backend + server if that server does not reply. As soon as the server answers, + the middleware stops retrying, regardless of the response status. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/retry/' + properties: + attempts: + description: Attempts defines how many times the request should + be retried. + type: integer + initialInterval: + anyOf: + - type: integer + - type: string + description: InitialInterval defines the first wait time in the + exponential backoff series. The maximum interval is calculated + as twice the initialInterval. If unspecified, requests will + be retried immediately. The value of initialInterval should + be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration. 
+ x-kubernetes-int-or-string: true + type: object + stripPrefix: + description: 'StripPrefix holds the strip prefix middleware configuration. + This middleware removes the specified prefixes from the URL path. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/stripprefix/' + properties: + forceSlash: + description: 'ForceSlash ensures that the resulting stripped path + is not the empty string, by replacing it with / when necessary. + Default: true.' + type: boolean + prefixes: + description: Prefixes defines the prefixes to strip from the request + URL. + items: + type: string + type: array + type: object + stripPrefixRegex: + description: 'StripPrefixRegex holds the strip prefix regex middleware + configuration. This middleware removes the matching prefixes from + the URL path. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/stripprefixregex/' + properties: + regex: + description: Regex defines the regular expression to match the + path prefix from the request URL. + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.containo.us_middlewaretcps.yaml b/enterprise/traefik/24.0.0/crds/traefik.containo.us_middlewaretcps.yaml new file mode 100644 index 00000000000..85302fa823d --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.containo.us_middlewaretcps.yaml 
@@ -0,0 +1,72 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: middlewaretcps.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: MiddlewareTCP + listKind: MiddlewareTCPList + plural: middlewaretcps + singular: middlewaretcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/overview/' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP. + properties: + inFlightConn: + description: InFlightConn defines the InFlightConn middleware configuration. + properties: + amount: + description: Amount defines the maximum amount of allowed simultaneous + connections. The middleware closes the connection if there are + already amount connections opened. + format: int64 + type: integer + type: object + ipWhiteList: + description: IPWhiteList defines the IPWhiteList middleware configuration. 
+ properties: + sourceRange: + description: SourceRange defines the allowed IPs (or ranges of + allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.containo.us_serverstransports.yaml b/enterprise/traefik/24.0.0/crds/traefik.containo.us_serverstransports.yaml new file mode 100644 index 00000000000..d6fc3a92dba --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.containo.us_serverstransports.yaml 
@@ -0,0 +1,128 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: serverstransports.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: ServersTransport + listKind: ServersTransportList + plural: serverstransports + singular: serverstransport + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'ServersTransport is the CRD implementation of a ServersTransport. + If no serversTransport is specified, the default@internal will be used. + The default@internal serversTransport is created from the static configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/services/#serverstransport_1' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServersTransportSpec defines the desired state of a ServersTransport. + properties: + certificatesSecrets: + description: CertificatesSecrets defines a list of secret storing + client certificates for mTLS. + items: + type: string + type: array + disableHTTP2: + description: DisableHTTP2 disables HTTP/2 for connections with backend + servers. 
+ type: boolean + forwardingTimeouts: + description: ForwardingTimeouts defines the timeouts for requests + forwarded to the backend servers. + properties: + dialTimeout: + anyOf: + - type: integer + - type: string + description: DialTimeout is the amount of time to wait until a + connection to a backend server can be established. + x-kubernetes-int-or-string: true + idleConnTimeout: + anyOf: + - type: integer + - type: string + description: IdleConnTimeout is the maximum period for which an + idle HTTP keep-alive connection will remain open before closing + itself. + x-kubernetes-int-or-string: true + pingTimeout: + anyOf: + - type: integer + - type: string + description: PingTimeout is the timeout after which the HTTP/2 + connection will be closed if a response to ping is not received. + x-kubernetes-int-or-string: true + readIdleTimeout: + anyOf: + - type: integer + - type: string + description: ReadIdleTimeout is the timeout after which a health + check using ping frame will be carried out if no frame is received + on the HTTP/2 connection. + x-kubernetes-int-or-string: true + responseHeaderTimeout: + anyOf: + - type: integer + - type: string + description: ResponseHeaderTimeout is the amount of time to wait + for a server's response headers after fully writing the request + (including its body, if any). + x-kubernetes-int-or-string: true + type: object + insecureSkipVerify: + description: InsecureSkipVerify disables SSL certificate verification. + type: boolean + maxIdleConnsPerHost: + description: MaxIdleConnsPerHost controls the maximum idle (keep-alive) + to keep per-host. + type: integer + peerCertURI: + description: PeerCertURI defines the peer cert URI used to match against + SAN URI during the peer certificate verification. + type: string + rootCAsSecrets: + description: RootCAsSecrets defines a list of CA secret used to validate + self-signed certificate. 
+ items: + type: string + type: array + serverName: + description: ServerName defines the server name used to contact the + server. + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.containo.us_tlsoptions.yaml b/enterprise/traefik/24.0.0/crds/traefik.containo.us_tlsoptions.yaml new file mode 100644 index 00000000000..73667667a3a --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.containo.us_tlsoptions.yaml 
@@ -0,0 +1,113 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: tlsoptions.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: TLSOption + listKind: TLSOptionList + plural: tlsoptions + singular: tlsoption + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'TLSOption is the CRD implementation of a Traefik TLS Option, + allowing to configure some parameters of the TLS connection. More info: + https://doc.traefik.io/traefik/v2.10/https/tls/#tls-options' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSOptionSpec defines the desired state of a TLSOption. + properties: + alpnProtocols: + description: 'ALPNProtocols defines the list of supported application + level protocols for the TLS handshake, in order of preference. More + info: https://doc.traefik.io/traefik/v2.10/https/tls/#alpn-protocols' + items: + type: string + type: array + cipherSuites: + description: 'CipherSuites defines the list of supported cipher suites + for TLS versions up to TLS 1.2. 
More info: https://doc.traefik.io/traefik/v2.10/https/tls/#cipher-suites' + items: + type: string + type: array + clientAuth: + description: ClientAuth defines the server's policy for TLS Client + Authentication. + properties: + clientAuthType: + description: ClientAuthType defines the client authentication + type to apply. + enum: + - NoClientCert + - RequestClientCert + - RequireAnyClientCert + - VerifyClientCertIfGiven + - RequireAndVerifyClientCert + type: string + secretNames: + description: SecretNames defines the names of the referenced Kubernetes + Secret storing certificate details. + items: + type: string + type: array + type: object + curvePreferences: + description: 'CurvePreferences defines the preferred elliptic curves + in a specific order. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#curve-preferences' + items: + type: string + type: array + maxVersion: + description: 'MaxVersion defines the maximum TLS version that Traefik + will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, + VersionTLS13. Default: None.' + type: string + minVersion: + description: 'MinVersion defines the minimum TLS version that Traefik + will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, + VersionTLS13. Default: VersionTLS10.' + type: string + preferServerCipherSuites: + description: 'PreferServerCipherSuites defines whether the server + chooses a cipher suite among his own instead of among the client''s. + It is enabled automatically when minVersion or maxVersion is set. + Deprecated: https://github.com/golang/go/issues/45430' + type: boolean + sniStrict: + description: SniStrict defines whether Traefik allows connections + from clients connections that do not specify a server_name extension. + type: boolean + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/enterprise/traefik/24.0.0/crds/traefik.containo.us_tlsstores.yaml b/enterprise/traefik/24.0.0/crds/traefik.containo.us_tlsstores.yaml
new file mode 100644
index 00000000000..12f0ad37d86
--- /dev/null
+++ b/enterprise/traefik/24.0.0/crds/traefik.containo.us_tlsstores.yaml
@@ -0,0 +1,99 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: tlsstores.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: TLSStore + listKind: TLSStoreList + plural: tlsstores + singular: tlsstore + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For + the time being, only the TLSStore named default is supported. This means + that you cannot have two stores that are named default in different Kubernetes + namespaces. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#certificates-stores' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSStoreSpec defines the desired state of a TLSStore. + properties: + certificates: + description: Certificates is a list of secret names, each secret holding + a key/certificate pair to add to the store. + items: + description: Certificate holds a secret name for the TLSStore resource. + properties: + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. 
+ type: string + required: + - secretName + type: object + type: array + defaultCertificate: + description: DefaultCertificate defines the default certificate configuration. + properties: + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + required: + - secretName + type: object + defaultGeneratedCert: + description: DefaultGeneratedCert defines the default generated certificate + configuration. + properties: + domain: + description: Domain is the domain definition for the DefaultCertificate. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain names. + items: + type: string + type: array + type: object + resolver: + description: Resolver is the name of the resolver that will be + used to issue the DefaultCertificate. + type: string + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.containo.us_traefikservices.yaml b/enterprise/traefik/24.0.0/crds/traefik.containo.us_traefikservices.yaml new file mode 100644 index 00000000000..0dcf470034f --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.containo.us_traefikservices.yaml 
@@ -0,0 +1,402 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: traefikservices.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: TraefikService + listKind: TraefikServiceList + plural: traefikservices + singular: traefikservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'TraefikService is the CRD implementation of a Traefik Service. + TraefikService object allows to: - Apply weight to Services on load-balancing + - Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-traefikservice' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TraefikServiceSpec defines the desired state of a TraefikService. + properties: + mirroring: + description: Mirroring defines the Mirroring service configuration. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + maxBodySize: + description: MaxBodySize defines the maximum size allowed for + the body of the request. If the body is larger, the request + is not mirrored. 
Default value is -1, which means unlimited + size. + format: int64 + type: integer + mirrors: + description: Mirrors defines the list of mirrors where Traefik + will duplicate the traffic. + items: + description: MirrorService holds the mirror configuration. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or + if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the + pods. By default, NativeLB is false. + type: boolean + passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + percent: + description: 'Percent defines the part of the traffic to + mirror. Supported values: 0 to 100.' + type: integer + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in + milliseconds, in between flushes to the client while + copying the response body. A negative value means + to flush immediately after each write to the client. 
+ This configuration is ignored when ReverseProxy recognizes + a response as a streaming response; for such responses, + writes are flushed to the client immediately. Default: + 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. + type: string + weight: + description: Weight defines the weight and should only be + specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). 
+ type: integer + required: + - name + type: object + type: array + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between the two + is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the + only child is the Kubernetes Service clusterIP. The Kubernetes + Service itself does load-balance to the pods. By default, NativeLB + is false. + type: boolean + passHostHeader: + description: PassHostHeader defines whether the client Host header + is forwarded to the upstream Kubernetes Service. By default, + passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. This + can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards the + response from the upstream Kubernetes Service to the client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in milliseconds, + in between flushes to the client while copying the response + body. A negative value means to flush immediately after + each write to the client. This configuration is ignored + when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https when + Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. 
It allows to configure the transport between + Traefik and your servers. Can only be used on a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. More + info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy between + the servers. RoundRobin is the only supported value at the moment. + type: string + weight: + description: Weight defines the weight and should only be specified + when Name references a TraefikService object (and to be precise, + one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + weighted: + description: Weighted defines the Weighted Round Robin configuration. + properties: + services: + description: Services defines the list of Kubernetes Service and/or + TraefikService to load-balance, with weight. + items: + description: Service defines an upstream HTTP service to proxy + traffic to. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. 
+ type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or + if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the + pods. By default, NativeLB is false. + type: boolean + passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in + milliseconds, in between flushes to the client while + copying the response body. A negative value means + to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes + a response as a streaming response; for such responses, + writes are flushed to the client immediately. Default: + 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. 
+ More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. + type: string + weight: + description: Weight defines the weight and should only be + specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + sticky: + description: 'Sticky defines whether sticky sessions are enabled. + More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#stickiness-and-load-balancing' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. More + info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). 
+ type: boolean + type: object + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.io_ingressroutes.yaml b/enterprise/traefik/24.0.0/crds/traefik.io_ingressroutes.yaml new file mode 100644 index 00000000000..89aaee75952 --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.io_ingressroutes.yaml 
@@ -0,0 +1,275 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressroutes.traefik.io +spec: + group: traefik.io + names: + kind: IngressRoute + listKind: IngressRouteList + plural: ingressroutes + singular: ingressroute + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRoute is the CRD implementation of a Traefik HTTP Router. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteSpec defines the desired state of IngressRoute. + properties: + entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/entrypoints/ + Default: all.' + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: Route holds the HTTP route configuration. + properties: + kind: + description: Kind defines the kind of the route. Rule is the + only supported kind. + enum: + - Rule + type: string + match: + description: 'Match defines the router''s rule. 
More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#rule' + type: string + middlewares: + description: 'Middlewares defines the list of references to + Middleware resources. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-middleware' + items: + description: MiddlewareRef is a reference to a Middleware + resource. + properties: + name: + description: Name defines the name of the referenced Middleware + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. + type: string + required: + - name + type: object + type: array + priority: + description: 'Priority defines the router''s priority. More + info: https://doc.traefik.io/traefik/v2.10/routing/routers/#priority' + type: integer + services: + description: Services defines the list of Service. It can contain + any combination of TraefikService and/or reference to a Kubernetes + Service. + items: + description: Service defines an upstream HTTP service to proxy + traffic to. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs + or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the + pods. By default, NativeLB is false. + type: boolean + passHostHeader: + description: PassHostHeader defines whether the client + Host header is forwarded to the upstream Kubernetes + Service. By default, passHostHeader is true. 
+ type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to + the client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, + in milliseconds, in between flushes to the client + while copying the response body. A negative value + means to flush immediately after each write to the + client. This configuration is ignored when ReverseProxy + recognizes a response as a streaming response; for + such responses, writes are flushed to the client + immediately. Default: 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the + request to the upstream Kubernetes Service. It defaults + to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as + JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. 
+ More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie + can only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. + type: string + weight: + description: Weight defines the weight and should only + be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round + Robin). + type: integer + required: + - name + type: object + type: array + required: + - kind + - match + type: object + type: array + tls: + description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#tls' + properties: + certResolver: + description: 'CertResolver defines the name of the certificate + resolver to use. Cert resolvers have to be configured in the + static configuration. More info: https://doc.traefik.io/traefik/v2.10/https/acme/#certificate-resolvers' + type: string + domains: + description: 'Domains defines the list of domains that will be + used to issue certificates. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#domains' + items: + description: Domain holds a domain name with SANs. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain + names. + items: + type: string + type: array + type: object + type: array + options: + description: 'Options defines the reference to a TLSOption, that + specifies the parameters of the TLS connection. If not defined, + the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#tls-options' + properties: + name: + description: 'Name defines the name of the referenced TLSOption. 
+ More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsoption' + type: string + namespace: + description: 'Namespace defines the namespace of the referenced + TLSOption. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsoption' + type: string + required: + - name + type: object + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: Store defines the reference to the TLSStore, that + will be used to store certificates. Please note that only `default` + TLSStore can be used. + properties: + name: + description: 'Name defines the name of the referenced TLSStore. + More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsstore' + type: string + namespace: + description: 'Namespace defines the namespace of the referenced + TLSStore. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsstore' + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.io_ingressroutetcps.yaml b/enterprise/traefik/24.0.0/crds/traefik.io_ingressroutetcps.yaml new file mode 100644 index 00000000000..82f61ac24f1 --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.io_ingressroutetcps.yaml 
@@ -0,0 +1,218 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressroutetcps.traefik.io +spec: + group: traefik.io + names: + kind: IngressRouteTCP + listKind: IngressRouteTCPList + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP. + properties: + entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/entrypoints/ + Default: all.' + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: RouteTCP holds the TCP route configuration. + properties: + match: + description: 'Match defines the router''s rule. 
More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#rule_1' + type: string + middlewares: + description: Middlewares defines the list of references to MiddlewareTCP + resources. + items: + description: ObjectReference is a generic reference to a Traefik + resource. + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + type: array + priority: + description: 'Priority defines the router''s priority. More + info: https://doc.traefik.io/traefik/v2.10/routing/routers/#priority_1' + type: integer + services: + description: Services defines the list of TCP services. + items: + description: ServiceTCP defines an upstream TCP service to + proxy traffic to. + properties: + name: + description: Name defines the name of the referenced Kubernetes + Service. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs + or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the + pods. By default, NativeLB is false. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + proxyProtocol: + description: 'ProxyProtocol defines the PROXY protocol + configuration. More info: https://doc.traefik.io/traefik/v2.10/routing/services/#proxy-protocol' + properties: + version: + description: Version defines the PROXY Protocol version + to use. 
+ type: integer + type: object + terminationDelay: + description: TerminationDelay defines the deadline that + the proxy sets, after one of its connected peers indicates + it has closed the writing capability of its connection, + to close the reading capability as well, hence fully + terminating the connection. It is a duration in milliseconds, + defaulting to 100. A negative value means an infinite + deadline (i.e. the reading capability is never closed). + type: integer + weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. + type: integer + required: + - name + - port + type: object + type: array + required: + - match + type: object + type: array + tls: + description: 'TLS defines the TLS configuration on a layer 4 / TCP + Route. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#tls_1' + properties: + certResolver: + description: 'CertResolver defines the name of the certificate + resolver to use. Cert resolvers have to be configured in the + static configuration. More info: https://doc.traefik.io/traefik/v2.10/https/acme/#certificate-resolvers' + type: string + domains: + description: 'Domains defines the list of domains that will be + used to issue certificates. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#domains' + items: + description: Domain holds a domain name with SANs. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain + names. + items: + type: string + type: array + type: object + type: array + options: + description: 'Options defines the reference to a TLSOption, that + specifies the parameters of the TLS connection. If not defined, + the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#tls-options' + properties: + name: + description: Name defines the name of the referenced Traefik + resource. 
+ type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + passthrough: + description: Passthrough defines whether a TLS router will terminate + the TLS connection. + type: boolean + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: Store defines the reference to the TLSStore, that + will be used to store certificates. Please note that only `default` + TLSStore can be used. + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.io_ingressrouteudps.yaml b/enterprise/traefik/24.0.0/crds/traefik.io_ingressrouteudps.yaml new file mode 100644 index 00000000000..27c50185d08 --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.io_ingressrouteudps.yaml 
@@ -0,0 +1,105 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressrouteudps.traefik.io +spec: + group: traefik.io + names: + kind: IngressRouteUDP + listKind: IngressRouteUDPList + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP. + properties: + entryPoints: + description: 'EntryPoints defines the list of entry point names to + bind to. Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/entrypoints/ + Default: all.' + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: RouteUDP holds the UDP route configuration. + properties: + services: + description: Services defines the list of UDP services. + items: + description: ServiceUDP defines an upstream UDP service to + proxy traffic to. 
+ properties: + name: + description: Name defines the name of the referenced Kubernetes + Service. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs + or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the + pods. By default, NativeLB is false. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. + type: integer + required: + - name + - port + type: object + type: array + type: object + type: array + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.io_middlewares.yaml b/enterprise/traefik/24.0.0/crds/traefik.io_middlewares.yaml new file mode 100644 index 00000000000..5a4dc3640fa --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.io_middlewares.yaml 
@@ -0,0 +1,924 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: middlewares.traefik.io +spec: + group: traefik.io + names: + kind: Middleware + listKind: MiddlewareList + plural: middlewares + singular: middleware + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'Middleware is the CRD implementation of a Traefik Middleware. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/overview/' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MiddlewareSpec defines the desired state of a Middleware. + properties: + addPrefix: + description: 'AddPrefix holds the add prefix middleware configuration. + This middleware updates the path of a request before forwarding + it. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/addprefix/' + properties: + prefix: + description: Prefix is the string to add before the current path + in the requested URL. It should include a leading slash (/). + type: string + type: object + basicAuth: + description: 'BasicAuth holds the basic auth middleware configuration. + This middleware restricts access to your services to known users. 
+ More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/basicauth/' + properties: + headerField: + description: 'HeaderField defines a header field to store the + authenticated user. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/basicauth/#headerfield' + type: string + realm: + description: 'Realm allows the protected resources on a server + to be partitioned into a set of protection spaces, each with + its own authentication scheme. Default: traefik.' + type: string + removeHeader: + description: 'RemoveHeader sets the removeHeader option to true + to remove the authorization header before forwarding the request + to your service. Default: false.' + type: boolean + secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. + type: string + type: object + buffering: + description: 'Buffering holds the buffering middleware configuration. + This middleware retries or limits the size of requests that can + be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/buffering/#maxrequestbodybytes' + properties: + maxRequestBodyBytes: + description: 'MaxRequestBodyBytes defines the maximum allowed + body size for the request (in bytes). If the request exceeds + the allowed size, it is not forwarded to the service, and the + client gets a 413 (Request Entity Too Large) response. Default: + 0 (no maximum).' + format: int64 + type: integer + maxResponseBodyBytes: + description: 'MaxResponseBodyBytes defines the maximum allowed + response size from the service (in bytes). If the response exceeds + the allowed size, it is not forwarded to the client. The client + gets a 500 (Internal Server Error) response instead. Default: + 0 (no maximum).' + format: int64 + type: integer + memRequestBodyBytes: + description: 'MemRequestBodyBytes defines the threshold (in bytes) + from which the request will be buffered on disk instead of in + memory. Default: 1048576 (1Mi).' 
+ format: int64 + type: integer + memResponseBodyBytes: + description: 'MemResponseBodyBytes defines the threshold (in bytes) + from which the response will be buffered on disk instead of + in memory. Default: 1048576 (1Mi).' + format: int64 + type: integer + retryExpression: + description: 'RetryExpression defines the retry conditions. It + is a logical combination of functions with operators AND (&&) + and OR (||). More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/buffering/#retryexpression' + type: string + type: object + chain: + description: 'Chain holds the configuration of the chain middleware. + This middleware enables to define reusable combinations of other + pieces of middleware. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/chain/' + properties: + middlewares: + description: Middlewares is the list of MiddlewareRef which composes + the chain. + items: + description: MiddlewareRef is a reference to a Middleware resource. + properties: + name: + description: Name defines the name of the referenced Middleware + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. + type: string + required: + - name + type: object + type: array + type: object + circuitBreaker: + description: CircuitBreaker holds the circuit breaker configuration. + properties: + checkPeriod: + anyOf: + - type: integer + - type: string + description: CheckPeriod is the interval between successive checks + of the circuit breaker condition (when in standby state). + x-kubernetes-int-or-string: true + expression: + description: Expression is the condition that triggers the tripped + state. + type: string + fallbackDuration: + anyOf: + - type: integer + - type: string + description: FallbackDuration is the duration for which the circuit + breaker will wait before trying to recover (from a tripped state). 
+ x-kubernetes-int-or-string: true + recoveryDuration: + anyOf: + - type: integer + - type: string + description: RecoveryDuration is the duration for which the circuit + breaker will try to recover (as soon as it is in recovering + state). + x-kubernetes-int-or-string: true + type: object + compress: + description: 'Compress holds the compress middleware configuration. + This middleware compresses responses before sending them to the + client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/compress/' + properties: + excludedContentTypes: + description: ExcludedContentTypes defines the list of content + types to compare the Content-Type header of the incoming requests + and responses before compressing. + items: + type: string + type: array + minResponseBodyBytes: + description: 'MinResponseBodyBytes defines the minimum amount + of bytes a response body must have to be compressed. Default: + 1024.' + type: integer + type: object + contentType: + description: ContentType holds the content-type middleware configuration. + This middleware exists to enable the correct behavior until at least + the default one can be changed in a future version. + properties: + autoDetect: + description: AutoDetect specifies whether to let the `Content-Type` + header, if it has not been set by the backend, be automatically + set to a value derived from the contents of the response. As + a proxy, the default behavior should be to leave the header + alone, regardless of what the backend did with it. However, + the historic default was to always auto-detect and set the header + if it was nil, and it is going to be kept that way in order + to support users currently relying on it. + type: boolean + type: object + digestAuth: + description: 'DigestAuth holds the digest auth middleware configuration. + This middleware restricts access to your services to known users. 
+ More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/digestauth/' + properties: + headerField: + description: 'HeaderField defines a header field to store the + authenticated user. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/basicauth/#headerfield' + type: string + realm: + description: 'Realm allows the protected resources on a server + to be partitioned into a set of protection spaces, each with + its own authentication scheme. Default: traefik.' + type: string + removeHeader: + description: RemoveHeader defines whether to remove the authorization + header before forwarding the request to the backend. + type: boolean + secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. + type: string + type: object + errors: + description: 'ErrorPage holds the custom error middleware configuration. + This middleware returns a custom page in lieu of the default, according + to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/errorpages/' + properties: + query: + description: Query defines the URL for the error page (hosted + by service). The {status} variable can be used in order to insert + the status code in the URL. + type: string + service: + description: 'Service defines the reference to a Kubernetes Service + that will serve the error page. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/errorpages/#service' + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between the + two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. 
+ type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if + the only child is the Kubernetes Service clusterIP. The + Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in milliseconds, + in between flushes to the client while copying the response + body. A negative value means to flush immediately after + each write to the client. This configuration is ignored + when ReverseProxy recognizes a response as a streaming + response; for such responses, writes are flushed to + the client immediately. Default: 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport between + Traefik and your servers. Can only be used on a Kubernetes + Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. 
+ More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can + be accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported value + at the moment. + type: string + weight: + description: Weight defines the weight and should only be + specified when Name references a TraefikService object (and + to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + status: + description: Status defines which status or range of statuses + should result in an error page. It can be either a status code + as a number (500), as multiple comma-separated numbers (500,502), + as ranges by separating two codes with a dash (500-599), or + a combination of the two (404,418,500-599). + items: + type: string + type: array + type: object + forwardAuth: + description: 'ForwardAuth holds the forward auth middleware configuration. + This middleware delegates the request authentication to a Service. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/forwardauth/' + properties: + address: + description: Address defines the authentication server address. 
+ type: string + authRequestHeaders: + description: AuthRequestHeaders defines the list of the headers + to copy from the request to the authentication server. If not + set or empty then all request headers are passed. + items: + type: string + type: array + authResponseHeaders: + description: AuthResponseHeaders defines the list of headers to + copy from the authentication server response and set on forwarded + request, replacing any existing conflicting headers. + items: + type: string + type: array + authResponseHeadersRegex: + description: 'AuthResponseHeadersRegex defines the regex to match + headers to copy from the authentication server response and + set on forwarded request, after stripping all headers that match + the regex. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/forwardauth/#authresponseheadersregex' + type: string + tls: + description: TLS defines the configuration used to secure the + connection to the authentication server. + properties: + caOptional: + type: boolean + caSecret: + description: CASecret is the name of the referenced Kubernetes + Secret containing the CA to validate the server certificate. + The CA certificate is extracted from key `tls.ca` or `ca.crt`. + type: string + certSecret: + description: CertSecret is the name of the referenced Kubernetes + Secret containing the client certificate. The client certificate + is extracted from the keys `tls.crt` and `tls.key`. + type: string + insecureSkipVerify: + description: InsecureSkipVerify defines whether the server + certificates should be validated. + type: boolean + type: object + trustForwardHeader: + description: 'TrustForwardHeader defines whether to trust (ie: + forward) all X-Forwarded-* headers.' + type: boolean + type: object + headers: + description: 'Headers holds the headers middleware configuration. + This middleware manages the requests and responses headers. 
More + info: https://doc.traefik.io/traefik/v2.10/middlewares/http/headers/#customrequestheaders' + properties: + accessControlAllowCredentials: + description: AccessControlAllowCredentials defines whether the + request can include user credentials. + type: boolean + accessControlAllowHeaders: + description: AccessControlAllowHeaders defines the Access-Control-Request-Headers + values sent in preflight response. + items: + type: string + type: array + accessControlAllowMethods: + description: AccessControlAllowMethods defines the Access-Control-Request-Method + values sent in preflight response. + items: + type: string + type: array + accessControlAllowOriginList: + description: AccessControlAllowOriginList is a list of allowable + origins. Can also be a wildcard origin "*". + items: + type: string + type: array + accessControlAllowOriginListRegex: + description: AccessControlAllowOriginListRegex is a list of allowable + origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/). + items: + type: string + type: array + accessControlExposeHeaders: + description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers + values sent in preflight response. + items: + type: string + type: array + accessControlMaxAge: + description: AccessControlMaxAge defines the time that a preflight + request may be cached. + format: int64 + type: integer + addVaryHeader: + description: AddVaryHeader defines whether the Vary header is + automatically added/updated when the AccessControlAllowOriginList + is set. + type: boolean + allowedHosts: + description: AllowedHosts defines the fully qualified list of + allowed domain names. + items: + type: string + type: array + browserXssFilter: + description: BrowserXSSFilter defines whether to add the X-XSS-Protection + header with the value 1; mode=block. + type: boolean + contentSecurityPolicy: + description: ContentSecurityPolicy defines the Content-Security-Policy + header value. 
+ type: string + contentTypeNosniff: + description: ContentTypeNosniff defines whether to add the X-Content-Type-Options + header with the nosniff value. + type: boolean + customBrowserXSSValue: + description: CustomBrowserXSSValue defines the X-XSS-Protection + header value. This overrides the BrowserXssFilter option. + type: string + customFrameOptionsValue: + description: CustomFrameOptionsValue defines the X-Frame-Options + header value. This overrides the FrameDeny option. + type: string + customRequestHeaders: + additionalProperties: + type: string + description: CustomRequestHeaders defines the header names and + values to apply to the request. + type: object + customResponseHeaders: + additionalProperties: + type: string + description: CustomResponseHeaders defines the header names and + values to apply to the response. + type: object + featurePolicy: + description: 'Deprecated: use PermissionsPolicy instead.' + type: string + forceSTSHeader: + description: ForceSTSHeader defines whether to add the STS header + even when the connection is HTTP. + type: boolean + frameDeny: + description: FrameDeny defines whether to add the X-Frame-Options + header with the DENY value. + type: boolean + hostsProxyHeaders: + description: HostsProxyHeaders defines the header keys that may + hold a proxied hostname value for the request. + items: + type: string + type: array + isDevelopment: + description: IsDevelopment defines whether to mitigate the unwanted + effects of the AllowedHosts, SSL, and STS options when developing. + Usually testing takes place using HTTP, not HTTPS, and on localhost, + not your production domain. If you would like your development + environment to mimic production with complete Host blocking, + SSL redirects, and STS headers, leave this as false. + type: boolean + permissionsPolicy: + description: PermissionsPolicy defines the Permissions-Policy + header value. This allows sites to control browser features. 
+ type: string + publicKey: + description: PublicKey is the public key that implements HPKP + to prevent MITM attacks with forged certificates. + type: string + referrerPolicy: + description: ReferrerPolicy defines the Referrer-Policy header + value. This allows sites to control whether browsers forward + the Referer header to other sites. + type: string + sslForceHost: + description: 'Deprecated: use RedirectRegex instead.' + type: boolean + sslHost: + description: 'Deprecated: use RedirectRegex instead.' + type: string + sslProxyHeaders: + additionalProperties: + type: string + description: 'SSLProxyHeaders defines the header keys with associated + values that would indicate a valid HTTPS request. It can be + useful when using other proxies (example: "X-Forwarded-Proto": + "https").' + type: object + sslRedirect: + description: 'Deprecated: use EntryPoint redirection or RedirectScheme + instead.' + type: boolean + sslTemporaryRedirect: + description: 'Deprecated: use EntryPoint redirection or RedirectScheme + instead.' + type: boolean + stsIncludeSubdomains: + description: STSIncludeSubdomains defines whether the includeSubDomains + directive is appended to the Strict-Transport-Security header. + type: boolean + stsPreload: + description: STSPreload defines whether the preload flag is appended + to the Strict-Transport-Security header. + type: boolean + stsSeconds: + description: STSSeconds defines the max-age of the Strict-Transport-Security + header. If set to 0, the header is not set. + format: int64 + type: integer + type: object + inFlightReq: + description: 'InFlightReq holds the in-flight request middleware configuration. + This middleware limits the number of requests being processed and + served concurrently. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/inflightreq/' + properties: + amount: + description: Amount defines the maximum amount of allowed simultaneous + in-flight request. 
The middleware responds with HTTP 429 Too + Many Requests if there are already amount requests in progress + (based on the same sourceCriterion strategy). + format: int64 + type: integer + sourceCriterion: + description: 'SourceCriterion defines what criterion is used to + group requests as originating from a common source. If several + strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the requestHost. More + info: https://doc.traefik.io/traefik/v2.10/middlewares/http/inflightreq/#sourcecriterion' + properties: + ipStrategy: + description: 'IPStrategy holds the IP strategy configuration + used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy' + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. + items: + type: string + type: array + type: object + requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. + type: string + requestHost: + description: RequestHost defines whether to consider the request + Host as the source. + type: boolean + type: object + type: object + ipWhiteList: + description: 'IPWhiteList holds the IP whitelist middleware configuration. + This middleware accepts / refuses requests based on the client IP. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/' + properties: + ipStrategy: + description: 'IPStrategy holds the IP strategy configuration used + by Traefik to determine the client IP. 
More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy' + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position (starting + from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the X-Forwarded-For + header and select the first IP not in the list. + items: + type: string + type: array + type: object + sourceRange: + description: SourceRange defines the set of allowed IPs (or ranges + of allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + passTLSClientCert: + description: 'PassTLSClientCert holds the pass TLS client cert middleware + configuration. This middleware adds the selected data from the passed + client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/passtlsclientcert/' + properties: + info: + description: Info selects the specific client certificate details + you want to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + issuer: + description: Issuer defines the client certificate issuer + details to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + commonName: + description: CommonName defines whether to add the organizationalUnit + information into the issuer. + type: boolean + country: + description: Country defines whether to add the country + information into the issuer. + type: boolean + domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the issuer. + type: boolean + locality: + description: Locality defines whether to add the locality + information into the issuer. + type: boolean + organization: + description: Organization defines whether to add the organization + information into the issuer. + type: boolean + province: + description: Province defines whether to add the province + information into the issuer. 
+ type: boolean + serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the issuer. + type: boolean + type: object + notAfter: + description: NotAfter defines whether to add the Not After + information from the Validity part. + type: boolean + notBefore: + description: NotBefore defines whether to add the Not Before + information from the Validity part. + type: boolean + sans: + description: Sans defines whether to add the Subject Alternative + Name information from the Subject Alternative Name part. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the client + serialNumber information. + type: boolean + subject: + description: Subject defines the client certificate subject + details to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + commonName: + description: CommonName defines whether to add the organizationalUnit + information into the subject. + type: boolean + country: + description: Country defines whether to add the country + information into the subject. + type: boolean + domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the subject. + type: boolean + locality: + description: Locality defines whether to add the locality + information into the subject. + type: boolean + organization: + description: Organization defines whether to add the organization + information into the subject. + type: boolean + organizationalUnit: + description: OrganizationalUnit defines whether to add + the organizationalUnit information into the subject. + type: boolean + province: + description: Province defines whether to add the province + information into the subject. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the subject. 
+ type: boolean + type: object + type: object + pem: + description: PEM sets the X-Forwarded-Tls-Client-Cert header with + the certificate. + type: boolean + type: object + plugin: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: 'Plugin defines the middleware plugin configuration. + More info: https://doc.traefik.io/traefik/plugins/' + type: object + rateLimit: + description: 'RateLimit holds the rate limit configuration. This middleware + ensures that services will receive a fair amount of requests, and + allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ratelimit/' + properties: + average: + description: Average is the maximum rate, by default in requests/s, + allowed for the given source. It defaults to 0, which means + no rate limiting. The rate is actually defined by dividing Average + by Period. So for a rate below 1req/s, one needs to define a + Period larger than a second. + format: int64 + type: integer + burst: + description: Burst is the maximum number of requests allowed to + arrive in the same arbitrarily small period of time. It defaults + to 1. + format: int64 + type: integer + period: + anyOf: + - type: integer + - type: string + description: 'Period, in combination with Average, defines the + actual maximum rate, such as: r = Average / Period. It defaults + to a second.' + x-kubernetes-int-or-string: true + sourceCriterion: + description: SourceCriterion defines what criterion is used to + group requests as originating from a common source. If several + strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the request's remote + address field (as an ipStrategy). + properties: + ipStrategy: + description: 'IPStrategy holds the IP strategy configuration + used by Traefik to determine the client IP. 
More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/ipwhitelist/#ipstrategy' + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. + items: + type: string + type: array + type: object + requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. + type: string + requestHost: + description: RequestHost defines whether to consider the request + Host as the source. + type: boolean + type: object + type: object + redirectRegex: + description: 'RedirectRegex holds the redirect regex middleware configuration. + This middleware redirects a request using regex matching and replacement. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/redirectregex/#regex' + properties: + permanent: + description: Permanent defines whether the redirection is permanent + (301). + type: boolean + regex: + description: Regex defines the regex used to match and capture + elements from the request URL. + type: string + replacement: + description: Replacement defines how to modify the URL to have + the new target URL. + type: string + type: object + redirectScheme: + description: 'RedirectScheme holds the redirect scheme middleware + configuration. This middleware redirects requests from a scheme/port + to another. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/redirectscheme/' + properties: + permanent: + description: Permanent defines whether the redirection is permanent + (301). + type: boolean + port: + description: Port defines the port of the new URL. + type: string + scheme: + description: Scheme defines the scheme of the new URL. 
+ type: string + type: object + replacePath: + description: 'ReplacePath holds the replace path middleware configuration. + This middleware replaces the path of the request URL and store the + original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/replacepath/' + properties: + path: + description: Path defines the path to use as replacement in the + request URL. + type: string + type: object + replacePathRegex: + description: 'ReplacePathRegex holds the replace path regex middleware + configuration. This middleware replaces the path of a URL using + regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/replacepathregex/' + properties: + regex: + description: Regex defines the regular expression used to match + and capture the path from the request URL. + type: string + replacement: + description: Replacement defines the replacement path format, + which can include captured variables. + type: string + type: object + retry: + description: 'Retry holds the retry middleware configuration. This + middleware reissues requests a given number of times to a backend + server if that server does not reply. As soon as the server answers, + the middleware stops retrying, regardless of the response status. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/retry/' + properties: + attempts: + description: Attempts defines how many times the request should + be retried. + type: integer + initialInterval: + anyOf: + - type: integer + - type: string + description: InitialInterval defines the first wait time in the + exponential backoff series. The maximum interval is calculated + as twice the initialInterval. If unspecified, requests will + be retried immediately. The value of initialInterval should + be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration. 
+ x-kubernetes-int-or-string: true + type: object + stripPrefix: + description: 'StripPrefix holds the strip prefix middleware configuration. + This middleware removes the specified prefixes from the URL path. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/stripprefix/' + properties: + forceSlash: + description: 'ForceSlash ensures that the resulting stripped path + is not the empty string, by replacing it with / when necessary. + Default: true.' + type: boolean + prefixes: + description: Prefixes defines the prefixes to strip from the request + URL. + items: + type: string + type: array + type: object + stripPrefixRegex: + description: 'StripPrefixRegex holds the strip prefix regex middleware + configuration. This middleware removes the matching prefixes from + the URL path. More info: https://doc.traefik.io/traefik/v2.10/middlewares/http/stripprefixregex/' + properties: + regex: + description: Regex defines the regular expression to match the + path prefix from the request URL. + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.io_middlewaretcps.yaml b/enterprise/traefik/24.0.0/crds/traefik.io_middlewaretcps.yaml new file mode 100644 index 00000000000..8623568f5b3 --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.io_middlewaretcps.yaml 
@@ -0,0 +1,72 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: middlewaretcps.traefik.io +spec: + group: traefik.io + names: + kind: MiddlewareTCP + listKind: MiddlewareTCPList + plural: middlewaretcps + singular: middlewaretcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware. + More info: https://doc.traefik.io/traefik/v2.10/middlewares/overview/' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP. + properties: + inFlightConn: + description: InFlightConn defines the InFlightConn middleware configuration. + properties: + amount: + description: Amount defines the maximum amount of allowed simultaneous + connections. The middleware closes the connection if there are + already amount connections opened. + format: int64 + type: integer + type: object + ipWhiteList: + description: IPWhiteList defines the IPWhiteList middleware configuration. + properties: + sourceRange: + description: SourceRange defines the allowed IPs (or ranges of + allowed IPs by using CIDR notation). 
+ items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.io_serverstransports.yaml b/enterprise/traefik/24.0.0/crds/traefik.io_serverstransports.yaml new file mode 100644 index 00000000000..803b56395a4 --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.io_serverstransports.yaml 
@@ -0,0 +1,128 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: serverstransports.traefik.io +spec: + group: traefik.io + names: + kind: ServersTransport + listKind: ServersTransportList + plural: serverstransports + singular: serverstransport + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'ServersTransport is the CRD implementation of a ServersTransport. + If no serversTransport is specified, the default@internal will be used. + The default@internal serversTransport is created from the static configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/services/#serverstransport_1' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServersTransportSpec defines the desired state of a ServersTransport. + properties: + certificatesSecrets: + description: CertificatesSecrets defines a list of secret storing + client certificates for mTLS. + items: + type: string + type: array + disableHTTP2: + description: DisableHTTP2 disables HTTP/2 for connections with backend + servers. 
+ type: boolean + forwardingTimeouts: + description: ForwardingTimeouts defines the timeouts for requests + forwarded to the backend servers. + properties: + dialTimeout: + anyOf: + - type: integer + - type: string + description: DialTimeout is the amount of time to wait until a + connection to a backend server can be established. + x-kubernetes-int-or-string: true + idleConnTimeout: + anyOf: + - type: integer + - type: string + description: IdleConnTimeout is the maximum period for which an + idle HTTP keep-alive connection will remain open before closing + itself. + x-kubernetes-int-or-string: true + pingTimeout: + anyOf: + - type: integer + - type: string + description: PingTimeout is the timeout after which the HTTP/2 + connection will be closed if a response to ping is not received. + x-kubernetes-int-or-string: true + readIdleTimeout: + anyOf: + - type: integer + - type: string + description: ReadIdleTimeout is the timeout after which a health + check using ping frame will be carried out if no frame is received + on the HTTP/2 connection. + x-kubernetes-int-or-string: true + responseHeaderTimeout: + anyOf: + - type: integer + - type: string + description: ResponseHeaderTimeout is the amount of time to wait + for a server's response headers after fully writing the request + (including its body, if any). + x-kubernetes-int-or-string: true + type: object + insecureSkipVerify: + description: InsecureSkipVerify disables SSL certificate verification. + type: boolean + maxIdleConnsPerHost: + description: MaxIdleConnsPerHost controls the maximum idle (keep-alive) + to keep per-host. + type: integer + peerCertURI: + description: PeerCertURI defines the peer cert URI used to match against + SAN URI during the peer certificate verification. + type: string + rootCAsSecrets: + description: RootCAsSecrets defines a list of CA secret used to validate + self-signed certificate. 
+ items: + type: string + type: array + serverName: + description: ServerName defines the server name used to contact the + server. + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.io_serverstransporttcps.yaml b/enterprise/traefik/24.0.0/crds/traefik.io_serverstransporttcps.yaml new file mode 100644 index 00000000000..10e0a3f0e79 --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.io_serverstransporttcps.yaml 
@@ -0,0 +1,122 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: serverstransporttcps.traefik.io +spec: + group: traefik.io + names: + kind: ServersTransportTCP + listKind: ServersTransportTCPList + plural: serverstransporttcps + singular: serverstransporttcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'ServersTransportTCP is the CRD implementation of a TCPServersTransport. + If no tcpServersTransport is specified, a default one named default@internal + will be used. The default@internal tcpServersTransport can be configured + in the static configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_3' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP. + properties: + dialKeepAlive: + anyOf: + - type: integer + - type: string + description: DialKeepAlive is the interval between keep-alive probes + for an active network connection. If zero, keep-alive probes are + sent with a default value (currently 15 seconds), if supported by + the protocol and operating system. 
Network protocols or operating + systems that do not support keep-alives ignore this field. If negative, + keep-alive probes are disabled. + x-kubernetes-int-or-string: true + dialTimeout: + anyOf: + - type: integer + - type: string + description: DialTimeout is the amount of time to wait until a connection + to a backend server can be established. + x-kubernetes-int-or-string: true + terminationDelay: + anyOf: + - type: integer + - type: string + description: TerminationDelay defines the delay to wait before fully + terminating the connection, after one connected peer has closed + its writing capability. + x-kubernetes-int-or-string: true + tls: + description: TLS defines the TLS configuration + properties: + certificatesSecrets: + description: CertificatesSecrets defines a list of secret storing + client certificates for mTLS. + items: + type: string + type: array + insecureSkipVerify: + description: InsecureSkipVerify disables TLS certificate verification. + type: boolean + peerCertURI: + description: MaxIdleConnsPerHost controls the maximum idle (keep-alive) + to keep per-host. PeerCertURI defines the peer cert URI used + to match against SAN URI during the peer certificate verification. + type: string + rootCAsSecrets: + description: RootCAsSecrets defines a list of CA secret used to + validate self-signed certificates. + items: + type: string + type: array + serverName: + description: ServerName defines the server name used to contact + the server. + type: string + spiffe: + description: Spiffe defines the SPIFFE configuration. + properties: + ids: + description: IDs defines the allowed SPIFFE IDs (takes precedence + over the SPIFFE TrustDomain). + items: + type: string + type: array + trustDomain: + description: TrustDomain defines the allowed SPIFFE trust + domain. 
+ type: string + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.io_tlsoptions.yaml b/enterprise/traefik/24.0.0/crds/traefik.io_tlsoptions.yaml new file mode 100644 index 00000000000..b86fefe0e95 --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.io_tlsoptions.yaml 
@@ -0,0 +1,113 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: tlsoptions.traefik.io +spec: + group: traefik.io + names: + kind: TLSOption + listKind: TLSOptionList + plural: tlsoptions + singular: tlsoption + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'TLSOption is the CRD implementation of a Traefik TLS Option, + allowing to configure some parameters of the TLS connection. More info: + https://doc.traefik.io/traefik/v2.10/https/tls/#tls-options' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSOptionSpec defines the desired state of a TLSOption. + properties: + alpnProtocols: + description: 'ALPNProtocols defines the list of supported application + level protocols for the TLS handshake, in order of preference. More + info: https://doc.traefik.io/traefik/v2.10/https/tls/#alpn-protocols' + items: + type: string + type: array + cipherSuites: + description: 'CipherSuites defines the list of supported cipher suites + for TLS versions up to TLS 1.2. 
More info: https://doc.traefik.io/traefik/v2.10/https/tls/#cipher-suites' + items: + type: string + type: array + clientAuth: + description: ClientAuth defines the server's policy for TLS Client + Authentication. + properties: + clientAuthType: + description: ClientAuthType defines the client authentication + type to apply. + enum: + - NoClientCert + - RequestClientCert + - RequireAnyClientCert + - VerifyClientCertIfGiven + - RequireAndVerifyClientCert + type: string + secretNames: + description: SecretNames defines the names of the referenced Kubernetes + Secret storing certificate details. + items: + type: string + type: array + type: object + curvePreferences: + description: 'CurvePreferences defines the preferred elliptic curves + in a specific order. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#curve-preferences' + items: + type: string + type: array + maxVersion: + description: 'MaxVersion defines the maximum TLS version that Traefik + will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, + VersionTLS13. Default: None.' + type: string + minVersion: + description: 'MinVersion defines the minimum TLS version that Traefik + will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, + VersionTLS13. Default: VersionTLS10.' + type: string + preferServerCipherSuites: + description: 'PreferServerCipherSuites defines whether the server + chooses a cipher suite among his own instead of among the client''s. + It is enabled automatically when minVersion or maxVersion is set. + Deprecated: https://github.com/golang/go/issues/45430' + type: boolean + sniStrict: + description: SniStrict defines whether Traefik allows connections + from clients connections that do not specify a server_name extension. + type: boolean + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/enterprise/traefik/24.0.0/crds/traefik.io_tlsstores.yaml b/enterprise/traefik/24.0.0/crds/traefik.io_tlsstores.yaml new file mode 100644 index 00000000000..47b46854c8b --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.io_tlsstores.yaml 
@@ -0,0 +1,99 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: tlsstores.traefik.io +spec: + group: traefik.io + names: + kind: TLSStore + listKind: TLSStoreList + plural: tlsstores + singular: tlsstore + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For + the time being, only the TLSStore named default is supported. This means + that you cannot have two stores that are named default in different Kubernetes + namespaces. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#certificates-stores' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSStoreSpec defines the desired state of a TLSStore. + properties: + certificates: + description: Certificates is a list of secret names, each secret holding + a key/certificate pair to add to the store. + items: + description: Certificate holds a secret name for the TLSStore resource. + properties: + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. 
+ type: string + required: + - secretName + type: object + type: array + defaultCertificate: + description: DefaultCertificate defines the default certificate configuration. + properties: + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + required: + - secretName + type: object + defaultGeneratedCert: + description: DefaultGeneratedCert defines the default generated certificate + configuration. + properties: + domain: + description: Domain is the domain definition for the DefaultCertificate. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain names. + items: + type: string + type: array + type: object + resolver: + description: Resolver is the name of the resolver that will be + used to issue the DefaultCertificate. + type: string + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/crds/traefik.io_traefikservices.yaml b/enterprise/traefik/24.0.0/crds/traefik.io_traefikservices.yaml new file mode 100644 index 00000000000..0f3475bda46 --- /dev/null +++ b/enterprise/traefik/24.0.0/crds/traefik.io_traefikservices.yaml 
@@ -0,0 +1,402 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: traefikservices.traefik.io +spec: + group: traefik.io + names: + kind: TraefikService + listKind: TraefikServiceList + plural: traefikservices + singular: traefikservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'TraefikService is the CRD implementation of a Traefik Service. + TraefikService object allows to: - Apply weight to Services on load-balancing + - Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-traefikservice' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TraefikServiceSpec defines the desired state of a TraefikService. + properties: + mirroring: + description: Mirroring defines the Mirroring service configuration. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + maxBodySize: + description: MaxBodySize defines the maximum size allowed for + the body of the request. If the body is larger, the request + is not mirrored. Default value is -1, which means unlimited + size. 
+ format: int64 + type: integer + mirrors: + description: Mirrors defines the list of mirrors where Traefik + will duplicate the traffic. + items: + description: MirrorService holds the mirror configuration. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or + if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the + pods. By default, NativeLB is false. + type: boolean + passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + percent: + description: 'Percent defines the part of the traffic to + mirror. Supported values: 0 to 100.' + type: integer + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in + milliseconds, in between flushes to the client while + copying the response body. A negative value means + to flush immediately after each write to the client. 
+ This configuration is ignored when ReverseProxy recognizes + a response as a streaming response; for such responses, + writes are flushed to the client immediately. Default: + 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. + type: string + weight: + description: Weight defines the weight and should only be + specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). 
+ type: integer + required: + - name + type: object + type: array + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between the two + is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the + only child is the Kubernetes Service clusterIP. The Kubernetes + Service itself does load-balance to the pods. By default, NativeLB + is false. + type: boolean + passHostHeader: + description: PassHostHeader defines whether the client Host header + is forwarded to the upstream Kubernetes Service. By default, + passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. This + can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards the + response from the upstream Kubernetes Service to the client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in milliseconds, + in between flushes to the client while copying the response + body. A negative value means to flush immediately after + each write to the client. This configuration is ignored + when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https when + Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. 
It allows to configure the transport between + Traefik and your servers. Can only be used on a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. More + info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy between + the servers. RoundRobin is the only supported value at the moment. + type: string + weight: + description: Weight defines the weight and should only be specified + when Name references a TraefikService object (and to be precise, + one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + weighted: + description: Weighted defines the Weighted Round Robin configuration. + properties: + services: + description: Services defines the list of Kubernetes Service and/or + TraefikService to load-balance, with weight. + items: + description: Service defines an upstream HTTP service to proxy + traffic to. + properties: + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: Name defines the name of the referenced Kubernetes + Service or TraefikService. The differentiation between + the two is specified in the Kind field. 
+ type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or + if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the + pods. By default, NativeLB is false. + type: boolean + passHostHeader: + description: PassHostHeader defines whether the client Host + header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: 'FlushInterval defines the interval, in + milliseconds, in between flushes to the client while + copying the response body. A negative value means + to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes + a response as a streaming response; for such responses, + writes are flushed to the client immediately. Default: + 100ms' + type: string + type: object + scheme: + description: Scheme defines the scheme to use for the request + to the upstream Kubernetes Service. It defaults to https + when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: ServersTransport defines the name of ServersTransport + resource to use. It allows to configure the transport + between Traefik and your servers. Can only be used on + a Kubernetes Service. + type: string + sticky: + description: 'Sticky defines the sticky sessions configuration. 
+ More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: Strategy defines the load balancing strategy + between the servers. RoundRobin is the only supported + value at the moment. + type: string + weight: + description: Weight defines the weight and should only be + specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + sticky: + description: 'Sticky defines whether sticky sessions are enabled. + More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#stickiness-and-load-balancing' + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. + type: boolean + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: 'SameSite defines the same site policy. More + info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite' + type: string + secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). 
+ type: boolean + type: object + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/enterprise/traefik/24.0.0/ix_values.yaml b/enterprise/traefik/24.0.0/ix_values.yaml new file mode 100644 index 00000000000..6e3f6d7ac72 --- /dev/null +++ b/enterprise/traefik/24.0.0/ix_values.yaml 
@@ -0,0 +1,441 @@
+image:
+ repository: tccr.io/truecharts/traefik
+ tag: v2.10.5@sha256:b277733b5b8d7f9d2761813d97e161c1f64ec77960f9c06adde13868efbc8dce
+ pullPolicy: IfNotPresent
+manifestManager:
+ enabled: true
+workload:
+ main:
+ replicas: 2
+ strategy: RollingUpdate
+ podSpec:
+ containers:
+ main:
+ args: []
+ probes:
+ # -- Liveness probe configuration
+ # @default -- See below
+ liveness:
+ # -- sets the probe type when not using a custom probe
+ # @default -- "TCP"
+ type: tcp
+ # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
+ # @default -- "/"
+ # path: "/ping"
+ # -- Readiness probe configuration
+ # @default -- See below
+ readiness:
+ # -- sets the probe type when not using a custom probe
+ # @default -- "TCP"
+ type: tcp
+ # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
+ # @default -- "/"
+ # path: "/ping"
+ # -- Startup probe configuration
+ # @default -- See below
+ startup:
+ # -- sets the probe type when not using a custom probe
+ # @default -- "TCP"
+ type: tcp
+ # -- If a HTTP probe is used (default for HTTP/HTTPS services) this path is used
+ # @default -- "/"
+ # path: "/ping"
+# -- Options for all pods
+# Can be overruled per pod
+podOptions:
+ automountServiceAccountToken: true
+operator:
+ register: true
+# -- Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
+ingressClass:
+ # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
+ enabled: false
+ isDefaultClass: false
+ # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
+ fallbackApiVersion: ""
+# -- Create an IngressRoute for the dashboard
+ingressRoute:
+ dashboard:
+ enabled: true
+ # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
+ annotations: {}
+ # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
+ labels: {}
+#
+# -- Configure providers
+providers:
+ kubernetesCRD:
+ enabled: true
+ namespaces: []
+ # - "default"
+ kubernetesIngress:
+ enabled: true
+ # labelSelector: environment=production,method=traefik
+ namespaces: []
+ # - "default"
+ # IP used for Kubernetes Ingress endpoints
+ publishedService:
+ enabled: true
+ # Published Kubernetes Service to copy status from. Format: namespace/servicename
+ # By default this Traefik service
+ # pathOverride: ""
+# -- Logs
+# https://docs.traefik.io/observability/logs/
+logs:
+ # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
+ general:
+ # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
+ level: ERROR
+ # -- Set the format of General Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/logs/#format
+ format: common
+ access:
+ # To enable access logs
+ enabled: false
+ # To write the logs in an asynchronous fashion, specify a bufferingSize option.
+ # This option represents the number of log lines Traefik will keep in memory before writing
+ # them to the selected output. In some cases, this option can greatly help performances.
+ # bufferingSize: 100
+ # Filtering https://docs.traefik.io/observability/access-logs/#filtering
+ filters: {}
+ # statuscodes: "200,300-302"
+ # retryattempts: true
+ # minduration: 10ms
+ # Fields
+ # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
+ fields:
+ general:
+ defaultmode: keep
+ names: {}
+ # Examples:
+ # ClientUsername: drop
+ headers:
+ defaultmode: drop
+ names: {}
+ # Examples:
+ # User-Agent: redact
+ # Authorization: drop
+ # Content-Type: keep
+ # -- Set the format of Access Logs to be either Common Log Format or JSON. For more information: https://doc.traefik.io/traefik/observability/access-logs/#format
+ format: common
+metrics:
+ main:
+ enabled: false
+ type: servicemonitor
+ endpoints:
+ - port: metrics
+ path: /metrics
+ targetSelector: metrics
+globalArguments:
+ - "--global.checknewversion"
+##
+# -- Additional arguments to be passed at Traefik's binary
+# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
+## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
+additionalArguments:
+ - "--serverstransport.insecureskipverify=true"
+ - "--providers.kubernetesingress.allowexternalnameservices=true"
+
+# -- Default clusterCertificate generated by clusterissuer
+defaultCertificate: ""
+
+# -- Add custom DNSStore objects
+tlsStore: {}
+
+# -- TLS Options to be created as TLSOption CRDs
+# https://doc.traefik.io/tccr.io/truecharts/https/tls/#tls-options
+# Example:
+tlsOptions:
+ default:
+ sniStrict: false
+ minVersion: VersionTLS12
+ curvePreferences:
+ - CurveP521
+ - CurveP384
+ cipherSuites:
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+ - TLS_AES_128_GCM_SHA256
+ - TLS_AES_256_GCM_SHA384
+ - TLS_CHACHA20_POLY1305_SHA256
+# -- Options for the main traefik service, where the entrypoints traffic comes from
+# from.
+service:
+ main:
+ type: LoadBalancer
+ ports:
+ main:
+ port: 9000
+ targetPort: 9000
+ protocol: http
+ # -- Forwarded Headers should never be enabled on Main entrypoint
+ forwardedHeaders:
+ enabled: false
+ # -- Proxy Protocol should never be enabled on Main entrypoint
+ proxyProtocol:
+ enabled: false
+ tcp:
+ enabled: true
+ type: LoadBalancer
+ ports:
+ web:
+ enabled: true
+ port: 80
+ protocol: http
+ redirectTo: websecure
+ # Options: Empty, 0 (ingore), or positive int
+ # redirectPort:
+ # -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support
+ forwardedHeaders:
+ enabled: false
+ # -- List of trusted IP and CIDR references
+ trustedIPs: []
+ # -- Trust all forwarded headers
+ insecureMode: false
+ # -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support
+ proxyProtocol:
+ enabled: false
+ # -- Only IPs in trustedIPs will lead to remote client address replacement
+ trustedIPs: []
+ # -- Trust every incoming connection
+ insecureMode: false
+ websecure:
+ enabled: true
+ port: 443
+ protocol: https
+ # -- Configure (Forwarded Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers] Support
+ forwardedHeaders:
+ enabled: false
+ # -- List of trusted IP and CIDR references
+ trustedIPs: []
+ # -- Trust all forwarded headers
+ insecureMode: false
+ # -- Configure (Proxy Protocol Headers)[https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol] Support
+ proxyProtocol:
+ enabled: false
+ # -- Only IPs in trustedIPs will lead to remote client address replacement
+ trustedIPs: []
+ # -- Trust every incoming connection
+ insecureMode: false
+ # tcpexample:
+ # enabled: true
+ # targetPort: 9443
+ # protocol: tcp
+ # tls:
+ # enabled: false
+ # # this is the name of a TLSOption definition
+ # options: ""
+ # certResolver: ""
+ # domains: []
+ # # - main: example.com
+ # # sans:
+ # # - foo.example.com
+ # # - bar.example.com
+ metrics:
+ enabled: true
+ type: ClusterIP
+ ports:
+ metrics:
+ enabled: true
+ port: 9180
+ targetPort: 9180
+ protocol: http
+ # -- Forwarded Headers should never be enabled on Metrics entrypoint
+ forwardedHeaders:
+ enabled: false
+ # -- Proxy Protocol should never be enabled on Metrics entrypoint
+ proxyProtocol:
+ enabled: false
+ # udp:
+ # enabled: false
+# -- Whether Role Based Access Control objects like roles and rolebindings should be created
+rbac:
+ main:
+ enabled: true
+ primary: true
+ clusterWide: true
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.containo.us
+ - traefik.io
+ resources:
+ - middlewares
+ - middlewaretcps
+ - ingressroutes
+ - traefikservices
+ - ingressroutetcps
+ - ingressrouteudps
+ - tlsoptions
+ - tlsstores
+ - serverstransports
+ verbs:
+ - get
+ - list
+ - watch
+# -- The service account the pods will use to interact with the Kubernetes API
+serviceAccount:
+ main:
+ enabled: true
+ primary: true
+# -- SCALE Middleware Handlers
+middlewares:
+ basicAuth: []
+ # - name: basicauthexample
+ # users:
+ # - username: testuser
+ # password: testpassword
+ forwardAuth: []
+ # - name: forwardAuthexample
+ # address: https://auth.example.com/
+ # authResponseHeaders:
+ # - X-Secret
+ # - X-Auth-User
+ # authRequestHeaders:
+ # - "Accept"
+ # - "X-CustomHeader"
+ # authResponseHeadersRegex: "^X-"
+ # trustForwardHeader: true
+ customRequestHeaders: []
+ # - name: customRequestHeaderExample
+ # headers:
+ # - name: X-Custom-Header
+ # value: "foobar"
+ # - name: X-Header-To-Remove
+ # value: ""
+ customResponseHeaders: []
+ # - name: customResponseHeaderExample
+ # headers:
+ # - name: X-Custom-Header
+ # value: "foobar"
+ # - name: X-Header-To-Remove
+ # value: ""
+ rewriteResponseHeaders: []
+ # - name: rewriteResponseHeadersName
+ # headers:
+ # - name: "Location"
+ # regex: "^http://(.+)$"
+ # replacement: "https://$1"
+ # - name: "Date"
+ # regex: "^[^,]+,\\s*(.+)$"
+ # replacement: "$1"
+ customFrameOptionsValue: []
+ # - name: customFrameOptionsValueExample
+ # value: "SAMEORIGIN"
+ buffering: []
+ # - name: bufferingExample
+ # maxRequestBodyBytes: 1000000
+ # memRequestBodyBytes: 1000000
+ # maxResponseBodyBytes: 1000000
+ # memResponseBodyBytes: 1000000
+ # retryExpression: "IsNetworkError() && Attempts() < 2"
+ chain: []
+ # - name: chainname
+ # middlewares:
+ # - name: compress
+ redirectScheme: []
+ # - name: redirectSchemeName
+ # scheme: https
+ # permanent: true
+ rateLimit: []
+ # - name: rateLimitName
+ # average: 300
+ # burst: 200
+ redirectRegex: []
+ # - name: redirectRegexName
+ # regex: putregexhere
+ # replacement: replacementurlhere
+ # permanent: false
+ stripPrefixRegex: []
+ # - name: stripPrefixRegexName
+ # regex: []
+ ipWhiteList: []
+ # - name: ipWhiteListName
+ # sourceRange: []
+ # ipStrategy:
+ # depth: 2
+ # excludedIPs: []
+ themePark: []
+ # - name: themeParkName
+ # -- Supported apps, lower case name
+ # -- https://docs.theme-park.dev/themes
+ # app: appnamehere
+ # -- Supported themes, lower case name
+ # -- https://docs.theme-park.dev/themes/APPNAMEHERE
+ # -- https://docs.theme-park.dev/community-themes
+ # theme: themenamehere
+ # -- https://theme-park.dev or a self hosted url
+ # baseUrl: https://theme-park.dev
+ # Sets X-Real-Ip with an IP from the X-Forwarded-For or
+ # Cf-Connecting-Ip (If from Cloudflare)
+ # Evaluation of those headers will go from last to first
+ realIP: []
+ # - name: realIPName
+ # -- The real IP will be the first one that is
+ # -- not included in any of the CIDRs passed here
+ # excludedNetworks:
+ # - 1.1.1.1/24
+ addPrefix: []
+ # - name: addPrefixName
+ # prefix: "/foo"
+ geoBlock: []
+ # -- https://github.com/PascalMinder/geoblock
+ # - name: geoBlockName
+ # allowLocalRequests: true
+ # logLocalRequests: false
+ # logAllowedRequests: false
+ # logApiRequests: false
+ # api: https://get.geojs.io/v1/ip/country/{ip}
+ # apiTimeoutMs: 500
+ # cacheSize: 25
+ # forceMonthlyUpdate: true
+ # allowUnknownCountries: false
+ # unknownCountryApiResponse: nil
+ # blackListMode: false
+ # countries:
+ # - RU
+ modsecurity: []
+ # - name: modsecurityName
+ # modSecurityUrl: modSecurity container URL
+ # timeoutMillis: Configurated timeout
+ # maxBodySize: maxBodySize
+ ## Note: body of every request will be buffered in memory while the request is in-flight
+ ## (i.e.: during the security check and during the request processing by traefik and the backend),
+ ## so you may want to tune maxBodySize depending on how much RAM you have.
+portalhook:
+ enabled: true
+persistence:
+ plugins:
+ enabled: true
+ mountPath: "/plugins-storage"
+ type: emptyDir
+portal:
+ open:
+ enabled: true
+ path: /dashboard/
diff --git a/enterprise/traefik/24.0.0/questions.yaml b/enterprise/traefik/24.0.0/questions.yaml
new file mode 100644
index 00000000000..2cd32b73e18
--- /dev/null
+++ b/enterprise/traefik/24.0.0/questions.yaml
@@ -0,0 +1,3336 @@ +groups: + - name: Container Image + description: Image to be used for container + - name: General Settings + description: General Deployment Settings + - name: Workload Settings + description: Workload Settings + - name: App Configuration + description: App Specific Config Options + - name: Networking and Services + description: Configure Network and Services for Container + - name: Storage and Persistence + description: Persist and Share Data that is Separate from the Container + - name: Ingress + description: Ingress Configuration + - name: Security and Permissions + description: Configure Security Context and Permissions + - name: Resources and Devices + description: "Specify Resources/Devices to be Allocated to Workload" + - name: Middlewares + description: Traefik Middlewares + - name: Metrics + description: Metrics + - name: Addons + description: Addon Configuration + - name: Advanced + description: Advanced Configuration + - name: Postgresql + description: Postgresql + - name: Documentation + description: Documentation +portals: + open: + protocols: + - "$kubernetes-resource_configmap_tcportal-open_protocol" + host: + - "$kubernetes-resource_configmap_tcportal-open_host" + ports: + - "$kubernetes-resource_configmap_tcportal-open_port" + path: "$kubernetes-resource_configmap_tcportal-open_path" +questions: + - variable: global + group: General Settings + label: "Global Settings" + schema: + additional_attrs: true + type: dict + attrs: + - variable: stopAll + label: Stop All + description: "Stops All Running pods and hibernates cnpg" + schema: + type: boolean + default: false + - variable: workload + group: "Workload Settings" + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Type (Advanced) + schema: + type: string + default: Deployment + enum: + - value: Deployment + description: Deployment + - value: 
DaemonSet + description: DaemonSet + + - variable: replicas + label: Replicas (Advanced) + description: Set the number of Replicas + schema: + type: int + show_if: [["type", "!=", "DaemonSet"]] + default: 1 + - variable: podSpec + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: containers + label: Containers + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: Main Container + schema: + additional_attrs: true + type: dict + attrs: + - variable: envList + label: Extra Environment Variables + description: "Please be aware that some variables are set in the background, adding duplicates here might cause issues or prevent the app from starting..." + schema: + type: list + default: [] + items: + - variable: envItem + label: Environment Variable + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + - variable: value + label: Value + schema: + type: string + - variable: extraArgs + label: Extra Args + schema: + type: list + default: [] + items: + - variable: arg + label: Arg + schema: + type: string + - variable: advanced + label: Show Advanced Settings + description: Advanced settings are not covered by TrueCharts Support + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: command + label: Command + schema: + type: list + default: [] + items: + - variable: param + label: Param + schema: + type: string + + - variable: TZ + label: Timezone + group: "General Settings" + schema: + type: string + default: "Etc/UTC" + $ref: + - "definitions/timezone" + - variable: podOptions + group: "General Settings" + label: "Global Pod Options (Advanced)" + schema: + additional_attrs: true + type: dict + attrs: + - variable: expertPodOpts + label: "Expert - Pod Options" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hostNetwork + label: "Host Networking" + 
schema: + type: boolean + default: false + - variable: dnsConfig + label: "DNS Configuration" + schema: + type: dict + additional_attrs: true + attrs: + - variable: options + label: "Options" + schema: + type: list + default: [{"name": "ndots", "value": "1"}] + items: + - variable: optionsEntry + label: "Option Entry" + schema: + type: dict + additional_attrs: true + attrs: + - variable: name + label: "Name" + schema: + type: string + required: true + - variable: value + label: "Value" + schema: + type: string + - variable: nameservers + label: "Nameservers" + schema: + type: list + default: [] + items: + - variable: nsEntry + label: "Nameserver Entry" + schema: + type: string + required: true + - variable: searches + label: "Searches" + schema: + type: list + default: [] + items: + - variable: searchEntry + label: "Search Entry" + schema: + type: string + required: true + + - variable: imagePullSecretList + group: "General Settings" + label: "Image Pull Secrets" + schema: + type: list + default: [] + items: + - variable: pullsecretentry + label: "Pull Secret" + schema: + type: dict + additional_attrs: true + attrs: + - variable: registry + label: "Registry" + schema: + type: string + required: true + default: "https://index.docker.io/v1/" + - variable: username + label: "Username" + schema: + type: string + required: true + default: "" + - variable: password + label: "Password" + schema: + type: string + required: true + default: "" + - variable: email + label: "Email" + schema: + type: string + required: true + default: "" + - variable: expertIngressClass + label: Expert Mode + group: App Configuration + description: | + Expert Mode contains settings like:
+ - IngressClass
+ schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: ingressClass + label: "ingressClass" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: "Enable" + description: "When enabled, ingressClass will match the entered name of this app" + schema: + type: boolean + default: false + - variable: isDefaultClass + label: "isDefaultClass" + schema: + type: boolean + show_if: [["enabled", "=", true]] + default: false + - variable: logs + label: "Logs" + group: "App Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: general + label: "General Logs" + schema: + additional_attrs: true + type: dict + attrs: + - variable: level + label: "Log Level" + schema: + type: string + default: "ERROR" + enum: + - value: "INFO" + description: "Info" + - value: "WARN" + description: "Warnings" + - value: "ERROR" + description: "Errors" + - value: "FATAL" + description: "Fatal Errors" + - value: "PANIC" + description: "Panics" + - value: "DEBUG" + description: "Debug" + - variable: format + label: "General Log format" + schema: + type: string + default: "common" + enum: + - value: "common" + description: "Common Log Format" + - value: "json" + description: "JSON" + - variable: access + label: "Access Logs" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: "Enable" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: enabledFilters + label: "Enable Filters" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: filters + label: "Filters" + schema: + additional_attrs: true + type: dict + attrs: + - variable: statuscodes + label: "Status codes" + schema: + type: string + default: "200,300-302" + - variable: retryattempts + label: "retryattempts" + schema: + type: boolean + default: true + - variable: minduration + label: "minduration" + schema: + 
type: string + default: "10ms" + - variable: fields + label: "Fields" + schema: + additional_attrs: true + type: dict + attrs: + - variable: general + label: "General" + schema: + additional_attrs: true + type: dict + attrs: + - variable: defaultmode + label: "Default Mode" + schema: + type: string + default: "keep" + enum: + - value: "keep" + description: "Keep" + - value: "drop" + description: "Drop" + - variable: headers + label: "Headers" + schema: + additional_attrs: true + type: dict + attrs: + - variable: defaultmode + label: "Default Mode" + schema: + type: string + default: "drop" + enum: + - value: "keep" + description: "Keep" + - value: "drop" + description: "Drop" + - variable: format + label: "Access Log format" + schema: + type: string + default: "common" + enum: + - value: "common" + description: "Common Log Format" + - value: "json" + description: "JSON" + - variable: middlewares + label: "" + group: "Middlewares" + schema: + additional_attrs: true + type: dict + attrs: + - variable: basicAuth + label: basicAuth + schema: + type: list + default: [] + items: + - variable: basicAuthEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + default: "" + - variable: users + label: Users + schema: + type: list + default: [] + items: + - variable: usersEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: username + label: Username + schema: + type: string + required: true + default: "" + - variable: password + label: Password + schema: + type: string + required: true + default: "" + - variable: forwardAuth + label: forwardAuth + schema: + type: list + default: [] + items: + - variable: basicAuthEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + default: "" + - variable: address + label: Address + schema: + type: string + 
required: true + default: "" + - variable: trustForwardHeader + label: trustForwardHeader + schema: + type: boolean + default: false + - variable: tls + label: TLS + schema: + additional_attrs: true + type: dict + attrs: + - variable: insecureSkipVerify + label: insecureSkipVerify (expert) + description: >- + This disables all TLS certificate validation on communications with the authentication endpoint. + This could be a security risk and should only be used if you know what you are doing. + schema: + type: boolean + default: false + - variable: authResponseHeadersRegex + label: authResponseHeadersRegex + schema: + type: string + default: "" + - variable: authResponseHeaders + label: authResponseHeaders + schema: + type: list + default: [] + items: + - variable: authResponseHeadersEntry + label: "" + schema: + type: string + default: "" + - variable: authRequestHeaders + label: authRequestHeaders + schema: + type: list + default: [] + items: + - variable: authRequestHeadersEntry + label: "" + schema: + type: string + default: "" + - variable: buffering + label: Buffering + schema: + type: list + default: [] + items: + - variable: bufferingEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: maxRequestBodyBytes + label: Max Request Body Bytes + description: Leave empty and it won't be set + schema: + type: string + valid_chars: '^[0-9]*$' + default: "" + - variable: memRequestBodyBytes + label: Mem Request Body Bytes + description: Leave empty and it won't be set + schema: + type: string + valid_chars: '^[0-9]*$' + default: "" + - variable: maxResponseBodyBytes + label: Max Response Body Bytes + description: Leave empty and it won't be set + schema: + type: string + valid_chars: '^[0-9]*$' + default: "" + - variable: memResponseBodyBytes + label: Mem Response Body Bytes + description: Leave empty and it won't be set + schema: + type: string + valid_chars: 
'^[0-9]*$' + default: "" + - variable: retryExpression + label: Retry Expression + description: Leave empty and it won't be set + schema: + type: string + default: "" + - variable: customRequestHeaders + label: Custom Request Headers + schema: + type: list + default: [] + items: + - variable: customRequestHeadersEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: headers + label: Headers to Add + schema: + type: list + default: [] + items: + - variable: headersEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Header Name + description: Name of custom header to be added to requests, eg. X-Custom-Header + schema: + valid_chars: ^[a-zA-Z0-9_\-]*$ + type: string + required: true + default: "" + - variable: value + label: Header Value + description: The value of the header. If the value is empty, the header will be removed. + schema: + type: string + default: "" + - variable: customResponseHeaders + label: Custom Response Headers + schema: + type: list + default: [] + items: + - variable: customResponseHeadersEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: headers + label: Headers to Add + schema: + type: list + default: [] + items: + - variable: headersEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Header Name + description: Name of custom header to be added to responses, eg. X-Custom-Header + schema: + valid_chars: ^[a-zA-Z0-9_\-]*$ + type: string + required: true + default: "" + - variable: value + label: Header Value + description: The value of the header. If the value is empty, the header will be removed. 
+ schema: + type: string + default: "" + - variable: rewriteResponseHeaders + label: Rewrite Response Headers + schema: + type: list + default: [] + items: + - variable: rewriteResponseHeadersEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: headers + label: Headers To Rewrite + schema: + type: list + default: [] + items: + - variable: headersEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Header Name + description: Name of a header to modified in responses, eg. X-Custom-Header + schema: + valid_chars: ^[a-zA-Z0-9_\-]*$ + type: string + required: true + default: "" + - variable: regex + label: Regex + description: The value of the header to match. Accepts regex expression. + schema: + type: string + default: "" + - variable: replacement + label: Replacement Regex + description: The new value of the header. Accepts regex expression. + schema: + type: string + default: "" + - variable: customFrameOptionsValue + label: Custom Frame Options Value + schema: + type: list + default: [] + items: + - variable: customFrameOptionsValueEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: value + label: X-Frame-Options Header Value + description: The value of the header. 
+ schema: + type: string + required: true + default: "" + - variable: chain + label: Chain + schema: + type: list + default: [] + items: + - variable: chainEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: middlewares + label: Middlewares to Chain + schema: + type: list + default: [] + items: + - variable: name + label: Name + schema: + type: string + required: true + default: "" + - variable: redirectScheme + label: redirectScheme + schema: + type: list + default: [] + items: + - variable: redirectSchemeEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: scheme + label: Scheme + schema: + type: string + required: true + default: https + enum: + - value: https + description: https + - value: http + description: http + - variable: permanent + label: Permanent + schema: + type: boolean + default: false + - variable: rateLimit + label: rateLimit + schema: + type: list + default: [] + items: + - variable: rateLimitEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: average + label: Average + schema: + type: int + required: true + default: 300 + - variable: burst + label: Burst + schema: + type: int + required: true + default: 200 + - variable: redirectRegex + label: redirectRegex + schema: + type: list + default: [] + items: + - variable: redirectRegexEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: regex + label: Regex + schema: + type: string + required: true + default: "" + - variable: replacement + label: Replacement + schema: + type: string + required: true + default: "" + - variable: permanent + label: Permanent + 
schema: + type: boolean + default: false + - variable: stripPrefixRegex + label: stripPrefixRegex + schema: + type: list + default: [] + items: + - variable: stripPrefixRegexEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: regex + label: Regex + schema: + type: list + default: [] + items: + - variable: regexEntry + label: Regex + schema: + type: string + required: true + default: "" + - variable: ipWhiteList + label: ipWhiteList + schema: + type: list + default: [] + items: + - variable: ipWhiteListEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + default: "" + - variable: sourceRange + label: Source Range + schema: + type: list + default: [] + items: + - variable: sourceRangeEntry + label: "" + schema: + type: string + required: true + default: "" + - variable: ipStrategy + label: IP Strategy + schema: + additional_attrs: true + type: dict + attrs: + - variable: depth + label: Depth + schema: + type: int + required: true + - variable: excludedIPs + label: Excluded IPs + schema: + type: list + default: [] + items: + - variable: excludedIPsEntry + label: "" + schema: + type: string + required: true + default: "" + - variable: themePark + label: theme.park + schema: + type: list + default: [] + items: + - variable: themeParkEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + description: This is a 3rd party plugin and not maintained by TrueCharts, + for more information go to
traefik-themepark + schema: + type: string + required: true + default: "" + - variable: appName + label: App Name + description: Lower case, name of the app to be themed. +
Go to https://docs.theme-park.dev/themes/ to see supported apps. + schema: + type: string + required: true + default: "" + - variable: themeName + label: Theme Name + description: Lower case, name of the theme to be applied. +
Go to https://docs.theme-park.dev/theme-options/ to see supported themes. + schema: + type: string + required: true + default: "" + - variable: baseUrl + label: Base URL + description: Replace `https://theme-park.dev` URL for self-hosting reference. + schema: + type: string + required: true + default: https://theme-park.dev + - variable: addons + label: Addons + schema: + type: list + default: [] + items: + - variable: addonEntry + label: Addon + description: Currently only supports 'darker' and '4k-logo' for *arr apps. +
Go to https://docs.theme-park.dev/themes/addons/ for Addon information. +
Go to https://github.com/packruler/traefik-themepark for more context on plugin + schema: + type: string + required: true + default: "" + - variable: realIP + label: Real IP + schema: + type: list + default: [] + items: + - variable: realIPEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + default: "" + - variable: excludedNetworks + label: Excluded Networks + schema: + type: list + default: [] + items: + - variable: excludedNetEntry + label: Excluded Network Entry + description: Network to exclude setting it to X-Real-Ip + schema: + type: string + required: true + default: "" + - variable: geoBlock + label: GeoBlock + schema: + type: list + default: [] + items: + - variable: geoBlockEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + description: This is a 3rd party plugin and not maintained by TrueCharts, + for more information go to geoblock + schema: + type: string + required: true + default: "" + - variable: allowLocalRequests + label: Allow Local Requests + description: If set to true, will not block request from Private IP Ranges + schema: + type: boolean + default: true + - variable: logLocalRequests + label: Log Local Requests + description: If set to true, will log every connection from any IP in the private IP range + schema: + type: boolean + default: false + - variable: logAllowedRequests + label: Log Allowed Requests + description: If set to true, will show a log message with the IP and the country of origin if a request is allowed. + schema: + type: boolean + default: false + - variable: logApiRequests + label: Log API Requests + description: If set to true, will show a log message for every API hit. + schema: + type: boolean + default: false + - variable: api + label: API + description: Defines the API URL for the IP to Country resolution. The IP to fetch can be added with {ip} to the URL. 
+ schema: + type: string + required: true + default: https://get.geojs.io/v1/ip/country/{ip} + - variable: apiTimeoutMs + label: API Timeout in ms + description: Timeout for the call to the api uri. + schema: + type: int + required: true + default: 500 + - variable: cacheSize + label: Cache Size + description: Defines the max size of the LRU (least recently used) cache. + schema: + type: int + required: true + default: 25 + - variable: forceMonthlyUpdate + label: Force Monthly Update + description: Even if an IP stays in the cache for a period of a month (about 30 x 24 hours), it must be fetch again after a month. + schema: + type: boolean + default: true + - variable: allowUnknownCountries + label: Allow Unknown Countries + description: Some IP addresses have no country associated with them. If this option is set to true, all IPs with no associated country are also allowed. + schema: + type: boolean + default: false + - variable: unknownCountryApiResponse + label: Unknown Countries API Response + description: The API uri can be customized. This options allows to customize the response string of the API when a IP with no associated country is requested. + schema: + type: string + required: true + default: nil + - variable: blackListMode + label: Blacklist Mode + description: When set to true the filter logic is inverted, i.e. requests originating from countries listed in the countries list are blocked. + schema: + type: boolean + default: false + - variable: countries + description: Country codes (2 characters) from which connections to the service should be allowed or blocked, based on the mode. + label: Countries + schema: + type: list + default: [] + items: + - variable: countryEntry + label: Country + description: Country codes (2 characters) from which connections to the service should be allowed or blocked, based on the mode. 
+ schema: + type: string + required: true + # Allow only 2 Characters + valid_chars: '^[a-zA-Z]{2}$' + default: "" + - variable: addPrefix + label: Add Prefix + schema: + type: list + default: [] + items: + - variable: addPrefixEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + default: "" + - variable: prefix + label: Prefix + schema: + type: string + required: true + default: "" + - variable: modsecurity + label: modsecurity + schema: + type: list + default: [] + items: + - variable: modsecurityEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + description: This is a 3rd party plugin and not maintained by TrueCharts, + for more information go to traefik-modsecurity-plugin + schema: + type: string + required: true + default: "" + - variable: modSecurityUrl + label: ModSecurity Url + description: It's the URL for the owasp/modsecurity container. + schema: + type: string + required: true + default: "https://someurl" + - variable: timeoutMillis + label: timeout Millis + description: timeout in milliseconds for the http client to talk with modsecurity container. ( + schema: + type: int + required: true + default: 2 + - variable: maxBodySize + label: maxBody Size + description: it's the maximum limit for requests body size. Requests exceeding this value will be rejected using HTTP 413 Request Entity Too Large. Zero means "use default value". 
+ schema: + type: int + required: true + default: 0 + - variable: service + group: "Networking and Services" + label: "Configure Service Entrypoint" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Service" + description: "The Primary service on which the healthcheck runs, often the webUI" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Service + schema: + type: boolean + default: true + hidden: true + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: LoadBalancer + description: LoadBalancer (Expose Ports) + - value: ClusterIP + description: ClusterIP (Do Not Expose Ports) + - variable: loadBalancerIP + label: LoadBalancer IP + description: "MetalLB Only: Selects the Loadbalancer IP to expose on. Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: ports + label: "Service's Port(s) Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Entrypoint Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Entrypoints Port" + schema: + type: int + default: 9000 + required: true + - variable: tcp + label: "TCP Service" + description: "The tcp Entrypoint service" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Service + schema: + type: boolean + default: true + hidden: true + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: LoadBalancer + description: LoadBalancer (Expose Ports) + - 
value: ClusterIP + description: ClusterIP (Do Not Expose Ports) + - variable: loadBalancerIP + label: LoadBalancer IP + description: "MetalLB Only: Selects the Loadbalancer IP to expose on. Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: ports + label: "Service's Port(s) Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: web + label: "web Entrypoint Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Entrypoints Port" + schema: + type: int + default: 80 + required: true + - variable: advanced + label: Show Advanced Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: redirectPort + label: "Redirect to Port" + schema: + type: int + - variable: redirectTo + label: "Redirect to Entrypoint" + schema: + type: string + default: "websecure" + - variable: forwardedHeaders + label: Accept Forwarded Headers + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: trustedIPs + label: Trusted IPs + description: Trust Forwarded Headers from specific IPs. + schema: + type: list + default: [] + items: + - variable: trustedIPsEntry + label: "" + schema: + type: string + required: true + default: "" + - variable: insecureMode + label: Insecure Mode + description: Always Trust Forwarded Headers + schema: + type: boolean + default: false + - variable: proxyProtocol + label: Accept Proxy Protocol connections + description: If Proxy Protocol header parsing is enabled for the entry point, this entry point can accept connections with or without Proxy Protocol headers. 
+ schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: trustedIPs + label: Trusted IPs + description: Only IPs in trustedIPs will lead to remote client address replacement + schema: + type: list + default: [] + items: + - variable: trustedIPsEntry + label: "" + schema: + type: string + required: true + default: "" + - variable: insecureMode + label: Insecure Mode + description: Trust every incoming connection + schema: + type: boolean + default: false + - variable: websecure + label: "websecure Entrypoints Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Entrypoints Port" + schema: + type: int + default: 443 + required: true + - variable: advanced + label: Show Advanced Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: redirectPort + label: "Redirect to Port" + schema: + type: int + - variable: redirectTo + label: "Redirect to Entrypoint" + schema: + type: string + - variable: forwardedHeaders + label: Accept Forwarded Headers + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: trustedIPs + label: Trusted IPs + description: Trust Forwarded Headers from specific IPs. + schema: + type: list + default: [] + items: + - variable: trustedIPsEntry + label: "" + schema: + type: string + required: true + default: "" + - variable: insecureMode + label: Insecure Mode + description: Always Trust Forwarded Headers + schema: + type: boolean + default: false + - variable: proxyProtocol + label: Accept Proxy Protocol connections + description: If Proxy Protocol header parsing is enabled for the entry point, this entry point can accept connections with or without Proxy Protocol headers. 
+ schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: trustedIPs + label: Trusted IPs + description: Only IPs in trustedIPs will lead to remote client address replacement + schema: + type: list + default: [] + items: + - variable: trustedIPsEntry + label: "" + schema: + type: string + required: true + default: "" + - variable: insecureMode + label: Insecure Mode + description: Trust every incoming connection + schema: + type: boolean + default: false + - variable: tls + label: "websecure Entrypoints Configuration" + schema: + additional_attrs: true + type: dict + hidden: true + attrs: + - variable: enabled + label: "Enabled" + schema: + type: boolean + default: true + hidden: true + - variable: portsList + label: "Additional TCP Entrypoints" + schema: + type: list + default: [] + items: + - variable: portsListEntry + label: "Custom Entrypoints" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: "Enable the port" + schema: + type: boolean + default: true + hidden: true + - variable: name + label: "Entrypoints Name" + schema: + type: string + default: "" + - variable: protocol + label: "Entrypoints Type" + schema: + type: string + default: "tcp" + enum: + - value: http + description: "HTTP" + - value: "https" + description: "HTTPS" + - value: tcp + description: "TCP" + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + required: true + - variable: tls + label: "websecure Entrypoints Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: "Enabled" + schema: + type: boolean + default: true + - variable: redirectPort + label: "Redirect to Port" + schema: + type: int + - variable: redirectTo + label: "Redirect to Entrypoint" + schema: + type: string + - variable: 
forwardedHeaders + label: Accept Forwarded Headers + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: trustedIPs + label: Trusted IPs + description: Trust Forwarded Headers from specific IPs. + schema: + type: list + default: [] + items: + - variable: trustedIPsEntry + label: "" + schema: + type: string + required: true + default: "" + - variable: insecureMode + label: Insecure Mode + description: Always Trust Forwarded Headers + schema: + type: boolean + default: false + - variable: proxyProtocol + label: Accept Proxy Protocol connections + description: If Proxy Protocol header parsing is enabled for the entry point, this entry point can accept connections with or without Proxy Protocol headers. + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: trustedIPs + label: Trusted IPs + description: Only IPs in trustedIPs will lead to remote client address replacement + schema: + type: list + default: [] + items: + - variable: trustedIPsEntry + label: "" + schema: + type: string + required: true + default: "" + - variable: insecureMode + label: Insecure Mode + description: Trust every incoming connection + schema: + type: boolean + default: false + - variable: ingress + label: "" + group: Ingress + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Ingress" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable Ingress + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hosts + label: Hosts + schema: + type: list + default: [] + items: + - variable: hostEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: host + label: 
HostName + schema: + type: string + default: "" + required: true + - variable: paths + label: Paths + schema: + type: list + default: [{path: "/", pathType: "Prefix"}] + items: + - variable: pathEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: path + label: Path + schema: + type: string + required: true + default: "/" + - variable: pathType + label: Path Type + schema: + type: string + required: true + default: Prefix + + + - variable: integrations + label: Integrations + description: Connect ingress with other charts + schema: + additional_attrs: true + type: dict + attrs: + - variable: traefik + label: Traefik + description: Connect ingress with Traefik + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: enabled + schema: + type: boolean + default: true + - variable: allowCors + label: 'Allow Cross Origin Requests (advanced)' + schema: + type: boolean + default: false + show_if: [["enabled", "=", true]] + - variable: entrypoints + label: Entrypoints + schema: + type: list + default: ["websecure"] + show_if: [["enabled", "=", true]] + items: + - variable: entrypoint + label: Entrypoint + schema: + type: string + - variable: middlewares + label: Middlewares + schema: + type: list + default: [] + show_if: [["enabled", "=", true]] + items: + - variable: middleware + label: Middleware + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: name + schema: + type: string + default: "" + required: true + - variable: namespace + label: 'namespace (optional)' + schema: + type: string + default: "" + - variable: certManager + label: certManager + description: Connect ingress with certManager + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: enabled + schema: + type: boolean + default: false + - variable: certificateIssuer + label: certificateIssuer + description: defaults to chartname + schema: + type: string + default: "" + 
show_if: [["enabled", "=", true]] + - variable: homepage + label: Homepage + description: Connect ingress with Homepage + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: enabled + schema: + type: boolean + default: false + - variable: name + label: Name + description: defaults to chartname + schema: + type: string + default: "" + show_if: [["enabled", "=", true]] + - variable: description + label: Description + description: defaults to chart description + schema: + type: string + default: "" + show_if: [["enabled", "=", true]] + - variable: group + label: Group + schema: + type: string + required: true + default: "default" + show_if: [["enabled", "=", true]] + - variable: widget + label: Widget Settings + schema: + type: dict + additional_attrs: true + show_if: [["enabled", "=", true]] + attrs: + - variable: custom + label: Options + schema: + type: dict + additional_attrs: true + attrs: + - variable: key + label: API-key (key) + schema: + type: string + default: "" + - variable: customkv + label: Custom Options + schema: + type: list + default: [] + items: + - variable: option + label: Option + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + default: "" + required: true + - variable: value + label: Value + schema: + type: string + default: "" + required: true + - variable: advanced + label: Show Advanced Settings + description: Advanced settings are not covered by TrueCharts Support + schema: + type: boolean + default: false + - variable: ingressClassName + label: (Advanced/Optional) IngressClass Name + schema: + type: string + show_if: [["advanced", "=", true]] + default: "" + - variable: tls + label: TLS-Settings + schema: + type: list + show_if: [["advanced", "=", true]] + default: [] + items: + - variable: tlsEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: hosts + label: Certificate Hosts + schema: + type: list + 
default: [] + items: + - variable: host + label: Host + schema: + type: string + default: "" + required: true + + - variable: certificateIssuer + label: Use Cert-Manager clusterIssuer + description: 'add the name of your cert-manager clusterIssuer here for automatic tls certificates.' + schema: + type: string + default: "" + - variable: clusterCertificate + label: 'Cluster Certificate (Advanced)' + description: 'Add the name of your cluster-wide certificate, that you set up in the ClusterIssuer chart.' + schema: + type: string + show_if: [["certificateIssuer", "=", ""]] + default: "" + - variable: secretName + label: 'Use Custom Certificate Secret (Advanced)' + schema: + show_if: [["certificateIssuer", "=", ""]] + type: string + default: "" + - variable: scaleCert + label: 'Use TrueNAS SCALE Certificate (Deprecated)' + schema: + show_if: [["certificateIssuer", "=", ""]] + type: int + $ref: + - "definitions/certificate" + - variable: ingressList + label: Add Manual Custom Ingresses + group: Ingress + schema: + type: list + default: [] + items: + - variable: ingressListEntry + label: Custom Ingress + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable Ingress + schema: + type: boolean + default: true + hidden: true + - variable: name + label: Name + schema: + type: string + default: "" + - variable: ingressClassName + label: IngressClass Name + schema: + type: string + default: "" + - variable: hosts + label: Hosts + schema: + type: list + default: [] + items: + - variable: hostEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: host + label: HostName + schema: + type: string + default: "" + required: true + - variable: paths + label: Paths + schema: + type: list + default: [] + items: + - variable: pathEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: path + label: Path + schema: + type: string + required: true + default: "/" + - variable: 
pathType + label: Path Type + schema: + type: string + required: true + default: Prefix + - variable: service + label: Linked Service + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Service Name + schema: + type: string + default: "" + - variable: port + label: Service Port + schema: + type: int + - variable: tls + label: TLS-Settings + schema: + type: list + default: [] + show_if: [["certificateIssuer", "=", ""]] + items: + - variable: tlsEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: hosts + label: Certificate Hosts + schema: + type: list + default: [] + items: + - variable: host + label: Host + schema: + type: string + default: "" + required: true + - variable: certificateIssuer + label: Use Cert-Manager clusterIssuer + description: 'add the name of your Cert-Manager clusterIssuer here for automatic tls certificates.' + schema: + type: string + default: "" + - variable: scaleCert + label: Use TrueNAS SCALE Certificate (Deprecated) + schema: + show_if: [["certificateIssuer", "=", ""]] + type: int + $ref: + - "definitions/certificate" + - variable: clusterCertificate + label: 'Cluster Certificate (Advanced)' + description: 'Add the name of your cluster-wide certificate, that you set up in the ClusterIssuer chart.' 
+ schema: + type: string + show_if: [["certificateIssuer", "=", ""]] + default: "" + - variable: secretName + label: Use Custom Secret (Advanced) + schema: + type: string + show_if: [["certificateIssuer", "=", ""]] + default: "" + - variable: integrations + label: Integrations + description: Connect ingress with other charts + schema: + additional_attrs: true + type: dict + attrs: + - variable: traefik + label: Traefik + description: Connect ingress with Traefik + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: enabled + schema: + type: boolean + default: true + - variable: allowCors + label: "Allow Cross Origin Requests" + schema: + type: boolean + default: false + show_if: [["enabled", "=", true]] + - variable: entrypoints + label: Entrypoints + schema: + type: list + default: ["websecure"] + show_if: [["enabled", "=", true]] + items: + - variable: entrypoint + label: Entrypoint + schema: + type: string + - variable: middlewares + label: Middlewares + schema: + type: list + default: [] + show_if: [["enabled", "=", true]] + items: + - variable: middleware + label: Middleware + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: name + schema: + type: string + default: "" + required: true + - variable: namespace + label: namespace + schema: + type: string + default: "" + - variable: certManager + label: certManager + description: Connect ingress with certManager + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: enabled + schema: + type: boolean + default: true + - variable: certificateIssuer + label: certificateIssuer + description: defaults to chartname + schema: + type: string + default: "" + show_if: [["enabled", "=", true]] + - variable: homepage + label: Homepage + description: Connect ingress with Homepage + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: enabled + schema: + type: boolean + default: false + - 
variable: name + label: Name + description: defaults to chartname + schema: + type: string + default: "" + show_if: [["enabled", "=", true]] + - variable: description + label: Description + description: defaults to chart description + schema: + type: string + default: "" + show_if: [["enabled", "=", true]] + - variable: group + label: Group + schema: + type: string + required: true + default: "default" + show_if: [["enabled", "=", true]] + - variable: securityContext + group: Security and Permissions + label: Security Context + schema: + additional_attrs: true + type: dict + attrs: + - variable: container + label: Container + schema: + additional_attrs: true + type: dict + attrs: + # Settings from questions.yaml get appended here on a per-app basis + - variable: runAsUser + label: "runAsUser" + description: "The UserID of the user running the application" + schema: + type: int + default: 568 + - variable: runAsGroup + label: "runAsGroup" + description: "The groupID of the user running the application" + schema: + type: int + default: 568 + # Settings from questions.yaml get appended here on a per-app basis + - variable: PUID + label: Process User ID - PUID + description: When supported by the container, this sets the User ID running the Application Process. Not supported by all Apps + schema: + type: int + show_if: [["runAsUser", "=", 0]] + default: 568 + - variable: UMASK + label: UMASK + description: When supported by the container, this sets the UMASK for the App. 
Not supported by all Apps + schema: + type: string + default: "0022" + - variable: advanced + label: Show Advanced Settings + description: Advanced settings are not covered by TrueCharts Support + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: privileged + label: "Privileged mode" + schema: + type: boolean + default: false + - variable: readOnlyRootFilesystem + label: "ReadOnly Root Filesystem" + schema: + type: boolean + default: true + - variable: pod + label: Pod + schema: + additional_attrs: true + type: dict + attrs: + - variable: fsGroupChangePolicy + label: "When should we take ownership?" + schema: + type: string + default: OnRootMismatch + enum: + - value: OnRootMismatch + description: OnRootMismatch + - value: Always + description: Always + - variable: supplementalGroups + label: Supplemental Groups + schema: + type: list + default: [] + items: + - variable: supplementalGroupsEntry + label: Supplemental Group + schema: + type: int + # Settings from questions.yaml get appended here on a per-app basis + - variable: fsGroup + label: "fsGroup" + description: "The group that should own ALL storage." + schema: + type: int + default: 568 + + - variable: resources + group: Resources and Devices + label: "Resource Limits" + schema: + additional_attrs: true + type: dict + attrs: + - variable: limits + label: Advanced Limit Resource Consumption + schema: + additional_attrs: true + type: dict + attrs: + - variable: cpu + label: CPU + description: "1000m means 1 hyperthread. Detailed info: https://truecharts.org/manual/SCALE/validation" + schema: + type: string + default: 4000m + valid_chars: '^(?!^0(\.0|m|)$)([0-9]+)(\.[0-9]|m?)$' + - variable: memory + label: RAM + description: "1Gi means 1 Gibibyte RAM. 
Detailed info: https://truecharts.org/manual/SCALE/validation" + schema: + type: string + default: 8Gi + valid_chars: '^(?!^0(e[0-9]|[EPTGMK]i?|)$)([0-9]+)(|[EPTGMK]i?|e[0-9]+)$' + - variable: requests + label: "Minimum Resources Required (request)" + schema: + additional_attrs: true + type: dict + hidden: true + attrs: + - variable: cpu + label: CPU + description: "1000m means 1 hyperthread. Detailed info: https://truecharts.org/manual/SCALE/validation" + schema: + type: string + default: 10m + hidden: true + valid_chars: '^(?!^0(\.0|m|)$)([0-9]+)(\.[0-9]|m?)$' + - variable: memory + label: "RAM" + description: "1Gi means 1 Gibibyte RAM. Detailed info: https://truecharts.org/manual/SCALE/validation" + schema: + type: string + default: 50Mi + hidden: true + valid_chars: '^(?!^0(e[0-9]|[EPTGMK]i?|)$)([0-9]+)(|[EPTGMK]i?|e[0-9]+)$' + - variable: deviceList + label: Mount USB Devices + group: Resources and Devices + schema: + type: list + default: [] + items: + - variable: deviceListEntry + label: Device + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Storage + schema: + type: boolean + default: true + - variable: type + label: (Advanced) Type of Storage + description: Sets the persistence type + schema: + type: string + default: device + hidden: true + - variable: readOnly + label: readOnly + schema: + type: boolean + default: false + - variable: hostPath + label: Host Device Path + description: Path to the device on the host system + schema: + type: path + - variable: mountPath + label: Container Device Path + description: Path inside the container the device is mounted + schema: + type: string + default: "/dev/ttyACM0" + - variable: scaleGPU + label: GPU Configuration + group: Resources and Devices + schema: + type: list + default: [] + items: + - variable: scaleGPUEntry + label: GPU + schema: + additional_attrs: true + type: dict + attrs: + # Specify GPU configuration + - variable: gpu + label: Select GPU + 
schema: + additional_attrs: true + type: dict + $ref: + - "definitions/gpuConfiguration" + attrs: [] + - variable: workaround + label: "Workaround" + schema: + type: string + default: workaround + hidden: true + - variable: metrics + group: Metrics + label: Prometheus Metrics + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: Main Metrics + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enabled + description: Enable Prometheus Metrics + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: prometheusRule + label: PrometheusRule + description: Enable and configure Prometheus Rules for the App. + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enabled + description: Enable Prometheus Metrics + schema: + type: boolean + default: false + # TODO: Rule List section +# - variable: horizontalPodAutoscaler +# group: Advanced +# label: (Advanced) Horizontal Pod Autoscaler +# schema: +# type: list +# default: [] +# items: +# - variable: hpaEntry +# label: HPA Entry +# schema: +# additional_attrs: true +# type: dict +# attrs: +# - variable: name +# label: Name +# schema: +# type: string +# required: true +# default: "" +# - variable: enabled +# label: Enabled +# schema: +# type: boolean +# default: false +# show_subquestions_if: true +# subquestions: +# - variable: target +# label: Target +# description: Deployment name, Defaults to Main Deployment +# schema: +# type: string +# default: "" +# - variable: minReplicas +# label: Minimum Replicas +# schema: +# type: int +# default: 1 +# - variable: maxReplicas +# label: Maximum Replicas +# schema: +# type: int +# default: 5 +# - variable: targetCPUUtilizationPercentage +# label: Target CPU Utilization Percentage +# schema: +# type: int +# default: 80 +# - variable: targetMemoryUtilizationPercentage +# label: Target Memory Utilization Percentage +# schema: +# type: int +# 
default: 80 + - variable: networkPolicy + group: Advanced + label: (Advanced) Network Policy + schema: + type: list + default: [] + items: + - variable: netPolicyEntry + label: Network Policy Entry + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + default: "" + - variable: enabled + label: Enabled + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: policyType + label: Policy Type + schema: + type: string + default: "" + enum: + - value: "" + description: Default + - value: ingress + description: Ingress + - value: egress + description: Egress + - value: ingress-egress + description: Ingress and Egress + - variable: egress + label: Egress + schema: + type: list + default: [] + items: + - variable: egressEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: to + label: To + schema: + type: list + default: [] + items: + - variable: toEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: ipBlock + label: IP Block + schema: + additional_attrs: true + type: dict + attrs: + - variable: cidr + label: CIDR + schema: + type: string + default: "" + - variable: except + label: Except + schema: + type: list + default: [] + items: + - variable: exceptint + label: "" + schema: + type: string + - variable: namespaceSelector + label: Namespace Selector + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist 
+ description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: podSelector + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: ports + label: Ports + schema: + type: list + default: [] + items: + - variable: portsEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + schema: + type: int + - variable: endPort + label: End Port + schema: + type: int + - variable: protocol + label: Protocol + schema: + type: string + default: TCP + enum: + - value: TCP + description: TCP + - value: UDP + description: UDP + - value: SCTP + description: SCTP + - variable: ingress + label: Ingress + schema: + type: list + default: [] + items: + - variable: ingressEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: from + label: From + schema: + type: list + default: [] + items: + - variable: fromEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: ipBlock + label: IP Block + schema: + additional_attrs: true + type: dict + attrs: + - variable: cidr + label: CIDR + schema: + type: string + default: "" + - variable: except + label: Except + schema: + type: list + default: [] + 
items: + - variable: exceptint + label: "" + schema: + type: string + - variable: namespaceSelector + label: Namespace Selector + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: podSelector + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: ports + label: Ports + schema: + type: list + default: [] + items: + - variable: portsEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + schema: + type: int + - variable: endPort + label: End Port + schema: + type: int + - variable: protocol + label: Protocol + schema: + type: string + default: TCP + enum: + - value: TCP + description: TCP + - 
value: UDP + description: UDP + - value: SCTP + description: SCTP + - variable: addons + group: Addons + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: codeserver + label: Codeserver + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enabled + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: service + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: NodePort + description: Deprecated CHANGE THIS + - value: ClusterIP + description: ClusterIP + - value: LoadBalancer + description: LoadBalancer + - variable: loadBalancerIP + label: LoadBalancer IP + description: "MetalLB Only: Selects the Loadbalancer IP to expose on. Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: ports + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: codeserver + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + schema: + type: int + default: 36107 + - variable: ingress + label: "Ingress" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable Ingress + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hosts + label: Hosts + schema: + type: list + default: [] + items: + - variable: hostEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: host + label: HostName + schema: + type: string + default: "" + required: true + - variable: paths + label: Paths + schema: + type: list + default: [{path: "/", pathType: "Prefix"}] + items: + - 
variable: pathEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: path + label: Path + schema: + type: string + required: true + default: "/" + - variable: pathType + label: Path Type + schema: + type: string + required: true + default: Prefix + - variable: certificateIssuer + label: Cert-Manager clusterIssuer + description: 'add the name of your cert-manager clusterIssuer here for automatic tls certificates. Cannot be used combined with tls option below' + schema: + type: string + default: "" + - variable: middlewares + label: Traefik Middlewares + description: Add previously created Traefik Middlewares to this Ingress + schema: + type: list + default: [] + items: + - variable: name + label: Name + schema: + type: string + default: "" + required: true + - variable: advanced + label: Show Advanced Settings + description: Advanced settings are not covered by TrueCharts Support + schema: + type: boolean + default: false + - variable: entrypoint + label: (Advanced) Traefik Entrypoint + description: Entrypoint used by Traefik when using Traefik as Ingress Provider + schema: + type: string + default: websecure + show_if: [["advanced", "=", true]] + required: true + - variable: allowCors + label: "Allow Cross Origin Requests" + schema: + type: boolean + show_if: [["advanced", "=", true]] + default: false + - variable: ingressClassName + label: (Advanced/Optional) IngressClass Name + schema: + type: string + show_if: [["advanced", "=", true]] + default: "" + - variable: tls + label: TLS-Settings + schema: + type: list + show_if: [["advanced", "=", true]] + default: [] + items: + - variable: tlsEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: hosts + label: Certificate Hosts + schema: + type: list + default: [] + items: + - variable: host + label: Host + schema: + type: string + default: "" + required: true + - variable: certificateIssuer + label: Use Cert-Manager clusterIssuer + description: 
'add the name of your cert-manager clusterIssuer here for automatic tls certificates.' + schema: + type: string + default: "" + - variable: clusterCertificate + label: 'Cluster Certificate (Advanced)' + description: 'Add the name of your cluster-wide certificate, that you set up in the ClusterIssuer chart.' + schema: + type: string + show_if: [["certificateIssuer", "=", ""]] + default: "" + - variable: secretName + label: 'Use Custom Certificate Secret (Advanced)' + schema: + show_if: [["certificateIssuer", "=", ""]] + type: string + default: "" + - variable: scaleCert + label: 'Use TrueNAS SCALE Certificate (Deprecated)' + schema: + show_if: [["certificateIssuer", "=", ""]] + type: int + $ref: + - "definitions/certificate" + - variable: envList + label: Codeserver Environment Variables + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: envItem + label: Environment Variable + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: value + label: Value + schema: + type: string + required: true + - variable: netshoot + label: Netshoot + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enabled + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: envList + label: Netshoot Environment Variables + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: envItem + label: Environment Variable + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: value + label: Value + schema: + type: string + required: true + - variable: vpn + label: VPN + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Type + schema: + type: string + default: disabled + enum: + - value: disabled + description: disabled + 
- value: gluetun + description: Gluetun + - value: tailscale + description: Tailscale + - value: openvpn + description: OpenVPN (Deprecated) + - value: wireguard + description: Wireguard (Deprecated) + - variable: openvpn + label: OpenVPN Settings + schema: + additional_attrs: true + type: dict + show_if: [["type", "=", "openvpn"]] + attrs: + - variable: username + label: Authentication Username (Optional) + description: Authentication Username, Optional + schema: + type: string + default: "" + - variable: password + label: Authentication Password + description: Authentication Credentials + schema: + type: string + show_if: [["username", "!=", ""]] + default: "" + required: true + - variable: tailscale + label: Tailscale Settings + schema: + additional_attrs: true + type: dict + show_if: [["type", "=", "tailscale"]] + attrs: + - variable: authkey + label: Authentication Key + description: Provide an auth key to automatically authenticate the node as your user account. + schema: + type: string + private: true + default: "" + - variable: auth_once + label: Auth Once + description: Only attempt to log in if not already logged in. + schema: + type: boolean + default: true + - variable: accept_dns + label: Accept DNS + description: Accept DNS configuration from the admin console. + schema: + type: boolean + default: false + - variable: userspace + label: Userspace + description: Userspace Networking mode allows running Tailscale where you do not have access to create a VPN tunnel device. + schema: + type: boolean + default: false + - variable: routes + label: Routes + description: Expose physical subnet routes to your entire Tailscale network. + schema: + type: string + default: "" + - variable: dest_ip + label: Destination IP + description: Tells the DNAT mechanism which Destination IP to set in the IP header, and where to send packets that are matched. 
+ schema: + type: string + default: "" + - variable: sock5_server + label: Sock5 Server + description: The address on which to listen for SOCKS5 proxying into the tailscale net. + schema: + type: string + default: "" + - variable: outbound_http_proxy_listen + label: Outbound HTTP Proxy Listen + description: The address on which to listen for HTTP proxying into the tailscale net. + schema: + type: string + default: "" + - variable: extra_args + label: Extra Args + description: Extra Args + schema: + type: string + default: "" + - variable: daemon_extra_args + label: Tailscale Daemon Extra Args + description: Tailscale Daemon Extra Args + schema: + type: string + default: "" + - variable: killSwitch + label: Enable Killswitch + schema: + type: boolean + show_if: [["type", "!=", "disabled"]] + default: true + - variable: excludedNetworks_IPv4 + label: Killswitch Excluded IPv4 networks + description: List of Killswitch Excluded IPv4 Addresses + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: networkv4 + label: IPv4 Network + schema: + type: string + required: true + - variable: excludedNetworks_IPv6 + label: Killswitch Excluded IPv6 networks + description: "List of Killswitch Excluded IPv6 Addresses" + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: networkv6 + label: IPv6 Network + schema: + type: string + required: true + - variable: configFile + label: VPN Config File Location + schema: + type: string + show_if: [["type", "!=", "disabled"]] + default: "" + + - variable: envList + label: VPN Environment Variables + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: envItem + label: Environment Variable + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: value + label: Value + schema: + type: string + required: true + max_length: 
10240 + - variable: docs + group: Documentation + label: Please read the documentation at https://truecharts.org + description: Please read the documentation at +
https://truecharts.org + schema: + additional_attrs: true + type: dict + attrs: + - variable: confirmDocs + label: I have checked the documentation + schema: + type: boolean + default: true + - variable: donateNag + group: Documentation + label: Please consider supporting TrueCharts, see https://truecharts.org/sponsor + description: Please consider supporting TrueCharts, see +
https://truecharts.org/sponsor + schema: + additional_attrs: true + type: dict + attrs: + - variable: confirmDonate + label: I have considered donating + schema: + type: boolean + default: true + hidden: true + + - variable: warning + group: Documentation + label: 'WARNING: If installed, be sure to move the TrueNAS GUI to another port (not 80 or 443).' + description: 'See:
https://truecharts.org/charts/enterprise/traefik/how-to for more info.' + schema: + additional_attrs: true + type: dict + attrs: + - variable: warningconfim + label: I am aware that I will brick my system, if I did not follow the instructions. + schema: + type: boolean + default: false + required: true diff --git a/enterprise/traefik/24.0.0/templates/NOTES.txt b/enterprise/traefik/24.0.0/templates/NOTES.txt new file mode 100644 index 00000000000..efcb74cb772 --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/NOTES.txt @@ -0,0 +1 @@ +{{- include "tc.v1.common.lib.chart.notes" $ -}} diff --git a/enterprise/traefik/24.0.0/templates/_args.tpl b/enterprise/traefik/24.0.0/templates/_args.tpl new file mode 100644 index 00000000000..06e39a46890 --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/_args.tpl 
@@ -0,0 +1,194 @@ +{{/* Define the args */}} +{{- define "traefik.args" -}} +args: + {{/* merge all ports */}} + {{- $ports := dict }} + {{- range $.Values.service }} + {{- range $name, $value := .ports }} + {{- $_ := set $ports $name $value }} + {{- end }} + {{- end }} + {{/* start of actual arguments */}} + {{- with .Values.globalArguments }} + {{- range . }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- range $name, $config := $ports }} + {{- if $config }} + {{- if or ( eq $config.protocol "http" ) ( eq $config.protocol "https" ) ( eq $config.protocol "tcp" ) }} + {{- $_ := set $config "protocol" "tcp" }} + {{- end }} + - "--entryPoints.{{$name}}.address=:{{ $config.port }}/{{ default "tcp" $config.protocol | lower }}" + {{- end }} + {{- end }} + - "--api.dashboard=true" + - "--ping=true" + {{- if .Values.traefikMetrics }} + {{- if .Values.traefikMetrics.datadog }} + - "--metrics.datadog=true" + - "--metrics.datadog.address={{ .Values.traefikMetrics.datadog.address }}" + {{- end }} + {{- if .Values.traefikMetrics.influxdb }} + - "--metrics.influxdb=true" + - "--metrics.influxdb.address={{ .Values.traefikMetrics.influxdb.address }}" + - "--metrics.influxdb.protocol={{ .Values.traefikMetrics.influxdb.protocol }}" + {{- end }} + {{- if .Values.traefikMetrics.statsd }} + - "--metrics.statsd=true" + - "--metrics.statsd.address={{ .Values.traefikMetrics.statsd.address }}" + {{- if or .Values.traefikMetrics.prometheus }} + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.metrics.main.enabled }} + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + {{- end }} + {{- if .Values.providers.kubernetesCRD.enabled }} + - "--providers.kubernetescrd" + {{- end }} + {{- if .Values.providers.kubernetesIngress.enabled }} + - "--providers.kubernetesingress" + {{- if .Values.providers.kubernetesIngress.publishedService.enabled }} + - 
"--providers.kubernetesingress.ingressendpoint.publishedservice={{ template "providers.kubernetesIngress.publishedServicePath" . }}" + {{- end }} + {{- if .Values.providers.kubernetesIngress.labelSelector }} + - "--providers.kubernetesingress.labelSelector={{ .Values.providers.kubernetesIngress.labelSelector }}" + {{- end }} + {{- end }} + {{- if and .Values.rbac.enabled .Values.rbac.namespaced }} + {{- if .Values.providers.kubernetesCRD.enabled }} + - "--providers.kubernetescrd.namespaces={{ template "providers.kubernetesCRD.namespaces" . }}" + {{- end }} + {{- if .Values.providers.kubernetesIngress.enabled }} + - "--providers.kubernetesingress.namespaces={{ template "providers.kubernetesIngress.namespaces" . }}" + {{- end }} + {{- end }} + {{- if $.Values.ingressClass.enabled }} + - "--providers.kubernetesingress.ingressclass={{ .Release.Name }}" + {{- end }} + {{- range $entrypoint, $config := $ports }} + {{/* add args for proxyProtocol support */}} + {{- if $config.proxyProtocol }} + {{- if $config.proxyProtocol.enabled }} + {{- if $config.proxyProtocol.insecureMode }} + - "--entrypoints.{{ $entrypoint }}.proxyProtocol.insecure" + {{- end }} + {{- if not ( empty $config.proxyProtocol.trustedIPs ) }} + - "--entrypoints.{{ $entrypoint }}.proxyProtocol.trustedIPs={{ join "," $config.proxyProtocol.trustedIPs }}" + {{- end }} + {{- end }} + {{- end }} + {{/* add args for forwardedHeaders support */}} + {{- if $config.forwardedHeaders.enabled }} + {{- if not ( empty $config.forwardedHeaders.trustedIPs ) }} + - "--entrypoints.{{ $entrypoint }}.forwardedHeaders.trustedIPs={{ join "," $config.forwardedHeaders.trustedIPs }}" + {{- end }} + {{- if $config.forwardedHeaders.insecureMode }} + - "--entrypoints.{{ $entrypoint }}.forwardedHeaders.insecure" + {{- end }} + {{- end }} + {{/* end forwardedHeaders configuration */}} + {{- if $config.redirectTo }} + {{- $toPort := index $ports $config.redirectTo }} + - "--entrypoints.{{ $entrypoint 
}}.http.redirections.entryPoint.to=:{{ $toPort.port }}" + - "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https" + {{- else if $config.redirectPort }} + {{ if gt $config.redirectPort 0.0 }} + - "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $config.redirectPort }}" + - "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https" + {{- end }} + {{- end }} + {{- if or ( $config.tls ) ( eq $config.protocol "https" ) }} + {{- if or ( $config.tls.enabled ) ( eq $config.protocol "https" ) }} + - "--entrypoints.{{ $entrypoint }}.http.tls=true" + {{- if $config.tls.options }} + - "--entrypoints.{{ $entrypoint }}.http.tls.options={{ $config.tls.options }}" + {{- end }} + {{- if $config.tls.certResolver }} + - "--entrypoints.{{ $entrypoint }}.http.tls.certResolver={{ $config.tls.certResolver }}" + {{- end }} + {{- if $config.tls.domains }} + {{- range $index, $domain := $config.tls.domains }} + {{- if $domain.main }} + - "--entrypoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].main={{ $domain.main }}" + {{- end }} + {{- if $domain.sans }} + - "--entrypoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].sans={{ join "," $domain.sans }}" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.logs }} + - "--log.format={{ .general.format }}" + {{- if ne .general.level "ERROR" }} + - "--log.level={{ .general.level | upper }}" + {{- end }} + {{- if .access.enabled }} + - "--accesslog=true" + - "--accesslog.format={{ .access.format }}" + {{- if .access.bufferingsize }} + - "--accesslog.bufferingsize={{ .access.bufferingsize }}" + {{- end }} + {{- if .access.filters }} + {{- if .access.filters.statuscodes }} + - "--accesslog.filters.statuscodes={{ .access.filters.statuscodes }}" + {{- end }} + {{- if .access.filters.retryattempts }} + - "--accesslog.filters.retryattempts" + {{- end }} + {{- if .access.filters.minduration }} + - "--accesslog.filters.minduration={{ 
.access.filters.minduration }}" + {{- end }} + {{- end }} + - "--accesslog.fields.defaultmode={{ .access.fields.general.defaultmode }}" + {{- range $fieldname, $fieldaction := .access.fields.general.names }} + - "--accesslog.fields.names.{{ $fieldname }}={{ $fieldaction }}" + {{- end }} + - "--accesslog.fields.headers.defaultmode={{ .access.fields.headers.defaultmode }}" + {{- range $fieldname, $fieldaction := .access.fields.headers.names }} + - "--accesslog.fields.headers.names.{{ $fieldname }}={{ $fieldaction }}" + {{- end }} + {{- end }} + {{- end }} + {{/* + For new plugins, add them on the container also + https://github.com/truecharts/containers/blob/master/mirror/traefik/Dockerfile + moduleName must match on the container and here + */}} + {{- if .Values.middlewares.themePark }} + {{/* theme.park */}} + - "--experimental.localPlugins.traefik-themepark.modulename=github.com/packruler/traefik-themepark" + {{- end }} + {{/* End of theme.park */}} + {{/* GeoBlock */}} + {{- if .Values.middlewares.geoBlock }} + - "--experimental.localPlugins.GeoBlock.modulename=github.com/PascalMinder/geoblock" + {{- end }} + {{/* End of GeoBlock */}} + {{/* RealIP */}} + {{- if .Values.middlewares.realIP }} + - "--experimental.localPlugins.traefik-real-ip.modulename=github.com/jramsgz/traefik-real-ip" + {{- end }} + {{/* End of RealIP */}} + {{/* ModSecurity */}} + {{- if .Values.middlewares.modsecurity }} + - "--experimental.localPlugins.traefik-modsecurity-plugin.modulename=github.com/acouvreur/traefik-modsecurity-plugin" + {{- end }} + {{/* End of ModSecurity */}} + {{/* RewriteResponseHeaders */}} + {{- if .Values.middlewares.rewriteResponseHeaders }} + - "--experimental.localPlugins.rewriteResponseHeaders.modulename=github.com/XciD/traefik-plugin-rewrite-headers" + {{- end }} + {{/* End of RewriteResponseHeaders */}} + {{- with .Values.additionalArguments }} + {{- range . }} + - {{ . | quote }} + {{- end }} + {{- end }} +{{- end -}} 
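Review bot: In `traefik.args`, both `eq $config.protocol "https"` tests in the second `range` over `$ports` look unreachable, because the first loop has already run `set $config "protocol" "tcp"` on the same map for every http, https and tcp port. An entrypoint declared as `https` therefore appears to get `--entrypoints.<name>.http.tls=true` only when `tls.enabled` is set, so routers without a TLS section of their own would answer in plaintext on it; please confirm that is intended. Unless the rewritten value is relied on outside this template, normalise into a local instead of mutating, e.g. `{{- $proto := ternary "tcp" $config.protocol (has $config.protocol (list "http" "https" "tcp")) }}`, and use `$proto` in the address argument. Once the https test is live, the inner `$config.tls.enabled` needs a nested `{{- if $config.tls }}` guard, since `tls` may be absent. `$config.forwardedHeaders.enabled` has the same gap: it is dereferenced without the existence check that `proxyProtocol` gets a few lines above it.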
diff --git a/enterprise/traefik/24.0.0/templates/_helpers.tpl b/enterprise/traefik/24.0.0/templates/_helpers.tpl new file mode 100644 index 00000000000..1345dcea39a --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/_helpers.tpl @@ -0,0 +1,22 @@ +{{/* +Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice. +By convention this will simply use the / to match the name of the +service generated. +Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride` +*/}} +{{- define "providers.kubernetesIngress.publishedServicePath" -}} +{{- $fullName := include "tc.v1.common.lib.chart.names.fullname" . -}} +{{- $defServiceName := printf "%s/%s-tcp" .Release.Namespace $fullName -}} +{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct a comma-separated list of whitelisted namespaces +*/}} +{{- define "providers.kubernetesIngress.namespaces" -}} +{{- default .Release.Namespace (join "," .Values.providers.kubernetesIngress.namespaces) }} +{{- end -}} +{{- define "providers.kubernetesCRD.namespaces" -}} +{{- default .Release.Namespace (join "," .Values.providers.kubernetesCRD.namespaces) }} +{{- end -}} diff --git a/enterprise/traefik/24.0.0/templates/_ingressclass.tpl b/enterprise/traefik/24.0.0/templates/_ingressclass.tpl new file mode 100644 index 00000000000..4213783865c --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/_ingressclass.tpl 
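Review bot: `providers.kubernetesCRD.namespaces` has no comment of its own; the comment above it documents only the Ingress variant. I would add `{{/* Comma-separated namespaces watched by the kubernetesCRD provider; falls back to the release namespace when the list is empty. */}}` before its `define`. In the first comment, "use the / to match the name" reads as if its placeholders were lost, at least as shown here; the code builds `<namespace>/<fullname>-tcp`, and the comment should say so.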
@@ -0,0 +1,24 @@ +{{/* Define the ingressClass */}} +{{- define "traefik.ingressClass" -}} +--- +{{ if $.Values.ingressClass.enabled }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass" }} +apiVersion: networking.k8s.io/v1beta1 + {{- else if or (eq .Values.ingressClass.fallbackApiVersion "v1beta1") (eq .Values.ingressClass.fallbackApiVersion "v1") }} +apiVersion: {{ printf "networking.k8s.io/%s" .Values.ingressClass.fallbackApiVersion }} + {{- else }} + {{- fail "\n\n ERROR: You must have at least networking.k8s.io/v1beta1 to use ingressClass" }} + {{- end }} +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }} + labels: + {{- include "tc.v1.common.lib.metadata.allLabels" . | nindent 4 }} + name: {{ .Release.Name }} +spec: + controller: traefik.io/ingress-controller +{{- end }} +{{- end }} diff --git a/enterprise/traefik/24.0.0/templates/_ingressroute.tpl b/enterprise/traefik/24.0.0/templates/_ingressroute.tpl new file mode 100644 index 00000000000..8e1d0f4e3f9 --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/_ingressroute.tpl 
@@ -0,0 +1,34 @@ +{{/* Define the ingressRoute */}} +{{- define "traefik.ingressRoute" -}} +{{ if .Values.ingressRoute.dashboard.enabled }} + +{{- $ingressRouteLabels := .Values.ingressRoute.dashboard.labels }} +{{- $ingressRouteAnnotations := .Values.ingressRoute.dashboard.annotations }} + +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}-dashboard + {{- $labels := (mustMerge ($ingressRouteLabels | default dict) (include "tc.v1.common.lib.metadata.allLabels" $ | fromYaml)) -}} + {{- with (include "tc.v1.common.lib.metadata.render" (dict "rootCtx" $ "labels" $labels) | trim) }} + labels: + {{- . | nindent 4 }} + {{- end }} + {{- $annotations := (mustMerge ($ingressRouteAnnotations | default dict) (include "tc.v1.common.lib.metadata.allAnnotations" $ | fromYaml)) -}} + {{- with (include "tc.v1.common.lib.metadata.render" (dict "rootCtx" $ "annotations" $annotations) | trim) }} + annotations: + {{- . | nindent 4 }} + {{- end }} + +spec: + entryPoints: + - main + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +{{ end }} +{{- end }} diff --git a/enterprise/traefik/24.0.0/templates/_portalhook.tpl b/enterprise/traefik/24.0.0/templates/_portalhook.tpl new file mode 100644 index 00000000000..ec69a695ca6 --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/_portalhook.tpl 
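Review bot: The dashboard route to `api@internal` matches on path prefix only and carries no `middlewares:` entry, so anyone who can reach the `main` entrypoint can read the router, service and middleware configuration without authenticating. Because `_args.tpl` emits `--api.dashboard=true` unconditionally, this IngressRoute is the only gate on the API. I would add an optional `middlewares:` list to the route, rendered with `toYaml` from a new values key (for example `ingressRoute.dashboard.middlewares`, a name proposed here rather than one the chart already has), so that a basicAuth or IP allow-list middleware can be attached. A comment above `entryPoints: - main` stating which port `main` maps to and that it must not be published externally would also help operators.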
@@ -0,0 +1,24 @@ +{{/* Define the portalHook */}} +{{- define "traefik.portalhook" -}} +{{- if .Values.portalhook.enabled -}} + {{- $name := "portalhook" -}} + {{- if $.Values.ingressClass.enabled -}} + {{- $name = printf "portalhook-%v" .Release.Name -}} + {{- end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $name }} +data: + {{- $ports := dict }} + {{- range $.Values.service }} + {{- range $name, $value := .ports }} + {{- $_ := set $ports $name $value }} + {{- end }} + {{- end }} + {{- range $name, $value := $ports }} + {{ $name }}: {{ $value.port | quote }} + {{- end }} +{{- end }} +{{- end -}} diff --git a/enterprise/traefik/24.0.0/templates/_tlsoptions.tpl b/enterprise/traefik/24.0.0/templates/_tlsoptions.tpl new file mode 100644 index 00000000000..163b5364421 --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/_tlsoptions.tpl @@ -0,0 +1,13 @@ +{{/* Define the tlsOptions */}} +{{- define "traefik.tlsOptions" -}} +{{- range $name, $config := .Values.tlsOptions }} + +--- +apiVersion: traefik.io/v1alpha1 +kind: TLSOption +metadata: + name: {{ $name }} +spec: + {{- toYaml $config | nindent 2 }} +{{- end }} +{{- end }} diff --git a/enterprise/traefik/24.0.0/templates/_tlsstore.tpl b/enterprise/traefik/24.0.0/templates/_tlsstore.tpl new file mode 100644 index 00000000000..17908e29201 --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/_tlsstore.tpl 
@@ -0,0 +1,26 @@ +{{/* Define the tlsOptions */}} +{{- define "traefik.tlsstore" -}} +{{- if .Values.defaultCertificate }} +--- +apiVersion: traefik.io/v1alpha1 +kind: TLSStore +metadata: + name: default +spec: + certificates: + - secretName: clusterissuer-templated-{{ tpl .Values.defaultCertificate $ }} + defaultCertificate: + secretName: clusterissuer-templated-{{ tpl .Values.defaultCertificate $ }} +{{- end }} + +{{- range $name, $config := .Values.tlsStore }} + +--- +apiVersion: traefik.io/v1alpha1 +kind: TLSStore +metadata: + name: {{ $name }} +spec: + {{- toYaml $config | nindent 2 }} +{{- end }} +{{- end }} diff --git a/enterprise/traefik/24.0.0/templates/common.yaml b/enterprise/traefik/24.0.0/templates/common.yaml new file mode 100644 index 00000000000..d00c5ec4cc2 --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/common.yaml @@ -0,0 +1,24 @@ +{{/* Make sure all variables are set properly */}} +{{- include "tc.v1.common.loader.init" . }} + +{{- $newArgs := (include "traefik.args" . | fromYaml) }} +{{- $_ := set .Values "newArgs" $newArgs -}} +{{- $mergedargs := concat $.Values.workload.main.podSpec.containers.main.args .Values.newArgs.args }} +{{- $_ := set $.Values.workload.main.podSpec.containers.main "args" $mergedargs -}} + +{{- include "traefik.portalhook" . }} +{{- include "traefik.tlsstore" . }} +{{- include "traefik.tlsOptions" . }} +{{- include "traefik.ingressRoute" . }} +{{- include "traefik.ingressClass" . }} + +{{- with .Values.ingress -}} + {{- with .main -}} + {{- if .enabled -}} + {{- $_ := set $.Values.portal.open.override "protocol" "https" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* Render the templates */}} +{{ include "tc.v1.common.loader.apply" . }} diff --git a/enterprise/traefik/24.0.0/templates/middlewares/addPrefix.yaml b/enterprise/traefik/24.0.0/templates/middlewares/addPrefix.yaml new file mode 100644 index 00000000000..47138233643 --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/middlewares/addPrefix.yaml 
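Review bot: The header comment on `traefik.tlsstore` reads `{{/* Define the tlsOptions */}}`, apparently copied from `_tlsoptions.tpl`; it should be `{{/* Define the tlsStore */}}`. The first document also hard-codes `name: default`, and the `range` over `.Values.tlsStore` would emit a second TLSStore with that name if the map has a `default` key while `defaultCertificate` is set. An explicit `fail` for that combination would surface the conflict at render time instead of at apply time.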
@@ -0,0 +1,12 @@ +{{- range $index, $middlewareData := .Values.middlewares.addPrefix }} + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }} + namespace: {{ $.Release.Namespace }} +spec: + addPrefix: + prefix: {{ $middlewareData.prefix }} +{{- end }} diff --git a/enterprise/traefik/24.0.0/templates/middlewares/basic-middleware.yaml b/enterprise/traefik/24.0.0/templates/middlewares/basic-middleware.yaml new file mode 100644 index 00000000000..ef4671254ef --- /dev/null +++ b/enterprise/traefik/24.0.0/templates/middlewares/basic-middleware.yaml 
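Review bot: `prefix: {{ $middlewareData.prefix }}` is rendered unquoted, so a value containing `: ` or `#`, or starting with `{` or `*`, changes the structure or type of the manifest instead of being taken as a literal path prefix. Quote it at render time: `prefix: {{ $middlewareData.prefix | quote }}`. The `name:` line takes `$middlewareData.name` the same way and would benefit from `| quote` as well.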
@@ -0,0 +1,57 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-compress" $.Release.Name) "compress" $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ compress: {}
+---
+# Here, an average of 300 requests per second is allowed.
+# In addition, a burst of 200 requests is allowed.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-basic-ratelimit" $.Release.Name) "basic-ratelimit" $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ rateLimit:
+ average: 600
+ burst: 400
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-basic-secure-headers" $.Release.Name) "basic-secure-headers" $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ headers:
+ accessControlAllowMethods:
+ - GET
+ - OPTIONS
+ - HEAD
+ - PUT
+ accessControlMaxAge: 100
+ stsSeconds: 63072000
+ # stsIncludeSubdomains: false
+ # stsPreload: false
+ forceSTSHeader: true
+ contentTypeNosniff: true
+ browserXssFilter: true
+ referrerPolicy: same-origin
+ customRequestHeaders:
+ X-Forwarded-Proto: "https"
+ customResponseHeaders:
+ server: ''
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-chain-basic" $.Release.Name) "chain-basic" $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ chain:
+ middlewares:
+ - name: {{ ternary (printf "%v-basic-ratelimit" $.Release.Name) "basic-ratelimit" $.Values.ingressClass.enabled }}
+ - name: {{ ternary (printf "%v-basic-secure-headers" $.Release.Name) "basic-secure-headers" $.Values.ingressClass.enabled }}
+ - name: {{ ternary (printf "%v-compress" $.Release.Name) "compress" $.Values.ingressClass.enabled }}
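Review bot: The comment above the `basic-ratelimit` middleware in `basic-middleware.yaml` states an average of 300 requests per second and a burst of 200, but the spec below it sets `average: 600` and `burst: 400`. Anyone reading the comment to judge how much traffic this chain admits gets half the real figure. The two lines should read `# Here, an average of 600 requests per second is allowed.` and `# In addition, a burst of 400 requests is allowed.`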
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/basicauth.yaml b/enterprise/traefik/24.0.0/templates/middlewares/basicauth.yaml
new file mode 100644
index 00000000000..1bbdc462b34
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/basicauth.yaml
@@ -0,0 +1,30 @@
+{{- range $index, $middlewareData := .Values.middlewares.basicAuth -}}
+
+ {{- $users := list -}}
+ {{- range $index, $userdata := $middlewareData.users -}}
+ {{- $users = append $users (htpasswd $userdata.username $userdata.password) -}}
+ {{- end }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%v-%v" $middlewareData.name "secret" }}
+ namespace: {{ $.Release.Namespace }}
+type: Opaque
+stringData:
+ users: |
+ {{- range $index, $user := $users }}
+ {{ printf "%s" $user }}
+ {{- end }}
+---
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ basicAuth:
+ secret: {{ printf "%v-%v" $middlewareData.name "secret" }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/buffering.yaml b/enterprise/traefik/24.0.0/templates/middlewares/buffering.yaml
new file mode 100644
index 00000000000..eade09784e4
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/buffering.yaml
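Review bot: The Secret in `basicauth.yaml` is named `{{ printf "%v-%v" $middlewareData.name "secret" }}` without the release prefix that the Middleware name receives when `ingressClass.enabled` is set, so two releases in one namespace that define a basicAuth entry with the same name would target the same credentials Secret. Using one expression for both the Secret `metadata.name` and `spec.basicAuth.secret`, e.g. `{{ ternary (printf "%v-%v-secret" $.Release.Name $middlewareData.name) (printf "%v-secret" $middlewareData.name) $.Values.ingressClass.enabled }}`, keeps the pair scoped together. The passwords are read from values in clear text and only hashed at render time, which is worth a comment next to the `htpasswd` call.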
@@ -0,0 +1,26 @@
+{{- range $index, $middlewareData := .Values.middlewares.buffering }}
+---
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ buffering: {{/* Only render if its not and has a value of 0 or greater */}}
+ {{- if and (not (kindIs "invalid" $middlewareData.maxRequestBodyBytes)) (ge ($middlewareData.maxRequestBodyBytes | int) 0) }}
+ maxRequestBodyBytes: {{ $middlewareData.maxRequestBodyBytes }}
+ {{- end -}}
+ {{- if and (not (kindIs "invalid" $middlewareData.memRequestBodyBytes)) (ge ($middlewareData.memRequestBodyBytes | int) 0) }}
+ memRequestBodyBytes: {{ $middlewareData.memRequestBodyBytes }}
+ {{- end -}}
+ {{- if and (not (kindIs "invalid" $middlewareData.maxResponseBodyBytes)) (ge ($middlewareData.maxResponseBodyBytes | int) 0) }}
+ maxResponseBodyBytes: {{ $middlewareData.maxResponseBodyBytes }}
+ {{- end -}}
+ {{- if and (not (kindIs "invalid" $middlewareData.memResponseBodyBytes)) (ge ($middlewareData.memResponseBodyBytes | int) 0) }}
+ memResponseBodyBytes: {{ $middlewareData.memResponseBodyBytes }}
+ {{- end -}}
+ {{- if $middlewareData.retryExpression }}
+ retryExpression: {{ $middlewareData.retryExpression | quote }}
+ {{- end -}}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/chain.yaml b/enterprise/traefik/24.0.0/templates/middlewares/chain.yaml
new file mode 100644
index 00000000000..17d8853fb05
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/chain.yaml
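Review bot: The YAML comment `# Declaring the user list` in `buffering.yaml` describes the basicAuth template it was copied from, not a buffering middleware; the same line appears in `chain.yaml`, `customFrameOptionsValue.yaml`, `customRequestHeaders.yaml`, `customResponseHeaders.yaml`, `ipwhitelist.yaml`, `ratelimit.yaml`, `redirectScheme.yaml` and `redirectregex.yaml` later in this patch. Each should name what it renders, here `# Request and response buffering limits`. The template comment on the `buffering:` line is missing a word and could read `{{/* Only render if it is set and has a value of 0 or greater */}}`.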
@@ -0,0 +1,21 @@
+{{- $values := .Values -}}
+{{- $namespace := $.Release.Namespace -}}
+{{- if $.Values.ingressClass.enabled -}}
+ {{- $namespace := (printf "%v-%v" $namespace .Release.Name) -}}
+{{- end -}}
+
+{{- range $index, $middlewareData := .Values.middlewares.chain }}
+---
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ chain:
+ middlewares:
+ {{- range $index, $middleware := .middlewares }}
+ - name: {{ printf "%v-%v@%v" $namespace $middleware "kubernetescrd" }}
+ {{- end }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/customFrameOptionsValue.yaml b/enterprise/traefik/24.0.0/templates/middlewares/customFrameOptionsValue.yaml
new file mode 100644
index 00000000000..9b9f2b6606c
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/customFrameOptionsValue.yaml
@@ -0,0 +1,12 @@
+{{- range $index, $middlewareData := .Values.middlewares.customFrameOptionsValue }}
+---
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ headers:
+ customFrameOptionsValue: {{ $middlewareData.value }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/customRequestHeaders.yaml b/enterprise/traefik/24.0.0/templates/middlewares/customRequestHeaders.yaml
new file mode 100644
index 00000000000..3c43a131a1d
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/customRequestHeaders.yaml
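Review bot: In `chain.yaml` the assignment inside `{{- if $.Values.ingressClass.enabled -}}` uses `:=`, which declares a new `$namespace` scoped to the `if` block, so the outer `$namespace` used in `- name: {{ printf "%v-%v@%v" $namespace $middleware "kubernetescrd" }}` never gets the release name appended. With `ingressClass.enabled` the member middlewares are rendered under release-prefixed names elsewhere in this patch, so a chain meant to apply authentication or rate limiting would likely reference names that do not exist. The line should assign rather than declare: `{{- $namespace = (printf "%v-%v" $namespace .Release.Name) -}}`. `$values` is set on the first line and never used.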
@@ -0,0 +1,15 @@
+{{- range $index, $middlewareData := .Values.middlewares.customRequestHeaders }}
+---
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ headers:
+ customRequestHeaders:
+ {{- range $index, $customRequestHeader := $middlewareData.headers }}
+ {{ $customRequestHeader.name }}: {{ $customRequestHeader.value | quote }}
+ {{- end }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/customResponseHeaders.yaml b/enterprise/traefik/24.0.0/templates/middlewares/customResponseHeaders.yaml
new file mode 100644
index 00000000000..a75db8a3382
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/customResponseHeaders.yaml
@@ -0,0 +1,15 @@
+{{- range $index, $middlewareData := .Values.middlewares.customResponseHeaders }}
+---
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ headers:
+ customResponseHeaders:
+ {{- range $index, $customResponseHeader := $middlewareData.headers }}
+ {{ $customResponseHeader.name }}: {{ $customResponseHeader.value | quote }}
+ {{- end }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/forwardauth.yaml b/enterprise/traefik/24.0.0/templates/middlewares/forwardauth.yaml
new file mode 100644
index 00000000000..787fa796823
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/forwardauth.yaml
@@ -0,0 +1,29 @@
+{{- range $index, $middlewareData := .Values.middlewares.forwardAuth }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ forwardAuth:
+ address: {{ $middlewareData.address }}
+ {{- with $middlewareData.authResponseHeaders }}
+ authResponseHeaders:
+ {{- toYaml . | nindent 4 }}
+ {{- end -}}
+ {{- with $middlewareData.authRequestHeaders }}
+ authRequestHeaders:
+ {{- toYaml . | nindent 4 }}
+ {{- end -}}
+ {{- if $middlewareData.authResponseHeadersRegex }}
+ authResponseHeadersRegex: {{ $middlewareData.authResponseHeadersRegex }}
+ {{- end -}}
+ {{- if $middlewareData.trustForwardHeader }}
+ trustForwardHeader: true
+ {{- end -}}
+ {{- with $middlewareData.tls }}
+ tls:
+ insecureSkipVerify: {{ .insecureSkipVerify | default false }}
+ {{- end -}}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/geoblock.yaml b/enterprise/traefik/24.0.0/templates/middlewares/geoblock.yaml
new file mode 100644
index 00000000000..2a647778e56
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/geoblock.yaml
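Review bot: The `tls` block in `forwardauth.yaml` passes through only `insecureSkipVerify`, so the one TLS decision an operator can make for the connection to the auth server is to switch certificate verification off. The Middleware CRD's forwardAuth `tls` section also accepts `caSecret`; forwarding it with `{{- with .caSecret }}`, `caSecret: {{ . }}`, `{{- end }}` lets an auth server behind a private CA be verified instead of skipped. `authResponseHeadersRegex` is emitted unquoted, unlike the regex fields in `redirectregex.yaml`, and should get `| quote`.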
@@ -0,0 +1,29 @@
+{{- range $index, $middlewareData := .Values.middlewares.geoBlock }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ plugin:
+ GeoBlock:
+ allowLocalRequests: {{ $middlewareData.allowLocalRequests }}
+ logLocalRequests: {{ $middlewareData.logLocalRequests }}
+ logAllowedRequests: {{ $middlewareData.logAllowedRequests }}
+ logApiRequests: {{ $middlewareData.logApiRequests }}
+ api: {{ $middlewareData.api }}
+ apiTimeoutMs: {{ $middlewareData.apiTimeoutMs }}
+ cacheSize: {{ $middlewareData.cacheSize }}
+ forceMonthlyUpdate: {{ $middlewareData.forceMonthlyUpdate }}
+ allowUnknownCountries: {{ $middlewareData.allowUnknownCountries }}
+ unknownCountryApiResponse: {{ $middlewareData.unknownCountryApiResponse }}
+ blackListMode: {{ $middlewareData.blackListMode }}
+ {{- if not $middlewareData.countries -}}
+ {{- fail "You have to define at least one country..." -}}
+ {{- end }}
+ countries:
+ {{- range $middlewareData.countries }}
+ - {{ . }}
+ {{- end }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/ipwhitelist.yaml b/enterprise/traefik/24.0.0/templates/middlewares/ipwhitelist.yaml
new file mode 100644
index 00000000000..fc876aca5fe
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/ipwhitelist.yaml
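Review bot: The access-deciding switches in `geoblock.yaml` (`allowLocalRequests`, `allowUnknownCountries`, `blackListMode`) are rendered straight from values with no default, so an omitted key produces an empty value and the effective policy is whatever the plugin does with a missing field, which this template does not show. Pinning them in the template, e.g. `allowUnknownCountries: {{ $middlewareData.allowUnknownCountries | default false }}`, makes the rendered policy explicit and reviewable. The `countries` check could also move to the top of the `range` body so the render fails before any of the document is emitted.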
@@ -0,0 +1,27 @@
+{{- range $index, $middlewareData := .Values.middlewares.ipWhiteList }}
+---
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ ipWhiteList:
+ sourceRange:
+ {{- range $middlewareData.sourceRange }}
+ - {{ . }}
+ {{- end }}
+ {{- if $middlewareData.ipStrategy }}
+ ipStrategy:
+ {{- if $middlewareData.ipStrategy.depth }}
+ depth: {{ $middlewareData.ipStrategy.depth }}
+ {{- end -}}
+ {{- if $middlewareData.ipStrategy.excludedIPs }}
+ excludedIPs:
+ {{- range $middlewareData.ipStrategy.excludedIPs }}
+ - {{ . }}
+ {{- end }}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/modsecurity.yaml b/enterprise/traefik/24.0.0/templates/middlewares/modsecurity.yaml
new file mode 100644
index 00000000000..07a8d5d358f
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/modsecurity.yaml
@@ -0,0 +1,14 @@
+{{- range $index, $middlewareData := .Values.middlewares.modsecurity }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ plugin:
+ traefik-modsecurity-plugin:
+ modSecurityUrl: {{ $middlewareData.modSecurityUrl }}
+ timeoutMillis: {{ $middlewareData.timeoutMillis }}
+ maxBodySize: {{ $middlewareData.maxBodySize }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/ratelimit.yaml b/enterprise/traefik/24.0.0/templates/middlewares/ratelimit.yaml
new file mode 100644
index 00000000000..cd9117633f6
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/ratelimit.yaml
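Review bot: `ipwhitelist.yaml` renders `sourceRange:` with no entries when `$middlewareData.sourceRange` is empty or unset, and unlike `geoblock.yaml` it has no `fail` guard; how Traefik treats an ipWhiteList without ranges is not visible here, so an allow-list should not depend on it. Add a check before `ipWhiteList:` such as `{{- if not $middlewareData.sourceRange -}}{{- fail "ipWhiteList needs at least one sourceRange entry" -}}{{- end }}`. The list items are also emitted unquoted, where `real-ip.yaml` uses `| quote` for the same kind of value.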
@@ -0,0 +1,13 @@
+{{- range $index, $middlewareData := .Values.middlewares.rateLimit }}
+---
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ rateLimit:
+ average: {{ $middlewareData.average }}
+ burst: {{ $middlewareData.burst }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/real-ip.yaml b/enterprise/traefik/24.0.0/templates/middlewares/real-ip.yaml
new file mode 100644
index 00000000000..2877d9ce7f7
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/real-ip.yaml
@@ -0,0 +1,15 @@
+{{- range $index, $middlewareData := .Values.middlewares.realIP }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ plugin:
+ traefik-real-ip:
+ excludednets:
+ {{- range $middlewareData.excludedNetworks }}
+ - {{ . | quote }}
+ {{- end }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/redirectScheme.yaml b/enterprise/traefik/24.0.0/templates/middlewares/redirectScheme.yaml
new file mode 100644
index 00000000000..09f3093998a
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/redirectScheme.yaml
@@ -0,0 +1,13 @@
+{{- range $index, $middlewareData := .Values.middlewares.redirectScheme }}
+---
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ redirectScheme:
+ scheme: {{ $middlewareData.scheme }}
+ permanent: {{ $middlewareData.permanent }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/redirectregex.yaml b/enterprise/traefik/24.0.0/templates/middlewares/redirectregex.yaml
new file mode 100644
index 00000000000..30f44f9081b
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/redirectregex.yaml
@@ -0,0 +1,14 @@
+{{- range $index, $middlewareData := .Values.middlewares.redirectRegex }}
+---
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ redirectRegex:
+ regex: {{ $middlewareData.regex | quote }}
+ replacement: {{ $middlewareData.replacement | quote }}
+ permanent: {{ $middlewareData.permanent }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/rewriteResponseHeaders.yaml b/enterprise/traefik/24.0.0/templates/middlewares/rewriteResponseHeaders.yaml
new file mode 100644
index 00000000000..d7bfdcdbe07
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/rewriteResponseHeaders.yaml
@@ -0,0 +1,17 @@
+{{- range $index, $middlewareData := .Values.middlewares.rewriteResponseHeaders }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ plugin:
+ rewriteResponseHeaders:
+ rewrites:
+ {{- range $index, $rewriteResponseHeader := $middlewareData.headers }}
+ - header: {{ $rewriteResponseHeader.name }}
+ regex: {{ $rewriteResponseHeader.regex | quote }}
+ replacement: {{ $rewriteResponseHeader.replacement | quote }}
+ {{- end }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/stripPrefixRegex.yaml b/enterprise/traefik/24.0.0/templates/middlewares/stripPrefixRegex.yaml
new file mode 100644
index 00000000000..6fd4c8c9970
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/stripPrefixRegex.yaml
@@ -0,0 +1,14 @@
+{{- range $index, $middlewareData := .Values.middlewares.stripPrefixRegex }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ stripPrefixRegex:
+ regex:
+ {{- range $middlewareData.regex }}
+ - {{ . | quote }}
+ {{- end }}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/tc-chains.yaml b/enterprise/traefik/24.0.0/templates/middlewares/tc-chains.yaml
new file mode 100644
index 00000000000..5566d77c146
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/tc-chains.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name "tc-opencors-chain") "tc-opencors-chain" $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ chain:
+ middlewares:
+ - name: {{ ternary (printf "%v-%v" $.Release.Name "basic-ratelimit") "basic-ratelimit" $.Values.ingressClass.enabled }}
+ - name: {{ ternary (printf "%v-%v" $.Release.Name "tc-opencors-headers") "tc-opencors-headers" $.Values.ingressClass.enabled }}
+ - name: {{ ternary (printf "%v-%v" $.Release.Name "compress") "compress" $.Values.ingressClass.enabled }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name "tc-closedcors-chain") "tc-closedcors-chain" $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ chain:
+ middlewares:
+ - name: {{ ternary (printf "%v-%v" $.Release.Name "basic-ratelimit") "basic-ratelimit" $.Values.ingressClass.enabled }}
+ - name: {{ ternary (printf "%v-%v" $.Release.Name "tc-closedcors-headers") "tc-closedcors-headers" $.Values.ingressClass.enabled }}
+ - name: {{ ternary (printf "%v-%v" $.Release.Name "compress") "compress" $.Values.ingressClass.enabled }}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/tc-headers.yaml b/enterprise/traefik/24.0.0/templates/middlewares/tc-headers.yaml
new file mode 100644
index 00000000000..b0500afc708
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/tc-headers.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name "tc-opencors-headers") "tc-opencors-headers" $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ headers:
+ accessControlAllowHeaders:
+ - '*'
+ accessControlAllowMethods:
+ - GET
+ - OPTIONS
+ - HEAD
+ - PUT
+ - POST
+ accessControlAllowOriginList:
+ - '*'
+ accessControlMaxAge: 100
+ browserXssFilter: true
+ contentTypeNosniff: true
+ customRequestHeaders:
+ X-Forwarded-Proto: https
+ customResponseHeaders:
+ server: ""
+ forceSTSHeader: true
+ referrerPolicy: same-origin
+ sslForceHost: true
+ sslRedirect: true
+ stsSeconds: 63072000
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name "tc-closedcors-headers") "tc-closedcors-headers" $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ headers:
+ accessControlAllowMethods:
+ - GET
+ - OPTIONS
+ - HEAD
+ - PUT
+ accessControlMaxAge: 100
+ sslRedirect: true
+ stsSeconds: 63072000
+ # stsIncludeSubdomains: false
+ # stsPreload: false
+ forceSTSHeader: true
+ contentTypeNosniff: true
+ browserXssFilter: true
+ sslForceHost: true
+ referrerPolicy: same-origin
+ customRequestHeaders:
+ X-Forwarded-Proto: "https"
+ customResponseHeaders:
+ server: ''
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/tc-nextcloud.yaml b/enterprise/traefik/24.0.0/templates/middlewares/tc-nextcloud.yaml
new file mode 100644
index 00000000000..fcb09becb98
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/tc-nextcloud.yaml
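Review bot: `tc-opencors-headers` in `tc-headers.yaml` sets both `accessControlAllowOriginList` and `accessControlAllowHeaders` to `'*'` with nothing in the file saying so; the only hint is the middleware name. A comment above it, such as `# Open CORS: any origin and any request header are accepted; use tc-closedcors-headers for routes that expose private or authenticated APIs`, would make the trade-off visible where a chain is chosen. Both middlewares also hard-code `X-Forwarded-Proto: https` as a request header, so the backend is told the request was HTTPS regardless of the entrypoint it arrived on, which deserves a comment as well.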
@@ -0,0 +1,20 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name "tc-nextcloud-redirectregex-dav") "tc-nextcloud-redirectregex-dav" $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ redirectRegex:
+ regex: "https://(.*)/.well-known/(card|cal)dav"
+ replacement: "https://${1}/remote.php/dav/"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name "tc-nextcloud-chain") "tc-nextcloud-chain" $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ chain:
+ middlewares:
+ - name: {{ ternary (printf "%v-%v" $.Release.Name "tc-nextcloud-redirectregex-dav") "tc-nextcloud-redirectregex-dav" $.Values.ingressClass.enabled }}
diff --git a/enterprise/traefik/24.0.0/templates/middlewares/theme-park.yaml b/enterprise/traefik/24.0.0/templates/middlewares/theme-park.yaml
new file mode 100644
index 00000000000..16abf2e2f34
--- /dev/null
+++ b/enterprise/traefik/24.0.0/templates/middlewares/theme-park.yaml
@@ -0,0 +1,20 @@
+{{- range $index, $middlewareData := .Values.middlewares.themePark }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ ternary (printf "%v-%v" $.Release.Name $middlewareData.name) $middlewareData.name $.Values.ingressClass.enabled }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ plugin:
+ traefik-themepark:
+ app: {{ $middlewareData.appName }}
+ theme: {{ $middlewareData.themeName }}
+ baseUrl: {{ $middlewareData.baseUrl }}
+ {{- if $middlewareData.addons }}
+ addons:
+ {{- range $middlewareData.addons }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end -}}
+{{- end -}}
diff --git a/enterprise/traefik/24.0.0/values.yaml b/enterprise/traefik/24.0.0/values.yaml
new file mode 100644
index 00000000000..e69de29bb2d
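Review bot: The pattern in `tc-nextcloud-redirectregex-dav` is unanchored and leaves the dot in `.well-known` unescaped, so `(.*)` can span path segments and the rule matches more URLs than the two well-known DAV endpoints. A tighter form is `regex: '^https://([^/]+)/\.well-known/(card|cal)dav'`, single-quoted so the backslash survives YAML parsing. `permanent` is not set, so the redirect is presumably temporary; a comment should say so if that is intended.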