From 651862203b9a87da5a6c633b692f3e1c5cfb92d1 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 8 Jul 2025 21:00:25 +0000 Subject: [PATCH 1/9] Add NGINX pod and deployment with securityContext --- 01-kubernetes-fundamentals/nginx-deployment.yaml | 5 +++-- 01-kubernetes-fundamentals/nginx-pod.yaml | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/01-kubernetes-fundamentals/nginx-deployment.yaml b/01-kubernetes-fundamentals/nginx-deployment.yaml index 8eeaafe..44aa1f1 100644 --- a/01-kubernetes-fundamentals/nginx-deployment.yaml +++ b/01-kubernetes-fundamentals/nginx-deployment.yaml @@ -19,6 +19,7 @@ spec: image: nginx:latest ports: - containerPort: 80 + # Add Security Context to the Pod securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false + runAsNonRoot: true # Ensures the container runs as a non-root user + allowPrivilegeEscalation: false # Prevents the container from gaining additional privileges diff --git a/01-kubernetes-fundamentals/nginx-pod.yaml b/01-kubernetes-fundamentals/nginx-pod.yaml index 4779afa..d8ecc50 100644 --- a/01-kubernetes-fundamentals/nginx-pod.yaml +++ b/01-kubernetes-fundamentals/nginx-pod.yaml @@ -10,6 +10,7 @@ spec: image: nginx:latest ports: - containerPort: 80 + # Add Security Context to the Pod securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false + runAsNonRoot: true # Ensures the container runs as a non-root user + allowPrivilegeEscalation: false # Prevents the container from gaining additional privileges From f5cc58363fa177d25a6ba14da5fff773cf18daad Mon Sep 17 00:00:00 2001 From: Felix Momodebe <163891496+felix-codexyz@users.noreply.github.com> Date: Tue, 8 Jul 2025 17:30:05 -0400 Subject: [PATCH 2/9] Update week1.md --- 99-reflections/week1.md | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/99-reflections/week1.md b/99-reflections/week1.md index db0e639..6e55288 100644 --- a/99-reflections/week1.md 
+++ b/99-reflections/week1.md @@ -6,28 +6,31 @@ This week, I worked through the Kubernetes fundamentals lab where I deployed a b ## βœ… What I Learned -- -- -- -- +- Pods are single units; Deployments manage replicas and scaling (rollout strategies) +- Security contexts is the first line of defense for controlling how containers behave from a security standpoint. It defines privilege and access control settings for a Pod or its individual containers +- Deploy contains 1 or more pods +- Deployment availability depends on pods availability. If a pod is no running, it deployment would not run as well. --- ## ❓ What Was Challenging -- -- -- +- Getting the pods and deployment to be available (running) without compromising the security. +- Error: container has runAsNonRoot and image will run as root (pod: "nginx-deployment-dcb68cf9f-fnx7j_default(65476189-63a9-4c3a-a9e2-20a077318343)", container: nginx) --- ## πŸ§ͺ Commands I Practiced ```bash - - - +kubectl apply -f nginx-pod.yaml +kubectl apply -f nginx-deployment.yaml +kubectl get pods +kubectl get deployment +kubectl describe pods nginx +kubectl describe deployment nginx-deployment +kubectl scale deployment nginx-deployment --replicas=3 ``` @@ -35,17 +38,20 @@ This week, I worked through the Kubernetes fundamentals lab where I deployed a b ## πŸ” Security Improvements I Made -- -- +- Set `runAsNonRoot` to `true` to ensures the container runs as a non-root user +- Set `allowPrivilegeEscalation` to `false` to prevents the container from gaining additional privileges --- ## πŸ“ Questions I Still Have -- -- -- +- How do I get the pods and deployment running (available) without compromising the security. +- How do i fix the error from the `kubectl describe pods` command +- Error: +``` +Error: container has runAsNonRoot and image will run as root (pod: "nginx-deployment-dcb68cf9f-fnx7j_default(65476189-63a9-4c3a-a9e2-20a077318343)", container: nginx) +``` --- ## πŸ“Ž Related YAMLs 
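Review bot: in 01-kubernetes-fundamentals/nginx-deployment.yaml the hunk only adds comments, so the container still pairs `image: nginx:latest` with `runAsNonRoot: true`, and the kubelet refuses to start it; that is the "container has runAsNonRoot and image will run as root" error recorded in week1.md later in this series. Suggest switching to an image whose default user is a non-zero numeric UID (or setting `runAsUser` to a UID the image can actually run as), adjusting `containerPort` if that image does not listen on 80, and pinning the image to a specific tag or digest instead of `latest`.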
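Review bot: in 01-kubernetes-fundamentals/nginx-pod.yaml the added comment `# Add Security Context to the Pod` does not match where the block sits: it follows the container's `ports:` entry, and `allowPrivilegeEscalation` is only valid in a container-level securityContext, not the pod-level one. Reword the comment to say container. The inline comment on `runAsNonRoot: true` also overstates the field: it does not change the user, it makes the kubelet reject a container that would run as UID 0, so "Refuses to start the container if it would run as root" is closer to what happens.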
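Review bot: in 99-reflections/week1.md, under "Questions I Still Have", the `- Error:` bullet is followed by a code fence at column 0, so the fenced error renders outside the list; indent the fence under the bullet or drop the bullet. The same error line is also pasted unfenced under "What Was Challenging", so one fenced copy would be enough. Wording to tidy while here: "Security contexts is", "If a pod is no running, it deployment", "to ensures", "to prevents".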
From 9303e4dd6fc81ab116d0102c74bad9af6f43f65f Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Wed, 9 Jul 2025 00:22:10 +0000 Subject: [PATCH 3/9] question: Pod fails due to runAsNonRoot image incompatibility and Pod won't run due to runAsNonRoot error --- questions/questions.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 questions/questions.md diff --git a/questions/questions.md b/questions/questions.md new file mode 100644 index 0000000..c1aadc9 --- /dev/null +++ b/questions/questions.md @@ -0,0 +1,9 @@ +## question: Pod won't run due to runAsNonRoot error: + +While applying securityContext settings (`runAsNonRoot: true`), my pod failed with Error: container has runAsNonRoot and image will run as root + +## What I expected: +I expected the image to run securely, but it defaults to root. What’s the best practice when securing containers without customizing the image manually? + +## My confusion: +I understand that security is a priority but what is the use of security when it prevents pods from running? From 8ab6524042d998f3041b9cc5d75e7653e46a5748 Mon Sep 17 00:00:00 2001 From: Felix Momodebe <163891496+felix-codexyz@users.noreply.github.com> Date: Tue, 8 Jul 2025 20:26:51 -0400 Subject: [PATCH 4/9] Update questions.md --- questions/questions.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/questions/questions.md b/questions/questions.md index c1aadc9..beb94c9 100644 --- a/questions/questions.md +++ b/questions/questions.md @@ -2,6 +2,9 @@ While applying securityContext settings (`runAsNonRoot: true`), my pod failed with Error: container has runAsNonRoot and image will run as root +![image](https://github.com/user-attachments/assets/938b9c7b-760a-487a-b5ff-323f185cc965) + + ## What I expected: I expected the image to run securely, but it defaults to root. What’s the best practice when securing containers without customizing the image manually? From 1e6f583d12ec26d434172df667f07e48dfbcbb1b Mon Sep 17 00:00:00 2001 
From: Ubuntu Date: Wed, 9 Jul 2025 00:28:09 +0000 Subject: [PATCH 5/9] Updated questions.md file --- questions/questions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/questions/questions.md b/questions/questions.md index c1aadc9..60d59b9 100644 --- a/questions/questions.md +++ b/questions/questions.md @@ -1,4 +1,4 @@ -## question: Pod won't run due to runAsNonRoot error: +## Question: Pod won't run due to runAsNonRoot error: While applying securityContext settings (`runAsNonRoot: true`), my pod failed with Error: container has runAsNonRoot and image will run as root From 496950ee956a69f3cd77455bfbd072675d5b05a0 Mon Sep 17 00:00:00 2001 From: Felix Date: Wed, 9 Jul 2025 00:37:14 +0000 Subject: [PATCH 6/9] Added GROW portfolio badge --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 330817c..7cbe0a6 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,8 @@ +## 🌱 KubeSkills GROW Challenge + +[![GROW Portfolio](https://img.shields.io/badge/GROW-portfolio-blue)](https://github.com/felix-codexyz/student-notebook) + + # πŸ“˜ KubeSkills Student Notebook Template Welcome to your **KubeSkills GitHub Repository of Work (GROW)** πŸͺ΄. From d3eafd0aab8d1502d15552170abd13d1ba11deea Mon Sep 17 00:00:00 2001 From: Flux <> Date: Fri, 18 Jul 2025 03:21:15 +0000 Subject: [PATCH 7/9] Add Flux v2.6.4 component manifests --- clusters/dev/flux-system/gotk-components.yaml | 13032 ++++++++++++++++ 1 file changed, 13032 insertions(+) create mode 100644 clusters/dev/flux-system/gotk-components.yaml diff --git a/clusters/dev/flux-system/gotk-components.yaml b/clusters/dev/flux-system/gotk-components.yaml new file mode 100644 index 0000000..243c478 --- /dev/null +++ b/clusters/dev/flux-system/gotk-components.yaml 
@@ -0,0 +1,13032 @@ +--- +# This manifest was generated by flux. DO NOT EDIT. +# Flux Version: v2.6.4 +# Components: source-controller,kustomize-controller,helm-controller,notification-controller +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + name: flux-system +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: allow-egress + namespace: flux-system +spec: + egress: + - {} + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: allow-scraping + namespace: flux-system +spec: + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + protocol: TCP + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: allow-webhooks + namespace: flux-system +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app: notification-controller + policyTypes: + - Ingress +--- +apiVersion: v1 +kind: ResourceQuota +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: critical-pods-flux-system + namespace: flux-system +spec: + hard: + pods: "1000" + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical + - 
system-cluster-critical +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: crd-controller-flux-system +rules: +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - kustomize.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - helm.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - notification.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - image.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - "" + resources: + - namespaces + - secrets + - configmaps + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- nonResourceURLs: + - /livez/ping + verbs: + - head +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: flux-edit-flux-system +rules: +- apiGroups: + - notification.toolkit.fluxcd.io + - source.toolkit.fluxcd.io + - helm.toolkit.fluxcd.io + - image.toolkit.fluxcd.io + - kustomize.toolkit.fluxcd.io + resources: + - '*' + verbs: + - create + - delete + - deletecollection + - patch + - update +--- 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: flux-view-flux-system +rules: +- apiGroups: + - notification.toolkit.fluxcd.io + - source.toolkit.fluxcd.io + - helm.toolkit.fluxcd.io + - image.toolkit.fluxcd.io + - kustomize.toolkit.fluxcd.io + resources: + - '*' + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: cluster-reconciler-flux-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: kustomize-controller + namespace: flux-system +- kind: ServiceAccount + name: helm-controller + namespace: flux-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: crd-controller-flux-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crd-controller-flux-system +subjects: +- kind: ServiceAccount + name: kustomize-controller + namespace: flux-system +- kind: ServiceAccount + name: helm-controller + namespace: flux-system +- kind: ServiceAccount + name: source-controller + namespace: flux-system +- kind: ServiceAccount + name: notification-controller + namespace: flux-system +- kind: ServiceAccount + name: image-reflector-controller + namespace: flux-system +- kind: ServiceAccount + name: image-automation-controller + namespace: flux-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: 
CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: buckets.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: Bucket + listKind: BucketList + plural: buckets + singular: bucket + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: Bucket is the Schema for the buckets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + BucketSpec specifies the required configuration to produce an Artifact for + an object storage bucket. + properties: + bucketName: + description: BucketName is the name of the object storage bucket. 
+ type: string + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + bucket. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + This field is only supported for the `generic` provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + endpoint: + description: Endpoint is the object storage address the BucketName + is located at. + type: string + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS HTTP Endpoint. + type: boolean + interval: + description: |- + Interval at which the Bucket Endpoint is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + prefix: + description: Prefix to use for server-side filtering of files in the + Bucket. + type: string + provider: + default: generic + description: |- + Provider of the object storage bucket. + Defaults to 'generic', which expects an S3 (API) compatible object + storage. + enum: + - generic + - aws + - gcp + - azure + type: string + proxySecretRef: + description: |- + ProxySecretRef specifies the Secret containing the proxy configuration + to use while communicating with the Bucket server. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + region: + description: Region of the Endpoint where the BucketName is located + in. + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the Bucket. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + sts: + description: |- + STS specifies the required configuration to use a Security Token + Service for fetching temporary credentials to authenticate in a + Bucket provider. + + This field is only supported for the `aws` and `generic` providers. + properties: + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + STS endpoint. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + This field is only supported for the `ldap` provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + endpoint: + description: |- + Endpoint is the HTTP/S endpoint of the Security Token Service from + where temporary credentials will be fetched. + pattern: ^(http|https)://.*$ + type: string + provider: + description: Provider of the Security Token Service. + enum: + - aws + - ldap + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the STS endpoint. This Secret must contain the fields `username` + and `password` and is supported only for the `ldap` provider. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - endpoint + - provider + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + Bucket. + type: boolean + timeout: + default: 60s + description: Timeout for fetch operations, defaults to 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + required: + - bucketName + - endpoint + - interval + type: object + x-kubernetes-validations: + - message: STS configuration is only supported for the 'aws' and 'generic' + Bucket providers + rule: self.provider == 'aws' || self.provider == 'generic' || !has(self.sts) + - message: '''aws'' is the only supported STS provider for the ''aws'' + Bucket provider' + rule: self.provider != 'aws' || !has(self.sts) || self.sts.provider + == 'aws' + - message: '''ldap'' is the only supported STS provider for the ''generic'' + Bucket provider' + rule: self.provider != 'generic' || !has(self.sts) || self.sts.provider + == 'ldap' + - message: spec.sts.secretRef is not required for the 'aws' STS provider + rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.secretRef)' + - message: spec.sts.certSecretRef is not required for the 'aws' STS provider + rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.certSecretRef)' + status: + default: + observedGeneration: -1 + description: BucketStatus records the observed state of a Bucket. + properties: + artifact: + description: Artifact represents the last successful Bucket reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. 
+ format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the Bucket. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Bucket object. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. + type: string + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + BucketStatus.Artifact data is recommended. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 Bucket is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: Bucket is the Schema for the buckets API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BucketSpec defines the desired state of an S3 compatible + bucket + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. 
+ properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + bucketName: + description: The bucket name. + type: string + endpoint: + description: The bucket endpoint address. + type: string + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS S3 HTTP endpoint. + type: boolean + interval: + description: The interval at which to check for bucket updates. + type: string + provider: + default: generic + description: The S3 compatible storage provider name, default ('generic'). + enum: + - generic + - aws + - gcp + type: string + region: + description: The bucket region. + type: string + secretRef: + description: |- + The name of the secret containing authentication credentials + for the Bucket. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for download operations, defaults to 60s. + type: string + required: + - bucketName + - endpoint + - interval + type: object + status: + default: + observedGeneration: -1 + description: BucketStatus defines the observed state of a bucket + properties: + artifact: + description: Artifact represents the output of the last successful + Bucket sync. 
+ properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of this + artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: |- + Revision is a human readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm + chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - lastUpdateTime + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the Bucket. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the artifact output of the + last Bucket sync. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Bucket is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: Bucket is the Schema for the buckets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + BucketSpec specifies the required configuration to produce an Artifact for + an object storage bucket. + properties: + accessFrom: + description: |- + AccessFrom specifies an Access Control List for allowing cross-namespace + references to this object. + NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092 + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + bucketName: + description: BucketName is the name of the object storage bucket. 
+ type: string + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + bucket. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + This field is only supported for the `generic` provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + endpoint: + description: Endpoint is the object storage address the BucketName + is located at. + type: string + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS HTTP Endpoint. + type: boolean + interval: + description: |- + Interval at which the Bucket Endpoint is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + prefix: + description: Prefix to use for server-side filtering of files in the + Bucket. + type: string + provider: + default: generic + description: |- + Provider of the object storage bucket. + Defaults to 'generic', which expects an S3 (API) compatible object + storage. + enum: + - generic + - aws + - gcp + - azure + type: string + proxySecretRef: + description: |- + ProxySecretRef specifies the Secret containing the proxy configuration + to use while communicating with the Bucket server. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + region: + description: Region of the Endpoint where the BucketName is located + in. + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the Bucket. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + sts: + description: |- + STS specifies the required configuration to use a Security Token + Service for fetching temporary credentials to authenticate in a + Bucket provider. + + This field is only supported for the `aws` and `generic` providers. + properties: + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + STS endpoint. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + This field is only supported for the `ldap` provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + endpoint: + description: |- + Endpoint is the HTTP/S endpoint of the Security Token Service from + where temporary credentials will be fetched. + pattern: ^(http|https)://.*$ + type: string + provider: + description: Provider of the Security Token Service. + enum: + - aws + - ldap + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the STS endpoint. This Secret must contain the fields `username` + and `password` and is supported only for the `ldap` provider. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - endpoint + - provider + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + Bucket. + type: boolean + timeout: + default: 60s + description: Timeout for fetch operations, defaults to 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + required: + - bucketName + - endpoint + - interval + type: object + x-kubernetes-validations: + - message: STS configuration is only supported for the 'aws' and 'generic' + Bucket providers + rule: self.provider == 'aws' || self.provider == 'generic' || !has(self.sts) + - message: '''aws'' is the only supported STS provider for the ''aws'' + Bucket provider' + rule: self.provider != 'aws' || !has(self.sts) || self.sts.provider + == 'aws' + - message: '''ldap'' is the only supported STS provider for the ''generic'' + Bucket provider' + rule: self.provider != 'generic' || !has(self.sts) || self.sts.provider + == 'ldap' + - message: spec.sts.secretRef is not required for the 'aws' STS provider + rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.secretRef)' + - message: spec.sts.certSecretRef is not required for the 'aws' STS provider + rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.certSecretRef)' + status: + default: + observedGeneration: -1 + description: BucketStatus records the observed state of a Bucket. + properties: + artifact: + description: Artifact represents the last successful Bucket reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. 
+ format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the Bucket. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Bucket object. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. + type: string + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + BucketStatus.Artifact data is recommended. 
+ type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: gitrepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: GitRepository + listKind: GitRepositoryList + plural: gitrepositories + shortNames: + - gitrepo + singular: gitrepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + GitRepositorySpec specifies the required configuration to produce an + Artifact for a Git repository. 
+ properties: + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + include: + description: |- + Include specifies a list of GitRepository resources which Artifacts + should be included in the Artifact produced for this GitRepository. + items: + description: |- + GitRepositoryInclude specifies a local reference to a GitRepository which + Artifact (sub-)contents must be included, and where they should be placed. + properties: + fromPath: + description: |- + FromPath specifies the path to copy contents from, defaults to the root + of the Artifact. + type: string + repository: + description: |- + GitRepositoryRef specifies the GitRepository which Artifact contents + must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: |- + ToPath specifies the path to copy contents to, defaults to the name of + the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + interval: + description: |- + Interval at which the GitRepository URL is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + provider: + description: |- + Provider used for authentication, can be 'azure', 'github', 'generic'. + When not specified, defaults to 'generic'. + enum: + - generic + - azure + - github + type: string + proxySecretRef: + description: |- + ProxySecretRef specifies the Secret containing the proxy configuration + to use while communicating with the Git server. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + recurseSubmodules: + description: |- + RecurseSubmodules enables the initialization of all submodules within + the GitRepository as cloned from the URL, using their default settings. + type: boolean + ref: + description: |- + Reference specifies the Git reference to resolve and monitor for + changes, defaults to the 'master' branch. + properties: + branch: + description: Branch to check out, defaults to 'master' if no other + field is defined. + type: string + commit: + description: |- + Commit SHA to check out, takes precedence over all reference fields. + + This can be combined with Branch to shallow clone the branch, in which + the commit is expected to exist. + type: string + name: + description: |- + Name of the reference to check out; takes precedence over Branch, Tag and SemVer. + + It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description + Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head" + type: string + semver: + description: SemVer tag expression to check out, takes precedence + over Tag. + type: string + tag: + description: Tag to check out, takes precedence over Branch. + type: string + type: object + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials for + the GitRepository. + For HTTPS repositories the Secret must contain 'username' and 'password' + fields for basic auth or 'bearerToken' field for token auth. + For SSH repositories the Secret must contain 'identity' + and 'known_hosts' fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + sparseCheckout: + description: |- + SparseCheckout specifies a list of directories to checkout when cloning + the repository. If specified, only these directories are included in the + Artifact produced for this GitRepository. 
+ items: + type: string + type: array + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + GitRepository. + type: boolean + timeout: + default: 60s + description: Timeout for Git operations like cloning, defaults to + 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: URL specifies the Git repository URL, it can be an HTTP/S + or SSH address. + pattern: ^(http|https|ssh)://.*$ + type: string + verify: + description: |- + Verification specifies the configuration to verify the Git commit + signature(s). + properties: + mode: + default: HEAD + description: |- + Mode specifies which Git object(s) should be verified. + + The variants "head" and "HEAD" both imply the same thing, i.e. verify + the commit that the HEAD of the Git repository points to. The variant + "head" solely exists to ensure backwards compatibility. + enum: + - head + - HEAD + - Tag + - TagAndHEAD + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing the public keys of trusted Git + authors. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - secretRef + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus records the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the last successful GitRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. 
+ type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + includedArtifacts: + description: |- + IncludedArtifacts contains a list of the last successfully included + Artifacts as instructed by GitRepositorySpec.Include. + items: + description: Artifact represents the output of a Source reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of + ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI + annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. 
+ type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the GitRepository + object. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. + type: string + observedInclude: + description: |- + ObservedInclude is the observed list of GitRepository resources used to + produce the current Artifact. + items: + description: |- + GitRepositoryInclude specifies a local reference to a GitRepository which + Artifact (sub-)contents must be included, and where they should be placed. + properties: + fromPath: + description: |- + FromPath specifies the path to copy contents from, defaults to the root + of the Artifact. + type: string + repository: + description: |- + GitRepositoryRef specifies the GitRepository which Artifact contents + must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: |- + ToPath specifies the path to copy contents to, defaults to the name of + the GitRepositoryRef. 
+ type: string + required: + - repository + type: object + type: array + observedRecurseSubmodules: + description: |- + ObservedRecurseSubmodules is the observed resource submodules + configuration used to produce the current Artifact. + type: boolean + observedSparseCheckout: + description: |- + ObservedSparseCheckout is the observed list of directories used to + produce the current Artifact. + items: + type: string + type: array + sourceVerificationMode: + description: |- + SourceVerificationMode is the last used verification mode indicating + which Git object(s) have been verified. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 GitRepository is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GitRepositorySpec defines the desired state of a Git repository. + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + gitImplementation: + default: go-git + description: |- + Determines which git client library to use. + Defaults to go-git, valid values are ('go-git', 'libgit2'). + enum: + - go-git + - libgit2 + type: string + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + include: + description: Extra git repositories to map into the repository + items: + description: GitRepositoryInclude defines a source with a from and + to path. + properties: + fromPath: + description: The path to copy contents from, defaults to the + root directory. 
+ type: string + repository: + description: Reference to a GitRepository to include. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: The path to copy contents to, defaults to the name + of the source ref. + type: string + required: + - repository + type: object + type: array + interval: + description: The interval at which to check for repository updates. + type: string + recurseSubmodules: + description: |- + When enabled, after the clone is created, initializes all submodules within, + using their default settings. + This option is available only when using the 'go-git' GitImplementation. + type: boolean + ref: + description: |- + The Git reference to checkout and monitor for changes, defaults to + master branch. + properties: + branch: + description: The Git branch to checkout, defaults to master. + type: string + commit: + description: The Git commit SHA to checkout, if specified Tag + filters will be ignored. + type: string + semver: + description: The Git tag semver expression, takes precedence over + Tag. + type: string + tag: + description: The Git tag to checkout, takes precedence over Branch. + type: string + type: object + secretRef: + description: |- + The secret name containing the Git credentials. + For HTTPS repositories the secret must contain username and password + fields. + For SSH repositories the secret must contain identity and known_hosts + fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for remote Git operations like cloning, defaults + to 60s. + type: string + url: + description: The repository URL, can be a HTTP/S or SSH address. 
+ pattern: ^(http|https|ssh)://.*$ + type: string + verify: + description: Verify OpenPGP signature for the Git commit HEAD points + to. + properties: + mode: + description: Mode describes what git object should be verified, + currently ('head'). + enum: + - head + type: string + secretRef: + description: The secret name containing the public keys of all + trusted Git authors. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - mode + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus defines the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the output of the last successful + repository sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of this + artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: |- + Revision is a human readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm + chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - lastUpdateTime + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + includedArtifacts: + description: IncludedArtifacts represents the included artifacts from + the last successful repository sync. + items: + description: Artifact represents the output of a source synchronisation. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. 
+ type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of this + artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: |- + Revision is a human readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm + chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - lastUpdateTime + - path + - url + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: |- + URL is the download link for the artifact output of the last repository + sync. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 GitRepository is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + GitRepositorySpec specifies the required configuration to produce an + Artifact for a Git repository. + properties: + accessFrom: + description: |- + AccessFrom specifies an Access Control List for allowing cross-namespace + references to this object. + NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092 + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + gitImplementation: + default: go-git + description: |- + GitImplementation specifies which Git client library implementation to + use. Defaults to 'go-git', valid values are ('go-git', 'libgit2'). + Deprecated: gitImplementation is deprecated now that 'go-git' is the + only supported implementation. 
+ enum: + - go-git + - libgit2 + type: string + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + include: + description: |- + Include specifies a list of GitRepository resources which Artifacts + should be included in the Artifact produced for this GitRepository. + items: + description: |- + GitRepositoryInclude specifies a local reference to a GitRepository which + Artifact (sub-)contents must be included, and where they should be placed. + properties: + fromPath: + description: |- + FromPath specifies the path to copy contents from, defaults to the root + of the Artifact. + type: string + repository: + description: |- + GitRepositoryRef specifies the GitRepository which Artifact contents + must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: |- + ToPath specifies the path to copy contents to, defaults to the name of + the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + interval: + description: Interval at which to check the GitRepository for updates. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + recurseSubmodules: + description: |- + RecurseSubmodules enables the initialization of all submodules within + the GitRepository as cloned from the URL, using their default settings. + type: boolean + ref: + description: |- + Reference specifies the Git reference to resolve and monitor for + changes, defaults to the 'master' branch. + properties: + branch: + description: Branch to check out, defaults to 'master' if no other + field is defined. + type: string + commit: + description: |- + Commit SHA to check out, takes precedence over all reference fields. 
+ + This can be combined with Branch to shallow clone the branch, in which + the commit is expected to exist. + type: string + name: + description: |- + Name of the reference to check out; takes precedence over Branch, Tag and SemVer. + + It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description + Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head" + type: string + semver: + description: SemVer tag expression to check out, takes precedence + over Tag. + type: string + tag: + description: Tag to check out, takes precedence over Branch. + type: string + type: object + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials for + the GitRepository. + For HTTPS repositories the Secret must contain 'username' and 'password' + fields for basic auth or 'bearerToken' field for token auth. + For SSH repositories the Secret must contain 'identity' + and 'known_hosts' fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + GitRepository. + type: boolean + timeout: + default: 60s + description: Timeout for Git operations like cloning, defaults to + 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: URL specifies the Git repository URL, it can be an HTTP/S + or SSH address. + pattern: ^(http|https|ssh)://.*$ + type: string + verify: + description: |- + Verification specifies the configuration to verify the Git commit + signature(s). + properties: + mode: + description: Mode specifies what Git object should be verified, + currently ('head'). + enum: + - head + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing the public keys of trusted Git + authors. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + required: + - mode + - secretRef + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus records the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the last successful GitRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + contentConfigChecksum: + description: |- + ContentConfigChecksum is a checksum of all the configurations related to + the content of the source artifact: + - .spec.ignore + - .spec.recurseSubmodules + - .spec.included and the checksum of the included artifacts + observed in .status.observedGeneration version of the object. This can + be used to determine if the content of the included repository has + changed. + It has the format of `:`, for example: `sha256:`. + + Deprecated: Replaced with explicit fields for observed artifact content + config in the status. + type: string + includedArtifacts: + description: |- + IncludedArtifacts contains a list of the last successfully included + Artifacts as instructed by GitRepositorySpec.Include. + items: + description: Artifact represents the output of a Source reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of + ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI + annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. 
+ type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the GitRepository + object. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. + type: string + observedInclude: + description: |- + ObservedInclude is the observed list of GitRepository resources used to + to produce the current Artifact. + items: + description: |- + GitRepositoryInclude specifies a local reference to a GitRepository which + Artifact (sub-)contents must be included, and where they should be placed. + properties: + fromPath: + description: |- + FromPath specifies the path to copy contents from, defaults to the root + of the Artifact. + type: string + repository: + description: |- + GitRepositoryRef specifies the GitRepository which Artifact contents + must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: |- + ToPath specifies the path to copy contents to, defaults to the name of + the GitRepositoryRef. 
+ type: string + required: + - repository + type: object + type: array + observedRecurseSubmodules: + description: |- + ObservedRecurseSubmodules is the observed resource submodules + configuration used to produce the current Artifact. + type: boolean + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + GitRepositoryStatus.Artifact data is recommended. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: helmcharts.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: HelmChart + listKind: HelmChartList + plural: helmcharts + shortNames: + - hc + singular: helmchart + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.chart + name: Chart + type: string + - jsonPath: .spec.version + name: Version + type: string + - jsonPath: .spec.sourceRef.kind + name: Source Kind + type: string + - jsonPath: .spec.sourceRef.name + name: Source Name + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: HelmChart is the Schema for the helmcharts API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmChartSpec specifies the desired state of a Helm chart. + properties: + chart: + description: |- + Chart is the name or path the Helm chart is available at in the + SourceRef. + type: string + ignoreMissingValuesFiles: + description: |- + IgnoreMissingValuesFiles controls whether to silently ignore missing values + files rather than failing. + type: boolean + interval: + description: |- + Interval at which the HelmChart SourceRef is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: |- + ReconcileStrategy determines what enables the creation of a new artifact. + Valid values are ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: SourceRef is the reference to the Source the chart is + available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: |- + Kind of the referent, valid values are ('HelmRepository', 'GitRepository', + 'Bucket'). + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. 
+ type: string + required: + - kind + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + source. + type: boolean + valuesFiles: + description: |- + ValuesFiles is an alternative list of values files to use as the chart + values (values.yaml is not included by default), expected to be a + relative path in the SourceRef. + Values files are merged in the order of this list with the last file + overriding the first. Ignored when omitted. + items: + type: string + type: array + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + This field is only supported when using HelmRepository source with spec.type 'oci'. + Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified. + properties: + matchOIDCIdentity: + description: |- + MatchOIDCIdentity specifies the identity matching criteria to use + while verifying an OCI artifact which was signed using Cosign keyless + signing. The artifact's identity is deemed to be verified if any of the + specified matchers match against the identity. + items: + description: |- + OIDCIdentityMatch specifies options for verifying the certificate identity, + i.e. the issuer and the subject of the certificate. + properties: + issuer: + description: |- + Issuer specifies the regex pattern to match against to verify + the OIDC issuer in the Fulcio certificate. The pattern must be a + valid Go regular expression. + type: string + subject: + description: |- + Subject specifies the regex pattern to match against to verify + the identity subject in the Fulcio certificate. The pattern must + be a valid Go regular expression. 
+ type: string + required: + - issuer + - subject + type: object + type: array + provider: + default: cosign + description: Provider specifies the technology used to sign the + OCI Artifact. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: |- + Version is the chart version semver expression, ignored for charts from + GitRepository and Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - interval + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: HelmChartStatus records the observed state of the HelmChart. + properties: + artifact: + description: Artifact represents the output of the last successful + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. 
+ format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmChart. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedChartName: + description: |- + ObservedChartName is the last observed chart name as specified by the + resolved chart reference. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the HelmChart + object. + format: int64 + type: integer + observedSourceArtifactRevision: + description: |- + ObservedSourceArtifactRevision is the last observed Artifact.Revision + of the HelmChartSpec.SourceRef. + type: string + observedValuesFiles: + description: |- + ObservedValuesFiles are the observed value files of the last successful + reconciliation. + It matches the chart in the last successfully reconciled artifact. + items: + type: string + type: array + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + BucketStatus.Artifact data is recommended. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.chart + name: Chart + type: string + - jsonPath: .spec.version + name: Version + type: string + - jsonPath: .spec.sourceRef.kind + name: Source Kind + type: string + - jsonPath: .spec.sourceRef.name + name: Source Name + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 HelmChart is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: HelmChart is the Schema for the helmcharts API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmChartSpec defines the desired state of a Helm chart. + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. 
+ items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + chart: + description: The name or path the Helm chart is available at in the + SourceRef. + type: string + interval: + description: The interval at which to check the Source for updates. + type: string + reconcileStrategy: + default: ChartVersion + description: |- + Determines what enables the creation of a new artifact. Valid values are + ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: The reference to the Source the chart is available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: |- + Kind of the referent, valid values are ('HelmRepository', 'GitRepository', + 'Bucket'). + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + required: + - kind + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + valuesFile: + description: |- + Alternative values file to use as the default chart values, expected to + be a relative path in the SourceRef. 
Deprecated in favor of ValuesFiles, + for backwards compatibility the file defined here is merged before the + ValuesFiles items. Ignored when omitted. + type: string + valuesFiles: + description: |- + Alternative list of values files to use as the chart values (values.yaml + is not included by default), expected to be a relative path in the SourceRef. + Values files are merged in the order of this list with the last file overriding + the first. Ignored when omitted. + items: + type: string + type: array + version: + default: '*' + description: |- + The chart version semver expression, ignored for charts from GitRepository + and Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - interval + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: HelmChartStatus defines the observed state of the HelmChart. + properties: + artifact: + description: Artifact represents the output of the last successful + chart sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of this + artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: |- + Revision is a human readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm + chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - lastUpdateTime + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmChart. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. 
+ type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the last chart pulled. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.chart + name: Chart + type: string + - jsonPath: .spec.version + name: Version + type: string + - jsonPath: .spec.sourceRef.kind + name: Source Kind + type: string + - jsonPath: .spec.sourceRef.name + name: Source Name + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 HelmChart is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: HelmChart is the Schema for the helmcharts API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmChartSpec specifies the desired state of a Helm chart. 
+ properties: + accessFrom: + description: |- + AccessFrom specifies an Access Control List for allowing cross-namespace + references to this object. + NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092 + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + chart: + description: |- + Chart is the name or path the Helm chart is available at in the + SourceRef. + type: string + ignoreMissingValuesFiles: + description: |- + IgnoreMissingValuesFiles controls whether to silently ignore missing values + files rather than failing. + type: boolean + interval: + description: |- + Interval at which the HelmChart SourceRef is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: |- + ReconcileStrategy determines what enables the creation of a new artifact. + Valid values are ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. 
+ enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: SourceRef is the reference to the Source the chart is + available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: |- + Kind of the referent, valid values are ('HelmRepository', 'GitRepository', + 'Bucket'). + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + required: + - kind + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + source. + type: boolean + valuesFile: + description: |- + ValuesFile is an alternative values file to use as the default chart + values, expected to be a relative path in the SourceRef. Deprecated in + favor of ValuesFiles, for backwards compatibility the file specified here + is merged before the ValuesFiles items. Ignored when omitted. + type: string + valuesFiles: + description: |- + ValuesFiles is an alternative list of values files to use as the chart + values (values.yaml is not included by default), expected to be a + relative path in the SourceRef. + Values files are merged in the order of this list with the last file + overriding the first. Ignored when omitted. + items: + type: string + type: array + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + This field is only supported when using HelmRepository source with spec.type 'oci'. + Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified. + properties: + matchOIDCIdentity: + description: |- + MatchOIDCIdentity specifies the identity matching criteria to use + while verifying an OCI artifact which was signed using Cosign keyless + signing. 
The artifact's identity is deemed to be verified if any of the + specified matchers match against the identity. + items: + description: |- + OIDCIdentityMatch specifies options for verifying the certificate identity, + i.e. the issuer and the subject of the certificate. + properties: + issuer: + description: |- + Issuer specifies the regex pattern to match against to verify + the OIDC issuer in the Fulcio certificate. The pattern must be a + valid Go regular expression. + type: string + subject: + description: |- + Subject specifies the regex pattern to match against to verify + the identity subject in the Fulcio certificate. The pattern must + be a valid Go regular expression. + type: string + required: + - issuer + - subject + type: object + type: array + provider: + default: cosign + description: Provider specifies the technology used to sign the + OCI Artifact. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: |- + Version is the chart version semver expression, ignored for charts from + GitRepository and Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - interval + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: HelmChartStatus records the observed state of the HelmChart. + properties: + artifact: + description: Artifact represents the output of the last successful + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. 
+ format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmChart. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedChartName: + description: |- + ObservedChartName is the last observed chart name as specified by the + resolved chart reference. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the HelmChart + object. + format: int64 + type: integer + observedSourceArtifactRevision: + description: |- + ObservedSourceArtifactRevision is the last observed Artifact.Revision + of the HelmChartSpec.SourceRef. + type: string + observedValuesFiles: + description: |- + ObservedValuesFiles are the observed value files of the last successful + reconciliation. 
+ It matches the chart in the last successfully reconciled artifact. + items: + type: string + type: array + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + BucketStatus.Artifact data is recommended. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: helmrepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: HelmRepository + listKind: HelmRepositoryList + plural: helmrepositories + shortNames: + - helmrepo + singular: helmrepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: HelmRepository is the Schema for the helmrepositories API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. 
+ In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + HelmRepositorySpec specifies the required configuration to produce an + Artifact for a Helm repository index YAML. + properties: + accessFrom: + description: |- + AccessFrom specifies an Access Control List for allowing cross-namespace + references to this object. + NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092 + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + It takes precedence over the values specified in the Secret referred + to by `.spec.secretRef`. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + insecure: + description: |- + Insecure allows connecting to a non-TLS HTTP container registry. + This field is only taken into account if the .spec.type field is set to 'oci'. + type: boolean + interval: + description: |- + Interval at which the HelmRepository URL is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + passCredentials: + description: |- + PassCredentials allows the credentials from the SecretRef to be passed + on to a host that does not match the host as defined in URL. + This may be required if the host of the advertised chart URLs in the + index differ from the defined URL. + Enabling this should be done with caution, as it can potentially result + in credentials getting stolen in a MITM-attack. + type: boolean + provider: + default: generic + description: |- + Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. + This field is optional, and only taken into account if the .spec.type field is set to 'oci'. + When not specified, defaults to 'generic'. + enum: + - generic + - aws + - azure + - gcp + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the HelmRepository. + For HTTP/S basic auth the secret must contain 'username' and 'password' + fields. + Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile' + keys is deprecated. Please use `.spec.certSecretRef` instead. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + HelmRepository. 
+ type: boolean + timeout: + description: |- + Timeout is used for the index fetch operation for an HTTPS helm repository, + and for remote OCI Repository operations like pulling for an OCI helm + chart by the associated HelmChart. + Its default value is 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: |- + Type of the HelmRepository. + When this field is set to "oci", the URL field value must be prefixed with "oci://". + enum: + - default + - oci + type: string + url: + description: |- + URL of the Helm repository, a valid URL contains at least a protocol and + host. + pattern: ^(http|https|oci)://.*$ + type: string + required: + - url + type: object + status: + default: + observedGeneration: -1 + description: HelmRepositoryStatus records the observed state of the HelmRepository. + properties: + artifact: + description: Artifact represents the last successful HelmRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. 
+ format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the HelmRepository + object. + format: int64 + type: integer + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + HelmRepositoryStatus.Artifact data is recommended. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 HelmRepository is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: HelmRepository is the Schema for the helmrepositories API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmRepositorySpec defines the reference to a Helm repository. + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + interval: + description: The interval at which to check the upstream for updates. + type: string + passCredentials: + description: |- + PassCredentials allows the credentials from the SecretRef to be passed on to + a host that does not match the host as defined in URL. + This may be required if the host of the advertised chart URLs in the index + differ from the defined URL. 
+ Enabling this should be done with caution, as it can potentially result in + credentials getting stolen in a MITM-attack. + type: boolean + secretRef: + description: |- + The name of the secret containing authentication credentials for the Helm + repository. + For HTTP/S basic auth the secret must contain username and + password fields. + For TLS the secret must contain a certFile and keyFile, and/or + caFile fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout of index downloading, defaults to 60s. + type: string + url: + description: The Helm repository URL, a valid URL contains at least + a protocol and host. + type: string + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: HelmRepositoryStatus defines the observed state of the HelmRepository. + properties: + artifact: + description: Artifact represents the output of the last successful + repository sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of this + artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: |- + Revision is a human readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm + chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - lastUpdateTime + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmRepository. 
+ items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the last index fetched. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 HelmRepository is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: HelmRepository is the Schema for the helmrepositories API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + HelmRepositorySpec specifies the required configuration to produce an + Artifact for a Helm repository index YAML. + properties: + accessFrom: + description: |- + AccessFrom specifies an Access Control List for allowing cross-namespace + references to this object. + NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092 + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + It takes precedence over the values specified in the Secret referred + to by `.spec.secretRef`. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + insecure: + description: |- + Insecure allows connecting to a non-TLS HTTP container registry. + This field is only taken into account if the .spec.type field is set to 'oci'. + type: boolean + interval: + description: |- + Interval at which the HelmRepository URL is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + passCredentials: + description: |- + PassCredentials allows the credentials from the SecretRef to be passed + on to a host that does not match the host as defined in URL. + This may be required if the host of the advertised chart URLs in the + index differ from the defined URL. + Enabling this should be done with caution, as it can potentially result + in credentials getting stolen in a MITM-attack. + type: boolean + provider: + default: generic + description: |- + Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. + This field is optional, and only taken into account if the .spec.type field is set to 'oci'. + When not specified, defaults to 'generic'. + enum: + - generic + - aws + - azure + - gcp + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the HelmRepository. + For HTTP/S basic auth the secret must contain 'username' and 'password' + fields. + Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile' + keys is deprecated. Please use `.spec.certSecretRef` instead. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + HelmRepository. 
+ type: boolean + timeout: + description: |- + Timeout is used for the index fetch operation for an HTTPS helm repository, + and for remote OCI Repository operations like pulling for an OCI helm + chart by the associated HelmChart. + Its default value is 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: |- + Type of the HelmRepository. + When this field is set to "oci", the URL field value must be prefixed with "oci://". + enum: + - default + - oci + type: string + url: + description: |- + URL of the Helm repository, a valid URL contains at least a protocol and + host. + pattern: ^(http|https|oci)://.*$ + type: string + required: + - url + type: object + status: + default: + observedGeneration: -1 + description: HelmRepositoryStatus records the observed state of the HelmRepository. + properties: + artifact: + description: Artifact represents the last successful HelmRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. 
+ format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the HelmRepository + object. + format: int64 + type: integer + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + HelmRepositoryStatus.Artifact data is recommended. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: ocirepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: OCIRepository + listKind: OCIRepositoryList + plural: ocirepositories + shortNames: + - ocirepo + singular: ocirepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + 
schema: + openAPIV3Schema: + description: OCIRepository is the Schema for the ocirepositories API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: OCIRepositorySpec defines the desired state of OCIRepository + properties: + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS HTTP container + registry. 
+ type: boolean + interval: + description: |- + Interval at which the OCIRepository URL is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + layerSelector: + description: |- + LayerSelector specifies which layer should be extracted from the OCI artifact. + When not specified, the first layer found in the artifact is selected. + properties: + mediaType: + description: |- + MediaType specifies the OCI media type of the layer + which should be extracted from the OCI Artifact. The + first layer matching this type is selected. + type: string + operation: + description: |- + Operation specifies how the selected layer should be processed. + By default, the layer compressed content is extracted to storage. + When the operation is set to 'copy', the layer compressed content + is persisted to storage as it is. + enum: + - extract + - copy + type: string + type: object + provider: + default: generic + description: |- + The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. + When not specified, defaults to 'generic'. + enum: + - generic + - aws + - azure + - gcp + type: string + proxySecretRef: + description: |- + ProxySecretRef specifies the Secret containing the proxy configuration + to use while communicating with the container registry. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + ref: + description: |- + The OCI reference to pull and monitor for changes, + defaults to the latest tag. + properties: + digest: + description: |- + Digest is the image digest to pull, takes precedence over SemVer. + The value should be in the format 'sha256:'. + type: string + semver: + description: |- + SemVer is the range of tags to pull selecting the latest within + the range, takes precedence over Tag. 
+ type: string + semverFilter: + description: SemverFilter is a regex pattern to filter the tags + within the SemVer range. + type: string + tag: + description: Tag is the image tag to pull, defaults to latest. + type: string + type: object + secretRef: + description: |- + SecretRef contains the secret name containing the registry login + credentials to resolve image metadata. + The secret must be of type kubernetes.io/dockerconfigjson. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate + the image pull if the service account has attached pull secrets. For more information: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account + type: string + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for remote OCI Repository operations like + pulling, defaults to 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: |- + URL is a reference to an OCI artifact repository hosted + on a remote container registry. + pattern: ^oci://.*$ + type: string + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + properties: + matchOIDCIdentity: + description: |- + MatchOIDCIdentity specifies the identity matching criteria to use + while verifying an OCI artifact which was signed using Cosign keyless + signing. The artifact's identity is deemed to be verified if any of the + specified matchers match against the identity. + items: + description: |- + OIDCIdentityMatch specifies options for verifying the certificate identity, + i.e. 
the issuer and the subject of the certificate. + properties: + issuer: + description: |- + Issuer specifies the regex pattern to match against to verify + the OIDC issuer in the Fulcio certificate. The pattern must be a + valid Go regular expression. + type: string + subject: + description: |- + Subject specifies the regex pattern to match against to verify + the identity subject in the Fulcio certificate. The pattern must + be a valid Go regular expression. + type: string + required: + - issuer + - subject + type: object + type: array + provider: + default: cosign + description: Provider specifies the technology used to sign the + OCI Artifact. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: OCIRepositoryStatus defines the observed state of OCIRepository + properties: + artifact: + description: Artifact represents the output of the last successful + OCI Repository sync. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. 
+ type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the OCIRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. + type: string + observedLayerSelector: + description: |- + ObservedLayerSelector is the observed layer selector used for constructing + the source artifact. + properties: + mediaType: + description: |- + MediaType specifies the OCI media type of the layer + which should be extracted from the OCI Artifact. The + first layer matching this type is selected. + type: string + operation: + description: |- + Operation specifies how the selected layer should be processed. + By default, the layer compressed content is extracted to storage. + When the operation is set to 'copy', the layer compressed content + is persisted to storage as it is. + enum: + - extract + - copy + type: string + type: object + url: + description: URL is the download link for the artifact output of the + last OCI Repository sync. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta2 OCIRepository is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: OCIRepository is the Schema for the ocirepositories API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: OCIRepositorySpec defines the desired state of OCIRepository + properties: + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. 
The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + Note: Support for the `caFile`, `certFile` and `keyFile` keys have + been deprecated. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS HTTP container + registry. + type: boolean + interval: + description: |- + Interval at which the OCIRepository URL is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + layerSelector: + description: |- + LayerSelector specifies which layer should be extracted from the OCI artifact. + When not specified, the first layer found in the artifact is selected. + properties: + mediaType: + description: |- + MediaType specifies the OCI media type of the layer + which should be extracted from the OCI Artifact. The + first layer matching this type is selected. + type: string + operation: + description: |- + Operation specifies how the selected layer should be processed. + By default, the layer compressed content is extracted to storage. + When the operation is set to 'copy', the layer compressed content + is persisted to storage as it is. + enum: + - extract + - copy + type: string + type: object + provider: + default: generic + description: |- + The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. + When not specified, defaults to 'generic'. 
+ enum: + - generic + - aws + - azure + - gcp + type: string + proxySecretRef: + description: |- + ProxySecretRef specifies the Secret containing the proxy configuration + to use while communicating with the container registry. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + ref: + description: |- + The OCI reference to pull and monitor for changes, + defaults to the latest tag. + properties: + digest: + description: |- + Digest is the image digest to pull, takes precedence over SemVer. + The value should be in the format 'sha256:'. + type: string + semver: + description: |- + SemVer is the range of tags to pull selecting the latest within + the range, takes precedence over Tag. + type: string + semverFilter: + description: SemverFilter is a regex pattern to filter the tags + within the SemVer range. + type: string + tag: + description: Tag is the image tag to pull, defaults to latest. + type: string + type: object + secretRef: + description: |- + SecretRef contains the secret name containing the registry login + credentials to resolve image metadata. + The secret must be of type kubernetes.io/dockerconfigjson. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate + the image pull if the service account has attached pull secrets. For more information: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account + type: string + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for remote OCI Repository operations like + pulling, defaults to 60s. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: |- + URL is a reference to an OCI artifact repository hosted + on a remote container registry. + pattern: ^oci://.*$ + type: string + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + properties: + matchOIDCIdentity: + description: |- + MatchOIDCIdentity specifies the identity matching criteria to use + while verifying an OCI artifact which was signed using Cosign keyless + signing. The artifact's identity is deemed to be verified if any of the + specified matchers match against the identity. + items: + description: |- + OIDCIdentityMatch specifies options for verifying the certificate identity, + i.e. the issuer and the subject of the certificate. + properties: + issuer: + description: |- + Issuer specifies the regex pattern to match against to verify + the OIDC issuer in the Fulcio certificate. The pattern must be a + valid Go regular expression. + type: string + subject: + description: |- + Subject specifies the regex pattern to match against to verify + the identity subject in the Fulcio certificate. The pattern must + be a valid Go regular expression. + type: string + required: + - issuer + - subject + type: object + type: array + provider: + default: cosign + description: Provider specifies the technology used to sign the + OCI Artifact. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + required: + - provider + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: OCIRepositoryStatus defines the observed state of OCIRepository + properties: + artifact: + description: Artifact represents the output of the last successful + OCI Repository sync. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the OCIRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + contentConfigChecksum: + description: |- + ContentConfigChecksum is a checksum of all the configurations related to + the content of the source artifact: + - .spec.ignore + - .spec.layerSelector + observed in .status.observedGeneration version of the object. This can + be used to determine if the content configuration has changed and the + artifact needs to be rebuilt. + It has the format of `:`, for example: `sha256:`. + + Deprecated: Replaced with explicit fields for observed artifact content + config in the status. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. + type: string + observedLayerSelector: + description: |- + ObservedLayerSelector is the observed layer selector used for constructing + the source artifact. + properties: + mediaType: + description: |- + MediaType specifies the OCI media type of the layer + which should be extracted from the OCI Artifact. The + first layer matching this type is selected. + type: string + operation: + description: |- + Operation specifies how the selected layer should be processed. + By default, the layer compressed content is extracted to storage. + When the operation is set to 'copy', the layer compressed content + is persisted to storage as it is. 
+ enum: + - extract + - copy + type: string + type: object + url: + description: URL is the download link for the artifact output of the + last OCI Repository sync. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: source-controller + namespace: flux-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + control-plane: controller + name: source-controller + namespace: flux-system +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app: source-controller + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + control-plane: controller + name: source-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: source-controller + strategy: + type: Recreate + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: source-controller + spec: + containers: + - args: + - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ + - --watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + - --storage-path=/data + - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local. 
+ env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: TUF_ROOT + value: /tmp/.sigstore + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.memory + image: ghcr.io/fluxcd/source-controller:v1.6.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 9090 + name: http + protocol: TCP + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: / + port: http + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 50m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /data + name: data + - mountPath: /tmp + name: tmp + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1337 + serviceAccountName: source-controller + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: data + - emptyDir: {} + name: tmp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: kustomize-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: kustomizations.kustomize.toolkit.fluxcd.io +spec: + group: kustomize.toolkit.fluxcd.io + names: + kind: Kustomization + listKind: KustomizationList + plural: kustomizations + shortNames: + - ks + singular: kustomization + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp 
+ name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: Kustomization is the Schema for the kustomizations API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + KustomizationSpec defines the configuration to calculate the desired state + from a Source using Kustomize. + properties: + commonMetadata: + description: |- + CommonMetadata specifies the common labels and annotations that are + applied to all resources. Any existing label or annotation will be + overridden if its key matches a common one. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to be added to the object's metadata. + type: object + labels: + additionalProperties: + type: string + description: Labels to be added to the object's metadata. + type: object + type: object + components: + description: Components specifies relative paths to specifications + of other Components. + items: + type: string + type: array + decryption: + description: Decrypt Kubernetes secrets before applying them on the + cluster. 
+ properties: + provider: + description: Provider is the name of the decryption engine. + enum: + - sops + type: string + secretRef: + description: |- + The secret name containing the private OpenPGP keys used for decryption. + A static credential for a cloud provider defined inside the Secret + takes priority to secret-less authentication with the ServiceAccountName + field. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the service account used to + authenticate with KMS services from cloud providers. If a + static credential for a given cloud provider is defined + inside the Secret referenced by SecretRef, that static + credential takes priority. + type: string + required: + - provider + type: object + deletionPolicy: + description: |- + DeletionPolicy can be used to control garbage collection when this + Kustomization is deleted. Valid values are ('MirrorPrune', 'Delete', + 'WaitForTermination', 'Orphan'). 'MirrorPrune' mirrors the Prune field + (orphan if false, delete if true). Defaults to 'MirrorPrune'. + enum: + - MirrorPrune + - Delete + - WaitForTermination + - Orphan + type: string + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice + with references to Kustomization resources that must be ready before this + Kustomization can be reconciled. + items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. 
+ type: string + required: + - name + type: object + type: array + force: + default: false + description: |- + Force instructs the controller to recreate resources + when patching fails due to an immutable field change. + type: boolean + healthCheckExprs: + description: |- + HealthCheckExprs is a list of healthcheck expressions for evaluating the + health of custom resources using Common Expression Language (CEL). + The expressions are evaluated only when Wait or HealthChecks are specified. + items: + description: CustomHealthCheck defines the health check for custom + resources. + properties: + apiVersion: + description: APIVersion of the custom resource under evaluation. + type: string + current: + description: |- + Current is the CEL expression that determines if the status + of the custom resource has reached the desired state. + type: string + failed: + description: |- + Failed is the CEL expression that determines if the status + of the custom resource has failed to reach the desired state. + type: string + inProgress: + description: |- + InProgress is the CEL expression that determines if the status + of the custom resource has not yet reached the desired state. + type: string + kind: + description: Kind of the custom resource under evaluation. + type: string + required: + - apiVersion + - current + - kind + type: object + type: array + healthChecks: + description: A list of resources to be included in the health assessment. + items: + description: |- + NamespacedObjectKindReference contains enough information to locate the typed referenced Kubernetes resource object + in any namespace. + properties: + apiVersion: + description: API version of the referent, if not specified the + Kubernetes preferred version will be used. + type: string + kind: + description: Kind of the referent. + type: string + name: + description: Name of the referent. 
+ type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - kind + - name + type: object + type: array + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, a new tag + or digest, which will replace the original name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace the original + name. + type: string + newTag: + description: NewTag is the value used to replace the original + tag. + type: string + required: + - name + type: object + type: array + interval: + description: |- + The interval at which to reconcile the Kustomization. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: |- + The KubeConfig for reconciling the Kustomization on a remote cluster. + When used in combination with KustomizationSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at the + target cluster. + If the --default-service-account flag is set, its value will be used as + a controller level fallback for when KustomizationSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: |- + SecretRef holds the name of a secret that contains a key with + the kubeconfig file as the value. If no key is set, the key will default + to 'value'. 
+ It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + namePrefix: + description: NamePrefix will prefix the names of all managed resources. + maxLength: 200 + minLength: 1 + type: string + nameSuffix: + description: NameSuffix will suffix the names of all managed resources. + maxLength: 200 + minLength: 1 + type: string + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + path: + description: |- + Path to the directory containing the kustomization.yaml file, or the + set of plain YAMLs a kustomization.yaml should be generated for. + Defaults to 'None', which translates to the root path of the SourceRef. + type: string + postBuild: + description: |- + PostBuild describes which actions to perform on the YAML manifest + generated by building the kustomize overlay. + properties: + substitute: + additionalProperties: + type: string + description: |- + Substitute holds a map of key/value pairs. + The variables defined in your YAML manifests that match any of the keys + defined in the map will be substituted with the set value. + Includes support for bash string replacement functions + e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}. 
+ type: object + substituteFrom: + description: |- + SubstituteFrom holds references to ConfigMaps and Secrets containing + the variables and their values to be substituted in the YAML manifests. + The ConfigMap and the Secret data keys represent the var names, and they + must match the vars declared in the manifests for the substitution to + happen. + items: + description: |- + SubstituteReference contains a reference to a resource containing + the variables name and value. + properties: + kind: + description: Kind of the values referent, valid values are + ('Secret', 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + default: false + description: |- + Optional indicates whether the referenced resource must exist, or whether to + tolerate its absence. If true and the referenced resource is absent, proceed + as if the resource was present but empty, without any variables defined. + type: boolean + required: + - kind + - name + type: object + type: array + type: object + prune: + description: Prune enables garbage collection. + type: boolean + retryInterval: + description: |- + The interval at which to retry a previously failed reconciliation. + When not specified, the controller uses the KustomizationSpec.Interval + value to retry failures. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this Kustomization. + type: string + sourceRef: + description: Reference of the source where the kustomization file + is. + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: Kind of the referent. 
+ enum: + - OCIRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + namespace: + description: |- + Namespace of the referent, defaults to the namespace of the Kubernetes + resource object that contains the reference. + type: string + required: + - kind + - name + type: object + suspend: + description: |- + This flag tells the controller to suspend subsequent kustomize executions, + it does not apply to already started executions. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace sets or overrides the namespace in the + kustomization.yaml file. + maxLength: 63 + minLength: 1 + type: string + timeout: + description: |- + Timeout for validation, apply and health checking operations. + Defaults to 'Interval' duration. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + wait: + description: |- + Wait instructs the controller to check the health of all the reconciled + resources. When enabled, the HealthChecks are ignored. Defaults to false. + type: boolean + required: + - interval + - prune + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: KustomizationStatus defines the observed state of a kustomization. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + inventory: + description: |- + Inventory contains the list of Kubernetes resource object references that + have been successfully applied. + properties: + entries: + description: Entries of Kubernetes resource object references. + items: + description: ResourceRef contains the information necessary + to locate a resource within a cluster. + properties: + id: + description: |- + ID is the string representation of the Kubernetes resource object's metadata, + in the format '___'. + type: string + v: + description: Version is the API version of the Kubernetes + resource object's kind. 
+ type: string + required: + - id + - v + type: object + type: array + required: + - entries + type: object + lastAppliedOriginRevision: + description: |- + The last successfully applied origin revision. + Equals the origin revision of the applied Artifact from the referenced Source. + Usually present on the Metadata of the applied Artifact and depends on the + Source type, e.g. for OCI it's the value associated with the key + "org.opencontainers.image.revision". + type: string + lastAppliedRevision: + description: |- + The last successfully applied revision. + Equals the Revision of the applied Artifact from the referenced Source. + type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 Kustomization is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: Kustomization is the Schema for the kustomizations API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: KustomizationSpec defines the desired state of a kustomization. + properties: + decryption: + description: Decrypt Kubernetes secrets before applying them on the + cluster. + properties: + provider: + description: Provider is the name of the decryption engine. + enum: + - sops + type: string + secretRef: + description: The secret name containing the private OpenPGP keys + used for decryption. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice + with references to Kustomization resources that must be ready before this + Kustomization can be reconciled. + items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + force: + default: false + description: |- + Force instructs the controller to recreate resources + when patching fails due to an immutable field change. + type: boolean + healthChecks: + description: A list of resources to be included in the health assessment. 
+ items: + description: |- + NamespacedObjectKindReference contains enough information to locate the typed referenced Kubernetes resource object + in any namespace. + properties: + apiVersion: + description: API version of the referent, if not specified the + Kubernetes preferred version will be used. + type: string + kind: + description: Kind of the referent. + type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - kind + - name + type: object + type: array + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, a new tag + or digest, which will replace the original name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace the original + name. + type: string + newTag: + description: NewTag is the value used to replace the original + tag. + type: string + required: + - name + type: object + type: array + interval: + description: The interval at which to reconcile the Kustomization. + type: string + kubeConfig: + description: |- + The KubeConfig for reconciling the Kustomization on a remote cluster. + When specified, KubeConfig takes precedence over ServiceAccountName. + properties: + secretRef: + description: |- + SecretRef holds the name to a secret that contains a 'value' key with + the kubeconfig file as the value. It must be in the same namespace as + the Kustomization. 
+ It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + the Kustomization. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - secretRef + type: object + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: JSON 6902 patches, defined as inline YAML objects. + items: + description: JSON6902Patch contains a JSON6902 patch and the target + the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document with + an array of operation objects. + items: + description: |- + JSON6902 is a JSON6902 operation object. + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: |- + From contains a JSON-pointer value that references a location within the target document where the operation is + performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations. + type: string + op: + description: |- + Op indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy", or + "test". 
+ https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: |- + Path contains the JSON-pointer value that references a location within the target document where the operation + is performed. The meaning of the value depends on the value of Op. + type: string + value: + description: |- + Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into + account by all operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. 
+ type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: Strategic merge patches, defined as inline YAML objects. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + path: + description: |- + Path to the directory containing the kustomization.yaml file, or the + set of plain YAMLs a kustomization.yaml should be generated for. + Defaults to 'None', which translates to the root path of the SourceRef. + type: string + postBuild: + description: |- + PostBuild describes which actions to perform on the YAML manifest + generated by building the kustomize overlay. + properties: + substitute: + additionalProperties: + type: string + description: |- + Substitute holds a map of key/value pairs. + The variables defined in your YAML manifests + that match any of the keys defined in the map + will be substituted with the set value. + Includes support for bash string replacement functions + e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}. + type: object + substituteFrom: + description: |- + SubstituteFrom holds references to ConfigMaps and Secrets containing + the variables and their values to be substituted in the YAML manifests. + The ConfigMap and the Secret data keys represent the var names and they + must match the vars declared in the manifests for the substitution to happen. + items: + description: |- + SubstituteReference contains a reference to a resource containing + the variables name and value. + properties: + kind: + description: Kind of the values referent, valid values are + ('Secret', 'ConfigMap'). 
+ enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + type: object + prune: + description: Prune enables garbage collection. + type: boolean + retryInterval: + description: |- + The interval at which to retry a previously failed reconciliation. + When not specified, the controller uses the KustomizationSpec.Interval + value to retry failures. + type: string + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this Kustomization. + type: string + sourceRef: + description: Reference of the source where the kustomization file + is. + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - GitRepository + - Bucket + type: string + name: + description: Name of the referent + type: string + namespace: + description: Namespace of the referent, defaults to the Kustomization + namespace + type: string + required: + - kind + - name + type: object + suspend: + description: |- + This flag tells the controller to suspend subsequent kustomize executions, + it does not apply to already started executions. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace sets or overrides the namespace in the + kustomization.yaml file. + maxLength: 63 + minLength: 1 + type: string + timeout: + description: |- + Timeout for validation, apply and health checking operations. + Defaults to 'Interval' duration. + type: string + validation: + description: |- + Validate the Kubernetes objects before applying them on the cluster. + The validation strategy can be 'client' (local dry-run), 'server' + (APIServer dry-run) or 'none'. 
+ When 'Force' is 'true', validation will fallback to 'client' if set to + 'server' because server-side validation is not supported in this scenario. + enum: + - none + - client + - server + type: string + required: + - interval + - prune + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: KustomizationStatus defines the observed state of a kustomization. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastAppliedRevision: + description: |- + The last successfully applied revision. + The revision format for Git sources is /. + type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + snapshot: + description: The last successfully applied revision metadata. + properties: + checksum: + description: The manifests sha1 checksum. + type: string + entries: + description: A list of Kubernetes kinds grouped by namespace. + items: + description: |- + Snapshot holds the metadata of namespaced + Kubernetes objects + properties: + kinds: + additionalProperties: + type: string + description: The list of Kubernetes kinds. + type: object + namespace: + description: The namespace of this entry. 
+ type: string + required: + - kinds + type: object + type: array + required: + - checksum + - entries + type: object + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Kustomization is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: Kustomization is the Schema for the kustomizations API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: KustomizationSpec defines the configuration to calculate + the desired state from a Source using Kustomize. + properties: + commonMetadata: + description: |- + CommonMetadata specifies the common labels and annotations that are applied to all resources. + Any existing label or annotation will be overridden if its key matches a common one. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to be added to the object's metadata. 
+ type: object + labels: + additionalProperties: + type: string + description: Labels to be added to the object's metadata. + type: object + type: object + components: + description: Components specifies relative paths to specifications + of other Components. + items: + type: string + type: array + decryption: + description: Decrypt Kubernetes secrets before applying them on the + cluster. + properties: + provider: + description: Provider is the name of the decryption engine. + enum: + - sops + type: string + secretRef: + description: The secret name containing the private OpenPGP keys + used for decryption. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice + with references to Kustomization resources that must be ready before this + Kustomization can be reconciled. + items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + force: + default: false + description: |- + Force instructs the controller to recreate resources + when patching fails due to an immutable field change. + type: boolean + healthChecks: + description: A list of resources to be included in the health assessment. + items: + description: |- + NamespacedObjectKindReference contains enough information to locate the typed referenced Kubernetes resource object + in any namespace. + properties: + apiVersion: + description: API version of the referent, if not specified the + Kubernetes preferred version will be used. + type: string + kind: + description: Kind of the referent. 
+ type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - kind + - name + type: object + type: array + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, a new tag + or digest, which will replace the original name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace the original + name. + type: string + newTag: + description: NewTag is the value used to replace the original + tag. + type: string + required: + - name + type: object + type: array + interval: + description: The interval at which to reconcile the Kustomization. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: |- + The KubeConfig for reconciling the Kustomization on a remote cluster. + When used in combination with KustomizationSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at the + target cluster. + If the --default-service-account flag is set, its value will be used as + a controller level fallback for when KustomizationSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: |- + SecretRef holds the name of a secret that contains a key with + the kubeconfig file as the value. If no key is set, the key will default + to 'value'. 
+ It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: |- + JSON 6902 patches, defined as inline YAML objects. + Deprecated: Use Patches instead. + items: + description: JSON6902Patch contains a JSON6902 patch and the target + the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document with + an array of operation objects. + items: + description: |- + JSON6902 is a JSON6902 operation object. + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: |- + From contains a JSON-pointer value that references a location within the target document where the operation is + performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations. + type: string + op: + description: |- + Op indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy", or + "test". 
+ https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: |- + Path contains the JSON-pointer value that references a location within the target document where the operation + is performed. The meaning of the value depends on the value of Op. + type: string + value: + description: |- + Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into + account by all operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. 
+ type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: |- + Strategic merge patches, defined as inline YAML objects. + Deprecated: Use Patches instead. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + path: + description: |- + Path to the directory containing the kustomization.yaml file, or the + set of plain YAMLs a kustomization.yaml should be generated for. + Defaults to 'None', which translates to the root path of the SourceRef. + type: string + postBuild: + description: |- + PostBuild describes which actions to perform on the YAML manifest + generated by building the kustomize overlay. + properties: + substitute: + additionalProperties: + type: string + description: |- + Substitute holds a map of key/value pairs. + The variables defined in your YAML manifests + that match any of the keys defined in the map + will be substituted with the set value. + Includes support for bash string replacement functions + e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}. + type: object + substituteFrom: + description: |- + SubstituteFrom holds references to ConfigMaps and Secrets containing + the variables and their values to be substituted in the YAML manifests. + The ConfigMap and the Secret data keys represent the var names and they + must match the vars declared in the manifests for the substitution to happen. + items: + description: |- + SubstituteReference contains a reference to a resource containing + the variables name and value. + properties: + kind: + description: Kind of the values referent, valid values are + ('Secret', 'ConfigMap'). 
+ enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + default: false + description: |- + Optional indicates whether the referenced resource must exist, or whether to + tolerate its absence. If true and the referenced resource is absent, proceed + as if the resource was present but empty, without any variables defined. + type: boolean + required: + - kind + - name + type: object + type: array + type: object + prune: + description: Prune enables garbage collection. + type: boolean + retryInterval: + description: |- + The interval at which to retry a previously failed reconciliation. + When not specified, the controller uses the KustomizationSpec.Interval + value to retry failures. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this Kustomization. + type: string + sourceRef: + description: Reference of the source where the kustomization file + is. + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, defaults to the namespace + of the Kubernetes resource object that contains the reference. + type: string + required: + - kind + - name + type: object + suspend: + description: |- + This flag tells the controller to suspend subsequent kustomize executions, + it does not apply to already started executions. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace sets or overrides the namespace in the + kustomization.yaml file. 
+ maxLength: 63 + minLength: 1 + type: string + timeout: + description: |- + Timeout for validation, apply and health checking operations. + Defaults to 'Interval' duration. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + validation: + description: 'Deprecated: Not used in v1beta2.' + enum: + - none + - client + - server + type: string + wait: + description: |- + Wait instructs the controller to check the health of all the reconciled resources. + When enabled, the HealthChecks are ignored. Defaults to false. + type: boolean + required: + - interval + - prune + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: KustomizationStatus defines the observed state of a kustomization. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + inventory: + description: Inventory contains the list of Kubernetes resource object + references that have been successfully applied. + properties: + entries: + description: Entries of Kubernetes resource object references. + items: + description: ResourceRef contains the information necessary + to locate a resource within a cluster. + properties: + id: + description: |- + ID is the string representation of the Kubernetes resource object's metadata, + in the format '___'. + type: string + v: + description: Version is the API version of the Kubernetes + resource object's kind. + type: string + required: + - id + - v + type: object + type: array + required: + - entries + type: object + lastAppliedRevision: + description: |- + The last successfully applied revision. + Equals the Revision of the applied Artifact from the referenced Source. + type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. 
+ type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: kustomize-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: kustomize-controller + namespace: flux-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: kustomize-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + control-plane: controller + name: kustomize-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: kustomize-controller + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: kustomize-controller + spec: + containers: + - args: + - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ + - --watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.memory + image: ghcr.io/fluxcd/kustomize-controller:v1.6.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + 
securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: temp + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1337 + serviceAccountName: kustomize-controller + terminationGracePeriodSeconds: 60 + volumes: + - emptyDir: {} + name: temp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: helm-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: helmreleases.helm.toolkit.fluxcd.io +spec: + group: helm.toolkit.fluxcd.io + names: + kind: HelmRelease + listKind: HelmReleaseList + plural: helmreleases + shortNames: + - hr + singular: helmrelease + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v2 + schema: + openAPIV3Schema: + description: HelmRelease is the Schema for the helmreleases API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmReleaseSpec defines the desired state of a Helm release. + properties: + chart: + description: |- + Chart defines the template of the v1.HelmChart that should be created + for this HelmRelease. + properties: + metadata: + description: ObjectMeta holds the template for metadata like labels + and annotations. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + labels: + additionalProperties: + type: string + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + type: object + spec: + description: Spec holds the template for the v1.HelmChartSpec + for this HelmRelease. + properties: + chart: + description: The name or path the Helm chart is available + at in the SourceRef. + maxLength: 2048 + minLength: 1 + type: string + ignoreMissingValuesFiles: + description: IgnoreMissingValuesFiles controls whether to + silently ignore missing values files rather than failing. + type: boolean + interval: + description: |- + Interval at which to check the v1.Source for updates. Defaults to + 'HelmReleaseSpec.Interval'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: |- + Determines what enables the creation of a new artifact. Valid values are + ('ChartVersion', 'Revision'). 
+ See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: The name and namespace of the v1.Source the chart + is available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + valuesFiles: + description: |- + Alternative list of values files to use as the chart values (values.yaml + is not included by default), expected to be a relative path in the SourceRef. + Values files are merged in the order of this list with the last file overriding + the first. Ignored when omitted. + items: + type: string + type: array + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + This field is only supported for OCI sources. + Chart dependencies, which are not bundled in the umbrella chart artifact, + are not verified. + properties: + provider: + default: cosign + description: Provider specifies the technology used to + sign the OCI Helm chart. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: |- + Version semver expression, ignored for charts from v1.GitRepository and + v1beta2.Bucket sources. 
Defaults to latest when omitted. + type: string + required: + - chart + - sourceRef + type: object + required: + - spec + type: object + chartRef: + description: |- + ChartRef holds a reference to a source controller resource containing the + Helm chart artifact. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - HelmChart + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent, defaults to the namespace of the Kubernetes + resource object that contains the reference. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice with + references to HelmRelease resources that must be ready before this HelmRelease + can be reconciled. + items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + driftDetection: + description: |- + DriftDetection holds the configuration for detecting and handling + differences between the manifest in the Helm storage and the resources + currently existing in the cluster. + properties: + ignore: + description: |- + Ignore contains a list of rules for specifying which changes to ignore + during diffing. + items: + description: |- + IgnoreRule defines a rule to selectively disregard specific changes during + the drift detection process. 
+ properties: + paths: + description: |- + Paths is a list of JSON Pointer (RFC 6901) paths to be excluded from + consideration in a Kubernetes object. + items: + type: string + type: array + target: + description: |- + Target is a selector for specifying Kubernetes objects to which this + rule applies. + If Target is not set, the Paths will be ignored for all Kubernetes + objects within the manifest of the Helm release. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - paths + type: object + type: array + mode: + description: |- + Mode defines how differences should be handled between the Helm manifest + and the manifest currently applied to the cluster. + If not explicitly set, it defaults to DiffModeDisabled. + enum: + - enabled + - warn + - disabled + type: string + type: object + install: + description: Install holds the configuration for Helm install actions + for this HelmRelease. + properties: + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Create` and if omitted + CRDs are installed but not updated. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. + + By default, CRDs are applied (installed) during Helm install action. + With this option users can opt in to CRD replace existing CRDs on Helm + install actions, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + createNamespace: + description: |- + CreateNamespace tells the Helm install action to create the + HelmReleaseSpec.TargetNamespace if it does not exist yet. + On uninstall, the namespace will not be garbage collected. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm install action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm install action from validating + rendered templates against the Kubernetes OpenAPI Schema. 
+ type: boolean + disableSchemaValidation: + description: |- + DisableSchemaValidation prevents the Helm install action from validating + the values against the JSON Schema. + type: boolean + disableTakeOwnership: + description: |- + DisableTakeOwnership disables taking ownership of existing resources + during the Helm install action. Defaults to false. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + install has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + install has been performed. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm install + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an install action but fail. Defaults to + 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false'. + type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using an uninstall, is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. + type: integer + type: object + replace: + description: |- + Replace tells the Helm install action to re-use the 'ReleaseName', but only + if that name is a deleted release which remains in the history. + type: boolean + skipCRDs: + description: |- + SkipCRDs tells the Helm install action to not install any CRDs. By default, + CRDs are installed if not already present. + + Deprecated use CRD policy (`crds`) attribute with value `Skip` instead. 
+ type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm install action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + interval: + description: Interval at which to reconcile the Helm release. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: |- + KubeConfig for reconciling the HelmRelease on a remote cluster. + When used in combination with HelmReleaseSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at the + target cluster. + If the --default-service-account flag is set, its value will be used as + a controller level fallback for when HelmReleaseSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: |- + SecretRef holds the name of a secret that contains a key with + the kubeconfig file as the value. If no key is set, the key will default + to 'value'. + It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + maxHistory: + description: |- + MaxHistory is the number of revisions saved by Helm for this HelmRelease. + Use '0' for an unlimited number of revisions; defaults to '5'. + type: integer + persistentClient: + description: |- + PersistentClient tells the controller to use a persistent Kubernetes + client for this release. 
When enabled, the client will be reused for the + duration of the reconciliation, instead of being created and destroyed + for each (step of a) Helm action. + + This can improve performance, but may cause issues with some Helm charts + that for example do create Custom Resource Definitions during installation + outside Helm's CRD lifecycle hooks, which are then not observed to be + available by e.g. post-install hooks. + + If not set, it defaults to true. + type: boolean + postRenderers: + description: |- + PostRenderers holds an array of Helm PostRenderers, which will be applied in order + of their definition. + items: + description: PostRenderer contains a Helm PostRenderer specification. + properties: + kustomize: + description: Kustomization to apply as PostRenderer. + properties: + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, + a new tag or digest, which will replace the original + name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace + the original name. + type: string + newTag: + description: NewTag is the value used to replace the + original tag. + type: string + required: + - name + type: object + type: array + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. 
+ properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + type: object + type: object + type: array + releaseName: + description: |- + ReleaseName used for the Helm release. Defaults to a composition of + '[TargetNamespace-]Name'. + maxLength: 53 + minLength: 1 + type: string + rollback: + description: Rollback holds the configuration for Helm rollback actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + rollback action when it fails. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + rollback has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + rollback has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + recreate: + description: Recreate performs pod restarts for the resource if + applicable. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm rollback action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this HelmRelease. + maxLength: 253 + minLength: 1 + type: string + storageNamespace: + description: |- + StorageNamespace used for the Helm storage. + Defaults to the namespace of the HelmRelease. 
+ maxLength: 63 + minLength: 1 + type: string + suspend: + description: |- + Suspend tells the controller to suspend reconciliation for this HelmRelease, + it does not apply to already started reconciliations. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace to target when performing operations for the HelmRelease. + Defaults to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + test: + description: Test holds the configuration for Helm test actions for + this HelmRelease. + properties: + enable: + description: |- + Enable enables Helm test actions for this HelmRelease after an Helm install + or upgrade action has been performed. + type: boolean + filters: + description: Filters is a list of tests to run or exclude from + running. + items: + description: Filter holds the configuration for individual Helm + test filters. + properties: + exclude: + description: Exclude specifies whether the named test should + be excluded. + type: boolean + name: + description: Name is the name of the test. + maxLength: 253 + minLength: 1 + type: string + required: + - name + type: object + type: array + ignoreFailures: + description: |- + IgnoreFailures tells the controller to skip remediation when the Helm tests + are run but fail. Can be overwritten for tests run after install or upgrade + actions in 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation during + the performance of a Helm test action. Defaults to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like Jobs + for hooks) during the performance of a Helm action. Defaults to '5m0s'. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + uninstall: + description: Uninstall holds the configuration for Helm uninstall + actions for this HelmRelease. + properties: + deletionPropagation: + default: background + description: |- + DeletionPropagation specifies the deletion propagation policy when + a Helm uninstall is performed. + enum: + - background + - foreground + - orphan + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables waiting for all the resources to be deleted after + a Helm uninstall is performed. + type: boolean + keepHistory: + description: |- + KeepHistory tells Helm to remove all associated resources and mark the + release as deleted, but retain the release history. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm uninstall action. Defaults + to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + upgrade: + description: Upgrade holds the configuration for Helm upgrade actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + upgrade action when it fails. + type: boolean + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Skip` and if omitted + CRDs are neither installed nor upgraded. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. 
+ + By default, CRDs are not applied during Helm upgrade action. With this + option users can opt-in to CRD upgrade, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm upgrade action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm upgrade action from validating + rendered templates against the Kubernetes OpenAPI Schema. + type: boolean + disableSchemaValidation: + description: |- + DisableSchemaValidation prevents the Helm upgrade action from validating + the values against the JSON Schema. + type: boolean + disableTakeOwnership: + description: |- + DisableTakeOwnership disables taking ownership of existing resources + during the Helm upgrade action. Defaults to false. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + upgrade has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + upgrade has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + preserveValues: + description: |- + PreserveValues will make Helm reuse the last release's values and merge in + overrides from 'Values'. Setting this flag makes the HelmRelease + non-declarative. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm upgrade + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an upgrade action but fail. 
+ Defaults to 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false' unless 'Retries' is greater than 0. + type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using 'Strategy', is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. + type: integer + strategy: + description: Strategy to use for failure remediation. Defaults + to 'rollback'. + enum: + - rollback + - uninstall + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm upgrade action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + values: + description: Values holds the values for this Helm release. + x-kubernetes-preserve-unknown-fields: true + valuesFrom: + description: |- + ValuesFrom holds references to resources containing Helm values for this HelmRelease, + and information about how they should be merged. + items: + description: |- + ValuesReference contains a reference to a resource containing Helm values, + and optionally the key they can be found at. + properties: + kind: + description: Kind of the values referent, valid values are ('Secret', + 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + description: |- + Optional marks this ValuesReference as optional. When set, a not found error + for the values reference is ignored, but any ValuesKey, TargetPath or + transient error will still result in a reconciliation failure. 
+ type: boolean + targetPath: + description: |- + TargetPath is the YAML dot notation path the value should be merged at. When + set, the ValuesKey is expected to be a single flat value. Defaults to 'None', + which results in the values getting merged at the root. + maxLength: 250 + pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ + type: string + valuesKey: + description: |- + ValuesKey is the data key where the values.yaml or a specific value can be + found at. Defaults to 'values.yaml'. + maxLength: 253 + pattern: ^[\-._a-zA-Z0-9]+$ + type: string + required: + - kind + - name + type: object + type: array + required: + - interval + type: object + x-kubernetes-validations: + - message: either chart or chartRef must be set + rule: (has(self.chart) && !has(self.chartRef)) || (!has(self.chart) + && has(self.chartRef)) + status: + default: + observedGeneration: -1 + description: HelmReleaseStatus defines the observed state of a HelmRelease. + properties: + conditions: + description: Conditions holds the conditions for the HelmRelease. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failures: + description: |- + Failures is the reconciliation failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + helmChart: + description: |- + HelmChart is the namespaced name of the HelmChart resource created by + the controller for the HelmRelease. + type: string + history: + description: |- + History holds the history of Helm releases performed for this HelmRelease + up to the last successfully completed release. + items: + description: |- + Snapshot captures a point-in-time copy of the status information for a Helm release, + as managed by the controller. + properties: + apiVersion: + description: |- + APIVersion is the API version of the Snapshot. + Provisional: when the calculation method of the Digest field is changed, + this field will be used to distinguish between the old and new methods. + type: string + appVersion: + description: AppVersion is the chart app version of the release + object in storage. 
+ type: string + chartName: + description: ChartName is the chart name of the release object + in storage. + type: string + chartVersion: + description: |- + ChartVersion is the chart version of the release object in + storage. + type: string + configDigest: + description: |- + ConfigDigest is the checksum of the config (better known as + "values") of the release object in storage. + It has the format of `:`. + type: string + deleted: + description: Deleted is when the release was deleted. + format: date-time + type: string + digest: + description: |- + Digest is the checksum of the release object in storage. + It has the format of `:`. + type: string + firstDeployed: + description: FirstDeployed is when the release was first deployed. + format: date-time + type: string + lastDeployed: + description: LastDeployed is when the release was last deployed. + format: date-time + type: string + name: + description: Name is the name of the release. + type: string + namespace: + description: Namespace is the namespace the release is deployed + to. + type: string + ociDigest: + description: OCIDigest is the digest of the OCI artifact associated + with the release. + type: string + status: + description: Status is the current state of the release. + type: string + testHooks: + additionalProperties: + description: |- + TestHookStatus holds the status information for a test hook as observed + to be run by the controller. + properties: + lastCompleted: + description: LastCompleted is the time the test hook last + completed. + format: date-time + type: string + lastStarted: + description: LastStarted is the time the test hook was + last started. + format: date-time + type: string + phase: + description: Phase the test hook was observed to be in. + type: string + type: object + description: |- + TestHooks is the list of test hooks for the release as observed to be + run by the controller. 
+ type: object + version: + description: Version is the version of the release object in + storage. + type: integer + required: + - chartName + - chartVersion + - configDigest + - digest + - firstDeployed + - lastDeployed + - name + - namespace + - status + - version + type: object + type: array + installFailures: + description: |- + InstallFailures is the install failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + lastAttemptedConfigDigest: + description: |- + LastAttemptedConfigDigest is the digest for the config (better known as + "values") of the last reconciliation attempt. + type: string + lastAttemptedGeneration: + description: |- + LastAttemptedGeneration is the last generation the controller attempted + to reconcile. + format: int64 + type: integer + lastAttemptedReleaseAction: + description: |- + LastAttemptedReleaseAction is the last release action performed for this + HelmRelease. It is used to determine the active remediation strategy. + enum: + - install + - upgrade + type: string + lastAttemptedRevision: + description: |- + LastAttemptedRevision is the Source revision of the last reconciliation + attempt. For OCIRepository sources, the 12 first characters of the digest are + appended to the chart version e.g. "1.2.3+1234567890ab". + type: string + lastAttemptedRevisionDigest: + description: |- + LastAttemptedRevisionDigest is the digest of the last reconciliation attempt. + This is only set for OCIRepository sources. + type: string + lastAttemptedValuesChecksum: + description: |- + LastAttemptedValuesChecksum is the SHA1 checksum for the values of the last + reconciliation attempt. + Deprecated: Use LastAttemptedConfigDigest instead. + type: string + lastHandledForceAt: + description: |- + LastHandledForceAt holds the value of the most recent force request + value, so a change of the annotation value can be detected. 
+ type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + lastHandledResetAt: + description: |- + LastHandledResetAt holds the value of the most recent reset request + value, so a change of the annotation value can be detected. + type: string + lastReleaseRevision: + description: |- + LastReleaseRevision is the revision of the last successful Helm release. + Deprecated: Use History instead. + type: integer + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + observedPostRenderersDigest: + description: |- + ObservedPostRenderersDigest is the digest for the post-renderers of + the last successful reconciliation attempt. + type: string + storageNamespace: + description: |- + StorageNamespace is the namespace of the Helm release storage for the + current release. + maxLength: 63 + minLength: 1 + type: string + upgradeFailures: + description: |- + UpgradeFailures is the upgrade failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v2beta1 HelmRelease is deprecated, upgrade to v2 + name: v2beta1 + schema: + openAPIV3Schema: + description: HelmRelease is the Schema for the helmreleases API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmReleaseSpec defines the desired state of a Helm release. + properties: + chart: + description: |- + Chart defines the template of the v1beta2.HelmChart that should be created + for this HelmRelease. + properties: + metadata: + description: ObjectMeta holds the template for metadata like labels + and annotations. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + labels: + additionalProperties: + type: string + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + type: object + spec: + description: Spec holds the template for the v1beta2.HelmChartSpec + for this HelmRelease. + properties: + chart: + description: The name or path the Helm chart is available + at in the SourceRef. + type: string + interval: + description: |- + Interval at which to check the v1beta2.Source for updates. 
Defaults to + 'HelmReleaseSpec.Interval'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: |- + Determines what enables the creation of a new artifact. Valid values are + ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: The name and namespace of the v1beta2.Source + the chart is available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + valuesFile: + description: |- + Alternative values file to use as the default chart values, expected to + be a relative path in the SourceRef. Deprecated in favor of ValuesFiles, + for backwards compatibility the file defined here is merged before the + ValuesFiles items. Ignored when omitted. + type: string + valuesFiles: + description: |- + Alternative list of values files to use as the chart values (values.yaml + is not included by default), expected to be a relative path in the SourceRef. + Values files are merged in the order of this list with the last file overriding + the first. Ignored when omitted. + items: + type: string + type: array + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + This field is only supported for OCI sources. + Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified. 
+ properties: + provider: + default: cosign + description: Provider specifies the technology used to + sign the OCI Helm chart. + enum: + - cosign + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: |- + Version semver expression, ignored for charts from v1beta2.GitRepository and + v1beta2.Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - sourceRef + type: object + required: + - spec + type: object + chartRef: + description: |- + ChartRef holds a reference to a source controller resource containing the + Helm chart artifact. + + Note: this field is provisional to the v2 API, and not actively used + by v2beta1 HelmReleases. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - HelmChart + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent, defaults to the namespace of the Kubernetes + resource object that contains the reference. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice with + references to HelmRelease resources that must be ready before this HelmRelease + can be reconciled. + items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. 
+ type: string + required: + - name + type: object + type: array + driftDetection: + description: |- + DriftDetection holds the configuration for detecting and handling + differences between the manifest in the Helm storage and the resources + currently existing in the cluster. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + properties: + ignore: + description: |- + Ignore contains a list of rules for specifying which changes to ignore + during diffing. + items: + description: |- + IgnoreRule defines a rule to selectively disregard specific changes during + the drift detection process. + properties: + paths: + description: |- + Paths is a list of JSON Pointer (RFC 6901) paths to be excluded from + consideration in a Kubernetes object. + items: + type: string + type: array + target: + description: |- + Target is a selector for specifying Kubernetes objects to which this + rule applies. + If Target is not set, the Paths will be ignored for all Kubernetes + objects within the manifest of the Helm release. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - paths + type: object + type: array + mode: + description: |- + Mode defines how differences should be handled between the Helm manifest + and the manifest currently applied to the cluster. + If not explicitly set, it defaults to DiffModeDisabled. + enum: + - enabled + - warn + - disabled + type: string + type: object + install: + description: Install holds the configuration for Helm install actions + for this HelmRelease. + properties: + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Create` and if omitted + CRDs are installed but not updated. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. + + By default, CRDs are applied (installed) during Helm install action. 
+ With this option users can opt-in to CRD replace existing CRDs on Helm + install actions, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + createNamespace: + description: |- + CreateNamespace tells the Helm install action to create the + HelmReleaseSpec.TargetNamespace if it does not exist yet. + On uninstall, the namespace will not be garbage collected. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm install action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm install action from validating + rendered templates against the Kubernetes OpenAPI Schema. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + install has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + install has been performed. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm install + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an install action but fail. Defaults to + 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false'. + type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using an uninstall, is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. 
+ type: integer + type: object + replace: + description: |- + Replace tells the Helm install action to re-use the 'ReleaseName', but only + if that name is a deleted release which remains in the history. + type: boolean + skipCRDs: + description: |- + SkipCRDs tells the Helm install action to not install any CRDs. By default, + CRDs are installed if not already present. + + Deprecated use CRD policy (`crds`) attribute with value `Skip` instead. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm install action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + interval: + description: |- + Interval at which to reconcile the Helm release. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: |- + KubeConfig for reconciling the HelmRelease on a remote cluster. + When used in combination with HelmReleaseSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at the + target cluster. + If the --default-service-account flag is set, its value will be used as + a controller level fallback for when HelmReleaseSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: |- + SecretRef holds the name of a secret that contains a key with + the kubeconfig file as the value. If no key is set, the key will default + to 'value'. + It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + Kubernetes resources. 
+ properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + maxHistory: + description: |- + MaxHistory is the number of revisions saved by Helm for this HelmRelease. + Use '0' for an unlimited number of revisions; defaults to '10'. + type: integer + persistentClient: + description: |- + PersistentClient tells the controller to use a persistent Kubernetes + client for this release. When enabled, the client will be reused for the + duration of the reconciliation, instead of being created and destroyed + for each (step of a) Helm action. + + This can improve performance, but may cause issues with some Helm charts + that for example do create Custom Resource Definitions during installation + outside Helm's CRD lifecycle hooks, which are then not observed to be + available by e.g. post-install hooks. + + If not set, it defaults to true. + type: boolean + postRenderers: + description: |- + PostRenderers holds an array of Helm PostRenderers, which will be applied in order + of their definition. + items: + description: PostRenderer contains a Helm PostRenderer specification. + properties: + kustomize: + description: Kustomization to apply as PostRenderer. + properties: + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, + a new tag or digest, which will replace the original + name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. 
+ type: string + newName: + description: NewName is the value used to replace + the original name. + type: string + newTag: + description: NewTag is the value used to replace the + original tag. + type: string + required: + - name + type: object + type: array + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. 
+ type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: JSON 6902 patches, defined as inline YAML objects. + items: + description: JSON6902Patch contains a JSON6902 patch and + the target the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document + with an array of operation objects. + items: + description: |- + JSON6902 is a JSON6902 operation object. + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: |- + From contains a JSON-pointer value that references a location within the target document where the operation is + performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations. + type: string + op: + description: |- + Op indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy", or + "test". + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: |- + Path contains the JSON-pointer value that references a location within the target document where the operation + is performed. The meaning of the value depends on the value of Op. + type: string + value: + description: |- + Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into + account by all operations. 
+ x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: Strategic merge patches, defined as inline + YAML objects. 
+ items: + x-kubernetes-preserve-unknown-fields: true + type: array + type: object + type: object + type: array + releaseName: + description: |- + ReleaseName used for the Helm release. Defaults to a composition of + '[TargetNamespace-]Name'. + maxLength: 53 + minLength: 1 + type: string + rollback: + description: Rollback holds the configuration for Helm rollback actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + rollback action when it fails. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + rollback has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + rollback has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + recreate: + description: Recreate performs pod restarts for the resource if + applicable. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm rollback action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this HelmRelease. + type: string + storageNamespace: + description: |- + StorageNamespace used for the Helm storage. + Defaults to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + suspend: + description: |- + Suspend tells the controller to suspend reconciliation for this HelmRelease, + it does not apply to already started reconciliations. 
Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace to target when performing operations for the HelmRelease. + Defaults to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + test: + description: Test holds the configuration for Helm test actions for + this HelmRelease. + properties: + enable: + description: |- + Enable enables Helm test actions for this HelmRelease after an Helm install + or upgrade action has been performed. + type: boolean + ignoreFailures: + description: |- + IgnoreFailures tells the controller to skip remediation when the Helm tests + are run but fail. Can be overwritten for tests run after install or upgrade + actions in 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation during + the performance of a Helm test action. Defaults to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like Jobs + for hooks) during the performance of a Helm action. Defaults to '5m0s'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + uninstall: + description: Uninstall holds the configuration for Helm uninstall + actions for this HelmRelease. + properties: + deletionPropagation: + default: background + description: |- + DeletionPropagation specifies the deletion propagation policy when + a Helm uninstall is performed. + enum: + - background + - foreground + - orphan + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables waiting for all the resources to be deleted after + a Helm uninstall is performed. 
+ type: boolean + keepHistory: + description: |- + KeepHistory tells Helm to remove all associated resources and mark the + release as deleted, but retain the release history. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm uninstall action. Defaults + to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + upgrade: + description: Upgrade holds the configuration for Helm upgrade actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + upgrade action when it fails. + type: boolean + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Skip` and if omitted + CRDs are neither installed nor upgraded. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. + + By default, CRDs are not applied during Helm upgrade action. With this + option users can opt-in to CRD upgrade, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm upgrade action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm upgrade action from validating + rendered templates against the Kubernetes OpenAPI Schema. 
+ type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + upgrade has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + upgrade has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + preserveValues: + description: |- + PreserveValues will make Helm reuse the last release's values and merge in + overrides from 'Values'. Setting this flag makes the HelmRelease + non-declarative. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm upgrade + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an upgrade action but fail. + Defaults to 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false' unless 'Retries' is greater than 0. + type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using 'Strategy', is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. + type: integer + strategy: + description: Strategy to use for failure remediation. Defaults + to 'rollback'. + enum: + - rollback + - uninstall + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm upgrade action. Defaults to + 'HelmReleaseSpec.Timeout'. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + values: + description: Values holds the values for this Helm release. + x-kubernetes-preserve-unknown-fields: true + valuesFrom: + description: |- + ValuesFrom holds references to resources containing Helm values for this HelmRelease, + and information about how they should be merged. + items: + description: |- + ValuesReference contains a reference to a resource containing Helm values, + and optionally the key they can be found at. + properties: + kind: + description: Kind of the values referent, valid values are ('Secret', + 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + description: |- + Optional marks this ValuesReference as optional. When set, a not found error + for the values reference is ignored, but any ValuesKey, TargetPath or + transient error will still result in a reconciliation failure. + type: boolean + targetPath: + description: |- + TargetPath is the YAML dot notation path the value should be merged at. When + set, the ValuesKey is expected to be a single flat value. Defaults to 'None', + which results in the values getting merged at the root. + maxLength: 250 + pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ + type: string + valuesKey: + description: |- + ValuesKey is the data key where the values.yaml or a specific value can be + found at. Defaults to 'values.yaml'. + When set, must be a valid Data Key, consisting of alphanumeric characters, + '-', '_' or '.'. + maxLength: 253 + pattern: ^[\-._a-zA-Z0-9]+$ + type: string + required: + - kind + - name + type: object + type: array + required: + - chart + - interval + type: object + status: + default: + observedGeneration: -1 + description: HelmReleaseStatus defines the observed state of a HelmRelease. 
+ properties: + conditions: + description: Conditions holds the conditions for the HelmRelease. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failures: + description: |- + Failures is the reconciliation failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + helmChart: + description: |- + HelmChart is the namespaced name of the HelmChart resource created by + the controller for the HelmRelease. + type: string + history: + description: |- + History holds the history of Helm releases performed for this HelmRelease + up to the last successfully completed release. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + items: + description: |- + Snapshot captures a point-in-time copy of the status information for a Helm release, + as managed by the controller. + properties: + apiVersion: + description: |- + APIVersion is the API version of the Snapshot. + Provisional: when the calculation method of the Digest field is changed, + this field will be used to distinguish between the old and new methods. + type: string + appVersion: + description: AppVersion is the chart app version of the release + object in storage. + type: string + chartName: + description: ChartName is the chart name of the release object + in storage. + type: string + chartVersion: + description: |- + ChartVersion is the chart version of the release object in + storage. + type: string + configDigest: + description: |- + ConfigDigest is the checksum of the config (better known as + "values") of the release object in storage. + It has the format of `:`. + type: string + deleted: + description: Deleted is when the release was deleted. + format: date-time + type: string + digest: + description: |- + Digest is the checksum of the release object in storage. 
+ It has the format of `:`. + type: string + firstDeployed: + description: FirstDeployed is when the release was first deployed. + format: date-time + type: string + lastDeployed: + description: LastDeployed is when the release was last deployed. + format: date-time + type: string + name: + description: Name is the name of the release. + type: string + namespace: + description: Namespace is the namespace the release is deployed + to. + type: string + ociDigest: + description: OCIDigest is the digest of the OCI artifact associated + with the release. + type: string + status: + description: Status is the current state of the release. + type: string + testHooks: + additionalProperties: + description: |- + TestHookStatus holds the status information for a test hook as observed + to be run by the controller. + properties: + lastCompleted: + description: LastCompleted is the time the test hook last + completed. + format: date-time + type: string + lastStarted: + description: LastStarted is the time the test hook was + last started. + format: date-time + type: string + phase: + description: Phase the test hook was observed to be in. + type: string + type: object + description: |- + TestHooks is the list of test hooks for the release as observed to be + run by the controller. + type: object + version: + description: Version is the version of the release object in + storage. + type: integer + required: + - chartName + - chartVersion + - configDigest + - digest + - firstDeployed + - lastDeployed + - name + - namespace + - status + - version + type: object + type: array + installFailures: + description: |- + InstallFailures is the install failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + lastAppliedRevision: + description: LastAppliedRevision is the revision of the last successfully + applied source. 
+ type: string + lastAttemptedConfigDigest: + description: |- + LastAttemptedConfigDigest is the digest for the config (better known as + "values") of the last reconciliation attempt. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + type: string + lastAttemptedGeneration: + description: |- + LastAttemptedGeneration is the last generation the controller attempted + to reconcile. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + format: int64 + type: integer + lastAttemptedReleaseAction: + description: |- + LastAttemptedReleaseAction is the last release action performed for this + HelmRelease. It is used to determine the active remediation strategy. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastAttemptedValuesChecksum: + description: |- + LastAttemptedValuesChecksum is the SHA1 checksum of the values of the last + reconciliation attempt. + type: string + lastHandledForceAt: + description: |- + LastHandledForceAt holds the value of the most recent force request + value, so a change of the annotation value can be detected. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + lastHandledResetAt: + description: |- + LastHandledResetAt holds the value of the most recent reset request + value, so a change of the annotation value can be detected. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. 
+ type: string + lastReleaseRevision: + description: LastReleaseRevision is the revision of the last successful + Helm release. + type: integer + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + observedPostRenderersDigest: + description: |- + ObservedPostRenderersDigest is the digest for the post-renderers of + the last successful reconciliation attempt. + type: string + storageNamespace: + description: |- + StorageNamespace is the namespace of the Helm release storage for the + current release. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + type: string + upgradeFailures: + description: |- + UpgradeFailures is the upgrade failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v2beta2 HelmRelease is deprecated, upgrade to v2 + name: v2beta2 + schema: + openAPIV3Schema: + description: HelmRelease is the Schema for the helmreleases API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmReleaseSpec defines the desired state of a Helm release. + properties: + chart: + description: |- + Chart defines the template of the v1beta2.HelmChart that should be created + for this HelmRelease. + properties: + metadata: + description: ObjectMeta holds the template for metadata like labels + and annotations. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + labels: + additionalProperties: + type: string + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + type: object + spec: + description: Spec holds the template for the v1beta2.HelmChartSpec + for this HelmRelease. + properties: + chart: + description: The name or path the Helm chart is available + at in the SourceRef. + maxLength: 2048 + minLength: 1 + type: string + ignoreMissingValuesFiles: + description: IgnoreMissingValuesFiles controls whether to + silently ignore missing values files rather than failing. + type: boolean + interval: + description: |- + Interval at which to check the v1.Source for updates. Defaults to + 'HelmReleaseSpec.Interval'. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: |- + Determines what enables the creation of a new artifact. Valid values are + ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: The name and namespace of the v1.Source the chart + is available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + valuesFile: + description: |- + Alternative values file to use as the default chart values, expected to + be a relative path in the SourceRef. Deprecated in favor of ValuesFiles, + for backwards compatibility the file defined here is merged before the + ValuesFiles items. Ignored when omitted. + type: string + valuesFiles: + description: |- + Alternative list of values files to use as the chart values (values.yaml + is not included by default), expected to be a relative path in the SourceRef. + Values files are merged in the order of this list with the last file overriding + the first. Ignored when omitted. + items: + type: string + type: array + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + This field is only supported for OCI sources. + Chart dependencies, which are not bundled in the umbrella chart artifact, + are not verified. 
+ properties: + provider: + default: cosign + description: Provider specifies the technology used to + sign the OCI Helm chart. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: |- + Version semver expression, ignored for charts from v1beta2.GitRepository and + v1beta2.Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - sourceRef + type: object + required: + - spec + type: object + chartRef: + description: |- + ChartRef holds a reference to a source controller resource containing the + Helm chart artifact. + + Note: this field is provisional to the v2 API, and not actively used + by v2beta2 HelmReleases. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - HelmChart + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent, defaults to the namespace of the Kubernetes + resource object that contains the reference. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice with + references to HelmRelease resources that must be ready before this HelmRelease + can be reconciled. + items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. 
+ type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + driftDetection: + description: |- + DriftDetection holds the configuration for detecting and handling + differences between the manifest in the Helm storage and the resources + currently existing in the cluster. + properties: + ignore: + description: |- + Ignore contains a list of rules for specifying which changes to ignore + during diffing. + items: + description: |- + IgnoreRule defines a rule to selectively disregard specific changes during + the drift detection process. + properties: + paths: + description: |- + Paths is a list of JSON Pointer (RFC 6901) paths to be excluded from + consideration in a Kubernetes object. + items: + type: string + type: array + target: + description: |- + Target is a selector for specifying Kubernetes objects to which this + rule applies. + If Target is not set, the Paths will be ignored for all Kubernetes + objects within the manifest of the Helm release. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - paths + type: object + type: array + mode: + description: |- + Mode defines how differences should be handled between the Helm manifest + and the manifest currently applied to the cluster. + If not explicitly set, it defaults to DiffModeDisabled. + enum: + - enabled + - warn + - disabled + type: string + type: object + install: + description: Install holds the configuration for Helm install actions + for this HelmRelease. + properties: + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Create` and if omitted + CRDs are installed but not updated. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. + + By default, CRDs are applied (installed) during Helm install action. 
+ With this option users can opt in to CRD replace existing CRDs on Helm + install actions, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + createNamespace: + description: |- + CreateNamespace tells the Helm install action to create the + HelmReleaseSpec.TargetNamespace if it does not exist yet. + On uninstall, the namespace will not be garbage collected. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm install action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm install action from validating + rendered templates against the Kubernetes OpenAPI Schema. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + install has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + install has been performed. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm install + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an install action but fail. Defaults to + 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false'. + type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using an uninstall, is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. 
+ type: integer + type: object + replace: + description: |- + Replace tells the Helm install action to re-use the 'ReleaseName', but only + if that name is a deleted release which remains in the history. + type: boolean + skipCRDs: + description: |- + SkipCRDs tells the Helm install action to not install any CRDs. By default, + CRDs are installed if not already present. + + Deprecated use CRD policy (`crds`) attribute with value `Skip` instead. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm install action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + interval: + description: Interval at which to reconcile the Helm release. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: |- + KubeConfig for reconciling the HelmRelease on a remote cluster. + When used in combination with HelmReleaseSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at the + target cluster. + If the --default-service-account flag is set, its value will be used as + a controller level fallback for when HelmReleaseSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: |- + SecretRef holds the name of a secret that contains a key with + the kubeconfig file as the value. If no key is set, the key will default + to 'value'. + It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. 
+ type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + maxHistory: + description: |- + MaxHistory is the number of revisions saved by Helm for this HelmRelease. + Use '0' for an unlimited number of revisions; defaults to '5'. + type: integer + persistentClient: + description: |- + PersistentClient tells the controller to use a persistent Kubernetes + client for this release. When enabled, the client will be reused for the + duration of the reconciliation, instead of being created and destroyed + for each (step of a) Helm action. + + This can improve performance, but may cause issues with some Helm charts + that for example do create Custom Resource Definitions during installation + outside Helm's CRD lifecycle hooks, which are then not observed to be + available by e.g. post-install hooks. + + If not set, it defaults to true. + type: boolean + postRenderers: + description: |- + PostRenderers holds an array of Helm PostRenderers, which will be applied in order + of their definition. + items: + description: PostRenderer contains a Helm PostRenderer specification. + properties: + kustomize: + description: Kustomization to apply as PostRenderer. + properties: + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, + a new tag or digest, which will replace the original + name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace + the original name. 
+ type: string + newTag: + description: NewTag is the value used to replace the + original tag. + type: string + required: + - name + type: object + type: array + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. 
+ type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: |- + JSON 6902 patches, defined as inline YAML objects. + Deprecated: use Patches instead. + items: + description: JSON6902Patch contains a JSON6902 patch and + the target the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document + with an array of operation objects. + items: + description: |- + JSON6902 is a JSON6902 operation object. + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: |- + From contains a JSON-pointer value that references a location within the target document where the operation is + performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations. + type: string + op: + description: |- + Op indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy", or + "test". + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: |- + Path contains the JSON-pointer value that references a location within the target document where the operation + is performed. The meaning of the value depends on the value of Op. + type: string + value: + description: |- + Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into + account by all operations. 
+ x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: |- + Strategic merge patches, defined as inline YAML objects. 
+ Deprecated: use Patches instead. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + type: object + type: object + type: array + releaseName: + description: |- + ReleaseName used for the Helm release. Defaults to a composition of + '[TargetNamespace-]Name'. + maxLength: 53 + minLength: 1 + type: string + rollback: + description: Rollback holds the configuration for Helm rollback actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + rollback action when it fails. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + rollback has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + rollback has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + recreate: + description: Recreate performs pod restarts for the resource if + applicable. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm rollback action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this HelmRelease. + maxLength: 253 + minLength: 1 + type: string + storageNamespace: + description: |- + StorageNamespace used for the Helm storage. + Defaults to the namespace of the HelmRelease. 
+ maxLength: 63 + minLength: 1 + type: string + suspend: + description: |- + Suspend tells the controller to suspend reconciliation for this HelmRelease, + it does not apply to already started reconciliations. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace to target when performing operations for the HelmRelease. + Defaults to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + test: + description: Test holds the configuration for Helm test actions for + this HelmRelease. + properties: + enable: + description: |- + Enable enables Helm test actions for this HelmRelease after an Helm install + or upgrade action has been performed. + type: boolean + filters: + description: Filters is a list of tests to run or exclude from + running. + items: + description: Filter holds the configuration for individual Helm + test filters. + properties: + exclude: + description: Exclude specifies whether the named test should + be excluded. + type: boolean + name: + description: Name is the name of the test. + maxLength: 253 + minLength: 1 + type: string + required: + - name + type: object + type: array + ignoreFailures: + description: |- + IgnoreFailures tells the controller to skip remediation when the Helm tests + are run but fail. Can be overwritten for tests run after install or upgrade + actions in 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation during + the performance of a Helm test action. Defaults to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like Jobs + for hooks) during the performance of a Helm action. Defaults to '5m0s'. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + uninstall: + description: Uninstall holds the configuration for Helm uninstall + actions for this HelmRelease. + properties: + deletionPropagation: + default: background + description: |- + DeletionPropagation specifies the deletion propagation policy when + a Helm uninstall is performed. + enum: + - background + - foreground + - orphan + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables waiting for all the resources to be deleted after + a Helm uninstall is performed. + type: boolean + keepHistory: + description: |- + KeepHistory tells Helm to remove all associated resources and mark the + release as deleted, but retain the release history. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm uninstall action. Defaults + to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + upgrade: + description: Upgrade holds the configuration for Helm upgrade actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + upgrade action when it fails. + type: boolean + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Skip` and if omitted + CRDs are neither installed nor upgraded. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. 
+ + By default, CRDs are not applied during Helm upgrade action. With this + option users can opt-in to CRD upgrade, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm upgrade action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm upgrade action from validating + rendered templates against the Kubernetes OpenAPI Schema. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + upgrade has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + upgrade has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + preserveValues: + description: |- + PreserveValues will make Helm reuse the last release's values and merge in + overrides from 'Values'. Setting this flag makes the HelmRelease + non-declarative. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm upgrade + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an upgrade action but fail. + Defaults to 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false' unless 'Retries' is greater than 0. 
+ type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using 'Strategy', is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. + type: integer + strategy: + description: Strategy to use for failure remediation. Defaults + to 'rollback'. + enum: + - rollback + - uninstall + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm upgrade action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + values: + description: Values holds the values for this Helm release. + x-kubernetes-preserve-unknown-fields: true + valuesFrom: + description: |- + ValuesFrom holds references to resources containing Helm values for this HelmRelease, + and information about how they should be merged. + items: + description: |- + ValuesReference contains a reference to a resource containing Helm values, + and optionally the key they can be found at. + properties: + kind: + description: Kind of the values referent, valid values are ('Secret', + 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + description: |- + Optional marks this ValuesReference as optional. When set, a not found error + for the values reference is ignored, but any ValuesKey, TargetPath or + transient error will still result in a reconciliation failure. + type: boolean + targetPath: + description: |- + TargetPath is the YAML dot notation path the value should be merged at. When + set, the ValuesKey is expected to be a single flat value. 
Defaults to 'None', + which results in the values getting merged at the root. + maxLength: 250 + pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ + type: string + valuesKey: + description: |- + ValuesKey is the data key where the values.yaml or a specific value can be + found at. Defaults to 'values.yaml'. + maxLength: 253 + pattern: ^[\-._a-zA-Z0-9]+$ + type: string + required: + - kind + - name + type: object + type: array + required: + - interval + type: object + x-kubernetes-validations: + - message: either chart or chartRef must be set + rule: (has(self.chart) && !has(self.chartRef)) || (!has(self.chart) + && has(self.chartRef)) + status: + default: + observedGeneration: -1 + description: HelmReleaseStatus defines the observed state of a HelmRelease. + properties: + conditions: + description: Conditions holds the conditions for the HelmRelease. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failures: + description: |- + Failures is the reconciliation failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + helmChart: + description: |- + HelmChart is the namespaced name of the HelmChart resource created by + the controller for the HelmRelease. + type: string + history: + description: |- + History holds the history of Helm releases performed for this HelmRelease + up to the last successfully completed release. + items: + description: |- + Snapshot captures a point-in-time copy of the status information for a Helm release, + as managed by the controller. + properties: + apiVersion: + description: |- + APIVersion is the API version of the Snapshot. + Provisional: when the calculation method of the Digest field is changed, + this field will be used to distinguish between the old and new methods. + type: string + appVersion: + description: AppVersion is the chart app version of the release + object in storage. + type: string + chartName: + description: ChartName is the chart name of the release object + in storage. 
+ type: string + chartVersion: + description: |- + ChartVersion is the chart version of the release object in + storage. + type: string + configDigest: + description: |- + ConfigDigest is the checksum of the config (better known as + "values") of the release object in storage. + It has the format of `:`. + type: string + deleted: + description: Deleted is when the release was deleted. + format: date-time + type: string + digest: + description: |- + Digest is the checksum of the release object in storage. + It has the format of `:`. + type: string + firstDeployed: + description: FirstDeployed is when the release was first deployed. + format: date-time + type: string + lastDeployed: + description: LastDeployed is when the release was last deployed. + format: date-time + type: string + name: + description: Name is the name of the release. + type: string + namespace: + description: Namespace is the namespace the release is deployed + to. + type: string + ociDigest: + description: OCIDigest is the digest of the OCI artifact associated + with the release. + type: string + status: + description: Status is the current state of the release. + type: string + testHooks: + additionalProperties: + description: |- + TestHookStatus holds the status information for a test hook as observed + to be run by the controller. + properties: + lastCompleted: + description: LastCompleted is the time the test hook last + completed. + format: date-time + type: string + lastStarted: + description: LastStarted is the time the test hook was + last started. + format: date-time + type: string + phase: + description: Phase the test hook was observed to be in. + type: string + type: object + description: |- + TestHooks is the list of test hooks for the release as observed to be + run by the controller. + type: object + version: + description: Version is the version of the release object in + storage. 
+ type: integer + required: + - chartName + - chartVersion + - configDigest + - digest + - firstDeployed + - lastDeployed + - name + - namespace + - status + - version + type: object + type: array + installFailures: + description: |- + InstallFailures is the install failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + lastAppliedRevision: + description: |- + LastAppliedRevision is the revision of the last successfully applied + source. + Deprecated: the revision can now be found in the History. + type: string + lastAttemptedConfigDigest: + description: |- + LastAttemptedConfigDigest is the digest for the config (better known as + "values") of the last reconciliation attempt. + type: string + lastAttemptedGeneration: + description: |- + LastAttemptedGeneration is the last generation the controller attempted + to reconcile. + format: int64 + type: integer + lastAttemptedReleaseAction: + description: |- + LastAttemptedReleaseAction is the last release action performed for this + HelmRelease. It is used to determine the active remediation strategy. + enum: + - install + - upgrade + type: string + lastAttemptedRevision: + description: |- + LastAttemptedRevision is the Source revision of the last reconciliation + attempt. For OCIRepository sources, the 12 first characters of the digest are + appended to the chart version e.g. "1.2.3+1234567890ab". + type: string + lastAttemptedRevisionDigest: + description: |- + LastAttemptedRevisionDigest is the digest of the last reconciliation attempt. + This is only set for OCIRepository sources. + type: string + lastAttemptedValuesChecksum: + description: |- + LastAttemptedValuesChecksum is the SHA1 checksum for the values of the last + reconciliation attempt. + Deprecated: Use LastAttemptedConfigDigest instead. 
+ type: string + lastHandledForceAt: + description: |- + LastHandledForceAt holds the value of the most recent force request + value, so a change of the annotation value can be detected. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + lastHandledResetAt: + description: |- + LastHandledResetAt holds the value of the most recent reset request + value, so a change of the annotation value can be detected. + type: string + lastReleaseRevision: + description: |- + LastReleaseRevision is the revision of the last successful Helm release. + Deprecated: Use History instead. + type: integer + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + observedPostRenderersDigest: + description: |- + ObservedPostRenderersDigest is the digest for the post-renderers of + the last successful reconciliation attempt. + type: string + storageNamespace: + description: |- + StorageNamespace is the namespace of the Helm release storage for the + current release. + maxLength: 63 + minLength: 1 + type: string + upgradeFailures: + description: |- + UpgradeFailures is the upgrade failure count against the latest desired + state. It is reset after a successful reconciliation. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: helm-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: helm-controller + namespace: flux-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: helm-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + control-plane: controller + name: helm-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: helm-controller + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: helm-controller + spec: + containers: + - args: + - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ + - --watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.memory + image: ghcr.io/fluxcd/helm-controller:v1.3.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + 
seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: temp + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1337 + serviceAccountName: helm-controller + terminationGracePeriodSeconds: 600 + volumes: + - emptyDir: {} + name: temp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: alerts.notification.toolkit.fluxcd.io +spec: + group: notification.toolkit.fluxcd.io + names: + kind: Alert + listKind: AlertList + plural: alerts + singular: alert + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta1 Alert is deprecated, upgrade to v1beta3 + name: v1beta1 + schema: + openAPIV3Schema: + description: Alert is the Schema for the alerts API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AlertSpec defines an alerting rule for events involving a + list of objects + properties: + eventSeverity: + default: info + description: |- + Filter events based on severity, defaults to ('info'). + If set to 'info' no events will be filtered. + enum: + - info + - error + type: string + eventSources: + description: Filter events based on the involved objects. + items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + name: + description: Name of the referent + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + exclusionList: + description: A list of Golang regular expressions to be used for excluding + messages. + items: + type: string + type: array + providerRef: + description: Send events using this provider. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + summary: + description: Short description of the impact and affected cluster. + type: string + suspend: + description: |- + This flag tells the controller to suspend subsequent events dispatching. + Defaults to false. + type: boolean + required: + - eventSources + - providerRef + type: object + status: + default: + observedGeneration: -1 + description: AlertStatus defines the observed state of Alert + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Alert is deprecated, upgrade to v1beta3 + name: v1beta2 + schema: + openAPIV3Schema: + description: Alert is the Schema for the alerts API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AlertSpec defines an alerting rule for events involving a + list of objects. + properties: + eventMetadata: + additionalProperties: + type: string + description: |- + EventMetadata is an optional field for adding metadata to events dispatched by the + controller. This can be used for enhancing the context of the event. If a field + would override one already present on the original event as generated by the emitter, + then the override doesn't happen, i.e. the original value is preserved, and an info + log is printed. + type: object + eventSeverity: + default: info + description: |- + EventSeverity specifies how to filter events based on severity. + If set to 'info' no events will be filtered. + enum: + - info + - error + type: string + eventSources: + description: |- + EventSources specifies how to filter events based + on the involved object kind, name and namespace. + items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + MatchLabels requires the name to be set to `*`. 
+ type: object + name: + description: |- + Name of the referent + If multiple resources are targeted `*` may be set. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 253 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + exclusionList: + description: |- + ExclusionList specifies a list of Golang regular expressions + to be used for excluding messages. + items: + type: string + type: array + inclusionList: + description: |- + InclusionList specifies a list of Golang regular expressions + to be used for including messages. + items: + type: string + type: array + providerRef: + description: ProviderRef specifies which Provider this Alert should + use. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + summary: + description: Summary holds a short description of the impact and affected + cluster. + maxLength: 255 + type: string + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this Alert. + type: boolean + required: + - eventSources + - providerRef + type: object + status: + default: + observedGeneration: -1 + description: AlertStatus defines the observed state of the Alert. + properties: + conditions: + description: Conditions holds the conditions for the Alert. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta3 + schema: + openAPIV3Schema: + description: Alert is the Schema for the alerts API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AlertSpec defines an alerting rule for events involving a + list of objects. + properties: + eventMetadata: + additionalProperties: + type: string + description: |- + EventMetadata is an optional field for adding metadata to events dispatched by the + controller. This can be used for enhancing the context of the event. If a field + would override one already present on the original event as generated by the emitter, + then the override doesn't happen, i.e. the original value is preserved, and an info + log is printed. + type: object + eventSeverity: + default: info + description: |- + EventSeverity specifies how to filter events based on severity. + If set to 'info' no events will be filtered. + enum: + - info + - error + type: string + eventSources: + description: |- + EventSources specifies how to filter events based + on the involved object kind, name and namespace. 
+ items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + MatchLabels requires the name to be set to `*`. + type: object + name: + description: |- + Name of the referent + If multiple resources are targeted `*` may be set. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 253 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + exclusionList: + description: |- + ExclusionList specifies a list of Golang regular expressions + to be used for excluding messages. + items: + type: string + type: array + inclusionList: + description: |- + InclusionList specifies a list of Golang regular expressions + to be used for including messages. + items: + type: string + type: array + providerRef: + description: ProviderRef specifies which Provider this Alert should + use. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + summary: + description: |- + Summary holds a short description of the impact and affected cluster. + Deprecated: Use EventMetadata instead. 
+ maxLength: 255 + type: string + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this Alert. + type: boolean + required: + - eventSources + - providerRef + type: object + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: providers.notification.toolkit.fluxcd.io +spec: + group: notification.toolkit.fluxcd.io + names: + kind: Provider + listKind: ProviderList + plural: providers + singular: provider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta1 Provider is deprecated, upgrade to v1beta3 + name: v1beta1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProviderSpec defines the desired state of Provider + properties: + address: + description: HTTP/S webhook address of this provider + pattern: ^(http|https):// + type: string + certSecretRef: + description: |- + CertSecretRef can be given the name of a secret containing + a PEM-encoded CA certificate (`caFile`) + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + channel: + description: Alert channel for this provider + type: string + proxy: + description: HTTP/S address of the proxy + pattern: ^(http|https):// + type: string + secretRef: + description: |- + Secret reference containing the provider webhook URL + using "address" as data key + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + This flag tells the controller to suspend subsequent events handling. + Defaults to false. + type: boolean + timeout: + description: Timeout for sending alerts to the provider. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: Type of provider + enum: + - slack + - discord + - msteams + - rocket + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - azuredevops + - googlechat + - webex + - sentry + - azureeventhub + - telegram + - lark + - matrix + - opsgenie + - alertmanager + - grafana + - githubdispatch + type: string + username: + description: Bot username for this provider + type: string + required: + - type + type: object + status: + default: + observedGeneration: -1 + description: ProviderStatus defines the observed state of Provider + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last reconciled generation. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Provider is deprecated, upgrade to v1beta3 + name: v1beta2 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProviderSpec defines the desired state of the Provider. + properties: + address: + description: |- + Address specifies the endpoint, in a generic sense, to where alerts are sent. + What kind of endpoint depends on the specific Provider type being used. + For the generic Provider, for example, this is an HTTP/S address. + For other Provider types this could be a project ID or a namespace. + maxLength: 2048 + type: string + certSecretRef: + description: |- + CertSecretRef specifies the Secret containing + a PEM-encoded CA certificate (in the `ca.crt` key). + + Note: Support for the `caFile` key has + been deprecated. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + channel: + description: Channel specifies the destination channel where events + should be posted. + maxLength: 2048 + type: string + interval: + description: Interval at which to reconcile the Provider with its + Secret references. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + proxy: + description: Proxy the HTTP/S address of the proxy server. + maxLength: 2048 + pattern: ^(http|https)://.*$ + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing the authentication + credentials for this Provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this Provider. + type: boolean + timeout: + description: Timeout for sending alerts to the Provider. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: Type specifies which Provider implementation to use. + enum: + - slack + - discord + - msteams + - rocket + - generic + - generic-hmac + - github + - gitlab + - gitea + - bitbucketserver + - bitbucket + - azuredevops + - googlechat + - googlepubsub + - webex + - sentry + - azureeventhub + - telegram + - lark + - matrix + - opsgenie + - alertmanager + - grafana + - githubdispatch + - pagerduty + - datadog + type: string + username: + description: Username specifies the name under which events are posted. + maxLength: 2048 + type: string + required: + - type + type: object + status: + default: + observedGeneration: -1 + description: ProviderStatus defines the observed state of the Provider. + properties: + conditions: + description: Conditions holds the conditions for the Provider. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. 
+ type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta3 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProviderSpec defines the desired state of the Provider. + properties: + address: + description: |- + Address specifies the endpoint, in a generic sense, to where alerts are sent. + What kind of endpoint depends on the specific Provider type being used. + For the generic Provider, for example, this is an HTTP/S address. + For other Provider types this could be a project ID or a namespace. + maxLength: 2048 + type: string + certSecretRef: + description: |- + CertSecretRef specifies the Secret containing + a PEM-encoded CA certificate (in the `ca.crt` key). + + Note: Support for the `caFile` key has + been deprecated. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + channel: + description: Channel specifies the destination channel where events + should be posted. + maxLength: 2048 + type: string + commitStatusExpr: + description: |- + CommitStatusExpr is a CEL expression that evaluates to a string value + that can be used to generate a custom commit status message for use + with eligible Provider types (github, gitlab, gitea, bitbucketserver, + bitbucket, azuredevops). Supported variables are: event, provider, + and alert. + type: string + interval: + description: |- + Interval at which to reconcile the Provider with its Secret references. + Deprecated and not used in v1beta3. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + proxy: + description: Proxy the HTTP/S address of the proxy server. + maxLength: 2048 + pattern: ^(http|https)://.*$ + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing the authentication + credentials for this Provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the service account used to + authenticate with services from cloud providers. An error is thrown if a + static credential is also defined inside the Secret referenced by the + SecretRef. + type: string + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this Provider. + type: boolean + timeout: + description: Timeout for sending alerts to the Provider. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: Type specifies which Provider implementation to use. 
+ enum: + - slack + - discord + - msteams + - rocket + - generic + - generic-hmac + - github + - gitlab + - gitea + - bitbucketserver + - bitbucket + - azuredevops + - googlechat + - googlepubsub + - webex + - sentry + - azureeventhub + - telegram + - lark + - matrix + - opsgenie + - alertmanager + - grafana + - githubdispatch + - pagerduty + - datadog + - nats + type: string + username: + description: Username specifies the name under which events are posted. + maxLength: 2048 + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: spec.commitStatusExpr is only supported for the 'github', 'gitlab', + 'gitea', 'bitbucketserver', 'bitbucket', 'azuredevops' provider types + rule: self.type == 'github' || self.type == 'gitlab' || self.type == + 'gitea' || self.type == 'bitbucketserver' || self.type == 'bitbucket' + || self.type == 'azuredevops' || !has(self.commitStatusExpr) + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: receivers.notification.toolkit.fluxcd.io +spec: + group: notification.toolkit.fluxcd.io + names: + kind: Receiver + listKind: ReceiverList + plural: receivers + singular: receiver + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: Receiver is the Schema for the receivers API. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ReceiverSpec defines the desired state of the Receiver. + properties: + events: + description: |- + Events specifies the list of event types to handle, + e.g. 'push' for GitHub or 'Push Hook' for GitLab. + items: + type: string + type: array + interval: + default: 10m + description: Interval at which to reconcile the Receiver with its + Secret references. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + resourceFilter: + description: |- + ResourceFilter is a CEL expression expected to return a boolean that is + evaluated for each resource referenced in the Resources field when a + webhook is received. If the expression returns false then the controller + will not request a reconciliation for the resource. + When the expression is specified the controller will parse it and mark + the object as terminally failed if the expression is invalid or does not + return a boolean. + type: string + resources: + description: A list of resources to be notified about changes. 
+ items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + MatchLabels requires the name to be set to `*`. + type: object + name: + description: |- + Name of the referent + If multiple resources are targeted `*` may be set. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 253 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + secretRef: + description: |- + SecretRef specifies the Secret containing the token used + to validate the payload authenticity. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this receiver. + type: boolean + type: + description: |- + Type of webhook sender, used to determine + the validation procedure and payload deserialization. 
+ enum: + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - harbor + - dockerhub + - quay + - gcr + - nexus + - acr + - cdevents + type: string + required: + - resources + - secretRef + - type + type: object + status: + default: + observedGeneration: -1 + description: ReceiverStatus defines the observed state of the Receiver. + properties: + conditions: + description: Conditions holds the conditions for the Receiver. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Receiver object. + format: int64 + type: integer + webhookPath: + description: |- + WebhookPath is the generated incoming webhook address in the format + of '/hook/sha256sum(token+name+namespace)'. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta1 Receiver is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: Receiver is the Schema for the receivers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ReceiverSpec defines the desired state of Receiver + properties: + events: + description: |- + A list of events to handle, + e.g. 'push' for GitHub or 'Push Hook' for GitLab. + items: + type: string + type: array + resources: + description: A list of resources to be notified about changes. + items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + name: + description: Name of the referent + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + secretRef: + description: |- + Secret reference containing the token used + to validate the payload authenticity + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + This flag tells the controller to suspend subsequent events handling. 
+ Defaults to false. + type: boolean + type: + description: |- + Type of webhook sender, used to determine + the validation procedure and payload deserialization. + enum: + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - harbor + - dockerhub + - quay + - gcr + - nexus + - acr + type: string + required: + - resources + - secretRef + - type + type: object + status: + default: + observedGeneration: -1 + description: ReceiverStatus defines the observed state of Receiver + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: |- + Generated webhook URL in the format + of '/hook/sha256sum(token+name+namespace)'. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Receiver is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: Receiver is the Schema for the receivers API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ReceiverSpec defines the desired state of the Receiver. + properties: + events: + description: |- + Events specifies the list of event types to handle, + e.g. 'push' for GitHub or 'Push Hook' for GitLab. + items: + type: string + type: array + interval: + description: Interval at which to reconcile the Receiver with its + Secret references. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + resources: + description: A list of resources to be notified about changes. + items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + MatchLabels requires the name to be set to `*`. + type: object + name: + description: |- + Name of the referent + If multiple resources are targeted `*` may be set. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 253 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + secretRef: + description: |- + SecretRef specifies the Secret containing the token used + to validate the payload authenticity. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this receiver. + type: boolean + type: + description: |- + Type of webhook sender, used to determine + the validation procedure and payload deserialization. + enum: + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - harbor + - dockerhub + - quay + - gcr + - nexus + - acr + type: string + required: + - resources + - secretRef + - type + type: object + status: + default: + observedGeneration: -1 + description: ReceiverStatus defines the observed state of the Receiver. + properties: + conditions: + description: Conditions holds the conditions for the Receiver. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Receiver object. + format: int64 + type: integer + url: + description: |- + URL is the generated incoming webhook address in the format + of '/hook/sha256sum(token+name+namespace)'. + Deprecated: Replaced by WebhookPath. + type: string + webhookPath: + description: |- + WebhookPath is the generated incoming webhook address in the format + of '/hook/sha256sum(token+name+namespace)'. 
+ type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + name: notification-controller + namespace: flux-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + control-plane: controller + name: notification-controller + namespace: flux-system +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app: notification-controller + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + control-plane: controller + name: webhook-receiver + namespace: flux-system +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http-webhook + selector: + app: notification-controller + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.6.4 + control-plane: controller + name: notification-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: notification-controller + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: notification-controller + spec: + containers: + - args: + - --watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + env: + - name: RUNTIME_NAMESPACE + 
valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.memory + image: ghcr.io/fluxcd/notification-controller:v1.6.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 9090 + name: http + protocol: TCP + - containerPort: 9292 + name: http-webhook + protocol: TCP + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: temp + nodeSelector: + kubernetes.io/os: linux + securityContext: + fsGroup: 1337 + serviceAccountName: notification-controller + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: temp From 5d9c4ee06341af61e3d64e9b0d636c536c50e0c2 Mon Sep 17 00:00:00 2001 From: Felix Date: Fri, 18 Jul 2025 03:35:32 +0000 Subject: [PATCH 8/9] Added kustomize manifest file --- 01-kubernetes-fundamentals/nginx-deployment.yaml | 2 +- 01-kubernetes-fundamentals/nginx-pod.yaml | 2 +- mkdocs.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/01-kubernetes-fundamentals/nginx-deployment.yaml b/01-kubernetes-fundamentals/nginx-deployment.yaml index 44aa1f1..b78cfa0 100644 --- a/01-kubernetes-fundamentals/nginx-deployment.yaml +++ b/01-kubernetes-fundamentals/nginx-deployment.yaml 
@@ -16,7 +16,7 @@ spec: spec: containers: - name: nginx - image: nginx:latest + image: nginxinc/nginx-unprivileged ports: - containerPort: 80 # Add Security Context to the Pod diff --git a/01-kubernetes-fundamentals/nginx-pod.yaml b/01-kubernetes-fundamentals/nginx-pod.yaml index d8ecc50..65666e7 100644 --- a/01-kubernetes-fundamentals/nginx-pod.yaml +++ b/01-kubernetes-fundamentals/nginx-pod.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: nginx - image: nginx:latest + image: nginxinc/nginx-unprivileged ports: - containerPort: 80 # Add Security Context to the Pod diff --git a/mkdocs.yml b/mkdocs.yml index 7377c7d..ab3a032 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,5 +1,5 @@ site_name: My Kubernetes Portfolio -site_url: https://.github.io/student-notebook/ +site_url: https://felix-codexyz.github.io/student-notebook/ theme: name: material palette: From 0e946540463a6edbd6588637e20f8dde16e4970f Mon Sep 17 00:00:00 2001 From: Felix Date: Fri, 18 Jul 2025 03:43:25 +0000 Subject: [PATCH 9/9] Add kustomization.yaml and notebook zip --- clusters/dev/kustomization.yaml | 12 ++++++++++++ kubeskills-notebook.zip | Bin 0 -> 115183 bytes 2 files changed, 12 insertions(+) create mode 100644 clusters/dev/kustomization.yaml create mode 100644 kubeskills-notebook.zip diff --git a/clusters/dev/kustomization.yaml b/clusters/dev/kustomization.yaml new file mode 100644 index 0000000..3f963b3 --- /dev/null +++ b/clusters/dev/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: student-notebook + namespace: flux-system +spec: + interval: 1m + path: ./labs + prune: true + sourceRef: + kind: GitRepository + name: student-notebook \ No newline at end of file 
diff --git a/kubeskills-notebook.zip b/kubeskills-notebook.zip new file mode 100644 index 0000000000000000000000000000000000000000..b75e009cc4fcd007d469baa26c3be638bccdf4ff GIT binary patch literal 115183
zI*r@H+wbc20=%1-<4^^~^yb>BlSHXpHUNL_ys-dZe+@8kTOw!rw+)(IzCusL(~Dwp z_c9Dm+Qb&^?j{H!>lbT~gdN}faAjeBb&-j6|~cbHu++1Q;#M z{W~-I#I;(k1QGj$SE_Ann}q!xEMlT*j@_Xuo9KEvCs_-dwFyk@^iqo%sgKtE)(%xOw{Xi?j1x zPKS+QGA$qne4_bc^hK+*b4p$?OPjxzGS6g%n**RzSu9w$vtn&+XXBccBB|LjmOI8T zi3mQP#W;a@E7r_y%L(iU*cGSiOqL8?o~F$GePr1Yv>5d*Rxvp5P)l5&jgfZVrWy#W z8f8Ufzc*(5Y7}%1U4yO$BonX&CzKzDY_ImL=naNMZ$eBiSsRP@jhxEkW?houQxiWO zpitque2VHj#KLMu!^1zyDA8*bo= zf6z+(T}ZKcVIQ$IfV{!2OQwtLO7n!FBfzFZV=XV#I(`_`%Maj{RbpG;OF<|2(5nPJ zXl077=h)UK3HB{*66w6+Xn3nci(so}!L&~GQ`;*a4C{S_t4=Fm3=Zqiq6kPxY8L>( z0x(Jg%FhIvuwku2k$+Xil>hNA!!-Z?YLtA7hAf0@C=wkDrXNQy<3m2R9IB%f$}AB_ zL<`fKIAWe%26PewN)ZGu0RhdAT7?=LMk`XvQIRkUv-QP5JpBE-4r>(J$YPrxJl20ir7!*Qhmw+149zmRR|lkVj$+fM$(eWiB6QL%-T#XMcyTrVJ4 zWpq9d+lWdq!xj%f&eICRezb|98-$xD$u|&Lzd(a%a=J=drr5JlFo^RXEHn^xEMN-%G1x zzuraXMbEr zc8aid&$&TQ0aAJOCg{4d`KQ_D@=%5Qz+Nv4<1i)4DY^jm0Ga)$xQPY};@wD!*1=5a;@v9p0;`?C=pH zFW$`r5dyYU;As)@MGP0vLBzz!UP+YUe6v9W+h-vz#h0f#c>O{~Y ze1Y5mX%g{XHfE~`@fq9<3S@mD*N-2t#ic_>8PQmPyV!stcx%V|kyX`-df?UzZ**bf zZrTn{#+|X9axcyK<4GU_Z4zC3iUP-(k-EeCqLPMouyDi}{n3kyLAIg`2`Kk49c+ni zFwr@FKf!Q=oi@Bmg!SrS_-?Fbf^0YY0+c{~cUx$&%TCVBLX~(sO#K3GA~tM(re)g{=13AUBUAb(DqS zq9yVYw=U}fa_(HCI{MQF%+>rgZP)2$HqSeM-um#=6rPzCcPcss6h}p@nSE;|b~zz4 zvUg%vB=Jh$LLjG%R#zycfHx?)_%>kU%C|(0YW^bSa>(>oF0#^#k z6hV4SKO{ajTqwYsU5S#Cr|<;}9LaDLlBIhesbUz}fyBH;n2LFk0chysHC6$u8IkH@ zPY|!O+kFfX1OZj5o~Tp^J(X4lb+)BbcY+`}p-ILNd2$1zLL=5^PQ`{bPIDRh4+Y37+~v zk6K+R@e^zplPqV&;jxxum{=8M=lt}>C_`O%HxUu_%$~>4azr|lL zh6z7N7DzuT7D6)J!X_30zbNw1x{zn8KAH=u3u>7`?D{{|g2(yf%Sf2yiwbF zb+S>z5fZN_Dz^E_>y-Tv_$*{b+%>>Zu_m9XNS-;4tes<6p&>BWa(u3x9eGjk?3}KL zSwuGs8q$|YVkHAdjohT8?vFtl!B019xzkkfcb9BSB;8E=-_IL%^fxl;OXFO6?Ks7i z_%3D*^3yI#yEwe-Zhdqm!~T-TKI}i%8)(@@a}vyD*F(3TaM9>aYgiJ_Mg!5L!fjZM zy5}X!nq1%S_t-$sdg^mQ{h{?VZxU`=VP3Y@{py)v0^rO>5=mr+HnDHRJ#!Hgc+gao z^7A}TaMp7O+f>4nCibWOWLZq}!T#H2TN;Yhw*(GsJ%rGBxz%^AD#Wv7b!sG~LBZl? 
zTaqcl0=Ov;p|{A>Ox#w}H+vUSt>|4Z{?qIZ?E&-pq#gY~}-i`EnkcIi&I8TXNkM?L^v+EM3q0|}a z%d!Ye)~g}b=`<AnBV5Ox-`HZ&jQDe8A56R7k^Sg|l zc&OA1HSuap!eo&a2M@+}zT`H_`6w{}kjH9keOUc$Rp60(`M6Kf<;I7bc16W=ii2B` z7mh}#Bjo+!XvCH)HO#HFpT~E^NR43+9y`mZ-ecq7qWXr%`Y~qw@K}B*OfQelczy=A z=GYloR+eOc3U?q6`t5w)eeCNx`W)le1e%El5|;w-eF<^P+Ydw=E`OAQyfjk&1nv=2 zzcT&*m#Uedqn`JW`!ht@(1UIE$C#`^gBhv*{-1E5Q}!E2a+_qCT_0LqR5Bg80dX2# zJc@iqc={1hXpww&F*rz&RuGj@7!U4^14!ZsDY=9@%tJHrfIaOYIY4mQB$}U0k=7pQ zfItrEo;h_JV1aRV!}$z#i+OLXuWdJqwKh|4vGyB=9>@^>s27NMW`X&>#D*pI%?}IN z=l`T?=A9NnO}=2c6`PHIJ?4H6K=ApFGjW7dk(5*Gy$j7U6K%${ydEo-1RYb~a#+x% zBfBAEy0%j*T8bJpxHo*+0B!~In}LKg;0sITY8F+}Hdv>io86OXH+&0Y>A9J?wxG0k z_nZQkLJOmcp=E2O8;JlLt}WOh9mU7|1HhNngQ>}8j1tt2t&2D+`A76*qL1W6wyVn- zU(m?9FHsy96^}54K-d-#e|XZ?%|4byMdwWxJSK|0G;3-dk(>tN(#&tKTaog+^S76w zqk77gryK*7?wTR@jCZ>;KE%fsaKIpAbCktbN^wqGYi%1a;W9`r-o|0LQf@FdQH$o_ zb+(K37QMVLA@V()a`mSC>ym9Dp+p21d`t&}JYyahAlKu9ICHvJ!dRtUV^?)C#QA3+_IUzOq8YX)b zp0KZ94&nQAaR{==*t>Z8?jzXa-PYb^ITTJ2?Vgv!?kA4RMkLW>omobmdaC4W%MREv zOyJ@`*zb#JFMDYC9((_In<44;OlO5G)!*1R1%dCnGIPGnl4N$9D&tS`O3v)%q??$Y zEr6UY>{*+ScSaZp;DF#7fyExor&0E@wgl~*wc9&;+`6z<=YU`4Uid%6R4e?YZ+v-; z8tpnhd*{`-|zx-IbIlnjUezIISwd_58bF`*)>QKaGkuC^G`MG)#Xz;O% zw;Uor+@E3kP(M((EDGb`o3eqKD0L&#WFY6&1|v#c>1b>+zx^TZpF1t_L-KPIZF2iv zMmM}@av#PpKL9~iO4(<-2Um;Np8ap?sr29Uruz}aNeuFnvx?;hlqDxl%bzJORFmEPTKEufPske6# zi^Z#wLRLSTl@%PUvnw|jz1gH%z1c0y2tQA@XD^4fx`J(hYK#}17%*v2p@E!5EMY{~ z2DFfCt*Tizk@nk;Y~3Q*Y&~~eij|CG;=zh%ZS7GWhLA9OZ!kzPMh_+Zsk~^6ht%*k z0AuM~-8i!%y+S9Ax|g<`7db3l$)~&Ob*NX3ADI zn9L>k%7`xXwA*?80g8zHWXE>BqDjazR-Z~C zMQV?l+S-c?aeB~yMBUiOC(U$(%v}=RjL#|`uKLcA03#q>}%d9osZkusaM)G zMiOPV8*8d(HE3?kCmk}${+vj&6@MGP0sm<~O;>fPp7exlpOi}LH1!t1${f7Q+Ucb2e3O0Na}Dpaza1za{!~yf0_|VFcC>Po+fws zE;`CPQla)(Ia^Ih%}XQ2m5z!F4kKWD?Q}H$hi88HvH^Fa)j`7L3cpcFD!+OtF_8l!j#FZ3Qb$GjCA{1<-=3{9~ zR~ny2Dn&k-ZPa?Fw+Us8MAf@`lOP2`09)Uzt)kdX&Nwh9YHHy7DKRfdp~!9CQ6@$R zug(HyM3ITNfM=i2<@N5)7N@zftiXcns|q)*Y6F$(G8R?G)TV9p>ei|dBlo!H3y-^@chMy&X7Ww^it= 
z&Gp`uU#@esQUpHSc_3<%oP+^7S3dtx4vnLOwyn(QUesxvx?Wvgd!SfBNq9B=J!Noh zdsfSb9*L5UC4d=HK~3m4^EWj3tlwJsyLQvl)>4OC$Hs!yEW5hGA#C5LkrIPUG^3)x z*?+MpcHyn~DOSl781(3JpRm2M7AA|Xrc!;{BN+4u)+OG6r&Cc*g*J9g7IFIAc;@IH zS^S_GH_7RJ7lOrulK?38OVh)0ZLe@!_3g`;5RvP8IyY6@18IWnRQL_qE|^H8aFi%y z193(M>>HYp$@mY=xHbP;LI*WP8|Pz>MF2=<_Kqgg`vFWn>Hhq0%Vr9(@_)`|t^x$J z(?fYX3ksi{a#9F1``-7DVA1&M*jA;oNxZ^~b=^P((^^!t1{iU+L`S~~xg=$c79<- z@;5{xqhy!y)vm^7Al|R7AF7UWOCOofE4V*lsQ6%bh`%XEYDsT%6~x5PYk(nnX(d44 zH;&3~CYipS&0fZ4l4D2b2c0Y+lyYoGWn`gcWFlrtt>4lYQePyC92ZY9+q=ni;QZE~ z-ZgYdwbqm^a?N@6Uwf!GLo%e00vh&Wm3QPX9gm}roetT#ihV2*_TAbv&kARTbm_Vr z?bs;Y!pBZaJkhbw1R&focSbx03u_qrk?fz=&5jz*x$z<8-qRL&gdU6y4?g1<4C;zo z$c}H_FX6V=?m9*OKl6{+B=m$_HrzXKof8kdJ?6G#XD0g@BCUJ^2nUhWvPzzikn+}2 zPx-d4yA)F4EPr2rf^=>?H8oF)N#LZyANZ*I_zqdiZdYR1f+V2PHbF(T0?)MIy|3WXMX9 z?U2tVnq+FF^4~uf2vMBBm*BG-h+o^R%%aY-&$nkuE3MSRAVu-WS!f>Z^EK$_G41J~ zvQ>L*g`%z=fUzvUZhWe`IXfy!$N1JnAviJD4b%k+uM}d&;I6gu#ttZRoh2%-H5L5n z@CXh`RB6~oceM4|c3R?=;U^#4)3dMK8#W+vrI?)$bKekf_k`9NXm@bdsgTT3LC>b| zLxx-!C(*)2f3!hej)}UOMcrj!Tvk5+xU~vq{zzBT&3c?m^HJP6cK-%?Dmhd!7|GY(~vx5HQS(Bn7! 
zdLVd?RJcPW^RE#K{(y_KYRuqFSOQk6A$O}0uB^$H{uqaXHj!@D(;bHr;ohwJj+K;T zp`LEM-+g59qYeB&!7Vh9;3^{;VV9$>Q<=sBHc-Ej)rt8Z*a>Epi3pV_L$i06ML@Uj`0s_FL zo+$ctli1B&J`hM_UCmnCK8feXrlw*aIJ~_~Fm<8yxFSN^CDLe{{%!>4wAg1hCTCp~ z`tfFLOW#YuWrXF_J9HZ4pLKtd_?acv{?#!-s#ZVllE~Etq=ufUFul&ifDs z3=!JWJbIeeS=jTgxfL%@amXf_#islCR?r8_1Q)pBCUqhGvIpCzYBaJo?^*?DN(MUk z>i9OEDtNggQ$w8*&jkB(QrSu^)%KTw)0*44CMsjUqrlHLYKd-FL0~V78P2w#U*}dd zrVg6+mE-u>AlFSZBxr_mRZ%d@49$QgY`w}2(bX%PEvn)`zx%q099K^3HE9G8>eWY+ z{l_@MREroUPu8)AV$%J{ZE;m%!;X`6h1n1LT>7+`Nkj0VnTRONq-rW0Xcz)>Q*fF@ zVM>_Gi*!>2v1%^D-Tg8;Ww+{BVy}@qIrcU7`|!B>Phcc6H;Eehm0afi2o{qY`b8J& zYp*^?RI>~EXLqTR>lzr9HW68gnK6R5aMv4x2T+rH>Y)JGRnXy3mhPY9#H0sl-h z8U9zoA@vrx3$({jZTYPKx0Hq~{BJ2u!Ej@G!Al`MX66hK%T;>Ybku*~?%4rRWRkFI z=_Z$IxwNvBU=C1hp8iBXQ;}RuaPo+mUceoSab7Qe{g!RHSo z7LlYdHHuKAk^3+|sX=;hSa<&z^+EU>4^J0h@f^F=LV?!9zxvGQJ2tDm{6BpL;DO2r z^v44sekr#woX#fFV)C~Q@aA4!|86QTk!8r)-^_i_5Hr@fC#U7VcFo%fsZ?UMxMC?< zX6vN6jA?g4^}L{>$ZCxT^hrY3V+t+HTxYtN#6Zd~99e&kod?t{$Z~IP2Zw(QF46kW z9hwmoHe#5{aW?1(GPA;#%)UZ_5v3t-*&{~>P=`=2$LfIIPYStDl8t4v& zLKV>UUWE)<{mhAS;k0DO6QgWqDujtz=W{3AH8U~4KP*wDPNlVl6mrU(tf4Z&^GnZm z;-5t1r<;12JaD4OKp($5M$nUoA5E%M;Z4I2!v0d6YRXft&ol20MAo5-$lJuD!%Ym{ zEkicXyXc@QN+_xhy8YOLx^vYLkD3uU72H2S>Y{|0FS)dEkI40Z9>g4TrpkvZ-p#!R zU?#H&x43f@;IqO4x8U`51 z_@4OOt*l`xQ=QtqqGs4%k&+iXmLcdjQD#A86&r_9QV!>%oLVq?7Ma+jSt+Re2v8Dr zIZ7Vus|}r-G+&ShnxeWKF!N{u-E|gO8HzrBM!Qcw!{6Dq#p^7WM!}QmZ%ryvmV4So z4X;Iw>gs$aiEk@A)d?)FrGcKxo*ZPnvmRe&?>kHruJHY;s;oU(6@F+)*`#OL!bdDk z*9I%1jQ)r|iCxwuXmpzbg=?em-f3L#a*Z>-zP97#*JAFQEUQwvJC!*oWVw}FD zFzO@$qy_>5WEwuX0I4a09DAbtZ9UNpfIF{oh;lFk9igBhhY2EqF(F|I!W2OQi8l2p z;+Wz-`;iU!0k`x;yOo)u%HCMta-Ieb>hi6F)-T|{NdPf_Dmb$-L2<8z4m9xlF4#KP zWfb(+%j>nub~}JpTY%LW+SPXL#lH#-Ikw@NVF!<1wpmbR)u&TbskKC+hS!|rxs~$_ zTIs1oamYm%g=I9X+WBW6`K~1L`=hlSmdey!Cwl?dY23hCGk9n=Jk!4fMVRZVfzM;7 z@*d*!1)JKLX|`pX6S+Qk!8yxmhCTgFC_*%CEg=DkBac%_{uo1yHMxky-NSjtmo|?6 z{NcOjsbfcmCaAO@)((b_lmc}tfS&_$abn&!W~?7MO=XnSLHsqrl{+I zBpI3E>uo?d;KQac&aBHew7bBQw&Siv_|%r0HkQv)<=sX6_Kc 
zRiC+(>+@TpjHK{oo8{u;Du>YM)lg2Q&EnENI1b4dp0nfDxQWG11}k%AI)r+kU(Qc+QX1FLx7!1;T$TF;+@7H*#f#lhU2HFx-UHc zUJo#1=`a1|@q_gPklZ6zHRcEa{BO}lCd^c4>i0Vzv#O+`-_Gx}7$X(jdk7qD>h9pu^Ua6Bv7f3w@(kt_wS{L)#7!q%d#^|GhwWkF0exm)D>6?$UT3dI2leJ+oYK^i+A~TN)r(TwNic)l>HnAy&#J zmZ&R}E;rlZb!QNJ~_!EfX{AH`@+E0S_Gg@=0<7d(j9fbW^F5 zYTuhsm)~p@dT$jwr%dZk`MuREW@nEZsk+To*4I_XD)boSd)|6$#^Me>qR72Ck1c76 zjNQ5UU^f`0cw^znr{XfjYhO$VJe{~64V&MqHy6zy4fCaN*`uHR$tg_JO2brPUNT3z z^I%a6C8VTm5eWI1VS;(vHOmtXx7gVx z(np;lg+49I81r3Jzxyy#n=Y&2vBWM)m6&{H-+nJHAjGhJS!O8q}Kq z&%uCyMA^Sh8c?q#M@VC^^X$rC06?JqRFE|ormaDeU;qjCk5aM9B@wlj?t8NJ2fNF> zQSLGlYGcN=Nx}fZ*ftCR#zep)$O#Zgn>$zFHg++8%)jZcNHHGrNBp$GK==PhPyAkd zLJ**YKZHTh1ldB#LQpeGE_fE&1PlB3Ka-oOKlis6bB#hSpIp6eet)^+-4P;pi!o&P z*e|5IJTo7DdGfI*&2$#}zHzu_=yf)jxH*|&)FNgBUZRwkMOJ$|ZjepND52)9WInGV z@qp(PCvAVO`77t7%C*-y` ziw}ml`x63Wlv?=t-WxEf?<(ljz7MPTLNo3uxd_A5 zJoGC^^BR;vz+5rj@%?4du}dn}4NQsi%FYN^)QGr_0mAmqcl?T!I;tG8M$;?YNxD{5!RFZPe3Qt>B*7YfVe@w77(^yqE>bu6i6E zjm4&Q=nUN0HkwLm0-9sv_PiuM6K=|AWt6CYTbBPcy#T!g64pDM@_6yO zpRG^h9(^@IUpYY<5jjTR!lvH3I~mMLJfYf?_^Z1zR-Jy%RKPW1fnb?|e~$1ayBNZ} zDRGc;=mrll$)q4Z6t7)ER+O2-dV zODwVj1N1`^G9UsHGsw9V%jFTp6pBwGA`d7>z9AC=5D!XV^Cylw$se^r3UcEEiIg^& zdvVf=FAV!|mAT0LzPY`6?Zh|!u-Inpp2dvY;RnLonuh{oi}_e6#TtF|p&jY)CUbmG z<&ji%8qBxaE~*K&)nDo?^|6a6IiI8BVHjx)u+K}X=p0+e?7WjnVLp#uF}^Ma_c*`< z-52bamP@?{qDM*Kz6s;M5Rdwi8S?9#XbUW2u05bYV3&0#z^W!;nRxzz? 
zy$YNaMbnG4?F|%~4@wuC(o@-*N#6}YM^B-zSz8qqsJif)&V8(CQht%kK5jL9kv*=S z`9|gTz_a^iDLxHY&fSYRp^){z=YqJ}=k>&uQHR zu7R0!1zw(t&p-Q~-$}%*5s)8YV}spn`&*%@I;=;_Q-s{ugd$buqPdbR0w5W*qe$iS z+5|BSf+;zd0p*43B40r_V&jR`*f8yO-PUggZ}4P#>rFXMg~~zvQ9onQf>}1??GY3p zcwL~1+^JAN=2%ZgSVtNhv$_Ja2z(?-%dB;L=~i4qqQXCIUHp5TZwD<#4eQyEQhJH$ z!zVpIcBIgylilZ&!9mk~q?Y%|gRp_Jd(?yqwR58G`FuiIV#)$t*5Ug0Q>|S~70M$l z7E#zSPdjzye5SSd=PnBGGpdR@Wb)qrA0j05P=30e-W_GS0NH(`FNsc_2J9|I33+!J zkglym%~~A`WI@VQI))P@;8i`{0pf9afg_t2v^kY#Z}!1?^u)uphfHhQUH){p>}7M` zl)SyVNfGB@Z_0r?^4Gxfn@k7iknHvF!djenv+k|t-j`*k{{ZZK{<6p@L+3=!nK)&1 z*)ev-aqsNO9C*luVQ(>7hN%NmhaO`-u{FMyjFQiD)iIr$yM?*6K!$*O+mN3 zKx8b1E3Wr85o!wqnfzk|)R z<$sq4QSkk4=UVUDmfT*-s+`PH<~ii2AUBT%QBk0n+NFqqHw6`iM?#6f6iu&84F98X zRJ+dKg^BV!>Xi@zEh_0gQzwM?E{VkmZ_Jwa(K+;#0XOgu%%p0nXRyo41 zT@oH#ooRM_+JtlJUCmjsaWN+C3S%CNZTiuMRGHPv?ZBWw$Pg6a1ELh zmY<>SUCfD#=^CYVt|)zLB51c~*n;!UD$Nfpa`g%4QOkUd%+ssa{gId}=2~=pXZM=p z@3C$-w!8Q{|D{P~4oO@N%W)GHl$<(Qchwo>OFBwBEVq80GE2=nck1Rlt1Zh;r(?f< zneTJr1ShVZS9g)Gy-@KRIoM9GvF|JNGA^bOMjNBuP20JnaS2cCwNw&r)pD~2dwg|} zNb2<{PW6e?*Fy6O(ZrV!e++tyOqH#q8TEt6E5P^kWbm#f}9b4!v+{lam*x85S{_vQ?q zYty7OpKwc`LQJYN7mi6C<@(>F;5x-6SYs$$`^k%%o+9FS)FD(=Q%?mBe$0dXiEt&6 z+|Rd$w-&V!1vc$q@mmcXYwDqvY-XGh5}j zf+Er-bFVvm>!2lDcBHI$Cw@o+*JtvI_BlJruurV>pAbLrfLI?dHr08NpXo6!yFOHB zM$ad$hwXY=ibfy_g8#rx=^qCq{%?E0MQmICisU&ubJ?FQ8iuvEA$dJ*%<}EyWm@~= zZ_=bxC?iUR{P3C)G$QtWGkN$Mice+$H5O^OnF95Lydd`=A+W-rK;a*+t?0d`p~VFB zB6dWg@eu<;gMdQ}atP`n5`ymohRDQVh%yE%uYA?(WN0Jy6B}UP;XWCM-=>_=N}H*F zLj#z-u!IzRqPsmTn!n8V0+-&{4sfpT=CTNH^UXXrmCt6GaqGz6a~c~ZLb-u%N#2jz-+I{qAnIU5s>T`$ChvvXSFHKmYA!11y2BO+J=KXO8CI!L)wu=8 z?`Qnaf8C{`Zh|d=MX~^BLXpW*JIBp2_#|q6WRLr~JT$&Tj4d*cV9nfU5{gm8 zT-2EtmGC=B7qz27#DhK)w*xuFN&1jzS}PVC=A3X}>73;@bd`ie@n|C{;IO)E#Iax7 ziW%Fk>rL%M0zmRPe+faq6S|zs;}=vG#MB(u7|ypYOU$x z8|#Vu0VNKV=az2xLz9-3eMnqRKc_*8KEpe6b*y(wGxB?}L>hO|ZZeE--aJ#LU1G_d zry%ZP5r2x)eSI2NzZaj}>Ml6z(LJnIxvh%MlR>-c7uAU6HeSqwS}q41uv? 
zY*ABi2wwd0@KunUdO{j8tpMT-5)ZZm7jUSo`m`Cg9FrnxG0=y8Zy+>TVNklS2f4|f zfG{CoTF04a{>pZuEK~MWEhyh#JLnj`E|c1>n`a!CnO%R5J3S`osfYierG)jE`w#*B z*qRpdZQhmW=JIu}J3ETxJx_DzR4F6K?w5ZadJ3?1A83~mn*+jbqmL61qF$C$@n5j4 zD|IWODGAi=D1&*1nd}c0rkbo%CXija`jO^r_gPk-lB`H{-|l1DgFv)qA>&~KDx`H1 zJWm!*AKsf&vwgKU^w8v*UoRJ_#8IG)Vs7#7Oz^*)3hMDV`smUFrd~X*Lyw+MC@YWK zT%B`2C2x*+5}eDmj$aNG2z!eDn7Q)Mx~6&RW}KFAl#MM zL?Bj7&`f8rxrGUNdE~0F5c1Io!4-Ecp8_Sx>#KceIH0WVtBHCi-$vNz;&6H-9RtnW#Kk(7lVDn(GR z(vWfz##nB$CR*xLJ-<#rI8x%M?Ak{azDo6toUj{%v|mKpkF-Io8=iFE zU(|r=Sp-3?i|N?jGE!=uN!?#s+_plFFs3%azk;0ExWbgVuR0Eo5zp;wn-xb;h>BmOm!7K?=uJ%p}jvxD3sl0QqDc$ zqbj?0nK7?J4diS?t=>Qi`@Jel2O1rWIJ4rpdsWa`WAU zHa8pR+@6dQoS&nJGvAtXtyV48cZ&LFC&(<5=*@H((MKe*3bF$J9GF+)|9l3YVE=wW z2;wkgGpIB8GVEqOp%t*nU}XIZm86Mxwc`jz54PkrZD zC?TlMPjnt;5v+DUu*qVL9Kz=tt_%P))gTNd7#W2??!KCJBRj9Mt}z0DUU`Br+14xca%gMQOY`O>1`LmyO@!3P zO1>jITG0GlG{3IYCzwqlo*e$z#K)er?Sl@G88@@u}0gc8DN+ z&eT~Ma|ExD^m*A8#=5vwX z;qyXcc~J-g`5Q+~QaV7Y-DOn;jn$#K`{-dQvnfA&c{5+D=+IcUjrv`Z)ObhxI}(%!6rgL~eO@HtWw&-_(a|vkD2?xJq{o=(dIXs2u?dDTk8vJjuw zHYiqaGk~&Cc!D4XYRG**<5oyZf6m|P+;;tfzYlwDt$x1|k~fl!iSr2#7haClR#icD z{i-E&zQK-UX8Q?0s9!dNEy=8PMIbYhSFrr(*TMZqJNmR z9+K9R=2q&KXzTfh5Dy4mir3g23;Xe$l4N^xQMJqHp;e zw|*hXb4y-;Lh%ocfV4yROxir=JtQ<*G5O%#;G^`tYqn zT|jd81DZ^*OX#7R`&@wF^?fcns3jT+C3>&$>>K}}lE{}You-AvT*!W~)~%&op}b6w z2tMu`!cIuowKY-2Q395K#~#6L%$9vr9xR%Zh0(F4@m5Ws%3xO##prcXY5C@MCjl&X6bgONQnza7T}}CK>QlT`oE=k_((}3=XB^pg4YZ@#hM`YXUE8rF3i~!%8}w z<^ps+Mm)mX2$~$x23bWZF*`U9VI3T|x7#_t5|_p}Jr9x{t-^9LGPM|4Mgle=0H>&c z>}R~0Kmzwt-ny74o{=!GFd}gBb~HUW(V1jviV&|Qbs8z8t!x@sC9*Mj4kFmZWCM{8 z9u>A-VNXG)ufThkYxJy6)Rrwhe2e74co{TR%W-g#ip>SgI(rTc!-qdPcQEq;+7l;X z4B2i|QdJT% zQ97N`mj*~9gElnuI|$2q5JIJ^7)7fmmrD|c2ckDo08uaJ!}ft?!lOh)lpiRo8Yd>s zF{dsQgEAnNpu>k8df-b?hKv%_acS0FFkFK(BR@y|q8pm{h=hP=^A#HLE~(F_ilCT)?s|KX6fndPo17(O5P1j-TQECYx%$1n_E* zeOPOOyF+?EVwIUk=6>1~3Y4G2duE<4Ashm3uW}qw9Fl{2fD#;S4+nMiv&EiZlc_uB zJlv5gV3+U|n0u^OUD8zSV$|o3RDB+dQE~2Vg=^B)?kUeu_G0Y|-Ds|OTYVJp+RZhT 
zw!3bC-ZT`SZBs0%20{|V-!a)rO?WST+bFF&%*Lu5K?s<==Bi@CZB1Z-20ATPDBD%VHKOn92<7OqqmWO>Y9(nwtlNPi=M=81 zGP*IAvSdq`UdmsVA>ZWjW2!1Dh%d(q@Lg=}-@r+Y&~8I?P_al7D4tQWhos27uT4wp z3l<~-P>b_8~rN_QsRaVlTNz)CcA()a*4E5`7wJjXZ8W!AfmjL{vUG2 zY7hTiB%nH>?M86|SQ&+NiYEt)AoMUo2V)?USX%w8@wp$k(NZgb+6GjMfIhv)_v^F1M_UP0qquuI!4^Gz6v1lEtZN>5 zAo8bNhU-rmA!ubE&Ioxd?u2tpNr9(;0=}$ZmLw<*{1;(r{9Opmx9gdF((ce*0AD2p zSy(UGa-xr3rdg$95XUv$kS9iw_0)s7N>6?}o3VxH-l1$?lX55^w{g;!AhmWO2SV3U znLuyXA0{2UBBu`J$b~eUvp}xvV`JCn4$>shzFVxsP7{H0PnI3Z=M!w}fj!O%H zeD}-jT%rh3Hx3@{B9*V##|pW&&fPS26_M zBQ5c}xa>H2&y{aVmWm)I|7d=zC1?$5q(4~hc4@0K;A;_Q1FwJk@~X@P)osPRnYz4Y zHa+R@*(i-Kz0gGCE(AFe9P_j;6RWlKR_)kj`9WETWJ7K=&lu*&xFAQf&1LcEYVYR z=4IND6^q`!2p|Z?gg(mV?fE*RW7>e!4ntA+B8l;&p^|?h3Oa-s7bRpEGDW>HI$WJ} z&LX0NUpUGel!HQSI6iLK2aJ32Pe7_VIpZ0S2jBvHDrnXpv`7(nRF&C#6Ou^b-f0;= zpq9%t$IQp~jopE{13fKeQ{)-RWDtux5lCbaZ)NYCQ%jJ~OKWO~ zukKeP7U#>l4^Fl}A9z|kON%XFdVVp5w=!sNUU=ElJyc=y3cp%p0D!uSZUy6wg_Dl? zAgXyc+{L&moN&V?`$eTmChvEdK zgf#cXZ8V0v(=v_X%e&3Is_GJmTV>MbUS3`d^+5KzsuW*iQ_G@Dqqx^E&aN^Z)H8ZS zbXc1y9O^fUZ*CBaws-aBmkQPE$i#P$7k4>uvo(hl zq{yP~atCwc8njow`J9v%6S(aY&}479S_3_~g%GJ|j!Ajy)9GM(U1vLPDcxH>43a#5 z#5aXBD<A~CfJ0DRn)@>Jj%Nux!3v0O>CJzI1eMM~Kl?y@4} z#eJT_a2dL|^m=5>a#J$+d~rGel68WFX9D|X4?3!IeCD&4&7UzhN+sF2EI)Xg+goA3 zJFZO=?CsAsW|?73ooj8^((1Us#{y`*cyL}n!D_KQ!tJ0&hA_9Mt(Y0^C)5ZQaJ44L zTvUe^VEKuYFzP!xBHwaab73F>gr$zDo;0Yu2~0#^FXsmW_`Mx-BK$fFy0!e;f)vE6 z@T%oc&9C<4Rh@&=`T>gr$Y>`0pK523>c95}LA{dcANen02f5LMV9&tO%hZr)xu{9{J_<7iC_B_`SYWa9(`5OY#^L+I%`XLpfZ4X>}7xMNvt0Dq4AtQ}kUx+nDNJwF_1i^~#fOCDInK8uv-Lxh<+LeEEVKyQ4bO zMJ1f@*TNW^nHjXd0Rsz7 z#x5*N+6WwZ6e!91c!0HZS%GFRNJrj}x;>4`$@c!mAgvKT57-QLsDyDt8WOlxQGg72 z^?B9QuYN!Emhln6N$Kpl@EQMndO*C*$ye$B6TcrTX~uERi7VwmQ7Z?nCv&`IXETNq z>ex%5&YbLp=46Pom2_me^f&2%gR9)m!n@7~=Bb@A#<8|0m6S$TnciDF)9vqjxy+y1 zhtRZVMkPNAptoi(rg>Qt&nxr=hr)W=c&bN%J7Fio^xmt&h4t)PyuuXpYNI-DQTt4j z`sBGz`s+=XUT(fri0~m=n=}?n9EC^?RE$<+ZdD1k+bjz$tbqNJtWC2%+tYN;t&gLg zvk3g{q1M1Q$ont5ArhSik@aKnXy z12vSa=PFClSCPjHGQ-8JgUs9&ZAD0(UhNhfdSipV-d*~RLk-I9a3}A|r?T95wQ^*$ 
zT$9ti924oMEW!cMOZy1|uFxIm4&gh?h}2`|GW6a16q;n?Cz5oL@FLDWT=pk79}_A@ zC1jEnNAvVk$wkaG-{~yg>H!8zyEIX{QiN%R*> zcVvhp0vn`{H6gdBM-@^yz-^?yvmhQ4P6dJdx3cL1E{@CFzYmVD!$W2Q={u??KhoEx z_wR|Cxc1r~AZkSP2s8~0z{~(>As-7BXrTqb9`tAiAie-GK+eBimo(<%2daPl$`4s8 zi-w-@UYwt(g3BUU?M+}&#pWCG+eKeC5OTT~jViq=#Axop^+nWD!!VikS%Cv`VD~V3 z8`SN7&0}T=@K&Yd7dMWSh0UWJ^F1^K z^xWmObnOd^#KFZ3pn}#_!~#y^Oti2ehaFR%p7I4BHaH8Jyz0G~ zgUTD4l7O=I{2U%oOt*?rw1Mokp#*pKi%%ylh%aW{b+-A2Z>oL zK*loSdUaRj-rZ(u5F!}MlSA__bdZ9^kt<7@5erR>XKFF zS6$dW$V&YZqiGGCA5-z73oMro8_Ll@O+Sr2ubVbjZ?(67tQO8jeFxoSJ$r>~=^}wE zrc92(p|V3Fex`3h40#SsKE68o`kv-Wm#PQp<7N z0ht&8fIxemrW2zVh(nW|HZQ%(n#iUTxxM&-$}F%SnlJ^0glSL}KusO<_0wd_Dz*T3T%+L+yoEEP!tZU9>Srt@D`&ULzGA0G20^?{WYidvHxBk6P#U7HWOEc+8 zyS8bs|Na%Ik`K3(lG-j@YR+CdN}T@cHVjoGu!+L4S>?*$j`;l{!?zWb9L>Tu=YMzS z?D_!hVmzvGRBur8UI|i3@v>Y2ckX3D?aF~sK|H!RJGiV&%No?5Ch-00{khiTlKgRX zWtOXJAph}0Ff@?#bz~SC<~6PGLR2DcSL0Txf;eYgzMEYKU?F0|Di*9`WD6^3|9ZPV z%F(Uy(mu^R;kmd+n}Try0w65tcGv?7WOvU7#0S{@T?1YNu4e;8Mj+{28ddSKJZ^lJ zclmWW#?Ie4NsQ0^p6otAVxRvx7F zPI33_6y+J&EqeIgQ;O1#E0ZknanN~HlqWf5d;(<$`>XXBlrh#r2B~7)4_Kb(ziEdO zoU^p`_>w9Vl8m_#X1#c0RR~(;c7DIXL(Kkxbr?vSdzX{?3&uu}n(Q;%<{A%bUEI|` z5^oG{?wsnUi0XOijiwrDQC=W8qYPeCN=gkTYM9$TJA-Xe@sP8E&6u(Aca62#7k^14 zwpDagb?B9}0K36*3$5uXF{RhsHGt%&jk~7PH#orBRcWP`Uv(htSE%@kuj?)9eS5(7 zQL+!OK%b{VhJCq{|hCM(Qhi}vxi+bb@{H$q#=q;U;pHr>ft$r^_M2|= ze}j4;nX^OAUQ|4lr^&+=W}1Ra6S%=D;Q{?&BYECA&T6~GXBh3=P_T@l?71N$>7Goj z-z$jzG{>-0N2v7b2h-3<(+$;*kARoU$Ke(mY*?kmQW%wM>Pcq92Z0!~fJ6(+;}dvb z6{RjP*VUiiq>Yp{o=3h{jm$hn_o|<{H%xx0coVTMFmz5rKSfBBf+we!g%6Uz&o9Zy z1||?Y*M+Q_vAz@ultH*bk7kis{NgJM73^;F-e+FK?8((Vc_O!N4QVoKPuo;76!K;k zIDaFEig6*ua@^4JJq*l+lM9eCkV$`8Bnwthn6UGM!i<>8$UykPx|8e(UdFR9^ayXD zanIIKoU&cwhwuKRqTCSTk9_?Dj{p=vh=_<<3_$>E(}e?Zgj{XIH`B;H*JRB&aB+H^x4Y}GA@BdNKsq-;EwPCPzjFu-tBN+o zVW>8buh=ZFQj)iin+f%_(xRn~7u5j;oGC0)v-+rHHMeyE$~&1E`lN$~$$9Ga2WACc zcQkOfS<(v5#M{0BdgXi3*X#QbYHlq}*2T&Q@A~MyRPkwklB-14GaZb(K9j# zlk)1rtLU{qk4q--Jc(=&5Hg%9zG8Ht_7GW-Vj`X5;p;xN+%CPL6rX1<#k4QMrQ91n 
z5p;)#gL7*Lp`*32XBx@k62-d^6<8;-)^w~?8Z|Q6An6|SC#&tNv$I{BrZ1X9bqGU( zyD;Bi8|JjJFTsIZT?DgoXV#*bZ2lLN_VU~G8aj~2J)0($3u=%bSwsMSKt&r(-zZ~H za71$nlsGf(%|08=Y$v|h@lRmQ0cx`g+RZQtI^T#5>}kJG>s-#^;az7gt$HvwSzWRr z>saEld>hxW@)oVa65>|aW!TVNDt@a5*fu;PgQ#Sy#}cy7FsX)!_yRJknN~qOGRY-a z?#e*Jicy1P$|&Dv3^`M?Dk@e1@doVPkmcA8+tKZnkkd7lv`qOZQoPeaKdOX6I%n^$ zXARqhfrNB(2k<|?EDal{O;*I8S-pU0F1J=pg^Hw7ncJb5>+TooF*6DYGjB{7aX~`D z#69?Yl4l{mPo6FSigi`4b7{eS7eH#)JRekEPDH%a6pQ4yY8$FQ3=TG>G4_?!GDKN5 z>Su!MWrP+k2@#^}t@h=Ulu@y<-eu~Qk}L}q(!^Q{S)DY-kNmmQjRh6f(GtwJIgW+> z(3iu73?<_^Ro8Sy^NL;FG6ze^1>$^}Z0wRyNzsxORS9UQ0tscWq5r>h&+$Y39ND8%n#mrZS&Wc)}@KA92ZinHi~D+&snCWP$V@Q zbejsz9`8VTd3uHKQ=YD$0&})?mFtg6OLIrjp*yit>))6%9eRB}MW$_N6r&^}p|g+1 zU?yU1cr(=R7k*k{yHkdysoQj_V~{s`FXv5ozS#SZN&3gJ($~zidd8g!6-+a%k+<}4 zl(qJYC6(EK|1_}Fj34J9%5J2f(5A^2#{}-ks}|Z$t4;rup*V|t$MFANK6f&Viij21 zyNmJR^hUYqeES{Hu-qNp8%vf>ym&0?OfAjGoAoG7^;?D4&RPxb9xs%t)4rm@ry`mH{vw(!N;zD^^)v-f{LCoPP(?~}Vw6#fs#w4lX+L+} zXz60Pm1ujfu=m7QJf23^?MRP+zRUi#)lPRt@oOo)&_a#TUO>5aneY;vC0(U9OPm}T zM9!#9o!5OAov^MpY;$0CKWGi8Yb@AMz(yw+1CV8c0z?^1@ z|LJIIkx`;mryTBPFVL!aw|}91CaORa>l)X3^`dbaD7}jD*(14{v>S^0wkpgKMzI2pzLB4J z9O9})x2z>aR(E-r)qnKIX_dy$fRUt~HZ773`dtHk5VwuNkB2+eVAvdb>Q{)dqr)1f}e)3mZw~rFjK$hRkO|A$v;5tgBFN7Mg0n{19jM49L7};Xf-w2Uba7 zPcIvwZRU_-Js6?%#+kGDu0vwhPoPXyBTU+&pWYoNJnVmOi(W z2TuxCH(x#4{z=uLcoTiD0X?LZhE6N}Ep$z$e2takPPLaAcBfT9(_gUGBl4B|jWJ4n z{X5)L`R#fYFzto4%3}yCiJtlr9g=DgzvfoMm{!J>w9~52sz1zoTp?p1^NI1@gRBzY zD=f^y*mVPp0vb4~i}VYat1v|4R}t!$KoE7pS_Al*HZYO=@yBeFpqwB=EL!OAF&gX+ zqNn>zdCM&jLmx6DyUwf--EN(Isqe{g7J$?FgL`sE?lS&d+3Nv}Mz>FgCpWm%m^dvi|8$nt4OUliqr&r_X z%9H_V!ybVk2eh&56Z-UoR*;W?CSrm%iYi=iB}HY1IaY6!TYnH4BUj^ja@`q^jhjIB zBXYUn4^MfC^XQ@3X^*)&G^hquZwo{kND%*8R4Q=&w9l%9cu*1@^J

)(p6$i&9~E zLCsTL-EfFoi`7900;h;5tr%hz7JEmd5GM&fTSzZ21khLREPqj46CgcVLd2$Rz>LuF za-)N>PZdzuNfz6#ITtGm|0R7kc#5iJY-;7V-$*0=1I@Pl&I2ofVX#JF-OLoK;Jl-% zQSf4Jb{46zksXHJ?t)0s5za9rp0m z_&5L%k(l6gpZM?Lh-8H(JA5n(#_$}e0%=Z}NaQ?ZQ=RTw!x@8^T%CbTj-*+Qa+ zTNEb`nKe1GP?bHt=&^H5Few9Pg?{5)AWcrPO#__zO*$gPH%+Fo@C|^#>~F2j&;7AQ zHD51-h<&&@UGCrWr{i-9*LQhly}6mNrg>pBVb5>`XW8~N(AkLFyEP|teyu3K@KC1Y zd@bJ^e?FmLBTse6eoeA)a06OdatHmZy?_A2OcJfzVy}W??ny!Jbo(u+@^)2TlF|8* zzEHCHFQp!9<5KSxW;l#0G%!O8!mDW3osu7bwO5gHq%6vJImA_WVicN&2Yf|+^Q|<8(CbMcM z^#!xNZc}b^%t8VYEVr@2TUPL6ZF8Y@reuCA4Xa*oyE~I8u!DN~v6TBp1gm~&SeN|{ z{2p5Ra%d_d;+CB^v_d_BJ^;-bkV?{C_CpHV9b8;#Db%g1T8jM229w<&t!{IFUTqFc z#-Y7m{t=}@LMu9sM4e;F^?b^3F=cJB`?}Q^WsA%X*yaH+2uoS}nb;W%tOeSbi(V@_ zjXz-fpQFEQ!g%73FLM(2N4>@uMOo{1EjUBxwbP8<^qh!D7hsEt89I-zdxNqi9wiiU zS3@*ry~&__n7$Hc41jLKfZxX%{dVBOqh*Iucz~ijwNHS5;XG=tCNnTb8bW=0Wgf_WGW!o1iE=OLW$PHM;v#-!SfwUy?=`x-XN z!=;8qe)V5ouK4VR<-0?s3dkbS-eSE&A?qy#R1-*o&iO-n4#zB*E;K!!Yo>$(eft}R z@1LI@K_J-c+OWM(odRi<-7%`ep7DCf5E~I?3Cy`hO~!Fy!X-e{PZECQv;)8As#*wb~V)dqS@}0gvl~Jp}Q4z^vcih|MKLRIMd+QrC z!f){$ziqnTZde^+5=+>N8f42E|%WM_pL=Dx4v zyaJ4SF7qgKvr4krSB1O7ofdTez?}D|lSHf`I5hbNJrAJU7q_>n`Y^Gd=TSJqi6@QN zdeBlK-|?%s$a<#(hTDLWu;YQlREe|dHR^xzSQAULqle)YLB8E}NP`Gb%a6tLP;9?F z{>mqz@J?3!ybbk}{BZ>MQ0aIK1wM|M{n9Ioq+H=Y`31&B(10)h|3Zv$3F(EIDLM(7 zl_?p6_N1q1Dofj@Zy4YU?~bR3HF^8rYZmXuyAbf$D%QkqCUxoEq|^fm=Gc$P&rUt_uaPeMy@l)e-%7jHR;E;(+ zj`iSESRb7LilRf^+ayk*ssum^WK|~2r9T!irdhgh!Ldenlp z&J<)VBu&1F#TJ>wT3Ytcn{M{{!HyGSRq!Yi;3LuP;|a{3SvmcRlq}MU>`SwMN(Ady z$OK8Vrwf1`oSnrnFdVZ7#|!V)NW?R=%WodFmuHJYHXJk$GnPiusbA|AO;HRbt|?`! 
z5090U{$|n5PdcK^5t)JbSX@Q(q>P3(Cy!%?Q$!jjeLf%8)&0DGl2KBqTC_^O(`AFf zWf#{7y~OU?hKSWOX_xWkBD`%?IW*cOGfu&eB$rH+n6Oru1PE2$FW>svhgZC&V8Mbl zxs3W)fGOLu-3`v1u_>{{&wFgV;Sx(o+ong485O!`GPBk5UqWCPThtP(}D`i2cHGb6jw7IDD^zV|}#kCIRBmxgioT9hP~YEC1Nu23sc+BtJ)8uCVI{w?KyWpzS&y1$?$zJ=48@EM_f zS!L|H9$CSB625Q>Bset;#0&kk6|Rt;2U!?wYoH?t}(*Zeg=thL3k zcK-fA$#!_e8_YExXfy0LEZY35d?_0Bg{JJkmPs=q&A?+NaZ*Mm2)+qX=>KlH7<>6+ zlV!wYuB+Q`#?tv$5#(xVkvpKwFd#Z^p4VO=G=y5Jx!i)#^einLxrRa#JqBB|9};I= zTfXfk@m(p=-k|*RTJVI}p1TejMh)o5y&BAAbtj?PgTCCb4H8mGK}Fm>brC+4X`F^3 z#`YB~&raX?#0hHVuZ1mAMVr+EeX68Rrq}s%uVSYV-s|$fh?J$X%;WA*Z$q_&;UTeY zII+hlwo(Ph-){HhX4^+updP9g~#U@nT7#85;O z(2hpIO5d~cjddAcolNnsRyq)(l2Pp5 zo8g{u?c&M1+*hyQw>QOE&k3nGNr3M%LrbNS|4(P{7$sQKq>Gkq+qP}nuIlQtZQHhO z+qPZRg)ZB+Z})rV%zQKJe0QCD|L&DLGBYybi6?Sr#^#aw0;Lu~(65DZ1N;~0k)@xO zk^J=sdeTrdog9g_v4WEkYc;TDUeyn_yttbO$=DSz{KR(9zb53!sTC3Vj9WN8pyFJ=>OJ9}pHM zb8~Tm`uJXKQmlKuT7dttXo|g9AC7ei(Afiv+R*~&2AHfSYm4(25^E`j!L246r3WY@ zUnHy`)B+ms$S{mVGq$p~vPZiALL$3oATT%`0SG$CSbW^hSp0Y5&z;=9%G0&`XQlk7;TZ5I5-GpwB~V2k3B>U!v^SsUG6;T#a0Rji>xH2$ z|1hJzLqoCRZn|%Wx_$fb1x9ZUhQ`D`Sp6O8?B(MvDjZ7YrAk=~BphTQu^vA6fbnbx zR_u{+G6CM?uKr}w4XmRGm=&G~^sMnItxSBBU@}9eWJkU(Tmc77fDp9IbQc{dT8VHQ zRh~i(?o=f_3axEk1O_0KE+~|=(4J0t&qQmzr5(}kQ{Va8-HL}2K9RH@wyCvsPT=;r z-pYbPH@Df0h-rTx+#=>sm@dW50@ZMk2hPfzj`3JaGdVJVF1h#+(sr7}7Ab>}N|GyC zS|Y8q`?%8U=8((?0GPEd$CRkoIqjXvn(DK+q;Y34g@eo{Vq4J}dL~dbZ()Ij#R$Ld z!MM3*V!j5bYCMyDkO$`ekb#M9X}FX~YvW*P=MVlhl%Z@n=oe5)f;Ml|iNWPu-jp>S z%acYD&|o5+`{P<%Ug&su@I7VcZG9i;Fk*gIP%2KSV7dHk{hKk)N~ z?<}iA^N{48$hz{XcA_ekLHLt5LrXk(i8N?er9@Hlr9xTd1?8` zG1kN&g8NtDqREi0p#r)`BCxix6(dK>H^&4N#AApjLwLsz+*BKKb@a`;R_(T68)7H+ zmYXt{uoHrHClfe+Z#b9@?gyY}7lurfu~BaA|udFxu0dOhI_i z5WU2GcDbrwgu6SEOLI93xS+`+V=Ks%s8xu`|*3_S+Gs2t6X z5s(B2Bn^%LcPGkrwto=kiSvq0ty&Uw%oEUvH9;K&4ld2ATnbd1-B9S;@bsT%ck3|Y z9a`fY)?_fheChXh%(yk?xE_r!)=?Df7AS>z+2nb8(Vbrw_-)T7*OrEiDo(dA5EM{% z-MZH`AX}8h|9W22xa0!s1~s#aKPdvY8$9}qa}4}SG}|UR+r*3)tE@|@s|;3a>BMDE zTV43{m6PN}xsaxA=8yT@Lp)gbp>hcKiOK_7>rfD%ayT4L+icUJWbHS=DwpH(9BTR$ 
zEDVrTLv}s6fPqKvLJmQbXA-<2<=N0%cMI!hrpklGu5GIX#_{!j9OO^B}Knpmrp5H1qoq-955qH@UtV-&pfI+p*2FiP=(=u?o7tO;QPW=<=^Xx zbNSOdKR$Y%t*Fypvm+cL;22Cd@oYlrV+sSwClciR3t;_W#95qx1%?FR_J(fTFl!r`+3VHXJd7O!s>t! zE(ZcyDfL!>wkUT+zCWAPs(9;m`8N?h7(zPILWgD%NB0)n zy6C5S<*w?E4wyInBzbfgGfj@PxYa&8jbs4vUJeI`TUwy>q-o`^-DWhZ*m9p%ifDjz z%i@g^gc@Xk0lD@V_Q{*uiqPFvz8+u`1CbtKlg-&Kg5#RnkL}VBi2R`7j-AlYbJHZ1riIbuomVdrC6K zIWjSc;af_f>;e0^p)hQ07cF85U^~&8qUy09F0SUHyv?C_9_9*7rC*$)@Vrl}eDb<^ zK0!W>MI=(;fi2|m8|iE5*O~m*bHlIjKj-{09?XAo(?NETx_!RLZ2=fcMg;RBZ4 z)@F;qdPlUHHMa!WEz3PmO?8+i81jdszzuE8KE>}))dM%T})U&ajC&;o3^+f%P7~a z2&fUYT`M{>dP~2+4?JON`#8QJNac#z{`7gu4>UfJYCl~7^KoSC;H!EZw6F}BM6l}9 zDp4K@x#(;dXy(g-$9-w8hJ}e)3(#4N`ZO2xFju9b=!lwP$Umv}zu8sTun z{O&++07QZW_go4hkH^Vc-|xqOoS5!fo!%8}6q6)|cpIRXA3zYEc1*7I^S3Im_B=tw zG`=pEy%u%o@*Hx<=UI}%S7ZK+$TLIXQ>VBU7VIO!$};e0{Yc^J{NAGC10KK6T+J-a zVhXB@%9XU0CQ^%wbjar@q!yhBHaPZ#Blek#ki+(8=W#vizE5r&4gw{nS%u|=`C=@R zC%=(xoTyJ}A zNx;-jth$t;ir49rZ}zi`R!Snz5AUpe0@Mpd5f#Gm98YxKbew6E%EDV(I+BNh(&w?( zF4eS=tCMx^!1!z*Q;k8p_l+TQSd3et)RxCux?$SpNaI&pR@0T2`_R)om~*;)Vex;5 zHJKKyuJxQ^?vnI_b=aVt9ERWQuQ$$Lrob8u@ys?@m z#r&M#%?lGGyFiI%1wN9y^xCk5b@Dvm_Ct#4|qrN~o+%0s>xmguLYjjmK^ zP0#T>uyQ4vRf}O)+4M8(`^$k5F-|+5mM?=F2UiVgsHoMpa3Byy`$V=lYeQ;+2bN6E z{orB|kRFXm+|t{xd?BVgJc)-Gof(k5Eqx}e6L}x(bn(`TFR*ILQf|gXC$R}FQn2i; zq2Va%*`G_D=Q|ZW*MQGJTfp@fG2h9I*;N+L-g0PBa`291a0!FTs(6|M__U`IN)>V! 
zbZe`nTzQtZ6>i9&Ku=i~s-PeA)&(o>1YiU)wVw(Y!`7B=B1wByY88I9T^rA3(!=^| zNFeRlJE@ev|MuwWAR5F^^8Cyhb^tq&d6WDBW_gPxt1)Y}i6Ah)KrK}Fu};qBEMI;3 zNhoBs025Yi`POS6I0?d`IE(w_7Hg*1K=yp)+4Ycf7i1j`7p1ItBr~;54@i9N+qR<0 zjj7*O2j+7IQ*7!Ddlqy1_3#0xO5trQJx8CmPE1F|EF8W@(-6>%FZ@g=w*A(xIE&Jf z(cA+kSHMk?_vpS#9sS%3k{G|9W8vi&4+RHd=q#-0kC;m{2trZfen$&}qb)ulWh_$v z;P3rTz#Bi#k?X1|IMImkLTfoBRXZ?J(>^p+Nf$EKK;IrkbFu%rTzNn#${Rbo`MGCA z7vf8Nwbo2>y15Z^+_6EjUzePRtrPnNsBUJiz5^7Y?UuDp=q~9H$RAnfAZB48Wun_* zW1?#>X&?s|*S;25><0`mm=2w5MeUZ=N#ZW&Fz8q_UE7|+3Z&A1Z>EPOuf;JgDw`&<$ zU5H8^DkVa(c1L@VgKP$}91Sbqi%GWnU3tjk41iazh+1>(pU9W3AsdT5iugCl)C8B# zBvo%fA|OMUj3Cg4u5OO}ff-Q8z%ZST)i8YYP}FHkxy2T`kpqT-^k*7}pTVc0gy2v9zW2VK4 zj^O%=ha%S}%kCP}q<5Q1x&R(Azecf;+EoRAebZ?CMe6k}9p7j}6&P=e!7Mm9tWb03 zIdv~Pgj777Bpv(9MTiu2k7X{@rs{5y!!|4ElsH`07B75tI6+kCyXs1n{(YMFFq@j* z)BIb<^^AlPnMJishJ{DMUu*;b$ZaIrv9>k6(+%@xNye?Vzglk;-(cI6o`2)GvTr!1$W0 z#b<~#YN*elbb+X7IP?$C+!Pi&M&8`i_8*ejc=m;OepX9CKj}TLP5%xa$r;b@d zaI6{@I@Z9@K_U26G7%qODLDJl)%&3Nmr_@QSS@U2a4-#>({C@P8;* z7nZY5E&~@O#u*GDQ$jVLqS_@Hr5Ne_$&z=_ZHPwwQd+kF$G{VF^wGlaq~c zjRulca^vr9ml^~yUhytC5hm`vDn5A59agHbRGZk<$)tA9b6g=d&l8j>tzU9nqM)BF zOcLS&zQ*`lA2|VX73^qj!T6sq$eg~nx;-%zM^=BWmB8f?0Ebs2S0vrq!&crkv01K3 zaHIfSwc?<~WJ#-Vtrz(s`Y)4{pYqX*=+v&BT71IMnBW++TjihdC+`F=O1x}6x1EcZ zmDKhGf%MoRNDOtvEuGofF%Z%@he^6Wo-`&7B^7rI*@Ubfl>g>!oI`{z;Zav$q;gix z7dh8kRwT&9d&M2AA6>uC?Y=)hk};mq?z7P+f8c1dOLL|dBjM{e1hxZt zKqA9jer7Deh#-Fbrj$Yl8Cl6oMKJEe_|R}doZDe{$NhEO5NX&K!a@+ox_kokt0U1X z3ww0M0nW;$n|0KIdW1t-YPUXFS*TRp1sJ+lU)`*a@BuWf#fJBgR~*^m!r|@VQvJ2`4F8Xvy#_W9bA7>uPBr2KdjP16MmI78uU zHh z1x74Sv`X}5T|##N3xD<&@rT)&UCU+s(uPG%n@YL1ga4gUq$K;h)~v{-GG6V3D%cqV^&Bp!vPedfG+reUn*4mke49o_o-n$Rd4_ z1udg%&wCjqkB(!>Ig-*r@8ovi{-4QoM?wu4E9s5Qvt^}8%P%GxvL4@cMYt1Aexq1(J@ zwE$hU*-qqQTaX;oi*$7@NHM$h6umcu>C~<)-fd4g>-wqVus4`^JM$WA=Ywo>+zJ8! 