From 82d0cb69ec9589b9484b2eacf356fd4b8938ff1d Mon Sep 17 00:00:00 2001
From: TrueCharts-Bot
Date: Sat, 3 Jun 2023 12:32:45 +0000
Subject: [PATCH] Commit new Chart releases for TrueCharts
Signed-off-by: TrueCharts-Bot
---
operators/cloudnative-pg/0.0.1/CHANGELOG.md | 13 +
operators/cloudnative-pg/0.0.1/Chart.yaml | 31 +
operators/cloudnative-pg/0.0.1/LICENSE | 106 +
operators/cloudnative-pg/0.0.1/README.md | 27 +
.../cloudnative-pg/0.0.1/app-changelog.md | 9 +
operators/cloudnative-pg/0.0.1/app-readme.md | 8 +
.../0.0.1/charts/common-12.12.0.tgz | Bin 0 -> 174448 bytes
operators/cloudnative-pg/0.0.1/ix_values.yaml | 817 ++
operators/cloudnative-pg/0.0.1/questions.yaml | 45 +
.../cloudnative-pg/0.0.1/templates/NOTES.txt | 1 +
.../_mutatingwebhookconfiguration.tpl | 85 +
.../_validatingwebhookconfiguration.tpl | 106 +
.../0.0.1/templates/common.yaml | 8 +
.../cloudnative-pg/0.0.1/templates/crds.yaml | 11805 ++++++++++++++++
operators/cloudnative-pg/0.0.1/values.yaml | 0
operators/cloudnative-pg/item.yaml | 4 +
16 files changed, 13065 insertions(+)
create mode 100644 operators/cloudnative-pg/0.0.1/CHANGELOG.md
create mode 100644 operators/cloudnative-pg/0.0.1/Chart.yaml
create mode 100644 operators/cloudnative-pg/0.0.1/LICENSE
create mode 100644 operators/cloudnative-pg/0.0.1/README.md
create mode 100644 operators/cloudnative-pg/0.0.1/app-changelog.md
create mode 100644 operators/cloudnative-pg/0.0.1/app-readme.md
create mode 100644 operators/cloudnative-pg/0.0.1/charts/common-12.12.0.tgz
create mode 100644 operators/cloudnative-pg/0.0.1/ix_values.yaml
create mode 100644 operators/cloudnative-pg/0.0.1/questions.yaml
create mode 100644 operators/cloudnative-pg/0.0.1/templates/NOTES.txt
create mode 100644 operators/cloudnative-pg/0.0.1/templates/_mutatingwebhookconfiguration.tpl
create mode 100644 operators/cloudnative-pg/0.0.1/templates/_validatingwebhookconfiguration.tpl
create mode 100644 operators/cloudnative-pg/0.0.1/templates/common.yaml
create mode 100644 operators/cloudnative-pg/0.0.1/templates/crds.yaml
create mode 100644 operators/cloudnative-pg/0.0.1/values.yaml
create mode 100644 operators/cloudnative-pg/item.yaml
diff --git a/operators/cloudnative-pg/0.0.1/CHANGELOG.md b/operators/cloudnative-pg/0.0.1/CHANGELOG.md
new file mode 100644
index 00000000000..b71209616e3
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/CHANGELOG.md
@@ -0,0 +1,13 @@
+**Important:**
+*for the complete changelog, please refer to the website*
+
+
+
+
+## [cloudnative-pg-0.0.1]cloudnative-pg-0.0.1 (2023-06-03)
+
+### Add
+
+- add cloudnative pg operator chart ([#9332](https://github.com/truecharts/charts/issues/9332))
+
+
\ No newline at end of file
diff --git a/operators/cloudnative-pg/0.0.1/Chart.yaml b/operators/cloudnative-pg/0.0.1/Chart.yaml
new file mode 100644
index 00000000000..9ec753ff307
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/Chart.yaml
@@ -0,0 +1,31 @@
+apiVersion: v2
+appVersion: "0.13.9"
+deprecated: false
+description: CloudNativePG is a clustered postgresql database operator
+home: https://truecharts.org/charts/operators/cloudnative-pg
+icon: https://truecharts.org/img/hotlink-ok/chart-icons/cloudnative-pg.png
+keywords:
+ - database
+ - cloudnative-pg
+ - cnpg
+dependencies:
+ - name: common
+ repository: https://library-charts.truecharts.org
+ version: 12.12.0
+kubeVersion: ">=1.16.0-0"
+maintainers:
+ - email: info@truecharts.org
+ name: TrueCharts
+ url: https://truecharts.org
+name: cloudnative-pg
+sources:
+ - https://github.com/truecharts/charts/tree/master/charts/operators/cloudnative-pg
+ - https://github.com/cloudnative-pg
+ - https://cloudnative-pg.io/
+type: application
+version: 0.0.1
+annotations:
+ truecharts.org/catagories: |
+ - operators
+ truecharts.org/SCALE-support: "true"
+ truecharts.org/grade: U
diff --git a/operators/cloudnative-pg/0.0.1/LICENSE b/operators/cloudnative-pg/0.0.1/LICENSE
new file mode 100644
index 00000000000..4dfe12ac30e
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/LICENSE
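Review bot: The `common` entry under `dependencies:` in Chart.yaml is identified only by repository URL and version, while the diffstat shows the packaged `charts/common-12.12.0.tgz` committed as an opaque binary with no `Chart.lock` or `.prov` file among the 16 files, so nothing in this commit lets a consumer confirm that the bundled archive is the 12.12.0 published at `https://library-charts.truecharts.org`. The operator's templates (webhook configurations, CRDs) presumably render through that library, which makes it the part of the release most worth verifying. I would commit the `Chart.lock` that `helm dependency update` writes and, if the library chart is published with provenance, run `helm dependency build --verify` in the release job. At minimum, record the archive digest next to the dependency, e.g. `# bundled as charts/common-12.12.0.tgz, sha256: <SHA256_OF_TGZ>`.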
@@ -0,0 +1,106 @@
+Business Source License 1.1
+
+Parameters
+
+Licensor: The TrueCharts Project, it's owner and it's contributors
+Licensed Work: The TrueCharts "MetalLB" Helm Chart
+Additional Use Grant: You may use the licensed work in production, as long
+ as it is directly sourced from a TrueCharts provided
+ official repository, catalog or source. You may also make private
+ modification to the directly sourced licenced work,
+ when used in production.
+
+ The following cases are, due to their nature, also
+ defined as 'production use' and explicitly prohibited:
+ - Bundling, including or displaying the licensed work
+ with(in) another work intended for production use,
+ with the apparent intend of facilitating and/or
+ promoting production use by third parties in
+ violation of this license.
+
+Change Date: 2050-01-01
+
+Change License: 3-clause BSD license
+
+For information about alternative licensing arrangements for the Software,
+please contact: legal@truecharts.org
+
+Notice
+
+The Business Source License (this document, or the “License”) is not an Open
+Source license. However, the Licensed Work will eventually be made available
+under an Open Source License, as stated in this License.
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+“Business Source License” is a trademark of MariaDB Corporation Ab.
+
+-----------------------------------------------------------------------------
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License’s text to license
+your works, and to refer to it using the trademark “Business Source License”,
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License’s text and the “Business
+Source License” name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+ or a license that is compatible with GPL Version 2.0 or a later version,
+ where “compatible” means that software provided under the Change License can
+ be included in a program with software provided under GPL Version 2.0 or a
+ later version. Licensor may specify additional Change Licenses without
+ limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+ impose any additional restriction on the right granted in this License, as
+ the Additional Use Grant; or (b) insert the text “None”.
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.
diff --git a/operators/cloudnative-pg/0.0.1/README.md b/operators/cloudnative-pg/0.0.1/README.md
new file mode 100644
index 00000000000..1ed81ac516e
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/README.md
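Review bot: The `Licensed Work:` parameter names `The TrueCharts "MetalLB" Helm Chart`, but this LICENSE is added under `operators/cloudnative-pg/0.0.1/`, so the license as written does not name the chart it ships with. It looks copied from another chart's LICENSE; the line should read `Licensed Work: The TrueCharts "cloudnative-pg" Helm Chart`. If the file is produced by the release bot from a template, the fix belongs in that template rather than in this generated copy.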
@@ -0,0 +1,27 @@
+# README
+
+## General Info
+
+TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
+However only installations using the TrueNAS SCALE Apps system are supported.
+
+For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/operators/)
+
+**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
+
+
+## Support
+
+- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
+- See the [Website](https://truecharts.org)
+- Check our [Discord](https://discord.gg/tVsPTHWTtr)
+- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
+
+---
+
+## Sponsor TrueCharts
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
+
+*All Rights Reserved - The TrueCharts Project*
diff --git a/operators/cloudnative-pg/0.0.1/app-changelog.md b/operators/cloudnative-pg/0.0.1/app-changelog.md
new file mode 100644
index 00000000000..d60d6b4d8d5
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/app-changelog.md
@@ -0,0 +1,9 @@
+
+
+## [cloudnative-pg-0.0.1]cloudnative-pg-0.0.1 (2023-06-03)
+
+### Add
+
+- add cloudnative pg operator chart ([#9332](https://github.com/truecharts/charts/issues/9332))
+
+
\ No newline at end of file
diff --git a/operators/cloudnative-pg/0.0.1/app-readme.md b/operators/cloudnative-pg/0.0.1/app-readme.md
new file mode 100644
index 00000000000..53fc6df3fba
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/app-readme.md
@@ -0,0 +1,8 @@
+CloudNativePG is a clustered postgresql database operator
+
+This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/operators/cloudnative-pg](https://truecharts.org/charts/operators/cloudnative-pg)
+
+---
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
diff --git a/operators/cloudnative-pg/0.0.1/charts/common-12.12.0.tgz b/operators/cloudnative-pg/0.0.1/charts/common-12.12.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..f364bc9e1bbe3f8ef02830e6d66bcbb0152f0b8a GIT binary patch literal 174448 zcmV)UK(N0biwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ{bK^GBD7ruEuRw7ocgK4zS#R0?&g6WK?M!?!GgjH2$?msj zuL~j}iED~r2v8nxlK=e{o&@+3Wy_jJ#7b%`5@<9UjYfB)(Qxr%fy0B-IgDxR0WN~S zZ2oDt+wEb$&;M<=+u48H!(R6K)x5O*zjG}kOBdh zkiwX>1gM0d*u^15A>~k$gVC_xZjT0o#vOXN$FWC_8%>Zl)@UkBoBTzi31l;O$pq=H z{`LFUomOYqYB$?|Z7iT4Qs{>$=D^Sb`oS^q!zupn6mSd2vjzYmWc@V=06-E4Df*cT zqPWC>K1AqPq1RX{TsqxWr`u{bwln^6{x4yWAo5HCpnCof2E9=~JO4-h(Qf{4<9Pv^ zP4Fhb6Bq!&1dSR0b=&}ef4oK%K+p5pw1)u@UqJvTC}8X^{x}A|{ZU;3h9Rbqy<@eE zUuM-4&m&-gC=A~IV3q+C1A^kE?;>8?^WKRFRYSTFg-Rj4^Fx1; zEI^1oG{!L%WNHAg@Wc1=-7z?7x7(`5c?c%~;w@1efdwWMMA#z$h8|$zO9&U>hi;H~ zemDbe7|nQX4c%Iq8LvQV6v?N#E%;;=a@vymc14O0md<=*u?>ZEncZN$AG$})ow&1 zvWjTtG)UN*axu=~#pElYD0EZo(pRE#v~;u8t`Hk7+3{%UiriLk z|C`KVcQ8DjP7l55blP*f!y%jw`w))ca5(6>?a64`bqAfPH+0*>_F=C#I64}^X~*mJ z`VhK3)Hxa*9onr#Nf3Yt2foYDWWUDz$1%8=zQ=SNBZ5NOXmCVNnfmvMvW}jN#~-fV z9s|c=)v$MZadsttk)^ADHRP(~Cb3T+fCSJW@`VAA7d%x08mJOnW}{D33&~W5my1eW zrUBBw1@FX3ctSo96d!}Z@GyP#CdNr*yhG5t41W*7T;j`7qFkm6{ekX|Jr<5DR)_$L=eaN-9(^^u;9 z(DRPLKmR3vc`?=#gGr;4w{PXI7vPsU3IRcsEr=Y2ec;R02PPCRAoX1s1P{6b^gM9- z)8#Mk_rdk~&4-IK{_h+1?~j+iyg$F%2WKazx0fH!udXi6&UHN#O>p`C?LWXhYg$vE zQJDZpz}4mDjY8ZfY_Yx`p2CQjB;vd<{%~tnFW>oO0jWC|T$MyofEFmE zFyJ+a<`D8gTpEbqVm@9Wf|HnOVJrI_tD+3Qz+d=k$#SFQ81&oi_JaRhpamChhkPB4 z(XR<2R?$wT;Gq4^Z!~m6myuBa8UVcicyV@da(j9*zE%q?3<8O|EN4@O%4A6*c zhf;@m>xXv++s!ed?-9Mn@tys0%-Bf1AafWq4T&uaOr0YUbW!>_Mtr4G19cMI!v{9{ zUP#nCsU`jB$ApS6r#PJYGtpO^A}hKs%+}Dul;}CmSDj#y-_c`Xnho31*xF7SO;1Wjwz9UN+los@rRQE5^8aMxQ3_jePT2otsH)pndwf@BB*eUASle3tH#S=5qrY<*;6+Ul$ zLXG88pl?{LW*3at$7+4>$~q#(5G^A5aOMkzf(y_wr1N8NAS#QJe4vEH;0^}~V+rE` z&&VSiSi<;#RbSOaoRp45jTYi0luNzmCyQh7jxYI@ZPG>b$Oh>ms)X#JC7CZC3EV@= 
z12SK%*Bg^1Qcm(v0cTx=|3)rF9+<{>0j^I^-kyVn?|A{bhcRlr0L%vAx=xIyDCQ0n zHq{#br}Iw~#UTtXLW<%kbdgjel33ay|NPf;x54$FjWl$MV(L$Q7t##@{D^}@A!klv zzVMEdAhQb-?NVyWGqGXCd`6^c1gr+NKDcv?IUs9u=>>2TLh(W@wG{sY zE&{#c$`xLfkf^-?AIcEo1%CUj3H+&Efc?L-l^F&EH2?TRK{&->h+N9RAUOciUjGM9 zfD1#m4g)&(3E(Y&$pgR<3RwlVO5-V@a|EV12=G0788EvC_#x|V3??zYC(1j*@QInF zS%Fd$u+9Mai`77(r@z|2rx;UXq+WnC>?YhuW%5H<=>dWS0e6nvJAf0)kxl6iJhKMC za$PFe<8$$%!M|NbD7@xIE2j>d004dR2?h5)or_-2Q4sBeNVbhb;(I9OMl_D8J@Tau z;&^sIA{-JNE2p6Uci|`^LbG723oy3#zyvatDH0TIXxd6%fAQi)ga2ptpIIhs;s9py zgUbmMi9{58@j^B$HX8^hodnML_h?srMinBg4p2;ke zsYiwz*1o6RRa$Y9znKxLzcF=GXlZ;Eb)4K{iR09hJByjtuS)4H1>=p>Z&Pm~=W&N2 z?8yG^r#mTxi2|vL3SWUAs%g_|7=B9u?E|YvG4T0f0~mAQ`;bv1h7`wO0YiU^2<2d~ zScMwur+X|(Rv@WWuyvDWN>U2_E(GYfr-NXK%*O_$t?Ze>!wkN%g*KrRI zdjoWcQ0H*i9UUFHhn-=&(?@-GaO8IS?GBuvjytHtl|nz@>q}i^bp?%Wr`2z_Ittr% zr{|5_!+{HXXn-btICXn)*c*6m`^f7IMjgVXMyJ)NSi*BQWed(s{p_WGT} zYL`3q5St7ru8S_K(G*oQ!u?jqV1*unXmr%;9}W(OaMT?f9rawdJDj+q&SWrw-S((A zoF4Vi=x{n>9uCn6dcFRjeS~`5ez%XN-n2KJ9-;1}*X>V+XgKLrvn+9ANZol|L}hV> zsR+$ch#q-fdpbPydR^$E{-6tca5U(SdK2#u^md(KhJ#6a;tl$P?xYQmhTZP;aMgWhmD z>5RONJ8Abu(@F1eG@SO^U2i&t18?F^+Wj_kCzHbgti(D-p8rTv^QwgyAHwMrwhxD1 z`)D*d>K{&r-ATLO>v^O0wBPLP4>6t@9rcbnhr^>@zccYB!(O$tUEpwr zA5CXbxe)6?yE`4V;c(D{N9_Uhy1l_@h`Q}VuZ;%Xeg_@7?jc0T8}=rXqizokJ$N`6 z_9mX&b315MiM8AlLE*>odq9+`=$ck~;|2I{<>}+v69N+y;QI#CpO#UoV+iGn!+7AT zq$~hjP8034UO^LCt0`*Lg==ni+Y+`jJ?weN^`^s4-yN;Q2hJ7RC?Y4m|+kFZ=+;%phQp|GI#F_*Vs|RXV83in09I zMm!n;I9A);#Oy_py_Hse2k)e1&n-LQ!d6wmD{k`mq1-*%2i!rj4-j=*t=3*k!nxq~ ze~f@nzyfn3!Vq*6n0>Hdtq?(8C>%!VXI=}&cgO>fC=^-+UU{?25|~d+D3I@ks?N4# zn8mM&9~X7~QW~7R=OJ7$45w57lfcm@sl8{mBcQV4m)c-WVV)!u2Yz^G4geczsBBIi zB*+ZPeK5gvF8l?oFkuLAETA=fqCJ>U{MHZe^1YBl&h5)t$cPWa2fgpYeVO-As1=G0 ze)K;f@16E?k{o$?G{+o)QxwytG(dqXHkExs5)|jiB6i_rbRI7v3}6lOtxqVxQ^UK; z9Ym}d8OLdUxjQ7B7<})W6VUSt!bx6$(-<*P4q#}6fu>Y7VKU0YC_cu2Y9CQi`%lWXZcR=B1j;uS&M(not1It)jgP=G!~!V^g6XrWq1 zq1Q}^3<#NK$4l?ryL0G=%?TvFYcgTl_BTQGg~_Ti;>3vg)f*m?05YC|;00oT$=5oh 
zfxTBTzACsT#!Ds$j6pMFiiMAB0UwxrSMsElMMH)`2%yYPibF&ZVe6=x$}SJ71>wvO zKa~`v0ck>)$3L)1DQA#~!hU*3uMw5702W-}>A-~pB3=3f(E|^n1r7_tXNm}5dy1;G@9 z{7X7X1?oRx!sF&SQs5^PEC7|;BuaINAR(&z+T$ryk0$yA7g2y(0d`@aOXQG>Af2a3 zF#zdCH2Y*m11QYKkj`769!jap^}u>3Hq-d};{kulW894+INr>$UHou9%SK~PFXe`pPRSWS$1iG zAD9v#w(|J44HJ)ov)BkkA_@#Zdvp|2zd@A9Ro|1rkmd@^CdJeb0=3^C5JP%^rqOJM z%bGMGTAGNkLN=fi1YEqB_#tbJ$$Gu*mKM&d05#xPmC_0tybZ^gUN00U7flkO+5d2U zb8?)SB{N9TJ$wK$PG}t^UzU5ChR=a8z;Zi^LE;M?mtR6=@f8)pIA8*iLb0*NMiD`p z#Ax5%wUTE^m{|rxiljaaU7E0^8rS-UnGU)H>diqx7YHo4`<>X2gP6>r!}5S zE!oIYTp-psabyUuK`BTnbmv^NleQd;QAn@QRG(>K5-i3^r1p;`FHj9mtvfRjuw2R- zT9^9S551Mp1ijw~V7e-ozGYP#`Bg*I5Snt0Y9ffYur-2Qtv)N=oNr|2Fqb9YYcz72 z1xhuLP>0SG3|gE7Qt+|SVw6;eiL@%Nd;uzCPgv8eURJe9!A_ui$2ENst;b`>ne0)) z+JMY)5_pWo2nuPcSICMfcL?}$;2kp@Q4F7q2X2%v={c$cYvWiv_sE~ksXCJcvMQB} zLorVb?NWEj4_&-4d)G>%h4gGrBdU2ll+nPrE|t+BM8Fu+$_lh1t=%6q8Vf{Y-z6oX zjn*NNOkm;*9R#k1cY#Bn;&>lK*pq)ZQe+&vlv<2EgJp=^b$_c)jspEkOAZuz5%xo^ z95>~@JHuY}lJBH1VQ>rvns&sEVWiHpnIAH$=p2U%0lWWrf#@71AV)rjGNKQKw;^2P3JIogm62 zq7aXBrgsY;xQg26QBScXn+oC}4fWTtbw(Ki9n8n|EVn7bcWggPjAlO5fTe!M^-#!_ zK?Rk2=tZH->C}%X_NP8mr5TUMdhJe8OYId2IYz0LC}T#D$4w8_1~(a&4Dv%+TWWZvEO_H!4Ic6waW^i6y+dM?Hhkh0z5fj%gX@|1HC&W z2XPX%h_Kpqxl}O|KKwbi;~1}s$VjCVF!OI>dLgkFF=4J6D0zs`Ti;Zq2zKuV zw<3AZk-Lmnxjbi-i;Wprb=@vy8RSnB!YOPZ#UAu3?vgXY8tT&+c_^el3`q58%bhUpt!TnM4TCFuVkL+mA@?};m=%vgoXqCN zkcR1zHo)~3Q8u$jauNh!31eT_r?Q{O<1PuE&q25!B#O%@RP@W7A{CQ~yLj#J)~W8B z*eErQs!sixI&Lmx{?c-4>k~I$Fv6CPJnJP#;ZncPd&!M{J;<xwvW(5CE!MFxE{U_^N`uwYS^~BKt`SW z|3MxfLTl;?QUq88!^-$yK3^t!?P?iR`q2+ihV$z-gafvsW}31XjPXg9v2HS>X2vP= zvpC2DYLiayaan`H7D$7VN{CN{)7d-LC0k^kDa_u)hz$w#mkPWj1n*86DMAra&SZ=5 z)N;;GiJ}s<2-cTH)%g+&q%g!pk{X7!9}41fl?PBPOP+WhaMF-ahwlIeL~H{J&R5?U zEcW^1_`O_7iz2U^!m<!VTMB-3?MPLU{ z(-b~1ndrwjWb)Jy)%*yG0bh#-CG(#m;|(@>l&ClAKd;2Mh-I|Oc!hCh!1F7`GmfI( zN<7tPIfS7IntZFi=|Kvco*#>N4}C(9TH-2-MI#pV6(He{7d_*OmYzq=CQ||R&k%>m z=x+uA<7`snAv>*GSqG4z zQqx?PDao(qimI|M;h1tmC0?W&Xy)8-ey*3d4Jr=zXHF3tAGiap)9rOTf;dK;SdKWM 
z4oO;rI;Le&9PY4Iz(Zy;A+uY~m|JdpV-K~e_Pz^tw6#YyvpdasbluJA((P%T=)|C~ zSowsvM+$11uAA06n_DdTTHOFZ9b2hd6I7XJSr9bv{A$2YgMk~i#;NTJS3Az|0yU!; zDGdw9V9H(MAyr{g9*R)tq0sdaKUmgq!)W#>zco{k5-K+D7!b90%*ZhJ84n6kyTG2P zqF$n$lPXLW6BIK^#C>3)E6Kp)@>Ddwh}WAjBiEIymoBaHdoj5?frRO_Fp_T2gy(-s zf4@j=KKYv@5sE($6pu3>noYGaD_o&Wpve_r6DRAtu}&i=pvpb2c$di#uFoc9*%%HTr#^Gg&>J$F=UFtD=9Pg zbkkHks%H@6xp*fz|bt?ntM0ba{lE zbYJT6mnXrY$6Yx>Hx#Qicg0*?=9o2{R3kih zpwk@;-}uT{yN5ykwMg`dC=pQ;oLkyV*qM{UCuVvJ93bP2WQM2HI8dypl5V2_x%0$J z$~_@JoY^}oW9+>XpRyBJOAgm?zp#0h!~p>~p;5w*U&E|} z6#g!8V!9lz}6#kXnNmyomy?pMUP$+h4*X^S`UWQF0)5 zIn86-2e+w-+M?0=3F24W|IqJtdv^Z!Zl^og-T$za=eOSu{?<_GctoTD_f}@?ejGL~ zq|ZlXCO=T=D#ZMfF$J2DWS$Xuihz55l#{dZw}U_aX#DnD6L=y+xkKI7veOd0*y7E# zOgD2=7Jq3Q#^CrhTiE?DE#Xho{BwenTPE|`)kS`oBEYZLgkol#$>h_?*O!t^H-GRq zaKg{O0t`I@I0+^4X|dzidU&d7+R}9#&;q~n>{dLNP)ZX<$`rDhTj!-h zgS9t9G$oe)kR_;9{g%~Zrh^95lIbs7Ms|E_qalZhNpVGoIV9rr)q~oUJ$@~g3!{=q zE%cHs-S=>T_W55jebVvkY#KrfZ$=PZI5UdHWt3r@mMO*bH8+7W(8`k<<+{(9$jft( z>W9HDmAt89IkUavSj&%jYL&t%8+RL$V>63W$vx6NS3p9WcIBv}U zIqe448zJRztvf=>b6Pk;@?)J5Qtg(EkPXQ(kFz>^VCD)oJLBRfUKx;3J?ns1p6^mYZYQOR!|-r)XZC6` z?MvW@TwMY+4P7GaWKg%k7L%L%>su*+f|ir8u6cd7vD#z|Eu)> zZofCo>i?Z~XQ%&f;}QCQR%^&^%F9p|KO`uo$Xi!~H?>VR!|lz@H1W8dZoD7|GvCWJ zQf;p*%B8T9IROuNUU@s|_jVe!Qg3gg$xQBdCzIFBN%PODBq&DfnZm6!R|;#W;2ss@ zf|GW`zT8CrevkPD66Uo9#n+vP?#C4t)WFcw)w%kR{^Is2kcBga z{`lkAdMV2O4t`BA)peQxF>AwE6Q|G*fFnX)_n7N$BO@z^1ss=WaWRq-QLOnZ9HG>{*Pk2HFtl?C-&#sbSYW}ztk<4l<1Wk zE<4ZNH}jOq|78?%)n8sZ^Jv-sm(}vWJ!p3`_rH(&z1{uqTY0qpFOS7d{TbK#>uK$ov@m-qa$EiO|pwJ*NNlvwBf2 z*dD$Q1$6e;TJXOep;tNoWwLQ0HXa9HFJNth-kDmW>tT$x)vw0>VR-6AB zQ`@|AM%(%&fjz7Z3-0-3HvIyuro1G}oX=f7pS1;A=}j=KuctW{YI+XV_7vo= z4}Y}pK>dFA^ZUy){pKHgU zblA7c8}|2f>QoJ0dX`s>$4hlqS7vbIF$}MakbwQ~mQD)Gyb!)6FMu!kDldcwds*|o z0I$O1#AdWu4$C4WbA?()pV*aZ*CqTGNy+v#S%eh=Mlg*WXwcATV|12J_ z=9(@qrkOp)+f_|l!D&kFrdX2f}J{ckkL#ecVV_TP4%XVm{B_pGJ= znfC$xdG$YI=jgfhxJ|CVxplMvq+$w{^Qy9t&X~m^e;mKRJ^66+6JKdxrAp3!SvuiU 
z+u8$#i)wup){mC`pi1p1)GpO}ZMIXW-sYNlEpN{-Ue$tNEa#<-Dy{kPjbo&T>wb$&V23cc0S6(n7c0G#B*C(yh=d)(>j&#J4}a#U98fATWp1a|5M2`Rq8mAQ0}qre^I^M_s7M6(iBE+y{&SP? zt9~lyzfQsWGz)OW{O=D&+4zr6uQS}u|7|>a{@-NN?QXyV)cmuS4d~ccq&wfB9cTwV zCL})KsmplyqbAh^V_IY}R*)ejxK0x-kxi}4PP?5oG|gAF_a5YF1)F?p#X(94t2Q?* zsz2HuZg5V&Mil(~;fM3v>+{pA^BbPLXc5r|KxoV_2jEG?U1TIeS4k^)GD3wNSN8aQ zc!0*xws;{N^E_sCnq|u&V~cK_$Oc zNvBU-7bl@eKFedX0t9(NjwuY17|Dq$_iJvhZ;hVI+`c#0x7U}aKeOKlOBf%-Nm!I7 z-D?r--pTSeCpYJ}XBStpO5jh7D!k94AhXqPFW;Y@3w67aU3LC)TMxgvzWs20esw)Q zsRbov`Ye=_)6?_u&F$Iy>pIBjwCQ=Ppj1astCy!d*XZaSm7i{I#<%0E%fJ8Q_U*;> z&G~zA@FwqrsNK4}icGb{?Y8SDLzM~QHQ2NB>zmt)@sr`2Y34O>#*x>9TeYY7#3s_T z^tyrbzu#P)+@4&$QG_WpT-PH|HV3|L?B?X+Ex(fF>^a(%*9)YK&L-W@=l>`o+s@>! zZ*r?ZaLb9ZMksi3yI-E=QmOxoWV_F8{|`F-Q8xas-5Kok|7|>4{}*EoUa9*Qna08| z(-6^edl@4D_@T(WDRNl5sJ>Moxk>^y;=3o1pfRL#9`sQaQf)v{b$I57oMj=hHS1W! zhR6^mE;L<6GXFklpidDDy-VYx&^_hJz<1a~$G~ZiMkA-;Q?y8Jk(Hr~O~5aI;qi+N zbs|^%D%fJE5v?cz%8*43QvEh0O+MxRZ)ImS#hPM;k1GMkM4iyDjk{5JmhLfcm`Of8 zaH|CF3SJWfwRu((a5v0p9FQgiUqwwiWH?a{FpevHT!kKaGZ!BpRnF4F%BW&cX8UkX zQ4JU;!u6|iw#zqc&Yk?>+TuE86U#IjGjmeVqM)WGqs3biNM|3Qgy0S<=X{>&n9^Y*^HE-^viWH#;BH|7Sa*oU zB{GIK_r;0QbnJxtBE2k25Ov+5(DjS_bApJxp))_;I5BdUtQjQ9dl*(}^!56ia*YvA zX|kW3*Udlv5QoKnU=|4f$ZU>FHaqN$UFg@s&Oby5IQoh`$KLSO4YKwSbr0-+_^G!4823EU_*-rNjYi!;cK^4x zv;Vg9l%4;TSC?-8+^-V5N;hT2)Lo)ZsdzKefEMesQk6-CpM3z>yfjVke9ODnV?;?d zU7;wm;^eQn5ngcO*T@(uz?CHpOp{OYVvg35om|ztOim-NDoqf>YF%Z7R?#qt4tN>k z_+WY?;sQolLZ){g*Px|wrm&KnDbQ6EO-nkdJHRP|@MyvsR>M;)zZ#6IuH{cP@_8n%Sx)LkfCb(x%*80Hh9a zSJ_8Zw3GL6t|Xl(w;tt`*;q-q6!5xqQ{W3gtf1P#-@tiDl33@x)kcr>77%e+f*g-%gw^z{a} zFc9g>9A0yf9y7@DJi{~1l7cfmUnUtJKT8ZB%(IYC!~f=pxI&*;R|I9(lwwckY8@ku zV)EBfGYnKKH4O{=TFQp5$%Cex5>OSSEpvpfVgFb9e>AH;Yy5AopFjWE>+jp>rlh0loS8r0Tx|1j>Gk>enzg*m${&Wl+Ml7fFyk9??j^w{Kla2&D!`Z=py|aV;va^FJ zS#Hn&e){&q+4M&7bgK(_Ood~);eoxY$bhlhb>nSY*-q2Tuh1; zX=QikC%=sIlVAIj)BpGlKL@uiim5;KT}Yoj{&LwSjqkW~7$xRi^%Pp{_^mU{~Pf{;X5@U8sYKmKSm zo6QD{{Ey6nV|vwZzm?sQWoTL)RC6K7Wx{QxpqTal#~+P5KlF}GiZ&LALUmj=RB?AN 
zr3`K`33{yW+S(ik6+==hx&fAw@r<2dO;(Byu#NCm&9T zd%zgMT*~Rp63poZZGI~wn#q=rq?`ewn0y8*HVq9<6vJ<_X7Q2QCz2OhxEjA6L1?8| z`5~b&bP+L99FdlOYml`o1A!(OQ$k}X9e;l4Q*WYtY^)0tNRS0hy);i0z$kKnmVWp? zM6p#TAt){{FVw+fz28$c2b&C3LnwC(7(aZ7JV?oIci2--RN?u&LeTpq_9?myT_oSfh~Ol4&4MxdH9>?LZ&Dg5)%aBg z?bbaEm|AVnTCWCE7z7jO-kr(tlGf6t*ZzOd9-ppynl%8phr#u3Fust%Sm4m7IQGMt zxj`_--aGNZns{m9R<@jh1&@#r&_nE@chC#A|Yt} z@l)I!fPu2D36%N^>ZcD6AW@IaA=TL3^X-ro_I) z+7yFOY;2}mcul^Am*s;DeR#}~q4rBVH{-P|wqP?RLP`z(Rh*kNm1w&~0HWChC!woa zW8cMDZh{EwvplmM!v&%!)~d<^e!6u7ABFVR#bJ01oKCylc9fwZ2KkmjyA>W;r_*+d z7voa-znQDQ__IR(cZa$CpW$G4|KoNZ9%Of_kGpW?8^~=L_5}uk$VNuBxllfd#gdVp z(kU?1Et??y!OioAEO-oV<_Pfp09V9I04%bk@feC$BdwQCd{%{vbyZX|aO&vcg{0Um zDrPz~cv(~27FFP~hnHl36&7JQ@tkBSiXuf>t}u8d!l7ZXCpN}b?u^-Ytf|F7Qc>@Y zvA>PAA|)O#Vf-u**vpP`@A0c-d8Z0;xMcNY`%B``yaDTe-iimD{ko*P9>L z5pt^#E}bmD1ABpH56x_Z0ANm(^r<-~)IqA^xnV&pe>O0KHrP^xy)Csw1T9P`(EMRUa-;H}9T^_VipM8upnoh~Rq)jWS^zOO5g6r)xM zrkW#Le|+l*v5hy1K2a2hFt`XQil@*;W9(U2JW7x}AHGory(&qcKA%bEt0yP>O}y$c zv+-Ij3uciT%LA7Kj~Y$B6>T8d{sMC~KgUyM|A~C&WCOQ9t+xNzx2*rS+u7NF+jzL0 zcg6?%8qrNyfF6nh{IEbF{lbhu-OHM0pq>Js!w}SsKhYF~QAAQpP?KP13+`;euiX~Z zQ)FY-ATe^<0htXvJjI6?sXgZOP`X*lk&`+p%7^W4V6OR_oR+)~vOf zoz#aQgI(50{agm>){WDz$uNB$qx3Txq=m+4EnbzcO#5@&w&!r0re~@Br?vQJkN+GD z2i@HLzdQSHJCCsc^k9G624Kq5H7!7+C!fIt)U9vU2Gn48M&Ql}{OXNB&CNS2aAyVX ztiYWWxB-^jS%Et%5d1l;z%u&}grXMx z_G~{QQpR)RZ(pPz;};ec8-X&xytEi=8iHx33^o5*&RM9TAUor1XPkX`##u5Uh|1e# zq36Yj5LDAH(kqItx50%H@Y9nqT^AQ#=c`(k_n1KL=o?= z<);xln z$&{r4r6%vA5@pRJSSLHxJc2c|QrTCGypp|BxH*i7mrE4KzK5JWD=C+Hoylx0N&GsO z+ev+?fbrW?(^1VMSeAzBr(!8tqUkDRS8BNFfNVDD@g`NO?Q5VJ{(FY3#+#+jbLKnI zmp?FmyWvt%-?UH^`UCW33Pw6IAx(ewL(d@QtCA@pWFWJ{V;lr17Q5Fip!eHSKDWS| zsZtH`%_}YZ@CrqN??OArvhm)i-jS8yr{YTKd!tfMRzfuPU4y>NO1AJk9e?;h{lNbZ zABi!FT@+F{(^pY6WjePjnMpR2ST>t**^LtYMl^7;L@}Hpqmcq?t->O^nO@kHcW8m* zhfVfo!681TLp5;u?ay@I(wFv>>HmJn^8{}p|4*ko=;q>oyY0bF|KG;5_We&6f-#=$ zx+lqa&a>$168M_>x~#Pso!tcXM7>>ts-wHhqU-7J7P$(N=jx09-yq7z+swZxFAPvV z`F&vxJeW8Czm#R9BVLV4h1!)+KWIsa>PiBwd&&32(F3RU1Grk|fR>@+Nvu@~N&ZLU 
zu5RDXwp`RjV_2k?k|BW2mLOQQQI16ENUYPQL3X{*X$#&0j@V;w7uE}V zmRAz4n3oHnX`-+(DxGB2Es~tHDk;=*^D_4znTlrR%tN2UiNL~ad*r$9^P zLyq)WJH({A?sHyy@TWj5+D43oA{qj=P;(HBFZd(fQ8>z%xKFeV)kPi z9>j||zUP3VhF4a!Y`B8{l@W(DX+SuEDx^xWd*tPwVvIs6w$dg`(csKrlq+D1BDZy3 z)8#+nB*@)ZT|U861j^>}oYE-e@d(m6$tD&Qt+e>J;*6RkwepKh;letRv~3GaUT&=x z))FKajb*=QaCx2XtEgAn8V-xFGVwAh^WT;oU5HsGK_eRgMzC}M*so%dpa`!+qx6D1 zj?vWrwlN$e-|D7 zB}PZDnbu>IIsSL~Fn0MccKI-#!jiju7`uEJ;Lni{FKR(&65OWmv&YpZAv7%AQx>9J{h= zo!ewr0ugt-iu&SjRn=F^V?6`6atJnJ_!bzacZa0qhJMQp-Kljj_Lt6?$yJ?o{(A!%A{W{SJusTK~Cpj1}wu7ze)l@T~biI=w+VoBwOnZ}0Md zZRO$d-#=JU-p0BlhF|(xYlUx1zKM9n=LzDrSaZ!#ZmaHQ0=n}cQv>NyVcix9>jZaO z6+Y7u&HSL`gNXBG>L1&*)CK|J5pil3rSj2g#hOPR?UkeZJrxr%6%E*?=T|X3vISsP_xP*u|YXV1!c`d1LG`IBJ|qkDan{ znWG>=F==U-yt)$4YnYFFWvJ*?#CVswnpLf5Oa;E$2cE&!*ycFQjOW&|&7kTyCCFvN zs#8v7VjvCwke|`7MI{`4K#Z47zmQ|_Pe(=?JO9cscnK_20qR^qss~D<)vN-ku-gYI z^crFR=4lOac#M}6e;0>JndO>*;%szbi{i}sO}LbvLNoZDfAOP9{!1FIG%crhsR*^5kHmK5u&?gr~R@9DoQxxJ@QHe)5wpPb9uJgvm zSez#iT5begq$TAZcm+aC1%0w-6#OZ`abdldG1obavLff7BE}bdsm+4tERY?O92}dL zjQZ8sm?2aJ5=pO&)lhy{0pVrW2$yZDRUl~6B8R2%u`a46yhq^s2>vlufqI-{)X4Kp z?qe0VFqsq*gK`~eD*-$?B{hz&2FPr~;I2`Tre{SVjv7HlPZz0&=dG>Nr_-k(Dq!l-_ ziz5@nZDRi>MXk=}O0pQSMl@snl7hXFqD>r9wS$vaNOwCmU-VARFq;}c zZW4I!#OiaN=I5_s3Z0L?fGgHjOiT5@7%vc=ql8=~!4oe4T9yC3(;Z~ve+Gl$PXF7+ zvr7NdY!D{_dL|vvYGYkJ(5n39>4Fw|we&%&#^=%r^Fvag7v>8+t8QpDSE?Uca;r>7 z%wxVx;7(Cs97f4`a!F@REN`ll-(qY1?UC!MRNyrDmmQ(OFbd z`6V)R8BMi#p?s1HoqMa^p|EoJ(DQgiKMXe0Qo&D^E6FRMV%q#8=*e_-voDgotWNQ3 zsfP1}cAk7?66sqXk#EK$`saE|_5Y>2t^6;&(J-t34|=^_{Qp)Sexh&u@pKcX{Gw%1 z!iFuL<{N)Jtv<6S3)DH8$BWiFS;xD*vD7iz4p_QZh(bT)dcOptteztGeH{r{l4xbm_YCCzS3v?Plf3ZuJ^QTId!_>O$T#*>3$rw$fod4_0QLt!{ z`GL9|rzxU(|F7c!=MJIBDK-DUt|OArbrB)&u!qchl1h#DyeQe}5RmeYbXeCbSU!4(m zb7YbOo^9aR2==NGu~4S}#S^$O1#ngVzkWNX|MmMj{ckG|*Y&P`IN68-$e8ByYJi+= zD^);MqK*!z%E~n5zxW(IKaJlEyO^0~*$Zt(K; z%}wwh{Lu5mnVjeP*KWG+ru%NXThko}NZ!y3BmYf|lc-|eHH_POAG@xum|j}B(IH6Ar`_az|`)@ev> zrVgf~_k{VTS}U~{H4m?};Y=a@rwG=oX|Lthq-|dn`2}8o7{M5Y^a@Q&@(`ro(@3(J 
zFyzcTtxBh}BLn-=cq+~Gy7C)Q*#Tlv)Fn0V$LQC@kCB&7IE|KA8hw(MVLID)OL5g~ zI<55d*#j**YS4D1tZGX5RMv0L@WlY*95O*J8^PRFbLyqo*fL9%UNcwh=P41O6@t)^ zcIF*)yb}Vh{#kerYNl{$h+SF0ZJkT;j6lAox-L!euvxxke5>SN&8CvP72GOUw{mXP zm&_Hc^Od}(D;9Y1ikOIB=~mHVdh1@xzS->_`LnrQwF6q>ZAILvKLxMQuceEv#gW4N z;75{DPLMzCfY1Wg7?yB%Iky;p*0BG|?0<2e<7ONHtIq#)huQnzhVAao{@=>OEtP9N z*qhh^7Hso*_kbnqR_+3)W$Nq$r==;s!jctZf91b>`hGfoF|a>LXz1f!K=$i z#A)x<+W=N{-&h!;K6%OD@(hQ^uYq$J!Cw>PWX>EhL1=iGIb|H?U*Vl|wHnS|=t^px&VB zW>gdK`kQ6DovhtX*7NRURmALOv@%HzL z^LNxUtC+@qI6Jc_X&pw-w6JHgcV>r=)js$e;M)w0pV=p$fH{g0pcp{U0}zDh9t3QC z;|pG`;KkkZ9Ou_nc4#`h9H{)xyTViHI)deu2<=-)(>h`jt?~%&;qLa`V9hWYwNTzMsm-p>w z$RKuWnzq}8mu#Vsbt#(~P^_G<_%bERMKPw>#euoK=%h>49&qNAMn*~qt>Ie)l37G+ zr?S*rX{@p{mvrQtXACR#qPSJ{v9i&U#XGY{O(Nv_FyIO3xuz?0sB?M4s?67~eqM~7 zR2@C|8&K~7_tzbyzc0qX!-(+6ych)!0Ec}4GQytP=`?svhVZ4Do#J{6J@X`*+&mp) z4@e%GKsJ|gD2-&9uIQD#tq4vC3WX8v(>>L8juAx?qyIy2SfypJnZsy}(;LcNsx|^` zu2xu@<82VaoNq$eOJc6Lr`;`>nN{%v5%yX}+1h>6sP1KP{bi0q3sIl&6IF8DBJAyh zDUSI{!(-Jh#`}O^CBq50#~}qYe&9Fy`=KX>n{l6z1riWzBHL}55|&TD%&A8MqrJ>8 zyS&hOvo*M**X)(U=A~0`udn9p*E(A7V(iqM!Hql_xft+?T$}R51CZRKAg~#pag!-V zGFfb@Q7jiJAbU#AWO2%qVQJW)Xq(&cdGOKxs+=1}nuPrGjF+Kn)#H&DqVJqBPdF)B zXobJU(E9-fFmzFD&zp+FfYO*^$OLbHc-m#=mCl{Ad8>qi)@as4oW>AM{kxioKLWq6 z!1ZNB3RLk&iBMflV+LHsaI@N*iFB^%OMePibHoD+z*cd8k3GJ>`zX9aU3sfG+Zy;I z@J1GZ&w~3SSsWSFH;(suXSB^Yzb7Cg1xi7h`IW0*&Nj+YJ7Xj9ip7~_O`X6}Hmu+i zW*UP67p`5U(3xAAb@usGpn?pm+5)k)pIq{QtX5k-2x~F=%Y>loK*r@-HoAmXo^?gn z%xLBM{p;%D1qOo{{Sv@ct~!-Qme=G|I5+d;66b4dBLp)1X;YiA}}ahwqAfxu2w?vJNDxS-=WaR8iB!r z)7aRJP-Lg9s7@cT&ent`^K+$u$U1LigI|>oXXg|769lOI@kfJAJwC^5UX>Fu!=F`! z4VsGWt#43iSh4&vs=0cE$bX8wP>awahK^XLD! 
z(W`S>*sk%J^8XhMN&f6+L80f&|8F-}mjD0Sl3OMENde|7Rg}V!{8Jn$tf!Wg^X)GG z|DWoy`>MAB@I1|fDXyqyd0i*w;wfi`PR zlj{f-rJ$~}gJ_>wveoftR0wPDdY1+LWp+NLa+peMj=wR<4VT91xg25dn#cDP&gsgq z$oj#NPYJ%P-%5nNEwu9d40ucCbB26rbB*O7hW8e3z@DdClw!7$jcf7xE4#U zl&c$UP=`f@6vb2MqA~WK7AU&+Y`8`l)T$Ppbf`bW(!-wI@&oGfs(hsuBd}8F>jjC= z=1qjL3_<;9HhJU7GQHgBMp<=F4{j@hT6ZW8Gaz0;^GnmdPfF3?j&5YS}Y<;OVWxgS2tBgx>O-;sX- zKNSDc*cU^9)y^Rsgu;6Kn72;=3}OVm2X#PBff5X&38gTV)G9iKQgyt|qJqu>YxAWf zjs;TWytq8OJOcm2qgecDT)CKmj@_ZzV!(`nEIcP$0*6UY`gQnT>j4xKR5BC&2d(XbXqC0BYYyPtq;iZ0-s5sadqonoR@&WEzU8&eGu%AX7KATCM!K zWpyIQOz&VGFu&k~7IQc-%>$4>3a%k#HmnVR668tfan9vO)nzvfc-9G#5}<{i8q566 z(kYkPq2Odk;US8Y4k1qapB@nhlZ2}7s4VkEy|G*?vfPFcu0GzbMn}T6L#%8rWGtMf z5P4~x*2-a`GJ||no7_1D0%<~snBHKa^Rmfd))OPkPskeiSBwJe&%FXt8K-`976G#% zyG8*fuSMPx>s^|r3#+OM+H_@Atr~fXXhbRygcE`BImZud{v4 z=}D=e5n`pH*J~rp1lAsSHLHO!EBXkOg-Bc%=e#p>1?Ly3nkg2)1B!W8lFx7|sZ#$l z@}E3K16-y5^+q}UZ#3%c^uKL9*7=_%&o-k*ou{4IfI_#SL^@(xS1D@tVVv5!--Lv?`d_lZ`{L>a2MR~Oh7qNAYHLv}EqP$3pgwQjDqEj3_NH0J}?^CXA(8?z- zl2W@Ufl<~Y@Erlol);#yB3u9>my}du98H7P-b!7TEfD1zqqbZ7caw|UdJU>P* z4IcLSK{80)Id5-*=5XobBxbA)^$cL}7*F7YW^mB@;wwls?(vy^7@r4F~TNue{>c{*{OS7aw?K+T+K5@D}^P3`X$ zI(g~5<)~yUaOqAnOi64WVLTtzhjoqq0ve{qOo|$zWIMe}hhD|EJp??#_R0=c&^F)a%XafUAQ0zcM{A z)19sAg2Zh5srsM|td35o){rul(1uuFBU5lUq8eIAJVHGzLT0BTR;h^guzw~sk(jdU zSyV;iYR@W7k)$Vh*7K}ad&RR#W9G`zVrOo}1b>-t{#g~sawah;_GKuNHm={6GMUr= z0)KLFOWj-R?CsM|0Ikyhx}9wP|52~g-|2tbc+5$`cXp#F#!>7;%Kld8N4SU_V^1Ed z1}m=eHd!aaUeS^5bRiJei#xKAAI@4Xju9pd+QG8p z0?|22$W;=cwP>zu#z}xa2ksZ)EJo=$vN}lnqDnQkMRz1W4O5xadyE6$eOLosiAluk zZ5!#IaP0pFhZF{5?42YO6BjZ)6y8Db)A(eKZp^=?cQxwzYI~c+l zih*&T(pr4N>NOVvhtD&=oA`Vl6SO^;s#QR$27L4fR z4!r6n)<4)8sS`Dv6SbiuGE52jov z)2aUnI8CQ4_SVEv<(_&9o@xFn(+L-@l>^Jnf0f2kyJ`RgH0#o9+e;UUTuenJa^YfT zh19v#{Ej%8`l3*IRCKt>f%w%6pEL-+dZ9G{Y0p}$XB8);3dUg%6kIU=JBU#fu)m!D z*8$G0^O!!%^ZJOGbEkGMm&R%TB4%sp5i3X}euZY}(>w0@bN;`7!sdV4&7*(4Qhzl6 z_wUXBt$ytN*4`g>{!l+(I-&{NooTyAImejZP>yR0yh{iLOqhxQVnz+_e}*A|K{SV9 zvOux#3NCUX5q@{*GTjGUQ0_>Q^8oy{`PUYY%w*jG69gay3rr{*09}i;GT3GYAv+?c 
zF=A>EC$o@Q49}%hi69XnzLSS^Pe2@TU32L8-z6L>=AI$l7}x~33K zR@GKqR`VDQ-rB(Ocbha>~k~d?s?XySpJ96?BG_I z_3uP7)Mt$UZTH%_{9mK~F8+5bPqiosqnXNvE4@5IqR5@dV}2^6K_4P?%u|@CJi!e! zdrmHQj&cAAi0@U-saE)03Zy`JcoA5m(JW@BUxAKg`Ad zcZa+Azm;e8{3n717&oN;+LwfS;s83;DL!6?n2dBPOROV~pO^bIL3vo9WgMX|KN2=BUNZ+ULSgYclYX2M6iK^y5 zLGf1Rf3Kfg|GWL}ZvJoMsXzaTTKxI^^d@6SL?(Xur}|>#=wGIhe?=ODod$aXiSIUH zLg#vRvo_O|lrn!YdnqS1B;+2)QUcg$e1lW*S(zdO^7wNfhcJHF=a~p*n1X+PxBQnQ+P$3STU_b9|J*a=+kVRA zzew$Ja0}zvleYj?$^TwE7ysGm?Cig-Jl6g!8*C8xgg#OD%PeRN+?SQHr*=lSqK<6p zXpfz8N2Xg5&S8j83jxRndZm;He8jCa;*gug9sXWf{7``2!f*ub+&{EqPz%5Gk<_> z1uEt1$WC&91~#;krm^2pxTs~;Q`ut! zz>hIrm{&%;jM0=BW}d5jX+NWfD>UWzK)Nxa`sdU~fye$Vuc@oc2~-Mh=cvfst(|=+Tz)TudO?h)Y>v(05&?cH ze#(P_O}`)cmjhn?8~Y(}_JJc?Hs4tI5ggN#AezIyy=T>PvR*;* zJVDa?qhBrsFwFw$=W+IYJD&WTHOUQhSt)-I-|+di!hELK+QVTuf7vSiod|0G-pTm` zO2}A*PafkZpmT>FR$!xF-k}G5?;J)2I69)%WqKu3abnSO>BW%C0?EV3I4Bk&|-}!#45~ZBCF!Roc&`^qX@oDEzSwXn=)QdNkDi4epbn6eR1&u@odt( z?S0-u2qqW@*%TI{ZIuk#XwYFS<j6K1^keU>`CTW&5B`=J)PntEJ&(umdR<8UTzODM-RqgcjfXv z(|iffmNC|fKB?glus1#)T!_g_MM}m-_j^NwB$uOCnNvPB&!MGf3e#lYg=plK%v3Fx z$Me>7uG>mws_LY=r-G$k9B1_-K9b9p`Y!$$Lpm?OUGHMA)Ex5QzISrknMDd+P%7?4 z7?se6-?5*TH_piGg61{48SqB&CvR?i9v@i^{|_@}p40z7$e;fn4cj~a&sLtC|A&qC z#+*P5*tg;c5`EdQGpN)tV4A3=eQK=v5~l(m5`W#aeKaui8lObdG$JBZqu3+MC2Wcqn#oOfa3V-w`=@F`9}bfNcD2WQ|RJ zHI}Scp@)KvTagptQ8qiLqTxm;Y_#w)jF;)f#oWS<0#Id^*D=a7CV8udJzi;z*RaI% z7S$>nywn2Uxcx21rpN}*4O6jdUOISd+24=1zMp1$uV;DJvb!H)b=R}G*QNdnYRh%a zPVZ}#NH2tRvN#(i9}_v51*Winvb|!TQjIGt)1`=FfIj(zruUz&>{YR=r)1Nq*irB~cAo6)%glf- z>~Xp^Rok6qu1%XY)60g!uuplI1ZQfsTacRV242Mxc-x4At6~4W^~uvtfUS!E>W_vw z`>(UJ|F-hv?7z1gi~W+U^R3u_qA$-A41mI-Pyjv@&HPq7E1p&Q*K)D(87;N^0tq8j zwexg~9r#3KdCJ__`5B@U#3;yRK+z!=sGtdC3D$IPKNAEv~UPntffjY61F+U>-uz`L78KEXX`I>O<)NYQEiDaqh9eTUdnC_qNk8 z3H@IaB!kqd;-U%=DH;}64v0D`6a)^l=NC~z+2WW`Kk(^;1Dsh5qq*-A2RKXLL%7I! 
z?81l-u0fgtO+!bL@$wvl$2f$GiKYFlliCqv0s;0WA&xMBALlN3-AO6z{yhCUNF|`)yIqL ziyz*e-=3X+yf{@oa+t#8)L8+5zE~_y!jRc|kO+m6F%h51zPM%WRU6HhB5u|nz2-jpvNcDzbyKqy+|dF?$8S&>H&;Cgs_ zb$)Vod-?wDKW?usFQqhhI!=YMn(=E1pv}+eJ4&q|!+DfH;=gzRF2Pr3dAaF(N3W6)DPI^2_vmWO}*ms?JGp4<87#56}|DmIjh@Sry@} zn^@oDXV5SO`2A}CRm$I{Co9FH2+t}vpr*0Di1sO}$Ex)|@TbUqaDzu*{$Jz%*Y;?X zUH?1X-Tu#39&7#AgT0wWUxWK57JQ>On_lea7~h#fFN)DM#gQYfO}wTsrk1FCDXyqa zE1*xvb$~OcG?M=it3pmCNJrWfgVJha=~MHF0NPzR!BS$}zAhXrdy9`RT;u2(3p<*>V=8 zBD(S!B!@pe5^uzvX1gW1HQTFN83o1dge?J~raQpkW5KqTs1#>tyz%LdmAu*XZTgJ!Q`-{V&2XedhcBhuvW>cmMw` z{%1RnrT_84-eC4W4)2>#{$x*{C;F41c{2eplhiFLL7NIMqt6`2Wrw&d`jwnUD^THbXTKC>LYz{>C;D&)Q@CW;qS#+( z_iCnR8N|o3=;qKaKZ2g(V1l+a1)m;v*+7R+5;Xw2ZSd6OG`{>6x%G79j<^H7TpbJ`6Rkt5O-qX%F@@d8qxS;P-KXot$$J_U?10G>|M0F5+gY|#SOh*H%K2ZlaH zf$#b>;6bab^c@H=d zp~Mi}oQ^r_AI`=?2SS)qS5`46v(TK6^Ut47QuAWNypB~D8ERzPT z%Kl?_SM&ee86NDf^M9@6;rYL~A=|9B zzbME8Hw^v_wP3{bUdK(j?54@&{PQUjPju0T0Dpx5nk#w>7^%)dOcINz6qYlqnk_jN z1d*F)JbMRJ4M#5kYBbcTRaPScou)pyt&1SJ`20{S5)oei&tqNDQ zjFZ@N*v)^>n;m9f|r`k3n2wJf$38@;HUmk$2%4iV72rbVYN6eP)u8v6rBW27y zR0#>JKrB&4sQPb?{WkmCV7u~xEOx9FP~_oQpnDX9Mn)cTd-;!w_=TH+%(N;BSWW+U zL)_aa;39T0khsNyl7$x(d0mYQ%J+rs`pnP?=A|__OkGB>vf2ho4Hei=m*~IjD}ex$ zHugf+KWr^vP|X(vYc~H;V)TRs}Wr? z)x1r6ka_Vn@@~IoALtRWOeZLWuZ91Lt;&|b-$D!OGE{GaDMT}?QAH`5Vxu|=r7ys> z;uzG#EuDb`9LW|L$&!9QQGPP-QCn=K&Q+2!`7fFC%=ioy8Nle;9yAU#+4m2svl7ICtQ*VH@p4NS%`hme1^wO8OcLGn!Hd~!flcQ0V*-d{rx zMLuSi@##8C;M++8(+LWF%zDo}52mU7iZ!2Ci(wKVpZ~VRTj4A(K|-;^&>8>EPt)E@(nyqFX`|1snY-Du}&V#|7*CjySs1r ze;uyve^>G-?Aw)yxzh^gCf3e(!L>=fX`Y^TEuqV7z1kKh9v9rAHe8c=7Crh0x~E_~)J%&!{!h6i!icUs#TQ2J)Si zR4fdpK}OCc`q$Bhs{YYSvSukyd+DZW5RJiLn;O4RlOD3tf@~X1p-YU7W)Z2IU!C!8 z_3XLQOWPOSSq=qh&`PmbML?_)p}C&i`Rej_5iqP}+O=?(zI8H2JJyy#grGP)uo*3p z|CH(7IG*vNMu~r@icGIAe=l)@@Z1pMX}3s7c}?6$8}DCvmBGPd0QMl+l14l&HehF4 zG)bXkFFg{%uVG)2V{S1r&pRP3@cnbm^n(so4KV76X_g@X7#ioQAtRGGV|LLrjfEIQ z6^VjueulXNHvpk_@hrJaflEh6QZ-u*<)t24EsfKfUKI8>7PI(m_E&DWfc(D2$VAp? 
z5>pDh??<_zd}$X7FHlmudxx?;)!<R#t~g zTeLh~Qh(A=yl$8x;QBsrs08BxYK1uhcM#mUQAQbCYKlnQ0Cct}w+4|UR*u91dTohp z=X>pk^toe$YCS&LKxD$kKpD!eZpbP+P|}M{J;27Y-O+kvHc;a%C^O&DXI{*2$F7Aq zkynjA4u%DeETxN@+O=ujSYn-e7mF|6j$UsL^s- zam}V3@WdId@Zj2F`Yx^oj6St`IiR{2i3Ac34Ylt8M04;cjQKZ|?gY=76n&gZszss6 zdEwtvnAl6=FQOQUo^LNl^JUbb z;u|!JvR;t#cqw9OX+z-{gQFCoxH`7+DoznW(m}{joQ};NeIz<5#J;l;Z~=QsGIr2d z1tea=6uJ=$`k)4qnYbx%BjBcKFvb!h9a5Wws4tiWuO{m1<7;N-QXtpUjaR}f_8D59 z0m6g$0>bzN#b(N)@?LTbF6J;v0-sr~N_SszzZFvF0MS$ucuaVmt!;^Q#G4EWL z!EnK;t*%D*@t}5jy4OX8x=LYrU`l$db;Yp@Vr`Hb%_(uN>mpkqBp9@&9(^oILJsUg z;jHcnZFEKjW4Or{VzkMmLHQEtY8GX|6fy@AN0B(4-y;u26l!S-j|wSPwA(zJN4>7s z_nTyBRA5}5ZKa{yZnJ!<7T9ZBLsbkB2dJ$QfFicy1*Y$7SqBvMLzb!+UfD8`2J0Hj z$`^`k$HWq0SmYE(nH6Db3T%2*SALXaSA>$*)Y;Kgc_s(TqDB%}wUu^iKReoOdjG6RNI6q|=SCSZ@wf>hAGkD}-7n8bEpkPCe){&quV?2kK3tz( z{c(1pr5@dMegA|dt}fFJmGPR6+{D=*C#Mbvs~-ovHPr-)y>xU;ixzpw5vwk3$Mt=I zOEIfYK)yj~rlgO=VrDXn@)VOn3T~k1&QgelQ7m(22zV287ZCuITHnACN+3w@g3Ox) z(HNI;Ba}^G0%j>pXvDtPFiXkgsL>R$7TEb7Nf6mQ1&p(FM9Wn(de_RIUZ7 zdlSOzgOdd_l9$m36?&87y%xIp$zQK`Rq+@a?1{4Dq6Fb4+k&hJBjs;tmFv^DBw=jB zI5)1c&tAZg8UqLhdbOU4t7)@lLPZLE2t<7kh>pqmj~1 z7J8P-16OtbpTT4rM2klLq)%1+&*9MU|Jxs|QS-m%likkMkp%F&xGYlo)Asd{ zJo>q$F@(KsnEp8IhR#O*k{=Nu+X?4?zB@SEI z@~lY6`$(@_{APwDg0^arCFOK_WoR7JF%$%bL%UQpnG<%DL7~}xw z*T4@FNaAU_p&6{rmG_r9vsR=j`K>&r3Q4PCfyZw3kD`;kF*?TqDmwZor$%qmB=?QDaPB-O7Yh~83L*UF^Cc= z!+z)~&g|4%17s{isR#Mna?qbkJmQ;jpUS~2-z95DEr|oFy|WjW(*2unYxA->KS;jv zIF@DhoIHV_C5euF91`Y2YQlD)M0S3oqL$z$OfI;FEj0H6WyZWImNxR_XL#|sspw-c zqH89`?^zx=Ye1OFliY$@zHj8Tkw!6rS6<3dB!Dsl!KIMVno%}J1+QUgf$!}i_*RIV zYS=*vnv%mLCU%uzEu2i@m`Fs#L|qN0WcmrP^rTWyo#Qa12})VSuM}W$Jw|@om#hTv z;-b~{x*`MO)V+lug;5GgM#8z5*|Pmuc7z6SD`FCyUHCIR#7RfhoJN$-Wsz}g$z~CHi!=bWq#OsOzexOL%|IsbPrPpl7cjbUN8#0vixbABba#; z=wBBsc&!6goUINyjWj1@g;+7M>PGB17oc1)3E&GD1xcD&+=*=JgZwP9`+|ti1;`oj zOuAaFnb0XO9=1HD8BbvERwVKJTraBGmQKz1`+AdFd5l=qEHsV>DJt732HB7KR@`RJ zTx5;QYH^i86EmV*iK!fvG@J~k8v#mc2s^7lByViM9xJ*<#r+QnY2FQk5%li85O!Ir zjQ$7s33_$!gDUJlhP!)1?fz%?U@%VsJRw>c$^1LdW^p9`$ 
zGDz)VTem^{x`*_g6kvaLOEb4&3|)<`H;W&I8MnCB$H0q)p)V&y7LhDw+o9yV|( z60ez7&AsI7tP)nKoxs6+Yny~7&!Y5yoW$+X|9$=bfA?UxzW-mzqtJgmsgFYc%hH>D zM~8r%LhbPnfud7@IMpn91Yj7H{^LGX(0^HHMH)BKk0+USa_Oeon+DSK4Na>^|K2o5 zkexmlM||YqV)TZ9R9K$`)z6~zpQT)^bp%w<|J}jijz<6Yb`B5M^nVqPLjT#MKFSeL zoTKwQIsil`zp^0E?h$}{)z%Tf%edJDmvQ>aSf$OV$->rAguj4U9Mgz_MF?eC{2O$An4}D^{Dl$eEuvP2 zBKm}O$1m)UcxYhr?xAwy(aZs278xebb)Q8sH~`4z6}eRfeh4fv#&V(q8v8YWVA}uSg@JcFL9-N|MgL1}BAPjZRnY&v!-GSO{_pG^ z?62wnDjpV6=B-TG!5Bs`A+d#B%>4Rj3Su`+?@&T-{$Z5P5}1M@1I$<{1+JH%GzGJm zBy{RSKcJC*1U0T8rt+HWCB3p3kOWf1uj+lA||) zz)c_!U83`sZUcg^h(8+nz=vLPA7@I+A8wx^jfrv=Fif6-tswH@C%ItHr|g30N0+Zz zrvtu#n}a^YJBQH$<<~J-U%Zq8={b8<6oZPZ% z|BaH&1aS28aA(&Mz~%B-ER@P((etR^|6$&b^D|kmG)qEjoueP-|IZKeKEc-9rum=0 zr!XO_mk)B@N@+dJNZ?&0af*DD)OU>2eZIauH*?BALH#ZKpbp(S1P8_-cF%V|6!9;Mojd2AS8Vzt+Q2Con zzK97-GB?Yhhlie+Lh~tD78vjE(g4Zg-lEHY(NROwID{k=KG_iqg24+GgCGl8fx)D& z1mbg<7+ey13bszrbPA)4W>O-X3K&qsR$M9&L}T_IPXc*2OG5ez zk0*IUwljG}#;4RMt~rAdFs4>jMAK0&WDKgfl^*y)oLm0KorbDM2?uTWt&rl9lUbIz zi67FE1Arac9Swe^?O+Z5-@p0O4HnD%M4xj0e`j}pU)TQ(277}w|G$c-RJq~9IPKlJ zfuhQg`0oVzf$1VobrnLlP|9437AP#tR~s8A-#TUv0$D-NvARRaZHQdczFNAL`4_wg z#BM)^9&myv$b>Q^wI%_UwrEi`**mSs(Ay5Gr$Pb_8H_F+`NCc|&GNvW(4z)H?#C(n%P=C_BSnHngb1Snih6 zVD2CM%wMpCm+VbJW=qmOt01y&vX{llEUDNJfSjq4zcZ6k^0bs{ijNHd^yH6n(nUFa zA^=@*{QC6kq$OT)(BCsRa8kcz*>)yh4$xf_|koFh73&Tp=%$!DpiK z!^4lP_AR_W%GDSGq08gz>pw59UVKHQs2sp`FF9rxS8tDibFh2(4`)Mix#dOe2}c=rx; zBj9YRqvC+~@4 zvYWY>+657q!YNAb9q|6Y@RvxmOh%6FX0`;$?B&g9A812Yw)VK!kA^12g3p0SW*iBr1(1+4%mxP zz*j^>n?AjGxe&D$f@(8*&8n>_Hlf%&mp>_-z>hPSW~`zY&yK)wFeN|e0zLx!gEzqj z0AVlB_{%#-s&@fBXxCg@pffLLn(G#)sP^RBrFZr$Gd|Gh&C;oj9AH9Lc+Bs4G9UYwk9MiBqSH-uP#&xV4J z{V#62A0Ae~>B(FBw~IHY&-yf`E#dP>W&fs^%%T&D$kt!v4)rgm$i*F zuTMW*o}IsX>|JYIpz0eJ^Zl#Yci?UeGrkKzx0@vaOrH%wx0}X+4-?>Qe%40k!TGOT zQlhP#;12zUI|RBQLPCC$`0gD%o+$EDiS1@vP2Fi0h_2_sm~_HJQA7j1rp{9Pk}5%) z?MOUS>;1Tj{dj%x`f4TTCte2ChbKYjzHDV_+b7P*J1uIr#A(VHb9=yr+QLbp3hDHXKL#e;LCevrfg{(*`P zM?e4L=iNRYh(7;7*3*O2CsGHod6dX1@8vZL6HugrDrBNW198)PsgSc_M{ox4FuXZhYL 
zYEfWsSw)|Vd?=!}kSdxF58dRBZ`FAGAxQDUz6agkN!)QlBOe|>*C#*yTz&-Ii3O4_ zZSAWppgc{K_q)0%8iNaS3@#pT3{Y!hfU3tpa=0%0C0Eypz;}nDaU&H@Qt6}pzn7)UW1f^ECQ(5Z?FLXvT->Sy0;ew z#mV}XvX#Fbk4F6rHQgDlry?yTHkj(CD3$_$P3BYhFw)tr=?|&y*lZMaeLC9u2?rOxxWh&=d<)lR)hM9g3n_JPT8; zcowF5@d`PZ;nkWPEW;DyxUd{-g|?&|tioJO4z|EpNDj8ZSx^oxfV7|-tU_BT=#2)0 zu5JdQzW8eZ$-09i7@+Bvl*zE|pY8L>)Tj;-wH!=`f1-ct{I{&k|X+ zQqEmg>|`_8g4n6Cnky1JWwz_PD(mh}Q9jLK=B0hU{UjQs5M4Y+WH z{5!ho<`F!L6DQ=HWE)Jk#KLkL-`zY69{-zZ`YxYgkEQpms311Vy$#9Hy;l6= z1RU&OS>+CfEJZE-!Qp{rzmF zi;7(+X~ZRs5gV7xDuGn!aNWdJ7$%Jb+e3}>9p*dwSC1UC@Eeu7<1s#qpCr$YI-Glz z^>daDX@|wB^$xrfo~ok+TSb*`6tQoF@DLB8t(QQUIlN+}@1W`li2ri+K8To{oV@D3 zo5gnoEM|3!-X^a6#MKHsy&NOkrlo*{ql`2T#1!*ZNA89di#dKGk{4##wocbo!e(xd z_l>@}Q|FbOhURhw%!k{gqnPB8ZwJIx_4kCrBfq*sO=nY^(qdlO7jD$&OBM&`>=9`A zU|tcCNxFI=hu{^~6Xq)XMciOjFi#14dV){Z{y9h3Q#QEfoxnr zdL=;rS8(@&u+V$=0PY6LIfD{}s`?flFwO(wzTFvzvl@|_*LGk*n?>8j{v^CB^2{Dz z^}aG97N=40MpaX&r$c8uVRx_}6OuWMMh6pr|D!&Sh9Awv_%bc5qDPpCNM+;4o2NM) z$LK*SR78ggCfPMfE}19J+gohHo?%GTcb^0LFB#j7OeR`m@Ou+=csQnu(qJe}tIA4q zOF?)}M&2ghxJB+7tK#41w!3!7plRk^wkEs$G2FTF_r!3${!mbD@vhz&0u4uY(Ta;R zvyRqM9@>Uu&_`u5_ zUM=K+B^v;woeg~FKLu@x5m>>M?{&Wi=K$W3V%5{Y2jQ{jXJ27v)i;mp}V97(-bnyGvBD6HS<~XhTjf=TTbnq**<&#{)S`!TOb)Y{E zN){XYhRiBUPNcXh)us;^!>gk!=*dz?t{-zb?Y^M$tc+jm7QL_rrSNt|p^n5BiBV-) zWwsh@F$vS@!5|^@MsvWo3?z-uSpPwn!Qwvji6TOUWEEgR+mHz4o3QBa|G{u+W=qM? 
zIi}1q$&u%ws`JcBYnQA?`%?3vH>7q(t`XcYre!~TB6vK+jvzYSyACHiR#WGCd1+hw zxUYm8SaB5lQAB^qy;r_mc$@mP-Il{Kd-0Q_r@;aF_VL5Wx0||mL(T}7Yp?qnUxG3V8V_o_kB7&AWKy*BdX7Sby?0DiX_~_AR;n2tqa1^x^{L$%XiH%3VX(NrurnHm-GrDCA}j_ni?9k5z6YS) zuTDRO>>$-)EMs}?tg#2BaJr>pDBQYj&7(`2{(MXLy?gC>RFig9*qYibx&Rkc$Y5iZ z-C-_gia-K|)m`ZsV*MKvCu2%7NmximD?=s37Oig!Kk0`OcXxnw=NELcD1x9uH|xpK z>R_HKxt2pfhYZ?AsYeXQTxe@ZWxLljCo8fZ50eDb z@v_dz4Zhw$(mRN+&KU*#X`gnoYq~24Es=|^>1K0R>+;P^_Epaba5H}aU7VvW9Rkcb zsab#$<2xS|(mDxY@f~dmh#+Slszu{F7c=85@oY?zef%&BYuU$nI_F)+LU&SySOnMl zAnXPh=pYkjwfCe`S&0!AG`WHl#H`G`)S|-{Fv;l`)Kc2m5j@FXW{i& zE6nj#dYrBo$5+SbxJu53SP^IO?i~jXxLM=3ph4>oYbS#iEbqB}6NB03AlLpYflcxF zF982C#l`UhMTEb@E2M9xotI!s+bZvdi)2iJibe#J@iJ#plcIuTrY-VSrPecGe;Zoy z)cY0+ilOf;_JUJcN0`6w8#LkIcSCY=Kh2Kc;~*G8-JXCb3I9hG)Jf%yZE=yo0`>5W07}fH6e_XYa^k|57)rZ!?bA+jppCGRoeJaNR zBhr~~P5sAnmx$BYD){@nS_2KUVaaEduWRbm>M;SrQFk`-MK|uAzITkqb2UqK1`~w= zOece12PIh6V>7VPhc-GTJmedhD&pO6l-KvVtO-86y6M)lrJ(ANaGB%$RyJsEJ#K4~ z3{@MtQU0KXUF76fHjf7a+c~@b=&Jt`(b;u0t#H%P#6 z)%fITYPKshD_p)cEvpHH;KAV-^W2rGJG!d!8EsT(;Ps8o$j~>5F;oC*Y zYz<(iB)KeBw^~2T6BLlXX~ax2pl|f|51mgl2_EL>9m;G(Mv8N^OO3Lj$FUfkm3`3J zTk3dgzSX`0!Z%K_F93vg|AY6XYAqJw5VOH1|VREs1JaZNkENLfI;HXAA}$IWL8 zt7j9L*D+PsRdcnMMT1}1d_MN)0G&=x>MKaD86Y{ksJaC7Zt%`QUNaj$r{hAax?bN# z8iP*4ORAUrzpa#50K?HuJBb${@B7!>?A~qgD%hJ&?Z@jTpU$`1;&*#L)WW5b#oo^& z7oX=7_HWomGNqSuPu_u}$L>%Q6QH{bFj>(G1peJDn%!OKmA5TYG`wn`fyOe}h@hG* zfJ-!tAMf4u?Hd4#FCh?bBWOkc6Qaz00F`|+3vJ%qTNAdcRN?I{&L`Z`E}>u9{vqG& z;%FR~15F=1LSdDS{E-T9b`4FJB<#dLw|%7CJFQ(!2pp8F7Q%be#$9o$5nOU%+q;5m ze)10(TM81YJ6%clsweo}K8&b>W2t5(u}UqUF9+qNJ8PH0zx)UQcM$o`4b)p!RVNd5!AieW)q0lnPHK}}hs!z159JMFZNOtOGAM;5tPO zwK(7>EHw9qRZXQ|M;{V2+aO$tQEsFV5sdbd+=(f5w_fOD^@X+;RUWf(i!C|t2VouC9i={$-CCB_F2m{00 z`~MkKsXe8zE1eCl`qrhGoJjn$%#x05ZFx469K_|J`&`nbsLg0Wla#rZZkza>Sh4R4 zjb4kqt$~wSbAJ$P1_w@_hj;pe_={4P1Lw&A;R6m~0ndoKJA3EES}oj`JAQaNBbxBZ zMHWHKAflnr_yxLU-I?harv#>nroiMIC0BHE^8?DxY}w+|PP+3RdkXJ9>PV9L>hDP| zak(AV(_nT=6lw}tqGj%E?o8?v`rSeIc1C>*#+W=t_MHv9Vx}Ay{$Dl7lVV+?-5N`G 
z2j=^!7BEu;`hrJ>p~MI@N9+Dn#(|dbrE*5lF(r>0Sajy(=%a!tHd^v~EBhL$LA--4 zi$U~9*1ajmcq+(=*#b$_h4u7=G z^y*7}tSZkLm!?7U$w2j&M`tEp@znRj?XF{hSAQI`y7;{52`wlQ`7v5>8}X=_feFa$ z4A9l%v1zddz#P>YzvySQL%SpKr|d8kuG<+CX?5KFp1EfFicYYiHI7Sn-|>YmJ|6(N1)^tUj{gY2#}70}>tT=FdcbRe z67&0BG0jP~U0~BAh-_nrken_NQY5~D6N%Bu_NvtHVCt~Oa!kG$ugSMR7RDgO^%%hD z`I`}bGA#in^S%cR!(;oRW^JzGn;>SCcvMLez1YH=oMuA_vSPgl zu?I37lX(Ds%oC3iRYLlFt_0un4_)kUKX9d~2F;n0+67~> zUB%Xt+L*I^$3FVnUj9jw=EHJ)Uz6MEj%4mu-kurkYD;3cpT`96 zUhasR|6*W2ndYVHxk}68w?nnsH#q}T>*)ufNM{0kM3#3kjJr1=^nLv+7=R!QZ#JsW zb$z+W*P~-0O;rtS#D?_d`^8=K7{oSC5_R*lOPYba51ptFh4_Uy+rRU!ntgZh=0L2v zWD&u?`mFAQbRI#Wp(fnm@k}seIX@D^w}Ae2YsJ*v5Rk()E_c}mFzlpkMP4#kiksx2hYUaG) z$bH8Lo9*ozT|nj0PpUn^<&pWs(ggjg`=rX&&#f^?89l*eGIxN7(`QbrbGqoEo9uYP zw!N0IE`(@^bE@RzqY~DgSdsybSw>#^t7QJ*b4}sRdQE}ofBGiI;*0kJ3NInu5=8Wz z?R7|`^}6mCHac9u|D6+gr!}`p;tDX{DXln0Id3fbd4Y&nQz*>!-JG znZHg%{sQMmC4o%c+?qbx9mq@Ab{U6OA@Hr`8%JYS&&hCrbX#3L{&X$bvSw7fEX@A2 zCi(f=kRY1y(ekzKZSbLmrmy0)VO|5SeA@GUiGzCwfuA{VVi2m< zepD1W8(iKi*2`RFZ8AIZh9}Zpj5kjoq+|ga3E2%hu%>Qcii?Y5@Miz^lo0q z{S5M2lY7oZnajEIsa*FO%GXa+{qR|LqLW+mR3$&8H_qcjx98b^SvwOhvWdnFN1aL; z8ecPSPF#E$)C=F8_&aKZBR>D4l@a^9`eBnE$)Uh<_E0G9T=vTtQ_W~Ao^iw2pKP+_ za51gm$4?*?c&}>@EhQMbspVab@FfRQh>n8)uas8gGsfx!pCHJ@HB`NnqIeBDqFG#| zY{ElZ5~<$E2vKqAphDqaI{TOCy8L+aGoU6KYTu~8* z6YHcc(&-i|DuP*p-OPuqe8ECz5UpB5JR@}U?iG0+lKCo{@Q;X6d$VW{#xS8jJwIiJ zxtZ@kFfK&NFqA8#OnG5;27VK-P*b0!kw|C+csZ=7o;mtF2zz<>?X1K}6(3{i%n(?D zt0)@a(L8EbSUXwcQZ(1t~32Qz|mgLsXd^i{e@}_Id8sm z)-MIi9a`JLFmC7bCpc8zd%v54`n%X04HUxcTc)$}tv)pN)!`V!I!h3!WNjzpUB`FQ zf~!?T3Zd?*!NQ)6AAQcpYC!1;c2Bu2x^BY?jbq>4xV!m=F%hN@lJWo z_1Kf5Oj%R158k`KwQLl#XINc)*?Z>I!#a|?i1wpMDVX_-S(-@lH|hLvrLW=REcS5` zQFMHNLU_VV5z%27Y6)Xo_>-}p&$4SI`Ic6KwFHk>Tt>+E2B~{;`hF@+38f>$q5vhy zBgOQ*wGRs9MTgR^!(0T&0-9JK@_AxBp~aGxOej)7mnBbc!>_ujh!hOqe%F?QSKtf{ z!^?XS(p7=zJG-Stw>&VG3)#mJwB`0d#92Wz@o7Jy1O04Eel4=f$_NUVb&;rLnT(sj z9QuBSYdDw~wnh=@GLJj@7Enb{wNm7@jE3GeWrxJdl;mR072eVd0iW_T^S> 
z*(_<6z6pyMVDD&qGimdjjp*@^dV*j!$e*l{xr31l59qQcp?F;L)Cy|CJj27Q_IVGT0NUM3347NLv5XESajw#X=y$m|^nJ+s&J)9O$ylzb^FK+dB);=>%W z!7It)9Ng@ft>@RU_Oc?v`XXUlufGvg=SNbprC8dOYD@s~&`7URaZ{*2QeVJu)h*Tg zKq5gE)@pB*@2e^lvx}wrIi;0q9SURlMt!eUu{Xyc?mVeegoBh+m-d^k5V%F3=~wH7 z@O$FW7hvm9b=ZB%-{3^2*WW9>rrrS z!&@Ge?0zrclN)!!Mu{o@O+RkDpyE~5hKl(>KdjR4V02xo5UVe1lJlE!b}pJt{qo*d zO-Yx3_jF`XOUW5j;p$DXrXT$z-hP{(k!>aHpUTTlc|cYV)p{f5l)a`-329-Ac@+-D z(bbRY7{uE z%W&(|SfN`Ty!5Ng)_ncf4tB4mI@QRwjHUIEtXx7oPpmfzg+F@85ZDhoEGkr0vZD^W ze3Vl!X~V=MslfXo==gKEBNDB&w1tZ}Q&~4KQ$*M?!{tYUjAmiJse&tYaaki2+~tPL za(MtJb1$-EG}0iPjv(H`ib#V=mNNwW zA-L0)QCHL}0s?PHyI5T2jnpZ~V(*j_9_dxbxh9{dny6R_`y1g^fM;2hcI`sCmGSMl zhRcHNP!g{NkTNYdnl)d)z-3NEc38w&Kuo2CRqVzQF~jFNI`C!3ned0m1|zR=-QXoL z$$g}0L(et-EvSq?7|dFja~@v?5J8HF=S|EpG+EP?svuKs+(#+TduKt8he+@;mtz zt))v$d-E#=i-41Y4SuY~KPZb%XnPK6y1wHjOp||$LX1ZiMQ4PuJpx+2=%>a9Ekqgl zcm!R#qX={rAN4x(A_+%d_k>Ci1GBBR)-i7%w=n2^%kpb%xD2fbL>;k~0yb{ckO6)- zT%Vtmn3_d$#O)gvtmdh2pqfvAcY%wF_inx0(l?46_nrgNNCmS@_=d{Dl5zM||2ZKV zTL5HCwrY|wcR*U6(diaNhtN&J)5WTL+D%^zY#$JQss zxbHYG@sb%Wjzq%N;K%pgo)+LA8RQLDBu@n&YIX6HO-qQF^nHB%?ZovFnxFfd2nPMXemJ38xB^o_>ilf7rO-GhJX3N+jzd zc9@JV!c?iDQz6DiU&c!F4q*!z`~jOC7_z|{iUI!ht6ZR`Re1}EewO7+YEli0b zF~A8c4+?_sHtbG_EnjDFlrZt_BlE26p@O|gSFtT2N^M3_{#{{jN=8RV7^`KN&lmpc zf`#R^8=?4Eb*$>X4nZSJQ%1)xg-okBt24<_Y6y&5r}a>*(zBnv|;$HHgWZt?;=C zy#x8q*)5cgoG=#^=4YDk_xbvq6>5V;MRTt+e4ez6#k#QC_z-6-57O|19{o4Affjus zQ!DDZ8iv$w{rdQmWQ{u(oAdZDV!;HSbQWX1x?etbaej2FKT9w=8Q5-aZK%4uOe6{C zukwBk@x2`-5uKJV#-w>e%JR9W6^={8u8_+0hm)MVio-D^yMnh=;D9$1$CDO~<+2Vh zolwsao<|m)@vu_x^x$CWflQ0fW+&;DcCtbZpr@Ed6}xDMNJmhv?$vovh6V^+m{RBj zSb8##q)p*QljIN0b%Q*36w{^C#r2_!g^8avN8Bmn!>WJcHy5KH@H2W6jDcd2FF;uT zPHT67bIeE2*Y4g8h=Rn9E}k05PACi99a6?|l*3}B`)j5_ZMn>ggR?_HJa`FXc5>caK9>_pNOaT}Coan#8UWFx#8aB;{*g&lsi zw2s+lMfZ8n_u(oql(KPr+74$a4>58*H6jWAWoTR!%*kD&I`&~dsc6Qx_m^DsT+zfj z-MC#~vVi}KOi%k`{)%H<9pgyKBICzO4#HL}{wPSY`M!^afr$yYr~H0@GPO54#cFlM zt?fCFX4354Rfa)NsnQ!o9lPxv4*!<$V&2X3MeI4`kRZtMnPiL3F%(U85T5Yajn>JP 
ze0Dwm7j^HV%WoAboyQ)!$wY@h?%X6c3?vs`ulmv1NefE&^Ey2fH!;Pm6PKbMdGYx^ z^BXQW?)rpm$8Y@>Q!h+D<@;jHD(oKU`c%OA*(KT0LvBR>*Eh&yBl=CQgxJxo(W=Bm zutuHzcK*9KuZ^h#&K5nzWAhoa#NpPShbq&bE8a1J#Qr5$Ha=x`~0dB*+JGI>S0 zI(_nmHcMRDL4J{oAXXIRwL7lhf-PLv7gdbu%)qjs%Q5U}tUR|mo zA?VAOONXzO97!$-2@Wl85aE9%SF?rw(UuMRHpp0Z zzgMjmk6JDYJgW@u4gzFoo`o?+HzKVbG?hs3qUCE=6t*u z?~^=F&7&xUlI(vfYoO0eejwSyi!02b$lnxeysfLC%L5FqWN#$o!3t@E#~R(aJ)Cbm zqzTZM4DYwM<6>T>cM;Z$itVaa%kRVf`TEaxr|ZZ2|MXnI_o7dS1oEcuxl>~NWOVRf zu3Y9kLCMT2BgkitCeyOCcGP4)=D=2f6QBdA0A_ipTM&r8TIioR`-eOBQ1HJzfcdB! z`2|3cUV$R$LR+VVvC%*n=75%fbH3otxcUFtctWeU`wMd6qaz}om}w)XT8Aqa#uE3i zfa+Lv!u(Id7#;mhb9%7|WEC)MR#7;ym2H(s(cRhnuF(eR@EH-_cmw`FoSw#?$5#;W zDi-1U{H~qGezJ!vAhM2q3cw!~^DQ~*D=yxxXrvhwickF_QrvCJeM0byTE>y|0Rwm! z%0QS9H33`xBuukXlSB&$gyEk#J#-LWc%wM{bpjknU|&`C_1ZPjjr*CAP2j^>FbdxAEnW#HV~3gJo^;pZSag4rB?Ra+`Xszb7$8;p_tR66H%OY02{BZIvYaVSJ?` z$qt%VJi?9h8zL-WEAo@l#ff~(he~as5bL1K`t$5ZLJuKttS82?9>&Okt&p-`zR6BP zllGB>eE9bAP@ix(BbBp`-w7U* z?sv-b`)aa?>E$0g=$kO${2KbCZJoMA&XU7U(>E|eUvF-#(lJTsWl16 z70AT_{KCs(^XJ`O4~x&;kQ?&`JddAx8GzdVZE5YkD6kt^Ke2Uu?I<;6!xw6_P0^*W zbqoH;#&>61WaGW29){1ap1W`yVFjm^G4Z+XFX3$YhXVaq))?8cz}UfAY*`Xq-Nm$z zBlJu0e(E}NfX{^p*ZbzmCjT+83Q-$E$~ksGz%Cv9PfA&s_eITbrm2r1$KN=8rt43( zVzQ8xuBfySTK=`d5ke+Bwp?xBP6?k5UfctbiDjXJB7?}=VQWyYk!k&L{JZuXh!}eh z`(5n88{_WDB_aZ1zOx`~2$mCGI46e=gSN_9W$O8K^AsXJ?hN2vH%F;;%4c)&`$nWV1E?wq7itB(u5&cr@;8Vzc=)|jL2L_fTGPl1#ZNb;Z3P+wg zJRfwkMO~dN?c!2lK7e4-os;_TI8uVg`Fi*Se<@(?;o%w?{~-TKom4}z&i%bO&#iL#ku5{j3wNv=UZ67qLh zub6hydgn<>FpIUzhU@%Vp4F=MO2tH|K0 zx>QqM(4X!9%tt3p+lf

bAshN&*+n0+(0f@qlN|17I`*Aw=|ihW>qd8i6sq^?mUX z2E)VHl_FrLN`pyz4;MVE8knj=U3a&1Lab|@3D%)fNrycAXQetP;fih3e8SnhlKJ3c zGo7YByVooG7Y0fgIWE771qbkqTAUuR$ML*++HD~ZRQ-hjlIN&T0#XJFSixX5N(!Z+ zlt=>E7@7X5h>Ou&7sYtE}T<5e}j^&FDG_b3@{{%BdM2?DX@WZ*H8`?or zBAG(ADtveY@hs@Z@4$Ck91#2}Lkv0+IACmk#4k`$i$)bgO4;ux_}5$7ov}8%{00Kk z)`^`+BpI|;N|9Dy38mS-+g=Pk3J$wFF17Q9Wb~(snmK5rUpFnpEAWupnx5f?K9ZOw zo_~Ojd-U?y^TFvPbF2e2n?SHG%KZ|69rh?qBNycB{5{@2&L)+7G0Xg4B(Ih%4qqfG zb-A;~#T_5nrvJAPt9Eod$mCQvu4vLI9DTTUjW$9x+*(M9dwhA`{Mo zp9ZTZmi94#0hw%>_4k^81KN`!Sl{$GVC%xDw^`FE!7nezwfkD1=yF-nJdKhNd`3wt zi66QLMam|#^<1AwlIV_CP%UIKho1u?p*@kFj~@lzH1|F<|#G2n2c= z%52IOPG-=&DD`UXJNLr0@%W?=G%H>-&)LsA|8iRF>N`gp1mz1S44|E*_kdK<)^9ja zBrJP3Z5wWOV&GJIlF=RM`yWINT9P%6;)?#lA!ijB9ewHv&b4605DX9IH`N9}}u{EeOe^tz!DS z=p%WJL%}R8yQm|7K_!fSo>BD&&)q4k`gD-G?&w-9;`R0PKMmboQ2L_Rr=46k=P5eu zI8NvyhQRvd4n4Vi*1@tcqvjr*+L9@|qxAI_w^~Vix$(v7)zvxA)vzKZrvX&gcNzHJ z%5#$|=aZqv*mG1@TcvOVu^2J07d5nNqd6#D2uVB#+?qp1aJ-l*qdjk;|ES*Q&3uqU zx}n97HhMUU3Uk4eWuma%&_N_Jj5KUDA+xCU4eW6^&uH75r=%3t-S`4LkzP~8y4aqq z6s2-=s4pwRCd&gKh7AKS)L{ZgfAa|2Bbk0cMEj`aSCJvlHUA_Sq9+$b&EJ}ine3Z* zn6_r>#^2;f9ykEMxFhjXA$VM|{VHjI?2V45cGj6nN?;_=a?~TM#H;DUUywUCgs*)G z6gMf1yX{*9rO!B2}9zkp?QR#DWT&vW9K*#Z9 zzBxuR-b0 zbvrRR5yOs~LWLRTE_^)^L)7`fQV*Y6=M!x#aeJ4DW53tBUV}3!!u| zqc`44So+iOsUfweTVDoaJyTUcJjR|GnUn2o4}sByiK|d+({{!$U)X{{QGZIK?&0Xu zB7*<4(Ho34XWEkd&wzY8CcB;PD}51|;yqn9oi+S@F6|chZ8@nQh*=(d8gUENS*75V zR_);g7TxD4+qsIH6WT6v7ghOk_bd^Qy@d~)==mN|tchXP1WNCQzDueyt=uZPZXuZCE|W9N)}tou{Q+tsc6|s3O>GEntl> zNK~5tx$#70>JKM`p6VTL7_oWGDhMcXXJnZO_4xiU2K4wnX)x*IJgs35@3at-N6@FE zPW0b|+Z(LqXVpM#3Q1styoG?Pv*Sd?I-00rlxkw9-LzLs*Ww=jr;7=sMrsEwq0|K zmJL6-j2d`+Bhd`&pJ3Piq@Na~Q>;j*~#RAAh(TOe@vkj!>m%ct!LDPxL)ryi0MXny=C7(_#ryrt>l!X5c=hgwOyu zIf-z?1>&wk&p!Q7zA0S|TJLB^84}Z|iXu5z(&46PHnievn2@&Z@4ocrMP>e5ZJ&s2^isB!=GwBgT(iQG~Q~$=2+EL9POScR`mI zmA7J*2QwFdNL9YwF4BYhx9R9}DD4lFwTQOV_VSU2`}@P6+$@pr9^`qd zj=>RrSFC+-ufI+9v0>ui9Iql<6pr{O)_AQyx+!Uvvx(m+UI2pv#4u!c{z6&SPalUDifN zm;+{nq()+^udix8J4KOj?@K-L6OjCx1tk;k9%vrh8+1 
zm#gMNLYv#~XRj?f{93yrx`9J;jM7NnIycT$_tCe`s>+*1>;9CIIO2-9+bhUJK{(%Z zVlAQjvwhcFsz_{7-ish}Mdg8|*}0vR-!#c2b}ddoBf8?T$2^HoC%5=h>HGxlgtn~j z$`C%C@50&#ay4^NJm)B;xT4QWm(gjY7e=C%!F0vl_ED`0ifL?v`GY=Qf}0*AAjG&X z=h#$PquPqP!QqBuVj3*R@aH}F#6H4IHhD8Mz|IdmT>pzhp5c(OJ){Z*I(tP{o`b|l z=-h1n{R@zuRqO)Q2QyPZ{;|`(Y!lRj)-GoB>r548%P4Uly1t8(RS6+Ci!XMjA%cHv zqD>=I3L*PgPYw$Fo4=UKF$iUjM||em7EfA2R}HP=zfBW18+>_wUil6&rnJ2SGF92P zZvP>yFQrXr(L5r&#It>{M=#%7-FIP0`Bsrtb%AQ0g8lmHf!E92s@6a!;qdXrZryGq zeVh&Td&N%fB1S48O)wwW7eC8jr$67NGl^Cd6`mqlelLum&HL|jeKNdOr1ii^`7pRE zoIE<kysHpM8;&=IW9;q{oZ4LPG$X|H)F`msAnf>V_# za{y)pq$D?YIR{#khjny*g0R6 z)p^Y8arHen{1DW|Nx}i8^8)l|o4mhm5>?$pWD^ayVvkKO>ChuflgWEfmUsUwpcm!9 zn@1xq({Hu=+&&TzB1HAG(F5?w9}zM99S{Of+vmW%#2-GosX`HF?;+gRxT*s;-ruzyPIa?} zHpcE7AnbL@klkKXRAk#e@8|f9yqUq9_yGC_=x*r(%jZFbxrlsm_pM|edA3zapz_6?L ze}~dhNVCwfkAi`k1$IN0^$17ZjKQKjI-QP-2hb#xU9f_;hl@VwbfK#$pLecrndy*g zx|&&iVILf_mGf#{NxH~vdVJbVBBb9Yh%R@S(f>eWYvWb_e7c8`r=k7@?CEEg(dN8!hl z8Ulm^r&hl@Nr==t;pygaIk)b%W4VRhR^Tu9QUMGNvM1&awKMe@?6FeKgxrvzvVRw{Cf z)t;ZH!2-zZJWiH3Wx^jI?YoP(KrkjEq^}d7Dm?oPQehxTSV0(wb0I3rl{`IGI{IaS zIF^bYCSvP%p?8Hr=O_U%Najz=iVsOn<;79Y(v>Zp1wA7}m7E5_S=ZAl2JbqCwkvF@ z^x(B=px`{YAtDPW}Nq$7h3TLup zo849lal>l;O{h!cz}%e7+>5j(u|4#M?B7ZD#nK+&h{$!14Xe}*`GfQa zQN?HX0o)w|9UYH7hu%+DeH#r;mU*ve0w6(Qm86x$7WPuhaP^6If@e}x{~Y<eh)y7Ax8HY5LWIpv2IfwAvfYu~EdAMMULnX7 zzk|&o3*2Fs7QlstT0FvjRw`m3VA@+rHwriwO26;!IVt(OURaqqT~2mZjBdOngdG>p=dBJ-%` zJopAS+8Fwp?~09u(1k|s5Y_|u*)tNME$12aW(r%B*D1wzi&maEvo>COB<+mIYd01i z|66cW0*?su^UDtdya}<6AP!N9>rU;-5v#7BI2J`D3JUO|TkK2|jE)T1d9($F+OzCr zTkgZFYvZw`xM5Jo_Pz3jd_9neXMUE1D$D>BZUXieAx7AUu~*d@s$EYslB#;_zp8DN zgZ&-<8&h684v&&X zl}~8u`2hkLQXXh1%Kvz>Q*?5P2n^E~E)=XbInu1=XuFQtwj{bS!01kpV5sV=Iw7nR zd-=syuz^F-6$a_i(n!Gb+<0Up;tzH2b;~yz!5R)BwHNR*d1JoHp=%kx)Yh z8TrktUwZl~!{&>Jb*K`|`prw(c8|94jP7{SZKc zdnYI;|B5`O&d0dW_o$#9iT;>2auiQxowY}9NJJdFr!r)DlAg9WJ<(>`QkqjwVMaCM zc(3nCRv)7}p6xT5bb;du3TGPKXygVRSI1~|mhbASB|Aj!rTqD8WD;e0rMzJ>TPLwI zF;03-@31E9=n@zLC9K)z=TJsFsE;OFf4lVJUlVwOy@bId3nt;erGI~R-Q|mXqq*8V 
zvX-)LM2=m)Cp7bbmpUr0@t!i9gB7zGh7ZKVH0knQfpgZ^m$3Q2_#*?-x{w^DsyTn; z?8G1!0hsfD>e_nOM+}5rg#%J(o2A--htEjd%SBN?vuVUli@B#m|3-ix&`E#8d5s#e z2g8*(-Jn)$9=W(4aO){y=g8F*ewP_rqum{qnBFF(Kf|Q~aU?DmIiG9nsB!F{eJC+; zCPc&*?!WX$j@2NxWNbym#FT>%GD_?j@bd ze((r!DJBgLe%^*Og0Hcc#hwh_hrH+!Ubv7x`{i1@`bonX7v+(JA6;-EA4nh#U-8_p zB`C+B{~rL+KrX+Nm>2VHUsLFLXc}K8XcUA{?IQrxS^jDkWx*6OSyn0Hxv_f_gd|6h zUfK11{S}_tlix1>Jh!}mdGY7@>6P}uPf%2hLyXd^kfoo*jYVV5+^I z!YNAbkHG%mO`v=VgK1CzWp6Mjg!A(&8B7?=VFc6kGC?=mIKxl*P7%=2bm~UN0Cs`r zX2!dIHjVoe=!V(kUilbMC(IWxbnivxnxVQN@g|-n@a-gl=>&!T5!hE($czY8()XeA zT~Cao){bEkAm83LUhctnGA27MjR~QXv-k;&$iZN#WwKK?B=UG!``86e|0am~>BQ0B zcRl^p7i}n5P4LSvKb~H^{86WQXy#3d2MYk`O%UbDa>mL-Ndi4$&@1s?kuP&)yi^p-f1d>@yc$5D@(8{mVW1GXXvEJY~a>jx?4!CY5aD}bK?r+ZZd+1AJMHmMZY zbm7Xt4(Jm|X&(cQD5u(a zuY;qw<01)oco0Ywb6$Tr#O^$@b$g?-2fT%B8h1%dxnl6yH0DPo?Wb~;)UQE`gJC(wWsGLzkLNhT3YRm`*(Kvx=O2`?N z!ZDU|r>W7>87pVt$!&hj0=)58Fyld(wgn%OA>G(XfyQGy9X$i11Wo_PorYyr8WR}C zFiCsDx=KKx+>XtJv(r(qOrYxnypV2qT7k1mDg{kp=7!;o7O@I`G_Yl=gV&Y-{PIbq z*V4kVYu7`7ZWM-}NtjzQ!U#5=c7R%7Ke((PTUc$_qP_SwgI}>`@ zB@@}5B4#W~va}~6b+JiI=N_}n)Q2)R*}{eR-0Q_UB^`SP#xOGh6GW6gD1FDn4A}tB zrZ+Ir`W{ozN>c=8k%x&GPrg4bfdSQxSvjT*Qa+lSW!spIgAmi$Ypqd*#*i@}%N1|g zoU$kbqMHiJkbuRMkbN((1LoFSKKx`>!KkD_&$TaaDpI844w?}#a^&C%`WL}qEQaP48ZXI_9z1T5Z0{$$&{SH2Le~=e^5x5#Y)>-1hQE-d< z?1mGBZgD3xW8>sC^p0*yV}(cL4&D$c6xJCLsje{=(zjsv78nZQL6z&o0eF-D0Z84(MnM*&&~osR zvN9i|Ge|c6$aJC0LH#_afK(0$C18tO4G@UDDnp^eUJIN%ox;*;;hzVN=4!=<%_+nO zvydoCvt;IF;P4ufA9i7 z(cy7Uxd}YRhN$o?TT7h>Jd77FE{?#CQ1AHi^7pIP`Y_NHQmclAzbt8v&sX&{mR4)lD4*2oxh}0%O)YbyEbD|gbm$y9 zz7ktiRgZPw$p@-IW!4QR@9_6)_*|m@nYvLhf@y~TaK{bu{pnAI{qNr4;ZTqNuy?Tb z|6Ivat(O@J4n-Zk7JqEwv>Dv3&`%l*D--4hPY@J zW!FlW_P6L3Mv8@>8pi#+axg(dBTBt4u$oU|zQN1F3j0Z=)B*;S)IicOgKWb@QZ>+g zx)zk+-Fxlr+9p!(`L}QF_I(;fRu0PAD)Mh;6?sOF;~*LXan2OjxNY7fZsbjf(oB>s zG8WsMxRD>i(}Y^9aifhN{~O%^aZLAmy&p^L*oye2G;_xo;X*?;hUhcku%fm`3_PC! 
z=Rf~bLX&a|WjJ!bmPXh!2FSFtU}rOM<2bwr-7e-UVA4$kAA)Xogc1*SJ@o&x_wUPX z+*qS1zW?S^;Kw*yl7Av~v+UWL&+~0XauUthvPx2t$t2lhup1;1H5)wuS~8QFQ{QWx zs=ceuvz$knCpm?MO9Oo&n-nG63A?5y7Q3+kEG(=W7S>9K35}#cz21o9i1akcp@Uu2 z>)pP5hI%&$98O0&J0mK``9SH6J4&2_!YFp!(m@o5L6wfH`Ek`FT6QcDAmJ9KisFEF z(U7K8j7eSm+|sM0b0RcE2wf@e260oEN&yF1@O|CRu{hKUDyj`UdFC~=l~KC(V#I||s#C}DY=Vo7gFFB_p=&oJtj z&v!*JYIBHcJA~1AV_xmjl{))Ct2ciX_glac{I+ZO(w=933@a58E_=pr^TBr6oH5*U zoB7a}+-D%T(ulk)0jpiV;F~$C7fsZdHOIvnMZKPC@N&u+D=4nzT8d-%LH=zFee=h@H9qbv(f$IzOf%|Cz23AGoUCL{?(B8%7%TRvK|oY8je%1(u)qXf0324C1AiSGCpX zT_F_RK8SmAFm;O0aOD3)L&|HTp2F6@-QbDez|(^N+W_aKMZi4%zyEBv9RG2!j{kU^ zrw#wNA=!(GfJ$7v#~I8!lghdr3|}J+&in>51p+PZ%XrZ9sFTe z`kW;rY(rm6lu-ZSBtgpyU*7A{{ua3_`e~51^K@vn>zk) zA$oRz{i%lezbU?+$@)F0PkeAb-!}31e)Y~x zX$|Ub+?2U_@e&e%cHb~gkQ_r^QsPJfb6uVlyWIMHbUmg}nO4aNk!Km>lEnRLBGhuK zh*>gei5oaGq?EoIvzd^zjOH!0*C-_eiDsAOpJmTbZf;814w@BFwOHhLwdZ5!Q0{4tGNc> zM`-hNvDJ0hol(xOo%C}^YaFC6`1BRRSyB&hyS&JA$OuJWftOJ5A*!icA;qGoSr|H! zoOko|1ItBNgVs_}uUMl@td@mRt5Cbz^(%2KQ9`hgZXuv2G^kq(vjh!9x)|y{Ub(%h zr-l6IESKZ~>;LZUSM9&uXKVTYC{G*v4+vmE>rWF+olJ%|CC{Jkp+@X_AI~)XGyq)% zOSdQsTs@$+64yd`Aa7qW+){tDJbk*6@8=7U{NcQOcJON-->3Jq;Qv;qc_{zi{@!8L z|9ALo&Ho?cY0Up70-J1MldR4d)9;M2W&fyQ`d8kEGr7JfvY9;z0HPq_jUG~4*6(^Z z_Ll8r#Uj8Td%5Q()5o@%Y5kOz;Ql^8huPnZ)6XKhwSD7OW;qk5valh#1M9~6Lh22i zaz>{`krX1RER-vADaLqS0s*_jmW7 zm*xNA!CL-5%CqYHuZ~#iGyn@zs{r=XIu#)Ja;6U8#;F8p(X6Zm*f*`!fC7}!1HSWz zyFx`Em_ViTCRM<-nyCwXS6YqxD+9&IelyyDn^J3apg_WM`apGgXD9@2r5`{eSX<=3 z_h*Lu=VU}7?H|hs$C53b0BoN8KPbol@9)0YTgU%D$}?Z0yVbY!;EOWvYH8&=%V?0! 
z-FP-cR4U>tkOT+Pcb7}kdXIO1Sz$5o}%vviW$7U!zpAv2hPb-WG>@~ zZN(!4fOj-W5KbU*0(&!6j16UE;dft-3;XO@rQqGoa(!shRcO}osyz0bnZ7)B3e)|)w zS)#90n}s8BAD!4z#RF3Oj941YoJq5QDi&9l3fTE3i?JjyYnKwal>fV^qOX=hqZV~- zQQ>OJt?JW_p#;BO78&&{hI=~w974ft=71{!_rcxj%WMU5%-rfXfIzu>=3m>ps0)3W-0jJ!s=LQ6k z_Zd!O5-UpWa=pJ`Vm-Jqt^X;bo?eY`k!#X*x?yx(8=n@|Ziv>;4Ee7)*1e_w{Q574 zhZXt%YllbI8Ksz3V{BwVrlD~{|vEP!jUiim7K;Br9|_G0dOcfq&AMs zasp#FYjNqv4wrkzvCad6leeymk_aCX8I4K&HnYNGm2zDFW2+Er4Kn-=YYhjyrwxKT z9B3Er^p?f<&QnOHqQ$Xl_dZK#L}fBXSlo~Rw5R7ZU{9$6Z_`(tGd?#&%2O1?PiTy9 ziCMuysKA+U2`N6nn!*rg!}7e1PXT7XjqV5%W0ohe?(xr8Z_i5-sMZR1+M81tO1=CO zDs22&u(UeN8ZqS7(UPPE-ShLXz>F?9$uQSq8%Anl>LMJ~>o=}n_(FmGj#C{pU`Q`e zbF3m`hEN{=46RCu(VjPgv{7z9u}OIg)#8bz`Rcf5iET$e4iKc%woB8!^pl zG9$PJ`~0?8{LgQ@-azf@ZFyBO%fYg6C0mU{7vcycgRaX1zk@gkI3<;WBtu;bC$J(N)7tqKDyE%l{TzMXYP$~SX~yN&6-ohxpH?l9vi78&NJcl-paKeWl*wcEPi?>C4gf61%7<_+dI#o}S1C0vz9xXtlWGqDPw3g4`Q z0ei@?MY9FcdB$4Tt#;Q#q0J~#(86pWg;i(%RWWzXmMfj zNK&a3p((oKEFJZ$Q*RK(J~RKp5bsY#hbGED++SeltAX{=RX76Od9D1eWyV#*mK=|1?m9p`Jo`|iowO3W>qEXvlJ z8QVFwZ1+$Q|L0(@TK{GL`8xjpQ66I&vh>ev zfYdU3SNBeoaD*FvMNN@kf1Tkeals!R+0=MStPRyIT(*J#R&yHj)e*R?)gQ=|6}EnB zZTobJc1InAgc3D*LUc3xm$DetBo&jNV7ZM1Aufd{N&9#7hGrzDxX<`#NBy;03A@`yUot+R@it-{U6L%p5$U5-Ti#eQ{h0!xlePVs4aC<}SuoSr zbV8*bp{e4@hUP1m`xE`l1^|W=rLKjb_Y_!@*ngNO^FSA0wgZ0v;7v;KQ-b4!ro`0% zc$;b88j8&ued`L|f)uqaVU>Pn1I6g6L=y^`K#t~2W(nH#$K!BZ z45-}u_20HUKf^!KKXN7^gJQ7*E$CpTc1PB>t=Vk9{u;EeeBlkTt9N8qL2BA_C2;kh zc`)~2N;7s^31IW59?$~-+O)sQ5bMA5z&+pH)uV(p*8nU5{OezxpV{Ers|i(9gaW#n z&&=<`$p49yiIht8tRes8`uVWW9Q`lGWWrKG2x$!@HFUtDg^SyQcpGSE>(L04z zz9MpU8el*;kE{c7a!ZxPI!h&DNeo&Wjqnwbo+hOJ1(n$lXGt=^(T!GyIF@8I)nMG@ z-0!MYE{FyLx}f&XC@m;svC#1nDY-)|C8EEGI#R;qsudDDfwD$ofA_@eC4;g``UDB2 zY(1t+0<7+%vM|g6=9R^A$5yQaQD%qYD?_f%blsRsBi#yz#5;PFx&^y-B^Uf_qyt(UI+z)@Ci*7r=;?a2(pd33$9Sb0{ZuNEWH&yLO604yLBDb3chp_q!h5&_| z_0MA4T%jWg9Z@Bzbg(s)fx?nTSW%%aDi!z9cRE9>20<15E3!AQw;_~5%`cip2|=SA zbDTmRuT9b)^;MrZp}!C=wp=*yn5B#>(3Q#Lsh*DM?T)1za>mf=kfA2?3*oGQG9VF~ 
zkjiuo6htQz5>qTmGBx<3(xJ*+Mt2?HBpc&iLT*U{DiaktT;5Cx4Rp#QVs9hp=xP|s z_4Vs;afSrToRg46ykRjpvP*CNhQk)UvBvBUU9i~aDR6~eava?NN+gPKs^<6ZoTX=J zOx~0D9ojT{;g%w%clPInOoN9y%=CCxORe5(QBv%ESfOt3zgdxbA9hxw;fKt5WJ~g?C^raEd4RWC`D{+#>MuECu@j~JfCa}QupGHag zuYYw!P?z)EmMCpTquOxQMoSq}irLPr4?1@svzjkEB%Y^Ap*~5l5H0ahZnA9Go~W8} zrAqZkCwN3I@e?+k2(9BA;(krj8_{9})kaHig|N=~ z{C(hm|L~i@hU)QU_uQ5r4#?eRuhH|`4=Ur7aVn?xVg@j<3Z(lFE@d&fA_<8kCmLp$pq#mdT8fbc-b+!OzFYoL@#OZQaT5PJ;i$z)b6~_^| zAe^$;m`F>{eD~j!3}u*0Na^+44jL+^ zX~DT)<_yMtw~nA*KMOpw^}k!3&=@Q-mkQup_fuMix^ z9qB-)slG1hbM@`L@Co%J)%CeH6DlO?Lau{uaRa++G9q-h%1T1YB-)(hLVk@!-B=v- za;B*;k&h)=FN@TFRDk`-915}&7XOFO#ZTL4kV`aT(xi^s{F%`db+=L1@3}gz`rJ~p z%TM^)mA&@vL(#<^YGzX8y!sE@@K1Hcm25IA3&MDa1j0HzE)_I}oMPyXAj8Xb6o&V=ip3?pA6>9)BH1m); zK-v3ZEZT}B4{b-&hi`~2FU@Obd{24qCK9H2ndglOg|_)Q6x(mpQ;4PQR;~V-V%zoM zft@X{3lj4swuQ5xp!Pd;V_8r_xAST|QLnzq$~dkz@NtFH*frb)#NE&|J`<=rF==+y ztF2`a7IbW}h9L(nWhv&<3fffHZ-+IV&cM=IV*hTQ1?0cGV7jORFkk+c>pwm_c(#uJ ze3Ykr|9jO6Kn>CS)-{0IDSxyoKyg|7!Bv2Q%GNqSI~|}NV{0W~{jBO~FaMYG{r|TX z@_+wewr=&$Gu_y+1o|oL-BSj&q(~w$?Zv|7kD(O?2532LN;J|4RMG zX9tIC`TrA3zhz)=q%+vx29+{I@?Y z?gW@8|DWwYE6e}g-SzqZqdXwqzcWjVzQBS;t5yLrPA8a8eNp%X7|J3!8LBY+0I0K+ zN($MkY-E!c)%0YH#f5HPTZDCt#Vb>)I(S_!6=(fke#C_q_rgp#ef|B}Y z!vY=^$kxgZYK$rAo z!A(JHpAMfLtn?4M8H;S%;Mt!U?FdO5^zc_|0oXIA>hU@6?RY-kRuI zg}$WgK$baI>U&dcwV#fwJw0nawgMuK>rF$a)+nr z_~Hy*vV6gv&Q*&x-F(eB{e`6xCy@8^IF}5#1Yc}k;|#ax%%mfPn|0HL;HQ4eHY?8A zgvc?;1$sjyr_o~5ndmkxS#j?TPVp$@%Zv3Fwd2XJQjldXi#o~(pHLwn>cC4VrNkTs z(Oa^p8{KocqzNSWR1jOtd*_NslrgU8#!0Si=jNh+y?}QDEcoM#i*GJpFR=ZfZS5e| zy8eScjrzZ`&{pICn5X}%f0yk4=ld_#`u}4*f%_a6{&W9`y`3?jP5M9=Cwyc<7_f>t zNF8uDVX1i++bSh(mGX-BVCN~iz+4cNP$6|MID`7vlGU6D%ycyXh%$7;hp%}~PSlu% z8M=)~py`nDiK&_*P>~g;Jue1;kxfY$c7GhlXo6EZBtoixfb7XQ>Cse3Ww)srtG{(B zAh_b)zGn-$uOZKp1xi~Ok(6-NOU8s$%FRC#lwl$67>@-U9S{BVgkW*Yao0axnfTf*sZsz7sn{1GGD zL@Q?*CqiwfCAz!?*vCmy>Qf()poqn!r%Tr$9LGJyfxKaa$17G{!*R?~(N}GCQ+K}T zpFh?P5Sn@|yLI_vOJn@@;(Y$tlwgUefMImYBfZU1efHREIl$X2Z8NfzNHJziE{rg1ISNA2;xdK~JQ%o|^R}i}B2`a19jrt#m!AJ4`?jAfV 
z>wjzi?_)jlv^t{=%{`|vnpsA;Q2a5C$ZIOv9r2i^G0_S27i%SK9)7Rc+GK41RQA77 z%69(lc_{A52IlPlz300J<@%oo&)56^Q6A63qbnYI%Wh(yMIjLf)7DmDt)t5ZUhF(Y zUs)Y6#S;=kw*p~ND}BQ#EA^=#VFiDe0+r#TAZE&ocv0`nVb0M@1Fzf2kwIgQB{+Dy&-XJs$fW~7?9i*$Li zRgKbm@^>{WH6|YuUBAPw>8#CtqozSu`*lctiEND6=eNDjZ@b>B7SNi8Qj3=;!9s*Y z=;fh?!c=C}+z`6n*JncHO2yUmRC$5AV+Qh3zlT3iePH!R8dp7o|EJmLG4#K^-NS=2 z|9`%_j{kX_r^^4+Y_uB24_=)a96!xQq%F%=gHpWO@qG0|aI=Nfh47+k@?~h*HD5Pe z^K|z#XbR{5UER#elNy#vT%2j}WtnUFNH)R8#*c|a~)sY5}p>nW^d~($i96H)Ur4Vd?vK5(c-+4WSGQR|@ zd1yYg51T{3N~4g|jC4_# z-*r*#6?Cr&jv|uD%eM;-O!riwCfF(~fz)n-tUSSG$E}Mobjp7hvLPN^U;!Jl+x7i) zPvSww$t`6$yi6Fo$urcw-Rq*R4KaGsza$C4g7jUvL681F7rk6)1u>*yw1q%EJ%&_B`O`Lmcr zvxuS$Iapo;%d23qsl<4EoMdBso=?#8eYDlQbOyGNAj3C3Bp2sQM>{*8-yVH_`#(Rw z?eV*#!)FKkJC2u_aj5lhL#!-||ATX{!tDQ%GfBz=e3CLDl0^sfpF$)P7L%98o&Asl z%ovx-?kJD(b72QmOPo#M8bK`t<>z=1m7%ELj!KwoT*UUM@Vix*)%$jia8=wy@2bAu zzJ}-D8W9i(7`;+mw`6JnL(V4O<4ICs(f$~k?QW~a>M>O0X&qB>LLF_@chaz*a-J-V z5}p)dP{_EecV!p$Lf7tzuBE)LM}%GTgZ@J;c~?`z9HhBH-Unwe>}H%*`)EK}t@MgG ziG|NGHyuGV?Sffw3beLw6XL&pySjyH-`Zc%_N~07M>Q^^;`<3psbtC)D6f6vhsL_P zVDTIM8>-xvd!ls(6V<22Igj?ur%uT*fdkNizqXk@ruGba#3)c?AdpQhIgL}%y!U<$$Mi@mb zbLp!JDlNP1!i-XoxZ#wL>_jy#C~m8gBSE*bF1k%mW`C}1fQ22DTlJLGP~4Ne&u|*Q zbz`WaxF(@txlv8B1bIrTu9Nkv4pBa=DW36DV z8M52WHE`#Yqn{6bLL^oO_X5CCH^K?%f(3KxZdK5EMYL}VR%9+w7y6&yQ3Y+yu3f)b z#VcOfaZ1pEyHT-6ofX|n0oQKXjk~fCW0k7MbJk~WnvK<}n9cfM<<{WRdf*)WZ-0M( zzm)%J_wd>J{P$5F9Sd8zU%E0yu;%XRLJDC``>J9{VaT2~2p1Y(m7BJR9ah}0O8E2G zAoRagmsZBGmUDK8?g$#=+oBF%jHvBEY$L8O7Z&WMaQFKYO=I$YTm9Eg$(uBNUzxGc zyg29jW=g0UhbjY1t3Xhb22%74S59)Nlr);6uzci@j>1${4Ln(Y+AZrVu9L0WAy>2& z`o5hyZOnGOl)JLnob5b*Pp z;Hsk!yAlnd8g1%U|3s2~k0;62jP^6U!ygfsYu^83mnY(a#YL8gCD_5d`2W31{`b8X zYya=#JW5IE1o5BFwKy{fbY4RAAWg`OAW+*|%Rta^hJB9HK%5!87wT*w`*Xd_36U?9ykcC-Mdr^BaD$~O`f2AL(#oK2`YFY^ zub=v-ng5rPZQVl+oag^}@$5y}|Fgfl=KqiK=%B+&S~l?itib(K$=J4#^QY3f@l23T zM#Xo5QzQgYJ%0&W)@RvX@o7xZ<0GHQd;&)sWxn(A9dJ~(OC^8$lh`bM`)O*|jP7=+ zGXt}#rWOe(ENT$#&QxLzIQB}=RGe0jenGM-w`kdiiTiHa)H9uA& 
zO`iE-4vJ>Tf1S8+1y=y)$p6FVFZRp+pTp1AKZ6+oB!ve^JMpR~OQ zXg&`ly!okY^I7_Bu=~tw&-N<=3P1b+x50xUE`1@~;-T%G@DMS}Ukh&@eYJNV$JL8s z{@Zq7=i9_Jvn=(rus!XlJp{gpU0r~v#?Js zC)9OPSu&ZpEwNc%v93%s8e;MuRf$behwHHBQhha^=bm@_D+3Hk%1&jg{_6j%p}PD3 z#Yg2N0H_pLX4bK2;Bs`sO1eC^X+aPY(=8VnS^vUyU?-2uJjs$)1|j94lp z&(-fWdK7ALGCWsxqHz~_Q>u*iVJsZ8gj&!{eM zo7EHH1t%HiRkH(?jiMoElRpcV&RXgURz^fFY#i0$XE6f^H5ozvR;!!qOcSV*6Q`-S zAWUwl9%mUqbDGXFg3uC%&}<4_fiZ;UMt0W!;&W%GHacCj=FrlyEUPT{(0|x=p9{Yx z_JE)tETo@+8AmuZk=I48!&1oXW4hCu?LT|R=fUm2{oQBf`ybB_4-eM%-(x%vYX7;U z`px#A`J}D==UwP4UkNMQf0lk5>_79`v;TZROWA7y$ffNycek#ky%tX7p$-e(QilE2 z#QBqdlraG^vzxKlT;Z&V@}D6R{B~ut$iJ*n*Qd!2xm3U9wzYkS0C%3E>$j(Gk04(+ zl!J`0sGJEm*vsMgi*gp1c~Z5QXClls<#|GC2422~vOc=~{XWg|-voSKKmnF}X#w-% ze-8F5_dj18K3~iK$9O97Kf$uECI+Zf%BNWw2tI755QM|^)PnFuSvd%ayFo<=KJpZW zD(FSSg~Ex>3LL5#L+cQty751heh~E4t?hdeM`(#;)}clZ^)&N;U6W}Q89-Rw|xE{`65D^kOCcWT<@JTXc7dR|^lrz=QgY_e?! zMzXq^{RW)*IylGZhFI*Dk#5bt>fi)?L1J4{)Ht#sdClewxBHkR8R4SuI&mOMBDB%j z>CIzn3ssh#6C9(2;dp=(oJNGBvkL(=yeCBBBpFmuV@&4Kl#J2*n&J2h1FBo&F2193 zTy2|pt}!AyO-^n)aC^V;mmO@8A1Z^o`cC| zdb^E`x4*o$MJ^@vktN&8j;J~FETzb;L-tEFQhH^%PZ(n`y&9^Jj1xlv`D9=vSCv)0 z4Et=rZ_Qw5lAaA1X-9o$Md->b0<3;kM}xNO1<0@(-cmcfDls-SoJEfXv{|gNAwFdm zAGKkVEO48avbDsGBB9Yq^n*C)nL8Wk~ZG zDtuFmv&vMzGS(@Osv=^2sawy1q>@iFM$2Hy`L{V!`OaSY?t881g*;HLP#l z#AbX}D<(Dz^M^B3JDgHU1!>e$0an%0Xuq|Z=2Zay!)`0stw6g&pi83pJ-Qo{6w$w;A$?B- z8ssB^B96saQQ24DoFSI#ENr#kP(K5+YSp!?sz%i{gX`v8 zHB(cn8NUBb1 zZX95!2%i9N+=5l zMgOX4rp{ZI3v$k4a&}S89*ROKqBq+Nhgkutl5}#GfkXd#QMc{kH$O73>)?0&zE;T~ zYR3g;s;RVI(1Cjyj(^5URo|XYxwc)ulhSEaQ(n#WdC=m|jPsw{Xf@^E=HLI`Eua4! 
zzSv#o|9O;0OU7?cR(JSw8!dYBqgwQuZgzVWg@dCX@8@3mPPg}Ru^Zh!)P?SJdkw2M zx@X0LZw4nk(~Nj$B#xsFagq#hbaQG>cKq32PqP_!yLF}gWVt)uJ{oH@ht|Q_D^*cy zFDG0SBdtj~`!-Fc2&fGxoemL|8v=a}6jLE- zIyy-(ozy5!kCAx!L+ZWZ5bEwT)ZIUtv0Y|gWSG%#_BDppYoS$h?nB{Jz2O_R4!E9Vb zHLk_at^Z&Z13sZ-{P)vc)aGlMDIW;&!zMmC8zOzN{5u*GC^Hf>B7k^6<=IA9h~iI^~{j}ESJmY{P&-^@&CJr zW%tR5_DkivSv1$p2e5a4Gl@PMo*DB0zG=VRGe`a(Jm0I>e+MrP*Yf`{9fh zJgf`+K3;*}hUC^Wl}hm;63GWUWnJ2Lm3r{Un)W`(bw5voTW4wi=v@7^&n*4VTnc{h z{C|hf_bU1So~`r0Kgwe^u)e^%q7VQ>ISVU*rqu$00G3AEg#x(i&kIEZh~mC~p?DTK z0s>iYdw7hn0MpkxGT=KH7tbLIa*rT+i!y8h?mJc0Z-YrSGUz(8G29dL~o*9t6$Y8xq7BKW1W1dG9{ zvS8md=?u2pM^qh5mun5;x2{3hjosRI|7}Zn$5Vb!g1+Htmj8E*-y{sj4_^QO*};p0 zO8x(XXKVTY7!Pc*@61xKO7L6KSy1E`%@z>$j!fGLdH4BZ;@vj$1-tvLBGO$a3kh=v zZy{N3TUA-R3$-ls_c5smWhqK&f*{dUnCorcg#`n& z=CT3+cFW)&-~NYb^d~sHl}ulnC?7tr;?jaX;4EJ*?w*n?VbcjoqEOS89a&V`ZOjx?`&|+xzkOTWO8!R@YpH+hg8q5i2>B0kw zI7{z4sHT!8pT2_rz)wa0*BM23{!UZ6lHjiv_kVT|%KHD|^XKdQ?~n3;YEb_BZH){&fk-X!hIYU$n-Ho2mTJU?@^3bzRn)Ew;8u`DmJRTwbWAE_rStb5se{aqIAL9XzY@8s# z_HE54ZLb+?35=kKr4rK=jY%>=gmY)789_h=%0-ToWQro3qA}!!Ll}ZR72l!h$VwN; zvW-*6^R;bAW9Wy&ZB!I7&PkN`lH<4--5pI5G$1I$LK%;ep{``#<4MxJr=+oT-$i{V zZRQD^qD{e3pWq}Zxca6Z9O`fRYAGFBqzcppjHf=vNO~YxnoPIR zAcweJYzm9JRd;ha>TWyr|4gD0kpg9ytChk+XE9U?29=6Z)QXSDdo;l^8WZ>xh~^IS zSa?}vtKrd*ZxZ#8!HXqOoSM-BSxxX%5ei0}h&+)>FEP~EFEvz1cT+t=Kc+vX=<{3s z-z#EKfCucB7!3FQb*Yo5AH6_r;{OR1QtbRaCbu*quc^3?EijM&AM78N&;R!h*Y`gj z<(bFY3IYh2o3YWs9bV%#r}6u3^hCD}F55#Zt4|lO%a=6BKf>0=y`X<8d&{)z&ku3e z-)ZM@k!za9@3$&v-MW}f&{u6px$fj;P_m}hRaf;HhOE4bHCz4{O`;!|je^it}4dp~GsKk3_pN+B2&H&02UVl9)M;^Q0k>D4pLGB zXF-`@+V>P;FCZDJ-TrRHLvqF&G_9;sI=qYC4#;1X#&4kN-0+ z@2UOI=l{}N3G1I}mfGg-TdzZ#S1MnUendtzfO z5JpZ#Y8NEyT?% zQRB1a`%9XFNa_TQo%zCYrfivshKrmtj5$YS^QF#1(pjBoYuKa?T~BHizqOV2Q9efg z_s1le&{4`bS$!XK`thjoHqZ>RT zqTl&UpYn@5(@L!vlO#c-gbnoJEu?SaB*Bv25(H)Bir;Y>cRoWY8R7QQx{Yo-UI-j8v9ftMo$rXwz7oGly${qNBJ^W68 z@C)C8|F=JkM?32O?4RN`-6;SKaCDPrXh;(xI#2uJF6%t)5AaRrXehh;3b9i@{wo9q6&4qbxWbyg4o*gxS>zM=pqoIyK<$7{5U@MHy#t9;t@g2n&?3bksq$4;F|@ 
zM1^85B$CM#2|!J3qL%ytW}My9n8XdB*lV0&-RN;5 z7@FW4f-+8Tu_O&}CoI<4Q57SVOeX~_j}}l685C?cKmtw=*KYzG^*asUs|6aeBw=?- zGDKJqfiNfAD9(u)3FRooGFLyU`7{8su6``gM$xYt$_7vjd7mXTqH01JXJa~`lEg<1 zz~(TL`C2jtRFEBuN@88eklS<84H( z4ZgxzhB-;40fN{N4RJ&hDlx=);WXZ1ya7ta*@VGoVXwL%1LZNwFqf1FMAHTkx0EHC zR3Idq3X6w+r*kp}8}SrN;%)5x-NW79?p|+q&wXL`tNrMp7bOt>^~Kex1=s0(2|;E< z#wWTzJYcy*I8nk}>je5!m^BCUbV5=o0ILdBS8OQn6g_pagkV8*WL6}PP(nsH`Jc+t zgYak3XMEJ@oHI!y(&;F&Y~o~_Fy)vD@$dioKU-?QL*B_0z0FA4 zF)%Em(AVsa+!DSGO#|MgBN53hNu`d08xS9!o{oTD6=ndu+pMHT(7|$5jNIxEIqvIq&m+Di2E{QVG zNZjxI`@jBo1CIXvU;jrT03*q9OeUD$C{n2h-tTmJt9&}0nIh<#@QKh1Y$XsH6HW$G zG*YZzpef6BaU?*EWPqn_0H{D$zs(~RyVW=4VgekM-ja^m&_d~{F%?=M5ztOG=S^AK zD{VD%lOb64zG8(=C<6C}<~T)l5^7tA4Q?xyc0wg==!8xbQ|pAi^*fzc!y$=ayO?W| z-Y#|YJ7hVRV}#R`-V!b_clU^glnaTne2~y6nRXld3osHHiIgNk3WVbjWeV5y zt4OossP=A5qp{i&NT+XwPW|msyG~rwBmnF{YH_u^w%3r=Y`Z%srWL@k+e8@&9FI88 z#vL7zsX);bONGI+q3Vt|uAU#%Jjs%2!K_Ug8emJEDCdfCCsWlYfmMO{RU#rz2h|y2|cW}N;);tnT* zBnjdAh3k%!A;&b;fOBC5UP!W?j^Yau%aphHeRip|V0Q3qHhwb!26dMR6qUhA& zbz3O|NaQAhoQ3>MTaR{o<19-k5gkF)N=lMU^}T)^jc1diB@1s?!2Y|%eA;OTf)fxg zP}ayULBG@a-l8*NsmN%Qvs@%ot3?EpQCk!GaR^jgz~WD_pjrg=ktR*VNkkMbt7D_7 z53}Q7!aa4Pf)|+Zg0%C(Cg#xw&6Qtx1XZ#-d_F% zon4`e%eUX2oxVCnZ_hi&=Ss^tzCveLO2U6}e06r!H%;DNqOV_FzWU;Obb5Am^7{Df z%@sO+{Th9De0h0%etq`p3LT%HqLa7hr)Sq^Z_lr`JFotFarx@%3cbBVXKyZEpS?QW zMrY?IufI7xJO2u8es^~L_1kZ*(d)A}XV=H7&6W@C?U$W5uP#r%K0d!b{^IQQ+4c9^ z=*zR~a|Q9sx0mP`T^wItpPhX3`uGxEd~iI#xre3K|fzLKyo`b-zYD{HObHZ*(3L|F2LTC<1!tRu2UiY@sIZJ^#(U@>=|9RR^^IR?8 z^hVvO>Va?&0-xGxZWn`#+@K`0`k})XPLhr`nK+4PMu{1G)gG4&uI|{~f$x})-d_~{w~PLbczxz3AfxIY%}%3NnU-cNx))YNtIdz3sMKI z2G*S-HHE>Vy+YcA;8bYX!k93{^em&R%p$^IvJHs4nFE|jwH$Fg(F1FOS2thx2fClHaABdKsSoSa?msHDY!0>%O$FhmnvL2E|NgK4ea=#~ zcKuH0Afz~7vFLX?&-&<`!Pe3yMJTe2C^4=AJner9PG9da{@=@2$ER;z^(XN|^f52~ zZ}0hw^7+s1!8-oqQ66^+@><{1?{q%<44vbN5_VV7m`q5g)3XUeP2#+x4njSfm+J_< zd-7$TBBT`?;7=#EC4ARsH6^h;TyuqJ1TZgqJ>j^&UKM2|7z9;X@p$7W94Z z$)&b~bUT{HpgT=)+7J9!@w5)1VF0P;oPNP?XT 
z7J(ddcIR$peqv1WH~bj>AMsf1M1;%U1gCgJcwha}pW?|162Q#j|9gt-SMom|uH(NS z=~4XOx|R2L_xIt1$0r1I49+Lf?|jzztgyKYrS>?((b)6a`AX@g`k-rGb+`W5`OI0( z$~Jel%8(`m*hdD&Iao>*rx7WvCFd0X%pI4pfxhk?WKnc34haKR&sfUrXlLi{?yiqv zuzkiyJH{dq_Uya2-`|BM-=v8$=zJ?3d{q%RQ4@Rzy7q_@op*qy=#Enfhfh{n?|fD` zTLWY{wNV5gFu1hd1yjAN4fXBLXULk=z8QV#+2rW$m+1KXd-RvH^V4mkoLfHw_%9S1 zNvv>oMFL-wbG0}RaDvlOjzKzVZ%J_1NIO_p54lWQx|^r@ILe0*^?gzpL^vGENz%a(aaJ z78-_2CJIMkl%>~nLWIPV%mbs(G%^WPcT)b)oDRA_IZ-@@q|*At;Ea*O7doZ@*t*Tt zf`vJTi~HzI+OyVCj=`$eY;-`tUrlY|7||P$A>#xw4yUIPXF?!*Sb$h&9AKi4P7>{F zvSLL*)=w&Qk`CLY8?$yJTz+|SaB%QHv|AlwRD}BZo9mN)Whst><?B;! z9Lq?0d~x>e!By!+3C+jhHY`S{knNYiReKH2%=I~toa*B@d#fJYlseV}L!K3Iz`WBt z^pXtUp&=znEG#AjozMh>V-u%HcfO6r`iR>EznER#gN++o-yzpaQtfvzMQ*=ZV}J@+ z&Zjt?KGobQ!x7Q-9e>V+_QnWhJ-C&7&wrQlFgw z2Pwo*DSRSWstvWCMzPVMD|(=Yjgi<8fjbUyYw5hSI5mUsgV9R3us2^#&L6}{#6~Io z#X%D`xCex%4j=(L4hY*GS}WAUKFd=Nf{Fh|Z`6X(bjXfC4-!W^J0mKskX7n`o>Dp8 z@uRbLVscB89YIGu%%d@tB$7ENJ2;~~7;LI{-X#9at@=g@eYJcES>ZGj*Gfcbj-#9F zxm20X<*Tb}M|J_nDRxqUY=tPA4(*wfJAx%?49S1>$rG>=C4MGUY8{XWaAWq-2~JH# z)jW$0GfUA4o{;1O3-aKoRu~mMg}(O4_En^6gUV(?$f_BQt8+>OXvGk-;!f^Me9Q#4 zwe7Tdd%_ltCZsO%E99joZ(f;lC^?7Csrb1b55$B3@`0OzNr9CB_`~7hA=*?;x10oH z)~pb8r1tgu!`=VkGhQ2gX30h`T&R;l0~jWI+QTImbNoOA8Rf`x8Pgf?swHDp1e z97N`Ao+#aWKobb8fRlI!L2=TcD+pxBQ$b8niXJE=Z7E{UJY8V zUtg)OQewg^>ldSOI~R`*vO7Y9X+xA~Oog&njmPybWNJ*08cA161Fzs_oiI_9`rji1 zLa8DsC3kuWZJC%GG6kecu4I#%ZHXUfPvFy($)}dH8aNijAUB!)2qa9`;gbb;t0(3V zIufH>iovC*R1GyKQ#w}-0xlkIJ5qGs46}~V$;cK+sGp3pk@YnC=+vgal}y8*y?z76 z5`ycaGRXwfq}@8GFKuF7Xr`PLpsR+hy68Rb7YZ6QP6apGNl@$00CnKt45{Z}IW%_dIX|8w8mjt4k7ur0A%Jqgh zXVR2D2X?^H03kM6p^U~xw~X`fh~N9#;KdkH=01*bRV9hfSp`by4MDGo+z{wh8u4kS zHwYL>Oy8X}7F)oQiwGJ69!SN|feET~i5AUS?OSE4t#+T7lMBPfzM!e1n09MW+f?h7 z&T;`82%Q|ejtY7mR)v&C+cwHGmKp*xOBC=J9RejKnPh-tw?hHqh~AR4+F!&;tdu>R z2tOLp5^=btXX3L_4MB5N5d=!c4Vj*u&VD~zPnoZdsON@EkCTzIXUCJ~ugb>3sZ#CL z9*Bg=j~>dh(e#QOf{>nETDaAD+$q=5TL+ z)+(Kywq73i+DfalQ)eF>Yw@jEoch}xNFEogd%$vtBWfaU)E0X_c`h<=*GTgS{U`bh 
znW8IGm&Wl8&Cr!$g{V>|;1uF7&V_5+YBhPxl2{leaxx*3(+IseJ^_pv{8aE^xRs{G zcQ<7E&LR~~X{}*wqnR=cHksoa3bY=bX3S|Yo6Fb88X@4poJ$%rc^_)U z|B&-X&-kPbe?yuUXMa#4!)vnwhAv1d`Lu*Gt4(hR^iCngc=wFDra9OZn}A^gM-jp~ zr2;+56mwAMrl}5Kf}3yVwMEn{oTK&(&A3t*!Ntb8S4P6w5CftJ4K^YNW?buc36E1^ z7KxpRr4h-b*kQMX-%@h7bI14%O-DUN*F8-+0?vBG&S&tSS&Y2Z+%r4Q6J-LoQd>4I zf;M*BYa7}`)6t4KcKkUeHkrwt>zlo(pn>y6WvEV^Yb3zaDfIYw4a{ zU4Es1{OexVnOrHkBW3uA>!wEe)lR{TMmNH{_EKx0dp41G7Y$Hq^lqKX#cynwo$Cm$ zg<6-A8r8{p6M3}Q5)=IXHAzQue1x9Y%jX)OP%HYmaP7*~Sn4E{=RL($8xL5vHnIGG zerGs`TB#kfb_BdNW@a+oM%aij!&=Olv*`n5tA7_sGd+cWvvO(zae2g`jXTK*c8Ue7 zIyBr34nkxi`tYGYzX#T#XULD1x^ZjO<nc#S@8+UiMjLD47{Ce&}SKTV=MK@ zZdDvb;1UYOg5pyf8~SQEo}T%L<(YD z4vdd>+&H=>*9VOBcHhAlXp{CyA6xFS}(iONN zZE2ps@%1HKZZzD}-0t5-f{=ofmI9I-FD(WGOk!s?<}v4Z+VF+4v}cIS@HkLU;KU-% zAjjU^6==-v<|EmhA5vpuLtI549lJWUR_+z|0=0e~)1i)E0Qhh+A(g%~q6T>J!Rh&x z4u9~{AF(0&`uh4}cTcgL)AOs{y~;8+OW0O+a69ugPQ~utY?Cbv8!C=p1AnLzPlY!W zf;)*M?pCv*)WH;Gx*D@R-`7(ww#yK1#?2Z|OD8~k`(2+tpPpaM`>ceDZ_FjN4Ir)4 z^Q#TC>BR($^FcpilbxR#8#AhJYpPp6r z=Q)7GMq?)CkE8vXAXt}h9BtZE;;%~Q0L}#2xFORGYl7e!(<4P9P?xt0Qv?^0!=O9Q zUoEugilGHp4YhG;70+S|f!evbisutHUc#rf>#KO$IKdh)^>Ldy_ri=~5ACqB0APHB zCzvkDw~wJQNatUaNY)G))Z0&jMH3;e*$qh-W79hNO}AO5fuH6eGeYmv|&T=>H<mMSD>M91!b7VK@fqCXkS&>9FnR+4Q3E18 z&EJL_m)=zcguP4jkb40OCyux4g&E`zha{dY6alo1uvuIpET%!AGS1jnua4c`+eZ|-) zAqd3JCt~5*s$%oLT#U`$Td;l|0Dx6b-CbgRrnqIz1XQNG%L~EaI(ez0b@Nt=yx53g5}`I=p3Vv92xFPu^k$ z`87;%bK-yod{_x~;sAUQ*|lJ#MMm3PSeh~I4K+!V>I2e)GKdpZdTntntH255W+z7` zz8$9qM>iy`v^4j)HF*_TE+#~dS!}BQ;Ur;q0*yfMa9y#GC5kG&T$nTOcQ1)%v}Sp0 zmiHTBc}O#Y`yc1Jt?Vv2&Ef>>O&LDxO}P}Ne#4t`X40t{DA6gX3`$Jg{WfB$U&_i9 zl2ur;5_|v^*1SDCBjef9^NJM8uJrAi7MmlyuX29;=9O*hCl4GOJwdBj=FSbb9^^5G z8)?wmYF&E%Lr7slQ)l6}*2Y?{VcYY99y(`fyQASRp_=cUPh&cw5+^JoxWzestsZ-- zLA+HUJ`qohTr8Y*I z4TYs29W{jjZ&z?Hy1P|eB2=U#IgV}!?^7a&`hq=+cFc%&wmx#^3Tx7o%{F`%+tCH! 
zC77z(&}SDe!zSb4ICmLTQkQ~Vr;t%{%-r5LSqcfTkVSjgb?+0@|M?@* znHq~MpXKbIi}8s?&z}SxwMyyNfc*`H{_Cr=uTYWJfDbr>MMg6+QARk7AeK^c4Z zP7SAY`u*-59BAoxe<4#SWc3b$vUFN^#f@D$O`Ss>-fl)%kRDA1Nd;AFzjcJ(z5Dvj z@yVOh!*}moN%%kURs z>U-6$f=3+g%3`G_YdE@_R=QFB8{ENJYnyr1Bz^oiD8APR*QkPaG7WS9rg>LYErCCtz!GGHMePvdqQTzs$?vT0B*0d|ZHV>2`*Um)$yE zaSQ>8Pf2R_XbFHY`PoxbtxUQ;w6I|u{%ZoIAu-S$K|`D*y#bDH^s$i6Np*{EF&EoN zjIp9`KY=pTlVcoc;LL1&R|}(*xJHqDAK!^Sp5R|t3VAt1eA62;-W#!<+r1r=+=%er zD5o)TS#8vg5b;faEGNllMeIz^8_9zRcW+tmb<}q47^z#NnQLs*UuQWK^we9-Bp$ob zi>9*&!C%h*P{}%2OD$_UX-g+-O<=7FG-2vDstKSVf^E52OvAhsVw^`GqQ{I@0G1;V zgpMvvo%WzCMwgr~hN5W+V>fwbSPbCW=qj(NkVUAR_yUXpgfogFoForo@@Umz84q%D zho{1n%OeI(aFXNkWXRnY3X2Ds3~R1YG-E24EYUHE`d`PF=O*G1>V%nf43`}Xkxz(~ z5`~l@@3VwPG_1(rVPdB&GHtTB)NHRnz$kg>-!QqwoI(o8#pTh%L>mTkd2DrJE!`_i zx0dc}>E48?->7uIBZDzxH;bO$TbHCR0cI*v7+5Cwpls>ugsUI9D`2$P)oz$ltIrp_ z)(!YwMy+r~nZxUAo-(=>kBS$@X`pw<0vK)(?r+;Tcskiz}vPJ0z{t30F6%9p_43u z#C5O+8v?~F%H7}XINkeR!999V$C2NXUY_2h>@Mx;;=)Ie;kpI5(LJt%fk*1%%-jY8 z4}HzuPE9!%Z?CT5CX=P03p`C2j{QQ#4Wws?tAOh6&YAke?n+ykhUPB7gIE9s4_L)n zhvSjCAlquj<`kpt3^npV$ClH~T*@&>^gFWcw-M~9jUrTjW2IP967YlOF*eDZONorV zO6VCAf(~?E_S&4>3~ZJ-!aOz!zx6S#rMJG@^6b(|-xCszaZ1JH(K9KJ zuq1bQszwAB*@E(3(dkzj1n>Y|AexSPDUnKVL9W2EcK1U$MHZ7pShkGJmrw>U_5G4X zZf4y<4`;M5=t$V&&0GDTf3rvYT8M61UirR)IV5&t*{2DKF>06zY)1EAp`=$!YK46#RJTy zRJxvL&^PU5oY5XsQr}Tug4=HAGb|;Batb}kdZy(rNNiouMf>R#CS8=X;K z_a9Qd8j9(e^7os$Mq7cLExmtP}qHwGz)(AM88mck5mEo4gg>s>J7L;Z%t&5#h)F>(SE4Goyqp@P7 z9_{>?I(^aL#l}@Zu@Kv1q-)pzu~6)Q!~R80(Khhvu!gNnsR+QE7mREB=yw;|@(b{n z#l1fZ`G1!202$T3{pV%+*2p)-jkJpId>y)6MjrvY%2Th_*NVTkgm1l~x&k>}p!K1K8R&B;rE!jJG(M+KS3Qc7N=mO?_2e z^YAU8MH5!0)Jsm<(gj-1$E0x!zOEzGh@J(2dG+e{4-Xb-m?@2!r$^|2J^APV`T_TT z+3o$0pEiH!nSVXCKW+Wz=8yfE@3)>lY2B|{v*qa!wmub(%Y_tJUP`p-c&z{GEHH|C zE;xVlEqJ^yE$iBPOj0l-U2fr@FS70vn%Z`IOOcCO_~YK+3@se@{^rQR{Cn#^+tb5h zKG!lm*n}5l1Gbqa9$`(F-jPeKj5Aj5hed7gc&OArwBYiEjCF3Cghe>1LMf#GIg_r= zDd9w)CE0z*^Tb%z7lmr7byX-}>H&tz)R;pJv=jBNSG@BzQEs#&qh7#pbcr)hO28F! 
zZKnt}A#!Z2(GVl9rFQFsX3T<`eQq=BgegkV(U6TjWPF24m2n#5R~$o`PVl=Z)fozT z(g-OqlG)mBIGyUV5yt_erdfYz(tmuO)F_|Yb0a|3();MbsMNYlu6BKZq6}LERv$^s zM+BReJ*_Xl8>2w`fQP{Ul;j4dX-rDnRJooRk@2dNdlcM50kP@X2X zMyBTpG9DBzLSHU6s02k1XIU~W-Llihi9jsNn7yCwCc7!N(A}5`0-veBjJ=~hG_hfE zkRuir)Pz^4HP#U$oS=aH8PTJ@gPvVvxQ`EOw=r}RFtFIkQ za34l>vt5Wnjq=dyFEFDd5&$%LwoUi%BIq$tOqX`QhQg;bLM*H*7DIM8PSR7bHHrsgw#g zJ@{p~HB%4o5$pSHO7YM!2+ki<0`5y6vj<(XBemX7ElC`q*Orr=!D-ByAxLHzqt8T#THx6N|5)g4G;QXQGq75SXise}xgm^j20yyzuF^3#l#|lg^Zht3 z9U?4ILa>lf)YK9btydxn4!q{OkIi>~lNM`hy?r%)Cv(Jjtx&W0Da>1&N7J5Ef+DVr zQ}2+{oClgu8t$o{vzP#%WE`DnANAPQGjwDGB0$g-?Uf0jg zU%&s`hHAG_9@YlRSZod}O|a4}6_lkl$C9cSq8OD6Pq9f)O;|yTAjAhew~Z3qX8C3= zA;7SC{K8Yd>Vh=Z;s$I&CP0YyDxo~An!N#CZm7lIP<(yET3t>eK1leDnea84WC?B) z*HA&5+y54K(!g@5&)fxU?dl1TZ2)pj2Zj;^Y>(4?bUZ0In94bT!d;BK1M?>20pg{32NE6s!@Fpj*BVJHdC^eHG! zdxM-NHiA$~YQw0(8wotjj@}GBXtHP&@&C$&wqNA|{zyf;!- zk+!EMm_kgoKp5>E?V$h=`>^a;05}$D#h^ zkf9z$C&x=61(gwV3V#fU0H6-lK4OY+6oa?LxC6Qmj?lgEq+6TYr>Afq`pV7gOjEr6 z`PF+8<+63Ig7Q;QzYY4VKTr<>^b+&J_~RI$-STQIsTgVo;TD3t&y@PA53}9r$zU2> zvm4~n-W7HwhG0Db?k!~r1jd6eilYhR&NlGC>mcf)85L;4ge)*<&w~^gcacOFq!1E` ze4>Ef5jq-6v5jb-^b22N0d_)c_=P?1@<>ew4o^rb1=@7>igAE$yTIb|TGpa#8xa}x zx3K$)$5QF}!4Vx1 zHj0-Mk+Bq7!kbsc*#77mK{$p*=9rGg7MIxQ`{5cazW2})Hv!7eLN^1-Pe}-n`Irs*UsTb#9 zEjinEYT0Z#RT7d+vi=v;t07 zJon;x#WR!eJXDxVqmCruP82h)F6&N!^mRIN7D^l{F=jvJL<@Ooa+au%7WFAKJu4zx z{oJ3m6;Dr1btP~tGVcv+ReMuE3+1kv^;A?;*l)U?+1S?LwbZBYu`2!a{n{7krjitEbm}Vx>mH=C`!B^ixP`w?Lw!Y8OZFJ70`p>KPR49e` zlo4^xB>dS&UrD`>U*Aif6wiuLtmpOs2tH0Vch+%RaDBky(PW=@Y>f(ZmMVkAAkuTD zY7q9OTguWNXqB}vH2xJFe+6cMYXS>$5}*268F7Qc^QF!T^8s}o z?R;D7I%{2LfoHAjw0+jPPSdm2b!wiquCvy4?)7|(x=xT7Z-TR)nY3gR8Z8Z1d%#xa zi2F`Ea?74K(9&$mozMm6ACX>z+s@qD;E-NwueZ0mdw⪻#afE&$3sw?9+78@nEM` zh6A{Rlt6QBIC#>zCz(VOA`zB>qn%EOJ7_IZln;udu^6$`oTI2k?JqZih+tvk)9onO zMDdZsrmPXRe z4=%A#sSi=_b3}6wwe!BJX0Nih7CQ&G&;516$~cziHzj??{TRwQfgEnmupS)L?{y!A<36$LdXWEv^Kmej|$`k?ao{8T5tCFq)EEMcRmzk>SG zkW0o1)?Yp_s-@aQ=cOfIpRqJP>ob$HE?x=!_3>pE*)XRYh3b)99OkM@jZl@K!)ul$lw#^M=wgiQS@ 
z)=OA~rOAt;ngqo~SWLE|kg2|)p=cId_9mqxi#NsA5~26&J4Wj}M!$nQMq@1Wy4rLI zO;?V*?SD=9pTBrSlM#iS$Mnbuv$J!_2Y5ah0KlA{uKeTH1A6hjX zf{OBbiM(C)PgVUfDZM~kPcRf8{8dS1pn`v)3{x(YC1O0q{yXD)^T8+xR3Ie^Z*ijZ z038Wyyb}s~S?Ss~HDeTC);JCK1}#O^6RZVmT{#u0DbUp`xb?A00FC>V&I~8VYd_onbo&>N?B^%KOQhw za-$U9Zb+D=#FU7NEA`OKw|yN{TWBh2Tn@7>T7c~`AvhJNYklM!URk$pzsQs0Aa4Hp zudN_AP62RjS+;)GmgT*kwPo4(tS!rXJZsCc-LtkVo1e91xwb6-Kla{!xp5my6#qX@ zfpWG=c1n`l$#!bSGk5mqu{()3-Hxm6%*w!- zkoqDex!c_#{z=CoLEzxve1B{)I?b}vEVmtO?-dnqT|it}mfuIq#q7|< z5FFW~PL-+tm>M}KpYTxy5DZkQm{4(j``9}l*HvPVCA}iAtU+q3Z4a@ed6BxN*c9xA zv>K?Z!*dj?VLc#Qm#_<>lQ>*5o>IE8N-2H`8oJl|p2Ci#|N4-<0;~@wme^36I@a$8 zk$1$KJ(tFKY+V|o7U|Me#^@?z>{J;8e#FbY_YxVtWq*!+k!M9>WLCzwQ|p`rwUjYM zuvYQievL=dI^M&45EHL~oKTb~PZFx>;8Yq6g>BqwJ5YR(Q=b_z* zrPym21S<9q!U-`G`5@AgOC0K>BPR{*m3uu2_xWSMCH~Ze|G|XsDoiAh0GSyy~|I_#|o^8T5+jm4<7Y+9@qv1O3uG8+SqtosdMyK7i7@c;v zdUV>|;^?%yPP=O`I_<90?wXEHyW5L)x4#PfT}0XwM5OJ9!tQ~t?gg9o6oJ-7pFQvB zvmJ0HQ}J19ZvmF`iFM zTvzq4?dYohEgxOgzcr()`qx$c>uNLXFuK|dOGa0lVf)e5W@t3J+6-N7hU)0NTf2>} zHp7mi^LTZ&8FrkotNPc)IW``hX4z?$%|@qLt{k0axx?r*%Vwj~ELV?Cv+Oj>Ek>tV zcADk3qth(As(-)D7)$mXGqk#@e_h<=R>$2{{o6c#^Hu*UF@PVh^k4gBboKwb`hQ*h zzpnmYSO2f8|JQsxe^1G?(?32B??_i6qWS15M64WLg@~>~MCa+)W^@%IT8_@E(N&0O zIlB6PU0mGS(P?*`c2^ypcDFD(?XJb>w7b=#)9w~Wr`>hhU4zkScb#_EbadKXSO4$x zk4@|9|1B9^9NP1aL)#Kp>@K!5HdPR!cNNT2(_g937zt1&F9g(GbKyKt3(J&8Gh{bQ z-h>mNCwe`Nho$Qi)#9JXc25$@J;*aY^HcQXR)C(#MfXBas>S$5>8^ z9K`!$uC<(`gG|Lxzw5Zy3Q}8h&3*95E%74DrOKt5pC?@FD?SrDAjjpnytO`Pt)~~i z(GLH&+?f{ngN(#k6saOLPqa1q2;=yb53w(!5`pO25=RkGb>LUsstI7Ml?CZ6#mg`0(~(ai^%+m722^Y&%32KBb2GB|dU#I`itRY3YtK5?=A~JMjDR44_e=bBJR7Yff1ubmH5e_FEI7J`e(tDA-fP`UL*$KM}MM+7OV-6GKnLe#~|+@{b5?+`D5H^#8Xen z%2URQr7YvQkx`NGoZ0(0QThCXpGk?LHzHDLyp?KHrSJ6_!&3szC2~n2xpF4z7v-=j zm#VR&O`cHnvAFc3)FRYvrDhUy1&#vd;cw=U{dsP64|}$KCXJKvwJ?1r(bBb{<0>!p zSmokD7wiz@<>hQ9V#$q2=11s& zbrJX5AO7~~8$sH}xBuGuec0~K81olU_bOx*HNYBbc+RiZ7>xrXai9h}66z7>9~Qqj z%f$rlAKso1aQjFCy|r&O`dW?fq2A#IS^IUMK0kV;iD{KsWTi)j?54;vm76+Wj>Wag 
z4O2NgPYP{Bet8XGEmF7=aX<#$!_DB+5F)yfdRy7P*Ff>zAR*%7>gEb;XbQ~{=T_7j zgP7w3#i?ex#|eN_>?K9ZL#I4RL^`40a)1XAiK^^P5MFZ2?XNuoU9WtOY$;Ycf~wM} zU{T_VM8gGE%%@kT9E{*rIi_z%i2gvj+=mMd7CvnR-(aL@EVwooQ{xnr!v+kaa)z(T z_~}oq%si=q6?SJ7{&`qYfl!Vi@y2ohRisw_^ot7291^(hy7G6Fg6(@P;_B&MwTl@r>H&gN=2-7PQeF#rD{QC)pI6Zr%C#>veH;1C1=`xJz6E z8|G>>!h2hN+a8q$zcbNdm~3v*K+pA1yyvql5yME$7LJN0O-1-p_=2;o#cIZ7${rsd zhqXCdVKIWO!{SYoHp1do?$PyuN3NNM!`mDH6-Ea}C6DWch+pSo2uG`c&Kt#vv@&vR zYYSZq)QB&eq5`k;Gv;i;aO-@~Biy4CZtUVj{x*F1;`i*~n-Ka;yf-4% z(mQ2jEK-9$QIv`zl<&z=W4{2&#P~Gix{HU(Ll(<}4_GaGBv>>R(Y+%+PPMC`fuksZ zDwuk&3bS-STC5azH&dAnv}GejQIXDWL~iMJ{N@^jevu>jter@C3V^V&&nb59 z=%3%d2EznQL}}O}r(n?9A05d5S%}>7NXL|dgVKhZ0xcb>19)&4)l-792f>LhIVhH@ zaF2LG>^qe^?%1~<3Zd}x+t(~|(*D8JnC$fU*n)N_Q!{w~%`g#0i!{pTnHj2lveG;K z^aoyE=tk##;~#fwb87$XJ)J3Ui^dVX;| zL~9Nj84zh!8k(Q>T0K}Dd?Qx=#Xhx_DDeZ=Q+clPjOMuh@sf>rbT87Sg6fVOpBHAj z;-`$S{0Rx+7MN{6*9ei%3NsDCH&u@n;Rj~2Na`3cX%z@FT;F>9SSyG&F<0;`d#jSQ z=CFX$5x z!^tT-;8|w(d$1{%q_I|r&}+3FyY$P8@>=;ctWEoR1c$7^hMh%*m4#M-fcCvfA8fo& zj{xnqD#juQV+zFSgU2(_#HvX)6%f>pI#*-lP}LQyy>{8W-x7}VK-038GsD9;juPR2o3$?3v!J;L)Rx1;J6%y zJqfzQt$a9X z!_cH!AYLG!dn_6WY+p(}CXH$x52qeP{vgHU@uSM`WjYyHoE;!$>0=1RJpK~?(wi5G4rx%`{R7i|CB)DnRY$S8q{ zUAN_yw;n$JeKc~DE(w1HCTyWuXn}ksWF+aNLSrjhxZ^+Ed2toHJAODhw(lR0mAdPr z{!nOS*6^Xq6UT{~$nu~aC4FtExXCo<6!=hY(w#*aV^T8j^HQsUTj$?ne92=PDO_SSN3*-u4 zThF;Mz6-A|eC`AC+zpqg=>=+Vc|P%r)A-UfxiFvDW!bp*i2u1r*Ex!HN zfk-12im}l&@xY4?58v#Gq)U*;pvCl z+v^*!daE?0sBOH7R*|I`NZ^k4N%s__2(UMWtKIuPN(wC>NT@nL!`=JqUh&|&UsO4l7#-rWh(N}*;)bD?dzLhD_c1$aJY!a(cCO28x9jT zQp|OR459!PnWlm!9(gRfgktuC$SLZhDVE@S0dj0U=jVRB=y*jO-qgXHE!zees9qh}SdC*$^(}eeI;5(l%&uPSOHu0KIh|g@?uTPC_L{Tc61#eb4 z!H`{*3E46TgdGcRz!5{nOC%7lQX}##$B21OiLIJ`6zPM^Rf;tUjB-kmMW`Yd>`jpv zIWQvSX*3^_l|0oa2MA<7QiTcA!^wpRA(?1aa3}Ei_&9`pWVr&5tUCwcmv>xFvu=i7OZC5!H5yJp^}<19>=-RWm;}%9CJHxhXe-{MiZX??&}vXw%oykNcmW9cEZAA zTX|vW)!XZ9rgHax=ZPv}G1ZVoFeJae{c4o9kJ^U- zV#*Ar&ADtCEzs8N5?**=)QlS$@g!L&VX)?Yue*#qT7Chm!u|Q1S7ipD%Q(o$*d0KP 
zvVNf;;|MdTByJJ+#-M_R54WS!FpLm@As-6NHr~T${IIA}#1e{A$MK$~#$2 zhFpBlVX%Pzsdt^k@@htCE7-gDaLZI73B~g~#@(BoNB5Q;rV~+Ockn8`we&*->1_=m zMZVOIumFUg-(I>+7peSb;fp<$!ScB)_z>}w@kFaobjgLurFbY`i-qAb(HKY%m*Q-j zJwz(SOu40pzBH+o@VR^wFp#SEV5UczW3wdjVaR?=)ni&t04v1M{JXb;$Md_@*t;q$ ze@#e!wPF>V_PPJG58^CWW0|0pi0r>1m?K@Ain38q*d!th2wp3HwqICoQrsvt*gJch z^HjsuZsj`ZVd2tNU-XqQmB#4 zMnLc5??pDztzf_o?6(ir zKLX2I{|qg79e-^GtlN1emVgRo56j>j5+B?iLY11-iPQ!PQ(Jv_mFHjumsy+$zdYj^ zJ&iZ^6l%4)KN*!<%8P#+3dc`ac4m1Z3C&QDI;fsSWEZwu~ zp5&^?PT7k6rDatdf}R5j{LLQikJZ0hfe(Jmk|O6x2t@d^mMN5}3VwjUQ`NXYEE!Zz zed!+ucG+JrrXyw1%lnbzFBqde({zJMbq6SVaITVK7K*R~_7AO62toIZ1~@^0;dpd6 zwZAUCSJmk<5e=!(&cbvTQ2wOde7HR17z-1=t^e7TX*y*mn?F-G#&IXjp#%pUrxfVC zaNw+PPQ$d~-y?QTx2zXrU62Vd!#N(ZOJBKeQt+IoMhIVH*=n^ZoAN9ZsUD2PSmlDW zHy-6mThSupP}~j+r=gyFo=A{WT&H&}sFDcPO~g<7HDdDl$=U%t7i{ZKcV`Z_6i zI+kUC0!aI`I+cHfY&sNKU$F};EOkLeS+1B2m;*`e&lc}1c(`2o2*~$3i%!qN0-y6m zAJ9Mte-kkQ&}$DK06tBer!I${-MHclXi$k%`XF+{auKOXDu4B}=~7Jr`+_f-LY0Ql zd^Bgd02D9MU$wuGG=%t51^#ryvD)y-{Kn6A9+rQT2i+X70a zV?nk?Z;9~6RSy(g1Nb|#a_n&(-oH;>9a9mn2-p$T}& zO8X8J44?M>of*k7-N~Ukq`750+O>S0D&ytU92A-tmZCgayGpGv&?f$Nqav~LQl19P z4&-@+ZQf}*RC(<~ozAL?5zKn*3~h08G0_L9(=((kGNe^Q0> z&IFjrIQv_c8vS(-3?HtW;>O$|#db(Z83@=S(gv1h>2e+riXA(^J_`cFD3{T=s;V<_`x!YIt0hf~2>^#}G62>2;sZuL9 zE?RZo7&m(Z4ob#XCtb*3LF_x&?Z3)BoZT0Jz4 zIo!r%oRSU$p*{o+uN6StT6S!@g}q$&rvN{<<3WKH1w(^lN@RzU3=cC(&mk5M;_jvi zQ;2jxASr{|!`6aesGPrmQ0eY3gDtAkAG^KBoFKz7w|1(#Wj=m2&rOZYk;%p0HExm~ zvr!@GB$38%V<~;`FGXpkifhF-go+$_XX%HGrb%)FV5AlDcQ#|O?``7k z%|JX!3U#g6*e@pKfw8BY77TyBAW00xIO1+R^rAlG85o}O6bV1Ox-7+54%4DhNx>y; zyFBp2L=clx!|MC_oiC=Q%*Z+&2srznhy$xvM-GSeTV|2&W77NzhIq>;7S4o2=w#!L zAXw@}G*+Q~JLtv3qX>V>q8pGJIc2fL^ba6s^f>Y-Q`tX`JQL^MHZ9QzYvWErHr73#S35tt9<4eNs1Qx2h>iKP`=4;!$jQl3KHdy}D%a{)Lsdhcj!lqy$x=_`!HPz_^(#4OjcT2eW}Ajh3M`r4BPIhz&3iovP!Brz zmVZb6_)oc}m>oI;k&H5-2>pRjZ=xD`WaxSb#4vxKO1jEy^$SxC#8R}U$kvQ3Bu7l8 zxXIAl?6$#ywTHkN%4@DttGqea<@a}S;X*ri_PNN3ZXeqS^h{=|i=+4cM(X@l^2inVl_*X)FnonQlew5n*BxiV|w^s 
zkJiRZ(u_;MM-vEnqra598O?rZz0w-tV6scBumApqNDX;k;dF7kNalj|`vBAvgOVUN zBUp3Nc@*6g#~3@%r;p-xtv7D`@$PL`=X;89U#m!|fHehU?wi(~eidqZ!P1p76y@o; z)}V`%D_WwLhmY@drttgO@4GKgDSUA&V!cJR0%ytxPFsFDAv|Q=fqsfdW-WU8Cn*0b+oslfJ!gR7$(#>e&wLvMFyzck^{PC>nP+OJsn z4$)PD=;3T>QH-=Q`L<;`8hW^ua;=D@Ra?e*4q`pWEIu@ng4~ZJCH<3VZb@3L+%Fwzq!-{2uT35f0oB;dVRvdJ=oXF!xYNN22JTetQdYcNK z3ViTz7byLcn)UeXmzw@yQdI`(I`Enu%5XMv#>2zpsJ6ap<+N%jCFYg#w*w<3N!B|twW2wa^+2~CM z7jBRpVq7j&H8+w zQqX_{xOUPgxSG7REez}C$`<`nhh^dYOinz)=&|gLCb~CVBv3E!F=N}BAtd>;XyK&R zRx6}JuMKs>eYOE>)|ox(8m{xilbq^f8t17zDzj54ZE)F~4r~nr53!4YHhiE(1UXhP`d@4ECp35!l=iCJ!D= zwc%GljpgHglolmXrM7s~VpUC_qv%*Q5D76kj_vsX9Naxu66$oRh z!7@X6lPiesJJzjW7UX5tcD>e;5p8JPJ}*%L(XLp93J`+0gl8^p#w9}x$QKt(p~l-8 z)x6=Ts*3upNKDhb29O9iYPq>g4=dqK_Iw(8q@>sgli+XNhNLTD+HPKb=Ieob#*~?y z7$-yA)%?HXc3l~kn2TGj}zi_E2L6oa*IXIhM z!+=Nz>Gpb9386E}s3e$jN^+-HuIy)g%Jf z%s!ko^`lH}O>!}|N%RNIb_tvhB)Bn)wR1_Q4{w=w=&Mh|sIIHIC0HO^H=LWilcp8K z^d5`|@-&Y3l>vAEQ}okYx?;k$(H5xTO$)MV)k&E47W2JirYpN0HVP1=7WxycF#uCS zaU&x zWc?1r$zm$#9<>{J|d7T%0}S|5OZ3w_zABThKNu}7W7sHCV_ zjc9LMw2l#h&|hfhxnbbI+7M^3dcto#Vy2ev)=H8Ky|g*p zBvq|Qvk-0l8PxJIq2suL{mTe+4c3ew5IFn|JeT>ql(LiTl!lvHX`A)La=|q~(={Pg zQ0+Bqq+9{WU^JC6GdAsllqWVN4YKXHYQ6tNe1`B#rD5GCzX(ndEQ`a!y@kMqI29dx z*I7nh0(gNGdQEYkxLz7!Z<_NE>%W=l-ACkDhfgQ;+D9U;=QD=#{$)0PJE%#3ut6}m z>;1u^@4^$U+Na6OpjYv%lh96r%As(w7qn1$bf+Di%y;##tXsPtqsm2V4{6TE%xo9F zXHfMr!ngIkeh}63*YVUPeab>kmd|Q0j~U=3`}>O&zZVMAom=UZaXz_p$7 zo63~7H2}I?TCQTv``>0Sd~PJTZ@zBbO0~%H4d8U?TKP$09#dZAeLHuJF-C6la1hBk z~8;}i3>20$C#K| zKzxSS^y6Qx-&!Fm$ll?HHZ!CZqA)H-1GFIb*-h!Kw`MoX%5hnKYZAAy%N7riBmJ?)@_|A8jns|6=;2>~~|E7ald%^Q{T-wh{g$J{&WQ0IqzcZU7p>e#aQKj{V zsL0AL%znDVu7j+Qe9n#rKZ*8oXORDsF7KGXqOFYK9shtp^$YfEaaJr09wBHaajxqj zu`Fv!Rkj#|!D?PvGl{CXmILPU)lA0*c7N;kMu~JBNSLw?FZX-;cKd5THOHq`!$3XO zjGEjH2Yi56(mF)nt?FMbl#C+)p+R*u7I)J|Wd7;GCzn64nLF^th=2`lUkrDp0DOy)|mmF))e-e}QO>UcoC@s<7CTawaQw{;iT}YuUkA!zWsU8yo zd_3C~lZm|?B%%u(K4+(ALG5!P^j`oizT;W9RiRg&19S~8Sp3kR(y$`6*|Ly@!sPTV 
za9rd_YIR4z;Et80AsYHt_)2TD>r2aA!vmXaUitW>n1ZF~i^KbEaInt(p#Hti%4!F8 zAaKk0gtq5(0cVgpVdPVROdDnX_b!Ohw>Y7uC<>!%KwMfT)M#PyuORlfb2wapcjhJH z(YGaWCM)WJK50j%b8MyexQ;+-X;JD=iTIQV`*F;AL6bmqfLHHb|By9uS?m`x`R{K%x&{P$!el0DB#&r-f54&+Mgg$|!FF7>mNKxowCDVA zIzXyIn@pV#uRKrAK4c?xzr%=A<&T0$ii9p{ikbxV5_zk)t^gi>>t++))5DDR@0=xI z2jFiOWbBgrJ~&`S2o^-|j4g{6JlfTio4%il`Bxy0to9%D^hgG`GqqchWsL9*1?MJ0 z4rGj6nP|TF?gF2J>?GhjE~-g5<)iNPe0{_3lQ6y~=#MRLb6pAMtkh8xzaOgccQy>S zAj^@VN*<_!C8# zXfO2+n^<;nU#B~f^H4)wr$wz3zaaAvSr z`OgdKy3|BKUx|`F>{^SLlf|TD7ooWNXYx3FOv(R6;%F0afP%i6u6|`VjCCW=;<%2)rQ~WmpAce~QQdYAkzUunaYSf#_ zyo3{g;BTNN`sbPhZb_~j)Y}QO1S5n$wY!o--fYA}*pOYO%+*q)aHtt6-#8+!t zG!cm&|HTbQh0qDWx#97 zxw7;PUl>Kd)*DOqEz2rh9+@GF=e?bSLsewh{jA_&%rW*}2-Pp;MskQ2VyRy~N{`TV z$ecJADn)C$gTVG*bp7sXdUpuy8nlnl!3)Bj_! zCtLs^3r=3YYjqfIi5#z(f338%tsVgK4d#p5F}&4e5RahICR~S|#cWFsw_jomm%_5E z=V8XQrF2>qo-RG!VE@a$Z4-vLzd7>ErBadQT`e730`USlI0zXnEdureA*BIi4Ha+K znvInlWIJYHK-Bdg`RKtv$aw53MPhtY(~mF0FavDoZM$RERq54r{XQJpjkFS9H4fMK zQS_c}_^C1}0#y^|;trDwx7l-uZ?J>UQ#&t;U+d`@7lPmC5pwaQ=t^_fjcvPRUzlJ* zhmQF+h}nh~8W@_Y%5^%)<)U&&yHZ9G!3?30Ybs2{_0#%)E7#^+TfV2CwypN77DiHI z<#Dc?{$OXbZ&~e6jUJaqyS4aX{&#a9e>V8Pga00u!1++tzkQDYs$HX^5wgQJca&vr z;n<|qd!c7Us~Xg1S8B9xv$_aD>vZISf6`$p%U=`;nqf?@?if3Gqh{!TnE=>wDrH*q zlT(m%Z*<~kd`YyhT4&`TWRAgvUr0iO0&Baw^*w4c8|EUOS!-WDzA{-84izbYrLAQM=gzHeCh zyep$V6_C@44JeGEjyzc)n0T>-*LSB4ulC5A*v1|)wGg0SRTggXwUDqAOlprjS?w5k zHD%OuTYj(sasj~*ZuQ1uUcdV`W5J`Bgk(x6ppOa_hH{>iqI7I)A?RBKNHEq3N&?Dm zI@CV14^5PS^5=Q`ge`D0WItOElN_eM2bt-e><&E|+(Ucgo2jx!rU}^^tIh%_QaDVK zh)+*lpE_0-O7+20Dhi(H*?8J8e!5+P7~|`fK#mP!D9*8XpEx)I_2Th17d1hS^yob1 zyF{)doj>8}PYrzWD%2Jb+KV68zgN)zV-LoFpk0?xACRNOFT$s_0k{77_i6094)ArxVL*v;`$P4JOaDP@U%&R zrY9?nEtU`oZ5qldMW}VP80^nA#cVSYh|<{*BBMf&B?dQ4WfKSN#=v)2ERBvv8+Yc- zzv_>I6T4elv7wH(s=C3)OQ^jHaVnV*6NqXnzlr!bADE_eJLXaB68gbWe&%M}Ag;z8 z6O+A2+jFn63M1I?{qAZ+ z5)jJ#bea~wxOjjcJx(QUqv-UuNZig;Z6p!dYNh+qD$Z~C9F}mYS0bQbuULrZ#w%Zl zZ^6!vQ6=~Ztn3)k!v8L|cW4$J zV@EcjnVVAc%S3OuDb?QCYN$Q!{gNJ`rGZ=GIjivE`+KIJoOmwn%|?CO3}ddBT^lmD 
z^lHu6!EJCUu)g$K5mPgrN}!j`z|p~bXD6O2AzwH_vd#N5A^RCz-;MEX%Ph6QDK zLX#P?(c;ScrQu~Z&b^vx4WEyZGjFxME`I&`+NX&VYF`($-i`8ge@k!p=s%P&ztF zmW?m%f?Fv`AVD21YQ95Y!bRnXSRLEG?3jSSj3#22yRR>TY1hB&x^Gdf!2f@f^g4Lo zKO}t!zk7KphJ}5^O!afV*w;^*5M8W7a%zi1c!4G6USNqnN*b&{cb~<+>BDf#m0~uu zx!Kel7QAf-L5JP(Tmv>~2or&uGmILWo6+K4gZ{zS^fV(dM4x< zwJz0<|A6#trR_S86bl$+UF*NyYqQM+e)W2*Z zreW)%In~SMpj?Y7Ka?N-v8f8se1in8B@YNrjyMC4rX(oXkf?$C3#5=!1&a=os%_Op zcy}QrJR9q0V2$m7Gu!nJNsqG4S>HfL*eW;1%ifxBHuG?&ZQ==H4}K3=@PoOxHhQZW zeyG6mq^{_u>a>A0E?4@Y^I|o?G98H-18F}{cv=cA_$Eo=-tt1cf>=Q0x9X#OVb2 z3o~MT_D+lI!2n32yX`NVNDd<>9>Wm>L9vQB;l&JV${mjeZ4)SXxZHrVld(LBI6qC^ zJz5NuHZ^yaoD=!@DmRPyxPNl-X4D)mJy?-8 z$vBm?xfCJn#Jyb*gy>X+p15($&o|_jwi~@$c|hvy=Ps&ItZPABlVN*p>t$@S9~^0_@5=u#M|`)s1*~@ z&`_m;;>yNM(5yVo0R2TaOA>Fc!Da9Vqdsl3h70rJH_6gopnvMa9WYDtq^rrUk{dnc z%=!G7%`SZ5z3X5LZ)OG~xC8FM!m(1cD~X$xa}DJ4Ze(`;J_nk$hl$e8OSZXRaxV3P ziSvg*o~!UU@X4#+m4b`)e*O(3(um2$4;Jp!Z=)aykfmvHY1Ohw7Ft9`M%c_@&tg-m z1z2Q#O5X6s58&kWU9~ZuXDnEi=&;R}V$ZQc-r3!N&s0$LY;>U9U>xq9K>(T-0#a7N zmfM%Y0y*m5TKM4LzvK$?8UJnIH|3n?yU$o?5r@WS(BVSJWklQ*-+)_4L@Y&3B=Pa{ zBiJ~#45)zV{4K4%Y05YG?SmOXgM7`%0;w2`WT-SA>q%t2!i69Vpmw^4zXgY%0=lI0 zvgtQp?AFZaX*1O1;_X2%2~^ zt3|9tSBIZZ#Ac}Sg}Jgf2;M#=6?syDnIZUa@bcnw|Kn&_TpAQviSvHFJYgzZG#p{Q z3o4$gc}wH#v^z?yfNl5jgCu6}13md(JzuqU-`!McW6vInmcJ95)HCXmXWYh9QwEMW zs3d)Y0j$;r#;pK2Zbxco%BqdpqCUWs+L}`Ry@V$5YdAD_{4Ku)3no1cLLS;%Jx@uB zk^2__*HHd%6)PJDE(ut>J9lYyFsL7iz<3amBGB+iKtaxd!}}0yMAZLd!g6w3CBkmh zs=zEq44Ak;kwbmUm?BGvJ6a8=+m?5N->Bq3WYB$_00dw-(D4m9^x`a57Y8{CcasAo zt#9^qW&it`FoGbI)uN!UyV=EQ)auvy^T?>;gB}NZd}h2ynK!ST4MSJH=mU;7bH%!v z8Yj*gOZFqdF5LF9K4nuW(94+v`Q*VJHna+h+u)EUcr z=2ncd-E2m5^WBJ!(D*hI>eIs`Xp$42`!3af!PK}5mYnm`Zdov6(D+R`seQpTNO{9> zOnr`*Whsb0+7FLWAf(n2F86)C`}JV{k7e5lSBb-gWXZV;AB+6~+7OGqaS!Y9r(bDb z11;_th*umAcoX-!k*HjmI==B<(g@^x+ET5&0n@N{ix+f0xbu%f>>tMDaIx*Xu3S{P za~e|m#VI15m^G%9OBhMEa+y0?t^m(n7QW|aqow0$1Ivdp+2&oVrjJ{Of6v6=PBdyk zvoz)&4m(`#oLD(oa0a;EMr_QTS5h?*RWPO-+S=GWQ0`=+Tg0L}5|vvYZF|6#^8+GU 
z$_Kn!FlsM)3TnTpkCK5S?{;z@(q#LQ+ii*6{V%>6m=)@p888>(8#o>S;MJN3WG}Na zpuz!v6HA~X{h-+3%N+mwhjx2Qg1jKmE?(J?RrrUvO(0G^yz;R9eR=bZqy2W<`?b=a ze)#ZQ~d-Ob(YYuFNwk9;;?JiMLQCdVi;F zK>BRxOoL$twNAA_SiHo@cdf>+>}`T%^#@HpV-KuysU3@0-9{+*F+%@%8>{~jbOgqv zQE2!jyc41okR(i@TP_~7jw3%T3k|CoZkNKzZJ)gBaX8p@I?Z3ugyc{DcBb1z-ziMe z*Qd^V`<~aM=bcMn99n65f$f}M7!1aT?udI#966g}Dop!iNQ&u_Gc^p~cT;kgf3eek zO{XX>R>XsU52dFhstyq;iB<+k%e)Rp-on-X#cyz<;*mjKk-b#PDA#qspLO%f*!(Bs z@R!Zoym7#P=r41vNH&p9hdHA1cwk8+B{F4GY`g4RlnwH$$;FU`KrjdBK`l>ei3LU{ z2;s(W=e$yYyI%LNFUd&1dDYD|ROp!IlnY-vWp2d+1l)nS9G@W-YKY{>fRL{n!`(iN zrjjn)rkXd77eu*cEB-il5@U+>PbzELrNofKRd`w#3vEMs6 z)}>}*)INyqz-W#M0E184H8Bv<)oY}-Y&E;FC+h(7S{?eGPz)=^AejeEWGv43k#O7p z58R{Vaa6@jKHt~m4Li`B823M(Q^iI~C&n1%O$61njd1%9xQFG+XX#MvkDxrQt*OKG zw}3XNC|S($`9I*^i8GCro+YPKUyFaj>FR06)&|8qW;|*Q10qu>JMiTVT6fnmK3_d% z8d)I~&oN7UmQyz`lv8eA3*r(eY|l|20{GQ1MoL;>R#(TJGktK&N_9muT|UN@?ipYm zn`H59V-WbhVI*N&c)SVsTvnSY-2hvQ*2)v9F~_S`f;>+&CWOpZLIy}E6ggR`4G5E) z@?~F>FN`pg&9?WnI$CJIMX{HLd36_B_` z^?`%F?}&(Nbp!D(Ka;L%63`Q+xJvO=x-{RhF#h%G+L>LAGY6|1i>>2zmCHpHIQxmC zj6t>FyO(aMe`@zmnwHePc9G_u{byxzAZMpJ5p_(qeQ|Nc+4xa+PB&Ni zw2K%tb^DvBjI0T_8x5b8E!GogJy3_)#4#Eo5H#<}EVr;nXWyopze3f-ONv zCPttWo{z0;G@g@nvU@r&m3QNarIaK7;|OC7_3+w*Ev;_mR%{He1B_v6Kj=GK$45dF zKyJCuP{K3MyW2PLe0tOFX)P`qx~X&&PE>Hy8AeYy2DSm%iI>Oa#an`JF^{}O0Fk$m z_k!LOvGeFbT7vO9%IM?xyQRI>-9kwnZj)YhUQ#6K%;i6lQAxwXKWD$X*EYN6;(KIW zbvqCdiE@AAoo2vA0k~^ur}?J1!ywp^jcN?KvBFrDpRl|9eq=ZqD`P=bi9nCmw87JR z7DBRz2XuB1j5)51Ofg#81M}y-nN$oi4)AHJeTyMc4O?6;A<*6|pUGhgMOMfxGIqg>QFmb;;oow`#)ARN5THm`IyzL(1oBPAlo%zE&(oMd{{8|}i^%)jk z*q~icBcV*f2e5_rQ(Mt(*5Vog-9Oqd^s^{b>rx3D*6zdW6AsXOCq*y%N>TYq=P?h< z_|WTt{E_R0`_af6t@(nYa7tk6dJvL6Z(Ak?>8Ds<%JLA7l^TA?3jr+2f;V#zuPzjedgV9jb!H zH#*_X*>DPH_mQSFt3h`;_ED`qnr>*az{>S#DC8}`)_rWNAUQS|!{$(AS5N0v@$jwM zo4PArrj43AJY%S{FGy{i2>zhqn2MYB*KUP56`0ZQ35*M2{AyJH5#!Fqwu+^ey4mUl z)Pkue3S_Z=(n^bJsBwv?#6HN?n8E(;&9_l_p;Qg`59 z#o}5<(I=Qr#!DV%7D1J#X9NqEJJLLAF+&P)MIHko=@Y9>`{9KhfFd@H(qZ*T4L5E| 
zuGo~nktu1dPgH8M{h;Y~5nI_Okd0=SObIZZ(ls~NbOwVY$=-G1VKK&_wa}jw39V<+ zAFrh~s_&&Qai+gOar!SBz$uHGychODWH@TTv+s)CZYBCm1c0$Ug{Zqg8CaoLQZdOz zYpa?l2r+xNW?5t02VSNaU?TCu7Z<&1x?U1WmSMj~#~F!s<(F~SHs)=Az75WklrfXwsrKP&HK>20-hP%j>*Ngne>DXQQv){{lSrIe z$L_$v9eVs#dj^f%50bj7$C=r{6|9jA;PVt@I_tcj<`arjzrtajF(e&wH`_58-|gY1 z*MJiuYvQqHAfAnT_C7S`Th;heux8M6$fr9a`qTuU^j>MfQX&#+z_G++4nRlWvPqAK zEls)QVI1US-T8%Cd@62C?-f_v7x%t!Y&J1+3;&3$5o>85JVA$W!j2Yd%a%o$atD+@jX%s z)3CAVRWRuEIVP*2uhzNiNG1+JIrb!&dVk#G$p%g-^fvC4kG64D-7wB1jVV1^m0mN{)*US&jBk6%@g9$D^jWb5Rx8nFPIrM?Tp_3wxLq=VzZJRBirQ zuFZ{!i>Jpa15x_Xdx2G{i=|<0-eZe4iuYUEza!lj0msT{*kiCKtJzQvQ z$>#&1X-j+|WQ1vQL5dS#u#=Y>sn?0?zUJvbEpm5eSA!ErH28ND$BB|1~!Bt zpvf7r$Qn)$5=<1yhH^Tm)^%3a27mQ|Sd-0BGC-`~O81ar;{Y)YUP5xNxXww zNYrgdbfW30su-hc{9jjcw<{2Zc={q&FL3*|C0nGN`R_QVLzcm!J!M?{nk{LPqwERh zCKLGuaUvJ35-Xh(CWW5TrbMy-Dm$m&;BC0}J&x72Q&;7|!rLujO3_C+K9z2OHeruL zS349Ih1D<1kvqjT-)hiM^~<}MU7`lb>2i#bxa9)H>tI7WlVYHhM~`V>#9JXE7|wkK z29ETi>@3>5ctB0u4(L)1P8-e%BB*Kuj~SP1VpLyE8Nl|R($6oXTH#C)jWOj_Wsu$J z*R2dZuzDqnzw!>kBA2`;MyL^uPcB(HEPz%Z;^)1AyD`kDT~(BSnz~eeZY4fbo*`qs zH-hPSH?nBHoh2CROi#~z{FU~`V_>EN)5%3kmxk^?39HC44dZ1OpJcX;-u-QfXxw?z zO^Kl>9Zb>DHA;r8QTw3nUQ_+p*e-+`oS>^;_3hK0HD9H=(Vdn{hEf?Szk*#{sofuv ze420hWn~6Ij0_T4qCL--yjG?w&I@b-&VlUyoy7~U>6`4#Kr#1TXMA-WBJ(s>!W*lE z%N+6PaQ`@APxmjgEVwjr|9RA*ez87T?e95E9S7}0+qmK{7vBqFcK-XR>*XKjbf$~< z)pL_dPoI?^-+k>*DCpxoIz07V8(R)qE!v4j$K5O}L>eMx=` zT#m1+|603aCC+)^Rq8;&3gcUk-80+|PytDWA4{O-%djxsxAzFdBoXvWoWKwI``@CJ z$^I5g>$FoP2nVu`=Ss5MMzaLo8l_iX4XOrZb@_m4$XpN9K^)z5V#T~9zB`B-^{Oc5 zlyUqRBqF;o{3g~&=tXBk4;DI4qp}&5`kJ5q#s)KEwGEe)5QjUMql)Dp0K!GBeKK*Ajlx)HxOrdqOw!5XLhPg-ozLFNWPe z>EL%&Ax@9%(6nEe%~*#-VuIe%>k{>Yr30Dy$EQua{NzJYHDzq~5cwjMU(Kf%f{Sk5 z0W*SHwMUmC*HVJ5YCW}wGs?AI)yZU&DJxi8;KF#<3}-zfF`Zey+B^JCbyTXER{RP0 zG*D+iTaR(v2%kk2n!!;_N5J<0sVCGg^@hov}BdYYk3N;;5Srp2V!`YA&L0ih#%|3TgF@7cTpKT0IOK>TIDH zqoFgEt>@JX;l#(-ypsx|C+8r2TiZ79uRn28qaZ!X?e#OzScRei^&;E!ILw}T3x|bH z&}Q@2(q^gz4}MNZV7a#r5Y9;njXo>*cXs8RIpJYXd8ii~QipRx#%8a3`R9F7(vn>* 
zHZwr>OGJvBJy=9AQ+K-w|C27W{Vk=Upc6><0Mtxh^V{=+5egy=z0j!0eDqtTI%CCW z03hRHI|o%Aj${j7l+&8gh+<0XVF{6pj&kqCzwap1;RC_&mrtKo2;%lBk#J7NI9u^I~uqhSZ8 z2UHdGrE?)(zu;LnzhoV5a$}qcyE6TBU@6m~euqP|Zk=cpyl2>IX68ghqUrX_&=aM0 z&FbpmFh0i;Q)*0mRp6qjyj^3(+*5BW^M&lBmzG0dMo53 zy&v%JD_-#-G^%-k}Q%1uKSrBRAMU~lEYux{GG>5=r69Zh5C=A-J zIR(2SgH?(|H#AQ;2XSL&0#C<}hdLOoBR$^H=v*zU-0MA`=Y6Sm>LIGNwjug9YR2?B zRu-Fw2g?5B3C-$;Au5#b(JL7gptR&TcU5RtH_z!(BJkMy^qK!EGBMOH7d!5s*S{nw zQ$D1_AYJFyh^PFqtv&FmT_i<y)B?RI()1 z4MF3QjZ0A*FdeH&LMlbwo>mE*>z2gWD&qYuTH62^mQ5>DH zL5t5x#sw@!3uqtD2KN9Ek-%@cDq~y`;24iB+O$O%*N0lHE*dZzYEau9VSgcDXV|$X zY3r0r-az<%6gysk%iktu@1fKWrMd1-UY@j{7G!g`tko|mWK|#SpPVP!_iP4|_k3P$ z^o%3?qCcX_9S{423xRJQB#6owKyTuR!|-uXB}dX$W#)>#64P&KiBfZxrQzoHJQ_lq zHdSL=KeKczoCt3vtauVO(0_-?q=p=9ugyz%1Dt9KkK8c z>{bP4u`=Sw)zyWg_0~0y^#b^RO(55Qy@!Ek?K;*M6IP+0X2dnaf+gC5y?Ky-oB>x? zzV1%0Uq^d~o7u6rTxScp_P(4v?VYe+*XOC*Tbo)@cYYoocaNKTG&ahWiFucH9b8ZPs3ll zD?TNq8+&e=f*$|zf~toDWIEn@pntklM2o!=`7Mg@@Ap=qo;jYp_%f=$8WzM5$j6ko z{d~P73XcqEG}m(ok3J9nBw-9v>REye$rJ`Qf=o8Ymt4=G%LR&>EiM2C7Geo6G~ywn zSGTiuo`@g0tpc>Fc)AgEcsZ=YiSo!NqycJiZ?a^->fwg#^yp5yPa{w0K4JJI2TPa@`MxY~lu44C?A83jdXYn1E~&)czv{DRO;UC_-TVR|?_{2Lu%ivZEgy#Luuj zwxX~q3@4(@nwD*9n4v2)U^RD0%w<$}sX@E2hx%oAcNc_-SR#raYx23;B3`$Nj++g= z)5gbFxtc-|{?WBauhG<%Ua1@~q!oZ;k;QkX&kr{B@_k^P3r+6!w)|7De+4VC^5;3G zv-am@4cH_Ywyaq6(Yfwskurv5Jd+f1Qo0e+TNn+joY_ESv`Srr*Rg(ZpJ@8+f6ZF2f*oZvEucd!Q+4Or0XTPqn`( zm@d?fCN;i|>Q2AGUdgxoAuW37glH#(PV-fR;QAXnP=}-}c$EHfd?RhZfQthJ-;^;L z+ShlcQipV@=gEGWK$uVf-xuU6O51#e&t}?190CM-`Hvd}0Sfz>upvK`b)NhCH&Noa z(JWgoMZ~Dk;I3Mk#F*OjnbR?6ism!bj~KJ&4x~^3oWyEK(1V~r0!#PiI(jf{*&zak zKelR~qoj-g%=8iG)jP8z{s>Tf-O|rD<=T;`Hjy39vI&U_T0Tsl*N&;9f1l6T_^CV0 zx#uAZ-a9uXH*|7UNu+ky>Uh4Xl$T2H?L}TdrBIyXb0ZBv`8`CEyN(thzMQbF!~2O} z3WV*SoquQ=2V-)Ge#Apl*iNuURiR0`7H=l5AdJ(;+9Z?GoPG-mnlqlCf^ylxP5@7{ zUCM*}B>b=rv-X@kM6^rN8CSeHg{O3DaWMAFSJe6>G()D%2)gB6JYyo}pQP+-kSh2x zajOK+EuQ^I2vr7{xPXx`)Rh-(g|oh8p*h0uWRTaaj$Ujukn9BT%g0J`DEVsile4;Y z42WGHOTx2eht=sM35x2*{<@m$aAzRQRB 
zj*1fr>TP#5=(-skR$L`9yr)k$PaZ4}?LQv9C%2#H6`PJk#I>@ko=4fEOd6N_LrCvx zvmZVJ?#B;W`HvqIOw2DDTQxks;iBsMKR>8~d;W%`PYi~panFoCV-I|NdL+0GTxW$! z2Ra8m5&ZM)$DNmp#9*OeIzFX(ul0Ks_3o`O85L=JQ}&|P818#hY7qH9?7icYWKs91SzWem8(p?-+qP}nwryKoMwV@x zT}BtC-go9VF%fhBf*bcsX5>2gAg2o0Njn7*UkV_yufkuc44yUYn?L6{Ck|-IUiy_rUpUb^1@x1;!#xud%zSmD z$|$RaKo$**&Sa*Y&jQ`-{BctHLz67z7LXz_8gOkK(H)>97=P55)tSGQ7sRR&@9c{- z2}q4q&(}{Gn9*e#gWzXm-VxWqYbg)OMsJm*A?**Y!WfdsMYAanSbdGaC8`c6&#GO-iQI~%x~ z?D^9=Xl0uiHbFFr^@pgw(JuKS!3y=kr7(3>es~}^3vcsznI9gAp4+*tJ^nvDkd~6% zbNB=<^56=5VL0b=3>~|ViTj4Iv6jZxK*1k(b3?bWC>BRvCJ<>vO$8_2)?+7NGDt5T zK$0gN06rCES|yDtJ^zN?yCQz=P{s0B{Q5VEF9aP6VJ`C-_a!*co8a6P-g>&u>;@4_!mu~ zA)U(VYI>HvomL8THo4PXw4u_AC(Zaof%}iD##P3EM8E!r07a)uDwj>HP}hX}_0X=r@R;Js_c)(PPo zVfVRyH>=ryG~vkQSFOb+>JDU9A@{#UB8pEX*?T$XkwA+heus&;#K6w7zMf*&&-<{( z>VPaKi9#4TPs0jMVO^aCc0wE5{eVGzr`wcu{|^{6x3om`0|tqtpmr2@6J*`^rD0ne zclz?XQ8+Q~Xw9{}41OG4Sa8XcK^~}a!sVnKA(V)#9aZX8Y5?V`aB_>|JRP$dV79Ku z1?#Qd?Ds;DjsF;$w*NTw?CqDbOVVln)eDbPzuLwHg^WEZC4jIPp`hO1|OgzGb079=9QrJqbb&2@DtS# zIv!HinOBCUu|N!Y4e{Hg+?S2BzeXCwt&7uN2DEz+(s(<9uoNN_4tp;P=v`-R2g^TS z?Z43K-g4FgoQEl(`U~N9qcqe0k~_k|7(Be}4$REy^gU+E{}EG`2b17a3ebB-T79~F zP?@=T?jyzs?KLI5l5c2ZA9N_g7s(6e1i0HG4D8)mA)!ZbJ;&mQVLb{+T?yJ@PrCDB zSnU6eXj-786+EW(z)VZ}3)@@3gck#y*#RkZv?Nk7fDOemRhx&d=UHlt>O^z9?*`9@ ze$zf}4Rie_U9k-O>VcasSV&(1@;6tmA?j*6aJUT&b(1lt`2B9hNI4r3o1OZPAKvhs zi-R8Kw6C!B5V>h=sp=l@F-*?%*w#@+_qa+lt~VCuNJ(V`C5~z6O|aUy}xJlS?y`N z{eWefBv+*efjqm?gBu*?VB0>YTWilX$MyQvh2xSb$UgDoq4e3#$E5E44P?DaM|&aP z8g18vxTpuDHw3b_3C4sPK2knSI#rsPzujs-RTc7IO?s6^2QKcvZy%ntN*3pTw^k2u z9w1cdijm{iDKIkAJK!j2oL(y7S5rv@zh4%T>76v?lv+i-_QQ$zLBsIshL1b!yk=Fl z786=gF(T0jiBqkTwa9=^CnV#fRXJ?V*rTIy66@SzXe1LrqG91si87ZQyBtaq;B)SOA4 zFrh;DA@BH_4`{fWdtXdg>PyyRp%0xxeWQsuuF^sqe>Ym=PG_e1PGDcn`q;nkYH96nG7sj0?MpDGlv+ zzT``w=I56c`8@d0(Z2DZa0)N>h4l4>g#;#!%>rLx$Obj+JqGPgv||t79C>!8U7`rT ztn%$@9yj+LZBRsS+ycT(qYD{+kR!~r)7@w4YQaZkLJO!oD2Tx*NI8tb8e6z1Zn9Q!y zJj}PWQr2K~1!e1aCATrj*r2@);DOKJmT#-?jx1Ka&T=&t6bbzo_BmBn2T?!7H)Y&< 
ze}2<3)YcwSgMCwz2gGC#hML$=0!6Pae>l># z()jK9q-RBgs83l~pAz_u*K`ZFbGXWVm+W+fHQdoo0rXchY6lm;nvo8a1N%9CC^rY{p zEX8&hSH^&n;zP+naFS{Y5hpfdtl)Mtx`HGnVMBQnX_&gd^*xy7!=#AgZIs9L7Pdq5 z=o_l~O`y0Uc&JTr>Cz+@JwL%ED^77)gPmK`Z1NMJxV&P?E3Q$diedkOg4k^T0|m`S zqc`+o9ehQFZFL>Pm9VHgm0JbD=$5n_v=!IH;!aBE{uc_`7FgwDt>$Z!U3M}~EkB&- zQ4{&qLsClIS?9oGcr9tVCWARDJ2FRaKFF;FKt3*BU`1z6O(GbsXk$#VNe)acN@{@Am-qDP^xG4}RSPIj*dyO(mEUaK!8K>dP({94?! z-L|ul?=ds~Qc|CaB5gd2&Fc_Fq`gZZQlM5x-flmu;OXxAGuR%qT_rlNA zC^z>Ng%p|gjI6sH*YnU=gPR*~YUtt?{(g1^PbX&XuEE6BJ#_H%A$Qv_{Z6}q+l4O; ztvK0r@@J5ze+HR0PHyGgB=^5BwqwmtjaSa2G9%vd$Ul@2xp>68e5GI!v0VjylyB*R zj>t$6LaYp<;LrhW##LoWaTLPSJbK}aZk%Ge@gvSSW0q6w>BS^bjT9$z-FNM{dH;G$ zvGy4ZI3&muiFAp;+Q?BT`kgD9ks%Wuxx6_s0bvpqTbgALs22QSzQ>6I8gjnNyMil? z_d`+W%rLb2$5B$`b1^?c2GN-Q;`1h8tZzwIK|EL5ao3Gf!S$zUvJX5OkQ5p{CG#b= zyO>TiT@*EK951%)v!(J{yMOZXzV0`WR$C4o;;d06qeJ9u*Q4sKVd_6s$LESYTG3Vc z8Hw>{TS^meHuNT5Y}j?b*f5*hFyS`&L!xSub6&P1c7nCI@n`!pBky*KCa#7Lw5j~b z4#<}dBYmHly`6H~#N|L)F;1wkR{7zDSEOmbD<~O%o81%sHhUgWq~j-a*Y31<(YtUd zuV3AHjuw2cyJ<8a=pP7xj;YpVk#Qy5FR`|E2W;-(r5|GfM4kpG5Q*Ugm!Ww*jIQqm zmhm~$25pHM#EX&NoW8(jFyImBI226eX%Nh%m@8lxo-Zb+jh)DdKozh;=fc48#|7C>M$Gru$+kY4#in0G;gkqKD)-2Ov#mhBsSh%L0j(?m7 zct4^8Hk=;;f|pB{X}PA||FLlV9}CC-#ukp(?{)9h8xA{CSr5KT^`oj&+^FrUg^~33 z+HF0C?4&I%X(j~8&X<@?W>98D)!)qlHb9b1JXvqow~|1f)svvWnwlz#zaqWQd-eZ?VNSR2hGFM^jcn(RL$-CpBh|6} zl0j^s+3v%>aIwT8p+IG9}mJ z@l*o5QW?r4qeoLP7Bl|H!p35zoa>hUQAj{Cl_$rLQTweXgVbkY`&h*}ioqX6$DoWx z>fn`2M7&r;wj0E;H+!wB6|{mhu7?qPBj9HK`N$f6rHs>*JB|x8!;Va_JEk8c(~M&6 z_PU3(5P-W7R-5?#jpyQH2YRFIRLD^?Q~gDAPD-X!_z!wp>|5zf)&&jiy@e%_5T_7{ zOg&@pTXh>0|8O04?A~9zlQO>g;;O3UVZ*y0u(ay3x9ZmQzz-oWXf-vx1&iN0*`^suh1lsUz<) z!QMP2vGiJ&#=x-dm6R`y?DNO1mMNE~8ym}qw$9$c>Wvzsm;fmdf1L+=Pcv(piEoxQ z_O>2U74|a8^ytcpbZH@!r~azU?!3RYHG#F7-xEX6>f1BjwSI8QyVd?Dl(}LIcd*Bm zDi7vgCe*eXD0UKA!x0oxyYu%H$TIc)qq(CIYDqPErg)7klZff0Gs?roM*K5a`rB_= zOSE2L#$w5W>cwq7`sHgnWUfwzaoqB|sRbT2!P2{kf!Xfb#Kc9u zVDLEM;;qc(^ZM!|+r=82V@QdmaSRPUI#xfmu8iX<_NN#}pIFaFO2Z2ru%BjMV&7q$ 
zi|mFxtB}^s)2R3QmdhHt-U$(TV(~0`d9>*qL=p!st`!6Z(!-yBM+k2E<{dU)pRI3i zmmS(qGV+&Q>&e8P;2dIEtCI6IV@Baf91pQ|qUNF;{b*icL~&=AzZSbs;ob6od=t_2 z0=2bJe7?68sOv?pWWIhi^svT3BT&?;7CD>*P!cE&}TJcWl8 zl`JF2FnWb7BQExSM^*wUi56FT<{`Z9p4X>8GTVZ>vujGw*Ak+sD;Ttg9YQVpLgG{G z`Lqd4K^W=Ai*7aR`jK@_`#O{``3abuF{lP3Xmw@eD!TB$AjGWUcCio5Ta8*zCpKED z<|WI%d2Dq9TkwsSvJXHFIO!f|tCZoGAr#AR(BhcljB^aI4;PXN3lDa&%M{8mdYn`j zKB-(=tk6^sf~$y}uiDoJRaA(Et1rVDV-YvJN+}_Iwk8#Q?h3OPnB(}fERP>#8Azftko2_=KR>l zK3jiX+Ej(x88LJkqv{~IVJVqAIxRD*yiuFZMwKwik?Hs>f|Rz_5IUs7`RVCtm)J54 zj7v)xohxGK1Ecy=Mee^9GG&VQbm}O}A`qibSnhKsA5Y3Mv&N3UbORlT^~B-|+Y~NK zMk}I4to!2Pix$vp++e2TvF-KRT@Qd1nf)tsg5)(ENv^e<;TE^=&NnG7ed@MjrE|u=v;7_(yU*UMPp-sY)r_bm zo+yQpWlH@}mbDaXp1dCvlv@gNB3*5dFXQU9Q=#eYSroRK7#vX<9DG!v^Y5)zje?bm zDAj(>EzqXt9wK$9Z@Wrkh1)nvp`u4$!9EDt1!J6)A2y?uJ{s4JoNh!dRTp5gRr*8$ zPR|g^?NbefkeKY&GH`yMZ4dyczRlx29mUeZm5d8RM3`37;I-sDj2SnoO9t^-)LM)S zi6^s+muOIX&3bt72r%GS&G(0XZiT+}GaQDh8ACn~RhgSiMb552t4sr0#<*|tDCN%c z_VV!tqi1KX;EAugDt*;V>!aK2Tt%s7!2{aTV`~fCOilXn1&55|I{5ay`_K7R%#>w& zg;sx0W)=E`uL7b9FW(vR-lWg)gzEsYx`!$pqZ)g|Q}%A99FXbo6%ZpXsb#OY?q+jB z@fd@A*+y1zENqsg7u~&P!LCsJJG&s%tS>97Y6kqtA~PhxuW~G{i}H(`M~z1x;RBKk$MR zcF2A|uS<$Cj6JeA34fO=PxC@BR$4Sa=cF8c<`{G$R1n9uCR%ey=qU5EG8y$`3Fydg z#U9v$%O8nXL{ly1r4U9MxDV}O{Q+BU{)wI8(pI(8uyfS47~iB(ZY|TCt4U!NHN&y{ zCV0c}UC8)eRI|*z>ju?EPLSQEgJwqLJRr`Bj}mn6-)oqja*bgo zh03(?3od@d8L=R8>Sd9m(MXM4F|(RQn~H>paZjGAbEKN6tg)&3U4BK|U?fxSxoKz% zc;HLVjsqoPRtxyB_1P&JhOSX=-_lV=$`lU5SRG?O`RmC9+@X5N34pz{L-l4s&|E6T@h^Lg$b|qzyR??9rT16Ufyvk#rj(2$pk@>zQ|#I zStw%1P_Po75k+75u_r74^2^4!?M>1}{RJYu88e1PKFxG+$c#2qn=1^%EP+bjLDSj6 z#8WfH$cwyLj4sd0OSsNYy@z$F>WG=zlJCL-y7>= zc<;xf$hfMws^AZc<~kE!UY<*w>M}uyZ^-h+B%l9z!Zz0Nx3xuQRa`i#pa3+aj1Hbz zx9&mMeGsPn;S~T#2UW%x#Vy-nl^zrT`=`hs?hnIL zJezwPRS!MDHfgU0=uFREQM8Y`pVwArbq_JGHbxfUKsI>Zyp8^{#~u&sG|wL4e8&7_ zEtmXe+`+!pPyDm%$2-7c1|?S{{bb7cm8^bSbXa_k-5JN*Ax0%BCF}~g>JkV^>z2?y znWlP1k&VsFo{HH&w?93lFrU1brev+K?L~=>t{D)hT5PP)Tv4J2p6~97+4jaM?<8Cm 
ztK{NaD6Vhwz69(4U@eNVS5qz1dx-0QOENwgwTVfyY~c9IDXshrabxK)~YVzN)JFD>PCBH&)4M~@UV;J?Ue%(b$O)=LYJ&bd-K|hd` zt%fjH86!)m=|w?@O>)NV99NQ}L{b&qSy|N_sqlDLP+;jc>9GCiyHJXPOstxPI)T~Q z*_B!2Vwj(Zwd+9Yx?W1im)I9)G~0UdU3#!>uz9Ca?0GKnP`#xRIC~?0%Pv{lzF9Ts ze2Tk?ehDLaDyeuj>Bw?O-<4p_4V~`|Siqp$a9}ek!B?b}AxR;}iC(8|vc#p5P+~~Z zDWJ%{9?Z_>^Wkv>SPC$sO1b;oarqT03GG@kN+-KP9JI{?jx$WS$3{%zzc zn>UHeg@H^=%T0b&CX30J<|_&eGkpNs;Qb0YIc(zloKqn&iku%AYHo=H`b%$bdMeyu z%eAS6673nf(UR#=1YcmG@b;IS)SOxW$f3Vo2HOgR=&L|Nch$EQ?bR4D2bXYJ>fj_sQ>JV3mDO@ zxX(=9+7DC+>01AZ=u<8+j2e}TYj3NT%`0Y6tBnXnSwtpbClpwk97n1|$;3tPjKUdK zIKoY4%IF)$;7A>x+$_X-Q3wj(uZHi6S*llj7SVuX>2(f3*2GSgmcvYvX%kBtrIg|P zbmzy}Y=cqU>V4SI`n>B_Z@ttzw@SdGaX0RY>8_6&_Nde?mvFX8gw9pmznW?yw$hqo zx0-l-Z>uZd{*zoTF|N!*A!HPntS&9$#csR_R9As^`LCV&+`}PI{0785||`;qX<4=PEzS_e49c6q|Tp zS`d!02vHiy;({4VLh;e{Pcw*=pk@iu8#s>-iy<;o=^l5b_bO+v-ambp9tkA3iFdoJ z$hGF;!7rPSPuZT!3b-g7J<`uHN~xiL?`%hiw;woY7gnuY=Bvx9o6B~!k6Nr(2#xZm zL4|02FW_JWO}G2a_^|xXd0wcUZoZNp)%!VzgnDUiCQ{aRZLQ@Rp&Aj>Br;S4V8cvM zw$mY`MqAWoay_Xi=h#08wg4<8+o}*qA?ogBMc;^M0grdbt*cE_9_j)`Ac7GzA-{4&Z5CqHz~1^bCSk*A=T>>-dk<1Zegx@YU~g86fwLar#;j`; ziA*~0qL)}pBC_m#0DgYhs!)vrK;2>*{oQuZVkcTteruarbFpx^V0U+RkaPNa z;OKIPT`Kf>2+~Up9}qo6cMMeaw%~@BA%YOyMzB#`VYhyn0lzt;zGjkJ&$Pv;8s)|O zHBI6S51(JC_WL3QvXWQ{17p9BA~;XkEIGl>Gm=SJ`*sb3TEhB`V#0&S^J$knc_Nr! 
z#Qb9Bt;qD;gZPd~xoRglgTkmw2=Mr8a(p%ehSiXgBvrjIL+?{lSFk>xw}Y6)6AABB zsOh+}bEb-C*h-8bC8z?kx{IdW^)T(5+Ymt}NQ0S`5}+pnG0g>Wyjy+dA7E@&lMj8jZmi(1 z`&Od#zF4K5=9Jn*sqjOD88xLDoe@#B`i!rXs(?0GE-Lb4OgtXvN_2umD3Tbi*=xTL z<@7`pHN&40M`<2iot1h9FjRkZvv%V&qJN(HXY#Wa3s)3CjnPi0%gTBnf0ARWB0f() zNPXOY7JoC-xee)m-78$LhKKjdvAb|?vp@X<8GE*6Pv7_0z>*SFUIJ(KPuf6th%#5+ z5Oq7`QW*{QLgIa}hGo$e6W_$$erJKd7AsArWUwg)P=B@xnr&;W*Hs{#Xx-MjR4hno z>J7uty@{EpF|eSzk||UrKLg2^&1X|L?ed7@Dn>e@1$T9PEL!|@Z&POM9A+ME>^v&U zU{-(0gV8Kl(D?0P# z5XiHq9aOaPc#Wc{U`2}d`~iqbpr#pmx!j+e*3Yc?X=I;-i*Gy5VbAZ&9x+W2%ZSdT z9+Rj$GN*2o< zs>!ZaAJ|)HSH9!OO)06rbVij^$NP!^9Kh!_u^@yQ%%{#+Pew|{Y~&_x(O4DraZ^Xi zqx6h}_$-5Ws1G!*%W~K#Q#}2+Vpg1qrCo{40H$)0I=qUv)JII|G0_xIeWT|nf+r}$ zhhT{uX`Ey73S#6{%__I`ruX3&w3_YL&ld(41+6o#j(b_{Ut%*wvhz;w7gs%4Bn@da zPqKA+S4KsUxrWBiwKl@3x!P2DQU<8uM@bTjo55t+Vq+2LOh?G#o@tngqQ%B7!{?01 z+emj~Iaa1nS*VK;`B!C4?QeqNhGi<5Uh1c0=##%HT-~pb)$qlR{b=S$tKyF0cD;hB zG;5bq%^sBLn|1os*wxx2Z!7+FOX2QmPbfM*%{W=s4JlJY6AluUVdgrp$ zG}dw$Y3yB$s2pWB>Jar&%W1XrE%i!Q|7^nSST+pJT$O2Kiup2J;|0b{^;8kITMuY! zPsP^u^jf2g1Juh`cH>n|+;VbyyjJfx8g!U8FkUKs3-HukpBl^hmr>LX>$!;cF3SIn zo|<7}oMDSoN-^eIFI~3lW9W=3(nc4@-C2a$KY}23nUO|H6_ezOhfqg|xcInf@pb5? 
z8|Fyoj2=r3y~n=SumMGbHiIVJBXFw9HkfnhwATkwo zCg!oN?^H{2IhHom(v6uDF}z0T5RQ5;HFg+*hFDm+9lS*KV*+aah+Y~pFAGG`Y>C1_ zR|#2G{e8Viyb)@5zU%NasAuR(h3BVOU9&(krSCu3b#;BC zBU0PXq6FvUCX1Xbm#U%=eCUcbn`+CJmDtjfub-kX@86A#ks3f7 z`)VetmA-3*g)dG%=SXr0Rd=_;nyhCdvo_N52)m%G&RbQ|%x1*aj4fMStX5Ap8>(~b z9@)3)dAfRcGqPSq{D(cRxmbsOX))c@^xE8iMD+4HIP=)#6Cels?d3Bpgw92t66Hb4s2i4E`Ve63uO%-9BGW7bE(7rQQbTUfTqn z@UrhBXPK1z>eR0%MNT}he9C@;sY{CVkdftP0Q>CsM~j!+o7cO|yU+V|VO)15$7wt{ z^F9IK$$}L%QM1L!Q^XO*zl0!&li`BOByDo5wx8ekjSu-XpHt1jBXKMmGSj?N>4r+A zgv)h_rNua3zL+^CyC6!`uaXBwJ79g~n^HQ*<9_*}T%Q;J@px6A|J!TZAE6TB8CCzV z<*7$cltg!yu(aLO3K=Jx|G|Zy{devCdY_NY?L&xNPuEK}u@}cGkJ$Gb zT{l-!1~ke*okh=E3f;wCoq_g~!2_h!>BvOKneV=>G5h4kv9>Erg5sw};cRvv_jFaS z+x7y`MyBL8kBe?j9-b~wpGPXs_er+-u5QIkt@;?lY#co_G=?fWy;kDF(uN-7J$D~v z?1-x|H6-+#?!@%zuFvN4Nj@vKMSL^i`upSgs{hUFv&$jC@>BD$wF7Bb&T@Ada&s4+ zm90zfo?`x7Gv8nTt~v{N^R}xymvxB-tpoQ{$u`lLWpd$N}K84A(u(SO2C7;0sV-h{O|8qa{UH9{0HeQ;6$f-8v*sLQV z30qUTs(Xl4m5$5r+nJp$%yO>O?L90sz{XdppMri(R(o){J`#79rXMsmK7u0;)m*$V z6m3)Zk{-*P5&hUY+EddrUiE{1Nz0`5m$dt77DpzPdtr!S??1&!MkzI{wdSKcU4rhtP)Qjc2Z*X?%uNtxC0gO3%1$Uh!iLuJ4D5Eo({1J>^URn zKjPYb9yo2q1YF-%oM8>!Q+<~Wxuf2Og_9dn!&?`#`^A*}KcQ2X_ZUN6A! 
zL<$!YNYhEln%J$sAz^Da+CJ*aOPYlkj|uyDnUgfKqKC;6Qxyn2l4|pXPpA}fbx)w$ zsm!8^5C5|;e_FilTNdBQ&-Z=#5He0)9rC)^$W|I&sN?JB(*8QxEZVRC`e?O#$v&O+ z%Kkjjo>iNMdhWHpXP-}+>*>h9COHT@v?hiu z_9qcy>hqFL8}<#pe6NU-h_qW4ne*|C^knqL>x7dAu4QQv5oeL&5}<}4);eqZ@eQCd zPyb$V{XKQD>NNFZEL)yqRL&d!T;2K$|#JEXxRDSVXcve#U+8xEDAonY&`(3-$%uUgKRLGC5*4?f2){((FVB%kI~Hitsdx zxA8Yzz?Jxht)%QI*i0Y;KF^|{V0Wp6Dec%2j{?*-VDpe%9gCv{DxuifmCSSsZ#T9o z+{5m}DDXj5%^ql=Qt>6^qFyql&h;w8RK%J!d$V3-D|_jDq+M34#u8<6 z_u)cGZemDlY@NRWl}Blo7X0I>t$1}nD`*?0VV5Z*lw@tDw(;Vs+p7b=`NUH`;#kJ~ zC|%^|D*UW`F)9&mhcG|I+uMgGGZH9y&7cyHG{?+86DkZEnsoyGewa3IjQ>B zR|TP_prm$b@bKB_p9DSW){IozKyV=FjKL_G8`4 zHlHo_pF1;O&aWz#-PD+8NNqV1eT)wu-8>{fAQ1od=wMubpS9vqp=OXIj$U8!*Vhkz zueX?Ctott6a$>hu`yx5<_uP2xZ|Y+DgTv%;C?ApKpHV?hnGPc?3juHO5lEKm9BnD& zX>6(*<1BnWkwiN^E=lfyYnUZsL`JH|_D$_9<+$-7P5*oKTR&94a>J-`e4~~@aw^k+ z87tDW=3Ar@m2tA+OWHkypgnUhMSDtfRH1fL zv`;-5y{KKx?~r zj?KSZA{0j4MigNOo$nu8X@Eazcv{rl(>Ul~7ngOmp#akd0365vQ8M@wxFCK`H2g$%tJjapV{i znsICyjL({nSunwzN)?&rg;nIb3`X5uoY&ax?`0zwg<9+Ky;S_WFV*$<0uQ;g(X)M7 zVOpr~s4{Mw^AiW)`8amw`FJ~Dd?Oi4KFiw1A25VCwH5$LkDdj$ zYXyT*-&&6nqjrQMWcvDz2lNuxL8!V{I7uZK7%wfk!Z#&tkj_PB#UY$+M3RwMW_hrD zvGzJCSt!{IO9}8ODd~QxQY4QzYuXg+YXpWKGhL!kVi2QAk)qKH90;~BZ%5u%q|-7N zSYr{RoOP7C!eXRzi?a_)tn!sWgdd|VYo$0tfordA*h`LFI> z$bss1&cRh+GirAOv+CD``uZ%W~kFbWeseD44s{tUFM-Z^8<4?!v zpp4X}71Ck0NEbrxU3xlgVwzpDmZ)mk^q9T`i&3V)kW@o-7SpnuBx(A@lvqR?Or(Nq zjBE<;4NEh=U>!BVIpuJmRUCt}MN3r6Ekfow7k#W=1(tSo>WVx94{6Y98Xh576vTr^ zi!YPKhu^DIVU|i=+|OxWh*g7~YEYC>8SYMVDhthhaL%#)sLO;u{c|e>KW#}wgY!6^ z%DE1KtN9>~wAMZjOU_R4%?uULBf(c!H9^>dmv6PDKyByOEKXcLXNisn%+u}#Y_*wN zsjYrjb8F(#yt~73+8ujroxyU53QWLQ`@?5~2%Q8Za2ljc{o;;zo8>lc-Owi;NbK4S z>}vgNfnSczvRfCc^n1H#xd-s_aW6j?HZ2^69WCEbn|fr5(QZUD1+}^vTMwu7T4Z7` zzf2l84YkUvpPwh+_S%OeY^Z=tZY1tP#V+#9_aROL0?@C?9lePjVrH-E!oMeo-TG}r ziqycj?!ReBu#!iii}La(`Bx>{R(j>x@?JDE|FuIOsmQeT(W+IZ_i`E?35@CETf;{F z)(O=>o}8#cbU3fdWU17Uf8tOIgIq}~_EMAf4qRbp&9A_!CH~Grpiy@?Ci?2gIZo?t zmukwX@wZ%37by-d;)Xc6rFLLE$+;sB%uzmcRjapsdqBRU>HRucE_SySdet` 
znOlDX(x@ddmfq|U)uMZ?wQTK?3@o9x*{u|x?fHroYln*8EnAe+crQwCd0fYCq)(vN zs@7N-{ArSZWZS4a!l5Png2!2O?RYsf%k*ruSApGDSWIa>U>R@932Z@oy1gdJPD!g* zz%ugFu6&nqWNaA%E~c9c03d*EiJy*QZuI)Hm3d@&k4$S4v+>iwIcN=T-&rU%GHi2U zT|Z&OHyzR7q)IEgFk(jZ=bkGyQ4H&BDpbj>{-fneMVIC6;1a(Vj}L zAP_-2$!LmEF)S7H3g{`%Q`YW(>Nb*;Uz&jy)}x*z0AJlEIZpBEN2tA0S4<| z^PH)h@foBU=vKP@!Tay6RqqA3&SY1uy}dlnt91n7L&*KUW& zO^0DJI387H?X{+urKvDj(+x2gy)m`>rnYF}VBJfBqwq^hxIA_`8!L&NBWQCvOp2@L z3fRB3@NB3zs6Ene8Y34sOfOcQs$g|}6%_vQ9&lj15_+kKq4`E12S(_fcMMX;;Y&N= zp%k;M;j;yzc#*8ax*Et(#na4!z^$Vb>#Nl>W38-!l~S^Z^^_rB;d)i2jcNtgld134 z7>*j%D`SDyEX&vlTI1#Z+E5I4UeO<;KFcA7uXprnXX=|C+)iMLL~5rbtCjoOR;kYr zzsI#c8tQta0xxE1u8Nh4!5WI;TvJJKBcrwIR8Q33JBv@5my|q=KQ>n36l9%VjS+uE zM@ue3e1-7O$@y| z_ag^k@p9&|O#Kq5?RJ;b+MKZEZniCN{mgO8n|p3v_oIHvALFIC8^zjcgiEntsj7kZ zj84zgS|^Wv|R+midl*=oPO|m-p?*w_wVRKbUGR*%OTPoke1hgR$~HUT!=qs4w0 zKXnTbC8o$Zro3}-E0&v+RUjMN*c#PNP8Q6TSivh%Lbpxpe-6I96kjLVHu58O0;=)3 z-Y7E5_B!M)g7lF*(~I;&&bQHl0Ik^X%;FvI=Qg6jt$I8!^FCoFJ=iPIDcpJol2f_O z767WU!@?RKorM_w?j1U^mXO#H}Iq> zx}`8zNJ_DCf{x$Hl0kqvHAenrL`~o<`v#=X7uH>8s=#+SK!>_|9w$`|)HPHD-=}Y# zV~DeQVTVe5)c|jaOpxYo@d~fFNu4i1>%mePV+(=J8a?@HPxLX>_g}^am-ukB1#lHS zOsZ1a0r*lRW836h|fB9V68U`~g&7uiANad__KaFmH-`G6%bx#DyxR?GP_cr%e zZ}s8veg1c6^U>Sw&ad_11m91HErbdj!Onsy>1*4!+TOTz;OnDI{O`x-&HDbHTyHn4 zL-Fx>Ka=BrxjsCc!S5$D`thXC&-eavs^9PNzQh@sI4dG{Jld~GdFo9WNnyST})dN2fuYWYs)p_e7Ke2nBzT5N|Tw(?SCUkgmD~IS|20 zfL@c?5U!{6LZ;PwD-_*yL*qt!hT3-H(rQM#E*3@%Ry`qZFRK0{{Ovvq=b&en!wHKn zAOsVWB$v5HTTEk3nD_8o>Fl7?=T{Bvj*6iU*gnmJQQl_Zdhw+(Oiq~%ZeNo0SQr>i z+EPwlKQGQ$7wK^u*>I3Es9gz`r&pGB&pC9nNcpv1GxHE+X~Tl zQ%A9rTZQ`keYRnej-2@sX`eG-?#ng{Aiw8UoWPtw(?BUYUBag7b(8=bYH1qq3uIGr zQ0gQb$@ii$_Gq9pQB$ZMP`e|TBeM7tBUr{h@Jdr?~mL ziC5-R6R0n?YNSks<1`!FZw@@l~kjTDCbUr&d+9J_-aE7AJx`>NN>3m9Kj)yf7B zZOt!EF*J{mgg7{3zhr1;?3!ez7|CAcVD}vDTj1mIakQ}B=36I%KV9mt%CXMx1hpuR zbC8k^C^31)3cPON@<{qB=t`zWSvy*D48;45ooaSa=p^cF$Hn)}{)%qH8YIeP>4MaS zjB(H>65c7^1i^~!OyvaPPlnIO4T`-DvPr>vLDEa_kvov+6SBWah{tf8P?xFw&Z)T1 
z#Fle8cvH?nj61yP3D9jZBry(EdiQZLRS8Y>Z*B%zc@Q+!AW5vhiVce#8`lQ6pHKMd zMg%@_IIc}DuII#wO`KhfB=>Lp;TJh{k9yi4Z|#RX^JXo0;pJe;igLbKpTG-C6)*xG zLEKK+sxFoX|2L=f7cZ}wh^Q%`E4cBft($Q7FveB}?T#hb z0oB&Oz$y&pCNj(1hgWXLK9vzXzI6ryGvoS~;6PlTm12UsJ4J;B51_u@wV*r7$9jMB z>igh;lWrYu!aL< zn81_64nAcw0Lg)1g;W_IIAgN+!;NkwR77g88bR0mrzW(?ZX70<-^ID+WdM0UEFur??0yN;B4itny_=?S)JB&dx&1>h>IGY?Exo%tndMGpgaEzU+nMBFL;6nYvjW} z5T7D1NeFd!7INyHfE0ux=CEdAdh{#ohwi_wf7-G3;rpz}ht#lsYRny6AARpHvWL5p zhr7|E{pqp((I>kj`!C;IqX&Y_B3+pr0W+)89bmsE&7EPO3mybpiW?OB8e)+JPUDa} zr~+ni$O2|S&U|1t6g>jAiwgfjqT?H^O6~Eg-hkbL&Aq+Cfj+SW%m|i%ob_~r&Upgm z#?MKhy5zYT3!XBPooxob+=Tbx37r0&9pqE^|4b!ZfzyG81@-5(2B&&~Q)4kb0#1Xj zBl@EgUV+AI(mocjM5pj{awa?~1=j9CcwC);buH^%#wj;klbRxDK5UF*;0K`98;UM> z9~NLHtrAMN&aoKaXfa2|b@%I_;<|U-l!ig|TA2t9WTKfnx>x$s+PB8)+@y5;;a&p1 zu*WgFNpR&CMSBV>Ga$5Hm(AP~TO=p2Y$kp>jB(8FDNrC$*;^JOm@Cb>=#%nk2Oxth z`9yGV)8RJ`OqTf1d7dIlF-xz=0~!n#Bo3N8V8y60#VF%6CO+uWOspf0VMw{;Znc2n zpaFcP4_L9iWG@D%k*his{Gj#>#vj{Cf{xi}#_*v{`rcW)UeGa?0v`^*+2IjKgc};? z7-o}lV1D*LQ&PNN3@XlVVBY>`@PT@5=M{kP!R9vqXG-p!vHO7t^1{XW5iShO*LQ=8 z_y2^1NEGKhH)6qZ$5IOHA$Gb6-rXD?gZH_x8>(U}=0!3ts)Mo~lHf{PMVxui8&l@0jYM&^(I;D_{ZhB)*x}DG#wS7bd^1$3 z4%cFnAlf=XC`P~z?^%HypvgEkG>(b&_2NcsNxT%$Q+ANK;FmDM?0+HQ42?xcao_y~ zHh2wu2roJMsp-=*G7ZbzP(kDb@doIvO3w`f9XHPp0-w1eUQ^nn{G7A^ovSVewSz8L z6@w~R1@hVsazn-c(YR4!?hk>?{m<ssEbOes+>s?Q5DOi*>w{pEsT^>gq-8-NoiUBv zW|A@^lL*9NpMiq+2RtFuR|VX!>!<|l{~_E^T%*)q6NB>m^`8WN1!MWY2z%$~N}jFZ zKejnBCbn(c6Wf{Cw#|uc+cqYdaN?ZUw(&dPd)K|c_g&Ak*89il)u*ewR`;%5)xG!r z)GnEJ1?av2dP~WjSfA*yL0&VD?*_DiPih_5-PrG7qxQt*Wdn>LVm!}~E@|7?DDPkr zmSk`|id_x)cj;*N7yaH(qFYFQp#P(XzJmoBmDHU#7#&PLzzgYayVE%;4Y3(?CfHn| z^vSFse!Otk7Z$B;O>gxOm_(R#(Zqlt^iVXIW}CTVYOTONAsH%IU+_XX7shbKM)%`H zI+LuTp-tkO8a!}I22z%nx&D>C)h}X$mUdwjL|(~&=Dwil3};9#*?QSwF*c!z)a@Z7 zm7V+TyAN7M0pbQ!6k<@Iq7Z`{y8l;E`fLADlmLJPYybdcL&quC?_B*7Yv~FcpzQh+0YlrS2z!_M(9k6pV zvDwclF+Dlqf3zFB9SJ~KlHNsF zggX)6*9cv%izbu$aw~q1G0X2Bw|`UM@FLX!>YOW5ED?cdRpVRMKq47PKMGHFMRt9R zuWF&}tk^6Up7-|C>q!id7a(MmC|67AF(f^MIVY2;C 
zgD^5(L{uD%#d&cHB&au{4i$!L{5mnbbwvA~q z@IDVS=$S~67x+^5>e(TUiIh(!7vGeD}w{51Z0=p*?1wJt%>JfI6rKg$FEGkTA^ zw}l-F-D^7LIbgay?ofXYMK~nM_l(Xta%KW8t;+%i*}lV@JC3>IGIF8SeTsoQSv3!A3-uF4!i8vl0HdZXc^a$zC_Yf#=MsvX*HFK93@Syt+D$l{#Q>L zoz6RwESFV(;z*jLAx)FPfq^3QSR%>Fo}3?BGFHD_uuN>6h||wYHbg(-9~yAkt4_mo zpxwvd$rP=iOYFo&{rXUl=39Q;m(H23kVpJi{dQP*%I;I?M1L z0`t~YTW;~MkL|P6%-u{)pY3^#JSn~fb!4KYGPmuQ(E5%Iz-&{u7<3D_tY;s{POhvB=c^;0#&PUa@E^7?qJKRT|4 z?ay1|K6**IFq(vEINI`6yHnPS7(Py=gMT@coi5Pw)ag-!)zeaG5OHT8gJ2RF}<|B9cG*{4iIMQh2n!aG5olbKse-M3wSy=Iee{3kDlD}KD zbxe)aR#}f8Gx_?=aFc=UU64qLJ2nD51Suk%Co{$vyF(RA|K*X;8(G-gXO$WGsB2ln z`sN=Z0k*epeF?qijY4SG)iYq)>(C3*9}MSG5d(m1^hqA|{8>{PzSDgf+&yh;t?K5b z;|osV0f%{lP{x%SlV@_d7MyR3`xi+TcAises}iEcWdA=kZbhzvp2T?W%Hg+p6QfLZAkf}FQEwyyU|`lv%~&N1lda~2wI zw4@mB!Ew}9dJx_X#Xk#=VOfs58<*epHb9`7QVT;sqN@EO4&oC}aBde;cuYq=_VU^w z4yYMYvs|e$!T@}`o);#Ets~fJ0oM$oo=q`?Ln!T+fEE-~HAHcoMHAb2{D3EAh-klF zGpfMT=N+_`>^kyxUWKb8$RSV14X$YD@?v7QOTAtLtsoMcoqoj-n>B|erRsLO*XS~+ zBS8gMoa_64|-!GiopY2h;&KW-itg^>^KcUoi zdFXGswTx4BzHy2E#}#!lCK>;aC+Konkf0W+ukO=#;n{uu`Kj>c%4~0|@WtKn`D3S# zXOtNO#&plU47Pu+d3cged?@Lsh$*PlM-Uul02k;TkyuDTr0@uonqhzaj2j6k2J#R@ zunr=eb*K8Hk9^ypytY8E7+9Z{8^ux^op|=4h_PRaE;b+8wQ`aJ9gpUO{2nv~L_;zD zmB6=Fl-Em!9K$JZ zlzCt=xa^3uX{q(T5jaR1n4kCVcBEFW)3822|MgvJJRSS2rsBl;Fu1ZbtJ*^{hm3f~ z<|J7b6CxNw)%$?>W>ReM>xbk9vkph!4U;biMzR0<$zHK~0O5y8<>$@V&=s;^>epS_ z&=63#FE;?>Bg#5I@^B*mf|pyFudOklNutpQ7Ku;jw`K2QnTlnPN<$f=cz>)fmUPrA zS7}DAb&hV|+lcqp^mMPsmEBeua_6SWnm-k0xjOS0pbqldCXY!V4qbPzdSo7GpW+?3 zx5fP_u;(FRC)x4KG7?L@ybM970F{I4q_v1$uyrc;^_5I<0X;RT{YlqxUU~vytcvU6 z0ycz^gBk!rQdp1l1jg8D$teDQRnWa zG@(c&8I^COYBSFeb5W$LNu2k#X*zo9hG!FLyb0YfC6|$~_A_PTecsDwcNZc#vjJMA zG5A-%a*QI>^>dqn{frgvw*Q#-B)4cQIA8*H}ZT~y$udjxaC{1|D7#zt7ftrHL6M=f9-W; zTCfoyOD!4RPSgD#E{Bmz0v6UhfGQny=@gQ+-%Doz!BB*fHepwzv{ve zO0y1g3Ixy+jI%w-1fF82rUU6NJ(0BX{o`#61nRmK*~0t!A-D6|wqdnDS5h;?tb2L# zxVjK*9JPbTTy1xK6CJAYOgXbL3tgdBI_l{8SA_DZ+%VMLV5D*wgS3q9IV69&a$_4- 
z1eHuXfz>OuH?-I!E>^t)i_HP+^sYNynffBMrKs41BAZ?g3xz>4M)a?Q6FEU9j5Mx}a`++wIhy(%r&3p8Em)27(6410zLlKf49hQ=uoX?SGL1dctZPqplCT+Z z8V~0%8Nj*d9?4!oGoWn*S_~;05n=or5@#rY%{I&?6APNs5@{gJ)#j zF)P(#?4GJ_!_+sIgJonb4N1$0b&99&0~S4A_^6Kt(Px&N8>i8R<1f!(A}VOO?o-}?pD z_9Qi~05jTn*-msadP8@ICtwYKhSJ@(cWV^4mFQIgYPMgNh_Ot`0k zp;!8>Nr~?xl8%Sfv`4DS7 z@9gughwTBpNr|;fE2F&1llfvM_;uRnxx~T^LMA?2sB3G-NK{9T31Bj4US-DBm{S}g zvH{8>rBShHEI%}5$JKVIyrbgjfICKvz!RlHhCF$zGZHF{zx7b<3p0_MR@S2cf-!N8 zg2Uu60puZ}NJa%l)+mD_yfQHGHIaUv174zlg4IfUreVd9f?Swl;XGY+A$m{uOwVYB@B3%ncPbA-)B1mX10IWU1Y!(1k^5CS_7 zc{*qij$zID5&QRa(9Sg^^MD8K0fbpS-gMAj1XiJOwFc$KzoCr4%O~6Um571$F_5T= z``08?6iRcNR$dbUPhn2c1PY9mhvf(GE`u@afaO~3-BZV2J7(rRHPWayw&7_R586PL>vHqRcwx~u7b%6K8~}=ss{pv^0oDQ-1_~Qk&kq$+ zvQm4k4NUi$QC8}#z9q@yQH%6Lf_T>C6!BQIm9lOVWrV6c48usLZJl z`hPcJ9Zo7SbZV}S>fp$38vQc??J)ci97OpyS>v~TUqfWOnh^&2e?F1 zqyZ#6;YVW7ORwRm(FWhF2E&tXS3CpdnPK71iYH6JT(A>%(0OU_dLafIsXNJza zr_^+llv-Gm@%XZGT@NR}p)XeN%Cb6jP1bV#=p?<{%O(BVZQga*z8H}D1UK-z<yVm0sM)!AmM&G_9! zHv%L8Wfm{bGZ3qkp^d@Zh&mpvJ2WFTA5V6dHiZ!s7<7=vdv|=YL(k>HV~2l!)C+d< z(0_k~3WyfRBcrRnlc#lRO5hw=!doQjqHwL*b^33&@g>0VZSl^=x8%R%rPCZdrY+F z&vy6aWWWZVV{52qo1iJVLLM|w4wr82R3lCED(>H{LPSX1F?adH(2)a9&U2#jWaww5V z&-}htS!j*BIXe~`D0P}iiy0XONpx$$ zmjMB@OGZ4GauP|ei~@K2Xtyy9=ekf8loVM9({93B51<2KZwyqhndxxJQBf+&43|f> z0lh(~Wtt3!9!NyjAHu*5_yumb1Clo=s%VG|u4Nd_7)~EB%D^Qn6ss$Wx$7(A-@2R{ zT~mWahz;J3N=x@<(R4mrCZ7-p$6)x5sA^agSttB^=-YvB_!GN`C+D_>&n+7tA`{OG zj-gMCypm{gTB21zEF=pD1m6+Mn)5;1uC_o zF#4a+^3cD5m4>uYO6^9HeUtzwbm1Fa=bfRpUu5 zUA8kvQ1LZ%5TZ*R1}Ny&=N|I7HbJ79i1(rFyZb;SV5^*lQrA!yYWPuuHhD71YSW&a*`t+4lut_5(!&w*r;UPel!Goj9^n`Vhq zcA6?rz)zgk-2rj3OU1IL#O#*q0H?Zz4KrD4&EqD!4pgf1A8+Nx^9|mPlud6J<@sX7q-i= zd4%jPTq~Ddy0H|oIA@#0B2ABH#{pe?&&y<3SS9iCQ}$k(n67QpE^`!i$h2M^e!iJv zM7vXueE_U4mv0k$PU6ZcBrg~$PP8z<=LbV@%OH@1*0}*#%PL{OY{j-2xYm~{KP%9o zxcAP+Ha?vxJZVt#vby9LXVaVOgi2_!$dENr&V%R%_0*a@Ru$0>4CUC3Bt6-9gKkjE z{|@XA!PO>iAH89ioZC+G)=+Oze$<{A34TH?koM=iQmVntvhQOu@8XQon>vn}+A7e$ zW-~RD!;nZb=B&lKRlD(Gp%Rp=3dP770)o_6%sp906Aq!1&g)R^a!jK;& 
z8g5q+0+_`cPA*E;2N&Y{a@m4aNCrT#JMkQFL{k>)xUT1vnWDJnp@{tu43NAe;2QKd z$CbJed-Rg5#$}~JEvTm(+U$u>p})<9DQ^muB+el*a)E-FTh+;~VE7I(`;Sd0n+&w+ zNaga^z5pkW3L=k8wL-}y-&1J+;vOL#!L3|e^CNApdUxbOUmA0Yt^{`tat+e<)4sn4 zLV7-|TwV&*`Gps0)N3$u3e1SYz*$D~1^2#so4tyk-4m884o`y)?Z0;C>C&x;>!yB{23pIQq9HP^?bzM8=3w#(Y7QNmPOu@^XDzDb z1ODeVG?M_u#w}p~k*LFceARa3BY+)HV!EcTbB8Q=#tkVzVhNqNDO?vw3$p4M=g_>z zW%|b}meM_9R_4wd)-x?)rs4f)k5EgC z<@X>UXDjCNdiw|EErx{+tskW>pdQr3RY7|c0w?k>yQ6TRgs}XwFJU)?6$9Df`b)QA zrfD^=-I$j~wzplp&yS5e1H^9s;CoTXZ0jPGGi?fpMz$ik@(ulLFtG_NR`KCfkR6Y} zM&O(@eKgc2YlK8lhL3VG&(aI$b#(j_&F?_Akj#0o&+zYOM@W z1~WqnHHuuD{Qw zuH3g(t+=--N|8meS*tD;1eeEaYNm&R`uV$})qDy0qTwlU0Daz;PSBre;@^XhVjVq) zo?%A2dz@c;I6v!fEJo}<R6Ssn4H==;09(VgOk-J{&mG&1fM1!kh}t|3Tt*q%wBe9B1kT?W08tS%petCiC~H`y@UU??)iQRNTU z(1|!C`&L%J`@p4Ab9uu{{HfY*CTr;4O^l>c} zvV|_txMZ{uM9)kSxM|cyb}xo>2D+gn6KTxb9zOLOe)=P_9}YN;{cKv*Arp=$1^|43 zn{soFjZwHDe&Z<2C%eVQBwNUd4c`4lY)|}nw^26fNE>gp9_PQyq&kLiPf%c*)F{-E z8ajJVOUJS8LJZ>r5!)j0cKr?Ak1hdw6z^RFX<2_(a4bm7+^Us)0jk^PU62y6tvD!# zK@{d{#xyey+0GWJYI*@GW#uT7z!&}aw>s@_p^q00mu?MLeok+7lBlJRmJN`qd_KqJ z*SR^$EN2UbA5hnsMF#|KALOMBIS19pD3s2|{(ON**Izj~Icl6os8|FJ5tv!0p8l$r zq8oEzawBfu9HSe?T2S_yFj&tEdT@p_frJn{GXd9>{S9iq*L%~mlwvSgB-IZ`^-CbP z%+zd4P1%}vqg?V(gttp>4>77i74PvYXn4F4&6l^3O`a%LNQHTG+M;5aXr#adSu0nw z0kHATezA&Nxkhmni~MJ`Wc!%cd9l$uY9AcveL zOy`u=*BWe-fp)Lg%5`0qo@B^^J3jI5m$_gnG-leRZm(LZ_JyguLS|-Gmk&ABNNf)+ zyMZG&DL^>cvZA0TwZ?)WQa-bVv*HtAr-%NcTI8GDY9^)BlB|O9O{HMDq5X_5Hb}}O zd+hr|#CG>!#)DqmVf8gRq7BL4l`?P+PJ}En;sBUA!(B>{|t_Zfh=(z(s|Xus;~T{ zjlwj1wQqfLd}=o*`<0$|n4-;R2x6)UbhoKi4;k_{v*Q&&7R9XJ?SMq8rLEJ$U{=`Jc`Alc)7Dd2wTvwimb*BCyBZ{6PiC{Zy`Z0O`h;kn9z3g5w} zI79_OGwxquOo@f&F8nTp!h*t+e2k%X2Ddk*d?4xmD}+_!SK1{FJQr*x7*=ROJ(>8gh9C zomNuWS?kRM*waW@&=q&?-nuej(p0aman}qzzH0<4gj5}LNvTa$Lbi2&0>J~$HGJl~ zAKOdY*Yo20-pPK~*YiVsttGdiE9Nez5>(tJbF^n0yppaiz?dp6S|1S-3nJZ+W-G>N z1VR#UAGrh))4dzW7y!L}O?ry%1CFE{Fs2b8CJH))-3q${8V!Zvv3+*{s)Vk6+rCXW zfYGS@xPhTk2FD|ezdG}*m_@0`FLkLb20Ky9^wD1v(+JFosL}&mr`4h-5Mq6~Gq5NK 
z5}2TcDN`Adealpx;dU>-Yp?+nYVnI@`&@MNwTEXYil}a+JWu zH5}wx4V{A8fH7t@CUE0n=o0;F5szOgr{7Wd6oT-Z&M68FaIp4q6K~98rffn5vj=?# zCa>}>I`7%hqf7_*^6{L_e6+R2kRLth%|qYWUpV;(gV8r(#9vO6KzTV*S;T0x;ViH2 zhPRt;VDdD(;I3!Rvdi3kc$%z2S@1+^=eqd*(P?e%@sHxQ;ULQ^L&^uHbL?~6r_PKy zvD`phIYL|CQEyf++Gt144kiHjKj?Q>I=Mv(7Nq^0>wf(T3;uc2CcmY&sLX$sWmoa8 z@}=Tkf;%`svUr&A)4iyPNK9dw`-$6}e*^?NNG}-z#lbq>u4fLDq428Nk&wLiwcvGi zKIKQt>3R6bz@OfBx3bp$Z|;-d+$@^waosy`TLFh|L``)+u6Vdh+x>mRq6IFI|` zu)(&`a!^P(*@hwEom4@D0(Gy)2d;_g&Dypkpg`WZv~eu))$tGAb00hfxi3rA<0*yY zoSx2XBa}P(m}&ItYK<-)T`%xW0iR+!9NulMkP$?)0REpVAHHtbFnLPy$-Jb0Ld>s-nzrC~k2?xa0lpLpg;%tAy+xSAf1U({Q5z==M@N;lbGE|7m`?icE%!NdHF2R=yIexpz zAHaIq9^pwT(g@%OX(r@AqI7Dc``nS}##EV2?Xg}+PmoIT=u*qBF!A#}!eXlv4zy3p z@8>*&gxr*7rMeal+zK;R+JII?NM|Ud5NNbBzT6s zdClYRzdZfGvxUb?a(*(C$vBwX+h=`53?D1Eoe3_<76h{1p|cW48x`Ox;N`vWBI?kz zXxBOl|G2=jo@ua1q(j(t7|zhPUb*K*&y#KcV{ED0{w#HapUzbSGb4qGUVwkz9QVLlKxw zK>yxY;=v`tpx6K2zjQ=$&fpV`AbU4`F1?tGo9lg1P2ak*8YBzS+gb9U-b=g651L*5 zvh`$C!3sU6Z36fWvYFdnXDajZf|^XK^Z12fSi)-78-FSdZJ@?LAjJ zYbkjC%}fXGtOq`7ZGu@Muo2r=f4LU%oDIO^>TJDA<2>eW!27{g%mk__pXG!l!8xyz zvMgl$FVbn;Z=Z`c?Ezb7xE^8LV-u6z>GQj4aT)dAH+OpSmG+?6Dw^D}_v`O|vkj2Aw>jTVyY1~DP!Q^2}`wii2T(0j}A)!#A>4k@FxB7^8 zgCgL87)R$$%lB@#X766kw3_R+Ijx`y=5*YyDrnU`b09pD@G1;(QLQKpVVg=E1Vlvq zTizblj9ySnAnR1FW`|C@O5)uAHkB_ugh_q%IwizKS2YmH@_ zD&fna8yTss^aP~6RJM%nC8z8WAZUJj7aqT5+X-zhgB&w6N3_p4qIweI zBp&%fc;R)Z4s`?P-s*wPXyQE^dq8cd#pp(f>^Jd!P{W;~K^(RYgWvJWprqrGUr%w# zW1`uqCBpszX;8pzWYh3q|7k#=MRAHYg`3x;HS`N$+{0_~jZ-)IFP>Y+r!o$Sm$hlk zQ_ID9?jI2AXtNEL6uWo3mZ{S7!!qkB)fBUk>95Sj=Sq{h)fE&oF~3ivU6aE@95y^ z#o1|xo7>0f9Kdl*E=XSKkCm0r6EmROVhx!d*awl(T6arJD{DG z$)_71ZgpcvKv+G1ytqX&npnS-H>3?d-gVv=5ZSu!6AW|8V8EmUg}P7tic`Zb2Ek2V z8Bp=qP$)vNYQ+tC4{Jz|=pN_W%c`pxWyS2(P5u}8!&3DO?U1yPJy33WA!O_;_7iIN;sGKF;oN51F|fb$;s?TrZv6yI3BG!K%POuq2ib&qoip0% zA1is72NVULX9P7it{cMoj;=Sl8zH*rpbu%zgEePh(E9d%dx2?I#5rF#W%0?lCGW>X zst@skgns_d4exn^1cU-!_mlBgeq4f{547Cx&+vcJG+w_11YRNgUNNQiudluFK06qK z8+Kj)4^*VtmGr-;NQmM`1f~)#$j5qVR9s=O#%qOhQ$OeL9;W__4XI3S{+xd2d~$8g 
zg4{;dg;ML_B)ep(JCn)tiaNzxHhv@ONbea;%AAxbhwiAinjDng@$>`>wAGz2C8(h` zE;q-ZJiNd~w0XKWlqI;Sc3{eEqEYd^M{u0ZR~USsxtTtrl>5%$wn+u>(C7Sf=2e*!2{G%mx0pQ#H_bG~)eaOvhtp8+OxPu%s9sq_A^O;+W z@C>J$l+{5SgWXXPb&Iwm-V#yT>t~O5m*`=&odXEra(p7>pjcbOH(@ta{az2J3E}u% zrgD17gYRX^6;28iMO>vL2w`*aBjiAGj{V9ymZf_asgV{ipA>FUWXOb1WU~twapG{~ ztMQySz$u5a>-VR#Fg+u=d(Y6ZibMU;q`xw*X1dmu(C)|!Xr_me@kgFbLE`=29v-tx zhfFqaHl3yuE`;2jL>l-+QBMthBA{?{x!S;W14A#vjRpI-aUeyM6J9Yyzaj4BI#Os& z;lo5j%qZpl#-4k*nRu)b5mKUuIsv9x3Z`Ew){_ZQGmNM0K0Pqhe4<#~55il@(JQRJ zgO5`d3Bne9bd8p%E$11yzjSV8RH99p3bt}5WSu(A-(JwwDbN4S4*EJnqGhAkaiA%?|8T4mRm@pvF6si#FqOnLA^YC&<8msoqLKEO4} zh&Im=tIveHrBXl$k5tC5@Z>aw8IwY$I%Ih18n>SCHk&Y#h-klv_ScoH(6(buu*btT`4}+$sz2 zj?LjX2&g_aR*@QiaJ!XPjQL+rs8W4BGaYL!&Jc=oiI{fuL)pN%Du+{xjP)%LzM-sQ zNx4nK%~3Ae+E1p;e30-Gm#%d_bh{B*QieOa?kOM@V%`I!K{nO@9l1|O(>Le%&ENVS zmX=Z5Iy5=u1q|yi=<#+>`QR|Jicl0Ur=IpASIqbqe&FV2iJACr8j;N6uLs%jbTkET zxPe9#yZBh+ZLrJUk^4o$lY6u&Es3@4#A(27Y=KErS#4-lZ^E z7&(_Jt-41i>U>l+u2<)4OAwCYtfMF9$Gz5#qg`jm8V+z~W2jsDKxcXRSK4xeq)lPo zFl#(Z`==U$t1BlFh)%g1;Jh)a%R^hdBSUQ;-xNAnejZQO{q^N<6WQ(;hYdq-XO9Xu zNz(7`3S277BOR7FSN4i7W?k+sdUoeNLu__g0D|yL=U2OME)6{Ue7(A z&VKiMW9~%$&mNyQi(|>6w;wxC{`?z0Hmxzu=c776J|I_M#g#V8e4+4@kp4zT?#QWO z-OZ1o_MO-6*f#@0vt_02b_qvNbdv5u=kdbZBkmc0@@B%Ih)ttx8IOj!?=q@M%hS*2 z!G#sm5j^>v&)ILAeF&?d@7(HBa%30T zMVJL$cA37eA6C_&4UB8i@^HoCjLFHFw4T4fEObAudhLo&cpBRspsSbszAUOIQ?vhz zJ=ata+a46ZPD#6G6L|o36m&$rX}a8)+Yp=8aZ#7nFsv8eG`U&YD)9HsDOqQ)2$}Ek zhF;&C`n1u0-F*ZNfEBL))Y*P@`?%h0#`N5ZB0%-SxU0xQi49N4y}tD;@QnZ$o?>5F zCgFPCK{u%)zf#kDn;b6RzN=Yxo))KV4Q6qi$DdrU*9p8WAdk_|V%;IH*I4tafvy(H zZ;c{Db=0w>C3^>BEHvh}csIwr3XZO3VL5i9TPIsCZau>Q<;rh~IAwe<0m0@TDa6#! 
zmz)e7Plk((@`Q>62ROTCqQ4q=#5slERhU{<3d)=jc=SKa4uTDk*(uIs0iMwGA7;nY z5I}Ca36sHTXpO>R&m}Y7T>xZuUQk315xxH;coqSfox|7!1cd(=vtw#_QAx5CQj2XY z4;OS28vGWa7}ariR#D%gz7$hDJb={1Oz(ZLr8pw zGY63z0#Z4o?UKJen801q4546v<6UFk|319^^SrC7*uB8Z>GmFl0)h2)0VVR$BEnKn z0Z2fY@&^H)qGU{hlistdr+;N81%;Iqh^XETEH_`gW+^%g1+qD8Q%i;{AdM^B=u1^(%81Mdw zXNZMNYmVjFqimfYkPT)x^_o)V^cbLdMJdnw<20Pna?po17R!(}NV_j;$qzC)AJ9sKtD$HrFrJ#DNexD$fN*K-7&r&c9r9_T&vMB)hd9a3e)l7Yj z^~4g#_DsRJwpY!)Sy-zaRbxeDs_@;~0>+M*|F-YPTP zT*n>FjL~;^e`{;B8h$h|B3=t+Z3;S1@j^uV za;T2hGAR2zpq1%8#*Oo%%DQ+@S!O%OoqWw~ez}d=euv+^?w&5|m!4i-aRwxvb7khQ<2W`Kt^X1$Y?_F5Kq-}Qin(-T+G3PThbz~gWu@nY#w^T# zLAPWZZ+t?sN`;{SkE5>sAc?XLz)z^k+~Cl5vyBcGbndpbfn;X}IHTXO16DtDF8VbV zXOLkILkt?McO73Hw_BlxMxc8fmh1!%>#4Sx(+~1ZU8_-u^%2nU(PUIS1>mx3;D}yf z1cyKHGzr=I15qxO2qD;t>8M*Ty}jkB{pNh263U;?f)E1H zvvySZz|&3bNbkR)F^ASVPHKmq!wS_Ya95-mA5E@7Gtw}XC{3FB_8 zkB$hEfxY8|@hGnP%RPRo&gzkM#|8F!=ceEz(?$|!oqbi|H598qUZ{^4rtgMQ78aPP6JU5dedeI}h2_infmh}vXHhu8PJ*&R*@j5D91@u=Na~cUi~a~A@cJW17d?z= zG8XoUpf(qCI42HO!VWU!P7Td(k7678?@-YMtts+SaayJeTC)Dn!oUgI;!Oc&X`5TP z2KTIP5xVa^vULdt&PmBTNf%&~mi&}f?@`-a1t&0%LfJbJYjA3HWl1|Mz6XVyi7YX|Tr0x)H7>|?vX3~@iEjCQFw9SdQIg}wkFsvDqEU>be_lHqmdsdrq8rAbQ)l@CEXYkZwHF{pMTW@ z87VLH0r8(AH(a_*sGSFDNwS43erNF0fYjCg#6Elpxl}I2{kDi?x|3<=R%<}T>zOT7 z5UXffzW#EEX)c4{bJuY8OK113yOv4ACR0{M!TAF})|vaJeiRtT%9Hf3y{nwItRSfL zVle3RiXdpAo*?Lc|3N$0`1OwrULXm^;2Ki$3?!aF2&hP&1cfM|()=cBW(0A=~PimAXh;R^C#x?7C*lQtf6 zmwLNe2c}8`rczatHR@xm??Yf6r#bh1Eb(=WDDU&&+$|1neyv-2VhXgp#POD z@bN)p)!VV;|M9s`wErL&D3mMk5p5g)K$Cu4@DfxQnVx!(pE`1rfG$06w{tHX)2?u6 z62?>3=UQL$vt9A?i?Z*m?)?UsV9@6ky9q_n@A(68<^S<<`n23OXv}W^GT}er zQ4`RTQw>7aV)|aDyNlUj47;7DTXqH@ze;hHo)U7^_zC(#wMi&FFM8 zp_%i6WY_*Xe^$6red&k{oEJ~o9FwNag6`M8D7Ja_n+5gfZ{S*(P;WmpdaL3={aZ&X zx;EP_(69OUd)5;x8Q;g}Wk=~^#x1@nqin((a|?wdD<`zE{Skam;jT=1?J%3yb8O>= z;nXl;D8l=j&jKN2H^KrFaP$|8ENX?K%b`ON?0Skc8^|ClaOK}1ji&2B&38uXrvr&j z~(Df5GxKJu@KH{fUR+zLUN$!DLo&WpXhfdTyZ+ZAzI7K zRn(qaE+a!dJ!rb37jc%Hoq_VC#I5}iVr0c+34A>}#K#|O@YCiBk(x@Ou2WEL 
z^{df+`9}6t6g%hJ`??QA*;_4_csWjiC&{o7LOwrf7V7Iy%t zRFg1d(q&u!a0HU7rd6wcp==lAT*XXQ9e|?onQWXizp4JG(i(k?)&Lvb1r!$L5Ogsf z6K<0Y|2S%C1I~e{U#vnGY6~woP)&zZQg(%6n-3W ztgoy)gE)Dx{kdcpAVRPk2l6Wm-UTNHxLH`gM&m<3R$LVxhkg%jJVwa)aO^T~lv7K_Dq5$eZ4r zBtR;yLQ=w(Csox6AuJh(SThB+U_;k*e5-DOY5&&$OLL*opKTI}-8KkA%>fF%HXV#s zUIbGG^mq9-uTMD|%`>>s?=qngRpb)YbTA6BRfr#KkklDo$C|{>@G5i)sTc+b3oe&mcn!YO7{9YO4J=c{7VmAxncY+^^aNKq++ zJ|zwVM(`x5PS4^Q9VHQ=#uD~%%jo#Ni@C<+IO)jziV&OGJl%Da3AO}QJ0k!RyAYe?wEbuz#M zP7^BeQOLY$orJoV-xs+I#V*Mmi0R|@9U#dqzcGt$5bB8`kZubM!&h|fjHFq(SW`C* zq`|JeF(e~=xD2Y>H&0jIxq6Go;=H~)PX>q7q-I@~WEXs4RA;65u$oo1J-Qh6jN&AV zZ}uFsiY<^g@pX=Ldqc5`akXiZ@;9w3g-6ZZ)t3J0XlO?4jN*C02xw`4K?ea^eJ`F# zj6>;=Q%Ye@$2$1?i;qr%0NfhySad9OCxK)2cCBIUf;B;So=VJEN(cP?g6Eq*d`+l!*R?Xk}G zzx_L^3zcQe0qNj9|9zI}EP-qC8t&~UAP^)jX|pMT+)pMM^|wBphEsU}Dh^kjpsA>H z?aLpP#ZztXjbA&z&BoQZH|cY+)q@^US+y9XO@HWnG@KabY`XjQ)_;1thbD4IYOejl zmTz-(dgPHW>~;Qa-*ZU{Gr^Ktzvz~WiFX@QBH|>+yQ*yur<54-7!%7xOf?&dw@q;G z&}r13>;|G#Zt^%(dWkE$hv3o)MN>*r1l_3_{)Pv3gOCoFFWZjf%y~sLzQlux`~&px z*dTax1)YY>^qS~!c^|94jki&IY3yKk9WS%j7*Fm3-zxj6n2w@sl3c!GqcchpWL7Vr zQzgcaIR6&p#i*a#w~ONBP0dhxBxyGkV7R+@+y2uHSLN78Jxl!m_8|o>-u*1vzEfo>Ej~K^+Ep6(%kqwZ-l(gNo6NS(uLfQ)XgFz4UMREraqsuX7Dx5w~r)+NzLtmwgpIfpL)m5~SHE&=f ztTL*-X3cX=V#`_|hw}VEyLxzu5zNRP9*aU-)vJe+1T-x%GFo^VN2 z%1A0#5I5fl&OAX{<&JxfAoBsKR6 z(P3X?cV%EV)Bb=+ol1pa^e{aD*5w_lMYxxyIneofJ7Hr}8Eb)|^FmE&80O0qq`Vcb z#*5}OGkkP!dR@k~mY!6frhO0@6!Gw`%&RiI#FHg8`j<47$gCc^5d#z`{1tw)DNEZd zZb=&{!B&Ipb^82Ur<^e8s_ZqK$=kLSP}ya=!rzmbJtHDDq_Ph})bUL4E0 z9RlqbZjue#HA=wiQ(o_0*6ym~KshaxJZoXSA@a`kX+&QyxZ}F8C4E2zJydqs0L1xD z{crU6XsCB|(t5vu>|F>fr3FU~+}d8a7;h`i$I3mo+1D7SQXh;3fk+3tRzPiz zJVnTVw=k0F}S2pjB?62khHb+`QHnlD~^F#kj{%S%Uwe6dB=|YHux!2Tw^q;XkMXbxuJ=1$X&l>LJ zRC1%hliv=`15gu-k&RKX+-Rlvr;d<#LslLfM_bZy2f}Fl^hd#k_QUP-X^o+Kn~u;J z6?-GTZ1!(ZbscbS%che-EZ=}|uHc&rl359e8Z(Hp3W5_#%n~Qh3eiqt ztW=z1RSrIqU7=BQv5FFX`tk=n)Wz~H?$pBR?-EG-ejBpKT^(wcVG5VCxXULbPT1$- zhY9bR>IZB~)vK(-S-oFCV5DO0twwCDm%>FoBE~JF%UP=2Era(J2fZ;7m3L)my14oG 
z`1kQr?p-a&^`A@9#WYVN`$=+X|g9&6|nO z@WALVP`8gLJWvRFElem3&M_jLH_aXJi>oe#soLI59eDUY3uK0cD@d%A`A;bnIN|Td zBrcAEaedX0>*E8Jhjw4Xg5>>H)+9_LHjmw*&n$xHht+(#F<{791doIZWN8k|9-dPW zP#Q>|hONu88qX%4enL~M=Cz)ZtNbr4`SP4*zx?<(6k<`PbF4TA8jnJJAWGxqDtGC1PgoSM z!@&Po7E>FiLGHXpXHhsS; z$ydlyG;XfcCh1ncrA`Fib-t3v?$1u8aZ|@5K9xUBy^0%K^^f+of~bLs3Kv}He|2GX zqGFo|{XA7T77pF^GjrcO1R44M>>8QK(oEB^cJ4bn#AgGr`!(H^w3>bkb1t5fW4sJ8 zGFas0_oFPVD520nE+U(I>1yMl>d_-)br zt#n%8$>}+MQn|em&|`q^HgI!96#5xa$nS2Zix4)C>5Q+Ni~j!R<)gUSE}`Mn3#wsV zj{PYA0tqtB!Q4rzuChiO=3Y#K{=<4iB8bOnZRY~%M%btI3}yla7X-z|F9@G_q}|wW zQp!6z6@@X(qDmm73Cb_loP=)L@w8H7UsVml&T6@cLy8)3$QVyX_cS=yzD^}`gf4vt z@)5R#*FT4W&NX?s=Isgnjd$z?v2Di~zzO*6Z}2okQZwpuN#cT&=NV2Q8SAqL1r~tH zwqP+RF<~PNg=$X>wzY%2WsU~Y&CW^)E>leHS>4|?Eg0ZO{9&^&y%0QfTbh4y?V0wF zcjzCdaa85L_Jr8o$J!Seq@6&Yhk7X(w~n<}?=4Ed2zchs{n-{_8%w2O{yj3lOYFk4 zk-+Vr@$%^nltbKn2+S@p15x)h7VVYbyLtlJMd}HD{W#>T?XNuu_&1Kufs6cHzvZHR z^V`nzCBMrWFEb9l_bG{?;|>+f52w=a{OJlLm<^qj>qzIC-QCE-zIK5PYTF3M`S5HE z!$Vj4>XB?mH`*j^R9`N9q{$=OL(9repJ-;?mie=gi%)v2Ctz zTb(?f_RAuH?^9-kVHcOngChg>$m_;C2oR#uA1?u^4zB^1#puMr69@y=A1eSR9|t>h zVJg^j=;d1-RpgQtXi|bRbnkg+lh}t1C&(T_fB57 zhfqyMIHm=ZgEM9{8OYbQ@!V?uC{a`y{WW`lbKsOsA7rCpFf2Qu2f*Z1NqVR#Y?GD% zWLm*=fl&6~WLjc~St4uawigS{w%%4TgKE_5C_ps}9-nlX9Gh1@jFb5?ixs$jI|`jL zhP3&mvQntz_p_oa6=FRBRf_SDoAcI$rCtVG1ckY^wu(ICov2aAikyHGua|VNZXNw7 zm)zq~ZmQ*E>#dB1S59gzq^!Dofcx9wGzuCj9d*GiEw%Z|j%r^9?!+eVa$G*!s)~nL zO8ou(-urRQQFP9)73!qUi705)udKl<^9KUT5!he4x>+gKnhyCYwWE1rXNtp)!Ey7f=TS{Qc2fw>fg zc`ti3%kx07%Z1C22bzD!plJz&G^M!00Y4>alp&G*Jb>F* z&?Xv@!LHUtORtZ6ivMdD^aFSVB|g@1_~xVthnp0Asaj$p<_l9q_w4yNqJ0T}0JL2^ z0(g0rNFL21df`1Awd39;!ZURChYR{y`3$8g5N(np2)OmOWrxkSB%=f$8scL)t{dCz)B=L1VZ#y%36 zfU_SKe3VrqM4f=Mx@F2Li4NJHv8atiV}Rlw#D9W<2N5q6bBUzTr7aG|NolNViOq&{8nUcR?Za>#UK}VG50?mf{~f-Mn(Bl}EvRM8 zfI~aX`cM3xOPK%2s-Doq+RvCfQOKZ%uv17#Y}9Rh66tCE5)(FP#dWTCune#Q^J@yx;K-aq=2#Fq%FfzQP-E6#pOveHddfQ&!w=HmHgwL<(bHGMIE-vI9*&v z>Dn4lP`~!ttZo2hMnB47@euumL9g2MV@A=xtU%3$Ao@scEYsV;wwH!x$K3V-Pf)%h 
zzz0t^isCO$lGHE9g+B)c+dZXUN%mtZb-`np#(KjqK?RXFN*B{HiJRZi{+Syuxqe&~ z(4taN-Bfg@+4%2r%A2=y>lIbLzC1vq9ojHLUnwGYO`59Ct^ZIJV|uAv1+zQ~Ri8jE zPbDt2o22fJbTdtOD;awV!#9ol6RgktFBlrpeaM7%=W2$Xqd^DgZKHR25pQ=vVn zhIzUWN?V>McUf5<^rpJhY66_&ypW;qc6bs&?QTb|fZ`&NgYRv@{^eSiV3geh&8&MS zTd+T;RNe8C2^YcTzhECV=v4&zo(A9L+abjYxAC5iU%%SDffB=%#HM?G_kXLBSK4|630!Ji?t{79`uZcn)Dro@Ue_8vgowXAxJQZQ zdPQ$@F75a&TX;#QK8nJ+>BGP&*19#)@fQNn*b7OwWxZ3vO9k#9V=p0&d_dcod18#! zoW1Jz>$EH1!6)u!LFI02F`esZ6GNdG_PX3~NY!74LjLrBcyzu|K<|LJXM=LU>?|9Q zvYsz7MOY)$Iu$0!Eyawkfm$ch&NKorIm^JTz~7%${Lv!=n}N+D{#Ua&Gs>gB_JZtQ zA{x%SmEg;eKXbCKFD=QCN>62#wN=gFuH=w#A@YqZF9SzCVBD!kvQKC4@_DKXd{$Gs zr{sz^=~n?_B)q~T9)Zf8q#GGa-op2P!Y(%yjcj+qiqPhhu2D>P(I1(vbl72f>%1pe z3^NgJjw#xwLF4X=k4OCdU$%G~dL88fHTyyy1L-4zh&>c4?$f^C)};-kXm#`r`KFx^laC!^b2b|D`C#UG}zn!YTxNYCOp_16aZO@I7pWy^QUBdGV{_G@soo>=! zM}v_afe447|H$&|8(d1AVU|mA$_hxxD3GNyw)jvp4?>jUa9iwYEbw?El}~_Anfc>U z?Y2wq1jzqoTq6md7a0Z1mFkvdsCOX3b7SwT@uvp1tVP5Q2@L)6=h%78e#*d4mfhe` zVJf|-JI{c9xr;TQ4rNC=Z6#rFnLO9$U2?d3yP0}!NBs$$(+ zz1XwYR_50fPS=FfI^3;WmxCR(y)PPBa^kC5V#~39%iaM=k0|7zrz!T#sS}#aPG|ti zcw;mGl#c-#;FPH(uz!m(esB}GHO4BF-?#uy5CP#R*jYern~~QoT<0aXq?|i7qvXsS z{SR3Ox$32?FgEF|M1OJ0KK9-Svw})6W9V%$nPdhU$q(^vxDg}uHISv;}HVF6ZfZSbfqSp)!QX(dD z%v~vS8K=7#TIcV?u%gR;ihUwZ+})(1r%%mz2~^ZQP&th_jL&abpJdxPPc3=myZ9O9 z+zq~moTS)%=A8wFj-D90QU&<^4(`*Qt}d(rNF$-}DyWlpE{PX7J3i-a zSeOMa@dL9*2Mn-}9lOAlrg+ikGx*j)LEpx#R?Vfn@KwgmqPynR0t3D6A@O zFkKg%T{yd>WUnUca7qkc-9=&hJ-%p2TRfxBQz+}lyL?%CbVvbhA%4aHfzaA(1(s-sJQQ>WB&f1WIy`mOUFXBxj61 zX+wrP>-q_qlyr}tQRey2CFArTzv?H_*fmWb*T|OMO@>QRGG8+$2j|Ln)P;vSCk?mFhj@x}wm` zA{oZDrb5rMG+_k^ldtpd?<*~Sze82XwM#bsniK-irM4R1QaNvSaV9fh-7^&E+p+4Oy6XJOAzrh` zSb9%i8}S!BNRir$Ranlvq&f@>J#`iO4SRWd5MvLUjh|d|%g0V?+6L1WSa$X*Rp(#znC1l-KaZ_L(If@eYRLH_9-xPirOlt&B74p6NTixVWW*^_za1O>W;S(Qi0 zT&K$p6c_oY5+s0CYCHkRZw9hO(bO|V6Syb-=GL|V$nAmKkBfZ_K&KAy_LJ4h3B;SW zQn$c=L(;)WBh6^6g>php*JD^>m<+(Dy_=8X#o{R=;oa#eJK^0658wkV^ys6EIjoae z&LpRb^VTPrh}V0!3w$SmxC!<@7ebxbB;x5Sfj6!h=(13<2`;x#u?co81J7Ubm4Wgj 
zvh}J2+t(19!)ybOKZkc?z<`xq0-s6aQ${({(k`&h0V<|{9ue?~om{%*EPHaP8f29- zJz{kN@BL7nXd?cUNzZa&E1QBlPdOfCk!WIC!)G{oWt{%^_0c#T*j##+%`U3(i4ueK z^l~N-(0`f<4y?R+T_v~f^~xkrFtUS{R=R|_baIqwh6gEyQkk_-mTk?EGS zt5}B+m}6@_Df=iNk$LF=qc@5_->KRPfe}PwIW)A3rcHv4Db{xMW9}C*N%jdOQP)&z2O0i>wiCQ|t1;ZjZPaihdLCNFc5JK? zn#2`@CfJ+ko5n4zkR5`_iXP&X;pn3=XO_eO#JNDAaxiDegs06qA$^Z5T;s zB`-);nGZH;ZF82{0dR10VjT;po)jywxee-11gq&RtsAn|&TC?fc%go-kN%wXbG zfq=k9DEMiN`YXb^QU>GLUd>Y*y5m*rW3MTp)5Z*{?1<%ia~v@cgA&7yQYLCu*l);N z;G@kmbkORbnxNlv+@{!+4m?cn-$Oe;fpfnSX0e~zECi8jB_i&!J9qeAG=0rz2K+sW zu&#%Y9)W`JfYbaH28vFXc`a_;2M$_$yW~A$C^-Sr$`0_`rr9td$^#2@)Ti0qdEMWF z*?bJ^yFppTQ1hX}xh52|gHRnWvOqY2f*S!z=&=zwWw<&yv5{JpFH~uc%}(lEwR8C% z74?qm;PRb!RO&*HtmNI=q{XjPm#ideFwHj1Z%J${Hv2n+Og@M7hhjll$* zsf$I6pOUM0#HRZs>%~$afq`k3BL4x$U85F?4|Ej0Xb_{828lq+s(DY%NYsLjzc!~+ zw{C-S2cp47ADx?er)iqD$-M;9*TiL>Kcy}d%#bUn%fV~_6B6uCRNOi;!qUwq7mx~> zcWVN(d$ayv77#c;z9(5&klvble?ovR$91_;td0N!ZrkP{vPBkIa1&_vkypjr@tLUen9BL&ftbR4qqy&gy+Auf*3grw)BLN5^^fSh#Cm1yKAE1`S=?_@x zc|anB%IKo{H~vEIf&V`OkC&ZF4ruSpAwWMVJ-`b#QT6RSB2;eCrIvK)n?2Cmlk{H# zLbt!{-_MM+)KX3{@dHbO!c1Y+kUHQU#0-d-iaI?0uL=)wvmJaL;~fZiz4`_seQz@z z`PxgtC|$w4xxW(=u!D|*B@7yJcfZ?L@gnQyCSYIj)4{Q93Gzy7JUfj6BpflMp#MZ`0bFO7@q^G(xB)B@RVKB|AbyFirHt3xbyiD8{` zRl-V~KTIfAv4J*?W)Re&5f@hp=IjPn)S*bf*qpw-d|GD6sGZGu(5S)tSHN@h3up^XI(N z;rv=)3SaTwT1gEwxCap2<4j2&oI4hPg5pLBemDVby&4AI#_xojmM7nx0%tbe-c;kl z(4`T4@Kem92k{(hhAfi0dhi>&q`A_%&oJVxy9konjRurx(>uV{y^E)B)uB3;t2E}a zt$?lyMMCbpaCs3>VL4lFsbUN3Xcu%NJY%|aWvx&A`4-m1M|=^gM)Ma`;?}X^wUG-C zdxXv0;38_ns~q||Rqf?l#G zBCrktW>{lvjEAEbNjAf>LDmO~fO9U7LZ^5R6~RDgFtmYt0Q@`|%|zd;>?ymja9YA3 zQCeow04IhiSn}tUeDf2SLkR_BIXzz)Aa9M+*F&k-CiKewdW!$g$A%;J8*KmYN(^yS zAz10%V`O>@i(Z!}Dh5Ozg204SsNf<O4-kxc>|BC)_Xt5r1OdeFIFU*Px_tCpu!sHwqt; ztp0#ndV31|5a?pj6FUg76AC6TBf!hKb0e#-cS{QH=xN2}+u5p+JERz0`Q}jq^z{l& zl|Lpo3W$L?4SCfD=IqYcif(&CBX5ffLXLDNvB;{s?8Lmtb9>qV9V&mm(UaZi7CNs6 z+iFrQ(j$cNr=O&TNgi0G@k>VN#lQq73@Tuol5=eH5fdAU_2xMpKn!*oQigu3QU;H0ipiL`I??2zwdF3I-*ZN2_)kpJ&b 
zl&ga|gWG&8vLdOQ6JMo)hR+wN7i*S+}dg41!1z)2l>ID@w^<>u$TUU4vqf>e*KEe2KEP^W&@hqE{U(5$RV+`bAv751A^*nd((vTH@cA^N zd%3oMNPXQqYOpQD7eM1$)p9JO?{~Pv7~;7Z6s*?_jdLIq2-Ojqbde}P_8R241hwJ_ z{s42c(X{1BO?~dT3`S_+e0GMk?$t3uP8@7iX+y^K=M)Qzx!vk%jJOZ9=;DSC#uFix z7+H)G0i?R=4{?Jr>t<7NN6J(1-)hxnk}PGE{}RL=Vs=pa;S1}Nrt%h(cO@>sz{Dft zLMF3XuuJ+UR@?VI{qTZ@p5!FQg)m1Bpg~-*hu~P!b8KE&+utWyXt^Eg-fCFNOvJ== zfRLaDC}nXY`=X?wDrKjXzkAw^&b8i|zrHEq>mkft#~zB*-(c8)3$;;dIpgBO9fK${ zu&^(9>faueu7Mr{)bRUWoy@UJPqF4a=!XR^Op2f1awV9$} z2hI`L;aZ~Lqza)BF-lkiz3n)Gu@O~q#%>;T8Vftr+C%5;XLk`Q7kmp@o_B;LQ%CxI zu*EWKn>jhm7R&8zkS%oy`mq{@Lp@q-HO7J3%*a!Br-{5V5L`){);l=XO|FH20WS9phb95xcu? zBW*N#vX&f|^nDn#Fgu-h74g3AXB2JL#=SDW7^XfTeJuO>K8BWg8-52yV5MWph$4+f ze`wB~k?nU4#5ml*%c^I=^l37LbFS^lqJ2gu0zbC8-6~%KTwE3(UlldFUUv_~**#t_ ziyYgXZZC^D*aq~&;QCO~dHG4>BPZsH|}zn>hP<&c1+i{(_T(VIm?{cmzC9wRQBah|(2J=Qs~RvX;jZmw?{=)MK6Sumk2mQn+477GF%)W3vtw(KFB zBx~3_5V)*jkB(a2>e}hCi|jteKES-)cssu-DgF8J*-gx(O%={3qeR6f7ISf4i~$#W z~XFhja&p8U*9WL4N zrFFjyN#S4>bi^g=2v56W{an!#q`JFm$;Zv-rp|PhhdJS@HN15Fg+0PC8O0KuHwLgE zVX@%fJeKux*}6%Fmb8IJK*`w31!b?oKSc0Ukuf+pPeC??V1GoGqx;t@6>@dE+utAW z2f)rdIafkekJxX3J|r&@`bOF%5O}vO_mvMi>n2}}33yw(VTn}PKQX5nq3}<6_nJ>8 zXo#qq`GNhF=#l@uC*`q)6SSxF(1vMys_cK#N02wpOM}eZ@yIIMEP0?g+)7>-Fvn(7 z_~_rY_eaKiqO9DGT2#eUex|Xzd^a;Q&4dY)xcWEVQ)uP;Ap8KmW}ai5CRtJyn}u!Dj546`(Ua#B_jqueJN)^HNPfj+XF^f`8G81+P;P@%d1VcZZV*l7@BAQIVn952U)ay?$ zsV5G}pzan|lqoGU^Gglv_TIAkMuXr6X@$pc%83pTbhC62Goxy+lP3+StR#C3PihN$ z!*z!p7~fLK$s5^$rZczMB>24qPUyp2E{U+7@Pxpq9v5rRlk(sRV#KCra4Curk5O&D zTL-;OP2FdFvwIT`$Gpm4!9OKx+mI-+bzxd%gCglOX2x}WZu?l%D*Lp**AWHoqmOc^ zsXv-aklI3W$6PSY+;I{o6%p*ac(t?l8^rN2qOiIZ?LuGkx3^nsp_e+aD=3z47)j{y zbt-Wj8HT(_>lbGiTjQ9zOXtmVUU-)GidkE0czbfwi$ZOSrY_o!F5ezL?a7#O`<)UZ zo5oDtz{8s@rCe-J895}wGKh2BNw5+K*JjA`grRZy=zN&Y^^jv#EHzQCsMjtsC?Uk? 
z*HgI1Eh(_*w}|qTlM*mf?nBHes6dWFc2uH85#eShLk2OV6Rc5nrTS6(X7M&1Xv1+C zK}t1c8*ERxlLGK(RmV8P;Xl*!r5!|CzhM)-lvyV;|J0+OJg=L*MC+tsQvUoDfX{~l z!E|q|)_&((gNNi|dsNqw70P)-g7mosWK;bJ_lmcjVB z-1==u-Kf#5(z4|`5WAfyL427=Vuvy^r-CEnzRDM^I3ZQ_X+kv%}X(4F%6YKfTz2+yB?#5`OdIzKvn+uA9O1MWk#*gq> zLo3cNnVGcQ`AEkbnH;>8k*cxBo*TsMin`YyApr$FA^}UA9EJ_Akgak40RuIVTX9^@ z%k|As594j_Er84+1koF-VgeC^g3GOjgAj7aI-*}Iwyc0_)cp#hgsH9R$PfCMFLA69 z$YjE^ie%1gbgp?E9tP-Rfh|Sk%6RHyZ##B%#+U{&DVG|gc*NxTomY+^vMkaBaj#6w z9#MK(XE$7wdvp)cn1!R?0$q_^KU_N7;|Qed;kfLMj*^RSlXh{w+Xc**qWqMu?M>8- z_i@M3tLKeoTn#8L%8{N&IPotdB&~f^TB(hGqJ%2k(h^obL%BJzJq?CRVMU6ssCZ0Yj-re{HM4XlNqZYb zYEo@ov_3Q|%KIbwDa((lpBG@%I&(16>-~3VqVB$&^SZ{b>MfZOkj5ob@9lG|rdzOBYgk`n-=_P!JX=w&^_#eShj)~jOt}?Yb6;g#2Ht) z(nLEo>0}iaNlTtg%SVXmsKF6AYg9@~aYjEbEaNrAjKBFqv%FG)WI}jo+fx;JaRmP$ z62>WrecO=#X4JPWZB7<~f~DV)4`Y?%7z!x8?ne!TK_<7kEZC)RJy_)x)8Z3tOkT6b z&H`YyDd$|V%&$cvI%#Wv-ama+FkfNE^4<}Tpj#YkS0Ay^3Gk=bz92SoTZ2pJWFSXp z!P!F9Vl&VZrgZY{-XqHz$vzJcR`-yGcTkGJgQ{1lYjJ22P%Us`coY}8q;q3I#P6kt zFBz5@>Z(M{;pVS=53=(&$Fq9Nhh|DPkA{puE2dAf%HPW~Zx=?Lx(=WWZk>6DGAU!E zlw(Gmy;db?0WtKq0VME>ST!xDy6-*QR;u-tTH$RGD~+GqW4bOyjNJ9I7pp;LX!0(>~i`v8EE~l$z)}||28*^XvbY{w^oO5?q z&SjUDoOZmM;xjP&gG=T-5>pR-f*h$4!6bE^Vt0>5Sa2EHI@Qk}a%R2!OWz^;ca|B| zvF5Zs+cY>1%UmEf{z@H8Sq+bXM!c1x`(ZB8fw1kg0}R z$!KKi-@uAg^Pnxk>}r%$l!9+25vW&z!a(0Gg%gckqCbMWuPNreB;uDsoO`B*{i$w-9Gz&E}?VXd1Li^UhcYbwR zGq?94C|@Qc&04pPm9b{Y=*|g`Kmlz_lm)nlEg zpGJ#G)#b*8RIFl_{PM}`jvuHmD5!>2VI|EqpQQos2#QUhaPFQpjRmVIuS&)OT8;X# zYLK3NCx>@6Gw3Yt_uR=UHnW&UC*P0gZX3%rn%B>;N~ul&V^X4gO|=0O`}p+9mk*h# zF*>HpljV?0B5-=UOP+iwt>sW9scoH{$;IVU&g`~Ptuq~SuGyCMrqMn8Ttf0w?y=IG4dY?+_1IzjiAd?Y*wKGP#D zT$~}}E;lXc=j-ezr`Wx6-T~X`delRhb7Ry13t&WQ%jBNDKvG9+Rg;!8^U~ z)7>BVz9X-XVT=sPr=E;n^#~9?@T$*~E+%~h-=54={cBAF3sB)564!>HIoGYs1lky;sEZ&nLb4|FMsWqOV z8OgpW>JrN^I(PmU_KTUaG8=gj%_(y88fWyVrEG;GzQ^i>Jd5EA#TGTEMv_rJKE-)( z=^Jd3AQAjGs(2nJR9Fr4oh+{q&yrOig^i*}9Yvx;6`v8n?O_$ErS4cp z@4Y=W$yP8 zm0Ek`G?x!G2z-PPik%jS<)RA7jzz7OSA|jyJI(OzB;XVdTZTVz8OgWtR0XKwX*pg* 
z!z)@vA6E_x_#61Bwe^~z*odm(Z<=GY>Erb2#Wd2a7-YvoUAp;C(ONaw)=Mu=Fd1Zf zLcA<|@batZ{88#Euz{KWzFCx2Y_3QjTK(>2Ns7$BI_1bv6?{8*S;1yTtkvgA^inXb zd5!|EsJXSw^oN*QCaiJxppj?~+_&a<7~{ZYALa#jR0H|$ynl3`Yca?U2_=nKw*T4K zqJ-H$uZrBa)M39_?T?@F*m33BxxA1tt70|EPT#VZ{=JD(5O(J%rN*fsQ~QtUfq$M; z&(hzQ(a2P}w}5C=ZVnGIIevfZdBl92EFxd}C(LnF7ZpGn)^^l*sx6JE zgc)i|O|mw7p!e|I96n{4=MFc2oY^(Yg^R{mm=rk8L0B52zmegRJWlvkTZr0h=8n!S z56Ujb{$uw(WRRz;TGODeV?Jr^TA7Yzh6HvRuR^gZ@5dKom^cVK7B?Rc{$Nni0q&l0 zuzMCp2|Qi(QgKp!I&*|Y{Rdmb%QQNe z43=xnKC|@6a77)0as^FY7}Zni&(G6Suu0VkxCo66GOHb;0mXR+C_JB`S2n7R1iDuL zhcD%Ot3QvxPERcc9`6cHReniEvSWInnKvri((~T;@5%2kagH?QUnr|Z9OW^d$u>VQ z2l0qiLrCzmQjn5?EX$RyKr z?)*75|K7CiQYJC^l!AFI;=Wv-|FY;n6Mi^LdAhc3M_7u_+=c*u!-qacVRt@xoqsde zy`t!ToSUC&sQQX> z%fqhHd7AS~Y3RBbjoW|0t?kJ$IFzlUs(%I{xUE%rfUjgOn3H<8I-DW%Mx)`;kHSoY zvP~lgKT}^2=QR}=3t|6L(8$COFS{l0YORSF8CL8{)UKm^h?wxp6&pHQ8TkM*vSmpM zB;oHgN&9MCnjs*eieY@mzueY2ORD}#Oj2x|B?L}Xoo0XQ9%(GX17HJ#EvibnI&{aj z(6a*3h}!8d`g+##S%M}ZMpWf``e5dP1cq7PCGK@Tg%Th|jNV1h*2%UpEXSTg-iwI< z!w3fPaOTO(DjRXSF=12XJJ+_eo;_Txb0MHG(?%bQC}tr=>FlRcvE7G+FD6LrxuEGk>*uFl-anxbE^v%gYTCToQ++8PMWd&_e@VzqQ( z4=-Jh_4ZyZIM##ZDmolRhiAZ2T0coL)l7B_c+@Laxxoz#Xo{kPijdNtZX{TCx z?G{`fpsW%Qg{3v%X%;XH@mn`5(k!FG$p4e0yU&pg%siZ;MgJ$eFHuR?>ec4;#M%oj z-U2kVByvz(FFtb#vy+$J)TF1ZC9U}P2tAgR8S^t@i>GQ*4sx15XXXPw1%QB996iEB zr$-;%b58qrj(SdplYI?6vca3IKk36W_FPO)pm-4!Xot-*+iC=pi_!ysTa23{ylqR9 zAg8-X2zD{zS@+f}pG{J82|<*wjcFA)pBA))g&L7)si5Me$wv|@bFF=B+BrU$aAI6x zf78ar+$^i$ckEv#99npdVl_GlDV-V6`y6Rrx6_#jFE;Cm z{EV5sV&#pKx!hkXpUcK9u<9nErXfa|)I(%8l}oFqyZPO37F+~| z@>yl67dt)lbOdeFo8`7j_y=7&cpp*rbQK>N3wxl0Q05JFv_wd7lhhv_ZVbyTD?%CSIec4Z!>+76)!6w# zHx9sslkBh#fQR17xm|U&T;UzTK7m4Gl%8|b(wA42Ik9LwNc?o$G!EMTO}d^mE{I*v zrP9x%#blG-Cw}552AV26T%G*a=c1jW_pfM|ioEd&xI@pHC31kvHls1tvS0-+B1g?q z+Y$DV@3>}qU+MI{gYDnS)V3C{i-dGpieIYnlH2YCpkIq@Lz9KvdQWtOq?OY3Z7R2M zXEH&@NVaKw2U)+NUI#gojp39g8O1lhOQ5EH;W_=H;l~Y`JPqy`D4FeDj{jc(p+H{0S4&|4 zD1?f10CWq1$^(IHg~1}1|58VQ`sv2`*2B>UYova&w1`ylIKDi=@_2F=xXn+E{8k?8$Ge>QVs8Ys+j-ZXK%_=V)n=C 
zB<_=L$T8)$O|I#3Q>{n+lt7IjUuYjWGXV2z z@O?oke$R9++S4Rqw`V*5LWtDpdcSKExrIA*H!t(;g}6J~ch3F{17u>`yN#1x_nMh* zGjns9eeb-Q=zOP0C^KiO(jF#C`&5N3+`sI)H`{kau36jmg2=mxHN1y-k^TR?C^h)Hyl)f7E zL6`DMkfgZH6faasdWp(XT@UaU+f?EY=t-3bmnAq|DQio1y*gG`ip-V;^xlyB`a{No zZu-`jU7J;ReB@m19sY2-f_N66?!VQ{r9?MIC69Nr^qg%Qtjtsqj@C9&aCo*O9LGOn zz6Fbbr}h4wQg88i=k;jQJJ$pFib0V0*d&;q)FXr@XjuUO@G3>^M36mJER$~7F^iT`VZUy0g7vc>~B#08eGq23&`jxJm z0FG6%LiG39-{KtX2N^Ngy3h{1H& zeD~gL%~(B$EuwwG3dk#xZimklV%)*8&X0qW3$KDQFbz@17#avOsL&-B?dokKw-mc3 z%aU!WdNn7v3q4kaOo<+V9p>)wV>jyzMUYFZ^I&L6u*^9DGw&~7k&F`+EBvkUr@bJ2 zL$$A<;pAmr)Lwf2CF2p9U(La?)0@T%E*?C;n!BU%$qh+&f>O;0K!tKc>c@JQAt%VX5XqFsI{cFJefym*s#lt5W2CYk@hpi=qKHEHE5@R< z?OK*;xpd#Zphv|k?G3mgDMa~jUhm(v)Eg@4sx+bG=`Bv}0i|TQB+)M8MqPq_hUW9P zI;})O{Q8^`n#7I&qBYwNLhnVcE)tSx+pfgdM4&9e5iyC9icRrM= zQY@0q=caf?Ic#T~#kt;OT2@zv|1HbWty0`4^qT0N@eX4)M5H&AvsB?!;c!Ev`Ulij zh}b4eh$MkgY}=cmj2GNpqIc(4?+}&}N7u%&YsvVE#0|4iuX!nxA155VewU3G8jDvxGArjk zwje84@)om#RotWvVdWSIFX=-v9h0JA_lqePi8`%|t=C7?xHLP_XdMA!h9i%JNbYYK zE{yn()Vq^RznstCf{thH0VxEFD7K$OrF^Pl_)XQOSX=S2w!i9gqB^K|j-VEZxgg6t z(Fc}3ax@KUK|r7<eIQm>^l0Ua4JNNn0iliifKE$)DQC}S_ z%1M-0WThk6Y^u1SM1Ms#8RM95AMYfjIM>F>dA`s>1IV@cYQFbcr>d1!yD(?yGQ+FN0mnK}rxc{5Pm|;BvGZV|!tFI_$AJSCM zl9OMgIoE>qO54q=r$>E(+* zqbp|f{e6eiExIfhgsT0(iSmZV2`4z-mP4&pO_>SViW6ZQ=aU6CVYIs#Iu+A<#;GJ+ z8EQ@NlEoA|+^p96ASgFcYm7Tih$V`upQ$LFLoL%+1)FPrM#9*!b*P9*eXUEDn_(JO zazi*yEIy0937;uTzi>>gUhPP`&Zm0C1(D6nnpBjL@HLf5 zAqrdFq|h)|srt73LgS`FeBazlG@FM7-+g(0QN`cw7~}axMYK&mXa$Nioh-Ih?71pv zB8$s*O6pFV=NBVzwCr|GB}u4|$6wH_9P7}S?3iR-K|WUGy(;=6Ns>g=r(M!eUGjco z4T>t8IZsu^HGECVbx4@bKWT_x4H0EbP(ZNg6Cp9*ZA3-a1;u%yMqxR1b~(7uFFax7 zohi7_FLu%Uq=7$CTz%YGV2aj4ZykYxBqY)ZTT(6xqEk|ewVGBnbrVbCMvzlwT7iNF zD7#gt^*+w1TVA&_{RmG-cG-T@pb$1wHbTWwaM8l);UPp#Zg2uDbO+EWSQ#{1Er{2 zmxy*;zXRx)=Rl}r>pLok9FuA%SjgiLk4XRV=s6ni=2+}=B<>D92Vn4V2ssKt$6(JR zuphGQ#~8tFAnopUiIP4`(LH>~QUGHW_6VkYK7U+IbM(aE3J=Oa!wno2t zcK+(JK%&~;hZLWlVIi*G&d(Iby@#@#$P_K%4; zF4rQ_Imcrx@ood^Fyt<{dH`xHwWv20-d^gYhVsbb<1!KYQ^i-p50T>IegZvDm&{vpT5^%2+A_r$PJy)HZ 
z@uvIJ)F7R=F@=XQCkmS^(xsa=EOm>~dlNsaUUIpqFuua6$r_K7_o=n;RoMz6;~SGt zF*SJ5=!0D3{HcE;mZ#E|>)SF@^@eMj2Ixc2Ok>Mp6;b`3GFxTaWwedy^4 z!YNLERMwJ!Db8!Jxu#hM|FBa9=x$qXu7-R|09#=)RWP-KJiK_`xz%R zF1SI4U5Tk7b5EK4P8C0a&rA3BO-%QCz?lhbv#;+>YL2^X>NOACTqj;TO(fx|%GK_?s7fs6Jd&ebd1dpcwU zQpWM(^*bbp6h3L89^YisM6U@VBEnhIyMN@$r&*G(Xa^I6dTlqV-ejC8*SJ}psw$;3 zRfS4e>ff~V-D)7M;?tFaS`X82|AgzBHN>uZdk$=IEXiBC>EeN{YMy1sn%2H}S-T&4 z)bSnjBB@ZuC*_=8RfARjRGdVlxItjF#FW?E_)1IfGm96a3ARv)p_xIv_AFC?=m>QU ziz%xahkG>M5RPGKHgwN2#HMs-EI$1VEw($)v9!X-v9;PyX;dm>@>cYQ)Li14n@?Fudy~Z65 zyyXH~T_G{&%IUr435xlGN{%^Awn%JnlAuf@f-RK?V`JfM+?t{1cZDN88cTGIz4RKS z>>8ltT8mAqv8d`<^(^7ax!2I^vpN&Et%9Qa)@C&|LcT>D{jX|UA6HZkT7-&TyIm-H z6ln{0+nv02L0-FG3RR}rn*Gz{3^%2~pI}i8Y3C1QvF=aax0Cnn@P*8b zMSc1B3rj+K_eqcuzQJ~7_Fj?)+^xQ@A=yYn6<`a|Jo)P6xrHtJsEGr!h1!ZGl)F}~ zm0G9>XEL{1Hc6S*VXtgR--`A%!T`;q>fNXcTugz*bg9aY6k}0kKe5%2sn{F2MY6aO z_8mN6ug)z+QoA>+sgl~UTTQXlA-<5i?OI9RM%328k1f?gi_1r<;`>L?o0MbFU;Gqy zsJ*@`tloD?seSjCt4uGjMDO5HI5&#g&==TW-|BMLwXsEX>Z1$~tZ!uim7d6Qy(=0~ zaX2ktN@gunVlJ|Y2B1r<{e5Oe9?$gHNAe#w11`Q4zLPrfy@zu(-Ud|`KbUI{7Io%r zG*4~`?oR0kC>J&R+bF3m9`)h39rT116)7pncADGerZFi-3reA6Gf3P}8N|shgLp&s zu<1&663Gsa2PAvc=tljn$EP%-HdVY-;#GaOd>y!z`Ohh<}8PUl<3jA-6 z(5XOzv9!9UnF4*OxFx*PF48i^3CS{{r%lt@QQKC!N{`J2V3I5|%x;WxIDTlZ`QIB$-r zndw~Vl5R1TI>Ej3xFa95PZGt6qHDHXDxU!&Odb(qAE4!zs6Y`;qC9cr@hS-WmPVQp zw$P^(CAU)i0EcRVu~dxw$fFVkDM*rU-D9g@&Snpkg2g*s3Nth zPOQ#07MF3VhEXCxNVQ$E>($YU9mVA4xWMxl7nlq3%2`)F*!bb#m8w|Z1t&}D6(#1o zt~I`?0I0eLbf|h|!){0;V2i{CFsWU@3xT3IcJ6{5>C%Pjlfg_$rwmT8fC!pjzNvaQ zeF6;M%@b(~anmd-(15M}B_<`5ax+ndNHr-aoB6IhCY9Q@cdWD6r6eLkU~Vlt|4LhY zG(q)Dkyfr9MDQ+`xgmU)KT2lEtSt#y25*&*9wcP6w#7gq`@GfPw%NuI*>_v6lENE1 z<!sdvMGhcK{-Kr5UszbxPtjD*zYFAAs;WAMBTQpP>zrIK~p!ek%CyXI4NuZCdTD z5t1n1c}#Yci(hsGEu%~vZSf`v{>I74$;me_U#kC~oSd}(|Mgcd zUjE_v%a>n$^UaHwU;XL%A5LC8|LWz-KcJI4nQ^P-LSp`hlfmC=PwtVl&t|jPXE>vV z48KJwgyokGpyPnI`P2$bzz(y(+kkHeQ#TOl^y_%xqvbg-MT`5I$Rx z^r(>T7CB8~!WHoH(>Eta-yFRtwhAZe^{e6vBk?Bt7Nxn8dQ-e1-=Y>#cF^r-#SSk% 
zuFRLk#@+9tp*8mHy9)5tna*;ZP$7TVe^!-oDz|uZNSbTVR59Sz!(!)0tYA5cZDcr7 zH-wv#4}4ZIC_T@c=QzpM__+obt;q(LjE!X^J-s;p`Kx*3=k{6K7^}Hv#Mt2Xtpef~=cZTV%rjUdu|b!<>QklJ z{D|B9HF_=G*m@xBbMF}E)gdYTcz~33brVtt%^(Do~)*>f+)S_x!~- zU;U|d|9kQLPhU;7VhJ5q8mV1VYt)^>N^dS*l@1j` z-Xfu5ZBtzI2#2L{Le5y49uij1n`3H+iJNHdg7magp*2lNF*#kM=$ephh7)?zP$8Lw z3mZ&RB^siIPJ$OD%;Ku5ph`iKhQWQ}MGU{guL98$Z*9C2OhCFl=pbvj1o=I<6H>NFmji>vr} zL-VF&vsvh6o+Mjz%V{M=yZxG;Xb)=b&n3`;#oK3UQ>C^j`Y~MvX(~vRb27iC+0TU2 zrO(IueD8&w3^bp=ZDex1DV`Vq?4&f8h_k^T%5y_p5Z)a$+cfp;zfr1Sng@5oKW0cizlu4#ucV%CpFDa ze^mYBoR_3m0SZ}?&Yi^>lV_*EE5T)>bH{Dq?6kZPl#^3lwYW3iL~%gR1YM=RWLslj z3iMX*4n^;{pzXz;8-Y)SpqKMhnm8TWZ@mu$EX-ue=+S)of0+oD>6?Eq->*OT_5aVm z{_1&4|9|rJ*C&(y|32EI)c@Cray-TV)!X?`S*2CoY5c3-_f-A6VYGDo)q{Ig?pFf^ z`+2>cBmG7_oJv`*)uG9DIbD!oI`22$5LpO#CWJ~A)Y*y9HO*rUB1Gk``W(wd9DgAb zF*A6blvmP3SMBloVtw(yWw6H zQ}XMD&KfUt6{Wz90a?^H1p<|tKg$wJ;2lYGOM2=V`jPF52wJ+BG+>~9l#|nR>+Px) zH@j}<%fHea(mll*;JE!>=L^1EF6!Q2yDYX_>th;wc>wjOKO#a{Z(jKe+*AV5X>fgC6 z@AwVvull)5`K!mUulp4S&b_LB)hI(Wzv_h})J$exI%}W>Q8`vvnrurgiT*+{pW?lo7kVU&iA8rRxAdnbk_U}sB^CG@&F%hO+78YZN+zP%SDo>_* z4T2C|Ri&+xth#xqtp!zD0g{Kd?;E=|t4-XhmvL4A=ybH#M_p|JeeU*qFSPcFK050- z85Tb6S?xPo>wzonTxa_#JJ;B;!UpSqB`M(r$1YX}wvLTgI#+U4_NdRkOItEzm37@+ zzzXY1zvb%c*YvPynf_5d*(cM!C6Md`+Z)_F+^))~e$ay~C~;85l91}`r$088&89dg z!nHE$wQ)I0sd#JCfa=otYSMV>(GVNcaWh87bEs$IP^YzI$CwuwdzJBqiN&j;n?Q!aVT0}Xb7D#uSYshU~ zP~+jgMyNTewqB_5^nSHNjd4SDM5cQqK)(rymFJo=DMb-VjB}mb-U*Vk2HzZm+dtyZMUp%xs)E zF%4Eh6hg%U2PjHrpFQ_}0+~R45kR5%A4dnMqSUkH|+3DI5z) zZ{U_SuaXCE>AP>jR!cRmd59!39Y50}J!%fefcOlEPgD8>;`11YPeY$X;XaKwV$q)k zXcwN(yBw!%xkfXpUyZid?YOl$hn;PKsa$V{e$N`y&i>mc#IdSxY@2^|?0)U1|c}Kn5SH(oVjK(toI>I`;uPw+ws*TM3>ZheG)`u1vo0qX6E5BvmJ?91^E{y-syk4wZKsn;AnP!>R1%b(&hp1H>NmQ&@%%i4XpKE zqJuX!Ih*k7h7g0@tOOho;;x-sQl;Jtn?^Xgr<2BOPP&(26YEmJZkqJZTx|wgSuIr| z8C^I;5l-~{W^G~BqgD^$L?l-cf(xYqCYaDN@g^U0i0t_UUufmzt1?B}1CclPK0c@& zkIA&;=37ePiI&^xiHrN!?p#-raDV1Yd;-A?@QDd&&@9=RaXT*OCha|0fXQH@)6i;h zVh|f7Dr`oQYCc;;j=;wTQ>a1}MbD?JjaM6a!R*oAEUK`QZe&O+PdS0*XI5yiQd9sT 
zvBhQgC*&qusoQY2F^`a*zpKC6m@qbf*HL$NdA;bejGK&D;5TIUDQp@mkK#t@J>2rF zD-Av&iCC_yU>QdG+JHSK=OkxyygooPw9T|}KZU>s)l-6*_#AMB{UCY4nr#iQ4N|U; zx-q7eD4*xrTt+7C71PIMHj(1Xx&kV?+gppEL(NH^QImTffBzHQG^tf`TmIxs2-tj} zp9+{pI6!G@fEp>&EP=YS+S8Mhg@eQ2d?K}3$4v}Ap#;GAM5X~YXBt4mk=kdXuoACN7e0MA(6})ucyi~6u~R+m zykWY0b0*_Y3e#JuxZ@!{yN85@Z;$M^LnZ9IioUs>pxQdpd64*1mnZj?zvkY#gc0NQS8j?Iw0^DflS5U{mhm7j?Aq`P97GoMF1{O8<%utugI& zuQ+zkGCk#v7veXbW%O9c`IzOS&r`h`)%dS$Hik%Tcv4g2DJw=Osj+QZ*XG+_S`gK% zx2&e{T3}Y|85<=jtC~UGFL6jB$=?i|$j$!dlJ;BtPPoFgq zWw^xJH-)4Ho5ybqQ}aR-)f6-(>)nBN`X>Oo-D?E%$}&cuMIJHV#~BJ~eWFW|Hej`}WDdO)U~iIcr2 zuE!1u+zT-T)Waj5ZLz`~;>&j7gS#Mu0U&Q1OfZNmbsst+vA%6kz9xzn*i_>1Jtuw_ zs5OM_1(3VYU84`v3uAVH8bfGa3|bec+JWQs!|4Kbmmv^35W2{KCEndWgvT8MiQ5)~ zgK>=C1$(1!ow06W5VwP2ZCjyi9XHRt@Ufj@nZLiDR)uCP8d~u(SG|6~7nx18lI;=>Vr(-W~w>8*>sC$U8 zBTN{EqS}>KYQIsYU&t#18uBQqsu4?l#__9`l94sgPuR?=14DCQXjaefl%cux z6}wd_ZL>$8X-w9MJzui>;~YU7bgR^e=IN*zeQCIYAFkksEBN6G{)t|}51~3A>2byX z#Xuu%5$HDA+ z@$KBKxE5CtHUX%zTmD_g@DQmjp3nx3IVM-D%1uqZ*6yzGG|kupm42Y5ofx-# z!97?@^k1pFEM?QunAFI;3nDTq(%6GHnFZNOH@wRI(hdL{lzVQkWFO zOOYyaIq8~%LK1#cUGqbI7V>h)Hpy11VDfU(#i+P;zt0QBvKx{LrW!qu;ZhUmQzN=c zC1S3~4b8$#$@r_lc&CYN-6lGES_?`O>o^goY>szyo#-LM4w`9%14SPfiXKiBhjXLY zizCGjt`vQpDGumPv7JLjM3pg={dityFSm*<94k6&BpYFKI$bLw>hy=t@i+u34EcZ*J_11>T8 zI$U(Ai+Zr0J-S@9L)!M@N<2 zo*=Qw$G-lRS*QggxMpzv0q6mazeLcVT`eiHP9o3shiPMy>3=t^n%!vzMdmQ$!nRPt zWO2om$nK-UVL!j9mG@p^=t}twWFhqosldsfUrch{1lLZ?; zt94^kHqE`)c4((mEGW-oLU}!Zi$$F`oTeIF`;hI`>jDD@q(Ts`)T%KcJ8(G4d1l(- z7DascFYKzJJyFv;oJbI4Y}G)ZcEVJJvr`ZQ9*$pZaEiqdB_o zO`CIN^ZEl@77#aVT~Lq1jaaDZ9e2^uz3b*S?Ck$1mNoWz`)RJCU$AJC7|{gLuRlz& z)Df&FpH?w@dYJ^2E|^{fR@E6bZp=?eZk-EjPNY8AR=@eH0iS-YTB0o}y>PcxTSbPO zz{p5yTX(|n!LBLk*xT%~lcC9YAa+@iDU`?#@y4UBsW(NluRH2Wd{0?OVS6xO3wA|* zWr<|Pr??C))3UHVnQWh;Mc1U&1*(B{+qxksD=5!A3br$1xbU5?TPHaonO~C`Ed-^4 zs>~P+rD*`)Z3GO7|%EF z{|mEoA1=Vx7Zdo4+Y9*mViI%&*3CfO==23HlI7QO2fn_T#CinlqJu;5;1E1G1U~_X z;OmP?KcC?1i^<>?Jh%nNwsW&$t^O;|VEwN>IR-yH7umm`KAMwkFCW=jX={(Tp2|(u 
zQ>2gI*Ds)?u1cf_wu?E-ndHd^l#QYd9O9q2D{FTL;yOXTEvF-E;SEl#Pr`|{OZ_~K z8>`mvwzfSwkm_n(KBTqJh5aVLxpa>%q))_a@}EYT9Ej>X_$&UN{1pdZyRYDD2by&v zMIjQ=;XBseI%_XB#4)-0y$jmv6p{<-Lg|!( zGZlB%ODtQhvt;}Nh>ZZxvxhZ^KLsAq($ej)<&N1=w^8j-wIHV_C%(j0 z+Ir(TK>S_%Mmf63clQW_E0VK&Cd~lsg&4e7A~p~fz=9~L>zyY>16^9``a+9#nYs4n zC&7ark)Vs*foalDkPVHw`7^p^lAMt-apNu+b#X7mY1iRzpiU3e>47@k*_eSky<6`F z>h$lDI=w$|yc<700LgH#9K&cJ{HsxrmsF|ZR*Kc!b7!^@zsZ!|aD;{RV-RlKitM?< z8|`*;wFJ80hj|7X^+2QE6wIK9%IC@Jp@EY8yPzaT@PAk7LHWO@C$G<5ZSsFl2LA73 zJl{P37iQ-^_`jduhWNjq--h|Wx*4d5oc!Na`qlWqpWjXpFYaRh>VgCNcVPbx?B6HA z{{8$mg8fU|uMGU(f&UxZ&drMT22k;T^}qJS|J@&DO*iTQlr>$gi?UYx+(22|cm~Sa zKv^3oYqe*fta+XtC~E_|qw#!YcE?scjR7%yx{n9{t2sICn*F;2|2sW<_4@3ro&Wpf z^wog>J;w7*;(ztoxh?e9%4t}ke$^i~0KeLITUg(sUfZL=e6{?Wu`d4A8}O4-3l;P69$=DfxW$0Xztd`r~<$tx|om%M4v# zWmMgg7h?}OKLXu!o(^VI@#K6}I4Dic3G~JmtW6+znNa=XE)z&H-R`7NCijIFX_@$i z8wdQmTs-9Zs3@HP4IhMAapP)(1)npInfmW6A$=~#~2@< z$^z_OxUB#vL@|I^Os(2-0ozXyGR7rB6R8)`UY-BfTPxn5|J zWE@O5*x~qZ3`3z?k46Ps$uc5(b{LBE*B%tX4Lt&6r< zO*+-}f_}NeD&B~6{budF-P@G?$IaJT9uHsmVr4X$_ufOd8pUd|*_C$E3!W3`&-cKC zum6dCNf`4c$%OTbABCEa2!|D*ZSIY1uV!81!N|Y6pm9&;TE9?ocKV9EFr6nq=LIj; zC*(ygtf0R4=z<#|7qkFK_J^~;GV?>WFu>TP{v+IaZ;K%= z6GY-L+ryK+u5^yGd1H?QU1h`UNFZs(`1Q#Nd2wk^&v+6fKT9cOHNb@Ds$evIG6T&P zTdm~H*BZlI+)Adjf~}2}r=u{s54SwIZ7f(z5J$xYc?wC&)twa}xH9{$v=(e3WHW*1 z*}uL1@dxta^dmp8Ft=GXj`#K^PBZT!sfcR$`f?%0w+PePtrn2Mb1CHB`^NvUwk8@w~Jq{ z$cz8^pYQj(p+mn|+2<{6=zw9B+&Y~YTTZ#Rl^>;X>90E>8>d_-wD90F__S>*meW~= zhgTd)BH2pm-|C|R&Tx<`)`d)P2FIV9`lol7KlG;eIkz*wo;SQ6Z<2+oKV7jKv)&W2 zSPJFkzm#L(w!GurW}DyUYV+>=V*{87I)TJ+hPoI-Tk(Zjmn6O?CaPQ%l_82MbU>m| zk1>htQ`e1t@IHShSKN@k;xbwB;*DhV&IJcFGv+o5*A*E4fy~TbIu3&!Ar5X?ayMa; z3y-J*+?p6pO$3*w+3Tu3R;}0!`6U@dtpG;k_Y9lwQz}-sZ^{cdS@Hr%DLf~tpm{o5 zBUbN0V7K7Xus-HN%`o8QPGuSj=kh}G`J72(bxFQldRGeJdA=d`)mn?x4v@gJ5rB>Mco*w2i>nA1a zt5&1-Cu?os)`d$IQ9|T|Ds#}~x&5PGukUpTLaJIUU^#YLm!@39z%)PY0@&F~m@1D+ z%1%_patqfk{9H{$1&+u{>9X_R__C~YtKcu2R;H<~x1q_tz~xtZA@YLd#r1j_WpV!O zc+E*xPq08>a|fecx1X9TJyYjMS8DNbvwiS95eqFsi;@P8P#Z&4N<5!$VcB-B+%Rcy 
z!Sn5o{EqjUKpD>wC|ih?SI*)F!2qzp%|RdF(Zxy?O%D_^)w_YG)03BH!8-<@CJe6h zayoTcWL3%Lc@n0M{=`m8o_*m+sW2x?Q@fNb(R$W)F0&KzgGTM-P&vo52dU6bDCFl=BR4B5;47 z3u9l+7`bE1!i4GqHWCriUt=L`)_EidSO!M6CX!`fwP{1eLxvCEJ_a;H%I8cKG31H2 zWyzXiz}Npt=o8qPfj=?uC(7q3@+TVfiFR0~04E~2--MYG_D0UA;9cT2{nIian3O_x zyFBYs6FP5LS3rEn3U*~ctYofLiK%j_Kg4sAakjEDEM3`Xk_aE05snU})3nrP6>P@u zudgR$3jQo45$QI;BsVk;^jo*I|0(MqD<(Zrq#I)Y|8=>BdH?z9LrGsi!Go+`+zM6r znGb8bAAOIv(*Fltd;TxEr;_8XNEP&|-0>j{XResndCGdE8=+ce<>#vp+r<*YHpXaP z>n0fplep=P=IwXN;z8&g!k)Lv$PO@E zV6%L)@!K43%$uUyt#e(jt-@>IFoyJ3xp}#x1o_hVppu?3Moy7xHZs|rI<3hfq zO1&4V2-%Rt72UIXY15J{Syx1t3Utg^kh&{v3RfBJqMuK5T~y7!!Pv^xuJQ`H+jqFy z$GX`^y4WAay?$rc`Yqk+EpGI#JV!*%#;c7NOF7(%htkK;%&^dQ)1Y0I09RlpcE^G+ zOhj*qxWFqn*-G7Bnw#DpQ3syCtH0Qo9`@e&sBfYUUhT8cET)>QOY(5bf#kDXS7$+# zX-Ca7k*>X2KMH}LBYd%7DW?U?)|i5&qgFhqOJ1-|b|_aZ!V_17&vPL=L$|;-cE#?Q zR1DG(Rlb@HOrIKOMMf7ffgSLzKfwV*t&-d7&g2ODpkS{4Q^3ba8-cZP8VYdyKX>iI2TOzqj9e~c| zikzLjI)X}&+xEb_x9OmK5xi2@lIAMB18u~Ss=wy6%iDzl-L5=pP3n!yqQu^6$9_Y> zupc$rBDCcg6;1QB!fu&V;601xnLQZ;me=R(u$$Zqp4? 
zWlej7ahU9*ttPmLU@4icjq)8So-%Sixl~7})~O=@MepepS`eF0tveVLi3-xT(ff@v zyBWK#+$HtKMTCPQM9~GC@}h71o=?qt&Do?|t@N);k?~~R-BS0mV)rc5)9ZL4e&bn2 zkA<9%Sw8wa)k{u||H@`#JwL{Hj!@$%D@G`xv29p*2kk2*maKds{k<}p!b`i)U#o3F ze=m4ZXr+74B%wKBc_PBy+<`HMNg-*$=COKyYKk}6 zHG-y90I#yjK>KT8Rkhz;iB+Cni5V}MWiTG*e%FTW2-IqBycc2-Ja$CP#;y=&k>SnY zVjOSu&D09CzQW|d!UDZi%S2CGP?inj@q*?dd)?gbNtSTMj)3+7h%;Nv7^IKF*0U7F zPeA^Gnc97bKU5NyDjwM8)0(4jCs1hvp4{4t0wM8QMjLywkw>wo|E?~jP^vP#+xL}1uH2=e0W-KiNV%k)XUyd1&{;nsyXz)AsIedoI$)19rz z88l7ZG}jGTo@2>|25evbqg$z|bF2F~U8C{dG{#6A$E@{|lNVYsm%MIB0#Ka_8Ef6~ zJNs+%nt4yQg;q#xu`B?&&-H<_tk|>%Fpniw-h4oZik>@0 z0N!ogSnFR3;Y|Tc%3BJxIsdyyBQ)!4V^oa>CY4s;QvqX=W!3k!(GqHC*`qyNnb+0k zGyT7|Tc$Peovlbq&h)q&#&!Y(;9Se=o@P9y1*;uW>Y3ic*GN!FJKiN;3L z)?CL)tB@;I82dOrKGpTcTP~U<)J*zX$FAx6wPhO^p7v+={meB^BuMteYGjIy%-Lo1K6p66c(z2r zRc8)SEi(Y1N`I8cw_Z1T`;is5BHd0>=G_=cVbO0{P`^k%=lKV&qMWD#ubX%<=ClQu zm2{T*R*iu7%)KMclt2>91JBZg%GCUweD|;4JuM-{9*RPe!o$%v;sRzu!Ss1XzfcBY zW)OzF?z*qmc|pIB7iFMhkO9|Xt83!Z(OT= zq+ibGF?{j!&9|CyviQQF^0ew@$KJM}a8s4gNsn6Up6nLu;IP;S!k_>j_+_NA&T+^hJ7fV65PnQq8Wv z=&E9R>3Xj*R{drnb^%Xw;+{##Q&Z2I)?zV1nYSBIX!Scu7tBbyUw=2=Z1oua9yf^o z4nrkxS-#%Ar!m(%G{wkAG@EoHlsyAXIoi+=m=Oi$RP_Vg#%|H8X1UDP7JD^2cSt;5 zM8=9I;wI+s^6_8n>?)v;S=S+<8%B$jWYNm|`CGP>41B{>)0t8y1ox62`lsAP z-v0dQzjxU|Zna4Uto8Uq&inQ|u2~OIw7I78Zt)^ZO#~2a{OPs;+>W+Pi`M=4h8|aM zkr23Gc?|e)SugJz>IEC`h)ky+FkXnB{J763oZ^PU z=nbPp$Y-^JgG9mbcDJB+Op#?q6J|nS=|yn_0b_uuhhGvo$wWdkJxD&Weu*p82~T+K3`{Fy~{(U!HBZ1^(V0fNdX6T~UU@ z5~NZh;ncqqS^E?sGnk}YDPH4Kynw}hqTHw}E~ux*m0~xm3^y#?a&Qi!A)v?$_JwK< z@Dus2e&wl8qvAWCjJ^XT`8!`A`z|`I%IpN#X7c=;7jiv;oPc&?0iLKVrxkj!`JlL6 zC;c^BEQO?U{q1(5P?vZ)IbF@rXozArUr#q)b3(1WEcF&kd3s^`eGeQJx?Hln=7~Oq z_+q2dL9T?d%(B`trjfR$Ste*q*stmJ)D(7hb7}r|lhJv-2mUSep#7SnBXL~6OyPE_ znGv0r3>-nx`Ol#?-6vmy+jb>m9bN%fy?%*Eihdjq_O7@TbtZfLq8goMd z1>ISW@K5#<6p{`tR#`!FCRRQ*vN1Tw@oGjZT*7pRT^M3woxS{baxHxH-;Xq3lPfzS z92SIRK!~Q9WHepdrk2A7_k?0Dnew&s#f%zX+RBd(9D6S$FPMazTI0avxr^QXUaj@P zsE|{wHdd;T79=Tu=E~ATJ>7>)+%=|=G8ftCE@GmZV+wlHOruNgnWUMgQX?>KJoK?` 
zsrAPK85ev3xyOtPjm_&LDfbfF39{#N9C5{pX3SKstUG)SGtsuNmncPcBumxT2me)O7E>MPYRZ0s@`uqi|WSrJFjb$eaw~$3H9h5vjdR{ z3@vJ=KQxgnh2jw|qc2oJWwjJxX6q@};X4`^TBnMyemUuICU=HcznoM~{H!5ArB6TM zU@-b=iA~*AR1{p-2XHzSBqXE-0qO3N80qfrZjc-tK^g|6Q$jk14(Sqx?r>-v8l;;6 zKA!ja>a25d*4p>`X8(WtG;>Jx^Q7i=yZ+P;m=DhXqmruYvm%rnicT!6GE#22lHAAa z*r7amtvg?xDbXL1(dO8-0~RLzWfVDw9LBZO3y`}1&OFPXvRrQ^Ej+a;yBS@=CUAwV zEd%ZXe%#KZ5}u)}@V(W8+$?){HraB<2 zGq*1UM#ei=^Yn2kAfp3m;tx>MDY0l`VTht2eOArDkXFon*ySRA;dyylF68B4fXD5X zA}#^Rjnl0_qIC;X>rgQhYz`NDH6O$td02u+9hk0n+ zuZ^F@g6PA%YiMCH=F!(JQlM89(SJm==qXndsMiR9;%ERsHhYSp9F)H!v{$8hX3W(x zr3aOK&?1)#e8AQ-YmA!^!M+EMGfUuQ>p{G z?OKk=q@wheD-)^U7~%E4 zaRD_K)BzNY+RcW=_LP9~r~s(%Aps6+6EC2FN*7Y*&E?e0=LAMP3jbZ~@HsN#cD`QR zW3q=GHGrnT9B0jpU>)>5$)5Knmt(U4!3!%4^` z=-x6ihQj?y)^D<4L6_wCJXYW;%4lQ<1;ZMA;KpTB0Gj}p@1-fiF3E)JY^=tHvM54~VgiPA~Ir(u$ zp@)V*P2puttu^3bkDkX!uf4XNc<6W53DlIyAgx`v%Z^{#nAd7}C;^-2B`l!*p5ekzk@d3QYDk>>Xf<#5^?CUr9 z$-~ck*;2%eh#K<@0IAGa9;k@^f$sa+2HKK{M1rOPxG{X9lO)NX{q2FFlA4SWZLqGm zs*rl%7*M?2$zzSVyWNdlH|gCb)7v3X@<@R3_*v-(=ADWxv0AyDrpLmS;ChOFSWp%1 zZIj?#3HBRTp7yRhMZvNkDE>#6nEQXFI;cvUw|LdvC?=#j9;npaY*u<&&P(S{!mFqj zMvobdA34yLc~DRphGg*t7|JtR9TJu;c|v9j8O=Mj0c|ux%2w+$aJ!suR~r!Xq0Nvx zk3%ps{w&ydq0sp-zs_=^(*JaSbG9I@tvD(61?m1snt2-g3zArE>9qdgz_KA{;|TC5 zU2e66GkIQqHo3+Fvyz}D>H$Y&@|yYh$%Gya?KRWoszu0WEBwOAh+Y>8np*vm9Obg3 zIY-SRk<^Nz^j2K_I>YLszb>&ZmB2#<^742ZVWFF2RFPV6x7s6hYN_OilkvQps7|wq zdA@Z=LR5gStDJjLcXZC=5rdwd&eXu0p7oDPtyYPwS_wsTq|G|3k(&MaQ3hCU#e`m| zV>KwF^;gXa4*nv&O~)}}&W4qebD;Oa=$&-l_U=}O`!u5p5#_CS0=rtjBSm-7qWQp? 
zTR~c7E_5yh9#llpy?iJ#L(RGODkUANZ#Du--)XA0Yc7(W7|0_0-NvZj6NiJ43A?C+2dBlA4fDaRS~2YQ$lk^Z z9SKxx>#6Q_s~)_JZkB$MVGT$U-Nsj;<8};bVY5su46#6Z#r|~3EvzStosee7pH$4L zhp#Nc`O%Qnv;37(*vj@TLViM@WhVB$jte>?JsBfZY|^0k+rgurl3WkT$WQmxV*9=j z(@CHU^hZ+_mtOpF9mWpU^+t(_J>i6ZkAqJJsq*SQp_}-bNw-bC%9#5O60^9vsd@7K zdN{O`_FdG>3&y6OEy%-2T8ycYE$`N^l#CNXZHHKJ(axuN?}M32v5o$qrUO&bGJNC9 zb*{U4X*^BAbQ>|~O2X{vrb-Jo>Yg4mkD5D`NI3H46{BNg=nNHMz*;g-w#K+}fEHoD zev4_U?>W3hNEP;=KXMBTRqS8II3Kz0M8RfO8iWZZ9ESV8A(|<-SMiWW|AzQ-99_%y zOWf(ksdiR-)G@-{MRPZ3hxQIji>y~L(COU^%506-R!$Niy;N6E)Yxqko3Nq5u{0%i z%>Avj^ltS#Ic521FXXE63cif?Zq`ojfw~cc-sB(CS)fODQ^b1gB9D3|RXf?zQk+-c zW0NFF?`VA!`=&$tg7h7WL_s4ziA|%L(N<7}3yp4I$yk6`a;316X@^9U4~vuTcgiZj@3^sOa@- zE{IHi_q4(N?}%=XL~o!xMhcl3p#2V_qx)I4P0+)!q$Pyy0XL}}af+{Y(-VX6c&o)< zwf(eKL2kyN^r^i##`)eY`}rW;eK4Lto}SZ>PYczmrVkqzhlg|clI>!Fm+(CrRaFo$ zDBuj!vu+~pE+>Vh6wx;{zUJtAMB)D^^alJWpSG<0I~U8u^Qy>PSa}WJ2GTO5TFreV zNR!G)L9T+WI(CFMulNY}q71tbqtyeI#kOLHrn0x7i-g$_zf>OVlqI#bT*@bRgeE7; z(E6oQ(DM6T%Uhx$J#)Gp@1D|{P3u1XSlmgt;&=^zEtkdn*u!p=|*L>G%Keu@Ys2LG>f0WU_bC}=6 z+v@vkaoNck4MGf0Qqn4~C4a+RH#>-HfrM96Vm<8hv+-f~Xvfw`h*3+5Zn&~JYVbIN zEz&wFeFxE8=W6p%b8+j|_xuf-r7EvjlEvgb`rH89&rryjVG!9V%prW#-(n$qezYQ+ z^njavIXc`3=JN?kr-4CUd7Njj7u7K`8r)8h*<-0m`cPTB6UZ z6&ne~glL)HPf%d?fKwaBL;iM2?t9d%+*J`-v;l(_P(I==eFuOW?<+IU`=9ivBP;2l zF!VX|-Frb9&yj_B$`#bY*zowfjC9)?wfRHJ0lcKp`7{smr3uJmwmXyDPMe_M28G@LC;$R zUj8cg3SD(+pG+4Id(aSEZ5K&T_z|Rp znh>u8S=M`pD{P9&YJ_0yCJ0rUhmM>idB>b0kvtr##IvzcD-8*=gpI8N%njJzA>^N+X%QA4DB%j)YxQ43N$=d)>Mlhq>@@k>A$Lk`U2Zfq0F1GWW?ZldXYs z&RX*0uaZR12}2T%QkTgOougc9y?a=qw6KYVZm=ljPL9p#3-ZKYXYmo)CY57&#ltn# zG@cp&(5bqb&(~N4a9|z@CT0Ndj*6lk@1$S_n^6+xkP@rNs9!+vp`&%cdmf^_J1i2N zBd_{3rkHO#(eGG?ihY5%q>Q&Jq)&IA@UUTwOjSufOR?31u7fA<@rG|v^?7E8o%xK) zt=}E9^u)8=^nVq#Y;+5p{aBRl^d(O~xgzTj2D^rhEQ#=`rNt_^5Q92f5A81sSzv_| z+%8PJNfnPuBM%;`{zus=Gv{jR63-j@E{CJD9}a6oDb6X=oHkz`P@BR@zI*R zq<$8Se<2R|O8s79BCD(kAH>{UbmXJsOF1b3oB{V>a_l$d2B>O!KV0Wv2D}(`PpOTE zetja%AXJh?@_~PT$ftOc3<_G@20fg>_r5$y4nHS)o*JJMJtv?Ci@T9JG#%DoU5Fsm 
z{c4HD-kT9gF_xcZ0(_Y}mlldA;MS7Y#-@Ea@5{e&%3{C3QYEdNy!w7x6{0Pgf^LFJ z?ZglGaHMW;Z0(4s9Go4*@fgrgnmkuVN|H!6yKQ1X^Ir&Bo;vCUkYxpCtlHwia z>Eg@y%2Y%A{an>}vn$`WGKE)?;=O8;AxIzGva3a`OpTM#si3(#(QI-9NuSgJ)Wjo0K(f4m7%m4Tgi4E9qZ5TXD!l zo&Ce!-0XsjjxpytJGjH$$=k)U8D;mh!NTrU>#N&rdm=Nj&3}S1#Fo}@nsWAoTd$I< z)=&!k=U7Rx%YY6YiME@QyN<`m**f`%*eDfqni;J)s^jy~Cu{eB!g znG;Yi?txtvc>RK1wJK0%qZ312IF}@`%~Os48q3I4=J(aI+uNgsQgV(N6`EZ2IPedl zHZ5em%u=F-EtSbN(zbrLCuXczg+y3*!0`_T@=p_#E=5 z%hu-z=}8qg@RwU&*GWAtqMy^%vTJzuymXSYp$`8HmyJG*MLP&E%oL2!(Gw;f$Z+pWX8XGzi7f@7v z7^EzxAP-+t$5JPZIi5<6m&t^zE*gt%QNme!qIBMalbLAr)jGo>+*FUEo1^t%02lHp zB+$-;v8_eTH})!cAOMO5I^)cjB@ zDImtLlIMnY>i^qbx2(TB^`~D?yPSsFULCRDSjLeU5*0*~$3qTO2c_N;VcqNH7icV1 z%K;Irgt;fJ4K{CenItqyrKm?mmI$S|=A0$T(vZ6C*yLflyJTp?rU;J)CA&&Lb82Z@ z*p5-VP9-$A4t8mALmT94|LsQ+#&!VbR1ZZ~tjf(NnaCbjT@*Ylk89O`l|w=Njr5)k zFjSdEtcg6U!uFAOPpKhH?K}0=#+a8}qESv!;#N8<^_f&=%wCcFYqZ6~K^XXh&Z#to zWBm?oglv*?5e_3K)5hrZ!cjAKG)8f2`87;`yNBhITij4qBl?$kmMKTABwH3sZ<&_Z z4SMae>t5T0IOR$PgISB@+ z^`9}(oma4P?9RzysD2T4Bj&0!+I@J|8h1u&4rwY!z>h7TfIojeHHj{y(68oR5$8%( z;s7n*>hdZ1FdD}z{ZtH8BQY;eUzcf^?jS3`ieke zCPpl_RyH^z>6@QnnIwx4KdNvuH9 z@B=Xlg|-@oU2ip#%*Kba5dNh%rWA$7G@p!&ST!UjE*-G0uULI13N4A=cUH1embY~@ zA}P!w@yBv-;fg;#GX0d-uGnls3}xWf-AYNmCd2v{J`SC+33vVrANwQ=Ze<Eqe$zx1&da|nHGYMNieCu+e0Kev;@ zewmC|ti>x-y*$UKSIDGOIO#cj;xMMYyhoEO9*PKyk3WRUh|v0I{f9m_cF?8%Lmyv1 z(?{iJ`l$Rn-0X}^C}fHSc{-p(2L2K*v?*ajq4g zB9NT#R{B+I8fBYZMvf;G_mpCSCxC4eIC?gMVAgqu6jZvW0 z%8%wGE3?AT{ttch_=i58iTy(#+peDJ<7HdZGkvW6mp;DN|A#(~&-`s`{$KhS;_yH8 zvHKtTSQ-2O=wmwFukClgrdffciYDhm%4O%rq!Gw-&0lBOt&h4;4qg`ejvnKkAZTlD zufF)(*-6vh2Ctv~{o;Z8IdK0FJF40IIPN_RIUEzo?Wy5K_xksicKWh4i8_&OW$+oLsbqy3AH|F3%X-Zq)Z9S&_@QZd1r$mS28U+vAW6}SoW zS1__%EUS@~Xz@}${iq5yl<{*$a(g+uD`(j!@02(23WMTnEk?OdUiHJ|oYabqdLo`N zKTr6#1zFtu(ui)gW;s<0O1MheYPy5nO&MACg*n!q?r(ccszOqhMbz8FL~EqKVlT#T z<+1Fp0h3{l)Myj2GCXju(aznXT2>LRq=!GLwe~84x-Cq}JcJ%GGK|eV3_%3K2NMMa z3ALJ0QndG0@p&sE4AZEe4uhEo#>VCK`@7086Z#ger|3_@pQB zsX+h~56Cy!{{)zHr3&$Gj;}v_p WT}wMp=txLUPd(rZIFbMb(tiOQqD5E$ literal 0 
HcmV?d00001
diff --git a/operators/cloudnative-pg/0.0.1/ix_values.yaml b/operators/cloudnative-pg/0.0.1/ix_values.yaml
new file mode 100644
index 00000000000..191b74f091a
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/ix_values.yaml
@@ -0,0 +1,817 @@
+image:
+ repository: ghcr.io/cloudnative-pg/cloudnative-pg
+ tag: "1.20.0"
+ pullPolicy:
+
+workload:
+ main:
+ podSpec:
+ containers:
+ main:
+ args:
+ - controller
+ - --leader-elect
+ - --config-map-name={{ include "tc.v1.common.lib.chart.names.fullname" $ }}-config
+ - --secret-name={{ include "tc.v1.common.lib.chart.names.fullname" $ }}-config
+ - --webhook-port={{ $.Values.service.main.ports.main.targetPort }}
+ command:
+ - /manager
+ probes:
+ liveness:
+ port: main
+ path: /readyz
+ readiness:
+ port: main
+ path: /readyz
+ startup:
+ port: main
+ type: tcp
+ env:
+ OPERATOR_IMAGE_NAME: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ OPERATOR_NAMESPACE:
+ fieldRef:
+ fieldPath: metadata.namespace
+ MONITORING_QUERIES_CONFIGMAP: '{{ include "tc.v1.common.lib.chart.names.fullname" $ }}-monitoring'
+
+podOptions:
+ automountServiceAccountToken: true
+
+service:
+ main:
+ ports:
+ main:
+ protocol: https
+ port: 443
+ targetPort: 9443
+ metrics:
+ enabled: true
+ ports:
+ metrics:
+ enabled: true
+ protocol: http
+ port: 8080
+
+operator:
+ register: true
+
+persistence:
+ scratch-data:
+ enabled: true
+ type: emptyDir
+ mountPath: /controller
+ webhook-certificates:
+ enabled: true
+ type: secret
+ objectName: cnpg-webhook-cert
+ expandObjectName: false
+ optional: true
+ defaultMode: "0420"
+ readOnly: true
+ targetSelector:
+ main:
+ main:
+ mountPath: "/run/secrets/cnpg.io/webhook"
+
+portal:
+ open:
+ enabled: false
+
+metrics:
+ main:
+ enabled: false
+ type: "podmonitor"
+ endpoints:
+ - port: metrics
+ interval: 5s
+ scrapeTimeout: 5s
+ path: /
+ honorLabels: false
+
+rbac:
+ main:
+ enabled: true
+ primary: true
+ clusterWide: true
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - 
create
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - update
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - podmonitors
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - policy
+ 
resources:
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - backups
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - backups/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - clusters
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - clusters/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - clusters/status
+ verbs:
+ - get
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - poolers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - poolers/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - poolers/status
+ verbs:
+ - get
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - scheduledbackups
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - scheduledbackups/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+serviceAccount:
+ main:
+ enabled: true
+ primary: true
+
+webhook:
+ mutating:
+ create: true
+ failurePolicy: Fail
+ validating:
+ create: true
+ failurePolicy: Fail
+
+manifestManager:
+ enabled: true
+ staging: false
+ install: false
+ check: false
+ delete: true
+
+configmap:
+ config:
+ enabled: true
+ data:
+ CREATE_ANY_SERVICE: "true"
+ monitoring:
+ enabled: 
true
+ data:
+ queries: |
+ backends:
+ query: |
+ SELECT sa.datname
+ , sa.usename
+ , sa.application_name
+ , states.state
+ , COALESCE(sa.count, 0) AS total
+ , COALESCE(sa.max_tx_secs, 0) AS max_tx_duration_seconds
+ FROM ( VALUES ('active')
+ , ('idle')
+ , ('idle in transaction')
+ , ('idle in transaction (aborted)')
+ , ('fastpath function call')
+ , ('disabled')
+ ) AS states(state)
+ LEFT JOIN (
+ SELECT datname
+ , state
+ , usename
+ , COALESCE(application_name, '') AS application_name
+ , COUNT(*)
+ , COALESCE(EXTRACT (EPOCH FROM (max(now() - xact_start))), 0) AS max_tx_secs
+ FROM pg_catalog.pg_stat_activity
+ GROUP BY datname, state, usename, application_name
+ ) sa ON states.state = sa.state
+ WHERE sa.usename IS NOT NULL
+ metrics:
+ - datname:
+ usage: "LABEL"
+ description: "Name of the database"
+ - usename:
+ usage: "LABEL"
+ description: "Name of the user"
+ - application_name:
+ usage: "LABEL"
+ description: "Name of the application"
+ - state:
+ usage: "LABEL"
+ description: "State of the backend"
+ - total:
+ usage: "GAUGE"
+ description: "Number of backends"
+ - max_tx_duration_seconds:
+ usage: "GAUGE"
+ description: "Maximum duration of a transaction in seconds"
+
+ backends_waiting:
+ query: |
+ SELECT count(*) AS total
+ FROM pg_catalog.pg_locks blocked_locks
+ JOIN pg_catalog.pg_locks blocking_locks
+ ON blocking_locks.locktype = blocked_locks.locktype
+ AND blocking_locks.database IS NOT DISTINCT FROM blocked_locks.database
+ AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation
+ AND blocking_locks.page IS NOT DISTINCT FROM blocked_locks.page
+ AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple
+ AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid
+ AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid
+ AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid
+ AND blocking_locks.objid IS NOT DISTINCT FROM blocked_locks.objid
+ AND 
blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid
+ AND blocking_locks.pid != blocked_locks.pid
+ JOIN pg_catalog.pg_stat_activity blocking_activity ON blocking_activity.pid = blocking_locks.pid
+ WHERE NOT blocked_locks.granted
+ metrics:
+ - total:
+ usage: "GAUGE"
+ description: "Total number of backends that are currently waiting on other queries"
+
+ pg_database:
+ query: |
+ SELECT datname
+ , pg_catalog.pg_database_size(datname) AS size_bytes
+ , pg_catalog.age(datfrozenxid) AS xid_age
+ , pg_catalog.mxid_age(datminmxid) AS mxid_age
+ FROM pg_catalog.pg_database
+ metrics:
+ - datname:
+ usage: "LABEL"
+ description: "Name of the database"
+ - size_bytes:
+ usage: "GAUGE"
+ description: "Disk space used by the database"
+ - xid_age:
+ usage: "GAUGE"
+ description: "Number of transactions from the frozen XID to the current one"
+ - mxid_age:
+ usage: "GAUGE"
+ description: "Number of multiple transactions (Multixact) from the frozen XID to the current one"
+
+ pg_postmaster:
+ query: |
+ SELECT EXTRACT(EPOCH FROM pg_postmaster_start_time) AS start_time
+ FROM pg_catalog.pg_postmaster_start_time()
+ metrics:
+ - start_time:
+ usage: "GAUGE"
+ description: "Time at which postgres started (based on epoch)"
+
+ pg_replication:
+ query: "SELECT CASE WHEN NOT pg_catalog.pg_is_in_recovery()
+ THEN 0
+ ELSE GREATEST (0,
+ EXTRACT(EPOCH FROM (now() - pg_catalog.pg_last_xact_replay_timestamp())))
+ END AS lag,
+ pg_catalog.pg_is_in_recovery() AS in_recovery,
+ EXISTS (TABLE pg_stat_wal_receiver) AS is_wal_receiver_up,
+ (SELECT count(*) FROM pg_stat_replication) AS streaming_replicas"
+ metrics:
+ - lag:
+ usage: "GAUGE"
+ description: "Replication lag behind primary in seconds"
+ - in_recovery:
+ usage: "GAUGE"
+ description: "Whether the instance is in recovery"
+ - is_wal_receiver_up:
+ usage: "GAUGE"
+ description: "Whether the instance wal_receiver is up"
+ - streaming_replicas:
+ usage: "GAUGE"
+ description: "Number of streaming replicas 
connected to the instance"
+
+ pg_replication_slots:
+ query: |
+ SELECT slot_name,
+ slot_type,
+ database,
+ active,
+ pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), restart_lsn)
+ FROM pg_catalog.pg_replication_slots
+ WHERE NOT temporary
+ metrics:
+ - slot_name:
+ usage: "LABEL"
+ description: "Name of the replication slot"
+ - slot_type:
+ usage: "LABEL"
+ description: "Type of the replication slot"
+ - database:
+ usage: "LABEL"
+ description: "Name of the database"
+ - active:
+ usage: "GAUGE"
+ description: "Flag indicating whether the slot is active"
+ - pg_wal_lsn_diff:
+ usage: "GAUGE"
+ description: "Replication lag in bytes"
+
+ pg_stat_archiver:
+ query: |
+ SELECT archived_count
+ , failed_count
+ , COALESCE(EXTRACT(EPOCH FROM (now() - last_archived_time)), -1) AS seconds_since_last_archival
+ , COALESCE(EXTRACT(EPOCH FROM (now() - last_failed_time)), -1) AS seconds_since_last_failure
+ , COALESCE(EXTRACT(EPOCH FROM last_archived_time), -1) AS last_archived_time
+ , COALESCE(EXTRACT(EPOCH FROM last_failed_time), -1) AS last_failed_time
+ , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_archived_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_archived_wal_start_lsn
+ , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_failed_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_failed_wal_start_lsn
+ , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
+ FROM pg_catalog.pg_stat_archiver
+ metrics:
+ - archived_count:
+ usage: "COUNTER"
+ description: "Number of WAL files that have been successfully archived"
+ - failed_count:
+ usage: "COUNTER"
+ description: "Number of failed attempts for archiving WAL files"
+ - seconds_since_last_archival:
+ usage: "GAUGE"
+ description: "Seconds since the last successful archival operation"
+ - seconds_since_last_failure:
+ usage: "GAUGE"
+ description: "Seconds since the last failed archival operation"
+ - 
last_archived_time:
+ usage: "GAUGE"
+ description: "Epoch of the last time WAL archiving succeeded"
+ - last_failed_time:
+ usage: "GAUGE"
+ description: "Epoch of the last time WAL archiving failed"
+ - last_archived_wal_start_lsn:
+ usage: "GAUGE"
+ description: "Archived WAL start LSN"
+ - last_failed_wal_start_lsn:
+ usage: "GAUGE"
+ description: "Last failed WAL LSN"
+ - stats_reset_time:
+ usage: "GAUGE"
+ description: "Time at which these statistics were last reset"
+
+ pg_stat_bgwriter:
+ query: |
+ SELECT checkpoints_timed
+ , checkpoints_req
+ , checkpoint_write_time
+ , checkpoint_sync_time
+ , buffers_checkpoint
+ , buffers_clean
+ , maxwritten_clean
+ , buffers_backend
+ , buffers_backend_fsync
+ , buffers_alloc
+ FROM pg_catalog.pg_stat_bgwriter
+ metrics:
+ - checkpoints_timed:
+ usage: "COUNTER"
+ description: "Number of scheduled checkpoints that have been performed"
+ - checkpoints_req:
+ usage: "COUNTER"
+ description: "Number of requested checkpoints that have been performed"
+ - checkpoint_write_time:
+ usage: "COUNTER"
+ description: "Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds"
+ - checkpoint_sync_time:
+ usage: "COUNTER"
+ description: "Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds"
+ - buffers_checkpoint:
+ usage: "COUNTER"
+ description: "Number of buffers written during checkpoints"
+ - buffers_clean:
+ usage: "COUNTER"
+ description: "Number of buffers written by the background writer"
+ - maxwritten_clean:
+ usage: "COUNTER"
+ description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers"
+ - buffers_backend:
+ usage: "COUNTER"
+ description: "Number of buffers written directly by a backend"
+ - buffers_backend_fsync:
+ usage: "COUNTER"
+ description: "Number of times a backend had to execute its own fsync call 
(normally the background writer handles those even when the backend does its own write)"
+ - buffers_alloc:
+ usage: "COUNTER"
+ description: "Number of buffers allocated"
+
+ pg_stat_database:
+ query: |
+ SELECT datname
+ , xact_commit
+ , xact_rollback
+ , blks_read
+ , blks_hit
+ , tup_returned
+ , tup_fetched
+ , tup_inserted
+ , tup_updated
+ , tup_deleted
+ , conflicts
+ , temp_files
+ , temp_bytes
+ , deadlocks
+ , blk_read_time
+ , blk_write_time
+ FROM pg_catalog.pg_stat_database
+ metrics:
+ - datname:
+ usage: "LABEL"
+ description: "Name of this database"
+ - xact_commit:
+ usage: "COUNTER"
+ description: "Number of transactions in this database that have been committed"
+ - xact_rollback:
+ usage: "COUNTER"
+ description: "Number of transactions in this database that have been rolled back"
+ - blks_read:
+ usage: "COUNTER"
+ description: "Number of disk blocks read in this database"
+ - blks_hit:
+ usage: "COUNTER"
+ description: "Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache)"
+ - tup_returned:
+ usage: "COUNTER"
+ description: "Number of rows returned by queries in this database"
+ - tup_fetched:
+ usage: "COUNTER"
+ description: "Number of rows fetched by queries in this database"
+ - tup_inserted:
+ usage: "COUNTER"
+ description: "Number of rows inserted by queries in this database"
+ - tup_updated:
+ usage: "COUNTER"
+ description: "Number of rows updated by queries in this database"
+ - tup_deleted:
+ usage: "COUNTER"
+ description: "Number of rows deleted by queries in this database"
+ - conflicts:
+ usage: "COUNTER"
+ description: "Number of queries canceled due to conflicts with recovery in this database"
+ - temp_files:
+ usage: "COUNTER"
+ description: "Number of temporary files created by queries in this database"
+ - temp_bytes:
+ usage: "COUNTER"
+ description: "Total amount of data 
written to temporary files by queries in this database" + - deadlocks: + usage: "COUNTER" + description: "Number of deadlocks detected in this database" + - blk_read_time: + usage: "COUNTER" + description: "Time spent reading data file blocks by backends in this database, in milliseconds" + - blk_write_time: + usage: "COUNTER" + description: "Time spent writing data file blocks by backends in this database, in milliseconds" + + pg_stat_replication: + primary: true + query: | + SELECT usename + , COALESCE(application_name, '') AS application_name + , COALESCE(client_addr::text, '') AS client_addr + , EXTRACT(EPOCH FROM backend_start) AS backend_start + , COALESCE(pg_catalog.age(backend_xmin), 0) AS backend_xmin_age + , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), sent_lsn) AS sent_diff_bytes + , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), write_lsn) AS write_diff_bytes + , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), flush_lsn) AS flush_diff_bytes + , COALESCE(pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), replay_lsn),0) AS replay_diff_bytes + , COALESCE((EXTRACT(EPOCH FROM write_lag)),0)::float AS write_lag_seconds + , COALESCE((EXTRACT(EPOCH FROM flush_lag)),0)::float AS flush_lag_seconds + , COALESCE((EXTRACT(EPOCH FROM replay_lag)),0)::float AS replay_lag_seconds + FROM pg_catalog.pg_stat_replication + metrics: + - usename: + usage: "LABEL" + description: "Name of the replication user" + - application_name: + usage: "LABEL" + description: "Name of the application" + - client_addr: + usage: "LABEL" + description: "Client IP address" + - backend_start: + usage: "COUNTER" + description: "Time when this process was started" + - backend_xmin_age: + usage: "COUNTER" + description: "The age of this standby's xmin horizon" + - sent_diff_bytes: + usage: "GAUGE" + description: "Difference in bytes from the last write-ahead log location sent on this connection" + - write_diff_bytes: + usage: "GAUGE" + description: 
"Difference in bytes from the last write-ahead log location written to disk by this standby server" + - flush_diff_bytes: + usage: "GAUGE" + description: "Difference in bytes from the last write-ahead log location flushed to disk by this standby server" + - replay_diff_bytes: + usage: "GAUGE" + description: "Difference in bytes from the last write-ahead log location replayed into the database on this standby server" + - write_lag_seconds: + usage: "GAUGE" + description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written it" + - flush_lag_seconds: + usage: "GAUGE" + description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written and flushed it" + - replay_lag_seconds: + usage: "GAUGE" + description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written, flushed and applied it" + + pg_settings: + query: | + SELECT name, + CASE setting WHEN 'on' THEN '1' WHEN 'off' THEN '0' ELSE setting END AS setting + FROM pg_catalog.pg_settings + WHERE vartype IN ('integer', 'real', 'bool') + ORDER BY 1 + metrics: + - name: + usage: "LABEL" + description: "Name of the setting" + - setting: + usage: "GAUGE" + description: "Setting value" diff --git a/operators/cloudnative-pg/0.0.1/questions.yaml b/operators/cloudnative-pg/0.0.1/questions.yaml new file mode 100644 index 00000000000..09cd4d68201 --- /dev/null +++ b/operators/cloudnative-pg/0.0.1/questions.yaml 
@@ -0,0 +1,45 @@
+groups:
+ - name: Container Image
+ description: Image to be used for container
+ - name: General Settings
+ description: General Deployment Settings
+ - name: Workload Settings
+ description: Workload Settings
+ - name: App Configuration
+ description: App Specific Config Options
+ - name: Networking and Services
+ description: Configure Network and Services for Container
+ - name: Storage and Persistence
+ description: Persist and Share Data that is Separate from the Container
+ - name: Ingress
+ description: Ingress Configuration
+ - name: Security and Permissions
+ description: Configure Security Context and Permissions
+ - name: Resources and Devices
+ description: "Specify Resources/Devices to be Allocated to Workload"
+ - name: Middlewares
+ description: Traefik Middlewares
+ - name: Metrics
+ description: Metrics
+ - name: Addons
+ description: Addon Configuration
+ - name: Advanced
+ description: Advanced Configuration
+ - name: Postgresql
+ description: Postgresql
+ - name: Documentation
+ description: Documentation
+questions:
+ - variable: global
+ group: General Settings
+ label: "Global Settings"
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: stopAll
+ label: Stop All
+ description: "Stops All Running pods and hibernates cnpg"
+ schema:
+ type: boolean
+ default: false
diff --git a/operators/cloudnative-pg/0.0.1/templates/NOTES.txt b/operators/cloudnative-pg/0.0.1/templates/NOTES.txt
new file mode 100644
index 00000000000..efcb74cb772
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/templates/NOTES.txt
@@ -0,0 +1 @@
+{{- include "tc.v1.common.lib.chart.notes" $ -}}
diff --git a/operators/cloudnative-pg/0.0.1/templates/_mutatingwebhookconfiguration.tpl b/operators/cloudnative-pg/0.0.1/templates/_mutatingwebhookconfiguration.tpl
new file mode 100644
index 00000000000..e77dbb4a5fd
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/templates/_mutatingwebhookconfiguration.tpl
@@ -0,0 +1,85 @@
+{{- define "cnpg.webhooks.mutating" -}}
+{{- if .Values.webhook.mutating.create }}
+{{- $cnpgLabels := .Values.webhook.validating.labels -}}
+{{- $cnpgAnnotations := .Values.webhook.validating.annotations -}}
+{{- $labels := (mustMerge ($cnpgLabels | default dict) (include "tc.v1.common.lib.metadata.allLabels" $ | fromYaml)) }}
+{{- $annotations := (mustMerge ($cnpgAnnotations | default dict) (include "tc.v1.common.lib.metadata.allAnnotations" $ | fromYaml)) }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: cnpg-mutating-webhook-configuration
+ {{- with (include "tc.v1.common.lib.metadata.render" (dict "rootCtx" $ "labels" $labels) | trim) }}
+ labels:
+ {{- . | nindent 4 }}
+ {{- end }}
+ {{- with (include "tc.v1.common.lib.metadata.render" (dict "rootCtx" $ "annotations" $annotations) | trim) }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "tc.v1.common.lib.chart.names.fullname" $ }}
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-postgresql-cnpg-io-v1-backup
+ port: {{ .Values.service.main.ports.main.port }}
+ failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+ name: mbackup.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - backups
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "tc.v1.common.lib.chart.names.fullname" $ }}
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-postgresql-cnpg-io-v1-cluster
+ port: {{ .Values.service.main.ports.main.port }}
+ failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+ name: mcluster.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusters
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "tc.v1.common.lib.chart.names.fullname" $ }}
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-postgresql-cnpg-io-v1-scheduledbackup
+ port: {{ .Values.service.main.ports.main.port }}
+ failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+ name: mscheduledbackup.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - scheduledbackups
+ sideEffects: None
+{{- end }}
+{{- end -}}
diff --git a/operators/cloudnative-pg/0.0.1/templates/_validatingwebhookconfiguration.tpl b/operators/cloudnative-pg/0.0.1/templates/_validatingwebhookconfiguration.tpl
new file mode 100644
index 00000000000..35d35d75665
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/templates/_validatingwebhookconfiguration.tpl
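Review bot: The mutating template takes its extra labels and annotations from the validating webhook's values: `$cnpgLabels := .Values.webhook.validating.labels` and `$cnpgAnnotations := .Values.webhook.validating.annotations` sit directly under `if .Values.webhook.mutating.create`. Anything an operator sets under `webhook.mutating` for metadata is therefore ignored, and the MutatingWebhookConfiguration is stamped with the validating webhook's metadata instead, which matters wherever labels or annotations drive policy or audit selection. This looks like a copy-paste slip from `_validatingwebhookconfiguration.tpl`; assuming `ix_values.yaml` defines the matching keys (not visible here), the two lines should read `.Values.webhook.mutating.labels` and `.Values.webhook.mutating.annotations`.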
@@ -0,0 +1,106 @@
+{{- define "cnpg.webhooks.validating" -}}
+{{- if .Values.webhook.validating.create }}
+{{- $cnpgLabels := .Values.webhook.validating.labels -}}
+{{- $cnpgAnnotations := .Values.webhook.validating.annotations -}}
+{{- $labels := (mustMerge ($cnpgLabels | default dict) (include "tc.v1.common.lib.metadata.allLabels" $ | fromYaml)) }}
+{{- $annotations := (mustMerge ($cnpgAnnotations | default dict) (include "tc.v1.common.lib.metadata.allAnnotations" $ | fromYaml)) }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: cnpg-validating-webhook-configuration
+ {{- with (include "tc.v1.common.lib.metadata.render" (dict "rootCtx" $ "labels" $labels) | trim) }}
+ labels:
+ {{- . | nindent 4 }}
+ {{- end }}
+ {{- with (include "tc.v1.common.lib.metadata.render" (dict "rootCtx" $ "annotations" $annotations) | trim) }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "tc.v1.common.lib.chart.names.fullname" $ }}
+ namespace: {{ .Release.Namespace }}
+ path: /validate-postgresql-cnpg-io-v1-backup
+ port: {{ .Values.service.main.ports.main.port }}
+ failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+ name: vbackup.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - backups
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "tc.v1.common.lib.chart.names.fullname" $ }}
+ namespace: {{ .Release.Namespace }}
+ path: /validate-postgresql-cnpg-io-v1-cluster
+ port: {{ .Values.service.main.ports.main.port }}
+ failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+ name: vcluster.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusters
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "tc.v1.common.lib.chart.names.fullname" $ }}
+ namespace: {{ .Release.Namespace }}
+ path: /validate-postgresql-cnpg-io-v1-scheduledbackup
+ port: {{ .Values.service.main.ports.main.port }}
+ failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+ name: vscheduledbackup.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - scheduledbackups
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "tc.v1.common.lib.chart.names.fullname" $ }}
+ namespace: {{ .Release.Namespace }}
+ path: /validate-postgresql-cnpg-io-v1-pooler
+ port: {{ .Values.service.main.ports.main.port }}
+ failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+ name: vpooler.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - poolers
+ sideEffects: None
+{{- end }}
+{{- end -}}
diff --git a/operators/cloudnative-pg/0.0.1/templates/common.yaml b/operators/cloudnative-pg/0.0.1/templates/common.yaml
new file mode 100644
index 00000000000..3b4deaf3d17
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/templates/common.yaml
@@ -0,0 +1,8 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "tc.v1.common.loader.init" . }}
+
+{{- include "cnpg.webhooks.validating" . -}}
+{{- include "cnpg.webhooks.mutating" . -}}
+
+{{/* Render the templates */}}
+{{ include "tc.v1.common.loader.apply" . }}
diff --git a/operators/cloudnative-pg/0.0.1/templates/crds.yaml b/operators/cloudnative-pg/0.0.1/templates/crds.yaml
new file mode 100644
index 00000000000..50f8ad30c1c
--- /dev/null
+++ b/operators/cloudnative-pg/0.0.1/templates/crds.yaml
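Review bot: `failurePolicy: {{ .Values.webhook.validating.failurePolicy }}` is rendered on all four validating webhooks with no default and no check of the value. Whether Backup, Cluster, ScheduledBackup and Pooler objects are rejected or admitted unvalidated while the operator service is unreachable therefore depends entirely on a value this template does not constrain. With `Ignore` the validation is skipped silently during an operator outage, and an unset value renders a bare `failurePolicy:`. I would render `failurePolicy: {{ .Values.webhook.validating.failurePolicy | default "Fail" }}` and add a comment next to the value saying that `Ignore` makes admission fail-open. The same applies to the three `.Values.webhook.mutating.failurePolicy` lines in `_mutatingwebhookconfiguration.tpl`.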
@@ -0,0 +1,11805 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + helm.sh/resource-policy: keep + creationTimestamp: null + name: backups.postgresql.cnpg.io +spec: + group: postgresql.cnpg.io + names: + kind: Backup + listKind: BackupList + plural: backups + singular: backup + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.cluster.name + name: Cluster + type: string + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .status.error + name: Error + type: string + name: v1 + schema: + openAPIV3Schema: + description: Backup is the Schema for the backups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Specification of the desired behavior of the backup. More + info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + cluster: + description: The cluster to backup + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + target: + description: The policy to decide which instance should perform this + backup. 
If empty, it defaults to `cluster.spec.backup.target`. Available + options are empty string, `primary` and `prefer-standby`. `primary` + to have backups run always on primary instances, `prefer-standby` + to have backups run preferably on the most updated standby, if available. + enum: + - primary + - prefer-standby + type: string + type: object + status: + description: 'Most recently observed status of the backup. This data may + not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + azureCredentials: + description: The credentials to use to upload data to Azure Blob Storage + properties: + connectionString: + description: The connection string to be used + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + inheritFromAzureAD: + description: Use the Azure AD based authentication without providing + explicitly the keys. + type: boolean + storageAccount: + description: The storage account where to upload data + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + storageKey: + description: The storage account key to be used in conjunction + with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + storageSasToken: + description: A shared-access-signature to be used in conjunction + with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + type: object + backupId: + description: The ID of the Barman backup + type: string + backupName: + description: The Name of the Barman backup + type: string + beginLSN: + description: The starting xlog + type: string + beginWal: + description: The starting WAL + type: string + commandError: + description: The backup command output in case of error + type: string + commandOutput: + description: Unused. Retained for compatibility with old versions. + type: string + destinationPath: + description: The path where to store the backup (i.e. s3://bucket/path/to/folder) + this path, with different destination folders, will be used for + WALs and for data. This may not be populated in case of errors. + type: string + encryption: + description: Encryption method required to S3 API + type: string + endLSN: + description: The ending xlog + type: string + endWal: + description: The ending WAL + type: string + endpointCA: + description: EndpointCA store the CA bundle of the barman endpoint. + Useful when using self-signed certificates to avoid errors with + certificate issuer and barman-cloud-wal-archive. + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + endpointURL: + description: Endpoint to be used to upload data to the cloud, overriding + the automatic endpoint discovery + type: string + error: + description: The detected error + type: string + googleCredentials: + description: The credentials to use to upload data to Google Cloud + Storage + properties: + applicationCredentials: + description: The secret containing the Google Cloud Storage JSON + file with the credentials + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + gkeEnvironment: + description: If set to true, will presume that it's running inside + a GKE environment, default to false. + type: boolean + type: object + instanceID: + description: Information to identify the instance where the backup + has been taken from + properties: + ContainerID: + description: The container ID + type: string + podName: + description: The pod name + type: string + type: object + phase: + description: The last backup status + type: string + s3Credentials: + description: The credentials to use to upload data to S3 + properties: + accessKeyId: + description: The reference to the access key id + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + inheritFromIAMRole: + description: Use the role based authentication without providing + explicitly the keys. + type: boolean + region: + description: The reference to the secret containing the region + name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + secretAccessKey: + description: The reference to the secret access key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + sessionToken: + description: The references to the session key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + type: object + serverName: + description: The server name on S3, the cluster name is used if this + parameter is omitted + type: string + startedAt: + description: When the backup was started + format: date-time + type: string + stoppedAt: + description: When the backup was terminated + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusters.postgresql.cnpg.io +spec: + group: postgresql.cnpg.io + names: + kind: Cluster + listKind: ClusterList + plural: clusters + singular: cluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Number of instances + jsonPath: .status.instances + name: Instances + type: integer + - description: Number of ready instances + jsonPath: .status.readyInstances + name: Ready + type: integer + - description: Cluster current status + jsonPath: .status.phase + name: Status + type: string + - description: Primary pod + jsonPath: .status.currentPrimary + name: Primary + type: string + name: v1 + schema: + openAPIV3Schema: + description: Cluster is the Schema for the PostgreSQL API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Specification of the desired behavior of the cluster. More + info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + affinity: + description: Affinity/Anti-affinity rules for Pods + properties: + additionalPodAffinity: + description: AdditionalPodAffinity allows to specify pod affinity + terms to be passed to all the cluster's pods. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. 
+ properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + additionalPodAntiAffinity: + description: AdditionalPodAntiAffinity allows to specify pod anti-affinity + terms to be added to the ones generated by the operator if EnablePodAntiAffinity + is set to true (default) or to be used exclusively if set to + false. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the anti-affinity expressions specified + by this field, but it may choose a node that violates one + or more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. 
for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". 
+ The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. 
The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its + node. When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. 
+ properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + enablePodAntiAffinity: + description: Activates anti-affinity for the pods. 
The operator + will define pods anti-affinity unless this field is explicitly + set to false + type: boolean + nodeAffinity: + description: 'NodeAffinity describes node affinity scheduling + rules for the pod. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity' + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. 
If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. 
due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. 
If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is map of key-value pairs used to define + the nodes on which the pods can run. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + podAntiAffinityType: + description: 'PodAntiAffinityType allows the user to decide whether + pod anti-affinity between cluster instance has to be considered + a strong requirement during scheduling or not. Allowed values + are: "preferred" (default if empty) or "required". Setting it + to "required", could lead to instances remaining pending until + new kubernetes nodes are added if all the existing nodes don''t + match the required pod anti-affinity rule. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity' + type: string + tolerations: + description: 'Tolerations is a list of Tolerations that should + be set for all the pods, in order to allow them to run on tainted + nodes. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. 
When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologyKey: + description: TopologyKey to use for anti-affinity configuration. + See k8s documentation for more info on that + type: string + type: object + backup: + description: The configuration to be used for backups + properties: + barmanObjectStore: + description: The configuration for the barman-cloud tool suite + properties: + azureCredentials: + description: The credentials to use to upload data to Azure + Blob Storage + properties: + connectionString: + description: The connection string to be used + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + inheritFromAzureAD: + description: Use the Azure AD based authentication without + providing explicitly the keys. + type: boolean + storageAccount: + description: The storage account where to upload data + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + storageKey: + description: The storage account key to be used in conjunction + with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + storageSasToken: + description: A shared-access-signature to be used in conjunction + with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: object + data: + description: The configuration to be used to backup the data + files When not defined, base backups files will be stored + uncompressed and may be unencrypted in the object store, + according to the bucket default policy. + properties: + compression: + description: Compress a backup file (a tar file per tablespace) + while streaming it to the object store. Available options + are empty string (no compression, default), `gzip`, + `bzip2` or `snappy`. + enum: + - gzip + - bzip2 + - snappy + type: string + encryption: + description: Whenever to force the encryption of files + (if the bucket is not already configured for that). 
+ Allowed options are empty string (use the bucket policy, + default), `AES256` and `aws:kms` + enum: + - AES256 + - aws:kms + type: string + immediateCheckpoint: + description: Control whether the I/O workload for the + backup initial checkpoint will be limited, according + to the `checkpoint_completion_target` setting on the + PostgreSQL server. If set to true, an immediate checkpoint + will be used, meaning PostgreSQL will complete the checkpoint + as soon as possible. `false` by default. + type: boolean + jobs: + description: The number of parallel jobs to be used to + upload the backup, defaults to 2 + format: int32 + minimum: 1 + type: integer + type: object + destinationPath: + description: The path where to store the backup (i.e. s3://bucket/path/to/folder) + this path, with different destination folders, will be used + for WALs and for data + minLength: 1 + type: string + endpointCA: + description: EndpointCA store the CA bundle of the barman + endpoint. Useful when using self-signed certificates to + avoid errors with certificate issuer and barman-cloud-wal-archive + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + endpointURL: + description: Endpoint to be used to upload data to the cloud, + overriding the automatic endpoint discovery + type: string + googleCredentials: + description: The credentials to use to upload data to Google + Cloud Storage + properties: + applicationCredentials: + description: The secret containing the Google Cloud Storage + JSON file with the credentials + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + gkeEnvironment: + description: If set to true, will presume that it's running + inside a GKE environment, default to false. 
+ type: boolean + type: object + historyTags: + additionalProperties: + type: string + description: HistoryTags is a list of key value pairs that + will be passed to the Barman --history-tags option. + type: object + s3Credentials: + description: The credentials to use to upload data to S3 + properties: + accessKeyId: + description: The reference to the access key id + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + inheritFromIAMRole: + description: Use the role based authentication without + providing explicitly the keys. + type: boolean + region: + description: The reference to the secret containing the + region name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + secretAccessKey: + description: The reference to the secret access key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + sessionToken: + description: The references to the session key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: object + serverName: + description: The server name on S3, the cluster name is used + if this parameter is omitted + type: string + tags: + additionalProperties: + type: string + description: Tags is a list of key value pairs that will be + passed to the Barman --tags option. + type: object + wal: + description: The configuration for the backup of the WAL stream. + When not defined, WAL files will be stored uncompressed + and may be unencrypted in the object store, according to + the bucket default policy. 
+ properties: + compression: + description: Compress a WAL file before sending it to + the object store. Available options are empty string + (no compression, default), `gzip`, `bzip2` or `snappy`. + enum: + - gzip + - bzip2 + - snappy + type: string + encryption: + description: Whenever to force the encryption of files + (if the bucket is not already configured for that). + Allowed options are empty string (use the bucket policy, + default), `AES256` and `aws:kms` + enum: + - AES256 + - aws:kms + type: string + maxParallel: + description: Number of WAL files to be either archived + in parallel (when the PostgreSQL instance is archiving + to a backup object store) or restored in parallel (when + a PostgreSQL standby is fetching WAL files from a recovery + object store). If not specified, WAL files will be processed + one at a time. It accepts a positive integer as a value + - with 1 being the minimum accepted value. + minimum: 1 + type: integer + type: object + required: + - destinationPath + type: object + retentionPolicy: + description: RetentionPolicy is the retention policy to be used + for backups and WALs (i.e. '60d'). The retention policy is expressed + in the form of `XXu` where `XX` is a positive integer and `u` + is in `[dwm]` - days, weeks, months. + pattern: ^[1-9][0-9]*[dwm]$ + type: string + target: + default: prefer-standby + description: The policy to decide which instance should perform + backups. Available options are empty string, which will default + to `prefer-standby` policy, `primary` to have backups run always + on primary instances, `prefer-standby` to have backups run preferably + on the most updated standby, if available. 
+ enum: + - primary + - prefer-standby + type: string + type: object + bootstrap: + description: Instructions to bootstrap this cluster + properties: + initdb: + description: Bootstrap the cluster via initdb + properties: + dataChecksums: + description: 'Whether the `-k` option should be passed to + initdb, enabling checksums on data pages (default: `false`)' + type: boolean + database: + description: 'Name of the database used by the application. + Default: `app`.' + type: string + encoding: + description: The value to be passed as option `--encoding` + for initdb (default:`UTF8`) + type: string + import: + description: Bootstraps the new cluster by importing data + from an existing PostgreSQL instance using logical backup + (`pg_dump` and `pg_restore`) + properties: + databases: + description: The databases to import + items: + type: string + type: array + postImportApplicationSQL: + description: List of SQL queries to be executed as a superuser + in the application database right after is imported + - to be used with extreme care (by default empty). Only + available in microservice type. + items: + type: string + type: array + roles: + description: The roles to import + items: + type: string + type: array + source: + description: The source of the import + properties: + externalCluster: + description: The name of the externalCluster used + for import + type: string + required: + - externalCluster + type: object + type: + description: The import type. Can be `microservice` or + `monolith`. + enum: + - microservice + - monolith + type: string + required: + - databases + - source + - type + type: object + localeCType: + description: The value to be passed as option `--lc-ctype` + for initdb (default:`C`) + type: string + localeCollate: + description: The value to be passed as option `--lc-collate` + for initdb (default:`C`) + type: string + options: + description: 'The list of options that must be passed to initdb + when creating the cluster. 
Deprecated: This could lead to + inconsistent configurations, please use the explicit provided + parameters instead. If defined, explicit values will be + ignored.' + items: + type: string + type: array + owner: + description: Name of the owner of the database in the instance + to be used by applications. Defaults to the value of the + `database` key. + type: string + postInitApplicationSQL: + description: List of SQL queries to be executed as a superuser + in the application database right after is created - to + be used with extreme care (by default empty) + items: + type: string + type: array + postInitApplicationSQLRefs: + description: PostInitApplicationSQLRefs points references + to ConfigMaps or Secrets which contain SQL files, the general + implementation order to these references is from all Secrets + to all ConfigMaps, and inside Secrets or ConfigMaps, the + implementation order is same as the order of each array + (by default empty) + properties: + configMapRefs: + description: ConfigMapRefs holds a list of references + to ConfigMaps + items: + description: ConfigMapKeySelector contains enough information + to let you locate the key of a ConfigMap + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: array + secretRefs: + description: SecretRefs holds a list of references to + Secrets + items: + description: SecretKeySelector contains enough information + to let you locate the key of a Secret + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + type: array + type: object + postInitSQL: + description: List of SQL queries to be executed as a superuser + immediately after the cluster has been created - to be used + with extreme care (by default empty) + items: + type: string + type: array + postInitTemplateSQL: + description: List of SQL queries to be executed as a superuser + in the `template1` after the cluster has been created - + to be used with extreme care (by default empty) + items: + type: string + type: array + secret: + description: Name of the secret containing the initial credentials + for the owner of the user database. If empty a new secret + will be created from scratch + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + walSegmentSize: + description: 'The value in megabytes (1 to 1024) to be passed + to the `--wal-segsize` option for initdb (default: empty, + resulting in PostgreSQL default: 16MB)' + maximum: 1024 + minimum: 1 + type: integer + type: object + pg_basebackup: + description: Bootstrap the cluster taking a physical backup of + another compatible PostgreSQL instance + properties: + database: + description: 'Name of the database used by the application. + Default: `app`.' + type: string + owner: + description: Name of the owner of the database in the instance + to be used by applications. Defaults to the value of the + `database` key. + type: string + secret: + description: Name of the secret containing the initial credentials + for the owner of the user database. If empty a new secret + will be created from scratch + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + source: + description: The name of the server of which we need to take + a physical backup + minLength: 1 + type: string + required: + - source + type: object + recovery: + description: Bootstrap the cluster from a backup + properties: + backup: + description: The backup we need to restore + properties: + endpointCA: + description: EndpointCA store the CA bundle of the barman + endpoint. Useful when using self-signed certificates + to avoid errors with certificate issuer and barman-cloud-wal-archive. + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + name: + description: Name of the referent. + type: string + required: + - name + type: object + database: + description: 'Name of the database used by the application. + Default: `app`.' + type: string + owner: + description: Name of the owner of the database in the instance + to be used by applications. Defaults to the value of the + `database` key. + type: string + recoveryTarget: + description: 'By default, the recovery process applies all + the available WAL files in the archive (full recovery). + However, you can also end the recovery as soon as a consistent + state is reached or recover to a point-in-time (PITR) by + specifying a `RecoveryTarget` object, as expected by PostgreSQL + (i.e., timestamp, transaction Id, LSN, ...). More info: + https://www.postgresql.org/docs/current/runtime-config-wal.html#RUNTIME-CONFIG-WAL-RECOVERY-TARGET' + properties: + backupID: + description: The ID of the backup from which to start + the recovery process. If empty (default) the operator + will automatically detect the backup based on targetTime + or targetLSN if specified. Otherwise use the latest + available backup in chronological order. 
+ type: string + exclusive: + description: Set the target to be exclusive (defaults + to true) + type: boolean + targetImmediate: + description: End recovery as soon as a consistent state + is reached + type: boolean + targetLSN: + description: The target LSN (Log Sequence Number) + type: string + targetName: + description: The target name (to be previously created + with `pg_create_restore_point`) + type: string + targetTLI: + description: The target timeline ("latest" or a positive + integer) + type: string + targetTime: + description: The target time as a timestamp in the RFC3339 + standard + type: string + targetXID: + description: The target transaction ID + type: string + type: object + secret: + description: Name of the secret containing the initial credentials + for the owner of the user database. If empty a new secret + will be created from scratch + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + source: + description: The external cluster whose backup we will restore. + This is also used as the name of the folder under which + the backup is stored, so it must be set to the name of the + source cluster + type: string + type: object + type: object + certificates: + description: The configuration for the CA and related certificates + properties: + clientCASecret: + description: 'The secret containing the Client CA certificate. + If not defined, a new secret will be created with a self-signed + CA and will be used to generate all the client certificates.

Contains:

- `ca.crt`: CA that should + be used to validate the client certificates, used as `ssl_ca_file` + of all the instances.
- `ca.key`: key used to generate + client certificates, if ReplicationTLSSecret is provided, this + can be omitted.
' + type: string + replicationTLSSecret: + description: The secret of type kubernetes.io/tls containing the + client certificate to authenticate as the `streaming_replica` + user. If not defined, ClientCASecret must provide also `ca.key`, + and a new secret will be created using the provided CA. + type: string + serverAltDNSNames: + description: The list of the server alternative DNS names to be + added to the generated server TLS certificates, when required. + items: + type: string + type: array + serverCASecret: + description: 'The secret containing the Server CA certificate. + If not defined, a new secret will be created with a self-signed + CA and will be used to generate the TLS certificate ServerTLSSecret.

Contains:

- `ca.crt`: CA that should + be used to validate the server certificate, used as `sslrootcert` + in client connection strings.
- `ca.key`: key used to + generate Server SSL certs, if ServerTLSSecret is provided, this + can be omitted.
' + type: string + serverTLSSecret: + description: The secret of type kubernetes.io/tls containing the + server TLS certificate and key that will be set as `ssl_cert_file` + and `ssl_key_file` so that clients can connect to postgres securely. + If not defined, ServerCASecret must provide also `ca.key` and + a new secret will be created using the provided CA. + type: string + type: object + description: + description: Description of this PostgreSQL cluster + type: string + enableSuperuserAccess: + default: true + description: When this option is enabled, the operator will use the + `SuperuserSecret` to update the `postgres` user password (if the + secret is not present, the operator will automatically create one). + When this option is disabled, the operator will ignore the `SuperuserSecret` + content, delete it when automatically created, and then blank the + password of the `postgres` user by setting it to `NULL`. Enabled + by default. + type: boolean + env: + description: Env follows the Env format to pass environment variables + to the pods created in the cluster + items: + description: EnvVar represents an environment variable present in + a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using + the previously defined environment variables in the container + and any service environment variables. If a variable cannot + be resolved, the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the + string literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists or + not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot + be used if value is not empty. 
+ properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, + status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: EnvFrom follows the EnvFrom format to pass environment + variables sources to the pods to be used by Env + items: + description: EnvFromSource represents the source of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in + the ConfigMap. Must be a C_IDENTIFIER. 
+ type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + externalClusters: + description: The list of external clusters which are used in the configuration + items: + description: ExternalCluster represents the connection parameters + to an external cluster which is used in the other sections of + the configuration + properties: + barmanObjectStore: + description: The configuration for the barman-cloud tool suite + properties: + azureCredentials: + description: The credentials to use to upload data to Azure + Blob Storage + properties: + connectionString: + description: The connection string to be used + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + inheritFromAzureAD: + description: Use the Azure AD based authentication without + providing explicitly the keys. + type: boolean + storageAccount: + description: The storage account where to upload data + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + storageKey: + description: The storage account key to be used in conjunction + with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + storageSasToken: + description: A shared-access-signature to be used in + conjunction with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: object + data: + description: The configuration to be used to backup the + data files When not defined, base backups files will be + stored uncompressed and may be unencrypted in the object + store, according to the bucket default policy. + properties: + compression: + description: Compress a backup file (a tar file per + tablespace) while streaming it to the object store. + Available options are empty string (no compression, + default), `gzip`, `bzip2` or `snappy`. + enum: + - gzip + - bzip2 + - snappy + type: string + encryption: + description: Whenever to force the encryption of files + (if the bucket is not already configured for that). + Allowed options are empty string (use the bucket policy, + default), `AES256` and `aws:kms` + enum: + - AES256 + - aws:kms + type: string + immediateCheckpoint: + description: Control whether the I/O workload for the + backup initial checkpoint will be limited, according + to the `checkpoint_completion_target` setting on the + PostgreSQL server. If set to true, an immediate checkpoint + will be used, meaning PostgreSQL will complete the + checkpoint as soon as possible. `false` by default. + type: boolean + jobs: + description: The number of parallel jobs to be used + to upload the backup, defaults to 2 + format: int32 + minimum: 1 + type: integer + type: object + destinationPath: + description: The path where to store the backup (i.e. s3://bucket/path/to/folder) + this path, with different destination folders, will be + used for WALs and for data + minLength: 1 + type: string + endpointCA: + description: EndpointCA store the CA bundle of the barman + endpoint. 
Useful when using self-signed certificates to + avoid errors with certificate issuer and barman-cloud-wal-archive + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + endpointURL: + description: Endpoint to be used to upload data to the cloud, + overriding the automatic endpoint discovery + type: string + googleCredentials: + description: The credentials to use to upload data to Google + Cloud Storage + properties: + applicationCredentials: + description: The secret containing the Google Cloud + Storage JSON file with the credentials + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + gkeEnvironment: + description: If set to true, will presume that it's + running inside a GKE environment, default to false. + type: boolean + type: object + historyTags: + additionalProperties: + type: string + description: HistoryTags is a list of key value pairs that + will be passed to the Barman --history-tags option. + type: object + s3Credentials: + description: The credentials to use to upload data to S3 + properties: + accessKeyId: + description: The reference to the access key id + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + inheritFromIAMRole: + description: Use the role based authentication without + providing explicitly the keys. + type: boolean + region: + description: The reference to the secret containing + the region name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + secretAccessKey: + description: The reference to the secret access key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + sessionToken: + description: The references to the session key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: object + serverName: + description: The server name on S3, the cluster name is + used if this parameter is omitted + type: string + tags: + additionalProperties: + type: string + description: Tags is a list of key value pairs that will + be passed to the Barman --tags option. + type: object + wal: + description: The configuration for the backup of the WAL + stream. When not defined, WAL files will be stored uncompressed + and may be unencrypted in the object store, according + to the bucket default policy. + properties: + compression: + description: Compress a WAL file before sending it to + the object store. Available options are empty string + (no compression, default), `gzip`, `bzip2` or `snappy`. + enum: + - gzip + - bzip2 + - snappy + type: string + encryption: + description: Whenever to force the encryption of files + (if the bucket is not already configured for that). + Allowed options are empty string (use the bucket policy, + default), `AES256` and `aws:kms` + enum: + - AES256 + - aws:kms + type: string + maxParallel: + description: Number of WAL files to be either archived + in parallel (when the PostgreSQL instance is archiving + to a backup object store) or restored in parallel + (when a PostgreSQL standby is fetching WAL files from + a recovery object store). If not specified, WAL files + will be processed one at a time. It accepts a positive + integer as a value - with 1 being the minimum accepted + value. 
+ minimum: 1 + type: integer + type: object + required: + - destinationPath + type: object + connectionParameters: + additionalProperties: + type: string + description: The list of connection parameters, such as dbname, + host, username, etc + type: object + name: + description: The server name, required + type: string + password: + description: The reference to the password to be used to connect + to the server + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sslCert: + description: The reference to an SSL certificate to be used + to connect to this instance + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sslKey: + description: The reference to an SSL private key to be used + to connect to this instance + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sslRootCert: + description: The reference to an SSL CA public key to be used + to connect to this instance + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + type: array + failoverDelay: + default: 0 + description: The amount of time (in seconds) to wait before triggering + a failover after the primary PostgreSQL instance in the cluster + was detected to be unhealthy + format: int32 + type: integer + imageName: + description: Name of the container image, supporting both tags (`:`) + and digests for deterministic and repeatable deployments (`:@sha256:`) + type: string + imagePullPolicy: + description: 'Image pull policy. One of `Always`, `Never` or `IfNotPresent`. + If not defined, it defaults to `IfNotPresent`. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecrets: + description: The list of pull secrets to be used to pull the images + items: + description: LocalObjectReference contains enough information to + let you locate a local object with a known type inside the same + namespace + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + type: array + inheritedMetadata: + description: Metadata that will be inherited by all objects related + to the Cluster + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + instances: + default: 1 + description: Number of instances required in the cluster + minimum: 1 + type: integer + logLevel: + default: info + description: 'The instances'' log level, one of the following values: + error, warning, info (default), debug, trace' + enum: + - error + - warning + - info + - debug + - trace + type: string + managed: + description: The configuration that is used by the portions of PostgreSQL + that are managed by the instance manager + properties: + roles: + description: Database roles managed by the `Cluster` + items: + description: "RoleConfiguration is the representation, in Kubernetes, + of a PostgreSQL role with the additional field Ensure specifying + whether to ensure the presence or absence of the role in the + database \n The defaults of the CREATE ROLE command are applied + Reference: https://www.postgresql.org/docs/current/sql-createrole.html" + properties: + bypassrls: + description: Whether a role bypasses every row-level security + (RLS) policy. Default is `false`. + type: boolean + comment: + description: Description of the role + type: string + connectionLimit: + default: -1 + description: If the role can log in, this specifies how + many concurrent connections the role can make. `-1` (the + default) means no limit. + format: int64 + type: integer + createdb: + description: When set to `true`, the role being defined + will be allowed to create new databases. Specifying `false` + (default) will deny a role the ability to create databases. 
+ type: boolean + createrole: + description: Whether the role will be permitted to create, + alter, drop, comment on, change the security label for, + and grant or revoke membership in other roles. Default + is `false`. + type: boolean + ensure: + default: present + description: Ensure the role is `present` or `absent` - + defaults to "present" + enum: + - present + - absent + type: string + inRoles: + description: List of one or more existing roles to which + this role will be immediately added as a new member. Default + empty. + items: + type: string + type: array + inherit: + default: true + description: Whether a role "inherits" the privileges of + roles it is a member of. Defaults is `true`. + type: boolean + login: + description: Whether the role is allowed to log in. A role + having the `login` attribute can be thought of as a user. + Roles without this attribute are useful for managing database + privileges, but are not users in the usual sense of the + word. Default is `false`. + type: boolean + name: + description: Name of the role + type: string + passwordSecret: + description: Secret containing the password of the role + (if present) + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + replication: + description: Whether a role is a replication role. A role + must have this attribute (or be a superuser) in order + to be able to connect to the server in replication mode + (physical or logical replication) and in order to be able + to create or drop replication slots. A role having the + `replication` attribute is a very highly privileged role, + and should only be used on roles actually used for replication. + Default is `false`. + type: boolean + superuser: + description: Whether the role is a `superuser` who can override + all access restrictions within the database - superuser + status is dangerous and should be used only when really + needed. 
You must yourself be a superuser to create a new + superuser. Defaults is `false`. + type: boolean + validUntil: + description: Date and time after which the role's password + is no longer valid. When omitted, the password will never + expire (default). + format: date-time + type: string + required: + - name + type: object + type: array + type: object + maxSyncReplicas: + default: 0 + description: The target value for the synchronous replication quorum, + that can be decreased if the number of ready standbys is lower than + this. Undefined or 0 disable synchronous replication. + minimum: 0 + type: integer + minSyncReplicas: + default: 0 + description: Minimum number of instances required in synchronous replication + with the primary. Undefined or 0 allow writes to complete when no + standby is available. + minimum: 0 + type: integer + monitoring: + description: The configuration of the monitoring infrastructure of + this cluster + properties: + customQueriesConfigMap: + description: The list of config maps containing the custom queries + items: + description: ConfigMapKeySelector contains enough information + to let you locate the key of a ConfigMap + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: array + customQueriesSecret: + description: The list of secrets containing the custom queries + items: + description: SecretKeySelector contains enough information to + let you locate the key of a Secret + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: array + disableDefaultQueries: + default: false + description: 'Whether the default queries should be injected. + Set it to `true` if you don''t want to inject default queries + into the cluster. Default: false.' 
+ type: boolean + enablePodMonitor: + default: false + description: Enable or disable the `PodMonitor` + type: boolean + type: object + nodeMaintenanceWindow: + description: Define a maintenance window for the Kubernetes nodes + properties: + inProgress: + default: false + description: Is there a node maintenance activity in progress? + type: boolean + reusePVC: + default: true + description: Reuse the existing PVC (wait for the node to come + up again) or not (recreate it elsewhere - when `instances` >1) + type: boolean + required: + - inProgress + type: object + postgresGID: + default: 26 + description: The GID of the `postgres` user inside the image, defaults + to `26` + format: int64 + type: integer + postgresUID: + default: 26 + description: The UID of the `postgres` user inside the image, defaults + to `26` + format: int64 + type: integer + postgresql: + description: Configuration of the PostgreSQL server + properties: + ldap: + description: Options to specify LDAP configuration + properties: + bindAsAuth: + description: Bind as authentication configuration + properties: + prefix: + description: Prefix for the bind authentication option + type: string + suffix: + description: Suffix for the bind authentication option + type: string + type: object + bindSearchAuth: + description: Bind+Search authentication configuration + properties: + baseDN: + description: Root DN to begin the user search + type: string + bindDN: + description: DN of the user to bind to the directory + type: string + bindPassword: + description: Secret with the password for the user to + bind to the directory + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + searchAttribute: + description: Attribute to match against the username + type: string + searchFilter: + description: Search filter to use when doing the search+bind + authentication + type: string + type: object + port: + description: LDAP server port + type: integer + scheme: + description: LDAP schema to be used, possible options are + `ldap` and `ldaps` + enum: + - ldap + - ldaps + type: string + server: + description: LDAP hostname or IP address + type: string + tls: + description: Set to 'true' to enable LDAP over TLS. 'false' + is default + type: boolean + type: object + parameters: + additionalProperties: + type: string + description: PostgreSQL configuration options (postgresql.conf) + type: object + pg_hba: + description: PostgreSQL Host Based Authentication rules (lines + to be appended to the pg_hba.conf file) + items: + type: string + type: array + promotionTimeout: + description: Specifies the maximum number of seconds to wait when + promoting an instance to primary. Default value is 40000000, + greater than one year in seconds, big enough to simulate an + infinite timeout + format: int32 + type: integer + shared_preload_libraries: + description: Lists of shared preload libraries to add to the default + ones + items: + type: string + type: array + syncReplicaElectionConstraint: + description: Requirements to be met by sync replicas. This will + affect how the "synchronous_standby_names" parameter will be + set up. 
+ properties: + enabled: + description: This flag enables the constraints for sync replicas + type: boolean + nodeLabelsAntiAffinity: + description: A list of node labels values to extract and compare + to evaluate if the pods reside in the same topology or not + items: + type: string + type: array + required: + - enabled + type: object + type: object + primaryUpdateMethod: + default: restart + description: 'Method to follow to upgrade the primary server during + a rolling update procedure, after all replicas have been successfully + updated: it can be with a switchover (`switchover`) or in-place + (`restart` - default)' + enum: + - switchover + - restart + type: string + primaryUpdateStrategy: + default: unsupervised + description: 'Strategy to follow to upgrade the primary server during + a rolling update procedure, after all replicas have been successfully + updated: it can be automated (`unsupervised` - default) or manual + (`supervised`)' + enum: + - unsupervised + - supervised + type: string + projectedVolumeTemplate: + description: Template to be used to define projected volumes, projected + volumes will be mounted under `/projected` base folder + properties: + defaultMode: + description: defaultMode are the mode bits used to set permissions + on created files by default. Must be an octal value between + 0000 and 0777 or a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal values + for mode bits. Directories within the path are not affected + by this setting. This might be in conflict with other options + that affect the file mode, like fsGroup, and the result can + be other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along with other + supported volume types + properties: + configMap: + description: configMap information about the configMap data + to project + properties: + items: + description: items if unspecified, each key-value pair + in the Data field of the referenced ConfigMap will + be projected into the volume as a file whose name + is the key and content is the value. If specified, + the listed keys will be projected into the specified + paths, and unlisted keys will not be present. If a + key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. + Paths must be relative and may not contain the '..' + path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used + to set permissions on this file. Must be an + octal value between 0000 and 0777 or a decimal + value between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal values + for mode bits. If not specified, the volume + defaultMode will be used. This might be in conflict + with other options that affect the file mode, + like fsGroup, and the result can be other mode + bits set.' + format: int32 + type: integer + path: + description: path is the relative path of the + file to map the key to. May not be an absolute + path. May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI + data to project + properties: + items: + description: Items is a list of DownwardAPIVolume file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used to set + permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for mode + bits. If not specified, the volume defaultMode + will be used. This might be in conflict with + other options that affect the file mode, like + fsGroup, and the result can be other mode bits + set.' + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, requests.cpu and requests.memory) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret data to + project + properties: + items: + description: items if unspecified, each key-value pair + in the Data field of the referenced Secret will be + projected into the volume as a file whose name is + the key and content is the value. If specified, the + listed keys will be projected into the specified paths, + and unlisted keys will not be present. If a key is + specified which is not present in the Secret, the + volume setup will error unless it is marked optional. + Paths must be relative and may not contain the '..' + path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used + to set permissions on this file. Must be an + octal value between 0000 and 0777 or a decimal + value between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal values + for mode bits. If not specified, the volume + defaultMode will be used. This might be in conflict + with other options that affect the file mode, + like fsGroup, and the result can be other mode + bits set.' + format: int32 + type: integer + path: + description: path is the relative path of the + file to map the key to. 
May not be an absolute + path. May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: optional field specify whether the Secret + or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the + serviceAccountToken data to project + properties: + audience: + description: audience is the intended audience of the + token. A recipient of a token must identify itself + with an identifier specified in the audience of the + token, and otherwise should reject the token. The + audience defaults to the identifier of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is the requested duration + of validity of the service account token. As the token + approaches expiration, the kubelet volume plugin will + proactively rotate the service account token. The + kubelet will start trying to rotate the token if the + token is older than 80 percent of its time to live + or if the token is older than 24 hours.Defaults to + 1 hour and must be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative to the mount + point of the file to project the token into. + type: string + required: + - path + type: object + type: object + type: array + type: object + replica: + description: Replica cluster configuration + properties: + enabled: + description: If replica mode is enabled, this cluster will be + a replica of an existing cluster. Replica cluster can be created + from a recovery object store or via streaming through pg_basebackup. 
+ Refer to the Replication page of the documentation for more + information. + type: boolean + source: + description: The name of the external cluster which is the replication + origin + minLength: 1 + type: string + required: + - source + type: object + replicationSlots: + description: Replication slots management configuration + properties: + highAvailability: + description: Replication slots for high availability configuration + properties: + enabled: + default: false + description: If enabled, the operator will automatically manage + replication slots on the primary instance and use them in + streaming replication connections with all the standby instances + that are part of the HA cluster. If disabled (default), + the operator will not take advantage of replication slots + in streaming connections with the replicas. This feature + also controls replication slots in replica cluster, from + the designated primary to its cascading replicas. This can + only be set at creation time. + type: boolean + slotPrefix: + default: _cnpg_ + description: Prefix for replication slots managed by the operator + for HA. It may only contain lower case letters, numbers, + and the underscore character. This can only be set at creation + time. By default set to `_cnpg_`. + pattern: ^[0-9a-z_]*$ + type: string + type: object + updateInterval: + default: 30 + description: Standby will update the status of the local replication + slots every `updateInterval` seconds (default 30). + minimum: 1 + type: integer + type: object + resources: + description: Resources requirements of every generated Pod. Please + refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + for more information. + properties: + claims: + description: "Claims lists the names of resources, defined in + spec.resourceClaims, that are used by this container. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. 
It can only be set + for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims + of the Pod where this field is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + seccompProfile: + description: 'The SeccompProfile applied to every Pod and Container. + Defaults to: `RuntimeDefault`' + properties: + localhostProfile: + description: localhostProfile indicates a profile defined in a + file on the node should be used. The profile must be preconfigured + on the node to work. Must be a descending path, relative to + the kubelet's configured seccomp profile location. Must only + be set if type is "Localhost". 
+ type: string + type: + description: "type indicates which kind of seccomp profile will + be applied. Valid options are: \n Localhost - a profile defined + in a file on the node should be used. RuntimeDefault - the container + runtime default profile should be used. Unconfined - no profile + should be applied." + type: string + required: + - type + type: object + serviceAccountTemplate: + description: Configure the generation of the service account + properties: + metadata: + description: Metadata are the metadata to be used for the generated + service account + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map + stored with a resource that may be set by external tools + to store and retrieve arbitrary metadata. They are not queryable + and should be preserved when modifying objects. More info: + http://kubernetes.io/docs/user-guide/annotations' + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used + to organize and categorize (scope and select) objects. May + match selectors of replication controllers and services. + More info: http://kubernetes.io/docs/user-guide/labels' + type: object + type: object + required: + - metadata + type: object + startDelay: + default: 30 + description: The time in seconds that is allowed for a PostgreSQL + instance to successfully start up (default 30) + format: int32 + type: integer + stopDelay: + default: 30 + description: The time in seconds that is allowed for a PostgreSQL + instance to gracefully shutdown (default 30) + format: int32 + type: integer + storage: + description: Configuration of the storage of the instances + properties: + pvcTemplate: + description: Template to be used to generate the Persistent Volume + Claim + properties: + accessModes: + description: 'accessModes contains the desired access modes + the volume should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) If the provisioner + or an external controller can support the specified data + source, it will create a new volume based on the contents + of the specified data source. When the AnyVolumeDataSource + feature gate is enabled, dataSource contents will be copied + to dataSourceRef, and dataSourceRef contents will be copied + to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not + be copied to dataSource.' + properties: + apiGroup: + description: APIGroup is the group for the resource being + referenced. If APIGroup is not specified, the specified + Kind must be in the core API group. For any other third-party + types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies the object from which + to populate the volume with data, if a non-empty volume + is desired. This may be any object from a non-empty API + group (non core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed + if the type of the specified object matches some installed + volume populator or dynamic provisioner. This field will + replace the functionality of the dataSource field and as + such if both fields are non-empty, they must have the same + value. 
For backwards compatibility, when namespace isn''t + specified in dataSourceRef, both fields (dataSource and + dataSourceRef) will be set to the same value automatically + if one of them is empty and the other is non-empty. When + namespace is specified in dataSourceRef, dataSource isn''t + set to the same value and must be empty. There are three + important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, + dataSourceRef allows any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed values (dropping + them), dataSourceRef preserves all values, and generates + an error if a disallowed value is specified. * While dataSource + only allows local objects, dataSourceRef allows objects + in any namespaces. (Beta) Using this field requires the + AnyVolumeDataSource feature gate to be enabled. (Alpha) + Using the namespace field of dataSourceRef requires the + CrossNamespaceVolumeDataSource feature gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group for the resource being + referenced. If APIGroup is not specified, the specified + Kind must be in the core API group. For any other third-party + types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + namespace: + description: Namespace is the namespace of resource being + referenced Note that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant object is + required in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. (Alpha) This field requires + the CrossNamespaceVolumeDataSource feature gate to be + enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the minimum resources the + volume should have. If RecoverVolumeExpansionFailure feature + is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher + than capacity recorded in the status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. 
If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query over volumes to consider + for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the name of the StorageClass + required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type of volume is required + by the claim. 
Value of Filesystem is implied when not included + in claim spec. + type: string + volumeName: + description: volumeName is the binding reference to the PersistentVolume + backing this claim. + type: string + type: object + resizeInUseVolumes: + default: true + description: Resize existent PVCs, defaults to true + type: boolean + size: + description: Size of the storage. Required if not already specified + in the PVC template. Changes to this field are automatically + reapplied to the created PVCs. Size cannot be decreased. + type: string + storageClass: + description: StorageClass to use for database data (`PGDATA`). + Applied after evaluating the PVC template, if available. If + not specified, generated PVCs will be satisfied by the default + storage class + type: string + type: object + superuserSecret: + description: The secret containing the superuser password. If not + defined a new secret will be created with a randomly generated password + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + switchoverDelay: + default: 40000000 + description: The time in seconds that is allowed for a primary PostgreSQL + instance to gracefully shutdown during a switchover. Default value + is 40000000, greater than one year in seconds, big enough to simulate + an infinite delay + format: int32 + type: integer + walStorage: + description: Configuration of the storage for PostgreSQL WAL (Write-Ahead + Log) + properties: + pvcTemplate: + description: Template to be used to generate the Persistent Volume + Claim + properties: + accessModes: + description: 'accessModes contains the desired access modes + the volume should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) If the provisioner + or an external controller can support the specified data + source, it will create a new volume based on the contents + of the specified data source. When the AnyVolumeDataSource + feature gate is enabled, dataSource contents will be copied + to dataSourceRef, and dataSourceRef contents will be copied + to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not + be copied to dataSource.' + properties: + apiGroup: + description: APIGroup is the group for the resource being + referenced. If APIGroup is not specified, the specified + Kind must be in the core API group. For any other third-party + types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies the object from which + to populate the volume with data, if a non-empty volume + is desired. This may be any object from a non-empty API + group (non core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed + if the type of the specified object matches some installed + volume populator or dynamic provisioner. This field will + replace the functionality of the dataSource field and as + such if both fields are non-empty, they must have the same + value. 
For backwards compatibility, when namespace isn''t + specified in dataSourceRef, both fields (dataSource and + dataSourceRef) will be set to the same value automatically + if one of them is empty and the other is non-empty. When + namespace is specified in dataSourceRef, dataSource isn''t + set to the same value and must be empty. There are three + important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, + dataSourceRef allows any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed values (dropping + them), dataSourceRef preserves all values, and generates + an error if a disallowed value is specified. * While dataSource + only allows local objects, dataSourceRef allows objects + in any namespaces. (Beta) Using this field requires the + AnyVolumeDataSource feature gate to be enabled. (Alpha) + Using the namespace field of dataSourceRef requires the + CrossNamespaceVolumeDataSource feature gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group for the resource being + referenced. If APIGroup is not specified, the specified + Kind must be in the core API group. For any other third-party + types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + namespace: + description: Namespace is the namespace of resource being + referenced Note that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant object is + required in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. (Alpha) This field requires + the CrossNamespaceVolumeDataSource feature gate to be + enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the minimum resources the + volume should have. If RecoverVolumeExpansionFailure feature + is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher + than capacity recorded in the status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. 
If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query over volumes to consider + for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the name of the StorageClass + required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type of volume is required + by the claim. 
Value of Filesystem is implied when not included + in claim spec. + type: string + volumeName: + description: volumeName is the binding reference to the PersistentVolume + backing this claim. + type: string + type: object + resizeInUseVolumes: + default: true + description: Resize existent PVCs, defaults to true + type: boolean + size: + description: Size of the storage. Required if not already specified + in the PVC template. Changes to this field are automatically + reapplied to the created PVCs. Size cannot be decreased. + type: string + storageClass: + description: StorageClass to use for database data (`PGDATA`). + Applied after evaluating the PVC template, if available. If + not specified, generated PVCs will be satisfied by the default + storage class + type: string + type: object + required: + - instances + type: object + status: + description: 'Most recently observed status of the cluster. This data + may not be up to date. Populated by the system. Read-only. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + azurePVCUpdateEnabled: + description: AzurePVCUpdateEnabled shows if the PVC online upgrade + is enabled for this cluster + type: boolean + certificates: + description: The configuration for the CA and related certificates, + initialized with defaults. + properties: + clientCASecret: + description: 'The secret containing the Client CA certificate. + If not defined, a new secret will be created with a self-signed + CA and will be used to generate all the client certificates.

Contains:

- `ca.crt`: CA that should + be used to validate the client certificates, used as `ssl_ca_file` + of all the instances.
- `ca.key`: key used to generate + client certificates, if ReplicationTLSSecret is provided, this + can be omitted.
' + type: string + expirations: + additionalProperties: + type: string + description: Expiration dates for all certificates. + type: object + replicationTLSSecret: + description: The secret of type kubernetes.io/tls containing the + client certificate to authenticate as the `streaming_replica` + user. If not defined, ClientCASecret must provide also `ca.key`, + and a new secret will be created using the provided CA. + type: string + serverAltDNSNames: + description: The list of the server alternative DNS names to be + added to the generated server TLS certificates, when required. + items: + type: string + type: array + serverCASecret: + description: 'The secret containing the Server CA certificate. + If not defined, a new secret will be created with a self-signed + CA and will be used to generate the TLS certificate ServerTLSSecret.

Contains:

- `ca.crt`: CA that should + be used to validate the server certificate, used as `sslrootcert` + in client connection strings.
- `ca.key`: key used to + generate Server SSL certs, if ServerTLSSecret is provided, this + can be omitted.
' + type: string + serverTLSSecret: + description: The secret of type kubernetes.io/tls containing the + server TLS certificate and key that will be set as `ssl_cert_file` + and `ssl_key_file` so that clients can connect to postgres securely. + If not defined, ServerCASecret must provide also `ca.key` and + a new secret will be created using the provided CA. + type: string + type: object + cloudNativePGCommitHash: + description: The commit hash number of which this operator running + type: string + cloudNativePGOperatorHash: + description: The hash of the binary of the operator + type: string + conditions: + description: Conditions for cluster object + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + configMapResourceVersion: + description: The list of resource versions of the configmaps, managed + by the operator. Every change here is done in the interest of the + instance manager, which will refresh the configmap data + properties: + metrics: + additionalProperties: + type: string + description: A map with the versions of all the config maps used + to pass metrics. 
Map keys are the config map names, map values + are the versions + type: object + type: object + currentPrimary: + description: Current primary instance + type: string + currentPrimaryFailingSinceTimestamp: + description: The timestamp when the primary was detected to be unhealthy + This field is reported when spec.failoverDelay is populated or during + online upgrades + type: string + currentPrimaryTimestamp: + description: The timestamp when the last actual promotion to primary + has occurred + type: string + danglingPVC: + description: List of all the PVCs created by this cluster and still + available which are not attached to a Pod + items: + type: string + type: array + firstRecoverabilityPoint: + description: The first recoverability point, stored as a date in RFC3339 + format + type: string + healthyPVC: + description: List of all the PVCs not dangling nor initializing + items: + type: string + type: array + initializingPVC: + description: List of all the PVCs that are being initialized by this + cluster + items: + type: string + type: array + instanceNames: + description: List of instance names in the cluster + items: + type: string + type: array + instances: + description: The total number of PVC Groups detected in the cluster. + It may differ from the number of existing instance pods. 
+ type: integer + instancesReportedState: + additionalProperties: + description: InstanceReportedState describes the last reported state + of an instance during a reconciliation loop + properties: + isPrimary: + description: indicates if an instance is the primary one + type: boolean + timeLineID: + description: indicates on which TimelineId the instance is + type: integer + required: + - isPrimary + type: object + description: The reported state of the instances during the last reconciliation + loop + type: object + instancesStatus: + additionalProperties: + items: + type: string + type: array + description: InstancesStatus indicates in which status the instances + are + type: object + jobCount: + description: How many Jobs have been created by this cluster + format: int32 + type: integer + lastFailedBackup: + description: Stored as a date in RFC3339 format + type: string + lastSuccessfulBackup: + description: Stored as a date in RFC3339 format + type: string + latestGeneratedNode: + description: ID of the latest generated node (used to avoid node name + clashing) + type: integer + managedRolesStatus: + description: ManagedRolesStatus reports the state of the managed roles + in the cluster + properties: + byStatus: + additionalProperties: + items: + type: string + type: array + description: ByStatus gives the list of roles in each state + type: object + cannotReconcile: + additionalProperties: + items: + type: string + type: array + description: CannotReconcile lists roles that cannot be reconciled + in PostgreSQL, with an explanation of the cause + type: object + passwordStatus: + additionalProperties: + description: PasswordState represents the state of the password + of a managed RoleConfiguration + properties: + resourceVersion: + description: the resource version of the password secret + type: string + transactionID: + description: the last transaction ID to affect the role + definition in PostgreSQL + format: int64 + type: integer + type: object + 
description: PasswordStatus gives the last transaction id and + password secret version for each managed role + type: object + type: object + onlineUpdateEnabled: + description: OnlineUpdateEnabled shows if the online upgrade is enabled + inside the cluster + type: boolean + phase: + description: Current phase of the cluster + type: string + phaseReason: + description: Reason for the current phase + type: string + poolerIntegrations: + description: The integration needed by poolers referencing the cluster + properties: + pgBouncerIntegration: + description: PgBouncerIntegrationStatus encapsulates the needed + integration for the pgbouncer poolers referencing the cluster + properties: + secrets: + items: + type: string + type: array + type: object + type: object + pvcCount: + description: How many PVCs have been created by this cluster + format: int32 + type: integer + readService: + description: Current list of read pods + type: string + readyInstances: + description: The total number of ready instances in the cluster. It + is equal to the number of ready instance pods. + type: integer + resizingPVC: + description: List of all the PVCs that have ResizingPVC condition. + items: + type: string + type: array + secretsResourceVersion: + description: The list of resource versions of the secrets managed + by the operator. Every change here is done in the interest of the + instance manager, which will refresh the secret data + properties: + applicationSecretVersion: + description: The resource version of the "app" user secret + type: string + barmanEndpointCA: + description: The resource version of the Barman Endpoint CA if + provided + type: string + caSecretVersion: + description: Unused. Retained for compatibility with old versions. 
+ type: string + clientCaSecretVersion: + description: The resource version of the PostgreSQL client-side + CA secret version + type: string + managedRoleSecretVersion: + additionalProperties: + type: string + description: The resource versions of the managed roles secrets + type: object + metrics: + additionalProperties: + type: string + description: A map with the versions of all the secrets used to + pass metrics. Map keys are the secret names, map values are + the versions + type: object + replicationSecretVersion: + description: The resource version of the "streaming_replica" user + secret + type: string + serverCaSecretVersion: + description: The resource version of the PostgreSQL server-side + CA secret version + type: string + serverSecretVersion: + description: The resource version of the PostgreSQL server-side + secret version + type: string + superuserSecretVersion: + description: The resource version of the "postgres" user secret + type: string + type: object + targetPrimary: + description: Target primary instance, this is different from the previous + one during a switchover or a failover + type: string + targetPrimaryTimestamp: + description: The timestamp when the last request for a new primary + has occurred + type: string + timelineID: + description: The timeline of the Postgres cluster + type: integer + topology: + description: Instances topology. + properties: + instances: + additionalProperties: + additionalProperties: + type: string + description: PodTopologyLabels represent the topology of a Pod. + map[labelName]labelValue + type: object + description: Instances contains the pod topology of the instances + type: object + successfullyExtracted: + description: SuccessfullyExtracted indicates if the topology data + was extract. 
It is useful to enact fallback behaviors in synchronous + replica election in case of failures + type: boolean + type: object + unusablePVC: + description: List of all the PVCs that are unusable because another + PVC is missing + items: + type: string + type: array + writeService: + description: Current write pod + type: string + type: object + type: object + served: true + storage: true + subresources: + scale: + specReplicasPath: .spec.instances + statusReplicasPath: .status.instances + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + helm.sh/resource-policy: keep + creationTimestamp: null + name: poolers.postgresql.cnpg.io +spec: + group: postgresql.cnpg.io + names: + kind: Pooler + listKind: PoolerList + plural: poolers + singular: pooler + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.cluster.name + name: Cluster + type: string + - jsonPath: .spec.type + name: Type + type: string + name: v1 + schema: + openAPIV3Schema: + description: Pooler is the Schema for the poolers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PoolerSpec defines the desired state of Pooler + properties: + cluster: + description: This is the cluster reference on which the Pooler will + work. Pooler name should never match with any cluster name within + the same namespace. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + instances: + default: 1 + description: The number of replicas we want + format: int32 + type: integer + pgbouncer: + description: The PgBouncer configuration + properties: + authQuery: + description: 'The query that will be used to download the hash + of the password of a certain user. Default: "SELECT usename, + passwd FROM user_search($1)". In case it is specified, also + an AuthQuerySecret has to be specified and no automatic CNPG + Cluster integration will be triggered.' + type: string + authQuerySecret: + description: The credentials of the user that need to be used + for the authentication query. In case it is specified, also + an AuthQuery (e.g. "SELECT usename, passwd FROM pg_shadow WHERE + usename=$1") has to be specified and no automatic CNPG Cluster + integration will be triggered. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + parameters: + additionalProperties: + type: string + description: Additional parameters to be passed to PgBouncer - + please check the CNPG documentation for a list of options you + can configure + type: object + paused: + default: false + description: When set to `true`, PgBouncer will disconnect from + the PostgreSQL server, first waiting for all queries to complete, + and pause all new client connections until this value is set + to `false` (default). Internally, the operator calls PgBouncer's + `PAUSE` and `RESUME` commands. 
+ type: boolean + pg_hba: + description: PostgreSQL Host Based Authentication rules (lines + to be appended to the pg_hba.conf file) + items: + type: string + type: array + poolMode: + default: session + description: The pool mode + enum: + - session + - transaction + type: string + required: + - poolMode + type: object + template: + description: The template of the Pod to be created + properties: + metadata: + description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map + stored with a resource that may be set by external tools + to store and retrieve arbitrary metadata. They are not queryable + and should be preserved when modifying objects. More info: + http://kubernetes.io/docs/user-guide/annotations' + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used + to organize and categorize (scope and select) objects. May + match selectors of replication controllers and services. + More info: http://kubernetes.io/docs/user-guide/labels' + type: object + type: object + spec: + description: 'Specification of the desired behavior of the pod. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + activeDeadlineSeconds: + description: Optional duration in seconds the pod may be active + on the node relative to StartTime before the system will + actively try to mark it failed and kill associated containers. + Value must be a positive integer. + format: int64 + type: integer + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to an update), the system may or may not try + to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them + are ANDed. 
The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. 
+ This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. 
+ due to a pod label update), the system may or may + not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. 
+ The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to + the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. 
+ properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + anti-affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. 
If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates whether + a service account token should be automatically mounted. + type: boolean + containers: + description: List of containers belonging to the pod. Containers + cannot currently be added or removed. There must be at least + one container in a Pod. Cannot be updated. + items: + description: A single application container that you want + to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. 
Variable + references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the + reference in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the + variable exists or not. Cannot be updated. More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is used + if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If + a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in + the container. Cannot be updated. + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. 
+ Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in + the pod's namespace + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is + starting. When a key exists in multiple sources, the + value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of + a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, + IfNotPresent. Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should + take in response to container lifecycle events. Cannot + be updated. + properties: + postStart: + description: 'PostStart is called immediately after + a container is created. If the handler fails, + the container is terminated and restarted according + to its restart policy. Other management of the + container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before + a container is terminated due to an API request + or management event such as liveness/startup probe + failure, preemption, resource contention, etc. + The handler is not called if the container crashes + or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the + container will eventually terminate within the + Pod''s termination grace period (unless delayed + by finalizers). Other management of the container + blocks until the hook completes or until the termination + grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. 
The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). 
This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port + in a single container. + properties: + containerPort: + description: Number of port to expose on the pod's + IP address. This must be a valid port number, + 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the host. + If specified, this must be a valid port number, + 0 < x < 65536. If HostNetwork is specified, + this must match ContainerPort. Most containers + do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in + a pod must have a unique name. Name for the + port that can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. 
Must be UDP, TCP, + or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if + the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. 
+ properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. 
Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can + only be set for containers." + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. 
+ properties: + name: + description: Name must match the name of one + entry in pod.spec.resourceClaims of the + Pod where this field is used. It makes that + resource available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security options + the container should be run with. If set, the fields + of SecurityContext override the equivalent fields + of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges than + its parent process. This bool directly controls + if the no_new_privs flag will be set on the container + process. 
AllowPrivilegeEscalation is true always + when the container is: 1) run as Privileged 2) + has CAP_SYS_ADMIN Note that this field cannot + be set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this + field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that + this field cannot be set when spec.os.name is + windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default is + DefaultProcMount which uses the container runtime + defaults for readonly paths and masked paths. + This requires the ProcMountType feature flag to + be enabled. Note that this field cannot be set + when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that this + field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. Note that this + field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + the container. If unspecified, the container runtime + will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided at + both the pod & container level, the container + options override the pod options. 
Note that this + field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. 
All of a Pod's containers must have + the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must + also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has + successfully initialized. If specified, no other probes + are executed until this completes successfully. If + this probe fails, the Pod will be restarted, just + as if the livenessProbe failed. This can be used to + provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time + to load data or warm a cache, than during steady-state + operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. 
+ format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. 
Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the container will + always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close + the stdin channel after it has been opened by a single + attach. When stdin is true the stdin stream will remain + open across multiple attach sessions. If stdinOnce + is set to true, stdin is opened on container start, + is empty until the first client attaches to stdin, + and then remains open and accepts data until the client + disconnects, at which time stdin is closed and remains + closed until the container is restarted. If this flag + is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which + the container''s termination message will be written + is mounted into the container''s filesystem. Message + written is intended to be brief final status, such + as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should + be populated. File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. FallbackToLogsOnError will use the last + chunk of container log output if the termination message + file is empty and the container exited with an error. + The log output is limited to 2048 bytes or 80 lines, + whichever is smaller. Defaults to File. 
Cannot be + updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices + to be used by the container. + items: + description: volumeDevice describes a mapping of a + raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of + the container that the device will be mapped + to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting of a + Volume within a container. + properties: + mountPath: + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to + false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. Defaults + to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment + variable references $(VAR_NAME) are expanded + using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath + are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which + might be configured in the container image. Cannot + be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. Parameters + specified here will be merged to the generated DNS configuration + based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. This + will be appended to the base nameservers generated from + DNSPolicy. Duplicated nameservers will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This will + be merged with the base options generated from DNSPolicy. + Duplicated entries will be removed. Resolution options + given in Options will override those that appear in + the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search paths + generated from DNSPolicy. Duplicated search paths will + be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to "ClusterFirst". + Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', + 'Default' or 'None'. DNS parameters given in DNSConfig will + be merged with the policy selected with DNSPolicy. To have + DNS options set along with hostNetwork, you have to specify + DNS policy explicitly to 'ClusterFirstWithHostNet'. 
+ type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this pod. + Ephemeral containers may be run in an existing pod to perform + user-initiated actions such as debugging. This list cannot + be specified when creating a pod, and it cannot be modified + by updating the pod spec. In order to add an ephemeral container + to an existing pod, use the pod's ephemeralcontainers subresource. + items: + description: "An EphemeralContainer is a temporary container + that you may add to an existing Pod for user-initiated + activities such as debugging. Ephemeral containers have + no resource or scheduling guarantees, and they will not + be restarted when they exit or when a Pod is removed or + restarted. The kubelet may evict a Pod if an ephemeral + container causes the Pod to exceed its resource allocation. + \n To add an ephemeral container, use the ephemeralcontainers + subresource of an existing Pod. Ephemeral containers may + not be removed or restarted." + properties: + args: + description: 'Arguments to the entrypoint. The image''s + CMD is used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s environment. + If a variable cannot be resolved, the reference in + the input string will be unchanged. Double $$ are + reduced to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the + variable exists or not. Cannot be updated. 
More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if this is + not provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. If a + variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in + the container. Cannot be updated. + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. 
+ properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in + the pod's namespace + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is + starting. When a key exists in multiple sources, the + value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of + a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, + IfNotPresent. Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately after + a container is created. If the handler fails, + the container is terminated and restarted according + to its restart policy. Other management of the + container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. 
The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before + a container is terminated due to an API request + or management event such as liveness/startup probe + failure, preemption, resource contention, etc. + The handler is not called if the container crashes + or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the + container will eventually terminate within the + Pod''s termination grace period (unless delayed + by finalizers). Other management of the container + blocks until the hook completes or until the termination + grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral containers. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. 
+ items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. 
spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among all + containers, init containers and ephemeral containers. + type: string + ports: + description: Ports are not allowed for ephemeral containers. + items: + description: ContainerPort represents a network port + in a single container. + properties: + containerPort: + description: Number of port to expose on the pod's + IP address. This must be a valid port number, + 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the host. + If specified, this must be a valid port number, + 0 < x < 65536. If HostNetwork is specified, + this must match ContainerPort. Most containers + do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in + a pod must have a unique name. Name for the + port that can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, + or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral containers. + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. 
Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral + containers. Ephemeral containers use spare resources + already allocated to the pod. + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can + only be set for containers." + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one + entry in pod.spec.resourceClaims of the + Pod where this field is used. It makes that + resource available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines the + security options the ephemeral container should be + run with. If set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges than + its parent process. This bool directly controls + if the no_new_privs flag will be set on the container + process. AllowPrivilegeEscalation is true always + when the container is: 1) run as Privileged 2) + has CAP_SYS_ADMIN Note that this field cannot + be set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this + field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. 
Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that + this field cannot be set when spec.os.name is + windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default is + DefaultProcMount which uses the container runtime + defaults for readonly paths and masked paths. + This requires the ProcMountType feature flag to + be enabled. Note that this field cannot be set + when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that this + field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. Note that this + field cannot be set when spec.os.name is windows. 
+ format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + the container. If unspecified, the container runtime + will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided at + both the pod & container level, the container + options override the pod options. Note that this + field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. 
If unspecified, the options + from the PodSecurityContext will be used. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. All of a Pod's containers must have + the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must + also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral containers. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. 
The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). 
This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the container will + always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close + the stdin channel after it has been opened by a single + attach. When stdin is true the stdin stream will remain + open across multiple attach sessions. If stdinOnce + is set to true, stdin is opened on container start, + is empty until the first client attaches to stdin, + and then remains open and accepts data until the client + disconnects, at which time stdin is closed and remains + closed until the container is restarted. If this flag + is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + targetContainerName: + description: "If set, the name of the container from + PodSpec that this ephemeral container targets. The + ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set then + the ephemeral container uses the namespaces configured + in the Pod spec. \n The container runtime must implement + support for this feature. If the runtime does not + support namespace targeting then the result of setting + this field is undefined." 
+ type: string + terminationMessagePath: + description: 'Optional: Path at which the file to which + the container''s termination message will be written + is mounted into the container''s filesystem. Message + written is intended to be brief final status, such + as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should + be populated. File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. FallbackToLogsOnError will use the last + chunk of container log output if the termination message + file is empty and the container exited with an error. + The log output is limited to 2048 bytes or 80 lines, + whichever is smaller. Defaults to File. Cannot be + updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices + to be used by the container. + items: + description: volumeDevice describes a mapping of a + raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of + the container that the device will be mapped + to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for ephemeral + containers. Cannot be updated. + items: + description: VolumeMount describes a mounting of a + Volume within a container. 
+ properties: + mountPath: + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to + false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. Defaults + to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment + variable references $(VAR_NAME) are expanded + using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath + are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which + might be configured in the container image. Cannot + be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts and + IPs that will be injected into the pod's hosts file if specified. + This is only valid for non-hostNetwork pods. + items: + description: HostAlias holds the mapping between IP and + hostnames that will be injected as an entry in the pod's + hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. 
+ type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: Default + to false.' + type: boolean + hostNetwork: + description: Host networking requested for this pod. Use the + host's network namespace. If this option is set, the ports + that will be used must be specified. Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: Default + to false.' + type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: Default + to true. If set to true or not present, the pod will be + run in the host user namespace, useful for when the pod + needs a feature only available to the host user namespace, + such as loading a kernel module with CAP_SYS_MODULE. When + set to false, a new userns is created for the pod. Setting + false is useful for mitigating container breakout vulnerabilities + even allowing users to run their containers as root without + actually having root privileges on the host. This field + is alpha-level and is only honored by servers that enable + the UserNamespacesSupport feature.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not specified, + the pod's hostname will be set to a system-defined value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of references + to secrets in the same namespace to use for pulling any + of the images used by this PodSpec. If specified, these + secrets will be passed to individual puller implementations + for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same + namespace. + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: 'List of initialization containers belonging + to the pod. Init containers are executed in order prior + to containers being started. If any init container fails, + the pod is considered to have failed and is handled according + to its restartPolicy. The name for an init container or + normal container must be unique among all containers. Init + containers may not have Lifecycle actions, Readiness probes, + Liveness probes, or Startup probes. The resourceRequirements + of an init container are taken into account during scheduling + by finding the highest request/limit for each resource type, + and then using the max of of that value or the sum of the + normal containers. Limits are applied to init containers + in a similar fashion. Init containers cannot currently be + added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + items: + description: A single application container that you want + to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. Variable + references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the + reference in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the + variable exists or not. Cannot be updated. 
More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is used + if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If + a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in + the container. Cannot be updated. + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. 
+ properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in + the pod's namespace + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is + starting. When a key exists in multiple sources, the + value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of + a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, + IfNotPresent. Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should + take in response to container lifecycle events. Cannot + be updated. + properties: + postStart: + description: 'PostStart is called immediately after + a container is created. If the handler fails, + the container is terminated and restarted according + to its restart policy. Other management of the + container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before + a container is terminated due to an API request + or management event such as liveness/startup probe + failure, preemption, resource contention, etc. + The handler is not called if the container crashes + or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the + container will eventually terminate within the + Pod''s termination grace period (unless delayed + by finalizers). Other management of the container + blocks until the hook completes or until the termination + grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. 
The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). 
This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port + in a single container. + properties: + containerPort: + description: Number of port to expose on the pod's + IP address. This must be a valid port number, + 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the host. + If specified, this must be a valid port number, + 0 < x < 65536. If HostNetwork is specified, + this must match ContainerPort. Most containers + do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in + a pod must have a unique name. Name for the + port that can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. 
Must be UDP, TCP, + or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if + the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. 
+ properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. 
Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can + only be set for containers." + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. 
+ properties: + name: + description: Name must match the name of one + entry in pod.spec.resourceClaims of the + Pod where this field is used. It makes that + resource available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security options + the container should be run with. If set, the fields + of SecurityContext override the equivalent fields + of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges than + its parent process. This bool directly controls + if the no_new_privs flag will be set on the container + process. 
AllowPrivilegeEscalation is true always + when the container is: 1) run as Privileged 2) + has CAP_SYS_ADMIN Note that this field cannot + be set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this + field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that + this field cannot be set when spec.os.name is + windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default is + DefaultProcMount which uses the container runtime + defaults for readonly paths and masked paths. + This requires the ProcMountType feature flag to + be enabled. Note that this field cannot be set + when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that this + field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. Note that this + field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + the container. If unspecified, the container runtime + will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided at + both the pod & container level, the container + options override the pod options. 
Note that this + field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. 
All of a Pod's containers must have + the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must + also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has + successfully initialized. If specified, no other probes + are executed until this completes successfully. If + this probe fails, the Pod will be restarted, just + as if the livenessProbe failed. This can be used to + provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time + to load data or warm a cache, than during steady-state + operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. 
+ format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. 
Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the container will + always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close + the stdin channel after it has been opened by a single + attach. When stdin is true the stdin stream will remain + open across multiple attach sessions. If stdinOnce + is set to true, stdin is opened on container start, + is empty until the first client attaches to stdin, + and then remains open and accepts data until the client + disconnects, at which time stdin is closed and remains + closed until the container is restarted. If this flag + is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which + the container''s termination message will be written + is mounted into the container''s filesystem. Message + written is intended to be brief final status, such + as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should + be populated. File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. FallbackToLogsOnError will use the last + chunk of container log output if the termination message + file is empty and the container exited with an error. + The log output is limited to 2048 bytes or 80 lines, + whichever is smaller. Defaults to File. 
Cannot be + updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices + to be used by the container. + items: + description: volumeDevice describes a mapping of a + raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of + the container that the device will be mapped + to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting of a + Volume within a container. + properties: + mountPath: + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to + false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. Defaults + to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment + variable references $(VAR_NAME) are expanded + using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath + are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which + might be configured in the container image. Cannot + be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this pod onto + a specific node. If it is non-empty, the scheduler simply + schedules this pod onto that node, assuming that it fits + resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true + for the pod to fit on a node. Selector which must match + a node''s labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in the pod. + Some pod and container fields are restricted if this is + set. 
\n If the OS field is set to linux, the following fields + must be unset: -securityContext.windowsOptions \n If the + OS field is set to windows, following fields must be unset: + - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.seLinuxOptions + - spec.securityContext.seccompProfile - spec.securityContext.fsGroup + - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls + - spec.shareProcessNamespace - spec.securityContext.runAsUser + - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups + - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile + - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem + - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation + - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser + - spec.containers[*].securityContext.runAsGroup" + properties: + name: + description: 'Name is the name of the operating system. + The currently supported values are linux and windows. + Additional value may be defined in future and can be + one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values and + treat unrecognized values in this field as os: null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Overhead represents the resource overhead associated + with running a pod for a given RuntimeClass. This field + will be autopopulated at admission time by the RuntimeClass + admission controller. 
If the RuntimeClass admission controller + is enabled, overhead must not be set in Pod create requests. + The RuntimeClass admission controller will reject Pod create + requests which have the overhead already set. If RuntimeClass + is configured and selected in the PodSpec, Overhead will + be set to the value defined in the corresponding RuntimeClass, + otherwise it will remain unset and treated as zero. More + info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When Priority + Admission Controller is enabled, it prevents users from + setting this field. The admission controller populates this + field from PriorityClassName. The higher the value, the + higher the priority. + format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. "system-node-critical" + and "system-cluster-critical" are two special keywords which + indicate the highest priorities with the former being the + highest priority. Any other name must be defined by creating + a PriorityClass object with that name. If not specified, + the pod priority will be default or zero if there is no + default. + type: string + readinessGates: + description: 'If specified, all readiness gates will be evaluated + for pod readiness. 
A pod is ready when all its containers + are ready AND all conditions specified in the readiness + gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference to + a pod condition + properties: + conditionType: + description: ConditionType refers to a condition in + the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to those + containers which consume them by name. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one ResourceClaim + through a ClaimSource. It adds a name to it that uniquely + identifies the ResourceClaim inside the Pod. Containers + that need access to the ResourceClaim reference it with + this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name of a + ResourceClaim object in the same namespace as + this pod. + type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is the name + of a ResourceClaimTemplate object in the same + namespace as this pod. \n The template will be + used to create a new ResourceClaim, which will + be bound to this pod. When this pod is deleted, + the ResourceClaim will also be deleted. The name + of the ResourceClaim will be -, where is the PodResourceClaim.Name. 
+ Pod validation will reject the pod if the concatenated + name is not valid for a ResourceClaim (e.g. too + long). \n An existing ResourceClaim with that + name that is not owned by the pod will not be + used for the pod to avoid using an unrelated resource + by mistake. Scheduling and pod startup are then + blocked until the unrelated ResourceClaim is removed. + \n This field is immutable and no changes will + be made to the corresponding ResourceClaim by + the control plane after creating the ResourceClaim." + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + restartPolicy: + description: 'Restart policy for all containers within the + pod. One of Always, OnFailure, Never. Default to Always. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass object + in the node.k8s.io group, which should be used to run this + pod. If no RuntimeClass resource matches the named class, + the pod will not be run. If unset or empty, the "legacy" + RuntimeClass will be used, which is an implicit class with + an empty definition that uses the default runtime handler. + More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' + type: string + schedulerName: + description: If specified, the pod will be dispatched by specified + scheduler. If not specified, the pod will be dispatched + by default scheduler. + type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. More info: + \ https://git.k8s.io/enhancements/keps/sig-scheduling/3521-pod-scheduling-readiness. + \n This is an alpha-level feature enabled by PodSchedulingReadiness + feature gate." + items: + description: PodSchedulingGate is associated to a Pod to + guard its scheduling. 
+ properties: + name: + description: Name of the scheduling gate. Each scheduling + gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + securityContext: + description: 'SecurityContext holds pod-level security attributes + and common container settings. Optional: Defaults to empty. See + type description for default values of each field.' + properties: + fsGroup: + description: "A special supplemental group that applies + to all containers in a pod. Some volume types allow + the Kubelet to change the ownership of that volume to + be owned by the pod: \n 1. The owning GID will be the + FSGroup 2. The setgid bit is set (new files created + in the volume will be owned by FSGroup) 3. The permission + bits are OR'd with rw-rw---- \n If unset, the Kubelet + will not modify the ownership and permissions of any + volume. Note that this field cannot be set when spec.os.name + is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior of + changing ownership and permission of the volume before + being exposed inside Pod. This field will only apply + to volume types which support fsGroup based ownership(and + permissions). It will have no effect on ephemeral volume + types such as: secret, configmaps and emptydir. Valid + values are "OnRootMismatch" and "Always". If not specified, + "Always" is used. Note that this field cannot be set + when spec.os.name is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be + set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this + field cannot be set when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as + a non-root user. If true, the Kubelet will validate + the image at runtime to ensure that it does not run + as UID 0 (root) and fail to start the container if it + does. If unset or false, no such validation will be + performed. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot be set + when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all + containers. If unspecified, the container runtime will + allocate a random SELinux context for each container. May + also be set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this + field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set when + spec.os.name is windows. 
+ properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. The + profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's + configured seccomp profile location. Must only be + set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: \n Localhost + - a profile defined in a file on the node should + be used. RuntimeDefault - the container runtime + default profile should be used. Unconfined - no + profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's + primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container + process. If unspecified, no additional groups are added + to any container. Note that group memberships defined + in the container image for the uid of the container + process are still effective, even if they are not included + in this list. Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls (by + the container runtime) might fail to launch. Note that + this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to + all containers. 
If unspecified, the options within a + container's SecurityContext will be used. If set in + both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA + admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec + named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. This + field is alpha-level and will only be honored by + components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the feature + flag will result in errors when validating the Pod. + All of a Pod's containers must have the same effective + HostProcess value (it is not allowed to have a mix + of HostProcess containers and non-HostProcess containers). In + addition, if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated alias + for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the ServiceAccount + to use to run this pod. 
More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the default). + In Linux containers, this means setting the FQDN in the + hostname field of the kernel (the nodename field of struct + utsname). In Windows containers, this means setting the + registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters + to FQDN. If a pod does not have FQDN, this has no effect. + Default to false. + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between all + of the containers in a pod. When this is set containers + will be able to view and signal processes from other containers + in the same pod, and the first process in each container + will not be assigned PID 1. HostPID and ShareProcessNamespace + cannot both be set. Optional: Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have a domainname + at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs to + terminate gracefully. May be decreased in delete request. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). If this value is nil, the default grace period + will be used instead. The grace period is the duration in + seconds after the processes running in the pod are sent + a termination signal and the time when the processes are + forcibly halted with a kill signal. Set this value longer + than the expected cleanup time for your process. Defaults + to 30 seconds. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. 
+ items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how a group + of pods ought to spread across topology domains. Scheduler + will schedule pods in a way which abides by the constraints. + All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. 
Pods that match this label selector are counted + to determine the number of pods in their corresponding + topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys + to select the pods over which spreading will be calculated. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are ANDed with + labelSelector to select the group of existing pods + over which spreading will be calculated for the incoming + pod. Keys that don't exist in the incoming pod labels + will be ignored. A null or empty list means only match + against labelSelector. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the + number of matching pods in the target topology and + the global minimum. The global minimum is the minimum + number of matching pods in an eligible domain or zero + if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to + 1, and pods with the same labelSelector spread as + 2/2/1: In this case, the global minimum is 1. | zone1 + | zone2 | zone3 | | P P | P P | P | - if MaxSkew + is 1, incoming pod can only be scheduled to zone3 + to become 2/2/2; scheduling it onto zone1(zone2) would + make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto + any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default value + is 1 and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number + of eligible domains. When the number of eligible domains + with matching topology keys is less than minDomains, + Pod Topology Spread treats \"global minimum\" as 0, + and then the calculation of Skew is performed. And + when the number of eligible domains with matching + topology keys equals or greater than minDomains, this + value has no effect on scheduling. As a result, when + the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to + those domains. If value is nil, the constraint behaves + as if MinDomains is equal to 1. Valid values are integers + greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. 
\n For example, in a 3-zone + cluster, MaxSkew is set to 2, MinDomains is set to + 5 and pods with the same labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | | P P | P P | P P | + The number of domains is less than 5(MinDomains), + so \"global minimum\" is treated as 0. In this situation, + new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod + is scheduled to any of the three zones, it will violate + MaxSkew. \n This is a beta field and requires the + MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will + treat Pod's nodeAffinity/nodeSelector when calculating + pod topology spread skew. Options are: - Honor: only + nodes matching nodeAffinity/nodeSelector are included + in the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the calculations. + \n If this value is nil, the behavior is equivalent + to the Honor policy. This is a beta-level feature + default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will + treat node taints when calculating pod topology spread + skew. Options are: - Honor: nodes without taints, + along with tainted nodes for which the incoming pod + has a toleration, are included. - Ignore: node taints + are ignored. All nodes are included. \n If this value + is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the + NodeInclusionPolicyInPodTopologySpread feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. 
+ We consider each as a "bucket", and try + to put balanced number of pods into each bucket. We + define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose + nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal + with a pod if it doesn''t satisfy the spread constraint. + - DoNotSchedule (default) tells the scheduler not + to schedule it. - ScheduleAnyway tells the scheduler + to schedule the pod in any location, but giving higher + precedence to topologies that would help reduce the + skew. A constraint is considered "Unsatisfiable" for + an incoming pod if and only if every possible node + assignment for that pod would violate "MaxSkew" on + some topology. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector + spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P + | P | P | If WhenUnsatisfiable is set to DoNotSchedule, + incoming pod can only be scheduled to zone2(zone3) + to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) + satisfies MaxSkew(1). In other words, the cluster + can still be imbalanced, but scheduler won''t make + it *more* imbalanced. It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by containers + belonging to the pod. 
More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents an AWS + Disk resource that is attached to a kubelet''s host + machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type of the + volume that you want to mount. Tip: Ensure that + the filesystem type is supported by the host operating + system. Examples: "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in the + volume that you want to mount. If omitted, the + default is to mount by volume name. Examples: + For volume /dev/sda1, you specify the partition + as "1". Similarly, the volume partition for /dev/sda + is "0" (or you can leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force the + readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the persistent + disk resource in AWS (Amazon EBS volume). More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk + mount on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' 
+ type: string + diskName: + description: diskName is the Name of the data disk + in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in + the blob storage + type: string + fsType: + description: fsType is Filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors is + a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults to + false (read/write). 
ReadOnly here will force the + ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef is + reference to the authentication secret for User, + default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the rados + user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume attached + and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points to a + secret object containing parameters used to connect + to OpenStack.' + properties: + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the volume + in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode bits + used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. Directories + within the path are not affected by this setting. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced ConfigMap + will be projected into the volume as a file whose + name is the key and content is the value. If specified, + the listed keys will be projected into the specified + paths, and unlisted keys will not be present. + If a key is specified which is not present in + the ConfigMap, the volume setup will error unless + it is marked optional. Paths must be relative + and may not contain the '..' path or start with + '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits + used to set permissions on this file. Must + be an octal value between 0000 and 0777 + or a decimal value between 0 and 511. 
YAML + accepts both octal and decimal values, JSON + requires decimal values for mode bits. If + not specified, the volume defaultMode will + be used. This might be in conflict with + other options that affect the file mode, + like fsGroup, and the result can be other + mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path of + the file to map the key to. May not be an + absolute path. May not contain the path + element '..'. May not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: driver is the name of the CSI driver + that handles this volume. Consult with your admin + for the correct name as registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", "xfs", + "ntfs". If not provided, the empty value is passed + to the associated CSI driver which will determine + the default filesystem to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive information + to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no + secret is required. If the secret object contains + more than one secret, all secret references are + passed. + properties: + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only configuration + for the volume. Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for supported + values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about + the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on created + files by default. Must be a Optional: mode bits + used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. Directories + within the path are not affected by this setting. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field + properties: + fieldRef: + description: 'Required: Selects a field of + the pod: only annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used to + set permissions on this file, must be an + octal value between 0000 and 0777 or a decimal + value between 0 and 511. YAML accepts both + octal and decimal values, JSON requires + decimal values for mode bits. If not specified, + the volume defaultMode will be used. This + might be in conflict with other options + that affect the file mode, like fsGroup, + and the result can be other mode bits set.' + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, requests.cpu and requests.memory) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary directory + that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type of storage + medium should back this directory. 
The default + is "" which means to use the node''s default medium. + Must be an empty string (default) or Memory. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount of local + storage required for this EmptyDir volume. The + size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would + be the minimum value between the SizeLimit specified + here and the sum of memory limits of all containers + in a pod. The default is nil which means that + the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: "ephemeral represents a volume that is + handled by a cluster storage driver. The volume's + lifecycle is tied to the pod that defines it - it + will be created before the pod starts, and deleted + when the pod is removed. \n Use this if: a) the volume + is only needed while the pod runs, b) features of + normal volumes like restoring from snapshot or capacity + tracking are needed, c) the storage driver is specified + through a storage class, and d) the storage driver + supports dynamic volume provisioning through a PersistentVolumeClaim + (see EphemeralVolumeSource for more information on + the connection between this volume type and PersistentVolumeClaim). + \n Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the + lifecycle of an individual pod. \n Use CSI for light-weight + local ephemeral volumes if the CSI driver is meant + to be used that way - see the documentation of the + driver for more information. \n A pod can use both + types of ephemeral volumes and persistent volumes + at the same time." 
+ properties: + volumeClaimTemplate: + description: "Will be used to create a stand-alone + PVC to provision the volume. The pod in which + this EphemeralVolumeSource is embedded will be + the owner of the PVC, i.e. the PVC will be deleted + together with the pod. The name of the PVC will + be `-` where `` + is the name from the `PodSpec.Volumes` array entry. + Pod validation will reject the pod if the concatenated + name is not valid for a PVC (for example, too + long). \n An existing PVC with that name that + is not owned by the pod will *not* be used for + the pod to avoid using an unrelated volume by + mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created + PVC is meant to be used by the pod, the PVC has + to updated with an owner reference to the pod + once the pod exists. Normally this should not + be necessary, but it may be useful when manually + reconstructing a broken cluster. \n This field + is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. \n Required, + must not be nil." + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when creating + it. No other fields are allowed and will be + rejected during validation. + type: object + spec: + description: The specification for the PersistentVolumeClaim. + The entire content is copied unchanged into + the PVC that gets created from this template. + The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains the desired + access modes the volume should have. 
More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be used + to specify either: * An existing VolumeSnapshot + object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller + can support the specified data source, + it will create a new volume based on the + contents of the specified data source. + When the AnyVolumeDataSource feature gate + is enabled, dataSource contents will be + copied to dataSourceRef, and dataSourceRef + contents will be copied to dataSource + when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef + will not be copied to dataSource.' + properties: + apiGroup: + description: APIGroup is the group for + the resource being referenced. If + APIGroup is not specified, the specified + Kind must be in the core API group. + For any other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies the + object from which to populate the volume + with data, if a non-empty volume is desired. + This may be any object from a non-empty + API group (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed if the + type of the specified object matches some + installed volume populator or dynamic + provisioner. This field will replace the + functionality of the dataSource field + and as such if both fields are non-empty, + they must have the same value. 
For backwards + compatibility, when namespace isn''t specified + in dataSourceRef, both fields (dataSource + and dataSourceRef) will be set to the + same value automatically if one of them + is empty and the other is non-empty. When + namespace is specified in dataSourceRef, + dataSource isn''t set to the same value + and must be empty. There are three important + differences between dataSource and dataSourceRef: + * While dataSource only allows two specific + types of objects, dataSourceRef allows + any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed + values (dropping them), dataSourceRef + preserves all values, and generates an + error if a disallowed value is specified. + * While dataSource only allows local objects, + dataSourceRef allows objects in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource + feature gate to be enabled. (Alpha) Using + the namespace field of dataSourceRef requires + the CrossNamespaceVolumeDataSource feature + gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group for + the resource being referenced. If + APIGroup is not specified, the specified + Kind must be in the core API group. + For any other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: Namespace is the namespace + of resource being referenced Note + that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. See + the ReferenceGrant documentation for + details. (Alpha) This field requires + the CrossNamespaceVolumeDataSource + feature gate to be enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the minimum + resources the volume should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed to + specify resource requirements that are + lower than previous value but must still + be higher than capacity recorded in the + status field of the claim. More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + claims: + description: "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the + minimum amount of compute resources + required. 
If Requests is omitted for + a container, it defaults to Limits + if that is explicitly specified, otherwise + to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the name + of the StorageClass required by the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type + of volume is required by the claim. Value + of Filesystem is implied when not included + in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. TODO: how + do we prevent errors in the filesystem from compromising + the machine' + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults to + false (read/write). ReadOnly here will force the + ReadOnly setting in VolumeMounts.' + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world wide + identifiers (wwids) Either wwids or combination + of targetWWNs and lun must be set, but not both + simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using an exec + based plugin. + properties: + driver: + description: driver is the name of the driver to + use for this volume. + type: string + fsType: + description: fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". 
The + default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults to + false (read/write). ReadOnly here will force the + ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef is + reference to the secret object containing sensitive + information to pass to the plugin scripts. This + may be empty if no secret object is specified. + If the secret object contains more than one secret, + all secrets are passed to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset for + Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE Disk + resource that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of the volume + that you want to mount. Tip: Ensure that the filesystem + type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". 
Implicitly inferred + to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in the + volume that you want to mount. If omitted, the + default is to mount by volume name. Examples: + For volume /dev/sda1, you specify the partition + as "1". Similarly, the volume partition for /dev/sda + is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the PD resource + in GCE. Used to identify the disk in GCE. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository at + a particular revision. DEPRECATED: GitRepo is deprecated. + To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo + using git, then mount the EmptyDir into the Pod''s + container.' + properties: + directory: + description: directory is the target directory name. + Must not contain or start with '..'. If '.' is + supplied, the volume directory will be the git + repository. Otherwise, if specified, the volume + will contain the git repository in the subdirectory + with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the + specified revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs mount + on the host that shares a pod''s lifetime. More info: + https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name that + details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the Glusterfs + volume to be mounted with read-only permissions. + Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing file + or directory on the host machine that is directly + exposed to the container. This is generally used for + system agents or other privileged things that are + allowed to see the host machine. Most containers will + NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- TODO(jonesdl) We need to restrict who can use + host directory mounts and who can/can not mount host + directories as read/write.' + properties: + path: + description: 'path of the directory on the host. + If the path is a symlink, it will follow the link + to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine and + then exposed to the pod. 
More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type of the + volume that you want to mount. Tip: Ensure that + the filesystem type is supported by the host operating + system. Examples: "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI Initiator + Name. If initiatorName is specified with iscsiInterface + simultaneously, new iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface Name + that uses an iSCSI transport. Defaults to 'default' + (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically TCP + ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target Portal. + The Portal is either an IP or ip_addr:port if + the port is other than default (typically TCP + ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the host + that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the NFS export + to be mounted with read-only permissions. Defaults + to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP address + of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource represents + a reference to a PersistentVolumeClaim in the same + namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly setting + in VolumeMounts. Default false. 
+ type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: fSType represents the filesystem type + to mount Must be a filesystem type supported by + the host operating system. Ex. "ext4", "xfs". + Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits used + to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Directories within the path + are not affected by this setting. This might be + in conflict with other options that affect the + file mode, like fsGroup, and the result can be + other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about the + configMap data to project + properties: + items: + description: items if unspecified, each + key-value pair in the Data field of + the referenced ConfigMap will be projected + into the volume as a file whose name + is the key and content is the value. + If specified, the listed keys will be + projected into the specified paths, + and unlisted keys will not be present. + If a key is specified which is not present + in the ConfigMap, the volume setup will + error unless it is marked optional. + Paths must be relative and may not contain + the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an octal + value between 0000 and 0777 or + a decimal value between 0 and + 511. YAML accepts both octal and + decimal values, JSON requires + decimal values for mode bits. + If not specified, the volume defaultMode + will be used. This might be in + conflict with other options that + affect the file mode, like fsGroup, + and the result can be other mode + bits set.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map the key + to. May not be an absolute path. + May not contain the path element + '..'. May not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: optional specify whether + the ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about + the downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only annotations, + labels, name and namespace are + supported.' + properties: + apiVersion: + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field + to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits + used to set permissions on this + file, must be an octal value between + 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts + both octal and decimal values, + JSON requires decimal values for + mode bits. If not specified, the + volume defaultMode will be used. + This might be in conflict with + other options that affect the + file mode, like fsGroup, and the + result can be other mode bits + set.' + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu and + requests.memory) are currently + supported.' 
+ properties: + containerName: + description: 'Container name: + required for volumes, optional + for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the + secret data to project + properties: + items: + description: items if unspecified, each + key-value pair in the Data field of + the referenced Secret will be projected + into the volume as a file whose name + is the key and content is the value. + If specified, the listed keys will be + projected into the specified paths, + and unlisted keys will not be present. + If a key is specified which is not present + in the Secret, the volume setup will + error unless it is marked optional. + Paths must be relative and may not contain + the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an octal + value between 0000 and 0777 or + a decimal value between 0 and + 511. YAML accepts both octal and + decimal values, JSON requires + decimal values for mode bits. + If not specified, the volume defaultMode + will be used. This might be in + conflict with other options that + affect the file mode, like fsGroup, + and the result can be other mode + bits set.' 
+ format: int32 + type: integer + path: + description: path is the relative + path of the file to map the key + to. May not be an absolute path. + May not contain the path element + '..'. May not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: audience is the intended + audience of the token. A recipient of + a token must identify itself with an + identifier specified in the audience + of the token, and otherwise should reject + the token. The audience defaults to + the identifier of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is the + requested duration of validity of the + service account token. As the token + approaches expiration, the kubelet volume + plugin will proactively rotate the service + account token. The kubelet will start + trying to rotate the token if the token + is older than 80 percent of its time + to live or if the token is older than + 24 hours.Defaults to 1 hour and must + be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file to project + the token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the + host that shares a pod's lifetime + properties: + group: + description: group to map volume access to Default + is no group + type: string + readOnly: + description: readOnly here will force the Quobyte + volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: registry represents a single or multiple + Quobyte Registry services specified as a string + as host:port pair (multiple entries are separated + with commas) which acts as the central registry + for volumes + type: string + tenant: + description: tenant owning the given Quobyte volume + in the Backend Used with dynamically provisioned + Quobyte volumes, value is set by the plugin + type: string + user: + description: user to map volume access to Defaults + to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device mount + on the host that shares a pod''s lifetime. More info: + https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type of the + volume that you want to mount. Tip: Ensure that + the filesystem type is supported by the host operating + system. Examples: "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. More + info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring for + RBDUser. 
Default is /etc/ceph/keyring. More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. Default + is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. More + info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides keyring. + Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. Default + is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Default + is "xfs". + type: string + gateway: + description: gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). 
+ ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation will + fail. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false + type: boolean + storageMode: + description: storageMode indicates whether the storage + for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that is + associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that should + populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode bits + used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. Directories + within the path are not affected by this setting. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' 
+ format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced Secret + will be projected into the volume as a file whose + name is the key and content is the value. If specified, + the listed keys will be projected into the specified + paths, and unlisted keys will not be present. + If a key is specified which is not present in + the Secret, the volume setup will error unless + it is marked optional. Paths must be relative + and may not contain the '..' path or start with + '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits + used to set permissions on this file. Must + be an octal value between 0000 and 0777 + or a decimal value between 0 and 511. YAML + accepts both octal and decimal values, JSON + requires decimal values for mode bits. If + not specified, the volume defaultMode will + be used. This might be in conflict with + other options that affect the file mode, + like fsGroup, and the result can be other + mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path of + the file to map the key to. May not be an + absolute path. May not contain the path + element '..'. May not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the secret + in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type to mount. 
+ Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret to use + for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable name + of the StorageOS volume. Volume names are only + unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the scope + of the volume within StorageOS. If no namespace + is specified then the Pod's namespace will be + used. This allows the Kubernetes name scoping + to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default + behaviour. Set to "default" if you are not using + namespaces within StorageOS. Namespaces that do + not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume + attached and mounted on kubelets host machine + properties: + fsType: + description: fsType is filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. 
+ type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + type: + default: rw + description: Which instances we must forward traffic to? + enum: + - rw + - ro + type: string + required: + - cluster + - instances + - pgbouncer + - type + type: object + status: + description: PoolerStatus defines the observed state of Pooler + properties: + instances: + description: The number of pods trying to be scheduled + format: int32 + type: integer + secrets: + description: The resource version of the config object + properties: + clientCA: + description: The client CA secret version + properties: + name: + description: The name of the secret + type: string + version: + description: The ResourceVersion of the secret + type: string + type: object + pgBouncerSecrets: + description: The version of the secrets used by PgBouncer + properties: + authQuery: + description: The auth query secret version + properties: + name: + description: The name of the secret + type: string + version: + description: The ResourceVersion of the secret + type: string + type: object + type: object + serverCA: + description: The server CA secret version + properties: + name: + description: The name of the secret + type: string + version: + description: The ResourceVersion of the secret + type: string + type: object + serverTLS: + description: The server TLS secret version + properties: + name: + description: The name of the secret + type: string + version: + description: The ResourceVersion of the secret + type: string + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: + scale: + specReplicasPath: 
.spec.instances + statusReplicasPath: .status.instances + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + helm.sh/resource-policy: keep + creationTimestamp: null + name: scheduledbackups.postgresql.cnpg.io +spec: + group: postgresql.cnpg.io + names: + kind: ScheduledBackup + listKind: ScheduledBackupList + plural: scheduledbackups + singular: scheduledbackup + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.cluster.name + name: Cluster + type: string + - jsonPath: .status.lastScheduleTime + name: Last Backup + type: date + name: v1 + schema: + openAPIV3Schema: + description: ScheduledBackup is the Schema for the scheduledbackups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Specification of the desired behavior of the ScheduledBackup. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + backupOwnerReference: + default: none + description: 'Indicates which ownerReference should be put inside + the created backup resources.
- none: no owner reference for + created backup objects (same behavior as before the field was introduced)
- self: sets the Scheduled backup object as owner of the backup
- cluster: set the cluster as owner of the backup
' + enum: + - none + - self + - cluster + type: string + cluster: + description: The cluster to backup + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + immediate: + description: If the first backup has to be immediately start after + creation or not + type: boolean + schedule: + description: The schedule does not follow the same format used in + Kubernetes CronJobs as it includes an additional seconds specifier, + see https://pkg.go.dev/github.com/robfig/cron#hdr-CRON_Expression_Format + type: string + suspend: + description: If this backup is suspended or not + type: boolean + target: + description: The policy to decide which instance should perform this + backup. If empty, it defaults to `cluster.spec.backup.target`. Available + options are empty string, `primary` and `prefer-standby`. `primary` + to have backups run always on primary instances, `prefer-standby` + to have backups run preferably on the most updated standby, if available. + enum: + - primary + - prefer-standby + type: string + required: + - schedule + type: object + status: + description: 'Most recently observed status of the ScheduledBackup. This + data may not be up to date. Populated by the system. Read-only. More + info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + lastCheckTime: + description: The latest time the schedule + format: date-time + type: string + lastScheduleTime: + description: Information when was the last time that backup was successfully + scheduled. + format: date-time + type: string + nextScheduleTime: + description: Next time we will run a backup + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operators/cloudnative-pg/0.0.1/values.yaml b/operators/cloudnative-pg/0.0.1/values.yaml new file mode 100644 index 00000000000..e69de29bb2d 
diff --git a/operators/cloudnative-pg/item.yaml b/operators/cloudnative-pg/item.yaml
new file mode 100644
index 00000000000..4af7bd34c94
--- /dev/null
+++ b/operators/cloudnative-pg/item.yaml
@@ -0,0 +1,4 @@
+icon_url: https://truecharts.org/img/hotlink-ok/chart-icons/cloudnative-pg.png
+categories:
+- operators
+