From 85d31111ebd6236a7cc47d449077f47495e809a1 Mon Sep 17 00:00:00 2001 From: TrueCharts-Bot Date: Thu, 8 Jun 2023 10:57:31 +0000 Subject: [PATCH] Commit new Chart releases for TrueCharts 
Signed-off-by: TrueCharts-Bot --- operators/cloudnative-pg/1.0.0/CHANGELOG.md | 54 + operators/cloudnative-pg/1.0.0/Chart.yaml | 31 + .../9.0.9 => cloudnative-pg/1.0.0}/LICENSE | 0 .../9.0.9 => cloudnative-pg/1.0.0}/README.md | 0 .../cloudnative-pg/1.0.0/app-changelog.md | 9 + operators/cloudnative-pg/1.0.0/app-readme.md | 8 + .../1.0.0}/charts/common-12.13.0.tgz | Bin operators/cloudnative-pg/1.0.0/ix_values.yaml | 820 ++ .../1.0.0}/questions.yaml | 0 .../1.0.0}/templates/NOTES.txt | 0 .../_mutatingwebhookconfiguration.tpl | 85 + .../_validatingwebhookconfiguration.tpl | 106 + .../1.0.0/templates/common.yaml | 8 + .../cloudnative-pg/1.0.0/templates/crds.yaml | 11805 ++++++++++++++++ .../1.0.0}/values.yaml | 0 .../metallb/{9.0.9 => 9.0.10}/CHANGELOG.md | 9 + .../metallb/{9.0.9 => 9.0.10}/Chart.yaml | 2 +- .../0.0.1 => metallb/9.0.10}/LICENSE | 0 .../0.0.1 => metallb/9.0.10}/README.md | 0 operators/metallb/9.0.10/app-changelog.md | 9 + .../metallb/{9.0.9 => 9.0.10}/app-readme.md | 0 .../9.0.10}/charts/common-12.13.0.tgz | Bin .../metallb/{9.0.9 => 9.0.10}/ix_values.yaml | 8 +- .../0.0.1 => metallb/9.0.10}/questions.yaml | 0 .../9.0.10}/templates/NOTES.txt | 0 .../{9.0.9 => 9.0.10}/templates/_webhooks.tpl | 0 .../{9.0.9 => 9.0.10}/templates/common.yaml | 0 .../{9.0.9 => 9.0.10}/templates/crds.yaml | 0 .../0.0.1 => metallb/9.0.10}/values.yaml | 0 operators/metallb/9.0.9/app-changelog.md | 9 - .../0.0.1/app-changelog.md | 9 - .../{0.0.1 => 0.0.2}/CHANGELOG.md | 9 + .../{0.0.1 => 0.0.2}/Chart.yaml | 2 +- operators/prometheus-operator/0.0.2/LICENSE | 106 + operators/prometheus-operator/0.0.2/README.md | 27 + .../0.0.2/app-changelog.md | 9 + .../{0.0.1 => 0.0.2}/app-readme.md | 0 .../0.0.2/charts/common-12.13.0.tgz | Bin 0 -> 129903 bytes .../{0.0.1 => 0.0.2}/ix_values.yaml | 8 +- .../prometheus-operator/0.0.2/questions.yaml | 45 + .../0.0.2/templates/NOTES.txt | 1 + .../_mutatingwebhookconfiguration.tpl | 0 .../_validatingwebhookconfiguration.tpl | 0 .../{0.0.1 => 
0.0.2}/templates/common.yaml | 0 .../crds/crd-alertmanagerconfigs.yaml | 0 .../templates/crds/crd-alertmanagers.yaml | 0 .../templates/crds/crd-podmonitors.yaml | 0 .../templates/crds/crd-probes.yaml | 0 .../templates/crds/crd-prometheusagents.yaml | 0 .../templates/crds/crd-prometheuses.yaml | 0 .../templates/crds/crd-prometheusrules.yaml | 0 .../templates/crds/crd-scrapeconfigs.yaml | 0 .../templates/crds/crd-servicemonitors.yaml | 0 .../templates/crds/crd-thanosrulers.yaml | 0 .../prometheus-operator/0.0.2/values.yaml | 0 55 files changed, 13151 insertions(+), 28 deletions(-) create mode 100644 operators/cloudnative-pg/1.0.0/CHANGELOG.md create mode 100644 operators/cloudnative-pg/1.0.0/Chart.yaml rename operators/{metallb/9.0.9 => cloudnative-pg/1.0.0}/LICENSE (100%) rename operators/{metallb/9.0.9 => cloudnative-pg/1.0.0}/README.md (100%) create mode 100644 operators/cloudnative-pg/1.0.0/app-changelog.md create mode 100644 operators/cloudnative-pg/1.0.0/app-readme.md rename operators/{metallb/9.0.9 => cloudnative-pg/1.0.0}/charts/common-12.13.0.tgz (100%) create mode 100644 operators/cloudnative-pg/1.0.0/ix_values.yaml rename operators/{metallb/9.0.9 => cloudnative-pg/1.0.0}/questions.yaml (100%) rename operators/{metallb/9.0.9 => cloudnative-pg/1.0.0}/templates/NOTES.txt (100%) create mode 100644 operators/cloudnative-pg/1.0.0/templates/_mutatingwebhookconfiguration.tpl create mode 100644 operators/cloudnative-pg/1.0.0/templates/_validatingwebhookconfiguration.tpl create mode 100644 operators/cloudnative-pg/1.0.0/templates/common.yaml create mode 100644 operators/cloudnative-pg/1.0.0/templates/crds.yaml rename operators/{metallb/9.0.9 => cloudnative-pg/1.0.0}/values.yaml (100%) rename operators/metallb/{9.0.9 => 9.0.10}/CHANGELOG.md (93%) rename operators/metallb/{9.0.9 => 9.0.10}/Chart.yaml (98%) rename operators/{prometheus-operator/0.0.1 => metallb/9.0.10}/LICENSE (100%) rename operators/{prometheus-operator/0.0.1 => metallb/9.0.10}/README.md (100%) create 
mode 100644 operators/metallb/9.0.10/app-changelog.md rename operators/metallb/{9.0.9 => 9.0.10}/app-readme.md (100%) rename operators/{prometheus-operator/0.0.1 => metallb/9.0.10}/charts/common-12.13.0.tgz (100%) rename operators/metallb/{9.0.9 => 9.0.10}/ix_values.yaml (97%) rename operators/{prometheus-operator/0.0.1 => metallb/9.0.10}/questions.yaml (100%) rename operators/{prometheus-operator/0.0.1 => metallb/9.0.10}/templates/NOTES.txt (100%) rename operators/metallb/{9.0.9 => 9.0.10}/templates/_webhooks.tpl (100%) rename operators/metallb/{9.0.9 => 9.0.10}/templates/common.yaml (100%) rename operators/metallb/{9.0.9 => 9.0.10}/templates/crds.yaml (100%) rename operators/{prometheus-operator/0.0.1 => metallb/9.0.10}/values.yaml (100%) delete mode 100644 operators/metallb/9.0.9/app-changelog.md delete mode 100644 operators/prometheus-operator/0.0.1/app-changelog.md rename operators/prometheus-operator/{0.0.1 => 0.0.2}/CHANGELOG.md (55%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/Chart.yaml (98%) create mode 100644 operators/prometheus-operator/0.0.2/LICENSE create mode 100644 operators/prometheus-operator/0.0.2/README.md create mode 100644 operators/prometheus-operator/0.0.2/app-changelog.md rename operators/prometheus-operator/{0.0.1 => 0.0.2}/app-readme.md (100%) create mode 100644 operators/prometheus-operator/0.0.2/charts/common-12.13.0.tgz rename operators/prometheus-operator/{0.0.1 => 0.0.2}/ix_values.yaml (97%) create mode 100644 operators/prometheus-operator/0.0.2/questions.yaml create mode 100644 operators/prometheus-operator/0.0.2/templates/NOTES.txt rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/_mutatingwebhookconfiguration.tpl (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/_validatingwebhookconfiguration.tpl (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/common.yaml (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/crds/crd-alertmanagerconfigs.yaml 
(100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/crds/crd-alertmanagers.yaml (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/crds/crd-podmonitors.yaml (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/crds/crd-probes.yaml (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/crds/crd-prometheusagents.yaml (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/crds/crd-prometheuses.yaml (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/crds/crd-prometheusrules.yaml (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/crds/crd-scrapeconfigs.yaml (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/crds/crd-servicemonitors.yaml (100%) rename operators/prometheus-operator/{0.0.1 => 0.0.2}/templates/crds/crd-thanosrulers.yaml (100%) create mode 100644 operators/prometheus-operator/0.0.2/values.yaml diff --git a/operators/cloudnative-pg/1.0.0/CHANGELOG.md b/operators/cloudnative-pg/1.0.0/CHANGELOG.md new file mode 100644 index 0000000000..fa507763cb --- /dev/null +++ b/operators/cloudnative-pg/1.0.0/CHANGELOG.md 
@@ -0,0 +1,54 @@
+**Important:**
+*for the complete changelog, please refer to the website*
+
+
+
+
+## [cloudnative-pg-1.0.0](https://github.com/truecharts/charts/compare/cloudnative-pg-0.0.4...cloudnative-pg-1.0.0) (2023-06-08)
+
+### Chore
+
+- move container references to tccr.io
+
+
+
+
+## [cloudnative-pg-0.0.4](https://github.com/truecharts/charts/compare/cloudnative-pg-0.0.3...cloudnative-pg-0.0.4) (2023-06-07)
+
+### Chore
+
+- update helm general non-major ([#9457](https://github.com/truecharts/charts/issues/9457))
+ - pin container image ghcr.io/cloudnative-pg/cloudnative-pg to 1.20.0 ([#9137](https://github.com/truecharts/charts/issues/9137))
+
+
+
+
+## [cloudnative-pg-0.0.3](https://github.com/truecharts/charts/compare/cloudnative-pg-0.0.2...cloudnative-pg-0.0.3) (2023-06-06)
+
+### Fix
+
+- fix webhook port
+
+
+
+
+## [cloudnative-pg-0.0.2](https://github.com/truecharts/charts/compare/cloudnative-pg-0.0.1...cloudnative-pg-0.0.2) (2023-06-06)
+
+### Chore
+
+- update helm chart common to 12.12.1 ([#9349](https://github.com/truecharts/charts/issues/9349))
+
+ ### Fix
+
+- use hardcoded and fixed cnpg-webhook-service servicename ([#9429](https://github.com/truecharts/charts/issues/9429))
+
+
+
+
+## [cloudnative-pg-0.0.1]cloudnative-pg-0.0.1 (2023-06-03)
+
+### Add
+
+- add cloudnative pg operator chart ([#9332](https://github.com/truecharts/charts/issues/9332))
+
+
\ No newline at end of file
diff --git a/operators/cloudnative-pg/1.0.0/Chart.yaml b/operators/cloudnative-pg/1.0.0/Chart.yaml
new file mode 100644
index 0000000000..7a6ded3153
--- /dev/null
+++ b/operators/cloudnative-pg/1.0.0/Chart.yaml
@@ -0,0 +1,31 @@
+apiVersion: v2
+appVersion: "0.13.9"
+deprecated: false
+description: CloudNativePG is a clustered postgresql database operator
+home: https://truecharts.org/charts/operators/cloudnative-pg
+icon: https://truecharts.org/img/hotlink-ok/chart-icons/cloudnative-pg.png
+keywords:
+ - database
+ - cloudnative-pg
+ - cnpg
+dependencies:
+ - name: common
+ repository: https://library-charts.truecharts.org
+ version: 12.13.0
+kubeVersion: ">=1.16.0-0"
+maintainers:
+ - email: info@truecharts.org
+ name: TrueCharts
+ url: https://truecharts.org
+name: cloudnative-pg
+sources:
+ - https://github.com/truecharts/charts/tree/master/charts/operators/cloudnative-pg
+ - https://github.com/cloudnative-pg
+ - https://cloudnative-pg.io/
+type: application
+version: 1.0.0
+annotations:
+ truecharts.org/catagories: |
+ - operators
+ truecharts.org/SCALE-support: "true"
+ truecharts.org/grade: U
diff --git a/operators/metallb/9.0.9/LICENSE b/operators/cloudnative-pg/1.0.0/LICENSE
similarity index 100%
rename from operators/metallb/9.0.9/LICENSE
rename to operators/cloudnative-pg/1.0.0/LICENSE
diff --git a/operators/metallb/9.0.9/README.md b/operators/cloudnative-pg/1.0.0/README.md
similarity index 100%
rename from operators/metallb/9.0.9/README.md
rename to operators/cloudnative-pg/1.0.0/README.md
diff --git a/operators/cloudnative-pg/1.0.0/app-changelog.md b/operators/cloudnative-pg/1.0.0/app-changelog.md
new file mode 100644
index 0000000000..0ae4fbd5f0
--- /dev/null
+++ b/operators/cloudnative-pg/1.0.0/app-changelog.md
@@ -0,0 +1,9 @@
+
+
+## [cloudnative-pg-1.0.0](https://github.com/truecharts/charts/compare/cloudnative-pg-0.0.4...cloudnative-pg-1.0.0) (2023-06-08)
+
+### Chore
+
+- move container references to tccr.io
+
+
\ No newline at end of file
diff --git a/operators/cloudnative-pg/1.0.0/app-readme.md b/operators/cloudnative-pg/1.0.0/app-readme.md
new file mode 100644
index 0000000000..53fc6df3fb
--- /dev/null
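Review bot: `appVersion: "0.13.9"` in the new Chart.yaml does not match the operator this chart actually deploys: the CHANGELOG added in this same commit pins the container image to 1.20.0, and ix_values.yaml sets `tag: "v1.20.0"`. appVersion is what `helm list` and chart inventories report, so a stale value makes it harder to tell which upstream release, and which of its advisories, applies to a running install. I would set `appVersion: "1.20.0"` and keep it in step with the image tag on each release.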
+++ b/operators/cloudnative-pg/1.0.0/app-readme.md
@@ -0,0 +1,8 @@
+CloudNativePG is a clustered postgresql database operator
+
+This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/operators/cloudnative-pg](https://truecharts.org/charts/operators/cloudnative-pg)
+
+---
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
diff --git a/operators/metallb/9.0.9/charts/common-12.13.0.tgz b/operators/cloudnative-pg/1.0.0/charts/common-12.13.0.tgz
similarity index 100%
rename from operators/metallb/9.0.9/charts/common-12.13.0.tgz
rename to operators/cloudnative-pg/1.0.0/charts/common-12.13.0.tgz
diff --git a/operators/cloudnative-pg/1.0.0/ix_values.yaml b/operators/cloudnative-pg/1.0.0/ix_values.yaml
new file mode 100644
index 0000000000..d6f6117901
--- /dev/null
+++ b/operators/cloudnative-pg/1.0.0/ix_values.yaml
@@ -0,0 +1,820 @@ +image: + repository: tccr.io/truecharts/cloudnative-pg + tag: "v1.20.0" + pullPolicy: + +workload: + main: + podSpec: + containers: + main: + args: + - controller + - --leader-elect + - --config-map-name={{ include "tc.v1.common.lib.chart.names.fullname" $ }}-config + - --secret-name={{ include "tc.v1.common.lib.chart.names.fullname" $ }}-config + - --webhook-port=9443 + command: + - /manager + probes: + liveness: + port: webhook + type: https + path: /readyz + readiness: + port: webhook + type: https + path: /readyz + startup: + port: webhook + type: tcp + env: + OPERATOR_IMAGE_NAME: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + OPERATOR_NAMESPACE: + fieldRef: + fieldPath: metadata.namespace + MONITORING_QUERIES_CONFIGMAP: '{{ include "tc.v1.common.lib.chart.names.fullname" $ }}-monitoring' + +podOptions: + automountServiceAccountToken: true + +service: + main: + ports: + main: + protocol: http + port: 8080 + cnpg-webhook-service: + enabled: true + expandObjectName: false + ports: + webhook: + enabled: true + protocol: https + port: 443 + targetPort: 9443 + +operator: + register: true + +persistence: + scratch-data: + enabled: true + type: emptyDir + mountPath: /controller + webhook-certificates: + enabled: true + type: secret + objectName: cnpg-webhook-cert + expandObjectName: false + optional: true + defaultMode: "0420" + readOnly: true + targetSelector: + main: + main: + mountPath: "/run/secrets/cnpg.io/webhook" + +portal: + open: + enabled: false + +metrics: + main: + enabled: false + type: "podmonitor" + endpoints: + - port: main + interval: 5s + scrapeTimeout: 5s + path: / + honorLabels: false + +rbac: + main: + enabled: true + primary: true + clusterWide: true + rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update + - apiGroups: + - "" + resources: + 
- events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - delete + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - pods/status + verbs: + - get + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - secrets/status + verbs: + - get + - patch + - update + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - update + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get + - list + - patch + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update + - apiGroups: + - monitoring.coreos.com + resources: + - podmonitors + verbs: + - create + - delete + - get + - list + - patch + - watch + - 
apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - postgresql.cnpg.io + resources: + - backups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - postgresql.cnpg.io + resources: + - backups/status + verbs: + - get + - patch + - update + - apiGroups: + - postgresql.cnpg.io + resources: + - clusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - postgresql.cnpg.io + resources: + - clusters/finalizers + verbs: + - update + - apiGroups: + - postgresql.cnpg.io + resources: + - clusters/status + verbs: + - get + - patch + - update + - watch + - apiGroups: + - postgresql.cnpg.io + resources: + - poolers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - postgresql.cnpg.io + resources: + - poolers/finalizers + verbs: + - update + - apiGroups: + - postgresql.cnpg.io + resources: + - poolers/status + verbs: + - get + - patch + - update + - watch + - apiGroups: + - postgresql.cnpg.io + resources: + - scheduledbackups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - postgresql.cnpg.io + resources: + - scheduledbackups/status + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - get + - list + - patch + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - create + - get + - list + - patch + - update + - watch + +serviceAccount: + main: + enabled: true + primary: true + +webhook: + mutating: + create: true + failurePolicy: Fail + validating: + create: true + failurePolicy: Fail + +manifestManager: + enabled: true + staging: false + install: false + check: false + delete: true + +configmap: + config: + enabled: true + data: + CREATE_ANY_SERVICE: "true" + 
monitoring: + enabled: true + data: + queries: | + backends: + query: | + SELECT sa.datname + , sa.usename + , sa.application_name + , states.state + , COALESCE(sa.count, 0) AS total + , COALESCE(sa.max_tx_secs, 0) AS max_tx_duration_seconds + FROM ( VALUES ('active') + , ('idle') + , ('idle in transaction') + , ('idle in transaction (aborted)') + , ('fastpath function call') + , ('disabled') + ) AS states(state) + LEFT JOIN ( + SELECT datname + , state + , usename + , COALESCE(application_name, '') AS application_name + , COUNT(*) + , COALESCE(EXTRACT (EPOCH FROM (max(now() - xact_start))), 0) AS max_tx_secs + FROM pg_catalog.pg_stat_activity + GROUP BY datname, state, usename, application_name + ) sa ON states.state = sa.state + WHERE sa.usename IS NOT NULL + metrics: + - datname: + usage: "LABEL" + description: "Name of the database" + - usename: + usage: "LABEL" + description: "Name of the user" + - application_name: + usage: "LABEL" + description: "Name of the application" + - state: + usage: "LABEL" + description: "State of the backend" + - total: + usage: "GAUGE" + description: "Number of backends" + - max_tx_duration_seconds: + usage: "GAUGE" + description: "Maximum duration of a transaction in seconds" + + backends_waiting: + query: | + SELECT count(*) AS total + FROM pg_catalog.pg_locks blocked_locks + JOIN pg_catalog.pg_locks blocking_locks + ON blocking_locks.locktype = blocked_locks.locktype + AND blocking_locks.database IS NOT DISTINCT FROM blocked_locks.database + AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation + AND blocking_locks.page IS NOT DISTINCT FROM blocked_locks.page + AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple + AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid + AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid + AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid + AND blocking_locks.objid IS NOT DISTINCT FROM 
blocked_locks.objid + AND blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid + AND blocking_locks.pid != blocked_locks.pid + JOIN pg_catalog.pg_stat_activity blocking_activity ON blocking_activity.pid = blocking_locks.pid + WHERE NOT blocked_locks.granted + metrics: + - total: + usage: "GAUGE" + description: "Total number of backends that are currently waiting on other queries" + + pg_database: + query: | + SELECT datname + , pg_catalog.pg_database_size(datname) AS size_bytes + , pg_catalog.age(datfrozenxid) AS xid_age + , pg_catalog.mxid_age(datminmxid) AS mxid_age + FROM pg_catalog.pg_database + metrics: + - datname: + usage: "LABEL" + description: "Name of the database" + - size_bytes: + usage: "GAUGE" + description: "Disk space used by the database" + - xid_age: + usage: "GAUGE" + description: "Number of transactions from the frozen XID to the current one" + - mxid_age: + usage: "GAUGE" + description: "Number of multiple transactions (Multixact) from the frozen XID to the current one" + + pg_postmaster: + query: | + SELECT EXTRACT(EPOCH FROM pg_postmaster_start_time) AS start_time + FROM pg_catalog.pg_postmaster_start_time() + metrics: + - start_time: + usage: "GAUGE" + description: "Time at which postgres started (based on epoch)" + + pg_replication: + query: "SELECT CASE WHEN NOT pg_catalog.pg_is_in_recovery() + THEN 0 + ELSE GREATEST (0, + EXTRACT(EPOCH FROM (now() - pg_catalog.pg_last_xact_replay_timestamp()))) + END AS lag, + pg_catalog.pg_is_in_recovery() AS in_recovery, + EXISTS (TABLE pg_stat_wal_receiver) AS is_wal_receiver_up, + (SELECT count(*) FROM pg_stat_replication) AS streaming_replicas" + metrics: + - lag: + usage: "GAUGE" + description: "Replication lag behind primary in seconds" + - in_recovery: + usage: "GAUGE" + description: "Whether the instance is in recovery" + - is_wal_receiver_up: + usage: "GAUGE" + description: "Whether the instance wal_receiver is up" + - streaming_replicas: + usage: "GAUGE" + description: "Number of 
streaming replicas connected to the instance" + + pg_replication_slots: + query: | + SELECT slot_name, + slot_type, + database, + active, + pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), restart_lsn) + FROM pg_catalog.pg_replication_slots + WHERE NOT temporary + metrics: + - slot_name: + usage: "LABEL" + description: "Name of the replication slot" + - slot_type: + usage: "LABEL" + description: "Type of the replication slot" + - database: + usage: "LABEL" + description: "Name of the database" + - active: + usage: "GAUGE" + description: "Flag indicating whether the slot is active" + - pg_wal_lsn_diff: + usage: "GAUGE" + description: "Replication lag in bytes" + + pg_stat_archiver: + query: | + SELECT archived_count + , failed_count + , COALESCE(EXTRACT(EPOCH FROM (now() - last_archived_time)), -1) AS seconds_since_last_archival + , COALESCE(EXTRACT(EPOCH FROM (now() - last_failed_time)), -1) AS seconds_since_last_failure + , COALESCE(EXTRACT(EPOCH FROM last_archived_time), -1) AS last_archived_time + , COALESCE(EXTRACT(EPOCH FROM last_failed_time), -1) AS last_failed_time + , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_archived_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_archived_wal_start_lsn + , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_failed_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_failed_wal_start_lsn + , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time + FROM pg_catalog.pg_stat_archiver + metrics: + - archived_count: + usage: "COUNTER" + description: "Number of WAL files that have been successfully archived" + - failed_count: + usage: "COUNTER" + description: "Number of failed attempts for archiving WAL files" + - seconds_since_last_archival: + usage: "GAUGE" + description: "Seconds since the last successful archival operation" + - seconds_since_last_failure: + usage: "GAUGE" + description: "Seconds since the last failed archival 
operation" + - last_archived_time: + usage: "GAUGE" + description: "Epoch of the last time WAL archiving succeeded" + - last_failed_time: + usage: "GAUGE" + description: "Epoch of the last time WAL archiving failed" + - last_archived_wal_start_lsn: + usage: "GAUGE" + description: "Archived WAL start LSN" + - last_failed_wal_start_lsn: + usage: "GAUGE" + description: "Last failed WAL LSN" + - stats_reset_time: + usage: "GAUGE" + description: "Time at which these statistics were last reset" + + pg_stat_bgwriter: + query: | + SELECT checkpoints_timed + , checkpoints_req + , checkpoint_write_time + , checkpoint_sync_time + , buffers_checkpoint + , buffers_clean + , maxwritten_clean + , buffers_backend + , buffers_backend_fsync + , buffers_alloc + FROM pg_catalog.pg_stat_bgwriter + metrics: + - checkpoints_timed: + usage: "COUNTER" + description: "Number of scheduled checkpoints that have been performed" + - checkpoints_req: + usage: "COUNTER" + description: "Number of requested checkpoints that have been performed" + - checkpoint_write_time: + usage: "COUNTER" + description: "Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds" + - checkpoint_sync_time: + usage: "COUNTER" + description: "Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds" + - buffers_checkpoint: + usage: "COUNTER" + description: "Number of buffers written during checkpoints" + - buffers_clean: + usage: "COUNTER" + description: "Number of buffers written by the background writer" + - maxwritten_clean: + usage: "COUNTER" + description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers" + - buffers_backend: + usage: "COUNTER" + description: "Number of buffers written directly by a backend" + - buffers_backend_fsync: + usage: "COUNTER" + description: "Number of times a backend had to execute its 
own fsync call (normally the background writer handles those even when the backend does its own write)" + - buffers_alloc: + usage: "COUNTER" + description: "Number of buffers allocated" + + pg_stat_database: + query: | + SELECT datname + , xact_commit + , xact_rollback + , blks_read + , blks_hit + , tup_returned + , tup_fetched + , tup_inserted + , tup_updated + , tup_deleted + , conflicts + , temp_files + , temp_bytes + , deadlocks + , blk_read_time + , blk_write_time + FROM pg_catalog.pg_stat_database + metrics: + - datname: + usage: "LABEL" + description: "Name of this database" + - xact_commit: + usage: "COUNTER" + description: "Number of transactions in this database that have been committed" + - xact_rollback: + usage: "COUNTER" + description: "Number of transactions in this database that have been rolled back" + - blks_read: + usage: "COUNTER" + description: "Number of disk blocks read in this database" + - blks_hit: + usage: "COUNTER" + description: "Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache)" + - tup_returned: + usage: "COUNTER" + description: "Number of rows returned by queries in this database" + - tup_fetched: + usage: "COUNTER" + description: "Number of rows fetched by queries in this database" + - tup_inserted: + usage: "COUNTER" + description: "Number of rows inserted by queries in this database" + - tup_updated: + usage: "COUNTER" + description: "Number of rows updated by queries in this database" + - tup_deleted: + usage: "COUNTER" + description: "Number of rows deleted by queries in this database" + - conflicts: + usage: "COUNTER" + description: "Number of queries canceled due to conflicts with recovery in this database" + - temp_files: + usage: "COUNTER" + description: "Number of temporary files created by queries in this database" + - temp_bytes: + usage: "COUNTER" + description: "Total 
amount of data written to temporary files by queries in this database" + - deadlocks: + usage: "COUNTER" + description: "Number of deadlocks detected in this database" + - blk_read_time: + usage: "COUNTER" + description: "Time spent reading data file blocks by backends in this database, in milliseconds" + - blk_write_time: + usage: "COUNTER" + description: "Time spent writing data file blocks by backends in this database, in milliseconds" + + pg_stat_replication: + primary: true + query: | + SELECT usename + , COALESCE(application_name, '') AS application_name + , COALESCE(client_addr::text, '') AS client_addr + , EXTRACT(EPOCH FROM backend_start) AS backend_start + , COALESCE(pg_catalog.age(backend_xmin), 0) AS backend_xmin_age + , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), sent_lsn) AS sent_diff_bytes + , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), write_lsn) AS write_diff_bytes + , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), flush_lsn) AS flush_diff_bytes + , COALESCE(pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), replay_lsn),0) AS replay_diff_bytes + , COALESCE((EXTRACT(EPOCH FROM write_lag)),0)::float AS write_lag_seconds + , COALESCE((EXTRACT(EPOCH FROM flush_lag)),0)::float AS flush_lag_seconds + , COALESCE((EXTRACT(EPOCH FROM replay_lag)),0)::float AS replay_lag_seconds + FROM pg_catalog.pg_stat_replication + metrics: + - usename: + usage: "LABEL" + description: "Name of the replication user" + - application_name: + usage: "LABEL" + description: "Name of the application" + - client_addr: + usage: "LABEL" + description: "Client IP address" + - backend_start: + usage: "COUNTER" + description: "Time when this process was started" + - backend_xmin_age: + usage: "COUNTER" + description: "The age of this standby's xmin horizon" + - sent_diff_bytes: + usage: "GAUGE" + description: "Difference in bytes from the last write-ahead log location sent on this connection" + - write_diff_bytes: + usage: "GAUGE" 
+ description: "Difference in bytes from the last write-ahead log location written to disk by this standby server" + - flush_diff_bytes: + usage: "GAUGE" + description: "Difference in bytes from the last write-ahead log location flushed to disk by this standby server" + - replay_diff_bytes: + usage: "GAUGE" + description: "Difference in bytes from the last write-ahead log location replayed into the database on this standby server" + - write_lag_seconds: + usage: "GAUGE" + description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written it" + - flush_lag_seconds: + usage: "GAUGE" + description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written and flushed it" + - replay_lag_seconds: + usage: "GAUGE" + description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written, flushed and applied it" + + pg_settings: + query: | + SELECT name, + CASE setting WHEN 'on' THEN '1' WHEN 'off' THEN '0' ELSE setting END AS setting + FROM pg_catalog.pg_settings + WHERE vartype IN ('integer', 'real', 'bool') + ORDER BY 1 + metrics: + - name: + usage: "LABEL" + description: "Name of the setting" + - setting: + usage: "GAUGE" + description: "Setting value" diff --git a/operators/metallb/9.0.9/questions.yaml b/operators/cloudnative-pg/1.0.0/questions.yaml similarity index 100% rename from operators/metallb/9.0.9/questions.yaml rename to operators/cloudnative-pg/1.0.0/questions.yaml diff --git a/operators/metallb/9.0.9/templates/NOTES.txt b/operators/cloudnative-pg/1.0.0/templates/NOTES.txt similarity index 100% rename from operators/metallb/9.0.9/templates/NOTES.txt rename to operators/cloudnative-pg/1.0.0/templates/NOTES.txt 
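Review bot: `defaultMode: "0420"` under `persistence.webhook-certificates` looks like the decimal 420 (octal 0644) that plain Kubernetes manifests usually carry, copied into a four-digit string. If the common library renders that string as an octal literal (not visible in this patch, so worth confirming), the mounted webhook TLS secret gets mode r---w----, i.e. owner read plus group write-only, which is neither the usual 0644 nor a meaningful restriction. Since this volume holds the webhook certificate and key, I would state the intended octal value explicitly, e.g. `defaultMode: "0440"` if the operator reads it through group ownership, or `"0644"` to match the common default. Separately, a short comment above `clusterWide: true` noting that the rules grant cluster-wide read/write on `secrets` plus `pods/exec` would help operators judge how privileged this service account is.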
diff --git a/operators/cloudnative-pg/1.0.0/templates/_mutatingwebhookconfiguration.tpl b/operators/cloudnative-pg/1.0.0/templates/_mutatingwebhookconfiguration.tpl
new file mode 100644
index 0000000000..8c3d90f10f
--- /dev/null
+++ b/operators/cloudnative-pg/1.0.0/templates/_mutatingwebhookconfiguration.tpl
@@ -0,0 +1,85 @@
+{{- define "cnpg.webhooks.mutating" -}}
+{{- if .Values.webhook.mutating.create }}
+{{- $cnpgLabels := .Values.webhook.validating.labels -}}
+{{- $cnpgAnnotations := .Values.webhook.validating.annotations -}}
+{{- $labels := (mustMerge ($cnpgLabels | default dict) (include "tc.v1.common.lib.metadata.allLabels" $ | fromYaml)) }}
+{{- $annotations := (mustMerge ($cnpgAnnotations | default dict) (include "tc.v1.common.lib.metadata.allAnnotations" $ | fromYaml)) }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: cnpg-mutating-webhook-configuration
+ {{- with (include "tc.v1.common.lib.metadata.render" (dict "rootCtx" $ "labels" $labels) | trim) }}
+ labels:
+ {{- . | nindent 4 }}
+ {{- end }}
+ {{- with (include "tc.v1.common.lib.metadata.render" (dict "rootCtx" $ "annotations" $annotations) | trim) }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: cnpg-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-postgresql-cnpg-io-v1-backup
+ port: 443
+ failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+ name: mbackup.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - backups
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: cnpg-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-postgresql-cnpg-io-v1-cluster
+ port: 443
+ failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+ name: mcluster.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusters
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: cnpg-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-postgresql-cnpg-io-v1-scheduledbackup
+ port: 443
+ failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+ name: mscheduledbackup.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - scheduledbackups
+ sideEffects: None
+{{- end }}
+{{- end -}}
diff --git a/operators/cloudnative-pg/1.0.0/templates/_validatingwebhookconfiguration.tpl b/operators/cloudnative-pg/1.0.0/templates/_validatingwebhookconfiguration.tpl
new file mode 100644
index 0000000000..e16d46ee01
--- /dev/null
+++ b/operators/cloudnative-pg/1.0.0/templates/_validatingwebhookconfiguration.tpl
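Review bot: The two lookups at the top of `cnpg.webhooks.mutating`, `$cnpgLabels := .Values.webhook.validating.labels` and `$cnpgAnnotations := .Values.webhook.validating.annotations`, read the validating webhook's values, while `create` and `failurePolicy` in the same template come from `.Values.webhook.mutating`. This looks like a copy from the validating template, so labels or annotations set for the mutating webhook would be ignored; presumably the lines should read `.Values.webhook.mutating.labels` and `.Values.webhook.mutating.annotations` (the values file is outside this view, so confirm those keys exist). Also, `mustMerge` writes into its first argument, so when labels are set the `.Values` map itself is modified in place; `mustMerge (dict) ($cnpgLabels | default dict) (...)` keeps the same precedence without touching the values.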
@@ -0,0 +1,106 @@
+{{- define "cnpg.webhooks.validating" -}}
+{{- if .Values.webhook.validating.create }}
+{{- $cnpgLabels := .Values.webhook.validating.labels -}}
+{{- $cnpgAnnotations := .Values.webhook.validating.annotations -}}
+{{- $labels := (mustMerge ($cnpgLabels | default dict) (include "tc.v1.common.lib.metadata.allLabels" $ | fromYaml)) }}
+{{- $annotations := (mustMerge ($cnpgAnnotations | default dict) (include "tc.v1.common.lib.metadata.allAnnotations" $ | fromYaml)) }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: cnpg-validating-webhook-configuration
+ {{- with (include "tc.v1.common.lib.metadata.render" (dict "rootCtx" $ "labels" $labels) | trim) }}
+ labels:
+ {{- . | nindent 4 }}
+ {{- end }}
+ {{- with (include "tc.v1.common.lib.metadata.render" (dict "rootCtx" $ "annotations" $annotations) | trim) }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: cnpg-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-postgresql-cnpg-io-v1-backup
+ port: 9443
+ failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+ name: vbackup.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - backups
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: cnpg-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-postgresql-cnpg-io-v1-cluster
+ port: 443
+ failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+ name: vcluster.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clusters
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: cnpg-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-postgresql-cnpg-io-v1-scheduledbackup
+ port: 443
+ failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+ name: vscheduledbackup.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - scheduledbackups
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: cnpg-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-postgresql-cnpg-io-v1-pooler
+ port: 443
+ failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+ name: vpooler.kb.io
+ rules:
+ - apiGroups:
+ - postgresql.cnpg.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - poolers
+ sideEffects: None
+{{- end }}
+{{- end -}}
diff --git a/operators/cloudnative-pg/1.0.0/templates/common.yaml b/operators/cloudnative-pg/1.0.0/templates/common.yaml
new file mode 100644
index 0000000000..3b4deaf3d1
--- /dev/null
+++ b/operators/cloudnative-pg/1.0.0/templates/common.yaml
@@ -0,0 +1,8 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "tc.v1.common.loader.init" . }}
+
+{{- include "cnpg.webhooks.validating" . -}}
+{{- include "cnpg.webhooks.mutating" . -}}
+
+{{/* Render the templates */}}
+{{ include "tc.v1.common.loader.apply" . }}
diff --git a/operators/cloudnative-pg/1.0.0/templates/crds.yaml b/operators/cloudnative-pg/1.0.0/templates/crds.yaml
new file mode 100644
index 0000000000..50f8ad30c1
--- /dev/null
+++ b/operators/cloudnative-pg/1.0.0/templates/crds.yaml
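Review bot: The first entry, `vbackup.kb.io`, points at `port: 9443`, while the other three validating entries and every entry in the mutating template use `port: 443` on the same `cnpg-webhook-service`. If the Service only exposes 443 (its definition is outside this view), the API server cannot reach the Backup validator: with `failurePolicy: Ignore` Backup objects would be admitted without validation, and with `Fail` every Backup create or update would be rejected. Unless 9443 is deliberately exposed on the Service, change the line to `port: 443` so all four validators are reached the same way.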
@@ -0,0 +1,11805 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + helm.sh/resource-policy: keep + creationTimestamp: null + name: backups.postgresql.cnpg.io +spec: + group: postgresql.cnpg.io + names: + kind: Backup + listKind: BackupList + plural: backups + singular: backup + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.cluster.name + name: Cluster + type: string + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .status.error + name: Error + type: string + name: v1 + schema: + openAPIV3Schema: + description: Backup is the Schema for the backups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Specification of the desired behavior of the backup. More + info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + cluster: + description: The cluster to backup + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + target: + description: The policy to decide which instance should perform this + backup. 
If empty, it defaults to `cluster.spec.backup.target`. Available + options are empty string, `primary` and `prefer-standby`. `primary` + to have backups run always on primary instances, `prefer-standby` + to have backups run preferably on the most updated standby, if available. + enum: + - primary + - prefer-standby + type: string + type: object + status: + description: 'Most recently observed status of the backup. This data may + not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + azureCredentials: + description: The credentials to use to upload data to Azure Blob Storage + properties: + connectionString: + description: The connection string to be used + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + inheritFromAzureAD: + description: Use the Azure AD based authentication without providing + explicitly the keys. + type: boolean + storageAccount: + description: The storage account where to upload data + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + storageKey: + description: The storage account key to be used in conjunction + with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + storageSasToken: + description: A shared-access-signature to be used in conjunction + with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + type: object + backupId: + description: The ID of the Barman backup + type: string + backupName: + description: The Name of the Barman backup + type: string + beginLSN: + description: The starting xlog + type: string + beginWal: + description: The starting WAL + type: string + commandError: + description: The backup command output in case of error + type: string + commandOutput: + description: Unused. Retained for compatibility with old versions. + type: string + destinationPath: + description: The path where to store the backup (i.e. s3://bucket/path/to/folder) + this path, with different destination folders, will be used for + WALs and for data. This may not be populated in case of errors. + type: string + encryption: + description: Encryption method required to S3 API + type: string + endLSN: + description: The ending xlog + type: string + endWal: + description: The ending WAL + type: string + endpointCA: + description: EndpointCA store the CA bundle of the barman endpoint. + Useful when using self-signed certificates to avoid errors with + certificate issuer and barman-cloud-wal-archive. + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + endpointURL: + description: Endpoint to be used to upload data to the cloud, overriding + the automatic endpoint discovery + type: string + error: + description: The detected error + type: string + googleCredentials: + description: The credentials to use to upload data to Google Cloud + Storage + properties: + applicationCredentials: + description: The secret containing the Google Cloud Storage JSON + file with the credentials + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + gkeEnvironment: + description: If set to true, will presume that it's running inside + a GKE environment, default to false. + type: boolean + type: object + instanceID: + description: Information to identify the instance where the backup + has been taken from + properties: + ContainerID: + description: The container ID + type: string + podName: + description: The pod name + type: string + type: object + phase: + description: The last backup status + type: string + s3Credentials: + description: The credentials to use to upload data to S3 + properties: + accessKeyId: + description: The reference to the access key id + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + inheritFromIAMRole: + description: Use the role based authentication without providing + explicitly the keys. + type: boolean + region: + description: The reference to the secret containing the region + name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + secretAccessKey: + description: The reference to the secret access key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + sessionToken: + description: The references to the session key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + type: object + serverName: + description: The server name on S3, the cluster name is used if this + parameter is omitted + type: string + startedAt: + description: When the backup was started + format: date-time + type: string + stoppedAt: + description: When the backup was terminated + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusters.postgresql.cnpg.io +spec: + group: postgresql.cnpg.io + names: + kind: Cluster + listKind: ClusterList + plural: clusters + singular: cluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Number of instances + jsonPath: .status.instances + name: Instances + type: integer + - description: Number of ready instances + jsonPath: .status.readyInstances + name: Ready + type: integer + - description: Cluster current status + jsonPath: .status.phase + name: Status + type: string + - description: Primary pod + jsonPath: .status.currentPrimary + name: Primary + type: string + name: v1 + schema: + openAPIV3Schema: + description: Cluster is the Schema for the PostgreSQL API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Specification of the desired behavior of the cluster. More + info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + affinity: + description: Affinity/Anti-affinity rules for Pods + properties: + additionalPodAffinity: + description: AdditionalPodAffinity allows to specify pod affinity + terms to be passed to all the cluster's pods. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. 
+ properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + additionalPodAntiAffinity: + description: AdditionalPodAntiAffinity allows to specify pod anti-affinity + terms to be added to the ones generated by the operator if EnablePodAntiAffinity + is set to true (default) or to be used exclusively if set to + false. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the anti-affinity expressions specified + by this field, but it may choose a node that violates one + or more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. 
for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". 
+ The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. 
The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its + node. When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. 
+ properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + enablePodAntiAffinity: + description: Activates anti-affinity for the pods. 
The operator + will define pods anti-affinity unless this field is explicitly + set to false + type: boolean + nodeAffinity: + description: 'NodeAffinity describes node affinity scheduling + rules for the pod. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity' + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. 
If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. 
due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. 
If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is map of key-value pairs used to define + the nodes on which the pods can run. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + podAntiAffinityType: + description: 'PodAntiAffinityType allows the user to decide whether + pod anti-affinity between cluster instance has to be considered + a strong requirement during scheduling or not. Allowed values + are: "preferred" (default if empty) or "required". Setting it + to "required", could lead to instances remaining pending until + new kubernetes nodes are added if all the existing nodes don''t + match the required pod anti-affinity rule. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity' + type: string + tolerations: + description: 'Tolerations is a list of Tolerations that should + be set for all the pods, in order to allow them to run on tainted + nodes. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. 
When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologyKey: + description: TopologyKey to use for anti-affinity configuration. + See k8s documentation for more info on that + type: string + type: object + backup: + description: The configuration to be used for backups + properties: + barmanObjectStore: + description: The configuration for the barman-cloud tool suite + properties: + azureCredentials: + description: The credentials to use to upload data to Azure + Blob Storage + properties: + connectionString: + description: The connection string to be used + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + inheritFromAzureAD: + description: Use the Azure AD based authentication without + providing explicitly the keys. + type: boolean + storageAccount: + description: The storage account where to upload data + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + storageKey: + description: The storage account key to be used in conjunction + with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + storageSasToken: + description: A shared-access-signature to be used in conjunction + with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: object + data: + description: The configuration to be used to backup the data + files When not defined, base backups files will be stored + uncompressed and may be unencrypted in the object store, + according to the bucket default policy. + properties: + compression: + description: Compress a backup file (a tar file per tablespace) + while streaming it to the object store. Available options + are empty string (no compression, default), `gzip`, + `bzip2` or `snappy`. + enum: + - gzip + - bzip2 + - snappy + type: string + encryption: + description: Whenever to force the encryption of files + (if the bucket is not already configured for that). 
+ Allowed options are empty string (use the bucket policy, + default), `AES256` and `aws:kms` + enum: + - AES256 + - aws:kms + type: string + immediateCheckpoint: + description: Control whether the I/O workload for the + backup initial checkpoint will be limited, according + to the `checkpoint_completion_target` setting on the + PostgreSQL server. If set to true, an immediate checkpoint + will be used, meaning PostgreSQL will complete the checkpoint + as soon as possible. `false` by default. + type: boolean + jobs: + description: The number of parallel jobs to be used to + upload the backup, defaults to 2 + format: int32 + minimum: 1 + type: integer + type: object + destinationPath: + description: The path where to store the backup (i.e. s3://bucket/path/to/folder) + this path, with different destination folders, will be used + for WALs and for data + minLength: 1 + type: string + endpointCA: + description: EndpointCA store the CA bundle of the barman + endpoint. Useful when using self-signed certificates to + avoid errors with certificate issuer and barman-cloud-wal-archive + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + endpointURL: + description: Endpoint to be used to upload data to the cloud, + overriding the automatic endpoint discovery + type: string + googleCredentials: + description: The credentials to use to upload data to Google + Cloud Storage + properties: + applicationCredentials: + description: The secret containing the Google Cloud Storage + JSON file with the credentials + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + gkeEnvironment: + description: If set to true, will presume that it's running + inside a GKE environment, default to false. 
+ type: boolean + type: object + historyTags: + additionalProperties: + type: string + description: HistoryTags is a list of key value pairs that + will be passed to the Barman --history-tags option. + type: object + s3Credentials: + description: The credentials to use to upload data to S3 + properties: + accessKeyId: + description: The reference to the access key id + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + inheritFromIAMRole: + description: Use the role based authentication without + providing explicitly the keys. + type: boolean + region: + description: The reference to the secret containing the + region name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + secretAccessKey: + description: The reference to the secret access key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + sessionToken: + description: The references to the session key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: object + serverName: + description: The server name on S3, the cluster name is used + if this parameter is omitted + type: string + tags: + additionalProperties: + type: string + description: Tags is a list of key value pairs that will be + passed to the Barman --tags option. + type: object + wal: + description: The configuration for the backup of the WAL stream. + When not defined, WAL files will be stored uncompressed + and may be unencrypted in the object store, according to + the bucket default policy. 
+ properties: + compression: + description: Compress a WAL file before sending it to + the object store. Available options are empty string + (no compression, default), `gzip`, `bzip2` or `snappy`. + enum: + - gzip + - bzip2 + - snappy + type: string + encryption: + description: Whenever to force the encryption of files + (if the bucket is not already configured for that). + Allowed options are empty string (use the bucket policy, + default), `AES256` and `aws:kms` + enum: + - AES256 + - aws:kms + type: string + maxParallel: + description: Number of WAL files to be either archived + in parallel (when the PostgreSQL instance is archiving + to a backup object store) or restored in parallel (when + a PostgreSQL standby is fetching WAL files from a recovery + object store). If not specified, WAL files will be processed + one at a time. It accepts a positive integer as a value + - with 1 being the minimum accepted value. + minimum: 1 + type: integer + type: object + required: + - destinationPath + type: object + retentionPolicy: + description: RetentionPolicy is the retention policy to be used + for backups and WALs (i.e. '60d'). The retention policy is expressed + in the form of `XXu` where `XX` is a positive integer and `u` + is in `[dwm]` - days, weeks, months. + pattern: ^[1-9][0-9]*[dwm]$ + type: string + target: + default: prefer-standby + description: The policy to decide which instance should perform + backups. Available options are empty string, which will default + to `prefer-standby` policy, `primary` to have backups run always + on primary instances, `prefer-standby` to have backups run preferably + on the most updated standby, if available. 
+ enum: + - primary + - prefer-standby + type: string + type: object + bootstrap: + description: Instructions to bootstrap this cluster + properties: + initdb: + description: Bootstrap the cluster via initdb + properties: + dataChecksums: + description: 'Whether the `-k` option should be passed to + initdb, enabling checksums on data pages (default: `false`)' + type: boolean + database: + description: 'Name of the database used by the application. + Default: `app`.' + type: string + encoding: + description: The value to be passed as option `--encoding` + for initdb (default:`UTF8`) + type: string + import: + description: Bootstraps the new cluster by importing data + from an existing PostgreSQL instance using logical backup + (`pg_dump` and `pg_restore`) + properties: + databases: + description: The databases to import + items: + type: string + type: array + postImportApplicationSQL: + description: List of SQL queries to be executed as a superuser + in the application database right after is imported + - to be used with extreme care (by default empty). Only + available in microservice type. + items: + type: string + type: array + roles: + description: The roles to import + items: + type: string + type: array + source: + description: The source of the import + properties: + externalCluster: + description: The name of the externalCluster used + for import + type: string + required: + - externalCluster + type: object + type: + description: The import type. Can be `microservice` or + `monolith`. + enum: + - microservice + - monolith + type: string + required: + - databases + - source + - type + type: object + localeCType: + description: The value to be passed as option `--lc-ctype` + for initdb (default:`C`) + type: string + localeCollate: + description: The value to be passed as option `--lc-collate` + for initdb (default:`C`) + type: string + options: + description: 'The list of options that must be passed to initdb + when creating the cluster. 
Deprecated: This could lead to + inconsistent configurations, please use the explicit provided + parameters instead. If defined, explicit values will be + ignored.' + items: + type: string + type: array + owner: + description: Name of the owner of the database in the instance + to be used by applications. Defaults to the value of the + `database` key. + type: string + postInitApplicationSQL: + description: List of SQL queries to be executed as a superuser + in the application database right after is created - to + be used with extreme care (by default empty) + items: + type: string + type: array + postInitApplicationSQLRefs: + description: PostInitApplicationSQLRefs points references + to ConfigMaps or Secrets which contain SQL files, the general + implementation order to these references is from all Secrets + to all ConfigMaps, and inside Secrets or ConfigMaps, the + implementation order is same as the order of each array + (by default empty) + properties: + configMapRefs: + description: ConfigMapRefs holds a list of references + to ConfigMaps + items: + description: ConfigMapKeySelector contains enough information + to let you locate the key of a ConfigMap + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: array + secretRefs: + description: SecretRefs holds a list of references to + Secrets + items: + description: SecretKeySelector contains enough information + to let you locate the key of a Secret + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + type: array + type: object + postInitSQL: + description: List of SQL queries to be executed as a superuser + immediately after the cluster has been created - to be used + with extreme care (by default empty) + items: + type: string + type: array + postInitTemplateSQL: + description: List of SQL queries to be executed as a superuser + in the `template1` after the cluster has been created - + to be used with extreme care (by default empty) + items: + type: string + type: array + secret: + description: Name of the secret containing the initial credentials + for the owner of the user database. If empty a new secret + will be created from scratch + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + walSegmentSize: + description: 'The value in megabytes (1 to 1024) to be passed + to the `--wal-segsize` option for initdb (default: empty, + resulting in PostgreSQL default: 16MB)' + maximum: 1024 + minimum: 1 + type: integer + type: object + pg_basebackup: + description: Bootstrap the cluster taking a physical backup of + another compatible PostgreSQL instance + properties: + database: + description: 'Name of the database used by the application. + Default: `app`.' + type: string + owner: + description: Name of the owner of the database in the instance + to be used by applications. Defaults to the value of the + `database` key. + type: string + secret: + description: Name of the secret containing the initial credentials + for the owner of the user database. If empty a new secret + will be created from scratch + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + source: + description: The name of the server of which we need to take + a physical backup + minLength: 1 + type: string + required: + - source + type: object + recovery: + description: Bootstrap the cluster from a backup + properties: + backup: + description: The backup we need to restore + properties: + endpointCA: + description: EndpointCA store the CA bundle of the barman + endpoint. Useful when using self-signed certificates + to avoid errors with certificate issuer and barman-cloud-wal-archive. + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + name: + description: Name of the referent. + type: string + required: + - name + type: object + database: + description: 'Name of the database used by the application. + Default: `app`.' + type: string + owner: + description: Name of the owner of the database in the instance + to be used by applications. Defaults to the value of the + `database` key. + type: string + recoveryTarget: + description: 'By default, the recovery process applies all + the available WAL files in the archive (full recovery). + However, you can also end the recovery as soon as a consistent + state is reached or recover to a point-in-time (PITR) by + specifying a `RecoveryTarget` object, as expected by PostgreSQL + (i.e., timestamp, transaction Id, LSN, ...). More info: + https://www.postgresql.org/docs/current/runtime-config-wal.html#RUNTIME-CONFIG-WAL-RECOVERY-TARGET' + properties: + backupID: + description: The ID of the backup from which to start + the recovery process. If empty (default) the operator + will automatically detect the backup based on targetTime + or targetLSN if specified. Otherwise use the latest + available backup in chronological order. 
+ type: string + exclusive: + description: Set the target to be exclusive (defaults + to true) + type: boolean + targetImmediate: + description: End recovery as soon as a consistent state + is reached + type: boolean + targetLSN: + description: The target LSN (Log Sequence Number) + type: string + targetName: + description: The target name (to be previously created + with `pg_create_restore_point`) + type: string + targetTLI: + description: The target timeline ("latest" or a positive + integer) + type: string + targetTime: + description: The target time as a timestamp in the RFC3339 + standard + type: string + targetXID: + description: The target transaction ID + type: string + type: object + secret: + description: Name of the secret containing the initial credentials + for the owner of the user database. If empty a new secret + will be created from scratch + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + source: + description: The external cluster whose backup we will restore. + This is also used as the name of the folder under which + the backup is stored, so it must be set to the name of the + source cluster + type: string + type: object + type: object + certificates: + description: The configuration for the CA and related certificates + properties: + clientCASecret: + description: 'The secret containing the Client CA certificate. + If not defined, a new secret will be created with a self-signed + CA and will be used to generate all the client certificates.

Contains:

- `ca.crt`: CA that should + be used to validate the client certificates, used as `ssl_ca_file` + of all the instances.
- `ca.key`: key used to generate + client certificates, if ReplicationTLSSecret is provided, this + can be omitted.
' + type: string + replicationTLSSecret: + description: The secret of type kubernetes.io/tls containing the + client certificate to authenticate as the `streaming_replica` + user. If not defined, ClientCASecret must provide also `ca.key`, + and a new secret will be created using the provided CA. + type: string + serverAltDNSNames: + description: The list of the server alternative DNS names to be + added to the generated server TLS certificates, when required. + items: + type: string + type: array + serverCASecret: + description: 'The secret containing the Server CA certificate. + If not defined, a new secret will be created with a self-signed + CA and will be used to generate the TLS certificate ServerTLSSecret.

Contains:

- `ca.crt`: CA that should + be used to validate the server certificate, used as `sslrootcert` + in client connection strings.
- `ca.key`: key used to + generate Server SSL certs, if ServerTLSSecret is provided, this + can be omitted.
' + type: string + serverTLSSecret: + description: The secret of type kubernetes.io/tls containing the + server TLS certificate and key that will be set as `ssl_cert_file` + and `ssl_key_file` so that clients can connect to postgres securely. + If not defined, ServerCASecret must provide also `ca.key` and + a new secret will be created using the provided CA. + type: string + type: object + description: + description: Description of this PostgreSQL cluster + type: string + enableSuperuserAccess: + default: true + description: When this option is enabled, the operator will use the + `SuperuserSecret` to update the `postgres` user password (if the + secret is not present, the operator will automatically create one). + When this option is disabled, the operator will ignore the `SuperuserSecret` + content, delete it when automatically created, and then blank the + password of the `postgres` user by setting it to `NULL`. Enabled + by default. + type: boolean + env: + description: Env follows the Env format to pass environment variables + to the pods created in the cluster + items: + description: EnvVar represents an environment variable present in + a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using + the previously defined environment variables in the container + and any service environment variables. If a variable cannot + be resolved, the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the + string literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists or + not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot + be used if value is not empty. 
+ properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, + status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: EnvFrom follows the EnvFrom format to pass environment + variables sources to the pods to be used by Env + items: + description: EnvFromSource represents the source of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in + the ConfigMap. Must be a C_IDENTIFIER. 
+ type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + externalClusters: + description: The list of external clusters which are used in the configuration + items: + description: ExternalCluster represents the connection parameters + to an external cluster which is used in the other sections of + the configuration + properties: + barmanObjectStore: + description: The configuration for the barman-cloud tool suite + properties: + azureCredentials: + description: The credentials to use to upload data to Azure + Blob Storage + properties: + connectionString: + description: The connection string to be used + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + inheritFromAzureAD: + description: Use the Azure AD based authentication without + providing explicitly the keys. + type: boolean + storageAccount: + description: The storage account where to upload data + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + storageKey: + description: The storage account key to be used in conjunction + with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + storageSasToken: + description: A shared-access-signature to be used in + conjunction with the storage account name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: object + data: + description: The configuration to be used to backup the + data files When not defined, base backups files will be + stored uncompressed and may be unencrypted in the object + store, according to the bucket default policy. + properties: + compression: + description: Compress a backup file (a tar file per + tablespace) while streaming it to the object store. + Available options are empty string (no compression, + default), `gzip`, `bzip2` or `snappy`. + enum: + - gzip + - bzip2 + - snappy + type: string + encryption: + description: Whenever to force the encryption of files + (if the bucket is not already configured for that). + Allowed options are empty string (use the bucket policy, + default), `AES256` and `aws:kms` + enum: + - AES256 + - aws:kms + type: string + immediateCheckpoint: + description: Control whether the I/O workload for the + backup initial checkpoint will be limited, according + to the `checkpoint_completion_target` setting on the + PostgreSQL server. If set to true, an immediate checkpoint + will be used, meaning PostgreSQL will complete the + checkpoint as soon as possible. `false` by default. + type: boolean + jobs: + description: The number of parallel jobs to be used + to upload the backup, defaults to 2 + format: int32 + minimum: 1 + type: integer + type: object + destinationPath: + description: The path where to store the backup (i.e. s3://bucket/path/to/folder) + this path, with different destination folders, will be + used for WALs and for data + minLength: 1 + type: string + endpointCA: + description: EndpointCA store the CA bundle of the barman + endpoint. 
Useful when using self-signed certificates to + avoid errors with certificate issuer and barman-cloud-wal-archive + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + endpointURL: + description: Endpoint to be used to upload data to the cloud, + overriding the automatic endpoint discovery + type: string + googleCredentials: + description: The credentials to use to upload data to Google + Cloud Storage + properties: + applicationCredentials: + description: The secret containing the Google Cloud + Storage JSON file with the credentials + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + gkeEnvironment: + description: If set to true, will presume that it's + running inside a GKE environment, default to false. + type: boolean + type: object + historyTags: + additionalProperties: + type: string + description: HistoryTags is a list of key value pairs that + will be passed to the Barman --history-tags option. + type: object + s3Credentials: + description: The credentials to use to upload data to S3 + properties: + accessKeyId: + description: The reference to the access key id + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + inheritFromIAMRole: + description: Use the role based authentication without + providing explicitly the keys. + type: boolean + region: + description: The reference to the secret containing + the region name + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. 
+ type: string + required: + - key + - name + type: object + secretAccessKey: + description: The reference to the secret access key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + sessionToken: + description: The references to the session key + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: object + serverName: + description: The server name on S3, the cluster name is + used if this parameter is omitted + type: string + tags: + additionalProperties: + type: string + description: Tags is a list of key value pairs that will + be passed to the Barman --tags option. + type: object + wal: + description: The configuration for the backup of the WAL + stream. When not defined, WAL files will be stored uncompressed + and may be unencrypted in the object store, according + to the bucket default policy. + properties: + compression: + description: Compress a WAL file before sending it to + the object store. Available options are empty string + (no compression, default), `gzip`, `bzip2` or `snappy`. + enum: + - gzip + - bzip2 + - snappy + type: string + encryption: + description: Whenever to force the encryption of files + (if the bucket is not already configured for that). + Allowed options are empty string (use the bucket policy, + default), `AES256` and `aws:kms` + enum: + - AES256 + - aws:kms + type: string + maxParallel: + description: Number of WAL files to be either archived + in parallel (when the PostgreSQL instance is archiving + to a backup object store) or restored in parallel + (when a PostgreSQL standby is fetching WAL files from + a recovery object store). If not specified, WAL files + will be processed one at a time. It accepts a positive + integer as a value - with 1 being the minimum accepted + value. 
+ minimum: 1 + type: integer + type: object + required: + - destinationPath + type: object + connectionParameters: + additionalProperties: + type: string + description: The list of connection parameters, such as dbname, + host, username, etc + type: object + name: + description: The server name, required + type: string + password: + description: The reference to the password to be used to connect + to the server + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sslCert: + description: The reference to an SSL certificate to be used + to connect to this instance + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sslKey: + description: The reference to an SSL private key to be used + to connect to this instance + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sslRootCert: + description: The reference to an SSL CA public key to be used + to connect to this instance + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + type: array + failoverDelay: + default: 0 + description: The amount of time (in seconds) to wait before triggering + a failover after the primary PostgreSQL instance in the cluster + was detected to be unhealthy + format: int32 + type: integer + imageName: + description: Name of the container image, supporting both tags (`:`) + and digests for deterministic and repeatable deployments (`:@sha256:`) + type: string + imagePullPolicy: + description: 'Image pull policy. One of `Always`, `Never` or `IfNotPresent`. + If not defined, it defaults to `IfNotPresent`. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecrets: + description: The list of pull secrets to be used to pull the images + items: + description: LocalObjectReference contains enough information to + let you locate a local object with a known type inside the same + namespace + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + type: array + inheritedMetadata: + description: Metadata that will be inherited by all objects related + to the Cluster + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + instances: + default: 1 + description: Number of instances required in the cluster + minimum: 1 + type: integer + logLevel: + default: info + description: 'The instances'' log level, one of the following values: + error, warning, info (default), debug, trace' + enum: + - error + - warning + - info + - debug + - trace + type: string + managed: + description: The configuration that is used by the portions of PostgreSQL + that are managed by the instance manager + properties: + roles: + description: Database roles managed by the `Cluster` + items: + description: "RoleConfiguration is the representation, in Kubernetes, + of a PostgreSQL role with the additional field Ensure specifying + whether to ensure the presence or absence of the role in the + database \n The defaults of the CREATE ROLE command are applied + Reference: https://www.postgresql.org/docs/current/sql-createrole.html" + properties: + bypassrls: + description: Whether a role bypasses every row-level security + (RLS) policy. Default is `false`. + type: boolean + comment: + description: Description of the role + type: string + connectionLimit: + default: -1 + description: If the role can log in, this specifies how + many concurrent connections the role can make. `-1` (the + default) means no limit. + format: int64 + type: integer + createdb: + description: When set to `true`, the role being defined + will be allowed to create new databases. Specifying `false` + (default) will deny a role the ability to create databases. 
+ type: boolean + createrole: + description: Whether the role will be permitted to create, + alter, drop, comment on, change the security label for, + and grant or revoke membership in other roles. Default + is `false`. + type: boolean + ensure: + default: present + description: Ensure the role is `present` or `absent` - + defaults to "present" + enum: + - present + - absent + type: string + inRoles: + description: List of one or more existing roles to which + this role will be immediately added as a new member. Default + empty. + items: + type: string + type: array + inherit: + default: true + description: Whether a role "inherits" the privileges of + roles it is a member of. Defaults is `true`. + type: boolean + login: + description: Whether the role is allowed to log in. A role + having the `login` attribute can be thought of as a user. + Roles without this attribute are useful for managing database + privileges, but are not users in the usual sense of the + word. Default is `false`. + type: boolean + name: + description: Name of the role + type: string + passwordSecret: + description: Secret containing the password of the role + (if present) + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + replication: + description: Whether a role is a replication role. A role + must have this attribute (or be a superuser) in order + to be able to connect to the server in replication mode + (physical or logical replication) and in order to be able + to create or drop replication slots. A role having the + `replication` attribute is a very highly privileged role, + and should only be used on roles actually used for replication. + Default is `false`. + type: boolean + superuser: + description: Whether the role is a `superuser` who can override + all access restrictions within the database - superuser + status is dangerous and should be used only when really + needed. 
You must yourself be a superuser to create a new + superuser. Defaults is `false`. + type: boolean + validUntil: + description: Date and time after which the role's password + is no longer valid. When omitted, the password will never + expire (default). + format: date-time + type: string + required: + - name + type: object + type: array + type: object + maxSyncReplicas: + default: 0 + description: The target value for the synchronous replication quorum, + that can be decreased if the number of ready standbys is lower than + this. Undefined or 0 disable synchronous replication. + minimum: 0 + type: integer + minSyncReplicas: + default: 0 + description: Minimum number of instances required in synchronous replication + with the primary. Undefined or 0 allow writes to complete when no + standby is available. + minimum: 0 + type: integer + monitoring: + description: The configuration of the monitoring infrastructure of + this cluster + properties: + customQueriesConfigMap: + description: The list of config maps containing the custom queries + items: + description: ConfigMapKeySelector contains enough information + to let you locate the key of a ConfigMap + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: array + customQueriesSecret: + description: The list of secrets containing the custom queries + items: + description: SecretKeySelector contains enough information to + let you locate the key of a Secret + properties: + key: + description: The key to select + type: string + name: + description: Name of the referent. + type: string + required: + - key + - name + type: object + type: array + disableDefaultQueries: + default: false + description: 'Whether the default queries should be injected. + Set it to `true` if you don''t want to inject default queries + into the cluster. Default: false.' 
+ type: boolean + enablePodMonitor: + default: false + description: Enable or disable the `PodMonitor` + type: boolean + type: object + nodeMaintenanceWindow: + description: Define a maintenance window for the Kubernetes nodes + properties: + inProgress: + default: false + description: Is there a node maintenance activity in progress? + type: boolean + reusePVC: + default: true + description: Reuse the existing PVC (wait for the node to come + up again) or not (recreate it elsewhere - when `instances` >1) + type: boolean + required: + - inProgress + type: object + postgresGID: + default: 26 + description: The GID of the `postgres` user inside the image, defaults + to `26` + format: int64 + type: integer + postgresUID: + default: 26 + description: The UID of the `postgres` user inside the image, defaults + to `26` + format: int64 + type: integer + postgresql: + description: Configuration of the PostgreSQL server + properties: + ldap: + description: Options to specify LDAP configuration + properties: + bindAsAuth: + description: Bind as authentication configuration + properties: + prefix: + description: Prefix for the bind authentication option + type: string + suffix: + description: Suffix for the bind authentication option + type: string + type: object + bindSearchAuth: + description: Bind+Search authentication configuration + properties: + baseDN: + description: Root DN to begin the user search + type: string + bindDN: + description: DN of the user to bind to the directory + type: string + bindPassword: + description: Secret with the password for the user to + bind to the directory + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + searchAttribute: + description: Attribute to match against the username + type: string + searchFilter: + description: Search filter to use when doing the search+bind + authentication + type: string + type: object + port: + description: LDAP server port + type: integer + scheme: + description: LDAP schema to be used, possible options are + `ldap` and `ldaps` + enum: + - ldap + - ldaps + type: string + server: + description: LDAP hostname or IP address + type: string + tls: + description: Set to 'true' to enable LDAP over TLS. 'false' + is default + type: boolean + type: object + parameters: + additionalProperties: + type: string + description: PostgreSQL configuration options (postgresql.conf) + type: object + pg_hba: + description: PostgreSQL Host Based Authentication rules (lines + to be appended to the pg_hba.conf file) + items: + type: string + type: array + promotionTimeout: + description: Specifies the maximum number of seconds to wait when + promoting an instance to primary. Default value is 40000000, + greater than one year in seconds, big enough to simulate an + infinite timeout + format: int32 + type: integer + shared_preload_libraries: + description: Lists of shared preload libraries to add to the default + ones + items: + type: string + type: array + syncReplicaElectionConstraint: + description: Requirements to be met by sync replicas. This will + affect how the "synchronous_standby_names" parameter will be + set up. 
+ properties: + enabled: + description: This flag enables the constraints for sync replicas + type: boolean + nodeLabelsAntiAffinity: + description: A list of node labels values to extract and compare + to evaluate if the pods reside in the same topology or not + items: + type: string + type: array + required: + - enabled + type: object + type: object + primaryUpdateMethod: + default: restart + description: 'Method to follow to upgrade the primary server during + a rolling update procedure, after all replicas have been successfully + updated: it can be with a switchover (`switchover`) or in-place + (`restart` - default)' + enum: + - switchover + - restart + type: string + primaryUpdateStrategy: + default: unsupervised + description: 'Strategy to follow to upgrade the primary server during + a rolling update procedure, after all replicas have been successfully + updated: it can be automated (`unsupervised` - default) or manual + (`supervised`)' + enum: + - unsupervised + - supervised + type: string + projectedVolumeTemplate: + description: Template to be used to define projected volumes, projected + volumes will be mounted under `/projected` base folder + properties: + defaultMode: + description: defaultMode are the mode bits used to set permissions + on created files by default. Must be an octal value between + 0000 and 0777 or a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal values + for mode bits. Directories within the path are not affected + by this setting. This might be in conflict with other options + that affect the file mode, like fsGroup, and the result can + be other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along with other + supported volume types + properties: + configMap: + description: configMap information about the configMap data + to project + properties: + items: + description: items if unspecified, each key-value pair + in the Data field of the referenced ConfigMap will + be projected into the volume as a file whose name + is the key and content is the value. If specified, + the listed keys will be projected into the specified + paths, and unlisted keys will not be present. If a + key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. + Paths must be relative and may not contain the '..' + path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used + to set permissions on this file. Must be an + octal value between 0000 and 0777 or a decimal + value between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal values + for mode bits. If not specified, the volume + defaultMode will be used. This might be in conflict + with other options that affect the file mode, + like fsGroup, and the result can be other mode + bits set.' + format: int32 + type: integer + path: + description: path is the relative path of the + file to map the key to. May not be an absolute + path. May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI + data to project + properties: + items: + description: Items is a list of DownwardAPIVolume file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used to set + permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for mode + bits. If not specified, the volume defaultMode + will be used. This might be in conflict with + other options that affect the file mode, like + fsGroup, and the result can be other mode bits + set.' + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, requests.cpu and requests.memory) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret data to + project + properties: + items: + description: items if unspecified, each key-value pair + in the Data field of the referenced Secret will be + projected into the volume as a file whose name is + the key and content is the value. If specified, the + listed keys will be projected into the specified paths, + and unlisted keys will not be present. If a key is + specified which is not present in the Secret, the + volume setup will error unless it is marked optional. + Paths must be relative and may not contain the '..' + path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used + to set permissions on this file. Must be an + octal value between 0000 and 0777 or a decimal + value between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal values + for mode bits. If not specified, the volume + defaultMode will be used. This might be in conflict + with other options that affect the file mode, + like fsGroup, and the result can be other mode + bits set.' + format: int32 + type: integer + path: + description: path is the relative path of the + file to map the key to. 
May not be an absolute + path. May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: optional field specify whether the Secret + or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the + serviceAccountToken data to project + properties: + audience: + description: audience is the intended audience of the + token. A recipient of a token must identify itself + with an identifier specified in the audience of the + token, and otherwise should reject the token. The + audience defaults to the identifier of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is the requested duration + of validity of the service account token. As the token + approaches expiration, the kubelet volume plugin will + proactively rotate the service account token. The + kubelet will start trying to rotate the token if the + token is older than 80 percent of its time to live + or if the token is older than 24 hours.Defaults to + 1 hour and must be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative to the mount + point of the file to project the token into. + type: string + required: + - path + type: object + type: object + type: array + type: object + replica: + description: Replica cluster configuration + properties: + enabled: + description: If replica mode is enabled, this cluster will be + a replica of an existing cluster. Replica cluster can be created + from a recovery object store or via streaming through pg_basebackup. 
+ Refer to the Replication page of the documentation for more + information. + type: boolean + source: + description: The name of the external cluster which is the replication + origin + minLength: 1 + type: string + required: + - source + type: object + replicationSlots: + description: Replication slots management configuration + properties: + highAvailability: + description: Replication slots for high availability configuration + properties: + enabled: + default: false + description: If enabled, the operator will automatically manage + replication slots on the primary instance and use them in + streaming replication connections with all the standby instances + that are part of the HA cluster. If disabled (default), + the operator will not take advantage of replication slots + in streaming connections with the replicas. This feature + also controls replication slots in replica cluster, from + the designated primary to its cascading replicas. This can + only be set at creation time. + type: boolean + slotPrefix: + default: _cnpg_ + description: Prefix for replication slots managed by the operator + for HA. It may only contain lower case letters, numbers, + and the underscore character. This can only be set at creation + time. By default set to `_cnpg_`. + pattern: ^[0-9a-z_]*$ + type: string + type: object + updateInterval: + default: 30 + description: Standby will update the status of the local replication + slots every `updateInterval` seconds (default 30). + minimum: 1 + type: integer + type: object + resources: + description: Resources requirements of every generated Pod. Please + refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + for more information. + properties: + claims: + description: "Claims lists the names of resources, defined in + spec.resourceClaims, that are used by this container. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. 
It can only be set + for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims + of the Pod where this field is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + seccompProfile: + description: 'The SeccompProfile applied to every Pod and Container. + Defaults to: `RuntimeDefault`' + properties: + localhostProfile: + description: localhostProfile indicates a profile defined in a + file on the node should be used. The profile must be preconfigured + on the node to work. Must be a descending path, relative to + the kubelet's configured seccomp profile location. Must only + be set if type is "Localhost". 
+ type: string + type: + description: "type indicates which kind of seccomp profile will + be applied. Valid options are: \n Localhost - a profile defined + in a file on the node should be used. RuntimeDefault - the container + runtime default profile should be used. Unconfined - no profile + should be applied." + type: string + required: + - type + type: object + serviceAccountTemplate: + description: Configure the generation of the service account + properties: + metadata: + description: Metadata are the metadata to be used for the generated + service account + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map + stored with a resource that may be set by external tools + to store and retrieve arbitrary metadata. They are not queryable + and should be preserved when modifying objects. More info: + http://kubernetes.io/docs/user-guide/annotations' + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used + to organize and categorize (scope and select) objects. May + match selectors of replication controllers and services. + More info: http://kubernetes.io/docs/user-guide/labels' + type: object + type: object + required: + - metadata + type: object + startDelay: + default: 30 + description: The time in seconds that is allowed for a PostgreSQL + instance to successfully start up (default 30) + format: int32 + type: integer + stopDelay: + default: 30 + description: The time in seconds that is allowed for a PostgreSQL + instance to gracefully shutdown (default 30) + format: int32 + type: integer + storage: + description: Configuration of the storage of the instances + properties: + pvcTemplate: + description: Template to be used to generate the Persistent Volume + Claim + properties: + accessModes: + description: 'accessModes contains the desired access modes + the volume should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) If the provisioner + or an external controller can support the specified data + source, it will create a new volume based on the contents + of the specified data source. When the AnyVolumeDataSource + feature gate is enabled, dataSource contents will be copied + to dataSourceRef, and dataSourceRef contents will be copied + to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not + be copied to dataSource.' + properties: + apiGroup: + description: APIGroup is the group for the resource being + referenced. If APIGroup is not specified, the specified + Kind must be in the core API group. For any other third-party + types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies the object from which + to populate the volume with data, if a non-empty volume + is desired. This may be any object from a non-empty API + group (non core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed + if the type of the specified object matches some installed + volume populator or dynamic provisioner. This field will + replace the functionality of the dataSource field and as + such if both fields are non-empty, they must have the same + value. 
For backwards compatibility, when namespace isn''t + specified in dataSourceRef, both fields (dataSource and + dataSourceRef) will be set to the same value automatically + if one of them is empty and the other is non-empty. When + namespace is specified in dataSourceRef, dataSource isn''t + set to the same value and must be empty. There are three + important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, + dataSourceRef allows any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed values (dropping + them), dataSourceRef preserves all values, and generates + an error if a disallowed value is specified. * While dataSource + only allows local objects, dataSourceRef allows objects + in any namespaces. (Beta) Using this field requires the + AnyVolumeDataSource feature gate to be enabled. (Alpha) + Using the namespace field of dataSourceRef requires the + CrossNamespaceVolumeDataSource feature gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group for the resource being + referenced. If APIGroup is not specified, the specified + Kind must be in the core API group. For any other third-party + types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + namespace: + description: Namespace is the namespace of resource being + referenced Note that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant object is + required in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. (Alpha) This field requires + the CrossNamespaceVolumeDataSource feature gate to be + enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the minimum resources the + volume should have. If RecoverVolumeExpansionFailure feature + is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher + than capacity recorded in the status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. 
If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query over volumes to consider + for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the name of the StorageClass + required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type of volume is required + by the claim. 
Value of Filesystem is implied when not included + in claim spec. + type: string + volumeName: + description: volumeName is the binding reference to the PersistentVolume + backing this claim. + type: string + type: object + resizeInUseVolumes: + default: true + description: Resize existent PVCs, defaults to true + type: boolean + size: + description: Size of the storage. Required if not already specified + in the PVC template. Changes to this field are automatically + reapplied to the created PVCs. Size cannot be decreased. + type: string + storageClass: + description: StorageClass to use for database data (`PGDATA`). + Applied after evaluating the PVC template, if available. If + not specified, generated PVCs will be satisfied by the default + storage class + type: string + type: object + superuserSecret: + description: The secret containing the superuser password. If not + defined a new secret will be created with a randomly generated password + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + switchoverDelay: + default: 40000000 + description: The time in seconds that is allowed for a primary PostgreSQL + instance to gracefully shutdown during a switchover. Default value + is 40000000, greater than one year in seconds, big enough to simulate + an infinite delay + format: int32 + type: integer + walStorage: + description: Configuration of the storage for PostgreSQL WAL (Write-Ahead + Log) + properties: + pvcTemplate: + description: Template to be used to generate the Persistent Volume + Claim + properties: + accessModes: + description: 'accessModes contains the desired access modes + the volume should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) If the provisioner + or an external controller can support the specified data + source, it will create a new volume based on the contents + of the specified data source. When the AnyVolumeDataSource + feature gate is enabled, dataSource contents will be copied + to dataSourceRef, and dataSourceRef contents will be copied + to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not + be copied to dataSource.' + properties: + apiGroup: + description: APIGroup is the group for the resource being + referenced. If APIGroup is not specified, the specified + Kind must be in the core API group. For any other third-party + types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies the object from which + to populate the volume with data, if a non-empty volume + is desired. This may be any object from a non-empty API + group (non core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed + if the type of the specified object matches some installed + volume populator or dynamic provisioner. This field will + replace the functionality of the dataSource field and as + such if both fields are non-empty, they must have the same + value. 
For backwards compatibility, when namespace isn''t + specified in dataSourceRef, both fields (dataSource and + dataSourceRef) will be set to the same value automatically + if one of them is empty and the other is non-empty. When + namespace is specified in dataSourceRef, dataSource isn''t + set to the same value and must be empty. There are three + important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, + dataSourceRef allows any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed values (dropping + them), dataSourceRef preserves all values, and generates + an error if a disallowed value is specified. * While dataSource + only allows local objects, dataSourceRef allows objects + in any namespaces. (Beta) Using this field requires the + AnyVolumeDataSource feature gate to be enabled. (Alpha) + Using the namespace field of dataSourceRef requires the + CrossNamespaceVolumeDataSource feature gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group for the resource being + referenced. If APIGroup is not specified, the specified + Kind must be in the core API group. For any other third-party + types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + namespace: + description: Namespace is the namespace of resource being + referenced Note that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant object is + required in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. (Alpha) This field requires + the CrossNamespaceVolumeDataSource feature gate to be + enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the minimum resources the + volume should have. If RecoverVolumeExpansionFailure feature + is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher + than capacity recorded in the status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. 
If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query over volumes to consider + for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the name of the StorageClass + required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type of volume is required + by the claim. 
Value of Filesystem is implied when not included + in claim spec. + type: string + volumeName: + description: volumeName is the binding reference to the PersistentVolume + backing this claim. + type: string + type: object + resizeInUseVolumes: + default: true + description: Resize existent PVCs, defaults to true + type: boolean + size: + description: Size of the storage. Required if not already specified + in the PVC template. Changes to this field are automatically + reapplied to the created PVCs. Size cannot be decreased. + type: string + storageClass: + description: StorageClass to use for database data (`PGDATA`). + Applied after evaluating the PVC template, if available. If + not specified, generated PVCs will be satisfied by the default + storage class + type: string + type: object + required: + - instances + type: object + status: + description: 'Most recently observed status of the cluster. This data + may not be up to date. Populated by the system. Read-only. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + azurePVCUpdateEnabled: + description: AzurePVCUpdateEnabled shows if the PVC online upgrade + is enabled for this cluster + type: boolean + certificates: + description: The configuration for the CA and related certificates, + initialized with defaults. + properties: + clientCASecret: + description: 'The secret containing the Client CA certificate. + If not defined, a new secret will be created with a self-signed + CA and will be used to generate all the client certificates.

Contains:

- `ca.crt`: CA that should + be used to validate the client certificates, used as `ssl_ca_file` + of all the instances.
- `ca.key`: key used to generate + client certificates, if ReplicationTLSSecret is provided, this + can be omitted.
' + type: string + expirations: + additionalProperties: + type: string + description: Expiration dates for all certificates. + type: object + replicationTLSSecret: + description: The secret of type kubernetes.io/tls containing the + client certificate to authenticate as the `streaming_replica` + user. If not defined, ClientCASecret must provide also `ca.key`, + and a new secret will be created using the provided CA. + type: string + serverAltDNSNames: + description: The list of the server alternative DNS names to be + added to the generated server TLS certificates, when required. + items: + type: string + type: array + serverCASecret: + description: 'The secret containing the Server CA certificate. + If not defined, a new secret will be created with a self-signed + CA and will be used to generate the TLS certificate ServerTLSSecret.

Contains:

- `ca.crt`: CA that should + be used to validate the server certificate, used as `sslrootcert` + in client connection strings.
- `ca.key`: key used to + generate Server SSL certs, if ServerTLSSecret is provided, this + can be omitted.
' + type: string + serverTLSSecret: + description: The secret of type kubernetes.io/tls containing the + server TLS certificate and key that will be set as `ssl_cert_file` + and `ssl_key_file` so that clients can connect to postgres securely. + If not defined, ServerCASecret must provide also `ca.key` and + a new secret will be created using the provided CA. + type: string + type: object + cloudNativePGCommitHash: + description: The commit hash number of which this operator running + type: string + cloudNativePGOperatorHash: + description: The hash of the binary of the operator + type: string + conditions: + description: Conditions for cluster object + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + configMapResourceVersion: + description: The list of resource versions of the configmaps, managed + by the operator. Every change here is done in the interest of the + instance manager, which will refresh the configmap data + properties: + metrics: + additionalProperties: + type: string + description: A map with the versions of all the config maps used + to pass metrics. 
Map keys are the config map names, map values + are the versions + type: object + type: object + currentPrimary: + description: Current primary instance + type: string + currentPrimaryFailingSinceTimestamp: + description: The timestamp when the primary was detected to be unhealthy + This field is reported when spec.failoverDelay is populated or during + online upgrades + type: string + currentPrimaryTimestamp: + description: The timestamp when the last actual promotion to primary + has occurred + type: string + danglingPVC: + description: List of all the PVCs created by this cluster and still + available which are not attached to a Pod + items: + type: string + type: array + firstRecoverabilityPoint: + description: The first recoverability point, stored as a date in RFC3339 + format + type: string + healthyPVC: + description: List of all the PVCs not dangling nor initializing + items: + type: string + type: array + initializingPVC: + description: List of all the PVCs that are being initialized by this + cluster + items: + type: string + type: array + instanceNames: + description: List of instance names in the cluster + items: + type: string + type: array + instances: + description: The total number of PVC Groups detected in the cluster. + It may differ from the number of existing instance pods. 
+ type: integer + instancesReportedState: + additionalProperties: + description: InstanceReportedState describes the last reported state + of an instance during a reconciliation loop + properties: + isPrimary: + description: indicates if an instance is the primary one + type: boolean + timeLineID: + description: indicates on which TimelineId the instance is + type: integer + required: + - isPrimary + type: object + description: The reported state of the instances during the last reconciliation + loop + type: object + instancesStatus: + additionalProperties: + items: + type: string + type: array + description: InstancesStatus indicates in which status the instances + are + type: object + jobCount: + description: How many Jobs have been created by this cluster + format: int32 + type: integer + lastFailedBackup: + description: Stored as a date in RFC3339 format + type: string + lastSuccessfulBackup: + description: Stored as a date in RFC3339 format + type: string + latestGeneratedNode: + description: ID of the latest generated node (used to avoid node name + clashing) + type: integer + managedRolesStatus: + description: ManagedRolesStatus reports the state of the managed roles + in the cluster + properties: + byStatus: + additionalProperties: + items: + type: string + type: array + description: ByStatus gives the list of roles in each state + type: object + cannotReconcile: + additionalProperties: + items: + type: string + type: array + description: CannotReconcile lists roles that cannot be reconciled + in PostgreSQL, with an explanation of the cause + type: object + passwordStatus: + additionalProperties: + description: PasswordState represents the state of the password + of a managed RoleConfiguration + properties: + resourceVersion: + description: the resource version of the password secret + type: string + transactionID: + description: the last transaction ID to affect the role + definition in PostgreSQL + format: int64 + type: integer + type: object + 
description: PasswordStatus gives the last transaction id and + password secret version for each managed role + type: object + type: object + onlineUpdateEnabled: + description: OnlineUpdateEnabled shows if the online upgrade is enabled + inside the cluster + type: boolean + phase: + description: Current phase of the cluster + type: string + phaseReason: + description: Reason for the current phase + type: string + poolerIntegrations: + description: The integration needed by poolers referencing the cluster + properties: + pgBouncerIntegration: + description: PgBouncerIntegrationStatus encapsulates the needed + integration for the pgbouncer poolers referencing the cluster + properties: + secrets: + items: + type: string + type: array + type: object + type: object + pvcCount: + description: How many PVCs have been created by this cluster + format: int32 + type: integer + readService: + description: Current list of read pods + type: string + readyInstances: + description: The total number of ready instances in the cluster. It + is equal to the number of ready instance pods. + type: integer + resizingPVC: + description: List of all the PVCs that have ResizingPVC condition. + items: + type: string + type: array + secretsResourceVersion: + description: The list of resource versions of the secrets managed + by the operator. Every change here is done in the interest of the + instance manager, which will refresh the secret data + properties: + applicationSecretVersion: + description: The resource version of the "app" user secret + type: string + barmanEndpointCA: + description: The resource version of the Barman Endpoint CA if + provided + type: string + caSecretVersion: + description: Unused. Retained for compatibility with old versions. 
+ type: string + clientCaSecretVersion: + description: The resource version of the PostgreSQL client-side + CA secret version + type: string + managedRoleSecretVersion: + additionalProperties: + type: string + description: The resource versions of the managed roles secrets + type: object + metrics: + additionalProperties: + type: string + description: A map with the versions of all the secrets used to + pass metrics. Map keys are the secret names, map values are + the versions + type: object + replicationSecretVersion: + description: The resource version of the "streaming_replica" user + secret + type: string + serverCaSecretVersion: + description: The resource version of the PostgreSQL server-side + CA secret version + type: string + serverSecretVersion: + description: The resource version of the PostgreSQL server-side + secret version + type: string + superuserSecretVersion: + description: The resource version of the "postgres" user secret + type: string + type: object + targetPrimary: + description: Target primary instance, this is different from the previous + one during a switchover or a failover + type: string + targetPrimaryTimestamp: + description: The timestamp when the last request for a new primary + has occurred + type: string + timelineID: + description: The timeline of the Postgres cluster + type: integer + topology: + description: Instances topology. + properties: + instances: + additionalProperties: + additionalProperties: + type: string + description: PodTopologyLabels represent the topology of a Pod. + map[labelName]labelValue + type: object + description: Instances contains the pod topology of the instances + type: object + successfullyExtracted: + description: SuccessfullyExtracted indicates if the topology data + was extract. 
It is useful to enact fallback behaviors in synchronous + replica election in case of failures + type: boolean + type: object + unusablePVC: + description: List of all the PVCs that are unusable because another + PVC is missing + items: + type: string + type: array + writeService: + description: Current write pod + type: string + type: object + type: object + served: true + storage: true + subresources: + scale: + specReplicasPath: .spec.instances + statusReplicasPath: .status.instances + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + helm.sh/resource-policy: keep + creationTimestamp: null + name: poolers.postgresql.cnpg.io +spec: + group: postgresql.cnpg.io + names: + kind: Pooler + listKind: PoolerList + plural: poolers + singular: pooler + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.cluster.name + name: Cluster + type: string + - jsonPath: .spec.type + name: Type + type: string + name: v1 + schema: + openAPIV3Schema: + description: Pooler is the Schema for the poolers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PoolerSpec defines the desired state of Pooler + properties: + cluster: + description: This is the cluster reference on which the Pooler will + work. Pooler name should never match with any cluster name within + the same namespace. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + instances: + default: 1 + description: The number of replicas we want + format: int32 + type: integer + pgbouncer: + description: The PgBouncer configuration + properties: + authQuery: + description: 'The query that will be used to download the hash + of the password of a certain user. Default: "SELECT usename, + passwd FROM user_search($1)". In case it is specified, also + an AuthQuerySecret has to be specified and no automatic CNPG + Cluster integration will be triggered.' + type: string + authQuerySecret: + description: The credentials of the user that need to be used + for the authentication query. In case it is specified, also + an AuthQuery (e.g. "SELECT usename, passwd FROM pg_shadow WHERE + usename=$1") has to be specified and no automatic CNPG Cluster + integration will be triggered. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + parameters: + additionalProperties: + type: string + description: Additional parameters to be passed to PgBouncer - + please check the CNPG documentation for a list of options you + can configure + type: object + paused: + default: false + description: When set to `true`, PgBouncer will disconnect from + the PostgreSQL server, first waiting for all queries to complete, + and pause all new client connections until this value is set + to `false` (default). Internally, the operator calls PgBouncer's + `PAUSE` and `RESUME` commands. 
+ type: boolean + pg_hba: + description: PostgreSQL Host Based Authentication rules (lines + to be appended to the pg_hba.conf file) + items: + type: string + type: array + poolMode: + default: session + description: The pool mode + enum: + - session + - transaction + type: string + required: + - poolMode + type: object + template: + description: The template of the Pod to be created + properties: + metadata: + description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map + stored with a resource that may be set by external tools + to store and retrieve arbitrary metadata. They are not queryable + and should be preserved when modifying objects. More info: + http://kubernetes.io/docs/user-guide/annotations' + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used + to organize and categorize (scope and select) objects. May + match selectors of replication controllers and services. + More info: http://kubernetes.io/docs/user-guide/labels' + type: object + type: object + spec: + description: 'Specification of the desired behavior of the pod. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + activeDeadlineSeconds: + description: Optional duration in seconds the pod may be active + on the node relative to StartTime before the system will + actively try to mark it failed and kill associated containers. + Value must be a positive integer. + format: int64 + type: integer + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to an update), the system may or may not try + to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them + are ANDed. 
The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. 
+ This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. 
+ due to a pod label update), the system may or may + not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. 
+ The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to + the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. 
+ properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + anti-affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. 
If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates whether + a service account token should be automatically mounted. + type: boolean + containers: + description: List of containers belonging to the pod. Containers + cannot currently be added or removed. There must be at least + one container in a Pod. Cannot be updated. + items: + description: A single application container that you want + to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. 
Variable + references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the + reference in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the + variable exists or not. Cannot be updated. More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is used + if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If + a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in + the container. Cannot be updated. + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. 
+ Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in + the pod's namespace + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is + starting. When a key exists in multiple sources, the + value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of + a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, + IfNotPresent. Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should + take in response to container lifecycle events. Cannot + be updated. + properties: + postStart: + description: 'PostStart is called immediately after + a container is created. If the handler fails, + the container is terminated and restarted according + to its restart policy. Other management of the + container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before + a container is terminated due to an API request + or management event such as liveness/startup probe + failure, preemption, resource contention, etc. + The handler is not called if the container crashes + or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the + container will eventually terminate within the + Pod''s termination grace period (unless delayed + by finalizers). Other management of the container + blocks until the hook completes or until the termination + grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. 
The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). 
This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port + in a single container. + properties: + containerPort: + description: Number of port to expose on the pod's + IP address. This must be a valid port number, + 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the host. + If specified, this must be a valid port number, + 0 < x < 65536. If HostNetwork is specified, + this must match ContainerPort. Most containers + do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in + a pod must have a unique name. Name for the + port that can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. 
Must be UDP, TCP, + or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if + the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. 
+ properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. 
Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can + only be set for containers." + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. 
+ properties: + name: + description: Name must match the name of one + entry in pod.spec.resourceClaims of the + Pod where this field is used. It makes that + resource available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security options + the container should be run with. If set, the fields + of SecurityContext override the equivalent fields + of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges than + its parent process. This bool directly controls + if the no_new_privs flag will be set on the container + process. 
AllowPrivilegeEscalation is true always + when the container is: 1) run as Privileged 2) + has CAP_SYS_ADMIN Note that this field cannot + be set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this + field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that + this field cannot be set when spec.os.name is + windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default is + DefaultProcMount which uses the container runtime + defaults for readonly paths and masked paths. + This requires the ProcMountType feature flag to + be enabled. Note that this field cannot be set + when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that this + field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. Note that this + field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + the container. If unspecified, the container runtime + will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided at + both the pod & container level, the container + options override the pod options. 
Note that this + field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. 
All of a Pod's containers must have + the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must + also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has + successfully initialized. If specified, no other probes + are executed until this completes successfully. If + this probe fails, the Pod will be restarted, just + as if the livenessProbe failed. This can be used to + provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time + to load data or warm a cache, than during steady-state + operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. 
+ format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. 
Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the container will + always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close + the stdin channel after it has been opened by a single + attach. When stdin is true the stdin stream will remain + open across multiple attach sessions. If stdinOnce + is set to true, stdin is opened on container start, + is empty until the first client attaches to stdin, + and then remains open and accepts data until the client + disconnects, at which time stdin is closed and remains + closed until the container is restarted. If this flag + is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which + the container''s termination message will be written + is mounted into the container''s filesystem. Message + written is intended to be brief final status, such + as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should + be populated. File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. FallbackToLogsOnError will use the last + chunk of container log output if the termination message + file is empty and the container exited with an error. + The log output is limited to 2048 bytes or 80 lines, + whichever is smaller. Defaults to File. 
Cannot be + updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices + to be used by the container. + items: + description: volumeDevice describes a mapping of a + raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of + the container that the device will be mapped + to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting of a + Volume within a container. + properties: + mountPath: + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to + false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. Defaults + to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment + variable references $(VAR_NAME) are expanded + using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath + are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which + might be configured in the container image. Cannot + be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. Parameters + specified here will be merged to the generated DNS configuration + based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. This + will be appended to the base nameservers generated from + DNSPolicy. Duplicated nameservers will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This will + be merged with the base options generated from DNSPolicy. + Duplicated entries will be removed. Resolution options + given in Options will override those that appear in + the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search paths + generated from DNSPolicy. Duplicated search paths will + be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to "ClusterFirst". + Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', + 'Default' or 'None'. DNS parameters given in DNSConfig will + be merged with the policy selected with DNSPolicy. To have + DNS options set along with hostNetwork, you have to specify + DNS policy explicitly to 'ClusterFirstWithHostNet'. 
+ type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this pod. + Ephemeral containers may be run in an existing pod to perform + user-initiated actions such as debugging. This list cannot + be specified when creating a pod, and it cannot be modified + by updating the pod spec. In order to add an ephemeral container + to an existing pod, use the pod's ephemeralcontainers subresource. + items: + description: "An EphemeralContainer is a temporary container + that you may add to an existing Pod for user-initiated + activities such as debugging. Ephemeral containers have + no resource or scheduling guarantees, and they will not + be restarted when they exit or when a Pod is removed or + restarted. The kubelet may evict a Pod if an ephemeral + container causes the Pod to exceed its resource allocation. + \n To add an ephemeral container, use the ephemeralcontainers + subresource of an existing Pod. Ephemeral containers may + not be removed or restarted." + properties: + args: + description: 'Arguments to the entrypoint. The image''s + CMD is used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s environment. + If a variable cannot be resolved, the reference in + the input string will be unchanged. Double $$ are + reduced to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the + variable exists or not. Cannot be updated. 
More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if this is + not provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. If a + variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in + the container. Cannot be updated. + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. 
+ properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in + the pod's namespace + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is + starting. When a key exists in multiple sources, the + value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of + a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, + IfNotPresent. Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately after + a container is created. If the handler fails, + the container is terminated and restarted according + to its restart policy. Other management of the + container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. 
The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before + a container is terminated due to an API request + or management event such as liveness/startup probe + failure, preemption, resource contention, etc. + The handler is not called if the container crashes + or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the + container will eventually terminate within the + Pod''s termination grace period (unless delayed + by finalizers). Other management of the container + blocks until the hook completes or until the termination + grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral containers. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. 
+ items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. 
spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among all + containers, init containers and ephemeral containers. + type: string + ports: + description: Ports are not allowed for ephemeral containers. + items: + description: ContainerPort represents a network port + in a single container. + properties: + containerPort: + description: Number of port to expose on the pod's + IP address. This must be a valid port number, + 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the host. + If specified, this must be a valid port number, + 0 < x < 65536. If HostNetwork is specified, + this must match ContainerPort. Most containers + do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in + a pod must have a unique name. Name for the + port that can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, + or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral containers. + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. 
Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral + containers. Ephemeral containers use spare resources + already allocated to the pod. + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can + only be set for containers." + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one + entry in pod.spec.resourceClaims of the + Pod where this field is used. It makes that + resource available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines the + security options the ephemeral container should be + run with. If set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges than + its parent process. This bool directly controls + if the no_new_privs flag will be set on the container + process. AllowPrivilegeEscalation is true always + when the container is: 1) run as Privileged 2) + has CAP_SYS_ADMIN Note that this field cannot + be set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this + field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. 
Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that + this field cannot be set when spec.os.name is + windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default is + DefaultProcMount which uses the container runtime + defaults for readonly paths and masked paths. + This requires the ProcMountType feature flag to + be enabled. Note that this field cannot be set + when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that this + field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. Note that this + field cannot be set when spec.os.name is windows. 
+ format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + the container. If unspecified, the container runtime + will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided at + both the pod & container level, the container + options override the pod options. Note that this + field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. 
If unspecified, the options + from the PodSecurityContext will be used. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. All of a Pod's containers must have + the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must + also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral containers. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. 
The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). 
This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the container will + always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close + the stdin channel after it has been opened by a single + attach. When stdin is true the stdin stream will remain + open across multiple attach sessions. If stdinOnce + is set to true, stdin is opened on container start, + is empty until the first client attaches to stdin, + and then remains open and accepts data until the client + disconnects, at which time stdin is closed and remains + closed until the container is restarted. If this flag + is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + targetContainerName: + description: "If set, the name of the container from + PodSpec that this ephemeral container targets. The + ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set then + the ephemeral container uses the namespaces configured + in the Pod spec. \n The container runtime must implement + support for this feature. If the runtime does not + support namespace targeting then the result of setting + this field is undefined." 
+ type: string + terminationMessagePath: + description: 'Optional: Path at which the file to which + the container''s termination message will be written + is mounted into the container''s filesystem. Message + written is intended to be brief final status, such + as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should + be populated. File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. FallbackToLogsOnError will use the last + chunk of container log output if the termination message + file is empty and the container exited with an error. + The log output is limited to 2048 bytes or 80 lines, + whichever is smaller. Defaults to File. Cannot be + updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices + to be used by the container. + items: + description: volumeDevice describes a mapping of a + raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of + the container that the device will be mapped + to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for ephemeral + containers. Cannot be updated. + items: + description: VolumeMount describes a mounting of a + Volume within a container. 
+ properties: + mountPath: + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to + false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. Defaults + to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment + variable references $(VAR_NAME) are expanded + using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath + are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which + might be configured in the container image. Cannot + be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts and + IPs that will be injected into the pod's hosts file if specified. + This is only valid for non-hostNetwork pods. + items: + description: HostAlias holds the mapping between IP and + hostnames that will be injected as an entry in the pod's + hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. 
+ type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: Default + to false.' + type: boolean + hostNetwork: + description: Host networking requested for this pod. Use the + host's network namespace. If this option is set, the ports + that will be used must be specified. Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: Default + to false.' + type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: Default + to true. If set to true or not present, the pod will be + run in the host user namespace, useful for when the pod + needs a feature only available to the host user namespace, + such as loading a kernel module with CAP_SYS_MODULE. When + set to false, a new userns is created for the pod. Setting + false is useful for mitigating container breakout vulnerabilities + even allowing users to run their containers as root without + actually having root privileges on the host. This field + is alpha-level and is only honored by servers that enable + the UserNamespacesSupport feature.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not specified, + the pod's hostname will be set to a system-defined value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of references + to secrets in the same namespace to use for pulling any + of the images used by this PodSpec. If specified, these + secrets will be passed to individual puller implementations + for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same + namespace. + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: 'List of initialization containers belonging + to the pod. Init containers are executed in order prior + to containers being started. If any init container fails, + the pod is considered to have failed and is handled according + to its restartPolicy. The name for an init container or + normal container must be unique among all containers. Init + containers may not have Lifecycle actions, Readiness probes, + Liveness probes, or Startup probes. The resourceRequirements + of an init container are taken into account during scheduling + by finding the highest request/limit for each resource type, + and then using the max of of that value or the sum of the + normal containers. Limits are applied to init containers + in a similar fashion. Init containers cannot currently be + added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + items: + description: A single application container that you want + to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. Variable + references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the + reference in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the + variable exists or not. Cannot be updated. 
More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is used + if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If + a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in + the container. Cannot be updated. + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. 
+ properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in + the pod's namespace + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is + starting. When a key exists in multiple sources, the + value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of + a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, + IfNotPresent. Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should + take in response to container lifecycle events. Cannot + be updated. + properties: + postStart: + description: 'PostStart is called immediately after + a container is created. If the handler fails, + the container is terminated and restarted according + to its restart policy. Other management of the + container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before + a container is terminated due to an API request + or management event such as liveness/startup probe + failure, preemption, resource contention, etc. + The handler is not called if the container crashes + or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the + container will eventually terminate within the + Pod''s termination grace period (unless delayed + by finalizers). Other management of the container + blocks until the hook completes or until the termination + grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. 
The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). 
This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port + in a single container. + properties: + containerPort: + description: Number of port to expose on the pod's + IP address. This must be a valid port number, + 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the host. + If specified, this must be a valid port number, + 0 < x < 65536. If HostNetwork is specified, + this must match ContainerPort. Most containers + do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in + a pod must have a unique name. Name for the + port that can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. 
Must be UDP, TCP, + or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if + the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. 
+ properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. 
Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can + only be set for containers." + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. 
+ properties: + name: + description: Name must match the name of one + entry in pod.spec.resourceClaims of the + Pod where this field is used. It makes that + resource available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security options + the container should be run with. If set, the fields + of SecurityContext override the equivalent fields + of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges than + its parent process. This bool directly controls + if the no_new_privs flag will be set on the container + process. 
AllowPrivilegeEscalation is true always + when the container is: 1) run as Privileged 2) + has CAP_SYS_ADMIN Note that this field cannot + be set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this + field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that + this field cannot be set when spec.os.name is + windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default is + DefaultProcMount which uses the container runtime + defaults for readonly paths and masked paths. + This requires the ProcMountType feature flag to + be enabled. Note that this field cannot be set + when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that this + field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. Note that this + field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + the container. If unspecified, the container runtime + will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided at + both the pod & container level, the container + options override the pod options. 
Note that this + field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. 
All of a Pod's containers must have + the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must + also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has + successfully initialized. If specified, no other probes + are executed until this completes successfully. If + this probe fails, the Pod will be restarted, just + as if the livenessProbe failed. This can be used to + provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time + to load data or warm a cache, than during steady-state + operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. 
+ format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to + the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. 
Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the container will + always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close + the stdin channel after it has been opened by a single + attach. When stdin is true the stdin stream will remain + open across multiple attach sessions. If stdinOnce + is set to true, stdin is opened on container start, + is empty until the first client attaches to stdin, + and then remains open and accepts data until the client + disconnects, at which time stdin is closed and remains + closed until the container is restarted. If this flag + is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which + the container''s termination message will be written + is mounted into the container''s filesystem. Message + written is intended to be brief final status, such + as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should + be populated. File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. FallbackToLogsOnError will use the last + chunk of container log output if the termination message + file is empty and the container exited with an error. + The log output is limited to 2048 bytes or 80 lines, + whichever is smaller. Defaults to File. 
Cannot be + updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices + to be used by the container. + items: + description: volumeDevice describes a mapping of a + raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of + the container that the device will be mapped + to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting of a + Volume within a container. + properties: + mountPath: + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to + false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. Defaults + to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment + variable references $(VAR_NAME) are expanded + using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath + are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which + might be configured in the container image. Cannot + be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this pod onto + a specific node. If it is non-empty, the scheduler simply + schedules this pod onto that node, assuming that it fits + resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true + for the pod to fit on a node. Selector which must match + a node''s labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in the pod. + Some pod and container fields are restricted if this is + set. 
\n If the OS field is set to linux, the following fields + must be unset: -securityContext.windowsOptions \n If the + OS field is set to windows, following fields must be unset: + - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.seLinuxOptions + - spec.securityContext.seccompProfile - spec.securityContext.fsGroup + - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls + - spec.shareProcessNamespace - spec.securityContext.runAsUser + - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups + - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile + - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem + - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation + - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser + - spec.containers[*].securityContext.runAsGroup" + properties: + name: + description: 'Name is the name of the operating system. + The currently supported values are linux and windows. + Additional value may be defined in future and can be + one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values and + treat unrecognized values in this field as os: null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Overhead represents the resource overhead associated + with running a pod for a given RuntimeClass. This field + will be autopopulated at admission time by the RuntimeClass + admission controller. 
If the RuntimeClass admission controller + is enabled, overhead must not be set in Pod create requests. + The RuntimeClass admission controller will reject Pod create + requests which have the overhead already set. If RuntimeClass + is configured and selected in the PodSpec, Overhead will + be set to the value defined in the corresponding RuntimeClass, + otherwise it will remain unset and treated as zero. More + info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When Priority + Admission Controller is enabled, it prevents users from + setting this field. The admission controller populates this + field from PriorityClassName. The higher the value, the + higher the priority. + format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. "system-node-critical" + and "system-cluster-critical" are two special keywords which + indicate the highest priorities with the former being the + highest priority. Any other name must be defined by creating + a PriorityClass object with that name. If not specified, + the pod priority will be default or zero if there is no + default. + type: string + readinessGates: + description: 'If specified, all readiness gates will be evaluated + for pod readiness. 
A pod is ready when all its containers + are ready AND all conditions specified in the readiness + gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference to + a pod condition + properties: + conditionType: + description: ConditionType refers to a condition in + the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to those + containers which consume them by name. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one ResourceClaim + through a ClaimSource. It adds a name to it that uniquely + identifies the ResourceClaim inside the Pod. Containers + that need access to the ResourceClaim reference it with + this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name of a + ResourceClaim object in the same namespace as + this pod. + type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is the name + of a ResourceClaimTemplate object in the same + namespace as this pod. \n The template will be + used to create a new ResourceClaim, which will + be bound to this pod. When this pod is deleted, + the ResourceClaim will also be deleted. The name + of the ResourceClaim will be -, where is the PodResourceClaim.Name. 
+ Pod validation will reject the pod if the concatenated + name is not valid for a ResourceClaim (e.g. too + long). \n An existing ResourceClaim with that + name that is not owned by the pod will not be + used for the pod to avoid using an unrelated resource + by mistake. Scheduling and pod startup are then + blocked until the unrelated ResourceClaim is removed. + \n This field is immutable and no changes will + be made to the corresponding ResourceClaim by + the control plane after creating the ResourceClaim." + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + restartPolicy: + description: 'Restart policy for all containers within the + pod. One of Always, OnFailure, Never. Default to Always. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass object + in the node.k8s.io group, which should be used to run this + pod. If no RuntimeClass resource matches the named class, + the pod will not be run. If unset or empty, the "legacy" + RuntimeClass will be used, which is an implicit class with + an empty definition that uses the default runtime handler. + More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' + type: string + schedulerName: + description: If specified, the pod will be dispatched by specified + scheduler. If not specified, the pod will be dispatched + by default scheduler. + type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. More info: + \ https://git.k8s.io/enhancements/keps/sig-scheduling/3521-pod-scheduling-readiness. + \n This is an alpha-level feature enabled by PodSchedulingReadiness + feature gate." + items: + description: PodSchedulingGate is associated to a Pod to + guard its scheduling. 
+ properties: + name: + description: Name of the scheduling gate. Each scheduling + gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + securityContext: + description: 'SecurityContext holds pod-level security attributes + and common container settings. Optional: Defaults to empty. See + type description for default values of each field.' + properties: + fsGroup: + description: "A special supplemental group that applies + to all containers in a pod. Some volume types allow + the Kubelet to change the ownership of that volume to + be owned by the pod: \n 1. The owning GID will be the + FSGroup 2. The setgid bit is set (new files created + in the volume will be owned by FSGroup) 3. The permission + bits are OR'd with rw-rw---- \n If unset, the Kubelet + will not modify the ownership and permissions of any + volume. Note that this field cannot be set when spec.os.name + is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior of + changing ownership and permission of the volume before + being exposed inside Pod. This field will only apply + to volume types which support fsGroup based ownership(and + permissions). It will have no effect on ephemeral volume + types such as: secret, configmaps and emptydir. Valid + values are "OnRootMismatch" and "Always". If not specified, + "Always" is used. Note that this field cannot be set + when spec.os.name is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be + set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this + field cannot be set when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as + a non-root user. If true, the Kubelet will validate + the image at runtime to ensure that it does not run + as UID 0 (root) and fail to start the container if it + does. If unset or false, no such validation will be + performed. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot be set + when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all + containers. If unspecified, the container runtime will + allocate a random SELinux context for each container. May + also be set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this + field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set when + spec.os.name is windows. 
+ properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. The + profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's + configured seccomp profile location. Must only be + set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: \n Localhost + - a profile defined in a file on the node should + be used. RuntimeDefault - the container runtime + default profile should be used. Unconfined - no + profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's + primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container + process. If unspecified, no additional groups are added + to any container. Note that group memberships defined + in the container image for the uid of the container + process are still effective, even if they are not included + in this list. Note that this field cannot be set when + spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls (by + the container runtime) might fail to launch. Note that + this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be + set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to + all containers. 
If unspecified, the options within a + container's SecurityContext will be used. If set in + both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA + admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec + named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. This + field is alpha-level and will only be honored by + components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the feature + flag will result in errors when validating the Pod. + All of a Pod's containers must have the same effective + HostProcess value (it is not allowed to have a mix + of HostProcess containers and non-HostProcess containers). In + addition, if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated alias + for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the ServiceAccount + to use to run this pod. 
More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the default). + In Linux containers, this means setting the FQDN in the + hostname field of the kernel (the nodename field of struct + utsname). In Windows containers, this means setting the + registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters + to FQDN. If a pod does not have FQDN, this has no effect. + Default to false. + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between all + of the containers in a pod. When this is set containers + will be able to view and signal processes from other containers + in the same pod, and the first process in each container + will not be assigned PID 1. HostPID and ShareProcessNamespace + cannot both be set. Optional: Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have a domainname + at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs to + terminate gracefully. May be decreased in delete request. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). If this value is nil, the default grace period + will be used instead. The grace period is the duration in + seconds after the processes running in the pod are sent + a termination signal and the time when the processes are + forcibly halted with a kill signal. Set this value longer + than the expected cleanup time for your process. Defaults + to 30 seconds. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. 
+ items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how a group + of pods ought to spread across topology domains. Scheduler + will schedule pods in a way which abides by the constraints. + All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. 
Pods that match this label selector are counted + to determine the number of pods in their corresponding + topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys + to select the pods over which spreading will be calculated. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are ANDed with + labelSelector to select the group of existing pods + over which spreading will be calculated for the incoming + pod. Keys that don't exist in the incoming pod labels + will be ignored. A null or empty list means only match + against labelSelector. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the + number of matching pods in the target topology and + the global minimum. The global minimum is the minimum + number of matching pods in an eligible domain or zero + if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to + 1, and pods with the same labelSelector spread as + 2/2/1: In this case, the global minimum is 1. | zone1 + | zone2 | zone3 | | P P | P P | P | - if MaxSkew + is 1, incoming pod can only be scheduled to zone3 + to become 2/2/2; scheduling it onto zone1(zone2) would + make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto + any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default value + is 1 and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number + of eligible domains. When the number of eligible domains + with matching topology keys is less than minDomains, + Pod Topology Spread treats \"global minimum\" as 0, + and then the calculation of Skew is performed. And + when the number of eligible domains with matching + topology keys equals or greater than minDomains, this + value has no effect on scheduling. As a result, when + the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to + those domains. If value is nil, the constraint behaves + as if MinDomains is equal to 1. Valid values are integers + greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. 
\n For example, in a 3-zone + cluster, MaxSkew is set to 2, MinDomains is set to + 5 and pods with the same labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | | P P | P P | P P | + The number of domains is less than 5(MinDomains), + so \"global minimum\" is treated as 0. In this situation, + new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod + is scheduled to any of the three zones, it will violate + MaxSkew. \n This is a beta field and requires the + MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will + treat Pod's nodeAffinity/nodeSelector when calculating + pod topology spread skew. Options are: - Honor: only + nodes matching nodeAffinity/nodeSelector are included + in the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the calculations. + \n If this value is nil, the behavior is equivalent + to the Honor policy. This is a beta-level feature + default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will + treat node taints when calculating pod topology spread + skew. Options are: - Honor: nodes without taints, + along with tainted nodes for which the incoming pod + has a toleration, are included. - Ignore: node taints + are ignored. All nodes are included. \n If this value + is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the + NodeInclusionPolicyInPodTopologySpread feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. 
+ We consider each as a "bucket", and try + to put balanced number of pods into each bucket. We + define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose + nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal + with a pod if it doesn''t satisfy the spread constraint. + - DoNotSchedule (default) tells the scheduler not + to schedule it. - ScheduleAnyway tells the scheduler + to schedule the pod in any location, but giving higher + precedence to topologies that would help reduce the + skew. A constraint is considered "Unsatisfiable" for + an incoming pod if and only if every possible node + assignment for that pod would violate "MaxSkew" on + some topology. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector + spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P + | P | P | If WhenUnsatisfiable is set to DoNotSchedule, + incoming pod can only be scheduled to zone2(zone3) + to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) + satisfies MaxSkew(1). In other words, the cluster + can still be imbalanced, but scheduler won''t make + it *more* imbalanced. It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by containers + belonging to the pod. 
More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents an AWS + Disk resource that is attached to a kubelet''s host + machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type of the + volume that you want to mount. Tip: Ensure that + the filesystem type is supported by the host operating + system. Examples: "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in the + volume that you want to mount. If omitted, the + default is to mount by volume name. Examples: + For volume /dev/sda1, you specify the partition + as "1". Similarly, the volume partition for /dev/sda + is "0" (or you can leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force the + readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the persistent + disk resource in AWS (Amazon EBS volume). More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk + mount on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' 
+ type: string + diskName: + description: diskName is the Name of the data disk + in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in + the blob storage + type: string + fsType: + description: fsType is Filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors is + a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults to + false (read/write). 
ReadOnly here will force the + ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef is + reference to the authentication secret for User, + default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the rados + user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume attached + and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points to a + secret object containing parameters used to connect + to OpenStack.' + properties: + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the volume + in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode bits + used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. Directories + within the path are not affected by this setting. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced ConfigMap + will be projected into the volume as a file whose + name is the key and content is the value. If specified, + the listed keys will be projected into the specified + paths, and unlisted keys will not be present. + If a key is specified which is not present in + the ConfigMap, the volume setup will error unless + it is marked optional. Paths must be relative + and may not contain the '..' path or start with + '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits + used to set permissions on this file. Must + be an octal value between 0000 and 0777 + or a decimal value between 0 and 511. 
YAML + accepts both octal and decimal values, JSON + requires decimal values for mode bits. If + not specified, the volume defaultMode will + be used. This might be in conflict with + other options that affect the file mode, + like fsGroup, and the result can be other + mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path of + the file to map the key to. May not be an + absolute path. May not contain the path + element '..'. May not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: driver is the name of the CSI driver + that handles this volume. Consult with your admin + for the correct name as registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", "xfs", + "ntfs". If not provided, the empty value is passed + to the associated CSI driver which will determine + the default filesystem to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive information + to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no + secret is required. If the secret object contains + more than one secret, all secret references are + passed. + properties: + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only configuration + for the volume. Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for supported + values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about + the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on created + files by default. Must be a Optional: mode bits + used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. Directories + within the path are not affected by this setting. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field + properties: + fieldRef: + description: 'Required: Selects a field of + the pod: only annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used to + set permissions on this file, must be an + octal value between 0000 and 0777 or a decimal + value between 0 and 511. YAML accepts both + octal and decimal values, JSON requires + decimal values for mode bits. If not specified, + the volume defaultMode will be used. This + might be in conflict with other options + that affect the file mode, like fsGroup, + and the result can be other mode bits set.' + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, requests.cpu and requests.memory) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary directory + that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type of storage + medium should back this directory. 
The default + is "" which means to use the node''s default medium. + Must be an empty string (default) or Memory. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount of local + storage required for this EmptyDir volume. The + size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would + be the minimum value between the SizeLimit specified + here and the sum of memory limits of all containers + in a pod. The default is nil which means that + the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: "ephemeral represents a volume that is + handled by a cluster storage driver. The volume's + lifecycle is tied to the pod that defines it - it + will be created before the pod starts, and deleted + when the pod is removed. \n Use this if: a) the volume + is only needed while the pod runs, b) features of + normal volumes like restoring from snapshot or capacity + tracking are needed, c) the storage driver is specified + through a storage class, and d) the storage driver + supports dynamic volume provisioning through a PersistentVolumeClaim + (see EphemeralVolumeSource for more information on + the connection between this volume type and PersistentVolumeClaim). + \n Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the + lifecycle of an individual pod. \n Use CSI for light-weight + local ephemeral volumes if the CSI driver is meant + to be used that way - see the documentation of the + driver for more information. \n A pod can use both + types of ephemeral volumes and persistent volumes + at the same time." 
+ properties: + volumeClaimTemplate: + description: "Will be used to create a stand-alone + PVC to provision the volume. The pod in which + this EphemeralVolumeSource is embedded will be + the owner of the PVC, i.e. the PVC will be deleted + together with the pod. The name of the PVC will + be `-` where `` + is the name from the `PodSpec.Volumes` array entry. + Pod validation will reject the pod if the concatenated + name is not valid for a PVC (for example, too + long). \n An existing PVC with that name that + is not owned by the pod will *not* be used for + the pod to avoid using an unrelated volume by + mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created + PVC is meant to be used by the pod, the PVC has + to updated with an owner reference to the pod + once the pod exists. Normally this should not + be necessary, but it may be useful when manually + reconstructing a broken cluster. \n This field + is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. \n Required, + must not be nil." + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when creating + it. No other fields are allowed and will be + rejected during validation. + type: object + spec: + description: The specification for the PersistentVolumeClaim. + The entire content is copied unchanged into + the PVC that gets created from this template. + The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains the desired + access modes the volume should have. 
More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be used + to specify either: * An existing VolumeSnapshot + object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller + can support the specified data source, + it will create a new volume based on the + contents of the specified data source. + When the AnyVolumeDataSource feature gate + is enabled, dataSource contents will be + copied to dataSourceRef, and dataSourceRef + contents will be copied to dataSource + when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef + will not be copied to dataSource.' + properties: + apiGroup: + description: APIGroup is the group for + the resource being referenced. If + APIGroup is not specified, the specified + Kind must be in the core API group. + For any other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies the + object from which to populate the volume + with data, if a non-empty volume is desired. + This may be any object from a non-empty + API group (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed if the + type of the specified object matches some + installed volume populator or dynamic + provisioner. This field will replace the + functionality of the dataSource field + and as such if both fields are non-empty, + they must have the same value. 
For backwards + compatibility, when namespace isn''t specified + in dataSourceRef, both fields (dataSource + and dataSourceRef) will be set to the + same value automatically if one of them + is empty and the other is non-empty. When + namespace is specified in dataSourceRef, + dataSource isn''t set to the same value + and must be empty. There are three important + differences between dataSource and dataSourceRef: + * While dataSource only allows two specific + types of objects, dataSourceRef allows + any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed + values (dropping them), dataSourceRef + preserves all values, and generates an + error if a disallowed value is specified. + * While dataSource only allows local objects, + dataSourceRef allows objects in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource + feature gate to be enabled. (Alpha) Using + the namespace field of dataSourceRef requires + the CrossNamespaceVolumeDataSource feature + gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group for + the resource being referenced. If + APIGroup is not specified, the specified + Kind must be in the core API group. + For any other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: Namespace is the namespace + of resource being referenced Note + that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. See + the ReferenceGrant documentation for + details. (Alpha) This field requires + the CrossNamespaceVolumeDataSource + feature gate to be enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the minimum + resources the volume should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed to + specify resource requirements that are + lower than previous value but must still + be higher than capacity recorded in the + status field of the claim. More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + claims: + description: "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the + minimum amount of compute resources + required. 
If Requests is omitted for + a container, it defaults to Limits + if that is explicitly specified, otherwise + to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the name + of the StorageClass required by the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type + of volume is required by the claim. Value + of Filesystem is implied when not included + in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. TODO: how + do we prevent errors in the filesystem from compromising + the machine' + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults to + false (read/write). ReadOnly here will force the + ReadOnly setting in VolumeMounts.' + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world wide + identifiers (wwids) Either wwids or combination + of targetWWNs and lun must be set, but not both + simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using an exec + based plugin. + properties: + driver: + description: driver is the name of the driver to + use for this volume. + type: string + fsType: + description: fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". 
The + default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults to + false (read/write). ReadOnly here will force the + ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef is + reference to the secret object containing sensitive + information to pass to the plugin scripts. This + may be empty if no secret object is specified. + If the secret object contains more than one secret, + all secrets are passed to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset for + Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE Disk + resource that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of the volume + that you want to mount. Tip: Ensure that the filesystem + type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". 
Implicitly inferred + to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in the + volume that you want to mount. If omitted, the + default is to mount by volume name. Examples: + For volume /dev/sda1, you specify the partition + as "1". Similarly, the volume partition for /dev/sda + is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the PD resource + in GCE. Used to identify the disk in GCE. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository at + a particular revision. DEPRECATED: GitRepo is deprecated. + To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo + using git, then mount the EmptyDir into the Pod''s + container.' + properties: + directory: + description: directory is the target directory name. + Must not contain or start with '..'. If '.' is + supplied, the volume directory will be the git + repository. Otherwise, if specified, the volume + will contain the git repository in the subdirectory + with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the + specified revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs mount + on the host that shares a pod''s lifetime. More info: + https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name that + details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the Glusterfs + volume to be mounted with read-only permissions. + Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing file + or directory on the host machine that is directly + exposed to the container. This is generally used for + system agents or other privileged things that are + allowed to see the host machine. Most containers will + NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- TODO(jonesdl) We need to restrict who can use + host directory mounts and who can/can not mount host + directories as read/write.' + properties: + path: + description: 'path of the directory on the host. + If the path is a symlink, it will follow the link + to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine and + then exposed to the pod. 
More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type of the + volume that you want to mount. Tip: Ensure that + the filesystem type is supported by the host operating + system. Examples: "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI Initiator + Name. If initiatorName is specified with iscsiInterface + simultaneously, new iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface Name + that uses an iSCSI transport. Defaults to 'default' + (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically TCP + ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target Portal. + The Portal is either an IP or ip_addr:port if + the port is other than default (typically TCP + ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the host + that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the NFS export + to be mounted with read-only permissions. Defaults + to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP address + of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource represents + a reference to a PersistentVolumeClaim in the same + namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly setting + in VolumeMounts. Default false. 
+ type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: fSType represents the filesystem type + to mount Must be a filesystem type supported by + the host operating system. Ex. "ext4", "xfs". + Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits used + to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Directories within the path + are not affected by this setting. This might be + in conflict with other options that affect the + file mode, like fsGroup, and the result can be + other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about the + configMap data to project + properties: + items: + description: items if unspecified, each + key-value pair in the Data field of + the referenced ConfigMap will be projected + into the volume as a file whose name + is the key and content is the value. + If specified, the listed keys will be + projected into the specified paths, + and unlisted keys will not be present. + If a key is specified which is not present + in the ConfigMap, the volume setup will + error unless it is marked optional. + Paths must be relative and may not contain + the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an octal + value between 0000 and 0777 or + a decimal value between 0 and + 511. YAML accepts both octal and + decimal values, JSON requires + decimal values for mode bits. + If not specified, the volume defaultMode + will be used. This might be in + conflict with other options that + affect the file mode, like fsGroup, + and the result can be other mode + bits set.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map the key + to. May not be an absolute path. + May not contain the path element + '..'. May not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: optional specify whether + the ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about + the downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only annotations, + labels, name and namespace are + supported.' + properties: + apiVersion: + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field + to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits + used to set permissions on this + file, must be an octal value between + 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts + both octal and decimal values, + JSON requires decimal values for + mode bits. If not specified, the + volume defaultMode will be used. + This might be in conflict with + other options that affect the + file mode, like fsGroup, and the + result can be other mode bits + set.' + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu and + requests.memory) are currently + supported.' 
+ properties: + containerName: + description: 'Container name: + required for volumes, optional + for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the + secret data to project + properties: + items: + description: items if unspecified, each + key-value pair in the Data field of + the referenced Secret will be projected + into the volume as a file whose name + is the key and content is the value. + If specified, the listed keys will be + projected into the specified paths, + and unlisted keys will not be present. + If a key is specified which is not present + in the Secret, the volume setup will + error unless it is marked optional. + Paths must be relative and may not contain + the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an octal + value between 0000 and 0777 or + a decimal value between 0 and + 511. YAML accepts both octal and + decimal values, JSON requires + decimal values for mode bits. + If not specified, the volume defaultMode + will be used. This might be in + conflict with other options that + affect the file mode, like fsGroup, + and the result can be other mode + bits set.' 
+ format: int32 + type: integer + path: + description: path is the relative + path of the file to map the key + to. May not be an absolute path. + May not contain the path element + '..'. May not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: audience is the intended + audience of the token. A recipient of + a token must identify itself with an + identifier specified in the audience + of the token, and otherwise should reject + the token. The audience defaults to + the identifier of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is the + requested duration of validity of the + service account token. As the token + approaches expiration, the kubelet volume + plugin will proactively rotate the service + account token. The kubelet will start + trying to rotate the token if the token + is older than 80 percent of its time + to live or if the token is older than + 24 hours.Defaults to 1 hour and must + be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file to project + the token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the + host that shares a pod's lifetime + properties: + group: + description: group to map volume access to Default + is no group + type: string + readOnly: + description: readOnly here will force the Quobyte + volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: registry represents a single or multiple + Quobyte Registry services specified as a string + as host:port pair (multiple entries are separated + with commas) which acts as the central registry + for volumes + type: string + tenant: + description: tenant owning the given Quobyte volume + in the Backend Used with dynamically provisioned + Quobyte volumes, value is set by the plugin + type: string + user: + description: user to map volume access to Defaults + to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device mount + on the host that shares a pod''s lifetime. More info: + https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type of the + volume that you want to mount. Tip: Ensure that + the filesystem type is supported by the host operating + system. Examples: "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. More + info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring for + RBDUser. 
Default is /etc/ceph/keyring. More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. Default + is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. More + info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides keyring. + Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. Default + is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Default + is "xfs". + type: string + gateway: + description: gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). 
+ ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation will + fail. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false + type: boolean + storageMode: + description: storageMode indicates whether the storage + for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that is + associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that should + populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode bits + used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. Directories + within the path are not affected by this setting. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' 
+ format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced Secret + will be projected into the volume as a file whose + name is the key and content is the value. If specified, + the listed keys will be projected into the specified + paths, and unlisted keys will not be present. + If a key is specified which is not present in + the Secret, the volume setup will error unless + it is marked optional. Paths must be relative + and may not contain the '..' path or start with + '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits + used to set permissions on this file. Must + be an octal value between 0000 and 0777 + or a decimal value between 0 and 511. YAML + accepts both octal and decimal values, JSON + requires decimal values for mode bits. If + not specified, the volume defaultMode will + be used. This might be in conflict with + other options that affect the file mode, + like fsGroup, and the result can be other + mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path of + the file to map the key to. May not be an + absolute path. May not contain the path + element '..'. May not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the secret + in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type to mount. 
+ Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret to use + for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable name + of the StorageOS volume. Volume names are only + unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the scope + of the volume within StorageOS. If no namespace + is specified then the Pod's namespace will be + used. This allows the Kubernetes name scoping + to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default + behaviour. Set to "default" if you are not using + namespaces within StorageOS. Namespaces that do + not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume + attached and mounted on kubelets host machine + properties: + fsType: + description: fsType is filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. 
+ type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + type: + default: rw + description: Which instances we must forward traffic to? + enum: + - rw + - ro + type: string + required: + - cluster + - instances + - pgbouncer + - type + type: object + status: + description: PoolerStatus defines the observed state of Pooler + properties: + instances: + description: The number of pods trying to be scheduled + format: int32 + type: integer + secrets: + description: The resource version of the config object + properties: + clientCA: + description: The client CA secret version + properties: + name: + description: The name of the secret + type: string + version: + description: The ResourceVersion of the secret + type: string + type: object + pgBouncerSecrets: + description: The version of the secrets used by PgBouncer + properties: + authQuery: + description: The auth query secret version + properties: + name: + description: The name of the secret + type: string + version: + description: The ResourceVersion of the secret + type: string + type: object + type: object + serverCA: + description: The server CA secret version + properties: + name: + description: The name of the secret + type: string + version: + description: The ResourceVersion of the secret + type: string + type: object + serverTLS: + description: The server TLS secret version + properties: + name: + description: The name of the secret + type: string + version: + description: The ResourceVersion of the secret + type: string + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: + scale: + specReplicasPath: 
.spec.instances + statusReplicasPath: .status.instances + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + helm.sh/resource-policy: keep + creationTimestamp: null + name: scheduledbackups.postgresql.cnpg.io +spec: + group: postgresql.cnpg.io + names: + kind: ScheduledBackup + listKind: ScheduledBackupList + plural: scheduledbackups + singular: scheduledbackup + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.cluster.name + name: Cluster + type: string + - jsonPath: .status.lastScheduleTime + name: Last Backup + type: date + name: v1 + schema: + openAPIV3Schema: + description: ScheduledBackup is the Schema for the scheduledbackups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Specification of the desired behavior of the ScheduledBackup. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + backupOwnerReference: + default: none + description: 'Indicates which ownerReference should be put inside + the created backup resources.
- none: no owner reference for + created backup objects (same behavior as before the field was introduced)
- self: sets the Scheduled backup object as owner of the backup
- cluster: set the cluster as owner of the backup
' + enum: + - none + - self + - cluster + type: string + cluster: + description: The cluster to backup + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + immediate: + description: If the first backup has to be immediately start after + creation or not + type: boolean + schedule: + description: The schedule does not follow the same format used in + Kubernetes CronJobs as it includes an additional seconds specifier, + see https://pkg.go.dev/github.com/robfig/cron#hdr-CRON_Expression_Format + type: string + suspend: + description: If this backup is suspended or not + type: boolean + target: + description: The policy to decide which instance should perform this + backup. If empty, it defaults to `cluster.spec.backup.target`. Available + options are empty string, `primary` and `prefer-standby`. `primary` + to have backups run always on primary instances, `prefer-standby` + to have backups run preferably on the most updated standby, if available. + enum: + - primary + - prefer-standby + type: string + required: + - schedule + type: object + status: + description: 'Most recently observed status of the ScheduledBackup. This + data may not be up to date. Populated by the system. Read-only. More + info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + lastCheckTime: + description: The latest time the schedule + format: date-time + type: string + lastScheduleTime: + description: Information when was the last time that backup was successfully + scheduled. + format: date-time + type: string + nextScheduleTime: + description: Next time we will run a backup + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/operators/metallb/9.0.9/values.yaml b/operators/cloudnative-pg/1.0.0/values.yaml similarity index 100% rename from operators/metallb/9.0.9/values.yaml rename to operators/cloudnative-pg/1.0.0/values.yaml diff --git a/operators/metallb/9.0.9/CHANGELOG.md b/operators/metallb/9.0.10/CHANGELOG.md similarity index 93% rename from operators/metallb/9.0.9/CHANGELOG.md rename to operators/metallb/9.0.10/CHANGELOG.md index 5aabea303b..49bbcbc3da 100644 --- a/operators/metallb/9.0.9/CHANGELOG.md +++ b/operators/metallb/9.0.10/CHANGELOG.md @@ -4,6 +4,15 @@ +## [metallb-9.0.10](https://github.com/truecharts/charts/compare/metallb-9.0.9...metallb-9.0.10) (2023-06-08) + +### Chore + +- move container references to tccr.io + + + + ## [metallb-9.0.9](https://github.com/truecharts/charts/compare/metallb-9.0.8...metallb-9.0.9) (2023-06-07) ### Fix diff --git a/operators/metallb/9.0.9/Chart.yaml b/operators/metallb/9.0.10/Chart.yaml similarity index 98% rename from operators/metallb/9.0.9/Chart.yaml rename to operators/metallb/9.0.10/Chart.yaml index 1dd071e39f..3b2c538b10 100644 --- a/operators/metallb/9.0.9/Chart.yaml +++ b/operators/metallb/9.0.10/Chart.yaml @@ -22,7 +22,7 @@ sources: - https://github.com/metallb/metallb - https://metallb.universe.tf type: application -version: 9.0.9 +version: 9.0.10 annotations: truecharts.org/catagories: | - operators diff --git a/operators/prometheus-operator/0.0.1/LICENSE b/operators/metallb/9.0.10/LICENSE similarity index 100% rename from operators/prometheus-operator/0.0.1/LICENSE rename to operators/metallb/9.0.10/LICENSE diff --git a/operators/prometheus-operator/0.0.1/README.md b/operators/metallb/9.0.10/README.md similarity index 100% rename from operators/prometheus-operator/0.0.1/README.md rename to operators/metallb/9.0.10/README.md diff --git a/operators/metallb/9.0.10/app-changelog.md b/operators/metallb/9.0.10/app-changelog.md new file mode 100644 index 0000000000..f9b54bd8ab --- /dev/null 
+++ b/operators/metallb/9.0.10/app-changelog.md @@ -0,0 +1,9 @@ + + +## [metallb-9.0.10](https://github.com/truecharts/charts/compare/metallb-9.0.9...metallb-9.0.10) (2023-06-08) + +### Chore + +- move container references to tccr.io + + \ No newline at end of file diff --git a/operators/metallb/9.0.9/app-readme.md b/operators/metallb/9.0.10/app-readme.md similarity index 100% rename from operators/metallb/9.0.9/app-readme.md rename to operators/metallb/9.0.10/app-readme.md diff --git a/operators/prometheus-operator/0.0.1/charts/common-12.13.0.tgz b/operators/metallb/9.0.10/charts/common-12.13.0.tgz similarity index 100% rename from operators/prometheus-operator/0.0.1/charts/common-12.13.0.tgz rename to operators/metallb/9.0.10/charts/common-12.13.0.tgz diff --git a/operators/metallb/9.0.9/ix_values.yaml b/operators/metallb/9.0.10/ix_values.yaml similarity index 97% rename from operators/metallb/9.0.9/ix_values.yaml rename to operators/metallb/9.0.10/ix_values.yaml index 595fc12c41..90820bc3f0 100644 --- a/operators/metallb/9.0.9/ix_values.yaml +++ b/operators/metallb/9.0.10/ix_values.yaml @@ -1,10 +1,10 @@ image: - repository: quay.io/metallb/controller - tag: v0.13.10@sha256:1b33357b3595468aac9d5b9115fc4d35fc475124551180956083294cdeeb94b6 + repository: tccr.io/truecharts/metallb-controller + tag: v0.13.10 pullPolicy: speakerImage: - repository: quay.io/metallb/speaker - tag: v0.13.10@sha256:00406ccb1fa08d48cc0ed0b43db7b3cbc3ccc1c4da0e38fca648e64639b06c3c + repository: tccr.io/truecharts/metallb-speaker + tag: v0.13.10 pullPolicy: workload: diff --git a/operators/prometheus-operator/0.0.1/questions.yaml b/operators/metallb/9.0.10/questions.yaml similarity index 100% rename from operators/prometheus-operator/0.0.1/questions.yaml rename to operators/metallb/9.0.10/questions.yaml 
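Review bot: In the `ix_values.yaml` hunk both `image.tag` and `speakerImage.tag` lose the `@sha256:` digest that the removed lines carried, so the MetalLB controller and speaker are now resolved by the mutable tag `v0.13.10` on tccr.io, and whatever that tag points to at pull time is what runs. Keeping the pin is a one-line change per image, e.g. `tag: v0.13.10@sha256:<digest of tccr.io/truecharts/metallb-controller>` and likewise for `metallb-speaker`, with the digests read from the mirror, since they may differ from the quay.io ones if the images were re-pushed rather than copied. `pullPolicy:` is empty in the context lines, so the effective policy comes from a default that is not visible in this hunk; with an unpinned tag that default decides whether nodes can end up running different image contents under the same chart version. If pinning in the chart is not wanted, digest or signature verification at admission for tccr.io images would close the same gap.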
diff --git a/operators/prometheus-operator/0.0.1/templates/NOTES.txt b/operators/metallb/9.0.10/templates/NOTES.txt
similarity index 100%
rename from operators/prometheus-operator/0.0.1/templates/NOTES.txt
rename to operators/metallb/9.0.10/templates/NOTES.txt
diff --git a/operators/metallb/9.0.9/templates/_webhooks.tpl b/operators/metallb/9.0.10/templates/_webhooks.tpl
similarity index 100%
rename from operators/metallb/9.0.9/templates/_webhooks.tpl
rename to operators/metallb/9.0.10/templates/_webhooks.tpl
diff --git a/operators/metallb/9.0.9/templates/common.yaml b/operators/metallb/9.0.10/templates/common.yaml
similarity index 100%
rename from operators/metallb/9.0.9/templates/common.yaml
rename to operators/metallb/9.0.10/templates/common.yaml
diff --git a/operators/metallb/9.0.9/templates/crds.yaml b/operators/metallb/9.0.10/templates/crds.yaml
similarity index 100%
rename from operators/metallb/9.0.9/templates/crds.yaml
rename to operators/metallb/9.0.10/templates/crds.yaml
diff --git a/operators/prometheus-operator/0.0.1/values.yaml b/operators/metallb/9.0.10/values.yaml
similarity index 100%
rename from operators/prometheus-operator/0.0.1/values.yaml
rename to operators/metallb/9.0.10/values.yaml
diff --git a/operators/metallb/9.0.9/app-changelog.md b/operators/metallb/9.0.9/app-changelog.md
deleted file mode 100644
index 4b95cbdb15..0000000000
--- a/operators/metallb/9.0.9/app-changelog.md
+++ /dev/null
@@ -1,9 +0,0 @@
-
-
-## [metallb-9.0.9](https://github.com/truecharts/charts/compare/metallb-9.0.8...metallb-9.0.9) (2023-06-07)
-
-### Fix
-
-- set to rolling updates ([#9458](https://github.com/truecharts/charts/issues/9458))
-
-
\ No newline at end of file
diff --git a/operators/prometheus-operator/0.0.1/app-changelog.md b/operators/prometheus-operator/0.0.1/app-changelog.md
deleted file mode 100644
index 39a9cda7bc..0000000000
--- a/operators/prometheus-operator/0.0.1/app-changelog.md
+++ /dev/null
@@ -1,9 +0,0 @@
-
-
-## [prometheus-operator-0.0.1]prometheus-operator-0.0.1 (2023-06-08)
-
-### Add
-
-- add prometheus operator helm chart ([#9418](https://github.com/truecharts/charts/issues/9418))
-
-
\ No newline at end of file
diff --git a/operators/prometheus-operator/0.0.1/CHANGELOG.md b/operators/prometheus-operator/0.0.2/CHANGELOG.md
similarity index 55%
rename from operators/prometheus-operator/0.0.1/CHANGELOG.md
rename to operators/prometheus-operator/0.0.2/CHANGELOG.md
index 49f7d992c4..23b6b1a2e3 100644
--- a/operators/prometheus-operator/0.0.1/CHANGELOG.md
+++ b/operators/prometheus-operator/0.0.2/CHANGELOG.md
@@ -4,6 +4,15 @@
+## [prometheus-operator-0.0.2](https://github.com/truecharts/charts/compare/prometheus-operator-0.0.1...prometheus-operator-0.0.2) (2023-06-08)
+
+### Chore
+
+- move container references to tccr.io
+
+
+
+
 ## [prometheus-operator-0.0.1]prometheus-operator-0.0.1 (2023-06-08)
 ### Add
diff --git a/operators/prometheus-operator/0.0.1/Chart.yaml b/operators/prometheus-operator/0.0.2/Chart.yaml
similarity index 98%
rename from operators/prometheus-operator/0.0.1/Chart.yaml
rename to operators/prometheus-operator/0.0.2/Chart.yaml
index 697f1c5d64..9f22b1e0e6 100644
--- a/operators/prometheus-operator/0.0.1/Chart.yaml
+++ b/operators/prometheus-operator/0.0.2/Chart.yaml
@@ -22,7 +22,7 @@ sources:
 - https://github.com/truecharts/charts/tree/master/charts/operators/prometheus-operator
 - https://github.com/prometheus-operator
 type: application
-version: 0.0.1
+version: 0.0.2
 annotations:
 truecharts.org/catagories: |
 - operators
diff --git a/operators/prometheus-operator/0.0.2/LICENSE b/operators/prometheus-operator/0.0.2/LICENSE
new file mode 100644
index 0000000000..4dfe12ac30
--- /dev/null
+++ b/operators/prometheus-operator/0.0.2/LICENSE
@@ -0,0 +1,106 @@
+Business Source License 1.1
+
+Parameters
+
+Licensor: The TrueCharts Project, it's owner and it's contributors
+Licensed Work: The TrueCharts "MetalLB" Helm Chart
+Additional Use Grant: You may use the licensed work in production, as long
+ as it is directly sourced from a TrueCharts provided
+ official repository, catalog or source. You may also make private
+ modification to the directly sourced licenced work,
+ when used in production.
+
+ The following cases are, due to their nature, also
+ defined as 'production use' and explicitly prohibited:
+ - Bundling, including or displaying the licensed work
+ with(in) another work intended for production use,
+ with the apparent intend of facilitating and/or
+ promoting production use by third parties in
+ violation of this license.
+
+Change Date: 2050-01-01
+
+Change License: 3-clause BSD license
+
+For information about alternative licensing arrangements for the Software,
+please contact: legal@truecharts.org
+
+Notice
+
+The Business Source License (this document, or the “License”) is not an Open
+Source license. However, the Licensed Work will eventually be made available
+under an Open Source License, as stated in this License.
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+“Business Source License” is a trademark of MariaDB Corporation Ab.
+
+-----------------------------------------------------------------------------
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License’s text to license
+your works, and to refer to it using the trademark “Business Source License”,
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License’s text and the “Business
+Source License” name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+ or a license that is compatible with GPL Version 2.0 or a later version,
+ where “compatible” means that software provided under the Change License can
+ be included in a program with software provided under GPL Version 2.0 or a
+ later version. Licensor may specify additional Change Licenses without
+ limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+ impose any additional restriction on the right granted in this License, as
+ the Additional Use Grant; or (b) insert the text “None”.
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.
diff --git a/operators/prometheus-operator/0.0.2/README.md b/operators/prometheus-operator/0.0.2/README.md
new file mode 100644
index 0000000000..1ed81ac516
--- /dev/null
+++ b/operators/prometheus-operator/0.0.2/README.md
@@ -0,0 +1,27 @@
+# README
+
+## General Info
+
+TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
+However only installations using the TrueNAS SCALE Apps system are supported.
+
+For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/operators/)
+
+**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
+
+
+## Support
+
+- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
+- See the [Website](https://truecharts.org)
+- Check our [Discord](https://discord.gg/tVsPTHWTtr)
+- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
+
+---
+
+## Sponsor TrueCharts
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
+
+*All Rights Reserved - The TrueCharts Project*
diff --git a/operators/prometheus-operator/0.0.2/app-changelog.md b/operators/prometheus-operator/0.0.2/app-changelog.md
new file mode 100644
index 0000000000..a93013042d
--- /dev/null
+++ b/operators/prometheus-operator/0.0.2/app-changelog.md
@@ -0,0 +1,9 @@
+
+
+## [prometheus-operator-0.0.2](https://github.com/truecharts/charts/compare/prometheus-operator-0.0.1...prometheus-operator-0.0.2) (2023-06-08)
+
+### Chore
+
+- move container references to tccr.io
+
+
\ No newline at end of file
diff --git a/operators/prometheus-operator/0.0.1/app-readme.md b/operators/prometheus-operator/0.0.2/app-readme.md
similarity index 100%
rename from operators/prometheus-operator/0.0.1/app-readme.md
rename to operators/prometheus-operator/0.0.2/app-readme.md
diff --git a/operators/prometheus-operator/0.0.2/charts/common-12.13.0.tgz b/operators/prometheus-operator/0.0.2/charts/common-12.13.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..3ba24f80abf117bd13603a400f4ee61b82d8310c GIT binary patch literal 129903 zcmV)TK(W6ciwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ{bK5x5D7ruEuRt-GyYXI2)?2o}lR2Nq_GEk}v0b*4+5PtH zbwMN~aZM2n0m|{to8j-`jy{S)U$++d>`5uiE$VD z@Fu`x7y!WpjVb?i*Z_ckyhap2&-2-|hXD{@K>)`nVC*jbI0V0cuC4&X5L3wBv0BD2 zv+9xO5imy-25)~d%K(Z2LGi+O5wGoe??j;^6Aqhf79<)&H1Y4MA>D{VrI6nFp+8UN zAjBTJ#4#0QY5*|z!*luW5FE7IZB^qmgyR75mMD(E91{v6>=6J%4>0j1gbVOPH%L4` zoB}tDro6U?5dk5l@*4t#!q98N0EdXfXaElMCaPJ2J7$cAnHt+13E!#|@WrOd@8>UWSfV!pCZbT!p zifHCINZ6WkcA3MA$yY*A=%(1EuSDf&;byB{AvRjFg)cuGgKPgkNEBs% z9fD4~{l?E0{BV4u3NBn)QSkD^@g6IDl*v_gm~!bP>8a z#N?p(bA%JVNQr@wzXgcEU!V{X`3nF)^r;Vn6BNLQYvkh4BMeFTHA1nEz5ILGhW;>+ z?5bE+TY@wh@^eA)&CD?RJu^F~2=+kKM z;XRwfDN8Zu!_$%kF0w&V9Q+g-k3_I6VZN)*&$t<@>9* zhrn@IHS8Uqom|OZWZ~*x4Y?}0N$k@HAOSRpd|?3O1&@`02C4*?+2|A1LNb-%<)TuT zX@K-^!8>sh9+CG1#fM-p+)rP&QGs)!O79_?Zt=FtE;n62i zDiZ(+xVpHwQHcA5E!Nk=V;B*WM4T5c-=Ccnk9w_f2OK~;q8#S?cSqO1J_#s?a0r}s zyW4dX+g@U?oMENrPy#)|o|r&l1SeTWlrN5FFq|SaH7`QOm+yQsht!=3u1caPKywsQ z81NcIa|n4LE)B$QF(0oG!AZ=tu%&&DRZ)gt;Lm-vWVumt2>R`Id(MB((VPpneZG#y z=wpJ2RkV{SIB37~8x7siMI_X}1_0+D&Q8vbZjX;HuhjwzgFvD#%h}YeplyUb12p2= zq10jC`r)0yb~8-qIimMCzO!FmGB#2#$PC6zLt@JUQ|CwoU6g)~5nrj)Kph45@PUoK z7ZUYOYDqu)F`?qiF%BpGRP+_6$cnBDvo-WEC3=qYRp$^m9Y>;g6!?%JHRMcNzD5CZ zDUPLvPjP@^rD5|z#GN582~d2_8xV3l_AwXBN?DcfV^B^(xzGQY_mCy^ZV{@MxR}wv($~gSP#TRWv0u2m`%)$SF}L! 
z!~G1!2*4-`e3$j0aq~Zi;Qh_9HMJ#pb7sp|t50l>ouZySIg4pnJTW6}>T(lV;q%rf z)L1SB`i8}7cENaksMZIstRrF!(LACLC%#Z9xB$I`ban{#L}gKu50sD?+~FW$EMOeq zDS2cA3mEUQ>dTsllhU!M(L$Vra;f+HWPS+V@g={qO*)Sr*&v-qm5@EOAhY=+fqQ7N zM`rWYdSkLg%1It7;Ht#oU3y zrdq@Qboz;+IE2AjNKrh2E|O|Q5=%SepZ|L9Hn{$?mWGZ|O#O-PLb@h^A8?Q;`bM(GGZZO(8{-B)CQt;4paDX%rRAW9PyE<;GlKS@W_qGQ)s?=I74}!Z8j*xHIJ50h~~dY)W_FnKb~G z>r%lUpNr=W{_P?{;Wal}Id#|s0O*rXD7g3OO!Rt&f@l{+vTYm^-$OAsqH#>^kuPl! z$J0F$;gH~1IR*W{3r7(Vngv^3fU&&?#*nE@k)UWp(^m5Oix)2%{6Dk*%rapU2QZT# zT#T7WB%;`h7qVHg*+4kyByi5h_cPy}0U@wJh>*v(V8#ecQOL|e#Oz~Mob{3MOlFx( zJu=*|_C4*c(u$M(&5Tg}jj5wTOXI7k?BlmJofNN7xh1kofsQ-0+o{$p8O`HL65 zR62M6AGFz6n5 z1J^wmy50SLrDHfml*}-ubx~F2HLmSer<3A}hOj&A?)L}1&bZre?+*vCJ??e9j=R6# z8=!rJI{U-!=-|NJ?+n|WKI*%J1Gm#}ciMcKU9&*YRNA>+XAKFd21KSU$w_444eBB)iyOS!9U4R5?ZNQ~!X6sAXut2ayM1pmI`G<)-mu@@@4B5% zZ_qzD=pO7(2K_PWLJ#$agZ4h`bcSw!T#4!Z6xEghtZcfo)lM<&jE4PjXFMJqj0aw? zhdeYM4#w@VH|P(#<2F1PcDs}PVY@pS^x$ZOhH%gsc848zf>^)2N(>`RC|hcd10RL8 zarMT{d+5`qs-5C($Sl|y_T15aZ|IH2<9=@l``!J?z#9z4<1uWb@u)X;z45`=?Y6t^ z{s?sk-QIXS9`p_v&C#$D?>UTp=#3wTwya!;b^o9X4~Bz-L8s&Oy8HWMcrYFgdc(=M zGx9p_xZN8~#=ZT~aMEvgy~zX)ys##CT?O&^zet4-b0%&e$6dd;8UN#^Dq{ zn$DtfA=ZO-cQR_j;h+Z(+5_lydxOysb=&)18x6Ys4mxn%eTa}Z?2X3<-5wfxaDOoD zjXk&LcF?F2Yq=+a!Vj0{fGAbbHLdi<3-I5{)5oogs z2a|q(G#R*qPMe7g_nQt*U}o+~n~?xqGw=xPxRDAnLYSt(}&HbH?re z7y+MvIp#!!A?PSDyI{^*A%eV6IE>QIycUe_kOv@9D6|T^@@AJMFrS!EAm0mBoo&f5 zi;syP7j^wY8l1f6A)GS|ClmjZz|kkEy=S%~pt9l@+F(s#9wih9et2gN02^tjY)&2| z$PCI|FvfHy`~|EqVF++6pf!A=J(y7Z)(`LUy^urB?aOJ%h!4XDz3;+(nfFkr6^adh z_CF!-o%V8)9C>*(#|(jE6w{_OK!GbZm3=}I6z9kycHw1o9xoycU=8!FPbk0>!@J5I zM64MZ$7z1K+b5hDeD9kR(DMqyNnU{C7%@=}U}%Jarc^ayGRng!LZK(%v)?L&RJTRc zyi99~kFvc>&XIobkaEXOoS^fgYw0~!xTYfF6+zt6M>`fe3`d+$fIdaS6G&%hu3AT- z*Gz~E2$^KZOYhvfGw6rSF(kfgGGW^GcR}^J$*MBq#EALT8y=DXGM<6pIbwgw*E*zu zy;m{5D!3-b3nmDRK{I2Dg^z0vADDbs@}!kTLxw>Jpv+E+Lqri_>!_N_E)S^%;nWX5 zl@z4`X+oFBKd?zDXOM`(etJi*5tXn27F^)zz=b^`UHSykJrANe4hf=_M3SH?==1oR zM&P-PzablWv`8Is{Q_JG-~{}t$qo3akb{QdBQ(NKzzg8;fl@;3MMg=OVM0>{!4!l1 
zOFBsf>c3#ZDQGi+jc444P|F`(#D~D9kP)owYzclv0=Lp7l;_rt$U11O9}^xEn`sz>lw)#nNxKbC5)6_GOGF z{wF(rA>FvowWO9_u~Mp~m9L)ZKAmO-)=UNppE>m*^YDavkcDeHW!ZFmZr)yJ*`)=3 zVoHG6%H!KMOgswCVj~cVC@=u+(NRqO22mnceNP5Mnkz7y6caxP)P8?J4Cw)yMza|% zYtn#dX(GZ3*?^7_aPfTXhpaUw>-Dx>peS?*~XJ_o`8%k3xzi7#|qehHbyS5yS!fC)qj#l{*NMFeRQ zqg{K~N}eTQW*H1AlKL=oX~LFjaF63VZczM$7@CX_qJ#^>JszLy@{muZ5KI!*hSp0$ zOnn#W9V`#?#u9=+5(bPZA8-QhVaNl2sW2lT1+h==8ZW><{~4pnzy9?~pA{4&Z^FoL z5r0Zrcl&(3)02wqF)MfPg)G<#MVzD`PG!*_x|2l*2GI<5cS@}!PUIDABwoI3N6K1q zcu8>Qho1cQ0S3OOf++zT$TwG)$5*V_F8Jl<=2HH7bFBY*doBNZef_TI0FY zlC>CW3eiTO-KT>a)_#`9@|Ab6N6Sqmk1r zP^y81I&`LB(BdSJf{%?Bqog`aq*Za{3s50@!kT9FvZ_rAb`0G+uIY+qDR-hGW?S8M(m?IkdE-49Z zv<``60ux{8AaFIja~%2<$GafHp8UI!BIDSl)MD%zEJNh3`&)H#6zEr4a-h(QupesW zxGDGD8TP7|d?$SYgF`UTv?Fc|BXyq5{E$&aXE;;{*!{n1a#1Sc9V+5dsGuKBF6zKMB~9-y&mFlvb~5T!zh>A3JApLxQO@aFxQUW@Sp#rH9n z4^ts(axJD3J=^vR;RVRIDmp6znyiLp%@n4jOWI;n9gcT2b)0XEIt}wY7)hP%1W_gt zg?OAXy<7OeRn$I@dWt34R1gPgsJ{-aGs+O?U_K>Sb=(KVAVyQ4slHM%;|eI`TA(V$ zUGt()=2+?n6#EmO>ClY1W4&mnIHiV)gdC$(J(R&B$m2GLYJ=Mf3kLb2ETC2UjhXrx zHYYd<%{FH+_L>vu2YxtJmh;WU$;F{MB&GqeLKop_9OF2rc0tWP=o5{h0iR+S$u*H8 zDjnMkRY>yI3l54)Zbnq#K?(`QOvz=&5)^0AgK;_}OxI@pX>lUU&*}*KGHA-JRRT?Z zt_v-dT4ey!5_Ms^0ZzOSQh$M((XAw+mz})~?!Q+y#1jj!7mnq=>blHgDNH|4kQ! zaT=D0Jm8@yMlKK7OV@qXq~XuFQNYV~B}K_%>WgpeH{T}m!wF8U?*b@AnPyb`#$V$A zkN21ovB!gb@Ak=FoP;eRd^5USs(y=|ni;p&nLH8kuS!5OTG{#~Oz7+mJs6tk3vk3{ z0i&J^V}9gS>b87yD?}pXFHS;cUMB>_To;wK^>6F22y5jQhuOETiz0gKg~V1>gj2#m z$wP$R`lh-}uzNSS713J8Yc5f5VLY{JbC2(B;WwPnF`LAqG7=L=W4fyc`iz1Aw zhJ89QSy53+bt+?^ru?-e(qI{P$r)h{^>K_m6jC1sq8aP3r-&Fq971p!#V*cV<1*-zwg$CJ+5A)HJS#YGe<`en`v zi^;?t`F0TVME6Z>hZ_fyC;n6=6%Y&j!rHpf=c>M9gsq*B>|O{87y5mEFU08AgA8u> z{1~}3c#vItFvJm<_<=m}0mQk@i9b!pQ>4x!7PnPGO(Ibx1qpy<;R*4z_ z51GBKhHX2A!hTn}zV?9_sz&H3xh_4PL2!NVQ+H;pbm$XL ziR8%x^5pjHa?#h5yy)vtm~jQVoJwDp*XE4)WvSKi{)_xOjBUu;w7is#IY%_p3&K1? 
zX(|ip2NbCrD#CYoGOqA}$wWWKA(N+usOATa4ES0!D4G8h8E>%3qeQ(?|9K_8MJ%IL z#w(071D-`Io^llRhVijJu_N38pveO=n#}HLdVVaTdh|I=YKf~T7L8ccSAfK>i|83w zwDde`Hkk^je}*_jMt?I17+)NDesHg~Ago1GDwx)V^qK>XzL_J8X-#?y(L|ZbgK09# zi*Gmi3l#2hcrc0t2sIB>6bF;G5uE9RVSY@g!Bpa?;5$}|!P_w)G;lK;-Hq5!dfz0Mwyrh#@sTv0eh%b72!}2x1jyznHU7l zqpOA>lm;Q_bT$Ts#mXmqdQwo+bltSp+1z5u*XjlU>TpuknxM)&%YvYR=T`%M<`3Mk zHBN0xx!OI7=cpOQNNHF&1{1#V5mFTl=b;FN9tvF_@#BLHH;kr_+MQquQbNTREd!z= z1Q;1+KI1_lYUkJ!Rn$wAb0mhze2iiyiMYcvbR`*h^rbp;A)+#;%*b`+>ZMDoEN)Eh zjv-+>EsUhIJKy@r2|IIA_{2~p;5vQ*~){$(wWZ+ zXF?4$AT?V*26~T1mWt6NP0DP$uh~Ln>7RR@R_9}m$+TIH~L(TMMQ_4R{MD^P6 zSzjT~C#lGLsChPnA3d@T^ICg4((Xv4B;axLJS2!HM&yGOVv1zM#`~+c*CH(eGAtR! ze((PgTK?;#1;IhQIu%&0!v3=l$CyXJcjQl@HXbE( z#%8E1bMiPLc8ci5YJ8oPdTVd=iu4m)58|=u>9K+s@leDDFL)CLTtENP8P>n?Igo(wI~j3o2S$WtWTC#2k;jlb=E{@nQe_a^W}hI)s(twpCL zc(KKsYncw{rY!!_HkrZUYqsS3VOqkUr1=L0C$~)IwX2K#Kt+IGuL#A=IF!k!l&>#k zoNj*aZ{UcZf6BRHEH8rc&jlEI1aJ~c1%ErWuTQOwaRs$ zF_D+&Ak`0pT`GA~#qwr*$FY_l^VBMZQ#S54B*$hJr;>Z5NSYl-Q|nvY^Xq!Zx$uxOgiyebxKJczqBNrHg=<$%^shG!Qp&ook@IA^pYe zQy>dx3Vr^3XuT9={{SBoOm&?mK+M`O*2D?)1K`LLy(%D&0Tfp*>IfV;^NMz5>#UvJ z1y)H2T~reAZWp{&-XMO0pU1%b2YWPAIirStPYW$V8R0(kP`zkL1g3`g1Zzdh(}@BiG$^Nj1i zVxj8QUk2H+Wupo9#(ucRPh~Vg)8+q=0HFx@;lvMp`mkJCFqe~}bzSe56fVKyYj(A? 
z@(Vi~TJegmU4x#N1_Pd--rOFYygNI$-dr91R<&4W{hE4^zLB+32PZvgrL3aD^DmU8 zt=C#7*SkI~m;V~O$BO@@^1ss=WaWQvG}y}jO*~)i{*Pk26?cEiC-#@xbSYW}zt%06 zl<1WkE?dvtck`6V|3wsX)n8sZ^k~`tm*w)mJ!og|{~z^x{jL1p#H00pd0=khPr247 z4=!rOUmUKgC%P9=*wU<1r1N`_!oyO(1*Tgob|TG5xQf z)r)Gu_V9fuptHYLg8%&py~_D7(+C_t(F3q#{`cBB`@hrP+W(t*^!%4&y(ZhA%`*wH z+WgO$+UA`@+SV@#>|t#vC%`2uDkih(7hpBzC28h-?&|rhEznADf?<6<&9P9^bFi|f zAb)-QqkRYJ_q$)uFHZEY>wjF|zPmVi|Ms*YybA!FoL}GmdU|?!dw%rp^!oJb!|Bx_ zaB%3bZx=W0@5#ie8oczBuNse+>J+cc;KySaUKt?)yFVXd;7Q;tl0>IB_SEs)ny?v_(QN6gm zcz^TL#ryM<+w1o~ouA%ZOXp4&YSvw$=avasv4m{4+$F;a5H3=05u3nrE*H&YbLC&| z_L9)Qh{vnBqRWeEW{>f9Rnu1an$!W~dL;g?bf4|BME{eya-LiN8x3;t-|emax0&Y| z^*_lyE9rmceNca1{m#o$GII9W4NrIOF3)d|-rxMfSK3#p zlJj4dPWaTec0l2xT3?0rqeVZcQacK@OSN8`?G&oFxn^F=+f$5JwICSFd1<3cYkqvA z83;=4vy{S%bH@(O=RvZ&;HA)kc#N%Tg%8fv#rvDn+uwiZnH5B7&`G!CN_4N{{w~$G zE7k48*T8Y|rwdjzD(b59|5d2YFNRv7w|csSq^l8tlYICDnipt~TV4HGb@f_~%1ZrD z9Q1yg^S_4wzt_&_f1TlIu-*UN$fNZ?l~z+Fl@qDv9_#)W)ysYVJjE^FB(RH4kKcy~XbfF`)llO%UtiT$@LlES{VSE%&^GQue9uNwWlH237Zbv7p7M#BhaL~R zYA_sBT3nTm`p9*05{k66JT@ypkf-XHz#xf{oTzfY=H~j==()`LdvkqzeR2FN`@Oe- z@m`#SMG4fs7QybFEPr!!b9#Gnb|tF>{@AF(`z#7FTmAOp{P&v5BP*SGPLOD7uz{_VViD z@Bg@cdv<+udM*y$i;4Q?{nM#gHC^xjsI(Rx?BB!6OY#a#aM$^ z>b^~;vG8j)M6}#a#s~m@C~|U&?A9)-Zxu+cl7Nl)?lC0j64DtD`lt%2HlV0FJo7`& zvJiQkbu3~-=?h86?Sj7?x@D z_4=D~jS)_1vY(vS&Cj33VX>c>1;Rfvo8yAb4m)EP`dHZchX?^jU%uzq8@{?h)*hnn zo?Wo0<@C-Rqj@d`m*61dd#W%nixjo}MurHPEnD_#3hw(lB=H?T)%G9bo+lcA%k96> zs5{8+|Ms@_-)5e&^S|;^)6JjzRbp4^rmUE{Wz;DZZ$=u>VtrPsGO6&h4*;9jsp*|> zdG~&dD9NTP6lIp2{53bi3r_qR8AAoQvZR4&@=0FI(OR;TtD2X|X~b2f31V2S%Z$(} z8Ya;mFJl}ZOz%pZ!zfG0^zQ2#v^35XR+2LXx{RV}Nhfs&I7JX1O<2Qfc#7p$gK;IT z4UN2z*wOMM>jkEB4T49;ne{S)o5)#woCi@%@#f}uIm5%{bd?2HBdlh&YRQm-UX`>d zHx~e@L)>NdQ5Egv4V_C#C(5lxIb}9h5-tV2D%}+L0uW26w)Z!18j>W|d2hARBfSMg zT%+KJ{N7B&mPUUf6Q-KECGv?bcaaU|F{F;ucoTcV682yjZdmX&9L%jNZz< zmFkqw=%Zo56z+&AEx;J++9^6pPOH8wVz8=A9V=w(Xyq%_%+bLWq{7C3FG?Annud;H zyX?JF?*h-=WYc 
zN{znS;1&iVeVxN=4$@-=S)ONjrdd*OrswM<0GX3q)|-%Dr$y-YNe)OfnQ14&^39`lv4t#g0y9h&=u_eO8<{$)n|?W?e+8LKYP7x z{QpLtXFUH|DCm|(|LR(Q&NHAQdq+N>$Fd+<7zFtKGWHjKfTrk_NfCM9n~btu5;%MG z{^acD_P49Eo70M5+UwJs_h%>O&o^hAJY0HxdUh(_VoJp zr=#OvPtQ*dffG*X3Ry=0`1S1V+w0%XZjOIB1P&vXQ+nR7pG`;dU+YOn0-oXQV87nk z!G777{#6JA*u9haVZyjpI*-;EcX=n86k>d-^=dEGBhm?syP?rGU2vTP|W)O{JC-Ghu)z{(Z(E6sE*5q zD(>#3l)()qK@at9+~>LP0C*u`uZbO^BZP@Vw$m_XxRyVeu4f1QuHf&klJG~ z#j#Ik^FwfYd~$unUy2LqyMrPB6=QLsy1G*4NE~|tfcpvKD>My)b4K2|8C@2CVaza+HwUS zSg~>j8n_}oT8guRW zF5M{$5DxrtOX1LhK_F_|9`+rXpW>3cTWvUN;9 zv9_H+p&|a*Vb(|N&v$?^g1MB_nI)Lh3)=ivMl_QxA4xd_L^1gcRBRd=oG6ChWX<9u zwNE53v~V?kJ%Z3mvGPMgVdx@aq&Oli{nj9BR|W!&F{XsZP&)qn(5K#5`Pf(&#*iQj zntExTD1cGq04@FSeTZVKPC`&zUS6n!hkC!KY7RCTsD@DP<}iMEA9;|XYZ^m}rVm!5 zg(XZZl8_`3iWfdXo+If&D30M&#&t&vSH&3~8j^k4=t~&t-($8co%8E)Ux7Ry2qWYK zQs`*ZWlgZ7c)=i62B>*z)?8xr3+TFtkayTqPE_Ifyh70XE%qt82wf!K$B5u0cFlq@ z`j{X>jW;Qcl>YlFgLdm4228CsXsuU+2@HZUbni}Ncu8yF(rf=eXopW%Jb+{55{ zI~ZTdV9asoQylx@)Z8Gr#NIpc!J2q!;a0Ysfd!9{5YR*Hp?A;^DGHgK`ppkLe6Ix3 zWsLdN&FRJgBSb>b<%eUrRlvjnCX^NX7#wPu$;pw516?9@qlu1Ma&>ETeeF+`{db9R zum@YG>pBhyAVnw~?og{TFdQ_}vOfzXt8Knwt{)5^GZoLb0)#Zs9fg7G9PQGW6jwM~2!j?c9uOve<&nmRTNj7nA#ghFcH2>g zh8W~q2JKdOWSvgiDPD|A<^OuF{^HLP`QIJ(a``{|+xs6k^Y9?MV}0C(E8jqF%djsn z2t+nAs?CM+Ni3F(^psA4p>Ej(=?`w6H)O#>a5F=IJN;b|F9EQ~lEz~wT8*?`I`LT* zF4k31&A_RnhZmA!x2Txu(BNfFaa&Y@%N|~m{Z&|m;ly*2r6`INWx2xOl?aE1!H(D% zTe>r5-?63^14%`_JI4Mt){2yPyoB+yKwvLA%Dulw6y>-Otyj%sy%bUC+TZ6b;QkPIstSul;cXzzP6 z{Ia@>;&E;KN;B7l?{U#((9jAbks-`{cb$=peeemGp_revg`Ni>2+=(V*bLWu;TyG= zOV|GxhyTXobsYa*y8qW7bh7JzXE@rf|C@NkDj(zU|KRajR)4`a8(I5#QSn=>zammO zA;>dMva`CfgRPqDs_Mg9R#n5&DwU%86ozd20}OnRi$G1tD&l2V?J=b8Y%g8AMenyO z_jcv}x>jz(>RxSrTt~>QLb!CY`~mC*nmshL5dwfYQPQX8oKOd;isyy}vHV%X3|eDL z5%xCJ5|QUXRCCLQ_~s!(4sasuIqH?zk1|Ju%y7(K?-b1ydw@44Yt&=P91{_9+H|_0 z09Et+o%z15KvIlaA((28Z2j@ABgEF;DEdTE9Kzr%q$r+17hPh{!s1baB=ikC~0vYFRLg)L0(49C*}d@~vnC$@W*6tNA&eGW$>DGbd}f{b{-V z$G&Ckzri;Ce=`ra^G^6+Un9B>3(!MRfFI^4q+gj4sC!w{4AfKLOBjN>@h6&sFp5ZO 
z32G8-ZNaTA_^sQ5dWx*g8YD(eTL9*ey0f>IdR~p$2CbNkx*{*>v@O}Z6}u@5b~D!N zW-QmQ+G^dn#hSHNvy*xsWU$K`sb9)K-MDf3Eg7cIW0ZbDgS5~Xt;MVIm1%!&+V&i7 z()28~|FjnW?D3z2;h>wl|95NuZRQd7pC0V*+W<^?x~2ta^yCYefV%bd+JGAD)(G4h zf#19lsJVG-1#YdttrfVn0@uKjTPtvD1%f|^6{OyYLWBkIRVk1x{n3on~O+zs4l%eK7%Q*`*6l80h zZH=?9&p1oQ1W|drEcCn>5rS&kMS4Zi_13sh0)BcjrmNz@>wHrS_L`q%>;HA&yHCvk zx@7(Db=%qapHZ*7J^#6p$6EjSV6RgN-~hi%O+fZ+ZC+u$JPF}=^AL&j0_Kurd@>R* zon0>a*-N2HYFS73%@40d>P_?2%X}Bqjdxk)#q)`a7bt#c-R+Z>kN0xg45!vNtI-(O zrN{=IyJU>w5K+YYEBUS&=G-@#L=#)x==;@;jL9Py+ni0GKR2X$Qcp1ayzLn6)=8(YC5V}1k2J;{ZcF?OEg`D>{1Ok9gy`VJzl3uwRsIR z!++0^)p))1dCq(%`tk?HZ#P^j>gyDWLVtk1F~LYjCZy@Fe&`v*d{r_fgbZYMc#MMp z#bWom1@wMf%I6k%GgYb~zImm&A6}s-@Lg!2F1t~p--rf|7AS^OWHeGh ztz}qbH`5Ed@(#^${IJg6%sIrzbf^X{zyF!;Tl(6bGX38Vd7j`6o$_oROPkvWe0}tlS|1V`3>4;aOQlWMw)DKz`qPmhm>t6CbarD5c{Q$0( zIiO{zcoJ(>LX!W{xU1W@vn>~O(HIt~rDO1<^MjjV+kA(2Ppl^Q7jQ}YMn7`K%0nXB(o*r_2^ z8aZ_`3&m!f3^uQqRV!%g<;4Glym!9m1?V2eLhL$Oib}BJ`h%adHPW*3emiD0ecH{z zHU(a;S)0(TQ4S>^w3@4FUmCj$_>B2)K524gvn0!*XzVMwvFCuD3}V)us&#SF_&mAw zip3~9u=9#B&5YB$aERuQ8J&5(ftgp0$^5CqQI16ENUYMPL3X_(YcCN69I?aR&aD^r zT&^TsF)tTD(?nroR65D3TO>uT72LS|IA@-+Yf2n?QoAj2;F)Mk{u6*Uul z?kIIYv8)|)5aWcRxP?L*Kgiu#%l(pmFoQ+z(U>4NiIKBfGsbL{&6xA|o4L|$nSR6T zW#4A5e=Dkzp8!THB|JvWNtIa=`4zn%v>~c5=SXkv1)vG|Pvxr9SNWQic@6viDN#Ce zX>ewd5<0&r?HtMlgjjZWioKDR@K;X2fGqDV4UE3#tE#=fK-=xFvi3#wes> zD{ZnA4bBWkxdOH*a?Iy7Wd0*gg4~_l0s5Zuf58Hew+k7b7d?-(0$!$KAZ9Ww6=g5ch zXM4)*zYtM2hDVe_cQ!{MJz=`D&zNUryKq_lmws=UIsen`_P6%mMjmeKor}Q+>1cy= zxYuDBR&djoy(PG^=hZg{FRfbVHsPf}#2vq)zW7^J_0{rN&%mu5g0&dF1;**!K54n3 z-*Q8DVjT=WFURI7=Ihfn?2Ib)?OLa6((E=uj}6$JY93`+NlvLh0MS1EKbMZNWc|P7 zK?={B|E1F#w6po&M*a3S|Jz0$9{>N773FWNOJew?ueDbAzT_Jb-10m@{1$7j7|L(e zT~9!N9%O1DJu0lEj>X48gWsP_xP z*u|YXV1!c`d6(E@aMU=J9y?~^GDAUxV$#wud37b8S1=!U%23g(i199UHLF_Bm6{R`7dcKmmmEUVE3;4OUw1WII9;ipsxXq6XQg>ET6ijSw+4C+n`DtLZ4g| zSusuGO;G@7MI|2p*;*d)xyl%6cU4S8Lb6?{EE~pEmSgcW$4yrsEM+88R$6NgmtmRSzv9_a>&Qj%T4t4Oa+NW+oUxbN1#P>a zZ5Oodg7%dxXxsJdJ6_Men@ys!{htVX?{Mhzv=q;L|7&m5%jJI>4!8MVH}Wjm&WW%$ 
z7i{o6dpRlm6*qFyitE|MkqH9Vv44}IR%i1jE&YXdZZboV-?qsVc+OO-X;Wnh8ZNb5 zD%q{cV7qjyCO2AtihY`T+cd?zx!t1y;NN)62b^bE&7@3VyqLR2He>ygg1wQVO&n6S zgOgWCw>vdo^-j$&n>ayk5_s>#>T{aj&rrn_`aXsNu2@wuE!F>GJV$hf5^|LUPrLwX zS^ob{caV+$84P+`{cjV`GW}1pL7W8WnRGy_jaBtPtMb>U3tH&a(g&>?UrHy;4@rSu zm@o9Kx}nuvseWk5tuh@kkNI*vv1lZ>x?%}^w)FHU2eMEMLzj3sx$Oa3)Yfz%SE zZKrhw=Qeqinw7vt=a@<5m&ki&G}YpT@+m-cMzeZ{!ph-8&*KsOFj!AZ1wU0LDX)Nv zY4eYuC)3roQ08qU)Mdh(S?r0;!1z8jC|pX({r{}=A2^1t*(!>s;4==HYo z{~LMuiN4DZ$Ll!d7cGhsHf-=T-{ptn>N9(?K%J9$ylAbHb-deaOC6)_fQ5U7DD*?F z_e(I!>Y2bG7(@5&L?~7q2U*%kKQjTZm{NR3fHTH8uoEf7ym%%Ja0=#iLE-Ya4p#Bn z{|~B*D=(W-;;bwW>Gw0Ri%lP^M9Qg3g#^`+f$b#$;`d~*KvSzhfw5{n*ZO{5lQH}h>&;KL*_kMrN}c4 z!Km_xEDykOVGyu>JC`4hor0tf5?MugiC2t1Cdf$aN+^!uRB7~5P?QUo1)u$?)t~-8 zG%~*`eI zdRIRktwjN3O!H+mK+d+6DxfM+M+a18W%Bpmd=DLh-)4x;WPU+b0Qf`|0QbI!0FFV3 zX-jAN75(D&b_Om<#3fpyi27xhs-=Po!ar9Q2aX6#D8K%fQvkL=Nxvv}(La-$C=Ox# z0Gwk%j4K=<2RPy%>&$&h&GJK+r3#oo5n+Ml06`k$DPSpu^a=$C64XjB-YD^NZgsqG zS;zY}v@RXK464EuwqI#`MWY^g4cE5r@rS>0A=o7?ZUs;zFWA6Po93Wa9R87xmP&r)%@1(6wX>-Q%KQ0d{D`${BW9D zUoePfuxkxdh|Fo^yt%qO7L#Qs_br`B`ENJJ<)7YOmwkGFqHF1qoh4h~ySg)qNmRplHeF5iJcsXPQ zV-(UWG%3kLkbX}i$)>`PGjIGVoz9L7>`UXRG}G(KZ$xDWh(%GC)Vv>~kBJ{6FP(52 zEwMEEBrU^qwjUPa0^f96>FKirT6WZ+?MPYHl<=vn-k#x$0meCGf?PI&xr_MJOR=$K zmMXo3uh`F1B0wtyp&{+e8~S)B1YG^I@OIfu;nEPhvVhw<|x!u;Szl2T5PKkb0f0@fIoaCbSk7=PBV|H|xtaogp3901GC|8$4h z``?D`&es0l$ipp_Yd+ZP*Z~%7^JVvdCF@r10;gr_>;tEzDZk*86=Q$pzkB+AI({)- z?zR&-xm7@|IT$>8z~hlj6$a}mLh334)Lj+h`cJj|Rj zj&TFBec;N3`5HL(*;#&%v*CU*axUgt@aJ%fE|Va*HacIc6%V_2C>FWj|4q~d2zHaX z_R67`6s;4JC{S-ub#JT*c=gS)?M~KqC+m54vMOSBGg_Ig&(#a6V_Fp(i(eqgPpVge zPiRK2fY3)1oP+U8T{RO1x4m}iC zevG{16BnN>_$MmF(j~B|d!W@`2$Mm(Vn6cU4}y{lp;b=>l$z0%x=(9A#euoK=%h>44sd3a zMn*~qt>Ie)l37G+r?S*rX{@p{lXT>pXACR#qPSJ{v9i&U#XGY{O(Nv_FyIO3xuz?0 zs8e~vs?67~ex6-AsXDs%H=y1F?yuWRf1h0f4u)m@ zT8R3DpQw`K7GZA}OmNIs8Xl{5cDV}(Rx+G`dmK_g;|G4DzaM&HxEc2eSs($iCbHd@ zDPj5a%ba>NFxtudvdasdH(P@{dd*%rY+gDA_xftieyyYR&MuvrGq{l_BNqcck!w?) 
zcmR@n6a+TIGj1})NG6L-HHzgT1!PajnJi9uGAs=n6m4@GJ`XGEZ zh|?INiGNoU@kikI4Y zyN|*<)Ri}iv#o(Y0&ipi_#(JJlEslxeeHO!c1GKb^Lqj^QlJ#1nP0m4y%*A$&MOH`WIWYOY?{Ij^ zv&8=|&wD*<{@-qYl)e99H0W&o{~LKM|GymVHSPnHpBLO{K#;}DO9F$kW$Oh9A(O1%;k7|G(W_S^ocPOKz3uCk2=_(VQQ0%_nfG7v{-}}--U7^*-Xn!Je|yyS z`PQFO{hvaLCP_fna0qZ&{-4gUoz?%_qyAR^-^3&Qe{!&|*K-KaLs5Vq=4eBHKVDS) z7N_ngE{pz6`&rk&mQI7UAFeB3P401g7hvd_&3}M_?{Vcr6SazvSsfcj5lOQ-8id%o z@U||zug-;M1=_4MO|BzUl!Cg>4x)W#$yUdoQ6a3o>s=P~m)ZH0%3&(4IsV2ZH(VOa z=W>L-YaZWIIHxPaBI^f7J|+0Fek&37HqgrRk9Tffrvth%naG~NnhyDCU3hU=E@Zl< zoK$>RAunqT;7TmHRIaYIK^+zqQWQ_1i!QPEv_R3FXTvqhpjNf$q(l7$mLB%xmLE`; zSLG|U7=fiiUoS{}Hm@U$WeDm=v&kDr7U|_iH_EDedT?72)Vizr)~oRKJ~{hey5sh4 zQMfosB6K`M?%lKQ|8<7l-2Pv`*WTLyn|Oqc&&C*>h6|p-?Iei;p61}uZUDhUEoQkx zKSXiMBX$KRMu~_yah1=)nOm@6f}JNUQ#g?t&EmCAo{2^w+Qo*K=xEkb;$v ze;OdDJWrg>M8inN-?M*BXkHQ_HuOySn%W1uR6iuW?VUzl(cC$-bAcW!f`BIDE zl&a%x78P_BSeq{;aV(G`=f%az#UTLiL!W{hL?{7pLQxD*xY$GC;;m2U-o*ceJVr^* zWt*M< z_P0293kmV3p_rZgz;*bLN=M-9BF%Q-unsy=5yy z{f@15kq~(XIAku@1<_{ybmo9IZ~}bqfVObB3!wIW^d#NF&E}p^pPEJctl2~mK&GLX z=qw#R0Wx(%tJTV%TUIA>%=8ZC0rN9HXfcNa(>wtAqu?4+X2aS5C_x^D9_L(sR9$w% zfM=Z$DFIsOsjr3XzxAX{{V4Dl^CjwaJ}hAdn`6i0KU$Ixm|XW<4>o{DiELf5j-k z{@f`bm2v7vXAv+PvTGDz@>=9AvEHR=O8x+TNDG?H3;?i`A@G~Cv?OQ+_|hiME@!>Bl#4dPf_5zJ`El?#A}@n3Aiu> zF`A&5C%58L&+}vC(%@m2A0&g+o$>a@Xa*NPPGZK|P|pAckMRUfXa)zZFTR3=By&W7 zlMsC|k(14#Wv-oSm>u0oJDy)_td;=~;w%PcUZZ;i1RmxDW+f8hhg0j$ByDAC=tlv; z41S1&h34{Qe1c;zPXg*kfvW5yk#lqx_>BJAd4xlxGD~STU+8cfn-n^8ou?Dmc|~@T z2Gq=%CK2`u*wp@Bp_7-+TaHS$0+;SI!<5A4F*fp?yKq=&Q`KezMV3-K;c?26_E4zg za()PyzQiX%6eE6N9Z$$^#Ka zaqv~}t~hSKA>1!xJV$hf5^|LUXeFBKnsE}KFM<16IE_(yj;s#SzNk`-ZP6XcPs3Cu z^}fV`?>?-6uEZqb^)`+4FF5x9gF^~~OY9vb6cZORJrv$S@XO`V3f-7Ruo`(Nq5I)< zZ_#}k+Q%rS&37<_QxpT^KBblTgw<=#1rYO6rs{53wbn2K>*-1uO;yU@YV;#aD4QN1 z15xR#>Oq8Yu%-@t>E-ZG_Y~@X+##}eE3)=H{RXHd`d@d{$?pFS`|WM~_eLJ!))S$8 z1Wc096=$oMgqWfb#gH=7THIo-JY+`5AkE}jJZ7x3M1o}VLWMdBwv-ty4y7e8`3~?s ziuq}jBy_>BCl97vCzFZ)2{=usEcVvKQRSX`3Z7~HD$@xUu9O4I%zu@}QoCvZ1T^c? 
zYuif~id;-ZC34|nW`)$b)%<}tnfjtoc~o?`&Vl&og-;rUk6vgEK-#kw>siGKse*CX z0RpZ5<^1MDG=G>{>%Y|{;zlhmddc+D6iC>{9`t*)_{+$2s zpRoC#cJtt0uhbvS|NTevf2$umzqfaXozLp$OGh+eyEAR~DCZc{8_IEQfp-a^fC*C( zK+LGY{m(E2FoRtDS5AY@16I7Unj;$#*wi{ZJDDiI_i#CQCV?g@w^t}6~5|GR`k#oRNboBUhp zWl!Y1N67!m^&itstpA;Mzmr@4JKOv(8+q!mHKuB3YiUXbQDcT6Kfv2srIMQvisvg< znqW+gmU0qcN!Jvjsr=wExXL9jCV(hpCCh4OoxgP&Qyr{qOcZ*0V~Q}9jfq0ljeThb z-9FFy6wCiGn(o~Sv;Lh(hWd>0zwKT-m;Yr>XooxPe|NB*{~LLh&wnCVfN?|WuYF0VCk~)fo#NwVhzSXVb;|!z@7d(# zSGKZG`iJ_ezgTbo?Tuajmj96xIVzVGp`J|XOl7_n-n4k9u@HB2G5Cl2aHMJtfb@O( zjOx4jvo?WG~$hWp(SWAqM2pb1VtMItyk#9CvO2PlmESTF8;IA-r9c~d93|eHrOEW34NmQms!vl zxUVZ?Pwk9uMIBk!(H=YHj!et;ij&g5&S8j83jxRndZm;He8ly}x@gug9sXVsW~``31nSi`eS z{1ic&`zTCy4xORg4t zFBY>EqPz%5Gk<_>2`c65$X0TH1J5$~kHW=s-~Tik_H*&Sqrvw4|3)55{_7mHPZj$p zTznTIpZDXL^!{D&k|$lxWE!?a@Osi~FUzQqW;1qphgFVkagmg9Db!t&h%a_5EwToQ zaNn~IJ5JtKu^{*%cd2P8;^gi{7(DP5Cv|$s{e@hDOWD?Ib^qZtUsgG|m-euM>~#;k zrm^2pxTs~;Q`ut!z|S$Bn^#7>jM0P`W}d5jX}_X}D>UKvK)Nxa`sc()fye$Vu;>U#U2viDg=cvfst(|=+T>L15 zdO?gPY>v&~0s($1e!_!-O}`)cmjhn?8~Y(}c7Y>XHs4tI5ggN_AezCQoouHI(v0dz zXvs~Dd>T>PvR*>+JVDa?qhBrrFwFw$=VA7IJ0Aa=HOUQhSt)-I-|+di!hELK+QVTu zf7vSig9vK>(aHG(O2}A*PafkZpmT>FmSCe_-k}G5?;J)2I69)%MS3MuabnSO>BW%C0?EV3KFk&&|-}!#45~ZBCF!Roc&`^qX@oDEzSwXn=)QdNkDi4 zepbn6eR1&|@odt(?OonO2*wx(*%TI{ZIuk#XwYFS<j6k1^keU>`CTW&5~h|J)PhrEJ&(umdR<8 zUTzODM-RqgcjfXv(|iffmNC|nKB?glu-85wT!_g_MM}m-_j^r)B$uOCnNvPB&!MGf z3e#lYg=plK%v3Fx$MaTnuG>mws_LY=r-G$k9A@<+K9Y-;`Y!&sgmhMbyWYiKsyXDr z{pjShGm8|upj6z8Fe;%BzhgfwZ=8|W1J*uXHcnQz%)@!`_x$TB~ArCB>uW-`)FY3$@>-5 zl-9s^G9OGNvZi=VHvxn5BS0aIABwyL1%83$=^XhcM-KU7wAYDs@KEgF7-KqHy(4n) zVl)v+0NME4$QqmcYAji?LJtKSw<0IPqil9gMZ=9y*l6Kp7%$U{i@Ajz1)$0-uVa*F zO!8I@d%V&buVIPjEvjWUc&P=xcKch7O_2?r8>V8_ymatZvcDg1eLv0iUd{5ZWp_Wq z>aJ&VuS)$T)Rya-o!-|fkzNStWN|i3J|=Q93ru1EWP8Pyc^da>PWqC$B=LG}1dkTs zXAS~KGF|o_gQ2Ls5_;m8OCfH{3|WcGqb*rwr5aaQrb`jU0DbZaP47Ql+N)w$PsyfJ zv7_Ki>^#}omze=w*yD6-syxLQ09zLS)gKMB_TR9*wf{EqTm*!cyb6T~RUWkAs(7pR~KWC_-EZ$A?kz>4#a 
zJ5^D1-(~RHGWoCWrhdl!AEQAp7ymozZqNU29A4nY(dowo1{P!<8}&Z)KbmiM zmYjPm@D>)~^rP)GOhW%-f@F|dRa{g7B1OaE$^lVFg@V9g_WV3bC|ev8>IXi3aDX$7 zVKnny;s9sidk7afk6jq?!8J%zplRqxGG3lz@EC`1F|o9tbzD1wOd!DiDfY4!6OJHP z-nq{A(qla5_jgp8etOzxFKu^W;3iB8KIZ1C9Sbc^6^2oe>UsRb&HrSTK~2D$|1s~S z&dki4|1qJwe|L2KYbhY{wH#Ki-9ruclAjd|jdWofan|>Ylzs@VkB{D-W~{z6SR^xLA`ioPq?&@%szKZjGKE@OP86KIM5r#tHQv-zJ!{q6bhjXb&g8Tf!3iG0@M3bNSf zyYL5PdbIAiFb@7g94FH5n$)0`cWfTM1`aQ2B9OcF*Fx1^0W_r7*~8pb{*_|=&wysN zp}QgvMlGq8i>ayWWl(CUjFQnC=MsFyYNhs76sD~hMVR;$8yBgr9#NIzW5E0Ikr+`p zT@NZ0P9KXylmvmeC$G%isE67~%R0b0o19~M86$#1T9KmcCBID1N2Zs{uId~G_wa!* z`v5IaY-u1lmsJtox{1|2eg+LwfIlwxU#0wQda_bHitwy*18N%Ui)f#sdMsQ21Al_t z2RC^1<^MJAe{GLO+4aBE+3x>r!=Etnps~iKHf+i|r zn4eBej?ikvlr3jbDxxc&L2~%hBk@MuX|`LETeH2Yl~GXKPS_F?NjzF)BhqI z(`UZ_f7l)Na`*pl<9{~uSo$9y>@{ZpR+kmmESYx z1#BBU!k+N(pn`+}YJWo2^a+snF|=B(-0q%@K}(jjwHE=8&QQ#uL7?pt@+0Ue4kl<@Q;=*MNpkLrKMjVpM@2}LELt!1 zg1 z<5K>%I$g-+Wt?8f=IiZKy;FIbIZ8%Qt|x4;iWxAEYr)*rg)SK!Hg9sH&%YSaQ$_*a zcphreVNScDB64MlyauoMsZRTCdh#jXY}wf>>PD9_rr5=S>93$}ROYU*szwFqS@*!$~y ze*-s3%p-Xi4(Ev8CIbms<;URX@(1UZVFRs+97}ia*O^pF>-^S+-V%bZM^dC(TtiByWs7~B|-i77nhXe zkZHu!DaGq0noVzD(qr*4ClHsHhJc`W19?jn!{aa|Zsd?+mFivP{d3863mIDi=ltR= za7QD|W=q4r4ct@|VO^%V)-gI9XiA$t%cynq1cq@+nR79G)a*>2SS)qS5`46v(TK6^ zUt47QuAWNypB~D8ERzPT%Kl?_SM&ee86NDf^M9@6;rYL~A=)o)8hGuc0psGczKRyH zo+n2@Bca`FwYG#_A>|9BzbME8Hw^v_wP3{bUdK(j?54@&{PQUjPju0T0Dpx5nk#w> z7^%)dOcINz6qYlqnk_jN1d*F)JbMRJ4M#5kYBbcTRaPScou)pyt z&1SJ`20{S5)oei&tqNDQjFZ@N*v)^>n;m9f|r`k3n2wJf$38@;HUmk$2%4iV7 z2rbVYN6eP)u8v6rBW27yR0#>JKrB&4sQPb?{WkmCV7u~xEOx9FP~_oQpnDX9Mn)cT zd-;!w_=TH+%(N;BSWW+UL)_aa;39T0khsNyl7$x(d0mYQ%J+rs`pnP?=A|__OkGB> zvf2ho4Hei=m*~IjD}ex$Hugf+KWr^vP|X(vYc~H;V)TRs}Wr?)x1r6ka_Vn@@~IoALtRWOeZLWuZ91Lt;&|b-$D!OGE{Ga zDMT}?QAH`5Vxu|=r7ys>;uzG#EuDb`9LW|L$&!9QQGPP-QCn=K&Q+2!`7fFC%=ioy z8Nle;9yAU#+4m2svl7ICtQ*VH@p4NS%`hme1^wO8Oc zLGn!Hd~!flcQ0V*-d{rxMLuSi@##8C;M++8(+LWF%zDo}52mU7iZ!2Ci(wKVpZ~VR zTj4A(K|-;^&>8>EPt)E@(nyqFX`|1 
zsnY-Du}&V#|7*CjySs1re;uste^>G-?Aw)yxzh^gCf3e(!L>=fX`Y^TEuqV7z1kKh9v9rAHe8c=7Crh0x~E_~)J% z&!{!h6i!icUs#TQ2J)SiR4fdpK}OCc`q$Bhs{YYSvSukyd+DZW5RJiLn;O4RlOD3t zf@~X1p-YU7W)Z2IU!C!8_3XLQOWPOSSq=qh&`PmbML?_)p}C&i`Rej_5iqP}+O=?( zzI8H2JJyy#grGP)uo*3p|CH(7IG*vNMu~r@icGIAe=l)@@Z1pMX}3s7c}?6$8}DCv zmBGPd0QMl+l14l&HehF4G)bXkFFg{%uVG)2V{S1r&pRP3@cnbm^n(so4KV76X_g@X z7#ioQAtRGGV|LLrjfEIQ6^VjueulXNHvpk_@hrJaflEh6QZ-u*<)t24EsfKfUKI8> z7PI(m_E&DWfc(D2$VAp?5>pDh??<_zd}$X7FHlmudxx?;)!<n7hy*m9O0rCD=GRz_w9m5^xST`sK^TzejSh0Mr$kqQ5yg7YSSmFHq@{gStas`6K7!p2!jG^YS z1AyaU_QLtUTZ6y;>b)Cw|M~t4`S;zR`_K13cDC?a{O6bHzdD)q+) z+gERXdmsGk3nZ`pPv>8os!;??5|q42$Hk~g=xtqwZV-X9D1&3Nwc)r2hMjG&^)f_m z#$F71`}ozHAPg|~Phaj22Gfp-xQhH1O^OYD%FUnlFZ*x%uljHLzwx$SVaQskpnnEjB%wT5^7drhEqX;w7?Dg&*Jm{#VA7UBl79@0N zSRXnT&dhT&I7ZZ}mDSOr8?uTHl=Na#53sRpceEav z4b(Ub%FK84nHTfhv1=htFCbCz=Y%dppQwlG*_4rAt<2A9)cTeqK{KawJ0<>FZ_E76MISgMHC~^^X=tmz6@N@8XeuNWDlbL@UY?HBk(c_ z=0OO@@DvOAL>x0f6cr@5@KS;q~4ckeC1`^z!(6BJVj_^;YH=GB@YNt!URG*u@jd}FShYM0W4 zCr`iS-nD(ri#h$ve8XE@Lb+ZaCTWmnFcLwbq&LNPB2pnklrjJmSmblNTBA568$O%| z9yC>(n{yP-sLA10vlE9_e1m3D)(cV|FGVaZZ73XLaFikxSI0J9#VI04ItUqx)3Mp3 zk3=Vh*mpJpE?_T7#ts^*fW%9fLN{VTAJjlH6E_8J1l%+Y##ln6Lu!){^#!xw)kIx= ze9g>U3gmja@k*G*K10hhKzI;eKp3B(*i2be-b;?b#T+I{;4{lr>8{Mux)EwuYeLnH zNT}LPG^7H(k}=AC+*1;b;|_vpFrH+%;4G#{k%%5lAK{KNn1Cs6%;Hb3DR?;R<*>gA zd!=i6=BiRf!rQ9bv0JjTB)sh#vg-4k+q1q4qU^nD%t}rpOzvb22koDRX){CD*78NE zBcF%gmj>ODS!>5QXpBpqT2LhNWA9-BYny9?Colri2h5HnGq?>3*=IsliE3E8EiXX0 z2v8m5HF8^Hc=E0|=AG*@7%n)q)z#=e9@H*R_qwQ1S1BwHOi7Qmt~hor zLM=_wv<3$WryfD_aKAU|nNb`9hKHm{=kVi=5&pvm#7QflZI<%8!!licr#;Iy;&w&*WfP z)JOuWw$e`RXGhzU#4Jf5*bC7e*b2GZjq<)j@1HdZDQBwh+$bX^9ydYc1DA%g`}rBE zMXrd?Pv3s{n>hR9l=P8U%uHrco?SqiZ*ie=6W0dIot zA_9O?>l-*i2?Xg~ka?3J8sjo zTaXoDr2H+da(()iB#doX=T*}>FE9Q)KfP*J=f&~Khl@W>uddEs6zuTUw|D_ZO{zM6 zf(*$!$l%n*4XbTev&LyiRC@$o>w8M#lW~9SW&~nq5ESZ};E>+i4Q}*6$i0QEYj6W8 z-s!bFNZTv#V$V=xG*a5hLeElp;HvKbGnh<+Xwk@@^r?#fIUE}PfBS=V{I8WfYW~-J zvfH^jk^p`emqki{+P)r=M?aS|rZ7$2F}!rMi31!bf5DS$sur4t`dNl5lNVC3CqdWG 
z#r!yvL8$m_sX>n_D7M;Uo=8+~HKwnRp4nj=Mb&JfFM|*|zjOhsT(`MNuifOEpeDcnvib zG=;5-(d3mw2kaztgXvpNXX*zDH6kW8Gm^1|x3Y#1t!pI%g#Vs!-akqkETVJfMK&kQFNN?BY{Td@11Kt>Dtx zjTIPs-vktGKS8lO=5nG9!MuP?B9L{OmY$XAvVKSljFv?8=MLEN+$jt_H z#KX5ZiG~kH!6)GK9UF?}`Zg6u2{Yn5oVh$FkPAjAxpNaAq@kNmz`OqY#c|(^^D)Ht zclP2^x_|R+ZC*C#2gz3+$Fj_xlPB=AB+-$NL&980P1p{U$j)z6)Dql;$pzQ2h2~zM z%$PUD(ng;A3@<)66@3gwbj`&0J<9`U4G2?tl3P&A_l=x3(kLeI%1b$l1W;xmxD+y4 zGs?!O;595Q@V#9G-wKga4Le9dQ*xNZ#I6#og_9{96N!kJsH?%0Og{mZo>U5|a~y^= zK`D#)l>#iT$H-6nl9d2nT(r7gS7bn(y0;LdFiIiGNI3U0Tecs|j?e&ZMNERT3x9@( zIO(XG(}?o9EHaKQ*{p;Z51>l6&t2Ju0l%nv({iG2}uD7b-y?qTXc zQjo^b3r2xgmOpKC1T${}{p*4SuXVtRv(+J|k>-S~5Gy8D-H09M0+b6T0ek_YAW1We zJCRL&ke?-XUl8%R067DmNmr{i6FTL^!qRx&(y1ALUvE+?j}fby zg~st9MP)n1Ap1wY6}Oo)7g^)7T3lt&#Ed9cVk!qE4JU)?Mu3tU!pus1igDNgk6>@qyGVZf?nPGpbGns;qKm0yZ_nUKRj69|E%Is?tk#40y@R* zT>VsJRw>c$^1LdW^p9`$GDz)VTem^{x`*_g6kvaLOEb4&3|)<`H;W&I8M>btnCB$H z0q)p)V&y7LhDw+o9yV|(60ez7&AsI7tP)nKoxs6+Yny~7&!Y5yoW$+X|9$=bfA?Ux zzW-mzqtJgmsgFYc%hH>DM~8r%LhbPnfud7@IMpn91Yj7H{^LGX(0^HHMH)BKk0+US za_Oeon+DSK4Na>^|K2o5kexmlM||YqV)TZ9R9K$`)z6~zpQT)^bp%w<|J}jijz<6Y zb`JN}^nVqPLjT#MKFSeLoTKwQIsil`zp^0E?h$}{)z%Tf%edJDmvQ>aSf$OV$->rAguj4U9Mgz_MF?eC z{3~>Qn4}D^{Dl$eEuvP2BKm}O$1m)UcxYhr?xAwy(aZs278xebb)Q8sH~`4z6}eRf zeh4fv#&V(q8v8YWVA}uSg@JcFL9-N|MgL1} zBAPjZRnY&vg9Bau-`U$=)Blw`ETqg^nX-d1j9@}y3%i*4_0bf>Zkpbqgx>taD4iuR z1wjUwu~G_LFF|PvW-&?V)Q5gRBmD?!TtQ6bHP_3RT#tD%<@{$b0z7)BR7~~L(d|s< zZW7?{s%0s$qKKGaK;*?JNe)eCPn@ zn&GX~O=H)Ca>G_wDD<0va}0bHsF!X^u)`C19L5v(d^QF91Jxv#oSF#)ZUTYm5*_+< z8xVX&=+MXqKJ=3NI8(CqaMKEDOcXNCFnI>Hg2;!T(GTxUGZd@e}>E{3XH=c|P{(a<4Xdf^pY7hAMGheL~O`)(+LqKj7?}TlTBH+ex3T7ln zF10j|w@F$mW}>aE-`uX())5R6IC1C(#I~2s29uuc=D`(UXdu63LFI2Q`64DT$=oc1 z9v*sP#muK*Szx@sO9Lc}dy6jrMMn)y;}DW4_GCva2nH`$41z3V1qKtG5{QpfVk=4L zDcCwe(+e1l$WfYooDGQ=;hptd|!W|Lowhc%e0BOv=bD{wv zHsTwYAQ3|hld@4>m@NycN8@XdfBID@=#(kTxoD|C5RKV;JPG98ED7l=Jf7qY+0Nt@ z8J|*nw&uJ+!1z&BhfGKL=vjeqTE%Gez!&0|@;~l0RGmRMXuDg46jGebvdmHZU@#Hp 
zq21BoKdRZEcxv$f{>`6muvq3N`jqqkJG=Y)y8dS{*xg_A|EqXPl^Z^c)83sMD5?yJ z|4yJEm@e{ES0Qu@g&R?6fx>dYrn&p_{b%MNkQMYCt2>n3hR8MTtEFq1-{3tUcKb2( zfD=SPCX^wmH3_h^&x@+b-f2aK-gZzu6%ugBV07uo7xubomIppQQ!EVmH!aN@gSMVI zI&*9|9&PSWG)C>s9fh`@J2rQ8I38>63bhrBPM<78e&;h-dk!VO_mQSCMPbs?1Y%I% z{nXW*I6M}uPT6Jx(^;4mr`ZzwGK$CgxEEx{;xM0?xjL$r53jo9mXG4`QY&WjDJ+@# zyFH4>?JSylf~b{c?Ha;4&Duzlmuv)6cMQ3w-Vq>`PQn02*%|(_p+yzO!n>3PbN}Ec z{(>dEWN!*GTaxx!1(9`=y(~^Qkxh_N?ba{Mz{pZEii?4_jl>@i}C&%pK>g^G54t5X!>1;?YH(lWLZ-S_wP8|BH z>(M{H5TNASjhjxu&p-d;^x`FL3VIU+oYPOxn`J>X1}}aAcy*_}Ue6%~-n|3e2soSS zs5s#Ld+?wCiN^pX8Aa^m_1TBx-{1cF%qaX{8*IFA+1F=(oIWEXMPK7(6ar@xzh@LN_H6#dS`5E!(#{r?% z43Fu3`Z09*6C(2b>c%J@Avgt7`^`=9^W2FNsXvswCI45p75 zN!e+OkZ`R@LqbBUtqI8r3CYFztBX|;5<0y#2nj>##qrzYUyiR&kAU;}v!UQ)|BEa0 zhldq#dh*u(_2SLxvp$V!OZYre*}v%}v*?5(vh^3ai2cjyIN%Fi-{}N&yTr_Y^Rqnq z51`v6yx-2@V0b8f9Zl|cGEcUVFH}Z&)VobIRBMPO0<;| z+@W7_hd>uZNXSnT-@Sv!6GeV1vE6K|sXNUA(e*qSlTLUjifEwM)LCj@QYC1!9f^l( zy&qSxAFnT7U#;Z)#LJ-i@FeJ*TwI-AtH&l$%Hw}dPy$nOTC&2Y=f}UiJ|$|2)AP4y zC&zEkF3t-opOOW5Ji{_~7I-|!tAKU<;?3Flhu^PHug;I(oE88P)^SF~RY?uSLrIkE zLR5Hs!p1Zt#S=l*BKI)Wbsdx>db1=1-7axk=yqo*rGl2ZcyNx?50W^*KTy%(=%;`F zwA;r6(dQq?dU|mBMCu@hlM-3wy}U+Y0?HK{Ho~fsR++fw^J@0>+eDeGVixAW$mK;d zN*|*%8z*qBF<%AEZ%7X`YVi59<|#`q){dU37j5DuhF(@h@mSoou}_s$<@0A+kq5Uf zaY7?*U>KdWH=2bZiw!LykpogJw#mg3F+UdH757?-;|rKkr>UzyL5xrclWmZ}lwd7h z0e9{OA)V!WtEfeRy=4`BF7ly>8dR!iK0I`jJHA!p@rNMA3;P~)egvVih5QQq(BqG${*%rUrlyfHwnjRC421IgjK?3Y|!Cz4;=(68XB zVgJeWj0-w{Rr`M(?Cu|E_MgMUowfhhN*?0>^^JLdaRbFN*Dt#f<8ppqsz7)UW1f^ECQ(5Z?FLX zvT->Sy0;ew#mV}XvX#Fbk4F6rHQgDlry?yTHkj(CD3$_$P3BYhFw)tr=?|&y*lZMaeLC9u2?rOvLmS{B0QS> zzrVk?Z^-}q!?pasisze@|CtR;sr+wsgj-VnS4?=mb@^XG_B)sVnPXl%@;?K%Qu)7? 
z4w&%1iu^B|KbFh?#MsNK0I&+W405TMSYRHf%Jnj28K_OQpaQHT#@9kYQ!G$T0x{ip zD2i(FEKIfHS(xg@E978?S8H;x3{Q;X!g8<`+LCgx3Ue_z*aBlAIoJYcK{>bp(t>iZ z3T>gFHyRAOx*3G};;#WD3sVLJul_}Ve50{OJvnbId@sHlg(fYVyDI>u1M^Z*{<(E?5rXG5s$jXrN8R== zxCRgI?(PuWVfsJM_gD8;bxqCd)2F-7Ui-7weqO+ud&~Sn1t%-5(Rj9R)axtHIDk0G z!_ZysIL;JR$LMpErocE5yNYk14#^Meq2d$INW~!%S1g-HQ5wv(eG_pgpz}k%cO?oE zw^0yJ$ooB`tHG~A!Gdc%7g{H4uk>NmRIrnD(v+mL%gXzUiH_+#X9SmmcqQSLrjJ#M z25x8-XTN5KUp1ynrWsWRP@h!R~g_4CvoDd2>kph>(zAW?hjU(A9NlCjI zTcLf}sxpewDLb34ut|`onna+|q{K}g+~jS;1Rzq2NQ))ki?sg9?coeN!P(hjx&=t)nNx!qFnZ-fn)B_`K$vgnEnhnZEG9n9`53gIR}^7}U{7VD z?^F~@I>IQ1f#i-*528O(?+PuFTEe8MU!54acLPn3D*oo4M0iySTkDQY_dKQ;7V0bY zV=%3ad#^y${;PxYm$4o~i|q}}lkX9pyQUhU9XWXkZ^ywD_&zSEe~rG%zJ06Y_;f6i zvr%jffHdZS?5_83*<`&q=1xm!!Q?qt}Kb0;Wns zwaMtx#{3EmMjILxB{gD1ohwk^e(|GN0?RYDQ&LV!+f%E?mp;+*ec-;|E@m^(dTPFu zlO8q(e*&>KPE_nlaGq+Wz(5&4fb6sg^ngB(B5903Bwh(2U}#r+r z!XRAO36PL#T+i{K9?9G10WrBfv3|q%iTytQJCH7Aof=qR{!Gevb?HA&&4wLPl%ca$?z~#kx#x;Pk z1O}LV2rY_k(Fa09LT#OF8|{g7;lV_FibAJs*3_$kmhm^W69ZjPed+8;&R&l2#~V4{fSJ9Jjs$L+~%YA%$@rXCOKliFd6B`$F&c zCnFE<4u|}KDtW}6^Bc(mb3I;fniG%^WoWttmO40PZUvjDK`& zYT+qi-$63bU93hKS7uUH?kBzNsi@Lw2gn4vTT&q=XN{XCg<~9#I^07aH<>l-dhhFd zkDqBwxr7*${m^>%;$uc z1M?@Hfp49ec`Cm`Di6%{{Rl!JRcl;;ENRJXQk<-yFHI?o2QAhYGgbzJu$y2bLWISD zPeRPRMelxS_p4J+!MjNH7|U3myX$R%$?PsE7;?8R+w@q_q zjU)&xatHUjqpgPn3!@yp*1Vud3R`wRafpLRkBN z14)=h9ChRjlp{V{uoi_$d-~b{q50|GxS4=-m@-`K)lL=8-4v|6VWoc-8&jR4E3$f@ z`E*vAj#)a>I1Txu;)0fbixA@I_+vzG(Vk`#f0ixW#jzzC6!&dh=+C7{$n?Wn2s$UD&$ zr8SJHakYYiqBif2WKi3Zzp`h9!XdG?(ygpeg}+qBV3ER@B_F@Qc zp4}h+5Sy(zU6tnn;m`e4>&C_JQ=;)e<0jWngwf|X z&nT4^IvB8sEh1vb$X~^)IB#=F6O4!g13$vz8Ge*)M=(fDCt#PL!k&|!MIIP-a<$id zsJ?g&f#MMlj!~P#q(aOznqoQPUu_E(=m-zkslqA9OeQAWot{KaN-)&NeZgJ`s#ou3;GW8B;9G z?&E_VcXWC(t5jEO4X<@^Cia(t-sKJ+Ym9R4uzU8e!R49jOXmfqB9pewVXpbM5(tWY zS&V1gJl~eItgl9Na>`9V6*MZbrep-?9WN`2ySk5P&7YIMhy-i1{gi$^Br9?uO!%R2 zcduaR&-66k#qaO$>*v2JBog4ZO6qPt<}S=Hh{Xwgn_=D39v2fH)XQ#o66B?@in_rG zD~3=yPmMYY{n<8R^32XaCPN1AZAJFfC?QxhI9mEnD3;K(A0y7e2QO)iuh4%))<1fA 
z=mQ(6gM;q*eDQ*rZt|VPjxmuIr`Gorwyv_}TGcb&t;*w{#xUJPx; z*q*e}LQMrxZy9NTXATN@Yx=uT-}{#F(m2r4(g4{ANiywxrCA)=E@9T3#$GJGYR{hK zdib)&`~3r>Hyu$ADcReNy*YQ)4cyfBSM#fYLPa3cBM|2Z@GNiWZUMFXjH|$TLD%(S znnz>x`AdQw^a8rFQSIYPz49P99?xNrdIR`(`Y0k0(*NG{ekq^x@v+;X;>A?yb>R+Q zwpO`1q(5P!zszOoKtF*ivQA{-6_~jMA$GKbLHHqx>HX#K9Ze2&`djzAURV|HOuu%$g|Qqv8!c7@o@M>er0j zYPR%-caR;gA7SE`-ulk8q*JCg4q3dthYRhd4qBOliPX6s)j*mPU3Vt8%|eLkJ_+ND zz5|K;i;KIv{j{u5ZsYs44jAh%>+j&4s9O;Wf+YoHXgmo1>18|s2#{3WgP44(-T>w> zVNqAw?!}*IatIQ~ngRA>veoG_T zAI$9Y!lAFx#w!pJqeqpaukcXoinM_8MaQJZq=EWduB3w?-W`Z6U^6gb^%P~H;AX>#S&|BjObi1+X3;~8C zh3mi`V=lhpGY2A!W#^c&{=Ih?HjG{r^4At&Y!42&vYPn$F3EsegiE81@)B`T%~t1` zkDn!PepfW-`8=Gd2A61{6ddAUh`Iz+pzcBvcG1Q2&2(gjhP!{941#oJG*_8SZ20l! zLv>8AeAy%9aGnxQFHQFW>gpvPS~mW+1-({vbg`6Qokzyqi(Ojm?^eQW3R_@}Ss$N0X~t1fpf1IjZ&ARn{Le+JLW^0M|dN#++1$EL!;=e<@>%mq?D-)NYik& zvCdE-b0t^p5h<1ky4#p(6pcnx7SJLkSli|>1>U9kEt$?ovY*qkN!ujk?;HB2x0xaL z95AD?suFt7Z}73=M`Jd+r*04ro3C^wn+21#7ddA%3s{Fnscok|jh z8^#JhLEA;SR6{FGPXsg0F=pUU382Pm!Kia8bQUKVo6(9cd}NT<%jZ!DJ_m>9yvd-4 zf2~}dB$Veh4gUcLI%wvgP7dUhki&|FjyVKm#iB$-3o$l~9pQajrs)UYbQNb$$E=*m z&@>jq`mDjG_!2`O37Zz-ApbcaW9~}hp({ju*fNg7&hq$Cgv9{Pj213!d72hqiF>@v z0MerBYBhfd544-o)LdvF0;np3yW=)Giszv;A95pJOMoR~7RW1Z=i2B*gVo|V|Hp*= zjG+Isk$Vv&)KEw|L2~=4zf;;FLsA_bOr^(L%11MJSs-P+CW)F>A;BQe!Wfl^ zRXwMh(G|!hEOy-m-G`Kd!+w_L+e}xeOKAH*7Y zx+#L!)VE>Yj%D%Rqn9WaU#-oy}moz>7U-!7@`0_pYazobp z%a#-FJ@{|G%#O@Q(D<|Cw4yhTqWPbV9?CsYq>Gqc=*meL+P*AQ>!Hn?L{5=zXB8r) zTCMCiOsp{}S2NZ#Tn%opMO$v7*tJe`)&kT|A6OZ}$)mG=Q3iHM7Km^4y(T}Q&|K{? 
z%g)cMF*ngvDh*K{g@_Q)+EHW)C?2xOk!}}FD|I3dfM#QJ`P&uqXl#vNRi>s?_>)~N z(f)LN7b%)z#7;oWxCco8jlJgNwB)bH%4;T~|I;Vx$8aMJ9O5~E*dV&cMn z{q9l(FWlJk<*#d2P&Jlx-V$`jy$qJ3s`w47%=X5=?>-d8e{+b5gsml-DQQ@X+GSGR zvx*d#k~X^jh3fp3jxk&5Az|ibLmch7O8pp*QrlWVxuX!PVJw2O_P073)jv2S350IF zC;jnsf_*6gL?v>e`-<)*+a=J%v!nNzEi!mRZo%?PXzh%m{hJO+)g8b)eG6bdcr86c zzPk)JxqJs>C?L84dM4D>_St4@>-4~s%$E#a>#QdD5j6!Ph3AFk$Ir_@^%CSmBZB+3 z4kOhSf!{hFBnXZuX$!Dg8vr_nXY3QJ-Ai|dOg^CV1Kxfzt@v&B#;2af=tSadlf*tN z7V7iG*;7$~wIllZLE-6cs?9fR6a!Q!I`AXRJ6Va|D(3Ey#v&90jEDlE@Fm}adkn-p zqh>CLsj|UaBS+QMp!3YdMzJ_6mZcyqR)wqulTEEOLPe=ZOZC~~XJbIlu6h9Y%f{ti z4$$AVLHhn?v<6fivrmBnI;Q)cjr=^W+$TXZ5zSMe6CBGXn4EbgC9++Hlqk0w^m*I; zRz0M&B_`}8-k9zqc5R6GGG*9k467yucws(z08`lzCA1}Js0c{2VqML9hy3PnZqPr8 zAWRJHy=q#64^~i7p9hXLX1^PhL022a&8O|^8k7bP+~R;laExA(=RnNdyRgP>5_wVJ zOEk3it$)24;M)D)R{$03mMbC@mrXz)J=8^y842`y@`j5oQBLG11Xc6YlML?C1S|yV za=n(Eh75CcC*-5Q=Zk#PNjgTh{dS+;Vg(29j0V28h8w~(3`GO2W|08zvi=dE3qd!4 zFMH5{jcr!%RHXl%>`NHJ z*_`dn80{QW*r?>kt&Vfi?VD+Q3B{wso=PH`_xCb49z5y42q`~+(-JwPo=wSa@{YUc zNtIvc!eIcV-dG=TPnv9t4aK!&U)Gy8U36}y9u9-cU$S_PPQyJcIHJ}dvJCNYuW8HXk>|5u;!yE- zwgU{_PWV$fi=09n@n0LKddlYTSTlNQ;-mMghr0US54#~oWSr6Q@$5w2GkCl&yjC~j ziG?5qE#6kJTWJiFvHu73TN+aH2m51S8s)F~@p`bnN$Y?U0Z)^nVtY@!WMVCg+0Y&f4p`}!(y zfKPB=6(M$+rQ% zL&zk^_Ff0FsL5d<$0s$2(IA(;@?BM6rg@QmsBpMn?w34+(nzjDo7Ksvv6=Z3y~+_a)|r1)4COw*%f{vD^hT=?${&b1;P4%3}Y$! 
z!aV=Yz=tYhZd_cEta!cMypnL1px~XWmhon$Zi|{RO+=69gjB17FuLxKt5Eaog0Cf2 zv5w}cCAU8>rl71w(ropiFd;_IB-Hsiqi&=1PQ?ONKMndUnlzcY_RrbOT@Na}Syoad zD0s0JA2#7a-h&uM@L@_$S0qOR(^w!Os(9w$4MOt5nlZe#cvJO$`%`9gySqb_LWWdC zg=b)ccvr$`+WAG$&UPKuNyF^* z(4hRvxW(Z~JSW*JqKF57s$0NV1e@?XuUo%7uXh_j22aj}l6u&)NEn(sak>xVvpe~l z@Z)BPF0Nme*r#757Ca;O&h@e0F%ZBzVJKq-k)CZpf6bWUFI&fcUFukrtTH`Mws=XPBdY8k2=OqrGFcP9wTfm-_TzzlR-ru}XRw zGljNJr9b?U&^s=pKU#~-47wA(uTLP)@g7$VKDu*+p(Z2KK|!~#L&0Vy-oq~ddn$ha zSx+k69@3KH7eQD1Nl)~i*M;iWeX#eRCDdI^c(Y5W2xcQ04%Zxk7hbQ74YholmJ4*M zUF<@~U{(24;aH2#lzcnWYBSbd-c%v|zVU{r;+WUV^HF?Oc^8MV1FkTOmIJaq`^I;i zrSlM_V0MM<1bgwRH%NyXv7tFul@4akXY&~u=CU_`iE-E#cGBa&ne=~Q!W76+u7s{MOg?BF>{DEDm z8lJ-YF`!>-P%=@K04*G>8yHis=8LbNU(pm(DTpWr7hs7l_t%R1PaKbwNB_hsl}E)# zGcyDHdhO`;N~xpbUwC+*(^cJ@_cC*aYJ5KJ~<;}sKWOH1S znvH*_POj-ot|*n1DxDJ}Y~H8W+>LM4;Gy0tW2OI|+&duZE8i4!GtG%M{`61US3TBM zx@R>Gw$J5SYW}&Fg!0*t5vwN=^14zLMTg0T+~fqKea1BQ7iZJ&4{Qx~P!QWVU0eaO z_X)xdvrqEAqOB9!^PiMEMf|i50yc~pq0}JKl~rWkrS#0+8Rnv9%oKhjYDu@D_cs2rl2)Si3^b$Uw90vZ@lOPqbKYfs;{gh>9K-E8rL zfhe;3w^H@Zf~Qi}g3>VrLQc<=aTFpY*~r7T0+mFzIprZRD@k(powr4KZp zcwp(D+=J8NE$33U)Yp_^7xaXd9;c3i$Xm5>z$BQOX$CfkG+dj+Ltox;XTeQH!DmCf+EZu`y*_FRy>NnI77)_!7L`! 
zQ(1D=))DIveyG}`>u2dPGFVsIScb;Cc58%=N~|5ir8w7a>y4W2wEXp1>dvI+cBYt4 zZBWZ7)n%eZrc0BUNMZ5EySgwrt()4E)>xp0dsf=t7~4>0v0s0CNu<|$Xg|b9c9?KJ zco)t)kKlLP+0Rq^&cF=mj{^`|^ra!ew^^hFY}MLPdIS<#-}?3n@iVJFb=wIaR9^** z!uZz5-MWV`kpc4n*h=twI+GSs;j-{1D&J$5TX24d&sDi5DSbSl`knvWz} zQj4dd1*s|wY&php!v(+7T|etKVI=FbxNc%yWMbRiI%T>JyF|0~Nl8?XXzfnhvN83~ z)cg3;pr`{N#=tQRWFE2W!-i!@q zPZ6G{$}N4*(l|=Z;7N~`IJvIf;69kjl;-m1Sr*xoMQV_j$oN)>z_0z{sJ@&L>y&R# zbz%m$K4T)Zkcrkx+ZMrsvMFRX=f2Uu12u1e-hU9Sxuf9$Fq|m70eO!?XSz|)`P<-6 zHz(zMCa}I#I*ZAxPG6wMXeh`pKB_O&%g`7%EDowMxyCh9xG($MS>In-_qN147Igwb z_-TWc=q^%=vlNoXhAbOvOl^ZAE>7#!9`wV@N z%q3&$GE!^H@cUqwi4RBqSOmpnx8CCF*YnmRBJ3X6$*Z*lqVH?GLPL!mW?r-6Mq>*nVBOlP9-Lx**9Vd>$NLmVHdpL85ITRrxwp4xjPy)%e3;D@H+L zG`q*#d!TW{%vTLN#9tx*r??S%x9zGGv?PclEX+Cj*BC7 zCJ?;xy<^Q=v-DWf^U1b~iz!u@vp1E~Mv~K5LT3}X`3jE*!~F%>w*ig+$;q)|7wU*3 zi29doZH%UTUrk+hL-A+bhtw9U+?A+%`7>^`!ye*&(1Jk)-1jd~a(@;CNUNiZ?gnKU z`-eDxSo@Zo8&5$`GDv;~S2j#D5blRz{y;5QxkI44u^!*5lqJrlFTa1vC@^6dFink` z{fVG%dUJzcpMbX;yU`h^W#*>5IoEAt@$9eb-~My>OprrdtP|z-&_2;8zb-bh#9Cp0 z^G}j+Ej3FO`2}MtaLACQv{PTd1)5I)9`2to`$M|k|0~X95&>|Y`k$)vA+5=uDX(x~ zmNCDIpvh5~z)^S>-8D2eTHOS5S^1BR!>RU4Pb|wMDy@tNd-x6J2rbWz)5vw{8?s3A zb!|Hr3ITMq_#*S}bYUypS9H@IgXpQ=#(tlX%=Hej)uwzcqs?`hf>wU(PwTYnkKz9n zMrjutcOlGxHM?%X+A}@zPKi|P&(U~5H`C?xnvaV1SJyuVkPN3&elQ~H$A&%sZEc*W zmvAiq5V3VQ+y1Bf|Jw5xsD~5uPEUf=>B2Er)XuwYLpQt--!_K-KWrqfegS!FkDmY3 zK3qR&Rjg;W(O*Ob91=b^D)dj1Qz^7F6TMYXN67LG3Ot$2k!~24@VuooOwUP#ZWK&C zOA<2-gddDLi&av$tDx)(KKNkMC{SgG=t57&ALtfpRQJ5dV**-g*Z2 zudTf4ZwvrCT`M4FUpo{9w1}+FT>uE*Aug*@h>-N=C0_CpOZ-Kyj#R8JSrjA{nP9Rc z%aHs!Tkk$hN<)L64z_t3`h8qmZ*3h5lc^2*>Kcu_p8J8UnK_|;o=uj59hW-wwN=u;} zP+pKlXtPs!F)Yy>^6T581ROR!!w(6p2l}k^-@i6{Mh8!xNnDTXb(v%N^ZJJP@kJ@t zcu*`Ew%9zB}xtaQ6P6)5BE8s{<&duwUv_R3oWkzp)d z16mMmh&Rh;;OzS1|!8o>1TuJ zjv07D3=_)yWbG0vM$!>eAC0plB|^NdyH?nG1~!+uF}S#3<(?A(K0&*eVwgWnGJ+C; ze@E!XBcfMo1bD8+KDM90b)I$CE;RMY{t*+e+4;ws^b@XqU{eVaz;(-klz)c|xCgq$ zcIx9?KAP{+u`a*32OuYUjRoii0~HEV4KeCV$mp*fNZp_MZLFz>OwpOjn8#aODUwNX 
z?Z5tMMypXHf_}g&EL!~8EiCl8?B(r<2QQug@M4>O2M`20zMtJf+$gT#+j7UpW!AP+ zUt2`bW=eBBnDH)TWuEtrXKs6oj>#CQtE#yVq0WnostgZ`R*8vXBvbm@i-(KioxIoM z%E=p!P8Yva<~;yr=xWYc6rnTsZfc4ZSoWDA&(LMM;7>7uY>P@jwG$?3NO(d}YP}@#U#$%-xWTPSV&1{3 zF_`gw0hHaYzua#JZwL0UC|YMQCS6b52jc|&MX>k>q{7krxt;3nChBu8i>ryI*+Zkh z$>xk2iSDD75~;W`zDEE7q>8YXxt~GxifCi?^pps~B0-tQ_qSX*w&3{Nw)nrm#rb9W zGx@{f!xobdE?D`8c=Zj4R@zxP78vWO*Lr8Jd`Y}x+{(QvZFjS~pVE83MHgH+5^3oO zXuJhEIXN3=0k3CIkd9pPZLYFM#}O!U2dpjt+}6A)O@RbU7!B5GR4bI*po9xj3|)X(yn0IRmq)%zm@S6aLYAKna0hZrNp+Wa)GEhqx~{jNZhE=-jvsjzle_{OGaLU zQYaSA=*Hw|FgF%sGsTJLb4Iury+7vY*2T!BGU;$N<*t0b=)Z` zN^5LB-?2RidEhitEnc$R<8BO#G6l<1a+zlCxTUj=kD9H=DPM`%*eaTaPwd+`+aTarCLT>(Hg$T}&k@WBk;Qeb(QFo?RIB_` zr3y7f{+ga36~-bn*(ng1|2&fsDyujF2|kjggD=l7iSIyO7m%(aL<~*?Wi=`Q7nF24 zAK&S_to3(3ObOMDS#K?TEtbpXU?Qg?MVNV_afh7<{!yr7a;={E2}R~L<}=4EP4Q1M z@U215HcRcw-B3WqiAXHc%?~j7s{o?!TT6d`)BBMv84Ez2bLtr%*cZs5e1W@7>fu8^Gg(;j$F9KnzqR*^h{{O2o zj!txB3R^vTyL)O08h#OSX>&38R^1r6?)koB(%e*Loq5fC&-(;)_wVF8LXs5XfaZ)+ zP5?Ngn7Cqxx(e2jCL6eK^1IzimGr(JyN*mid=&{+;E^*yAsp?oAU4j-nxH{)jf!Nc zk&aiymRpYfMT5# zPPYjO$oJ&b{M;dmK9P!8w}_g;K6RaKo`G48CqB$dq0Tmv{sJq= zF?IYbO;+-vp5n?f3L4+Z_Xy5{O3x8m=(FXgU+dFh1F5y&{7*L52yq-Xuc+L{`5;wW zU}3Lkv+nA5ajPe_c_h?)>EOQ^A-Y~tJjlN{51(*jbR67-yM)v)q!_9Ps@sW>@)gck z^O|{mRw+47r!Rxd_`$9F%;*K|-c~Cj`a0*~j`J(ri~Q_wr=6@b+3Yvv+B9ldn}{-^ z4vrF0nSUiyev}566d;$jXk&SOc(_rVLBLRO8KQkN;y~4x1Jq6cFYmk|5WmhVP<;%k z+?WLSF4+Cdp{t(-{RPPYm>^D#kRS3?pt$W@TYl|T+$FJAm#a@=4LU8+j)C$Rdu>7| z`J0yi^(qDX@jK))VWcOxkJ#FDON7+A^H{jg-^s;Zz7Oh@)V#cSOJch@Q&suM{t>d z*9kAOknR!8@=>p+=#w4Rf<*EJ!@VpFCFj8s_P8M?00QtdvOl<@xr3p%rOQ4JZX${7 zq}u*~?Tx+ej{f)-z)B6NaYk4aXUB!>-!FIKOn|0_jyRwrDPk7XY4th1{uq<}LO~r= z0ve?>t&e|1hc*b&(t|<@UIMVQq{Q&CtVCIML?|-`jDj9UOksmXayhu_b8=_rfBfvn z`e|4K&~?)a5iFo4wTPj#`s!ht%Jkq`oFrc{4r}|6JQqX;4@9qr{>W@e*u`Kvckfv& z5v-B+>;=bf(^?w9x)#wUl=<|-wS$G6r83(~I4*NJ_oZ5#%I#tAv3jJh(E~TMI!(8JPM~Mt++p-iho7+^Aeivq*k^G65eL z9Nb(wuX^z*;4?bA{m;LgaZyR(G+(+yV5$EDMPI;Pw3xb2wZ;hMs8W5ppT*wp@8`_M zNw#>v%JDTrL=gKPi*%_ 
zy(IWY`K@|@jsM3eeuTdgmR&0(7)R?bK|((8RrT%|$7*4_;fD*#lubJ}x~% zzK_SytkoBu10s9tSqfAnW-#)~Z4u*E+U0=40)M)(EzzQ_&g%@ImKyxrDndCD2s`0Ho=D)C(bX zZOJl{f}Z`GC0@$AuW;Z%uz}NEK_>EYBJY{%{s;lE{{sy5jNyw3ENzTPXm5xh!|(Wn z#{*cLt+6h$xT>g*b%a&oO9<{7eA??Gnc|wBNb=y`vLtN0=dn6JVGtUW-083 z!PUk=NjbW*lGEK%O|i6f?K;}82)_M5tr`sB_z9Di;<-Z`De&YbZCbn`9`2m*9zr|i zlC!#^B?^p4Spy+wuh1Te{F9GbdkuNP;7be)4=~8e8^YK%B}L4De6Kg)os18|YeCSn z?yO$;SUp{g@JwRgMDdVFv}?K<-)+As3}bCE2$>x^; zBmY{i)m2#Hy}Zit(Ku`$ysdWQq-&J&bsg@dTeWGtK7jO&8`ZmkQ$k%-%*=N5GN_f@ z7wv;dGV~D^XzU+FOpiOhr5H&)k>*{tV4_?0iKICTlX6%HHX3N4B?#=q+FS6p?=EXSz9rn2KDk_%9 zsqT6k=RFCPz$iWwn0SrA9-O1cEXGIG&G=c$@=Ui zo{)0Ovi|7$wFbJ}suqF6>RJ_PGB2?9EsYS+?lOVV; zfRrwUl|vwkNS>Q@3;R&f;PL@JwuW*&z=tOgsb@-ln>tM!GSHh_Gc|gPLKZ%vG@TXO z519^UcRxFvYk|Q?PhP>OkstdezdGEzc1=G!DNi-9(P>pTeaFFBY%VS3;e=?J%Ee?j zeqDdL@ouR!LJOlH=KWh>(fkE}+2J4yl0uyhC-F(_U)r?1nm|g@>BGOX=P@ah?b&hx7I4kP)p_m1rqT!m`()ikYOs-A{>G z^pulj&Lxq@_~aMK{D=Mr!5j53|GoLh_*0pag;wc}fUHucCwaZ1IBKoHARMKI;?273 zI?!#BZuIv{%7=wqjv4dlSfVnsE(Qah>f{C1UQM6KU(G&tU=$ zW@oFbRsN--Egh28+VR9r%6}`;Ta{zW!Ma4|p=#Itre1khWNw9GMQ0ew!e`jztevX! 
zwMr^!FxM5_osHV#3I_2mZ>(|ccGui@S3=H=-PNd~qtdKiusYgsP@)7dyrd)$IazVahm*&zIEP(b9ZO*{j3!yWf~ z2NEakx3dC9jd9v`_*6-wbFI=A(d1rEYH8(WMNk_vFmr^2)Z{#AW;Av*3mw*70q99w zoq{y!>AuG@So+7wWXiE(8O?x3**H%FC3-ZE8l*bk=uNf82107HAdT+_+GeW5D=uGu z2L4dcnc&zzAYmn$bVJp*J7VFpt8tR3aQ^iiW{Wt6Q#Z<4vB0wB)|QpIl+JYes_9owoh*jZtsTI=vJ+NHjF%nuWVG9=7a(?10X-eH)%Qd|1M z7aApY6(=r`maW}rkRU-hXdh$P$ipLE6r4ZKnBe8i*ezO~pHUOk8NN$ehTi-Y`}7&n zbvU{m>2S=*8`(7>ew$%frBbgyE%_^<-Spp;Pf`0{v5T$ynG&1skm4erX>|NQJcn|6 zD9@Lnmjp6V^Bsu)kV5F4g*%9u9}A`9keX??p%bY}?$IS27-Z0getar3kEN)cZq&&L zf)~p1c;BnvkLmeYt)CMJd#6p!WnLF-ZIX1`q{+N>r(OY=0cKjya8iZF>%g`u5m*9i zX$eVd9l*qZoUt!Ax;((83xccf-9wt34kW#XHJ7@-NdqfjXda-HB+-$txf=s%Pb6=y z1H6~9MBGQh;+kP^{kN6uel&O7*#ATW+i?|z@e#``V090>xK=MR-)elgtQiT zef52--RS+t4<3>yiv{1FIE3uG=_tpJ9(jv!uMO#&(tOKbr1tXFm0qM(ZXUmPw5SLm zmE6NJ+*`tM{v0VYADvEo!=pHn)?FW=ilZSS6V|klbzUjtAbaUk$Va6WT-z+h=pW|` zTkC~@M4po26P!NEz`C|vKvSF1(YJ>@9?{3bKKPr{{^Z+CQosLL1asZMoi+yaABA`)tJ7RlPop-xFZ_CgvitiU-G|E71yl zR$YCLYi3EyDy}|e%*u09g&&BsCq=ZZo*xLhEM;3ta>W*9z=41yr1Ue0-Q zKv&mB6L9(8q8ZJd!21QP<-M*Z`PlAniUPlj#jC|q3_9K%!s_Ew<`(>+V>nDfpg1Z> zJaS|+jrD|-NVNd^vum40P=e;$+-m+!?s4#{@{{Td4SMuyOGSD<=S+f{Y*WrqV1=cC zy=T2K%1jKQ?)~!C(zHaP)9opmbkE(E1(f~a+%C1(riBPgO>Nkr6avj@x1ED#YJpGW z`p2y3nsbGS+CkMH>*r9>;bJskFEnZpG#TyuP+|+)abWfDyVuf?uHK%iuI*37>P&R1 znKXaGeRvDJV5f_begz~JY&8e0qet!XWrt5%@=hg2b+Bep3xz01N-hKKzVAErvZwhRrugx@X=fdGK z&(==3BdejqwK`2V@aA%C6L^QAxhuYYX5_1mGJiURI+Ahcgs$Kv#rFFdUW7*b8cTB<^lm2_H4T&!xc}tB zo<_+~&fFZ!-Tujux*4h0zgxyHJH6O=gCo?IYnms4ji7@!@~Vq&$f_K5lcZK}+=^(x z{1NKCHM$V(h%)wB=2>Tx%*hmcrj3sua(pjxYiVr6bx6~Tub$d_*#FuuC~8PKU#JhU zC{%YKT-ibDJMRN&Guyx4?y7srzEf(?miE912D`rM?+E`9#(eU>5dl4xQUXJJ?mQ@n z-->}1t~)>=;_L~t(uWhQ9O~?p@)#}YzC}O$cre^Dc6*&~_{AJl8Xd^>y-{n@PeFO* z8FcPrjn9&c_-7V;sqzRA{=--V|DV{T^t2~wZqc*$1O6M#>6xUW=5@Vf_@NO>e_4B# zXsqZ==VLXTR?4aaK2OHuFut%}W-fe4%_+lYVvy!|5Rp~}&$WABoog~VJBgjJVKH{z z^Kx~6z3|{r0N9GbWvCA5y%+pd;*?7sH3U+%QLf$+uuZK>* zu$X-H{&!y#cFRH&6nkVy`q0X$}`l+ zQoBL?hyAIWIg+Y>Lfy8nMv>aC?>GDh3bmo%{0!qhS19e^T)Bka=;08I_gKt(9!K{} 
z+1&fB)+gGVTV5|5Chg@m#v7Bcj_MtLg;PQy2CtlVN=-o=TE84vLW>dqrXyw}lX}GJ zNVwj~QwfFsHLU$ybI#2BxjRM?V1=AMKeHrOQ8=Y^_ibx!V`d82+5Vr`ONJk)Ju!#n zSPNXfW}&`Uw-)k8_E$d_ZL80(LsXi2M}dUeup9%jvUe*;!#cx6^Qw~VH1`>#Y$7n* z?xYDl_NkJL&RGu5Jjk8MkjO=OvH#`V!p{)4Zr@-QoX9kwdAC9%58RJjpUwRP9&h*& z!`7%#@DjwCKfrLQyIh^XO${JtlbSsdo>!9#z`WdN8sUcvceO2kgwiklFRxpiO&l4T zC&Quv&hy4FXpSwcN{Zi4jtzr~2ez1c zK^MhGTZ}`E0j^zjq$p@E8N3wwA_c=keKM#Jy zdmxtNOPo(p}%dc-QD5IuxI7?OnV zO(Z)BYuD+}#bty&qH^#?Bk<36Ix_50U?%=?)D&AWpQXfPq%3hnx2i!4pXl&qVfUem zspn&!sYLd$-mg`ihvK7#_m#%+Uo09!h2vU-b*V{29)(&3+8AR|DRdORqwZA)Kc#XY zCq=yHEkpsth*xRwV}Cyv&>ban1zfD(53Nr8 z_)5XtDNc0QlNqHwd(X=S8sc}d*kyq`ZBqR>uuw~eSw4srXDc7>KU} zEGhzcg-1jn{?`Y<{KA`8krqt584PK8CopI9;Cxz0LP&5N(M9opvx1=}S0kOFz4?xw z9Q=UMH2$SbTH1}Zu;4=*>3k6*v2gey4Wg>KVCV^tr79b61=IHgH~6T=MVkW%OVG5=z|>XA5UW9+V^$yV?7(^Ro% zk)>1Fp)SU_<}@nNzF6MA%G-(B{E|&H@@9t@ZGxSF&0)@6P0QcX!1|k32YrfvzfP*s z&!>`>K*V?cC!R)CIEn7Qu~X5qN=n_M7pv-&J^|-EBkJ1&Wmak`GEVUgC3%bvNL^1! z>(Gkzn*LgwR88$>rCEb)il|0q>|X_eVI%QtCm5w@yIWb?yg)IME8= zbF}YOd6GY0P`GV=r}?7Q(Z6r?QR1?U`=5dl=3-H%-sRolaK*XqD{P>7kc&q2F{|zK zd>LzVq^z<0dH{URxu^0Qz7WA$g8gwHYLF@QLQ}?l2Sl;mVn*%zpZkQ6Zq7ncWJLWl zfbQiLf!GfA@~&G1YW69ak?;%G12?+%Y%X_wFn`nmt zqN=#VIj)aq-W~PFu2I~?_kapB(bE^`*i4tq{3h_w@-zE3`9MmTZ&{=SPeOw3&zlw> zT1`ygvystCyWD4UDcsLUf_Q^ADCEBoj2S!)F_Y2PU{3Tw!pvgm)7{{*z75^1L{N?! 
zr_ot@#zFa{PYPm+lfSI-IEUga(>is*;bb+Bu>L;)=0F+0yh@?J!I{roEk$@9!IBad zDRYyICkH);bC|GCjQqhwVwbwLM~Oedl(ScycDZ33MDPs1?S=SK0?ZL9q?U z@$1(c^0;XnIDf74;SA|`b_9llsrGsbrzp8U0{eqEf$}K~ra=Ley}_Um&QGsoFkvu< z5lqv|1l?%k3_s;NMLsT&ys*ae=O8SnbpH11EJ8)lPx6BPPKU|(G!Ga^(;--pU~Ju!}2JBCSse0$q?xd-3LnC!GPCWKDT;wLa7 z2ZN=S$xhjj$m3=0V;4C6n;`0^6GwmF_4HR?w4q=%!OuVc-C%s1(w83Z;2zx_i@>I9QCNV0X_&iU@L;aQiSro zevoobuC!d{1|dExFq5hrb&a|;LJ6415uoS+d~T4gso*$s#*xvi0gdMSvoz_acxIwe zy7$RXKHLS7>xH1}0xBDHFYtj0y07Se9_Y{GsLuxqbYtzsmoKbOFA1B1*-xz}vlRcP z?G$tYvcP@n7lzOX9AQ)zYnH$$YE{c0roT5nsDj)iCfUL*jIr6&W}+As+oo_5PYsDI z!OT$_%ypHu0{9tlx>rSzZG9|nlS+Y27p^Q#7autsr|#!6t$YBiXDQ9YuiK6WK-28*T%&~@j|oh zwFc{~*>)?$>h$8J^oE))&;vqdu@*g4WYIm6t{L-3?9L-ww>K(#z+1?sahJrDD+ZrU zV}4Z9ekxZZxkca`3EQ?iBI&!;# zKMi*ddxPGfH&i~yD50PC_I8yIvm`XU6*pt#pPaq8qVNuPdcy+@vOhdfN~Lp8Ep@1r z;+;xiMpVuyA)%R=12tv@gJ_(5P>#@Z>f>W&z&#E12;hOxuDF z$&haBq(I}bosOP?QG%xb<4(geD~$;ZW0<5pVO=F4P;SR&!rAF4SSHZ*0bWQqJgval zC6$7vFmuE3MvGVlKN{FF)xm2^0Dk$T(ranq*tP2*vZ$Vk>mtxAax<))YBICdc~)ln zk}p$7bBkqYTfg^z1TSIcO(P7yN}C0W`Nk-FFAC$i1VTNpgXVV*)Xnl_L zP}0j17mk8ktKDZ&;a=XL#XM5MrYVeaLs1nyeJ0pg<-WYSd1&6`vl_K4ui$IpVA!b2 zNCO9tKqfI#uu+5H=H1Ji>Dz(=ynzZXFha*b3)X_Z;10xj*XMo&==08 zwEFN0yMs4Gu7|c2W^O4_*BA@wn`K6RikHrvHU;U4jakT9}ZYcmSFD3t2e zU2JEup`sv8>Pf1AwU`SCR%VK0cKM=%OJ;2~dM21Pni{b;lo>)p<7 zU=qO$rXSdKlSV7JMDeUX2p$IhgBSRT4v)(oP2e%cPK9ULTIxLDVZ3;8aRgolkq=1Z znhb$p8i#NSqYMxq;S~V;jdr5PAzN)9O zv|6)9`J`6Qb!oL~YMGn4StrDyL+8-(l^E5kdaV0SK2QxRvu-$fhu5a$-^Np-|C_o| zFoJ1@|8U0*@;&NLh5m1UIMn0+5BApjztud|8a=)YdUP4&mfgWfn0fFrZ`exVQsvjQ zgEeh8IhJW{OWDVd1ZcCCcze~WHmq*!?V|LpzyawE63Fp7VF^C|G7 z$6M0;MCvx0$yPGiTb9PQk{OLklI=LQzYN$7lCYYM4uF=1c5*7OajN!Lb)MxsN}l8t z7A_6+g=|ukW^A)76_41B1z-VKH>^vT#{YaSGSw5OLaSND?Gwv_Ff!!b@1!x4BDfs_ zL(CEC?%CVLMZ9v$gF&_axJqn_WHQGgH~4A^k6i6>Tk)%1h0ks1@%zhl$wlA&Q2KT4 zWLuv3$L~J*>-4gni0^0Z!8z9H``~CjL49CbO0Zd3dQUh-Ej5Gs%iMr;~x=t$Ne2KdM@gLqWwdgTx zj5bheq0t+Os_M97cr(ITmP}Evrvw$kdxFLU^?F0bBhrglI!tIJ1?u%i97m+5w;Vdy 
zMZMnb%V(%}gTUT)w6im!a-0v85W1t-DM+AV$1NSW1sPOnN3HKyJ)&jD0vF5{4bcgkWa{5Bx?r&=w(R{!VchlR55auc zu78Cv)aw=Z6h3g+QZE(lq)M`TscUBGvAR*>Eb~l+eadzeu$NK7@;Jqk-jZH6LcN|L z)Gwd!iel8}R^E09qw&VP+NCRX_JLM!{wVIZfF<~C*YKrvkoXu@Dk5C=j3MZQow7M& zxaTqRp)YyPfN`Y}d07HhyMDnpb5<{!s4;7bi!+LPJ=Nglp0``|Cv)KFPfvgnKL}GW z>sl2Cyv3R)NtO1SHme2>XalUv68z;{by;eO%1;Lyqju85;`?RYqN`-~U z|MiyeLGjD|u=^QJW15bB%}8bmxg&j*bE*xlQEeo%@3I9TWZ zdX&eD{{Z(}@ME`S(o7(M+5n4&fv7!GQwjQsdLjG-UjW>9U@>>c>UR>R3#*HngXTvs zE#R`h5safD*Ky&r5_YL0>+0hH>V0lF5qTmjF&qse4SOq%I4HFaO}ql@PkgkNr(*{3 z(#xydYV@uUl5QV(={cA>#cw$Bf1n}dwLW@b>$R)TNBp#)|2Dv3X%;Y#{_j8AE&Kl* z9Io^KKg!dF{@aj@#aKWkF2pVe>hH2OkvF|KF+5F{htuYY4m{f|M~8-HU0lUPaFDgHo$`P z-)@^a`fnk6dVu|@hWNiJzMe_?J*ZE7a6aL;qiRd|ZQnLYYz^2IP=9~qrH)GzaCF}` z@#uavLaej~wK0z+YF@mA1i;-lj1wfske8Uat$?{M&x~DdjXt^_Q>aX>c!bEajB!cg zel-ztIaSOop0q@~*bFYE1GzR6l9tiDh4vb`WWdqvvit*0av?wWc-pL?eY`xb1^rhG z`H=RX{bw(pRqB84?yu?pV?03rk2PI29@mf!!NkQYQPT#Ofd!ljlwl!AjPAxnR}@FX zJkUc7|DOvt>4>fGp`*^16 zrvd0Hc)CTI;pzdk<+v8g16liu;gW(8(57$?B9b{mv*`_KzB(f8~8Rlj@5io8glHAPUkm=^?cx z{jPVTZ`n>(%mVzemwRqfeQcYV+D~Z-?r-yRnElll{Vbwe>o;y?mQ!&m3mc+4&~B_P zq+Y=(=O0@XNg;yDOt~_bVvOfSUQs2K*u!LZCFLu}d|Bv#_=jd+r?SAlCnHLFM`OXp= zq%)144H1=!Ip7r81Ru7IiELK#hx;jJL^Bfdo{Au){?1eM4M8!3w|6*&ss}(hS&B^T zl-O1@G5~l-lLX-e(wq*IphE;nOS$?Xf2WP(Iuka1Mu{u1?3Egmn4Qip#NI98bU3Xm zn9yaJNxR>NEU*3QeU(OEFdM*%*w*uw3@-0!nv-HaKEo@9+?6~h^Qx1-wY_}z>Fp1& zW{Hk~Hw#DNK02|b$_J$Q8L>2)Ig@4vRV=P96|(bH7Gp_Z)-Hi}DgVEgO;54JYAG~o zQP&m~uVzTAKHV5g+(mX-WYn`5?&x{;w(4y}AF~ z{I7fa&krm1{};P!{{I-y0{ma^hvOufCjjUVE1I^h`N0soB^>$OU-4-yQA#v@7yyN$ zLu&oVJieQ&wGLl(!&Fb*S^Tya#GWjG4_c})(*h-4M@wR*zSH)IG4(6v zVZ`&tUH~Iy=kOL7@j6-(BlVrO$4JK6gvc?;g%cR&V5c(w5MpT{Ln5OwiQi^cN?WDC ztpBl9jITjhzQbCTfNP2d2{{~S7uLNjC+|FkBvV@MRqftq35}>srU;805`gv;iUu;J zWbU`=E6y2jvcAM(2MJ-3c_(^=3xKR*@B=z^0Bb1fgkNUif~ zgrj;zq9EAn3kCKYPPKQA*?NIKVKoLbg!1@js4q%h?Rg_e8wKPiHv4%Y!#}ZmzB=w% z^0C`L4iHpXv0J1(=VeTZ0gYH#oG7`5!5IgdYX9xM_9(9Tr*F#im2#hGm$qW*GQpu5 z)_c+1^mfF)3$(^5fNLy5Wt!DwjByM0>20z2pWb%8f!fvE^2$$_z0yH~P~*_`nF0|^ 
z7r=wxLGB7DC6$6CLtS((wyw=a$@0{{P%gWr_+bkBl zUAO_TuR}DU{=VWuguS7zQRZH4v% z#|7Tq2uyTJxLv_Mr8?`QE0AL#xRMib0$iY~FJ7b6M+ zR3ppPai(f}piz$P7!s4twmNm)S?YRgZu3|bCv6sp!Zc<6wbk|tsie_40wGE@xZp54 z1l35>P+x8vJ&7hWiAY!dZ>vuwnbgSHPohcPLDx%LW7{j4n1L5_?F-$l2PGlh9HlE1>f0Y$#KDM938HjTw04q7iTlx|m6!mnl;Uv2GzNtNR z!Q|#1ynCLl%K3^Wi=C`lr)#EczJzC&zjkiN1R4+^aNF*1Dut#)SZKk%Y-=%+x@1aD z_xm=oRedK;&2k+HDBGy*Ia)9)_hbhCkD|uo+JgH?Pp$pedgko>E#fTwkqxdg5yM!Er)U;!3u>&9rSD#paEUx`emD`)x~Dr61Wqu_r3gghD1D zyCyLdiqUc4=@fB-1uKmsrHLAe`tB!|nl-h58L{90-r7H||Jp(5|8F)RFuBfr_r?0n z>)Q~5%jSOVed9b6hR6jNVZmzZ0QBw8g|b_=VCWDwZ8b2n93^aklfIBFJNA4Of_?&t z=;tDFt3u*m0i{3xj5cMKpiO@~4#&lS%DrFzb;~n<`~&?xXA%ehjLC$hg2?+w zfOGx-_Fk0bzvsK_{9ljqfS`8@t9(V|>LkEm<2;%dZiT&MUua^v};OUDk;Ij3YE-|pWkIKw22bfnD%N<)}6j+%ZiZ2X7WIQ-F z){MC{(yeef{yR@wl_jHm^YPzfgt{`Ix7b!ZWuB7G55$Fa-lHQVv$yqHJ9a7^> z66YN2e7?oK4krnO6DUZK3szz-uPH>L86QG5oC$__K;4Z+IDD^*6zhdhFbJQ}R8dMQ ze~%#BunTa{n4r*}rjm>Z@1wIJIJoL7q3z;cNuZS65?(-yQJm{B>WaH?eIyez(c_^c z{ByHNN9g+cb=?b;s7<6%kE{eZZk=AC@%2Y8UDnfN>vv zqcb#X5LE4dwe8L8ZEyfl^NXfYLeMD39H)@SZ~$V7$q;x|)51D*1W*k~l}^bJF~zJ47p&X8c4a}tt>H!LPccInOEaM_{{)|lO) z3l{q{1yX28j-wkui9``j)%@O_v-B*D$$JvNLz_k}+)|tAo&9+s)!?BnGd-HsQmXe_ zlmvSpRwZ&oDUhn>|(_#rnb$!q>gPi{Zd7ntF8sN7x#yTj9&iY4!caH5_je0D1oT$FeJ!I=-#2iepMOSuv^MQM`ZGuV z&)D*5zuYrN{(t^_zhwX0d;WZP9sm0%k9JLG@#^INjK%dqdrdH4qUa-Qp%Jfwlm8)&mG9D z=F1L==cy8?PZBIdOMH}@EZeoms%AubsUGPBkH|%yC?3d(T+;PLayo&IOW;J|euMhx zA1F0GGW)13hm4t!=R~Tl*#b}A*UO?vfw(w3ZQ0qy+3B(!i81Enf-|K&p9f{s=bVkY zcFPVz%lKwrY!l*L9xT6+F7q27PbOO_CAF1+_f@<6rP zNFZNDIUHgwE*`a7%~GR#47+}85RK&-Fjx$CC?nOZrQ|*o zCK&fDqe{&*XiDWtFqQC^w$lk(J<^ogZ0K8-m$uGt(F4ds!DF}pRWSbX_zJHbftGay zDr&D*+CxD9$KgEPdtjfT408!7{eIm}L&Y>LIQPq(!MN|%9@Oh+foHb-cZ(AmgGT03 z0etO#YAp=T^Z(vEEXRKxJl|XUe?Q6-#Qzs-yUHv81ym;kK7hbizIj)TOV{nDxo%hM z-{oJeSH7;eX!%#`rLPwcH}|pBT5hY?)T=SlflO0PM>U^KB-OMHF%! 
zbc+b=uE~hd-6{(SDU)b(k_-7I7IkBB(90RS!t_IS%X+!m{!jt-M{_C2Qds=&J{3P~ zqd_jwh)I*6ZSzM)Q`Fr?UBBn*xau=v%`QLVOIJ4R-G`!!z0}O4$Sn5<+whNd#no&I zE(^j~hy=pgJuVeACfi6bbVrb(<=S)3l=qj61&O*^d3P>)p4ZaFNBp$s|1J)7VF_R! z|KEL9w*NfaJ6Pxcd6cIV|Gi=fpk~iJqzq8Dz8HHCX}eXeedfM~<|qpUNPfe+x=Ta zWv%ff&Gx{ZnsD$+q|aE(mP zO^y7$GNEEBmD~HWN#EZy#mBy7zj=zn&QB1D?#3jo&cBF>wv+#%snq-IaaQAJ=Z({A zvC?tQlgri;$KyZk`M>clTjBy>uKs^muK)h*;Mto0Kgv__|6H*g;Q1u}W-I^=bN*;e z0FQSI;BU0G4WN|`pb2GbBf$Du!PB1q+aDJ<0?gz8&-R~{`Ty?j`u_h>9$@d^n59LZ zVL_u+ivSs?6U?VRD|`Y3Ws#f=RT#bl)LBX;g=|&Uv&r*ndNRi1LbtE24Lio-m8s7i zye=0ww1e?so9cxro{(+y#C_ov1$V!B+(DO3b8o0Xwm^7L8BK8~hXKEYxL-9=PP2fS z7dGQ=z&yI%m2ww!zOM5Mg8S2gk3;d7Q?D zZ}qS~z|(yG6~04})lV+36fcYhBP5!8)0EU#fYXxO7BncB$*$8UhDc7M#ildSZCaAz-W#0aQAn2; z>o00YlV7F4%Ul+9lo39mLV(wSmrzQvISQ<|q)|7T=WTH zkMRWNb6nWZ{VVo%%79ks16iE#kp*GED&iou!`+0X=3Q*7l(ZGfE7pUZr|1H6K~O@4 z)V<&g>R(G%b0aX*)BqsL&`E)~SFX#JhdZ7II%hp2Z84v@jwm;i{L638{pe zzb7ceLfkPP3%EKUByPio94}0>QCDZ7tnG)Bn2P1Ph>6+-B#kH$eSp)~Y?AR=Jx(yE zI3BE^PXno4uPhz0)%2<%wdyrWXmm4Xxgaa(xB%9wZ^072f?gGvrv5I;hzdzKdYh>} z8DFFqcSM+J+~)>dsh6(_r^BfN&Gq$1jBFDvoMoH{b)1&y@)lqpCrPPKeMN#I7L%SX zU4w8O_Y?*4h7n$`SaA)b30F<&Q0m@#~B8`D0UzC8h#~ z(JhbkHcR#0W3S}^Z?m+`$WkK3m@&C9>TJVB5og=Y9Ne*HUNM$zOCj8EI(lJ&lpfGQx$Tk7-0+ zQ_=2<$25(JPN=_FD`E5Sd(GA=WBaFa{*6$!^Eb~zaZfTZ=lt(I-#sYT|2%lUKL3yM zcorUA@z7g#!Zwco#CR=DTHS?d9yKXJu%|?$Q|LyG_9+c_-^WC-o&*MB*`k!W_)ewHL>dc_{X*MEl zNxmACqScP(s~>{M7Ek?&p=H;6-4N#K;xuRq_y1kp%<_{Ol1iMPY4By4YWd@; zcbbLac@DEskJj~y&OrVF(G>jw`ubEyld6Fa2!gzkhJH6W$<|U)Gk-gEAvsM) z-C}Ab4q41tW=Zj9mH8d(O2%1&sB{&5G1Bn2wQ~j>1RG=~q;Lz(!CoLZq}j-qEzCYGeX+b~5yJ8~dC_lIj2Sm&1E1I&@omMC29Tj} zu!;QbsyR4xw1rA8*#2ZIJm0?adJ1`d30U*cd}yWp+_ZlSV5s{R$ejl0M__4>C?}Da+wy!q`ooq3-Qo7j>WlGEGE&cO;Ls%EU$s(Rj}ApY&YCYT#E6d{l;LNKq z`@iQ*lJWqbq)dop(ES ze+lNG}_e#i{I$qP$gRKiIx?NSDzZ^yuEKebwY;O z{`yZ-Xm%b&+^W!q^02Dg*$%O~pUXW2yE&X+W&S1HRRzT+R9(J(5M;47$f}HNA#Aa> z*eavJqXLaT&5$#LKRz0}UfXAe{m(ji-rEQ`=lQU21fd z;XAeb%Le|}#I|^`{w<7#MLX{XxMU1;qxCO=+>gEG%!01{61G8iQrZ~^%bzc9C3FEt 
z3z!OBuPd+@t__CwG8m!;^OTQ;6UfSpFp5~_(pMF`v~0EuGfF|?hEqba6V`%|R@ENr0Ms^3Ws#XZUU45#s1H-;*TYZ4lk8`UIB@Tc{%a+g_MorX)r zou}x6@FC+9RAj=b-r%;v(QP&RnL$}G)(X~|A-mID19wh2`uWf&L}I0IF8~~MBban5yQN+=qKA_GjTKv0teQuGWVC%IHY z8ck7HK5|G$VJfQznyf$VmgN=K$yV)X) zA{i=|_HKj0dS=*JoT<%YX(k@`SV|m?CnS}p>e$j?{);fV2jpq%r~NaN|3kKo`}=^+ z^Z!45QStwOvAfRy{3uTw25ge9^vcdzRFa9$fb6HGn{UwH;M-76*U8&nsYamf*B8LG zK>vsoh;Bup{^vhCy?x&{jb{QM*cb@X9ZydhMhP2K7rNV0G7B-xtLeuj1U zBcgK6=YQ<-L|m}A$P%#xIhg1FzgNlszV~8n|9zZC2??FR|I?WkXF7q-ONbt%37O#p zYI|$x2s+NNPjMRdXeAn8oZ+TmfN_RBe?0}i&U@e3R>7+!a8Z*C-l=w>%odVA*UKCi z`9jDm#_0D_y(rs%_Fk;% z|D!zG>9CTP4eUQFF#l9Cwk>4*skCmq6Qq+-@m*jP2|-lvUxJqPS+-Yv8x!>S$Tu>- zfUAu%-TC+~I4Z}bl0W@PY?i+LG_`3)ce~V`fmu~kiv$D~HHdb1DzOF}dnITpMk`3a zAX$}KwCuz9eK#HInMN{bgfi8qSftNiz+I6|p7~)eie~VCow#rXA%JuE|Kal&`(^vj z;q!I=uSa<*@qcG}*;f(*=yG2+D}d&cwt;}=^MJ#fpUOI)-M>&JfnxsKc3|i0#5J=l^|Y`)?RI+zd=b6608#ay zfqhY)zf1($LYt^&znJhd6R2JuMd?COCf-S?>!h+|GI2*@v%F$mnP@b`3>S9GFr7kN{vjP_wP9J7R5 zm2uA3b7t?c`|3LLp_fy%FRAd%@93UhUEVRP--H*OWSCdg4pdf(hMZ0QBv?9YsVi6+ z5xKB(REM9%6d=^31o=m;Zmu&`ph`}hrrrWKxutrXr2x%oI!g&cODICKcjyX~AvD*s zv;G&KIyMUg1)nmegI+|;na9u7r72gF0+qmPH)!# zY>dx?>wo*Z&&u&1&kqlG*ZSXMJP)e>xup8d`k(ovt^Vf)^p!)x%KD$(zYY4IdF|Hyo=*TvMJW zq-NmdFqHMx?Qi#K=Ksdw^8yO6+)E0W=l^rCUy1*Gad@!i|Bvxh{C|RFUyTn?sgzH% zFc5s$P9O+}>xl*7i?VPKZteyVA^6A>6sn*Xbr%XJI?HjWW(=)ei0a1wQ1U_0SGTtB zMGT>(EwgqtdZ?$F{_C1dtH=O4oBr<|ym(g0|M_fh9sl(xkG9BvKCScSndQ%8z*TCq&vxh0t!h*>W=XW-8D4A;Yb4zg^AV9( zB!NOE<#wgFjgzX=RZRyOXOcw>kk}ndnbpL!+YDgcCn<}`-)P-8YR>S@vu6i&udy7L zM-RUhso}aiHSKbqm?V8YFR!MP6(lk`*|q~CSzXP31I~OM++%b@EOyICw`yN?a00#{ zu`MZT4B3#pW^;zweN2*!aM5?2I1nWk+GyYlB)fvp3{$Tm{HP>- z_(Bz#WDM$&3&}Vh5tt)vMUY}3AdzudvlH|hU)Wt+v-RwBO5cQ|_?*aStosOyiiOmt zw4>nrhO-Xcy=>Q{HZMpBXO3yfY$O2h8JKLQx7)~A`^#%v~*o{s{%7Ot9^0aAB!J>zqI`<~&be1AD(Xo~}@ zUKKX~R=2(ek0(lnwYjM04YVA_-klG&?eQ>uX#sW2*i9wLagnN}W@O!>VHZ_^dwWG~ zgF7-1B+5DIR#JF6q0`8mqJF1T4~y%dibn6{%eGDH&xE0s6;#!2PnSr!^105Z><_Da zUIT7)4?sW9%vMh0vZTIltlYk}7872_{d1X2Ors~6&N5-Rex+itL+e)?(E 
zs%uwOjjC$~*Uh|fFZO|Z8IFI(HC^9c&AGN+zmw8cTvJlfB`?Ef-2dE0t116B zKmL2SeE)y={KY!|&!aq=IedMxy33#2XwjP=)uPuF+3i&n4z7N@pL^w)Ztvw{5#2u2 zg<`tBhSiAfS-#+#!41zeBi1&UCJ!uv>R1;s;fWIq31^|AHd@-t{d1+#ni%Jhz zT$zJezly3~i=SKn!72v)f|BvyPj*pA>=DXiT8YNX&?U%>yFO zHo`*W6JksT^ZTkCB_V6^Eos8Q1b29 z8@IuyA6|OC{2D@;LbML~^S~_~@TbSyHr&sjz(YCnLm%CsuSJ~qZSx>Cavl50Q*8kC z2jO}z>p+2x^W#jW{0n@V>3<~y!_ur^uKjm^x19g;;9#x)J<6j6A}_VXs_ek!?X#dx zSZ&^@uK9^E$~9p8nN>76ui=7WL?Ja6jdbck4YZ@2C!Uemy*_3;aG_f!~JY)-#1l@gWk)2Pb7++IN+5@W-0=KFD=HPl8)#Y5(X<{k6|5 z`OgFeKXm@TgWc!V{O{}fzmM~n1FQphSL6aqZ4Zy(7GV1NZFvUVL*!Ui=x8T))CnHH0%7F75`#X{iwHmZ0NuykbiQb! zPcM!lmZ!fe8O2c0Uz?D!ejejmpy<$1g zKwVB8bd4963N3+e>nU2=@JmUF7K2q`(Y|St8Ev*3$py8*#gYo zZPRv4-hI9pd$-Me#_oQruyohSLd@L3TZot2R#npOTy4wreNIOoobRuS?f+J}zCF$@ z*?r@7ScK09os3;hPO6>CS*ms+mhS4BrG-2BHp+$mNtl#_l{HvacDQoc?&7PAL`X11 zB}A;G8&co3vlOK?L6B=J%=I@fV8sBf3048XZW;XR`#+dQe}v0>$#l?6+4*1 zfV=eUi>nm3HkB_01LAyTB52SnG=ia%+s%}G$E_#&w<0bqkg;brRETM4x5*|{BA4FD zAStZ#_++ARABPZNJ>K3De#faKrO^dl2B4gf)JI(x(G_Y7es5bIde%i$expw#{WqG& zBl!R99UeZb`2XxZU(^4`cz_}sBM6XvTk}inYeriFB`9L4#56@?l1vcc-05kC5m140 zk>ezpq6nvG45{%D24`PIcW64Y+y%0%hD{^rNY&>$8TP%iT&y7?RnRSR}g(|9!nk9mJEq8yR&~nUU|iYHEc8Q!c=BJoW%rI z?T(;3mM1Z~!>QEDspL449tf5u(`_`!!EYOz!t!p_-CT~k+fMvHlW0VwKpEz0rLfS6 z9F>4UrP?WK#Yf~lnqV1?3H%D1<__~%c!_kY?(vXv6ZMe6i`}3&HKT=XHNjK0Q83~} z(KFO0`kzoC#m?Vi za!Vufnu`1A0`utq!Tw?S{(tXq9slzv&pgsrY=D5c866$W;Wbus8o%F0PjuTL*#fk( z@^k^a9Hc}39=0~-1^rXmTBc2Zeu#tqP8*MlblWt3zg4;G*2Rp1zG_1XbSE!^l0~(q zx~k1EoHgoZm1KoMM}De@=7ySx&K*l5v><_|o?N(IL0n5U^d%(3r_d7VrPTQrzthlu z(9xqxAQ%*pOEg8r;%j~~ViJA#sraE=v+^INH2!bmnM41*U9vnAm{0#-l<5E7{@VZl zah`efzqA1sX96C8W=>G*rOXaeQUhl}o?zPd)W%+bGgQ0%&9aB;O19w`kzn#pC6Rt|6jb=UFZLKlxHseHydC!;Wxj# z;*jvB_{-xBPsUgnj~-iU(~qq7*hgmW_D$tqk9j!2rbuLoTX>&0MBbM^YV=AejkP|U zyj4Ah>eS9Ocbqx13NLg>30WKC^?c3rv$a)mQL@#J&f@o#+-%lwr!@N+oXDF+*X6NW z09Tz7&n=dw#*L@IfzNJh!IfEUu_FOzq7s+65S}sT^D9I#sXpFM5K0(gB8A7@p`eS4Qnmif48xPRFJKiO&eTS zS&mt&fa8eUsFvaAt{V7_e%XTE%wjb@S-wA~DK<$Rqp>qzn9r0oGtm$SJ42asn`}PU 
zdB}ZM$J!bWsYBP3TETCvrG1o-;s5uTxU9)wN(pp=Ys498~1$&kJ$u_nd;zpcK$H()8WR6{};;V7Xg>3904SAV;bjFZkM z=tR3=eSLC;V#-CQKcaF6{$CHj(;xiAci{i+5985}`ak=pxJ`EoKm#1z$gow`5 zzPQUePx}LW(|OvL6ZLP#>8SJc|LS~#zQ&xgT%fblSEAF;IQx-AveTzA!8`hM&VKCl zZ$-pnvhz!zZ|3~JK0A4Je)Z~M`j~zG_x29=%lUuy4iDG%|3`T~%LPq|5a^2K94xdE zNd-ZB{k=}-0&_eel5o-K=ogG1A^*7^6LigU0-hKGUFZ|BtqZI%h$YjG9vj-rg401R z85af|i6Qpvr~zE}#Q2qdNs zAWkwSsAPP)jUp^@!bXU31Gw)-j}yVr1m6&pae9j-X@EOnvCfXG2&rT`DP(!HfP%=N zV7mblPfXXvmU;-6_rxVL=4KoNS{wCuSs+qZG?r{ix>C0LYs9u|OL| zziKEOuw%&kETIuq6UsOn(*czvK578gL!aeooB*5A(y$sG<0z&gOYqb>_5{142_saF zH)*WP~j(CbC@ecO>?%{54 zcdxg*=e{uK)qZr)ixP1E`t0h|g6niX2Pd;3;}hK<9@oG50lWdi*v%$kFGIw7eP zfK`R6D>jsOYCm2%b#Y@%eFFy)v< zx$0{hnXdl*um3S${QF=3XG@)T$UB;%w;4%028Klx`jXv|Tf(=YX+XQQCnC8esnlL@ z1A->Qw`bi}eLr=zh%o6#29-`#tG z-e6Ag>1XJK@r-ee^y9%cI!+RFsXi6xk|+g@#Qn~{|Mfo&IQsX${*OWcMv~*0OfbJu zTcsX&ztich^67MDvY>0iCqgf<dua0iL!sja1}TN6N(n zC@Q@r9d)3El2cC4P83n=guV4UomayliQu@HFiG!}y8Sz3IhSLE)0Ey4E--g-#6!x3L|HyaXp~Gl zZXY5yUqcHp5*djUCqW8?qY&jCuJ^CnnjN=m@5VG5t0RGQ`d;YNKOVK~#Pyy8fE`FJ zua?*L8j_lA7lUG20UUcwl#;;lh~sSB(H@x!6iu;I7(5%Q?s((s`A*G~ESVO>+LR#z zveb!kt_XKBRecgz74TmrBI0yVJ+a#`$w?0A=h0YEFx*ihHsK%#788Oj8Xw7nb3LTej0tbRlAyViyK2 zO1GhEtHJ>Qxq`%DJG~Ia0RoOFI(2y6R>A-hx$z)pAwARDqdnd@%MwaNM-a7=k|a|d z*N>y|?Cof`g?B38{M}+c?X&~I39uI^Yh{<9-|2j7(HXH+WHicIE|RI0B7(`NqY3>u z1S%?E@ux^oErR+;Z%xEWL=-NoW231Lv*TbwoVpP~3(h~)XHK6Zg_($@n*0c`)(x4W z5@w%veB49$ad=9wgtb*0C7m`O9-7w36c#kFL!3*dWPnI<#Ev_ex;vi;gl(-DV9p)P z2PX*vL9Am|RMgXB#UngW?tlZ;0F>i&YM2E0h);cP$5FyY46$KB(v>XZpGko>t+=mI zHT853JO>ySN}}aNsQnZcRVxO)r6%zfU4Qusz52`btMhAg@#^x;+4c3SQ}o%l==kE| z_1VesXRlwO*T>&%!*@n+KSkfXz5FveyFwS2Z@)e}eRYc7o_CJVm6UUQh0d-NhyU#O z>g=j-n!LS4U%tA0_1U-R^z7>7_3_!8D|Gz&HTvfG^78on`s~#eIzB%|CvVSB&#uqj zo?mTuUj60b^3~N9dV7h^-dwysdv&^v&dyI>e|36x{sr3n=Ir{*w_jbO*Jp3eu8&ol zEg#z3&pU5kU7mb-e13iW+1cx}>uhj|4 z)vIlE{`S0gcK-S0+4&c*-n=@$-d3aPT%TRPe%0@Etb|f!G{9zsF#3_!3JXO4`(OXJ z&@z=|PI`sCX=DQ+F-%cawMCf@arQPog~6h|LfVAjRA|`3s4&I!ETOB+BEq1u 
z4Ty`(0m`IWjyRs^fi=Oa8?b^FjJb~j3DqIBkWj-R>5w6oOMs;0Q*6uu`>-m6s`WiW zn|P}Lmiq8Cxn)C3<=u|NMI@O5PA3^tbTbV`!-JgBllUR}nCJhu_xwfq{%3c8?f>y8kGlnVt>g4NolibN=Xj!+ z-BmOu6VmDQY=TgeIPa)~P|xP&IzsQBe4Z!CIi8Sr@ZzmH3&Q`s_ap?MzwJTY`6Ym< zW)_42y!?#_Iu(xn&kHt`EibsU^ z)i3=io~$4N%q;r9ckulAekK3o;oATEksd|=tyy`0cYhylc>Ilkj=}gO`khZYpAR3CKBtM1nCJD)hMS?T6ZR~gcT0Qty3IR{ON;xrQBBh0fQ~!B!Q4 z5jDYgAZw2}(Rl}Gitad-aQS3~_0A`Su{A)J6B|YF0fV6RE~x5Vt*CEzK0#Kc_SNW1 zPbWujKS#&s-=aUCou6(S;oRC8z<#07NMePvD-zh6oT**bk)E4o#<1xbGz5Mp=o@C zPI4jHAE42^aljAUq|Kz)&>sR-e*TNVRcmKmWw#NV-19|cPcTJyZdU3fX=MWOdfy z&RpLE$*I16vr+Y6rqsS381k%u0p^`Pp_gR%4h<qud z`Nf>_9vs}*+77v1l4`$$DRSr4Dg#u&az4fB^r@y!8IFjq@A+dcv^7R3?ZLgY<~{>i z_A6-DTgv;{vgyz_qz8;GI6P{{Na~XlpdbYsD!EStOSPfa(+D=&bwv- z(Hpg3G##=dkb}h0&d!KR%Vd@KpQlt#cYN=xotWH`WJl0Z5A$eDC5dFt$qvqF4+fj+ zlQ)S!ajU*jLSHRiLY6tr#I<5kn&Rl@dM;I>bNTA(+HJdl;uI&TK(;~@O^5c*$z8#c zG=}8A`sN8piDEw!Dzywq1eh`V=me*xqHdnWhM1-31W!nEf(3bSR4a^%ooL8ZWo0sQXp@DOdPrdy7KF{@SxI#TEQ{o(F^`ovh2XEkSLsF6n5r)RzW z{!FIY&~r(K4PWX}*1VjBKm;-xxX9HavVzRduprN$^+*~qxSxTRYOOC`y+J3(B4j_g zNx){apj9gPM`H}$g_irmwI|U_rYF=#Z*t>4Mcymc18xRtovvCGx z)FP%rl1VTvgBA+6akd(^K6tCScw%lgG=JkG_Vo$QX#VA|j%8dIV4 zRbz4eGnpFIqlVMf?txbjStpDarT+KGfKZ|cO39sGLR%*0hD-sek}KY%W?P~M+7kFQ zW%8+|tOkw+G0073KLQEUwfkfN-pYwNxQ@i=mSQj|Dp5lX%9Ku4gMh%pZMPMjHN&hU zbTYC966z=8bYwk^K03AOZza?4XRqIYv4r4yuS_z*G-Pwqg7n&)p2Q++*4J-tU zw9}9?miSXKZZ{wTDmX0D8k0`Dq@_I}IZH?2ngHHP;Ogpxa*!Ks!bQ8Sjb|pp`c^oF3<=5J&Wuq}Bc+PGTkO;Y9e}h;|c)M|vhc8^sVbR}?`YWZaPH+3D=} zv*nce;)r@~$n-cFDSdW4Y5uCL9GoiAUY&vXD1cyy1n>gwP(G$YGEO6$IByTd`xR-x z!q_ye3T6d+p``k2MN=GHIAnKdjCriZA<58}SNn(071Cq__u{)7GJR)}3b(XYF}B`J83vuq(G3M!k4_V2 zGoI>(R~i#=^qQtpkYosM#;Q;Mo2KEKh*T^a%V8NWbHD=O2)QbKgXOEuoNgMix^j@6(L1`Oan-wtof~1m9 zODMC_^oBt16jF?J&xmW9f?cr*C?;?fA)HYvkfTg72Ze5$Y6m8Wd^4{tqGsV7wI^uC zl)4BmHqN~=5>AI05Vg_ZAaWqawRV^AIwfY2*ojygkxYsmc1!pzC3ib_jNj07)KmMq zr+1EkyB@Lg3H)akA#XMJ%#QO!slctomW_*`jXm~Shc@1Hv?7}zmdh-c0!{Kn(kvl; zRE3kW!sc#iu~G<9qBC^IB%!y2mo#*1AM2yf8As$jo@5Ex1`eyF%0jGE|2)0AMqsHI 
zbd-W_pfif+f*hf)dV9&3RQ%vC2VF&4x@T9HU+5qIve$JgS4!?k89w5=sS$p)Q81&? zjqt)=Y87-(C-P#^0HsFm)~Q_l#)jCrjvy@5nv~S2PR^UQM~fpd!S7#_bR@?|=y^SV zuCWQV+CLYrUAY=d9f$I)r?{%)0m;@XmhaH-6z5PXwL{j1fVW1?Os3li8y03ri@9?) zeE@IuW05q`Q}{P4rzQ}WM-0-qSM_|7a;2w-#M~ zSv;c^znI4>enEU? z)ehTeyF$?|9+lqHGoSZvclY}^qy2f>~R`YS}n|9lw`t1Db)yY?vuj(zKUNPFLp+H-CeQS-gih37Hl~zEV z6d@bqThCftF{E3Aa@=e+w|4E-8q8tMv{B4R4uC9^u9qY%n<$7Ry``L`6Mg;m5m?!4 z3{taq(kzRVV971vjikGDUiHUXp-do|@ldT|l8|&nEUX6Rt6rLWE!(1ql(%_xP|PMu zj8XJE(c!rI4$OFIK{%ryYy;tiad6WWm?3Rxp1|<+IRrNv>S?0;w~-*Eprj>-Bu7h& z!2prinT>hOIi5Crp)~CoEHk_g)Dt+dh%?Bsk-Gwo+1-33oBKm*bZqde=%Zs-r`Gbl zA}&zN=P?~>{{?^#Hxp9HOCxH47ayFSUupLTFZ~f4qA#znFLw77$vHj0+TE)xV>5?s zr3bfDU*lBl?#))&Lbsvf`ZchJD)v-ZL&3R|NaCWJ%}yOmQKqXg+xvYz_2Re;Au?{( za9SDx+UxK7_WAVuYTjohRD5NE)HYyiot|H9piR#wV4M&75u5D%$k>=s%{}8(Y@y?e zGl(<-%vBJ;NyK(r4jYY`m_Ls8Yl2{1!f~`|Q}Mql-2*rk zWaEZRH>?VRYgCUEi9lT5E>sa*cn*W?Jb$&&qAP|LTs73jq*XkNEd*+3<|>|Fu<{Z< ztxaFW)5ZwafT@pL&AAt56nSWel?4Ff8$7{uNxFRuje$G=q*$^h$ROVSB1kk5;+ox% zbTKlmz29`3Wm+!LrO6(9!cvh>2tNgBcJ-{Hf{!)3nEkBT#hP7wtn8weOsx;}>}P$T z*9ZFJKG16hy*|(D^ZaW#&$UAR>J_}7a()lf+#4EkCfHD-V+9Cwy^mkFvm50L&T>c@ z(oW0D2Mz->Ts!Tv7{Sogd$yBc@dRr@hiJg8p9M~16Uu4b)i^;38A^Ragx*}81(zhN z-cM+SqGiLx&Q4c2sWo$1GnXbz{fe23cfGvC!Aw28Xu9vgLz~uZ2wq)43gwf8So%L2H zW^`qSABuTsu^~Q#I1bs8$OWS}5D+yW!rT09h`97Z6%h7<=ppw47LFZn*E2K79}Y=8 zTL=PZ8D_IMM_5dPKxM3%pzR{upp3?Lh_hs}C0@{SM7`)`$=Nz;e&6|8tUuIjE28QW z2f|Gj(%yupnhKP#$W%^vi1Qpu%}b2FSRu`7e1H!zV0*5Y7%GGSniQzuD(2+XvQ#cz zdKVW`3UzBzLYgb#EIqAAF^=Vxye}9VB?JNc`GshBwyM~?FBc=T_hzhL1^{5yQx{8Y zg=~l^AW2ek0HUc0g(}v;@MTg#KDgp*X}!o9G}I~+nPiG5R%0y#@APQQAhj^`v52*< z^*J+3v~r6EDr_gmYxkD5#=6#6fAJbC@ULNln-d2#;KOpT69?df@U8_tEi&3BU}?s* zH`F9est-sH%D_)l$+bmTR)G`9%}$Pte>+YMj&4X=X=&oP_4X>VTug`@v)EMq!%4#K z1R4S3;ksfWOVqCPa$(Ml?_LtkXif6gB=1*3@{lG3_rK0{N7)5A&7uVBLm58nL%9^D ze#M7!X40t{DA6gX3`&gO{WfB$U&_i9l2ur;9DD#3*1R)2Bjef9^NJM8u5@%wi^CDd ztDGOdd1c%B$pgnmPS7HjiMip{f;`3$kp``;)TQS?gcK$;bsBDKX{_ZMw!JUtp>vkD zyBhu+s`<|OG^Qgeal#^kTioN<%CV;!#9Ia87h;K#i@7r|M$hHi+iA^K*KG9{&Q|#_ 
z+TS~Pz64FY{QN|Qb=l6f%mBndp6! zr9kaxyR>E@A;Ua`IH?bGGJr9GUyK?3?Be#h>r5tHN`@6e)NAciyM@M@~ARaUtgVl zfr_+#PAqe&!vN_OZ1>fvinUYKy9ub~D0)^k^zbDyUlftt0gA-Is5UPu`p!zI*39N4B=j&sSd_@4b8H{k4Di{M|dX zqueitd;9O+Eo4nvXeG?_mOKTp41Xr3zE|xk=oCB+Xr{tqbh~t0_~2Xc{_cC%UfLvC zq_H!ZCv1E=pvcyk7*;mbYB8`DuGYd;6Q+Kx!WGLUIXqZ4g!h{(bg3cy0(4DIMs1uz zmI-|Q^SlhM#Z%?R#{~$NZfD4N*{tIg#}JVCl%(d2mH-HopFK6z%B1T!)5|7>JMbp`X;4f!?sAL_i-7V{V(srM$C4sdh(1fX9 zsU&~`54PoeF%9ujh;bHu@E$W#0ceh}A+&dC>ZAvyF}mb@F%(Tp7`w?cLt+5eMpk)E zg)Cg<#Al!kAe>PY;Uswwl}C#X%UF<;J3JMpTplrSf}0$VCPVJNkXby)WLR^Jq8U@U zWQq1k)c-oZJU1SPP$$f+W4P>Che|a|$UW7w1P0<82ts<*~(yHFvKp-I}|vxqB0)ex=;~jts_(-7I>0Z%vZA1emEv zVPF~OgR-Wt6Rv*brhw66q1`a0R-Z2z)(!YwMyzl}nZxk4au{BQh4JfB+u1H0&Zy0Y ztOOA+E30A!8E1-1=qf!_K%A4Y$|B4MRC3Ix=ucN~&vn5NOF)bzKP-MyU_M=_C@ zCc+ljDixUp+P19_Ao4^8Xmqj;on#3lu7fq$5GZC*?*48^>E8DW>d}Kbj{KJN^7JNU zcWF--7e0av*Db(}?hy_K7O9If6AcCy`kL5Iy>l+!UR^^ZlifiVc$zRA`-O@dww~Es z1ymP1XX+EXkhbz3n!5lGq5%{%U=?>Ajz;E!Y^xcYTa30d)W`!FTTU|*lw*+ScVydd zBREkTg{%C=O0lFk;0MiPY?3*b5*d4y&@(0k9q7F5wK=&N=qz!Bd2AAX>uYX9jNU!% zn@s*nZhg1q>7|vvCnOro;Q%-c9d zKVU$Jp7#<|=_D7DO)TDm1o_xhf0fKfx(OCk$1e;J94jr*=3!S2dj5H6A?huRBK2S= z1YInwN-Y|Vh&f4>(!LCyH@<U*iQlb{qPedC;@X-@`16#6oaf~ z)&SL~SqAP`BG)B^fMHk|h1{fQfH{;(*7Fqlrjv{_+Jj2!JL*d?+wFXUrNmH9p(k0- zv|LDQpH;UYeCAX!n6Xsd3p;-!GwN{vA=Rs)h@L5bznN>a70B7rN61v{Rsy5qyd*~0 zVAaW#PObES0G1311T*OkO=F0P(rvv0&vJ~u@18JDzV8-=V@0t>K-tt#jmoVQw=^z< z3r(}2G=phfoTQ>gNvU74jYJ-e6(RNZ&iAR47Y$ylUlkM!u{}n*cKz=Q!44?wpVbs? z1FsHi*vgcO0K9q5xVDdeccCM{0DW29`m>PzXBi8S5$)T5Uf$mt`KGv$7V({}Lzm0w zBOq6K>ec%CzH1I_zhLj?uz%mxHKDa-q>rwdGj>Oe`>MpI-9K8F`@VanMTYOYdav67 zY;Bt@;#~BMwK$pDipt-2zwe?=9jdNr_!jI%<5s4`OHSJE3$&b#N#ho5T}P-9JqrNy z>ecNZ9xTu>QxY>zkI?^q@{j-h9q#?K+xyQSHoxnce?7H7ZT;8g_x+jgx1K&}-LG1+ z<@X^ReJUK43wL07Dbc2*vHq*GKq=}u=lspLVDY}Rq-*Ojw}Khzatr@_k#(QY)VAAO zYP+a~Kkoh2?1kgrU)^>v|K9qq_WNNmn`?PL*n}5l1-5xlJi?kTeIl1y8KWXyt^eeN*pgegkU z(U6TkWNd>q)>wOtaDoEzXIPK=4tjQ;=?WDj zc0KC>LwP_AzL=H1%YelUr4xbP9Di%`CV8rtCIV$;t6ypDMPukDpkUW2YUs^ZSJx;? 
z2H`@g()F=;XRecx7z?->2vgMr%3pZJ&Q!oVlp2G-?rJRy?}ECA2))UyLi!Nj^D3 z&kqj|4i{rfx?y{!BnnEgJR|YRO{G-0>A^33 z6>PZOC@QlntZ(e}??{sLz`;eA=XL$;{N>xfZm4z}Ctk&f?;)A%~m1JIOy7div^U6UVm$~or#6HdtdT&&?C8zFgC>i5Aun`$ zxZDLF^5?rqvr2jX0&67)J{-q|Q>b<7fc3zk%X2-6uPH7N7(toV$&inH1-LQ z{o3=PS>w6#w7(mg={8AAEG@wI7*{x(^SR+#ccG~uT-P#?3{e?~D2*fx+$od>=^QO{ zlP@M>>5q9@DDeeb)=6y>ZIQikBkzrrR;2Z*38vsvEf7X~M|)_3vrOAcaQQk zO66LT{#>y5DkG7JI}kNQsL3vnvDha*8K;a>IXzKo;ki->x6ww*Vq#-()ZchGq$!nC z_3yCw2DH$WOR|LU66FF@v$MfOIoCI;eRQnI514z+m)3Kcj#9Qnc;VxaAA^Q_9Er1G z+4P>Vctb$cQk*ABfQVQsBv;afc%0q895U3S_Q~;5NI_-9oWdUiA^@mEwU3y>9mU{n zG3tQsgCle=Jn7aZ`t%gyp|9M$&h(DgKfiiUqFlDlRZxB^;F$C)gaBnF~z%d?dQ5;Pece;TG zUOQ12&8R>VCS-v@dmp60xIhwJkU~f#@`(a^N9brQ#WtdS(l2a@1=tC(?icpH%iC(& zad<*fDbS|VSBwF4+c_4O*RmE}+la`hzqJi^%Umj)s4)(vh)STC;M31pKGHKGiRn0u z&sIcMF{*Tgx_WY5%S9D9?MtQS2Um1NST9~qM8;BR32$B%WBa{p1nw9XnPWN{TU=rz z?}ux!_}N2CL;{qbg(3sWPe}+grLu}$<*mOYeB!VOTSNzX8|ivt(qHIhK)YxYHW`&0 z0ycb)Wm|o8jMChlxmg{g%)vK+OuaY`VhWO#}-E|%RDXf-aykpNMENt zXQ9NQVq^AWPBfF3CTEHIXi=L&)3c&&tDpOmw&LljsjdW$MdrPMt?F#*XQA9Rv!05G z3g=DNGaK6)ymt5LI94T}-hc0)Q}&f{~!o@5eDh(uThhITq3?xM9w zQ9dZH#$v=$bC04HwZGg5B7%kWPq(9B6V)qCr6ne62*l#bB&LgVU7IpRITW|s(xVkn z&JJ$Um`+@#hAp`cLcb-c)R~9KEsdm`9|W;bsV`CQb47CxvGcy7X0LL#7P|+x&;4b> z$~cy%Hzj$;Wj+b^HZJpmY{2vv4oAL{tD`#A(xC3w7+~{L`!vu&Pz+azGG>8)^{wGXKi;V zKWn?g0?*p+Q1h(q4%KIEcUapU?(_T>><;TYmWF37>lDvg)@lE&Wu5A?mUY&$&RW)4 z%R0+GAMG8>Dj{YpUU`sE#^M<m@A0(&R-^O@iVgEGFAf$W#Yts67iNdy~?U z#hYSl3D^5|jL|yA=r<5!G{!=&t4)W{6msMp|7*f0zuAbRYp4qb8wT=67MnujE;hH& zB)$kS<_FX2;OUI;-v7tmyKcvETZzK|{S;XAtktAfcT=)QUWt;E`4~!eIF@KGkxnv> zW)9I+=x&77K&5~p)y~PgoM$;t_ATtafkIW^sxOo&yYR;{y9xztZ0!35kxa9(ROu3E zc?f^vnL~9*eA4Md^{pJtixxW*Yh3Y@OC~yu{yboo9Di-wZ!aH*Qg=Ze^)AIj+o3?! 
z{YNQ^IaC0sRJf?jtZ&?za3gjos<1c?Xf!#bP2te~P1b~W^8;wv^0q)ci>1cEB|huQ zSABq09#+LUpn|g$T|YS^Av?68kR8}q$PQ>QWQR2xvV$8A*&&UGtcj#|*pT0TWIG}| zyrGL7+@8pqzzSEecr4>0+~b;k@hOA*khVqE1U4DvBpB8{5liFGX!c`|VESW+Hvh3h z;~|JBZ+58LwR|j!KUC5S*!7G<^TB^Qt_)c4FP3vz7^jJlr8xeLY;W;2ZU$+XV}Imh91w;+P1$3i2g5Qolj+}Nd zA>t5K%hoOQAUOFr;r}e|xAw7=E0h4x@$bKFD&YVERwKb6MDN0FsTwl7XGt<8tjX)<73D?BNDgGANr1Z?4xee`&Gt z2gCBnm3>fDyzv2XRayQJEtj%mA472Bj#_D3|4~^vsGbN>1rQ8WtC&!8eTUe)5Z6^< zk0ZUJsI5U7s%;Okq(!NGQ)~+MLRt;f)#Eve)vz9rtt;3?(McRG8CR5UtQEyCK|}XO z-&5F;3|}9z*MRl$#1b27Q^)$lAo8AgbKue#4_lYUXhgbnl`*=?7<*O5fFJR4AG}0H zXxU$2U*uVtS(#Tc?$kObLoH=Y5v+B5cVFYlw2AjHAH>8PASVM{p^u=zozOUPtrf~|^Y&Cuj39|?FXLP=d1IttgVg8Tf!+5d@+w9O0aa}ar z&lwHZX?LA=S09~rw=g>GZi~@rcdJLI-7StzyX&;O7NgVdI_<9Q=(M|oXm^LJz~4or zJwimfiFwRsCBtx~hL&)xWMb!ycon&9G#2 zwHbCFU2TR|qpQu()n=%V&bzhW=xQ_UIXaJ5SDRta3A?I)U7Ta<(P@^QX4!6Zn&ryT zX_kA8PP1$`I?ZzR=rqetv)o~Hnq{Y1?m9Znva9;{>x{8vPccKQtNPc)UG8+;UDdzM z<5yqxuNDLN^OgSFei>c;zpnmYSO2f8|JT+3>+1itA5Y&?^5pc7Uxs(2s}RwCbQL02 zj;=yPS0SSFbnG&^3K3h5&a2T?h}d#;_5ZrKxV59x?mF$RK057gVRYKv7NgVdR*z1* zTO6Hs*J*bxMyK6%+FjexX?I=yzh8cAT37#X$>`$Ho^~ACj=17>v751}h7i5WXr6}t zN`=NqfU-p?pzfLv=Yd*SwmO<2yI%4poB%!1>lr*O)10Ug|Agm-lfKmu%rn+6+0@$H zygWUvX#7y>(^MzsG|?&%xrKj><)kb?yg%i}$cY-{I)(aOr@gHpwKLZ|1drSiFY-d_ zLfZLx#*Mk;GqDG9T#Tz*8-mt)X7L-_;s1_1GorYci8xCVT`K!XTceLKj$ip0`?5L{ zh^|}WNUIG+v+r_B+cVRh*ylpwKA;PZS>1&719h^NL+L&z+u$!wZc=mR>gFUDh$*gvq+cy<+dSCHO+@Bj6OZ7KU6g7!W}C*0I7VnPk_uVES{RVtHU zh(yTZ7aZIHT%ISQC`Uv-%W4lBit&u_lK5q%4GDIsDU?_A*%ee%to{N*;FuOkzmBRnRXFfK-_pt`np#J?9w!fgAFSq(droPwzD0wzyuf&*_nFaXKpXi|l zYr=!f(u5Z&$U8`Xn9+Ft7V%=66CNWpwBw`-nW)9gO z=T7%Qaw&A?`)Nj#CZqK;Zkyko_nMjhe8SV1zYYGl={L zsak;A!wq}Jjxk6S1LFMM;TLCxn85wR+w&1_A4#A$?yXi|YY;xvJAxqVz7Evq zyPz~NqcexB^vIB1mwB!W+vLlsxYC7Xx?ty7X{;zNt^lm1f-8|mWY9m{4n8d*Vp^%U zwe1HD6yJ>!B3@lyUxE!yqdDT-iCSY2b3&jv)l3gK0dPu#r096)lxLYx6Z)+HcmR>8 z%iaXxCAZxD+9S~Qs^`d-;-n*}Dvb&jC9X&`Twuj~dS%MN2=0_)`gVfo52VX~xHMql zGgj~oMvB&gYkM&@RiGTUU>LPCd_%_1aAH;FNdv5~JFD@}!b-*oXqd$t> 
zu?bJIEjHcw^9k4M)#WubvY_Lxa1CsjtI-JWZT)R`R0jOcM2lgvxkCdpH$(A(&+<$R z6FplvDwY*9RW?W*Q!E3jkCc z9hg)+t`{SIlZzo7odP;<6(_Qlkz-d|=vtsAeAyH=c%7dyZwrQ7@1%cYO6r*+Cn^Sy zAtuk^7x%C8Gp8=*TsqND7w9PC>{=v+ut8#=fP&~0Mx}JBhO(k?V%XJp7X*38apj6n z(4Xc$KEVGkmO*?2jMoQX4VZy-ItH}lflVwtDY946L4E{D!B^U8q^r(s!E|^2?hQ+$ z*D>AL$BF!P_~O}b+5J~B^qKfzg)%ZYWn?OpMV}~2MG4CHpzJ|(qDu~nDIM<-Pl$b^3(p<fAHEu9!WyBHVxHTfE+#9z(~p1P)rD?#-q+!AuQn_9@8IbKDi$OjM-9*8Yd}!- z(cc$9IM;7}#oCR?#@BM9mXoTc@EIi&^3U$6okWR0aWj?Y zy2xpctM4w@h$nYKEfrMvDm#nu6z=wYC(`+r{v&!Jg_7w}*>#!$Y{gcVfKexwgh7x2BEer&^rL6}MB0 zHd;6rIzvbD=ze08!ctLy+@H}WAcm8d?1<;N+wak)Sd!LSAwqAf?YO01ysEBMNW7-84c8nvrBJq*!z={&#{CQ`A(?!6p5sl&MYV%zD-FASD$W38 zzzvUW6NS*yKfWN>xHI&9LIIA;Vc0Y5HszN4bHO+<2h}0F)=sij#&VU2W>?J_pSvf? z$`19P6k6eoZ)Z9Rk=Ct(_qOuksFtBgjX=CeJ`Y$l64<_!dQ4iqbv&HD7sb6452p{h zxRYu!a5y_a%rd7Cih24u{HIN9Tq`(K%W2I~BSyE9sgC9>=O%F0>smM%v--|aw!l2S z%9AeKOmg|RkuTWcxv3)pACXZ46T8}$Tiyitg!j?NO}Zrf6_~JtW@!ZSm6(yJNsY$V zv~bUVxcA~}c6)mN{M5aFI@bEOkNQJtkXgfrYEPVIdLq^BTC$Fw%DP{UNCJKLC`?(Q z>`~1ha4_CiY>+P(j^Hd{lrQFoJkFy(9uM$22LxlvnHaJ&{L4tH)HLPC+I0ay1?MPE zmg`I=a&xZfBQyLc3npCN1rV&;+kgJ$26^vT7wd5H2LlAR$7drclx0aFKwIXS>4o4A z?;7tocE_=Qu^bzi=XIOg+6d%|Ut7<)F}@40E`07I^4txVsO<%6ad|%Ri_`kjw7D>! 
z*k#$c_k{nkROxCqUfb^6w>h)W8e&*H4X6(T|&t&Qi)ity0 zluPAr5nASni+!&$GIPr@8J_-hb8~eKR&T8oMQ!6vbc!s+KmvDkPx_}IMS#66eeK>4 zNmd$pPeRrC8SXw@_nHUa|H_mu79RyuFZuBoJvjs$x)?Rnpkw%j&NBKZmr4||v$Y1U zn>W|dR(5h$;P4TTqq$v9HasS5q?qdr8AJhUGEEIl0`fR?iN)-DQBc%JTP(r%BIMY7 z&QJY#(eZ$Z*yLIyh)NSj5UMN$ds}8!4y;gICG#O!$(4D2gh1vaUD`N3oLqpVjP zcc6Qa(M?7U_A?kdK>NG$L7S^B9=}^KZIBb_(REW;^xle23(Er>Q4JGXAJlp6HRN%{ zCX)ozk20cw;8Ctp@W4LkqKfB@59X!{Erl2gnuys4P}EJI_55T#n62lhTd9GwC(AoK zhS6fnt2hQItRgk(T~L&QQdP<8UPS1_JEU<$nuyKwSPwbH8CPo}t@h}|_EwzbN5>Up zP3*oxg#vydiyiJZ=qf{YmSupd!dSy*Jgou}aE{z_Bu_F6;Z~bO#1P{eAejtR7)nD4 zY3`e(qm@9wko@NM>rvVvY99iKDKnTh=d)pqKwGmg9;iU+>TC{EBXQ|)>h*&*EG>b z2rJLHvG2r0I?#*s^^D7vce0)gx%i&PU;+Qr>^h0%)vPd1u=nrbmZ?G#iswa&ySD{T z?i@Q*6H#Gz^eVlz^g{&cT@4{+vDA*R0E8djUHDCxO8%n^#h$8Q`N9``NVsA=GddPs z3SkQ=?yJ{QVY$o<2GYZ&INN0piB^~?xAf4LCbbeiS8oCaQuQ9p^r&)dmLxt5*>_4m zsA>XOA%^DPz7ss1->$~qRblySLh|bstKhWH!>2`lRyfvw%hb<)GarLDghDq+Z(FqY5q#kQDuag7Zq0#~xi z=f-a1W)-W6Y+zd2l@LK%0U|I z2oV9S&l2qwInVY&ojl!gF2hl=EOhKKQ^fQmr?UY}CdwrowC;xu^REl=njJdBt(Dx?^*8BeBC zi3$V7hdkq|B1$!QK!wX1{_TZn%jK~ZYp+XYVM%>&zBsP$HLaJ96JXTK@#LQfJaw zC`|42;Z>f46~nSvs^`m^!Q<45Sq`G! 
zX;P$SIOntMGoH&oi^2fFcrHV7p&8!&1~k$8=bzn4mA+)>rLlVUjH}uzMEGGX6JF}is8uXMhv)fA){CF%`M(eAS~1Sv>QPTCmp=YEBa$bm_qACu z%e@E9(f#w`^XJ27N1r*m=hi(bbeX?oEB2?VsyGBa4-)vBJKFE+e|G{O{FY~B!Lt~M z@Mj|xl&Ok-fWK4KxJWD+)J}cr9|vyPpD|_r#CWV`urdB`yqCVbcYvoF*1 zl0D!2nWiz0dua|OIN&&yKo^7qZ-w(3rW5}juyeX&y&&s?On@2A>5yH7%5{^H7hG8( zLXBmo)hagSc`lS0jKo+Mg0wfD6xuk^BIi)t4hyHDo_wB3kW+l8cO$5h2-Qu*Plh#P z2FAN@&cFKVtKR~T#=tX7y>oCUO&hiy+fFvNxv_0K*=S?i_QtktTff-0ZQJ^CKkuhM zdZtlRQ`I%->gznNvlQmOf6`q>isS?`jm%ugbeD39JmO!x+Dahe=DRY}sLDisI1v}- z*~Qu352nWMW0o!>oQ1}NH_R*mTylH(JVKxJ1h|ht1%SFFP3~NX*$nz8Snyvqk>X(C2F8agu<(M zSHhT4wt!a45EM_PVh%Ma?x+SOaH}NB@^Zv1Os)|Xkl zr)yLqCI`_eQ9KtukQ~f$*oNEl7oGT%_LJu~k}VFJx`P+tv8BN!6gOvTff#4R^XKOI zc}6Rvj`J!_R~|?+XrhXtVDpfE7}Ss|lH(2ri*mHdT>2Q4`D1LB<01W%L@l#?STv=} zlqoUyv57nOlW+je1p+7};Hf8CG-41lITe`4)#mYr%M#dR{aok^jD086)i#-@ekA3C z!3;+CXh?et)>^$YPjlwbxQy{XgObh?Lh@NC!_dHa8_nai@0gU+am<8E~nMC2b zY;C2OF9c&>5ycbY>|EN!(zi_&uMK|Y{Xx7V+nBbALZGMx9~j(*OJG<+*uc0E*K zG_9}a@DhdKdhe8ooxsPe=-839NN|KrWOOEaTY@@A0;wQ>Z%bYvZn@B z(oCnDfiM-iAxo zD&H;EQ`3&rTc-Zi1k-@G_*~0Pc=F{KNJdS;y6*4A&hssL<`I^1OasR6znlU*HB*ke zcyTvWx4;6`5^lNq_GyIaF?vp@j|{j9+lLujQ%)Zkq5JRSgodIfc#D`Deip3KAh>I^Aj0COAkM0IzjJEIO`X}r;Ly;?I~*mekc%i$30Ox{dgg!&gp z#*PIfp?o{rRgSf^T18sRmUeE*`_+{2bF8N}(oVC`SuHCRcG=fa1b(i!ZuPXr>Xw zpxY#S4B)%X&}!Wwzz!*(pa3#7@q)L-tNuMR29iE6DuN!OJYo^)a~N)ngE zhZ~clqRp*=L;q%ay?#{GwB##a12|o;YxfJ(9S2RB4fq9`+izR_?TJ#4TzT2mCZgra z!SF)K74j6&gsCpvN+ZHR2dJtJ9}XmudHkNszb<^Nl&f95E1>u>==TOyPZ0B98EZU- z@zwdt#vN#`XFCL5-4;j(42t=iDc6zakv2ey!j?aSWvVgNpY=j*#jvM^$kNy}bO$~P z4ubVbIOHu?>agTiwgFyG7q8<^4;d*8Ip5Et-|yYshBKui>H344%_`*tm)>wvLnXC|8X|RZO^kUs_7vU&)5uv6M0YTVf0xicU0l@?Tveb>gy$d&%^Yte%G8#7uA2G9^&sVR7Trj zugNwpl~D>^xaoAiJ2))SQ)rk2+JEhBTFB@JRk1QR?*5Xvat8h`ij^syd?Q>*HC@#o zNZ@utlB3;x-@1is;IO=aVxQHM>#rMq#vCm)O1pfxbv z%w(E}-%?6DfMhM~h5bOqVHKIC?C;CX3zO~CNWLg%IoSxHaU_NZ(u_ylk}#~8A-)$! 
zD!`s5lXgqSlVKIW0A%5@c&9+Nq*~D18^S1UtW?gxxqoul!gAWR1 zE_z51FoRXKzlRM^@O+~X%J*yVd_Tcn&jYb!n*f&AF^@wml-yT*26u*pO24&2M#urQbT!#{0Q07^-G}RHD`~&2E~0DS0MqD zJiB?4i2H*QYXO*!PdUrmdd!sTmo+@AQK$R5nD^eyaeN$f6Aq846q5`-v);dik9te_ zE0w*6Edp``$@dDUkJ=yf0*n7NBJDUYv|*09c*b0!v|O;am%fb<0$ZYWL0Bxf0x=q! zSn9($ggiu={2o0n1kdx&i(&P%#YZUfJf^5N_#7|HMjFCUNS`N|_BMoXr1Dh}jXyL|0!u_#{6H zEJ~5Q+4vf<*me+rp^sF%WGnCR`_q2K`sR#5JeS*TH(9f4_YT+><&@zZ2-PW3LSi?u zk2EnkBnpCs-~(%xJNpqB_HMV{85%9VQCZ1#OGPi#1_j&A}I65$=ele?dcb^3qW}y2r_~BA+I}f0S6qaK~k%I9PM=9@!5bbUm zt*`@`lW`l9FdaTCrGSrwEr3mS}P76(5%U)y6|4;P|aa>38f-9#x{!sw5ZSaXqQ3zDwh?{s)q*jS<4zJ=^+)|+plEW$uuzZ_H99=-}fl}V8Agnsz>0wA=;y)c`wizVZo4edH+i=fU>hDQ{}3&c$|K3$#?%XSz;&p-s*-V>t=Ol*ly(EI^o;Q zam@NMcv3mqbFMV~(QZ+ae@^n!E}=Qd1L@K=81)Psx%LK;j?#8;zWm9MYj<^z7QLlw zfvu4SC0HOQxSL-zEw0#I720Qk8~5#06*b1GOi5S5Amn1>ldaSz;;=KI5c%(MZ6@aj zXZ}X4P`CqNmc^i?uxXJ9WlN-h>4Q&W`gangFE+%CYk_l@GOpkH#_n@~zD z;2H@VCz}h6`GFy{WDDw-6<8y%ORo#+f`hF1&g% z$#?&FwUbPNV-N8h6zM;`>*jss{}3l}sl>e;RyJx%-T0^4fm}x&Te=uhybv+5ZP}dy z9vU$mAT~_j&@*7IPm_g)?0==kmM>6tO{RQ)uHUq&>|mCILvC`Jz}Ix?e(Kh3Ck)*% zH-CQ`{2Hn&>+s^qm%G>VUQJ#e(d6_T1^C?VRbX1D!2{+(7E{A9F8WCSD$T`mx8bkagQ^6*moP*@+7r`IoTrh?!VN^XOqjq ziLv>vR*~mpqK+^zvw(Q_!RyAoTD-MDl%u~#4Qz%;$wy*d4996g?z0&Y;cU%(mX_hN z*l3cs*2&NyBT3O?B2k~M%`U{qD)XD`)Hii@)xd{l8nGjQt-s&_o)`B!Q{chON*Kiu z*zSyHNoX8y=$)zkAkG4^3bLN|U}_=DC7!#Yz)zxlUkK&w%gBQnE$PZ&0TLdeiJ{=W z78k?=5TS}Uqh`9Vl1{xQTt#ycn7_@*Xr)9i&#S~deHNG2dRtw&ypS~6{E%R*hA{z- zZ_D3rb;n!htSO6zZE~ZVV*ZTJ@mhK8c$QZ*eQ}xPfwbsPB;wC&v5lafSP79e{KZY; z;I{AK8qT(h#5=-KUG6I_1WxyYb=U;v;5H~ zvkg9!*^bBua-87^5*J^GU#V|36@hvdL)_fpja~AH9Sn3(o92Gtby4_2Xd86y%?~x8 z!k(VBq*&Bf8JieRCK@Kqhgssu74Ug%yji2UB$3kg=xBD9t8;U`)HQ>E7Mn2#bH4pu z)d%8z1GK}CrGn?a4ispOh}7)3BJdfg{g3=Ifa#;u|6Ud?>Xs(N=$HKP8W88IJ~it< zxmOTd=-FT3WA94Xiu#`x6={vE2Kr=eZMRXS!V)@?=wv8WU%KT|w^djq7-kbQLhhJq ze5o9=AkMMaDGSGG4aW>Q4cOC;jd*L2MEMFQ5j0j1a~s~$XWQgLVkPf&ZGTES>Nt=x ze8@f~fy?%-J@Me)Pdcr!1zjZGPn8Y%eb@j`Req@qC!ktCeXbaMWDxA zQP85g5;_vx{I2D*MatoCl_gHpUi5+QzI^!7WS1MC9lAz%TLRRE&g9_`Nx-1ywe+OM 
z{(Jx;ZpT89$i#=j7?vc|q86!24<04Kj4kLkh9TL0yXyIDf7+PF3ET>~M&@QauMHl2 zeA^Cl_KnjV>o)f#upXM1oH#~C9Uv1pKk8Kfo%tuehE4rmmmo;MkKI@eq4+)5#U98l z`uE3MpoG*qF-17v+9H8?#t!Q@pV{M=iRZi*m|mP%^Z6}Ct|@9 zxRi1qRQu!g9M<*c&eg3O!yS?e)Oej^O+OQI_?M1zg(~EOSzMn>Y^7f=pv3DD)T)N! zZz@quCur80@%te8f(T*c_fhJ_c{6BYd_t&{!}=fn!2(Z~WnccDrCnlO78g;G98W~T zi&(8umz;r+YxwgQzTI|>l{R%YwEu$aOlu=17M?*LID%K*zu^2QeK<=KbW8a<7M4DbA0f>%TVJJM9n0uG zu4BC|Z|MQ6adYbX`apx9xM-QCFy@qE8v;Gep*X6N2tg7!E_s4)9LK@65 z*i&z=zO&GPL4&GO@i4coNb>;so@1pzudD`jZ#St(_FY z<773?;$}7a7bLKmIn9YtSX(h=hc_zHSg`KD`Zb$9%8+wU{9DQfP0jcU5F07>hBhM6 z%Pp`m3(vA+*U!v1djc67<00VjeX=58SztS*oUHTq2q&nZy@}Zo&(p@0d1pPf3#I|9 z=rtcV>0`FB9Mb1R?M+fg-^Wv(N>4NwP4;$m>)%w1g|hKdsnHA0ZmW?p<`uM)M#7g; z(Wj=X<4*lc)=0(GyNF{Z0|vm03J%+-xAq@xcox#ER3N@G{@edW_)kyEY5Vf%_lo4o zx=zn8+Ktp^A65RRxM2)H7wn{&1c8d7Q&GF&rt8c(#5dT%=hx#JYf>%JvX4RXKq__(Y)=ZDOl*4#>>S_ry%tUDV%`%em^e^FvL(YuMil}_ z^oRxH{V#)u1~P5Ej*p{D6?4q_us$T=t2LxF`w;D;Kpq00%`o6dN>uLLq8_TD@|hU_ z!m`^aA^s_)M-@q>^bGaiCyZ5>UcaMC)s-@Q0O4n?M5*rU=ZN$T0=SO-G#xmtZS>l` zE@~(PxQ_8OLL2)0;$LEv&>Tnjsu%J~84GLy$#x{oQmeYSkW9q5V&{CB1W~NJYneE7 zTw8m=jCvM#T6>^XUOAps*9zf%f(t=K5--qceJi^Y1{eC|OfEGHX7cc@p>?@+H|w*8(o&H67w@VBS}m=-byqXHi?mnM_b=2icP38w?=|V+*1~QE1NFj2WE(-{ zz{Q@;DoQlAPyfhai?)6l3SHO?bYJyX7pLS<0cgKdlU$-d2Bv!_yW&MJrN{Uz?5Vvy$(p%ug@ zCGoob^)U;O$?7vTHZj%}B~s1^fpZRI5~W(YUGt8jm?!t?_d;s2@{>>?C7fm+V|xw< z3*l})$zH_ew?$j0q0S<3`a>8n9IYm7?)qh!8fWwzVGHCn}`t8*NMDoRp(O5+52wx@h(hIv= zMIEb!Y1ChfrxIDw3#Ss?QF7uI(Q@MDKj-|}|8;68l#n=c#S?Vn!mB1YFt|SF}nRsS3a*@{m1?a zMXyTAt13WK{U^NW*$g89R^7F?aI8v11G!IOuE|2<_xKb8NU!{jJA{)(9Yb+P_5xjwDt ze@1k~)Q`{2hiB_b;`iqkU(f!YYvJ0fA6Ibt7&`+j>~;C|>S``iW>r7VsC}H#yW7L{ zXvEZSE5=Q(>sR@~X?#;A0UYgCE;u@Do+*=Cnim-b<0g7cT<2at1Am=X=CnUREWaQ4sX0aVBI%@n(Nn!xi<1t5@S76Ns*4oSs!61L^Lh*jJL05oF{iO><`6E}|qnA06e>5>#mVDMC3O;EC ztoXMZ5yeF>a+tWzSHI{slGHAV5dC}W`yBDo{7Mew!iF4kqt7L>9b$Kx5jcT5Ns_Ue z2+ZCFQV%HNSc;M!d3UmYtv@9Hp4f^cTGbpiK*s{68_nAVd~v$G+b`Fpj0vfMRi~$} z;Gm%?t{kH0nmPeZDBmQ$+(tu|PZx5Oo2h03&gcdtty#~Y=s4Ys^#xCq?Q~Uw`U6Yu 
zG6uoq88TPtMek)|80gw2xdtb)d%JH6{rB=AM)gSL;~N3lbjU>#);)6r5ZxOpZ)2`G z{|K$DTU>yb|L-8|sFJ8#e`s}o997fsMNrKtSegXpeQ-xt>->mUaZZ02=o-;{)%GF_ z#gdW9wmlZ$DPkB&|9A)T^pu@e`p46{66W2p=Q@q^z~976U_}NfBu(98} zXiz+wHB3QbA=47h4@QiHBinfR_Gf+YW1LDPmOAXGZC``}-SRf@gG8T2a|yS> zMFX+3IME8lLoV7U9CcR6w`B&C=qr_zryJ%p6#x7IMv?~qmn~K}!QTmu^Xu7`jnc1a z5&{o?J6vc|?>`y+qC|m*&s9(s6BHhiOv)K-=siSfp&*|lkIh(vOeyrITF=#P{_>%A zz;S%Wna?G1uE(OIk+xku%z}|9crXeODfOL(Xu58i1LG;zV;mrh&;s=JmVh39r7;rS zt7vXZ=#Lc%ZZV8XS<^t5i<<37C8k_)_@=ENqKg6Rm%D~Cg+ewVQ@^664mHJN@SzAy zH<*tbg@*1wkwPJ|zG2Ifu@5Zl*WdV75|=%XZkkk?7-*je1jHeKxP3g3U@jqcvm?Qj z7Ol>G8n&ndOUX!a+qtbdEc11nrrqA-c0|cV83p_|?G2V#OXlTTEb`==^3CxNI(A^Q zRkgj^ZYhxH$127xDd*)NwG2=-j@3wDwtC*yuNdK8*uz5lj2vBOOl(5-Kywb$u*f}{ z?XZ5Aq1;N}!fr(;o?)ki^YZY({c^MkE`e%BkZma6nO&OiZ#5U^e~+wX$8+hGna`9+-O=1n(bPeO+IkecBQ2dvV)7FeLA--a#Zy zM(;}w7N(GxZtxMJ===8<`_B@CXRt<7twn71gPXylvYl@z@rN!2cKtOvkMBcCMn*+% z!?C!W2bYJl`{h^HBQrK?`5#3(ubvZB8lOR1`VS2Z&5Ee+o2w{S+@7uJ{;mFIb^L5) zX_EF#b8qz{TJ+@c2}Zs-GSL|goAL4-0oKW8ySwzep)ByEc9g|TjM+ax;TUpCPz)m~ zl&*%Nv%^d95{a7E5vhF7Y7E|m&g8A-pV2^O)gF_wx)f>12=p<~6@o-O*s}(;94a$N z$cz#c8ay@%sPXlbLG`PdkA0oILO~2lbOJ120i)Qlj1R(5n#|~v#L2Y9n+!z@X1d7#s3d%zGB-aSL(qw5 zMPV{wkKiq@Skf1DDom#}C!dvgufJ*Min4Una#->7i1oXFO`kxv^OPy9!8|dd_t(?RZ#ZnwELA(TF+~+z`ua znAk+&YeswgQ?=}0hh!#sY(*=m*mU)QdviEJ*WFlHHoTPjGX6PKxF}vB;~aaOi2=R` zEsv|v!e1j~*TBQw?V@(fr)8`))#_kd!wrK%%nZ{Q>+d$u!x>s<2CkMnXhuyy55K9AnbiNufs0ZEG)>)d^| zYzMB+L%7(E7=hSEJ20jfA*9|NU=XY zUS;LEMIjyTjilj29xOv|z|BvTPatOP=gcwAx&8B{i3Sm!d937BD`fCv7`E*f^ZNB_ z>Z(-4uYQbp~aw`?0N_7e3qNr9DxOb}jFR(2;7ykJ z=Uvik$Bw}3xO6T3y310b3nOP-lsR!IG2e}1NSJ-HuM+d-{%Jm03{9GX)M{CKY88f= z#Q-jc*5|$*n#oq#doyL2GO%%+DeqnWSFsHlS=3@rves&clT#LPaCx?T@AzuUsRkRVuOm&n&Fw)eG zcOte+{epJfi>2wuqSc|-U10kX+vS|Tmu~4MZBhyrgl3uP3S2o7DCFnvY@a`aSy z%1ab+RH{6^T23&H*hIb%9!8CiSe<@eR^4%_#&*nLaCC?K19=0seG*{ii)W~fsWLVr zPiFzg*K1w9?E$%#@TI{J7DOvZ z%CaHdW%wh$JS7pOR)D|&)*4vku=>MYHsr&=U;XGv>ie`ugwG(@zD~pxGb*1w~B{wKJXER=qetJy(2O*GIS;jcc>Ov_7`HigSf3(b-CV==-Y+Bw~%@D%!B 
zbtQ`4Xjg-Wu@5Vs10`+v;up%{D%zWFaU%cx%RiFqmaFSs&_WjM@kM!DbPOY@NbSfV zr!!1I7$%M$*a@Wj<;7WmPZ77AsXvjIz1O^TKe5yJL2CTp7K-Tegy-3<`hyZ#15UFJ zEkPU& z!c`OlBI;JSoPx03nVu8F6bio~GtuP)c2`AdV?2C~QKYjl4ZlM?v8ovVPE~(Dd?MQF z3cgSg1*nJ>WAQlnd?Jv3YoWbbQ&Y^{!9{0sR~=vo*#7`hHYjQGqD-h`Ad}^y4EQQ@ zrP`JNR7W7y#NCKW{MXuk#M|C{b!fll|<_c$%5T%t{1aojBf{Ft^AWa+?_q+_zcYEcckMePB>fZL2--LPZ;lsJbDX*xis};rBbS4stU0Sv zQE}fH^IVpPFzl4HeI5*836`v>gGd*8M-r5hEae^d4|Q#7vicW>tFQfU$ak}sWH}k# z?>CwM$pq8VNM9((Dka_MZy3ZoMmon|$mF zf^pOa=o8$X6axLm=qM_7u5y8e-Q1ZP9QHq@&7ebDn>4ebBYtGFJ*ndp zr%Sy!_@dNp+ham60&*kucA+4Oo?Df^+HDqH>Sr@{2m~uoCOLEhL`91k2n=5B_9Q2X z3|$f1!1$riGc&MCyL4`OlC6LqMj{XEC}49vNe}y|V*_h{HMQ|5d6Z38X|^^o3oTRu zK-tlbAKd`mg0G97#@qf;P(kD`Ph~sfLf57mN!fCup}q(rb4HF6%=V^ShUpbQIpq^k zG>|0TM)l$SmNC|wksJpa2$v=#K|w@1*AI*wF-t=dVkVCnRC|JCyz)t`aVsE=9H`;Q z4|go&wq<}iq$>UD1h*U3GxPsTDOkww31{1@8t}9|-v;GMNL!10R(W%_=+!-OZ6ivb zy>kTZuV>_=wRpR{!%xF~>_ZyqwMZLAXxBJ&1@!OG8 zhoI2mi@+D(WV`h_2 zb%ggU3Ova^(t;(2hgXYYi%K7WPQP`L9+8+8;+T@Pl9P90<)x92D|`Z1v+s>=3d9V1 zGQN>ltz(hCqvh*$LA{+vyG4P3S5T^d>e|TBSbyb=Pw!U|L2|JN)xptMf+4;FMZ+0u98W2@1{*P$*CGCnI4Lz^-t9>EUpXc_SCf^abc>poreA~#VZ zssz!<e=JmoLd4#CB$F9Iw(J8$Q;szNTXbtrQwp^2vc8_kABc*a6Ziz4#JUP?(2AUO^ zu02Qdu09~m^%Ws(5NV00prX5YoT6`#*P=D*()3x|b8GuJ+Ch%=e0?f}z&3#x{&qM5 z`I4-X&%Tb#HzExo{Z6M_>|e~UT3`kUi?B?;0a?>3nOfy7l4b;6Fl9g|4JkP#-QaDy z^gIsKx6xDvZfVn1n-4e|`bqLjQRgsYN_PAr?<%!8IA z;pe`AyVg)T?N*d|UprOwZzUj7o}pmB7l3Jdb+Bl>oyF^GPfbntg;IOrF)&ksY3C%h zsRijfi8#wMi{NY1m~b`^-LU_LsndDURf3`<>tj*g+=mG}SNEXfSzdZu-5`V!lBCzI z`u6V1oU2yZ$V$yIMlA`ETgE9m*XpIAm=~V?NNK|UCjmv9ekSp(f>QyTb_17*z9F^q z>3H{B|5bIat5bxaFWfy9lYSL6J} zXRCf@pIn%C;nhB3TT{#iOvJ2XMsR3Ktk}-Ckn!Ppc?|9xJn0FN3|STj5&FJ8k*o*i;6d4x5)5qC zv`HTZvw`jO6fiMZ4!9dqQ$Er&H&gecKoT`NL8sUS?2jL7Vx0i{#zHF>=|p3;XprlF zz9M8bS|s&Mg-EToL(`R7^mzOP=6ZIBWX!2(e~`@$MfJRxXrey%U?XR-4tQim*Gx$i z1aemr)rEQvT9H}VmN+e!32luly9lh$3tLLhx{xqXc7uOdYj%O7qSI`H76eMZXMYeK zzW^O!F`PE2aw#oV&hR-b+}5JL^pGJYx3^VLi|er}pGw$vJ(vjH@soG!4$~7)#SQ6O 
zySLm3?lN-F&}Gm8Tu?qN#~)hSRGA_w%5(aYYdQ;NL(1w@XL0Lx8Q6@^m^}Yv*l&Dn~xucIt2wWpOc^FMis?p z7AJN50DCU&R+CKjd9C$@7?ko%1KsB|1RF0koR_I%%_=;nnB%w zmo&KN*#9*U(JB|Jxcb$jja@TVPdpou32Xyu?l?#o1v#}s37Ft@2K^46oIt{_G>+k| zhU*IPZA^^Pj-b!Mm^K?^V7m>M|0myAYIOzW#=Yey2j^Rt<#td*Esw$oy|@}spxmWP z4U43A+_mMhu%W>R3<}@1pqG1sA1!x{J+mM9ZmNgiP9K_9D;7H{__O}2jV7T!hob5F zW}dL6Wcc1>KfYjR(Cy^t#ig{}(kRog4zaiTfqu^-#?P0J`8z$kHc+I*Hb=NnSqy9M z*y7t~sBzrmF}7etVe;CIYcUwG=DGwqb*x#RT`v1^CUz%gD8=H1%6|cHt5R7(`rao7(%hp2@&u&!#hgd2oL$=| z4?Ect?`(#ITH%A@)0Y8Ht)3>Na2aQzlLF-5d8By1`iOF6ZOqofycmE|4(_QXdnXaI zp)LGm64Vhp+dGFiAlr4(K&1vvoCV1&GKO2JJnRGUH{`r!liZ)Yy2h4hNzXQGSUpP( z<&#(!OmSZb6LX-H#T}C)`tnj-FZP!z&Y6EO9uMb6=jnzg?E!#^OVh#x1 zm2D%S>h9l*u#est!!BLN>E~w4ETxJ$-Mf%b)Dr*EJ-Xn#(kh6eqQ0H28#OA(x{H|_ zX`l5R%~wk;lVx>mg*946t!d~%m z?Au5-`2th+@fo5C1Kr*wW6caEq5!BC+{{r1wl7okwpTYl9(pd-NmQo!Zs2nlyPAU_ zJX|hyK28_;hM4k6I<#cUo58yL?Xa6VCner_+z^|a$5(vcC|CDNd0#g$Tk^(rq2^cC zrGK4{$U$_jPtRTO6?0XNjk#eM^^0-Ap(>#-9}Kwz{1-gEWA#}rOo@iA3cWMI)u|43 z-|U)%YGoqnJpQe$pGTx89L&57AW&*mudEDKfZCKB(&IU5f|uzrI)-hGbN`uWb-Z!)_PE0uD3(oiWrcu^Si2g$FH`XfeFmTpMpoeIe(b(!htdPB zHrL2E)e(Ox(%7%!ysBs0)^4%kyzyh)=iYf?#ts{3qqMD^dHeHADlc@sdXKb5DxqTq z&kHy6ph@qL*Y1Bgm_XpM2Jc0*U29N89!Y>pZ;i>6mA=Rh5^$ly( zb}w_&qH|mLbr~V#{T0-;mO5lxFodQmQaDkDj>FHcCXcqis6OzncqB!ITbZWF-#rYr zVLf*-aKYqwwwDg4vOX)*d6zD0XwAGbr*jDA!!q-BF&I>>r{A&m zp0RhjucJA#al|+ysEBp_s!dj@EM|^ympW_2prEl5hFsXCtjbOD_VN#M>Ie=Sd(bUk{_6~0ZJ20lTSC{N- zs=BHkun$0ithbz~Hn-$*MPjTT!Ko zPB|-cE?iDNo5MbsMN@UMnXkEHc5#3kN!2xvp;{yCbM@2y~&w(pB*4`_!{<%!b zzu(li(J58|1z#z115|h$d;K$b;^hBeK<(VJtAPJNpwvd|FU32dTI9?&)(Z_diVNGH zbPZ1*#$0cc<0;eM?+4$X+uKZ)3mU4gR%+irSijY|FSEm3dEqw9$usVYZ8ZbHSXHx| zFgbY60O$eS3~{qcN|74e;NoeCu4MNUP{gKlv+nx$$|mJqo2WFqqhKg6(_}-Bd{+#v zkQw9+d^6%FIn2|O{Li9h8{lE@`HNUw?(O0DoIi`VyDRGJdK^=4dy6X)#@GG!V|;zR zs!~!r3(VSfSQ}{gCM%U?+uQyYtrlz=hEaN-XwB9QmH-d@8F9PA{2{fF*+s>@@3;i? 
zpO^B#TM#8Y43I3lMQHU3!bfTJYA5r-h#D8!-Oq7W&rlXGkaiOya_ayg7fG*A8)fii z3tET$28(b78^|~DrAaPDbvV#q`QUu+wbUL3Zx_)h3F{XK=3hEJzElc0Frd6pY)6`G zShoiVn?f21{~s5$Z4Z1{HxXpmgaAo@au!OC71hUza2Wd03-=oNU5LJL$auP`Um4LW zlC#CnU$iHdk0m3O7Ot>3vk-^w$6PeCTQlOeC)iX#dbFi$Xk`)eOwtsd3O;e%zGx^XWg1U-8BI=e6OYw79k z$NVF@g8^4(c$51I0Hf5caP>tfrd)O1{J7zTH%@l6<-?g(0^I4Mn$QcdxKip0LvZ&zyc8&%G1Tf# z)#Tg1q}II=obS`;*9>(A|0oEJMr+vl%g$z`$IR>p_9^7jZ9ekf*~nY{_Kh`;S)$v( z^XJ39-m>g(s} z#jl5@IzE0r!W%KW!?o|-%iRCA;OK;Tgla3-6u!b8MmZ-cstObSg}9^m+b?c~U)NAYHh|1Ld`Bx(8BWuIM6XmoBb~`)FXe{Y>LyWGZdta5? zj$;e)%t-UWGlG2gAeA44zNr}}Hl;zsu|e) zj5}?(IGjuX%lpyVC+~I=dxnA9s#0$~QCwy|2UyLu%?;EfJF)DK9q~eco6_K*U&#g? zwuNmMiBSWI+tNCJ=^R`e6J~Br{;bu@>OYW>2kih{bEW>v+iYGN{HgusbFrXEX4@YWR@9hBa$GW_T-t+>l_Ph6=nCtxKFp7LX zGVhtE?;qk7>YdCT^#6;fa|)KFi`MMfwr$(Cakg#Swr%5V+qP}nwr#8Te{V;3z2sV% zRZ$W1A*)udIlhq}vn8YFl&M-6g`^ZHg|RqphUkYF&rhGYEuJK(g4~V8;?}JA{C%p0 zw*Mu+#J;R#3jA-1CP~Srq_yldXC=w7E zTM=MF@E!RZZ$uTbqa1)Ew|cXQ`UNGAxBRZTNC~)$3Ucsn3mx0sey=&3a#h8rx#sIq z_b1+L=lhP-hv>Gf4I$#SZ`uEfF$8*4xh!8t_m>aqhoyR!`DGmto`XauM*ri3E@hk$ zDiB9-edSU-fB7K7fe)fV=N`XA-aIkzIU-AY))$pY6}bt1Zy` z3fi|U*^m9FPwVqbBHee@lj~O6RZOVeQxSwxb&UU1fzgQn@GzhD;=g&DLIwrK*Dn_1oAsLno_SJ!@xDt1&A3`)3Vl|qUOArGIHSegijvo z@hIkt3JGQrbrj50Q6wQ#3mtyAM#qQMHo4B?OEiKmkYAxra^$O0JnxSh!EW7^S>F#k&z{)42k zNc=AnG@AFNcHF=`*8Q8P9_|HG@`+aYL5v#YgF&J1B!Bh+yOwvACB!83E3j430Y7@h7 zP>et=`V-;8ex@%)$fzACSZpB0zHb&6zNE$_xEq>%vfasGb)(_u-Z_zQ2`ZdlaSfBU z6UW$amnv6}PH}PdzgP;jgx@sAhusK0#VzO+`VmzShZ24r2}J&a$fTer|xj5Zcd z6`-uGL2Nzm4qVm5rbm|~AMd~aMs%!3l5dBerN)&08MulfCT0Yy>^%mz!muGedEhb} zw{Y|U8Nvtf6f?L_dY{6Etmw2qeD@a&N^%4&tHxloP$O-snOU48 z{E|V0l#rWqTd~rvzVVormTh13E@Tc2+w8MeH^Fb)D|3(867Yjr4wxJiV|Ze*m7|JX zi)DW}%b;9hSkEJ=dg(11vP8RTzXrhIB;qU-z!&-*I(PSq*u-hnZ*@juR4=!F*K^Uw zNq7*LDkVyj&jF-WgR`wrtZr=O)0eR4T?>1GqxAs5t$Lo@w^<84-z%{^FFG}CmADhm z64MfpD(xwv7EOaRXWfL@d60V)-KP}6D2?EPUcx=r33sd`EzjWku(~5P*GHP%aYvGzG%)6| zsw`AZSG_gzy~_5$7Pi;#{fo7RrtzdEcNu*5z+3|)_&pc4*Ojx6v%UokaRWupYQ`?+ 
zeWV37qZuOat^o9sO&(er>?C+@o2`-6N`X~P17=&XyLU}+Qrf>gQb`nfb)wgT)LL3t zUA!MZv)??9V79){gCShSmrl88P}K?}a^1u%z6**9PbyO-=zTFtGOUa>>i-czN&gW+ zb|1e)knPgumr7=_cVVIoT%VC+*7fjzs*fZ`Rj|&OhH9J~SW|7$TbzU+hq5j_J|@+# zBcQc1Ew1?-sw|xo!n{tPh9K~&dZ}Slc<6OqyFs>! z&u3Jlq1~__?fg+Ad_CXz3G>a>%Cp!|`)vL*8$k95_$jk+MzITjTx2W$BZ7blv4dXY zxb9H0*7`gd(^uv%MT?%=`tye1Gsz}B>6}6R@AM)mSEbMd*usiO@Xya#%vYtbGzDfq z0ymin;(@Ug&?lrg920rLInp#1OdZHWl4$DET}ZuNgI`=lN<;hynDQ$1M+9^UfXw)S zQQ2l3C|cj8R*l@|!8(l1ailge|2mS=$Vr8r(K&JSWraoYYR$~J2rn~GvgrS9Z6lfy z*>Xac4E_K@%cAFvXn`kPf!q$#)ls$l&~}69XW*tUabSF^JtV$anbG^`7;zZ|HjAlZ z1WGR;09L4|gsjMaXvt3nAqR}m%V!f`VWRZ)AL-4mGvsG9_XLIa$$dy9;4&E}QSBh0dxr%iNU!11}x zRQP-eq~-EQLN&U}OowHePzM-N0uzQDfUV$W&(Q_F1F8l#C+jgDEij|IB#Y#x z(8fBlN;FU&P0W|LCJU%d1z6e$kmJo5tTUUvm2!v4mKwbLUbjA9L)lH=MIGFOT9#Kk z-*xR44M9Z+U&UX)NiF~pVr=t(iDf3YI&A06@k~H#kT@1RuP0OR@|Q@#s}I4awW8*0 zz8XHU1K@pCjZ{hNJ>Sqv&B&M6DV@(kOfXP}>nnsmUd3^ohMTB`aBl1hPjCFoh5BgY z6x6_@qp1;!uTpG9OMeQ-iyZMkx47>hD${J9ly(Gf$1{@X0-1uDh?a<AVu0#ovB89X6(8Mw z<@9_7m4U-8GRtR1Su~<#7mYYsl?@h7_0tJ+W1PRk6}O0bnJW72s1u;|#wDh-OKv)i zURaZ`4=7BBjAXXBd9Sgob_iOR_-((nn0i)7a=It4+t0OzFBqqd5)+n@>M{+V%6lj7 z^pyy5e!Id&;uVw_vPzyZnhc1E)+&tkBPrm&mdg2FN^Qdm#VBv`n|ZLVngWEacXww# zC?3b%lu1v6gERteYV!K+jf30&B9dk|uYpx9bF*;V=9y7x9VePWNb`1}jO*^>euK+l zJ_3nR&F8|~VKt|D9c%4cnjZo`>UyMFYh$*~q=mNgFvqEuST4FleB@rq@LykU zT%0@VfbP<}-Xs+ns2V2o*gW=81!@O{Lio$H#hrHY3+^xPQBb>4E=5l`7ZTmQ0#ccg zBkTj7Rb#{&ol;Kg?GLkJjgL;fsG$lPxS0Q%x~>{HxrCDZPN-w1uV>eAo-ukrJA_UQ z)fqU|OE9x47kqvTynkwx^*?2oSzdGIR>zwlFr9SvxFychDzS73D*gF~Ys9&ie4gK` zYB43^MEO2Dij2gJJsmKXEx~#IxSDwh@3C`)?#vE^p9MboqU@5 zPAk)%=%t*JzCHG=nS)qHf8JL{CB)4!*lhigwZ9vxWVFAe*K$(L`=1K#$_Ph(5L1eF z9|uuE7c(IOuG+ddoLRk5SW9LjFgEOZAxt=RB=MVCf}XEY7hxASAvCU5o_H32lxn>@ zwPBIg5tfgAMbH-l>&Qw7E5>ng`buxYXUkU86*Np`%kR3?S1o2=z01P$Q$?L!#`0$Bo{#$T@+4F zWu{RD6J`x@Avjy%Z}PqX*0HpU2;)#tVVFTsr=rflJviRj99MdRg9PQtRhp*)cK7!E zKkA#dSB4a- zER(jCU+G3t!25!QWgO1GT7&|#C*7Xqu^lb+VkNk2jaI2CH5R?#X;~R zR!RB?5F}Sl`BfRk9qM<#Bh^sQIXE*Z9=ADmW!O6=meaFg2)E%wi4C9gx?9WKsuiFE5 
z!)Pb06#?djW6rL?h0Vfs$#n4=bEb65`Zj7^`xT?9pg0HOQ*5p zOJo-h!93PaYy&QI3rKfs!eSc<&{{Z$$NF&%){+G2PCfl$1mf;w#)W(uuM3TvR6Ra} z+|;nLrv&?=hOxk~w?_crN01q-;2R{nBryEMGxBDxO4#cg;M znq~$)L;u4xYKs08!;mSe4x@a=t)pp!Y1m}-4#T$d_Z?iU?7yF|j|t3?Z@^}m(4Q$) z2mKvx?qU4zB;ax149SNS9%j+=)E&& z@3s#%QFlMXufB$#Jq+JF=s&hmKWv}w?`$NpGC!}@n=w%cgdu!}L1DX0qG9Mn!clBE z8{EHBn4CKm!zlQ=J*MFwEPMN`-%3WWYd`%KZ}_*4Slk6JXg;D>)o;ILEZu@}6TPxo zybj_0t?%&9$Ccs2?-$a{gb8`Bvp3SLMBom&3>S|Fu)EzfDK6+r=Q0rSAJyx@yH54H zPDKO*gCvt&!Ybd(vFom#%K`Rtw;5_NN;^q=e?Bceyi=r&F+eCQ z5GzEOaCjY|(M3ia{2(ev)-6nw8ien;IMpMPu=cjNK8V_M&^Ahd8hdzh7fkYyRkaEo zvbWc~)&SGslAE%%YW{A)PBXaA{(DIsAsl}k%gp?MAb3ZWW1!V0hEBTzvoe|s;9h0R zB$(3ELj2}u>-)mjYJANVzR{I|b1%0U0g3XTFVqx#_As|Yh*%-DkH7-X zsPT+2@)2~RY=VToF@5%SJM)Qg84Sa{4mvp<7jX)_bloRN(C7=GKo^z+hL=miU^DZk zve>(!d9l#C(xlVTb*0#Yc4L>}#eAhflpnr7Uh>6C_L>>V8(E+?QU! zBd9yr8=O4g37&lkf;0{pl_>^MazfO2=3fy(lDQ9ig2VU38Syq@Q))!>&Lj(^qnjtx zFZF=LNO2qdHm{*`tRr`2T9lS#HV#qyu)ZR^R)cPv36#B4s@rH+x7I8UlAWri>%5ca zxZBO~*NCG~m3)?sVJX$NGTUII7pa7kIzP@oUOy%h-_hd!>GYcT{p(gt{NI5}Q~XzX z5!i_*VJRmSD3Kgf>h<5Cbb2)VJ|AN{+uj3?8*bk1_TK2%(^SW3axaut$Sl3<^LAuC zr}UVfq6V@s&D4uDnLqOvk%(icwLf+*UIAOC#Iu&#ma{7sQE*SNWTWRbKre4|6w<=s z!gMN%MiM3>$q;EPGe@b~kZDK+W9|y2nPZWX_?Geg$zeRKW>9biGyD;y0_WDouQEVG z?b$+u87~bldO}EMG3+b(%QRseu;exd#T_gFP7zs!r8Bc6(um2llUxvwe@Nw%x?qAe zUD|v+^~7A|l9`&3X>bIT%#~`R4j}&yfQU}ADJLUG?P_qa?!?%=0bSJN(ITt8DovZk z#v9b`a%xFME6TxwVWTH;c$r4!*bGa|Bx0)TJGJ%Zl%Sx1AE6U%pCa)imnHLQmvA$I zg(|+p#7otO4N*s@J`sm0KG|kdDD4JusghjACe3Y93+@BG5IA0{CI?f16AWg(>q`-F zS8Xb+_Gw%o({c>!Gn^{_vFx?$9yhJTiIz{ZJBGH`%d&1<=lYv*8W`x@3*%Oh6>+7C zG<`U`_V;VQwFXh^{+#7kp+q>?GsfP9>`AU9HoSVGpSd>V@k&FSoAD}JjF~~}}XgX8bQ0)XB9rRJ(NK&zr z|BLzi0n(>tvwUah@YbJ72>DrA?>|k*r(FF+X`OrN_l|au-N+h5FjMLSPOd&rF@rkJ zPHfHW@jcSII6uLgJ&$Fwt0S335gn2kxDCuBT=M@S2>;zoi9~+`vLhLq-#VMVBnf&X zdE(7#JZHw6jpcJqcvV`cs)HsM^ePCfc*-AE9mrFYUq3sh;cm}Q$O{+NV;%=-yg@@XXe6zD1B#6Qd3lS&*h z)6LGuYXo>E%4d;)d+tt|O$f&;y&4W;5bi*k%Z>EvvI$)_~(_2 z`0D;SxWx6!y@?=cVd@s!P*>J=XA?(Op;e(Ta9bhWw)LH7q$S^2D{ 
z2l%Jopjo>YpP1~~XzOXg>+yZ;5V4HS%($Bmftilys<~x})9I@GoiAxkBJs(;l#m0J zmc~l!+llXpxmDMwEVp$xSR&F5-8pV{i^AAXqtg7nnH%h-awwVOC3z=@;FC+zC3Xd1 z)d*RL@m%BS?F5-GG>O7IQ7t@gZc_mZG12mb?WujA-#|@NO|4#MCazem5_-g5ME{}{ zLh&(QY}!x(m5t+#L!J#caO+x`T_1)!AhM|lKH@rL!!-`WLVL#hl%7M$o+6n}2eV$v zKxYEWGQsqLl!%O41~B>+;0kEf{+i5Ppk6%kQ3)r>s757xZq1Cn^%Ti=)a+oR=6&Gd z2c;eY!4(Nj1O+0dH@sB>2a8*x`6mM=X^RnJ7`gXsAiAU^Tsg~%lDJfy1$xi&W1%c)_)xL|+LhDA0$m!+e04zEo)jPG z8F>RZnEuwMlVIhPqtRW^Kjw;=Tkepwn4{?-fSo~li6RYxX04dA#C-5voki8DN)nTb zYtUC>4zk3GbD>R00}k-U+9@;Q2m9>(Z;Rk2cK){4;0Y2zoI>0022Ez{~T zhcVuYO|Z+W%S4`gV?)U4&4~KG&)cYm3A_@pX%1=Nq6n0X1g1~p=>@f=qmgkJ0Kv8i zc`Irph*-CtnlmE2*KD+?jZPRur|2u)ACG9$o2oc%%lkmU5Kn$p$LaY@;ROF?DJ19J zUc6@uFYdY#qz^VvgMmE`ta?pLe%c<5m$B$q+RgUcHd(jhXRG`?EVJI@w|=(iU1=tx z0WbZGBG*fVuWGS_TLvAB8&{>el@g?6Q9=`jG$Co8?}-+^_y?v6(d9a@7v{Y>7A4im zYRPfMj>uU?Tba6?g~8Oew<-qiFFS8<4xow_F~z|3;jB^=^+5li1^JZ5qFxcdPo>q> zF1&(5xzBBIxU^!3zec?OtsAl(RJhMz)iST*qS9&S@4G_`hY)s5TAbpv8yYXK_T|3vJ{MJ3O0O1c1ay zQ;;s8zhbFk`WPw5*7&A}Uagmy@esj(*F_F1SHC$E0t=`5V%x3DT(h1McOo7_YM2Ao zRb4Dsd z_(Pvo!=%e#3uEvCl1{@z>L`2VRV_(l#LE}upWw(xu^JGrpvDR*XzzSfJ8Ys>lA$dco$7NE8|K ztWg?Zl6g)e#`pPWfY@8W9K8qnEHH{Vb0ItF3_$||9c&(U2$x%0A>^Qk#pSmQYvm{a zlgYi-;K)r63eDkU;MYHHfU?6OGDe|X)M+CUBvfk13@eK?)-bsu6jM7?OUh^#rD28V zRR5X5i{d77*)1FlxQ!l(6SI6qspybQT&t8ej-o!-3QVkrmBtfKJ@HTKh4ns_U>~#h zKikJa$o}T$M_~az0(^olo)1dVmE1==6)48_rXI2oQNxo{o(Qc9^9h1J=3PqDgdtnie_(8eOHlRdGql>EzKaXe23k#-6f|=i9_&U)m=H$}7zd}0 z;sspZu*Fa+w3apHWlQe_LTA=A_`y~z_{?Fqd*}VI?P70ykZ4C`!ef$HX9W2adEtoN zlZ5KD936BOL)0bQ@?p7P>|blFhGD`Hv<_8?+vigj%Z}OZc}>}$nw!Zp7{br5M4bAoF&1( z8wG~vsopky3wF@dscOx7K5NV?_03khr>xGdHZDcb0)y%@BrPZ}PlkqLsUF#c_a;+o zb5Ms50IuLu^h%U#0B4_G14~q=DmXDX4f5%mBg>==MHCA&VlKG%e+E3?)_u$j`75=V z2#4r}5+iCbt6^;V8!26}+c1Fn;Qc^JN{`0-19h}E=~#6lT$!{Ra73HSlt8UmVGxvW zBEccYs?vxJ6^;r=)V3=~?6+J+pSjZ&8kuKTj*UeMG1ArEQP3uoeT??_e$JRX#8{S+=OE29k;gP}A<)i=Ga4Bm2?FzQtBQ@te9 z&RokDlaVbPnChArmwa@^<&Tyx4&@aYqhkv-B_Q8cWG~`f*f!RJ*)|l${RR@i>y#G7 zxswb}14Al*(~G!6`d3m`^+Oq7a0@7S9h(-hG8@`wVR! 
z?a-uj=vyB8{^&j=;^6=WkY+{}s=X!L27RU=Qt+>4oFu)!{G7b~WS(!`{>G?6KVLN1 zemkzm9o5?2eph5)X?|%9=bKxSgIFQJm}IbpH~Ue!a7k~ZTbBy4;x4uv8a2ei5T?Y> zr598r+HcsfrvZ1?MpHxGSFA{Fsj1V1fjLsVaAJ&WP*f3C7yWLzQP+?l%R%rv3BujF zNziH;^@s?NNIMQ|L0eRPmKcdQL={;unzjfs797rtK^BqJMhV{XK~skw2R#G@vYRsP zQJD}{rM4!#im#YH%C)_Je;!Sw_yWj-`n$ukoD4j@H8P->CY=dHj4Wb=D>oWZ(Gf?C zs(HA$-%U)YUx`Fd&P=Z#uOt;D`EHTALOs3=E|DQY9fv4v7wZ$1WY|F7&PkKZbm@G zt5rq(JGmfgRo#0aL{q>Sy38i|8$m~^Br2KRKu$-@m5-6bZ>qSdTk&e?n!IS;A%Fo5 zyDp<~0kpFDs^ni)?R2{R!v#-Uwzm|6ZD_WD80q831!?llm81?4#fNfUxW#Ry`00;9P5 zM`;dcBXtQ>^r#laOmH)P^PU!6s%$~xiZ~-DlAG%OM!@ij?Jlcn#qrY5dy-_S+*RdJ z6vm}I2k&k0U~=k1nfn@-c*Ze#|N3N{?8cvvBMB-QOGaDc)m&ma!AgAW1)R9?FBrc(veB@E$dN`)V5|i;lC`*1QwgG3tMX}so)5uU^#D8M0H%<6rCC^CVWSCcN@E|G zhjAFE2JEF1!yTbsx)1E-+fcrb9ke@ZfzqJSJp zGRK&5)uS`S*3GFmFvDdmn8#Yj>KZu7U)oelU2;g4eXm?c$Q+@TY)C6^%ECt=DKCa} zKMsPrM=^((PI)o8a;OVTUb7%ciQ;LvVF#EkX4dW}lJzT}b{Z?Fp%P)!p0&I23~9Xq zn0U7?a&xvnK)GMg+6I^U$UO}xi(J(5eU5FeN>1YQlkZFK2X}0bbG=1R>ZRZ>6LB_k=2^>KEC9SU5 z6Gp#X9w|24&mAncL~z>oYjYm2BRGVab{he4x5KT9VbDu0HiD9oeHo$`1EVbuoeJ_d zL%A*n25FN^hsVXEJ+ryxVhcS2@hm&##PI36NsA}6qUHO#VdN+Zw_h9%Lb$~_jlT+( zrrYHdqU>=i11)MjsS_tq`v4WTpYQ2_L&wS;H-D#k(w7Iu$(+r61<%F<2-43H{`IK> zh}YF~e~YAG{~@_V?Ccm^XWbCD{M#FJ@Ah@tucq?O0I$&|&3Cc@l?6ppseht16rINHq%i-p-JG46bha+#E-1SgUlMgHp}5N*P^%Y-VV2N!S7eqfy($C|o* z4jx|T9qMjE=r~r#`udHBlfuX~p3|M-RIcOm&dcRK|3{1IXt==oqM%BqZ%d}-@^A>v zy*=p*SGHxwwS8%M->o+qY!l6~mxS9if%I1&26Kyc7nyOf;c7cg8-1TP0MjvOE%d<2 z{I$a{5>y4t^p!J1!|})o(1S-hL6xE=e7%0O6v>CzVVSaUHugC5_{4_pilj1)CvDQt zxBgb@6?Usxj|w8L4&obx)~9gp;5QjCxuy1VKINIe$_EK*=cX(yDLB=XaOCM17NiI^ zDi`g|OTsklB{x)`8fdByLa+G-L~Vb5dK7t(5~{hx&Esva@v>83*Oy)EnXFX3qRl+- z0ZOr%94>BUwZEA$_QKv(P}A0~i=LX?)!dSDMIdW-v&>@^0bZ%)i1B5}bz>oJP%Z_` z^=1Dhgdu~l1irR@w7x2MDT*ml!#fCjVfTm{g`lGxsM z+TNC)wS~Ri8Livt;e4Nh)w<*1`EBCjQlQytztvhMED_k&CI6}FVi-MiG=dKf`GfL$ z9I0AUvHjVy4OV`zD6LYCoAcdPbgf))+*onZj9cn97d;QR41>k4}10iW<`h2OxeAzAVsdY}Mo@fi9@?zz zG==YpR3XJ+&2@IA#X4!(rA3Ac>Bu2Xm~)d}{VRr|Iwz~a-;So^9I|$MB2q2Fw?ddJ 
z{&}!*5QgZ|aeWSyL?L?4y7KyO0~ibSC$XyhD zg#Oj#N%^8lD(GrSYgoP@WsA)dH1?k?IK8eJbEg-6W9U-m^al=EH{8kfo=_0zoolyP zVsn~YabB~nX=t+PXhMdQHp6qxY@;W~Q7w@EHREbKZ`Oj?m<%BYM~}~x6}Q5#w?jHQ z8~6+@xQp#sfY@2jCLyjvq0emKt=}@mOk^rVJB~TDX{!1Cth1w|Zn-pg=;)CLirD z-IasImtXKwBfbrG^(Bh>UE}QgnxgQgn9B?b+8LbIkzn=C9m>th?mA^#*uO_2ctRQ# zM^ct24F{}sP)c(%4pHU^O@2zS2&?S#)Q|Dg~QcAeE3om>9=yTXvT_ZqY=NI z+P|H#&!f7^ps?0}hkDi3tHYaXP6hk$HPO14{2pujxbWO8``H2C>4T@_hJOhU$d{N~ zazr*W7SGzNcalrduQO4wUBmnKDQL{48#~N2=#(-1czp~OAsaW} zbwwfo9v=^P?a}jgB3e!F1@1SABSULtNgr!>^qz9{+AR9AlN#NChq^B(=$E!HxYUZD z7zd?0^3^XYG4@PSerTYzVH&f2bcrF}HYyH!@PQiV z3gu+naN&{Vu=w6z&tK{OuHpQ+JvJQ|R>=dqNYheBFsI-cmFkSH&GS_M$zpm;#i&L? zmI2!~^))JI_CM{$2m?hqq(lNA&oLoo?$R6A+CCe5Bcb+G#kSVI2hsy&cCy zWN{rsRi}lhXzo%@tIakU4b6v{N|LHlPlcxSzZ~qpU;b?lne(`-pTiEZfsYq+e4f+F z-mYVL?QGE5=~ySZjr{!qI6`%n(TV#J8>5@WTan*kE&c!zm+U6_xtnzJ{2XZzy2qQr z930Nk=QfAcN#I^t9NxKbl>3%IOQ^divzxF^cKRkdmQ8c>UEA05W1FfSmStx7p_i97 zi>H&eL}%~)5Ez_p8}b6|tYbtw*lcua+^1r4$fiI=NFElhQl3`%u5phqroQu~Ku&yZ zf$G`sCLv5x?&;o-N0!(;7N#Nmq%dxaFdM#2d8XIx@@krZ=B?8P@3y7(*Bd)72S=@< z`!^k6a~1TVrYp0@yN-fNtBw%tHp01i)O`Xr19SbH+Sj!INS>) ztI(~px9=nJAkBiJ*iF73g0CS6)SD-bT50`PK+z|TIz^-X=Sgwm4H+ch*QkIaRo(e} z;L-k>w?BHpU+Aohc+Z8`wl2g&bYWNMd@j(rFUEjVSUIo}vG&)fcqdC^UQObyf%~9O z!hrMS8JZ)ANIGcXQ|g&DN-X&Ci*^UFs#x=E)O@*Oo_%_e#YXUWl)LWNyZ{It`Y^=M zmaQ2M`hMFmF$j|KFv8+R>-b*{LU9B@dM1By;o`V4GfgCI*%hpoVM`AuGnt6s$|_$g zvI*WpeQif*p}5htH9~pWn`FG+<@6a`e%xW~A;{a$=z~js0tCldD>Z~Y(-cE@2{#2X z6a*MdT`$$m1aJ@~cs%*Rz2I6;)${GF$z2WbE;Zp)v2C6FAnipWlW7$Ox`dI^F6kz= z%hcyk*(_cLx+78^#eUGINd)srI0P@y!YE=oz&2_D!uj0!8F&Im>({#oY8N#v&ax*f zwu_xM5awgsE3;h%iW+<6v;^~fruv`wyHIn0)|NpKd;ic(ML@q;8nO!9W7JiU5@86_ z(&keTrhZoGPK~H&I2lNv4A$JrIN;Wg;fCah&r4R@mUuRkKXzK8Ui(KzN`hrd`zYw# z;G7-mPN5l%%VE{A^_RlD@S84I&uyd;V=wgw=$1mno2fE*#-)A<`D6IJuFA<(_pRLY zb`vA|Kj_@a;>|YwBZUFT>clFgu>23Tj|C)=k%be2T??rQvP)dMrYqT#UV0Tcja7yg z2@XT>2Cp^X)ixrtYvIqi7MoVqU>4nF!QOoLyexHJt##Of6N#X_#Y_Jhe^H7|^)aH{ zNIXV)+?h}mSOb%(#%#K@oiMl~^EOBGs0B`G1Br@Z>0#f(!vyi6q{ukS?xmf2aVi~4 
zg*R$;G<<<}bj?MbO0#=YrDN7n`+W#Gjld3)P6bh4;X)|?i^WPH<>j;*@kXOL9AK)( z?_WoS*{qv+mYdd+>6Elw#_SepgBL;>W^bL0w0WaJ&yf_2{~gOb%V*^nfNx4T=5C8< z1Sm1~r;>>leD%AZ7St3TS$l>oJrs}{ai_Ab35*$Ng|7t#!fgKB>!kA63BysJE%gzA zm8OtJ7$)_&%()@R4$)z2!a?0!S|0`ArAFx&w+Spd6IfIl&~pOEE`q`L#Ijn|7F$9f zk+Uk0bHP_5^pdo9ixrVlkGtp5r^Ae?su^B=Ff7k>twX@ul?8 zBKT9EVf|1OTqN*&W7&2~Xxusl;COlbjyooaNK`j`H=|$W7O~9=_sr`g@AEC6=HNA( z4zUIO?s`vFywu?^B;bnd^9kaZ%G`&;jfd{)W)E##A}K3nB<<7vFqOfKe~hoMq+tg5 z0PSD`AQ{!vZbDNIv-k{|R?I4VpBV>bnZ*?dx$QnDKt%g!PjS8@2pHU*kmONB2OF_^ z%mqvItAwIMZil0uPiXIulmx*SC}bLDO@o8Y)dfnDEBnv!G7&qQ;p@(J%qMLB&$vIr z!AwToaMqqh_cR7MXAIpUVf+RUu*N2hta-n06Jud-w9<)?GB6A3`u1(Pr&?0IhV4|# zpoM%C-O3(?f^$;^GTol^pE#$Djqnj4T%Y&^uwFyej9TOdHV1nW*Dn1JH@74O5h2iz zwv5pZgN{dbN}(O6L*}X&EV!PSx(Z{y}uRfnDH7HRi-WU!Gd zD(S7Bc4MmGI)^PF&vA(aU4T;8L9dQbCtwQ8w1mh-Qc=9bR-G6~z$Un7NJq%PLJ#p} zl72b$(r^im@1grrV(>7M$3FG&#vo5Ty~Fe#;){EvUZP9YKQbuLfNpBh=!R<{Fcb}R zfM|?sVcowQ zl@-d>0XPkY&t|qQrZ&G(f3coTYFQ{m-RlP;WB%pwP;I$3?(?6 zvcbUDRLa%bHqxT`p7g)o@@E24Zq}(P{Hf~hLWcCePLp6`L`{{-N`sp5etRY}<$m0gkU4yB(?>8H zmJ+O}W`g+x?li4--WQzM#KQ6l;mO15c50^DEFW+`p+^^DPXxD7f)Idy`Xnb;19!@j zmWsVQ^%`Jj3~IAWqtk1zvW;U5?%@1WJ_Bf zLbu#Kq6YWYnz-CW=m`0ABfx477f%l{o6^!z|222fe6|s!h(|E`8?2MUE6%o#>C5Vc z_K(bKp1h8k<7-6@FI+I0{b7vFdKfWmr{5m*`d(RzddH5WB!5x$DbNFBXBykXN9FuHR9U-y5K<2G+w{~~)H zoCwks6!;(KShPvFybfM}Ur%QgpFgj!t;&Ig<31Kjr@6RbDvT|7O*Gw*G`! 
zLf8c(V}y-W3IYW3_onw1T-GkpPSoi%U#rTl)aKUn=WCQ`4=Qqk}p`OAT=G)7{-Jg1Cmd)(C^Uvdu`P z5WBuCwC{0J4uRas<+rJn+z^J3^R8_=4wmui6B3W3X1(DI!d1PZA532K$MGG*%X0{g22e3Aa&kntkn_W&ARh+8< zt8uUn$N90zhV);2l`lDW4AL_{&|04+sFI4AZUqTyO_KVqV)OoV;d7uXJVn%+2qj(5 z7IDJe+=_>{)Hp-P=pqnmDQJm(Rj>kgG70C+K?hPLY!~s3EZ*v1+S^02il3%OtseF-cW8 zw!nD+fGlqGCDc$cI6AZ0`$Y2_o(REqZBTC~d8mnt|w800jiZmR2+A zof>9XB*EipovoLFvf3>xCv65}H0>U*L~J3&*`iOW#fKeDQ_wDI38_>LSP{O8yaV_D z42$pag2sLIn6Cw0#rODH_TWYB*(} z)>n~Wf~}mR$nnyveXl10Yys-N>> z={Fc3abC~nEhS6uf1i==%E2=ew20>=qs7txdnQ!9aQJ-jIT}aYKmP5om*I~gqsk`M zsuL@$3)p-;t{k~$Fb%~UAO-qe*;~_C6Hipv6He14-J&ur%ih#}{ z^lCC-DB+M?K6Xi;GZV+}SfO{R#$(Db*?DDc5Op}Aa+xVKNa5+P_ujk$N=KMHEn_%g zvJh0-yZI?Zd-4+n*fFO%d(etS1ybKv8p4uI`a5E7&cnmOtHbhnm@#A0`{JVt+WN94 zoE_-dSWX{mZN`Z_o@e7JjdKc(#=A{vko> zf!O8rw=^>Ve&OpxU&!~dqS*rXNe~D|!oSJD0o^LF->Da@vk(lVK8WeO}w zP?$)}NoHkBtX#Kdv;%!*6m5tin7ZK{uGN`Ko;%sB2!Mu+WR-*Eswh~k9(d@w)NJvw z-;gMjO8u<-fDEI>F_Xe1@!VV#qv5?Ll=iX~D^NhoU<5OLJpJu;qFM}-NPgRf6&#Vy z6YP+v2aS)+5Dm)>*P&^Wygy0ms&J%sQ?u`Yy8tw{oF7Qn;@inPtsZe&JsHZVY2O`` zOP8=rqlu^t)taagsgpISh-2QPyy`f^ZK}L(;d^g>z@*CSq?MrdF}(txO;~BjX7wmF zjSSNNCsj47%AwE^jaKaF>uPLe)3x@qwud{#Vnul;7upcw;uqGoiskib)HcJ@9PR$+*QubUejUg9VHZJ+4S8Lv*{)M5RSn|Z-2;-UT)vr1bT4| z+C@KO(JC;aYDB+&H^Wkgu%AL)r4qp+IfZP`|y;2|(Elxp9g{adG7v8z&g=xw$eWY=PRBy?GxD5OYOQ5vwu2V7G(Nwcpz z>XLj-54Vi1NTY~lIg8)dUF}SkZ0kV> ze|i~j$-n>SSB6W)zgYJ;{p08Mj{NOE1N?vUDBH~ixZD5t#p&tmldAvki{q0Qe;WON zKgILK`~Sk~+=mPB_4y^dY4-xYKELdA1lHX^-q`93oJZN`atFRXzZ~ijtc#8g!J|X) z=n(t_9D=XUFE{fEzCOPk-GWEA;Gz9&Hmuoy=^3p5+LL4O({qvi`^hJBlHJHh)+=r0 zk+!FFlMNKv#P928U{Y7k(gVlEf~8FIsA0-R(sn5EPu!KYe*nVS`a&EaipdvqYx&9?cFdY|j|n*it1J-U!S5wFSL3^REosPpKr_JRjiQX^6KZm{V&}xyy_YMo?vLDYXJ;sV!ysG&w~5*1hqXx zYBO~qbsXVL!@cbii&pC`IeY^Q1OVquu1uVYH!Pu>0D-S-RcodT8YkSqNqdF`+YE#N z#d39Mob?1ID&o1aI2gTM7?X;aN$8qMa!QU!yWIt&F75?5-KPAF(CHC6Jwm5@J2OJ3 zcN^UZo&H@yr}t+Z@3$X60?2T$7{kGa@XrQ8&ZtuPQi@^`xHD_SZ!)DDj^uQK9)NBr;5el{D{2SADc)qm{?|GPiPn(oviK-P4#ZICtZb0cJ} z@r;nQ5wbQy*1TtgtOcGOAZsJKqw;)abjMaWjnQKGbf19z&vSCxHT!pu{qN-T<*U=v 
zdj9X@ljG6;_bHw)(*EbK&TUP9wVZ~f)vtWfF!*`jt=alkeruo1%;)9b9O~j<*6`1( zO;u=*5P)hp68HKLWDiFNqv>!o9agA6nhrmK>9E|^L#&4FOrXm)LF4#RvRnSK&s=zB z3wo9$8pkBVA4|s3Z&d=#!>fR^YB65<631fmu*})5p59xR2&$z;o^KA?YOp#Q$2gdy zO<}xQfPxJw8VYiopF$d}z9ys@Cv1&EN|xq8jF2rXHFgpp5{t=)t9Rf*VAvl|qojzn zW|tVazDlTClIKSOaQ*=6W~+8Er;0~sMcx8wsxF}KY(Z}UL1jYqkGm`&$#lP?T$$V# znxroA3pWntAzZaEMD3+ZH7Kbsaax* z!d4dDQ_bTd%}{|Xd)PuH4Zgq@u|!~?uFY5Foh@vCKl7GmRvygQ->zW7!U8!ToJwIJW@k-NJ`};*s}E9l1?je z&$_Zh*2z_t2QMtcN4#GVzY1bf*o2b{QwdLkB3}y0f5j1+wb>+f8TN@(!w zqER1eaWGdi_U3u$I^HUkBKH*vO_%jdPP5)&df!; zp0D$|SWSA_^@@JH!X~~G@%p=U>+N2X_CGbN)jS?P@>O9tS@7ON_ZrD+ve`K~={Zjc zjOQD`!TYb+$B40Dl1$jY_)%#2kZ{-mTIOzKdo}wK6{GO!g2FvnX#PUU>B&p-+zg() zO>>^F$+ZyV9hD3AjZ0!!ZuUT{$K-h`ETO&$@Pb<*S2PEc?CaBxZ5B4!!USWNHlN{I zy)CBLC5Xgnw#t*eu56uWQ)7=4U1r1VNg!$F_|@?-d46HFXVe7ATPcMsCz$Y5<&4Hp zW}?|@tDW4eR+;8}DVfp?)|;!qKw)+tmONTkHmn7RBjbWRg(T+c&Jqw@nL}4vE4C7{ zn!xk)&#(UUnmj-Gi9a$ix7jr<_4YFxjqBrRJ%S z%e8l{p_RqZnDu^6#DYgOA(2?kjqkr+b+<(tp>r2F3F>o_=0YlR_Wlid{@?yvXlC?r z@$(gV{(t_@H~T%%VO-3Oc?%i3L$HdLtxk+Jr`%=fM`>L8eJ5n&lnaGc0s9O-b(xB# zbe^E{iZe+hE0q4tpA~S1gIuv~mI=;4{kio&y*vG3G#l%=y#e-u;q`bGEL6U_Vz*|$ zM`D!;6~w=|IcS%>hr7*Izs*(i?);~UVWQIsWC&)c4>7bAUZ{3S5_*P2l^X*JwbUsk-t}t@BHuiqWB1l2|90XQsiM{XTVLr2d zQnbFRb!vaK)&j0iT&jo?A|+HAMVF`cWtgw;bqcyzwOGM+?3FG}xr%^ke%i%gXB%P4 zsY%K%RK-$ju3d$(nrIa`B!$vt7r*k%HM&*sm!_0yTH9FAWFO)3D?S%#&eHsPoeh#W z-?mh11*=C`pyO}{pJ8gOPkt3wSXqKjRDOse?s3pDULXslQc|vGT5=L9EX%Kq= zWQ5Rt216VzX}UlsA4+bEypRspv#HETi(I^6Ig5r|*_^q;Ubq+sofjlwh&Q?Mw_qrK z0`AO1!f$OzK}4Qtp^)WdzBbp^a5ZrV(CH!-?O+h?V1@@ zrBY)J;%7l-fSxIbmDzA}Xg~mSh6JGImJUZ3YB3QhJ0y}VsEiYRya=sZoBZl#$Ry@5 zT7GywB|nGq%{q?&0gJ#$)XI%h(iH&Tv4LF?5QR)ND=|%G`a?V=31@|+p>t)UQ6xfWMo=A`)3nrL6&%Jt zTwh<38Thl1NW|L&lWcGt7`N`}=33T23MKm$*or5nR;el4qmqO)X zZ37%OA?iUI0b1RskFIMsQ?Gv>ON+n}NWgH_ zO;TOLcvtil92k>q&(YKdIeptjCS+|exQSv8H{zNn!{KU8;N9-I`Ge3Wgw?lPWCxfo zkXgRi_-!q2%uUkmHn=|5@<((l-@>IFoyNNs!{+Yfdg*O82R*Lj=q%pRDhnptq;N>|B-D0YWx+D)v4j`XwUFw2J z)1H>+B3=ixe&hl_NBC;RVor0GtT6>kPphb?OP;ePI+Uv#;E5~37paiFpyJGiD 
zDh6qYN?*;2O`jTPMMhUc0y|)>e*y(V716T1GdaXDC^+ko@NswaA7YV1I4vICDsaH# zRUp{6Yhws68W6()O&>!;AVJ}37<>E)(>~M@;QN! zSLF2cyEdHeMT3PiQ zX6&&so@cWyv9C_)rnu^G=d?cc%7)T^#0-D{ z37rbLIAZDK!%S~Eb@W#@Kho>t2=xecG-LS$DRg8z)_sC*N+lK*p^*MT8qJ{6?(5fb zTj1X-p68nB-ZM#PN?01nb*6tQGcgQk60@&q63%*(tC5Y?`k>r_Lj;pt(wr@Z^7)x5 zUPadk8kYgQT$3IB_l#BLd3Pm>G`v=F+ONbvRuYyn9$53Ktx>oWD7gWTmiD4RNW7NO!XN$=l%veVNv4V<2XIVU zG0b1&)>6Q@$?f9ZMg$rKl_)J%b0*32SI5WS9O|E347*6IR&=6RMkU-%V@U-?4__U> z_$H*FQf053;I;+og9iE_@Wu(TAC$xpOXAh>@#NKC{_@Qs5kXW*-GK-M+Xq3OpB|qc zo}T>q&^Gd^;cFf1#Mn8805iTXi+Y!erh(m|88J(=ChsnX@IttDAr5Ax4q1KYyB{;0 zt-u*Hj@x0b4O*UI$qEOoU;U$7scCbo`#IgB@!mAT$S{mqtx_v4v_vii-H-%WbxO-v z?T){7yf&{{P_xZ7Lt?8e2g`k`6-w8z=?~aEGOB|4fF2VkiZn+n%%()I)M}-=9bwRt zQ>A$Ok}9oD28D(|bTp_3&8egx{Js`ix;pAcw1+Em zpKX4v|7(Y3dIR6t3bfRk9=9=n^$fXHJFQDThFVWYEC;8kbaScJ>iuSih+_K1F01?y zg(jl24vbTSIOk^@BAq(zWYCg_b^;5)nWoo0O?XUm<|!$Drnl~EBxuCXa>o^6A9G0o zo(G%gj;+Z}o~UU=Z}c&66VYiT^P8O%7yZf2sOc&^9zBf_-Y1?Honk=RV}iczH39;v zgsqjKqRemL41mAx*m^fY@)Wn%?2c!@Fv)L+YRDIjimi5uPDmy(Gij3wda!W2DtmDn zU3;!a)5>L`aw8uPk56^osMQ9ugtp1^ur<~2-fw{W|84TUJtii9bVu&6-b*nZCu?sAqS z;^Dl6jSi6;yXv>?qHggH)N>n7aT644cZoqw!5D1| zE-UFg3GEsI^~}8^O_V?o%mYv2h|1W!C(r))>}e5cs8ZBLDO8TOAr~MMa;EheUBLxm zW)OzlcimU(G^ZcQa~J4XBs5*Xg-dp~I0Bs_3k7-oWW;^@F%ui<`oYRwn-vRw;au$} z`tfWr1TTKptW}MZ#aG5EPs>sEoNX%#H&qdhmLXYi_efSWj(?$YJy-@j^UJr2z4~>D zd<>bMea}qY2^Jrj0OEKzQm&}>?HrQn^F6t%4~*J+Ef7=Lm*1>x5?jT zv&p4%GwZZO;XQ_~h5)&fewTq5&)eF+!p1IBpXR<8ynK*wcU zWP)Y72MFWZ%0lk>tG^d2<+lMiZpd}rRO+59-x+&?2B6SBuFqI%+V34<$6SG$Qm(FF zbW=k{*;cPISDURu90F={;+{##W7E!ewasFJGH*Ab(ChCdT`@!H&BoiPSsO9DA2x~M z0Yf8iSi0VQq(iQEXpE7MXmZ(Wq1-UQR7)Q!1T&<-oT_01w~<@)uF0}wZEdgS~~WGvFrX@#z!3*x8jpU1D7ig>D(m3&{pE?}IlilMH;ozXeR~C6gr1xTdrSnsXf=R*eLctYn{vH|~b zhsc|^@Bh~>C&*HZWPn;9uH^hsuhX{b!4z$-se(tmNMaKKL<@hqFJNv*S*8Z-{`7(# zS8osyxMJxLkJm(90hf<^uG!456v)fx1m7!F83Hp%CX74awh+h17&L~{s z2ErH&qeRFDRe&OqGrZl+=^axfOK8MQ2rRuR4k2I+0QK-oA|;84Xrd=61iR5y0JNP+ z5f`}0P*#Vl|FtN{16b}8e#fw6Tv9AVi1eOIkpfMDhASTVAAqe8iB*=coWa^8ApP=m 
z5$fk`_Krw~UV^G5q_OiJx=1rz5!&fm*SEW}Iu{+1Tc^Q!{oUog-9UUsLB-(n75I)I zN?&V>R-v(n#&&p=te7V}`jHJ9qAhDL*|0L)0Rqc#3E~v_;qu4J(DoK2lbXBdOe*R7BX7FX_#wi*}Q`AH@R&)-$0LS^#oD>HN5$JUUUv%JO3p!1y!5zO|1 zNxMFBfqp62_I8m1R05~9-g?`J8dqi~8mr>~F{2|qh)O7nQ@C}QnR$1c(1kyO@Dci`u(@vw23!u3=$ z6S{B+oM1;gr67<#P4L3wL!S+rtT915_^y`*9bAW}-^0zu75hgY*5aZp>ftSTI&n8Z z<`!fJNI)o6toEO$7CAtu)8i@%U-5rY5zMAJ37vNOVA zLr4aIXqreyM&76bs2zsGra0)cDetestj2doFp-B;3>*2d2PX?C$q!wGR#o zIaTXp$qH#sBKI>_79JWHK4jwdkVeW}WTU%?iE551=uI~bFS%!uCV@r`!MO3z$G*kZ z9}8%l^A+SCGcGhXuaBfW2y7>ao=?%fdmR6xk6h z+lJKQ*=#cpyn~BN=Y&_X#*0h0YO9eChmQMVvLO-RopYC8V z`l*rEC!k^pi;!TqTq?clKu`%LOLIdv4kg_L>a?1=riQvHcUw{YGM&D+(!XkYKRnFb zRlQy?=3J+}g;*Yt3v(mP~$J(lR0Qd%ygI3 zoBdTYzIHfYowK{5Ro3oU=S~7IjUtxiiX0KiZVSvGVWnMPCMwx}OQU-|2sRaN`wq)p z4ocVxf%Wku56S)mvgdGooP%+jL$N&eIvO5)APzYU2OWf49)jBuD|`SBIO2Mbw+-T0 zg^#s9iz4vYE1C`hMb667)yO8SqIqg^Ket}{9qGLM^7FMZvYubOxza?04gQq;)HABo z^}E?Q@Q!oV7SyWB%P#8`JeH;#1D8S1pUUI=E&Z+@9nFIxj_q6|7*9T?IW0FJdLy^B ziyeTzc)oAo=57sBJ2OfB^*mAdE&Z9zj}iU#{uO$W-U>qkLk^745w$q3=|h3?B(y-` zBADWRF2El|gHc>3YJ$@{(epcjuXhNAc^(aV^A~NcC+r`a0`sUc9!H!Vse0vfq{V0I=Ys2u=E~AJ7}wJ zwM|ht9LOg8f$umXB-YTu7}EAgwWiTgtld(qHT3&!%C&nP+?OKQ?sd>lP_o_Y_@20E z`)FfDhOy;{v2tMC1Md8q9r*;Ke}ay}e0*S>`AOlX#&{Gq%{4L$QNelIH9kU$ybRT8dU%&@98mpSkijf zSTLjh^dXtAOWauMNOBZR_+zh=tV`a4-!l&oSIwAmd}xA9L$;ovO6|=&PZtP}lqNPH zjdFBSv)DP^VSdjcqmvm~pyBzNTr$Z;JS8&$9j4gqoF(FcoJjVMBZZN_Q^sQD%`y!% ziS3bu$_1b;C?*k(L@0^v?vTiNAqRP}e5cFR=ePyGYbP)Wgrrge=H0`AQaR_jq>?9V zqE<9XNQQ(Ew}4-)Onit<3v%*UG{W8loNL0_*M?+X8<2Ia#;2h#kU-0i6AsW`vtAE< zE*_c%SogKfYO;iUOC>emcz8#GIX@Z8E z4DZjW(p@T{K!JPx5qdj9Z%62@dq(JO!W) z0s|z;L=QFus+qQF9xX8$L2ObJuuv+a-BmKv8TjW+Tg(~$;p!da{-nV>OyF3B}SJ`umQ}o_P2@Y zc|5_s?+ZL^daOUS`BrKrc!TKB;mWeqKNwAiDxZBD>r=N7_oxeKplDPrA6iOv327US z+p?f2EF%z&zB1u6$(%-aEF79bV$=k4S;QoX1;YR!n*Qr4Ia5Rlkvd(?r0Gl51CyNtemxdh@HLJZGzHSU7J}v?4*TXu7s@;q5ET z)f2j`!8O7|_R~IV5>I)~X>yU~Ox}kQZ++ssfQxFMs^QMTp!7g_j#2JA4?Ok}AxWGj zu&~ALEkFjCGOHPI2m5ROT%rC$36-WoOgq(eslHKxNVPaMm^%y5K0Lc&dt~QpHxMvlAEf$-G 
znWuznkwTw4kHU{Ig&}-%W3GgOgA=NT$eIV=yV6x`fZ@DFlADa&Jj*m4Xb@jw0z>JF zn2;3L0$iP!X)<|^SA0hp%PwURQ;N!9{`og}@q;UB%Rp&%@`lLXcAhKpxBW2}W}Ve# zp+M(@64Gb!8TIzqAgO&;D<9fz`;gkpJ?8}R%9aZV5^fXjb;~^gDc#uz!-pLRy=DrA z%jTb9<+Z+OCV8Kb70YQ%bL#!1Iq+A(hA?`XciO020N4kADHFb91 zCC{G0A6ZgJnwUTJ*$MZ3>Ra;f|M?ZR%Hm&`RPM(=JmCi~@{b}JtD|!L|GixCd6cQ? zny!-Vzj1tgeEjxU9F4Nbi}OLT=z0qKZn}!UmS&gMGOGs8ZP*eWGoZHx<}AdjM)`DvcDV@O z&aR35G)zXF`sgI*Dynh{G{Ja!3s*qgQ=eEGXAn0z=nANcImB0W8g(upwWL-u=8Twp zZc}oRl5@IZ$vIW*(I-GtT1_-zhfRUcL+gbbqLSrwf%&Sif?39*%D#!2(()8o$r!SO zN`whONUZ1?K>VGeeU%osY^}kQ?e3ANJb9HX30vgHFB|NBUf%Vr7MX=G6nl4y> z|4G%sdhh!*!g_iC)B;BfJDf_3-hGzmeDOb>LS!8|ikch8bz9-K55Q_*aj6dIvxG-s zQDIZPRfWSeFLj=dzozNU}Dt zMl}>nvxe&&waM0rf;S+!2GS8XVgx~^IkLKbH*0DRL9Jl`_NYx;h`FNkg#B=Refgqi zyl=dswjL&VJ$eB>_BB(ux$Q#?wIFo5E@(~uJ)SPKXdsH-8T!6ap|W~%`=jo>-E{5O z#E1BmFsVG5%=#_ zin3tHiwVC4*D8ZJ%mt9ZLR(CPjQy=}$!M%s)KjAIRkcrDbcUGRNe~beEm?GDY-bs| z#nKfkDNZFo;NT;mir{;Yk&)1WhE19Yb4ZnwxyO0&Q`A4L*=gxnH-8Th5#xLy7Y7G= zv*t}oXEV{aMUt$^gXB(%?nXR4M|3qJy%d>?czp<)Dh;{W?-NDHQ^le}ve_NaeqoZ| z_TjHD8WlkqMNg+M%aT?29Mf`w)?D?Qn)~B|^0aj|&CcFK z`M8jF>A8kBnUdC>C56b(&jzXlSCzso+Q9jlRS4|h0B}oN15)S%dZPFut)|+3e5C-l zdb_K7i-OkhO*aA`xTxE4>NQEx^*^W&Y%nq7RmMJ^fc-yDl*rHmup9R45B>K4lUFBo z{MYM0os9PXPx5?`_J416Zfp3zemDC$b4JzD;_rTMnEK0))@=Ol#V0lHyN(XVdA*wv ztl@iF!R0lanW7B&LX^OO;B>`uE#DdMDoC|cO3*B)esjr4b7zb>84s(PMF%1QXYl zrmx7prT2(uOD1Op&)dw;Rf?Z`WqSyY%@PG=+pXk4UVGq?BGY_O|8z2avANrgM?w7b z1V8-=2nc-Rtmut-aqbGXs6PjaWFq0w+EL~_l*U50pt(UvJ?*|uD7$;DhtzKwIh9;kaI}wL)L47ts7Yb+P``bZb|-5%|sXcsD#NCOr9U(&50_8CzgF~PtDxMZ z+E1=zD+bzQ=jiHdw279kf~g)YB2#iHl;ZQmxTvddiTTL&yV=R{q5s!O<*yfQQ6Rkc zFQ=uG?|YH9Ir(;wY{k=|WN{^H!Qs;EyU>|9y2j+J8UE^QGE<&Fb92{5#97ieIt*!q08SU;JXz z_Nz=gpVagVz1+m|3l*lM8tdF*HOQPn@D-6JYilIIFX%4Een5R^4X}YZYDq}oyjY8Z zL}*Z3(tAeo2Z0RJoF}x|a!O);3j%W9uE(U7u3Kb?@r7{@WI4e;jaKK;>RhG%Xm$QH zR%hTb1C7qezy{i!{awBRh8tH;4Yv)9=a4WOE$vTBk;LuR4odFW`p7q|WR%NVB3IQM z3h6Qeg!*e@EK$FwzMUIcxLxUOicDYbjnZBfvi<}NR`zJ}a};c1sdBceTsXBOujZud 
zHdze_ELvAK%4gyYJZO~Z%n;BDw8yi~o4`J}eWOBcpWxZ)(_}aI>7Lnsq`BU4raR|3 zJji@!0CN;;_vomZSD^*%&a$!sOqi-{n>@v%kk$1ohV-8?DyI2jo&23~z zc+*^_+vZ3LcdXI5pJ+XABm97!)GKkPj3%4pZ9jWoH8q>Gp@ez~*1djpq+03CT{9?e zO<&HMo_sa>xJd3p30dp-Vkp|q0L(iO_zjFZ&}Rz}1Z&wwOKQ7t%cJqBd_wjg{HOJZ z-OUQrZU1@o^5v@+_4seE|MYsa|9pz)%e4R0R_E4MAbdN+cIvjE%FCujsM?3RU8wT* z(^`ir{T^x~GQ}$n`qhSnJ=WklAs6402|3HMWKA9zUo1g@o7p76A|;8S@nlXDnnqRb zJRv`ENb#6UdJ9*qX_;MkTi<;X(ORk_&qE}V@zK|MswdU?7%e`d#ivUB(c<$dEIt*6 zGRW>zsWH_0vjXqc)$qkkBF!WEgERI;v%;Ux z`tGht8ca11*Eb>^)Mz3$;nxNcJBL{kxPyqh4>ITX?A>=8j1en1FXKZ*QlZ*rWG+wq zXEKy%3m+dI_U^j_MWQ87V#!j>6%TnJ&Bb&kVg-RVdvbPTP*uFphSsbe)I!lHDOAqn z#btM9>Ff5|7)1k9UHM}+l6hy7dNfn=-P#&}4@=T&QIjTW!0dMAGKP;(rG5}Li}c`0 zzN}Phh4LAwxGvQ>Oq2bat7aUXB2&3!bk#!H?%D8(RvjVCv@G^PIVPiE-nkZ%9b96C zT0X`yO{i6PbJ00AJp86)<~%PfT=ZDe?c}%(*I6H2Uyk^2+EaWwVpZTXBw|IiWN*Ut zVF_31#)}1zDkk_4EqO1-C_*4gGf-Id*&;9qJ~mcH8HsA}db(;=Vy3gR; zPmbr5*pBTtgnuCe=px$?*-SsTNuieAdFBE{I{4nNT3IkQbK4=|-O>bsO_wCx;N!H^$Bxn8#}SlTu)D59zrt&a+W{vAu>)6t?N-^ zhm*4&ZnjP7X^jyadP*xJ%m)zAnan*8dm|1EXwmW^hv!dYvKEDOu?NXHO;OS{QFckt zVGo~8571$Akn`xSC4^G>)Dy<(^3|1$KPgOWriN+%`0OF%FMNDrKi5O=(D zZ#T$t4prKyf{krLli?jDCTzpcY0^1^tzG`%`ub8=Y*!JW*8`d)PCknwrt~77uMI1o zC>}F%c6p%=@tB~B{42euGw4JA={8i{w@;s`q?HN{lZlzhZYWBuOM=&-s*1Ve`!b!SbrlCVOCzrhR} zl_=8qO3X`O8_bS#Yv^nd1$C3~b|qFl!u6n4ikIhusqVD5{}g6kYh zX*LCk4fvPmJYBzg>t79oJl9>w1tyqg5m)Sxh?F4&jIHJjz{)rR7UNV9n2XL8JjBe< zh2|y1!Ye`-N`33N8&VfOFCNFJzMVPUn#{vjU>h6Kd)9Z4@%&ND=Gz<0dk52HB!49H z_;!YIWBd-ZxuHqCX7=t`l0C-o4uf}iS$3GgdvkdYFn#Y}^frd=j;?QF?)J$Ny6N1& z(A`U$pq~7x<8*Ii=LK6;fIQn;cy|c;+-KF@#h%--iMO%jc3K1bHN}Az+HGvJRoiQa zBrwb>+iG>~Xtm28+hK3*XfbGs?Y6XbwAf{X9b#kcXu8Gvx|wygqiq+Iq{ps0FosZ2 zMC-DmK8F2tTgxfT<8aYsW1DGj_^Baw(nqt9Ze<(ofrD&h72Uw{*+w|& zUun?^+ZP5~{@Sd2K@-CcHotBKv&)~m)xy`Y#vV+kdb|W&-+h|54QN;AdpxHH%4EDA z;nL!|Tf|73#z#TCWNor@Q8C;cVj4dr)vjP~`wf>AB`qar$Zn>}PGnli39}Xlq#Hru z?av4bA3@=}4RQp9kD%}o6yBuVh?^d9(<5%$JtJ;<#7&R5=@B+g5jQ>JrbpcLh?_2--zjc-YYc^DDRsF=D>Ww3&%RL<;qY?M3EeF