From ddc29c08655b3e7293eb15e2128f837c7b369da6 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 19 May 2021 15:27:47 -0600
Subject: [PATCH 01/27] first pass at this
---
 .../networkpolicies/allow-elastic-egress.yaml | 21 +++++++++++++
 .../allow-external-dependency-egress.yaml | 20 ++++++++++++
 .../bigbang/networkpolicies/allow-istio.yaml | 31 +++++++++++++++++++
 .../allow-minio-operator-ingress.yaml | 16 ++++++++++
 .../allow-monitoring-ingress.yaml | 19 ++++++++++++
 .../bigbang/networkpolicies/default-deny.yaml | 12 +++++++
 chart/values.yaml | 6 ++++
 tests/test-values.yml | 3 ++
 8 files changed, 128 insertions(+)
 create mode 100644 chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml
 create mode 100644 chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml
 create mode 100644 chart/templates/bigbang/networkpolicies/allow-istio.yaml
 create mode 100644 chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml
 create mode 100644 chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
 create mode 100644 chart/templates/bigbang/networkpolicies/default-deny.yaml
diff --git a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml
new file mode 100644
index 0000000..73913b1
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml
@@ -0,0 +1,21 @@
+{{ if and .Values.networkPolicies.enabled .Values.elasticsearch.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-elastic-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ - app: mattermost
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: logging
+ podSelector:
+ matchLabels:
+ common.k8s.elastic.co/type: elasticsearch
+{{- end }}
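Review bot: The egress rule in allow-elastic-egress.yaml has no `ports` list, so the mattermost pods may reach the selected Elasticsearch pods on every port and protocol. Adding a `ports:` entry to the `- to:` rule for the port Mattermost uses to talk to Elasticsearch (typically `- port: 9200` with `protocol: TCP`, to be confirmed for this deployment) would limit the allowance to what is needed. The `namespaceSelector` also depends on the logging namespace carrying the label `app.kubernetes.io/name: logging`, which Kubernetes does not set by itself. A short comment above the selector saying so would explain a rule that silently matches nothing.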
diff --git a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml
new file mode 100644
index 0000000..cd87189
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml
@@ -0,0 +1,20 @@
+{{ if and .Values.networkPolicies.enabled (or .Values.minio.install .Values.postgresql.install .Values.sso.enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-external-dependency-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ - app: mattermost
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # ONLY Block requests to AWS metadata IP
+ except:
+ - 169.254.169.254/32
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml
new file mode 100644
index 0000000..e9e4994
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml
@@ -0,0 +1,31 @@
+{{ if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-istio-
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ - podSelector:
+ matchLabels:
+ {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+ ports:
+ - port: 8065
+ protocol: TCP
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ istio: pilot
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml
new file mode 100644
index 0000000..d59784e
--- /dev/null
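Review bot: The `ipBlock` with `cidr: 0.0.0.0/0` in allow-external-dependency-egress.yaml lets the mattermost pods reach any IPv4 destination on any port, so the default-deny egress policy has little remaining effect for them; only `169.254.169.254/32` is excluded. Consider taking the allowed CIDRs for the database, object store and SSO endpoints from values. Failing that, add a `ports` list and put the cluster's pod and service ranges under `except`, because whether an `ipBlock` also matches in-cluster pod IPs varies by CNI plugin. The comment would be more accurate as `# Block the cloud instance metadata endpoint`, since that address is not specific to AWS.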
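Review bot: In the ingress rule of allow-istio.yaml the `from` list holds two separate peers, `- namespaceSelector:` and `- podSelector:`, which the NetworkPolicy API treats as alternatives rather than a combined condition. As written, every pod in a namespace labelled `app.kubernetes.io/name: istio-controlplane` may connect to port 8065, and the `ingressLabels` selector only matches pods inside the release namespace. If the intent is to admit only the ingress-gateway pods in the Istio namespace, drop the dash so the second entry reads `podSelector:` under the same peer, as the egress rule further down already does. The egress rule towards `istio: pilot` has no `ports` list, so it could also be limited to the istiod ports in use.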
+++ b/chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml
@@ -0,0 +1,16 @@
+{{ if and .Values.networkPolicies.enabled .Values.minio.install }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-minio-operator-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: minioOperator
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
new file mode 100644
index 0000000..19e5897
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
@@ -0,0 +1,19 @@
+{{ if and .Values.networkPolicies.enabled .Values.monitoring.enabled .Values.enterprise.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-monitoring-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ - app: mattermost
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - {}
+ ports:
+ - port: 8067
+ protocol: TCP
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/default-deny.yaml b/chart/templates/bigbang/networkpolicies/default-deny.yaml
new file mode 100644
index 0000000..f60c3d4
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/default-deny.yaml
@@ -0,0 +1,12 @@
+{{ if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 81d5481..e0d41c7 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
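Review bot: allow-minio-operator-ingress.yaml combines `podSelector: {}` with an ingress rule that has no `ports`, so every pod in the release namespace accepts traffic on all ports from any pod in a namespace labelled `app.kubernetes.io/name: minioOperator`. Narrowing `podSelector` to the MinIO tenant pods and listing the port the operator needs would keep the allowance specific. The label value `minioOperator` should be confirmed against the label actually set on the operator namespace, because a mismatch makes the rule match nothing. The allow-mattermost-operator-ingress.yaml policy added in PATCH 02 has the same all-pods, all-ports shape.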
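Review bot: The peer `- {}` under `from` in allow-monitoring-ingress.yaml names no `podSelector`, `namespaceSelector` or `ipBlock`. The API server is likely to reject an empty peer, and if it were accepted it would not restrict the source of traffic to port 8067 at all. Since the policy is meant for monitoring, the peer should select the scraper, for example a `namespaceSelector` with `matchLabels` on the monitoring namespace's label, optionally combined with a `podSelector` for the Prometheus pods. That keeps the metrics port closed to every other namespace.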
@@ -13,6 +13,12 @@ istio: hosts: - chat.{{ .Values.hostname }} +networkPolicies: + enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway + # NOTE: Requires enterprise.enabled to have any effect monitoring: enabled: false diff --git a/tests/test-values.yml b/tests/test-values.yml index f180ba2..7840148 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -12,3 +12,6 @@ bbtests: cypress_mm_email: "test@bigbang.dev" cypress_mm_user: "bigbang" cypress_mm_password: "Bigbang#123" + +networkPolicies: + enabled: true -- GitLab From afe857b81997bdb9f4e753807e2c2cf6ed0006e2 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 20 May 2021 08:26:34 -0600 Subject: [PATCH 02/27] mm operator ingress --- .../allow-mattermost-operator-ingress.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml diff --git a/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml new file mode 100644 index 0000000..23c6d72 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml @@ -0,0 +1,16 @@ +{{ if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-minio-operator-ingress + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: mattermost-operator +{{- end }} -- GitLab From 9c6c1ded71dc877b5c722da40e2bbcecd888b8e7 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 20 May 2021 10:55:50 -0600 Subject: [PATCH 03/27] fix --- .../networkpolicies/allow-mattermost-operator-ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml index 23c6d72..6738997 100644 --- a/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-minio-operator-ingress + name: allow-mattermost-operator-ingress namespace: {{ .Release.Namespace }} spec: podSelector: {} -- GitLab From c6ec167e8c7eee806260d1c325f8d0461c028ca8 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 20 May 2021 13:58:30 -0600 Subject: [PATCH 04/27] test new new robot --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index bd1a297..35ceb3d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,4 +1,4 @@ include: - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates' - ref: master + ref: new-new-robot file: '/templates/package-tests.yml' -- GitLab From 5aa73b46fa464eafff94bc0d937a4a00996e4a32 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 20 May 2021 14:06:47 -0600 Subject: [PATCH 05/27] back to master --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 35ceb3d..bd1a297 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,4 +1,4 @@ include: - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates' - ref: new-new-robot + ref: master file: '/templates/package-tests.yml' -- GitLab From 580e4def96da02ca27e9fa0258dc9497b5041db0 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 20 May 2021 14:20:15 -0600 Subject: [PATCH 06/27] dont tell me it was just that --- chart/templates/bigbang/networkpolicies/allow-istio.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
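Review bot: The `include` in .gitlab-ci.yml pulls pipeline templates from another project by branch name (`ref: new-new-robot` in PATCH 04, `ref: master` again after PATCH 05), so the jobs that run in this repository change whenever that branch moves. Pinning `ref` to a tag or a full commit SHA of the pipeline-templates project would make each pipeline change an explicit, reviewable update here.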
diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml index e9e4994..128bd92 100644 --- a/chart/templates/bigbang/networkpolicies/allow-istio.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-istio- + name: allow-istio namespace: {{ .Release.Namespace }} spec: podSelector: {} -- GitLab From 4bd19da84c7428984d6d3ae3c0f18ee454fb120c Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 20 May 2021 14:55:57 -0600 Subject: [PATCH 07/27] fix it --- .../templates/bigbang/networkpolicies/allow-elastic-egress.yaml | 2 +- .../networkpolicies/allow-external-dependency-egress.yaml | 2 +- .../bigbang/networkpolicies/allow-monitoring-ingress.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml index 73913b1..9855d16 100644 --- a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml @@ -7,7 +7,7 @@ metadata: spec: podSelector: matchLabels: - - app: mattermost + app: mattermost policyTypes: - Egress egress: diff --git a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml index cd87189..24c6fbc 100644 --- a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml @@ -7,7 +7,7 @@ metadata: spec: podSelector: matchLabels: - - app: mattermost + app: mattermost policyTypes: - Egress egress: 
diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml index 19e5897..a745ad4 100644 --- a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml @@ -7,7 +7,7 @@ metadata: spec: podSelector: matchLabels: - - app: mattermost + app: mattermost policyTypes: - Ingress ingress: -- GitLab From 7d1bd774d3e46d9da1f95cbbeaa9cfe9fe3a83cf Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 21 May 2021 13:47:11 -0600 Subject: [PATCH 08/27] touch --- .../templates/bigbang/networkpolicies/allow-elastic-egress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml index 9855d16..20bc80b 100644 --- a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml @@ -18,4 +18,4 @@ spec: podSelector: matchLabels: common.k8s.elastic.co/type: elasticsearch -{{- end }} +{{- end }} \ No newline at end of file -- GitLab From aa4a66a3ea0aec44558686a155fbce890cd7b1df Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 21 May 2021 13:58:45 -0600 Subject: [PATCH 09/27] allow in cluster --- .../networkpolicies/allow-elastic-egress.yaml | 2 +- .../bigbang/networkpolicies/allow-in-ns.yaml | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 chart/templates/bigbang/networkpolicies/allow-in-ns.yaml diff --git a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml index 20bc80b..9855d16 100644 --- a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml 
@@ -18,4 +18,4 @@ spec: podSelector: matchLabels: common.k8s.elastic.co/type: elasticsearch -{{- end }} \ No newline at end of file +{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml new file mode 100644 index 0000000..c6cb413 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml @@ -0,0 +1,18 @@ +{{ if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-in-ns + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: {} + egress: + - to: + - podSelector: {} +{{- end }} -- GitLab From bd6518ba03eeca9b7882c9f68d3e8cf10efc559b Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 21 May 2021 14:13:22 -0600 Subject: [PATCH 10/27] in ns --- chart/templates/bigbang/networkpolicies/allow-in-ns.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml index c6cb413..9721ac3 100644 --- a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml @@ -7,8 +7,8 @@ metadata: spec: podSelector: {} policyTypes: - - Ingress - - Egress + - Ingress + - Egress ingress: - from: - podSelector: {} -- GitLab From f84070d5e1acc347c5b16bec196266b5f0af321d Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Fri, 21 May 2021 14:25:31 -0600 Subject: [PATCH 11/27] changes --- .../networkpolicies/allow-elastic-egress.yaml | 2 +- .../allow-external-dependency-egress.yaml | 2 +- .../bigbang/networkpolicies/allow-in-ns.yaml | 2 +- .../bigbang/networkpolicies/allow-istio.yaml | 2 +- .../networkpolicies/allow-kube-api-egress.yaml | 18 ++++++++++++++++++ .../allow-mattermost-operator-ingress.yaml | 2 +- .../allow-minio-operator-ingress.yaml | 2 +- .../allow-monitoring-ingress.yaml | 2 +- .../bigbang/networkpolicies/default-deny.yaml | 2 +- tests/test-values.yml | 1 + 10 files changed, 27 insertions(+), 8 deletions(-) create mode 100644 chart/templates/bigbang/networkpolicies/allow-kube-api-egress.yaml diff --git a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml index 9855d16..ab02e24 100644 --- a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml @@ -1,4 +1,4 @@ -{{ if and .Values.networkPolicies.enabled .Values.elasticsearch.enabled }} +{{- if and .Values.networkPolicies.enabled .Values.elasticsearch.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml index 24c6fbc..3d6cce0 100644 --- a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml @@ -1,4 +1,4 @@ -{{ if and .Values.networkPolicies.enabled (or .Values.minio.install .Values.postgresql.install .Values.sso.enabled) }} +{{- if and .Values.networkPolicies.enabled (or .Values.minio.install .Values.postgresql.install .Values.sso.enabled) }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
diff --git a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml index 9721ac3..97a841c 100644 --- a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml @@ -1,4 +1,4 @@ -{{ if .Values.networkPolicies.enabled }} +{{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml index 128bd92..3faf172 100644 --- a/chart/templates/bigbang/networkpolicies/allow-istio.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml @@ -1,4 +1,4 @@ -{{ if and .Values.networkPolicies.enabled .Values.istio.enabled }} +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/chart/templates/bigbang/networkpolicies/allow-kube-api-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-kube-api-egress.yaml new file mode 100644 index 0000000..b30d4f6 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-kube-api-egress.yaml @@ -0,0 +1,18 @@ +{{- if .Values.bbtests }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-kube-api-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + # talk to kubernetes api + - ipBlock: + cidr: 10.43.0.1/32 +{{- end }} +{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml index 6738997..0268ebf 100644 --- a/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml 
+++ b/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml @@ -1,4 +1,4 @@ -{{ if .Values.networkPolicies.enabled }} +{{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml index d59784e..ed489d1 100644 --- a/chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml @@ -1,4 +1,4 @@ -{{ if and .Values.networkPolicies.enabled .Values.minio.install }} +{{- if and .Values.networkPolicies.enabled .Values.minio.install }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml index a745ad4..5760f07 100644 --- a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml @@ -1,4 +1,4 @@ -{{ if and .Values.networkPolicies.enabled .Values.monitoring.enabled .Values.enterprise.enabled }} +{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled .Values.enterprise.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/chart/templates/bigbang/networkpolicies/default-deny.yaml b/chart/templates/bigbang/networkpolicies/default-deny.yaml index f60c3d4..a0da1d5 100644 --- a/chart/templates/bigbang/networkpolicies/default-deny.yaml +++ b/chart/templates/bigbang/networkpolicies/default-deny.yaml @@ -1,4 +1,4 @@ -{{ if .Values.networkPolicies.enabled }} +{{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/tests/test-values.yml b/tests/test-values.yml index 7840148..071bdd1 100644 
--- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -5,6 +5,7 @@ postgresql: install: true bbtests: + enabled: true cypress: artifacts: true envs: -- GitLab From b29414d505d520068138821362aceeabfa530e78 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 21 May 2021 15:04:00 -0600 Subject: [PATCH 12/27] test --- .../allow-external-dependency-egress.yaml | 19 ++++++++++++++++++- .../allow-kube-api-egress.yaml | 18 ------------------ 2 files changed, 18 insertions(+), 19 deletions(-) delete mode 100644 chart/templates/bigbang/networkpolicies/allow-kube-api-egress.yaml diff --git a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml index 3d6cce0..91ed5f5 100644 --- a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml @@ -1,4 +1,21 @@ -{{- if and .Values.networkPolicies.enabled (or .Values.minio.install .Values.postgresql.install .Values.sso.enabled) }} +{{- define "cypress.artifacts.enabled" }} + {{- $bbtests := .Values.bbtests | default dict -}} + {{- $cypress := $bbtests.cypress | default dict -}} + {{- $enabled := (hasKey $bbtests "enabled") -}} + {{- $artifacts := (hasKey $cypress "artifacts") -}} + {{- if and $enabled $artifacts }} + {{- if and .Values.bbtests.enabled .Values.bbtests.cypress.artifacts -}} + true + {{- else -}} + false + {{- end -}} + {{- else -}} + false + {{- end -}} +{{- end -}} +{{- $kubeApiNeeded := (include "cypress.artifacts.enabled" .) }} + +{{- if and .Values.networkPolicies.enabled (or (not .Values.minio.install) (not .Values.postgresql.install) .Values.sso.enabled (eq $kubeApiNeeded "true")) }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
diff --git a/chart/templates/bigbang/networkpolicies/allow-kube-api-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-kube-api-egress.yaml deleted file mode 100644 index b30d4f6..0000000 --- a/chart/templates/bigbang/networkpolicies/allow-kube-api-egress.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.bbtests }} -{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-kube-api-egress - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - policyTypes: - - Egress - egress: - - to: - # talk to kubernetes api - - ipBlock: - cidr: 10.43.0.1/32 -{{- end }} -{{- end }} -- GitLab From 36f009c5d94f72ea7cb94576f8dafe1b11cf7d8a Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 21 May 2021 15:17:32 -0600 Subject: [PATCH 13/27] try this --- .../allow-external-dependency-egress.yaml | 19 +-------------- .../networkpolicies/allow-test-egress.yaml | 24 +++++++++++++++++++ 2 files changed, 25 insertions(+), 18 deletions(-) create mode 100644 chart/templates/bigbang/networkpolicies/allow-test-egress.yaml diff --git a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml index 91ed5f5..6716f74 100644 --- a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml 
@@ -1,21 +1,4 @@ -{{- define "cypress.artifacts.enabled" }} - {{- $bbtests := .Values.bbtests | default dict -}} - {{- $cypress := $bbtests.cypress | default dict -}} - {{- $enabled := (hasKey $bbtests "enabled") -}} - {{- $artifacts := (hasKey $cypress "artifacts") -}} - {{- if and $enabled $artifacts }} - {{- if and .Values.bbtests.enabled .Values.bbtests.cypress.artifacts -}} - true - {{- else -}} - false - {{- end -}} - {{- else -}} - false - {{- end -}} -{{- end -}} -{{- $kubeApiNeeded := (include "cypress.artifacts.enabled" .) }} - -{{- if and .Values.networkPolicies.enabled (or (not .Values.minio.install) (not .Values.postgresql.install) .Values.sso.enabled (eq $kubeApiNeeded "true")) }} +{{- if and .Values.networkPolicies.enabled (or (not .Values.minio.install) (not .Values.postgresql.install) .Values.sso.enabled) }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml new file mode 100644 index 0000000..dc6f642 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml @@ -0,0 +1,24 @@ +{{- $bbtests := .Values.bbtests | default dict -}} +{{- $cypress := $bbtests.cypress | default dict -}} +{{- $enabled := (hasKey $bbtests "enabled") -}} +{{- $artifacts := (hasKey $cypress "artifacts") -}} +{{- if and $enabled $artifacts }} + {{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-test-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + helm-test: enabled + policyTypes: + - Egress + egress: + - to: + # talk to kubernetes api + - ipBlock: + cidr: 10.43.0.1/32 + {{- end }} +{{- end }} -- GitLab From 737078bc82dd23224ef4e53890714ee6588afd75 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Fri, 21 May 2021 15:41:44 -0600 Subject: [PATCH 14/27] allow tests --- .../bigbang/networkpolicies/allow-test-egress.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml index dc6f642..c8124ac 100644 --- a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml @@ -3,7 +3,7 @@ {{- $enabled := (hasKey $bbtests "enabled") -}} {{- $artifacts := (hasKey $cypress "artifacts") -}} {{- if and $enabled $artifacts }} - {{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -17,8 +17,10 @@ spec: - Egress egress: - to: - # talk to kubernetes api - ipBlock: - cidr: 10.43.0.1/32 - {{- end }} + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} {{- end }} -- GitLab From 4366f0a0c08d4bf4d5999e1d82d056cccd44e7f5 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 21 May 2021 16:02:46 -0600 Subject: [PATCH 15/27] fix indent --- .../bigbang/networkpolicies/allow-test-egress.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml index c8124ac..1a9b59b 100644 --- a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml 
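Review bot: The second hunk of allow-test-egress.yaml replaces the single API-server address `10.43.0.1/32` with `cidr: 0.0.0.0/0`, so any pod in the namespace carrying the label `helm-test: enabled` gets egress to every IPv4 address and port except the metadata endpoint. If the test pods only need the Kubernetes API, the CIDR could come from a chart value (for example a constructed `networkPolicies.controlPlaneCidr`) together with a `ports` entry. That would keep the rule narrow and still work on clusters whose service range differs from the one `10.43.0.1` belongs to. The policy body starts outside this hunk.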
@@ -18,9 +18,9 @@ spec: egress: - to: - ipBlock: - cidr: 0.0.0.0/0 - # ONLY Block requests to AWS metadata IP - except: - - 169.254.169.254/32 + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 {{- end }} {{- end }} -- GitLab From 850b09bca0722b7ad82784f982f778a7e6b7e61f Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Mon, 24 May 2021 12:00:58 -0600 Subject: [PATCH 16/27] remove default deny --- .../bigbang/networkpolicies/default-deny.yaml | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 chart/templates/bigbang/networkpolicies/default-deny.yaml diff --git a/chart/templates/bigbang/networkpolicies/default-deny.yaml b/chart/templates/bigbang/networkpolicies/default-deny.yaml deleted file mode 100644 index a0da1d5..0000000 --- a/chart/templates/bigbang/networkpolicies/default-deny.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.networkPolicies.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-deny - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress -{{- end }} -- GitLab From f067ce9f94aea9644f162db77b111e1ebdf35fd0 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Mon, 24 May 2021 14:06:14 -0600 Subject: [PATCH 17/27] default deny --- .../bigbang/networkpolicies/deny-by-default.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 chart/templates/bigbang/networkpolicies/deny-by-default.yaml diff --git a/chart/templates/bigbang/networkpolicies/deny-by-default.yaml b/chart/templates/bigbang/networkpolicies/deny-by-default.yaml new file mode 100644 index 0000000..096a413 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/deny-by-default.yaml 
@@ -0,0 +1,13 @@ + +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +{{- end }} -- GitLab From 23f5bef015b7f138ac6c8385b3d1b00c55a4d8fb Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Mon, 24 May 2021 14:26:31 -0600 Subject: [PATCH 18/27] gluon --- chart/Chart.lock | 10 +++++----- chart/Chart.yaml | 10 ++++------ chart/charts/bb-test-lib-0.5.2.tgz | Bin 2475 -> 2475 bytes chart/charts/gluon-0.1.1.tgz | Bin 0 -> 2691 bytes chart/charts/minio-instance-4.0.4-bb.4.tgz | Bin 8241 -> 8241 bytes chart/charts/postgresql-10.3.5.tgz | Bin 40039 -> 40043 bytes chart/templates/tests/test-ui.yaml | 4 ++-- 7 files changed, 11 insertions(+), 13 deletions(-) create mode 100644 chart/charts/gluon-0.1.1.tgz diff --git a/chart/Chart.lock b/chart/Chart.lock index 4365439..30b1f54 100644 --- a/chart/Chart.lock +++ b/chart/Chart.lock @@ -5,8 +5,8 @@ dependencies: - name: minio-instance repository: file://./deps/minio version: 4.0.4-bb.4 -- name: bb-test-lib - repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates - version: 0.5.2 -digest: sha256:3ca344e6b6e62dc508c2599518d638e424477cf8de51a53cf795c8481d6c2b32 -generated: "2021-05-17T13:29:55.74089-06:00" +- name: gluon + repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon + version: 0.1.1 +digest: sha256:41c1bd38bd9212477829389128629a39aa58e92e441058fcae5995a6006a84d2 +generated: "2021-05-24T14:25:13.642798-06:00" diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 4de4aab..1f50e47 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml 
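Review bot: This default-deny policy covers Egress for every pod, and none of the allow policies in the patches visible here explicitly permits DNS lookups to the cluster DNS pods. Name resolution would then work only where the `0.0.0.0/0` ipBlock policy is rendered and the CNI plugin lets it match pod IPs. Consider an explicit egress rule to the cluster DNS service on port 53 for both UDP and TCP. The file is named deny-by-default.yaml while the resource keeps `name: default-deny`, so aligning the two would make the policy easier to find.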
@@ -1,15 +1,13 @@ ---- apiVersion: v2 name: mattermost type: application version: "0.1.7-bb.0" appVersion: "5.34.2" description: "Deployment of mattermost" -keywords: +keywords: - Mattermost - Instance kubeVersion: ">=1.12.0-0" - dependencies: - name: postgresql version: 10.3.5 @@ -21,6 +19,6 @@ dependencies: alias: minio condition: minio.install repository: file://./deps/minio - - name: bb-test-lib - version: 0.5.2 - repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates" + - name: gluon + version: 0.1.1 + repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon 
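Review bot: `chart/charts/bb-test-lib-0.5.2.tgz` stays vendored although the second Chart.yaml hunk drops `bb-test-lib` from `dependencies`: the diffstat of this patch lists that archive as modified (2475 -> 2475 bytes) rather than deleted. As far as I know Helm still loads archives found under `charts/` even when they are not declared, so the stale library would presumably keep shipping with the chart. Deleting the file in this commit would keep the vendored set equal to `Chart.lock`. The `minio-instance` and `postgresql` archives also change bytes without a version change (8241 -> 8241 and 40039 -> 40043), which is typical of re-packaging but cannot be reviewed in a diff, so it is worth comparing the vendored archives against the registry artifacts before merging.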
diff --git a/chart/charts/bb-test-lib-0.5.2.tgz b/chart/charts/bb-test-lib-0.5.2.tgz index 0df8143dd476200a3e95ccc1ddc9b52dac0bfae4..2045d9ca5f02c5d182a0b1654b9dc1838bd6caa4 100644 GIT binary patch delta 2426 zcmV-=35E8n6RQ)DN`Fw&NxoE>q~qFd>S^P6?2Mb< zB#M%J%AK3h{*XvuvA`~N7Yi&H1fD@{JkA3D*@P-Xu4%#_9Td9VZuiMxkpFkP-PQkY z@1p;xH|P%g7w7#!zyGM)JMUjSc?8|V4xnly%zyo#08QCDRGLXKf?408 zX*z%Hk=_&1bt2TEVyVf?p29znClFdqfw5HZ&n!SC(4ck%O>hJ?g>uYwiX-4GP*hzz zvx;z+3`yU4XwHvdp>F>Mlay0~+W#%QP8Dh$N-<_}Leo2Wg)R2q>kfx2_J46PxH#JX zeZb9)2N8~$K!0#+x^nP>n8p{OByXjGi-PA{xQ79PbC3ItdyYQA0-#K;aVH zn;Rg-;_`|n2p>Os%j8`LfC?cEwO&TsmH_Sqc|!EWpGY}%N01LqXJLq1uOoPu$l{4{ zN8oxxH?P+$!jLM$v|*Ak=`-;jLo)(*Ou0sj#A$%M?0?Tv%lRJx3L0>XN(OXFLmYu+ z;tg`78gn-CVk?h|*_#{akiRpIntab?0Insb{gPGx%snMfbs;CX1;Ipw!a(1Wu(N<7 zvX9R0Ga_fG6pK*16%8gro<%DSGs8GZP{rs%ho-6Ri0m}mrz>N7Xk|UZ!J*y%t4s(~ zcMS>K{eOS2d)~WP_5bI+WBhk7u+7_)8emeMJDI}Szn0PJDzKN=x4pPKde=j)3(w1qNq{LScp%Qg*Sp|%Dos+E0M84Qyws>5oG6(fc-{nQ#BKc-UjSaE zQW<#h@0UOQ_Uy;!FTOqb>nYscHkHrmx9N5p#`|fnV^`r05DX6_Y%I0Kd=H<$}bc9XR;fwG52xq>?IA4qyb6Sv`un4Vtmsut6!75DuviC8NKiDu1jo zemE^C2j8Rsn*~oL=c{UFl4lA2U>8_Dnqyb%VSV+h3na1luc?`g zav#3d&Mrq0QyW^;)~Ca}-AiUBn;mZyF}tcz{;tM%okT&zq#Qa%{!9}NWYdO;bi(1oXlYKZF@g8mTLi( zmF3A4PL`!Svvd~qvs}ji$)v$$_SWQ9jA$R0>}bk%8-^J6=~+HRQadvI4a zUO%-v$&FuIf6^H@ zykx$u(|O$tRZx`YyFT|TaAP#~k29VB7duV&*S#ekFcC2kf2!dBR(~|#TmEIY4>b*v z;~N}XO4UTPaO?ooG;K%y(pm5xLz7Q-qx~MxYWJG+JdW5U;;_DGDVS@IPjc(s4}Y$E ztHIqvyXoHzHmv`}m7l|0|JZu}V>lSBuK&X)$Nb;Dz$WV~6rkz)$KJcUg47NeB;TVR z>Waw{2Y=`rCZ+gxy?L%iUQ>#D+sm%&P&?v6mF}|PY&L?`J?GZPhqm!HX!ZYx zx&E=u{||;2=WF}FLGS4Q?*q1&`qI&!cTe8`ZkJ5Tkw4TOlV11GmrQoQoKa(a`EEve z+}|$wT1Mi4S1g(@S*%>MSiWencGaSGIb!vO1wc4SWCVY{f`7AmhEgghxC18O>>G&W zQa%*Ji3Hd4Jh!3vO(p~rF`V2KBt8;Cn()?|6Mx>MRvt-#J7pJZ)AzY07i(5r$85}V zR9f|UB^Mi#g4IA9lY&*{0g{4C{XAe&u#KfdCI$CN`8DYLJ{iBYAb;nCU%M&nW(Iqk zz)G5Mmqg!+sDImDKQYDU)uPq5=WW}9_57Ci2i_FaBcs!uWmtcH=+G~R4e@_2heLe{ zxb6GDi{a|`f5Y?P`7!>#53ma9pE=Do0GEt&C?3tFgrA@O@GqEa2~ZJ%%uJdYFcY+H 
zKjVftKTVhhL#H_gP^IWK$T66SLM)cF{0!PQF*41=TYtPVRY^%bcUna=gt<$BPK4Sp zkw@yMZB49QLZ?VzoH}QIX?soXt8Vj^!?FV#eG8?tninqyVk?zQa@XCdTuH||?<*kC zJIzU)!maI*X52t0VxfW4MGq<8LZrWyNV#-$iW#bn&QjkkHD0%WVmBcy7E<9sb!?mc z56@S>|9?9lc8}-3_X3aMH8lp6&|oAKlMj~@6cA*LM|K;O(r`*+)WmrVxozt#O{Fp# z^aMGFn9BeXYQhN<@mHXbQ^RHmDK(Q?ITexf7zD<-@j@q6IA&KE6%o{*P6_-d_%%q8 zx3oio6cunLkT~S|+uzr@g>#50?U0xmKmRR;?~vew^7G%SU=sWG zr+U>h;V%dUG@NEBj2TDmoDqGQI%g!HQ|FAB#6C;KV(09?&SQ8-6_c5Um(O2lhonl{ sExkingw!w4m3;4znGR)y{^zm6AK?f`I6^c0F8~1l|G3;WivUCb05JH$VE_OC delta 2426 zcmV-=35E8n6RQ)DN`H{LlYFT%NyoL_)YHcC*cneVnM?*GR}?G|U;$9)^Vxm&4)`Ha z5=BWq<<8A$e@G;-SYQ{siv<=8L(iZ#9%rHdWI~l8*EHo14hlgK1dj%T;y(z2)&HP> zdH$e32nLtu!yp)(KM494=a&}`AUNzW+9B75st3WX`&wo0|9=E%#@?XPOo|cA&K;U% z^VdGqmC5IOi}h2{((G&$Z86VrGkIvAu53ewIgVXBWNg;W3DqC0cWA2>e`vr zgaa}p=gxg|egq3m`!|?ooEp^rZ_#z8Q0qvFF-uaK-O4L$vHyNB9In{^<>g>-wEw$+ zn;Q>e95aF7Hh*-1R0`lNG$5oJUHJIXS#lYDXUar8f+q#u4>WU9G&H7$jvRo}CAc>? zK+47C1x*n?e)N{fyAA*qLK1r)J; zbatN+IYXsbjM}YfFcI-QUTK&c#z~4QK^J;7%WOwvr`bMT8QXm;>k$qP-Tq(YLZG^B zNZ9TF`+vbj|8mv;U-Xah-<`lVZ&PW2$#~&pN@xF4#;dEqUS8k!;_m2O54kcNY+=wD zMy1R5fQ^B?p*%-T!mx1p<*?i9YQgS;L#Q%rOrx5jMm1v*K8_-p3-h9o@@64xT6Iu4 z@2;0f3PYJdRk7?LzZ|U6^Wm* z3^^0%Exb)jQN3tR^AID$M?(^jpxNKcob#8Gv*>yR&&MyMd8tsNsK<0A)s%_kDN`fx z8)J=Rno<#us#gzOKV-rWsh+rtGA~-Ze5jtR_zieCe~mKmwTkMYlDArlvM+y*lTKr% zz<Q|Mc6FAD=$^_T;ap@Zm#S`J8^2Zg*iUYxpjht9o8d^B8^sFJ2LajufKM6KOR3 z`VE)~ig^nFLlt<>;mhPb%fS1~m*7QXn136@qA4*{k>vem+6|f!HC-e=fDM%%4dA;D zED}B%G)S^BREiA=8kk32;E9cnu#Gx=@tq&z%ojQ5YqEfOA2D(?`03p=h>n@FPCrse zZ$lqEZ>(hMjTy&Xh1eKKyQ0ikjB;-sDOYAD4d5S;S1y+yd*!6nYT>Y8?NiF_MY9^z? zhp)A>%TdhKh8B(W>F{p%ikZn~#~a7Yt}2wjY4F`7Q4%p3hn|r?)06`_g_Fkq_3Qm* zzgD!3=Uq9j@TA(vFp8PpSgA2mXn&qrlsQQhvr&V(q9Q>!nSKQ)GZ=l_-A{w%MnGj{ zc`}8QWhu`rokjhuknw+VX>ggnHMx}|+J_}OnyQ}-bJ`EKbh<}@Lc75-b*%ORXK3x9 zw6m3Pv(3Ds`e12cjeDFbZ8AYjGjm-;hc~~667FSmYbM(=olH4xCeImt;CtmY`g*0-3SX|HZnmlcO>?YXQ4U>Hj?yAP? 
zr*IHhdN!tsRime76vXD3D9 zIwQO#|8qVVteyY$2bah5zkj=cZB9$m%{iafOXpE7M}S)nr|$ar&l|e?Ic&+-GhWv1 z5t^HcRP22*EHeFC6DIw+TwY0zdr8A~bWie7Ik!=m2Q*{fE173{1i!fMuVv&Wa}{Ax zGT+weqHcyNEX#{spZgWK2^#yynJ)gzou>Qi-VzU)h?z(}Rq%f+n}6>u|Ek;jng+@7 z6^<>XdLlYFb^schwxfROJba6hDJHwseh+B1d(C+fN9+=DSYNah%yq{nh4t=-Ki9q0 z;O@TN^zQ~6*8lR#&ta~AY`y<691K?1|KX!!{_jp;lXaE~(02V}@7-NVY6lEb>`@PO z#bk+tKlBZgN_@NCFn`(lxY1>=DaD=bW!H768*!mZx7l#E8^P+HbL-=M+jtjr`v1dR z|JdgL2gA#Ywf*14qoe=73)o`nOGkU&9eMxTT{5XgeqVP?`oWa}S)&p%#3f7eeND40XbB{^EE|w0N6x=7}*P`?LWc=2G{GAhi-KMac8SHHW zD`~=A5`8P8?tgmy#1x;`h*rCvw`~j7^IP5@cvH}fj81o!Ve|REL%#wx#Q%jH4)rDA zw(tKghpXTJ4KIelG5)^`unOs)Iqfz8SB!HgAI+77pCAA5FPLiyP!WU7O_m!l6SQtW z=Y}{xO_&Blrv(O3rRX)tF_?)$ESI$64B9p^GAqJce1B)^l8Soaw8~}(bC&|W7`0)d zh}2KJnpnGpUYWo+bg{_VAq3Y~}WM5d_}@aD;Dh;y0J4oR5ti{Eni4hi2Yzxb^SCW&u< z>Q_Az{(?|QqiLSOm~qt38PQjnb4EfsbDc zVQyr3R8em|NM&qo0PGuUbK5pDpZP2H7*A^ZN>EZPyQfZjlP0-dX4*89bTZfJWHKPR zq7Z`s4*=yjPVTqgfDehHNIh)D&gFy;76~jC*e9`zb<8s<{Kpfj47sEUzxNqhuh;9H zo}A>ry zs{zSnpP-5nE*R%fJems$e?0p27no@YP!WO5Oqv-m69k1i4)Fa2srx=++D22iIrs^rNgY_!KGz2+CrC5X-4kOft32I%_(W)r{)d+`L zW-7!Z=h*-B$+1L6IA#LDZBpt&32r{!RN20?(i} z+J75frV6zVr5Lj~q3QLV!W#SUKRg{S+W(+89Gvd$|2EpPY2@N3rS!eI_^n;djD?MX zyv_}p1VKKddxW5%0mob+7mgc!=bVXX1dsDIex<3CprH{pbmRaOhYR=W3P^E0eQu5X z(!1ac1KCW4W zAytHF!z5wSXW|`(W(4k-a*Y;<(*Sw7p2e2i%?L_jO9FICLmYu6;w5sV8gnx8Zp)8~ z*sCizB>!L>HTjv#0Nla|OH%z~_lP{w1)ty}2wH5gev|UtB@_<(g^Ze>d@IjwmvA@qkh}EmJ9F+j#jtSO zU7y0Pv5K(^Fj94a5vmLu)6nQn2z;MPRV}JfO<9PK!cb zQzlTAT=7aVuauytEvtIKza&Sml=Ex8OV` z@APIfX8228s|_7i`m8bmo);*2p;19NQ8GdByb02X+wlhv%GvPrU(bGj`}nsfPk%W0 z`w@Kn*w$ZLVU>-ohFP?=&0rVJsV2x$%^*etvqOg!XqV@L$_^@w59Y#Nk~7TkN669O z^_Hk195ZJbcc_qF7dLpGja$7j<5=l|-(c&^SzNF47NtCQt4%o<_PSsdI#h^4Po&YX zY@z^$D)64cH}MCSg7>#?zzfGS_SGg6LlucXbYow@8d9?g$;Uj=ae4wju7D!J>B$1p z8!2*~537~=hU(nKk_Dx{p<368sjK$J%v{(^yW&h)gz_3XQ_O2umtw3_Qx>PTD9HlA zZuO%i_p_=-3;Da$ijssjg;>S7g)Q9B6XJVj;NWWZHJp#lR+&nkCHSj7;_11A4@41D9W!btq)oi_=DylOUNAH1_SI3u?1_Z(*EPDAIcZW3 
zhh=({9Kk^?QSx1L!3Nhi=~_qgrWCI~^P`w{ANMte3e8gsGDC@CI;vq;RKy4e=ikD? z6h=R+UZ+NK?MQEVd2kK~i(JlgIrH&p&f|Y)(%>R_OMEMKv<*piH|07VGVS-)EV@O9 zLT#urRkZLNr)ceCVQWHL1Gv5HDt4@t;LVcdHR;Tj>ZA1OiS?~@+lMB1mes^fKTgf~>{cLhhvc72HguD7wm0Rz2@H5?Oo_+7yO@Fr5 z{rxWrfp<{;wYL82^x;zd*Ta*+{`-F$t;;$K>0hh-i`oFB5f&BbmP6g;V69^&$x{Qn zDj{2-?yIgKE7^Cm3bIYy`I5ryKH#^C)e&}A`gPNsz>>CIFW_#sp3P$J+x_aS^Zz?2 z|61q&PtS(^rTDLZviJYD(bkyrLe|v#0=)mt3eZZb?yCN*-`jNo+U8YRHPRQ0vdUYQ z)ts+g1nsc4s=d0ZQD3!KVYO6awTmjNT20h)an;h@?iWyuRMI=EEUMF7)#hwOcTw53 zTs~BAWR9w(;AfY2-X%#D4P=w8kEMb_Nr4GC{vIOPC^VQc>fovX{M3#KiW@w`M26ot zMjFKh0O2H&5&ZT29BBgp!-)jf^E|h8;AJKR6Y+dHA*3C$1qJcjSB<2=Hqopu6sWm` zP3i=8ed)iQ-Z!sbmvy$j@8;+=@BDAKIHLMYZc-dkx#usdIHKjcv)X8DQA0JjgQA9o zb?&gJVHHWcENa-MWTC~-x2afIik8>u_-1}!J0Gyx{=3O(z|Xf|W9{nK4U03b#gc}} zZ*A_4l8#M^GPa=on&lW?Es9jZqWlKIH%5 zud}pp&3b~IL(F9W2{qw_iTGPk$f;pdgp`^|t)Gg>xeo&4Jd}pRRNo!X zo8XrqMLyGR2~t$RnLy%@C$HYVGE$*)A0Epjkpf;negzRz+95GBe*U-EzC(f!%Fq8+ z9h2C%f2vnK75*GiK*RGag)!r(onxXeQs_vDi8Ok8>YhQ^jPa;n|a? x+99cuHf(nYi;(&SxRUQ2GS#7s(EoaGjrMKd_U&tE{|x{D|Nn#y-Ua|n0063gS|tDg literal 0 HcmV?d00001 
diff --git a/chart/charts/minio-instance-4.0.4-bb.4.tgz b/chart/charts/minio-instance-4.0.4-bb.4.tgz index 46ad6c493b04ee1a445ecedc63f15adda7d4b0b9..fe167b6193d834cfa1ad4bfe9089c3b04361ee46 100644 GIT binary patch delta 7145 zcmV%88)tdJHrm<6e*98R3Fmdm*P@Orl;IA%8KYEOu#vdlNEqCn%Zq zQj+3`B-j-=mNhVMdE@{ra#Ve9`;y47FK*ll9sa1!jm?1%#bA_)zQ5LG#xCHa`lFc)Lsb2Jzoj&U$N!u{ze#LvTlf9RtDKAOBZ zKu4p)$>d-d4EmG9fq(d7>JJA8N5PB!2!+$%Vw@aP-{u568aW*(G!RHz+m!U!W+%e8&dBYX0vZjrx9_{|`p~ zBmdt=={nsmyu?$KMFRBfD{UE9^dkfeD|O__>hI=+1L1(+*W=f(T*>!H2pqzcMA*{+ zg9tGU3xC82nnaj`pfJIZA}-Y|Nd$#!nlUJ(fNFL^lPQ^H3`3H|6U?L{eod0Ib2v9j z7+xwZ9^*v7TdcGsce>2{8arKpfM$spL*H@clnW!z$V>_(FT@L{D<7RNFk>XdW9W38 z?lg;{##6_}M~Xl|NeBYXTCh5c(F{9XBL7oJ=znf=G1)KVBw;j}pyaAYQ=D*`u>kiJ zsrA3IsX((ewpSNG^>mR%(FKi2a6N{z=^H9880I(;j??{!2J_#{FkerHyfni3QQnDf^(#C!~IF$(|5h`{I4>XMiV%H-rh|0hzS71B>h zftFJc{SpTZ3q{{tW2THOkic#}<&GmUB7Xrs4)lUl1iVafK&C{ZJ;!2>86YtAB!03Y z@Hx$*P;!f6IvhG+evLt}3@bp#Nka8RD%L__DF2g2YYm(OfXcdKxcREuznf!)cy8*} zkq}fG!k(&oHid)=;8-XQ(74E{kk~u}qyZ5Qg`S0s=XQ3^S_P*&Ide!BGu>+9oPQ+( zvjjy2GOAru7Nqj?@`i z62DV&Mk+Fr5Vdd8lE=tE^IC!_)}I!*N(gn~tzlb;sNQ#}rTz}hwBY=dM1K^8rY|j% zv1JEj+batRVZF9cl(sZQ$5s^`$I>NQtZB@aNHs&Qv#AtZ!5oKKBuT+b zet|h=_*qWzl!m0v5+cOHr6ZSf`;6KvvQo$ zq>520*UlBbc9l5>DI$z}@FQi42q_JyetcK2vy2`A_l>$rz@S6WxcA zSXpw+f8ml_B#iQzYGpl~)}HXvW~xYFH()sAu70gmlrq$Q#@Az|=g;`@d(5t1(PVak zIR8Xh_#@n@LAVi6 zo>Jp9Ds-cSVC?IX(-m*lb~#4CNx1;MqD>B6!t_dzQXoj_lT7k<<^2$(RYe)L;K_vpVvdADE%$mtNHN#KI7=mEAWLTqh0?xLc9eyJRF$Z!ZbRZ4ob>8su7tozklO4`N z>a{lArtp2OHqI#$bGf-^7%tuyR%$HYDaRKlAudU^$M@wtsMi-r%*W8fpQV&7G*33s zAWh3gCz|$Bc3=)65=g@1*~CDTPaJ>%Gock2wv^H@9BU~wB{))Cn=-nP-5`hv7m^2! 
zt3$h4@PB8sL$}~@Pw&P9loaAkP_ysW(_HrW?$xEWVk~>!gA?smFlK^eY5X~jB$f1* z!ooY}iy0B~Y~lqpwzow+!7%Q{NN%Y$vxtaWJk%Yy+J)hk&usG}ALI#U!t97DcKxZc z7yxC0#z>F=elEb6Q$&k8xlbhDQA+lds#qFFfmHdj3hHxMBF8b zi(KQvDB&n`2ELaHSs6Hr^f(DqN)kz4t>w)o+3ZCXcOPeh%Awm9k)FG9r4X*?nI_S- zT!#sCYOOnJPl%P%MX(HeEsIUQKA~|;lQ$@~I+_|yA}Q>aJ|&B)Ug;}(`R20p6Xp6R zXMa0|B$-;h0O9ryP2?*+^eT{IB;){|dfKO9wv`@V1YYheifDkM0+vKhi#2PV21U1p z%R_HHDVw2${Hd0Oe*LfCtk+?p3;D1c7tLnO!mv1iZ#n|mi!{oJO0j$meQsvla$`x(CoM^e! zIcFheIF#D=x+Bfs&IMv9ig45^H@8#FR&rn_C?hE1JuZ;I(=2kWqx#+iaT2)2D}Rnf zuPaq?T;S?zTpeqrhgcw@Etk|DR_?CJvCP{TC)#T)kQDBED!DpYQGz85mH!Jx#w1c= z2UXq0noRP=2~9YS3NtvU^}=%>w451xTTu8_s@Rz2S%0c3t7T%mldrVL(X0uDXucif zi=a{6_JZcN{lJ_*)Z0n6Q)6oBs()K{W-2Xh*66ZZ?bL2x_$$H?aIzqbCTd~UPrszV zBT3y{g1v3^nO3a(%2B$oCBg+GR9QIr9-^?B^`=B_l2TJgP5&Gx0R|FFlS7^J(J3HR zjo}ChvQQQ~RVNjSogABo3D=P-TH}{CuF?x$m8&cz**u3bJa7wxSF%?=B7Zk!7{@C7 zr`OFNs{L2b%pmq=-m`)N)=q0qX7d7$_ohy=rV{<&@#FnS8(96qU8pnZGh6Y;UeRZ|09_w0><;hcMS5;wDSVUhSAxVf6 z0YlkR2U(t{=#LCLTriT%UK(6a&fi>~zdHSJ@x#wAfBbN9e0h2CpKp&ZPdCE9bZBV& zs=zLfe_y@Z2nTGW?;} z=wrFNvQ+--7mHoo1zIEj2cuE_{?Fl|fA}c>@1q#`FE`-1giz7mh2*b3tp=GFmE4+s zNU-=s*%e7*R^ zOjpfq%czU{2OEM_^(~kpjlhE^Er5kc$0l$wMk1J(p+YWXjEt>7I)IenDfv7Gb6}G) ze;Q*k#~JULK-2t4hGu2-jf50pE=Zy%S%oMOZS!nYHm=1wE%2aBRN;V$pj-hncGihd>DpO=`eX%mSPU>%_?%%S!sIxG3wfr01nTBI9Ei`Ul%nc54cDq1=GS)eX4W zQCBwF`Nmt@MtW0kZ_;l)J2yA^s(NTSf4{6O)&FKVuJLhwiy5%){{QIkpsN1|et+11 z)c^NUmh9?m|6jXuZeRTsC+DrT^!BP(vFsA}y_Zrm9n0I5%UnNJjes&txe8XPiw?7FDx$;YfAG>u z8pGA|JOEV*hRPLB&7E5a17+gZ4t)X|r!>Kd7(=Io-KpLLbxUh)6M>bRxA|F>iE)!Q zO*Oc!MV2+s@XBEv)@0^o6TXfOb#fzUg-k8teRFG81tKj_G=>8|w@dYPCuyVQ;V;1) z$GGw+)zRcDEZpDeutYA3!T^Hh41^Fme)LBNXqbzU>WXwv+KD@F6S;Y zlv(B3fo6JDH1eb^ZBpKU zsI|1S;xyN31xQ)Fwmcn^e*{9kQogEyVfmV%LdfMouQrQ%PI*U!ml?hk7!x^{U(iAm zx=`sBR6dPnDxVEZH|LhgE}G{rc@HWLhNh>L5o721Fm{^_Jbw8h zOkBBIsEc0b=El2mWf-B97dr=FtaIE3Yp@d2(m)x13knwQgZj zo)Wg8SCNsH3H7{ee`Raxf-v`#jbsP8NVdyFa+i5Xs#LQUh!j0ndZWyF*qF--t&3@C zgLT{4{N^ku_nQNyTV_GAh$vehw>;O(PZ$ngW{e~=!-6E4oy`(jJU;!5gUmjf?n0B$ 
z?=Xvby@EL#KmD9C%z2IZi#m$St7OR&E;ef0oPUSNqxGN8Ln1$5g) zKy7S&;1v~0irjs^s(Z;*wW~Z;8*yTpXiBqEJ*`zc-?eyP?DowcuqQWI_)T*jS^(85@U>h;^yNSRS=i&&fgyYbo$}s)$!%!hs$@zZ(bh1 zeOZHedNLk#%(L9bDeXEe5t9Vq5RohWSrzqZvS<0%8BhXL9g*9*&Nz;hRx|!5%b%=u zn(j$H{;06{k|ky3y}fZmXzeOh z*fxp6HowwaODeYf@GWn<;UQeLdT|(6K_VhZewkT;4GB}Of8Fab z=oCz*v*}%ZVD&FvYW%NA!h6>DKX>p+=ym+xKdR^dI~pE6-v7Rrvf}&CeXoDG_N&UJ zb>}oc9jm25L?#TeYp3>=*M}bYWBG0){+XN~quTf12gCmG zG5^oK6g#DuHS3<4YPX#03F5f3e>4%0_7c8EX^WZADH9Evt&&>>-)W0N?c|vf=agP` z#-LE+nes?CE4ZI9naxFK3>|l*gGxCGae!Evfr2EztEicdN}AlMg$+w+YW(9oyYhws z%=ut%ZeY**kwln#KSgu`9SMy0%ustzJNw=-H{R89%P?rB)7x}LsQH*Ae=kx~7O~8B zLum$iF=jK|fjyL_vLkP!+1{_=_Rx#+D`zCSoTs>%O@(ctm^ z@4b|D(#FiSNFya=w6MRRVOy-`jE+_0J zbv(obnJP!PeF9_USg>>Wf7Xf2QQHwr`yXYTPkvK4Sp!`nYFuH)ZJ2)}cFit5B`Jg{=2bSqfr!Q<&-Z-0zop+k*L6(xsh5O}p=aS5&^Sg(Sl*uQ^d>|d3eG#_ zGdC#z_)-QFV*zd%8XTn1<1ENg^?v6x(S7yGFy*U|FmO}zJRcQFe*~TxKXwD&Q}1`a zN&UTiC9y04*EL5?5X>2kF}Us=qcD>1|MoY~9~Fbs|9kfC!^!!})9;`BpMCi9rR}*D zD71WSuc}d9;hWT~uX8iaQ}`FSVT}|#U>GNSP6dbG{sY7uCsqWuKn&bJgDDhDP*(Q@ zV&3e}~OVQGPzEERrj(BW_Y=!JOE zOR^|xj30_VLL6a%Z{LjtbV{5id~?ot`(e25l+oCok_c}~L<^Dj#jzkErW>sbU9){j z=yyw2L$zVcLa0>Ok419MpZ;)@B^yLJzx^IL5e{cE-ey-a@T5IL^w!g{Zp@pGxS8aCNN@Ww;k-uLk8W&$&SV6by1-ng#WTiP=GN*liO{ZHtU|4RXikPT3 zc%kB6%ssHGS=q*3LGC~*xp52c(J~gqaVoBr6?k(Oi*PHZYq0E!nHk=C9@Ql9Kh3FAV}dPxiOdO11UE3{B`b;Vl|H^=>(NxX$O(wc=wPvjky+xY+F6mF9j ze9igKU^r~}{|+AW|J_enC(Jlne&(}Dn$T6wsrz>Sxuec@f}BRp6E7(aJ(P(#W#$Xc z-qmyce_gGdE^ldTw9Im9Fdew}5cFVKB&{AyWOiG^|Dc<1O@GtvLrnvXun7{*Ct}5j z9RO>kZMeR8rlPggWViC~4!L%#Ial_@CYFele?=7|Z?)Z`xOcny#oDVIeGe_B@2qU4 z|8*eHw&5RZ<3C3A?>`L=jt(E=zwV_h<4!%*ZQ&nV@A@>T4Ql9k@m+N+| zZ_@~qwLh1N?8c(Fw>@ri4Xv(NE~RhTh_*99eJ{H9=R@=Os&WhYzis%(+V6jlj_Uc} ze-92GzyEMQWeuxWTz)Mdt-TZJ|7}4g2J?rCG3ooe4l>z1IKvuxH8vyv+R;kNTPGDe z46$ervZ#ewR0AyLdSL8 zPRrxBS)x)tJh{;zzIvY5RlIC`f9D}h@J6SO*7W_=4jnBnwrjSYf8?v`uXX6y za#)xn+Im=+zuduLVWpo3JSZ;%Cwgt^|FZX}&rogt0_BW=X{rjO!KUKD}{}pw%zX`bR4F2EI fsCNHv&>xKs9+Qh6y#fD|Ngv<{#k+uM0KNbKvI*U` delta 7145 zcmV*#sAq`};q>?|c0t 
z&v*U5J24`OKz}5`%pz2b9rL5Ye~!3L@fc8=MkGLTAWkvHq33%;cQWyY&JO3lmH#6e zTgZe3SRU_D4ae&?7u*Pe}8cJ;<+=!iDY3Mj-fN~2YuHc zx&6Vr{%|~aF&_F}|Hbozqvx)FIQIR{E}84UL8S@m zO{ALSlFA%2DTI|I&NwV+l*O1sikW$(K*3yyl#hG8kOtg~N#YTzerxPqUDb_9OaymR z%zs>g6O;&VF5*a{ZMqr50qD{N9-s(I^bU-bws5+p`wPr2Rf91MWYvLObh4*7iwhJ# z5iy5@9I}%)K8X;C-0WVV=kSUR9&#{A2`&K#1(Ot+diXMc&n zEJ0C$jB3{uMjjLrDDRTG<=0%`xF`2B z>WvhyRwX@R@8$-)_u7icibRnYE5hLg6WrZOfXDBXx$B z#P5`xk&28YMD3fjgYuFYds`p)LslP)rEjT|V5r0LY=}XHb zErPdK5=M4wy4jZX_R2y+Sg$PUL=q3l!hgl%l7ke4gogMMM>vpkpCX20EToE+jrGd7pdt6*tQ@B_ zsbZAMwR459U1g3ziU{K#{79K1LP|qzOy!v3h|I`D>rj>@AlI(yToX=4gQd zqhM}CR1Sb7AqkY&u5}8C8` z&OcEW{z%#BXB4LqHhM+2-MB%F1tS5kX~dc|QbcRZ)g5cyi%@m?NQ3%e|fuQp~k5&QeJk$kG`@p|tOm9c7^)Rb{P5 z4c{#d|Downb$?m6^Ouq*H};VbNXdG+F{#t6AXz@B<~E|zJ12kQT8{xrQ6TwB!q?4B z3t3rh4k{4zrr{()ygs$&6$I*?wt&?ZSXrf0CCts7<~>-z-YEXiq-CMq<;HqR83(Pp z=|1(-PIT0^dg?B9m6Bd<`f4{i>wfi?lD2i-wG;iNjepy^4%h%Q@^D*@BXDMY1&67>iKe}j9hgIi1d{N0HZjoT69*u`OlSp$Ev57e$65+a362!kri?CRHwYrah2%lw z>djF})=8h=hBNhQ6d zu<*|LVn)O~n|J|@?QKy{FpPUKl3QxcEF$6-4|NBwc44^XGu!;g2YG^-Fgv1(U4N=9 z20)phF%l$zp9?VN6w#ti?i0y(l#)HA>Z}aU?0=^#V{74gf%ugkOpFpVBgxDa5qC-A zBG&ZKcN-ftNdrA{wBmfF+UBV$E8oLD6mD z^3YpP%4R4bf2w7nU;pbj>vfnY1ArHgE$G&Ez%0begIqrcFvUn@QWEein9D`>Ll#_N zp~m)UPJ%gnQqDybMf4MVoT#__V|7ER?SF5jt`S#FaUz)1{&cE{10VmlZYjz2k99Qq zCa&s=Dsw<(o@;F?PGsFnKLm0IPF=R5>=9az&djCt5Cb z&RK{V4yE?J?nv{ubAcF&A{=$f&FvJkl^mD}$_R>hj|(L5G>cs8sJ=HroCI$1ihpC# z>q=D|7r43_SI1iEAr^>e%O$mkmAh+lEb}(TiS`-`B!#=4O0G^;lwb)%<^MvFF^QDe zK~;CLCX;+|LK9A-!VC^-z3|)zEoa8w78HJ!DmG?$)}N}%YMB`C&i&)RVKAafPuu)m*BER@Ag)k%e7C&%Vt!gZvI*7&83tMr0b2>pmYX8+UGl;#J_pG3RwbPoD*}Q-wIk7>=LW1k#Qj%b(V4}v6bJN~W45f1tph(%I zK%};sq5zjdYQJ6RG?su_XVQk#zm~c!EVpviv0MiPx!ZW*dxzeEd6F(WOf=x6lsn0f zRsm`botjH0XO7aU0wtl+IXy!hH{3LaZcE%d031bP>qg7nNNc-W>Q7qU@}bZ1Z(C~d zA7!A^f zt(#(f=ZYlZ*c=ZzvE}J2^zt&8#&O`4p@CL-UtKM$$GTQzdGZw6RaF=j7SR_-ND|^i zz)-f-L6+w!`Xj>*7mOscmj>69^Ea30uTDQ){P6S3A3t0iUtV7P=iB4U(~a;i9U27|0>e=xssN5pPEIc`Km2_9>qY|@W({~#~DV!b>itDPCAX#@ 
z5-dJZc14nzX(zXx{RtK*R~+vvfZ7#Ez8G6Je>=C;8z@aT1HGM!F}0_wsbvo23iu%C zuPBb%8}VwRFVO7ISlF9&ZXW@vMyP(mwFaR!Km}HV239=9frM+{CXlZgN@jR<4|x*} z(^YfZGV0>~!G>T}eG8^YBk3J!T$oLqB{=xQ?-I{`3C^z77bpvj8 z)Rm2PzVX(!k>1qXoAg`H&dp7}svcU-e=jRb^}iX8YkXYaVg{_c|35lBsOtZL-ya-3 z>i_#FOLld(|F2y+x3B(+lk?VEdVAHYSayl~audzx7OJluzTx7w8=x&}vsSC7CLemr zD`g%3zt-37?$rO&A2#^kA3mP{-b<;Oj^*vjWv(BqMnD;+Tm`GtMTc27713dHe|Tvn zjp6Ef9)PL@L*S*#67VhtK^2!S1vrhmXe|m{OmK9~G{MWYdF5Lg?^FJNc{Xa*C{$u`^dnw=S z)&C25^R*-V3SX~8wB|0?kJmM7c*h@l-gZ^i@c&LSL9OQhfj=4@*8RT+2ZKlczmHNe z?G)#kv_6Z05eE7;#YUUJTRCVQ6$X8t>RSuZwF(r@FE8l8c`M3X->ua*e=IoGm&g99 zKHi7+@OG>k@nCY3UeO0gmOmSj5lC5ARltloI#y$1ODb-c8iKr_868hO%|HYx8v z)LPnEahmJ20;H^7Tb_{I)SDQsWr@SM=%M4!%jES7fFKD3& zU8r;mDxXF(mCpvIn{&%#7tQmRya$yAL(|jBh_Um07`x4eac{XWeE2NXpL$0CCuqYEO<3zPMtf}EMjf3lYgE5%7`9>4q$ zCazp9)J3mzbK~8(GK^5li=6|oa;W3hG6I%w$}9$z26--o`iWbSM^H^J`4d;kxK;X& zZY6<7@eo|V(>oxyw8xRjOGFM2em(y;0^oY|Lea*2T26 z!Mg2iesdO-`^|yUEwi9lM3k+MTb^s?Ck%%#Ge(k`VL_72&SnWM9-n^3L1rIKccDq> zcbLVzUcsD=pMFjm=Df!IMIFWERkGv>7aO&0&Ob|9UhB-if6Z=WM>*8~%D02YGRtXN zu9Z5Kw_9Fi?a5A9h=`p++!BvoQ=teq4DP<5*ow?jIJ(wA8(P)prYkkzWJQ2BBPa1%Bm{X;I;~ z6KiV|7j>89e;Df4lMMN_7iB)7`kOa2c}uCVQn=cqt@T&pzcks=b{tm*usAzRa@4XH zDc)Kek#Ea=)VAT#@5(OjF$2=KXFs~*%tzg}%tt!ycah~(a`XJNnjy8NQ58QT zk|Lwqh|Spih7mw_DMIaw*qohq>x=e|GB)iZTT>(He^Ohd{)&rR^)c=;8PMIP0=jJ? 
zpf2l{OoHk70v~)?-5&XI|snezl!tM+wi^loL2CM1*vnzE~ekJuISAeh2-khC(_~GsO zKQB+;e;Ng7JSQDGopzMZMhP-ki7`e$ar5zvDu~N>=WmaHI{k3+>iF{V!{xiv6YXB@{$s~P{3m2zWTLjEX;@DW_QXZ<|} zrIGaP;m?AhKxl7gKDcM_@d{t(P1U+o&`a3nlMWi{Gx#*89BWz@QZ^Uy^MZtG4gH<# zdMy)m_VV=2yR&z{et7lr_~OH>^Yfp7x%lwI*_)T@y5K+0tCJ?_GA<0GB5L3*o|aE@ ze@|r;qSVbloKhHJx~M(m#t1m~m;Gzw++Tm4%wJ2cxHfZq>2r!^cCa@2-rl$&w04y$ zY@0-3n_uazB^6tK_?EZb@DQ$Ay*P|3@`&-3o!H67@`gonzVcY>RyU1TD!taN^pcJA z${mQkZ>}tghmQ7WmRkJJ P_2=BI!f3@*{gL?eW!SLuY{^wqb9shHc3NOTq-lC79 zbY5K5G;5+I0!X_7vXl#kkly8q>0{WV{kL}|)&|I@I#x@Ah)ft_*G}y#uMa))$MW4q{BNZM4X)L}m$qhOlx`>$*4_W|N44+24~G4N z$NWF{QtXss)~tJGs@-y~Cy3+Df6_!i+DrHvr7dPcr%W_xwn}ale5Wl6wUcK`oKt$$ z8G}NNXUZeptl)maWHuL_F?8IK4l3m&!~tSu1`3k=uA*i-Drs`37B(!Qsqv5V?8+Mk zFz184xq&_JM-pM~{S?s&bR;m|Gehk??d*HU+;~^ZEyJLhPH)p0q2^`D#^AbhjKWC1|J&a{e^d-k|L@tm4=3j@PrrZifA-O=`zRt}wPvKwShBZ>~fMJ~QITaj!`wtLvoLCXq0x@v^45m;pL0R1s zhb?;Mf4u1<{Fw-Na#KjS{Efa{ zqCyI}ol;EeJzLA!1hGHV$XU>6C)G|!*pe2O9@@Qlt(<8!1Z)vf^4=PEHG`Z=f|N$E zm!E6x!;|(1(OXZ)x-oA$;%1Wb`han=;7ecXW5H8dr2uInJ#y&!I@^=0XYgbJBb7Org&y(2;7LLH>lw424Z7jm2o~;702@1@ufBtIb>J>j%1GIL%-nI@p)41uK zd!p}mNO`h1C5#I>>m@DB>*eHZuh2r()fI0=+#L6BCh->DNNW}zJ&|`*ZsY%xQ@BlD z@HOW@gW<5@|2ufh|93xSoiO8Q`I*lqX+l>yr|#SR=Z-qt333`WPrRf!^iU?|l$kF$ zdsol(e|NQVy1b>W(K5@a!F1r>L(qd|k+jZSKq*m|(D)es)#?1^RKDN;uTHVub)m!X`*KpNJJB zb^xrEw&D8XnTpm{likX{JLKA}=3Lnqn^+=Je->4Yyw!G#;@<7*7i+I>^gXngzO%BG z{?~y(+lGIvjsFLWKj#Vs0LazLM^P|h<>Wp4umulz|={kOZFo2ZXe8PKtv$g^ugG zotDRMvqYtQcygmbeDyr9tzM(K*DIP>f6qgj;Ehflt?B!#9XeWEY}af(|HxO>U+d7Z z<*+bEwDqtsf4PIh!b(36cv!e{=+CvR)m6XOZ3~*`UheN$hUjoqdmEyVG9nhqmRU_ne+SHj!g3e+LstxjTc?;4iCv zy4`Mf_w{S}Z@1gc|GWMARrfF3ue)zvb-QnN-|YOQyZ!3b-p*e@cg1*=J~88v{-yii zw(_0(P97MBghP%=$a*aRJjl_Q&{+>0LJo(Jp%#qrM?@JWVGrEyv|tn^KexBt?QOT) z@==6BAB7%9tk-fte+Z|j2Rt&JlCT8;MG;|`ORy8pBi8G5Ji%NCe9 z(TR$CHz}ea9e%g8U+Ks|->jus42=(QFSWTrrT24ZtmIKr`ilP8}l7KA-ctI>M zZcQN$Im98Ne-av+LL7+kH820Sg>eh$;eV%xGcAvNioO5sBPPI2A>}x9M>MIB`Os4D zEW{a!si*j>hTi&L$0yzmqE4pcrrO=zotu7e2_1J@Da&=;SMHnE*PfS8^%UfPK)jn3 
zw=qZlcVE4FQ;`3=uh#PaDV|3Z-LJ*UfX9gO9$*u=fAeOy2S-1`?vFpc_TcWQ`_oV8 z%^n(#&`%!Pc>~{c{h!d@o7X==1mT-k!`+|!?wf7odE2``Zu`6b-rjK78lwWFA3daaUkiseAh_cqRXP_S-$j}xD2}giW zAP0Pc8Mwni0LU$(6#L>mDpcMAIP`+p$Ke>*l4eUN4aLRFNZ zXp~A~q5LRCM@r!`)w09km~}*-C8(a1>85MCE+#oiU!tJ`z~MO2_#Gb&F$|sUu0wxn ze*y6985l&!!=o91DRufJz}`%KK13rJ2b_t~ez70i!5Mo2@JM%%!!f`Nya*sijKA0d zC}0RM#AWg0(HY@=iWmy{3k5DAL$A}hiHC@Wh$H4=((#GMIx$1k8OPX19oYcuJc}rD zqBsa}ICj)K2}!U(f@%-gO{td7Bek0de`bK0E`|V73TJ?f3asF2YN%ge8Z!=tat9Ji z7#>Ap`2skU3@?^j7D2I<$o7kscZ@@J!#c_2aU$Y7i5}h&JyD%=B8qPzM~)fnj_K_) z+24e5#fv(|HQkXT!D)=dpv_1O?noT?Aiy_Bd|?QQZ4-q6ha*C#at9%{O#vAze?o&} z4tPvM2Hx!tevvctZ2$Ba_-Gi9$3j5h5KM81eKfRaQK#$c(vEDHb)E_E4hfwhWD_TW zYdS7p^uP!P49V#>;8Zlri4Y(h%i&3+nbLq9$ zl$1ldDJI-A`RBQY*vqvkU^Z?~e}OZvGav=j;}COeJ7x<+@%fen@f7tDonpr1PG9Vz z!?BXNd05H2;` zt$+yu6%sBX3{gPtiqpuQ1LC&{3PJKtw5@qd4ye&{KpV!Kw1uja>7$e|LW$u7c#}IK zhfM*td&CJ4^?fnjr#M8uJ5Z+Re~iWa+yXHZ;zkG;82YRSuCWiC__`FXq7U z+n^1c(ayC3uMiUWB8_P<6HrHSAPsNlle-2zG}fRSihd4psMa2VjA|qzeqpe+fO;$C zlN@U{nSPXwy53|;{A>xchUCC#ftH9x(3L{|gOe-=U>66~ll*b8Og<0hqiYRyg0Lbe zy~Q2^`;(&wa65r~!vG}#lHzKRp_V9ef&PrK*m}xigh5}xqeJMG0JIF^rF4!ZGl)`G zu@d|dWbBSmU%xd!U)5=*xv@=xw=hsGht zQ{*UCbM9c^PWUu<_Wr|x^V|N3b8__Y=tRi86uAS5TMxV-qmkZ-{Y=SJ=@apEsPxEd zyPwy6ec)O5)}yQnsh#B(1olqaH)8P|xN1%0W7SrV0^=4saEpjx{83tr%PNy!8_76{w z+^PReP3&;&K*yXDIa0wTp?@>NlyQf~A=nUGzmRbBzcyRXEOUzP9qXIvknghq1vaGa z5J!m0pF(rQ0U9GFwDeeaSoHUi`^uE~bNB=~lo0NivB-2*%ALY^q^DH*E+%vTt74oP zm8#K5cu#4J);05r6c>j2Df`R>E6M zNhl9yZz07(wzi&$aW{DWjDr&44q$q6`9zFgM^tlEULdN}(|t@I0m&>Y3JeZ0?SV22 zpuj?6wr}>2V$b0F+F(;Q2-52NGob)|g3~BKJ;eZ=!lUq3{t!Dh#r!{?pQ{%@=?y*5 z9zxnyL`v%WR?rMtFP*BeVNa9H@~KNU=B33<%IXHzOgP!~xknxkD`x^`dtK@mr zXq;+&vO1&nglqxJ#H6OUk3F7jH{lco2lB)~YSUqA zxKL_y%8*oq^3*%9`(GfR^cnGyU!>zcGpf%p=0Ioxvf!08s7{bHB9_#eLz0)}ln^gn zKSz*dIO>_)see0qm0=Di&JZ~Pfj;t`5hYVcHs}yOLDb0Qo7^}lMgrq5*t%hGTvo!P$fGAJW3cd zB{C|U(4!+tZlyIgQ)+_86LSP5eS#$9zmZr04v{*3hLi(1lrA~pF^{Pfntm6BhPWSt2>cKX4*BrIPWcjg_rMoN9=a)dLN)$k 
z8_&3WKYt;NC$D88`6gFjI!k@XW=yK6+du8N+q*xyUANoWc@3ui8;gO(8YYLaPOz%o z%VqHdwL;b?&Mb7X^(+fI!Jsz>p(;_8d=OQ0(Db^h{P38~1w!y+5{d~*My7zCq+)*n zIgpAI7!typjJg4lA8{?BP{`>_9!WR~Dc8?PyMLBJcA(&>v)SqFO1!;Nz+E=!fiL>d z7Cif3ogof8Y+_y@Z$d!(kN`%eh)-}hcH3n%ZP3}uvCiO_$2muQrExcE6KsgZMDS~B zOJ;zfkYPb^`*dzIho2aPJ3?;&42V39vk(G=R$!P%UGEMu>QGMcNw#&8ug$(g2*ppx zi+{QHB*-zGej#md$*=5gWXz=0m35d4#m=kjDdpE=o0v#)?WC zdZ8BUk`T}g@y+BsT$MQ?;~r?Yt&Ttr1Aj8kLMm1|P{n$nO-3WDdVp?`GNmXgCS6fK zPjPsP7=vTPdH_*M^dZWnIdT;>Me_j;5r`-n;ZL>Q2*~&Zho~=0W_u!3y?>GrSw%1P zD_Kx7uhdsXLqh2R0UlCFvD_J18!uI=uL_-*GCk0a#**v`)+zjir|}eU!o}iljelka z*eU#EGeV}S%|&K2VQR`5l?7$2FDbkeJjHxIOmj+D1bHYYUn#)LgFd)HD1rgLMGWAO zBYF#iZ2e0w`ZXzYtc#S__XAW{*AGx>J!9Xks(7HRT{eA?bzC=o~7s%ZoKaa69Wn zME$4p%s|B?bjZjNAJkH8eRwb0>m!PZKTz29z$nH0LHKj;;vPnZ~Ly9S>{iIft5_l&XnxG(j2&;06vGbPXz72dpl zwbRNvW=W$v@sUvd^$Cxe^nWJ=`tM)>Ll05qnPbY?c(8^(N(rav%FGE77hHqGv3b{d zCLlTjAAxY{oMbTUY3%!YM+Upx7a3uOD=bkiB7*`rM zG0|H$U&NTDj!t=s*hCO>NXj>X1qsFESs_sjWVz9Hh8lsCI)R1OaeqHiOrQ@^WYsl^ zIsI>N;_P{dF~>TzC^>od0uuX<-ZfKagekg%LC|?d5#tnl+|gi0gvvgdE}3J^@~#bJ zA1+`hlmYqG0oz?y{ZDMWj0~qdu?`5fr3m^PY*R=)@sE(JB<3IxE0tyz5&|}vf+?C3 zss!J=88BLeQU)cc9sm0k%#|$B8}F+>&7r+G5TYpL{-(QsnR@ViAA>~Yp~Ai?cGg@ssU)BTn#iWWdEr_ zzS@2BdUHzvQ*+9bK7K=az5`H5;_*aiT3KCQxtj$63gq?yQGW&|2;O3~uCx-rie5Uy zu2W|VE!-8QIE|6~OZuGw2tsrR_%s?BhY<0N$|X<%llGHzc$2xEKeta^7}GYcrJo1b z+uH-_c!}M%+*~AX2ztKAEfR^;`pN(vheW7{cm%GCzA8zlFay_e)w)iUUD2rW8_6PB zc688J-grVyQGetD+GiLjr{QPM!12f&ux@1>jMb^*f7-A9OPAM9NNuNGR;AtE(xac8 z{~MPcInPB8)$T~Z5}R~&yt^S?t<*%?6#GTpOc)2j76?h9Dd`0TFjI#I4Dl`CO$cGi z3n77(wu-0=z{WV*5u>#K+h8lXlLwSx1%UUz9&L$F;D0}qlM;vCjZ&iwCDmeE!XNvo zr<}Sj=$DXROt*so;;HsZvxwjSc#!zq86`S_I7A~tkzrzK2^bm1N)~!3B$s z-`b~GEOp=`Ap-r6l4i-Vy;*=0%vd~Bc)fTb(a1UKw;i!_RO{F&@sV~~bif6I{%;g> zbRNoujNyNx9{BM+u2L=-3S_tBXc^^S^a*lLU4KF~r>-gIDaOmz*OC;diYIW00+zg! 
zz6U)por$Ge>a4nw(M#jVha3&K*q4lFxtp|VV>F5bAui?Z3C`rQ%Iq)2v$bX$2C?E$ z5=aL%rol19JI@qO4pT_!U3M1HUZMeC5a~_(L4Gza&{h}vS|iBZVKFB2UV%@O;=~7V zG=CDpenhSwnJeo>Z4d2szN2o29Ot_#3RZVkpz##rDgL`~k3^+h zcZ?VISq5*t|CgnD@;U=*u%^lC)Oh4G8};It z&tqxjh^|p_3$t`9^QpkuTly$c6)CbxvN9VbR4&JuzmWdr$@W&)QF1>wR&1qYvwvpo-v^n6NGf{<=Ebsq)Wc>#PNxfoLHsmfVz4EhB2EB z$*1(az7)^{zrXOwi!JaXsr%xOWPcx3(yBEFQ+rIw$bGb~5U~tE^+kG&DR7OUmBGn^ z01W%cgETp7iHL8JG2_#ulqy}mK+PG6slLz>CihS*f~MbdpZaBYdUSz^P;TpLX>;OB zwjDJ{n(opj2DW!zy-w6tgLpb1=k{IPQlq0ftXDKmFEuD5q}Ef_LXtDaWq)mrB}x~S zu6GB^(*81Tv)Wz+W)#*Sgw!%>Uvn(-L)q6Z>fo8`2B0^Vz&4xQ^*S6E3~pq zxu;RhQaXM++Sx;KT7`o4nEKhjw1OrFPp{H!5jAa5pw-&iT3uT}T@$2zh^{8v`fY;b z!By&eS~+;RqlaYm&zjH+=YJQX*-VcpQfHABT}m31H{(onH`6hS{)`bzBUGpZyB^qi zvwMp5J1>gGi|#b%LYy>gfT%lic#3nD%eey6Bhx6BH`z6Q9i_`AvFJbs(IT38Bn8Xc zXV;u4zf^hN5d~z1{FE5#cItFW!o1vS>BD2qw^}BtaW(fb0U3cayMI^;*ahc8b{~gh ziWmc&iWSKNm;vS5pl?Qo`oK~GgsYx*GE9I%9f=IB>plU zp%i&~(a_FyN`*;p0_v`63w$akXy&?+JO>oqnTS>rYAghMZrNp(JGduSpsWuRB~$5W zpva`aY~+yzK4RS5GJh9nY^E*+LN7e}q|WfIdGQS35kQ{=yJH#DKn7l5X3Z7I%d^99 zY#p3^zSktvbm;Znk(x?vU8HlW+ju`aWHN_lJ4At=w36TaXsV$>0 z5#p<1*pf#T6hTjs;P9P34t*DM!jdh+`Kuq&3U8XNyl*gS3F~=}CL;;-HUT1PSvpvza-v|{`dHW?V#kK}^x* zldu>bf42&ogp`Y+^X74|kw{sdn^+!RaH(5ALi7r{%f6|jd(MON#32fF^QAn?trMGTmSxenAvF((v;tQr)!O=wCcSiE`+(Qgd zsA^20675Q0zL4kCs@yboEtG`A^5e@%T~KnlR*4uAxSD90o0K`wQ3`=`0p ztBlhU= ze{dp5fn+7~6mg0@Cd4_RTsdUxcNI6j@`|+OU|Qxtn%y?H)FvjPa-WG}DaM&cp{Vvk zu-l8$BHHoxr|lp2RDq(KqQ>Ktgjg?{6;(LihYf%(&?=12hhV&K0TNK_5n3%{NZeg)ZrP zo){ia;SB;zaJRZL$vA~rtBw+s(eTYh&~#23E=nVoiSij6CJd0^#b4qvvLbw(f535C zNNPv42cq$nb-nT`faA{^{@eEF&uOT?c4=t7HgLiHy`yJi`yO<_tKDuF{1@1^n;Hp? 
zYkO+H3KE^rG955NdS3hf-LXfDb3!X!=VWkTcIw?zd{Htj`z9|cuB#^Fpr5VUx% z82bLcElN*FOgGr3o9jV5mHstZf4f48(Bgn~aIGM<87&z_&~T8G$WdV833lBdv(Zdn z?d}u;^W}nqD%;IEJf9Vw?@$U(+d*GnXVLScUew)D5+fF(AQ`DEGg8k4$Z+h0=+4YF z=N3Z;ny^JeT~HP;+2CoqItsL-@s*zh=TNTz_%lX=JKBSzlcR%6;JZGQf2KUJKagbK z0tfqpBkVf?~YE|xsMqs)V5VogKs<2K-$NuX5R0Acz;yi%mDwh z(2O8~gxfaiSWVOu8CWEDalb@TNXN_aBp-E*YdNGkX;_s~t2W34Hqoz)p}GJ5>ga#^ z=NFep7gvYJgZ+0WM^}eOKkt7yxx6|(y1Y0(7#K2{@GC-7YqxSxf75fF(g=Vn5HZE* zdY~q1Vu?PIkFK`@oN6r$RhETKttr-6Na_tEy59wJKye3Nvj;EVg_rNct9IfQdvO4Y zwt;U2H!)-7bd`2jMfn+=O53tBkz3|tnX#nmrjyt$$@+(~np7gbcDVg-?kVPfkQW-E z`wvFK6}2%Z|I6#$f7ki^UvIX%uh;n>p5po30-*g|jd{BV+WJ^bjJ~5efzWYB{rRlD zC5rP|ghW}DaZA06sMwxzj99w|KFjIdE{4iWzFAP142dqGsP~u$^25FiiWoCQ(~l!U zr)^6@-EZZaGBF_*YAUHTzoGOLw5$b-B&v9kEb_h3fHH5Yf3eJATD%e_KxGPBxM$u| z6#9tDCIakRWK}51cc(aP_rP}97x<|y7v_?0A41Fp-1oShe7tYj{~G!w2C631OM0CI zY`sXTCxtAnP!z2>1}+`lxkHuIt{AQy(si)pH+4i@cwf%|b>ljJY_r5Xl?ccnxQOv$ z!3-mGt3FF^f7t21{;{HfVTn_VB|ypuNog;NzalLT`X5$Ah;CH@Lx^dP4z04kt0qli zM`DoJgh>vKHH;~`2YQ*Z&>V1QF`CRI%nsX zM+29C;;U(+UjN_jzAozj-Mu$!{r@SRmoIg8H!ze}z@@9v-2?|H-C+aFz!2#iZpugP z<;zyfe~xjeE;K8TALN5u43&pg<_N+%T@@eo;e$$SVuemRJX3a9C5A4=+O|VcEC{o?(?#OH1mTy?=^JfR(5pX}MJ+dX?O|S=W zf4>k`(hjvaYT6|%ix~=K^9IY1aIk^?1RE;(e_odICi-3*xSQ#R_9l=JE(sXx5I9L> zz7e5TK|teB4}g+wpnpENe1CB?xY|EFJwChY?+*sQonIWjeZFxM50S?M2~x)ccbwGy zs;cvqT*H!M2hBSU0b-{r7T&k*&#n(Sw9fF8sD4Ro^!qmWB11s!z6OrtBairKGeg2k ze*#qDWYJTeV^x#qTOv#?Jp>Unhb4!&iG`iU`T1)6)K#xd*F?F-b3wZ}Iu4xz$KiYi z94vkz>EQMD#TmLq^hGloIqI0Jl2-DoA(Ml`+qdoh`*dsy!_@|QTEWl<8%6?ToC=K$ z*aRD5?vGf6~YgQq~2IqXz;w4v5&F0dO1{#J2GBCz59pDIOH*Nq3=_nZpe4~ z$9;RVfI|QL;xdQCGR?CHd6M~Ld*-^ueLD##(|GJRjiP`@1I3ixmaHv>2AsqcEx}6h_>&|By7y#%QARMe4fY$~ zKJOZAtrI+dlKyPpSRyYJ!3YQRea}SV0^0_P@P1dpmji-)^_N zv$p>|#q;@d=Owts)1JI`IKlxEOU&D;Ad5FaJ@B$~f8P?NT1THEe;saCndh_xUpe8l zbU8;m(dQ<)n&3`aM27ZMe(-W>O7~_~f^+Z%a2kgm*nK7c#M6O{8f66o-5S+CMPo2O);-j;Oys>L$NP zFKDsuw*T4&?W^_@f1Ua@aeGTco+`URCD!V*YlNbP9dqqNRwpKeh6A#n1 zE@-L*(6?T;#5~$s03J@>MM+ic^@Tk3W&rBzC%NliN%-#%f6~RaRe}_cf?H$XmM7?7 
z10*YHj8g4EY>8b?Ts}eSRd(IHzpo@+u?Z)!n@dGZNS|YtocjaU+z?3iXQCjF0`tYy zEdvXV*2M}{HgugYfRn$$X|P#dTj^kxvIQpcOJ+|1f5tGtBaD0iqevx=ZT*JSB$ws6 znCfC)Ffc?Oe-uo~$P@ugD%fr<_*4L}=OV(GIHnVB;}-lp3+9s#Ov z7O6I^W(YfL+@?# zWy8WVA%}vJokt0-nYRlgm|qMs&{VsN$o#6m%{1pRe^n-Ub%d?%n#hqXo76fCv$lGh z2`ztK5W>qRwF2252V@9?d2>43LNaRRddZm{JvV97HJ|Ll=Gsnaaq}^)z~MMoO1u#h zdmtr8hF4WTKvvS|w;F=M$ViQ17v5IXaB`xfYzXlv2duz3ogY|FFi*Bvo-VT6b9m5z zsj0XCe{&tGECt7sA(B4p8^+S6P{VZARiYg0C3~?-?%Up~{Wr%Wx?e55R88OE?~eI>k6(!yJyGJ$5_x~1%t{ng4etvZ#droTi_ga{s~ z)0GXm`_6#bl;e>nOD~6MreWENx%?tDpOU3{f6h9sxfsg0e3=M;AiXRL%J^1CX2VDY zcVn)Akk}J$(5wyGKcAnswMLY1ar@o=MO*y$|Fk!i-JpsGD_Rg$)Fpq4{KHsCut5^@ z@K^xnbbqghtCeYcZujU zNiFaljA6~FJz&6+v6B9Fpsi-dql}y_`|${%KY_BY>o#p=p_!C$Z4s%B`YBY!CyPK; zHQW-xJ5S_U0WLeaV3y6tBO-oI{&{2?e~}P{JQ<6;wX^~4EwG6)mjJf4{B~RH&di79 z1!PJKF~!U@2<%`|>D;iRHc65fjMinFf3u6+1YbaiLth}g-OWy(jBl1&D3ji8=8Gok zT+u9$RO$h#=%pkoG-pX$E2cw6n21TPkuNzZ`U3up3AeV=oJ1rbqVX z6z;2I)r_cL9jm7DeGyh&d@XRwS#os@`D5N9(uf-$&WkxtEb`%kT-byME4j|z+GKNS zm2jBO1LS(5K)QjkuYi^AQLF+@_t3ef(t|lW7m?iXTEN}R$C3@NQ@-OZRI`UF+v3~$ zN;Qj;+VqyxGFt}pr?h@#ifraKe=3IcifPLJ-u`>LonLSp)|I?kfmvm5vh4JmI$Q;C zNMe&)S)a244##y?*4lH~!dCZ!5MIYPrO@mlkj`1Q1JpzYAV|K0!V^Dk@yci!yw+G=n2+y2Gb@!9(%E0gFw@DWEIM?TmPe>2-M-zZlB z+06a@W)d_gjn{~!vpM6GgkzaYKy*`OtLFs3TY~)}wHd%-J&7psW9bxaX9IIvf5qX5 zBq0QR;xSiKA)67AbtdG_;iMxo&&!h&N4MgLRvfEj;jq49ja%9B_B4vIYH0;}v8Cm$ zPA#_9<7Qg1KHty9I@VW7e-p0(X>gYrF2zDvH+7fwd}!PL*=-gN^&y$OL{>OE=|c+D zR?tbD!-27Cf{P@Nz1RnCY0CLAY+ovRP24{}OSGBCM1P*wo z?mPh}iF)KF0S>LUFiTDslFBlQFn7VB(v(cJk1AGdOkm4wXOiY=f16~9!%EhFMgYy$ z$+FXPbD^UdBz;{h3qpSU70vpEYw69P-k@3Xmh~;isMBl@OX%@e|@05qE!E#bMDcl~7A85^r({MoYQN=auONB$~AUmc~B>8GzpfVMnf zYnL*Admgr_nY8$=e-7zv?=*?*OSp@$nLSMHoQ+oNRAo)%2c(AB7ezj3NcR%%Ycv8@ zmr6!sbt6*NvobxlawRGeP9~{n&hgAN-Y!Ee75C{bZK1_X%XAq*PE5ujDy&>eJfxn2 z2P7PIyJ8?W@*~+cDyKfg2W6GF>O;IAHD=aVd9yrerEP z(>}7ZCS1wdnYNL1toIhk+kA8e+HJ6r`bM~7s_Igkf5!4@y~$|1Qqfg-XLQ3`NR3C5 zm=1a+%M=+SexSk^e>DAW7hK(hHf;ol78to>dec%B)nuhhqCz~{`d|ebZxf>!uk(9gW>zZcS|f@p 
zNL6khP$~XWS*zd5I*xhS(9yD@VM}34n0Nu+(wEazHS^_rF0IyM?CdtmN%KTrCg2R+>xtYSCY+$`nAx^DgaJqmK-%9eX=7cmYy3l%WRo4 ze=CE0DevF#^Wi_lheT;KeKy7PXeKRX47PIFO5v1=U@c@Ry2a>D%2X6`OtrE_MoKzM z8;`WD8_V)@*@G`KpliuUXO{Z6U<0TNq!uz+4zWJGwO87_SWedOTQPp=nX9TIA%aRH zJOd+4Q%6IYfmPnuhbG;F<}N~YNv$Tye<>uE=^y|h2_2Ihq5;eOie`c@#K7Aem)hnn z#@o*F;ZD1_>72`nnf4N1x=}o+yD!?e{cUd%Wnz((b~yc0m&$UPU35kIT-nA5SehIj zl`3AMLvM{!Qq|g>VHm-)deW6~$bS3@2Uw_yqc~J2M>5K=hkYc}e`(=1sXu@|e^k|) zZVew4&37?Ft~m(KNT3@ubI8as-|CJ6ZmM=kQjY5T>}j479XClqHamx$-Mf;r>U)q8 zH#r$qb@W_X%4#R4y6UUvb8BgVq!ftx9;;1Rz^KL)k0;!$J~C>%O~1u>Ab;kNc&ap- z>+|7Ra#hjkW7QO0fIst%R2eTVe||`JqSkO2slAaOQVW;dL5?2P&1`paXNis4SQPN8 zm_=K`tu8LcFy?6K!JJ|MWhZXwK-p_;-B{_q)eJ{w)t1qB^21_c^Q@lq;+>ETg)_9p zMxf#t&g|Y&iU3!?plq0xINBf8esW0?R5D zONN!4U08z3TYLmLk_kGvj3CJ#9)8D6T-u-2$+oiKjt%8p9_k!WE0%V4YthmIuhbLZ zJLZf4bcV9vvqbZa)@=+p9TlerWKS;)oPUP;&5mk@s86pQB~t z_LS}vr6r1ttkOW;vuAqyNTtbSOH2smiK#dbb8tt(7ee|_a;G@emF=3%yJHebW!mdQ zd9YxFV&$ZrN7AfusSuz@*%sAdK#mIb6o;W-QomrBK4u>j9$Djqf5cJKwD%UY{~nr9 zR0D8yadCdp12Yn<>8Nwo>Y&9Yk7Y7_tvRmF7xe}HA6UC=Wyv&M>_DYCuF4`No8*v+ z<-`g>pkt&|4w45WIK+W+#k`4!NJls+4GU0y<2t*Iw_w->Yf3p4F&;i=V#?Tf{+iZK zBC?nUDk0nS)2*zge}%@Q1EYwNh+^pi5McvDEcPmviSlf2G*niF6jWx=7@FQ9dO)TT zqzJVCbKBj1?Q}~H{;FBP-OL)_KpTDHD3q5MJGa|I#Nl>b^aOdkM3k%#hp-5t7>68< z;((#1l(K6)C8>1RzXp+X9LI(PGNmhslLVL3!6B$ep|^m%*?TbQRD&^}5Q_h) zb}NgJu&(;*NO^E^*pz@C^%tPu!&whTIA!~VNLNv_In|iV86yK_O>{7)Ur;bj0^DH+ zUb(OS>bCa5f1OHs>rIe%Q&IX3GMzY>%ezy^2XV-8kQ8|3zH+J zJ_)TQAq!R6HjUV2aR~nNmHSG}(>UPz@|esZMMuz6e^-G+UDPi^@KXU`2VyY|NX zfMlEVe*?J9Nq18`YnN@M2(@*88wR{A4`yWpTsDSURcI^gQlJ$=t!@M}A`kt*hP}|mSJayfvV5^>2NR+}+_kx!+Rq0%YZ|GoE>N55Uis+He<4bJ)V4~hSe$NpD6;}57PWe*tN(Pf zcgxC6Qsu{b`mf~HShcaLS^fO}sCWidS|#6R(-xd;XgGgAh$iqXo`UUebGc~`LL;&- zP3>i=ya06@QuRrwX|1izC|h>O)R4+0$6(FKTvoA)&Sm(OQo6F>qtV*rYOAGhn$T@Q zf6lcsODx2>NxjOx*JQDHD9be>i9J#alE@U`96 z`C9sf@@8GOE6nY#$p#Z;N-xk=Pwt)kBuQ9pw@smiCxn$DWuXa?)SEBLGexVXOA%rv zvEJviKk7R)wIs4nlN%8!=aN|FP9iife;MbzDUj!zl?2O`begm`2YMxp23cO3@7A=j 
z>ka`nA#vc#i2g7vIO5I`=tm{KvU-dNZBF3^?Z`V9HEuBBvG70c9b3ulMe=F*h zv2xCok*T>VrZ&WqCSV`=51^U>anOKzcG(4pS6;0F?M%hTA!1?Xs8*&hvSy7;Bd;$( zWY#?!qk1EWfKW$WLcxanGY$}Q-v?v}+9UCIC&$_C&GJ&?tH}_W62`W&UoRd!7zR2wOpzROEhqo0Kf2~H<&F3^G zfF4&KB(BbxcOIhrU|$FolgE&;K)kGKiU;ffC5adr3vSSCPFWS`#H2P{d?H9iaK^cUsE=}0Q^1txPS8DXaGL$pBx|Ve_tM-pY{G8$^$%8 z#d1`w=cat5Gcp2w>!K()9sw~*ZcNiF1AKx)>457?N97QycYw${1`Kg7d2&Rkth)f) zRda-;&)5=4;$}qBMiMj8M4Pco#WdL5tp3apy+w3WMcPdf>?Pgb0#-Sx>ivzxz=NTH z$PfoZ!YAO`6u*{ue_mU4u7M5##DtLKc&Za&_f>=dTBQFZzSNm7`zzW2M^y^O_T~ z2m{E;S~1uWi}e0mUve}S$szRghr;Nkb+&+2PExS~V_fJOe+~hmKBAJP#WzmC9icZh zgOLrEuEv3c9*Vfww*=UeF^V0AyqID>bM(7s#@7pnWAzTptWOX3@rsCV8dGhRE(iHC z&0W2^PPbj-uKgbKyoc$M&dZuo#j+11koH!rAx`Rdql)$yq0xW6-F9C)-7WB++wR^% zv?`-e#`2hJf9d}&+(4#xI;l8WC;qHknciU#v|-Oj+jgj z%)kWRDp{4@MYNnT+~$mLhxQZgNci#oC#9w>i2w}>tuNV?5=do}Y|;GR_69M@|DKpsWk}5j=NPZg|K8o% zezlv=fB(L-x4X{&{uGaLtd^UUZ^ELznOz&p?b@3vW42Lodf;}ub%R5{mzpzMQ^cVU zIh1+!Oft#T2vcR61o!vZbBmVF6(%p*el7_hT*$QUT1l5)XM$R#y%II|#V$?VX;!6R z`l46bRO1BQ#RjbV#9*@=!6Zpj61cILdR#?pf4skMDbgCNY9qFhlB!u*cV8Rz!55$r z-N|2Pn#W_ZD>=wLZ3)()&2G?a%L-*?{HG;J8-bUh4WFwRR4jxy$W!hPZ&id$ow+<` z+RIw`=1-;?y4mFxqFM1INs%iBs7O^;BWdP!p=ai=uPxoy&%CE}{m-4?IuFzb=B)qQ zf3NoTvg`lO_N&)#*6aUMJl00FN&yg~@A{pW)rw|C#< z_kXW<_SW+MDV}tqSrVJVLm4zg%n-+Mf6DF+m58vc1S>=^TF<&~@hP4ESwE(Ss(*9! zzulcT1^sVlt^YmA(?I|8fhFx3rvA zSnj^}$Yvee^KY#UmTH4_dSERZsNt8|;Sh(A&JGj3Qmb(htV=gmz zsPEwZULyD0G>^Fc@C6KaU!%~olYy6Obn_M3Cj5NAkfQ5kHQfw%YdD!(lWRLOe{c4- z^ZWldd#~5>|0$lFc+AWGD(OB@H;^Bqj_amYBIIrH-B{+AH}^z>USG;87uDu|x7Dp8 zxF$;li;yP>!e@~#R?(6u0P?|-H_)H;71}2R`tM)>Ll04F>z6MaSjCR}dS%bNt3|G? 
zdWM)XY+6rJ)zNG?;XJZfOa*kOf4m2N+Wv7*zfdud`|@?JJVOEUIH7ZxatgUOIgx*t z@+AP21gHmeD6DUAsV$ZNS+~;%uK@G>e_rqH29yjf1l>bO(E+#TW;%@y#-x&C(BLsg}x9Ss-V^x)(ie)E%+4Q;sA}2Z&G9deZeQ$ z8NKj~P4-|dtkeju4$ioVE4_NS8rMXjF^PCDsW;UI}d}|1tIdD5t}iN zriK*X(D_fgQi@JLe|Q5pPyWAtT{!=Fy|cZR|4;EOasHEX$A#dI3RB^fgqRbG!?EiT ziinhjoy36H&j5MIvQRjFt-v$1rDj34=9Ifttu;*$OOquiy*RCH9U9jy6W`OKrk1Ow zq!Hprqd&GJyEEq;QE|ufbVDKGsPa(&HVj=i!E+1QAHRtMfB7eVO69-Ucdh2?pM2)Y z|DBz@{C~5v_i8QwpW?~M4l5i*s>NTB09Eb<8f7$E+xi|u^;c4@*tP5?PKZkwVXYa1 z->uLM?LTzdTAi>;e9iCeFfzq%5gp1RF+;hU60KATUSM4R-Q?}J_EgIMAr5_^ygkAB z|EpJf`SbtXWLInb|4E*v^8cM;hxIb>4K4#DKo@8vh+?hROAyzr5Th$g|uKoXY z!T+ngFx}BjSu-PZUek0B zEuJ8A^<&`)@}qs>WBw#5xfD{*I1%wr>ZeYb$5$=9k~_q?>DH(nskdpiD^UQMH$i?J zAbMsUdX7r|4*eL(FFuP4t__ z`+-uiQr<`=uv{rSea>W^%ixo+kr>TdBy|-mLs$AN!I96RDikf4eTo?35}4xRHfYNw zr3(G+u00(juW|e+7+P>2h-FB8)EGrkxDk#vRE40vZGIzD?KP}&gJznaSo2D%d{u|% zZQKgbe~Wkd?6)hN8=1x$&X1-Y;UqvbFY~OIE9{2d)Wdth5uM^tf_qP)hx&+Oc^`>{ zzTK6&VwttPA;5Wf8TYya)xrFAMWGdB3Mc}TDdtrmKs!n8^2IDaOOaH)b8sNd7cLyz zwry);+uYdL*vTfD*v`hbH`-`p+qSW>jho+F-*>C-U(;37)6>;;`rzs3oUU5GaWJ(2 zgmfE|hV=NW&CYQL6IkWq#Kw`;C*{R;9`tJ1bP}Th?=&98j8i3|QK~CB#~k^EfwDj+ zj`v-Kl71y51uky8hJ+X+`|D4tT1Gj|Mp(AyfaDSyQ`*tLvC8DtKigDu%iJfJ-4!&4 zkCS0>@>9xw2BmvxgZ9NF?ye+h++q}Et%O?0>TK3hrY!tPY?K`Dl0cM4+B=i5hIS3* zIjfZcE~@u@M?0QXTT*k}o*8#SdfjaFq2FP-K&ZhLop_+|In5^ID)xU9Ew4k^;ke8) zHSH=4>%;uNsjqC{%vRu*e_ZV1N@Lo`+cvf8NaUucY}{6;7{hbY&4WgX*0&yQA^Efv zx8Brv!%{^#gg$oDH=oi@e1Ps-BlrGxFt-cd1KN|~OvOSdeze#Mr{pC3Gq<)a@OpBB z7lm#ROS(hberh9p9<`^DH@lEDZ5&^zdFP@e6WxK~Ph0cACc(c9!Kj%io0IKGFna)D z0?)6p$E~i>BFJs@BGVGfL>E?%53Za{$l*A4g-pesRpeH4&z<`Q8vu(J+sMHI+11B& z%{b{_AWd@B2qmI~u*H++%ASFy1*q0m*KY5$e>0X;r@f9RM~W`kgpEjBC4^o1vi#Wk5ntPF+=}iBpmW^*l{ZvLq4lBAcS0T!&g{HR!)}B?#gJ^ zY@$WNM1?hK+&}sZzyX>QmzeOgbro6?36}R2>NH$^d6Fa6VUG>&@XNWTiGBxMO&I@VU;VOcQw+wbyWK zw~=dyw@OmoZxfDv)irkin9p3*OuHl|A{$nrUe_Zt;713069ChJ0$skJN6ZWwS10F2 zF)UI$c79R6B|kT=4^}?@T`%m+v>{)*%o!*W2#j+CyOtDo2Q(p^&rZhV#D!kBtcxc! 
zEeR3pb$0RKy*-XB4BaLnmwxd9hp-RMoA9d;&b?yprkI&(CIz!Pzg1Y9E4FvKXaBMP zV?i0-A++ALUIS3LfU)=NqBwhoTVra_WBuYM{LK{mLOlfinmTl3sa5*L*1;??0&SPL zr%@{ez*hF~2pzOF$&6IvCn#8c;VtXYjMnJQQj)~iUX(`uT}DcnMY6)-nYN&7zUD{ zsfnTf$8CIl|5#Z0upY=$e=~}vNAKB-j%L~oi;&D zh;Y9c%6hgAOs7;?@YpL^)ZW3~g7HjdrSoGVN)L+&9_T(Vu3E%2j77#A^_*&DMm5;Wh!pgCv9v^f2 zP;LA_VzW#e-dws#__msiXG}^^TJKSXxp7Rtp`@^hzaB`juU!QC3^BIiGt$RncUUvv z1Pc8h)vZu;)4V)?TdIsFc?T<@q5|!YmI}K7#x42Qm?|@xey%TEVtl-|r`}4swu{2z z6_dis{^-i8mZlz?TF&IBQ$0?_1l9V;^Urck4pn2LGt&zwvp0BSJ@>!74UwTplT(wi zNWm4_0;X_wghdHs*tQo}p0(;xVQF5s_!D(vs;^)9ib^vufKB+}$n{DB2K~_I9Dx*2 znLNOyrD0{bOZ!3%n>qV%^K^IonU%}f%`O8@-_4D883iZ}w}AeAe|#lIierXcMXYP= z7P39cuzNo-`g8_x8IVZAL^#lvdydJWT}9=c?DU)Uk`u+VBf{!R2Eg|aP7^qf&dx215b?9{*LE`*3xiE75&*^@$&g+!^WPL~Z>;~&{ zHLPbQM7xY=w(+J(YrgI)O%gL72I>i`Zm*ZHZ!}h)=&r_3fbZlomjK|$(*p=|^@;R- z)`fKPbPpJXWSiffUrQ312p5m}6~61KXzfcB(ZYG{RG6D9L8ZQ?N|lOcMM_-0^^vV> zT3xV8?)&!}C&liE?r*>Kt&sWBTDxfU+VkV~!gEkIA6pV!jT?WR^}k#KUd@1;ldJc~ zwRG8hs@rR=q#e_2rk*<*J|J}=p}4AuRJ?rN zS0Wdw7r{+Yb{7t@N?(6fKY1`7Mu3#h??=15jUgO>8$PI&rULPf>nNy>OE6}4HETUU z9Et2ePxoD#Myok6HNg(2Y$G3R5bV0XqI_IY7o$_8f!93g+wGFx;1&_$(;0#h`o2du=Vt{}a=1Tu;}5rii~(2v0hn#}xt$J>nf$5`|z zHP-CzTGaek?O%Q61!Xb=COQAprlPkGFKfGBCIwXMg@%CEx7 zpb|Bt#rj)X=tEF+I_Q5Q>~zpSR%qQ4K-I=V=+o3&7m3&^Pkg{qc?mN-)@O$I#89aGx*XoasNGDGmB||jEw0W zX#2a4soIX1=JGOph8vVy|E(w5=8%+g%{vx;nMsT@PliuDw*gg$KQh@5f~&%LNPwmV ze};iYb_P-u@)o^^vBJ}2mb65tG9(ID0`oNk&w795v@<*L8TLYN&A8T-8XA{Sub?+T zRC(B5!Fdc4iFXZsr@{J8kwO+6)5`{tPK|}{`NnMoeB}u7A8zwrODjEb20T3_YO%ffH z2SCbVYpr2umDF<+@-N)jW%xYILQrz_@ZTm>3OfZ09rf|7AY%4Llv87~GeT0Jw+9|^ zTQx!Ej7bpRZDO4t)I+p%r3Mv@EsQkw!ha*e08zH@Rf@>fg2v!0CX}l*OHgCw8=EAM zSTE`goF+tkq1XXB%{!=;Ac=h)^$!>c?u zsJ&fR9=04zFWTec^RRsAl}#}CUDIsR)=gt}+!edfHk4=A`8UTzX{N!v6K`Y$Z6a+ zU>iL>15TgLNqLH-(1Q4mI4_qLNyCa7#PQ|RX=`R2HV%`8+uIJ7&|P|2x!C}Y9${8) z4w2zv62FofdDtc0iiO}6H0{!?rzgf{3YPAy0z<$G3x?DlY)a_6An*ERQoRyA_|rjI z(zX({DY2jZI#`sH+@C9Zz|qysbFm7Rln`kOFGx`En=KMvm>=q&gb-QN3`rl&DmU}s 
zAFSn)j22rx^`tM_ZSEW?1h3d%(>OOY;KCw~_fDc8_A8C0g_|C3pQl2Ui=zCI^Dktbv(!Ht%=t7d5 z+BeXeq%gG*RMQNOHfq)~`2hWuPy*KL8-^r8bqT;8`xfZ>e)Q=VIW+m{+h$kqS^3NN zmd%rUd_3zAj>+_s%DP>MTQ*l;y6rXD*&6%`!N&;Z3f2Nk6(kJgMKA?$0egY~J-)_) zB8dzGwMb&`Wk$KPeCKT_Qc~ z7Yq1w!@%~i92Q7I5m^{Xk02(7v$9ESYqElYn?d*~s4_pgR>K~lp1Sdwj#FPNPnRVf zS~h+5M-PO%ZN9a%watN9bID*s%|IL`@|~*Z4M&Lm3%<;oPSq7%oHO3VmZ$h#??Vj1 zx))CLs4H4H13Y%)!a}0v1Z<(S1d&3szyQMHK2%mD(l!S**rpr-&584Ak@;#tCX(>a zM&f0`R5om$K@dCrTfs^wkniGuDyXIz;d)SFV3JuZnQ0Q6T34`)v>60;i-SuuD2>AX zU2#y>!GiGriGp-QgvK#W1(M$M!^k??!>c>1n}Gj0b7^d5FC1Vpb(S6qr$5yP%>lCS z+a)p7OL&0ns_&CPLae5+{|c*XDe%!d3JEc{7`V00W2 zlJ5mC(qzzCy?*pp6WUqMm9)tK9++k=3ser1DKR1{H7mA_6|c|3`mWHmpUF!unAi%7 z*Nm2d_bi!+To5xfYX~VzKcnv=>2FbSrZsQC8ED?%i#pGimJC|C+?taAr{(4G*+nyO zSs*CikP?b(I(Nm}u1#2X4WvGae@+|8fYJ>T$pt@?o)d0)*)WxzYuwHy05GmR|3T(n z6E-ilHl!K*9P}S*2km8tA@uHt~<~WZjrjK<;hUYwAC$p-^zbQt$uKl;RnaawDmEH z+2R9ksNtboY4@YiuDa=c45+aCH29vGQWaOp@~)M^R#otFKO=6 z;N0C~@nuVme@d9xIo4_zgjzVJ(>Vigkmu?vTt&UJ-^O8WzDLkgWC3T0-Twt?8yE-@ z4bBFUnCrx|35Ed~zo$##fTewDeB7K9fD*G1u@EYo6zFrHdELdO4>%G*u?vgpsO3SB ziHrD)?KiFW^(^?KM}D8`4#<+;-s=H*N~=%#HrP)7Svl>{+6TVLzB6x-wp(|&K6BV~ynTKRA|=flfy*PvZ^Fo3uunX^$B6w3 zfEj}!`lS^p0C@FC4DbU z_|Zu-GhB_y8H-a2qo`(XAMFJn{#lW{k+eebvwJOI^Wg&j$>NgwX|Js9l$`h+!9!{{ zcjm|bIf4{S=f}U8q;73$N^Gguuu`duc|$k+#@o;P(+;h*wvgw~mkI9=p@G}+7FvXl z*P8bz9dl{2C(|BBu5de47+;q{=QL4R1$378!0%JVGVTpG2nNW zG!5j|Ld|)Jf(8K_QV@u|WuOh(Cz`RFuP-Aj4-zk>AHy8fpYN*Ai3F?RP=XWw z@z=KA8bf*lZQibN)B3Bd4JdM`QMmAUG#5=~m`cB@757Wb*$fp9stq|K&fqQ&8yFb2 zW8U`Ow9%NJk%|)-E)E$6SS*f~6VC-qhYC+thmhbau_FN-S{{~l!su6cFN#!v}6FR-Iq2AR96LvC`@JkxedX7AX(Bjeiz)5LV>DK zUj9bfZ+?djj*_WFNDLWHeidCA5W}qea10zD-d=nIETzIXBaxOfWW?%jV_CbiK z-3WwDk{_WpJ%QGxj1=BXBT7nd1+xl=3y>z_Fz%kN5B%^|xBH z_eE^WI?I`x(<6L8BEB@k?}putNQ_kEt@?QYt3}r2?@HW<4hAHoVsF@32}WVJ#sli! 
zmuI*sY)8V~Jm;#TrRL>QF18J~)q+Nj64tB#Y9EFNoF^sU14tj0jY% zoSyQ>G5N}aq&WWrf2T!4M=FmOfeq(O^7%1EUKi(1{11KfwwC>j9MPL=4rhz^+IWI# z>+M$h%yeUXG%A;Qo9vw?IoJ80so_QB;?2>TkLHM=OqzRfe64fYbIi|r^Ci6ayFCbH zq9+mA9dG7OL?OfO`%6GC2r-w0$`rU2-qPB65y5~CAX58xR*Zxh&+Jf&&uY{V7n|pd zBCOfN*KI+pPcZCHf8uYC)l2&@OHQA!Rg>%Rq!V$cl1_ZgACzxBGwZv^)pz;&4E8(O zB_L{qP5zg0ZaB;M2mutGF|qZtj?mW5Euzz zozFR`h#3lPEt#qxnKv6?y?#|L9KJ8{>&!2D?A(IU69P5^g_FQVqa%tFb64hWQ%?oFfM0ils< zTdla|oLu^ryN`hf0;@VNXUkWodRCD>j0U=U5GLtS*p~0mU&NaHe84=2{j*AJ$t{Lv zq;fo~yRP4B8GDt8E!M}er;`Xh+l<|%qQje1Ik(hFs~tP|vFE%=hyzIbDw|qsXUOii z;8?|6@|~;J>xqGt3YeU>M&-Y}mjRS*BmTsAA9|X^YxR+!{5;`Q?12*EPDc`Sfr(d%m#n&3+zxVWuihlS? z%wQ=}uGw&u)kuELU>!^VPq6qWW$F^QSXWvmD_bR(o+!L6l<{ye1nV3G^tL*&(lo^F zq4J)fDr4kN9AMily}a~J()5w{+eMD03HP z^2ja+6>N@AReY~x=yv~BY{85K?Q!6t*rOBjwy69}o7zo#s?Fwf%`KO_*o%|-6N4HTbZjz?>;k?mGfss-=LqNv=|6yGo`6r@cXZ)KA8Xq_$`s zOJ-jnnK3v!kfDe%ELw_-bnRNVR$`8)#YqjnBG+cUeRc=C51RT*@noFLx3fGB<^KBK z(YsaqgVO;Lw&gp>4r)nVJS7IMo57OL9u=2snEE%rKcE&eA?(A*KUnf}o7hks3A1n2 zK0nA=2(m_5BZ?KOr>EcZU$)u10|~nHEg$~^M)Irg;n9)&gE@s@$OVX+7rYBF#CXuB zJx5QBCSr&v^fS^Wc0!1DSPSsEN;16p+6(yS*FFgg9MY@86_A3M9{0@O*g2&x6wC3u zI`bXm8VOq4u4D!xlWHO{OcCwq(nmi3I4@!+Gxu2@JTx+h>5Jh@VhR3$VO%&EyV`*O zprMEtN^#il770?3cJO|-MMS)beRW~y3H&SZ%of?t@i3G%z`xU}t)vOttD>@~hF z6HbPOg6!58ubqAf{B{6kFJ>Lc=F~uQBHAk8UM_~ab0A~W9tKSB2C!y zuDV=B%$22z6$TPwrpFt9Ln%jSMIHn^Md7xc>7^XfDZ-9n?31Oy10}PJ%E`0$D93Ag zr@Qbg223}zIR}WwkD6OX<4i-x5s!zxFed5v?+oIN@dCfc1;NJpqG8N)h!hoFm#yqy zz)vU(W%xN$-N4sDT z3SP0-L^D~`0Xy3emD&d_++%DbPr4=!o%Hl zWZJyYQKy{PYF_ZqE=NbkL5=`Gtc3b$S4Q#0z0wu8V%XW~OdTq1!wr!NH*N&ot4 zrAzZJ9kr>Q7wjk!LQ$v0A1*I6od4u1-#Dtii-9SfsJ5R(?JytrfNKj3Jw21u?_)3k*RKjo(LJPY}i~yPf&2 zsaL!v)&mOVE?3tJrp@P4Vq3vBp-M_7GGu6Da(JjInn1Y=`!9juBEJ)NeXHX&m5q!g zEB;qhZMy+Xh~B zxr|%{!OF=tWn4j0{6_0&ZP7a!U+}_-0`DCc`H(I+5tl3DatuU&t|XgaCAO0aU`l&{ zb2NmT?g?Y3ATJRv6MkJic-T_LWTvRLZAiWF3@F4M#mDO+72TdGs9nHi>jJkDWh2cO zjmI%noaRj4GreEHA|n+fR7E4f0{~Jo{1;92&qFuznbto+6H%iB?{x`5m#_=S zxf;(JmeNA`b!xqc`yNfts*n+o$*u*{oM!y9Y<~h$;`SH>Xy*T*^ha|ax6ywYqrfZJ 
z`v~gNk(0SN+!rZ65`L;gnE5%%1Uj!hE{?kitI!uJg~xx-F%FV-S28$;gjL^BfNYJ3 zOwRWFS7G*f;AQ{1CuT(nRFD;Z_?Zqy!vGq6uQrljI?fcH^oRPfL z=3+AErk9FwPd;CTeE)O^d+Vid7JO-ooo#A@-DSgi>`CQoR`D=g8)1k7u=}YjDZGjI z57p}Rp#h1w;&p0l9;To6{$0obb#IwY8hY>qrF^`&fxJ%$3AV7C>!18Kk|dq`l=UIv zBoai}nojZ3H_1#LOeQujQe{m7J9gftC3;+;7pjga-xBYZDV~?^UJkO#%RV>zeo7Ux z(xG34u)iQ#t(ZxY1XyFYp$1Fp{C81_F>4{<2 zXZ>yI3EDp2VsBMS^$j1OZrM)$9WKIyR1AJwOirYQmDnDK@h_hF`HlHgxN9u}zoTmg z64+=2bGkc$3&^j43XxgKX@vXcCi|b9vY>*APW-Ar&rF18~!AF zcM=Ji;`A)i@chF#q+T_@iC?(Go%elvuYtzI$%C*thV5%ZAj0$pw2DKAk-|x%)ziYF zP=iexLarWCAi)3*Uj+CvqKiW0^7dfJjh*;Gb;T)O)PJv)C*>tBzDjR#K)pe(T^4RXqQj-7(SF8ZvpPp#38HjmSJ^T&Ek%nDkhBD_xg(V>Zs--r{Gac~A2S z$D~g8MN5~PyJr1#iT(Es3rgVZ)Z>9mP*wt`hP-rQ`?n>RcneMS4oPk6bZ~zn!klv5 z{`tDC0}xh_FnNKzKv(*2p_7emaeL@06pAlXzH#iC-fe*M3AuI^N+46%ZSTmI68`%n zfOl+*wGc(Dh+FCmH`Elh-e`He&TkRxK`B-~4ebW;YO36a4`Bzh;L`u&N=#5LR>_nu z&ehd-L4k=+G+5N6V47#yLWz6aYVJ5iGZ^me7${8OW{9bD(ZjqlopkP@Ef<-Bn$_R2 zln{I)^TXS>Wmt$L76ISgt5B%C8nj2D`J;`1*~}c2o7r5JUn6tBYne^K&hC3dCNB;n z2}+3cRc?V{P^V4B2602HLc`C1USSyR%}hoV@5~l%1J>`&{5dvdo0@(J#7eD9@y%62 z3E1U%vi{4_?-c4sh)x(W74L`gOzQ!9r@Vi?00yh^&j_v!e`nRXTI_jZFWd>Eftk0= zp^T~GKr)Z_EsfdFxZsBDnpNb48WIxS9a#sP(ZUKr)fJQ+k>`SX1M!p9(4T?*^2H5y ziRKDQXbW^9kXX^tF+YGrlTQxI=QqhcG!WGnbMq_f^n%S}#C&4|!Ei*>LyK3Q>G%T5 zOYZlHeUG`bjt6(2p|geuykb&i+s`clD)^!UT)DvvJGA@u+kiXy<)mIwtCfo~9Qja+&+*rSFv^!!N zY{1K2Wg1)F#tW??woWGWHSrNPw1B^A7}cjw>)V!n<$f5|H^z4BT3tf_jbQeUMy=Vr zyLMNf-&Xume5&zLb^5oS3ucwz?>7v_8yo$#{KkNp!D+%4$m*7!!qMtRkgt5emS%5` zufQ;+?Hk1oYRnGH9_NrCFLhRZo|F$3w2La29{+E@VTgZe@xpS8B}9RMWJQKCUTBQN zdq+t|+Vsus>n#2f@3?~%xmD<$I8nhz&zz-$6`(c2^tMpm{#2@GVA%Pu)N#DWL`G2V za^_~9>Cy;V&1VP;;yuSFg({yR=A8wxyR}>)#4R}#4EFl;%ulSj@O$j|=#`Gsd3I~F zEz&ncJAwt5A11JZV%Hf!1BVU-@e^t`k!ATUzT9rfEW-Wcx9s<|9%^>R$HnD=v%_S} zmwLu=+C^Kltt^|-oGuW-g_pLK_LS|?e8l|kTs0wAJJ#!%mykOlEVTC_Z5{_aHdcLQ zDHCI9*=?Ouvz{UQXOWXHckrhsR30CrL9$A^7cO4`$Cx$fIwGY?rf;_X=AsIbk~-oa`xmfz>x(>h`( z`nd5SV0!dAP5J8tj`xzH4*y8o`=x2y1fLmTiX(NhZ%QSZ5 
z{};gXWfkVXDgce)lav>?ys+g;#jAzlfxcvLD(&p^5}(r0!9(I`0VGX*9WYZ^$feST z`C+?NWE}epqD!VHai}p;Sug<TwG?CQNhtSq&oh#y_uP zG+o_gH`+mO7nVrJTL}wTlQF`EDEj9rOt*0ZbEo|gZ~KT+7CKNg-1d3sDF*8RAFTZ?mg$i?k zrq^-+tJ4VD(%O_}jlV*|fUegvq}z4qMpeu($pScDIUk+svkdX{E}i{%4po@XT>RY? zRMAm*Ndt;aKTrEav)bwyUxhJ43s!JUqbBh%IoVFV2C?Y7SuUDSN~J-};XUF1eJgqU z5_` z#n|w!XkE$h;G%5?otDR1vHfmu!b^66C<;8@A6CA|2a$hPCisUZbA}$kvq(9(3{m0l zvCub|bb_xYFaj#N^BgS4S0tDseiuGv(e1vqqKSaUN&i-mW2*;x<9;EfFrnd5bage<&C85x)SQ%Z~$}VjB7^M4)h4G|wzvvM>Dg(!tp|STf;_c-^S1!|;?>c(z#F zm;bx;KhW`;Xt>l0kaNYWI83^l$WN);R&2QNhp3=B^_4lt;l0!l@&EUxYsMY)-f(9~ zcPaA7`V>hI_%O?WLyVS?lx5{}SM2p8#HeyJp8yI0F##54wPDd8wwsCR{N$Q=Y;MQ8 z9xkYvl)FE})ko>3mKwJHBRf4E$Q z?JHjvw}gf1FF&rJ4ZE8f{)8D)tV<5TvmP2HMq&6h>XpZOfm38N zys2q5L%~xGS!bartWB-;whz;x7uXYjYG`7^*(Dmn;HRcln5qTX1qYo;N> z%2z;p8c?NVmY?kBWg6G7tarr7`N@c=$>}I^nOrs9_`MX*cKXZdB5h|fn@jU+WZCDD z(*TJUsg;;G`LQdRH025{PXCmi(reyzmW=!l|4|$%*QpCFyPpQFU%Bv z)rW#;VYxZ$yX}WRK5hY@e4p zusO)5P5lpPx&dW|V_gs#Jz*8!g*{-1 zm1dZMaEXK_1^q?$cG7+l^Lpz`ZOXMyg-%dnl->tsOd<1C#WgXR`{~zY`(g`1Q>)bF zw}K2puCKQHHD&GZW*ael5ze-#>P|_Ae*)fL*g&*RtJGAlW%b#Og67vWroDD+l-!r@*&@wtc~c3avsfUn%v*rNguiN^u`a83$*I~AnF76K}+!DleCBtWp^zimz~n__kNgvZx5KJ zQe~vR@bQ0dyiV#l3JihR;qgZnn&DCYIn6~46k`BI1cNhPmwI-FOVNhaclT#8D;iz4BULG4rM7Cy5`TGyUEA;L@v)D8gea3 zO@Z|{mfU>0;87=eAf$q{dhsBQgx?6Aa#<>2w*bticc>qc^52??Z?JD}ah>?X{q&AW z)Jx7D43Q#gGL@rdb$XRPYpk^Yi=x`AK_zhSardxsFhc5${VHymcQuqI#)WoT)LBVa zv|21+EIKVxcB>Zc#6RmXw@m?Cu2}i5TtmmMBCfjCDANjN>BA{!Q*co>Wl3*t2ig+b*4 zV)03pH%Zn7S@g$>uM5=knVUBhsGL8Vz`LR&`?0^f3{2)=&ta$3lBq_BNS!{@bTYni zmjK7*LkSNYHreCl@l2sy2EVs!_y;heYW0hdJagu-P;H8MZIbv~^$G^n{Isv2NDc6 z+K@=*Dco8`Y}4(&Vx=406INn_Cx#*_wT)e(c1&Zde*{*BKL*IW4@5b#f(M{?EZ|zM zi5dZ!7F@#MMjBbajS}RTC5vS&yRZSN64={5)U&Jq1zDQDEKU-Z!qmZX8 z(Y6^1MAP1D|4?;0j=p5EoE%_?97ZnxQ}t4bCx#_A<34oZ)5z}NIoeonqPb!&gaWi$ zQ%e+_QchW#iXwPkmOwG4UN&0K7_AG^Oxm=eyS}-MlFP`Me<=_C-6B6#MOa$21-2^x zGmvYU+eA^8*|lPUDofQc`FANF&NM8dD(4y$Ef2y9Cx}Eqi~`IN2MNF=$3k?g(>$h+ zDSw+Z`iOVf6N==z&i@;X2-5Wc+3dL#a#idL4&&WZ^(@1OOX0nu&nnk6q&HH3Oi$Mm 
z>($ns`ps0ljfdXR4>7}ORs&Yf@*@@(dPKQ*MBFzhp(dpvuo`dBw#>+(ijbdRD_l@f@kaVNOn3%)8wHzuvoYHG;Ngj}@IXTzuyju0qD++q@0&dQrv zQRL?w*Te~c1yR|q36e^jrrj;cqzC6Xa(E;M^ya^!nljc9<{X_0NSu_GM z1GT*;A~COQ`e*t|$HI?^jYxmgHlusIzeMc5#NiG1Wi|^R1P~cQnajK#?CgIaYc}XP z?c^rl`G3!U=kx?U=ueGaOGY@bQ!SR3vHR{cf``1)p{M26@l-Z0+w(>*X@YM{J<=1| z3FBzcSu5Nl0{GvEtJsh1((s^#f`_&*QRh;g1=y^)$LDL*`M=D{+6l%=dj>$u59l>4sUIT9@7)mR5h#AgNk4m~~&&)lkdHxbvq{N1kiE*3PvDa^#Dz z%<-Hy;aZ8H1Xbnr;u8A9C-4O!a8Pk1Mr4q7OjIlg0l!6KSk$WfO|j4^rQpcSxx7Qr zbgDz#?o(t;o;f+IO1ke48V_B5iFk8cb?GqbH)<_&!}S@8g(erV?L+nUGPIphNq@_F zM=N-(Ui^mwMP+m?W{tz!5LnXSgJl9kQo}O7>zGkTlj|7b0BtPc+Dk_UWl&awZ@QXO zBXnPl4V*FRdQ^|GqWAxLn@z@s;2=6L&+pPqj85;BSRQLFMzVaxP~PNL07V3GC+bLD z;u4X=ddBY7UeoO)81FX*;qG^a9fBGxU1gW9vx*MQ3a?v)Fv+z-d@jVaaoIk|To0FR zoGM40w0Ah%YTA5VeP+2x)32v7EB@|0g41=y3n<(jiePh3h?TOM@J}z*Cra@yUj37%!?shkjby$~wCW)0%1+n`7(-fkK*r z2B>nw`-gLI_#%Fo&`W z0TD~;w3s-~`A$U4w%|AYazm#0BHS1K2YAYLOhF-1R50BRu~*w@B5eA8zH7H0c459& z5*`-IskD%aYNgxEsO^++u`^LKu2I`SpyzqhQ6vNOaDz&lj{$RB(768i* zH?rxuV?z_)KzHGFbWKgkOR(ncyIaK_r{>gZQ`w|mtW0|*V?Ld$Mzj9f$0TfAnZJga z@vZEQy3nps`O^WvqJbUb@wsMxd^Z1k%Zco@ho#>Hxt7`AWDhOhr?x{2xH+3-faY;; z8gq1fCv%vx=1rtuZ?X6w?mYSjCQwI7a$OL=YP+9rnjL{N6h3f{ss{d%0GE(By75HU z_B#F!GZocQI%P=2zbTRx%@T&*_m&{~L&I_bqq5vWEWWI?Gh{EorJU}BQ9mQiIeIeu?RgWGg%Vz#W^r6Q?eHFv+>N`3C??U-hQUyB zd_=Uc?vh>LO_Id@qLSXi?5f+Fe?Vo~8>GoU5z9uNj`8-=7@l;E?!FcA2r=yHgKOBx z?jBMY|HBm+?Gl)}u_G+72Rvg+!Ti8CK2QW#BNw!EV!YO-cCd=xgNBqUGVP+H3Jz9* z3*)^2WEzSL0^#p8({1c>^@T(zH{&tMF5EtdxKhNoqe#(TLntE0J6CBzzJ(0a@*99h{R~kw+(pol5LpJlq%`fGkhuDngQ@pCrKM zKpNI0NKgFPii?+9t#PE-aN3E^>sM0v;xiA-iV<^f1+OeoSdv6`+G6{d@84_}CI`Hb zZ<0o1p&Q3|UQmy!HdHw9Vc;~{AIWHn$qX~(-u|)k@aqQtmb9p>04%%M61DDIz+%iAYpZ>xW-~QLvy(0|i|yPuz9}&9pNLuOIGfJ~ zE*C1pP(0)8Z~-+M=5NaQ zbw29!^N1^RGm_&9>7zcw<8z?T|2>+TcQlyaYjzf1DQg;k0Hc_cDL!6Xa`F|j>OQ>I z@7k;kLX&X|>sr+nxHQeyn%Bv6$F}G?JqCPMuUOy>vs%z4+Y_7Gp>!Ex4*7AocWhE% zyqZzqt7Oyu!Dp)s=#;nVVrB(O=PiGfAEuelzDEeRNf&{uc@le$fHH{wq}glWp%T=F z$WG`1(@$by0Pw_w`O7P&7Tqu#PH!~z?vRb7Y2UqnfKL`6EA({QHcGmPIxLx$3^6D} 
z&-3tNHNs6H$pou^HrkFob}%zI*4hV*4zWQe8r61HASO>SdHU|?_>YwfuEoq*3AcHahLLP00ldn{4wBxtkppj~;206#ogWH-}bm%U#RgbSPJ5A#!; z*;dAR?H)Aq|74nOD{{3xu2KaAgfxvp{|?S=v@YtPyBr>XQZE`?#Z5Lqg6NX+H4D;s zSS(>AIx0YeFX(9!h_lzjt4#o+>0~PlN$qiKpv)EI}IY=XZUv%xARG3%5m`R@H!|} z0fi>bm~E8xvVV0SJ)x}rM~~##F{Mt2E-G(HzHT2; zH?45N`?m6!Q}C(#emh=g?k}NV!mrup1=I;quC>&;5hZz^Y`!FHfK)T?g~e)Q^@|Pq z?#8}R6NKiHkXCE_sjoni%Q0IdvD(}=;53P=Z!#h408Ln?k9Bt+-ZH)~&U2GWc{>J#B9j==+IUVQUPjyqcc;6Rb|2iNY zVpw;_ATZquOjGrI3`2E5Y{#!8WH-5# zoA^E6MMw>8*ZMbTgF00?#E(XN42#7m1J|L!pM%u09KV)=`>p&Q>xN97`~``?UqvqG zK~xEt?&zL>+2LDY+cd5kiPC5QET0+U&l7kL)s@&r^NxiO@SsFllX1zsHXevM)#4&j zta}vGhX`r$C*w_r2d&svts55dJR(Pz-l;Xrir%@KkBUt0w?c7%^9Rr6gLhYF8;^S@ zpYKm^ueZ6h;wd zki0sa^lSQ7X3T-cu#l$FU>IsTW-D8(NcN#mW#cm8IjrbPDs>f9gqi z>UH6r{ezV9Hg*i>obGV1(T^;UuCCg(9yjTSE>G7FNn)|>1iJt%_h>-A5uO+(KK%!r zx=}ZgHMF0k>A(Ek+Ud#8wkSH~-9nQ@a73KaKjj9=#b_~gZY(No-QCxb0lxJMOTYf`77wIYh(V<^mt7-}>a*`*xDfE0|x|4MTnNrT|Zd2jpM+}}c@vFh6bfuE1 z^|9W+kwaI_^obF4``r|u&YQRRUj?!R&{5u-2V%qgN@R7FD}x5bERgoD{fq18L&t5; z2zVH4V>Mwy1*3curBym>EAlY%n) z2>Ph6X)V4NjZ*3=d2^8oS_}+rSb|%;tyCv%fNATq(jDEm_sNLk0D5&Q9|{x`CFo(b zGqB9FNBegfe}&BH#5iY|>^R__5u+69BhEo+?h~Lz3&nK`@qY$1)~?1J#{rANsUyy2 z@AA+Ei3pgL7PZSbXB(LJ=PfnHlf@MWv*4zp&k3>pC>W-+f-=BjY~x&PXPr2gd83Dk z)mj+%_0fuM|NmJg<^548RMp~FA1_YM&rXlJm#6RE=H+Y@jaJ26y<4OMA*r<9WZ(`v z1|KnjK2^5ilYd_EpQ_*VDc=?C$PZw9&(Gl`*O4oku2+b}iJ4-7nz3IpwBJ#iajW(5 zU5wtciJt5I$GhmDbI{q<3uJPT3H8@ttm6?JP+ChsCA(2GWq8d4A+bzFn+@A?Oxg)& ze-dBr7#Tmpe=?rQ22>bf84kV-s!;(PY1mw(X3oVHiwx z#PzbgDh1Bn)=4Epxbp#{+}O+to)k|F`Yp6f5oa!RZYOkGloUB2#2n_30O2qh;{nM+(qe?sm_tAFM=0Z1R2yfsFODRXY7!DVJxgV`7WtQ)$sU%AgZp`vJVU_fe*lC7sguH%Cj zfqzpvU_`_Za}$JJia4GsNaf8iSSCSn>}@@;+VjEzG+Qidw^QPAW?aq8#2}(EtG&Qu z3#8Plg)=$$G%g z=!sb<*2q*cPH`yqI1wzI5D;b#;Qx=okbm9I8)6*6och-3NyX!Xkd5~A6GXcWf(SJ^ zXiH{3KHh`f>jCoPXvd zSE0^79Et3ZM#&VFN+&Y`78%HMSKdsf*G861R>&#qZWihy# zl?qoD?C%`r;ppe^SmwNn(E$5bX`*&F9Z_qe+D#f!%ZG71)jJ>)1YzIC&b$NpXYM%9 z`Wl*m^x+ML%uhM6ThpNZ+W3CS;3-UEUuHEqh8HJgxI$MS6Ar_P6qpoVL 
z9OrgNH}hv2YXg|tW)1Ta=6|#|gm7)mRA^iZJTva8Asfw2gl&WR4V4hh0JuS_WcDgV~2!Q>l%G7_E z`R$USms&|Xjf+x;tPn2eG%4ENN- z;8uzyiU>AA6N-gjV;+G2AC?sI1x&5PHcBzau_R=nlAj4w1x3hM*I;>K&eAw=yrwJQ z?_zwrkZq>OTF@}WBaIzv8qw7SJ9g8__T%dG8^%nn!)!3pmK4>@VaTo_jKvtsag5Y9 zV`psph4-8H+s?A=9e=Ahjjig1x8L#hjW=-{y>s3IsU>u%zTP{l-WQ72+wPka?XmWQ z`q(?~9-aJfaq{7`clz$_5AV;9yO$@&RepUg{m{GYUcT=k^uy6F-HXfOZ{72A^x@<} z)#t2`AMEyrez18Ke>mtIblRO4?amXl|M>9n%fqKnyyq_-KYw}AIe765{n+VrI_Ul7 z(GNCr%?}RmF+=gg{=WA@t&^N(SRUbYwM-W$-Q#~Eglsp|H@(a5#ijb(eSOke!0!-3 z`+K_i7e+!s$Vqwp{F$(GbLng~MjZ&TRI5?RblWch69uk3#5BC|cGNoIobf~S{`~bt z_xJ?;+&w)zIe$L1XAcRM{upglc56#>q${O`_snYQ5qaqTp?BLw}d_^gmOmq|YAx9XX0ck;QuA8cv=rD01}4U4nD zTD9~uJKNlz2}VSlL}l9@RW;fP3wB`rW#c;lmj^a6F(rlKnfHsmD;tlL4wqS3`!3k~ zHl11~4u8GS;?OxKL;BhJBPi`hD|@yYss4nXFJG=_9eruomkebxMK5M&N3!2QmS zyXVCdLbnWbS(~5r(T|dhLdKNpY!i!_q(MqOgntfDDbNU<5VjRN+S$zok;%UCYXe@t zeVqAo?wC|S+L;pzs02J2jNSDgRLNnCqt_q);pvPxR?>R?;U7r5blAMsxFit{IKfwh zYcomiqVdoig0mr-P;w1E<3`d`Th^9=!j{qgo&1t^nZv8&Hkf!kbb@(E2``w=jm0{k zfqzbS=UgvghS6tSpTV09Q)4WUps`Q10ZD-k#OnxlP}os)G~H>8mLGv=*?Ir@!HfNQ zGq!awc9s+;f~DM7V4kzfCt`21-v_I28k2m{;DkN|$6QVzIl-O9}` z?2r4MU9_*`5%v!h@@%aK-ct{q%G~&;dJmb@D*_AL@FS4jfolxXq4Tlrx7wf$!iN!I zLjU+@HXctabu>L5j~->27qwdAjL7~zi2eiz3JC5Gokx$nEFT{nj7XcpEyz3ojemQ9 zPGDz`nT$Ow?;;p{579@9((CJM*JGaX(H>MELI$9C4bVJ@t-$l{7OQIs3`gOIpSPq3TgGyfsT$eX%wKn zR)QW((Y4}2>Ww#XKUcL!;Qu62<3?wO8cth@kPuREBhPkSXRD`n(bS|#91;=?uz!W} zbPI%w|IayaXti=%$)iU~;oxPP7Hque(W6%O;0L8>V3W|nB<7*9YXyCTNPj#*6U>F@ zId90))RbOfjn7`;>2fABI9=0b1F1vH(QAF^r*kouN|&;ptzYs>Y({yhBPYL@>u8%h zTR0D&F>Q(|rjaRD2st=(ZIO}|jeE1&Se>VOk|jy8t;K2{J({0P>qGE=scBt}fJcv7 z2z}iD1O42+?4BK>{II~JlYfJQW4qObW_Q$C)lA9blgsX@Dtc){T5`uewb|xbg20Km zB9Wikb+mwB>|5pc6^wNI``%+?&9i%h4}!O2AvFhHd6Z3dXwAaFwU803tvCz^$9bwg z8(%F=+Q>qHwRUeZku^(suXc~q#~*u{xy~EQD14x;3a4*hw?CYA+kfY;kKeyJ@1C9Q zIBm8korOcrf_r49d}Z?&D3QbZz}rsmBBel>q>~U21wNaxI}*7>@^UG;Sqz?o&>DF#yY9k!$sw0Usvz6oM4ABu}& z1Jy#q!GxN#G;5cjQA7fYB?+fWEPiwT?&7lh_VN&A$>?Cg%(($%^*W~Q*wL_5*(}GB 
zGZS;8mj$<>cXCYlHMJ`ZpfDmvC4=o-`_d{lP<2XE<)sg45r3jYPL=utz6eBmsApUv zD@%0G&ffj{>EzA%p0eOhkreZ&zX-d?hVs0gbYb&Ou|Hsin08`ptAviJ<&e(&ZGhJmiPtqq1AF) z@CVRo)0I|b-kUol=Lh%smpYGA-r?nS6&`e|bH9fg-O*iMW${U;&cY8lLp;b-l8hPH z6_+vVe#iUG`>l@#9LGwjWvIUo-xM||=RirH-w8<)t$!>z=kGRUE_eWJ_j@N7A5M=> zKE3U}Iq7Q+Aob$0AyMP@tUM>>r^OreIsNkz0nel|wRvY^s^Y`0#mnS_> zewMrQ4YgU6tsmuJy5QKPaHc=;ttIl*9NcVc7h4$Loot87@&nHsb2&+@;b=(;_eD9| z+e*%}QGaIkZ3zp|wpCV~@qmuz9Yg)HB@#R|Dtk*l6CbsyL}04~KU{m{q}0!ljYc3| zxSP7#%R$o3V3uts*@mwbVYLgX$NRg+h=nD(CKh&nv4>eDWpI?+ZYo9XF>*nO+V8WX z=(u~?{i)kCzx*BT$tc;=t|(qM$eAZ#>0$?GX@BVK{Sh3!g6~`gK66T#V^I`)p?AE6 zOTxqps?FQnj{xt3)YYJaN*YIJ*CD_2|ya!yr~b(4&*bDr7!(&qa4l?#z7X@~Ln|{ek(Qy6vhm;HHvQA){j!X_i>8%*b z%+UYp0SY)v@|G0F`2TUAGb?fZCsRQY*epskx#MLOn0XL@;8j=x#^mWy3RDZ*_tT_uxv1=njIb{{n{?^bJl4H*CZD3G0 z3p&^C)3<#`r_<>?d-4SS?Q}Zje>?k+pZ#tBN$2U~PUq>frw4!Q>_2<*_{rZ;r=Bh@ zr&NjHf9u@(UFFVg2+hs-VGAMaq&sHp>JV-HzLjv&HX_Te+Sl4f{P}%rtMqvLnt#yI zSRSIS_WoA09`8LB*T1oyw4H=?HN0cx`hVIft^cRbo;+^W|JR@g=!|G-(O!O`?H+D` zA(rUqR0+rW?yNxQV|<~lA=SzDY3yD|FoBi*cmm-P;J3J5lf~BuEW#OW2FOd90z-hSKQ}i?^Klf9ut$oJi)nb`R7ZFMt?gq;ULJa z{~}BDk#BeT*BhJUAWLGj(4z|JRd=&QqYnxl*6H0>Gvm4SzxXPv8}o!!>;FmTpd|nA z?>~RqtpBe;|Eyl1#!IYtQx)U+MOB&y*t^XzC-yS600sGtm-=L6z*v^z#ol=Q1*_tQ t%Yizce{Br+AlO*Z9Vbhi_ZY2bprM8uYUtb0{|Nv9|NjgH&yoPb1OPYPoDTp1 delta 37971 zcmV)1K+V7FxB}<60+3D>iS2IPoqdmEyVG9nhqmRU_ne+S4v}Lme}@xDxjTc?;4iCv zy4`Mf@AYf>Z@1gc|GWMARrfF3ue-b5-CgnXFWv1|ulBls0o@hjQToJ;L;9EQgWJk? z?mKy47!nRSCL!y!0PrA3V?t*=a0EFVLWWu}!XFT2n1nrWyVHVEl>FS@cDJ|PZp%jz z3VjrM7_nZ<0U?~Ce;)A2bV|Y&02D=pVJ^W=IFDGb)A0neF?Wc02&dTf$h4#XZUJzc zG~j-6Kec?sJc=VOUr8C{sv#NCP zbZq@}WC3Sqr~7H=)oV8j$E_PQyCc+>17bCm{%AP~g<1|!-zbU#>`4N)9N-19z_>Mq zIOGtAh)QT^e+qFR#@D?3-xkI#pojmh9?rBp@+tQIw~v?rH-(hr&>hjFLgqtDy|WN! 
zB&MF?uNr#me;uEAH;6i!j+<(CcXw|3!6kIuX{9XJbzix=t*<>VpXw>d|A2TmD{f0druRXXo>i+Z-+TBOP z5&FqPJG*eV>;HuIcVGVq5rn(1hI>Ex-Q8{EdE0wGZu@)w{{C>-8lw}-5C-5#u9yH%;TVAkQaD8%QPz6)4DPL=K^-}K`k7$A=#e=a)IQc#4#oAQ4Te7#Awz`8_sERTajZ#T0 zlpm$&NGV*VT6Q=bvySMq1l5x=-E>XY#Uv-`OEgpfI2Sq ze}f2lcr*hrrB0s&*qf=(M`#4&fHN`LFAjn`IAbpW9_bEpI0l%37Xjpm@fTYF1q=a( zxGa7$Iw!nO5knz=p}-|%=yf_b@et7val~9qIzI7OCuWE`;~4v>BO73yXAwnC6bAtg z$Bud@Aqf^pQ0)P`Db>J*?zI|j&aCtSSOi0PDFes(Zf5UC#rK!MDZ=;$T5T6F}-~z`A!P9f<=U1o#GtFAO2EZK4q1a75@-?jXdrDIjA-XmG*-e~)R% zz}thtFLGv{ADo>49}VO2SO^Flf+-HMkA@a4>U4cw+K~;j&NBhtA)zybY~mzvO~>Vn z9vH!ZAvxU!oQh^S5dwr`IXsCpQyP#f$HyJTK_LDD98Dv^qhLeIKC>^9LrIa8l5$8l z#e{n%|Gdx;d$~3R%*O30aOQOef24qV5@K#`$83QpKHrico}xaYQ_Ps$>5E--I94*3 z+=Yk=Ru(@ZA!!)bRlt{0x98< z;c(H(m|{Kyha}|alNQzIgrlD9oHrqNq2XyCatKBw@P)#_fKNg#vJ?yr!lj106)+*7 zLc%44AqvP{aT>XEK>RjAAxPedwl#0b0X2FKXv3J3wosKaeUuVLC^4J>Z*oWEuqnWH zk2nFMzAvWx6o<$c$`t*NH?f$XTOeja+z8B>uMiUWB8_P<6HrHSAPsL9lfMQ%G{&GCihd4psMa2VjA|qzeqpe+fO;e4lN@U{ znSPLsy53|;{A>xchUCC#ftH9x(3L{|y^}BpU;&4dkp~q42a~4U)5=*xv@=xwwhsGhtQ{*UCbM9c^PWUu<_U`?m^V`9x zb9(&Y_*BTe6uCo*TMxV-qmkZ-{Y=SJ=@apEsPxE>c0WG?AC2U)1c&4nZK)+NQ=U%< z(`E&^=1t%&%8~adq4i8wyVzUw;WT=f5)4Z2Uer&FR$T@xjsAu{-sjsfitq9q5>IB1bB?B!6^9 zm@@9rI0PGF>lYG^{?}&fnPpDVy<>ed9rAq^pumRI9pVU4`BP|)I6z~>gq9xb4vYRi za$lJee-57@hZ4daGZvZ7O1V=QkMxu(-^FC^e^rb#qf#{*3GXS5(OM{kA}$J>S4uVS zrC%hdGr1O60M%yz8GvAf0|ao$IDdk^nDL@9*-CheDGBAl>@B2N$kx^~G42M>pK(wk z+yP8aE}w|;>xgQO$_qr5db*G4BOsY&MS;N)rae$*0TftB%nr={QS2FfUmI-720>bV ze5PjDIqsHYf!Q+OQS${%9KrkMZdiwpGvD7~Qv+Cxa&ib!dl0W9pp}zC}X4nUPqm>>!G{ z_?uc?a0M114&}~wf}~_&9Wlp{#|bTJm{l5(r%o0+j0>eUrwmC&C{MjZyZ;69NuLoP z`9(S&Fr)emV-AECAPZhggX#oHBVtLdIV5>mP6_eS^>YMShNGUzoqxKcR~hDT;tY`! 
z5a=V{8BsEIWP=Xj6GR<8fuUT9d}VO6011rpq&(Kd5+v=JU7ybYJTXU5 z(kDnl{u_xE;1H=ptbb(B2BPsVLzv;0#A>b$9cmw;c3UF^xu_-0CsLCy#ZPZNTq*e# zNe3$)M_cCw#gz};Y2(UbCi}?hF+_YOM80028RK8fz_qCab}^5t!G)#2?o76 z2vv!y?E)aqrlTb`hGBO49Bo+Gu$bnRxz>pB$WYi6a{D^B2g+fke z@<_r_NV$GS+JChSvI7N2oy|^X*W&H90`9U&4}8&ww&2I`w%VH5KLc@qNKM+7i3 zMSOz8vD+@AX@kyIj&%mdJkB}dD~-ERn_xpMCW2p6TQUO-g$xUV+oyAzIsC*R+!1;M zU_j()oP`h|v;xCC>UwvOQHOGhPqM9(d~Nm}LMVPhUVqHBCqa(k^b2WwOMYc{GY7Gc zIWQ~M@(Z5;gF~T^wdCJDWidD?+CX1gDd@h|#a#snwpkT67Yjxe+2s|Cxd ze3+Ig)b}y7Kvd4|I?#26eS)&q!Aq7PB7%#o|8 zDVh&(h(JWq2!E>WMnJ}=I7EF}GTRfO>iv_1$SQiJU&(@!d8NK88WKtm2=I_XisjD8 z+IXo_eO2hxl<9$XG?rvnu+HEoJdLM-6D}5aYkxE|z|P<&n-MZqZ7wpK2~$(fs4OUB zeM#Y+;wk3yVVYCIBFG~-`APv^9rnQuLJlyoQRmDSPEm!C8kSm99!3!kLRZBi!sjsTiC7P1kj20uAktxY6S1KZu%;d<; zVSh;MlLS2@$i=cJ#nMJ%%+I zULR3R{DH!*2VSWIv(ux4enC%a1wM?*ZGY}G=z$k64 z=)Z*l3_V1ZXO1anElVTyPBz$L3wI4>ACx87!F@ZivkyY0u=Jdb8iL>V+#vJR=qU7Y+3rOrc zde=;y5vJ%420`Z;MT}GIaYut05i0v+x@3+u%eyv^eYk|7PzK~z2W)p;^*^!gGBTX< z#5y3@mLlkHuuUQH#6Lo=l9+=)tW=s=NC?i@qvJr!WH_<*M~DQFcY6%5Nl#WZBU{UwPvRHGf5s3uvEVpqz%E zJp(5rbHKWlaWGb=j{j-D`Y&BxJ0Z25c3G8ndrOaga{g~zdgMG8Jyg3R0ZVMs)$#6z zbhT0wX;bVMbu(cc1X~~^g{Gtz6u?X!9x%kWfHxt8DKCTsR@y3}E&vx}aY|elgt+1Bj>EE6pN) z|HEP8b7z$31mX~l2t|g8r6pj9z>vhDZ`cdzH5oI2$|d&}U}Q_K+4@vwD{HARaP_~L9N8*u#|IA;3Dn&@_#&Bo=mH4ppQo*L=$i6 zyz4qkrlbVZhkR0cNM+%{;$dRXF)n=R>{pV3lLQwmI(}=PVzJbLkAw*HKS-J-$M$9c zPB3HfP~r9Bg+wFgsNZ(P&QYynXT(R^Y0&|f2>QQK%+W+SbKrqA?Rqd3w9S+A1 zx>aV;4rC0EL+RZmR9mg$$={|i2Zp`_LynU-S|TZ5NhKFp4=^&~TVMjIpBP<;f1s;K zM`f<87qvaK+xd>V8FHNOswi09S%Jn=jHmeT!aWj|a@{dr*ykC%_5N=@STi}KnJWbp z2;l&3(0?qEGv@QLJ5D^mZ_um<+F4Sd9pu1&I%0Kc+y2|CY*{M`uiAz*>gK1AqN<(k z;;S9IRnzC+|Ij0DsF#;tQOfHKsKJ^ht5f5V&ur9-V?K|il_R=F#VyRzt<0waXK(4F zNL8fBD#^-hlu)@GWBx+=mnYj>T}R3N+*q-dl7G#*^&n@1T5<&CYabqXG`-ZIjF4JSRSQYZ7=M?wHI^t{RJ!(s!OZw9?{i_%PHX?` zYGJuP{;TU@X?NF}*uSMFmf`oWt&7>>r%WL$e6P^TGUc8|HB0IE?PzBY#c34^+GFZx z|I!MY96Y^BvqjXjMS)gpYio6F0d-A~_942OZ0olPk_T6*?`h@W<&GYb)jw-OFMph0 zh-NcAqDY-ZR&*(8P~MC)(cMhPDEc!-ER9g14(xhhXLs)m>vvuhix=H#&V@K>*Z@&? 
zdESGZyrbnhxEN`-F{5ndPO=8i345CFe^GFJox6iIQQGTiNydw(84EZTB)a}&i zl!SS?)zXK@ns2pCQsZjwV*)Y)=YMvw6tD{}gzP>E#}qLJI29|B2QUN5wL#yE49Q*b zL`~nt0mfXfVNZ#V0@v0GWR)#T7fAeNJVGh*^rE4i>y!$U-UQTL)fV_v zPSDJCBY6%exHA#0B-B_4_S~||DtB;CtUy^GC`zW%(Lj+&f!W9-3w*@5xqoFY(AZ2} z3WQ#G{7IeRTl3->z$1V@33kUasDTW;z|5K}ke6qN;n+Gj`+ToSrs>ir(w_%%04YkM zIM@UHf~8R%(lZcQMIABdvulbuq8O^}cfDky@UBEivHeH{8W z=E^%3PZ8S!cSw7-%QD(IReuc_mVWNUIQ=OiD?}1xWt=E=nCr=FBX{aV%Y*|^ZOX+w zp_z=}ApRDOGL!*k$Em8J5nvN}zzqW?5jGFJ>8qsR3GHtVY>q*u(+TQ{<-rEZzncFI@r1yilyXd>@B zBYAr6AqFT^H6~Drb|o-h$a88{ZXh8X%Bn2&U62i$+mxcFzJD(u1z>UqK!QY+;}P~C zm%6$A)7Kie}~24ysy`4i?(E%r9BN(|byC zR62vfX|l`=XGSyA{v=ZX?G9@tvtg_R(Uc=LU&LqXa-izd;X%@+q(9<~eUTMrx_60g z&7IIw%(x6V5r3pWvXXg_l;+#;f9J2MhiW^^fMcQ&OEps5vZktw&3)qBK46 z%{ZJ3S*inQ0fo2m-v--Vtwm_z&`)}B87l>4h>SB&s(;)r>5`+WHS)=+yz}c3iU{kZ zly=PO|4fN7Gt??DMdorylid65Q4z z5k5}gIDai9wIkXC(fHcBUU?nB@n;SHP5blbG}K?aG&EluxZwWY(X+9A4?5u0UbhSW z3vAm>jfBRvJ+)s2iB4#l4j8&cRGI{Zc8*mvm*jh4k|y;sq4Dk8qJk%z_9DNJf+`;4 za3&xKT0B<_eShB;r6(k&8*J0f^&p-~|C+2_A%8_^alksbR*>3^mW(23ILJxlC@}E^ zyY7$KXr{0Bb_#*{azR0r?PeXG&kE0XBn7AKps%m9==o7E>h36s5erd}jMTLmsb>OY zICesGXXcu7i=hKe*dn1WD2tbD@GM;&1=`X0+E0RWs8;~|86&|R?ZNTs@!=KlT^~wQ z9)CC(NV0E%!-K&w`0bbDa{)kKdvhm{CBUweKs6gl^)2w?@Z$XZ`0(n*Cb-H~wh*~y z_@7p_O>lfVI0jvCe10S_5MQr{GmaSe`SRkd0tk>t3seR-l(>h43)b0qVP<^y#TH0@ zY>OX;xGy%_2`#2sdRZ1u>y3C~CatLL(|?1v$EWSw$BYze+p4I+x1DJq?PFCl?+)I- zJFahLfd5%&Mvy?lZ5ws0ChCa{ERwspUm_`_<7Ii0k2=P+98#S$tV*d>8)O2T=vT(j z+<$j{{6GDR%d6wd>!Xvw!Q0d0>!ahJ58j_%U7sCaU7j2c44F*$6``rMTREudxqnV+ z1i%%Dm|}E2P!lz=L?6jV*INNjwHAgd%fhDC6l*Lb^@b7M?}9m?xC5`*gO~5Z%lF|` zJMoIWH~>Z4z_)^%n6YxYO1rC~{0vT|ZCRPfE%UL=SWlvVKT<4E%mY8P} z0T~1rFg7$xUas0tLRZgqF$wQkEdto8Y`1MmpAAJiV% zlJF+j1Gv9m2rFraS{ya)5|+gbg|c~rWk@*KK!1V_m3%Ktd4CgquMOPI^h0|SNC;O1 zjCBZ{Br@NKP^%!Iai|AC$u`ix7+k%(JRV#h9G#tV8$#`AV)~$+3gx9ftt1QxyyEoAzhdha6gG_(@d1BsThe8+?%=p!Qw^$MKOz ze6*P%VI={oaDTGsDbKO0$@47{rj{Op2%5u^L)^r|PUHN1HGb-<*QRTtT;sW*T^t>U zPJ!caJ_8OGzmRnBdh_BO-6Hy;8I2ru%vDJ%`PGogLE-J2cK=;EHihA813j%^=z|R- 
z0Wwa7Mh0wx4Ker1%VeBGH?_EM9CaMLz>%|})f;K#2Y)H+0>{w<0UQTJ?9Tu=jtpYk z_!!uEFR7}rFIsP886V_iVKENA=G58(67fKlH3jU>L=Bb>A@Ck$VAP$V0S-NsbD_q} zn8^$N%*tOR*1@fFQmb;pDu>&cGvk+Uf=k=sRtvM4^^)Zz zaUpA)uzzsvgp$T1Lxx7Xzt0H1^NXY7>yv&?+=awPtl><~3Ng&ll>OfQ!(|-un7PpR zsZclMJN@Iny;(q^e{p%0Lt>fcS%f^ve6l@r-QvET1e9q!_M1jgz@zdt+K6XSTrSL( zfNGaZD9sA?ynn6-062~$#`A<4-_T4~TqeI~Sbxn9z*oy|NiLu%oB zF-NRC#^Fid_^6x2!fvt;`%Sva>-h3KR^o_>&!5FYMCD$61BX8P1k7}^o%&p?ua0y###uhW=6=F_y-fb9SABrLJLv+s7@uDksW z4Rdp4CbyF-A<``jun##>*oc}=p|~E)J4izuj+skUysRrYPWefx$VuJjhWH;8d`!Y) zN(p74_oe{&HYvm0+dNg0VPtKv;bV`3wtw23w5?IE;c1P6T zA9Rynq!+YUciVq$gZ6cMiBA2RxPQH+Ay1Xvpb~5K*)_!#WEe$m)`d>_7>ZT7R5qtt zKx=}6smmrENr;*%nozP%u{|6Lj6Bt5MmH%huS2mq!&$b5Nw`}|E_Iv1+`S^9He0J5 zoQa3&S{F1`0_a;WTVftXv~8N9$sRDjT}a7r@Ei;567QudQ^jO4$Mv`6aU_fInjx;1NbXfKj9p$F_b$ zYLd(HTugN_FBlji4+^GaWPgf)HLcZo2S$O<6%Y=VRLP#w7B`0R^V`) zD<$5Di9L{#Bg3nzA0R7f^ji(VU}U65u?uf1YB)L3Q8t8llmk}aoX!udCzvN&EKe8N z?KwPXz|>S+fVqxTmVbg1$q-4O^$lZbQ>bA&>nc%>^^(0~tyyu+jKU4H(4RnA*L9n=vd~OQxVDJYM*S43 z;*&+7sv2&I;GHM(tN@ptTrkV#;}H=*C;vP$jYx<>o_~x*-dfs#_7>PgnM(lMT7J7N zc4y|p@&YoYg_vSy8U%JQsdR4GQJW;m3r6d*&A-`2Zh|i$#Gx+`-tJ~6PsTS(EtE;` zHuFUjb*^X@NGkP!RP<636`Hf8trgQDBTU33*T|Qg6nz1I#)Mm2X-*;%kn!wSA%n7b znVhH#3V-+2v1&%tuZ~qy`MwCNF1{8xi|K`v~%dtfJlHHu5%< zFMy&k`t&mneb9F3-~aCa_4yYzfjhfp4}8Rt$B_><#LTwL zH-E}iKsIxKznKILO5-(R>1@t8CE-}+5)j=~+3Gm~@Rne|NNonNSWhBK{8&0g+u6X} z)?aZrB1s4VpLopGRLEvTWSt4Qb2#b9%=7Z(#L=xdq7}y~Svah(SmRcNunOPNq|GEEzFYBg`~2KBFtTIq%xSj=B7G38SvOkp z?WM9nt|eloTqjmoLd_$wBzWZ-l^oNiY$R7Gpst8HyNX|2h)RDTVJ_WvuR zO<5N<3u|+36jYKcy;hrEmao=nid|x2gi5T#v57Jorm;hrJA>1}tku(5#y_?~F-X_u zO2weOT?WP|L= zpDCG2&a{v0tO-}LcBXA49qYXT@-`oxfp!~gq`ncZn5w$erm=ilZ+|k{u2ggt-WlES z7EhGwv%+T}YmZalU;Myc6s4LKM%o82 z9ETweeqcYaH_t_J6Mq<5-B5I;uT{bt>F8VU3;_$2Xd;CB0%3qd#%b&&>3Rg!pqZ6Q zy4Hx|3R0EZ2ULo`RMzUZvW{b3HgvSCXxLKN5++`NxAf&S6}j15qiJ@Zy@`Ea7S#1C zF0qReYOdVh*Wcz(2l8!<1K&h^RUVOJe2YQ=m8hLNemPpG!G9}V5$BFb4wNM!z#f z2>gTKP

tLMfet?+{Ntn&nMqZ7EkHICtb~*Og>5qJAwjvkHKdnI%U}NT2KoilyfU z%`#i2%*r5N%76Pe{9^bI@gY$fO`lCMJ(@{N8H24{wo*7{B3KJqif%EwlQI>B98;}q zk&%+l(#9ig>&CMDT=w9L4Cq=i(wU|H4cGwc0;z>emP4!$Z|s#eFP4+_`&Nu!dgiLC zNQj`)2+zO>)6~&WW?+@~^`S}kpt*}sT~ez_ateuMI)4a2NJ7UXhiJfZzoMDo3o-CE z$ECJ;i}ALze7MstZaU|3Vy3->mu?gf>h6p7ZGYQaM44D5r5#TH)TOdqW*1$NK3BFe z0+uF+N2Q9F=+GPElvK5LXBbBCte$jb9C8qU!T}a);wTQ)$&rjQ>|q}X^5^XZNn; ztoj~g#7#~{RUJK-ma^K(sjm9!`P^DsASnf6zQ<})7BH$Y#p4M#tB;J@Zqsiu9>||L zB%Ugb=K6eimRwbI`cO4R7vRr)BUQ#riyzXRsDCvaMrv>5ht$F)caWn;bu-(Y+*x9y zHWmfEDrV7EaI1@pF^oA{dN8LLK-q~~I#BjnTQ^p^Z#Bb_S+!;Ko&2zv*gUHzy?7@i zL*WcT7Xg*03!AnScuU6S(ZH zz<;tz#gbtqXBU>B@)jRKj%0!kE+a^?hlk%W6PNa9b+WB2xMM>(mxnqB)QY8@-CDG? zz$^6x_>Q@yvQKk3rh+4)+$6Wzp{`uzSYJ&jiN_NlgPMq4M+j746QSoTUpHl^P92u? z39!oS+~^qCgg8-$zz;tIOSY^Asc!dyM}Nl&hTD&Y;r42dn;#l{rZ^%+5|kV~U*`SR z^5a5OKI&7d=7VE)gZ`!yzm} zD8?a2qc~uwDW&WhPf04>^{+uB9mlaDflTQN;v~W4ba2S(PZorvRD&YMeSiGxFl>3l zKRvi%9gP@=WB2Aqd5@_PFO*fwGRB%}%TVnh)9LcO(SrZ-1=@%4C zlK^*^fmiOUzq+jhaHmqJpzoT z&=$CxU~iH}T7sdS2)h0G{=N->a-xYTa$8pu%rsh<*=@_PRPx5znT)}VL&jywi;<2S zTZsd>zfVGINytJ~woM~;Ssa4@eC56p^E3{)zC0!~NYN4W)K#DniGM@CZFV{@Uta0$ z(UjaGUn%g?6-i}ge!;*Lhj-_Y`=F8vz z@BJSy@9&?t!A6EW_B}r9XjQV$d~RDX)}v)BdFn`y-&QoXI?6;8Pa&O^#8X>7!r5~J z%&xsLKOouW`~Yrq(tq6)&)Q{MDMD@C--ZD%%Y#|j0GExSRu$UHx)f-IP^%lkOo+32 zk=7~$t>uENl?1R_5POqrtYI&7@fGzZ1MR`RO1l6yjQqwSP6AmXsx!qoQJNo5)!MA> zbRntUin?C`_rZi{5O-}Zr}p!K&YDJQs|(box>r8>bBIzOwSTRWDi)`k9?Go1iAAkm z>gqq;?A@|*lT`V!p8hMjHCAn`YF0nLKPsL17GBu=f$uU?nGM81XqH`I3rIfBL_-M2?x!P*! 
znf++ig>5;R#`7NLgq?B=zQt@=Vd{ z=~9GPNvwDI?2q~mO)ZJ+)8s}(%DE(#xswRZOU5~G3V-DJW+lOLC7mYi&4FGCqd}IJ z=DRg*?7BmMO-LO0GNL~W3y!#R1p0A_udE&;LYq^#0XZAmS91MJE|jS()uyvUWM*n@ z2UVGpzR93Y6-i+8B+1?0YuFDnTRffkS}iIn4fYv~s^ZJr$lEm!&r0V{woC%N%v_LR z;fi`?tbd#{Wn^luim45;qzTwZ{sX9HKpZxpo?UhU;+0oxKs!_Mafn!$IjWT@jI3EB z)5z;f5Sew)#;D#%A|TXJmr$_b{)_{}+;;&Pg7!%K-N|uwd$YXM_NVg_QPa`gS@p!O zAevq#7Nl5So;RaK$!cASs<9a^GN8JSJ(Lz<_1EQSnnjKx=;IJE1|mv^$&K$hdlX%# zFRC1>8VXSdd@+1ix*DbmuB%T<&?n@9Xnc*C06Wvk1m~nvw=Xg~K4|+x@!?HHMXOPD z^M5&w382T72Z^h5=ADNqKRggZ#pE$$ED$fNn&JUFL`fn>#)2C(n^RT=Ix(pYRbEfv zOzixMjglIE&Uk7)n5++?k{FXmq*Oa4)zXwooi;KFL9L*jwiPxTS+fPe@4y*>4vBcj z)Ueb0O{0#RNGRlkKfsqSx=Km$Y|%La@PCj@BOD-kSJp%%1vunHXtvT%7fcajaE!L( z;CZ6p2;#D|Yc<&}lT$AZEE_|v@WtF)Pu`Wz{%j*|;KL}h#-1TQA$~?`J-n5OMJtBL zW!&cqh(Zq{F}Gf}i_}bAY5yL!t)h+{(ASjBF93fJKOCICKOTS&2d5`T2UjN-=YPGw zhw=c=RIwaY>$xc(>5Pm(-?}IYPDVhCk{i?X$^f6BP&(lH(os1?>K!2RjsZiQOP(AN zD(f!5cGVnV=`*%OlDHX>w2{P2G|^`4QZWrSH>*E0L~jw@RFQU51ba#Mw}4ens(ODT zG4Nn0ATq?kknjokXo`Q7cz(3%e18Nw1P~KKlH;jPgxyyW0*oUw1aXM}j8WoLqRD~4 z>Cr)7RXHP6Xh0((K$>W~cXxO8ewxs+48YsbPSG70^NAzzneb`waK7jd`c{s9<&Twa z3(RXy$RZ3NCu_xEM=a9&Z+*$pSR{wg(;o_>m)6+=Ryj$<3XE}~Yd8di`hSQ@mKNVQ z0e6Jn)C@*8Sh^Yq5_%}&V&4*APsS*A81iC@`OMMpo*7>+9FEmHEVDj6+{Y^-zG+Og zRk|GH%QScO>N?$ajl1?c%<~?mOFA!WN)^jKkU-j7v4%LQ-;FBTUxY^g^=8|B?R2-m ze{Q?`3(=~KLK(|ruBHFGaDM}(j+ze=5Lc%I;DF!6LLvT4=h7BnL|xn%BJd%9cD;zC z-~p?Y6t<$85f#PL^5kZ8PH@UI%)a-IGa%^ttshX;!c z@#J2Qk5Y!ADm;n zKL2}nXZzJ&F8}-9&VSzPb^iCKc$8zc+@yRH7VXXK+E{Ma-c%X0jf&F)x7)279QwV~ zoY|Tp4t>a>%(G{bNv1}aD$^vmzt5gqv~;d8dC~TBNdVzOrghg!y7W2|)GFu^=v5k~e&C0q5 z+Nck{0FCHQ{yNh<9+O?kLGEcwunui@gJxS+C^O?fElJu4ybNvlT*aVbA-qAJa(8&6 zB4p~!9&66J*De^?gZC) zpgu5X{oj7Izki=y|97@uy?V7?|DWQqHmX$$fEaz(@4T#D+>b3+f!qRK>P4{msLOY` z|G|14pR%PUObpB`k zm>#PB&DH<*c6JN;-}YMndy=Pt{^!f9hz<%lokawP+)*B9QYrY%CR^;!K>Xhw|MT8b z4>N9QIjykVeeaRYI=1KES{p3Y2J7^|S~gI_FSWxV4k4W#C3>Y+<08l>Tj2R{#+6G- z62@I-@L*8i!Tr5N?zw3masA;781B7Bp=T!pFW2biE3{4c`FSStUuE9Zj+zkcS)|L%6){=dJ!v$p>~$y0JrZSHjEy(-OnFJ_!f&$N?o 
zJ2QW~``h{b|L)$-TK+%9lM|15*>YI z-0!x!RRq^$sbCTE1VQ*L(#0xT5(Pj$Sn>w?v%W(6ltBM23}EOXYHj`Ug#)YDNnfw* znRm6wl~vCWQ-)3JNvb-U4JVvO7K^EX?v#J`z)#yh?&}vS26A7%&Xs2+E?^3=5fRX_9fDVQA4KB5%@;~c#`rs8{p8wD5{hhr2zw>Hs|9z4tCn~dE#MUaH z#QwScIkPfUsr1!u$x_2#e*IW)4r(QSMErpz!vL^ERj+dKn zxdS*Hk~ox?+C!xB z1=^%fbEmNYqmcJ>Vw9E*p>BqKiURCmo{S+g7^dA2Pcrmr2Z}qr#-I}$)b>ucnVgEU zEZLS}t?k!YRMN$hBIvhD@td!_+6;dhQ8Gn*f?@`kM`48K@Moeae03w;BR-|;fAP-E zquT$9=Re);_4)79Jh>@kU1!T}{j#^9>+WQ^slLz`qC*wbI>UOwf2;+c;#(Y`G4f4{ zETAv=Bs-%Qp0UZkFmF`Yq2y;I#*lFoa&-;rFo1ZPe3ds;k1$P(Q}PewapZrCHxt6R z)(=w*#LJWZVfID;PBBJCY8#bFO@x6(E3QxELz?!MY>0We|`-m1Wfh3p~>W|xG> zdq!-=IGP$#d_(6y=}IX&{osEM;5_;N`gP&_=XG~~E&re5S>pUB<&I0i9Tld+DG4zr z6o+HiBNP!S3pIili@=jnz*!cpa;0Bjh#Zi43)vOj(k2l9VU{FKUnvF}>V z)j#>nlm9zAdHKJ)v$wsL|4;GcWQP@wBGuwANq{Q%0*x{nt!;geq53PSR_t1K6DPza zjIh>>!S7b+hV~yiZLLmNCBEkOb{Lsrw}=j9k(i-eO^H^j1TQeI|8Da3TYD$G6u2T|22lQ!nQALelIhmH)~r$X2xl zm}~!ko%jFR-QQo6e?J)lT||?bKRf|#lh;2V2!AIp|My?LT9f`iHV^)*{q_F;NuDLn z|1@`;X_G@hQ39{7w=7ym4xrOv_FbEXJ&IIUVRCgHnT3yRkpN=tDbQ-yg8L!zgmIsTVvl zjYuf33rOeof;&uxfI+g_m&TFEN8eoXHsn{_;na5@mSNh^GinhBe_Fjvo-cNbb%LND zAjYJ7r@}b12-_3N?$+b3kR{hAOm}os*38J9*EHQjizmoj{aAQ{{AgeJm_JEME``)H zPDK3E`l(aq@l^}2TR0sN)$lmO^_c4h@M*qUqaKfUMo>nRij;0>N3M) z=Nz2EG3v)bpp5vMf18TTR9GnNDLNYA5c8Qu6aA*~exOvWlsA$IELX}-pEFtKGWaBH zBu29qNnHiY(3L(*aOAV73PlTMpCX311g5yS4cc-^sX~9dYflHsYaBlch8ElhVi^)2 zHAYbsZiJ%^RUxQvo8QP(dkw4Hpqb_;*1VD`U)AAx8@B@Vf8t#}`|S$nMy9cb^P_1; zI0+EV%RKAl3cF!9_3&PBM5j2E;NDT_p+2Hm-bW&#Z+E4xSY|D62yh-=#=Y)PbufQj zQD_C30*b(7icEcDa3D?C?Z&pf!N#_2+uC?zZk&m2CmY+gZQINFiQlQcD40bS?m`gyu6-i=2 zQ%dGrE|*Ov%LfR_qZ1Ba5<===-cU0rR9u+K4Dsc<-4dw&C5R+U%B@?Qkf!Rqb;DSX z$E(@+PuLh1QjKYb*Hw`&NSpy2r50JzAE_9z2XR3xAD}iZe;js`_vR1D_6g}p-dz=@Ba9LOsP(+hAQ;1 z+ZSCYJg>tt)iSYOTy+CUQgA&K zlEbpoWJivdZ#KLfaIr+@>Fk;QjYN*)*L`Q^ivX=7eecHy|MC9{P9T)1wGw1-!+j^N zE9-_kD<(jzx`4r;To60DXs^w>YYWVv&W)5M0|wZl}Mj8xB5DI83w(C_?#j)I9~RepN)9F750 zq;Jz;78t8lhm%a7s+B5Q2Ma|Bvf8M)9j#DVTU|>Qm{WZpU#=(a;NDf-UJaUHG1b|& z9yCRAIb>IH8Dg2-(R75-Jb9EI?fd*^H(1AD 
zea>Lzq-e+|A|1oL5#gZ~gAFS&Du@&q4i{^7ewZ@QEZbRJ@5TKY-M9XRsTcLJo=|=p zP@nL{-)p|wJ}BzU;PgoS1$`nb;Rj}evsRdi$M+>ScW4bGv8e`_T0C6cd7rN4&ycW+ zuco7`W8~?_*KIg7an^2ePYiUw*niyuo}Rk%V;OGV7u>%#EheRrJzbscT@(SSLvSa>*Z+`0yYj|vKiNLBLmQ`OV-(a|)Ly`XLpr&8%4_dbeZi;&B>M&zl| zQYq<|S_RQKr)T4k0{e#a5vGb4MDUQ^db)&qpI(mIi|=KPa@%-k6Ri_UCJD^%ohZqs z&>tBvuNH(s>(yWUPU*w!mr#JD?7=-Pl4BYn{r*tTSSy?YNnsnQDw?4h>E-?Gs|Uh` zO0T(mm2O;rpOjmip9?nKj}PvYiI31V!K!nxXdJ8Rn=6wP`*4rQAj}mQL)6LVb}Zjg z2W@O^OlYqp)Oo+Bq^TdM=cVTEE2KK$N6+gx{h`UKI3X&}EDahrkpblAL4CHb@#*eb zPv}iP4o!A{>ix6ew@2;{sP*)fegEpy{o8=%;^AeD;(+I|4ftAii;x1nwtMR)a*mY> z?G?RD#H!bnVF4loeWYjxfiEDJDC-X3>e9ts4b6+2Njag*3*k%;eb;e9P|b02^Kw_~ z&v1&=K){69oT?rM0G+NhM?9@j#Za54UBA?{p8=+`u{(xR6NuE3GaFO8vxZ703<@a& z4>!(Cs(<8K<|AB{D=iB8dRB%v5JsM``dZGNoy;&02=p_uiHKm;YCVR~*SKX#Qy5k@ zW=9Q6F=H5S4>{6}Lkb?K5S6m?P(BurC+8Dxjj7b-KZ?1c0d<-Po2s&zu0EAJ1yuIJ zi^b8^f1jmt%pS8J6%*QD8uf zu2N9g(kIjfvREy+F(zd6B6&|I{+rCLXsR` zXnTatAM`t_ETgT!-FO1axy-Zqg!+WjOyk=njfK|y+?4~mt;WZIeVJNCz5=TQo9Yr{ z4gEWs{}oPB1n~qX5wvrk8+>|rZ3uAkJ=^oP0Q_9t++Q3n`!>PmF&&>o+vnRyxgUDm zWwY+-4J~<9BN37+=r?_8<6~LyRftv5(}A2A5nF?=Vl9<38^)0%#9{s91fvL}yMwQ{ zVlT>bhh>4AZp?ux7Sgt})0{hL{dHqociZnb4?8b6Pv?96wTh+Hrw>1))^rOvTF=SY zf#{8hjD}2n=}}@Spw^n_#~s=}GRe?OB0NpBCyQ9!N}j@rTnc(Cs-2|b2?|VuhRLpJ z=6D*?mrITNn{rJrl`kj@a#S@_KJ*LAPDeE}XY%?^;e5CNI?K z$t*^4wCUolnM4{BBBMhUEPxcfM{89r=sc2+DiaD@ZOdcCKYZ+pwKjxN+{avi3f`zlkTCuH%2r-Il|&|#Trqxy>5&TJ1Q@w0;#`24 zD&kU|$|*BgQ8JtcW2s{$pNab7GdR5yH|tePe%x>x7lF30!^aE1&vyQ!iCi-@1YXs| z``@lFqm~AVJv;aI-g_PfJ$Jwms5e1#cngD5e?XE-MTOF0K$5eqhU_po<)S9moa{;B zVvM&pLDn}Er17u~`J?8|K*!dV1^<)Hg_(n8?rPs4xaKV(rFE?K+evcaO8hXtlja9X zr}DhBDPPa8$mCa%KKP4 zWTu3w>cA|v2=RIdkxKB@ASyn0gFWZ2K%}nx6Mcp5K3Ro23NskZtCby$%SgUZpO{8P z+6GBlF=)IXQ)p%dTK4NFyPgm9cO2tzuNnTC>_`HH5Mz56?r-eYzFOM*w*JCepe(U1 z#7A-{MMaKCe^@{~vz+dF z9(Xolr!Q*ye!S?@U)wJ=cUQP+b=S4+#*J0u?d0e&G<;Q!KmMoo@hKn88k>BA6lCx{It1i&TIS2a;p$(q`6 zyOkZRvp%0E!AM*9yC0Hj`0YUhQy~s@c+`PtDhl*w+OU%3ZV=OUGuCjtDG~g~om6Y% zrZDyZ1C&@wd4g3C)^A?QZ#f%**(d_lh?LIKJjv>#B*jL~$(dY<_Ff(|Wc5cMU&^ZP 
zLemUIr_MrWAn;R5+9OpR^{+yJW9PRzR`FPf3cV#zi~q=HLN7}1$!|JrAuQO*f7i@u z!lqQ#r1Mjyvny9Vvxx+_);gZDW3oT3KJPz1%Dq0S-!JPwWjR35t-EuuWT5*{AD5m- zWP`6g0>SQz5~Stv1fYxr*otqLDUK*KBEd4M6)rY`R!pVhbY|PVb;K{4?O*bCe5jPK&mhv(W5Xnh^+>Q9aW}@v zTUU%@#IiIc+c#jhIeI@xuvHX=5FA6ChOKW_6aaxRK0x7yNqALKV&QJ#ZXwj|=;r0E z>R!N5!oNYWP=MaIQ|6Hrr37vRkc@(l{}5r%=q&=$^^q^Pkds?)34k&Q$;XWe{V1yC zz0Wm|K+Pvdp%RN@ffLEegECYzf*OCj=X*dxzcL%hc*3)?8pwQtf(j2vcS3|p5Q<1T zYdZx~iL9UAYA`<2zZ>2JVpTD~2J05EtG)#U291wCyEfUiI@HFx+;KYa%*^DSAW~|9 z1lFx=yuxYvg3Wj7)&>wa$SoG|CvX-xDqoRr-bCZwTp(Wl-|pPt!H@_0ztxX&?S2Vi z>%q2*Lzyb|`N2pdL5bj%1TTA#-5Ha6;t*aDq5P1uP_RjI(NxGx1S9}{!@xj8Y$qjB zFeDbng1?Yb1K4RK_T|`qAk3iMlokt8w=C;`(U8#qce}vl z#YKZ)y4+ll5UXEn!4x+JrQ@C=_bw0R-9d8fy>sdl1X@@*?RJRJ1ZN(_d-9CM-8P@S zys%K9`3?v8rQrw&JSc#Sk`03k9k2a-Hi#{^Q%S~FWOTfclR7KRkBvf|8%xIGZ<`=?*x$G%{@EfZODRl zdAr8r^@gFmO#Y}D>!3;aNh{yzUUe@nCM;^lQ}O4R_QpIke9ZxKzG@VRB&sO`it?ow ztwojA4>)!0-nGw^=d;i9_xH@Vmu>HRkIpYFPleNjR@`S2)6Q4I&^I-N z`6!XxzWz_BPq}iP7Q^%5U)=U|u@ZM0W+6Ai4zIKjPwAX5H!sG!fxelJpzk^i+v=B2 zdgWlPKibfBsv&@5Y*nF>eliut7?nC@b_o(KMYzf$gPX|=G@{WB@F*P^xhOBvQK;D= zb}jwFer@YTVws)h=jDoQW}CwR7EZMQz>p*EcR2q4TWXnQBxpyyI!> z&L+K_N}F%1Qdz%fp{nECKto!iCX;X>tk0{*aqteCT6=(+#RoPN9(4&7C9*Rek9M&= z-CWs-2&zV!IZL_#MWK}+$dMCc&V`z^^M8^`#^)BqK^GD{1N@(hl|OajPARh8U$(bw zIf_3oZ0)Wp@4JiLFlW!>Utwbk7Y^_=OZiivJ_5^h_2w0F2M^W_T0v9ncFIp}tr~4A zn<^KZ04<>LVq3;)KK_1oA}jghNM4a~a6eYDVU7Lp7}(sr*v$BNv~=xmU;1KsyFQxlzD4%`!_1-d z#os1zukZ0d66wB&545O|uV7bANB>LH9RAsO;txbHrh=f3rGx%JCWZyYCuu$)M5uzw zP+ahUL_81$B|?Pi8BT26U^*mtHVE<=C-_MC{TG;w7;Pc_F!rfiuSo#K6}}>m_H~xC z?sQ(&TktqR+?6{k94}TnJNR7ofaDhpmzwAqon^9WMfve5NNCr(B2kk+rgRf?_0PI5 z{S)XG*PSuEx0(3!S^aQ(^vUzu{(AOhKNnLOur0cAKWlUJTPJG)H%j+bEKJ$C*_8qQ_ZfI$B8$U06mve)~3 zl{T1?sD~-V^kIB3hu@)Pa7?MLn|UD!G;6|^CgP8jVJHdn;mZXB7re&X&-=4?jdjnU z=g-qckFVeUcA|v}{^PYF0Y!@uvZaOB!;?KhLW>sEu_nPqiwwy85RgczTpErc;zMOd z%~^8#?rgG(=-Y+ld>|@J^;G3!!(mgl7wdoxZpe+Mn(&kYT^>UuAPp}sEFVTR-T+dW ztlDLQW+(}5p3xTy0xd03S@8H`AYsrgxxNn09}dc#kS`_-!hHX!^xZR4e#pUm{`^*O 
zA~1f00{ZRai&I-f1)0}P|Hm2^Lb)E?MW?bk-8NjmCx9561eqltVeIfHdM)}|ln<$A z1B`g!nj~CsEoXG3Zw~}M^%E!S3Nx0bYK95v+JG>@BLJjb2#JPW8O^OaA3Qx!#dBa_ zABHw+M<4u#XxhBU>~6wejMKPmTDRfK`2-P7+%T#&B(-F9*zZIS;m_-pjf6s!KxdXW zju}S(WfosyE-o`yEZZn!U$F}oc@26{l$-m(Q>wGCUQhx`pMH+MR5DB%P3IjfPjkHSIx}`Rbos_` zH>5`X{T&7jr8;oGYEIT%nK;;!Ey~!FSb~(5(+Qv~O>4M)RU<~E9`^9@j_|f5o%fd2 zX-FPog(UpX7?FtSy0+lvur|cn>XEW^VUjbg=c>F@L zz|f&zS9RZg03{+QU(wvE3<33bgDrUuqaHIN0-*y&-wJ;h-%0*9&R7tQ1&~eJK$Y`C z33cIWeSz)kdeoDAW`P-ZNRj!x!q*C$;O)m-2rtzs2zv5yMx|hHl0HTXC+w0y?}7vK zcdw9Xtn1oi#+q+LTIc<{EmDK154-lAfVg+|*Monzi@iK)2!}o}|BP!D(wi)lPDmRo zBu#m>1-9qE8s){wMB6G3&8;ykNHY)^=Wq0+pWhQK_U5LtJU%;m^@u#}IA0n!BKiWF zAjdVv_}#!w2rhWQR{{r^P4EpZw4mbeZwtQO;{XnJCg?T$;_n@J>Y0n+;{3;mmGkX$)${eR$)Ui&`IEpKR`;kB zkH>13!JT0Hk9XD3!$ixHlovopQSVu&f+8x6xSewT^H;Z%loO))bY3})ruNm3S z^fzRX2sUJk(Ak6kxLE9TNj0Hz)B;af?*vOR%UOCT(9YCY*jC&C_vjZBNgNg!enSpC z`?%Co{;};ds&WeE=AchFP0Ne}4bEOe9v=?e`rD58Vbn-yhr0 z2NAq+7NLj$sR1{FcOZO(^82J3KY4?Pfu67vUmQb^}RO`AbwRZ>p(O zHgwAINPpB;zwi_`%ugPxV`7!44GR1?69gQ~@bkq$McIdpk$jW|8@DMlCGTsce;!4{ zp!`r=&Q(+Gp*4!K=^aXc#Mo^0V&70xy%^=rzE<-On+Jv+7MkbdgAp_ofhz6Sy?oTQCLCr$aAZ1tvBAL#5TywccJoS7VkYWwTTUQYIBX-|+q{972 zvEnr9(yeR45|_;8`yyy|c>7CAX4)F5YxP2U9=wW-XMN1eA31*Kh zvIlnwxv8g&N5hN;H|I?lwqM@yN?xQ_8u6Uik_ts7jQi%Ym%1H00vSM|0<;z^E`})_4?~l8uhMtn~(f0JDJVVp6PV4zrGL0Y!Sw2xfW)flN2*gpKKhwXhR@i&BACTZ7Hw zSbtPM#_{!r-;3XnIA*(|venob-ZdbfgVW{9LgFu;g$?{-hkGVdS)LCd0gnZ@S2!8b zcZ9L`$m#U5iBJbhv=rYTAi6&bWK%+~-eu}+RUp}B}Ai?c_fu#W$N zZ8H(H9e?UKeZ9=DAMg)Y;SfILc8W|y6o`7^obhdOLBoCdZL$;4WE1b=Iu)Mi zWO_MI@KY!cPRJ-a-)Rj?a|Xxr0X;25(K1W8))U?)gjdR5CmtP6G0BKptzVyz5#*{z zi}h-$(d?PoYinnEn0yrWz&dVz7w;{NT+1I_gY&nP)^{emuSf(Qo%i$&k29v+@aY3$ z;C37^*b(oMGEVs$j=NJtX+fqvuG6^O?2dDlC$C#!=etqk_fn(7c#XqDnWD{iom{;9 zs&0#s8)Ft{{seb1Z_;?>mFZ63UWe@+4tR^4@b5ZJ)QA63KH5P$9ll(P3GRYfgwL+( z3nvRKrAbH5QY!_VR1yUO6Wvd3^(>Cpl{V9t?H7hq$aalySWK?dG`5P5Tl(6-*hMSQ zQQ$LnAQt=}{VBw;ZqFm^y@f=O{4D(xQl$nHs``XYPl9&d54M6YZ|2|7h126H7sc#0 z6N9_>zs3?LZt_UUR!{+q>oA*9NP$1%Y<)-ZJE2uW3J`!-AkFHId4CD!Q%|l0^6hT5 
zZW)FHw?#O&Qea=I<*K{M*Va5O_U%v7b!)`M_(O`2>9SjTR=Dg`r1eDNEL11u?H-Hz z68)zPMVu<(8GJ9dA``Hj$pYNn1Vo;fZ6|$)D94j1Tz=CQixQK$1JGs+;u|d#@;~Um zky0%az2N~7cac>*k{^WhusWF}uROlwv(FjKjpVlHkQZbN}boOc`(md<}|DfkE$>n;pC#!83j@EE09Wj zzlpXdSD$#hdryQlp5MZZs&9;3rIY-wX=j^8sSg2oaYrfp5Ge zL5&Jw1vW2T1RDDV!5u#(x@)G|yiLU!)yj!mW-$tMbWd9HP$b=)Qr1Gd&Dh{Bh_6n5 zJTnc=n!d{CB*~V7=3tA0hW$&#bS`ug!-@S-4zdJRgu7cWZb^ANbXrblA}!3FLnfT) zO$?CWy{M~x9=g!Xx|>1$!Acr`H711;KrSQVFTW|5k8|%cG>7Df-CjMANeYxIJJ!s% z>Jc+Cv4E>YuIJ^WTxdWZ&}BVtXDEZx_Ukdq_v+$~@UueExX6AbqMc4xapF!uiz?0IKZn_aH0aSEX7yQkJ6EKk4S*#k zCiqWJ7&NlDlzm0g5hz6h0-Iz05i|8p(nlBxvN0o)GKSeS@BHx!Sgf>;cuI!ordHh6 zv!n_l?}V)*Vimp(^F*&5hveAB$6XJOy?8RU1T^Xy>@k1r2CTS$S@=J$C8#a@2f+~; z-_D?#4-ngS;y#LVLxfZoR7lzzr-4)2$UddM`~yRO^fYLi8hjE;U;QqxlNDve0vm1< z-B`(SNxpyvI1*Iq!sN~fSBtpOr%m>fms3?ZueXicv+ePVq&mcDETU+;_2~b?8;Qts zb=@KIm$KRgx*jxt5sFYMhDQHAy)MBRBeRMR7N@e)*tKG5mMV-IhXL(x0B^oqcu#L+ z2K0$h8QFFs1W!DoN?fb`jn>O#$pDg&lY8<71%pg=gEQLw+nCVe_g|!6YEHonsCm4EJH-o1kV^VA6@`rTW0%E$vk|UVxcI4J>!Efa*vn*E6qANh*ke)y+iJt)Ws}wQ6AtFMpRKM|%hD zhHST@K6-tK_E8D{9;Pp@Qxs~LDO?iw7A7qAJL;6dk2TCdF;Uh~z}-R>>5(Z!RcI`K z%1{tTEdfr*r18jU^=yXFu8>!F1yhVF5n(3H)pA#Vm(af-)~(Dq=E9F>lyo7%D<`t} z7J7OB*if3zIHOf@b`QaFO{QAw+9p)kL}GJJ{ui3)slA)4yQ-z<_}j8qsCa8@iK`wX zvy(g_Z4AqmeaIUX$hTsq`n`Pb(dJ`y)m(2@;At?Ur9yIb)uz&JYkuWu^X054hL+ql z6E$2Ren@8+R+H##aXC>Lb9pSm!BM}tShut8g?mJ6__(pn%~S4nuFOFvSFg=CDfF*&-5Y<|Y;VwYlX}b}%Z$X^|;RJb%FQmB1!)HoMN z+pCa8R?s_DG}F05p__bV0poMyh~Uc}bUL6Q@f*Wz7EnkiB#u_OTMtc@^opJcpqvOq z${DT;txlFam3~EA*$ib&wn7`TBa+blKGgj;rz^LuBpJ`|@Y=ZhDQSExVn71?B%2l8 zdWFwK&p9<0zTg;D9M_&#wvFh+xci%y+1C9TY?Tr+f=?G%8H9lU&hgwgp(^KO+Gky% zQ>3ZADBvbB(p{$N)OOU=QOlL1-@sALRYpFcy!~~C zk6dO`?|{8^#kj5^mZ)a>@5VX3Q-FVv4l>54y4Tmh_^Gqrd!Uom*v|;|Fz&&=M#ojZtzdfV|C_T`F-x5`m3Uz79O|_;wDiz zrh8-6#mridh4C@rhQIp8j?%%BHfW?h(VGq*uE&V#_$EPkXdpA^#FN-gtS+*U`@#=m z^Vy6<1gw}dB1fTg6jYqiwIz`mMGY2UWUu94B`~9khNkV~BXB$9f_RI!2AxjA5+_mO z`t&x4x3<1m4+mUm=)bY(Z0UC4nAuPCrjcZ;U7NUDrnuGw{Oa0=_4iTWr}?9pT*o*? 
zVsC4ya-v(9D=6K^-M&4uS&~dzuk}>X@-Vff!yb|u%pQH(%H{yc5B40fqtymL^Iwy4 z^Ngw-aU>7O6;hoNoL>=bAn>>TYHc5)KV+}&m`Snusb6bG`g*9U^6&<6UAnY=ao7kh zfM5f?Sm#a`81ugvM`B;W9oEN|+D=I>LcTUTgVpcLK;r2Y*wIz2%*hih_Q9El|CU&% zYt=S3$H7CjVP+?2fh>anT7^aEzMH?W(D#=>#KX0op2;Zb>%o+Q){hULlH}B1;@nIc6xGZFCx1gvE&-lE+bFMR$-_p_8X7cktHWL3CFs{XG;+s*Y} z5o*{1nyTX5w`vUW+l(3-)>t~V4x~{VAC}9QjCB_ufzP^3%sC6#<$)&(2S`->ULPxO(9M17E`6(%BV$@lDoMSd3 zbg%65GsL=dk*^L3v94uRn8=>8&RfJ|`gU_io zxQl$Tt~hbG-bkhOh_5iWTB`9J$@HmWr4Q?Tht~?;^p8a2h|E_3a_Xg)zU8si9C~Mq z&NJZtRibdE#@)GY$a+_(8bSXZI{LV6Ot1l(mXc3@)APk~_~D2i28%w2R+auw%>*L+Zf2kp)Rj zNix)xMC_k)tj=^Q(&=|0@(awT(mo<{jDo<5=J?S$oex!-q+|ABH6Te+_;UD}V-A>&H~ z97g5tjJ=|}U|_=jocx7a8DNSUH?3`F2kOibWvR45;H7R_)@XMJs@mq`zxI_lib`BN z&i!AL4mz(l4m1w1?9QnxERGM*4nR8(CdfDmQSb*vrLpSQEzXeAEH^vwBd>3)YC8tr zKNdA{d7FxiSgah$`7F}&wz~O<$#T3DfRadDNKX$JQVgt?VONcx={FACMT z{7l2M3Y~@1TStt|;tK1Wn?LncFDkL=@UAa&~kHp+OPw1}xPs_Jo(tlS{q6{^|;1_Vf zG+tElMhoBXqF6yu)O2Ln{%I@wX~gmvPmykR6K*E~>V6trq+5p0?FI_jl>IM2jAwaF zJm+nzpGZYARDU8>R07wB;V2N$xLVY`7G$g(Q!HxYTdzs1MV~K5VyJ@PtpO4VoGA^9UjkA#i7a8Q`09dGc2|Bf7tIj)M}d1$h-b>(pqZ&etDb+l`L znLUFN<@PF~9NnY%Jb8N-s8W9+qhr5ELqq0XEg6QwB^$9E*>n13eZxGEhD8C&vEb~S zvQB~{Wjn>Dh&~jU>RIgJv`vuSdK8LZ8&9?iQjHteCp#i&ykvggMW~ZfX`R*YdEMnV zcL&nw!*yrZn~QU+rBxOp+}z|u1)nQpWX*RI981-zEx*wPDC|46{QQEK`PJYloTo1| zY+UtQzfg(WYbCdqw*hY^FLZ!#X{9;%GPB{>Yw`JDetqiC{CemN#}_Ig!7(t4rIB~(dA47R$<(J$hPZa)3I-k>idVjuIanLmmbw^EJ#btTx%DXkLfxkszGLgmFOOi zxt=PL^twi=KfjU}pmk8bTmOCVXTth5PoB0To_fEzP042r9%s8^PNsi}C9-z2=qYH!99x@`h+xxvBbSf#$d4cq1!wu4nopk1~y9 z#X8@zEf>pYJGw~A)E=~G+P(fKF_s@Ts{ei#zkP{5=5GZQ8c!E3^uHP`bFcjRs{g4h zb~`o)O*5wkO2e%Cm&BmsA0KaYfp?b!!-npE!Mg}P_pE!vS!8WN?rJq@?B=ULJ>N4h zQlVrK9xW$&0uiIQoY`i;io7OTb}*oK=g`9LbH;sr0_{f;iiDgf(($Q)`f^!w99)JnBH%v& zE>pMirxGQ(n{IPctMPz$8wOE=auAe4G@>D`0jEu=dNWxx*NWL4!6BQ-^){ya5gD@| zo>v`1q7x+yO*BoFGujj6B@GS>zir*}-UHyH6S+-o_<(y>$TOMyE%_<|M||5wqWAzR zDZ6MO zRk(3$xl2l%{y-WTC};u-mV5T!s?0|NsSNPrv1*-U%SW0<>DXUILw)q&lCp_g8RV2d 
zgq2HsO4EkZeD)s(p<0dWi0>$d%;ABTGIOEWrUPNsi_@l7E7vi-GjmpTn=#~Q)GP>Ocw{BGB+3=w|Mge;*x)SLm?ZmbP>?i?M| zxk3l~)~ne`NsXUM=gDx+2kI+!NayVVF!FmrBkyn?H-E#66teJhyKmuf4~Bpd(}w5c z#oO1W$6@*M`(qUD2a&Fy3pQ30SSU)VL&^d#(B2KgOfNHH=2G!g*BEMU$Af7Syor7` zw#YXo46Y!Fo}@nW>Rt@SC@9K5F&l$QYbwtyJQXe*w9S3(O2N(h-Tc94tr8gdmL5RK zwJkyCzRldCm=d#YI^`nGBU})@ zsc5p+#o`fh3Z~7g7E#qDDJdK9qUuvo{9aj$r1NpA@L?x-2}Lwv-%|h|;6Hd~po*j7 z6UwT5#2kL#vU@R;{s)XjBR4E=iCef4GdWX%I;y>8qK44{?4Kt(60osz(DCiO6wU1N zS=|8o$v=f!;wZ#aDC{-CA8>0sTcHqX?ztM3OuG|zYG)p80Vo9Xl=JmAasK;Og@_0NS3p27QhC zS$KY+g!Xyb>h&gS;3N!g=G6e&xOE{$Dr1e-sqi>DAtt^<;yoCiZ}oHT${+JX&vd_w zizokNEUL^a?t{z$&%^s||8A(y{G*;fMgCSWh`zL~>-3eOJ;cJ`W77MyJN{t>1QmHd z{q)Z*kP7=1@&SH!;G|R8vbLAepM!G|6+Ov}p}xJ@r?OKAg>etFLQ8~$)b<`AAaTTOf> z*lM(SxsJ*@p=hW?#!|mgV1hwj9+UCE@c(S)PTzwilr@j8?$5*G%1;YKWy|`#o=XP{ zav7Q5d9f5@7mKeo%N_Boxnip<$*${&4P>Dr>WU{(h&@4+2||##XgZ^!)3K{&_oqZ^ zx#DZ3OTZqJx#)OYJY`aheyOOw)i1rygK$nCIl6Kx2X7bSC;WrhErc~Y4H=0mjLWFG zo8?qvx>ESSpqhqp`fivx1amvc*-rH{>u+Fa4iB1I;!~M9Cv@3C*q|d;@J^Ttj+hvz zUq0W&6_N6qVgr3}_p-*;>k;?G-3WP|re{?yY`|XpO1weaOY=V7ynB7t&sac6w)}?`gsf@)u^*tRONM zbNV;9u-RAv?%bwt`n977rE{+tTRR&MW}h~HI;-{I_oFv|j0>xqk)>q(8&{lJuqJeN zmHcST_ zteL7v&=*G?yhJ`2<2gs;@I$a5!Q@Vp>5F_(y!<YAvVjXvW$v8Ow1Tc7ikYoWX zLp^ZsMK3lymW^u%>n$;F<4rbk-!ieYEa^!Zn`|{|_DDAK*A3Fje;#qRz`wcvaG8>HG!A5}5yn=8zGHzEEq zeO93$jM1KMO()V9n)CA)?HYBm&8sKSUdhqXRQ2dmQ=APetn}P?xiGP;DR8!y$K%9C zV$ES7tae;x+g|&wha9H}Q$Esr*od0uKG3iHJno*+v86q;Ua3sX;eP0_nRIit^|mHa zHEL3RT=j8{)j!EvbWi=sxE@1lKv^GRR~Oq64u$fll@ce=Ro*Dw9y( zmGHtU+ZkzBYBX1V(}A5#%JJxm8AUpVMuw%9#MuU7QVI2vWvif4qjHf;lcE|CJHg=4 zVsvRANX2W1jbhW%jFkG8hs>4_RHr8r(^8I_ z?)6Fuj(C~+y%pgILE`#@eZKwVXA;^{Y3ZOvs0ow#Vp!wUv?={?` z#MT*hFbe|ui>J%}*hEFt9jpU{hWma<7G!Jqg5s2n?JNqn`Gm+f=TS*c99{@5fa;2`r$XS7*?|!%kl5j@v!lKU>99#k_jgy52a}Lz*i7BB=uPZU`07GvZ zmo{NYf>=W8Qr9@pre|Me7(c+HZa5yYd5S9r`IxpK%ZNz`HB<9OO6qT^l_xXtjo>WJ zhgNBtN9<(Mq$|k%TjqClTayYGgd`6oE>sSGb5Um0qu?rqswaRnAFmmw_1C(3^Dug| z!#X^p^*j&xG$@oOLdJ&X*7KJA<kSve?# z)3(>r$i|)IrRw5Zk}hf)by6TH|8-2xg*JbLPO2Rzb9 
z2N;;ux=Kc)DM&!)KuekEV9NedHcjxs^sO=5qguHoq}e)a<&!klT~kNQmFb zgvQrtdly@raB8eb+sZ^v#|P2imIYW)4PtrxVb4)|B`g zf|xUf6d4-)*3Re4b+uw%HpVOg^T^czt3)NK|#Fm45tS`g4& z3?4Jb>gc+o?KzmpxTvE&LEF7mDKxLNDUM?9G?gN8rP+j=2%UB(59B4Tq6|X2`(ik- zP8eb2Ac_DjjPk21O8c9a^6y^rVJMJhkBCv+ETgvilW1p%A9ck?!>|*I9By?y%iQKh zQ=Pm!1KiP@v+iBr3~5BMrl1bCzGfi~LWdh6Bo#Gih_LRGBs6*V)X@;0l!KOkU*cp6 zgvwo%IOni`pc4$Il8g5R+){UT!AM0lKvp9{q|51d2c_+=qiDf{z!3(uA9 zaCGvN`PyBu+VZF`ZgKk;j~5aUPrqZya#^GgAIMnHiJ}|%AT<#NJd<^@vVOJ zNE6K1kM+D$2xJo);({qt&^DwqMZBPK7B@X24=}koD*bTH#0MW2j`iD(A`&4~I~%7l zUmXDotMv)_iDCneP4Aqu??%gyCA_Zv-`uWm+#5cNxZ?H~giWhWDFJAK$aPMi`BQ~om&=UL#GMCKwh z;5BnLp)lX9)zj!Y(a_h7V0phz##YF!=}7jRDvbzjQj>omK^@YJZL$$uXT6UL)3;S{ zTe?gjHsyirOwYeh{X8WJGxXqKcr+hkx3vK> zDFWr*bOdhja-vM%M(V@S*mp?CK1P5(hc_71Ic_nU>QjrMgb5t*3%s{-@eQRVOj7D& zw4i_+ibwXKOb!rJ;2)^k*1J-fE;e%_e^EPRWh~#sJDI^;<7R{| zz~bL(0jjRNKaQ?4DYENR6tt&i$WC+{>nfmvyDyasaw}Vy25Qwvgl@JRq2)}mUQIin?qRok|2d;O>Kh0;$4(%(P({Ql$?~K%HCl) zk}J4JWEqt7T=O&45{n=CyVEjyNsm7t6XIJ2Ge%B!4eL}_dj$2&UcOnpHyCzxL#2L7 zA#7BQ6XR^V;P!2}pSR<~OU81vRWqzXSHSy@Sa}6(rs6*j1%Shpf#4L-?mC9IY3;Ez zA)=aC(4&dgy*{oL^*}RIm8+mXz`yq*g6|xC;m58Dy~?<5?tZ7U-|k;!0htAKF2Rq@ z%Nij%xhe7NJ+Wh6c~w|!Mka^0{N_Q={!ais6T<9hgdFF}aQ+A=v3p7o;>_aZ(yqT$3jsFt;Ht0#S;ZbEFy&FlHVSUm zP`%ya2d3!Uk6f7Fb$@1l^lT4C%DECe(>vpca}B>%s|*WK!o`Sx-r2`htiM zT<9$?##UCed*=WCpZ`ljObW{FBj}^KrnUTDG|Z^4Bk0wcdMptmTF}FKXW+SKkMZxa{tCI%iFMAf*>S)WLEsA>NkCVDt1LT@_pFei*q<7Oyo+g z>y;vL7}qS&F!n2s4)*nC+-iM%$Ix3oHgkRObQc}&AMWp(1u{O&h58#X)`FQG>9Te#~jCCv@ba=}408u4L zJn;M;@+ZcJ==9xr&}uz-@*8*<*@oXhNDEUCUgU)Xlm_9ypFGiO*M)OtvtP?xWcK(zCi)NpAV{_0Iw)0O@0!x5i2_vz(h7aM>9)V73MT=Z5a> zSN^kJs3;mAT9CS#j)HIMDln{K$tm%|33vocDrbZbp-Q& z>RYEL6_590KHM`;5aTuoBGmY>t+@U8bPsl~N9ZR(Fqn-kcXhTZMMQ#nMz-x0i@*k> zI17h$ZnENujPaQC>`%V`P!Fk*;Ms8GIFOZyAybBlc7`(s(+0Z>=P&o`)?BsxQvIG@ z09JDkSUs~R_dpRW+-kvbT9878y7+K^Eb~JeEmKq~o!kakzA(tP_ zvGaEM7&doMkrE=Wb90T8#o%gIDt%e7w{uj4qhG*dx$`PUeH>nAsovd8M6HWzw`oKj zAI5BAc0eu(!l8?uc?a^(+;N`sHM9ZggIf$)m*6}rYkE#to`(BYo;Y%flmg45S>p%2HV$$xj}md1~YyKyKfW4;e3kBT)w 
zZv62A8HL-eI$wqQADd)gaAxVB+`DwNFxo>}+Q zm=EVB!nHyFhGr1WBe_1L=br*M?OD*fSm(7-9|VDCX+!(3j`p7)9UKPFe?(_*e}0G1 z>(_s=*3+3;GENs32@$X#U77wbH@{tR^rKPI&RALM@SHcW)?{#MrFV~^g9u>GoXV#2 zU6_}T7nkVi{^7woCZjZei{m~0Fu0Xsg%W~o(1d2;H&{gA|A!TYd;t?Du?;gUFjIsq zRPu9ys-y^6>l!RiEO^Eu&uh8@{yxUHOW9`1tOX5XJT%yGrV&$JwBt6Nd_S&EzhTYP zCd>vSV@c7?9K`$v!dR@a95bZ188>6wuY$h?f7@A>y<-)paaFy43J&&z1M5xPM(@10 zKxzpSs&Dqrs`tgR^|tfo)Of7@pg(pmI>)C!T%LY7>z=)P`@{Q-lg`!YNtIupPd{|8 zI#=(z2>o#UYv=N+{9EVZ0)05W)b)8QW$0T;`e|JlzEDK#Y}MjasJL z{t+-y;>rU|<6Cb>ty3YmI706)e!1+NoT8sQXXmFUNAB!@A;l^jp{>epZ5fVqt+nv3 zT}@r0j{HB&Zo8;FWO;}6a0CX!BfW0=G>Qm2Dh?2NX|2L7ky`Jximewy``9`4Ki)-; zU5>EF#zgkGoMH1ZEariGn;U#j8u8xwrNYGw3#r}&TfU65bd)T+ac!)WM{Ym=Uu}i2 zUf)lv*Y~r3!=wFI!T#a?(^t=5y?VA{eg7C71cz>Q+addn0QP?73>F)_S?( zA&*VS28ZY=`1wpK3Vu3ctuPu*(j`nNyIB|Yx?Ba4s4U$@3BD%CoV9Sv*>XoZK?X56 z0NEo_2I-t^^IrxBy7`?b${kjK`< zU^3!3N$Zyne?`Wn!{xQcGZJB65PVI9F_RQ78jtNEI3J)fB{$$RZY4dvWo=m~Y+3E! z%P;AcIlP*+!Ne1wQ!HXiM9Fk+E!Gi@Ou9RN?|KP4j3F214Blp#8exefWg#&JBn>tY zuM^loVMj61bY~1LKLRnb^TEr*R|oTEZ0BI?Eh#}H&qS!fJZG0r<=*(92Ug#Vkz&!{ zls*Q>TtOf?!LB_;f%IUkY936Iv8(x0n0}U|E;ksF)hK=uJP%&Z=_I=)kMcN%1BzLH zg(tTRK$Mw{fzR)fwn?A-tVvMnqS*7?j|cm^=)lAy92{!oxmpi{=K(rXh4D}K9x|y{ z1Qz(=MqM7b1hQSJd~-2+U20y}riWbI)^7s23rgg!cy-rU^y9`jrb_rQR> z$H`4xb(Sb3k~f8Ln! 
z8;K#JV#dGE6X$YMNUNLmO?0G9qX6x75_ErpZZsFtZ@i8Bxvo6{|0kJQH#$4iaN0_w zf{=n+dA6H6TV1`2W;RXYfRLzExd=%xiQ6*)5w%7gd7~EwnR&d*1cJ8tlm>y z#nZIh)^asZp3G0C^C9@Z^t7%_B}ggzepj(+Z3bkl=j>goUr8&C(c$HFl^*n} z^S_50{n1@sW%)_3&e9JBLp;n?lAIa16_+#X-hS}6;BP(D7no_KmZRPQd{f$>yaOe3 zekT=4jk4r_oxi)3x!?h?-RquSemFZm{q(l;=Co%tggn#zcJJN!Nx{c<+yeH@c!fx8 z&R^yOUJjCO4zqka$v1qX2(MBlx%>zN zEa|^AOSJQ(Tb!q0u^u;iiVEGn>(`@x?(DP5qZ1hRB8l&$D9%D6b4@>jkp0QjiNhBD26p0kpvg< zj=-_P+nP$v_CcUh2)uYLKhg+$%D>~`}AGkvA@5+|Kiy*_;-JQfA-(~gQqY4 zbntBd`Tq0g`maCjAG~;Wc=#u@Ur!g8Q>I1mKkeW7U9+9r5Sp9uqZUHWNq5Bg^%2_o z$5tvx+lnl^dS7c>@#h~~TQiThZwMWKj?@v_Y9DMh>+!);dHq}4N!v?USHnA2uK(xz zGwc8Pi>C+8`u`gA2%QrnExOAujNQWzFvJQSpK0OP+?^FkbBr&IHKaP(K4t!eR6)ZD z9w?R9zZ@kd-o0&;E=6^)f>rB(|LL=t_5bqa%Vz)oDwL;#(EGm41#yIo3;nl$Zd*h5 zPu}`BS6N)1c23@$21!)kJ67)hhfinL|FivrX8nH^I_BvF!F6~hdTizZ9J6STi;DZa z+?|Tb++$)>m?t=Gw)%~tx%F>vY^swDtXlsspUuht2QOYU>;G%enwN*&^~SKU%x0?Z z4GUUVa4%8$Dlp3aY4Xp{FdE~3%!H#Tzy6CX(MP`Bn(L#?ZWLDkn5{*78 zb=ahLU(Jl?*8k$GtZvN{R;~YM`-kQAe|T{4;%T$~zXtuidVyLmvGPq-Toe~o86M#7 zHp7Cr%hVzi6*pd*laW5>d5RZzUsXPG2DaTVnuhnEOEgYx1NE98fvJa TZ$tkl009602H$2>0Kx Date: Mon, 24 May 2021 16:35:13 -0600 Subject: [PATCH 19/27] first pass --- ...ress.yaml => allow-egress-except-aws.yaml} | 5 ++-- .../networkpolicies/allow-elastic-egress.yaml | 21 --------------- .../bigbang/networkpolicies/allow-istio.yaml | 2 +- .../networkpolicies/allow-kube-dns.yaml | 17 ++++++++++++ .../allow-mattermost-operator-ingress.yaml | 16 ------------ .../allow-minio-operator-ingress.yaml | 16 ------------ .../allow-monitoring-ingress.yaml | 19 -------------- .../networkpolicies/allow-test-egress.yaml | 26 ------------------- ...deny-by-default.yaml => deny-default.yaml} | 0 9 files changed, 21 insertions(+), 101 deletions(-) rename chart/templates/bigbang/networkpolicies/{allow-external-dependency-egress.yaml => allow-egress-except-aws.yaml} (66%) delete mode 100644 chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml create mode 100644 
chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml delete mode 100644 chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml delete mode 100644 chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml delete mode 100644 chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml delete mode 100644 chart/templates/bigbang/networkpolicies/allow-test-egress.yaml rename chart/templates/bigbang/networkpolicies/{deny-by-default.yaml => deny-default.yaml} (100%) diff --git a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml similarity index 66% rename from chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml rename to chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml index 6716f74..2b7b2ee 100644 --- a/chart/templates/bigbang/networkpolicies/allow-external-dependency-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml @@ -1,8 +1,9 @@ -{{- if and .Values.networkPolicies.enabled (or (not .Values.minio.install) (not .Values.postgresql.install) .Values.sso.enabled) }} +# Mattermost does not behave nicely without access to external internet +{{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-external-dependency-egress + name: allow-egress-except-aws namespace: {{ .Release.Namespace }} spec: podSelector: diff --git a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml deleted file mode 100644 index ab02e24..0000000 --- a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml +++ /dev/null 
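Review bot: The new guard `{{- if .Values.networkPolicies.enabled }}` drops the minio/postgresql/sso conditions, so the egress rule in this file now applies to the mattermost pods in every install, including ones where all dependencies run in-cluster. The rule itself is outside this hunk; in the earlier patch of the series it was `cidr: 0.0.0.0/0` with only the metadata address excepted, and if that is unchanged the new comment should say so, e.g. `# Always rendered: allows mattermost egress to any IPv4 address except the AWS metadata IP`. The added `#` line sits above the `if`, so it is rendered even when network policies are disabled; a template comment, `{{- /* Mattermost needs external egress */ -}}`, avoids emitting a comment-only document.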
@@ -1,21 +0,0 @@ -{{- if and .Values.networkPolicies.enabled .Values.elasticsearch.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-elastic-egress - namespace: {{ .Release.Namespace }} -spec: - podSelector: - matchLabels: - app: mattermost - policyTypes: - - Egress - egress: - - to: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: logging - podSelector: - matchLabels: - common.k8s.elastic.co/type: elasticsearch -{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml index 3faf172..4e97a61 100644 --- a/chart/templates/bigbang/networkpolicies/allow-istio.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml @@ -14,7 +14,7 @@ spec: - namespaceSelector: matchLabels: app.kubernetes.io/name: istio-controlplane - - podSelector: + podSelector: matchLabels: {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} ports: diff --git a/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml new file mode 100644 index 0000000..0339a12 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml @@ -0,0 +1,17 @@ +# Allow DNS. Due to inconsistencies in how distros label dns pods, +# we just allow all port 53. We could provide better if we enforce/ +# standardize the kube-system labels or the coredns/kubedns labesl +{{ if .Values.networkPolicies.enabled }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-kube-dns + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + egress: + - to: + - namespaceSelector: {} + ports: + - port: 53 +{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml deleted file mode 100644 index 0268ebf..0000000 
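Review bot: In allow-kube-dns.yaml the entry `- port: 53` has no `protocol`, and NetworkPolicy ports default to TCP, so the UDP queries that make up most DNS traffic are not covered by this rule. The spec also omits `policyTypes`; with only `egress` rules the API default still includes Ingress, so stating `policyTypes` with `- Egress` makes the policy say what it is meant to do. The peer `namespaceSelector: {}` opens port 53 to every pod in every namespace, which the header comment acknowledges; that comment also has a typo, `labesl`.

```yaml
spec:
  podSelector: {}
  policyTypes:
    - Egress
  # … unchanged: egress rule with the namespaceSelector: {} peer …
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```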
--- a/chart/templates/bigbang/networkpolicies/allow-mattermost-operator-ingress.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.networkPolicies.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-mattermost-operator-ingress - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - policyTypes: - - Ingress - ingress: - - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: mattermost-operator -{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml deleted file mode 100644 index ed489d1..0000000 --- a/chart/templates/bigbang/networkpolicies/allow-minio-operator-ingress.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if and .Values.networkPolicies.enabled .Values.minio.install }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-minio-operator-ingress - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - policyTypes: - - Ingress - ingress: - - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: minioOperator -{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml deleted file mode 100644 index 5760f07..0000000 --- a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled .Values.enterprise.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-monitoring-ingress - namespace: {{ .Release.Namespace }} -spec: - podSelector: - matchLabels: - app: mattermost - policyTypes: - - Ingress - ingress: - - from: - - {} - ports: - - port: 8067 - protocol: TCP -{{- end }} 
diff --git a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml deleted file mode 100644 index 1a9b59b..0000000 --- a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- $bbtests := .Values.bbtests | default dict -}} -{{- $cypress := $bbtests.cypress | default dict -}} -{{- $enabled := (hasKey $bbtests "enabled") -}} -{{- $artifacts := (hasKey $cypress "artifacts") -}} -{{- if and $enabled $artifacts }} -{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-test-egress - namespace: {{ .Release.Namespace }} -spec: - podSelector: - matchLabels: - helm-test: enabled - policyTypes: - - Egress - egress: - - to: - - ipBlock: - cidr: 0.0.0.0/0 - # ONLY Block requests to AWS metadata IP - except: - - 169.254.169.254/32 -{{- end }} -{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/deny-by-default.yaml b/chart/templates/bigbang/networkpolicies/deny-default.yaml similarity index 100% rename from chart/templates/bigbang/networkpolicies/deny-by-default.yaml rename to chart/templates/bigbang/networkpolicies/deny-default.yaml -- GitLab From e46165d594d4caf6a8791801516d8f8cd3204c8e Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Tue, 25 May 2021 10:43:47 -0600 Subject: [PATCH 20/27] refactor it --- .../allow-egress-except-aws.yaml | 21 ------------------- .../bigbang/networkpolicies/allow-istio.yaml | 4 +++- .../networkpolicies/allow-kube-dns.yaml | 17 --------------- .../bigbang/networkpolicies/deny-default.yaml | 6 ++++++ 4 files changed, 9 insertions(+), 39 deletions(-) delete mode 100644 chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml delete mode 100644 chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml 
diff --git a/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml b/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml deleted file mode 100644 index 2b7b2ee..0000000 --- a/chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Mattermost does not behave nicely without access to external internet -{{- if .Values.networkPolicies.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-egress-except-aws - namespace: {{ .Release.Namespace }} -spec: - podSelector: - matchLabels: - app: mattermost - policyTypes: - - Egress - egress: - - to: - - ipBlock: - cidr: 0.0.0.0/0 - # ONLY Block requests to AWS metadata IP - except: - - 169.254.169.254/32 -{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml index 4e97a61..6c4c48c 100644 --- a/chart/templates/bigbang/networkpolicies/allow-istio.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml @@ -5,7 +5,9 @@ metadata: name: allow-istio namespace: {{ .Release.Namespace }} spec: - podSelector: {} + podSelector: + matchLabels: + app: mattermost policyTypes: - Ingress - Egress diff --git a/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml deleted file mode 100644 index 0339a12..0000000 --- a/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -# Allow DNS. Due to inconsistencies in how distros label dns pods, -# we just allow all port 53. We could provide better if we enforce/ -# standardize the kube-system labels or the coredns/kubedns labesl -{{ if .Values.networkPolicies.enabled }} -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: allow-kube-dns - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - egress: - - to: - - namespaceSelector: {} - ports: - - port: 53 -{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/deny-default.yaml b/chart/templates/bigbang/networkpolicies/deny-default.yaml index 096a413..d2583f8 100644 --- a/chart/templates/bigbang/networkpolicies/deny-default.yaml +++ b/chart/templates/bigbang/networkpolicies/deny-default.yaml @@ -10,4 +10,10 @@ spec: policyTypes: - Ingress - Egress + # Deny all ingress by default + ingress: [] + # Allow in cluster egress + egress: + - to: + - namespaceSelector: {} {{- end }} -- GitLab From 762fe9e31653dcdf93deb13491f2d11073030d5c Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Tue, 25 May 2021 10:53:58 -0600 Subject: [PATCH 21/27] add back monitoring, test, elastic --- .../networkpolicies/allow-elastic-egress.yaml | 21 +++++++++++++++ .../allow-monitoring-ingress.yaml | 19 ++++++++++++++ .../networkpolicies/allow-test-egress.yaml | 26 +++++++++++++++++++ 3 files changed, 66 insertions(+) create mode 100644 chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-test-egress.yaml diff --git a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml new file mode 100644 index 0000000..ab02e24 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml 
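Review bot: The added `egress` rule in deny-default.yaml uses `namespaceSelector: {}`, which matches every namespace, so the policy named deny-default lets the selected pods reach any pod in the cluster on any port; only traffic leaving the cluster stays denied. If default-deny is the intent, `egress: []` belongs here with narrow allow policies (DNS, istio, database) beside it. If open in-cluster egress is intended, the comment should say it, e.g. `# Allow egress to all pods in all namespaces; only egress outside the cluster is denied`. The policy's `podSelector` is outside the hunk, so which pods this covers cannot be confirmed from here.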
@@ -0,0 +1,21 @@
+{{- if and .Values.networkPolicies.enabled .Values.elasticsearch.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-elastic-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app: mattermost
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: logging
+ podSelector:
+ matchLabels:
+ common.k8s.elastic.co/type: elasticsearch
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
new file mode 100644
index 0000000..5760f07
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
@@ -0,0 +1,19 @@
+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled .Values.enterprise.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-monitoring-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app: mattermost
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - {}
+ ports:
+ - port: 8067
+ protocol: TCP
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
new file mode 100644
index 0000000..1a9b59b
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
@@ -0,0 +1,26 @@ +{{- $bbtests := .Values.bbtests | default dict -}} +{{- $cypress := $bbtests.cypress | default dict -}} +{{- $enabled := (hasKey $bbtests "enabled") -}} +{{- $artifacts := (hasKey $cypress "artifacts") -}} +{{- if and $enabled $artifacts }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-test-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + helm-test: enabled + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} +{{- end }} -- GitLab From 79c7a92ffb7fc80a79d02d3f47bc9221ed626ed9 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Tue, 25 May 2021 11:00:49 -0600 Subject: [PATCH 22/27] monitoring --- .../bigbang/networkpolicies/allow-monitoring-ingress.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml index 5760f07..38f98d3 100644 --- a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml @@ -12,7 +12,9 @@ spec: - Ingress ingress: - from: - - {} + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring ports: - port: 8067 protocol: TCP -- GitLab From 8cad195a5fbd81781dd6e6005b23d09f666797af Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Tue, 25 May 2021 11:45:44 -0600 Subject: [PATCH 23/27] comments --- chart/templates/bigbang/networkpolicies/deny-default.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/deny-default.yaml b/chart/templates/bigbang/networkpolicies/deny-default.yaml index d2583f8..31c4a35 100644 
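Review bot: The `ipBlock` rule in allow-test-egress.yaml allows egress on every port to `0.0.0.0/0` minus a single address, and that range also contains the pod and service CIDRs, so for pods labelled `helm-test: enabled` it cancels the default-deny for egress almost entirely. A `ports:` list limited to what the test artifact upload needs would narrow it (which ports those are is not visible here). The comment could be made precise, e.g. `# Allows all IPv4 egress, in-cluster included; only the AWS metadata IP is blocked`. The same rule is repeated in allow-external-minio.yaml, allow-external-postgres.yaml and allow-external-sso.yaml later in the series.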
--- a/chart/templates/bigbang/networkpolicies/deny-default.yaml +++ b/chart/templates/bigbang/networkpolicies/deny-default.yaml @@ -1,4 +1,3 @@ - {{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -10,9 +9,9 @@ spec: policyTypes: - Ingress - Egress - # Deny all ingress by default + # Deny all ingress ingress: [] - # Allow in cluster egress + # Deny external egress (outside cluster) egress: - to: - namespaceSelector: {} -- GitLab From 4a553f4963f1529afa0008d94e29d56c8fc623d0 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Tue, 25 May 2021 12:04:27 -0600 Subject: [PATCH 24/27] external stuffs --- .../networkpolicies/allow-elastic-egress.yaml | 21 ------------------- .../networkpolicies/allow-external-minio.yaml | 20 ++++++++++++++++++ .../allow-external-postgres.yaml | 20 ++++++++++++++++++ .../networkpolicies/allow-external-sso.yaml | 20 ++++++++++++++++++ 4 files changed, 60 insertions(+), 21 deletions(-) delete mode 100644 chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-external-minio.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml create mode 100644 chart/templates/bigbang/networkpolicies/allow-external-sso.yaml diff --git a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml deleted file mode 100644 index ab02e24..0000000 --- a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml +++ /dev/null 
@@ -1,21 +0,0 @@
-{{- if and .Values.networkPolicies.enabled .Values.elasticsearch.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: allow-elastic-egress
- namespace: {{ .Release.Namespace }}
-spec:
- podSelector:
- matchLabels:
- app: mattermost
- policyTypes:
- - Egress
- egress:
- - to:
- - namespaceSelector:
- matchLabels:
- app.kubernetes.io/name: logging
- podSelector:
- matchLabels:
- common.k8s.elastic.co/type: elasticsearch
-{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-external-minio.yaml b/chart/templates/bigbang/networkpolicies/allow-external-minio.yaml
new file mode 100644
index 0000000..12a86f9
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-external-minio.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.install) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-external-minio-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app: mattermost
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # ONLY Block requests to AWS metadata IP
+ except:
+ - 169.254.169.254/32
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
new file mode 100644
index 0000000..bc77595
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.networkPolicies.enabled (not .Values.minio.install) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-external-postgres-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app: mattermost
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # ONLY Block requests to AWS metadata IP
+ except:
+ - 169.254.169.254/32
+{{- end }}
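Review bot: `allow-external-minio-egress` and `allow-external-postgres-egress` select the same pods (`app: mattermost`) with the identical `ipBlock` rule, and `allow-external-sso-egress` in the next file does too; NetworkPolicies are additive, so rendering any one of them opens all IPv4 egress and the per-dependency names do not scope anything. Each policy would be tighter, and its name accurate, with its own `ports:` entry and, where the endpoint is known, its own `cidr` taken from chart values; the ports depend on the deployment and are not visible here. Failing that, a single policy whose name says it allows general external egress avoids the impression of three narrow rules.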
diff --git a/chart/templates/bigbang/networkpolicies/allow-external-sso.yaml b/chart/templates/bigbang/networkpolicies/allow-external-sso.yaml
new file mode 100644
index 0000000..cbc0db3
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-external-sso.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.networkPolicies.enabled .Values.sso.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-external-sso-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app: mattermost
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # ONLY Block requests to AWS metadata IP
+ except:
+ - 169.254.169.254/32
+{{- end }}
-- GitLab
From 1bf7dfc59e73ebc0032761055c62a0fc3a049782 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Tue, 25 May 2021 13:15:20 -0600
Subject: [PATCH 25/27] no sso
---
.../networkpolicies/allow-external-sso.yaml | 20 -------------------
1 file changed, 20 deletions(-)
delete mode 100644 chart/templates/bigbang/networkpolicies/allow-external-sso.yaml
diff --git a/chart/templates/bigbang/networkpolicies/allow-external-sso.yaml b/chart/templates/bigbang/networkpolicies/allow-external-sso.yaml
deleted file mode 100644
index cbc0db3..0000000
--- a/chart/templates/bigbang/networkpolicies/allow-external-sso.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if and .Values.networkPolicies.enabled .Values.sso.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: allow-external-sso-egress
- namespace: {{ .Release.Namespace }}
-spec:
- podSelector:
- matchLabels:
- app: mattermost
- policyTypes:
- - Egress
- egress:
- - to:
- - ipBlock:
- cidr: 0.0.0.0/0
- # ONLY Block requests to AWS metadata IP
- except:
- - 169.254.169.254/32
-{{- end }}
-- GitLab
From 10474b2c582ea2f72045a1a9fb8d69114fb3273d Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Tue, 25 May 2021 15:26:57 -0600
Subject: [PATCH 26/27] cleanup
---
chart/templates/env-secret.yaml | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/chart/templates/env-secret.yaml b/chart/templates/env-secret.yaml
index 9dd5e1e..e20b9bd 100644
--- a/chart/templates/env-secret.yaml
+++ b/chart/templates/env-secret.yaml
@@ -40,10 +40,8 @@ stringData: MM_ELASTICSEARCHSETTINGS_PASSWORD: {{ .Values.elasticsearch.password }} {{- else }} {{ $secretname := printf "%s-es-elastic-user" ( .Values.elasticsearch.name | default "logging-ek" )}} - SECRET_NAME: {{ $secretname }} - NAMESPACE: {{ .Values.elasticsearch.namespace | default "logging" }} {{- with lookup "v1" "Secret" (.Values.elasticsearch.namespace | default "logging" ) $secretname }} - MM_ELASTICSEARCHSETTINGS_PASSWORD: {{ .data.elastic | b64dec }} - {{- end }} - {{- end }} + MM_ELASTICSEARCHSETTINGS_PASSWORD: {{ .data.elastic | b64dec }} + {{- end }} + {{- end }} {{- end }}
-- GitLab
From 72051e20902dc2ca801228a4fc6568a634d31e26 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Tue, 25 May 2021 15:42:14 -0600
Subject: [PATCH 27/27] fix
---
.../templates/bigbang/networkpolicies/allow-external-minio.yaml | 2 +-
.../bigbang/networkpolicies/allow-external-postgres.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/chart/templates/bigbang/networkpolicies/allow-external-minio.yaml b/chart/templates/bigbang/networkpolicies/allow-external-minio.yaml
index 12a86f9..90b516f 100644
--- a/chart/templates/bigbang/networkpolicies/allow-external-minio.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-external-minio.yaml
@@ -1,4 +1,4 @@ -{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.install) }} +{{- if and .Values.networkPolicies.enabled (not .Values.minio.install) }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:
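Review bot: `MM_ELASTICSEARCHSETTINGS_PASSWORD: {{ .data.elastic | b64dec }}` in env-secret.yaml renders the decoded password as a plain YAML scalar, so a value containing `: ` or ` #`, starting with `*` or `{`, or looking like a number or boolean will either break the manifest or be retyped, while `stringData` needs strings. Pipe it through `quote`: `MM_ELASTICSEARCHSETTINGS_PASSWORD: {{ .data.elastic | b64dec | quote }}`; the context line that uses `.Values.elasticsearch.password` has the same gap. Separately, `lookup` returns an empty result when the chart is rendered without cluster access (`helm template`, dry runs), so the `with` block is skipped and the key is silently absent; a `fail` call or a comment saying so would help. The enclosing `if`/`else` starts above the hunk.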
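Review bot: The guard `(not .Values.minio.install)` in allow-external-minio.yaml treats "bundled MinIO is not installed" as "an external MinIO is in use", so the allow-all egress policy is rendered whenever the install flag is false, including when no external endpoint is configured; the postgres hunk that follows has the same shape with `.Values.postgresql.install`. If both flags default to false (values.yaml is not part of this patch, so this needs checking), enabling `networkPolicies` yields open egress for `app: mattermost` out of the box and the restriction in deny-default.yaml has no effect for those pods. An explicit opt-in value for external egress would make the open state a decision rather than a default. The template body continues below the hunk.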
diff --git a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
index bc77595..bf11232 100644
--- a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
@@ -1,4 +1,4 @@ -{{- if and .Values.networkPolicies.enabled (not .Values.minio.install) }} +{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.install) }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:
-- GitLab