From 5552fdf814f8ee16b534c354d3e710fafd4cb53b Mon Sep 17 00:00:00 2001 From: Tiago Ferreira Date: Wed, 12 Jan 2022 19:08:14 +0000 Subject: [PATCH 0001/1606] Fix api version for ingress objects on K8s version <1.19 (#8112) --- docs/user-guide/basic-usage.md | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/docs/user-guide/basic-usage.md b/docs/user-guide/basic-usage.md index cbb7004c7..089c08b3e 100644 --- a/docs/user-guide/basic-usage.md +++ b/docs/user-guide/basic-usage.md @@ -9,7 +9,7 @@ Let's say that you want to expose the first at `myServiceA.foo.org` and the seco If cluster version < 1.19 you can create two **ingress** resources like this: ``` -apiVersion: networking.k8s.io/v1 +apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: ingress-myservicea @@ -20,14 +20,11 @@ spec: http: paths: - path: / - pathType: Prefix backend: - service: - name: myservicea - port: - number: 80 + serviceName: myservicea + servicePort: 80 --- -apiVersion: networking.k8s.io/v1 +apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: ingress-myserviceb @@ -40,15 +37,12 @@ spec: http: paths: - path: / - pathType: Prefix backend: - service: - name: myserviceb - port: - number: 80 + serviceName: myserviceb + servicePort: 80 ``` -If cluster version >= 1.19 the Ingress resource above will not work, instead of annotations you should use the new `ingressClassName: nginx` property. +If the cluster uses Kubernetes version >= 1.19.x, then its suggested to create 2 ingress resources, using yaml examples shown below. These examples are in conformity with the `networking.kubernetes.io/v1` api. ``` apiVersion: networking.k8s.io/v1 From 5f7656f4ccb24dc29ed24941ebddaeab802d7285 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Thu, 13 Jan 2022 21:22:30 +0530 Subject: [PATCH 0002/1606] updating releasemd (#8135) --- RELEASE.md | 99 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 57 insertions(+), 42 deletions(-) 
diff --git a/RELEASE.md b/RELEASE.md
index 10f765929..4396c20fc 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -167,7 +167,49 @@ Promoting the images basically means that images, that were pushed to staging co - annotations - artifacthub.io/prerelease: "true" - artifacthub.io/changes: | - - Add the titles of the PRs merged after previous release here. I used the github-cli to get that list like so `gh pr list -s merged -L 38 -B main | cut -f1,2` + - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below + - Install and configure github cli as per the docs of gh-cli https://cli.github.com/, + - Change dir to your clone, of your fork, of the ingress-nginx project + - Run the below command and save the output to a txt file + + ``` + gh pr list -s merged -L 38 -B main | cut -f1,2 > ~/tmp/prlist.txt + ``` + - The -L 38 was used for 2 reasons. + - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1. + - The other reason to use -L 38 was to ommit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs. + - If you save the output of above command to a file called prlist.txt. It looks somewhat like this ; + + ``` + % cat ~/Downloads/prlist.txt + 8129 fix syntax in docs for multi-tls example + 8120 Update go in runner and release v1.1.1 + 8119 Update to go v1.17.6 + 8118 Remove deprecated libraries, update other libs + 8117 Fix codegen errors + 8115 chart/ghaction: set the correct permission to have access to push a release + .... + ``` + You can delete the lines, that refer to PRs of the release process itself. We only need to list the feature/bugfix PRs. + - Now you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, its possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links. 
+ + ``` + #!/usr/bin/bash + + file="$1" + + while read -r line; do + pr_num=`echo "$line" | cut -f1` + pr_title=`echo "$line" | cut -f2` + echo "[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title" + done <$file + + ``` + - If you saved the bash script content above, in a file called `prlist_to_changelog.sh`, then you could execute a command like this to get your prlist in a text file called changelog_content.txt;` + + ``` + prlist_to_changelog.sh prlist.txt > changelog_content.txt` + ``` ### d. Edit the values.yaml and run helm-docs - [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml) @@ -182,7 +224,7 @@ Promoting the images basically means that images, that were pushed to staging co git diff --exit-code rm -f ./helm-docs ``` - Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not not checking the new README.md manually etc. + Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not checking the new README.md manually etc. ### e. Edit the static manifests 
@@ -223,46 +265,16 @@ Promoting the images basically means that images, that were pushed to staging co ### f. Edit the changelog [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md) -- Add the PRs merged after previous release -- If you use the github cli https://cli.github.com/, then that is one useful command to get this list of PRs -- One way of using gh cli and getting the list of PRs for changelog is described below - - Install and configure github cli as per the docs of gh-cli - - Change dir to your clone, of your fork, of the ingress-nginx project - - Run the below command and save the output to a txt file - - ``` - gh pr list -s merged -L 38 -B main | cut -f1,2 > ~/tmp/prlist.txt - ``` - - The -L 38 was used for 2 reasons. - - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1. - - The other reason to use -L 38 was to ommit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs. - - Then use some easy automation in bash/python/whathaveyou to get the PR-List that can be used in the changelog - - I save output of above command to a file called prlist.txt. It looks somewhat like this ; - - ``` - % cat ~/Downloads/prlist.txt - 8129 fix syntax in docs for multi-tls example - 8120 Update go in runner and release v1.1.1 - 8119 Update to go v1.17.6 - 8118 Remove deprecated libraries, update other libs - 8117 Fix codegen errors - 8115 chart/ghaction: set the correct permission to have access to push a release - .... - ``` - - Then I use the bash scripty way seen below to convert those PR numbers into links. 
If I saved the below content in a script called prlist_to_changelog.sh, then I run the command `prlist_to_changelog.sh prlist.txt` - - ``` - #!/usr/bin/bash - - file="$1" - - while read -r line; do - pr_num=`echo "$line" | cut -f1` - pr_title=`echo "$line" | cut -f2` - echo "[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title" - done <$file - - ``` +- Each time a release is made, a new section is added to the Changelog.md file +- A new section in the Changelog.md file consists of 3 components listed below + - the "Image" + - the "Description" + - the "PRs list" +- Look at the previous content to understand what the 3 components look like. +- You can easily get the "Image" from a yaml manifest but be sure to look at a manifest in your git clone now and not the upstream on github. This is because, if you are following this documentation, then you generated manifests with new updated digest for the image, in step 4e above. You also most likely promoted the new image in a step above. Look at the previous release section in Changelog.md. The format looks like `k8s.gcr.io/ingress-nginx/controller:.......`. One example of a yaml file to look at is /deploy/static/provider/baremetal/deploy.yaml (in your git clone branch and not on the upstream). +- Next, you need to have a good overview of the changes introduced in this release and based on that you write a description. Look at previous descriptions. Ask the ingress-nginx-dev channel if required. +- And then you need to add a list of the PRs merged, since the previous release. +- One process to generate this list of PRs is already described above in step 4c. So if you are following this document, then you have done this already and very likely have retained the file containing the list of PRs, in the format that is needed. ### g. Edit the Documentation: - Update the version in [docs/deploy/index.md](docs/deploy/index.md) 
@@ -296,3 +308,6 @@ Promoting the images basically means that images, that were pushed to staging co - Release to github - Edit the ghpages file as needed + +## TODO +- Automate & simplify as much as possible, whenever possible, however possible From c0098f305c05a79d2df5d58aed07138fd454fa3a Mon Sep 17 00:00:00 2001 From: serge-r Date: Sat, 15 Jan 2022 08:27:41 +0700 Subject: [PATCH 0003/1606] Add ability to use custom prometheus buckets (#7171) --- cmd/nginx/flags.go | 12 ++++++++++++ cmd/nginx/main.go | 2 +- internal/ingress/controller/controller.go | 2 ++ internal/ingress/metric/collectors/socket.go | 18 +++++++++++++++--- .../ingress/metric/collectors/socket_test.go | 13 ++++++++++++- internal/ingress/metric/main.go | 4 ++-- 6 files changed, 44 insertions(+), 7 deletions(-) diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go index 72a2bfb8d..f9d6702fe 100644 --- a/cmd/nginx/flags.go +++ b/cmd/nginx/flags.go @@ -22,6 +22,7 @@ import ( "os" "time" + "github.com/prometheus/client_golang/prometheus" "github.com/spf13/pflag" apiv1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/labels" @@ -29,6 +30,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/controller" ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config" "k8s.io/ingress-nginx/internal/ingress/controller/ingressclass" + "k8s.io/ingress-nginx/internal/ingress/metric/collectors" "k8s.io/ingress-nginx/internal/ingress/status" ing_net "k8s.io/ingress-nginx/internal/net" "k8s.io/ingress-nginx/internal/nginx" 
@@ -161,6 +163,9 @@ Requires the update-status parameter.`) `Enables the collection of NGINX metrics`) metricsPerHost = flags.Bool("metrics-per-host", true, `Export metrics per-host`) + timeBuckets = flags.Float64Slice("time-buckets", prometheus.DefBuckets, "Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime") + lengthBuckets = flags.Float64Slice("length-buckets", prometheus.LinearBuckets(10, 10, 10), "Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength") + sizeBuckets = flags.Float64Slice("size-buckets", prometheus.ExponentialBuckets(10, 10, 7), "Set of buckets which will be used for prometheus histogram metrics such as BytesSent") monitorMaxBatchSize = flags.Int("monitor-max-batch-size", 10000, "Max batch size of NGINX metrics") httpPort = flags.Int("http-port", 80, `Port to use for servicing HTTP traffic.`) @@ -283,6 +288,12 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g } } + var histogramBuckets = &collectors.HistogramBuckets{ + TimeBuckets: *timeBuckets, + LengthBuckets: *lengthBuckets, + SizeBuckets: *sizeBuckets, + } + ngx_config.EnableSSLChainCompletion = *enableSSLChainCompletion config := &controller.Configuration{ @@ -293,6 +304,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g EnableProfiling: *profiling, EnableMetrics: *enableMetrics, MetricsPerHost: *metricsPerHost, + MetricsBuckets: histogramBuckets, MonitorMaxBatchSize: *monitorMaxBatchSize, DisableServiceExternalName: *disableServiceExternalName, EnableSSLPassthrough: *enableSSLPassthrough, diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index fb87ad84a..cbfca547c 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go 
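Review bot: The values of `--time-buckets`, `--length-buckets` and `--size-buckets` go straight into `collectors.HistogramBuckets` in the `@@ -283,6 +288,12 @@` hunk with no validation visible here. client_golang panics when histogram buckets are not strictly increasing, so an unsorted or duplicated value would crash the controller at start-up instead of producing a flag error, and an empty slice silently falls back to `prometheus.DefBuckets` for all three metric families. I would check each slice right after parsing and return an error from the flag-parsing function, e.g. `if !sort.Float64sAreSorted(*timeBuckets) { return false, nil, fmt.Errorf("--time-buckets must be sorted in increasing order") }`, assuming the enclosing function returns an error as its last value (its signature is outside the hunk). The help strings could also say that every extra bucket adds one time series per label combination, which matters with `--metrics-per-host` enabled.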
@@ -133,7 +133,7 @@ func main() { mc := metric.NewDummyCollector() if conf.EnableMetrics { - mc, err = metric.NewCollector(conf.MetricsPerHost, reg, conf.IngressClassConfiguration.Controller) + mc, err = metric.NewCollector(conf.MetricsPerHost, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets) if err != nil { klog.Fatalf("Error creating prometheus collector: %v", err) } diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 7c200bd8f..a4ae4217c 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -41,6 +41,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/controller/ingressclass" "k8s.io/ingress-nginx/internal/ingress/controller/store" "k8s.io/ingress-nginx/internal/ingress/errors" + "k8s.io/ingress-nginx/internal/ingress/metric/collectors" "k8s.io/ingress-nginx/internal/k8s" "k8s.io/ingress-nginx/internal/nginx" "k8s.io/klog/v2" @@ -97,6 +98,7 @@ type Configuration struct { EnableMetrics bool MetricsPerHost bool + MetricsBuckets *collectors.HistogramBuckets FakeCertificate *ingress.SSLCert diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go index 8fec7dded..a220d1456 100644 --- a/internal/ingress/metric/collectors/socket.go +++ b/internal/ingress/metric/collectors/socket.go @@ -56,6 +56,13 @@ type socketData struct { Path string `json:"path"` } +// HistogramBuckets allow customizing prometheus histogram buckets values +type HistogramBuckets struct { + TimeBuckets []float64 + LengthBuckets []float64 + SizeBuckets []float64 +} + // SocketCollector stores prometheus metrics and ingress meta-data type SocketCollector struct { prometheus.Collector @@ -79,6 +86,8 @@ type SocketCollector struct { hosts sets.String metricsPerHost bool + + buckets HistogramBuckets } var ( 
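Review bot: `*conf.MetricsBuckets` in the main.go hunk dereferences a pointer field that is nil in the zero value of `controller.Configuration`, so any code path that builds a Configuration without going through the new flags.go assignment would panic here. The flags.go hunk in this commit always sets it, so this is a latent risk rather than a visible crash. Storing the struct by value removes the nil case entirely: declare the field as `MetricsBuckets collectors.HistogramBuckets` and pass `conf.MetricsBuckets`. The bodies of `main` and the `Configuration` struct continue outside these hunks.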
@@ -101,7 +110,7 @@ var defObjectives = map[float64]float64{0.5: 0.05, 0.9: 0.01, 0.99: 0.001} // NewSocketCollector creates a new SocketCollector instance using // the ingress watch namespace and class used by the controller -func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*SocketCollector, error) { +func NewSocketCollector(pod, namespace, class string, metricsPerHost bool, buckets HistogramBuckets) (*SocketCollector, error) { socket := "/tmp/prometheus-nginx.socket" // unix sockets must be unlink()ed before being used _ = syscall.Unlink(socket) @@ -138,6 +147,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc Help: "The time spent on receiving the response from the upstream server", Namespace: PrometheusNamespace, ConstLabels: constLabels, + Buckets: buckets.TimeBuckets, }, requestTags, ), @@ -147,6 +157,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc Help: "The response length (including request line, header, and request body)", Namespace: PrometheusNamespace, ConstLabels: constLabels, + Buckets: buckets.LengthBuckets, }, requestTags, ), @@ -157,6 +168,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc Help: "The request processing time in milliseconds", Namespace: PrometheusNamespace, ConstLabels: constLabels, + Buckets: buckets.TimeBuckets, }, requestTags, ), @@ -165,7 +177,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc Name: "request_size", Help: "The request length (including request line, header, and request body)", Namespace: PrometheusNamespace, - Buckets: prometheus.LinearBuckets(10, 10, 10), // 10 buckets, each 10 bytes wide. + Buckets: buckets.LengthBuckets, ConstLabels: constLabels, }, requestTags, 
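Review bot: The `@@ -147,6 +157,7 @@` hunk gives the response-length histogram `Buckets: buckets.LengthBuckets`, where the old side shows no `Buckets` field, so that metric appears to move from the library default buckets to the `--length-buckets` default of `prometheus.LinearBuckets(10, 10, 10)`. That changes the `le` boundaries of an existing metric for every user who does not pass the flag, which breaks dashboards and alert rules built on the old boundaries, and a 10 to 100 byte range is unlikely to be useful for response sizes. Either keep the previous default for this metric or call the change out in the changelog. The doc comment on `NewSocketCollector` should also describe the new `buckets` parameter, for example `// buckets sets the histogram boundaries for the time, length and size metrics`.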
@@ -186,7 +198,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc Name: "bytes_sent", Help: "The number of bytes sent to a client", Namespace: PrometheusNamespace, - Buckets: prometheus.ExponentialBuckets(10, 10, 7), // 7 buckets, exponential factor of 10. + Buckets: buckets.SizeBuckets, ConstLabels: constLabels, }, requestTags, diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go index 6ab972f58..3b124efa0 100644 --- a/internal/ingress/metric/collectors/socket_test.go +++ b/internal/ingress/metric/collectors/socket_test.go @@ -68,6 +68,17 @@ func TestNewUDPLogListener(t *testing.T) { } func TestCollector(t *testing.T) { + + buckets := struct { + TimeBuckets []float64 + LengthBuckets []float64 + SizeBuckets []float64 + }{ + prometheus.DefBuckets, + prometheus.LinearBuckets(10, 10, 10), + prometheus.ExponentialBuckets(10, 10, 7), + } + cases := []struct { name string data []string @@ -338,7 +349,7 @@ func TestCollector(t *testing.T) { t.Run(c.name, func(t *testing.T) { registry := prometheus.NewPedanticRegistry() - sc, err := NewSocketCollector("pod", "default", "ingress", true) + sc, err := NewSocketCollector("pod", "default", "ingress", true, buckets) if err != nil { t.Errorf("%v: unexpected error creating new SocketCollector: %v", c.name, err) } diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go index 0cc07fe28..644a9b690 100644 --- a/internal/ingress/metric/main.go +++ b/internal/ingress/metric/main.go 
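Review bot: TestCollector in socket_test.go only passes the three default bucket sets, so nothing exercises a non-default or malformed bucket list. The anonymous struct also repeats the field list of the type added in socket.go; `buckets := HistogramBuckets{TimeBuckets: prometheus.DefBuckets, LengthBuckets: prometheus.LinearBuckets(10, 10, 10), SizeBuckets: prometheus.ExponentialBuckets(10, 10, 7)}` says the same with the named type. One extra case with custom buckets that asserts the exported `le` boundaries would cover the new wiring. The test function body continues outside the hunk.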
@@ -68,7 +68,7 @@ type collector struct { } // NewCollector creates a new metric collector the for ingress controller -func NewCollector(metricsPerHost bool, registry *prometheus.Registry, ingressclass string) (Collector, error) { +func NewCollector(metricsPerHost bool, registry *prometheus.Registry, ingressclass string, buckets collectors.HistogramBuckets) (Collector, error) { podNamespace := os.Getenv("POD_NAMESPACE") if podNamespace == "" { podNamespace = "default" @@ -86,7 +86,7 @@ func NewCollector(metricsPerHost bool, registry *prometheus.Registry, ingresscla return nil, err } - s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost) + s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost, buckets) if err != nil { return nil, err } From 15b0aba03b700daacf0e9a3f5154ca1b9f77ee18 Mon Sep 17 00:00:00 2001 
From: Damien Mathieu <42@dmathieu.com> Date: Sun, 16 Jan 2022 22:33:28 +0100 Subject: [PATCH 0004/1606] First sidecar module: OpenTelemetry (#8013) * remove opentelemetry from main nginx image * add opentelemetry sidecar image * handle extra modules in helm chart * fix running helm chart * mount the modules volume in the init container * merge the mounted folder * fix the otel image * fix licence year * fix cloudbuild image * use the same nginx version as in the main image * only retrieve /etc/nginx/modules for now --- .../ci/daemonset-extra-modules.yaml | 10 ++ .../ci/deployment-extra-modules.yaml | 10 ++ .../templates/controller-daemonset.yaml | 28 ++++- .../templates/controller-deployment.yaml | 29 ++++- charts/ingress-nginx/values.yaml | 9 ++ images/nginx/rootfs/Dockerfile | 2 + images/nginx/rootfs/build.sh | 45 ------- images/nginx/rootfs/entrypoint.sh | 27 +++++ images/opentelemetry/Makefile | 57 +++++++++ images/opentelemetry/README.md | 5 + images/opentelemetry/cloudbuild.yaml | 24 ++++ images/opentelemetry/rootfs/Dockerfile | 28 +++++ images/opentelemetry/rootfs/build.sh | 111 ++++++++++++++++++ images/opentelemetry/rootfs/init_module.sh | 21 ++++ 14 files changed, 353 insertions(+), 53 deletions(-) create mode 100644 charts/ingress-nginx/ci/daemonset-extra-modules.yaml create mode 100644 charts/ingress-nginx/ci/deployment-extra-modules.yaml create mode 100644 images/nginx/rootfs/entrypoint.sh create mode 100644 images/opentelemetry/Makefile create mode 100644 images/opentelemetry/README.md create mode 100644 images/opentelemetry/cloudbuild.yaml create mode 100644 images/opentelemetry/rootfs/Dockerfile create mode 100755 images/opentelemetry/rootfs/build.sh create mode 100755 images/opentelemetry/rootfs/init_module.sh diff --git a/charts/ingress-nginx/ci/daemonset-extra-modules.yaml b/charts/ingress-nginx/ci/daemonset-extra-modules.yaml new file mode 100644 index 000000000..f299dbf1c --- /dev/null +++ b/charts/ingress-nginx/ci/daemonset-extra-modules.yaml 
@@ -0,0 +1,10 @@ +controller: + kind: DaemonSet + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + service: + type: ClusterIP + extraModules: + - name: opentelemetry + image: busybox diff --git a/charts/ingress-nginx/ci/deployment-extra-modules.yaml b/charts/ingress-nginx/ci/deployment-extra-modules.yaml new file mode 100644 index 000000000..ec5923548 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-extra-modules.yaml @@ -0,0 +1,10 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + service: + type: ClusterIP + extraModules: + - name: opentelemetry + image: busybox diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index 365a3cea7..72811fbe4 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -143,8 +143,12 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} volumeMounts: + {{- if .Values.controller.extraModules }} + - name: modules + mountPath: /modules_mount + {{- end }} {{- if .Values.controller.customTemplate.configMapName }} - mountPath: /etc/nginx/template name: nginx-template-volume 
@@ -165,8 +169,20 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - {{- if .Values.controller.extraInitContainers }} - initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + + + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} + initContainers: + {{- if .Values.controller.extraInitContainers }} + {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.extraModules }} + {{- range .Values.controller.extraModules }} + - name: {{ .Name }} + image: {{ .Image }} + command: ['sh', '-c', '/usr/local/bin/init_module.sh'] + {{- end }} + {{- end }} {{- end }} {{- if .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }} @@ -185,8 +201,12 @@ spec: {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} volumes: + {{- if .Values.controller.extraModules }} + - name: modules + emptyDir: {} + {{- end }} {{- if .Values.controller.customTemplate.configMapName }} - name: nginx-template-volume configMap: diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 2c0641bb5..a1943cd91 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml 
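Review bot: The DaemonSet init-container block in the `@@ -165,8 +169,20 @@` hunk reads `{{ .Name }}` and `{{ .Image }}`, but the values keys are lowercase `name` and `image` (see the ci values files and the Deployment template in this same commit), so the rendered init container gets no usable name or image. The block also omits the `volumeMounts` entry for the `modules` volume that the Deployment template has, so even with the keys fixed `init_module.sh` would have no shared volume to write into and the controller would start without the module. The proposal below brings the DaemonSet in line with the Deployment. Indentation in the fence is approximate and should follow the surrounding template.

```yaml
        {{- range .Values.controller.extraModules }}
        - name: {{ .name }}
          image: {{ .image }}
          command: ['sh', '-c', '/usr/local/bin/init_module.sh']
          volumeMounts:
            - name: modules
              mountPath: /modules_mount
        # … unchanged: closing range/if blocks …
```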
@@ -140,8 +140,12 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} volumeMounts: + {{- if .Values.controller.extraModules }} + - name: modules + mountPath: /modules_mount + {{- end }} {{- if .Values.controller.customTemplate.configMapName }} - mountPath: /etc/nginx/template name: nginx-template-volume @@ -162,8 +166,21 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - {{- if .Values.controller.extraInitContainers }} - initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} + initContainers: + {{- if .Values.controller.extraInitContainers }} + {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.extraModules }} + {{- range .Values.controller.extraModules }} + - name: {{ .name }} + image: {{ .image }} + command: ['sh', '-c', '/usr/local/bin/init_module.sh'] + volumeMounts: + - name: modules + mountPath: /modules_mount + {{- end }} + {{- end }} {{- end }} {{- if .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }} 
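Review bot: The init container rendered per `extraModules` entry in the `@@ -162,8 +166,21 @@` hunk sets only name, image, command and volumeMounts, so it runs with whatever user and privileges the module image defaults to and has no `securityContext` or `resources`. Its only job is to copy files into the `modules` emptyDir, so a restrictive default would cost nothing, for example `securityContext: { allowPrivilegeEscalation: false }` on each rendered container, with a per-module override if needed. The same applies to the DaemonSet template. `command: ['/usr/local/bin/init_module.sh']` would also avoid depending on `sh` in the module image.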
@@ -182,8 +199,12 @@ spec: {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} volumes: + {{- if .Values.controller.extraModules }} + - name: modules + emptyDir: {} + {{- end }} {{- if .Values.controller.customTemplate.configMapName }} - name: nginx-template-volume configMap: diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 93096dda1..a030ff2db 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -559,6 +559,15 @@ controller: # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + extraModules: [] + ## Modules, which are mounted into the core nginx image + # - name: opentelemetry + # image: busybox + # + # The image must contain a `/usr/local/bin/init_module.sh` executable, which + # will be executed as initContainers, to move its config files within the + # mounted volume. + admissionWebhooks: annotations: {} # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index 4893f3c54..a9e180315 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile 
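Review bot: The `extraModules` comment block in values.yaml does not tell operators that each listed image is executed as an init container and that the files it leaves in the shared volume are copied into `/etc/nginx/modules` by the controller's entrypoint, which makes the image part of the controller's trusted code. The example `image: busybox` is an unpinned tag. I would add a line such as `# Pin each module image by digest (repo@sha256:<digest>); its files are loaded as NGINX modules by the controller.` and use a digest-pinned reference in the example.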
@@ -33,6 +33,7 @@ ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" COPY --from=builder /usr/local /usr/local COPY --from=builder /opt /opt COPY --from=builder /etc/nginx /etc/nginx +COPY --from=builder entrypoint.sh /usr/local/entrypoint.sh RUN apk update \ && apk upgrade \ @@ -72,4 +73,5 @@ RUN apk update \ EXPOSE 80 443 +ENTRYPOINT ["/usr/local/entrypoint.sh"] CMD ["nginx", "-g", "daemon off;"] diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 1aa655523..bee2561d0 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -35,12 +35,6 @@ export NGINX_DIGEST_AUTH=1.0.0 # Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master export NGINX_SUBSTITUTIONS=b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0 -# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.0.0...main -export OPENTELEMETRY_CPP_VERSION=1.0.0 - -# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/c655b8...main -export OPENTELEMETRY_CONTRIB_COMMIT=c655b849f017a5363085a4b4e6fcae8a4b7621ad - # Check for recent changes: https://github.com/opentracing-contrib/nginx-opentracing/compare/v0.19.0...master export NGINX_OPENTRACING_VERSION=0.19.0 @@ -144,11 +138,6 @@ if [[ ${ARCH} == "s390x" ]]; then export LUA_STREAM_NGX_VERSION=0.0.7 fi -export USE_OPENTELEMETRY=true -if [[ ${ARCH} == "s390x" ]] || [[ ${ARCH} == "armv7l" ]]; then - export USE_OPENTELEMETRY=false -fi - get_src() { hash="$1" 
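Review bot: The new `ENTRYPOINT ["/usr/local/entrypoint.sh"]` is exec-form, but entrypoint.sh is added later in this commit with `new file mode 100644`, while the OpenTelemetry scripts are created as 100755. Unless a step outside these hunks sets the executable bit, the container would fail to start with a permission error. Either commit the file as 100755 or add `RUN chmod +x /usr/local/entrypoint.sh` after the COPY. The script's `#!/bin/bash` shebang also requires bash in the final stage; the package list of that stage is outside the hunk, so please confirm it is installed there.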
@@ -226,9 +215,6 @@ get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \ "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" -get_src 37b2a2abf75e865449ff1425cee96dbd74659ac0c612c84ee5f381244360cab2 \ - "https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/$OPENTELEMETRY_CONTRIB_COMMIT.tar.gz" - get_src 6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17 \ "https://github.com/opentracing-contrib/nginx-opentracing/archive/v$NGINX_OPENTRACING_VERSION.tar.gz" @@ -482,32 +468,6 @@ cmake -DCMAKE_BUILD_TYPE=Release \ make make install -if [ $USE_OPENTELEMETRY = true ]; then - # build opentelemetry lib - apk add protobuf-dev \ - grpc \ - grpc-dev \ - gtest-dev \ - c-ares-dev - - cd $BUILD_PATH - git clone --recursive https://github.com/open-telemetry/opentelemetry-cpp opentelemetry-cpp-$OPENTELEMETRY_CPP_VERSION - cd "opentelemetry-cpp-$OPENTELEMETRY_CPP_VERSION" - git checkout v$OPENTELEMETRY_CPP_VERSION - mkdir .build - cd .build - - cmake -DCMAKE_BUILD_TYPE=Release \ - -DBUILD_TESTING=OFF \ - -DWITH_EXAMPLES=OFF \ - -DCMAKE_POSITION_INDEPENDENT_CODE=ON \ - -DWITH_OTLP=ON \ - -DWITH_OTLP_HTTP=OFF \ - .. - make - make install -fi - # Get Brotli source and deps cd "$BUILD_PATH" git clone --depth=1 https://github.com/google/ngx_brotli.git @@ -675,11 +635,6 @@ WITH_MODULES=" \ --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \ --add-dynamic-module=$BUILD_PATH/ngx_brotli" -if [ $USE_OPENTELEMETRY = true ]; then - WITH_MODULES+=" \ - --add-dynamic-module=$BUILD_PATH/opentelemetry-cpp-contrib-$OPENTELEMETRY_CONTRIB_COMMIT/instrumentation/nginx" -fi - ./configure \ --prefix=/usr/local/nginx \ --conf-path=/etc/nginx/nginx.conf \ diff --git a/images/nginx/rootfs/entrypoint.sh b/images/nginx/rootfs/entrypoint.sh new file mode 100644 index 000000000..9479831f1 --- /dev/null 
+++ b/images/nginx/rootfs/entrypoint.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +# Copyright 2022 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +if [ -d "/modules_mount/etc/nginx/modules" ]; then + for dir in /modules_mount/etc/nginx/modules/*; do + cp "$dir"/* "/etc/nginx/modules/$(basename "$dir")" + done +fi + +exec "$@" diff --git a/images/opentelemetry/Makefile b/images/opentelemetry/Makefile new file mode 100644 index 000000000..bc5876525 --- /dev/null +++ b/images/opentelemetry/Makefile 
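Review bot: The copy loop in entrypoint.sh can abort container start-up under `set -o errexit`: when `/modules_mount/etc/nginx/modules` exists but is empty, the unmatched glob is passed to `cp` literally and fails, and when the destination directory `/etc/nginx/modules/<name>` does not exist, `cp` of several files fails or, for a single file, creates a file with the directory's name. The loop also copies whatever an init container left in the volume into the directory NGINX loads modules from, so it is worth restricting it to directories and logging what is installed. The version below skips non-directories, creates the destination and copies the directory contents; it assumes one sub-directory per module, which is what the original loop implies.

```shell
# … unchanged: license header and set -o options …
if [ -d "/modules_mount/etc/nginx/modules" ]; then
  for dir in /modules_mount/etc/nginx/modules/*/; do
    [ -d "$dir" ] || continue   # glob matched nothing
    dest="/etc/nginx/modules/$(basename "$dir")"
    mkdir -p "$dest"
    echo "installing extra module files from $dir into $dest"
    cp -R "$dir". "$dest"/
  done
fi
# … unchanged: exec "$@" …
```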
@@ -0,0 +1,57 @@ +# Copyright 2021 The Kubernetes Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +.DEFAULT_GOAL:=build + +# set default shell +SHELL=/bin/bash -o pipefail -o errexit + +DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) +INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh + +# 0.0.0 shouldn't clobber any released builds +TAG ?= 0.0 +REGISTRY ?= gcr.io/k8s-staging-ingress-nginx + +IMAGE = $(REGISTRY)/opentelemetry + +# required to enable buildx +export DOCKER_CLI_EXPERIMENTAL=enabled + +# build with buildx +PLATFORMS?=linux/amd64,linux/arm +OUTPUT= +PROGRESS=plain +build: ensure-buildx + docker buildx build \ + --platform=${PLATFORMS} $(OUTPUT) \ + --progress=$(PROGRESS) \ + --pull \ + --tag $(IMAGE):$(TAG) rootfs + +# push the cross built image +push: OUTPUT=--push +push: build + +# enable buildx +ensure-buildx: +# this is required for cloudbuild +ifeq ("$(wildcard $(INIT_BUILDX))","") + @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash +else + @exec $(INIT_BUILDX) +endif + @echo "done" + +.PHONY: build push ensure-buildx diff --git a/images/opentelemetry/README.md b/images/opentelemetry/README.md new file mode 100644 index 000000000..f5c3d90de --- /dev/null +++ b/images/opentelemetry/README.md 
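Review bot: The `ensure-buildx` target pipes `https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh` into bash when the local script is missing, so the image build executes whatever is on the `main` branch at that moment, with no integrity check. Since the script lives in this repository, the fallback branch could fail instead with `$(error hack/init-buildx.sh not found; run from a full checkout)`, or the URL could be pinned to a commit SHA and the download verified against a recorded checksum before running it. Two smaller points: the comment says `0.0.0` while the default is `TAG ?= 0.0`, and `PLATFORMS` lists only `linux/amd64,linux/arm` although the cloudbuild.yaml comment in this commit mentions arm64 and s390x as well.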
@@ -0,0 +1,5 @@
+# OpenTelemetry library builder
+
+**How to use this image:**
+This image only contains the necessary files in /usr/local and /etc/nginx/opentelemetry to
+be copied to Ingress Controller deployment when OpenTelemetry is enabled
diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml
new file mode 100644
index 000000000..d507b8f1a
--- /dev/null
+++ b/images/opentelemetry/cloudbuild.yaml
@@ -0,0 +1,24 @@
+timeout: 10800s
+options:
+ substitution_option: ALLOW_LOOSE
+ # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
+ machineType: N1_HIGHCPU_32
+steps:
+ - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
+ entrypoint: bash
+ env:
+ - DOCKER_CLI_EXPERIMENTAL=enabled
+ - TAG=$_GIT_TAG
+ - BASE_REF=$_PULL_BASE_REF
+ - REGISTRY=gcr.io/k8s-staging-ingress-nginx
+ # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx
+ # set the home to /root explicitly to if using docker buildx
+ - HOME=/root
+ args:
+ - -c
+ - |
+ gcloud auth configure-docker \
+ && make push
+substitutions:
+ _GIT_TAG: "12345"
+ _PULL_BASE_REF: "master"
diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile
new file mode 100644
index 000000000..bef5b5562
--- /dev/null
+++ b/images/opentelemetry/rootfs/Dockerfile
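Review bot: In images/opentelemetry/cloudbuild.yaml the comment under `options` says the job builds for amd64, arm, arm64 and s390x, but the Makefile added in this patch defaults to `PLATFORMS?=linux/amd64,linux/arm` and the step's `env` does not override it. Either set `PLATFORMS` in `env` or reword the comment to `# job builds a multi-arch docker image for amd64 and arm.` so the file documents what is actually published.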
@@ -0,0 +1,28 @@
+# Copyright 2021 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+FROM alpine:3.14.2 as builder
+
+COPY . /
+
+RUN apk update \
+ && apk upgrade \
+ && apk add -U bash \
+ && /build.sh
+
+FROM busybox:latest
+
+COPY --from=builder init_module.sh /usr/local/bin/init_module.sh
+COPY --from=builder /etc/nginx/modules /etc/nginx/modules
diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh
new file mode 100755
index 000000000..60ace8bae
--- /dev/null
+++ b/images/opentelemetry/rootfs/build.sh
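Review bot: In images/opentelemetry/rootfs/Dockerfile the final stage uses `FROM busybox:latest`, a mutable tag, while the builder stage is pinned to `alpine:3.14.2`. The contents of the published image can then change between builds without any change in this repository; pin the runtime base as well, e.g. `FROM busybox:<version>@sha256:<digest>`. `COPY . /` also places the whole build context at the builder's root, so copying only `build.sh` and `init_module.sh` (or adding a `.dockerignore`) would keep stray files out of the build.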
@@ -0,0 +1,111 @@ +#!/bin/bash + +# Copyright 2021 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +export NGINX_VERSION=1.19.9 + +# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.0.0...main +export OPENTELEMETRY_CPP_VERSION=1.0.0 + +# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/f4850...main +export OPENTELEMETRY_CONTRIB_COMMIT=f48500884b1b32efc456790bbcdc2e6cf7a8e630 + +export BUILD_PATH=/tmp/build + +rm -rf \ + /var/cache/debconf/* \ + /var/lib/apt/lists/* \ + /var/log/* \ + /tmp/* \ + /var/tmp/* + + +mkdir -p /etc/nginx +mkdir --verbose -p "$BUILD_PATH" +cd "$BUILD_PATH" + +apk add \ + curl \ + git \ + build-base + +get_src() +{ + hash="$1" + url="$2" + f=$(basename "$url") + + echo "Downloading $url" + + curl -sSL "$url" -o "$f" + echo "$hash $f" | sha256sum -c - || exit 10 + tar xzf "$f" + rm -rf "$f" +} + + +get_src e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49 \ + "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" + +get_src 45c52498788e47131b20a4786dbb08f4390b8cb419bd3d61c88b503cafff3324 \ + "https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/$OPENTELEMETRY_CONTRIB_COMMIT.tar.gz" + +# improve compilation times +CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) + +export MAKEFLAGS=-j${CORES} + +apk add \ + protobuf-dev \ + grpc \ + grpc-dev \ + gtest-dev 
\ + c-ares-dev \ + pcre-dev + +cd $BUILD_PATH +git clone --recursive https://github.com/open-telemetry/opentelemetry-cpp opentelemetry-cpp-$OPENTELEMETRY_CPP_VERSION +cd "opentelemetry-cpp-$OPENTELEMETRY_CPP_VERSION" +git checkout v$OPENTELEMETRY_CPP_VERSION +mkdir .build +cd .build + +cmake -DCMAKE_BUILD_TYPE=Release \ + -DBUILD_TESTING=OFF \ + -DWITH_EXAMPLES=OFF \ + -DCMAKE_POSITION_INDEPENDENT_CODE=ON \ + -DWITH_OTLP=ON \ + -DWITH_OTLP_HTTP=OFF \ + .. +make +make install + +# build nginx +cd "$BUILD_PATH/nginx-$NGINX_VERSION" +./configure \ + --prefix=/usr/local/nginx \ + --with-compat \ + --add-dynamic-module=$BUILD_PATH/opentelemetry-cpp-contrib-$OPENTELEMETRY_CONTRIB_COMMIT/instrumentation/nginx + +make modules +mkdir -p /etc/nginx/modules +cp objs/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so + +# remove .a files +find /usr/local -name "*.a" -print | xargs /bin/rm diff --git a/images/opentelemetry/rootfs/init_module.sh b/images/opentelemetry/rootfs/init_module.sh new file mode 100755 index 000000000..f1e4b27d7 --- /dev/null +++ b/images/opentelemetry/rootfs/init_module.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright 2021 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +cp -R /etc/nginx/modules /modules_mount/etc/nginx/modules From 9cf5d951aaab5d55427aa0e72b316eaaa48bfe26 Mon Sep 17 00:00:00 2001 
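Review bot: In images/opentelemetry/rootfs/build.sh the nginx and opentelemetry-cpp-contrib tarballs go through `get_src` with a SHA-256 check, but opentelemetry-cpp is fetched with `git clone --recursive` followed by `git checkout v$OPENTELEMETRY_CPP_VERSION`, which verifies nothing and follows a tag that can be moved. The submodules are populated at the clone's default branch before the checkout and are not updated afterwards. Checking out a pinned commit, `git checkout "<pinned-commit-sha>"`, and then running `git submodule update --init --recursive` would give this dependency the same integrity guarantee as the others. Also, `CORES` is the processor count minus one, so on a single-CPU builder `MAKEFLAGS` becomes `-j0`, which make rejects.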
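Review bot: In images/opentelemetry/rootfs/init_module.sh the result of `cp -R /etc/nginx/modules /modules_mount/etc/nginx/modules` depends on whether the destination already exists: if it does, the files land one level deeper, under `modules/modules`. The entrypoint loop added earlier in this patch iterates subdirectories of that path, so it appears to rely on the nested layout. A comment above the `cp` stating the expected mount point and the resulting layout, for example `# destination is an existing volume mount; modules end up in .../modules/modules`, would make that contract explicit. The wording should be confirmed against the deployment manifest, which is not part of this hunk.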
From: =?UTF-8?q?Ga=C3=A9tan=20Collaud?= Date: Sun, 16 Jan 2022 22:37:28 +0100 Subject: [PATCH 0005/1606] jwt accomodation (#8126) --- docs/examples/customization/jwt/README.md | 48 +++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 docs/examples/customization/jwt/README.md diff --git a/docs/examples/customization/jwt/README.md b/docs/examples/customization/jwt/README.md new file mode 100644 index 000000000..a751ccb7b --- /dev/null +++ b/docs/examples/customization/jwt/README.md 
@@ -0,0 +1,48 @@ +# Accommodation for JWT + +JWT (short for Json Web Token) is an authentication method widely used. Basically an authentication server generates +a JWT and you then use this token in every request you make to a backend service. The JWT can be quite big and is +present in every http headers. This means you may have to adapt the max-header size of your nginx-ingress in order +to support it. + +## Symptoms + +If you use JWT and you get http 502 error from your ingress, it may be a sign that the buffer size is not big enough. + +To be 100% sure look at the logs of the `ingress-nginx-controller` pod, you should see something like this: + +``` +upstream sent too big header while reading response header from upstream... +``` + + +## Increase buffer size for headers + +In nginx, we want to modify the property `proxy-buffer-size`. The size is arbitrary. It depends on your needs. Be aware +that a high value can lower the performance of your ingress proxy. In general a value of 16k should get you covered. + +### Using helm +If you're using helm you can simply use the [`config` properties](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml#L37). +```yaml + # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + config: + proxy-buffer-size: 16k +``` + +## Manually in kubernetes config files + +If you use an already generated config from for a provider, you will have to change the `controller-configmap.yaml` + +```yaml +--- +# Source: ingress-nginx/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +# ... +data: + #... + proxy-buffer-size: "16k" +``` + +References: + * [Custom Configuration](../custom-configuration/) \ No newline at end of file From ae6ab1d5ed705b9721a587bb18c3883f7ecffbdc Mon Sep 17 00:00:00 2001 
From: Ricardo Katz Date: Sun, 16 Jan 2022 19:08:06 -0300 Subject: [PATCH 0006/1606] use github token for docs --- .github/workflows/docs.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 4fdff33d2..420808443 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -37,6 +37,9 @@ jobs: (github.repository == 'kubernetes/ingress-nginx') && (needs.changes.outputs.docs == 'true') + permissions: + contents: write # needed to write releases + steps: - name: Checkout master @@ -45,4 +48,4 @@ jobs: - name: Deploy uses: ./.github/actions/mkdocs env: - PERSONAL_TOKEN: ${{ secrets.PERSONAL_TOKEN }} + PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}" From 0bc01f7c35410ce5cb07ee86ab530e99ae352026 Mon Sep 17 00:00:00 2001 From: Alois Date: Sun, 16 Jan 2022 17:17:28 -0500 Subject: [PATCH 0007/1606] Updating from/to www redirect to use X-Forwarded-Proto (#7623) --- rootfs/etc/nginx/template/nginx.tmpl | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 954d07fd7..07e36925b 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl 
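Review bot: In .github/workflows/docs.yaml the new job-level `permissions` block is commented `# needed to write releases`, but this job deploys documentation through `./.github/actions/mkdocs`; the comment should name what the write scope is used for, presumably `contents: write # needed to push the generated docs`. The variable is still called `PERSONAL_TOKEN` although it now carries `secrets.GITHUB_TOKEN`, which will mislead anyone auditing which credential the action holds. Because the job runs a repository-local action with a write-scoped token, it is worth confirming that the workflow's triggers, which are outside this hunk, never run it against pull-request code.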
@@ -586,11 +586,17 @@ http { request_uri = string.sub(request_uri, 1, -2) end + {{ if $cfg.UseForwardedHeaders }} + local redirectScheme = ngx.var.http_x_forwarded_proto + {{ else }} + local redirectScheme = ngx.var.scheme + {{ end }} + {{ if ne $all.ListenPorts.HTTPS 443 }} {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }} - return string.format("%s://%s%s%s", ngx.var.scheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri) + return string.format("%s://%s%s%s", redirectScheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri) {{ else }} - return string.format("%s://%s%s", ngx.var.scheme, "{{ $redirect.To }}", request_uri) + return string.format("%s://%s%s", redirectScheme, "{{ $redirect.To }}", request_uri) {{ end }} } From 37326815882ad9a12886a0445217dde637fd0dc2 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Sun, 16 Jan 2022 23:29:28 +0100 Subject: [PATCH 0008/1606] Support additonal labels and all Kubernetes recommanded labels (#7186) * Add: Kubernetes recommanded labels Signed-off-by: Nicolas Lamirault * Add: support additional labels Signed-off-by: Nicolas Lamirault * Add: commonLabels default value Signed-off-by: Nicolas Lamirault --- charts/ingress-nginx/templates/_helpers.tpl | 4 ++++ charts/ingress-nginx/values.yaml | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 726224f18..a72af5d9d 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -88,7 +88,11 @@ helm.sh/chart: {{ include "ingress-nginx.chart" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} +app.kubernetes.io/part-of: {{ template "ingress-nginx.name" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.commonLabels}} +{{ toYaml .Values.commonLabels }} +{{- end }} {{- end -}} {{/* 
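Review bot: In rootfs/etc/nginx/template/nginx.tmpl, when `UseForwardedHeaders` is set the redirect scheme is taken verbatim from the `X-Forwarded-Proto` request header and formatted into the redirect target. That value is nil when the header is absent and is otherwise whatever the previous hop or the client sent, so the redirect can carry a missing or arbitrary scheme. Accept only the two expected values and fall back otherwise: `if redirectScheme ~= "http" and redirectScheme ~= "https" then redirectScheme = ngx.var.scheme end`. The enclosing Lua block starts outside this hunk.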
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index a030ff2db..d30c170b6 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -7,6 +7,12 @@ # nameOverride: # fullnameOverride: +## Labels to apply to all resources +## +commonLabels: {} +# scmhash: abc123 +# myLabel: aakkmd + controller: name: controller image: From 784f9c53bbf50aa49f8f6a82d951e95828b21f2f Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Mon, 17 Jan 2022 05:35:28 +0530 Subject: [PATCH 0009/1606] checking mkdocs & ghpages (#8150) --- docs/user-guide/basic-usage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user-guide/basic-usage.md b/docs/user-guide/basic-usage.md index 089c08b3e..2142121d2 100644 --- a/docs/user-guide/basic-usage.md +++ b/docs/user-guide/basic-usage.md @@ -6,7 +6,7 @@ First of all follow the instructions to install ingress-nginx. Then imagine that Let's say that you want to expose the first at `myServiceA.foo.org` and the second at `myServiceB.foo.org`. -If cluster version < 1.19 you can create two **ingress** resources like this: +If the cluster version is < 1.19, you can create two **ingress** resources like this: ``` apiVersion: networking.k8s.io/v1beta1 @@ -91,4 +91,4 @@ On many cloud providers ingress-nginx will also create the corresponding Load Ba kubectl get services -n ingress-nginx ``` -To test inside minikube refer to this documentation: [Set up Ingress on Minikube with the NGINX Ingress Controller](https://kubernetes.io/docs/tasks/access-application-cluster/ingress-minikube/) \ No newline at end of file +To test inside minikube refer to this documentation: [Set up Ingress on Minikube with the NGINX Ingress Controller](https://kubernetes.io/docs/tasks/access-application-cluster/ingress-minikube/) From 1614027cd42aa3fac53d62afc235b86adec7543d Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Sun, 16 Jan 2022 19:57:28 -0500 Subject: [PATCH 0010/1606] Minor documentation cleanup (#7826) * clarify link * Add section headers * console blocks * grpc example json was not valid * multi-tls update text The preceding point 1 related to https://github.com/kubernetes-retired/contrib/blob/4f2cb51ef82b4dddb625f6053ad132c1faf07aa1/ingress/controllers/nginx/examples/ingress.yaml and the deployments referenced in https://github.com/kubernetes-retired/contrib/blob/4f2cb51ef82b4dddb625f6053ad132c1faf07aa1/ingress/controllers/nginx/examples/README.md They are not relevant to the current instructions. * add whitespace around parens * grammar setup would be a proper noun, but it is not the intended concept, which is a state * grammar * is-only * via * Use bullets for choices * ingress-controller nginx is a distinct brand. generally this repo talks about ingress-controller, although it is quite inconsistent about how... * drop stray paren * OAuth is a brand and needs an article here also GitHub is a brand * Indent text under numbered lists * use e.g. * Document that customer header config maps changes do not trigger updates This should be removed if https://github.com/kubernetes/ingress-nginx/issues/5238 is fixed. * article * period * infinitive verb + period * clarify that the gRPC server is responsible for listening for TCP traffic and not some other part of the backend application * avoid using ; and reword * whitespace * brand: gRPC * only-does is the right form `for` adds nothing here * spelling: GitHub * punctuation `;` is generally not the right punctuation... 
* drop stray `to` * sentence * backticks * fix link * Improve readability of compare/vs * Renumber list * punctuation * Favor Ingress-NGINX and Ingress NGINX * Simplify custom header restart text * Undo typo damage Co-authored-by: Josh Soref --- README.md | 4 +- docs/e2e-tests.md | 2 +- docs/examples/affinity/cookie/README.md | 10 +- docs/examples/auth/basic/README.md | 14 ++- docs/examples/auth/client-certs/README.md | 21 ++-- docs/examples/auth/external-auth/README.md | 10 +- .../auth/oauth-external-auth/README.md | 40 +++--- .../configuration-snippets/README.md | 9 +- .../customization/custom-headers/README.md | 12 +- .../external-auth-headers/README.md | 10 +- .../customization/ssl-dh-param/README.md | 8 +- docs/examples/customization/sysctl/README.md | 2 +- docs/examples/docker-registry/README.md | 2 +- docs/examples/grpc/README.md | 30 ++--- docs/examples/multi-tls/README.md | 5 +- docs/examples/psp/README.md | 6 +- docs/examples/rewrite/README.md | 6 +- docs/examples/static-ip/README.md | 23 ++-- docs/how-it-works.md | 2 +- docs/index.md | 23 ++-- docs/kubectl-plugin.md | 8 +- docs/troubleshooting.md | 116 +++++++++--------- docs/user-guide/default-backend.md | 2 +- docs/user-guide/monitoring.md | 4 +- docs/user-guide/multiple-ingress.md | 4 +- .../nginx-configuration/configmap.md | 2 +- .../third-party-addons/opentracing.md | 2 +- 27 files changed, 208 insertions(+), 169 deletions(-) diff --git a/README.md b/README.md index 6c604ddba..3fec178e5 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# NGINX Ingress Controller +# Ingress NGINX Controller [![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes/ingress-nginx)](https://goreportcard.com/report/github.com/kubernetes/ingress-nginx) [![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE) 
@@ -28,7 +28,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi ### Support Versions table -| Ingress-nginx version | k8s supported version | Alpine Version | Nginx Version | +| Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | |-----------------------|------------------------------|----------------|---------------| | v1.1.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | | v1.1.0 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index 552a11f1e..29ef07161 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -1,6 +1,6 @@ -# e2e test suite for [NGINX Ingress Controller](https://github.com/kubernetes/ingress-nginx/tree/main/) +# e2e test suite for [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx/tree/main/) diff --git a/docs/examples/affinity/cookie/README.md b/docs/examples/affinity/cookie/README.md index a37bef6f1..891f828a2 100644 --- a/docs/examples/affinity/cookie/README.md +++ b/docs/examples/affinity/cookie/README.md 
@@ -14,13 +14,13 @@ Session affinity can be configured using the following annotations: |nginx.ingress.kubernetes.io/session-cookie-name|Name of the cookie that will be created|string (defaults to `INGRESSCOOKIE`)| |nginx.ingress.kubernetes.io/session-cookie-secure|Set the cookie as secure regardless the protocol of the incoming request|`"true"` or `"false"`| |nginx.ingress.kubernetes.io/session-cookie-path|Path that will be set on the cookie (required if your [Ingress paths][ingress-paths] use regular expressions)|string (defaults to the currently [matched path][ingress-paths])| -|nginx.ingress.kubernetes.io/session-cookie-samesite|SameSite attribute to apply to the cookie|Browser accepted values are `None`, `Lax`, and `Strict`| +|nginx.ingress.kubernetes.io/session-cookie-samesite|`SameSite` attribute to apply to the cookie|Browser accepted values are `None`, `Lax`, and `Strict`| |nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none|Will omit `SameSite=None` attribute for older browsers which reject the more-recently defined `SameSite=None` value|`"true"` or `"false"` |nginx.ingress.kubernetes.io/session-cookie-max-age|Time until the cookie expires, corresponds to the `Max-Age` cookie directive|number of seconds| |nginx.ingress.kubernetes.io/session-cookie-expires|Legacy version of the previous annotation for compatibility with older browsers, generates an `Expires` cookie directive by adding the seconds to the current date|number of seconds| |nginx.ingress.kubernetes.io/session-cookie-change-on-failure|When set to `false` nginx ingress will send request to upstream pointed by sticky cookie even if previous attempt failed. 
When set to `true` and previous attempt failed, sticky cookie will be changed to point to another upstream.|`true` or `false` (defaults to `false`)| -You can create the [example Ingress](ingress.yaml) to test this: +You can create the [session affinity example Ingress](ingress.yaml) to test this: ```console kubectl create -f ingress.yaml @@ -66,13 +66,15 @@ Accept-Ranges: bytes ``` In the example above, you can see that the response contains a `Set-Cookie` header with the settings we have defined. -This cookie is created by NGINX, it contains a randomly generated key corresponding to the upstream used for that request (selected using [consistent hashing][consistent-hashing]) and has an `Expires` directive. -If the user changes this cookie, NGINX creates a new one and redirects the user to another upstream. +This cookie is created by the NGINX Ingress Controller, it contains a randomly generated key corresponding to the upstream used for that request (selected using [consistent hashing][consistent-hashing]) and has an `Expires` directive. +If a client sends a cookie that doesn't correspond to an upstream, NGINX selects an upstream and creates a corresponding cookie. If the backend pool grows NGINX will keep sending the requests through the same server of the first request, even if it's overloaded. When the backend server is removed, the requests are re-routed to another upstream server. This does not require the cookie to be updated because the key's [consistent hash][consistent-hashing] will change. +## Caveats + When you have a Service pointing to more than one Ingress, with only one containing affinity configuration, the first created Ingress will be used. This means that you can face the situation that you've configured session affinity on one Ingress and it doesn't work because the Service is pointing to another Ingress that doesn't configure this. 
diff --git a/docs/examples/auth/basic/README.md b/docs/examples/auth/basic/README.md index ffd8495f3..5e890df80 100644 --- a/docs/examples/auth/basic/README.md +++ b/docs/examples/auth/basic/README.md @@ -3,6 +3,8 @@ This example shows how to add authentication in a Ingress rule using a secret that contains a file generated with `htpasswd`. It's important the file generated is named `auth` (actually - that the secret has a key `data.auth`), otherwise the ingress-controller returns a 503. +## Create htpasswd file + ```console $ htpasswd -c auth foo New password: @@ -11,11 +13,15 @@ Re-type new password: Adding password for user foo ``` +## Convert htpasswd into a secret + ```console $ kubectl create secret generic basic-auth --from-file=auth secret "basic-auth" created ``` +## Examine secret + ```console $ kubectl get secret basic-auth -o yaml apiVersion: v1 @@ -28,8 +34,10 @@ metadata: type: Opaque ``` +## Using kubectl, create an ingress tied to the basic-auth secret + ```console -echo " +$ echo " apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -57,6 +65,8 @@ spec: " | kubectl create -f - ``` +## Use curl to confirm authorization is required by the ingress + ``` $ curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' * Trying 10.2.29.4... @@ -84,6 +94,8 @@ $ curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' * Connection #0 to host 10.2.29.4 left intact ``` +## Use curl with the correct credentials to connect to the ingress + ``` $ curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' -u 'foo:bar' * Trying 10.2.29.4... diff --git a/docs/examples/auth/client-certs/README.md b/docs/examples/auth/client-certs/README.md index a60aa14e7..94cf6c697 100644 --- a/docs/examples/auth/client-certs/README.md +++ b/docs/examples/auth/client-certs/README.md 
@@ -1,11 +1,12 @@ # Client Certificate Authentication It is possible to enable Client-Certificate Authentication by adding additional annotations to your Ingress Resource. -Before getting started you must have the following Certificates Setup: -1. CA certificate and Key(Intermediate Certs need to be in CA) -2. Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use) -3. Client Certificate(Signed by CA) and Key +Before getting started you must have the following Certificates configured: + +1. CA certificate and Key (Intermediate Certs need to be in CA) +2. Server Certificate (Signed by CA) and Key (CN should be equal the hostname you will use) +3. Client Certificate (Signed by CA) and Key For more details on the generation process, checkout the Prerequisite [docs](../../PREREQUISITES.md#client-certificate-authentication). @@ -15,13 +16,13 @@ You can have as many certificates as you want. If they're in the binary DER form openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem ``` -Then, you can concatenate them all in only one file, named 'ca.crt' as the following: +Then, you can concatenate them all into one file, named 'ca.crt' with the following: ```bash cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt ``` -**Note:** Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5 +**Note:** Make sure that the Key Size is greater than 1024 and Hashing Algorithm (Digest) is something better than md5 for each certificate generated. Otherwise you will receive an error. ## Creating Certificate Secrets 
@@ -29,7 +30,7 @@ for each certificate generated. Otherwise you will receive an error. There are many different ways of configuring your secrets to enable Client-Certificate Authentication to work properly. -1. You can create a secret containing just the CA certificate and another +* You can create a secret containing just the CA certificate and another Secret containing the Server Certificate which is Signed by the CA. ```bash @@ -37,14 +38,14 @@ Authentication to work properly. kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key ``` -2. You can create a secret containing CA certificate along with the Server - Certificate, that can be used for both TLS and Client Auth. +* You can create a secret containing CA certificate along with the Server + Certificate that can be used for both TLS and Client Auth. ```bash kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt ``` -3. If you want to also enable Certificate Revocation List verification you can +* If you want to also enable Certificate Revocation List verification you can create the secret also containing the CRL file in PEM format: ```bash kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt --from-file=ca.crl=ca.crl diff --git a/docs/examples/auth/external-auth/README.md b/docs/examples/auth/external-auth/README.md index 62ae72e2c..ad3ee8b09 100644 --- a/docs/examples/auth/external-auth/README.md +++ b/docs/examples/auth/external-auth/README.md @@ -1,6 +1,6 @@ # External Basic Authentication -### Example 1: +### Example 1 Use an external service (Basic Auth) located in `https://httpbin.org` @@ -44,7 +44,7 @@ status: $ ``` -Test 1: no username/password (expect code 401) +## Test 1: no username/password (expect code 401) ```console $ curl -k http://172.17.4.99 -v -H 'Host: external-auth-01.sample.com' 
@@ -74,7 +74,8 @@ $ curl -k http://172.17.4.99 -v -H 'Host: external-auth-01.sample.com' * Connection #0 to host 172.17.4.99 left intact ``` -Test 2: valid username/password (expect code 200) +## Test 2: valid username/password (expect code 200) + ``` $ curl -k http://172.17.4.99 -v -H 'Host: external-auth-01.sample.com' -u 'user:passwd' * Rebuilt URL to: http://172.17.4.99/ @@ -121,7 +122,8 @@ BODY: -no body in request- ``` -Test 3: invalid username/password (expect code 401) +## Test 3: invalid username/password (expect code 401) + ``` curl -k http://172.17.4.99 -v -H 'Host: external-auth-01.sample.com' -u 'user:user' * Rebuilt URL to: http://172.17.4.99/ diff --git a/docs/examples/auth/oauth-external-auth/README.md b/docs/examples/auth/oauth-external-auth/README.md index f6e21f488..a08928720 100644 --- a/docs/examples/auth/oauth-external-auth/README.md +++ b/docs/examples/auth/oauth-external-auth/README.md @@ -6,7 +6,7 @@ The `auth-url` and `auth-signin` annotations allow you to use an external authentication provider to protect your Ingress resources. !!! Important - This annotation requires `ingress-nginx-controller v0.9.0` or greater.) + This annotation requires `ingress-nginx-controller v0.9.0` or greater. ### Key Detail 
@@ -32,45 +32,47 @@ metadata: ### Example: OAuth2 Proxy + Kubernetes-Dashboard This example will show you how to deploy [`oauth2_proxy`](https://github.com/pusher/oauth2_proxy) -into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using github as oAuth2 provider +into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using GitHub as the OAuth2 provider. #### Prepare 1. Install the kubernetes dashboard -```console -kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.10.1.yaml -``` + ```console + kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.10.1.yaml + ``` -2. Create a [custom Github OAuth application](https://github.com/settings/applications/new) +2. Create a [custom GitHub OAuth application](https://github.com/settings/applications/new) -![Register OAuth2 Application](images/register-oauth-app.png) + ![Register OAuth2 Application](images/register-oauth-app.png) -- Homepage URL is the FQDN in the Ingress rule, like `https://foo.bar.com` -- Authorization callback URL is the same as the base FQDN plus `/oauth2/callback`, like `https://foo.bar.com/oauth2/callback` + - Homepage URL is the FQDN in the Ingress rule, like `https://foo.bar.com` + - Authorization callback URL is the same as the base FQDN plus `/oauth2/callback`, like `https://foo.bar.com/oauth2/callback` -![Register OAuth2 Application](images/register-oauth-app-2.png) + ![Register OAuth2 Application](images/register-oauth-app-2.png) 3. 
Configure oauth2_proxy values in the file [`oauth2-proxy.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/auth/oauth-external-auth/oauth2-proxy.yaml) with the values: -- OAUTH2_PROXY_CLIENT_ID with the github `` -- OAUTH2_PROXY_CLIENT_SECRET with the github `` -- OAUTH2_PROXY_COOKIE_SECRET with value of `python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("ascii"))'` + - OAUTH2_PROXY_CLIENT_ID with the github `` + - OAUTH2_PROXY_CLIENT_SECRET with the github `` + - OAUTH2_PROXY_COOKIE_SECRET with value of `python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("ascii"))'` 4. Customize the contents of the file [`dashboard-ingress.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml): -Replace `__INGRESS_HOST__` with a valid FQDN and `__INGRESS_SECRET__` with a Secret with a valid SSL certificate. + Replace `__INGRESS_HOST__` with a valid FQDN and `__INGRESS_SECRET__` with a Secret with a valid SSL certificate. 5. Deploy the oauth2 proxy and the ingress rules running: -```console -$ kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml -``` + ```console + $ kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml + ``` -Test the oauth integration accessing the configured URL, like `https://foo.bar.com` +### Test + +Test the oauth integration accessing the configured URL, e.g. `https://foo.bar.com` ![Register OAuth2 Application](images/github-auth.png) -![Github authentication](images/oauth-login.png) +![GitHub authentication](images/oauth-login.png) ![Kubernetes dashboard](images/dashboard.png) diff --git a/docs/examples/customization/configuration-snippets/README.md b/docs/examples/customization/configuration-snippets/README.md index d60a3d1a0..5ef230ff1 100644 --- a/docs/examples/customization/configuration-snippets/README.md +++ b/docs/examples/customization/configuration-snippets/README.md 
@@ -2,13 +2,16 @@ ## Ingress -The Ingress in [this example](ingress.yaml) adds a custom header to Nginx configuration that only applies to that specific Ingress. If you want to add headers that apply globally to all Ingresses, please have a look at [this example](../custom-headers/README.md). +The Ingress in [this example](ingress.yaml) adds a custom header to Nginx configuration that only applies to that specific Ingress. If you want to add headers that apply globally to all Ingresses, please have a look at [an example of specifying customer headers](../custom-headers/README.md). ```console -$ kubectl apply -f ingress.yaml +kubectl apply -f ingress.yaml ``` ## Test Check if the contents of the annotation are present in the nginx.conf file using: -`kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf` + +```console +kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf +``` diff --git a/docs/examples/customization/custom-headers/README.md b/docs/examples/customization/custom-headers/README.md index 378f2aa87..499bfc386 100644 --- a/docs/examples/customization/custom-headers/README.md +++ b/docs/examples/customization/custom-headers/README.md @@ -1,5 +1,15 @@ # Custom Headers +## Caveats + +Changes to the custom header config maps do not force a reload of the ingress-nginx-controllers. + +### Workaround + +To work around this limitation, perform a rolling restart of the deployment. + +## Example + This example demonstrates configuration of the nginx ingress controller via a ConfigMap to pass a custom list of headers to the upstream server. 
@@ -29,4 +39,4 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main ## Test Check the contents of the ConfigMaps are present in the nginx.conf file using: -`kubectl exec ingress-nginx-controller-873061567-4n3k2 -n ingress-nginx -- cat /etc/nginx/nginx.conf` \ No newline at end of file +`kubectl exec ingress-nginx-controller-873061567-4n3k2 -n ingress-nginx -- cat /etc/nginx/nginx.conf` diff --git a/docs/examples/customization/external-auth-headers/README.md b/docs/examples/customization/external-auth-headers/README.md index 9aaf6864b..946088b4b 100644 --- a/docs/examples/customization/external-auth-headers/README.md +++ b/docs/examples/customization/external-auth-headers/README.md @@ -1,7 +1,7 @@ # External authentication, authentication service response headers propagation This example demonstrates propagation of selected authentication service response headers -to backend service. +to a backend service. Sample configuration includes: @@ -37,7 +37,7 @@ public-demo-echo-service public-demo-echo-service.kube.local 80 secure-demo-echo-service secure-demo-echo-service.kube.local 80 1m ``` -Test 1: public service with no auth header +## Test 1: public service with no auth header ```console $ curl -H 'Host: public-demo-echo-service.kube.local' -v 192.168.99.100 @@ -60,7 +60,7 @@ $ curl -H 'Host: public-demo-echo-service.kube.local' -v 192.168.99.100 UserID: , UserRole: ``` -Test 2: secure service with no auth header +## Test 2: secure service with no auth header ```console $ curl -H 'Host: secure-demo-echo-service.kube.local' -v 192.168.99.100 @@ -89,7 +89,7 @@ $ curl -H 'Host: secure-demo-echo-service.kube.local' -v 192.168.99.100 * Connection #0 to host 192.168.99.100 left intact ``` -Test 3: public service with valid auth header +## Test 3: public service with valid auth header ```console $ curl -H 'Host: public-demo-echo-service.kube.local' -H 'User:internal' -v 192.168.99.100 
@@ -113,7 +113,7 @@ $ curl -H 'Host: public-demo-echo-service.kube.local' -H 'User:internal' -v 192. UserID: 1443635317331776148, UserRole: admin ``` -Test 4: secure service with valid auth header +## Test 4: secure service with valid auth header ```console $ curl -H 'Host: secure-demo-echo-service.kube.local' -H 'User:internal' -v 192.168.99.100 diff --git a/docs/examples/customization/ssl-dh-param/README.md b/docs/examples/customization/ssl-dh-param/README.md index 9029b834b..2eae67ce2 100644 --- a/docs/examples/customization/ssl-dh-param/README.md +++ b/docs/examples/customization/ssl-dh-param/README.md @@ -1,7 +1,7 @@ # Custom DH parameters for perfect forward secrecy This example aims to demonstrate the deployment of an nginx ingress controller and -use a ConfigMap to configure custom Diffie-Hellman parameters file to help with +use a ConfigMap to configure a custom Diffie-Hellman parameters file to help with "Perfect Forward Secrecy". ## Custom configuration @@ -27,7 +27,7 @@ $ kubectl create -f configmap.yaml ## Custom DH parameters secret ```console -$> openssl dhparam 4096 2> /dev/null | base64 +$ openssl dhparam 4096 2> /dev/null | base64 LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ... ``` @@ -52,4 +52,6 @@ $ kubectl create -f ssl-dh-param.yaml ## Test Check the contents of the configmap is present in the nginx.conf file using: -`kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf` +```console +$ kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf +``` diff --git a/docs/examples/customization/sysctl/README.md b/docs/examples/customization/sysctl/README.md index b285808b5..54fbe4355 100644 --- a/docs/examples/customization/sysctl/README.md +++ b/docs/examples/customization/sysctl/README.md 
@@ -1,6 +1,6 @@ # Sysctl tuning -This example aims to demonstrate the use of an Init Container to adjust sysctl default values using `kubectl patch` +This example aims to demonstrate the use of an Init Container to adjust sysctl default values using `kubectl patch`. ```console kubectl patch deployment -n ingress-nginx ingress-nginx-controller \ diff --git a/docs/examples/docker-registry/README.md b/docs/examples/docker-registry/README.md index 102c8d39d..8ba230f2c 100644 --- a/docs/examples/docker-registry/README.md +++ b/docs/examples/docker-registry/README.md @@ -1,6 +1,6 @@ # Docker registry -This example demonstrates how to deploy a [docker registry](https://github.com/docker/distribution) in the cluster and configure Ingress enable access from Internet +This example demonstrates how to deploy a [docker registry](https://github.com/docker/distribution) in the cluster and configure Ingress to enable access from the Internet. ## Deployment diff --git a/docs/examples/grpc/README.md b/docs/examples/grpc/README.md index 7a9c2aef2..2d1929b66 100644 --- a/docs/examples/grpc/README.md +++ b/docs/examples/grpc/README.md 
@@ -1,28 +1,28 @@ # gRPC -This example demonstrates how to route traffic to a gRPC service through the nginx controller. +This example demonstrates how to route traffic to a gRPC service through the Ingress-NGINX controller. ## Prerequisites 1. You have a kubernetes cluster running. -2. You have a domain name such as `example.com` that is configured to route traffic to the ingress controller. +2. You have a domain name such as `example.com` that is configured to route traffic to the Ingress-NGINX controller. 3. You have the ingress-nginx-controller installed as per docs. -4. You have a backend application running a gRPC server and listening for TCP traffic. If you want, you can use as an example. -5. You're also responsible for provisioning an SSL certificate for the ingress. So you need to have a valid SSL certificate, deployed as a Kubernetes secret of type tls, in the same namespace as the gRPC application. +4. You have a backend application running a gRPC server listening for TCP traffic. If you want, you can use as an example. +5. You're also responsible for provisioning an SSL certificate for the ingress. So you need to have a valid SSL certificate, deployed as a Kubernetes secret of type `tls`, in the same namespace as the gRPC application. ### Step 1: Create a Kubernetes `Deployment` for gRPC app - Make sure your gRPC application pod is running and listening for connections. For example you can try a kubectl command like this below: - ``` + ```console $ kubectl get po -A -o wide | grep go-grpc-greeter-server ``` - If you have a gRPC app deployed in your cluster, then skip further notes in this Step 1, and continue from Step 2 below. -- As an example gRPC application, we can use this app . +- As an example gRPC application, we can use this app . - To create a container image for this app, you can use [this Dockerfile](https://github.com/kubernetes/ingress-nginx/blob/5a52d99ae85cfe5ef9535291b8326b0006e75066/images/go-grpc-greeter-server/rootfs/Dockerfile). 
-- If you use the Dockerfile mentioned above, to create a image, then given below is an example of a Kubernetes manifest, to create a deployment resource, that uses that image. If needed, then edit this manifest to suit your needs. Assuming the name of this yaml file is `deployment.go-grpc-greeter-server.yaml` ; +- If you use the Dockerfile mentioned above, to create a image, then you can use the following example Kubernetes manifest to create a deployment resource that uses that image. If necessary edit this manifest to suit your needs. ``` cat < https://proto.stack.build, a protocol buffer / gRPC build service that can use > to help make it easier for your users to consume your API. -> See also the specific GRPC settings of NGINX: https://nginx.org/en/docs/http/ngx_http_grpc_module.html +> See also the specific gRPC settings of NGINX: https://nginx.org/en/docs/http/ngx_http_grpc_module.html ### Notes on using response/request streams -1. If your server does only response streaming and you expect a stream to be open longer than 60 seconds, you will have to change the `grpc_read_timeout` to accommodate for this. -2. If your service does only request streaming and you expect a stream to be open longer than 60 seconds, you have to change the +1. If your server only does response streaming and you expect a stream to be open longer than 60 seconds, you will have to change the `grpc_read_timeout` to accommodate this. +2. If your service only does request streaming and you expect a stream to be open longer than 60 seconds, you have to change the `grpc_send_timeout` and the `client_body_timeout`. 3. If you do both response and request streaming with an open stream longer than 60 seconds, you have to change all three timeouts: `grpc_read_timeout`, `grpc_send_timeout` and `client_body_timeout`. diff --git a/docs/examples/multi-tls/README.md b/docs/examples/multi-tls/README.md index 198bc6d38..cc990151b 100644 --- a/docs/examples/multi-tls/README.md 
+++ b/docs/examples/multi-tls/README.md @@ -2,9 +2,8 @@ This example uses 2 different certificates to terminate SSL for 2 hostnames. -1. Deploy the controller by creating the rc in the parent dir -2. Create tls secrets for foo.bar.com and bar.baz.com as indicated in the yaml -3. Create [multi-tls.yaml](multi-tls.yaml) +1. Create tls secrets for foo.bar.com and bar.baz.com as indicated in the yaml +2. Create [multi-tls.yaml](multi-tls.yaml) This should generate a segment like: ```console diff --git a/docs/examples/psp/README.md b/docs/examples/psp/README.md index 4d5f317fb..f8426baf2 100644 --- a/docs/examples/psp/README.md +++ b/docs/examples/psp/README.md @@ -1,17 +1,17 @@ # Pod Security Policy (PSP) -In most clusters today, by default, all resources (e.g. Deployments and ReplicatSets) +In most clusters today, by default, all resources (e.g. `Deployments` and `ReplicatSets`) have permissions to create pods. Kubernetes however provides a more fine-grained authorization policy called [Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). PSP allows the cluster owner to define the permission of each object, for example creating a pod. If you have PSP enabled on the cluster, and you deploy ingress-nginx, -you will need to provide the Deployment with the permissions to create pods. +you will need to provide the `Deployment` with the permissions to create pods. Before applying any objects, first apply the PSP permissions by running: ```console kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml ``` -Note: PSP permissions must be granted before to the creation of the Deployment and the ReplicaSet. +Note: PSP permissions must be granted before the creation of the `Deployment` and the `ReplicaSet`. diff --git a/docs/examples/rewrite/README.md b/docs/examples/rewrite/README.md index fbe9f30c7..c529c34ef 100644 --- a/docs/examples/rewrite/README.md 
+++ b/docs/examples/rewrite/README.md @@ -1,6 +1,6 @@ # Rewrite -This example demonstrates how to use the Rewrite annotations +This example demonstrates how to use `Rewrite` annotations. ## Prerequisites @@ -15,9 +15,9 @@ Rewriting can be controlled using the following annotations: |Name|Description|Values| | --- | --- | --- | |nginx.ingress.kubernetes.io/rewrite-target|Target URI where the traffic must be redirected|string| -|nginx.ingress.kubernetes.io/ssl-redirect|Indicates if the location section is accessible SSL only (defaults to True when Ingress contains a Certificate)|bool| +|nginx.ingress.kubernetes.io/ssl-redirect|Indicates if the location section is only accessible via SSL (defaults to True when Ingress contains a Certificate)|bool| |nginx.ingress.kubernetes.io/force-ssl-redirect|Forces the redirection to HTTPS even if the Ingress is not TLS Enabled|bool| -|nginx.ingress.kubernetes.io/app-root|Defines the Application Root that the Controller must redirect if it's in '/' context|string| +|nginx.ingress.kubernetes.io/app-root|Defines the Application Root that the Controller must redirect if it's in `/` context|string| |nginx.ingress.kubernetes.io/use-regex|Indicates if the paths defined on an Ingress use regular expressions|bool| ## Examples diff --git a/docs/examples/static-ip/README.md b/docs/examples/static-ip/README.md index f74be5757..992839a24 100644 --- a/docs/examples/static-ip/README.md +++ b/docs/examples/static-ip/README.md @@ -1,6 +1,6 @@ # Static IPs -This example demonstrates how to assign a static-ip to an Ingress on through the Nginx controller. +This example demonstrates how to assign a static-ip to an Ingress on through the Ingress-NGINX controller. ## Prerequisites 
@@ -11,15 +11,15 @@ and that you have an ingress controller [running](../../deploy/) in your cluster ## Acquiring an IP -Since instances of the nginx controller actually run on nodes in your cluster, +Since instances of the ingress nginx controller actually run on nodes in your cluster, by default nginx Ingresses will only get static IPs if your cloudprovider supports static IP assignments to nodes. On GKE/GCE for example, even though -nodes get static IPs, the IPs are not retained across upgrade. +nodes get static IPs, the IPs are not retained across upgrades. To acquire a static IP for the ingress-nginx-controller, simply put it behind a Service of `Type=LoadBalancer`. -First, create a loadbalancer Service and wait for it to acquire an IP +First, create a loadbalancer Service and wait for it to acquire an IP: ```console $ kubectl create -f static-ip-svc.yaml @@ -30,7 +30,7 @@ NAME CLUSTER-IP EXTERNAL-IP PORT(S) ingress-nginx-lb 10.0.138.113 104.154.109.191 80:31457/TCP,443:32240/TCP 15m ``` -then, update the ingress controller so it adopts the static IP of the Service +Then, update the ingress controller so it adopts the static IP of the Service by passing the `--publish-service` flag (the example yaml used in the next step already has it set to "ingress-nginx-lb"). @@ -42,7 +42,7 @@ deployment "ingress-nginx-controller" created ## Assigning the IP to an Ingress From here on every Ingress created with the `ingress.class` annotation set to -`nginx` will get the IP allocated in the previous step +`nginx` will get the IP allocated in the previous step. ```console $ kubectl create -f ingress-nginx.yaml @@ -65,7 +65,7 @@ request_uri=http://104.154.109.191:8080/ ## Retaining the IP -You can test retention by deleting the Ingress +You can test retention by deleting the Ingress: ```console $ kubectl delete ing ingress-nginx 
@@ -85,16 +85,16 @@ ingress-nginx * 104.154.109.191 80, 443 13m ## Promote ephemeral to static IP -To promote the allocated IP to static, you can update the Service manifest +To promote the allocated IP to static, you can update the Service manifest: ```console $ kubectl patch svc ingress-nginx-lb -p '{"spec": {"loadBalancerIP": "104.154.109.191"}}' "ingress-nginx-lb" patched ``` -and promote the IP to static (promotion works differently for cloudproviders, -provided example is for GKE/GCE) -` +... and promote the IP to static (promotion works differently for cloudproviders, +provided example is for GKE/GCE): + ```console $ gcloud compute addresses create ingress-nginx-lb --addresses 104.154.109.191 --region us-central1 Created [https://www.googleapis.com/compute/v1/projects/kubernetesdev/regions/us-central1/addresses/ingress-nginx-lb]. @@ -114,4 +114,3 @@ users: Now even if the Service is deleted, the IP will persist, so you can recreate the Service with `spec.loadBalancerIP` set to `104.154.109.191`. - diff --git a/docs/how-it-works.md b/docs/how-it-works.md index 1e530d045..b7d48b00c 100644 --- a/docs/how-it-works.md +++ b/docs/how-it-works.md @@ -1,6 +1,6 @@ # How it works -The objective of this document is to explain how the NGINX Ingress controller works, in particular how the NGINX model is built and why we need one. +The objective of this document is to explain how the Ingress-NGINX controller works, in particular how the NGINX model is built and why we need one. ## NGINX configuration diff --git a/docs/index.md b/docs/index.md index b06141814..bda45d317 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -1,6 +1,6 @@ # Overview -This is the documentation for the NGINX Ingress Controller. +This is the documentation for the Ingress NGINX Controller. It is built around the [Kubernetes Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/), using a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) to store the controller configuration. @@ -26,7 +26,7 @@ Its important because until now, a default install of the Ingress-NGINX controll On clusters with more than one instance of the Ingress-NGINX controller, all instances of the controllers must be aware of which Ingress objects they serve. The `ingressClassName` field of an Ingress is the way to let the controller know about that. -``` +```console kubectl explain ingressclass ``` ``` @@ -67,7 +67,9 @@ FIELDS: There are 2 reasons primarily. -_(Reason #1)_ Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as: +### Reason #1 + +Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as: - `extensions/v1beta1` - `networking.k8s.io/v1beta1` 
@@ -76,7 +78,9 @@ You would get a message about deprecation, but the Ingress resource would get cr From K8s version 1.22 onwards, you can **only** access the Ingress API via the stable, `networking.k8s.io/v1` API. The reason is explained in the [official blog on deprecated ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/). -_(Reason #2)_ if you are already using the Ingress-NGINX controller and then upgrade to K8s version v1.22 , there are several scenarios where your existing Ingress objects will not work how you expect. Read this FAQ to check which scenario matches your use case. +### Reason #2 + +If you are already using the Ingress-NGINX controller and then upgrade to K8s version v1.22 , there are several scenarios where your existing Ingress objects will not work how you expect. Read this FAQ to check which scenario matches your use case. ## What is ingressClassName field ? @@ -85,7 +89,7 @@ _(Reason #2)_ if you are already using the Ingress-NGINX controller and then upg ```shell kubectl explain ingress.spec.ingressClassName ``` -``` +```console KIND: Ingress VERSION: networking.k8s.io/v1 
@@ -112,7 +116,7 @@ The `.spec.ingressClassName` behavior has precedence over the deprecated `kubern - If you have only one instance of the Ingress-NGINX controller running in your cluster, and you still want to use IngressClass, you should add the annotation `ingressclass.kubernetes.io/is-default-class` in your IngressClass, so that any new Ingress objects will have this one as default IngressClass. -In this case, you need to make your controller aware of the objects. If you have any Ingress objects that don't yet have either the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field set in their manifest, or the ingress annotation (`kubernetes.io/ingress.class`), then you should start your Ingress-NGINX controller with the flag `--watch-ingress-without-class=true`. +In this case, you need to make your controller aware of the objects. If you have any Ingress objects that don't yet have either the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field set in their manifest, or the ingress annotation (`kubernetes.io/ingress.class`), then you should start your Ingress-NGINX controller with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class). You can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. @@ -130,7 +134,8 @@ metadata: spec: controller: k8s.io/ingress-nginx ``` -And add the value "spec.ingressClassName=nginx" in your Ingress objects + +And add the value `spec.ingressClassName=nginx` in your Ingress objects. ## I have multiple ingress objects in my cluster. What should I do ? 
@@ -138,7 +143,7 @@ And add the value "spec.ingressClassName=nginx" in your Ingress objects ### What is the flag '--watch-ingress-without-class' ? -- Its a flag that is passed,as an argument, to the `nginx-ingress-controller` executable. In the configuration, it looks like this ; +- Its a flag that is passed,as an argument, to the `nginx-ingress-controller` executable. In the configuration, it looks like this: ``` ... ... @@ -209,7 +214,7 @@ If you start Ingress-Nginx B with the command line argument `--watch-ingress-wit ``` helm repo update ``` -- Now, install an additional instance of the ingress-NGINX controller like this ; +- Now, install an additional instance of the ingress-NGINX controller like this: ``` helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ --namespace ingress-nginx-2 \ diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md index 7f4205746..01be19f59 100644 --- a/docs/kubectl-plugin.md +++ b/docs/kubectl-plugin.md @@ -226,7 +226,9 @@ Use the `--service ` flag if your `ingress-nginx` `LoadBalancer` servic ### ingresses -`kubectl ingress-nginx ingresses`, alternately `kubectl ingress-nginx ing`, shows a more detailed view of the ingress definitions in a namespace. Compare: +`kubectl ingress-nginx ingresses`, alternately `kubectl ingress-nginx ing`, shows a more detailed view of the ingress definitions in a namespace. + +Compare: ```console $ kubectl get ingresses --all-namespaces @@ -235,7 +237,7 @@ default example-ingress1 testaddr.local,testaddr2.local localhost 80 default test-ingress-2 * localhost 80 5d ``` -vs +vs. ```console $ kubectl ingress-nginx ingresses --all-namespaces 
@@ -272,7 +274,7 @@ Checking deployments... https://github.com/kubernetes/ingress-nginx/issues/3808 ``` -to show the lints added **only** for a particular `ingress-nginx` release, use the `--from-version` and `--to-version` flags: +To show the lints added **only** for a particular `ingress-nginx` release, use the `--from-version` and `--to-version` flags: ```console $ kubectl ingress-nginx lint --all-namespaces --verbose --from-version 0.24.0 --to-version 0.24.0 diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 2bcc97dca..2e8684a8b 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -13,7 +13,7 @@ Do not move it without providing redirects. There are many ways to troubleshoot the ingress-controller. The following are basic troubleshooting methods to obtain more information. -Check the Ingress Resource Events +### Check the Ingress Resource Events ```console $ kubectl get ing -n @@ -41,7 +41,7 @@ Events: Normal UPDATE 58s ingress-nginx-controller Ingress default/cafe-ingress ``` -Check the Ingress Controller Logs +### Check the Ingress Controller Logs ```console $ kubectl get pods -n @@ -58,7 +58,7 @@ NGINX Ingress controller .... ``` -Check the Nginx Configuration +### Check the Nginx Configuration ```console $ kubectl get pods -n @@ -80,7 +80,7 @@ http { .... ``` -Check if used Services Exist +### Check if used Services Exist ```console $ kubectl get svc --all-namespaces 
@@ -130,14 +130,14 @@ Both authentications must work: **Service authentication** -The Ingress controller needs information from apiserver. Therefore, authentication is required, which can be achieved in two different ways: +The Ingress controller needs information from apiserver. Therefore, authentication is required, which can be achieved in a couple of ways: -1. _Service Account:_ This is recommended, because nothing has to be configured. The Ingress controller will use information provided by the system to communicate with the API server. See 'Service Account' section for details. +* _Service Account:_ This is recommended, because nothing has to be configured. The Ingress controller will use information provided by the system to communicate with the API server. See 'Service Account' section for details. -2. _Kubeconfig file:_ In some Kubernetes environments service accounts are not available. In this case a manual configuration is required. The Ingress controller binary can be started with the `--kubeconfig` flag. The value of the flag is a path to a file specifying how to connect to the API server. Using the `--kubeconfig` does not requires the flag `--apiserver-host`. +* _Kubeconfig file:_ In some Kubernetes environments service accounts are not available. In this case a manual configuration is required. The Ingress controller binary can be started with the `--kubeconfig` flag. The value of the flag is a path to a file specifying how to connect to the API server. Using the `--kubeconfig` does not requires the flag `--apiserver-host`. The format of the file is identical to `~/.kube/config` which is used by kubectl to connect to the API server. See 'kubeconfig' section for details. -3. _Using the flag `--apiserver-host`:_ Using this flag `--apiserver-host=http://localhost:8080` it is possible to specify an unsecured API server or reach a remote kubernetes cluster using [kubectl proxy](https://kubernetes.io/docs/user-guide/kubectl/kubectl_proxy/). 
+* _Using the flag `--apiserver-host`:_ Using this flag `--apiserver-host=http://localhost:8080` it is possible to specify an unsecured API server or reach a remote kubernetes cluster using [kubectl proxy](https://kubernetes.io/docs/user-guide/kubectl/kubectl_proxy/). Please do not use this approach in production. In the diagram below you can see the full authentication flow with all options, starting with the browser 
@@ -247,72 +247,72 @@ Note: The below is based on the nginx [documentation](https://docs.nginx.com/ngi 1. SSH into the worker -```console -$ ssh user@workerIP -``` + ```console + $ ssh user@workerIP + ``` 2. Obtain the Docker Container Running nginx -```console -$ docker ps | grep ingress-nginx-controller -CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES -d9e1d243156a k8s.gcr.io/ingress-nginx/controller "/usr/bin/dumb-init …" 19 minutes ago Up 19 minutes k8s_ingress-nginx-controller_ingress-nginx-controller-67956bf89d-mqxzt_kube-system_079f31ec-aa37-11e8-ad39-080027a227db_0 -``` + ```console + $ docker ps | grep ingress-nginx-controller + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + d9e1d243156a k8s.gcr.io/ingress-nginx/controller "/usr/bin/dumb-init …" 19 minutes ago Up 19 minutes k8s_ingress-nginx-controller_ingress-nginx-controller-67956bf89d-mqxzt_kube-system_079f31ec-aa37-11e8-ad39-080027a227db_0 + ``` 3. Exec into the container -```console -$ docker exec -it --user=0 --privileged d9e1d243156a bash -``` + ```console + $ docker exec -it --user=0 --privileged d9e1d243156a bash + ``` 4. Make sure nginx is running in `--with-debug` -```console -$ nginx -V 2>&1 | grep -- '--with-debug' -``` + ```console + $ nginx -V 2>&1 | grep -- '--with-debug' + ``` 5. Get list of processes running on container -```console -$ ps -ef -UID PID PPID C STIME TTY TIME CMD -root 1 0 0 20:23 ? 00:00:00 /usr/bin/dumb-init /nginx-ingres -root 5 1 0 20:23 ? 00:00:05 /ingress-nginx-controller --defa -root 21 5 0 20:23 ? 00:00:00 nginx: master process /usr/sbin/ -nobody 106 21 0 20:23 ? 00:00:00 nginx: worker process -nobody 107 21 0 20:23 ? 00:00:00 nginx: worker process -root 172 0 0 20:43 pts/0 00:00:00 bash -``` + ```console + $ ps -ef + UID PID PPID C STIME TTY TIME CMD + root 1 0 0 20:23 ? 00:00:00 /usr/bin/dumb-init /nginx-ingres + root 5 1 0 20:23 ? 00:00:05 /ingress-nginx-controller --defa + root 21 5 0 20:23 ? 
00:00:00 nginx: master process /usr/sbin/ + nobody 106 21 0 20:23 ? 00:00:00 nginx: worker process + nobody 107 21 0 20:23 ? 00:00:00 nginx: worker process + root 172 0 0 20:43 pts/0 00:00:00 bash + ``` -7. Attach gdb to the nginx master process +6. Attach gdb to the nginx master process -```console -$ gdb -p 21 -.... -Attaching to process 21 -Reading symbols from /usr/sbin/nginx...done. -.... -(gdb) -``` + ```console + $ gdb -p 21 + .... + Attaching to process 21 + Reading symbols from /usr/sbin/nginx...done. + .... + (gdb) + ``` -8. Copy and paste the following: +7. Copy and paste the following: -```console -set $cd = ngx_cycle->config_dump -set $nelts = $cd.nelts -set $elts = (ngx_conf_dump_t*)($cd.elts) -while ($nelts-- > 0) -set $name = $elts[$nelts]->name.data -printf "Dumping %s to nginx_conf.txt\n", $name -append memory nginx_conf.txt \ - $elts[$nelts]->buffer.start $elts[$nelts]->buffer.end -end -``` + ```console + set $cd = ngx_cycle->config_dump + set $nelts = $cd.nelts + set $elts = (ngx_conf_dump_t*)($cd.elts) + while ($nelts-- > 0) + set $name = $elts[$nelts]->name.data + printf "Dumping %s to nginx_conf.txt\n", $name + append memory nginx_conf.txt \ + $elts[$nelts]->buffer.start $elts[$nelts]->buffer.end + end + ``` -9. Quit GDB by pressing CTRL+D +8. Quit GDB by pressing CTRL+D -10. Open nginx_conf.txt +9. Open nginx_conf.txt -```console -cat nginx_conf.txt -``` + ```console + cat nginx_conf.txt + ``` diff --git a/docs/user-guide/default-backend.md b/docs/user-guide/default-backend.md index d57b89323..f15561086 100644 --- a/docs/user-guide/default-backend.md +++ b/docs/user-guide/default-backend.md 
@@ -1,6 +1,6 @@ # Default backend -The default backend is a service which handles all URL paths and hosts the nginx controller doesn't understand +The default backend is a service which handles all URL paths and hosts the Ingress-NGINX controller doesn't understand (i.e., all the requests that are not mapped with an Ingress). Basically a default backend exposes two URLs: diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md index 05d6a3f87..7d86260f0 100644 --- a/docs/user-guide/monitoring.md +++ b/docs/user-guide/monitoring.md @@ -22,11 +22,11 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/) --set-string controller.podAnnotations."prometheus\.io/scrape"="true" \ --set-string controller.podAnnotations."prometheus\.io/port"="10254" ``` - - You can validate that the controller is configured for metrics by looking at the values of the installed release, like this ; + - You can validate that the controller is configured for metrics by looking at the values of the installed release, like this: ``` helm get values ingress-controller --namespace ingress-nginx ``` - - You should be able to see the values shown below ; + - You should be able to see the values shown below: ``` .. controller: diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md index f13574044..83eeb3f48 100644 --- a/docs/user-guide/multiple-ingress.md +++ b/docs/user-guide/multiple-ingress.md @@ -82,7 +82,7 @@ metadata: kubernetes.io/ingress.class: "gce" ``` -will target the GCE controller, forcing the nginx controller to ignore it, while an annotation like +will target the GCE controller, forcing the Ingress-NGINX controller to ignore it, while an annotation like: ```yaml metadata: 
@@ -91,7 +91,7 @@ metadata: kubernetes.io/ingress.class: "nginx" ``` -will target the nginx controller, forcing the GCE controller to ignore it. +will target the Ingress-NGINX controller, forcing the GCE controller to ignore it. You can change the value "nginx" to something else by setting the `--ingress-class` flag: diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index d35a19b1a..b48cc1028 100755 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -221,7 +221,7 @@ Enables the return of the header Server from the backend instead of the generic ## allow-snippet-annotations -Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true`; +Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true` Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this may allow a user to add restricted configurations to the final nginx.conf file diff --git a/docs/user-guide/third-party-addons/opentracing.md b/docs/user-guide/third-party-addons/opentracing.md index 27c64e300..468be24f7 100644 --- a/docs/user-guide/third-party-addons/opentracing.md +++ b/docs/user-guide/third-party-addons/opentracing.md @@ -140,7 +140,7 @@ kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/ma kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/master/kubernetes/deployment.yaml ``` -Also we need to configure the NGINX controller ConfigMap with the required values: +Also we need to configure the Ingress-NGINX controller ConfigMap with the required values: ``` $ echo ' From 0e5d4ad425cf519f7c674a16b9e8bda523b2566e Mon Sep 17 00:00:00 2001 
From: Ricardo Katz Date: Sun, 16 Jan 2022 22:25:28 -0300 Subject: [PATCH 0011/1606] Automatically generate helm docs (#8151) --- .github/workflows/ci.yaml | 7 ------- .github/workflows/helm.yaml | 20 ++++++++++++++++++++ charts/ingress-nginx/values.yaml | 2 +- 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0d9ba2ad2..62843b1d7 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -137,13 +137,6 @@ jobs: run: | ./build/run-in-docker.sh ./hack/verify-chart-lint.sh - - name: Run helm-docs - run: | - GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0 - ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts - git diff --exit-code - rm -f ./helm-docs - - name: fix permissions run: | sudo mkdir -p $HOME/.kube diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index a99fcfaa6..7545e5d66 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -56,6 +56,26 @@ jobs: run: | git config --global user.name "$GITHUB_ACTOR" git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Set up Go 1.17 + id: go + uses: actions/setup-go@v2 + with: + go-version: 1.17 + + - name: Run helm-docs + run: | + cd ${GITHUB_WORKSPACE} + GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0 + ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts + git diff --exit-code ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md + if [ $? -ne 0 ]; then + git add ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md + git commit -m "Update helm README" + git push --quiet https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main > /dev/null 2>&1 + fi + rm ./helm-docs + - name: Run chart-releaser uses: helm/chart-releaser-action@v1.2.1 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index d30c170b6..778951098 100644 
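Review bot: The new `Run helm-docs` step in helm.yaml builds and runs a third-party binary (`go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0`) in the same job that then pushes straight to `main` with a token, so a compromise of that build or of the tag-pinned `actions/setup-go@v2` reaches the default branch without review. Pin the action to a full commit SHA, e.g. `uses: actions/setup-go@<full-commit-sha> # v2`, and consider having the job open a pull request with the regenerated README instead of pushing. The step sets no `env:` for `GITHUB_TOKEN` (unless it is exported at job level, which the hunk does not show), and `> /dev/null 2>&1` on the push would hide the resulting failure. The job's `permissions:` are not visible here, so confirm the token is scoped to what this step needs.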
--- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -34,7 +34,7 @@ controller: # -- Configures the controller container name containerName: controller - # -- Configures the ports the nginx-controller listens on + # -- Configures the ports that the nginx-controller listens on containerPort: http: 80 https: 443 From 2db580a51385c26a356ace9b511d0878955c5444 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 16 Jan 2022 22:49:11 -0300 Subject: [PATCH 0012/1606] fix helmdoc push shell script (#8152) --- .github/workflows/helm.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 7545e5d66..0dd718846 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -68,8 +68,8 @@ jobs: cd ${GITHUB_WORKSPACE} GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0 ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts - git diff --exit-code ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md - if [ $? -ne 0 ]; then + DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md) + if [ ! -z "$DIFF" ]; then git add ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md git commit -m "Update helm README" git push --quiet https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main > /dev/null 2>&1 From 51fa86e690c25433af02783d232289e6206b5a37 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 16 Jan 2022 22:52:10 -0300 Subject: [PATCH 0013/1606] Trigger new helmdoc generation --- charts/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 778951098..4e7e6ade1 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml 
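Review bot: Capturing the whole diff into `DIFF` in the helm.yaml hunk only to test it for emptiness is roundabout, and the unquoted `${GITHUB_WORKSPACE}` path would word-split on a path containing spaces. `if ! git diff --quiet -- "${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md"; then` expresses the same check directly and is safe under `bash -e` because the command sits in the `if` condition. The unchanged push line still discards all output, so a rejected push leaves nothing to diagnose.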
@@ -42,7 +42,7 @@ controller: # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ config: {} - # -- Annotations to be added to the controller config configuration configmap + # -- Annotations to be added to the controller config configuration configmap. configAnnotations: {} # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers From c667cf083b53829c876f877585e8fa00cabc633f Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 16 Jan 2022 22:59:36 -0300 Subject: [PATCH 0014/1606] Last attempt to fix helm docs (#8153) --- .github/workflows/helm.yaml | 4 +++- charts/ingress-nginx/values.yaml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 0dd718846..1134a66f0 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -64,6 +64,8 @@ jobs: go-version: 1.17 - name: Run helm-docs + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: | cd ${GITHUB_WORKSPACE} GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0 @@ -72,7 +74,7 @@ jobs: if [ ! -z "$DIFF" ]; then git add ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md git commit -m "Update helm README" - git push --quiet https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main > /dev/null 2>&1 + git push --force https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main fi rm ./helm-docs diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 4e7e6ade1..bddd1eb5c 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml 
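Review bot: `git push --force ... main` in the second helm.yaml hunk lets this job overwrite any commit that reached `main` after its checkout, so a race with a normal merge silently drops reviewed history. Drop `--force` so a non-fast-forward is rejected instead: `git push https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main`. With the output redirect removed, the credential-bearing URL can now show up in git's error output. GitHub masks registered secrets in logs, but supplying the token through a credential helper or git's `http.extraHeader` setting keeps it off the command line altogether.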
@@ -71,7 +71,7 @@ controller: # Defaults to false watchIngressWithoutClass: false - # -- Process IngressClass per name (additionally as per spec.controller) + # -- Process IngressClass per name (additionally as per spec.controller). ingressClassByName: false # -- This configuration defines if Ingress Controller should allow users to set From cce04fca486f81b5107a720e3b2d36f1b7a820b2 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Mon, 17 Jan 2022 10:09:30 -0300 Subject: [PATCH 0015/1606] Rollback on helmdoc generation (#8154) --- .github/workflows/helm.yaml | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 1134a66f0..b0adb644e 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -57,28 +57,6 @@ jobs: git config --global user.name "$GITHUB_ACTOR" git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Set up Go 1.17 - id: go - uses: actions/setup-go@v2 - with: - go-version: 1.17 - - - name: Run helm-docs - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - run: | - cd ${GITHUB_WORKSPACE} - GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0 - ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts - DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md) - if [ ! -z "$DIFF" ]; then - git add ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md - git commit -m "Update helm README" - git push --force https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main - fi - rm ./helm-docs - - - name: Run chart-releaser uses: helm/chart-releaser-action@v1.2.1 env: From 4badf201733f5a693289df56b5301eb0ba29d00f Mon Sep 17 00:00:00 2001 
From: Marc Portabella Clotet <56038098+marcportabellaclotet-mt@users.noreply.github.com> Date: Tue, 18 Jan 2022 00:16:49 +0100 Subject: [PATCH 0016/1606] #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1 (#8155) * feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1 * fix: added-eol * feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1 * fix: added-eol --- .../templates/default-backend-poddisruptionbudget.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml index 3a6e8ebde..00891cee5 100644 --- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml @@ -1,3 +1,4 @@ +{{- if .Values.defaultBackend.enabled -}} {{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }} apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} kind: PodDisruptionBudget @@ -17,3 +18,4 @@ spec: app.kubernetes.io/component: default-backend minAvailable: {{ .Values.defaultBackend.minAvailable }} {{- end }} +{{- end }} From 2aa34202c1ae42fc689cc6980817aedc80b75229 Mon Sep 17 00:00:00 2001 From: Aditya Kamath Date: Mon, 17 Jan 2022 15:24:49 -0800 Subject: [PATCH 0017/1606] Allow to configure delay before controller exits (#8143) * Allow to configure delay before controller exits Signed-off-by: Aditya Kamath * Address comments Signed-off-by: Aditya Kamath --- cmd/nginx/flags.go | 3 +++ cmd/nginx/main.go | 8 ++++---- cmd/nginx/main_test.go | 2 +- docs/user-guide/cli-arguments.md | 1 + internal/ingress/controller/controller.go | 3 ++- 5 files changed, 11 insertions(+), 6 deletions(-) 
diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go index f9d6702fe..f620690b5 100644 --- a/cmd/nginx/flags.go +++ b/cmd/nginx/flags.go @@ -197,6 +197,8 @@ Takes the form ":port". If not provided, no admission controller is starte statusUpdateInterval = flags.Int("status-update-interval", status.UpdateInterval, "Time interval in seconds in which the status should check if an update is required. Default is 60 seconds") shutdownGracePeriod = flags.Int("shutdown-grace-period", 0, "Seconds to wait after receiving the shutdown signal, before stopping the nginx process.") + + postShutdownGracePeriod = flags.Int("post-shutdown-grace-period", 10, "Seconds to wait after the nginx process has stopped before controller exits.") ) flags.StringVar(&nginx.MaxmindMirror, "maxmind-mirror", "", `Maxmind mirror url (example: http://geoip.local/databases`) @@ -321,6 +323,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g PublishStatusAddress: *publishStatusAddress, UpdateStatusOnShutdown: *updateStatusOnShutdown, ShutdownGracePeriod: *shutdownGracePeriod, + PostShutdownGracePeriod: *postShutdownGracePeriod, UseNodeInternalIP: *useNodeInternalIP, SyncRateLimit: *syncRateLimit, HealthCheckHost: *healthzHost, diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index cbfca547c..7293e6b10 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go @@ -155,14 +155,14 @@ func main() { go startHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux) go ngx.Start() - handleSigterm(ngx, func(code int) { + handleSigterm(ngx, conf.PostShutdownGracePeriod, func(code int) { os.Exit(code) }) } type exiter func(code int) -func handleSigterm(ngx *controller.NGINXController, exit exiter) { +func handleSigterm(ngx *controller.NGINXController, delay int, exit exiter) { signalChan := make(chan os.Signal, 1) signal.Notify(signalChan, syscall.SIGTERM) <-signalChan 
@@ -174,8 +174,8 @@ func handleSigterm(ngx *controller.NGINXController, exit exiter) { exitCode = 1 } - klog.InfoS("Handled quit, awaiting Pod deletion") - time.Sleep(10 * time.Second) + klog.Infof("Handled quit, delaying controller exit for %d seconds", delay) + time.Sleep(time.Duration(delay) * time.Second) klog.InfoS("Exiting", "code", exitCode) exit(exitCode) diff --git a/cmd/nginx/main_test.go b/cmd/nginx/main_test.go index e6d24b301..2a29953ad 100644 --- a/cmd/nginx/main_test.go +++ b/cmd/nginx/main_test.go @@ -105,7 +105,7 @@ func TestHandleSigterm(t *testing.T) { ngx := controller.NewNGINXController(conf, nil) - go handleSigterm(ngx, func(code int) { + go handleSigterm(ngx, 10, func(code int) { if code != 1 { t.Errorf("Expected exit code 1 but %d received", code) } diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index bbf06b720..b9cd0c564 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md 
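Review bot: The new log line in the main.go hunk switches from structured `klog.InfoS` to `klog.Infof`, while the next call in the same function (`klog.InfoS("Exiting", "code", exitCode)`) stays structured; `klog.InfoS("Handled quit, delaying controller exit", "delay", delay)` keeps the style consistent. `delay` is also used unchecked: a negative `--post-shutdown-grace-period` makes `time.Sleep` return at once, so rejecting negative values where the flag is read in flags.go would make the intent explicit. In the main_test.go hunk, passing a small value instead of `10` would stop the test depending on a ten-second sleep, if the test waits for the exit callback (not visible here). handleSigterm's body starts outside this hunk.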
@@ -40,6 +40,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--maxmind-retries-count` | Number of attempts to download the GeoIP DB. (default 1) | | `--maxmind-license-key` | Maxmind license key to download GeoLite2 Databases. https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases | | `--metrics-per-host` | Export metrics per-host (default true) | +| `--post-shutdown-grace-period` | Additional delay in seconds before controller container exits. (default 10) | | `--profiler-port` | Port to use for expose the ingress controller Go profiler when it is enabled. (default 10245) | | `--profiling` | Enable profiling via web interface host:port/debug/pprof/ (default true) | | `--publish-service` | Service fronting the Ingress controller. Takes the form "namespace/name". When used together with update-status, the controller mirrors the address of this service's endpoints to the load-balancer status of all Ingress objects it satisfies. | diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index a4ae4217c..48a91b67b 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -118,7 +118,8 @@ type Configuration struct { MonitorMaxBatchSize int - ShutdownGracePeriod int + PostShutdownGracePeriod int + ShutdownGracePeriod int } // GetPublishService returns the Service used to set the load-balancer status of Ingresses. From a665a409da87028896dbb3d8dfc78cf8a154e275 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arthur=20Woimb=C3=A9e?= Date: Tue, 18 Jan 2022 00:28:49 +0100 Subject: [PATCH 0018/1606] helm: ServiceMonitor: sane default namespaceSelector (#7998) * helm: service-monitor: sane default namespaceSelector * chart version bump (4.0.16) --- charts/ingress-nginx/Chart.yaml | 2 +- charts/ingress-nginx/templates/controller-servicemonitor.yaml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) 
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 961efc061..4d48ca0c3 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: ingress-nginx # When the version is modified, make sure the artifacthub.io/changes list is updated # Also update CHANGELOG.md -version: 4.0.15 +version: 4.0.16 appVersion: 1.1.1 home: https://github.com/kubernetes/ingress-nginx description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 3e602d44d..74abe43a3 100644 --- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml @@ -30,6 +30,10 @@ spec: {{- end }} {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }} +{{- else }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} {{- end }} {{- if .Values.controller.metrics.serviceMonitor.targetLabels }} targetLabels: From d16e0dec4865cbd5b937dbffb957423c308331c5 Mon Sep 17 00:00:00 2001 
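Review bot: The default `matchNames` entry in controller-servicemonitor.yaml renders `{{ .Release.Namespace }}` unquoted, so a release namespace whose name is all digits would be emitted as a YAML number rather than a string; `- {{ .Release.Namespace | quote }}` avoids that. A short template comment on the `else` branch would also help, e.g. `{{- /* default: select only the release namespace */}}`, since this default narrows what the ServiceMonitor selects when no selector is supplied. The surrounding `spec:` block begins outside this hunk.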
From: Alastair Firth Date: Tue, 18 Jan 2022 00:28:56 +0100 Subject: [PATCH 0019/1606] Static manifest generation uses kustomize instead of python (#8099) * regenerate at 4.0.12 * bash for loop and static values files * add .tool-versions * fixup static manifests with kustomize instead of python * remove spec.replicas where set * generate manifests for all supported versions * update docs * remove all versions except default (1.20) for now * update to 1.1.1/4.0.15 --- RELEASE.md | 61 +- deploy/static/provider/aws/deploy.yaml | 1090 ++++++++-------- .../deploy.yaml} | 1112 ++++++++-------- .../kustomization.yaml | 11 + deploy/static/provider/baremetal/deploy.yaml | 1096 ++++++++-------- deploy/static/provider/cloud/deploy.yaml | 1098 ++++++++-------- deploy/static/provider/do/deploy.yaml | 1094 ++++++++-------- deploy/static/provider/exoscale/deploy.yaml | 1090 ++++++++-------- deploy/static/provider/kind/deploy.yaml | 1114 ++++++++--------- deploy/static/provider/scw/deploy.yaml | 1092 ++++++++-------- docs/deploy/index.md | 20 +- hack/.tool-versions | 2 + hack/generate-deploy-scripts.sh | 227 +--- .../common/kustomization.yaml | 14 + hack/manifest-templates/common/namespace.yaml | 7 + .../provider/aws/kustomization.yaml | 4 + .../kustomization.yaml | 4 + .../aws/nlb-with-tls-termination/values.yaml | 36 + .../provider/aws/values.yaml | 9 + .../provider/baremetal/kustomization.yaml | 4 + .../provider/baremetal/values.yaml | 7 + .../provider/cloud/kustomization.yaml | 4 + .../provider/cloud/values.yaml | 4 + .../provider/do/kustomization.yaml | 4 + .../provider/do/values.yaml | 11 + .../provider/exoscale/kustomization.yaml | 4 + .../provider/exoscale/values.yaml | 17 + .../provider/kind/kustomization.yaml | 4 + .../provider/kind/values.yaml | 24 + .../provider/scw/kustomization.yaml | 4 + .../provider/scw/values.yaml | 9 + .../static-kustomization-template.yaml | 11 + 32 files changed, 4566 insertions(+), 4722 deletions(-) rename 
deploy/static/provider/aws/{deploy-tls-termination.yaml => nlb-with-tls-termination/deploy.yaml} (55%) create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml create mode 100644 hack/.tool-versions create mode 100644 hack/manifest-templates/common/kustomization.yaml create mode 100644 hack/manifest-templates/common/namespace.yaml create mode 100644 hack/manifest-templates/provider/aws/kustomization.yaml create mode 100644 hack/manifest-templates/provider/aws/nlb-with-tls-termination/kustomization.yaml create mode 100644 hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml create mode 100644 hack/manifest-templates/provider/aws/values.yaml create mode 100644 hack/manifest-templates/provider/baremetal/kustomization.yaml create mode 100644 hack/manifest-templates/provider/baremetal/values.yaml create mode 100644 hack/manifest-templates/provider/cloud/kustomization.yaml create mode 100644 hack/manifest-templates/provider/cloud/values.yaml create mode 100644 hack/manifest-templates/provider/do/kustomization.yaml create mode 100644 hack/manifest-templates/provider/do/values.yaml create mode 100644 hack/manifest-templates/provider/exoscale/kustomization.yaml create mode 100644 hack/manifest-templates/provider/exoscale/values.yaml create mode 100644 hack/manifest-templates/provider/kind/kustomization.yaml create mode 100644 hack/manifest-templates/provider/kind/values.yaml create mode 100644 hack/manifest-templates/provider/scw/kustomization.yaml create mode 100644 hack/manifest-templates/provider/scw/values.yaml create mode 100644 hack/manifest-templates/static-kustomization-template.yaml diff --git a/RELEASE.md b/RELEASE.md index 4396c20fc..74fd3f1e4 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -1,6 +1,6 @@ # RELEASE PROCESS -## 1. BUILD the new Ingress-Nginx-Controller image +## 1. BUILD the new Ingress-Nginx-Controller image ### a. Make changes in codebase 
@@ -8,7 +8,7 @@ ### b. Make changes to appropriate files in [images directory ](images) -- Make changes in /images +- Make changes in /images ### c. Create Pull Request @@ -18,7 +18,7 @@ - Example [NGINX_VERSION](images/nginx/rootfs/build.sh#L21), [SHA256](images/nginx/rootfs/build.sh#L124). - - If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as well, the cloud build will fail with an exit 10 if not. + - If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as well, the cloud build will fail with an exit 10 if not. ### d. Merge @@ -26,7 +26,7 @@ ### e. Make sure cloudbuild is a success -- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. +- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. - Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image. @@ -42,7 +42,7 @@ ### b. Make changes to appropriate files in [images directory ](images) - Sometimes, you may also be needing to rebuild, images for one or multiple other related components of the Ingress-Nginx-Controller ecosystem. Make changes to the required files in the /images directory, if/as applicable, in the context of the release you are attempting. : - + - [e2e](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e-image) - Update references to e2e-test-runner image [If applicable] : 
@@ -72,24 +72,24 @@ ### e. Make sure cloudbuild is a success -- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. +- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. - Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image. ## 3. PROMOTE the Image(s): -Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images: +Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images: ### a. Get the sha -- Get the sha of the new image(s) of the controller, (and any other component image IF APPLICABLE to release), from the cloudbuild, from steps above +- Get the sha of the new image(s) of the controller, (and any other component image IF APPLICABLE to release), from the cloudbuild, from steps above - The sha is available in output from [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx) - The sha is also visible here https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/controller - - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. 
Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this: + - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this: ``` ... @@ -99,7 +99,7 @@ Promoting the images basically means that images, that were pushed to staging co ### b. Add the new image to [k8s.io](http://github.com/kubernetes/k8s.io) -- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization. +- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization. - Fork that other project (if you don't have a fork already). 
@@ -113,7 +113,7 @@ Promoting the images basically means that images, that were pushed to staging co - For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake. -- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before +- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before - Save and commit @@ -130,13 +130,13 @@ Promoting the images basically means that images, that were pushed to staging co ## 4. PREPARE for a new Release -- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller). +- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller). - This involves editing of several different files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers. ### a. Make sure your git workspace is ready -- Get your git workspace ready +- Get your git workspace ready - If not using a pre-existing fork, then Fork the repo kubernetes/ingress-nginx 
@@ -165,7 +165,7 @@ Promoting the images basically means that images, that were pushed to staging co - appVersion - kubeVersion (**ONLY if applicable**) - annotations - - artifacthub.io/prerelease: "true" + - artifacthub.io/prerelease: "true" - artifacthub.io/changes: | - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below - Install and configure github cli as per the docs of gh-cli https://cli.github.com/, 
@@ -230,41 +230,21 @@ Promoting the images basically means that images, that were pushed to staging co - Prepare to use a script to update the edit the static manifests and set the "image", "digest", "version" etc. fields to the desired value. + - This script depends on kustomize and helm. The versions are pinned in `hack/.tool-versions` and you can use [asdf](https://github.com/asdf-vm/asdf#asdf) to install them - - This script depends on python and a specific python package `pip3 install ruamel.yaml` + - Execute the script to update static manifests using that script [hack/generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh) - - Execute the script to update static manifests using that script [generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh) - Open some of the manifests and check if the script worked properly - Use grep -ir to search for any misses by the script or undesired changes - The script should properly set the image and the digest fields to the desired tag and semver - - Manually fix one problem that the script can not take care of. - - This problem is wrong formatting of a snippet in the file [deploy-tls-termination.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/static/provider/aws/deploy-tls-termination.yaml) - - In the configMap section, for the configMap named ingress-nginx-controller, the "configMap.data" spec has a snippet - - - This snippet becomes a single line, formatted with the newline character "\n" - - - That single line formatted with "\n" needs to be changed as it does not meet yaml requirements - - - At the time of writing this doc, the 'configMap.data' spec is at line number 39. 
- - - So editing begins at line 40 (at the time of writing this doc) - - - Make that snippet look like this ; - ``` - data: - http-snippet:| - server{ - listen 2443; - return 308 https://$host$request_uri; - } - ``` ### f. Edit the changelog - [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md) + + [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md) - Each time a release is made, a new section is added to the Changelog.md file - A new section in the Changelog.md file consists of 3 components listed below - the "Image" @@ -277,8 +257,9 @@ Promoting the images basically means that images, that were pushed to staging co - One process to generate this list of PRs is already described above in step 4c. So if you are following this document, then you have done this already and very likely have retained the file containing the list of PRs, in the format that is needed. ### g. Edit the Documentation: + - Update the version in [docs/deploy/index.md](docs/deploy/index.md) -- Update Supported versions in the Support Versions table in the README.md +- Update Supported versions in the Support Versions table in the README.md ### h. Edit stable.txt @@ -294,7 +275,7 @@ Promoting the images basically means that images, that were pushed to staging co - Open PR for releasing the new version of the Ingress-Nginx-Controller ; - Look at this PR for how it was done before [example PR](https://github.com/kubernetes/ingress-nginx/pull/7490) - - Create a PR + - Create a PR ### b. Merge diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index e4856da9f..b74690c33 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml 
@@ -1,227 +1,249 @@ - +#GENERATED FOR K8S 1.20 apiVersion: v1 kind: Namespace metadata: - name: ingress-nginx labels: - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx --- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml apiVersion: v1 +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx -automountServiceAccountToken: true --- -# Source: ingress-nginx/templates/controller-configmap.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission namespace: ingress-nginx -data: - allow-snippet-annotations: 'true' --- -# Source: ingress-nginx/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: 
ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch - - apiGroups: - - '' - resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -# Source: ingress-nginx/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx rules: - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - 
apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + 
app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update --- -# Source: ingress-nginx/templates/controller-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - 
app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx roleRef: 
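Review bot: The `ingress-nginx-admission` ClusterRole on the new side of this hunk allows `get` and `update` on every `validatingwebhookconfigurations` object in the cluster, because its rule carries no `resourceNames`. The patch Job later in this file is started with `--webhook-name=ingress-nginx-admission`, so the rule could be narrowed by adding `resourceNames:` with the single entry `- ingress-nginx-admission`, which should be enough if the job only reads and updates that one object. The `helm.sh/hook-delete-policy` annotations on the admission ServiceAccount, Role and ClusterRole are acted on by Helm only, so when this static manifest is applied with kubectl these objects presumably stay in place after the jobs finish, which makes the scoping matter more. The file is marked `#GENERATED FOR K8S 1.20`, so the change belongs in the generator's input rather than in this file.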
@@ -229,459 +251,413 @@ roleRef: kind: Role name: ingress-nginx subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service-webhook.yaml -apiVersion: v1 -kind: Service +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: webhook - appProtocol: https - selector: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: annotations: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" service.beta.kubernetes.io/aws-load-balancer-type: nlb labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: - type: LoadBalancer 
externalTrafficPolicy: Local - ipFamilyPolicy: SingleStack ipFamilies: - - IPv4 + - IPv4 + ipFamilyPolicy: SingleStack ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - appProtocol: http - - name: https - port: 443 - protocol: TCP - targetPort: https - appProtocol: https + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP --- -# Source: ingress-nginx/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 selector: matchLabels: - 
app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller - revisionHistoryLimit: 10 - minReadySeconds: 0 + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx template: metadata: labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: - dnsPolicy: ClusterFirst containers: - - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - 
protocol: TCP - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi + - args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx 
terminationGracePeriodSeconds: 300 volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission + - name: webhook-cert + secret: + secretName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/controller-ingressclass.yaml -# We don't support namespaced ingressClass yet -# So a ClusterRole and a ClusterRoleBinding is required -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: nginx - namespace: ingress-nginx -spec: - controller: k8s.io/ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission -webhooks: - - name: validate.nginx.ingress.kubernetes.io - matchPolicy: Equivalent - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /networking/v1/ingresses ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - namespace: 
ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: 
ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-create - namespace: ingress-nginx annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm 
app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create spec: containers: - - name: create - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false nodeSelector: 
kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-patch - namespace: ingress-nginx annotations: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch spec: containers: - - name: patch - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - 
securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None 
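Review bot: The ConfigMap on the new side keeps `allow-snippet-annotations: "true"`, so anyone allowed to create or edit an Ingress can add raw nginx configuration to a controller whose ClusterRole (first hunk of this file) may `list` and `watch` `secrets` in all namespaces. For a manifest that is applied as-is, the safer default is `allow-snippet-annotations: "false"`, leaving snippets as an explicit opt-in for clusters where every Ingress author is trusted. The controller container also keeps `allowPrivilegeEscalation: true` next to `drop: ALL` and `add: NET_BIND_SERVICE`, presumably so the non-root user 101 can bind ports 80 and 443; that reason is worth recording where the value is set. Both settings come from the generator's input, so that is where they would be changed.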
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml similarity index 55% rename from deploy/static/provider/aws/deploy-tls-termination.yaml rename to deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 63c3b0a33..242624ef3 100644 --- a/deploy/static/provider/aws/deploy-tls-termination.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml 
@@ -1,234 +1,249 @@ - +#GENERATED FOR K8S 1.20 apiVersion: v1 kind: Namespace metadata: - name: ingress-nginx labels: - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx --- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml apiVersion: v1 +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx -automountServiceAccountToken: true --- -# Source: ingress-nginx/templates/controller-configmap.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission namespace: ingress-nginx -data: - allow-snippet-annotations: 'true' - http-snippet: | - server{ - listen 2443; - return 308 https://$host$request_uri; - } - proxy-real-ip-cidr: XXX.XXX.XXX/XX - use-forwarded-headers: 'true' --- -# Source: ingress-nginx/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 
-kind: ClusterRole -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch - - apiGroups: - - '' - resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -# Source: ingress-nginx/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + 
helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx rules: - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + 
app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update --- -# Source: 
ingress-nginx/templates/controller-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx roleRef: 
@@ -236,464 +251,425 @@ roleRef: kind: Role name: ingress-nginx subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service-webhook.yaml -apiVersion: v1 -kind: Service +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: webhook - appProtocol: https - selector: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" + http-snippet: | + server { + listen 2443; + return 308 https://$host$request_uri; + } + proxy-real-ip-cidr: XXX.XXX.XXX/XX + use-forwarded-headers: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: annotations: - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60' - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https service.beta.kubernetes.io/aws-load-balancer-type: nlb labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - 
app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: - type: LoadBalancer externalTrafficPolicy: Local - ipFamilyPolicy: SingleStack ipFamilies: - - IPv4 + - IPv4 + ipFamilyPolicy: SingleStack ports: - - name: http - port: 80 - protocol: TCP - targetPort: tohttps - appProtocol: http - - name: https - port: 443 - protocol: TCP - targetPort: http - appProtocol: https + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: tohttps + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: http selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP --- -# Source: ingress-nginx/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - 
app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller - revisionHistoryLimit: 10 - minReadySeconds: 0 + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx template: metadata: labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: - dnsPolicy: ClusterFirst containers: - - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - livenessProbe: - failureThreshold: 
5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 80 - protocol: TCP - - name: tohttps - containerPort: 2443 - protocol: TCP - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi + - args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 80 + name: https + protocol: TCP + - containerPort: 2443 + name: tohttps + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + 
failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 300 volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission + - name: webhook-cert + secret: + secretName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/controller-ingressclass.yaml -# We don't support namespaced ingressClass yet -# So a ClusterRole and a ClusterRoleBinding is required -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: nginx - namespace: ingress-nginx -spec: - controller: k8s.io/ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission -webhooks: - - name: validate.nginx.ingress.kubernetes.io - 
matchPolicy: Equivalent - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /networking/v1/ingresses ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: 
before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: 
ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-create - namespace: ingress-nginx annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create spec: containers: - - name: create - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - create + - 
--host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-patch - namespace: ingress-nginx annotations: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: 
ingress-nginx-admission-patch spec: containers: - - name: patch - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 
1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml new file mode 100644 index 000000000..ca2086ea9 --- /dev/null +++ b/deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml @@ -0,0 +1,11 @@ +# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases. +# https://kubectl.docs.kubernetes.io/references/kustomize/bases/ +# +# ``` +# namespace: ingress-nginx +# bases: +# - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master +# ``` + +resources: + - deploy.yaml diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 900c34020..af3463951 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml 
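Review bot: The usage example in the header comment of the new kustomization.yaml points consumers at `?ref=master`, a mutable ref. Anyone who copies it pulls whatever RBAC rules, admission webhook configuration and controller Deployment master holds at build time, not a reviewed release. The example should show a pinned ref instead, for instance `# - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=<RELEASE_TAG_OR_COMMIT_SHA>`, with one more comment line saying the ref should match the controller version being deployed. The example also uses `bases:`, which newer kustomize releases deprecate in favour of `resources:`, so the snippet may need updating when the ref is changed.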
@@ -1,227 +1,249 @@ - +#GENERATED FOR K8S 1.20 apiVersion: v1 kind: Namespace metadata: - name: ingress-nginx labels: - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx --- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml apiVersion: v1 +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx -automountServiceAccountToken: true --- -# Source: ingress-nginx/templates/controller-configmap.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission namespace: ingress-nginx -data: - allow-snippet-annotations: 'true' --- -# Source: ingress-nginx/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: 
ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch - - apiGroups: - - '' - resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -# Source: ingress-nginx/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx rules: - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - 
apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + 
app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update --- -# Source: ingress-nginx/templates/controller-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - 
app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx roleRef: 
@@ -229,454 +251,408 @@ roleRef: kind: Role name: ingress-nginx subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-service-webhook.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission +- kind: ServiceAccount + name: ingress-nginx namespace: ingress-nginx -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: webhook - appProtocol: https - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller --- -# Source: ingress-nginx/templates/controller-service.yaml -apiVersion: v1 -kind: Service +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 
ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: v1 +kind: Service +metadata: + annotations: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: - type: NodePort - ipFamilyPolicy: SingleStack ipFamilies: - - IPv4 + - IPv4 + ipFamilyPolicy: SingleStack ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - appProtocol: http - - name: https - port: 443 - protocol: 
TCP - targetPort: https - appProtocol: https + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: NodePort +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP --- -# Source: ingress-nginx/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller - revisionHistoryLimit: 10 - minReadySeconds: 0 + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx 
template: metadata: labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: - dnsPolicy: ClusterFirst containers: - - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - /nginx-ingress-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi + - args: + - /nginx-ingress-controller + - --election-id=ingress-controller-leader + - 
--controller-class=k8s.io/ingress-nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 300 volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission + - name: webhook-cert + secret: + secretName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/controller-ingressclass.yaml -# We don't support namespaced ingressClass yet -# So a ClusterRole and a ClusterRoleBinding is required -apiVersion: 
networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: nginx - namespace: ingress-nginx -spec: - controller: k8s.io/ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission -webhooks: - - name: validate.nginx.ingress.kubernetes.io - matchPolicy: Equivalent - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /networking/v1/ingresses ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/component: admission-webhook ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: 
ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-create - namespace: ingress-nginx annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-4.0.15 
- app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create spec: containers: - - name: create - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-patch - namespace: ingress-nginx annotations: helm.sh/hook: post-install,post-upgrade 
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch spec: containers: - - name: patch - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: 
metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 0e0852550..87f64383a 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml 
@@ -1,227 +1,249 @@ - +#GENERATED FOR K8S 1.20 apiVersion: v1 kind: Namespace metadata: - name: ingress-nginx labels: - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx --- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml apiVersion: v1 +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx -automountServiceAccountToken: true --- -# Source: ingress-nginx/templates/controller-configmap.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission namespace: ingress-nginx -data: - allow-snippet-annotations: 'true' --- -# Source: ingress-nginx/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: 
ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch - - apiGroups: - - '' - resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -# Source: ingress-nginx/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx rules: - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - 
apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + 
app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update --- -# Source: ingress-nginx/templates/controller-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - 
app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx roleRef: 
@@ -229,456 +251,410 @@ roleRef: kind: Role name: ingress-nginx subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-service-webhook.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission +- kind: ServiceAccount + name: ingress-nginx namespace: ingress-nginx -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: webhook - appProtocol: https - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller --- -# Source: ingress-nginx/templates/controller-service.yaml -apiVersion: v1 -kind: Service +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 
ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: v1 +kind: Service +metadata: + annotations: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: - type: LoadBalancer externalTrafficPolicy: Local - ipFamilyPolicy: SingleStack ipFamilies: - - IPv4 + - IPv4 + ipFamilyPolicy: SingleStack ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - appProtocol: http - - 
name: https - port: 443 - protocol: TCP - targetPort: https - appProtocol: https + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP --- -# Source: ingress-nginx/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller - revisionHistoryLimit: 10 - minReadySeconds: 0 + app.kubernetes.io/instance: ingress-nginx + 
app.kubernetes.io/name: ingress-nginx template: metadata: labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: - dnsPolicy: ClusterFirst containers: - - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi + - 
args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 300 volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission + - name: webhook-cert + secret: + secretName: ingress-nginx-admission --- -# Source: 
ingress-nginx/templates/controller-ingressclass.yaml -# We don't support namespaced ingressClass yet -# So a ClusterRole and a ClusterRoleBinding is required -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: nginx - namespace: ingress-nginx -spec: - controller: k8s.io/ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission -webhooks: - - name: validate.nginx.ingress.kubernetes.io - matchPolicy: Equivalent - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /networking/v1/ingresses ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: 
ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: 
pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-create - namespace: ingress-nginx annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: 
ingress-nginx-4.0.15 + name: ingress-nginx-admission-create + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create spec: containers: - - name: create - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission --- -# Source: 
ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-patch - namespace: ingress-nginx annotations: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch spec: containers: - - name: patch - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - patch + - 
--webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index d72cac794..6409fffde 100644 
--- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml 
@@ -1,228 +1,249 @@ - +#GENERATED FOR K8S 1.20 apiVersion: v1 kind: Namespace metadata: - name: ingress-nginx labels: - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx --- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml apiVersion: v1 +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx -automountServiceAccountToken: true --- -# Source: ingress-nginx/templates/controller-configmap.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission namespace: ingress-nginx -data: - allow-snippet-annotations: 'true' - use-proxy-protocol: 'true' --- -# Source: ingress-nginx/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - 
app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch - - apiGroups: - - '' - resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -# Source: ingress-nginx/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx rules: - - apiGroups: - - '' - resources: - - 
namespaces - verbs: - - get - - apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update --- -# Source: ingress-nginx/templates/controller-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - 
helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx roleRef: 
@@ -230,458 +251,413 @@ roleRef: kind: Role name: ingress-nginx subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service-webhook.yaml -apiVersion: v1 -kind: Service +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: webhook - appProtocol: https - selector: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" + use-proxy-protocol: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: annotations: - service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true' + service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true" labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: - type: LoadBalancer externalTrafficPolicy: Local - ipFamilyPolicy: SingleStack ipFamilies: - - IPv4 + - IPv4 + ipFamilyPolicy: SingleStack ports: 
- - name: http - port: 80 - protocol: TCP - targetPort: http - appProtocol: http - - name: https - port: 443 - protocol: TCP - targetPort: https - appProtocol: https + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP --- -# Source: ingress-nginx/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller - 
revisionHistoryLimit: 10 - minReadySeconds: 0 + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx template: metadata: labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: - dnsPolicy: ClusterFirst containers: - - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: 
/usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi + - args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 300 volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission + - name: 
webhook-cert + secret: + secretName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/controller-ingressclass.yaml -# We don't support namespaced ingressClass yet -# So a ClusterRole and a ClusterRoleBinding is required -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: nginx - namespace: ingress-nginx -spec: - controller: k8s.io/ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission -webhooks: - - name: validate.nginx.ingress.kubernetes.io - matchPolicy: Equivalent - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /networking/v1/ingresses - timeoutSeconds: 29 ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - 
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: 
ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-create - namespace: ingress-nginx annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create spec: containers: - - name: create - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: 
ingress-nginx-admission --- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-patch - namespace: ingress-nginx annotations: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch spec: containers: - - name: patch - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission 
+ - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None + timeoutSeconds: 29 
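Review bot: The regenerated `ingress-nginx-controller` ConfigMap in this hunk still ships `allow-snippet-annotations: "true"`, while the `ingress-nginx` ClusterRole in the previous hunk of the same file gives the controller `list`/`watch` on `secrets` across the cluster. With snippets enabled, any user allowed to create or update Ingress objects can add their own NGINX directives to the controller's configuration, so Ingress write access effectively borrows the controller's privileges. For a static manifest that is applied as-is, the safer default is `allow-snippet-annotations: "false"`, with snippets left as an explicit opt-in for single-tenant clusters. The file is marked `#GENERATED FOR K8S 1.20`, so the change belongs in the values fed to the generator rather than in a hand edit here. A short comment beside the key would help too, for example `# snippets let Ingress authors inject NGINX config; enable only for trusted tenants`.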
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index 784993a92..ef0769852 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml 
@@ -1,227 +1,249 @@ - +#GENERATED FOR K8S 1.20 apiVersion: v1 kind: Namespace metadata: - name: ingress-nginx labels: - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx --- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml apiVersion: v1 +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx -automountServiceAccountToken: true --- -# Source: ingress-nginx/templates/controller-configmap.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission namespace: ingress-nginx -data: - allow-snippet-annotations: 'true' --- -# Source: ingress-nginx/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: 
ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch - - apiGroups: - - '' - resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -# Source: ingress-nginx/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx rules: - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - 
apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + 
app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update --- -# Source: ingress-nginx/templates/controller-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - 
app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx roleRef: 
@@ -229,36 +251,91 @@ roleRef: kind: Role name: ingress-nginx subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service-webhook.yaml -apiVersion: v1 -kind: Service +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: webhook - appProtocol: https - selector: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: 
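Review bot: The ConfigMap `ingress-nginx-controller` re-added at the end of this hunk still ships `allow-snippet-annotations: "true"`, so anyone allowed to create or update an Ingress can place raw NGINX configuration into the controller through snippet annotations. The ClusterRole `ingress-nginx` in the first hunk of this file gives that controller `list` and `watch` on `secrets` cluster-wide, which makes this a cross-namespace trust boundary in a shared cluster. For a default static manifest I would render it as `allow-snippet-annotations: "false"` and let operators who need snippets opt in. Since the file is generated, the change belongs in the chart value (`controller.allowSnippetAnnotations`) used to produce it. The same rendered value presumably appears in the other provider manifests regenerated by this commit.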
@@ -268,426 +345,325 @@ metadata: service.beta.kubernetes.io/exoscale-loadbalancer-name: nginx-ingress-controller service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: 10s service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: http - service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: '1' + service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1" service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: / service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: - type: LoadBalancer externalTrafficPolicy: Local - ipFamilyPolicy: SingleStack ipFamilies: - - IPv4 + - IPv4 + ipFamilyPolicy: SingleStack ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - appProtocol: http - - name: https - port: 443 - protocol: TCP - targetPort: https - appProtocol: https + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + 
app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP --- -# Source: ingress-nginx/templates/controller-daemonset.yaml apiVersion: apps/v1 kind: DaemonSet metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller - revisionHistoryLimit: 10 - minReadySeconds: 0 + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx template: metadata: labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: - dnsPolicy: ClusterFirst containers: - - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - 
/nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi + - args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: 
LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 300 volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission + - name: webhook-cert + secret: + secretName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/controller-ingressclass.yaml -# We don't support namespaced ingressClass yet -# So a ClusterRole and a ClusterRoleBinding is required -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: nginx - namespace: ingress-nginx -spec: - controller: k8s.io/ingress-nginx ---- -# Source: 
ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission -webhooks: - - name: validate.nginx.ingress.kubernetes.io - matchPolicy: Equivalent - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /networking/v1/ingresses ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - 
helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: 
RoleBinding -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-create - namespace: ingress-nginx annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 
+ name: ingress-nginx-admission-create spec: containers: - - name: create - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-patch - namespace: ingress-nginx annotations: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch spec: containers: - - name: patch - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: 
ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index c87aa857e..4cd1c32d4 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml 
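Review bot: In the controller DaemonSet of the exoscale manifest, the container `securityContext` sets `runAsUser: 101` and `allowPrivilegeEscalation: true` but has no `runAsNonRoot: true`, while both admission Jobs later in the same hunk set `runAsNonRoot: true` at pod level. Adding `runAsNonRoot: true` next to `runAsUser: 101` would make the kubelet refuse to start the container if the UID is ever overridden to 0. `allowPrivilegeEscalation: true` is presumably needed so the non-root process can obtain `NET_BIND_SERVICE` for ports 80 and 443. If so, a short comment in the chart template saying that would help, because the restricted Pod Security Standard rejects this setting. As the manifest is generated, both changes belong in the chart rather than in this file.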
@@ -1,227 +1,249 @@ - +#GENERATED FOR K8S 1.20 apiVersion: v1 kind: Namespace metadata: - name: ingress-nginx labels: - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx --- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml apiVersion: v1 +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx -automountServiceAccountToken: true --- -# Source: ingress-nginx/templates/controller-configmap.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission namespace: ingress-nginx -data: - allow-snippet-annotations: 'true' --- -# Source: ingress-nginx/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: 
ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch - - apiGroups: - - '' - resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -# Source: ingress-nginx/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx rules: - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - 
apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + 
app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update --- -# Source: ingress-nginx/templates/controller-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - 
app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx roleRef: 
@@ -229,467 +251,421 @@ roleRef: kind: Role name: ingress-nginx subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-service-webhook.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission +- kind: ServiceAccount + name: ingress-nginx namespace: ingress-nginx -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: webhook - appProtocol: https - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller --- -# Source: ingress-nginx/templates/controller-service.yaml -apiVersion: v1 -kind: Service +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 
ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: v1 +kind: Service +metadata: + annotations: null + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: - type: NodePort - ipFamilyPolicy: SingleStack ipFamilies: - - IPv4 + - IPv4 + ipFamilyPolicy: SingleStack ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - appProtocol: http - - name: https - port: 443 - protocol: 
TCP - targetPort: https - appProtocol: https + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: NodePort +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP --- -# Source: ingress-nginx/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller - revisionHistoryLimit: 10 + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx strategy: 
rollingUpdate: maxUnavailable: 1 type: RollingUpdate - minReadySeconds: 0 template: metadata: labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: - dnsPolicy: ClusterFirst containers: - - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - /nginx-ingress-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - - --watch-ingress-without-class=true - - --publish-status-address=localhost - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - ports: - - name: http - containerPort: 80 - protocol: TCP - hostPort: 80 - - name: https - containerPort: 443 - protocol: TCP - hostPort: 443 - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: 
/usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi + - args: + - /nginx-ingress-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + - --watch-ingress-without-class=true + - --publish-status-address=localhost + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + hostPort: 80 + name: http + protocol: TCP + - containerPort: 443 + hostPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst nodeSelector: - ingress-ready: 'true' + ingress-ready: "true" kubernetes.io/os: linux - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master 
- operator: Equal serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 0 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Equal volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission + - name: webhook-cert + secret: + secretName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/controller-ingressclass.yaml -# We don't support namespaced ingressClass yet -# So a ClusterRole and a ClusterRoleBinding is required -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: nginx - namespace: ingress-nginx -spec: - controller: k8s.io/ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission -webhooks: - - name: validate.nginx.ingress.kubernetes.io - matchPolicy: Equivalent - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /networking/v1/ingresses ---- -# Source: 
ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 
ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-create - namespace: ingress-nginx annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: 
ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create spec: containers: - - name: create - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: 
k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-patch - namespace: ingress-nginx annotations: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch spec: containers: - - name: patch - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - patch - - 
--webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses 
+ failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index a97984338..4f918c422 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml 
@@ -1,228 +1,249 @@ - +#GENERATED FOR K8S 1.20 apiVersion: v1 kind: Namespace metadata: - name: ingress-nginx labels: - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx --- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml apiVersion: v1 +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx -automountServiceAccountToken: true --- -# Source: ingress-nginx/templates/controller-configmap.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission namespace: ingress-nginx -data: - allow-snippet-annotations: 'true' - use-proxy-protocol: 'true' --- -# Source: ingress-nginx/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - 
app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch - - apiGroups: - - '' - resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -# Source: ingress-nginx/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx rules: - - apiGroups: - - '' - resources: - - 
namespaces - verbs: - - get - - apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update --- -# Source: ingress-nginx/templates/controller-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - 
helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx namespace: ingress-nginx roleRef: 
@@ -230,457 +251,412 @@ roleRef: kind: Role name: ingress-nginx subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service-webhook.yaml -apiVersion: v1 -kind: Service +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: webhook - appProtocol: https - selector: app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" + use-proxy-protocol: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: annotations: - service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true' + service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true" labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: - type: LoadBalancer externalTrafficPolicy: Local - ipFamilyPolicy: SingleStack ipFamilies: - - IPv4 + - IPv4 + ipFamilyPolicy: SingleStack ports: - - 
name: http - port: 80 - protocol: TCP - targetPort: http - appProtocol: http - - name: https - port: 443 - protocol: TCP - targetPort: https - appProtocol: https + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP --- -# Source: ingress-nginx/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 name: ingress-nginx-controller namespace: ingress-nginx spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller - 
revisionHistoryLimit: 10 - minReadySeconds: 0 + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx template: metadata: labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: - dnsPolicy: ClusterFirst containers: - - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: 
/usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi + - args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 300 volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission + - name: 
webhook-cert + secret: + secretName: ingress-nginx-admission --- -# Source: ingress-nginx/templates/controller-ingressclass.yaml -# We don't support namespaced ingressClass yet -# So a ClusterRole and a ClusterRoleBinding is required -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: nginx - namespace: ingress-nginx -spec: - controller: k8s.io/ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission -webhooks: - - name: validate.nginx.ingress.kubernetes.io - matchPolicy: Equivalent - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /networking/v1/ingresses ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: 
before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-admission - namespace: 
ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-admission - namespace: ingress-nginx - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-create - namespace: ingress-nginx annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + 
app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-create spec: containers: - - name: create - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission --- -# Source: 
ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-patch - namespace: ingress-nginx annotations: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch + namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-4.0.15 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 1.1.1 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission-patch spec: containers: - - name: patch - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission + - args: + - patch + - 
--webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false nodeSelector: kubernetes.io/os: linux + restartPolicy: OnFailure securityContext: runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/version: 1.1.1 + helm.sh/chart: ingress-nginx-4.0.15 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 51bc4be50..c3443e731 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md 
@@ -55,8 +55,11 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont !!! info The YAML manifest in the command above was generated with `helm template`, so you will end up with almost the same resources as if you had used Helm to install the controller. -If you are running an old version of Kubernetes (1.18 or earlier), please read -[this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions. +!!! attention + If you are running an old version of Kubernetes (1.18 or earlier), please read + [this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions. + Because of api deprecations, the default manifest may not work on your cluster. + Specific manifests for supported Kubernetes versions are available within a subfolder of each provider. ### Pre-flight check 
@@ -186,12 +189,13 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont ##### TLS termination in AWS Load Balancer (NLB) -By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS with using an NLB. +By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the the [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy-tls-termination.yaml) template: - ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy-tls-termination.yaml - ``` +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template + + ```console + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: ``` @@ -205,7 +209,7 @@ By default, TLS is terminated in the ingress controller. But it is also possible 4. Deploy the manifest: ```console - kubectl apply -f deploy-tls-termination.yaml + kubectl apply -f deploy.yaml ``` ##### NLB Idle Timeouts diff --git a/hack/.tool-versions b/hack/.tool-versions new file mode 100644 index 000000000..5baa8790a --- /dev/null +++ b/hack/.tool-versions @@ -0,0 +1,2 @@ +kustomize 4.1.3 +helm 3.7.1 diff --git a/hack/generate-deploy-scripts.sh b/hack/generate-deploy-scripts.sh index 28625721b..2ec0adc1b 100755 --- a/hack/generate-deploy-scripts.sh +++ b/hack/generate-deploy-scripts.sh 
@@ -22,194 +22,51 @@ set -o errexit set -o nounset set -o pipefail +# for backwards compatibility, the default version of 1.20 is copied to the root of the variant +# with enough docs updates, this could be removed +# see # DEFAULT VERSION HANDLING +K8S_DEFAULT_VERSION=1.20 +# K8S_TARGET_VERSIONS=("1.19" "1.20" "1.21" "1.22") TODO @afirth revert for #8000 +K8S_TARGET_VERSIONS=("1.20") + DIR=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P) -RELEASE_NAME=ingress-nginx -NAMESPACE=ingress-nginx +# clean +rm -rf ${DIR}/deploy/static/provider/* -NAMESPACE_VAR=" -apiVersion: v1 -kind: Namespace -metadata: - name: $NAMESPACE - labels: - app.kubernetes.io/name: $RELEASE_NAME - app.kubernetes.io/instance: ingress-nginx -" +TEMPLATE_DIR="${DIR}/hack/manifest-templates" -# Baremetal -OUTPUT_FILE="${DIR}/deploy/static/provider/baremetal/deploy.yaml" -cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE} -controller: - service: - type: NodePort +# each helm values file `values.yaml` under `hack/manifest-templates/provider` will be generated as provider/[/variant][/kube-version]/deploy.yaml +# TARGET is provider/[/variant] +TARGETS=$(dirname $(cd $DIR/hack/manifest-templates/ && find . -type f -name "values.yaml" ) | cut -d'/' -f2-) +for K8S_VERSION in "${K8S_TARGET_VERSIONS[@]}" +do + for TARGET in ${TARGETS} + do + TARGET_DIR="${TEMPLATE_DIR}/${TARGET}" + MANIFEST="${TEMPLATE_DIR}/common/manifest.yaml" # intermediate manifest + OUTPUT_DIR="${DIR}/deploy/static/${TARGET}/${K8S_VERSION}" + echo $OUTPUT_DIR - publishService: - enabled: false -EOF + mkdir -p ${OUTPUT_DIR} + cd ${TARGET_DIR} + helm template ingress-nginx ${DIR}/charts/ingress-nginx \ + --values values.yaml \ + --namespace ingress-nginx \ + --kube-version ${K8S_VERSION} \ + > $MANIFEST + kustomize --load-restrictor=LoadRestrictionsNone build . 
> ${OUTPUT_DIR}/deploy.yaml + rm $MANIFEST + cd ~- + # automatically generate the (unsupported) kustomization.yaml for each target + sed "s_{TARGET}_${TARGET}_" $TEMPLATE_DIR/static-kustomization-template.yaml > ${OUTPUT_DIR}/kustomization.yaml -echo "${NAMESPACE_VAR} -$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE} - -# Cloud - generic -OUTPUT_FILE="${DIR}/deploy/static/provider/cloud/deploy.yaml" -cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE} -controller: - service: - type: LoadBalancer - externalTrafficPolicy: Local -EOF - -echo "${NAMESPACE_VAR} -$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE} - - -# AWS - NLB -OUTPUT_FILE="${DIR}/deploy/static/provider/aws/deploy.yaml" -cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE} -controller: - service: - type: LoadBalancer - externalTrafficPolicy: Local - annotations: - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp" - service.beta.kubernetes.io/aws-load-balancer-type: nlb - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" -EOF - -echo "${NAMESPACE_VAR} -$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE} - - -OUTPUT_FILE="${DIR}/deploy/static/provider/aws/deploy-tls-termination.yaml" -cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE} -controller: - service: - type: LoadBalancer - externalTrafficPolicy: Local - - annotations: - # This example is for legacy in-tree service load balancer controller for AWS NLB, - # that has been phased out from Kubernetes mainline. 
- service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX" - service.beta.kubernetes.io/aws-load-balancer-type: nlb - # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default, - # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be - # increased to '3600' to avoid any potential issues. - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" - - targetPorts: - http: tohttps - https: http - - # Configures the ports the nginx-controller listens on - containerPort: - http: 80 - https: 80 - tohttps: 2443 - - config: - proxy-real-ip-cidr: XXX.XXX.XXX/XX - use-forwarded-headers: "true" - http-snippet: | - server { - listen 2443; - return 308 https://\$host\$request_uri; - } -EOF - -echo "${NAMESPACE_VAR} -$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE} - -# Kind - https://kind.sigs.k8s.io/docs/user/ingress/ -OUTPUT_FILE="${DIR}/deploy/static/provider/kind/deploy.yaml" -cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE} -controller: - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - hostPort: - enabled: true - terminationGracePeriodSeconds: 0 - service: - type: NodePort - watchIngressWithoutClass: true - - nodeSelector: - ingress-ready: "true" - tolerations: - - key: "node-role.kubernetes.io/master" - operator: "Equal" - effect: "NoSchedule" - - publishService: - enabled: false - extraArgs: - publish-status-address: localhost -EOF - -# Digital Ocean -echo "${NAMESPACE_VAR} -$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE} - -OUTPUT_FILE="${DIR}/deploy/static/provider/do/deploy.yaml" -cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx 
--namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE} -controller: - service: - type: LoadBalancer - externalTrafficPolicy: Local - annotations: - service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true" - config: - use-proxy-protocol: "true" - admissionWebhooks: - timeoutSeconds: 29 - -EOF - -# Scaleway -echo "${NAMESPACE_VAR} -$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE} - -OUTPUT_FILE="${DIR}/deploy/static/provider/scw/deploy.yaml" -cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE} -controller: - service: - type: LoadBalancer - externalTrafficPolicy: Local - annotations: - service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true" - config: - use-proxy-protocol: "true" - -EOF - -# Exoscale -echo "${NAMESPACE_VAR} -$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE} - -OUTPUT_FILE="${DIR}/deploy/static/provider/exoscale/deploy.yaml" -cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE} -controller: - kind: DaemonSet - service: - type: LoadBalancer - externalTrafficPolicy: Local - annotations: - service.beta.kubernetes.io/exoscale-loadbalancer-name: "nginx-ingress-controller" - service.beta.kubernetes.io/exoscale-loadbalancer-description: "NGINX Ingress Controller load balancer" - service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: "source-hash" - service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: "http" - service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: "/" - service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: "10s" - service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: "3s" - service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1" - publishService: - enabled: true 
-EOF - -echo "${NAMESPACE_VAR} -$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE} + # DEFAULT VERSION HANDLING + if [[ ${K8S_VERSION} = ${K8S_DEFAULT_VERSION} ]] + then + cp ${OUTPUT_DIR}/*.yaml ${OUTPUT_DIR}/../ + sed -i "1s/^/#GENERATED FOR K8S ${K8S_VERSION}\n/" ${OUTPUT_DIR}/../deploy.yaml + rm -rf ${OUTPUT_DIR} # TODO @afirth remove for #8000 - this avoids the duplicate files for easier review of the build script changes + fi + done +done diff --git a/hack/manifest-templates/common/kustomization.yaml b/hack/manifest-templates/common/kustomization.yaml new file mode 100644 index 000000000..a4b5f64cf --- /dev/null +++ b/hack/manifest-templates/common/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- manifest.yaml +- namespace.yaml + +patches: +- target: + group: apps + version: v1 + kind: Deployment + patch: |- + - op: remove + path: /spec/replicas diff --git a/hack/manifest-templates/common/namespace.yaml b/hack/manifest-templates/common/namespace.yaml new file mode 100644 index 000000000..db890604b --- /dev/null +++ b/hack/manifest-templates/common/namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx diff --git a/hack/manifest-templates/provider/aws/kustomization.yaml b/hack/manifest-templates/provider/aws/kustomization.yaml new file mode 100644 index 000000000..cd6ef95be --- /dev/null +++ b/hack/manifest-templates/provider/aws/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../common diff --git a/hack/manifest-templates/provider/aws/nlb-with-tls-termination/kustomization.yaml b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/kustomization.yaml new file mode 100644 index 000000000..ecec1095c --- /dev/null 
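Review bot: The clean step `rm -rf ${DIR}/deploy/static/provider/*` expands `DIR` unquoted, so a checkout path containing whitespace or glob characters is word-split and the recursive delete runs against paths other than the intended directory. The same applies to `rm -rf ${OUTPUT_DIR}`, `mkdir -p ${OUTPUT_DIR}` and `cd ${TARGET_DIR}` further down in the loop. I would write the first as `rm -rf "${DIR:?}"/deploy/static/provider/*` and quote the other expansions. Separately, `kustomize --load-restrictor=LoadRestrictionsNone build .` turns off kustomize's check that files are loaded from inside the kustomization root, and nothing in the hunk says why. A comment such as `# LoadRestrictionsNone: <reason the build reads outside its root>` would let a reader judge whether the flag can be dropped.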
+++ b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../../common diff --git a/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml new file mode 100644 index 000000000..5b36b3dd2 --- /dev/null +++ b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml @@ -0,0 +1,36 @@ +# AWS NLB with TLS termination +controller: + service: + type: LoadBalancer + externalTrafficPolicy: Local + + annotations: + # This example is for legacy in-tree service load balancer controller for AWS NLB, + # that has been phased out from Kubernetes mainline. + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX" + service.beta.kubernetes.io/aws-load-balancer-type: nlb + # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default, + # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be + # increased to '3600' to avoid any potential issues. + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" + + targetPorts: + http: tohttps + https: http + + # Configures the ports the nginx-controller listens on + containerPort: + http: 80 + https: 80 + tohttps: 2443 + + config: + proxy-real-ip-cidr: XXX.XXX.XXX/XX + use-forwarded-headers: "true" + http-snippet: | + server { + listen 2443; + return 308 https://$host$request_uri; + } diff --git a/hack/manifest-templates/provider/aws/values.yaml b/hack/manifest-templates/provider/aws/values.yaml new file mode 100644 index 000000000..743721fc4 --- /dev/null +++ b/hack/manifest-templates/provider/aws/values.yaml 
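Review bot: The `config` block at the end of `nlb-with-tls-termination/values.yaml` sets `use-forwarded-headers: "true"` next to the placeholder `proxy-real-ip-cidr: XXX.XXX.XXX/XX`, and neither line carries a comment, unlike the idle-timeout annotation above it. The generated deploy.yaml is published with that placeholder and the `XXXXXXXX` certificate ARN, so the file should say they must be replaced before applying, e.g. `# Replace with the VPC CIDR of the cluster before applying` above `proxy-real-ip-cidr`. A second comment on `use-forwarded-headers` would help readers who copy this block: it should note that the controller then passes incoming `X-Forwarded-*` headers on to backends, so the setting belongs only behind a load balancer that controls those headers.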
@@ -0,0 +1,9 @@
+# AWS - NLB
+controller:
+ service:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
+ service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
diff --git a/hack/manifest-templates/provider/baremetal/kustomization.yaml b/hack/manifest-templates/provider/baremetal/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/baremetal/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/baremetal/values.yaml b/hack/manifest-templates/provider/baremetal/values.yaml
new file mode 100644
index 000000000..3c5a0840b
--- /dev/null
+++ b/hack/manifest-templates/provider/baremetal/values.yaml
@@ -0,0 +1,7 @@
+# Baremetal
+controller:
+ service:
+ type: NodePort
+
+ publishService:
+ enabled: false
diff --git a/hack/manifest-templates/provider/cloud/kustomization.yaml b/hack/manifest-templates/provider/cloud/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/cloud/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/cloud/values.yaml b/hack/manifest-templates/provider/cloud/values.yaml
new file mode 100644
index 000000000..7d8266c0f
--- /dev/null
+++ b/hack/manifest-templates/provider/cloud/values.yaml
@@ -0,0 +1,4 @@
+controller:
+ service:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
diff --git a/hack/manifest-templates/provider/do/kustomization.yaml b/hack/manifest-templates/provider/do/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/do/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/do/values.yaml b/hack/manifest-templates/provider/do/values.yaml
new file mode 100644
index 000000000..2b0578414
--- /dev/null
+++ b/hack/manifest-templates/provider/do/values.yaml
@@ -0,0 +1,11 @@
+# Digital Ocean
+controller:
+ service:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ annotations:
+ service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+ config:
+ use-proxy-protocol: "true"
+ admissionWebhooks:
+ timeoutSeconds: 29
diff --git a/hack/manifest-templates/provider/exoscale/kustomization.yaml b/hack/manifest-templates/provider/exoscale/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/exoscale/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/exoscale/values.yaml b/hack/manifest-templates/provider/exoscale/values.yaml
new file mode 100644
index 000000000..76863f013
--- /dev/null
+++ b/hack/manifest-templates/provider/exoscale/values.yaml
@@ -0,0 +1,17 @@
+# Exoscale
+controller:
+ kind: DaemonSet
+ service:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ annotations:
+ service.beta.kubernetes.io/exoscale-loadbalancer-name: "nginx-ingress-controller"
+ service.beta.kubernetes.io/exoscale-loadbalancer-description: "NGINX Ingress Controller load balancer"
+ service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: "source-hash"
+ service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: "http"
+ service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: "/"
+ service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: "10s"
+ service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: "3s"
+ service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
+ publishService:
+ enabled: true
diff --git a/hack/manifest-templates/provider/kind/kustomization.yaml b/hack/manifest-templates/provider/kind/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/kind/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/kind/values.yaml b/hack/manifest-templates/provider/kind/values.yaml
new file mode 100644
index 000000000..f327c351e
--- /dev/null
+++ b/hack/manifest-templates/provider/kind/values.yaml
@@ -0,0 +1,24 @@
+# Kind - https://kind.sigs.k8s.io/docs/user/ingress/
+controller:
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ hostPort:
+ enabled: true
+ terminationGracePeriodSeconds: 0
+ service:
+ type: NodePort
+ watchIngressWithoutClass: true
+
+ nodeSelector:
+ ingress-ready: "true"
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Equal"
+ effect: "NoSchedule"
+
+ publishService:
+ enabled: false
+ extraArgs:
+ publish-status-address: localhost
diff --git a/hack/manifest-templates/provider/scw/kustomization.yaml b/hack/manifest-templates/provider/scw/kustomization.yaml new file mode 100644 index 000000000..cd6ef95be --- /dev/null +++ b/hack/manifest-templates/provider/scw/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../common diff --git a/hack/manifest-templates/provider/scw/values.yaml b/hack/manifest-templates/provider/scw/values.yaml new file mode 100644 index 000000000..cee5e2b1e --- /dev/null +++ b/hack/manifest-templates/provider/scw/values.yaml @@ -0,0 +1,9 @@ +# Scaleway +controller: + service: + type: LoadBalancer + externalTrafficPolicy: Local + annotations: + service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true" + config: + use-proxy-protocol: "true" diff --git a/hack/manifest-templates/static-kustomization-template.yaml b/hack/manifest-templates/static-kustomization-template.yaml new file mode 100644 index 000000000..fd273c7c4 --- /dev/null +++ b/hack/manifest-templates/static-kustomization-template.yaml @@ -0,0 +1,11 @@ +# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases. +# https://kubectl.docs.kubernetes.io/references/kustomize/bases/ +# +# ``` +# namespace: ingress-nginx +# bases: +# - github.com/kubernetes/ingress-nginx/deploy/static/{TARGET}?ref=master +# ``` + +resources: + - deploy.yaml From feba7e1ffc7f2047f1cae5cb5f093f5b34c58abd Mon Sep 17 00:00:00 2001 From: Rafael Maciel <22459495+rbgnk@users.noreply.github.com> Date: Wed, 19 Jan 2022 23:31:51 -0300 Subject: [PATCH 0020/1606] docs: correct typo (#8169) * change docker-destkop to docker-desktop --- docs/deploy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy/index.md b/docs/deploy/index.md index c3443e731..9f613308b 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md 
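Review bot: The usage example in the header comment of `static-kustomization-template.yaml` pins the remote base to `?ref=master`, a branch that moves, so anyone who copies it pulls whatever manifest is at the branch head when they build. The build script stamps this template into every generated `kustomization.yaml`, so the example is repeated for each provider. The install docs in this same patch reference a release tag (`controller-v1.1.1`), and the example would be safer in the same form: `#   - github.com/kubernetes/ingress-nginx/deploy/static/{TARGET}?ref=<release-tag>`.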
@@ -159,7 +159,7 @@ Kubernetes is available in Docker Desktop: - Mac, from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018) - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25) -First, make sure that Kubernetes is enabled in the Docker settings. The command `kubectl get nodes` should show a single node called `docker-destkop`. +First, make sure that Kubernetes is enabled in the Docker settings. The command `kubectl get nodes` should show a single node called `docker-desktop`. The ingress controller can be installed on Docker Desktop using the default [quick start](#quick-start) instructions. From 39e721de731e95bf87359378d11af503c31928b7 Mon Sep 17 00:00:00 2001 From: Frederik-Baetens Date: Thu, 20 Jan 2022 10:17:52 +0100 Subject: [PATCH 0021/1606] Docs: add documentation about default ingress helm value, corrections to only ingress section (#7943) * add explanation about ingressClassResource.default for helm users Also cleaned up the entire "I have only one instance of the Ingress-NGINX controller in my cluster" section * docs: default ingressclass only when running one controller * fix link to what is the flag watch ingress * clarify usage of default ingress class annotation --- docs/index.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/index.md b/docs/index.md index bda45d317..2b35e7e01 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -111,12 +111,17 @@ DESCRIPTION: The `.spec.ingressClassName` behavior has precedence over the deprecated `kubernetes.io/ingress.class` annotation. +## I have only one ingress controller in my cluster. What should I do? -## I have only one instance of the Ingress-NGINX controller in my cluster. What should I do ? +If a single instance of the Ingress-NGINX controller is the sole Ingress controller running in your cluster, you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your IngressClass, so any new Ingress objects will have this one as default IngressClass. -- If you have only one instance of the Ingress-NGINX controller running in your cluster, and you still want to use IngressClass, you should add the annotation `ingressclass.kubernetes.io/is-default-class` in your IngressClass, so that any new Ingress objects will have this one as default IngressClass. +When using Helm, you can enable this annotation by setting `.controller.ingressClassResource.default: true` in your Helm chart installation's values file. -In this case, you need to make your controller aware of the objects. If you have any Ingress objects that don't yet have either the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field set in their manifest, or the ingress annotation (`kubernetes.io/ingress.class`), then you should start your Ingress-NGINX controller with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class). +If you have any old Ingress objects remaining without an IngressClass set, you can do one or more of the following to make the Ingress-NGINX controller aware of the old objects: + +- You can manually set the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field in the manifest of your own Ingress resources. 
+- You can re-create them after setting the `ingressclass.kubernetes.io/is-default-class` annotation to `true` on the IngressClass +- Alternatively you can make the Ingress-NGINX controller watch Ingress objects without the ingressClassName field set by starting your Ingress-NGINX with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class) . When using Helm, you can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true` You can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. From 922e27fea7a2409f2a23a741b939ddfe01130324 Mon Sep 17 00:00:00 2001 From: Long Wu Yuan Date: Fri, 21 Jan 2022 05:02:30 +0530 Subject: [PATCH 0022/1606] reintroduce helm-docs step in ci (#8164) --- .github/workflows/ci.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 62843b1d7..63bc7da08 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -137,6 +137,17 @@ jobs: run: | ./build/run-in-docker.sh ./hack/verify-chart-lint.sh + - name: Run helm-docs + run: | + GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0 + ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts + DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md) + if [ ! -z "$DIFF" ]; then + echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/RELEASE.md#d-edit-the-valuesyaml-and-run-helm-docs" + fi + git diff --exit-code + rm -f ./helm-docs + - name: fix permissions run: | sudo mkdir -p $HOME/.kube From 53ac0ddd4214d9a3662751ba3741af3375af5478 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Thu, 27 Jan 2022 10:52:50 +0800 Subject: [PATCH 0023/1606] Using Go install for misspell (#8191) * chore: using go install misspell 
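Review bot: In the new `Run helm-docs` step the hint is echoed only when `charts/ingress-nginx/README.md` differs, but the step actually fails on `git diff --exit-code` over the whole working tree. A change to any other tracked file therefore fails the job without the message. Driving both from one check keeps them in step, e.g. `git diff --exit-code -- "${GITHUB_WORKSPACE}/charts" || { echo "<hint>"; exit 1; }`. `[ ! -z "$DIFF" ]` is more usually written `[ -n "$DIFF" ]`, and `${GITHUB_WORKSPACE}` is expanded unquoted in two places. The surrounding job definition lies outside the hunk.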
Signed-off-by: Jintao Zhang * chore: fix typo Signed-off-by: Jintao Zhang --- Makefile | 2 +- docs/index.md | 2 +- docs/user-guide/nginx-configuration/annotations.md | 4 ++-- test/e2e/settings/namespace_selector.go | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index ad2c8340d..b1c90e0f1 100644 --- a/Makefile +++ b/Makefile @@ -167,7 +167,7 @@ live-docs: ## Build and launch a local copy of the documentation website in http .PHONY: misspell misspell: ## Check for spelling errors. - @go get github.com/client9/misspell/cmd/misspell + @go install github.com/client9/misspell/cmd/misspell@latest misspell \ -locale US \ -error \ diff --git a/docs/index.md b/docs/index.md index 2b35e7e01..63afaa66d 100644 --- a/docs/index.md +++ b/docs/index.md @@ -63,7 +63,7 @@ FIELDS: ``` -## What has caused this change in behaviour ? +## What has caused this change in behavior? There are 2 reasons primarily. diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 2dacc5293..57542f25f 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md 
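Review bot: The `misspell` recipe now runs `go install github.com/client9/misspell/cmd/misspell@latest`, so every `make misspell` builds and executes whatever version is newest at that moment. The helm-docs step added to ci.yaml earlier in this series pins `@v1.6.0`. Pinning here as well, `@go install github.com/client9/misspell/cmd/misspell@<pinned-version>`, makes the lint result reproducible and keeps an unreviewed upstream release from running in developer and CI environments. The rest of the recipe (the `misspell` arguments) continues outside the hunk.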
@@ -251,7 +251,7 @@ Client Certificate Authentication is applied per host and it is not possible to To enable, add the annotation `nginx.ingress.kubernetes.io/auth-tls-secret: namespace/secretName`. This secret must have a file named `ca.crt` containing the full Certificate Authority chain `ca.crt` that is enabled to authenticate against this Ingress. -You can further customize client certificate authentication and behaviour with these annotations: +You can further customize client certificate authentication and behavior with these annotations: * `nginx.ingress.kubernetes.io/auth-tls-verify-depth`: The validation depth between the provided client certificate and the Certification Authority chain. (default: 1) * `nginx.ingress.kubernetes.io/auth-tls-verify-client`: Enables verification of client certificates. Possible values are: @@ -944,4 +944,4 @@ metadata: listen 8000; proxy_pass 127.0.0.1:80; } -``` \ No newline at end of file +``` diff --git a/test/e2e/settings/namespace_selector.go b/test/e2e/settings/namespace_selector.go index 4fa28826a..ea162d594 100644 --- a/test/e2e/settings/namespace_selector.go +++ b/test/e2e/settings/namespace_selector.go @@ -98,7 +98,7 @@ var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func() _, err = f.KubeClientSet.CoreV1().Namespaces().Update(context.TODO(), ns, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "labeling not matched namespace") - // update ingress to trigger reconcilation + // update ingress to trigger reconciliation ing, err := f.KubeClientSet.NetworkingV1().Ingresses(notMatchedNs).Get(context.TODO(), notMatchedHost, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "retrieve test ingress") if ing.Labels == nil { From 6eecefd3dab9e1784be609e3e83af0418a216539 Mon Sep 17 00:00:00 2001 
From: Sandip Bhattacharya Date: Thu, 27 Jan 2022 04:06:50 +0100 Subject: [PATCH 0024/1606] docs: fix inconsistent controller annotation (#8196) The annotation for the controller class was inconsistent in the example. From my best understanding, I have tried to fix the inconsistency. Also, removed an incomplete sentence. And made one sentence more clear by breaking it up. --- docs/user-guide/multiple-ingress.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md index 83eeb3f48..246e38b52 100644 --- a/docs/user-guide/multiple-ingress.md +++ b/docs/user-guide/multiple-ingress.md @@ -2,12 +2,11 @@ By default, deploying multiple Ingress controllers (e.g., `ingress-nginx` & `gce`) will result in all controllers simultaneously racing to update Ingress status fields in confusing ways. -To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class), the `kubernetes.io/ingress.class` annotation is deprecated from kubernetes v1.22+. +To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). The `kubernetes.io/ingress.class` annotation is deprecated from kubernetes v1.22+. ## Using IngressClasses If all ingress controllers respect IngressClasses (e.g. multiple instances of ingress-nginx v1.0), you can deploy two Ingress controllers by granting them control over two different IngressClasses, then selecting one of the two IngressClasses with `ingressClassName`. -When two or more First, ensure the `--controller-class=` and `--ingress-class` are set to something different on each ingress controller: @@ -20,7 +19,7 @@ spec: - name: ingress-nginx-internal-controller args: - /nginx-ingress-controller - - '--controller-class=k8s.io/internal-nginx' + - '--controller-class=k8s.io/internal-ingress-nginx' - '--ingress-class=k8s.io/internal-nginx' ... ``` 
From 0c2070ef4a70f09c0abe4d668dcdfd951522c9db Mon Sep 17 00:00:00 2001 From: Billy Walker <39878488+bwlkr@users.noreply.github.com> Date: Thu, 27 Jan 2022 03:12:50 +0000 Subject: [PATCH 0025/1606] Adding annotations to the controller service account (#8173) * fix: adding annotations to the controller service account * fix: adding annotations to the controller service account --- charts/ingress-nginx/README.md | 1 + charts/ingress-nginx/templates/controller-serviceaccount.yaml | 4 ++++ charts/ingress-nginx/values.yaml | 1 + 3 files changed, 6 insertions(+) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 32dfd36e2..15536a79e 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -473,6 +473,7 @@ Kubernetes: `>=1.19.0-0` | rbac.create | bool | `true` | | | rbac.scope | bool | `false` | | | revisionHistoryLimit | int | `10` | Rollback limit | +| serviceAccount.annotations | object | `{}` | Annotations for the controller service account | | serviceAccount.automountServiceAccountToken | bool | `true` | | | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml index a4d7db5d2..824b2a124 100644 --- a/charts/ingress-nginx/templates/controller-serviceaccount.yaml +++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml @@ -10,5 +10,9 @@ metadata: {{- end }} name: {{ template "ingress-nginx.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAccount.annotations }} + annotations: + {{ toYaml .Values.serviceAccount.annotations | indent 4 }} + {{- end }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index bddd1eb5c..67144b097 100644 --- a/charts/ingress-nginx/values.yaml 
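Review bot: In `controller-serviceaccount.yaml` the added `{{ toYaml .Values.serviceAccount.annotations | indent 4 }}` sits on a template line of its own, and `indent 4` is applied on top of whatever whitespace precedes the action. The original indentation cannot be recovered in this view, but if that line is itself indented, the first annotation renders deeper than the ones after it and a map with two or more entries yields invalid YAML. The usual form avoids this: `{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}`. The `if` that encloses the whole ServiceAccount starts above the hunk.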
+++ b/charts/ingress-nginx/values.yaml @@ -888,6 +888,7 @@ serviceAccount: create: true name: "" automountServiceAccountToken: true + annotations: {} # -- Optional array of imagePullSecrets containing private registry credentials ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ From 32aa3404f7a99c01d12329bbbe81550200b0ee27 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Jan 2022 19:36:52 -0800 Subject: [PATCH 0026/1606] Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0 (#8179) Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.3 to 1.1.0. - [Release notes](https://github.com/opencontainers/runc/releases) - [Changelog](https://github.com/opencontainers/runc/blob/master/CHANGELOG.md) - [Commits](https://github.com/opencontainers/runc/compare/v1.0.3...v1.1.0) --- updated-dependencies: - dependency-name: github.com/opencontainers/runc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 31 ++++++++++++++++--------------- 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/go.mod b/go.mod index d3497ed21..496cb25c9 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52 github.com/ncabatoff/process-exporter v0.7.10 github.com/onsi/ginkgo v1.16.4 - github.com/opencontainers/runc v1.0.3 + github.com/opencontainers/runc v1.1.0 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.11.0 github.com/prometheus/client_model v0.2.0 
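Review bot: `annotations: {}` is added under `serviceAccount` in values.yaml without a `# --` description comment, while the README row added in the same commit reads "Annotations for the controller service account". The chart README appears to be generated by helm-docs from those comments, and the CI step added in this series regenerates it and fails on a diff, so the description presumably has to live in values.yaml to survive regeneration. I would add `# -- Annotations for the controller service account` on the line above `annotations: {}`. The `serviceAccount` block starts above the hunk.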
@@ -60,7 +60,7 @@ require ( github.com/blang/semver v3.5.1+incompatible // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/coreos/go-systemd/v22 v22.3.2 // indirect - github.com/cyphar/filepath-securejoin v0.2.2 // indirect + github.com/cyphar/filepath-securejoin v0.2.3 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/eapache/queue v1.1.0 // indirect github.com/emicklei/go-restful v2.9.5+incompatible // indirect @@ -73,7 +73,7 @@ require ( github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonreference v0.19.5 // indirect github.com/go-openapi/swag v0.19.14 // indirect - github.com/godbus/dbus/v5 v5.0.4 // indirect + github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.2 // indirect @@ -95,7 +95,7 @@ require ( github.com/mailru/easyjson v0.7.6 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect github.com/mmarkdown/mmark v2.0.40+incompatible // indirect - github.com/moby/sys/mountinfo v0.4.1 // indirect + github.com/moby/sys/mountinfo v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect diff --git a/go.sum b/go.sum index 156bbe48b..64e23953d 100644 --- a/go.sum +++ b/go.sum 
@@ -101,7 +101,6 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= 
@@ -114,11 +113,11 @@ github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghf github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= +github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= +github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 
@@ -135,7 +134,7 @@ github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWH github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= -github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= +github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= @@ -152,8 +151,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsr github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg= -github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= +github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= +github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -234,8 +233,9 @@ github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5F github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= -github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= +github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= 
@@ -479,8 +479,8 @@ github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/mmarkdown/mmark v2.0.40+incompatible h1:vMeUeDzBK3H+/mU0oMVfMuhSXJlIA+DE/DMPQNAj5C4= github.com/mmarkdown/mmark v2.0.40+incompatible/go.mod h1:Uvmoz7tvsWpr7bMVxIpqZPyN3FbOtzDmnsJDFp7ltJs= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= -github.com/moby/sys/mountinfo v0.4.1 h1:1O+1cHA1aujwEwwVMa2Xm2l+gIpUHyd3+D+d7LZh1kM= -github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= +github.com/moby/sys/mountinfo v0.5.0 h1:2Ks8/r6lopsxWi9m58nlwjaeSzUX9iiL1vj5qB/9ObI= +github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= 
@@ -522,11 +522,11 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU= github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0= -github.com/opencontainers/runc v1.0.3 h1:1hbqejyQWCJBvtKAfdO0b1FmaEf2z/bxnjqbARass5k= -github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= +github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8= +github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= +github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= 
@@ -589,7 +589,7 @@ github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43 github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873 h1:N3Af8f13ooDKcIhsmFT7Z05CStZWu4C7Md0uDEy4q6o= github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873/go.mod h1:dmPawKuiAeG/aFYVs2i+Dyosoo7FNcm+Pi8iK6ZUrX8= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= +github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= @@ -909,7 +909,6 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -926,7 +925,6 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -938,9 +936,12 @@ golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211205182925-97ca703d548d h1:FjkYO/PPp4Wi0EAUOVLxePm7qVW4r4ctbWpURyuOD0E= golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= From 8cf73d9720106921447537098980319441859e21 Mon Sep 17 00:00:00 2001 From: Tiago Ferreira Date: Thu, 27 Jan 2022 16:34:59 +0000 Subject: [PATCH 0027/1606] Fix Indentation of example and link to cert-manager tutorial (#8203) --- docs/user-guide/tls.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user-guide/tls.md b/docs/user-guide/tls.md index 158d23fde..8a18069d4 100644 --- a/docs/user-guide/tls.md +++ b/docs/user-guide/tls.md @@ -115,7 +115,7 @@ spec: tls: - hosts: - ingress-demo.example.com - secretName: ingress-demo-tls + secretName: ingress-demo-tls [...] ``` 
@@ -156,5 +156,5 @@ data: [SNI]: https://en.wikipedia.org/wiki/Server_Name_Indication [mozilla-ssl-config-old]: https://ssl-config.mozilla.org/#server=nginx&config=old [cert-manager]: https://github.com/jetstack/cert-manager/ -[full-cert-manager-example]:https://cert-manager.io/docs/tutorials/acme/ingress/ +[full-cert-manager-example]:https://cert-manager.io/docs/tutorials/acme/nginx-ingress/ [cert-manager-issuer-config]:https://cert-manager.io/docs/configuration/ From 40c69a1ef706a76c6b47d317003965ba9186cde3 Mon Sep 17 00:00:00 2001 From: Jintao Zhang Date: Fri, 28 Jan 2022 22:16:31 +0800 Subject: [PATCH 0028/1606] chore: add Artifact Hub lint (#8204) Signed-off-by: Jintao Zhang --- .github/workflows/ci.yaml | 7 ++++ charts/ingress-nginx/Chart.yaml | 70 ++++++++++++++++---------------- charts/ingress-nginx/README.md | 10 +++-- charts/ingress-nginx/values.yaml | 1 + 4 files changed, 49 insertions(+), 39 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 63bc7da08..25b8d5e14 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -148,6 +148,13 @@ jobs: git diff --exit-code rm -f ./helm-docs + - name: Run Artifact Hub lint + run: | + wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz + tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah + ./ah lint -p charts/ingress-nginx || exit 1 + rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz + - name: fix permissions run: | sudo mkdir -p $HOME/.kube diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 4d48ca0c3..e57e3ebb6 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml 
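Review bot: The new `Run Artifact Hub lint` step in `.github/workflows/ci.yaml` downloads `ah_1.5.0_linux_amd64.tar.gz` with `wget` and runs the extracted `./ah` binary without any integrity check, so the job executes whatever the release URL serves at run time. Pin the archive digest and verify it before `tar`, e.g. `echo "<SHA256_OF_ah_1.5.0_linux_amd64.tar.gz>  ah_1.5.0_linux_amd64.tar.gz" | sha256sum -c -`. The trailing `|| exit 1` adds nothing if the step runs under the default `bash -e` shell (the step's shell setting is outside this hunk). Because `rm -f` comes after the lint command, the cleanup is skipped whenever lint fails.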
@@ -24,38 +24,38 @@ annotations: # List of changes for the release in artifacthub.io # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog artifacthub.io/changes: | - - #8120 Update go in runner and release v1.1.1 - - #8119 Update to go v1.17.6 - - #8118 Remove deprecated libraries, update other libs - - #8117 Fix codegen errors - - #8115 chart/ghaction: set the correct permission to have access to push a release - - #8098 generating SHA for CA only certs in backend_ssl.go + comparision of P… - - #8088 Fix Edit this page link to use main branch - - #8072 Expose GeoIP2 Continent code as variable - - #8061 docs(charts): using helm-docs for chart - - #8058 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0 - - #8054 Bump google.golang.org/grpc from 1.41.0 to 1.43.0 - - #8051 align bug report with feature request regarding kind documentation - - #8046 Report expired certificates (#8045) - - #8044 remove G109 check till gosec resolves issues - - #8042 docs_multiple_instances_one_cluster_ticket_7543 - - #8041 docs: fix typo'd executible name - - #8035 Comment busy owners - - #8029 Add stream-snippet as a ConfigMap and Annotation option - - #8023 fix nginx compilation flags - - #8021 Disable default modsecurity_rules_file if modsecurity-snippet is specified - - #8019 Revise main documentation page - - #8018 Preserve order of plugin invocation - - #8015 Add newline indenting to admission webhook annotations - - #8014 Add link to example error page manifest in docs - - #8009 Fix spelling in documentation and top-level files - - #8008 Add relabelings in controller-servicemonitor.yaml - - #8003 Minor improvements (formatting, consistency) in install guide - - #8001 fix: go-grpc Dockerfile - - #7999 images: use k8s-staging-test-infra/gcb-docker-gcloud - - #7996 doc: improvement - - #7983 Fix a couple of misspellings in the annotations documentation. 
- - #7979 allow set annotations for admission Jobs - - #7977 Add ssl_reject_handshake to defaul server - - #7975 add legacy version update v0.50.0 to main changelog - - #7972 updated service upstream definition + - "#8120 Update go in runner and release v1.1.1" + - "#8119 Update to go v1.17.6" + - "#8118 Remove deprecated libraries, update other libs" + - "#8117 Fix codegen errors" + - "#8115 chart/ghaction: set the correct permission to have access to push a release" + - "#8098 generating SHA for CA only certs in backend_ssl.go + comparision of P…" + - "#8088 Fix Edit this page link to use main branch" + - "#8072 Expose GeoIP2 Continent code as variable" + - "#8061 docs(charts): using helm-docs for chart" + - "#8058 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0" + - "#8054 Bump google.golang.org/grpc from 1.41.0 to 1.43.0" + - "#8051 align bug report with feature request regarding kind documentation" + - "#8046 Report expired certificates (#8045)" + - "#8044 remove G109 check till gosec resolves issues" + - "#8042 docs_multiple_instances_one_cluster_ticket_7543" + - "#8041 docs: fix typo'd executible name" + - "#8035 Comment busy owners" + - "#8029 Add stream-snippet as a ConfigMap and Annotation option" + - "#8023 fix nginx compilation flags" + - "#8021 Disable default modsecurity_rules_file if modsecurity-snippet is specified" + - "#8019 Revise main documentation page" + - "#8018 Preserve order of plugin invocation" + - "#8015 Add newline indenting to admission webhook annotations" + - "#8014 Add link to example error page manifest in docs" + - "#8009 Fix spelling in documentation and top-level files" + - "#8008 Add relabelings in controller-servicemonitor.yaml" + - "#8003 Minor improvements (formatting, consistency) in install guide" + - "#8001 fix: go-grpc Dockerfile" + - "#7999 images: use k8s-staging-test-infra/gcb-docker-gcloud" + - "#7996 doc: improvement" + - "#7983 Fix a couple of misspellings in the annotations documentation." 
+ - "#7979 allow set annotations for admission Jobs" + - "#7977 Add ssl_reject_handshake to defaul server" + - "#7975 add legacy version update v0.50.0 to main changelog" + - "#7972 updated service upstream definition" diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 15536a79e..17b534154 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.0.15](https://img.shields.io/badge/Version-4.0.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.1](https://img.shields.io/badge/AppVersion-1.1.1-informational?style=flat-square) +![Version: 4.0.16](https://img.shields.io/badge/Version-4.0.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.1](https://img.shields.io/badge/AppVersion-1.1.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -237,6 +237,7 @@ Kubernetes: `>=1.19.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| +| commonLabels | object | `{}` | | | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers | | controller.admissionWebhooks.annotations | object | `{}` | | | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | 
@@ -278,10 +279,10 @@ Kubernetes: `>=1.19.0-0` | controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | controller.autoscalingTemplate | list | `[]` | | | controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ | -| controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap | +| controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. | | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) | | controller.containerName | string | `"controller"` | Configures the controller container name | -| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports the nginx-controller listens on | +| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on | | controller.customTemplate.configMapKey | string | `""` | | | controller.customTemplate.configMapName | string | `""` | | | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | 
@@ -293,6 +294,7 @@ Kubernetes: `>=1.19.0-0` | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | +| controller.extraModules | list | `[]` | | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. | @@ -309,7 +311,7 @@ Kubernetes: `>=1.19.0-0` | controller.image.registry | string | `"k8s.gcr.io"` | | | controller.image.runAsUser | int | `101` | | | controller.image.tag | string | `"v1.1.1"` | | -| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller) | +| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | | controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster | | controller.ingressClassResource.enabled | bool | `true` | Is this ingressClass enabled or not | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 67144b097..079094b2b 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml 
@@ -888,6 +888,7 @@ serviceAccount: create: true name: "" automountServiceAccountToken: true + # -- Annotations for the controller service account annotations: {} # -- Optional array of imagePullSecrets containing private registry credentials From fbdfc6505b8fd9eea937ae10af641cbc1dfdc5cd Mon Sep 17 00:00:00 2001 From: naseemkullah <24660299+naseemkullah@users.noreply.github.com> Date: Sun, 30 Jan 2022 06:52:23 -0500 Subject: [PATCH 0029/1606] feat(metrics): add path and method labels to requests counter (#8201) --- internal/ingress/metric/collectors/socket.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go index a220d1456..44ca4b48b 100644 --- a/internal/ingress/metric/collectors/socket.go +++ b/internal/ingress/metric/collectors/socket.go @@ -190,7 +190,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool, bucke Namespace: PrometheusNamespace, ConstLabels: constLabels, }, - []string{"ingress", "namespace", "status", "service", "canary"}, + requestTags, ), bytesSent: prometheus.NewHistogramVec( From a2a0e67fee9964796f56e3428cf6d1dc99ced261 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Jan 2022 03:22:24 -0800 Subject: [PATCH 0030/1606] Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1 (#8210) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.11.0 to 1.12.1. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.11.0...v1.12.1) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor ... 
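Review bot: Replacing the fixed label list with `requestTags` in `internal/ingress/metric/collectors/socket.go` means the metric built just above `bytesSent` now takes its label set from a variable defined outside this hunk; going by the commit subject it adds `path` and `method`. If either value is taken from the client request rather than from the matched Ingress rule, every distinct value creates a new time series, which lets unauthenticated traffic grow the controller's memory and the Prometheus index without bound. It is worth confirming where those two labels are populated and recording the constraint at the call, e.g. `// requestTags must only hold bounded values (ingress rule path, normalised method)`. `NewSocketCollector` starts and ends outside the hunk.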
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 10 ++++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 496cb25c9..fa5be593d 100644 --- a/go.mod +++ b/go.mod @@ -18,9 +18,9 @@ require ( github.com/onsi/ginkgo v1.16.4 github.com/opencontainers/runc v1.1.0 github.com/pmezard/go-difflib v1.0.0 - github.com/prometheus/client_golang v1.11.0 + github.com/prometheus/client_golang v1.12.1 github.com/prometheus/client_model v0.2.0 - github.com/prometheus/common v0.31.1 + github.com/prometheus/common v0.32.1 github.com/spf13/cobra v1.3.0 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.7.0 @@ -119,7 +119,7 @@ require ( go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect golang.org/x/mod v0.5.0 // indirect golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect - golang.org/x/sys v0.0.0-20211205182925-97ca703d548d // indirect + golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect golang.org/x/text v0.3.7 // indirect golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect diff --git a/go.sum b/go.sum index 64e23953d..f7fe66f18 100644 --- a/go.sum +++ b/go.sum 
@@ -550,8 +550,9 @@ github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDf github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= -github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= +github.com/prometheus/client_golang v1.12.1 h1:ZiaPsmm9uiBeaSMRznKsCDNtPCS0T3JVDGF+06gjBzk= +github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 
@@ -564,8 +565,8 @@ github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8b github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.31.1 h1:d18hG4PkHnNAKNMOmFuXFaiY8Us0nird/2m60uS1AMs= -github.com/prometheus/common v0.31.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/common v0.32.1 h1:hWIdL3N2HoUx3B8j3YN9mWor0qhY/NlEKZEaXxuIRh4= +github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -943,8 +944,9 @@ golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211205182925-97ca703d548d h1:FjkYO/PPp4Wi0EAUOVLxePm7qVW4r4ctbWpURyuOD0E= golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 h1:XfKQ4OlFl8okEOr5UvAqFRVj8pY/4yfcXrddB8qAbU0= +golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE= From 0f464333a91b523581c6b1e74e49dd8afeb72906 Mon Sep 17 00:00:00 2001 From: stoupance <84509312+stoupance@users.noreply.github.com> Date: Tue, 1 Feb 2022 18:34:10 +0100 Subject: [PATCH 0031/1606] Remove Capabilities.APIVersions for Kustomize to parse file (#7829) --- charts/ingress-nginx/templates/controller-servicemonitor.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 74abe43a3..4dbc6da9f 100644 --- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml 
@@ -1,4 +1,4 @@ -{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}} +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: From dcd552ceb55b14087ad4e2a8c076055fa932e095 Mon Sep 17 00:00:00 2001 From: Damien Mathieu <42@dmathieu.com> Date: Wed, 2 Feb 2022 14:12:22 +0100 Subject: [PATCH 0032/1606] use functional options to reduce number of methods creating an EchoDeployment (#8199) --- test/e2e/annotations/affinity.go | 2 +- test/e2e/annotations/affinitymode.go | 10 ++- test/e2e/annotations/authtls.go | 2 +- test/e2e/annotations/canary.go | 8 +-- test/e2e/annotations/cors.go | 2 +- test/e2e/annotations/customhttperrors.go | 2 +- test/e2e/annotations/proxyssl.go | 2 +- test/e2e/annotations/upstreamhashby.go | 2 +- test/e2e/framework/deployment.go | 67 ++++++++++++------- test/e2e/ingress/multiple_rules.go | 4 +- test/e2e/loadbalance/ewma.go | 2 +- test/e2e/loadbalance/round_robin.go | 2 +- test/e2e/lua/dynamic_configuration.go | 7 +- test/e2e/settings/default_ssl_certificate.go | 2 +- test/e2e/settings/disable_catch_all.go | 2 +- .../settings/disable_service_external_name.go | 2 +- test/e2e/settings/ingress_class.go | 2 +- test/e2e/settings/namespace_selector.go | 2 +- test/e2e/status/update.go | 2 +- test/e2e/tcpudp/tcp.go | 2 +- 20 files changed, 75 insertions(+), 51 deletions(-) diff --git a/test/e2e/annotations/affinity.go b/test/e2e/annotations/affinity.go index 479860043..4ca567e4c 100644 --- a/test/e2e/annotations/affinity.go +++ b/test/e2e/annotations/affinity.go 
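Review bot: With the `.Capabilities.APIVersions.Has "monitoring.coreos.com/v1"` guard removed, `controller-servicemonitor.yaml` renders a `ServiceMonitor` whenever both values are true, so on a cluster without the Prometheus Operator CRDs the install would presumably fail on an unknown kind instead of skipping the object. That is a reasonable trade for Kustomize, but it should be stated where users set the flag, e.g. `# -- requires the monitoring.coreos.com/v1 ServiceMonitor CRD to be installed` above `controller.metrics.serviceMonitor.enabled` in `values.yaml`. The rest of the template lies outside the hunk.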
@@ -36,7 +36,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f := framework.NewDefaultFramework("affinity") ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(2) + f.NewEchoDeployment(framework.WithDeploymentReplicas(2)) }) ginkgo.It("should set sticky cookie SERVERID", func() { diff --git a/test/e2e/annotations/affinitymode.go b/test/e2e/annotations/affinitymode.go index 3b533906e..6d22ea59f 100644 --- a/test/e2e/annotations/affinitymode.go +++ b/test/e2e/annotations/affinitymode.go @@ -34,7 +34,10 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { ginkgo.It("Balanced affinity mode should balance", func() { deploymentName := "affinitybalanceecho" replicas := 5 - f.NewEchoDeploymentWithNameAndReplicas(deploymentName, replicas) + f.NewEchoDeployment( + framework.WithDeploymentName(deploymentName), + framework.WithDeploymentReplicas(replicas), + ) host := "affinity-mode-balance.com" annotations := make(map[string]string) @@ -64,7 +67,10 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { ginkgo.It("Check persistent affinity mode", func() { deploymentName := "affinitypersistentecho" replicas := 5 - f.NewEchoDeploymentWithNameAndReplicas(deploymentName, replicas) + f.NewEchoDeployment( + framework.WithDeploymentName(deploymentName), + framework.WithDeploymentReplicas(replicas), + ) host := "affinity-mode-persistent.com" annotations := make(map[string]string) diff --git a/test/e2e/annotations/authtls.go b/test/e2e/annotations/authtls.go index 093afe14e..790165475 100644 --- a/test/e2e/annotations/authtls.go +++ b/test/e2e/annotations/authtls.go @@ -30,7 +30,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { f := framework.NewDefaultFramework("authtls") ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(2) + f.NewEchoDeployment(framework.WithDeploymentReplicas(2)) }) ginkgo.It("should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret", func() { 
diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go index 31e740434..4f1bdcad6 100644 --- a/test/e2e/annotations/canary.go +++ b/test/e2e/annotations/canary.go @@ -39,10 +39,10 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.BeforeEach(func() { // Deployment for main backend - f.NewEchoDeploymentWithReplicas(1) + f.NewEchoDeployment() // Deployment for canary backend - f.NewEchoDeploymentWithNameAndReplicas(canaryService, 1) + f.NewEchoDeployment(framework.WithDeploymentName(canaryService)) }) ginkgo.Context("when canary is created", func() { @@ -132,7 +132,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("returning a 503 status when the mainline deployment has 0 replicas and a request is sent to the canary") - f.NewEchoDeploymentWithReplicas(0) + f.NewEchoDeployment(framework.WithDeploymentReplicas(0)) resp, _, errs := gorequest.New(). Get(f.GetURL(framework.HTTP)). @@ -145,7 +145,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("returning a 200 status when the canary deployment has 0 replicas and a request is sent to the mainline ingress") - f.NewEchoDeploymentWithReplicas(1) + f.NewEchoDeployment() f.NewDeployment(canaryService, "k8s.gcr.io/e2e-test-images/echoserver:2.3", 8080, 0) resp, _, errs = gorequest.New(). diff --git a/test/e2e/annotations/cors.go b/test/e2e/annotations/cors.go index 64b633173..c249b3877 100644 --- a/test/e2e/annotations/cors.go +++ b/test/e2e/annotations/cors.go @@ -29,7 +29,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { f := framework.NewDefaultFramework("cors") ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(2) + f.NewEchoDeployment(framework.WithDeploymentReplicas(2)) }) ginkgo.It("should enable cors", func() { diff --git a/test/e2e/annotations/customhttperrors.go b/test/e2e/annotations/customhttperrors.go index c0115cb52..7256b93fa 100644 --- a/test/e2e/annotations/customhttperrors.go 
+++ b/test/e2e/annotations/customhttperrors.go @@ -101,7 +101,7 @@ var _ = framework.DescribeAnnotation("custom-http-errors", func() { ginkgo.By("using the custom default-backend from annotation for upstream") customDefaultBackend := "from-annotation" - f.NewEchoDeploymentWithNameAndReplicas(customDefaultBackend, 1) + f.NewEchoDeployment(framework.WithDeploymentName(customDefaultBackend)) err = framework.UpdateIngress(f.KubeClientSet, f.Namespace, host, func(ingress *networking.Ingress) error { ingress.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/default-backend"] = customDefaultBackend diff --git a/test/e2e/annotations/proxyssl.go b/test/e2e/annotations/proxyssl.go index 0e928664e..3672a4d81 100644 --- a/test/e2e/annotations/proxyssl.go +++ b/test/e2e/annotations/proxyssl.go @@ -150,7 +150,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { ginkgo.It("proxy-ssl-location-only flag should change the nginx config server part", func() { host := "proxyssl.com" - f.NewEchoDeploymentWithNameAndReplicas("echodeployment", 1) + f.NewEchoDeployment(framework.WithDeploymentName("echodeployment")) secretName := "secretone" annotations := make(map[string]string) diff --git a/test/e2e/annotations/upstreamhashby.go b/test/e2e/annotations/upstreamhashby.go index 9474f2b2b..c4732a18d 100644 --- a/test/e2e/annotations/upstreamhashby.go +++ b/test/e2e/annotations/upstreamhashby.go @@ -77,7 +77,7 @@ var _ = framework.DescribeAnnotation("upstream-hash-by-*", func() { f := framework.NewDefaultFramework("upstream-hash-by") ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(6) + f.NewEchoDeployment(framework.WithDeploymentReplicas(6)) }) ginkgo.It("should connect to the same pod", func() { diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index c5fded856..3775af8bc 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go 
@@ -40,30 +40,45 @@ const HTTPBinService = "httpbin" // NginxBaseImage use for testing const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9" +type deploymentOptions struct { + namespace string + name string + replicas int +} + +// WithDeploymentNamespace allows configuring the deployment's namespace +func WithDeploymentNamespace(n string) func(*deploymentOptions) { + return func(o *deploymentOptions) { + o.namespace = n + } +} + +// WithDeploymentName allows configuring the deployment's names +func WithDeploymentName(n string) func(*deploymentOptions) { + return func(o *deploymentOptions) { + o.name = n + } +} + +// WithDeploymentReplicas allows configuring the deployment's replicas count +func WithDeploymentReplicas(r int) func(*deploymentOptions) { + return func(o *deploymentOptions) { + o.replicas = r + } +} + // NewEchoDeployment creates a new single replica deployment of the echoserver image in a particular namespace -func (f *Framework) NewEchoDeployment() { - f.NewEchoDeploymentWithReplicas(1) -} +func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { + options := &deploymentOptions{ + namespace: f.Namespace, + name: EchoService, + replicas: 1, + } + for _, o := range opts { + o(options) + } -// NewEchoDeploymentWithReplicas creates a new deployment of the echoserver image in a particular namespace. Number of -// replicas is configurable -func (f *Framework) NewEchoDeploymentWithReplicas(replicas int) { - f.NewEchoDeploymentWithNameAndReplicas(EchoService, replicas) -} - -// NewEchoDeploymentWithNameAndReplicas creates a new deployment of the echoserver image in a particular namespace. 
Number of -// replicas is configurable and -// name is configurable -func (f *Framework) NewEchoDeploymentWithNameAndReplicas(name string, replicas int) { - f.newEchoDeployment(f.Namespace, name, replicas) -} - -func (f *Framework) NewEchoDeploymentWithNamespaceAndReplicas(namespace string, replicas int) { - f.newEchoDeployment(namespace, EchoService, replicas) -} - -func (f *Framework) newEchoDeployment(namespace, name string, replicas int) { - deployment := newDeployment(name, namespace, "k8s.gcr.io/ingress-nginx/e2e-test-echo@sha256:131ece0637b29231470cfaa04690c2966a2e0b147d3c9df080a0857b78982410", 80, int32(replicas), + deployment := newDeployment(options.name, options.namespace, "k8s.gcr.io/ingress-nginx/e2e-test-echo@sha256:131ece0637b29231470cfaa04690c2966a2e0b147d3c9df080a0857b78982410", 80, int32(options.replicas), nil, []corev1.VolumeMount{}, []corev1.Volume{}, @@ -73,8 +88,8 @@ func (f *Framework) newEchoDeployment(namespace, name string, replicas int) { service := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, + Name: options.name, + Namespace: options.namespace, }, Spec: corev1.ServiceSpec{ Ports: []corev1.ServicePort{ @@ -86,14 +101,14 @@ func (f *Framework) newEchoDeployment(namespace, name string, replicas int) { }, }, Selector: map[string]string{ - "app": name, + "app": options.name, }, }, } f.EnsureService(service) - err := WaitForEndpoints(f.KubeClientSet, DefaultTimeout, name, namespace, replicas) + err := WaitForEndpoints(f.KubeClientSet, DefaultTimeout, options.name, options.namespace, options.replicas) assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") } diff --git a/test/e2e/ingress/multiple_rules.go b/test/e2e/ingress/multiple_rules.go index 030be172a..07f5c1427 100644 --- a/test/e2e/ingress/multiple_rules.go +++ b/test/e2e/ingress/multiple_rules.go 
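Review bot: The doc comment kept above `NewEchoDeployment` in test/e2e/framework/deployment.go still says it "creates a new single replica deployment ... in a particular namespace", but namespace, name and replica count are now only defaults that any option can override. I would reword it to `// NewEchoDeployment creates a deployment of the echoserver image; it defaults to f.Namespace, EchoService and one replica unless options override them`, add a one-line comment on `deploymentOptions`, and fix "deployment's names" on `WithDeploymentName`. `WithDeploymentReplicas` also takes a plain `int` that is later narrowed with `int32(options.replicas)`, so a negative or oversized value is passed on unchecked; that is tolerable in test code, but a short note on the accepted range would help. The function body continues into the next two hunks of this file.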
@@ -31,8 +31,8 @@ var _ = framework.IngressNginxDescribe("single ingress - multiple hosts", func() f := framework.NewDefaultFramework("simh") pathprefix := networking.PathTypePrefix ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithNameAndReplicas("first-service", 1) - f.NewEchoDeploymentWithNameAndReplicas("second-service", 1) + f.NewEchoDeployment(framework.WithDeploymentName("first-service")) + f.NewEchoDeployment(framework.WithDeploymentName("second-service")) }) ginkgo.It("should set the correct $service_name NGINX variable", func() { diff --git a/test/e2e/loadbalance/ewma.go b/test/e2e/loadbalance/ewma.go index 52e235569..15289f372 100644 --- a/test/e2e/loadbalance/ewma.go +++ b/test/e2e/loadbalance/ewma.go @@ -32,7 +32,7 @@ var _ = framework.DescribeSetting("[Load Balancer] EWMA", func() { f := framework.NewDefaultFramework("ewma") ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(3) + f.NewEchoDeployment(framework.WithDeploymentReplicas(3)) f.SetNginxConfigMapData(map[string]string{ "worker-processes": "2", "load-balance": "ewma"}, diff --git a/test/e2e/loadbalance/round_robin.go b/test/e2e/loadbalance/round_robin.go index f035005dd..bc74ba9fb 100644 --- a/test/e2e/loadbalance/round_robin.go +++ b/test/e2e/loadbalance/round_robin.go @@ -32,7 +32,7 @@ var _ = framework.DescribeSetting("[Load Balancer] round-robin", func() { f := framework.NewDefaultFramework("round-robin") ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(3) + f.NewEchoDeployment(framework.WithDeploymentReplicas(3)) f.UpdateNginxConfigMapData("worker-processes", "1") }) diff --git a/test/e2e/lua/dynamic_configuration.go b/test/e2e/lua/dynamic_configuration.go index 0a88fb07b..b382e52cc 100644 --- a/test/e2e/lua/dynamic_configuration.go +++ b/test/e2e/lua/dynamic_configuration.go 
@@ -43,7 +43,7 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic configuration", func() { f := framework.NewDefaultFramework("dynamic-configuration") ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(1) + f.NewEchoDeployment() ensureIngress(f, "foo.com", framework.EchoService) }) @@ -124,7 +124,10 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic configuration", func() { ginkgo.It("handles endpoints only changes consistently (down scaling of replicas vs. empty service)", func() { deploymentName := "scalingecho" - f.NewEchoDeploymentWithNameAndReplicas(deploymentName, 0) + f.NewEchoDeployment( + framework.WithDeploymentName(deploymentName), + framework.WithDeploymentReplicas(0), + ) createIngress(f, "scaling.foo.com", deploymentName) resp := f.HTTPTestClient(). diff --git a/test/e2e/settings/default_ssl_certificate.go b/test/e2e/settings/default_ssl_certificate.go index 421a1543b..eede8ef75 100644 --- a/test/e2e/settings/default_ssl_certificate.go +++ b/test/e2e/settings/default_ssl_certificate.go @@ -38,7 +38,7 @@ var _ = framework.IngressNginxDescribe("[SSL] [Flag] default-ssl-certificate", f port := 80 ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(1) + f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) var err error tlsConfig, err = framework.CreateIngressTLSSecret(f.KubeClientSet, diff --git a/test/e2e/settings/disable_catch_all.go b/test/e2e/settings/disable_catch_all.go index f5d9bfadc..dce772f9a 100644 --- a/test/e2e/settings/disable_catch_all.go +++ b/test/e2e/settings/disable_catch_all.go @@ -34,7 +34,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { f := framework.NewDefaultFramework("disabled-catch-all") ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(1) + f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { args := deployment.Spec.Template.Spec.Containers[0].Args 
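Review bot: In default_ssl_certificate.go the call becomes `f.NewEchoDeployment(framework.WithDeploymentReplicas(1))`, while the same one-replica case in dynamic_configuration.go, canary.go, status/update.go and tcp.go becomes the bare `f.NewEchoDeployment()`. Since 1 is the default set in `NewEchoDeployment`, the option is redundant here and in the disable_catch_all.go and ingress_class.go hunks; `f.NewEchoDeployment()` would keep the call sites uniform. The `BeforeEach` closures continue outside these hunks.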
diff --git a/test/e2e/settings/disable_service_external_name.go b/test/e2e/settings/disable_service_external_name.go index 910a906ca..d8da89d4a 100644 --- a/test/e2e/settings/disable_service_external_name.go +++ b/test/e2e/settings/disable_service_external_name.go @@ -35,7 +35,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", f f := framework.NewDefaultFramework("disabled-service-external-name") ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(2) + f.NewEchoDeployment(framework.WithDeploymentReplicas(2)) err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { args := deployment.Spec.Template.Spec.Containers[0].Args diff --git a/test/e2e/settings/ingress_class.go b/test/e2e/settings/ingress_class.go index 09134ccba..2372d209b 100644 --- a/test/e2e/settings/ingress_class.go +++ b/test/e2e/settings/ingress_class.go @@ -45,7 +45,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { otherController := "k8s.io/other-class" ginkgo.BeforeEach(func() { - f.NewEchoDeploymentWithReplicas(1) + f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) doOnce.Do(func() { _, err := f.KubeClientSet.NetworkingV1().IngressClasses(). diff --git a/test/e2e/settings/namespace_selector.go b/test/e2e/settings/namespace_selector.go index ea162d594..7c07a841d 100644 --- a/test/e2e/settings/namespace_selector.go +++ b/test/e2e/settings/namespace_selector.go 
@@ -37,7 +37,7 @@ var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func() prepareTestIngress := func(baseName string, host string, labels map[string]string) string { ns, err := framework.CreateKubeNamespaceWithLabel(f.BaseName, labels, f.KubeClientSet) assert.Nil(ginkgo.GinkgoT(), err, "creating test namespace") - f.NewEchoDeploymentWithNamespaceAndReplicas(ns, 1) + f.NewEchoDeployment(framework.WithDeploymentNamespace(ns)) ing := framework.NewSingleIngressWithIngressClass(host, "/", host, ns, framework.EchoService, f.IngressClass, 80, nil) f.EnsureIngress(ing) return ns diff --git a/test/e2e/status/update.go b/test/e2e/status/update.go index 23679afdc..43d61b0e9 100644 --- a/test/e2e/status/update.go +++ b/test/e2e/status/update.go @@ -69,7 +69,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { }) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating ingress controller deployment flags") - f.NewEchoDeploymentWithReplicas(1) + f.NewEchoDeployment() ing := f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) diff --git a/test/e2e/tcpudp/tcp.go b/test/e2e/tcpudp/tcp.go index 9b1885510..553cb46d3 100644 --- a/test/e2e/tcpudp/tcp.go +++ b/test/e2e/tcpudp/tcp.go @@ -38,7 +38,7 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { f := framework.NewDefaultFramework("tcp") ginkgo.It("should expose a TCP service", func() { - f.NewEchoDeploymentWithReplicas(1) + f.NewEchoDeployment() config, err := f.KubeClientSet. CoreV1(). From a46626b259d87bfde2a9967cf3a16862638521b3 Mon Sep 17 00:00:00 2001 From: Kundan Kumar Date: Mon, 7 Feb 2022 01:40:52 +0530 Subject: [PATCH 0033/1606] 8217 fix removed extra v (#8218) --- cmd/plugin/ingress-nginx.yaml.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/plugin/ingress-nginx.yaml.tmpl b/cmd/plugin/ingress-nginx.yaml.tmpl index 1283cb7f3..9fce2d92d 100644 
--- a/cmd/plugin/ingress-nginx.yaml.tmpl +++ b/cmd/plugin/ingress-nginx.yaml.tmpl @@ -6,7 +6,7 @@ spec: shortDescription: Interact with ingress-nginx description: | The official kubectl plugin for ingress-nginx. - version: v%%%tag%%% + version: %%%tag%%% homepage: https://kubernetes.github.io/ingress-nginx/kubectl-plugin/ platforms: - uri: https://github.com/kubernetes/ingress-nginx/releases/download/nginx-%%%tag%%%/kubectl-ingress_nginx-darwin-arm64.tar.gz From 6b6ebf0a7c5d3cdc8eacdfb0ec63f50e811d5dc4 Mon Sep 17 00:00:00 2001 From: Alexander Brand Date: Sun, 6 Feb 2022 15:14:53 -0500 Subject: [PATCH 0034/1606] Update the $req_id placeholder description (#8163) --- docs/user-guide/nginx-configuration/log-format.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/nginx-configuration/log-format.md b/docs/user-guide/nginx-configuration/log-format.md index e39c5f695..4a8a45755 100644 --- a/docs/user-guide/nginx-configuration/log-format.md +++ b/docs/user-guide/nginx-configuration/log-format.md @@ -29,7 +29,7 @@ log_format upstreaminfo | `$upstream_response_length` | the length of the response obtained from the upstream server | | `$upstream_response_time` | time spent on receiving the response from the upstream server as seconds with millisecond resolution | | `$upstream_status` | status code of the response obtained from the upstream server | -| `$req_id` | the randomly generated ID of the request | +| `$req_id` | value of the `X-Request-ID` HTTP header. If the header is not set, a randomly generated ID. | Additional available variables: From 4b4895b53bb5fd00874deeeb914d5d36fd19556e Mon Sep 17 00:00:00 2001 From: Tomas Hulata Date: Sun, 6 Feb 2022 21:18:51 +0100 Subject: [PATCH 0035/1606] add ingress.class (#8136) 
Signed-off-by: tombokombo --- charts/ingress-nginx/Chart.yaml | 2 +- charts/ingress-nginx/README.md | 3 ++- charts/ingress-nginx/templates/_params.tpl | 3 +++ charts/ingress-nginx/values.yaml | 4 ++++ 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index e57e3ebb6..6a8510284 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: ingress-nginx # When the version is modified, make sure the artifacthub.io/changes list is updated # Also update CHANGELOG.md -version: 4.0.16 +version: 4.0.17 appVersion: 1.1.1 home: https://github.com/kubernetes/ingress-nginx description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 17b534154..e5e93a146 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.0.16](https://img.shields.io/badge/Version-4.0.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.1](https://img.shields.io/badge/AppVersion-1.1.1-informational?style=flat-square) +![Version: 4.0.17](https://img.shields.io/badge/Version-4.0.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.1](https://img.shields.io/badge/AppVersion-1.1.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. 
@@ -311,6 +311,7 @@ Kubernetes: `>=1.19.0-0` | controller.image.registry | string | `"k8s.gcr.io"` | | | controller.image.runAsUser | int | `101` | | | controller.image.tag | string | `"v1.1.1"` | | +| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | | controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster | diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl index 64a462eaa..305ce0dd2 100644 --- a/charts/ingress-nginx/templates/_params.tpl +++ b/charts/ingress-nginx/templates/_params.tpl @@ -12,6 +12,9 @@ {{- end }} - --election-id={{ .Values.controller.electionID }} - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }} +{{- if .Values.controller.ingressClass }} +- --ingress-class={{ .Values.controller.ingressClass }} +{{- end }} - --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }} {{- if .Values.tcp }} - --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 079094b2b..eb6db4a05 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml 
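Review bot: Because values.yaml now defaults `controller.ingressClass` to `nginx`, the `{{- if .Values.controller.ingressClass }}` guard added in _params.tpl is true for every install that does not explicitly empty the value, so `--ingress-class=nginx` is passed even to releases that customise `ingressClassResource.name` and `controllerValue`. Where two releases of this chart run side by side (for example an internal and an external controller), both would then appear to claim Ingresses carrying the `kubernetes.io/ingress.class: nginx` annotation unless the operator also overrides this value; that depends on controller behaviour not visible here. I would say so in the values.yaml comment, e.g. `# Set a distinct value per release when running more than one controller; the ingress.class annotation is matched against it.` The surrounding argument list starts and ends outside the hunk.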
@@ -116,6 +116,10 @@ controller: # does not require extra parameters. parameters: {} + # -- For backwards compatibility with ingress.class annotation, use ingressClass. + # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation + ingressClass: nginx + # -- Labels to add to the pod container metadata podLabels: {} # key: value From d769ceaa5b29af5095224a44fdfcc774612a3981 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 6 Feb 2022 12:22:52 -0800 Subject: [PATCH 0036/1606] Bump google.golang.org/grpc from 1.43.0 to 1.44.0 (#8209) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.43.0 to 1.44.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.43.0...v1.44.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index fa5be593d..98d374bf0 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 golang.org/x/net v0.0.0-20211209124913-491a49abca63 - google.golang.org/grpc v1.43.0 + google.golang.org/grpc v1.44.0 gopkg.in/go-playground/pool.v3 v3.1.1 k8s.io/api v0.22.5 k8s.io/apiextensions-apiserver v0.22.5 diff --git a/go.sum b/go.sum index f7fe66f18..573fc3f84 100644 --- a/go.sum +++ b/go.sum 
@@ -1171,8 +1171,8 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.43.0 h1:Eeu7bZtDZ2DpRCsLhUlcrLnvYaMK1Gz86a+hMVvELmM= -google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.44.0 h1:weqSxi/TMs1SqFRMHCtBgXRs8k3X39QIDEZ0pRcttUg= +google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= From 04035cc1c2487a73f47450e3d2f45721391de4fe Mon Sep 17 00:00:00 2001 From: Elvin Efendi Date: Sun, 6 Feb 2022 15:28:51 -0500 Subject: [PATCH 0037/1606] Do not validate ingresses with unknown ingress class in admission webhook endpoint. (#8221) --- internal/ingress/controller/controller.go | 6 ++++ .../ingress/controller/controller_test.go | 4 +++ internal/ingress/controller/store/store.go | 3 ++ test/e2e/admission/admission.go | 29 +++++++++++++++++++ 4 files changed, 42 insertions(+) diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 48a91b67b..9afe00953 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go 
@@ -233,6 +233,12 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { return nil } + // Do not attempt to validate an ingress that's not meant to be controlled by the current instance of the controller. + if ingressClass, err := n.store.GetIngressClass(ing, n.cfg.IngressClassConfiguration); ingressClass == "" { + klog.Warningf("ignoring ingress %v in %v based on annotation %v: %v", ing.Name, ing.ObjectMeta.Namespace, ingressClass, err) + return nil + } + if n.cfg.Namespace != "" && ing.ObjectMeta.Namespace != n.cfg.Namespace { klog.Warningf("ignoring ingress %v in namespace %v different from the namespace watched %s", ing.Name, ing.ObjectMeta.Namespace, n.cfg.Namespace) return nil diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index b67929b97..5e3eb9113 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -63,6 +63,10 @@ type fakeIngressStore struct { configuration ngx_config.Configuration } +func (fakeIngressStore) GetIngressClass(ing *networking.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) { + return "nginx", nil +} + func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration { return fis.configuration } diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 7e9b89735..2b15dc74d 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -98,6 +98,9 @@ type Storer interface { // Run initiates the synchronization of the controllers Run(stopCh chan struct{}) + + // GetIngressClass validates given ingress against ingress class configuration and returns the ingress class. + GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) } // EventType type of event associated with an informer 
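Review bot: The new guard in `CheckIngress` returns nil whenever `GetIngressClass` yields an empty class and never inspects `err`, so a lookup failure and "this Ingress belongs to another controller" take the same path and the admission webhook admits the object unvalidated. If `GetIngressClass` can fail for reasons other than a class mismatch (its implementation is not in this hunk), an Ingress that this controller later serves could skip validation of its annotations and snippets. The warning also formats `ingressClass`, which is always empty in this branch; `klog.Warningf("ignoring ingress %v in %v: no matching ingress class: %v", ing.Name, ing.ObjectMeta.Namespace, err)` would be more useful. The existing comment could also state that admitting foreign-class objects without validation is deliberate. `CheckIngress` starts and ends outside the hunk.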
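Review bot: The `GetIngressClass` method added to `fakeIngressStore` in controller_test.go always returns `"nginx", nil`, so the unit tests never reach the new early return in `CheckIngress`; only the e2e case in test/e2e/admission/admission.go covers it. A field on the fake, for example `ingressClass string` returned by the method, would let a unit test assert that an Ingress of a foreign class is admitted and that one of the controller's own class is still validated. The rest of the fake is outside the hunk.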
diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index 2099e54d4..c4c1ef76d 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -191,6 +191,12 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error") } }) + + ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() { + out, err := createIngress(f.Namespace, invalidV1IngressWithOtherClass) + assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-invalid-other created\n", out) + assert.Nil(ginkgo.GinkgoT(), err, "creating an invalid ingress with unknown class using kubectl") + }) }) func uninstallChart(f *framework.Framework) error { @@ -270,6 +276,29 @@ spec: port: number: 80 --- +` + invalidV1IngressWithOtherClass = ` +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: extensions-invalid-other + annotations: + nginx.ingress.kubernetes.io/configuration-snippet: | + invalid directive +spec: + ingressClassName: nginx-other + rules: + - host: extensions-invalid + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: echo + port: + number: 80 +--- ` ) From 935ea3d8303cfa56bd42358f39adfa922a883038 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 6 Feb 2022 17:42:51 -0300 Subject: [PATCH 0038/1606] Update libraries in webhook image (#8227) --- images/kube-webhook-certgen/rootfs/go.mod | 12 +- images/kube-webhook-certgen/rootfs/go.sum | 208 +++------------------- 2 files changed, 35 insertions(+), 185 deletions(-) diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index edd26c0df..edd74bea3 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod 
@@ -5,10 +5,10 @@ go 1.16 require ( github.com/onrik/logrus v0.9.0 github.com/sirupsen/logrus v1.8.1 - github.com/spf13/cobra v1.2.1 - github.com/tidwall/gjson v1.8.1 // indirect - k8s.io/api v0.22.0 - k8s.io/apimachinery v0.22.0 - k8s.io/client-go v0.22.0 - k8s.io/kube-aggregator v0.22.0 + github.com/spf13/cobra v1.1.3 + github.com/tidwall/gjson v1.14.0 // indirect + k8s.io/api v0.22.6 + k8s.io/apimachinery v0.22.6 + k8s.io/client-go v0.22.6 + k8s.io/kube-aggregator v0.22.6 ) diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum index c1592f68d..5889d4e49 100644 --- a/images/kube-webhook-certgen/rootfs/go.sum +++ b/images/kube-webhook-certgen/rootfs/go.sum 
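Review bot: In images/kube-webhook-certgen/rootfs/go.mod `github.com/spf13/cobra` moves from `v1.2.1` to `v1.1.3`, which is a downgrade although the commit is titled as a library update; the other entries in the hunk move forward. The go.sum section that follows drops many transitive entries, which is consistent with an older cobra, so this may be deliberate, but the reason is not stated. If it is intended, a trailing comment such as `github.com/spf13/cobra v1.1.3 // held below v1.2.x: <reason>` would stop an automated bump from reverting it silently; otherwise keep `v1.2.1`.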
@@ -9,33 +9,18 @@ cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6T cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= -cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= -cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= -cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= cloud.google.com/go/pubsub v1.0.1/go.mod 
h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= @@ -69,7 +54,6 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= -github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= 
@@ -81,7 +65,6 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= @@ -109,7 +92,6 @@ github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 
@@ -161,15 +143,11 @@ github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfb github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= -github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 
@@ -189,11 +167,7 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 
@@ -201,19 +175,11 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -252,7 +218,6 @@ github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2p github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= @@ -276,7 +241,6 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= 
@@ -285,7 +249,6 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= @@ -302,7 +265,6 @@ github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS4 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -335,13 +297,11 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= 
@@ -386,20 +346,15 @@ github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v1.1.3 h1:xghbfqPkxzxP3C/f3n5DdpAbdKLj4ZE4BWQI362l53M= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= -github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw= -github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -411,18 +366,16 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= -github.com/tidwall/gjson v1.8.1 h1:8j5EE9Hrh3l9Od1OIEDAb7IpezNA20UdRngNAj5N0WU= -github.com/tidwall/gjson v1.8.1/go.mod h1:5/xDoumyyDNerp2U36lyolv46b3uF/9Bu6OfyQ9GImk= -github.com/tidwall/match v1.0.3 h1:FQUVvBImDutD8wJLN6c5eMzWtjgONK9MwIBCOrUJKeE= -github.com/tidwall/match v1.0.3/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= -github.com/tidwall/pretty v1.1.0 h1:K3hMW5epkdAVwibsQEfR/7Zj0Qgt4DxtNumTq/VloO8= -github.com/tidwall/pretty v1.1.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tidwall/gjson v1.14.0 h1:6aeJ0bzojgWLa82gDQHcx3S0Lr/O51I9bJ5nv6JFx5w= +github.com/tidwall/gjson v1.14.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.32/go.mod 
h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= @@ -438,9 +391,6 @@ go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= 
@@ -465,7 +415,6 @@ golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= @@ -492,7 +441,6 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= 
@@ -502,8 +450,6 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -521,7 +467,6 @@ golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -531,46 +476,26 @@ golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod 
h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 h1:ADo5wSpq2gqaCGQWzk7S5vd//0iyyLeAratkEoG5dLE= -golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY= +golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod 
h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602 h1:0Ja1LBD+yisY6RWM/BH7TJVXWsSjs2VwBSmvSX4HdBc= -golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -605,28 +530,14 @@ golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -643,7 +554,6 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
@@ -688,26 +598,10 @@ golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapK golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools 
v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -723,27 +617,13 @@ google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsb google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= -google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= -google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= -google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= -google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= google.golang.org/appengine v1.6.5/go.mod 
h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 
@@ -761,31 +641,11 @@ google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvx google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
-google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= 
@@ -795,17 +655,9 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= -google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= -google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 
@@ -832,7 +684,6 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= 
@@ -860,34 +711,33 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.22.0 h1:elCpMZ9UE8dLdYxr55E06TmSeji9I3KH494qH70/y+c= -k8s.io/api v0.22.0/go.mod h1:0AoXXqst47OI/L0oGKq9DG61dvGRPXs7X4/B7KyjBCU= -k8s.io/apimachinery v0.22.0 h1:CqH/BdNAzZl+sr3tc0D3VsK3u6ARVSo3GWyLmfIjbP0= -k8s.io/apimachinery v0.22.0/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= -k8s.io/apiserver v0.22.0/go.mod h1:04kaIEzIQrTGJ5syLppQWvpkLJXQtJECHmae+ZGc/nc= -k8s.io/client-go v0.22.0 h1:sD6o9O6tCwUKCENw8v+HFsuAbq2jCu8cWC61/ydwA50= -k8s.io/client-go v0.22.0/go.mod h1:GUjIuXR5PiEv/RVK5OODUsm6eZk7wtSWZSaSJbpFdGg= -k8s.io/code-generator v0.22.0/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= -k8s.io/component-base v0.22.0/go.mod h1:SXj6Z+V6P6GsBhHZVbWCw9hFjUdUYnJerlhhPnYCBCg= +k8s.io/api v0.22.6 h1:acjE5ABt0KpsBI9QCtLqaQEPSF94jOtE/LoFxSYasSE= +k8s.io/api v0.22.6/go.mod h1:q1F7IfaNrbi/83ebLy3YFQYLjPSNyunZ/IXQxMmbwCg= +k8s.io/apimachinery v0.22.6 h1:z7vxNRkFX0NToA+8D17kzLZ/T4t+DqwzUlqqbqRepRs= +k8s.io/apimachinery v0.22.6/go.mod h1:ZvVLP5iLhwVFg2Yx9Gh5W0um0DUauExbRhe+2Z8I1EU= +k8s.io/apiserver v0.22.6/go.mod h1:OlL1rGa2kKWGj2JEXnwBcul/BwC9Twe95gm4ohtiIIs= +k8s.io/client-go v0.22.6 h1:ugAXeC312xeGXsn7zTRz+btgtLBnW3qYhtUUpVQL7YE= +k8s.io/client-go v0.22.6/go.mod h1:TffU4AV2idZGeP+g3kdFZP+oHVHWPL1JYFySOALriw0= +k8s.io/code-generator v0.22.6/go.mod h1:iOZwYADSgFPNGWfqHFfg1V0TNJnl1t0WyZluQp4baqU= +k8s.io/component-base v0.22.6/go.mod h1:ngHLefY4J5fq2fApNdbWyj4yh0lvw36do4aAjNN8rc8= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod 
h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM= k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= -k8s.io/kube-aggregator v0.22.0 h1:he3plI8vlaPJxR9vsy/lL5ga1V8CoA8M8x1Bn8eTCeM= -k8s.io/kube-aggregator v0.22.0/go.mod h1:zHTepg0Q4tKzru7Pwg1QYHWrU/wrvIXM8hUdDAH66qg= -k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM= -k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= -k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9 h1:imL9YgXQ9p7xmPzHFm/vVd/cF78jad+n4wK1ABwYtMM= -k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/kube-aggregator v0.22.6 h1:/iaXzOWia2dqOQkIA9eJtkmfTveJMLz3Dci9ZA/WgmU= +k8s.io/kube-aggregator v0.22.6/go.mod h1:0RSTzxqiwsj5HUlov195Z72ZKyE4qgedKXCl6sLKAjM= +k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c h1:jvamsI1tn9V0S8jicyX82qaFC0H/NKxv2e5mbqsgR80= +k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= +k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g= +k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= 
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno= -sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= +sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y= +sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= From be65620b313029ddd2e68c03c52460c717c2fd86 Mon Sep 17 00:00:00 2001 From: Indhu Kumar Date: Mon, 7 Feb 2022 01:47:45 -0800 Subject: [PATCH 0039/1606] prometheus+grafana using servicemonitor (#8186) * prometheus+grafana using servicemonitor * fix review comments * markdown changes * more formatting changes * fix review comments --- docs/images/grafana-dashboard1.png | Bin 0 -> 360254 bytes docs/images/prometheus-dashboard1.png | Bin 0 -> 387285 bytes docs/user-guide/monitoring.md | 187 ++++++++++++++++++++++++-- 3 files changed, 179 insertions(+), 8 deletions(-) create mode 100644 docs/images/grafana-dashboard1.png create mode 100644 docs/images/prometheus-dashboard1.png 
diff --git a/docs/images/grafana-dashboard1.png b/docs/images/grafana-dashboard1.png new file mode 100644 index 0000000000000000000000000000000000000000..a4dfd81a74b8dcf6e8e0b8ac9fc4641d80659fcc GIT binary patch literal 360254 zcmeFZWpEtJvMnshl0~+dY%w#-VrE8*nVFfHEwIJR%rs(Vmc`7>%jeQ z$G$(`o9KzI>F%oPuFA|>xiWh~Wu-+v!+eDS0Rj0eCMqZo0s=Du0s?^t^$~bvD$7?I z1mu&6sepj2n1BGDtev%ysf8g3h-he>GURuK!LRA+zoMfjz!0O6+(dHG$?^<*{ynyEk9h2 z@_08hHZp>k+}aZV()bSR!)cqvM8lcLhEE(P<_3en3zpmgu43cL08Pov48!~7@Qvoo zir11%ISmEy%J!-)6igd^0m3_pH?}_P;)=im>SMhwmKz9yfZEbK%^wOj9;l)W^C7^c z4$PSRf(Bwtb~DGH9op6+WC=tz$F6ab3WVvDFI}}~*w2ZHo9~!lH@pYLgqyM_t({-!Km*#6g?}OKlU+%%J5H-FX9{_LGqw>5JSa1r$b2fyB|S6 z_Rx4(i4ye)BLs)q=j43%5Y8w2@qu20dY?%SpA=NjGXx#lAnSr6je7E#HIBBHMq$XP z=>AIMAX7WA0`f9dFn;J2Gs`EZI?5CU7Wo%`KCgu;k$6~;$_G7TRcVi0abwAfP|%9IkzD8@$Xkj|k3@l;wnL4qLccIeCi_Pr8aH58vGkl(W z(!WEY7ff=elav3DlI;scH@5HZquA<9@F(l|i0=cvU1{j!5&c=PY~^O^My{4nxU->!s@f7 z+j?gMPc0nv)~96z){WB%cv$#=bS}JMrQWham@AGY@8R{7`m9O9=4iP~C_99O+ozj6p}EI5-chJWnZySGu?ltt0>_j)1goX+8AH92G7dJ<`gLr4StX z9o;2IgX@Q1FVR>qWZ-HEAA@jf!E;;E!8mf31y952lmPqBE171+*g(kt;YvE8jPfy0(OHv!LLY% zBoR`ak4*(`*5^itasH!|Z|gc0`qVv-=9avBTU5tC|oc`$+TGOn}v5X!_6yQT{e_fL9An7o^Ra`we$ZyciBD ziLI|=l!&|=QB{ROg*x1mJ8x0?sidR0%2S2VV_dlkt`zgh2icZ=tS4<9Cb9$B7Dvlx zyf0z>=t9#4+v{t47*CJ;IW73t&X9H9b7C7PWGK~uq5ye*2wlhxx{XiE5@`X>f&@SL zYVqAVTNC+5NXGDJ@U4hWNtqFsLZd=kiI4_;ws|i}d!rk2`Q^z?u}$F*zz<-GVx|l7 z%Z-Y6i_!Aqi%FCykkhPcMrJ_w`PP6?Pn-w;0rU9y$fG`iv{Wms*6m&vpJGG zlGcT~r98$9=crEknH1IXFUqTZK0!GFEtByt-ze?;y>348yKu5_sv-MAJf_q%Z*VfT zRJBw!%T@HM+Nd5)byzLDtam24Ofk<<@F-uYf?3nO*6D{+`YqDQ$|8Dg#!<9GsUyGR zJv*!e;2?FhBtvFRnn&Pln)q;W-_D`NaoF+h5O8?Af3V+pM0_AMRWiwu zKiAoTG5ZOQFrn&)ZM3cbg>AqE)GSnINH5`SL<7TS>#OJso~N%@(yQ0Y(If8X#E)4Y z**;Q!I{bW!xfygDwDq~*s}%#M{ydkwbMBhx>Ol2RNRd@~{)pp<%^yY>mW*cfhu@g# z;aK7^Dj2y9mo2;Kpcw|4RW0q7bBANCzUojgXj-~;T|+2D4eISOP$m^5aTy64AsX4$ zlo^#7z3ejYhVByYK8>EK%Tl#aGf*q3GpS#zB&$W%q?)RlyY`1!>{t@ls+l{E9k$j* zI9A{AAGsavF+Vb6rRb%orMLr_mUx%ImduvSodh|oo3WZBoGfn(TZ3CC+J;`MKOC+f 
z;MvXZPn?R{T-%~>C~>ShWV2VLhNYUN;jlBN=A=rb9;InVRAa@loAnmj=d?ArG;B9n zI5%>r8DG!;CeFbWX}7I&-f2{7)UwZM3~U^=HMem;IbEl*S=;s+_CKW`)6WvA={J_4 zl_}ce9;cy|sBozGti{sm*s9-};F58Ne-HjNa=~_Z)j2m+KXI3NmfqLS&} z=G+}X>yFk;4h{)n3eQyb2cl*M9@~!tB67EKlZAb@`wdlFN)gTImZ;Q`whDUABE1t3QY)!8tgKgiFI+{5%X;NaDoIWR+O95QLiJ# z7sVvsBoH(}GWZq7aU-iu$cplf@3oRFv#_|(+H7)KV5+ttw4hG1KBLX$v1YS!Gs9?| z(S32T~b^#)hOHqqKb$Eu}G$ME*pi(#7h=2+!eZ?!IUyNmwcJW8*u zl}z@gM-1bJDe=e&;R$Ohhz)vk;wN#vl(-dN>x-?v**h*Aw$Dnc+GlmO>RqV~sXZ)4 z4iydsImREwS3K2fHN3hh+RVIu7RE%gc4`0Fele7vDfPsRX-%{CY#VMeTvoQBepFmm zLJ2^uN40cs;xc_|%xLj0UeImG@#x=6+f2i5-gHVUzbGzRu&i}grB8;0EAZ?%7`UFd+%ynQ zi(i-eYjN9=Tz0l+qDzb`Y|Ay9a6DUIgf}D9S*EOfn<%R& zFNKHFvTKWL-8v_{X1(+WDFZ6J9vJt>-=@U4}@ui}n*O1|EgdLNQb77UF$Wni`odNr~{v(Vvfh&TF+fPP|TVnp^~;Q-Cd z>!|tAQZGkBapvdmM|M`>5A{r1+CmE#Mhe2=4+da2IhCwZN-o3PgSXM;IhVnc>0bP$ULlrS2DJc*NU>OPo9P}#)1h51O z{Bnb0{#RKTlnms;NpZgELf2t4395IzL~F)`p?LEp~M(8}J#+5x^9s~r9`27niCQoz@yr+57 z?JTm*ky!453HAEqV1 z`{NP^b1niEDOo%LYdb?cW*RygIs$GOJUl#3I|Czjc|qa7ssn#<5tukQ*s#;mIy*bl zI5W~%+Zof+v$3(!(lO97Fi-=pptg6la?o|5wz4Puvyp$bBWP%^Z)a-bU}|lJ_uj6q zp0%R`7XiV0NB{Nt^F9q-O#izlEBn753;2Mv?`LS~Y3OMGt8HLa&iAA2vZgME7OH}# zmcTIs_Q6fhNYB9eM}`02ssHZs->RzocU1-!X4ZeN`fsQH&#H>{hIRthmcULOxc_^? 
z{;K@%C;zI*N&Ein|27tX4)h;Kfg{Zg!%6#Jv&IdBb7|27oJcHFL7DHsJy6WvKVa_y zMfT?&SO%+~v&E+O1Oed%5fkM5?gDz82HApAx7eqRD2oD0?xz(7aii6oy*ln@>BDp& zlv|YPcb$!gcI?6@WJ(}ZJQ1%?5e2rOV?TEam4>v#6giVed0a;7egtUDT|ot1Cag3 zLMidjMVyEil=|s^F_h7~Sp>YGmRV+2O7Z^-%L6nRw|{deeL0C`Yfa?HZP$I}OI2(a zj59nhuU8>njGCQJezm_Y(zL(brX0^#b&EUB<3Rt|PSHUOrlo0vWZe>@k0iBa`g%nK ziev+IjMP?g{qWet7zBT>^N^n%e0dTQ7n@Jy8++Q-o=+Lo_IqO( zXMj6H&0JB$VC~=8y;xrDug~_m;?-O&_XBgo-A)6{Yw}|*@*1!5TZ0+iujB}76F-4s zz>5Vg9#6Gn(Cm0bYippre!1@r1#4D6lrSrD3gp^T_|4oq%Ndh4aIROED%Nn_bvVy<- zysJk!i>3`zZcztyg%64}AP9V36b3gjQyMvl0Icy=4M)){!}ck`%Q?AvnQ5RTT&z3Q z^|G+u2~t7SLZe;3i_hQKdL(_2dz?U)l4XtD!RsOa8gE(%Wq?}11F!)Dg3Nwum@lol zObLZx{E>TFPcAmii<_9K?ga5*i{P-2e{*ToBk6$FrL>ZRHyFp0Jgz^II)Em_(MxRS>ih=e!o4fGWMj$!Wq-gXUFLi z4i+!TE8WT$3Oxuo~lSN>|q<{A!PE^2~nMXvq2!>bA~C zQa$oasmjc#zp2qiV5xY35A(AD3`>L!TmvkL;bki79^?(xGXx{S;G%fQpj=jR1N+2z zje@8McK=U(|L;}blmf6tC(DZXz6f>E!C%D4#G+eIw@XrXOPQdT3&!SY-%%-XDC*&x zlq1;>_nDMkWkyq26oezZ1~3N^{!IyZiNGE`CEE*xhAe2?8!VSfwo_}yo!4|PA~{?y zT~uGMf3>#kmg4+djeoO_;6STjOP64w|EE0~JfrrAD)%a#ZmexPu3vji4|{#s!>u+r zAW&_#iXi2#00Z2giglvSD;3Er!WGHN-7a~1??HK`v_C1mK5xPAHF$L=R9meSxCX}E z0gZRaPvD|)DL)WW^|XK3&*~kFB`+r)N3k_~o}lgZYc!=j?vBU9Ix3R!-Pq}-Zn-`= zVH>`^+{PFyb0gm`my}~Dm&uQQ>6b{LIk6jq-)h`VNq8AMF}OA$%6vD%QCFT=SJV4j zF502p8}`*sCtqD3;uL3V>U&ufIxoNTK3!iXFvO7_JnxI(#5dX-vtA&q^ZP_cEHycn zFj>iSq(~$J5Re+$Bxo1f1;-MEJ$zLwb)@lgJ1An_LC6M?Y}PaWWckaC)sAv8t+aLf zOAuyI@HjL)oX973QED?k%v>~%*6T~yRq#)2;FTs8`_YKyHnUNNH;2v!0~5^jpH?#PmAtOX=60yR-GT661Mj_)D6_w; z1%V-6Y0K&Jx3N^4XR)lluRo~G<7Rgj;$-$7SaaSjP~W$7Wx1|-CF(`iG^-WkjG>l? 
z8Z2+VFXP|VTK1hGu3{RECCdI7>Lbqc{Q}EnW`8A@C$l z!xn|pWhfI{-BGo@`y*`k28RO%yS^`Pq%*}hG?;B_wC1xOMA}{tLdSPIpY23CP@KKr zUYzY*kAxeC$+{GU!cc50RvYaLj^MX|P@156oI5mjK`V+fXBl@+xm-hNjP>O$*CB}^ za%Mk@=T)|Y0n<2McaG+#X7ew$0I`_U^rUi@al#A>)x{QWRDXw?EjHldaty6;o)K=i z-odd9o8j&ixa@gXW`&Xde4cuaVge7DFP%h)N~vTg4timn0vNru3BBAq!B6LU*jAWA zgCkgMduhs->W=x(D{N&wVu-mPE1a|n(aJ*;j<0I_)tLI_NLZfl-X+20Y=B+r38<~O zrr}F%Q}uL`Iwa`HuRK_Lch~X?N+^$)IRC(^m)OA8`dF1KV`A3~Pf?<9RduoFNEoalzY zA4OEb!Q|wnlQc@Ry)0x$bFMq@$fc{H&t8GId835Z@bO2{P_}iY<89^0r5)#-$JVK{ z?$MZo7TEiG_r|)~f1%}atGee3i)9aW7R?-Cy|9^5wCFC$n<71J24koIZ8CbFDW1%q z;BW`i#9VJXnyg6^@s&BoZf8gg2<^dY9yWr{b~<(M2F)v4v0T!Bx(E3zXx|3-08D;o zSDS3qRG+myv4iZ6XHXN0aAADy`*9#6zEHihd@Vz*h1VVQGWXf|^7?c}`*7NHon-j> zfuBFb$+~63h)t@jk}5~A2I^^rCJ!V~XstOG;pC{I{W9Y=fVQbH{?op93g+GEVSS!< zyA^PHVQ0`MQ$BvO+j2U-mq@NR!Bek)J?t~Qq|ycqQ6Jr&Eahpvz^+J?A2_r!S+6dB z?zUgbe7(FJ-Wd4-kISv}>UwN@dQ<3~(^qG>1Xx>cki@B>-E0bqFf(il*aNZ-1VERW znZu{fY$ndj6Vi>w4|Qf|7~Opn#ywLkCf-ahui1a2ehn~G_#3`xZxHq{sZOz@QeqFs zZrztS?P^t8m_M_W;8QV z>?91?T=?14P##j1j?Hc(=E>m9hW;P5ViD@8+`g|-lj0yHCN&c_k+IjJcO|Ci$#B=zM`S-jJ570 zAcR^o-0U5u+eYkpfu20xXtOt4COd-ZdqnE?qHi@iVGMWP0T%+%o1Cb)m$0(}88#74 z0o@xG>4Jy8g|khnx7GCecV~hp^3HbZk*W{;+P21f$qZ9vr~TY7S=tFuHn9j4%5szm zBLb97&W|HcA9?m4_ung>4c%(0VS^pX+fi2-N644a5lk^ zvp(I!V7^O0tj9GU;b(KzG={zH{ieRxmv_Yr1wkL>G*uw;^8y*?cV{kP8v>`z8yVaE zdbQY|AAxN8oR+t$RcoDhrlP9G7P^7wd8hkiiLb=&o^YZ@ty zrp`k(dYlh)zs8xi_Y1M(k>)x{aJ1`bYMy+yAT-PA-I{j-i4<)dHiuJ#EnoW8c)O@o zUI63vDy(!d-z9>R16Tg#6P`-C+th}wm^5K~Vj zZ86H)WWi0Br_4^f+XXht$B&=CM%PY`d7QT1t#V8j(3VY*?En6c{$FK1a)`bkD~%D# z#BO@&+9NqYDrmnzJg!(i&+Z$kzKY*crLO0s)Ckj~fmR6nO{-1qH{A^Mmlc$rWJkJ} zEA$bkp7ap^9WIO@@x9Gm%W!KAKgyVh4BCJigif=c)k(|)@U{%49dYvN)#m6d+Mc*0 z-Z<_f?GCbD%a{HZi`R9SG^OdA;^59*7o^3^9z4ojbGt(giyJeM4i{4HdfCZqYx_Y5 z3mnkt*_%!pk?hi z7~@q9L_d19Ou9Q7gB}^#`nl50+W?Q6b!H->gDb*b&z#R2wC&Ft015#8QEz^*?immTm;Ak%jxZse#3@0c$Uai^!HcyaTPmjXa0`86 za}(G5nNJPSMD?9}0m|fP&YEbY`9^G^V(R8WS=&?0s_`bMgCU8ZfC!2*Q)tos6q|@r 
zp!`sbG*d_mfrIbbph=Qn#p5EC#kuIX-J9Q~`Q*-WQbjdm1-No1DGIkQpp$2ghJ-_3 zviXLg!p9XU7&YfTZ^yvrso$9|+jw2b@?y3Tk5qkCQrs{R`j&|M$j$x1hOZf4=cwJ) zK7nnI=gFe1=DZjBoacXlE#TmriFlE)m=Lv%q~>Zlj}w(%W>%yrL;UGUeN=qQ1gKY9 z0FvXa(=)zJX@$a2_Ri|np24k=!%)*W$qZihsW9Et7R!qW37fp6dk9MeKU%G7I&)Yn zgoJ5D4!>lyB!wGqPixHnZn&pl4O>@87D^M8J}HcoAlQ_>`z`6%DVewW>SfoE;z#bw zo*#pkGs>9NeL&uCcHlM)_PW7PV!(v|g4Ut~EQZ*u^g$Jxv%6_hJU1#W_=W&g!w5pz(>Jn`V6*goX(c=UMn%R#%$M%rK)X9URD|{q{#YbaPpyMQDE}JSe7Ov zKfrppnjT0c5Vl_lu}MionP)LPQiG2mD0I5WMDvQm`sk2jfKjWk20(DDNR-)|elXZ; zh#Tj^9(v4@#=SN9!%j_ikMm!BE+%AUUbUQYPOrX&J>?stb%|78R+5FN%@dFN#ave5 zfarC70eQK6MY(LloGt**B{{}+!U)mzWW z(b07CadLR}efMNP%4y^U+nk^mXZ%$r%9N7wuVs-BOwEGv?RaR%>KlvoYU;O~mapUA zwAEkAt{*acC=(y~#84B&L^CVQ=WflEf6)Jh zx$P+wTiV7rgIW_@r2wyPj+n(|TdlK9=+w!y@LZfkhDuybcgQN|Oq%UpE8zTUOHTHQjM#(@u!md84$YKDVpxI5tY# z2P3kp?vQIgCm$(GX`^s?q{?iHi)nwhzrCs-PPg*flpSP4nfx3F;tu?mr#q&aPuIbS z6J5!h$ExAECcpKpaEcxwN@b(IvUN&9%An}Byql>T9m7lzAd&)rFsmgKJoO(iTc!*G zJ*?u=Pvf>_6SpUGib@q;q*65QZ$&wg>}ttOR`~0AE17&BQcqeOFhpYZhG{E)Eq%OU zk(v5WXbOnh-M{&=l7#sCq~$oJbvyO(!Ko9p=Xxa!ZdW5tXlduPtjkFGB|fSiRNDBr zw3({ss~dW9^T^ESFyuEd#`&Q6jouuNpA}PplFfH-sD*?}N?6;f3C|b~o_WYg$6Npx zk?oLNhld<2sf)M;C%MaOZ6IL_TnM2S%1<0xDNQ6u(}h+>00TtqR?CHr=Aq11w(5MS z6H1)9zj$%8vHL>5FxDWW;5ZsM8s6M7jMHSZ^LXa^D8;PPe*(g-1tf+;_vHBUDiedr z+$vSo^qGhK9Kr#`zOn1gn1()EPo8(Cj;{QIQPv#%g@4l6bqc{E5cQAF z3AaCVYTnornmY zSqR1vr%s=N?vF^@Ew!4|RXJyY_V&TP#yb zxX?zvL8=^LGhEZSp0zq-m9zpu+t0BycX1%?l19V_rtV1{^*=ayEJ*J-DMUdF)}%Q- z3%u62nC*iIZ^^EL6YkRZo4nSVDCmiVc2=t`}{s0bJRL=S4_$KaJH@L+vQQ$Zf?~VFr6s zBP3R$=+=KYmRpfqcN4b82aN+E-S+VsLBoq z(ax z6SI3;P$tqV4xNWbotuOXR+__G-a5@#ux4YVdBZtLq_HTca554Zn(4q6vjl`)1o_sy zo+4^ZmzWIGcSA9)8-!>Yx8+$5)0|ghF|Cd_f;Ot~GkfkGHn0(l zTjVvjL=2=)8e8sOo2xAj6y9B(ygauD4*oQM^}7YNB(5ju`sCN@2#kkJLOAnGKz|qP zBfeSQJ`ixytTZ_zd5k^N3}F;p`OR#hQL7D`7Npa}QD7hbfNXzjlbX=xd3$C|Vp1)e zeR?oX=1k!!l$XcJZl>3vxc#79;$(u<^@U zV`OEsVCaYM-Y58quMmgrc_l%@N>ph@Q z;+%G+_4%e4!YRXjz%dG0qTGH5AVd+u?c0+na70E$fDb4K 
zI_bzZJ_4TcwBAFA2uBonQq4}vlv=@uWOpIX->8Vh_Dnqg#{lcRI&=>`A65^=I7IE6 z64>G!BY15y?2K0=(u9`~Xc=1UJF6zYH~EoI3Jt^9$~Gf`VDXtMgpMysa@O;*k`HbLERV!mB65#u`I`{aEw;TFPk;>4{ArpL`2>C6Jc@J*%MGs)BP!a z;LSc`@h;zz|9LZKfp;!z?7_x!IziIA1J`N)ngRrRWvEsp?l;wqHkoE?}H{Bomoa^Z=*`C zO{0r72=D<|EZEuAPCD|UG|HVIHS4}4RKHZ5B!y8ll$*_T=ao{djq|(_X&16B;(Fb4 z?>HtSBOS}XohRKk|1$I9AD27+?iPR6CNaViPoXF-e(ddI4?Pt8aP}eYqG2nNLr&8^ zbJ6nLa^Z3c%{xAjyYvs+^?3>lwoSnkQ_oXFJ$TlC@e%^Ic;0Fp1#O}`NFT>2^tJM~aO#md zl`r+@P*OG^xo%7>j%x1WZrQV41m${&l6I)9eg%WQ9RfC8iI(Vzo}93q*TgGoVrz`1YV}pPTQlI|FVt1 z-H)y^qfwfKl8UC;nw3_baUd5Xy4JQLueQS!DE9WW#xC;7JA94+7bZ%^)Kn0(u)irlXt`a`alDpp=R`dmB zTYYsYZ!K?Kw=YkNpoeqSRBLW?IGq$Y52TOlHr9Q(BxX3yddtVMx7>*-{$%tVN}5Vl zzs5cPfZy?h<%R4jMrJJLXHHO2!sv83=wfZ7e7VUAerSCXx))Z%QMq~y;Mbh#vt?q6 zaj!r84<|Ikea*TcM(M+VnBMJ+MfwNkLrVo-%sQT@CA^uvf!*fM0U1C;VJny& z7pomEq)?XzWLF9f=FW_KqnXnD?@@U2cS2+nw$0_J1v~w%Fpm*Gr#SkHV({FuSWXhi zvcd|-kVYwkU1;ZNucgc|`?B#QC%bmw_Dp63>HcRwdLHvn%R&wZO6@f9ePmNcYfbvbS~_%E(-~|kBkAzzH+Y6r z&+CzP|L}!4!Xwbb9C%!bPf7uzcoFO*eWnlOme3{%T&*fJvVAq@NsKFFY2L$OaWccr zXKjYU&0bKyj^->2cVX;H5t~V4A?LW?x@s z(*BVyGZu40U)Jkj6G$Bh3>2Q}b5B{=2b+B7!R>;2a!jh``qORuv9~ZwTz{~I1$5Og zU*KT5&RZs}mIHp5gR)^K9Jow|7LXnFB@}8F-bskVaDhE8nwu@x9l&%oApEzqQ# zZZvuzEqHt*YOG+8ea4~typ>M-RToe_H)mvD3Un>M(0il;X`N8n1U_C^-JG=t2(~4_ z3khUl!i*#wWgol70)=69o2S*U#k!+BPV01^=sNTI$f4{VbfelWmOuqDQfHCG%^oCT zaVSBxBtdQ?E$3Co@Rm$1I{#GHw-%%cy}G%UMhVS}z2}FTINsCF%uT}|SFk4dvRG_- zsUp*#PO&*O5fhbxHe-^Qwqa8|dlS@57XTt#gK`UyAH8VI*8IlRSSk4n4a`7K+7V=?VfJ2 z^F~pXjVRP6A0)vRb77rC62a8e^)>Ww4AHf(yV##Q7D}A=a<>7OVneKWVEikqtxwJR zyu3&(@w)$t9L`S89NCse2sW;+X{}B~WBvb|!UsKB(USh%@VcXS`Tu z9-Z(oq%b{Ro7bbwEfZz-|4tz=^&MZ|=#nzt|FTrLGBYFH@=7 z=2110#K9T^vxP=sgw%tXZ8B6)4 z7+K};+_EcU9Pc`3T>~3F5*>0|DVk{aqzcKNg>glIz70>|%1k~NJzJh=!BXQ+-VxhQ z95ru6Pw5Hr(ay~c%7htc*$2i=@BDQr)xau*uT#yiBToDhE-!Z=O)p zI8PviBpm2BKkn;r+QSC&{Q889K)*>ItaK<)AGL88+@`5O1ob?cibecL#>D0Sw5A5A}++Mt%a;!U{+mfAbOYyqje zNH?xu`dzF_B9kuZGeC7SFq1B)_ukcR?Cq85+Sff-qwzA*2Pc_kKTHRoGmhh}1$M@& z*0_NEq^}!~=^OAMO+c^0jT>yb3W 
zW1C!@f)DP}A8OaUuDay7b7wo_?KwfjAym=|b6UHywQ}tnFrwtT@olSf{pC)XV=3xw z3pY;lsF*!M`#E<@>UU=3ln4~E^YQ)C0*OwCRBPJ)#a2F>I>tT|E5TX)n(Nd80S*DG z1-_LUT(5ZWF7;P%K+GSiyEzPo(Upar{H=mir85z84}C)GcYdgvm_rcK-sf`z7ID?e zPm2KJ7$39}HZ*FDjom=Yc}(WggCI+n=ZrHvU&2z%uAwX^gbAl3uZa7jC@-ktBo61( zX|WZ30MP$teF=palkgt{KQUBm6?)!^lKIt7!d)D*{b+LA3v|#ubC$j0;r}EB1&p_F zE{M^W62Hq*-s(85)z+3E8&YQW9tzdfglo9Y>|6qUD=dj3=Dvo@9m;{Nsa@AaaL!6Y z&Qd}CdFQ?_#zm;ItF(K&V4tT4mAI2-ng{`mAkOwbx>W9Z(K9IJ?!Ov49uAUb99lT* z>@u3qZe8xr|1^rN2JuR(y$o%+*rMxmvN*Hr*$^SySfvLhU($~|B9lhOnMTQ6_bj+5 zO_#YRH47om<5mCyCgEsTOpsYENErI25L*GGD?#|f69$-DZ)E0{MWLn+02?c$W|wRp~RJP|6js>v+*B0b{%GxXUm zKbI7Ml!9T6$kyl{BI}Q@FVSxBZhWmg7K-t1N9=l@HQb_%%ArPkV<{WC3ps&%qyIT$ zInxKB@*CfehluZ1z?6Y9Sd+T_+h6+PLxsC&Sxsvcm#npKY!2}7T%D|zRUGftJO`DvXUNVP*P#k4u-@$5@<8-`n=OBu zW{a{%*Ze*_+KpnVt5s=BXjlhac+AR9EQ^4Aynsz!Ap5>L0=htI!r)GRI|rC2aX>)0 z#4?%?FYJbSeR(U_=0e&K1;s8DFc%|dH@(H)nzmG}s1&a4INNMCS8=kui0Apdl~F{c z&v^9q>5OGqKch%D2zdsh#=6}c`~Q_Ljnv3`g#y>k#-FfdSCruW0$J-%L=TMC-ePO`IrA~v$0xxI2b4?BRBG{Yg8uxG+HDROxF20?DYNy|L7 zIriJwdHh>f{CmCvcs9-n-TCr-dx6LGZ%FnbSD@p+3b}*QtJr*V)E-^J;YJWyCsPt!P=I=eYgG!E7Xov>xr=I%}l~FtBY*#V2qKg7L5Y5 z=;+fPkP_|UYbEaA%kU*VTV8H`PrD#IH+OxVhrD0yf5Nf9vxl*t zmlAnu^i1X3Yrgf}9J~5YE2yWK+(oGAfc&I+Y<5Cm;eMXTNgwxbe+FFszLRwJu;_B= zjHg=6Ds#VWlCIqEc9?TMAdZ-h`o5^!Vm{pf@S(&4pFqY%3dPJtng6xY(RC{?YS}uiyyx?&Ow*$ zUPi`4GC?4G+>9!eeicOXfh6MoGek|ySPIw@UKM-~uSf|S!<1~0)I}hWhkz=V%o+n` zpA3wH3PEeIue-N6U zx4h^4S1rY=a74M0B#Kb&}qVwKD;E>e&5ybrcuk8l+3U zAeER$N&`wg#3S`Z!w;W{m8ZEqE^Y-fXk{<{Hf;7J4l!rQ>V8h!8&T!w%T^RmYQtNq zcUG#aaMuuFPhC!2C%no*;8pm#g-WL8-9o`-QgX?&z?Z4V)8^6YodW8y*2_m84;r;P zizAq4f5F;(7qlHlbkH7EEg-Ruz;I}nyw%9omwdr)nMn8p5Fxh}@5GMl-NJ3XRS3+A zYUrg;KdN%;RzA|St&U)Sx}rlDoX7bC{FiSjra`z>(2ZG#J|5SM*`tXZn7`Em23~Jc}Jz+7`8;JW&m&c~9Qo+g>jpyIm^d2(F7PcZZ5D{F=7S*hDtcwgu2o2n|D+!ebB}d9ZC;-ZaU^QJC~Lj=-~tR0#=Tx{ zl*Jw%Ac_(2>P=G+Y&QJ#murHnt&GxC%q z&g>oHQIQeyo}>}&hzCX#QCl=qW>rv1z09r@!fAxJs0DiylW=v?ZEIsVeo3XEPvc(;DwPmAJ)NZiT+f 
zE3p+wrl0g>V;Utwt4f~ba;}s7SKC8J2SUhDFP<3jk3|nc=Rs>T%?Fr{%sFBTZFb&{Lz6{RjUyI*(N% z1zU@*siGh)3+C8fXX~k1oWu5-Nbr&wh*Werz^nyK%(em2eeFu7alo8WLV!>i-;d4r zXes7P`O;16jMX0T^5&K%YG2eXb#;Y)>~JkjxP89O+w&F8cMf0DfER?76b_xOB-?|$ zo0XO(@ppwVU#N4feL2`Xh1N#m2RCA&m>I9j=l^4bQh%F9RS;iiUF6lu$q#}cF*qMk-p z>n4~T_@9j9oWl`*&~6rxxZ9OO`d#<^D+(%#c5&5`2hO`MSNy#0YwNmp$qe=I!6ywz zv&|hBd$;Yt9ER<=Trr6Q56#VR*v%la3nZ#qvjj0-V2Z1IW3>Q3T{!xc?+5!f*(1(t zL`v!lL-Mq4<34Ls#$q2dZKmB3tn>T88uUIr{OqZ}<>Y&t@+H~HHdxl_No*+Wf zQ+5b+-aUXtvWy*IzJWOAO|L{Vo#z^rHVNnn)D47drym=;`}pr&jJx#@IWq~tG0V@m zvLy-$RGQmCQZn^cp4*8lN=f*V$4eC{=0&qg+`BJ+&%m&B%;ODaV}Xuga|VS7MR43o zHxAZGx|f*cIK%#JN@^t=fPi2?E#E!sQU~}yKRIdM&s8s_17$wUQ~!sC9yrxH1~fcI zEJqLPb>jUVVR4pS$A8m z#y6PWVJZt;0_3I)PBzd8Oy>Y!&{zi)^j#I+%*`F`bvX}Z-wTGL^}g%lX$WEDFXTub zxmQ~i)NjU5B_rt^D|H?bws&@hxs@tan@!?F6gO%~9M<{BH0pp<4Nt=^AAADcT15Rv zQgd!QNA%NPdY8+qKM6B#t2X_f2`uuOPi|+DNvz$_D{ncMqc)g>3ZT>hUx4q~rHib` zm;0^=+ZTM|0@Pk!oDZJsSyFI%IUwP|Z#PFz6A0>vkQI!#>2AN{3MrYl0uA?yOa`eX{P9N`tc;6SvB zUVwHT#`R9zJd z`_w-l&G*FUR6Hz%)k?eLndf|Bnual@dPv6mrZN3yh*G082E-?35O8k71bA5*0{P^3 ze)__cR}Bf1n_Q9|1U)CagPnUBQ&<`)Q1gnZgr;<+9%?&Vcg!e>SqZQo!f+eCJp=uw zSjneg=al8YQ*f}#6Fj^5I22N8_w$wtaTNFTU=|Y9qqF=nW^*tY9}$L`;Q)WYoB(S? 
zKI^qaIiIN>@10KhWB7I3`~U#I-6-vD3ssC+Qw5Y{23=qP@!uU^tH}-Y`F}7+A1`>} z$!GDXa>7S)nds(Ro;e!q&vE#VL@jKVT+Qvde(#6%x2~coSr{J;j3R}W6WPp);BWkw z767C)mssg*4iTroEB>G@2&k-?$&Ivg<7D^0(y$sIXst3#>bcuKUy)C>4F2&fzDbIoHX&W&H?^tW+~Xb?jkdY9DDw0UX@^k zEO`U7R&@$XbhRZ!htv9c4m~ZW$*GinJ#3qC!U3TrP3# zh#-ou57sEBDxN_Z8&kWUv-55*=C&-XRxx}!r**WYD#1qpS0t$k+1nBBr^>ee*;M1C zl)qook$l9Wi*qN_vsOn7#NR`<$OWp;tDhKmRpT7i>jSK>+kdxYKf8rEFD8XqVx@jAUzCNUk>phF_lnG*2U?2wso;b?7KDJO0HH7;~e z(2qpv7&=t5I}57vs=EmxP8&g8Ckyf8jP|&JdL3LnmzMPcyuYd-ySSr0Yo<*&IO(>YBH z!yS2~zWnPSVFQ}S^i=`H%rf)6C~19Vz<5wf@Z7iiTgkRr4C6= zHl>jKOs?oQeCefJOX=KZZNqDYIE;2)4z3!FeL*CV5|{0hY4aRnD4YIxLviU#a6zV^ zQPDu}v)+LD)o&?`nuqB z1U()`o*2I z^vX27>x-K^^Ypk6*7JxF=Q!$AH@8#r3CbVIjKYuXoQpj9-+1H*zl-m?La2srvOq)G z-sm0*VYXR=28bGd&Z0Vug&mZ`=F22!+AP%{FW7GhYu4=WTqsr920b6mA>N z{*>o}%w4L#s<>%0Xcd6K|=p$Vz5$ z?{`$MJ|HLIb#fRnlI@!L()YU#1WI!gjC6Mj8dPH~x0|h|7%T8pTlOM`o#WmiQ5ClQ z9Vg4gAQ`HBy<-SV&S=mJKKzggKJn?CXSNPPv6JRNX z0AsHgs81KEVUd-9Yj}HSNr0|(!N;p{nRb&Ar+nYhy}M*3MT)Lnk}DH%WEXzhehZl-D0*ZqJIM5sn;cw#A&XpDCBznno8uD+CQ* z-XX4mS|VgU=O!5Rd#}bfev%mtCA(`MYDng^t9>_ZZa{KIT?1u|+?#O#=pPhy{fwX} zcl#_l*g2yKmO6CS0qpaQ>Khi*w1bO8kxXWx`{g}5x5b*pymxWw8R`H4si8G{B-6tJ zy~f(jIA(>}+h=W>Xx*Np#iEuA&FoG`==u`Q-QpNl*ZD%D>C$H`S6iR!>27ySG|_et z8qk4wK4r*rc@easxqvSpqYVy@+{_6DP`J#t`LlAo1yrdIAsfHYSPQqQs+*s*`??NM z@7%m2UUOeKMD@Y558}|DzhhC=Y}AEl6S6Q>+?=uyI{1n*=9SUAe~=O(<2#>O%Tu9m zy4gg&J9B4Zb=;KY@=XY>+#9fcyxZCC-o%B?J{z5@MzvfLyZQ5mx8sn{d+-`aA1l5S z!y|g^E&%r?WS$QqY>8~a;P0I!-%HVP5Ajj-+*KK`c0lL`EY4&6$Cq9`44{@Dtl1n0 zYP@oslE__OY6}nb;!DVBGw4vQC`_VP4{i=KP9iJ9`=4zDV~>imBVwz@cAW2Hv9D_6 z^$L=TEN0@3suejE%BH4Y8Vapcygms!mLM+#V14ZXyds8vNrE6i0a?h?>2OP9L5z6e zbX)o3ZIGk`?2d1-Px`BSdoE%%w;jD~{(L(Qc^Kw{E8hp#=mqy4-=X<|>K@wu&M+f^ z4P@mQpykVrR}g{EdaxO?drP^(wdAI1^J1n)EFtmo-K>Ho?54<$%3T7ISk4u4ifaqKbRx;a`Ezc7e)SQ%(@sJ{%~Z9?*k_8-M4{1+a3C_r>+O+4qT_ii}HHI1uo zJrLL>r4j(PJ2SFtJw06+0IF#L!%Ga0=`rsSH0^zEE)8<~CX<-7Bi&h>g%jVFig&t- z2kaf?wUZE%CoK;@PEN;%oe;`=UNaTb;6pLTYQHt+n-jp$3ebyFeUDa06Gxfkxi1sy_%?5CamPZcUkYJn%RX3 
z02hI60r;x52Uvv)Ps@3C@aJsisulB#cx>yE`W@_5IYP=7pVn|RL*|S^&NJZoCM~$U z*6&Vw$avJ6UhBIp!%(|sq2l#!@16``kHFP&cjuNnPplj$!Dyjse2r34C=amb zur|KkP*?lzUXpHVH`8E}Apd7MhAX(!K6-2RsGqZBlc)yLc75x4y~y3JaB3%xL*JuPCf)PT@^}NUg`&_Nama@e_F-Cg zQDGJNp3^~k{rMW|7Y~JAcgE)-7b$+68Se+4>E+>!emTCErmzZc8e3%iHTTNir)@R% zt1DV3j)5*vgm{EEB^$4YHJuF@rg(bYUzx%xes+002T{y+3-?t#E=aShlJqC=^VRj- zf1-yR%cfqZ^zf$5>H+84%;ri3%D6zSzngo$2fa={_x?itxPUq!?4ntD>CV+ufKYvR z1EIm!R~ewkWKx&{`Njzg<4<1Qyeuwh-zkFlF9sbe^a|cksrfct&&ixbRCb3kgMf07 zS;RAX%7LWPv4RYvJ4AfX7FkbuMEDaW;fQ%mQvOH8&L?f0Bb)is;FpwBXP7Vbh`kO2 zmBdQYU+dP|WaODwsSTs~5&9ZEWS*SQ+omXL-VBY1F2K$K?P96PqL4;otDlwrRMP28xfS*H3HpN10G-JTnh6miEl@INokQtKHnNqcaLMgB>PO8mA=+GfeTKIN!=bK zMB7*n9N<-?lPsCr`cfcvbC)ynU+kmEX)zs)xOx|aAy{kTv-7PhfCBNEV@aEXa?9-e z?l3ViY(SgKVPt-9WLB_jQM7aU5hnFrwJJKnG5>-EdhV9_D=flYTAbJ7RBUq_c0*Fv z0wmO&_QN!*#CeHh&{Z(cyr{EVl2lXRyG^-tTAz}jc(wP9vs^GhpyMb25_tk^epdE`(_ zAR9of*jz|TV*FX9LH&kP_r)*?fKMpjxszLIfjF3<-};5jRkhtX{RPV0DQcL=X;`Zh+$PO?3VGSvtq<%AP~q?p^ni{)mkrH z#!9WGfi(Q}r?bmbsY?4b_2Ii)*tsa8#NfGY6to(fua&1iUVWlp@HXsTFMj%Md!EDA zrJh)C{~d|SR3B~sw7#uV$5FNV+rCp%jFq@t($Chdwt?!`49#7FH_z;EFKq{BR-|2z zBZxk2NmKhV+aiC^*Qim_^Sm>rmAmsm-_U>HZ51aJq?qqC8I;%qV!0#~xMp7zXI;5!9dTjx-OAwF_(bGcXE2@sfv?U_Y`=i$GdJHjy^ct;^wof2wy~2d*!|`Xoyznq z(Z2YuQsxu+2-H~Z1engKYH${{ANxezm)qKSQ;t)BM38)-0!!;RJ_N=d*vAM>Z?hI0 zFYYoM1Ridy9Htj*>Cg%!jF%R^ecHZG-)~Ig1g&A)d$M3)zY;>TM>A98now-Khx6b8 zg*tQpGD~6&_nSH=z*kWt31K}~ueM=Df5CpPk$}LGt3yuS7cCZ05?T8E&*CafIFE-qFx1T~jPwGNS(O>f zy?qlRLsE1y{$f6#)u-PJgGwN&33~>`tKX!v7?#x3Yd8#SL9IxWXi3whifXbo10}EC z>Br>0e4#$YT;r*NQkJ73I&pOw^E)pV)f~D<00raH#?;dA_F)g`mUKGstWLbjf)i>j zH)!=c2l|gmglq-hnr~x-9zH`7N5^gb@t|C6CIY1{fp^OL!!CtYPrlX}SYtVsb&w8M zsA!04YVKQTXa>)qCV5fJ1O#@8hE|*}))s0f*{@0V;nj?@5O>yRl*yPq0YB8}zGVy~ z;eKm>B_XU`Hf-#$U{BkidbJh3;z*|~#UG8a?SLApH2Ld`Q$3ptvW03!~$_63>ut^Z@|gQz?GhOmJ4lonFd z#Y-@K?o#kuI%3WHr&n?x$ff*F-YCL0|5{l%E$n?bR1#Do`Zg+knP>j+(*b=g`~{VY zKY$7R-O5y)!ma7ZhTXNTcmCrfSNtSv*lRUFsKy=abvHj;PzesNzLFC5yuZTlW9Fg- 
ztB>TjX0vSTZ~_gHHPc@seD8!KCIidM3l^hE`0@;LzwDqX)v?m2UPqc&U|swun$~OP z+nwi;)DR7l5Z@QPS{K`%x_bdsh1)%T$-yB~ckPBc!D?wN1`D72!C_4FO(x;B%B;~O zH-OBB`3_<0&ypG!p+`)<9$`-j9g=BT()@ns+4J9I6ig?O z_<95Z(B)h`l?c9qCAYQbk2m?ARgOb#^A_}a|WLqIIkn6#JBDXpY5j~V@yF`=e8}e zrvV-hi7s7qx!SzA0Bg;eo(k_fKP$lt)P&Kx_fD{C@&6Q}wg$r%$Zg-I0h_-4qfA5JAWu9gvBc+oetUyr0$d8WOfb>-{C z1e%@zV8qAUMyW^q1xF$8MJAtZ((NI1`AS#;5yt z|C}mxyvB0jMcdH`2T5aLc^_>L!^b$vn}%&!%tvtH!qr*bbJgCIorC;QT=Q2fACCL9 zDO}pR4w~F(KJ2|ADK-@gB`O&IliF|>A?MJs9xKMc02*uilp_naM^5?;DsH^YbZ|hg z>WwDT3e1s+a9@2;Lc=2^wQsc)9=2`63#-6o&m=@5en0lIsf$OW>yz_d^Wyez?z#sV z7i4?Y1}*I{r=b{pxpS*T0w`8V(1_nI@W}9M2ih*(mdsJMr1H7t4NxZdomUQgkp=)= zi%ds36NUCA)rJ!M$d(h_V%9tfRyh2?IY}z@CWq|usMK?*g%>EtK3PgU148I6P5Gu5b{M^pXiL+W5TF3QGGrj z#|oi(#^gHgC$6qc@qGgVidn@5KRA}l;KFJ>GnpxuTz4}%%hdb< zgkEbe_Vl7pkKD;>#7LTEuUJQS;iNxpo&9C|41mXhSMzpU1IP!pK&AZ&VvNTbtAn0H zKtBd3y!_pFU7)X4^7>#k!cyje$aYd9USY~BuQNYmp&Vl5gJExT0A z{^rp7Mso#!v{Y4p@AwKCI2K1viOY2#yCB+kggTYhf#gY?tK|+}JD)o-{W&Z%);^;B zG;IXv(u@N`H_P>(x&*Pt+T}9dNPg>^MJ<+_H#ym_O&eSfZnr%*9~vp<_8|r+{;9ae zH_bnqFz^03F^(lenfXFKYzsR##}Pg-StCP5ad`Jj?P}+yHDNXP?aUu-$?Ft=h#!>7 zu;kl}Q2?BgdiwZhDUhoi9~!tIiuiz6$VpEX)E%q7eeT6@oEa(g;+4t{t2b^Y;Skrd zW$?#if?k#ErCNu0{w^g^*NF<;F*&?!IDr;{m?B7RHSjXZ#Oo~+xw%+?B6q|a=cb~n z51HJ>L~Jf~ILddcR6@dJiL{v5kUnTvh~GwQbQ^Y^ZCk+ zp3gjAjh2d;;@WwOTzu?NhKDk$RLaqtT|nxsFUz%15n3UM%-Zs#By1AEMPWY_gt)XY z{c?RsEf(PI|JlKBKcVfPXzr;w>7ymPir5UAuRWx*F0C8WeC-TnzFW73pb{#7jF;l( zFlfgG)H_r!1lbbZT&?`vYHbz=^3;Knw9}E-%|6#yzO}LfG3@5u8rCRjAy~@q7Xi)B z6+D)7T1-r`olEQ6M-s@z-p|~uiLzi0(eFIP=$`(iq?=ryZ=sLXuh{`h zY<%}+HZG%UQPVW+pq1O4&h#0(hcxfkHZaW6>-xw??Pw$Y8Lo@*Dl`3wpxznD0*`KH zUx6y%K#Q^ma3u`NG_>MA1QDh6;AXGmu7~&?KjhZ44WgS1r|y^9SMW;{_$a&G8p!1j z_hHB06NLsl2u?|?-;l@T(|FbUlgpMf*~YJfvotE^WzLk5!|pJW#>srlBDboR$%LxR z#n!X7fpA`WxZY(Q%QGkO{h3}qd%-4vWHmjX1p$DR??tDAUJ)U%4{Z6$&+LrUDS)m0 zELZK^)Ct*t>CswhIFoXCq!`)bO{oGzEn`}cb+N^CDJ|Aw#~Hw4Kf+L+S-5o{fFJR# z1JWBH5iY`$e$FD(99$w)-tv#Jtp^LH35BNlO=%BYiUE?1)-@rm-38O!$}COU`M6Q; 
zNnMT1%c(gduV9l@w&fTz{|jg1i%l5}9H_cHt>n0?46WHn_6amGxOf<6%JrpDrTO^uch-0I`Q~d$u(_&pa;cmmgsAg*fx{IgW0ERGPANoOh7)iB zSNh}owGf}NrtJ-e#jjFo-Uf*m5;Zl~e1|jCg3^871QL6KIjeaQfDR_NhU zEShIi-{w|KI;&h)lmAm7c4a)$CV{M&Hb(OUDHn+Vpb2Bo_*iU>7St+`hnp?C^!bjK zu==#vf7RVH2WKbE@Qz!e`iqPY-Y9JHgZtIgd>LaKq(~=f%Z*cbZ_gD$1lS0(Jo>l$ z+b@F;Sn9$&_8hw35FE^%-+;xdS3vpQP~MtdMrQfGJbN@W2R-*Q33o9<1V*M|wTGBp zZ+>0AlqvJa>SVSF!gShUWb5rof~<;%Umerd&4A@!S6ilzizTREy3cj1fVzRq4T8nD z8OE}vLbc20Lu51xp8z^cN~O@0+fq%ahg6d0T>z;LT-%&=?U}1Saz(>RPK3pGFFrTf z3L`!{E40$bPONMW-TH2A4%$E(P*Znh8eQqaY%gP*0ApO9Xo-1?OdSBwyd;_3^s>O= zpO05#`L;Q#VhM|o8^OC%9Ag;Qpt*w;Tgl}x|0OTNQS;+UKj!(n;igu7f(?bVv~tLf z(R~ue5u>4A&{yV5ia-&){c8p6f!Y)7? zr~Fls5@u%uZL3Mud7q{8m1!j!pkFUTVM1Q-0T5-k&Z=Ly=tPqz$WuKrX*8-J(gU5q z2XacEkAujXc|QEYBmnI_zvY8&{#<>*76RTyn_J;-jOCh}TFO*`Jth;W+s=1{BaZ{? z^E=rQ7#+*1rTdl?V3*!F-twlXk6tx%VBj^@gu0Dp!$>h63~nuX9yY)9zIIvERxH>1$IXW-RvbVWzXqgGh{1{o zjNrKr$Y@H>#5{>nJjs+?tEw8bh(X4^JP9eJ?reuO15G++e?V@fAAsExM|f?Y^qr@d zpxo45emOgi2pDvnv(@4a=0+23cVdx0W;y^AG8TZtesTnV6+5(){2kibsJg*^t;+W| zHYasg4P2G${u}kK`C=Iw>M-h2>=0EZ^&}LKShr4%)MvW z9m@lN!oGE7VO|SHV1ntc5ldXg^9Z-)vUOm-GATlw%a31mw41FA-^L7fQ2!wtX_Ya( zruO&%_&J_T;{H=Kk+J6r)X_dN%v7(Lg|B-`>%@V`p16o>A{ddQAm`@8n|aQ~WQM$U zbRW=#wdrP~r~V#jj}2lSKdhBAMCY&04?*%c@V=M5j?obJcV7i$rFo2EeB=C5U2MLM{@u=4r+}gw40S{8g+P1`kjEx9s}Sd1XDs2H}F#L z!jzA|DFa zfh&WaO04RS`(U1*gF_iwt6)mZ-7%+x0;vB-;!11yyfwUwwMo ztewQFuR~W?9{l3&a2E0O3rSmb9lkF9r~r1T_OIHZ79JA zNag#EmJ_QPtd=e&siVRVwTBVVg@mp$ltf_AGpzol_~}`6<8bm@E)HbXE}d;s9t4NIs2|6V&K?1vCUI-HsFJSp%^uY$0i)Tg}D;F^}kR zsd>1MjJ+r?vn9ShT#c-)XEq)t2V(SJ1!PuI?!dztKI9LnaXSMQAD$$_ z@vxg%A#i**T2Ly+s%of)oaqt-?1vZmNr-={S(lhHbph2(u@L6Y*0GqN5kVyrxKZXY zD&_>e%;YT5`!Zc{61Z<2cs)>%F# zp~GDweQm6N`5ge6`vzz-ETO@P^10knb1jU%l;V%bv*%~r0R-a&8fdG!?+)r+V~cgJ z*qZ=G`=fx45oievU(I<9bX=cc*mIA2Fq}-c&jQFEZX=OVf!BiUirRQr!PUXD4MkZ- zShekgw4q3A|A>P{MS3jiJTiB(oQkR(4X{-Aife%q@D5iAp2LKqBoehfp5U5m+3@rk zGXDbrYwTlVOhU{YhM!&qn9XVmScF<%wYlJ>O&u_W|vVRMgLh2-W${Q-E+S#iiLqoeK?y 
z+OUyd^FhObL-)2Rq84nY964oh=n(+mG+wAv9L8HUu<=<%p&gLpT4dSiPedE^oIjjj zPc=>I55>mhO+veK$9UmXHix(B#ns??$l||BpYZ{x;7ilF#^MIe6v;25oqo?V0{Cuu ztvCjm-c$9_gzmnu6IYLW9}-!U!ebNlp&FMnSa}v1&$fBPW@KuE*YWe!_kv87`L9CR z#giV)fry&89JK^J;0fzF&Ph!PK@6awSh6>W-D_-^I-fR_a-S#3JzY6zJUq2xa3Xf| zwOKBrawdsr^-T6)kZmL$5T9WAhG3$DY54^!emF}=J5wvY%G&dN3w}{@!lQ7iLR-HH zAQ-mrir*(rJGOVq(Vz9nKxO$W5Q+F6pnXvs_-3!|XJ+EtUyXlIQEa|AWiB-%y(2L$ zg*b7c@4d8bIxZqioU--716$w7z2Gd`kRk&VZQ5HK50ngtl`W|>1%o+MZjs%3GPnkS ztI@*AW!L6x($LU5_nc_^UbKJ-KATnrc^(93Wbpeau$SBA-7u!)=AB$?iPs?i_|;F- zQpLNIA8;}r@H2IYdw}js>4L{DIw@#X_s(!N^c;+DB|0pW8V9FhHU9k5D~)X1j652P0OHOn4Gq{hen5HoU!ik= zX$=jmyMRbjZDkF|*L3`S7&yH0Yybs^9>SA(W^pg2eOnz@AQThOIj!%)w(wQA=QAut zsBupui2=Kpds&;C`bmI%h7zILfc`*W+v@D0$&HNbyOHAi+)qP; zg`@WXIwylRqU1d}u$!y0C?He=zz#b#cTuWm-6Fj+1-9z0XimlVO(L2e0w=vY1}v^) zDR@?5`X4DMidPM&shOM(EF+As{>PLY#SOv>XBll+J1J(>C32ZJ4awQmc$)&JFl zj>XV53UKNVvhEFmjiYaC)yfLV9WmTWEwj~9g7@oinyo(G%Q-O%Nw0;b=HL1bGshH8 ze`WPKpPkc*;A2$dR{`{UsDNq^ZVes6y@!ToS;>7hHLjg5*sFp`-S^*M$=(y7te?Rj zFZKUvGZ3=J?4_(J$5FC{fE&s+g$HTE8~vj415evkjJ&1w3+;5$Q-jofOzO|UKRi1Q znA?VSA7M0fDZrkpiiJ>3?i2UMLJd#{rXFwJG9^K9oSFM5om3CZNkd&_?C&}{^mMly&PO=1{y_I}avSw3@=L)sIr z9jE`ecm4IHum<35fg!`-&HLNUH88Bze*_b52D$B&%jfW?E<)QzuIm6;b!2T@Z0q0|Fi1{Dz!hL_jW7f zxdmg(F?4@iSja7caDhk6ZGRZHDtwL@*UZ(62s7(x`;j%3^5D3r?7BzbJv_|wGu3DK zs0_otzV-REL;KuY)fbs(Xk<3??AGJ99`Upanf%!JdIV6>U8EI&cz_2SD|i6c?o6iJ z@$WD751*H%{NOq>&2V_JC;i?Gbdc~}H2~-=PKFlty6_@#w?|tQa@eA!9E#k8&#O37 zez9lu2_Rl2ud79R%IzA}4czma0{#QNQpIEER!^oR#Ol|03y*d^{^`_qLzB}HU~9ez z08!}i=JIqrMk1?a5jdE9H&Q>*{$sxQ*O%m>Pmn?bk-J<4i(rhCLilV?oVRdPtyH|s z?VhWK9X*TKP`dnx* zp_>^o)%}ir9)%}})m#uK5chFsLf1-Hc-V;0Jd5B=oru-UQRz&Tsp~M5;>kZNv;1lE z=6?jwEliwAae(!E%$oUor!!StGkqn*5 zxYdC}d2Fe&5{9gDh|mVWXNn3hyIC}ynZF56#v;0wMqBmvkRsiOHi8?Ns3UnJ_O-$n{-W6uaJbB_paUCL$jKu1;9u!jszU zAD!ZrblP8FRSLQ~s7i*jw(?0(HG_-1+I=2A_bd)@Fti-F#&nJOadroI{=;(o+fMx7 z|B4_BEYY7&qAi3|H&*mW*LR1hi)IQh$Ceq2a8|s5B@=*L=n?TLQeG)sMgvZCYD>O! 
z=iTv!Ye8tdb z#lJ8R=(PwCx{03aztE9TrEGe1{=tG#wf!0UQ%c$%#ZtKUdZAC1gudnW;91=1T+s>2 z&7Cr-E9-ROWdlS2PX=y|0PWy^(^2Z#D;NwcNjUD`Yv0p7wu~>i&@gvZCJf66|u<_!#{zYStp}8=TQJcX3 zaz+35RQtoy{D4_Cdm_n^J$Pcriur#k>i&B&|LuqOKj5R86qWXX#@A}HzDook2;AtG zm6TBnafNtywIPu)Jo?8R-_`PoHB$||6cRic8lmb>p}Qhg%?T=2a5FV`I z*w9_!G3uqCNvR-oJZ@8NIG2)pYwj$`3gv>VGh>g8S?O9H?!-R0hX!+s9Ab#>_; z^_%Jol>E07_di1xLH5bpG$ay-&>7zcIJ3(na?7Vw563-+tJ4CWqC_J_l2!cAP$&da z;%y@(Cp;0(?ns$-6Yey##C1P30e)P5a(9o1c=`XI^0@!iJ;k?-YCdIG0}7CkTHVEYRa%?W}GL z0N2kvzbCts&xE&L0*j^c%j4?7qIxlkh`s9m*CHYJucpFE{2>cBSIwkn68_gay~zaT zFOpTXUQ=mFwzbL67@f45bMO@hzC zNii2rOX?bs{p&_7-2FIz#}d8xe=U7rbb-MFMI^HV34bgsY_YoXlZ+U^?Hrg6#YvDz z?ElM!{{a`!hM+Or1v9U1sOwd))d2+zVOVv2=M3)MV#m((dbT$>h`_5dahiMqW+Vy) zSgLF722;SGz5xR3%wlu^nAkt2q*HD=pJ*U#Em}Y?AJS}Et8vrIa5LvPkj@G~?25f_ zkLD5$M_4`gj1B;+V4P*wjIeLr{HC~nOrOcPdYdbS{{&8~L&Wu@&tq#_x40tcDE?j%t_YFV?jJM>=~IDf{^n*BN)MhaJY%H3jfo&%&cgYP9gr z9Hg+YwfqP`E??w+c+S-ddvVB}7MPky+E?bcvi3XQ3nI!|XDQ~K&1ihCHj*PfXo0n^ zs$(9fSskLTvh4Fw%h3Cacrny_r5pufbwUzy980{?P?PY@XDj@w2 zj%ju&Z8~{jeSJp~kn%gR<8Ig` z^_gmEOV+)lh^O{H#y0^G!(iAYW@bYizjjv_P*j}@0e zbF|LaJ;aRex99U^IUXf|i@F2-$wyF(UxO~f)07Uk_n2Mb&+(IWyiy}QwlZov0sGy8 zEW8jhy}{Rd%iQL~fKN-zYDuj=m!bPR*liKv!(HE-efgi&?%u~+`o8&+o2$JNr2`;) z@^E%3n%zb6`50nOk#uhtLIs*w=;7|t64Yyg_Cs&*{U`OyjcNV7!Ai$1E7c`@qYXW(Rm&3!uBAs%CMmlvYq^kf0H ziTf$xl>Xk#apJsrwwlJUloz4c`tuYwzVNqt%<5l3V_NoA$<@pmB<;}h6 zRwQ&}R6jObDOdy%^5l)lq@j6DQl-OZ1QRZ3DWkk53wFodX=M!=Cg~DCiXYDUex-g8 zM(dcBCuxuwVYj(f`!)MvaI{%nvflV>0j9sX@@6=$La3bHML*$sySl!oglsxLjU@@@ zFOPR#RRYZ3t2aqiQ92mFT(ojvl)rt(tToYnG_z*e_1S!F-)K*zNJEa@a!jk6S?|rr zj@aM@{~`B^!_mBLtLCQx*ZOpWXDE4@PoDPEDx@>hW>Rw5^^RA$ZcUgn4HK_dHoc(D zc^7Zou!Ig`mdj+;~s zJF(ipX~Iqu8*#$$)TAf+3#B~IMs=O^=C&y*{u(Xs&85ArhF@4e#3i{<{X*{s1(!Ao zyR5ZhNsy(OL?}b7foQZn#jO335Vjjn1m?$LMGfuBxsclEtz1&1dymIRPOL8VPo$Jc!XqhLUYYQbGnqQ|=l z11RZAd^+A1ee(7-$y^tINA2NEyF+(8q0H=7PLtLQM2_>NR;x@>wXEpmWNyrFD&pyyV}Rehm3b3)lKPeTG>iSRKT^0D z2G2wr?A8me?`gJu6p}fjf+_q4Nk$)F2i~;_mzM|X8!Z={vhI0(83FSApUV$t7y55z 
z1r5nYG#O8CKgP@MaSysS8qV?#477=y!{IY$GA1!;e;`ZagKqItMf0D~@m*ixXFbn- zi&+tquqd^4$UE!0>P!_Y^=En}^=-K6tsJ@b`U(dqvl^WpNEh%GtK?T0EL7@0R>D{> z@?L~D)DRV_SJZl*@8Nm+LKvTa%*TG3MAN?W^l2Y1_u8qF;qA=!IeNJ$teW&_hx7Cj zo#|zu5I-lUl@cFqGWU3@T^9VCU}2Vi(5p;lAXkvY78$7=C~7^gK~%xu+dJ|imHC80 zhE-2XCy9u|Z#I{gSg2Fc;5`|snb0*SsW#gaTmz&-?_A-ulx^WmE-_jFv8L~)fv#GM zjLgH%`&05(_rE&Y+XuETv0fq7I_qxx+#GDt@j0gn0jk{WW-7|Jw@?KJh6zp*pOBZI zqVSD}c@$cZp00erO5TOx|IzgnSYKb9)7=&B2)yI9oCDQk$IDg(QJ!(a$VPUaOdx0Z zTvzC{*OfzK2cZs%dUBtXE2lq3ES2bIwXL2Elvck6I1C=I?cUqo5OgaWvo?q~-7L*3 z*&1ZgEt7D;X+^HRyo@?5^>m6#;e0vcXw5%+K|~a@b*+-$rzQqcdDB&;S=Ny3H`~(- z4>w15O*NbC7&0``A3|D%hIiMIKeYRp${F+|@~+AH`}i1?z4`cJw21S^aLRyug2`E) zP5Xw*f}*vSGfr)CtIT;+g=pBpD0Sk#D0pi3F?&V;GJGI6&zgiEoEzk534SfEa`>!ks_gZv=Z4pnj*9$zg95;h_hh+=`ylOP zrtr8A3~g-0D_h`E4~uO3+OBCa5Z0pLAVU{j_QzyCe1G!%{$c|^M*@`MO7J{}IjANW zs`g7U$2jfnDxeGH*h%deI}CAtbJ$_|j(i;XkBif|bmmo5yfC=81K3M1R6lbU<)yHB zhIJ6YlA7>2n^T|PR!S}rzhxOp1KYcu^`M+aj0zdPix%cbtgd6bOr}$em(igONmY*% z?nhq#(&RB7wIQA?FF?{Xgi<_OhF<4e$X#_h>%vR0r25^b(K~%7gATDT#|;VCrFe-( zmmHwhupo@@PrP^QP+r0}6@%J}jba4kBY`}H*uFE4A@y`Z5>A3hQra~DvG$m+)Kspe zVRu*>;|d!DMkl)xrgB#}JH&$gD&9uhcQqex`99NfhkL`V?kYQ?94__-v06i7eF6aa z)Xp@zmKCb8wIsfpV5_J0cY680VM5bz?-#ub_)Xg@Y>pn(uQEJjDo+H*7qIjRe)mwUW;EmCL&Te&kT0f z1;5aGjwe*M1>{JyxD!2gtqe641~*i*IgVU6m)f=7RJ<-WiF55&7uyXm`;T_hyXWow z1nJFfF31?Hr?LGm6u*x))#mhtb93R{x54&2B2TLB)tG%3zOF;HKA{Xm%Vl!U%kQdR zwKI-xB4EG|kKgHDm|?h+&f3F+>VlI|{P5Lke8cgLc;ySux4(cpR5 zd%y2@#&>?|FCFmAdtNy)(mYz0_1KEvrfTfC+svr#BC?&BBCfhVpzeogrEo$#!+p{w zR+~oO^rlgn&=6T$MnfPay9cbQS68YRS7%<~NfnxiJmO3VO?SB(B_m6i8#aSD_eEvT zc{;zX1^c{}wRA_yZywOf4f}KAHLW}l@I&G~GlH z=(aiep2DpkTDO3uvUFP$rp@Tjt$RlgF6$Xk?YA(+)%@Oylhki(-B@#j)QRdIsTFqk z_O&wR*1L0dBb`<}20g)2w!8;`iymWFeKyth!fa!ASuhwllG}H>`gpzhWOa<+c;ww3 zD~Y~fGB#hLeaLXPSV8u8*=#O7F<-l+mN0x9_FxtN@{>VYxnp_k2;8pDr3@!&${E?C%L|VUkHspxZd6zR3GX1Am&S4OO6hl!Nq03X+wEK`pyxu zr3c&Bd?pbp{G3H!FCP#oI8U)%XkJz?tQ&PWJ*!=@@C2DMb4$wSBZxy-5M9`&+S0SL zoq(*K#A?e}Vl0gO$^cU`NbM-BpHt4L#f#$;m 
z<}0MS(suyhBY8oXmfl%JIJr7GCmGi7s6kIWN1Ka$f15(PfNmj@HTpw8bk1Lq9M-m5 zYW*Qm;SOYESGW|?1k~2Sr|)e`7jHtHA?f#|FLq^e{J#{zG^@y&5 z>j?%CA5^q$!jEErV+s`KfMt0nhIe?kcafN>Y?JwoA*+vOjLNq!PnV3UMXh1|t@nd1 zUY9%(Zx*#x)jZ5uWeuJlK#;~x+ffagE7C1(Z9{py(?$Wymu7d zZMr8>e&`kUhz_t#UPa}O%QWXlRkG?0&3w)8HlPBH6Rqp@vpP;Ow?HX;_rUbv#Xi+r zOYA3mv|yaE!dg-y!Z?j2KMoEFV2zOQU*1(*V}L+=zIQ{0=0&I=z@2V-Jx-}riT<2E|)>yQ=>RT zFJ+tj7Q^vtF_em?s!xC5mCR8V6Yf>NPy}4NM|R!lf}V^53zcdXl`Ds%Ud>$v)xnQw z)9gQzie(hE%B+J>@aPYbyXu=&rYcP`p&~f-YF?wF*BTtwlr&39^U&XhD5krkHOeSe z_A`k2@$2neRJz{xpQOBsd{<25Y<5)pR#v^@Bi_f#;O*Pjt7rw4XhSwt`#0xqknY*f zYY~E{2Jh|8pLf+g!X^Nq9Yp9_H}^bGsUHKyzp;Ivv1^$(-P^e)kf386&YQv5+>3_S&9h>?sn$cZatOM! z+W(nse(^((Wz@bIUp2*3o!Z<&^Vc{T<)Bdm=1m^?p<{g+s$;mePG{#>N?HmsDyNeet4JW-t^7AZXYyyZug`<6@abf91Q)dU$J>u z)^%uI9KUURy-K4P!p$&Ime(SlhuJjhI-MflC;nDtOf9I5yW_Y-~NXZ#cOHuZ%2qBlx=< zW|vJFiHk<`LU9i~PES*1=Uv?HkTNX~WgI7{CwoG9i|Zz3csnB$co{W%Y!kX8zv6>R zLyK{}JYfjKz$N%!bG&XI?iVE2^=@{Otg3jC_PP{H)mH>`3iR3KTdhQTg#vkk#WsA} zJ#u~vcNdiWvyiLIio7B=bs=q^LBYw!Vav7_=nRCji(g!!iQ4%))B0)cTojJ3A}Htj z@pBWfr}T zPpX@MTGnXn{qYTvafG0NS3T)z-(fbj!B(66$JLTMf=e82BhtD8Ci82>3geQ=NxBh! 
zF1w1(Huvd+pe{cU$@JL(oS%wl{d(UB5Vap zZmTFzL7>YR=AX&VMBWtz9j#J*rApM(cfOLKlCKR-OyL%QQ z8aD8Syy5w+k(*(0cTV>jLWGB>A6D;Kc{lrsRzr_z zv%K@dP##5Kv|^yZW3jZ>rg~tsto8Zh!zWiSx_QsIhP(v|1^5H?z6KG5NE_)W#a$8w z2CW7mIuEMRn8cP(G&QC{(rqpwx1)ZY*XrV@`ZEXr=ED3tDI6dP~tXeCB zcbB+7RbjPO0J$T!oHxW}A>0`=X~##V$Rhi+$nXc+YGp_e31i8^Qz&Xg(Ji)mz0WQu z(;;W$DYey+q{e)>D13W(+A13N10uzrQ0nCuEw=rGxjCod^iQ1ZLLfmD>W`@wjg;RS z)j`V**U>$##*4pT$4E0RAD3B5Sw%itHn><;R>InAj(yW>8==?zjDj*T4NJz4+7gr- zuEA>$KHwu@r&Ht5DORml`~qjSNw^ePF;q!ze*94Hg4zAB*2uG^<7diSQ3C?iZqs6g zc1!Ipj=#+OFZ~B>)6g9(DDKtCK_g6K{iO-d?=R$T6dHp5(Mg1iZ+Btf9nZC>C=#;s z5Bp-6)4N&9nM^L;lS^N`ZNLt4eT=YbA~k*mYl6fy62Kbw@k_{@b(js# zmPP{YW&|ee~&OZsY+A*Z$^c>I&r(TT2;}_K>N8(Q(#y8!M zQCuz?5uWM9(eJ%pR*Y3`GE5Z_D3`_IJ;xi{V6hvr8sDe~hgG-P^cot5IA3}6UzscR zjKNK?MhmOfu7K5$qWnP^>$3K61U|oGzBge9nR#l( zA?`HCTyQaAU+m2d;YY%;{qwmXLRb`Y`CXDaDDC!}ctJf>)Abbhy>w=dHzMP}z;!V<7UACoy;O8Kj%4k_~a*0-@(8x`v|uN%K4 zDHBfXttnGyy=4~lpG8^ro^k(G`isM)Bf)H%na`{(Uk?2r5I}t69TbXS!eGn3FrCKi zwQdmvQ)tDMo~Q6oG)sqFwJWUH3YHkcPLZ*72WAxWh+_) ztSpRx6!b#$o;uVi<3@eDSl-}i)n!O}CGx$gk?2foy>SWzf96?h++Fx8K(&!W>-DPM zr8u#A)sMx(!L6CoMl=nE2H(kZxp>f!aS)Jz{aCifp&NH}I&z2`M(NY>AJ^Bxz%9V2 z^)gcldc0@o{A5e|tt?B7)G#~xI$a-1wuqs0f@-*Czk!PTfzI4@kujD9IY;63;C3B< z>()gxm&b6ZNk^Y@1F3gY{U~u?Zo+%`0KCtYPc%=M{a~0Am`#kn!29$jPwSe*L;Iz~RCh?*uQk?}ojCfv#|hkQF%HSi%M>41QiBriDceu%#>AsAy;zf4AAW4m`BRx^dXI6c;(2%dnH$ z*KCVGnNw@I!qgDYKct5aKBAcFy$X&Cy~+uMnokQ{i9qob?QrDC7jlc-^pc9{d>%(q zE5K1xw%BkC^n|_#xSg7P{GnJ@gvJlCTK%Q6;fw&$dj%qs_%P%%B8Hk2`a|hQ z!DOn2mPuUSDF&xBaOgJ?_pmF)N%4J&hGTh5!o5!Nug}*g3NNGU7+Xr$WacWM)A~vxJp88`EN>MkcTe(gucA{M<^?Y)PI3lD<)_;+c1~jf+0R7@ zD~-iR1ysxe!VJMh@oybkOd(Fj>Qd!dw)+V4#)SHK)Z+vGy3E2JU4-7C5J_oV|@4# z%S3p}cs{Jm=6*}{`@{n9`C@!`Q&|U0^pN^bWmt|dh7Bw93?Oy$-@+bJU=~!;b z?Gx}trby!h0kn!|x7NX&b7_KHU+AID8`Bo5;6Qwd+duGL_`b#PfxVBCPrdWOI!Ze9 zjouAM={C+o7u4A6wT-7RXL?RcZ)EIW?wO(!_l;wNIxWH-NK}|~v}sxw{V2eFMT)}{ zvRWmy8PaLh0>dIB&nK+3>8kO3Vspqd$8%%}-9RYxjXi$@w5peT$gRkr_V8N`7M{Xd%(5K(z{bM&6Re!zLmC0J_5l|M5>ByMN}tR9qP6U^lG8fFX^xe 
z4G;=Dr8HjLD5!)iYsTlhXcj1I^h|_@%DAFhwqm3ElAS1}p&Co0)~eQecNQlhu3lg- zwEYIbgdRNTSC}Mh6R=BUdzOI)@9cHfN$2EG;s?WNoppfw1HTN09_;ek?!yo+S+g4& zhKiO;2@n0?E7mD_4pT%Z)0)o;n#hmIPUZ=HZ~RfFvhI2+RMT_b1U9|gEcf%2=Ziz4 zL1c+@_f_RhW9FPD?VUbsSiHJL!JUN73x_@3p{Bk+?0Bb6p$~U(lQ`JLYXzdz{5Jn_ zyaq($S3b;rJ-N96uz6jQ zGnH<$+8%yvuKXLn$ZU{t$2b*=1g;Jizqn3b#Bke0*Ry~&#^M(M)wZNXG*w)ui*yej zo{Iz36f@{mJyB1atKhryT)q@jFA`H*veb5=*Ylz;W6jRYx;T@~{?a3JNa+kVCu}dK)`b?@fu_0VI{!gb~ zI(^f_(#@3@R+09eq$};m>g)%>ZU?=}Hs09MI9a3#MOY+gt?h*1ys;QMEdVm;3cUrz z0Bc(39$PeVS^D99GrV=@Kx#p3QuE3pEs@w5Q=qcmpPG)|v>DFAvcmX$;J&7uH_zw4 zBhyv75{r$e9%zxWb&lg5N@!Y+X`VOzaX{C5%E?)IAw^li!*DXk>N>q9uJE58Fd$x5 z<-5s#C`eM7b+z0yLtnckop+rtK5hT8J7V26Iy2W^FeA$I1j+7kQPf_(2s|9mC3M}( zxJy6>oM8Jza1Q zi~jU{L27nO8NW5%(UZ3C%2_PUYIUU;JS=s3-A}pLm7ekBj%rGpR;GGw+9KJSFB|fH zes!8T%xvjE$q`u2KFeq{IERb$1a;C%uL&WNDeSpoPU$t|wKF~8Z4FvLe*PuoZHYbA z8>l9>x))lS<*&V9K+$F17e)89d^NETUk!X7nq#+&Q2z8-Y}GQFw=A8u?;57nTas#B{+_dS$x5G~A#=~o1Z2Lo|$EsQ{*-7zJC%kJkgAT$KL1NJyYBE5d{CbHN< zL}2fv(ApK zUM=~$3t@*dwiAQ65VZ~m&6ZYMbN{#%^+BselDjg9LhczvRK>zuIaU;!Uz#irJl^j- zZH!p(R@NE0FdSUd58F19{@eU9Qi9dtz}ZYRj2wX|xqdD~REg+k6vxmh+AM375D&(` zraPWkipwaZ*Ylsy%hZhM*B{C%K_T&gN+osMfa_&Swr!;I>V-(&Zc zJ@-hkxlQ4ZloMr03h=pa&&18&YCWJ08+pCC^A;C#HdcgriZQ0Yq;S!Dql9u*bhZ-c z1lwe|-!8jT449crCXPj4B$m6`0>f4&3IRYV-@LSG1Fw;bx!fBj(C~A@_1v&GmIG~AQMoj0*o;_s z!X8s5n~EBXN>d`Ud1cA2!f6)d?w82ZgKv(k{GdrEXl>0W3rTuc7Y~7&jA@HJEP_Tm z@y+Nta-T^22tVPybR1D7o*^Aw;$cn|GO#v~Q>;^q!&O_}pzo1}A7YrG@$CC)=`CC_ zRrRreH-1T$d;Oz!iiKaE6DF z`YkDxRb++D7Hg3j504n2Yf;*#(li0mWF`d4E9xD_Y;eFAM7r7W#ja~22&-`GW9n)K zH9~LEWHs?d1;}FoP(H{;4|p{BT~y~;<7}&*iG&}RIFbc-Nj1QVEAdv0I;62M^vVXE zAt>jtd&&50g?hYGZR~Nh%JHke8i+|V5Wx3r(UGmG#ay z;&@-5r`TY09*QjekA=3W(FZnVhKFCmOmvgK#xb|;OZ8{T5Lz-T-Gkgg4yOe)56M5f zFu$Y}@=A?A6g!gU&i@O31(L3;iok+ak@5|=9Ct1+%9XsJLB|>3xfuNDgV46Z56|TZ zk;fa$6u|%am&vB%oN^)U)rDO1j#jNmDice<>YQ_eC+dOO@}%Ga?bLXJsL!h>9A!kM zcDnd|aB)s6D}^Yesz-3W1nU@~G+ZvH^J*Bj&%aGQx&SJAjxfVg5uN84%>Rl1B_uRpJ-10HVro8vcffR 
z&s9S@K2Ffxa)F8M|Fb#*bCB|f5Hh+c&iiSR_ZQ^?LW#d%EE62Li}^IyN4{nng(d_c zae`!0VrD(xSH@Wh9Z~>~2W%h-&7KFi{Hc)1=v9_4StQ?ABPsj(vJ%U-5Q)C5A{9Qp z8xwmn#Yw83@Yb}U0`!p$wT7l316Vr}96!Zn*ByE(0H=2FmR@AXJJnz`Adq({m8xr_ zu>>5W=f5nt^U^Q-AWGXo48c;E%qI0=`EiArkof^k6v7^6x~$xKIH%6LCxjk~m@Za{ zT*#ei6(GM-*LpN5Eq_0#MEbtFW+G(HfSLO11?D=$Bp$`1%+&*0;}*@UuZ){uf_F~3 zbA~+Zhz3H7Pc1FB>{_~J$vuR9C=3|603>&Dz$1o@F zaAS-v{QjJ)IibXkKNSqHDDpapZobxP7weQo z=WA89bVOUjp(Zm?a&>^{`MSlF@(zsP(Jk43@KW9`Bud4kX#Q3~#;;#VU7JtjLn|5N z&ds1$86Nd^JUPm-C0EK8`B{{#FxRzd2yEebe=i18n-J8zNUL-m2wC@fbo7jn z$|}ywpYXzL9QUV0jtrhe+HUhso-k}0hQbWOPWAQE<|$vtt2@y0P{gGVcLDqIpKO46 zqA5BPW@Fez0js9sF zQ~!F%_3*Z4DVFg3G-ChFyDAE~yQBdQPT5z+n|w~s(iQsK-yblA1Apbh9NYbMQ4hoA z9BLurJzjK-lUmI0dtrNBkd2E(+!jkMvE`p<=EBfDyl2WX&hW0fi>>JlGG80VIz2ma z^L+?9ZhP)LMgt4172~7qg{OL2j92L;RS5CV5-uv$|_k|MGH*f$yb~~;pE*^g5i~t$Ek_M22%%j2ClhgAq~0WAXxGvJJB+F3iOx2>m;7(`xN5$llI z9{cTgbcsDkeYx>ZDt2@669okYu$5`RH~3J)KbcRLWSgj+r~p<_g83a2dKd#LYF34Tl7 z4V_&EXm?6XxF@vE1GZy?#-lyIKe>8kUx~!>(tgyd#S>3IhINb7QfX19vD{{72H!6EEHyJ+> zECd^Y$M*oezgT?GV~R6(cELS3>{t5rtNzZZ!CVuItC+QJd}!z5X_He3%tK{AN#Ansu{0e;hXm zL@Kr~{H&VTVQ#@^(JHnrYdP+i>UgkU`9v$fVQTg>PymL{x+r~1yQ;Mcu*;A48yzjP zS0k3c<##=`Ld+bWXawaquS|zMztE)p&V8o2Q&Iwi{<3AhXX)eWPkh0 z$EZ-zn=)*M-T-8Xql&})BZ|k;S}!{^A`@xVvr)nIXHUhfQ@9UdsEZUZ-uHf03slT6q?>?Gbx6enCLp5Vy%eSc`9bK$K z3Os@x^=|0Z>EqeNDb||g)x1es?8<;NnLgx-W`tl#`P^!;WKp1!j|pPSOTI>5D4B(| z0ZtlR9297zsQ&m3m&&x9r&wl^miX7~1J>CBGGo6nV%B72rY9m9=fgB6U`4RqnfQXf zxD6llmPuEMv>2wOA#!!*iU}FLddC?qjKsSBj-%I-No=yxLBve-kSl{QA+>yp+PO&V zAx>iK!Q1K`%}++b9qrNY1_(ej0urW%U5EF$p~Wn3INV8F`~jJG&_o(vc4bIuWX%~4 zP4zqfNt{J9qO9H-4p?Fgbvr9xVfbFs#b5f9Y(OH%3m3H&Vqz5Y^1_#BBRt=3qQ9n1 z`qR!C(1O$ovVdYEQ|tEdnwJ#B0gQm50vqmf{1a=pN57BdnnmEnv!G9O_(S*i)YH65gYBD%TV8L0$&dgzMzenEHO1s!_HftU2(F>CtE$!}cWof_*ed;_ zUtCUDbnbEhyWCgN6*$YOC?735@*fm!*O&fvz(^!Rsskj{*&2j_;mNEh{?3LAq@_K3R@{8!nB;@_=%Ff z5H$dw82GO~2a`9eD>mkY7hv(B2ZKbql|~v@_sz;YEB3teW0=H|=t4yQDjSjTcgDnb zted+->iVn0qm$s-bO}|EIv?Nsvv-OO5IMto*GKL$O`z)Q#3xN8%jRzxIoa*a5#l&r 
z^o*cjC#UI>j#`uzB5wS(T6*}3X{gitQ44${nFA5VTaMxee)UR=o}O-2zf9vfC8+)6 z7ueY|h_RaN?0Y+A{ZTiQ4TZj~m-fZfY-{F%GrZq!zm%TVDG+A=u)MlF{c2V^)WGg1 zzMq|rdW=5?AQ1+vxKEbY5__c&7HhPI%w^HXhuyvezJ?Nbblx+j?lvO;7x`j+hIqQK zUwZpQ5rxcmYO-%kpMpL14Q+z+)`s?tp^}MI3^5kUJq`dC2lJ=PGjODR@ zJ4Y=*fgasCXM{_E@ayiImotI4?JQw`0Jbx%SJ%FZqGa2%DNybjwS;i;@&I68zKWx| z;@Jh8C0`~f=9Ye01{pBnj1+mVez0HBPK{OKu`9ZPSq7%q%%C$-lS?Eq>o=k28>GG7 zb~n0O8rW^r{h^BJJ7km4ATXn&Gt4DkRT~tJ`y>u9gq?QW+ivw4$T6vuB5UMbpKuFl zI&9Zm8&oKkt648nPU`;4H>Z4ag#ZX5gH^b(@O4vy{s$S>1WSXa=tjH6S@-tJ72FR{%ehu44}0Oq^DXpe~p=?M@Ui9E@gVrkKpVv!!%H);#+{bR3q} zGyitgYL?Bl%mR4hm8AdWjZ<_P*X3bMCktch_Iqp(+)e54vmWz}*eO%=Q$wEBS{j>r1AjylAwM`D|; z<|@+tJJ)D(u-7L}X`An3A0VsB!m+d}+R1<^_n#zLa<2~yjxwchi$)wnYDr5M5uY8O zX~i^Zm5#^phx4|zmI#f+D)%Pi1EKZ5W530Z%%Ny4z%$>qZy|(#?PSuqhV~{q;XgZ+ zW|X`80HR?G@QT|e4WPW@*ye_8|N8$Sf<7A@M0uEy+=1xTxliG1_(@})C)HC>1Mb+zl77}`S2ZuJdo(4Q*;ptgn32OzJ90yl z&*gBYCbI6iA?Zkix=eSU=_H3GPNLZq&ri>&3FwK^SRQadHlYC=b3c=j74r0_xo{3h z_BAy4twGay^MF?pQ!Yq`-2T%>q#oX!GpsbSPGe6_m2rY-sJ3dPlAsp&fOL$oOKB|P?eBjv>@y{Fx9n_|9 zwGaLF9bJJruiN8)x&X?Oj#$^ZfEIy0EdaR#9R*cj@BNwy%XBR-7rTORv=nuTfX!ce zn_m*`Myg_Jtrk_?bBBABDeVJ58?gw}Ou$SyB@q#=^7AHlE`J|MRH#x!kH=wZEM5W_ z%Z5?}Ck2#wbKA=Bzr1YpGgA9reeFTNjHG4?7p33|7mq}EeJZkOEn<|!U~$KYT=(=U zGbTTb#^i>5kmai%83~{Du1;w)F6iZ>fbjjc(Xz2^TGZGh{8z4aK) zh*Uc2L!-jYE*SRvw|~0{3K%2>1eIVbC5a+Byg86uRIOV#+0#)M8N`8g;im0|%kKJp zL6p-2$MAMut;W{}j^m_||E9pblHQ<@%GnceizZX-xbZTBcRO~nt6;_pmTGP4q6$E_ zDs&o@@!~xm4t{V1MXxsTaeVWi!&)*$72&H7)PCU0dI{xh|Boc2T1Y4sSy(Du&tajd z;r_5JGyCym(k{JiEe^?irWB*fSoVY7;-)=wdU&SR)g<>V?pWZsd;ohodvl#@O(@`P zcK`mK`t7BELGtUaOSF5#A5Yu{V&AY#zycclpBZ=~r~R+IFY5O?LXW9%96ra#S|kxE zgUeaWF}Sx9t2WvDlPv#JU0dau zFsbR!#i=+_+3-J8HjgU~xNy5k9A%6x&&EMddy}%XF_5gQ{g#ID2s0R_C;U7JFjju#RecqM~bzy>`QL@fU(;S!m`+lr~x2pMz| z3{y(~CfBaHUhKQw-H?;x<%oPHpq1xoq+(q;rZQTNVhz3i+A0nqBFq-I;2*KpIR&}m zj`b+y-SKxG6QG#3=M@^s6}5(*Ow*<|{SO^-O*VC_%oFA|pE%*@d+L`JsP8thN3DS-_jFm(xu<6gsmL4tvP?6zpZ*P6x4er5oyhITN8ivl4S zhw(Bm^v2|lf%n=5n|d#P@YALTux4=ENL>x9SqGiQtiQ97klRs3Z?M`V_JSnDVxEr2 
zVfYfsT3nr%0w0K}@$+97oH7S*2^u&5NqeL3dyjLX670_7E9!}?eIx1~CGEqehhl2u z!Lhe=PNaPe&z0x9;x)!U_J^o~xxlt(sQ-Y)t>~s3xf4`EeJGP8AYANrq{k~bH|~Iz zOP{E+9C_F@5-^Vc-mp1>FVF3zHNsW)pH7OqV)9oxuW9&~6)21oOEsJ6R(X@Y3O7%h z&B zpR_8Lv(@-D?)Il~*7OB)T32pKN=modE0Cav>~9mGe}UL@Ayv?tJOBxtRRIeoUANuJ zkqg0LhzmhdO6-fdN;||x2K^SC&e#51fhM7<<=NLplwaS0ZBLM+@;(4(`9Q~aQFeUpA2vM8N@WG#nW)@EY zjxoBG>9~?%_X|0?h^KF|HA8o3lK|lR=DOcAD5vcNiXDOxc6V?E{o_hHa9;Z#s{~Mk zVkC*pYv8Hupt@){N~M2*w-(iu)5={(_YEumZGUp^1ul{V)kmoJ_H+4EBGQ?vt)La_dIj7#{UzeCMX4R?aI3|22EEUv_U zvOT|69@=s@J?E;iAR6tj@U%TPyy<4p$BaMDgt^~jmBCC1?}@$iQ)*adRC)i-shNIz z#b|~5RG5zPXrIMbe4sS>rwi06{6RMx&A{P@!BgnRr$*AThU8a)P%6Oe2 z1~hxCFc-Oo#179uDBwd1Z%>$tFN*2#svb^C?ttH{9orim}PvXajy94OC$pElU6xV8ll#A;)Aq$Pw>+OF6X?z z^7ticwFMr}^e56a_*aiPmjIV~Q1p{QWZ4IW-0l5-XwwsLdT}CObs1S>i5QJSQ7eQ? z2|dqtiB`JV^x8uJ61JvMkJCd{QPp~e!dFleRqewdiDo2D=2XDRZ}lq9=+le zW*Jv`KuF#HAJkHp2;p~g3>EEJ{#F*AD;;@?e8IG({{hgoBOKIFPEi(Ns%L3*E7=#m zdvt@0grqzoGh>&)&_Z5L1$etdz#E9W1Hll>71EXlsaMHvfOYssV)Iz!cO!1z7zmj! zu^fPIliKFRJ60-Bbdp?H!|LsM_6`yIcDm zwxkifW@GEs1u~bCDKMkFoCg9(3y`GZ=`oP8N8^HWgH-LsluOl(-OdA&o_T8Uf8k9Z z^j$>?p8v{08NDP5!Ihb$>nd{<9RkoIGH_0&^NOy@y$zfP@%VmbANjZ6Hhz1cm{4E>*LT>e(CFUP z%pBt_vObLRToN$5Zhdl4r#UN{`BlG%es6V*ytyCC zPVPF}K#glj^6b2Mr|jwj70 z)CfGDJB`r!Xa8ad zs|--E2W0Z_aT9s6fT$%+_yyBGE=zxTy8*0yCC#4SPaIgkUi#_l^+bbS^!R(#J?KeO zRi^1mb$G)Rv!sA@Qfe`s9$ud?dT6lpD$qDTM0PdFbkLy;SK~Sj0*U>q#Ma8p?Dk6a z5(^{Zof6u-6Jx!LCO1Iw>#Wb%J%bQ z>_nh33?onWtlfsMwbRhyPhG2y>1u6Jn>7l|Dmn_%FoyCq%0KyzVJFF*+v|%D#SKj{ z9tBp_1s|VKOdB0f$gP^zvEmf*t^nfWGmxqO+h50^+`5^IZ?GgEDMT4+1A%NLFZ%)giT;Emn|kOTPh9(fNiKZULSGsTi_u7`fWo4W{8)Ev(_;-!?V5 zPTFoUd{a3IUMhz(SG|e8%SQ6p4|L5(xT@-8(8q0R>m7W-`JG`U2an@y&DD&{l@BSI z6nAO6gIj>bnX5HlmA-b#DpYU)xm@L~!*QmF06+KuEv)%WC%{>x@m$*|+Q^Y&d1b00 z9)|ZRexT>HTnx&Ssl6O{?Q$dv*fRd{Jyz&bgk|f}<$T6T>;QTvq+5HgghDG;uT%aY z7hk{8ngEng0v?_wsVBFh!G5~Aph;3L;_vH0#4YhfKR@p<0EJNV)|047(K3L_d2E!q z*?N#z-(UnN$QOWu`~?1%Bxo=DXnhnxs1x!-$(&nRUS{i``H8i$A9LF*^s>5nzASOg 
z+Oiusu9;T+3sUnasY>I2XDLDN1A*mJ?uO3DDe}`zQHz44)($Vnbm`-o%={iM{dw)(W@U2hA*vOdj$y4{(!P;QX zLSE-`2Fgq3NNYO_B4!or~D+czIiY8nz_ax||-s#kO#_hesnK!534m~~>c<0}u zlsyu9t)`xeY@CZ%0dp_SMvSKhev5-`6Aqbsx7*{SDlhv@nh z->KcOnnE0mnrBk{!u@DPKVHaLUPrVlt7ZNZ@iUQceG|dPPcPWz&9boa=RH8SYV-c; zXX0I=F@|c&+-UnaXBKhM&5i*Za-{QVm4C|CT5c(8viPrz9K77wW@9hQch@o0QA}dM zF*Ms#W$lV1KYL4$8|s;dPQ$=)k;*4;)tQ(f@CUW-Q)U(GALk6@PAS73{A@C;q zzxF-_wGekl9*nVVYJNe}S!k_Xij=s^oT3C-SyVu(+lg7dv}IEd2_O|WKgo1?b4WK9 z$LmyHFgfehz~QJjz?E6+_0SD2?vpWF=jj>!!wfwr=?%OZ8fwSt$`H)LZzMs}TT2(H zwRsf*o!{hwx4!aQYep`z29`MqYlg-UE*BaJvbZIis67oChb!wFWSFm`g z7TBb;{0YWE5YVQQ-fU$yEi~@FvYC#X-Jw-3tA#zcTwsrmL7V!bx3EbCs7H)Seb^Uo z2xYf_xDa(gIaW(XBg{K$Lp`CbX)yGuDaHR9^v;lQqSEwmsS_HovV%&Ik7KOnvQJn6 zhq)HxOKH;9967RJP-^1iJEX^vn z6@(xa5WF~AL|4qG^C?dX(p0buoM7;Aq&In)4oTSCnL>D=O_vO@F?>^YCZmZI%4KS$ zXp^={p+E!~+rJbto)&&O@knGNKnS%0zWj5U`&;G+Op+=gM<)Y}8i0gN4cw)TdNdZyp1pKZ?oI#4CZ)atC#Er31$KUc%u036RhUC+ z(Q;b8nxpX*I(r}oeA_g3$hlDH4pORJ7toF)kEOa{E5?KX7g?1WjXk(0M@u?=FA?{q z+B9ImGn4-|>h$uDx!?lsLzV9E=P<@%+;(RUJQ>*LO*2R7t3#lGfj#|;U#J%yFl#2S%go{8%4x>E2Rc!$XbM2wriWWa8|C1 zwinddqt#+w>dUG&dL7!)-hS?I0@VzEgIFXIn=zuoOFYbyY2@gP^1ug+@i&kRgYiN5 z6!rPP`b<62i*Yky68tT_Nm{?x4_=2lZ~cN+h#?5-n%H75fDj11oi7xmP9~Bz-s6 zi4?!|hjnGTKROE`6kFS!L2kz%QanyZ!3{1}x*3D)_;Vz)K2!is#&UiGu1TjeCMvT5Wh%1>66WXS%gbU1ndCO4*;z%a`)xY>*(Vy2(xo z-JzyZx?M%Mcqz;_S`N2c0=%~!lzK@DH^~)OqJbaXW-Pv=Gau>v5iOcSEhX1AVsVBI zj~SX#M}hQz*n96_I@>OMG(>`kkO-m^L39x%IuX4S1VKda(b;+kqW9jSvxDfpr0Bi( zt=Fyh?%bQa-*19Y7nI#B19m=hUE)$2$3^Ow7V_ec9wWdf+EZhRTnbopcSbv&AT=BL?Rs|s|&{7w%F)}mGki}~Y`wPOSsdDT#{a!*Tr$M_J*-H3-8QDTdHah>o`)4ZJK|!-BO^Y;Y zKfa6}#en~VcC%CLxh$+qt9ah{+G}o9-q0kIv_5o+ zwwVv-X|!k&^lI509P}Fr^8Jya&F|L15P5O`Dz)?u5#NXCp5w2SO@N>b@3YocHPgk; zP#l_AXUn4a#+5*T{w;C6FF&PnA-sd+WwzCWyRnw_2i0YP>)6EOI+uyQ>-s*8YAIue zH1|f0Vc&yt-hInUS_`v-HUTxdbzN7~moYEA)b7}nqtEpb)*IJ4o^it8aTQb2`!t#C%ge+CH;T zj(=1B?h@}rfdVGW@%YJY1}c+PMZ?7eWp7JMFmHTvpJY2Qb&FfNYUQ5n6ucP1X%qUI z04;ZKbWQ_7r6geoj6bBzBGT}asnrpi6cok3lDfGJBK$m>XsKQ8woapFF+WuZL}ImC 
zPxou&fYOgf^6||qKTd;s`PZ`FZpFpz;;f)_+x-FIFW+VxFBWmGD*nubGe^AetB3#W z?R~Nn4_($L-K!L8WB0sfS;_@JMU*@Q~|W>q+VhST0&z(5)~ETT5}`9v@!_kjh1 zR3jbBtNsC9?q#F!q&OJT;ChIacy-pl=gFE~O%~l(x45)>qG#=x-W1-AL(PR5@rk5% z_~$_QJusdZ-SHi&YlhIalZ@f-2>wORqNj)ZYaexxuM&{88&lA-Zk2U z6Uet9lp8;Gj_M$UUONX4t-$>LIFsX{%Flh1uZ{x=5eYgJcTXrZVns_$sft1&SM_TC0jo#YQ=j_61*Ax4DPNy&0k$sX>HSO|WRWH0a8K)@?nP99! z#u=~+@m(Wj;ULl@7)i1cHO8f?=;dP4u6h$$GF}TdEw#T|sWTbMUl8}bz48{SnxACZ z&$e&fd&Q_$PCm`q3I@rgvg;}^1V&DG8PP!h6(B6n*4W%IUBdo?F#u< z?-1L~TM^T{-aS+nbPoF3LM26-pSFM}dJN==W}f`sH{m44S4Vv^K*R&_C)uDrgGTf^ z2wC(A16WFLDrXKf<>&g2s0IoZoPIspwKJVg=sA8ezyIzW&dN2{`NAFyI)v|B4?5@{zL-?v(zR1#=(MB=lzwQL@+WTZTr4in zrX?X3cCp-*LUp!qs`+f93HP1=7+Qq zuPiryv_~i>-@{swgJ1NK^%SexC5Tr@+k^iFHD6xpgxc}Yh1>FA-LF6)@7$50y_e?K z>>t<-`-e;HR*Af%n!nm}>3X2sHCnw$$>o@UhW6GmHcol{$H$K?oZ4SQ@`G8udp|$O zS@>r5t6wWtsLp&M+I!Dpsc4YE&_6Nk1G(msX8Al8<`{z3Q(>GP&sahX`c@7tT#>* zV74!<9Ots_n92Pxn24ma%X<6Fe7y8UvXma-{mc2JZ>5vPb|rimEn9c*>`a~VF|QEU zBI&9{30$5FU-}G6r=`NryTz25+pl3Z3@jV>GW&}#dBmbl>vpIJ z%gR?k7NI2KSjgkO-!z9HKQ2l>4~l#r|GejOX#S%v;o{Zbt)j7ke)VG^!@IdGo&Ge9 zttit(j+TIJe0Y1Vs$1G-<(seCMIXkWOOeBv2Bar^^T}TxhOc5h7Og+N|41AcNN~Si zdm}4w0VXI`G;8d?cBxz}8M48ZRdS6&`eFp;_xlx@eNKs;TGrm`yv`eM(zAQ30~@Nv z+n`%uLwRELbNf}YM{SD65^~4tPYP>^amT`etsn_FexkNYqtO~rK6n)S{*k44mW=9= ztV(nvkGA8_CTnZ{g|Ro|){a+S`d-wJ98 zF-tPW$x`Qy7#k&Y6y2%S+jU^FI`!TV+erbnI-ya>RM=NGf$JWa%zt&+#cv~L z?KX9Ia9|dU<~SvO;zk0Ebv{%wbgzn{ z^lZtHktN9(mRs>W&bhzOw4>H4XxL_HQNwnl24aDbJR1|S0i!+&i^81uyxgOt>hkUi zMVp?@Bc9sOhSPC+gfx;;v?~9r3p9kje;vW~B-HgLfea)hAYLy-!GZyV*Nw&g>hPv+As2L8eGM(juf3Ml({|rCr-rm4yI8$ z^_pvg4`%$=wIP!Zly?{D$`j29aml@U@}O>cEt&LRt^MB{OUUncVsS0VpZIKZ9G}9k zX!y%ifOYt5%F(uLoE~gZz(BiIj2IAju7&kQ{*M<3mKb=w{(uK0hgdO?_T=OdI1(;tL9+EbK3q12eo@evMV7E*?TdaOb!e{P5RMPH zOEL&b#(YC8EhUBE?QwCIyRbK$cw%!vM+a!>EZxzHVM2dim?b5lXUPxrdD&jLb+Y+} zeIJ>)JQ&eV19LYY!4!3EI7>20e=>NFrOZzaeuSd$1C^lnPEG7qdkxLgg}rGI~B>C@G)`;*kKTA{}-LN7wNeFf0Of9!3K);xJ|7wK+eC_3K`6Q z;8sjQd^3JHY-uUvFC}rwdKae9f>m4^uc*pCj-{s=^`-6V^fYXLf5L7cKFj+mEn8kI 
z2<@5Wywpr9W$>ePQR&BGWUhgR)nLsil~2%<=LlJBL&9WoPie$H1{}$+P7G$qv9Y5w z$<&8yq)U6VKgn=5$;A--#U*3XZt|e{C|CUYI}bzbg=m08GbYV?B5(3b757oXTGTS%Rj`shXy%5(m;5*~f6QOF;$h=TAp}P<+JiP*$kY zs!7|2iNwDRqw7x)4+|C#gVlT#+V`)+|Ni{BKc@U+l%fwOTQO&H()OHVU0ewfQ;SK< zJ8hf$PN>T+apy}38xsv-oG^$?bm6{Nlf# zdB@*6G|9=1`6+Y@S&h80I{wZI8#)r2cf5xxJP+sDzmNOx>HcdB|6a9!J;T3#_unw_ zZxFuDTmH=%5c$);#_+E({F|QtTTT31t079+e@n~jlKNj`_}3Wzzo0mYn4W1O0TN@y zEv zNG^|3%NqNz_pZtKD#L#eCA9lU>qCvwxFlcxgEFB~fseeb$Atw}J~sJxV2&t9wMP|( zrU%n8ez}JijqFQ8?MrIyr@!ugbx|>?KCdpt`w+X87HN1WF}x$e`nOMDv`r7!w4H9l z&;#751 zFO*yC7+-F-qfYzoM=F&2>Z}t&z;ns3>eLo_gi@=nngj{<82*aA`VS@raIyMlGf_VS zJ%(cjq_Y1TWM=>dcGvA5!GHcRY&3T8m&wa*39(mV&}lvcYd&n=JW;K6{94-VCUs!i z-!5l>mhlw8TK=+!1EN!$LftuzD(WOo2W2sOtv}q1quOMaCM->9*i8rRG@F7+CKeAl zf;5+pxaU`K>DprzB1oXF>pQ;s?SnhPC$+8ei|x=1Lx&@qL$GvDas#4VXB5xPD%c3M z8_G3BGfF}Wd+?vPPd+1stVPg?X5`9MXN!1|H&2a{3;?&8>`){G`gi@Ar#w!h7Usde zkJ~4(5mKJpu2!m`_MDFEPjk(8jaz6&Q{hijhydbe@m!x-P8Owfe1f#Drd5orE`^2! zE8e5refryOVF0s@-oSSezLVJ&O~jM3=&XBLx6>{T;|dd6y^%q8X(>JKq0%3!aDn_@%0t?444ef)GvJWolTUYsHQ# zBUoc{f}@x!=vn#j9ob&Ll*R0?FZyl2e5thSU50}*{KjhaBY;*Ag~)^OVv+0Py!xMy z)A|$Vdu?U)vRdJLxO59+$Jo6PpK$;C;3O|E4MUZX@`Fu=*7R9zh6e+&Sj3UX=~T6- z_-c-9^jLwonp*kCFkOCTRyNCF$+cmNSbJr}-54}=gr4tqFdN5Y3L0D^uLqBi@^L8o zDgMH_;Dx$KG}3z!AmuY>$H)Ru_3t}wM7-nk$E>&hgVAD}Adf=7CBx(~W%=#}*SO~q zJ9k)?@l@JyyR{rM>pCc<5QzcRCz&#wWv~~ zrOfqd<|y){RubI0sz?T>H^F%t#kTdG8Z7i;`m~W;29DdBIIon7FUyIU-+kP9AE|IyIU7ciYWMUF_kTQ@hX*sd zqdp5|>cQfEKka`H&Ji4(XUgll|2^~9G5{|h93b-lN#eY|!wPI)@yCasfkCK9=FPpN zk+>xVr_SRx^r=IAGKnq?-<@~+0x{X1Bad^J5lRLub$^^w(Di96>AB$4t(~Labm+mZ zTF{P~Pw#iLn9j{Kn>Z8!8<#@=|2oQTFP^&BB2`8=6+y z{Ni!g=y|(8$5;j|9M)!K9Zf|uGL%kW*6$#W2=^?`Q(JD1bgGqpU-wb7;L4!(yd8se z9fqW3A5d*AaeZ-!{@06h7xKw4#jfB!8F%xJ$+qp?+}8!uZf7EHmrf1q6BVj%r>it4 z8%NW6E8A|XZ-uqcGM)kd`bcgVrw+S!jU2HCf`BE*L9`hM1!*HpEHWG{p5+d{I^fg_ z6B6FE>RcA_F)gUqsaa@S{0^FN=t{U_nO z!I6?tOr2I&4d>PgosLG5e}wgd>A#VqSc`*Zlkd!KPHYVFc%8F*IMAMl!1l<|jPSd( zsepWr9M@rrJB;RlNLenf1^Q+qfV8$XhB<{s+2Z2-0Y 
zZ4*tqH6&zpn%5b^|9Da)wBv9O)w?f|)wN}rlRp0^74W3-s3Sb4)w}gipcNz^1l=xS zzB*5$_hG+8^e!iH5do<5wBU8Nh}2RWP?YVb6Ei^515wL_ItQYfJ%X&R>8@U3PB-D; z0#~B}kG$c0^r33Mzk{U3Sp({WaKR*dPGLWT#3pSg)XE@nor&!1Qy&+4Ze9DYg8$Kf zal5c4{G$ahKvelNh=5&9wov{>z8ersWbTLdB<+qFYTP`uKX~Y@R)|s|c<7BG&S@7a z^G%~o8Pp*4bEZ_yvU98X)ZaR^Ej2dF4~)mE720{VsMe-2FV1G|j#sn!fO}yqgl5(g zVp)fqTAGMPr?s>P)>#iBVi#VlzxT7@+4 z^J4dg^X+*iguhvAqaj03pkB5dz;lx{@>F68dK*MisigE`ve3l=BVz5 zR;y5j5+I1Dy} zaO0ky2lVJItb8*@H^zAUoLsYJKfFB(nsF|CKBDd3#x4BjtkDZ6kZk|TdQFnyqLosz zjnDP2)RzI-7?+dXrnwE$$R2MA-Nnq9loBcG2OxD5T)9a=FfRmf@1l9iKYXsb`Nnwi zhsdA$tIac#{%=b3(?OPhwu`KRB7oZI0bnr@93Ejyx#al)UB~BOQ%R&0a~1E$`H8Vs z2==Fe7P7YD#ehIBPs^;lU^YZX<0J_(7dfkeC!nqGi&9%I(Lwle%s|GH(`*tW^Ig$g zIptW*5zX(_Um74Q-GA>CuY`(Y2WN})&rYE*F^%`SoPna2X*nH;#PK=!5Wm{4;lkLu zwjyEhy=+PZE1oNsV*&UDR_B^*ZlS_H2SKmc{6ppmkljE_Z_QUt9Of&HZdBG3wodG6Zq*q+4Ms%6f~Q;LSSx&5q{m${0?dJ;Cc z64OJJ<`X>eHIJy^WXJZ+WM&mKT4_OU=8i)flVzI8iF04e+h`C8qyY8}|G{@G0}H%I zI^;FGGK&o#>#m^@qVko8Mc)N3N?TryY0)2U`ug6afrn|ZsTv2Vh@~=3hrOkQJPG*3 z1ktqNy-KFN9hwBa?Oy(3!yeKR{Z=#t-lYVB%S(}H2*oW=GwfDxnLL4d`?X$~g1V)< zBWVPyM)7o?bR{p)Af8SCJ8zLi zKKxv7KN-RBQ0l?%<$m~-1R04cHTz(xTg$}RA7(6GjXq{6$lO!MDZ~1wmL|#3Uumy= zm0pD@OwA^1EX!DLIe2RE6mB6IzZuEm+n)wat?K_6Ec}wo^QMwo?x?*} zqNq=SiMZ_K2zbGI{PoBx&ukm13lCCOkKM%R9i-rabwp$wq%RjjP;AIkCp*=UU|EX3}XPE;Jif7E(}d?j?@! 
zNIEyr3rFA;_Y)kH&r&l859@P~&25G7E5>A_#jody?Ns4QrVN5 z4hQp_WEsYL)w$bYcM&&a9&tm0WABpR^1T1B6(gZ^Yszb}Uy8YB2u;gv@eYA~VTsab zC!6TDhg2b*${M;Y(=>8dM{Vzigme(k;YR6Ew^l*Gb$qIHjk+AU6`&SyM$5)=!|dEx zUy~Q2|0q~u-`OAUDD_ZrF0r`KWwq*$-RH)OnFv8vw@WPgu-RUzH7-zpahT9=`9bdN zO^EJ91^g+*D`}!PPX=eKettsy@aOHV2!I?dl;^Nns00vgy&u@+PyatI#xwc6x5jaM zy&or%8;&kT<4$MZoP3;60f|D6pBPk~9X__SF`i#%2HPz%SFa9}!smPX1p~kQ@c_VoiF@&jraQc4YhE9vf6^Jc4`#PBtk zYZ@*Np@Zh1pc}^NOi7R@$;1|=gN12x_}UOzY5^A6!_5oY@Pf3JO^1Up003(2ni7Ha zYh{0MkPz?b`wfcdbD)hj|5@-8T8<{HQU{}IZr6Qcyt7Sojs|H%S-Bu=bL#XN+~gT7 z$U~(8l|gO)Q?Nxp3unFU7;+rX6@?Akb=cVr1otrcTNVZIY`2k}j3c6%wS}64oEp8f z0$y$CEH4>&9Y0uuLA6edmuD#W$$Aj6>hl{AtHeuiyX$3%Ib~$|Pu{9}4NS{`RSir6 zTUTSsZmeJ!57ZSULQ}2@tM`l?)<>B@GDDrI%WVU%R+;K6(pPLTUpilM5V&WgQDH*X zhZ}ch;P>ntOEcf;a_|N zB~%cMpD#q`u`}?w@8yr^H>Sd(9lN0VojQBbGR=20l;usjm-h>jHHN&PTse-1_VXFO z7W~b=O0u-fx?*xgj)7%3-$n@VjMO3z^#rsN=ZJKhG-I2T?Wn z-@{{ed3O(w!AJr+vaK=(N?WRAzXcRJ-9A_|0XL+U$#Scv_HT^#xjWDdLC@cc4}J!Dl$$36TbmBWmmjR)$`2SwM}v7p zmBWn*`sGB|WVW1Xwq0XYL9D@{Je%|l3XYodKL}WB8xRNcM&9INA!D~b^QZkJs|#aFA=SfAjO zcRwyIaNww?g4m3L34I#Kos|aYd&UZO%ZPpM914Uk|F@|!s zDp;g$B|ytPV?I&OVu52$;3{)GSVwzNw-sC5BKpT7Gnhf2Sdp1g%Zm~usvjvw_6@+#V)*pX_zIUIJF}4%sOUi2*NJIhFwA`bn zkS4>4fpQ|h*JI=y#U^J2aP^&=;M_~(niN)oQ zAXvt_+|^f0Lm^+i-^Xg&oc1oy-;l?_oXB|@3A|s<8~eFTHiV#hdU*2vgg)L2@>6N~fiEc}hf89T_=8fPrO5AZf7F`I^&5ydzQbw{tE`;W z&XY?rKR&(A3cdnw6x}#r<}JudBhj`k9mlOTi1C39fwU@a467qxbDWDhW&lF>Wn`q7 zaOQ;C1C*#^yk+>!WjRfkG%|{{Ai!Qwdv||`1LU0#Vizs4r&@hzPe>9B`~Lk`m#x<{ zN-5ZY?k`O&FlF_mtzMf8uT#iJM_9DOX<5Zuv)HOc9b}Ek-sg3Y{RsNPN;(RrAt^1$ zh|Exk*NZODH~30&gKv;~ppa^n!Jfj-K@pRoyF4r*Hjrh9il{}UAlW<T?5M zV>#>!R$^k0Q(@^~?JNa9-K-j4B}`x(5a}hyG^|~ zUMnA}X&bOym{JU@?2j1bU94I;rW{*^efC4Ol5QDv8lo=bZX?m`(;gO%4`M-2$ht_+ z{$RYm{{`wROH$K@IWk4u!Q(b(q;@qpU*tdvj@BLLCcWNr%5uPd^#m>B5&cSY{iPv) zV&?nFbB`2bx7GI!3(r#d!16ZAUuZS_Jm#;cYldbA`wU?l>36#_6n-z2^I5`*J=ez%lFZfPSoQUnO7D~#16Au7una-1zd1OLAv;RW zHZ3*I?PL)@cVY%l>eA>Rm3ZL%@-l%C0;(W&`;k>{3l+1PC?K|wIxuG$Ua8m)8Go+jd@qNmrVX|52 
zgGRWNt_s`Oj&HS1_QTtx_&g;(iGBDwyOAaymKN4&^2fTVkjG--vxhd?4IJMQ*pG!q zT#M5A@y=AEs^t^-umH6wnIS~q*#MId`OrVQL!>DBxQ4P#O8mE;$VQ|xcg+!y6jAOpV z++i<13+@Kptcm~apBds0DP%{@p6Dp;+@&%#=Ns!v5KxL{&@d`som&@7BF(sGGA)FI7+4E7dIEs>b}9qS@>@YDkZ*+NMxV@hIf(GZWZ|4sr^*~A(YZ<2*t;@!X$*&i zw2#^xXqZaDRW>w73Q-vk8Z$ND)qaTDnGm(Ac_uZP(rk&d#vq4fjlCN!Xd7(rTJbU+ zlQOmIxfY$TAPh&G`Z$rp)w&&L^UghDYC2nX-$i=-wskHQtnW)Mxv-G}r}6OhCGTbs zvl#`N-3=UnZG)qgGOt1H=IT%BkTTTem-ncLM( zMtJI8uu6gQOO~8YMZT|bpof>%beJI~<>-o-$o`@_$b~kQ-FYv>{uls$2xN7|bp7S2 zt{B6w{oaPH-qtebETggFMVzXV36iB1@1ueC6eiskX$il8`dCX(zvewKW*|sDfG84V zVoyN>jTwC*N+u8W2Y|$l)fhL6N&sg1xP*uUygxI=<4FnYP9rHfF zeG2Qx4P@s?5cOU&h)f3e8F6dKSqz62Y3=lA@wr4eT+hQEGdNZz+Ro7y>@Gix7(hx$ z9F&Oj3IPVuu*}PeJpS}cKr8ZmP3JdX()eL=-}`XTwm&R}v${R%U86wdTc3G6=@Mg; z_uIUBYGb6WeeI|af@v8vDflslW^9Yd-ih7fw3D`YX%@FF{A&;P^`+nZ3mqei&LEJ7 zGkZ;jI?`8_A+|nmL79CmETYFNuZ&{P~o=0Il;5 z1+ggE*4@8#7`oMJ{o6d-Z}$ma^((IXk~v6};2k`gGadR)!>Caz<2MlF2Bg?PBis0E zNXQSI2hb7q1FeLFRMPsTE-izHR5^wPqB5qLu9$)rr;iqj*C^ic-4PQ`sh?T^BaUC| zcftEZ@wkTK$8SkNpvVSM!E~+^6+>+-{DX7&6fJ9PaXzGW8z{=u~kW%oCAWzA*iP8(VP?I4e0E`fbY z{iT6B(~Md-CbKbbovX5PrC^sG1z}kka=_ za?quJ)a>M`Q?wm121BEf%*f_y9le(Ec9C75v!s`|YoG4^DCpsRne zz&_VMQyS5jO;a_E`(2D1pw~S)m~2iX6KlaGkuzeHgPNOo_h3>zTb5Emr;uyZyg%7> zxQg{-rSdj6*dCx(Wc{_u-}{K&=hHE^5>M5EwfadheWp!|1zu0>_%_HGbkQ&pJ-I0Y)+EytU>LP9X9VMuAXD) zPxqWHM5$^==KF}v+J3fJNKx2f;5rx_$dLc}I?TSpu_F9U^w*3&Ki}7fRN1)po>4buAN{R>0h`Uy*Bcvp&hXt zXFc6s4qPCxK1dj3VLu;P23Mw=E+{4Q~aqI>}Ti>QXDfRa1rqQ!ck6SnbbU3)+uG1fh_4+z!%;70phs z4J1q2)Xl&ZoJUc67_J_l(ut%PyqND1Fi&7jd7`YdE5ixHuR}V1c{h={R-b(e(FsiPW-h?6+$?2Lgkjy$7=DQfon(x zL4NQ|#0LHkoxL3af>F(Ukx{R8L{~F-37a&+@ z;6BP*=7a5-I>F_x(`9gHwLd_uz4bGPl=ie4R@rp^cX=-K3I zF>cm4xG2urmDajl8l(C1OpT5A4cNF4B!jlVCDXV?*gIJ_;kjtz2)zr;Z#!Ua|cUk z*|#;KU%vr1fxYbkpcho^Tx9T1OeAKre!Xry+pFzi!jWo1_&B@V#1gzWSNRuKf18;i zk0(^~%T?7H_v-LawV~PaPYySMw@L3-v~*qkuD&@;*Vp-YRER!1`7DXwHsg8an0DG+ zxs%sLGVEotW4Ci3m_?%$@QPaf83ndzgSkWU>TDIHZzZyWrI(a_MIf)lu)49yLmz-1 zg{{$|s}?h$r$vFE`K&g;filUpIB6GQb?y!ncPZX_CW|~iM4wVx 
zCU)>6ffQnM&xTa}X{IEJe%m2X@?$lx7AU+^Y8#CP?&w=^M}^sw?%zd5F0OM3eVWfy(s%1h?$0=; zL-CkHhl&P4AX?A*VZA6DNsB|~A2nU1TQdpEvRV)vPdkA=t;jM?i#9d&Gfc7w3sC-Z z8&RoYfwTy6D~!(iP3pnMMkb_eoQp0&^~>Oi97qm#^SH**(XTV33{`-`=ahfgyw^A3 zI)J{n)Dub7ftSTFhYF|wQkD;_ti#K9rYaVb-KLa+0dK_)#bH=&xw^n&KX$fwmh0?y z%#x&mbb=+ExF?bM6z2YcSt02mg(Vt-D|CQ&!&$&)L2h&VE-IMd@>F?$G~duSBUxCE zfAw+PE4OO%J9JN#71j?orrRleNuR0`C8PV}F&ZSOQl^ak&}t4O31j1npHUHno*caC z`O|jPahh$tN$CD-6m>CDsa-4~#AR(X*>$raEXZ(bvcP)Loq_b{I`7&zx{=-Ocbq?f ze5NMXZY$*?fH#@G+{2YLlB;VTE>LCviIG31^c_zg22XZ*dkA*cR}K_f4l0k$fgO__ zr#?SU&b&|4nU~-r(M;OUY?d$N)*p7Ir^pbNh2A|#XclWz)i#d+z~`fjewU7}p~ZNp z<&Qw!?n#1Tv!*m}>ssIf;wWy6>*bzsJ}@q@N*WkfUjn?KPNLej*uw9k@(k5@yw>9T zSG{Qo?A~VV9Z(1pKLfUd75>#A7W$pmK=eXT%W1L62#;2=(vO!#KY9hXaYtt-+=A_rH*s+7Pg*~iu(b5j`RujZ!E-bX-TfNe6?3O&phN?*fcu8w~N+T+%1 zx!EECZ9ux2@ZoXu(?DOvOv#S*xPV8p+W(aHE*yxUbpLNq`i7pS4t)DdWGz2j>j?tB z^U_Z+I*o+48!yWS(kR9p9-)*fymkTP5>yP3ntJJH5zwGKcz~=mnxO+ae%Trajzna( z(+XZ=rb^S7eEQ1{JPSW*OLUDP9kE(CN%*QM%|~H|2*`dEdQQ}e=Lu}8tqETfX(4KWLVb? 
zpll1jFqmXb17#~#PlW_|EW25`(iXyKTQVWx)tHxD*s-iOOgQjCljn@_71o+k)yY-| z6(N}cq*fOWuNx|c3bHGLi9b!zur4KDcfPUy>3mbB(opVudvlfc!Bgr_+KH34>p!lh zr;QA^_yT%cC$?gFaEK)QSqj*;%P(_j^v?e%6xA9a z<=->(g-r-Vle#_!NKlUN*zq=K0cF^XlovhUYiPTs1!Dd*b&+QR(&_B?t(Uvh6q6j`yhRj=9pb@(gvyNV(I_N+ z%lUvj*~RC9CpMz2!i0LLWINAQ8e8wSWoIRxsA{=N_&nI68OZ96(hcEaimsS$Ox^|6 zUNh{bI#LCWYtNr;BNjcd+VbOPUwa!!-jTNZh4SXQy_kBk&cTrZZa2xtS1gh=ITfwk zT*n*iNgS<2ObDuXvK)w=xrwqFPhYtFAxHE)%u4h$1T_jKzq0CoG$9GGKaazdBj9A7 zHs!fnNJ$o7FCWZb9SAo;y}!nY$Ts2U@mBrbtJeKrvn!ciT3$-46`Oqn1d2|s>zax5 zKQ+@|PWzmbJ0kp@EwhT&MFVlG+V9lp|l#4avB6nnK^AKbxs=BIP0Fh zd&WMSn^!ZtBCd@zy?SYEXG+N=s|w?2z8Gqsl7PL?oywyJM7j?T;`j1;tpR_CQ2V@_ zl|}?5764$TUpd7dTk`WfIv7aATgqrX^YUpKoxk5xwDe<1=lAaoX+x}voyE?(EuOa< zq`J5{n+zo!wQ4_ly)D5YRGmKemctGgV-YHXQWZ zv2G?XY=IrjCRjG$;eLP$a!e`lonHA|3OvGuFve?z7~rqVvaU+xDVs*OrHACpI+cCa zbVc+BVSgJ07n8?T&7Wf`!hg4GKU|%w$DLX%be%q{s@caxet2y=Ub{EB=aE`oFBtd+fbG*-MA9`CPKJ{z^of|JmygaSnK7BVUJ_PEwm#TE?~LOQp8LF zx83n{SF43s;n^A{p)!tLsKJ9Vyxzlgm}=hp6Ed3$hAj)?W3_vWr$B0a zif%n?n^74mMm$#426d{xy5upoa=s0U?--2hOjlFzpG?=oA5+=Z=z(r?FpI3`cTO>y z+Ct4e+g~;Hyj7Q0aV*BARQySP>>yuETyg$8$U+N!5kSvg;x9LZVPqj(Ea34^@~VGO zt>$tt#EBR)diGui>Jtn(Au)8+%~yhYHvN#logis1XYh1;{^r ziL~DWH16C;+2{DFLhacWovKub#nGSsd9t@T=Kz#k02IL}AiDJRo>S5<0A}CcvD^{o z;A78wJ=<_uOqdlfRCk`&%RPo~eBe{#)In1W>9TeLyPlKcsR3TwddqX=s;8!YA`UwK zuy^U6cIv&BtDvFatNO(|CkIUgo`koP_+Fud%Da`83m16>DGvl;jl3sZ5I^3d^Se^K z$m$r6KwHq$EArOinh^KSeIjHEM0pKN$=r6_PHyLXk4{45ch#>H_j6h@m;K~g)Auj( zQOW%uGd;yv$`9nS@0}PX?>a(nA(59(|iyPWOr zZob8F)Bc)Owu*`}?vOxY9l)hr+ZyZi2DEdtj7! 
ze|%C}+(4bn*6@MFNssbKbpa~`?h8l0O4*VBEqnslmCuHJMu)QF35SNUS*5Ny=rK1O zbWe|m@|-(#er&!~du0BO8*D9N(^8SoDKM4_0_&Ukfw(mVSc~Idx4fVON*Bcp@jmag z1pZ6$>ZA2oY(uvf7(DD3{~#~+UHVC|2rG!;yoOK96sc^J?rJp!WG#1bF(QPM%FMPq zv0Sh{l9s3=8%y@rpwW_Whf3rx&i&xpO>NHCm!lS24@cI~RWNdLN&q6-m-pT^{!X`S z;2DhX9aG)@?z<^EJ%HE>h)QuIkN@p~Kg*ZGvB*^y9xvZCdWg|-@8arr0hxWpXl{fbPowG{)fz-Vs}!erTi zLizwm%7x9yvbA__#8cNMjQqmv!0rnHB<4T&xW0^)0fy$137mqZu1v_%@&^XE<-UX* zF#5t;qmj3-6Q_`PyHckO_nk5SpV+isxCcJRDs6UT47x5^sqH{*gHanczRohr>xc;l zlekZf^?$1)E2^ubO4E^}{#t!ksamerM+|mb{lstg)zj@EzY>f{5c73=-T9AQqX5;R zB;`r^Pf%usVuI9ZELAo^@&hbU-}+4(<-q4}oLOsKxmD<=XWMgkOc{bx6o-uMFC*xf zjX|n(aMa)lsGQ39tgdUdrGH{1*SaknTJe7CsJgUfd2o!$*zQ~mEbG(bwIxzunK*>9!qygI;8w0aZVbdN`QX{IPvv%XFd`(I!#47YX5?NE=5KuR7eh0*{fcG z##Uvq5<`yGnN{CkZoM1ROIS4dp6howsv9Cln=w>BY3Zl|+fE!xux@bnX{EZ#BQ}Lz zHEQh+PgwqeMeybPoY?4wDbDV{6ponQz`7z*ceKK#=kelU`M8<}r#8Uekz_M!5LYgY)(x!JNY z4rQOTtP}<%bdJONcopAR5)E9O>}IR@ttT{G{S?&=Ih@bnG|V*dz2+pZ0{l_N7tg8g zS!jXBVY&>Nc!*XK-|Fia*{Maq&y<7~fRz$Y+|wJRp!egjWUsTVBVc-VgP^Yz1sHLe zcN%41M#v!LpB#Ru`I(cPt`ia8YMgw z9(S?xQAoKm&Dne@V5BKnR`-Q|x5&mELCm`X93yS$5C4>7bC7>=j1xSlCwfyWtY>tGdybPPTrl^vdCcFq0Nb2=c&fm;3%D7Aj4n3R6N<#gJOG+7%dDN^@ z*{0G4FP8iD1+@wf9$bEZnVi;#Gcp!DJCq~HQ*AN#qej}i^l*oFdaOGf)voCo3#FHEKf7&=B+h|YXl zn7@#|P?uq}vJ0JE>*Fl9+sG}W`p4zWW@6s4UZT28slADn5p|Ws8h?7>wI%&|wQiaN5DnqX`1_+oOOJ1S)P7tG#`)F@ZeP7h;4CHXjtTL!ze-y2!*&ub z+5}nj&B4@kYEK<#;$=&&kl`;Y=1Q|SBo>E^nl)K7MXOG$QTiht`MKnNlsM{n(f_97 zwC`timen;G%E$jpIW6RB^v)VxUl}-Lx%j85-e-ZjC(xZmM0pat_sxpV6_?x5Im;Bv z@m6nOHTy{=zoWVQ+kSy@!mjB)(h1n2=sK#!bfXnzlL1z^5MTlr?T***pv@av;Ru?fCiOrr>mv^5(t<8zJ^`Vnv3N{q{5^lO|VSQ{CC-ucpFz z+~4G-mCiwmEt+8(iLRe!NRH+N3t4*|_lBoG%YM==?k-BHit@w5UTfpB!FQq%u0T?#+V z&BP1S-Neg16j;j53m78-do4HYr5}})5AiJ*Ze=bhXp5C*v;)m`XYEQ73vcrjGa5nf z^OERETqe-+8J}g*J&SA8%pK5@W~Z1M+&oD$r}7n*-XDgwatWAP>nt*LDcfQ8ptO(S&5?aEKsw+EY%@$JFj@ z$8dD7s3Sl{g772P6jvslSF9glOjTOVejDYBB!5f`qXM6v|I-AwCboSygxe}CZF~mC zOQh*CS%BJH5zN{@rxcj|cGniIR68U0BbWm^mC!~pa;3kG))RUt#5-2a2Y!dd1B?kz 
z_pg1fJh0Ja$e5IH3w2W#Uia7UM1g?;76FERzLoT+3I!wbWsZ#{X|EQDZX{@4fZ&5| zxJ<0&-k0n(+^HCJpZDdI@Rn`H*_9{?+kP4QObh2ABHB`&>lBo_K#?a_Qo<2yXEUU0 zvCoak#7Pj`uz^=^8i{iw5`yg!XrPgC0j*yeFq9BUQ}KL-DekFcj0P!sYiPcEBh3)B zY;-Do#{FiP@bkQOA9KybeVOGfp_B6S;~f*#Vv8iQA08jNHh;}#A1hmhKV~z|YC9g~ zw>U_tob0KqHgB@%u6j-dn-tG_11w+qt^Uau&r^G;+`vZs0sHM=+9l1~G`WU)YyWy& z$9?w^B0$4UTJ$IRUObqzqWcG(p${(Bauca1@tLBS;I!vhkXx-I;!n%3ran0LG1E6OI)qLAJ-%bm<=`;|Sj9qKaIW;c zBG^8X6=b$*Jn{o0Bzs_5hO2`fj2zeu^w#kNCp9c$Bov{jljZs+Yx&{*u7mSp$hi$z_nmo((E|^h6Vx&xBWKL1IOe#G; zC^d8s6}gmpspgFn++`l0rzKfSoc_)Gbx@To*r8Xr(!JbE-i<956M@F4{cK#@p~52Z ztiASQ#bk!+X$}skR2W~7C6Q0Hj+U?c9+zyBE`g4vo-!#=gR;%8nt_3j_aD#R9;2G$ z516LhO@ylgXvy`JJdUmV54Zi1;re_1P<`mp$msNhB+k$IZ zKgVB$DHY##AvoM({Xxw;jiQ!OR^5si94XjXJ z>jnD|c&;@X-YQRW)d!Qk(BkAfu~k8Up3Ufi&$**Gqt(Z|-qwT;6HlGUjO^bpJKZN! z$wPW|1fiq+e@)c{fqlXc4vAwHW)t}xf2t~N#b^xWRF0yb#xSLJB+qOI^b@(LgfB$+ zVzvu^DMN_GwAVq%5Mjx)4KK@g)IH=7OJxvH#>|9iD!caA8FWg^?Qo!d;HxoR!`E(X z2FGBhv~Yt#{`2U>G#yU@Kp$l?fI)YIfP9?B`U1K6!iIiFTMzHsXT5sO$ zXI+;|Jg22fg2l}j{n1^q%Hd$dDppRcPKWLhDlv<%)hd&JOflX0cyO3t)s%}JXY4#F zJQCw=6+M4N5Y=;TZad<5i2H zq8BR#X4#tK^_it8sWZ;D;?6jlLZS<84WUhUt;Os+4z6r-`Tq5?kHJQ&v(Qgj61?vI zn`UMyteGhi;XL#-tY_Gz+_|A9hPP?kwp1OkjyHmxJ>}hpaGIdVsZw*ri6;QP2=js+ zoX)p-J{1pw%_J&lm_&}yEnDt($IKX3_l_5tFy^b~rdw#ZW;y>+5i^X(XeZZ|$&tYb zp*U)v5fmR@-d=e&eDOo28B7}C5ZvJbPn5%YqX0@J=*e<|soGh)y6pMRq`}Um0vF~{ zXcPBKr`aN%;wq@Alm9{|o=sz&6OUBmRMS}mH~n!+&w|o3pB5if24%H1+-X$f(ZsQ^ zcW&CmSS!hzfLkYv=1es9uyL6bYlJfEeB~*Ql=FBDAArxaK}_5yC|Zww3dI?q(HGx; z&xK?eT=|!wS7_QqaV5~XKiCgQ@dK|k?NDJYd!MsVammBtYZYGGChaPV^B?(VS!*Je zgwOn=7-*XtD>OioSVIyb9gfMKS4|(V@R{*l6H50T8L<)fy~#^MXVGjJvmTIGs5A%g$h=gjuAqx! 
zs8N%=*AS&*r6&xiWYzzCzR^z+z&ZrpY!)y|PUIV7BGh&*(_rkO%lWg>?}zm+=m8{I z)xj1tLR!V*3YSI z^zzS7X)_T^SKgDP1B1T<&&#IQJ>PBq^&k<>L!z504ECGez7*YoLb`O$NaYofRA9HFTPSqg0Px07ZtXGX(V5lLm9t+$oXiMR#oR?w9(O$ zhzMA|B2hEL%`(ZSHVJEe{_(w2(Y%D?PtHjEWKVmr<(HG_2^yWW&IT&wAKuqS8te;i za45s%+c>nB6?;aiR{;5kQ~tzLVi2~&8Ig>3{s^ik#gGYN4s*+-FDAHCQMS+C>JRJ* zymZTeDd)H*s4r!fypBtouL2#DMj5}sHbW^V4@$-AD5&!|Y%;Hhk6FkGg!1owl}g=% zl!#!~(Yx+^J;!Oy={!rH2Bf3D8N#A4+=#F1%IqKWU6-l zaw@2HMu-JCQwRCk$_A`AAAw1!$-tKxcA|pHe7r!ST_uazS&(t-y3eYg*vXbl(nXCDqkY5xWLn1;Y!rurxHxp1I!9b>C2-#AuqGHERL zJlL6sK{3aionijKmmoD7n;MC>^{ERXr#>`q_>*xQr&~E+gT2Ax(Iyzc#BOO9jihoJ zu0tY2uM=z-z?u`i4-Z2F08f^}l=IS2XVZ_wE3frb#Vjr7p@p&wVJ>Jd-L;EEAZ zu-_nmEun#1h+GAGId10DE(iW(&51-%%43!i=zRECt}p3o$v;p)&1NUQjC+XXLuS|! zl!ioN?c!pibNHeuSXIYK-j7HI4h3{}fOV}C-Zj<{5WtEG`MQ}=u@Gi$n*16i*)Qgf z$Mo@RcHWGXIVpde4ckg2%4Lm>h z-FX-5xxDWgs`Yi~XZ}#V^OAkgL7*iq9LpBWD0Q<9?uqB3e)nQ5pR@u=1Fz=_^asJT zTcUvvWs(x5W!(>Tn?!W~lCVjms4#DTjZ*5MW#yexVy-57FohWl79NOZ@}HW!xwzDV zuDXRtCK3io7=g|-g(7*<jWd7TP%<4C8`)U#8zl-n&Fx|^>9?;BHHyCDb~-q|n*eO$>3Qr7y_g@t zWR#v4OEHFE$&BR$e&EPvtr1u z%@&fKaqZCmB(U8VAHN;I*R)a$8cRPfn)7H@L?yx?mx!V>abcA_Fx5?{%3Cl6YV0Z^ zwq5d9Mcc{M9G0#@4`#@9**%mGIjpCI!1%o0PB0NWjvYQW`nneQ(3eYQDNIO!wF_oL z3ykRU>7?P$G_z*4)&Z2ec;WZKEN^Nv&h zUvSf!Y#h%Yu=uR?Zt)Ek8$3*H7R1~j3>rH`6RsCvk%OPyk=sPw(J)jjLGYRqHWn6+ zDR>5PKkIDl;Ao=6%S!RkdCI-lsz^1+0EG=`EpAoMed&+MTmdTI&NaNgC{#bsnnU^Q zrNYwYC}}XhFDp3ntnPWjuw0WXqWt{Iu~l=QGJoe}C@S5-N;fTSET2@DTb&kYt|Oez z){yBREK8TKEnwm_SUxSJt=?NtpWm$Lk49aRjZL0&qfPa=%AfyuY$Nu)3`lnRV<%y1 zEr}Iv{Q#>I*v`Nx>b+7O4|_0|*Cp@wR;c;wx@$o$N_|=iQ3jctU1WXCJLsa}wz92t z$vpQT_Jz4`upJ;wsg`fniYH2B^Z)FVs;C8WBt7cfZ$FkU_m~M#nt0>$?Un4UsP*MF zJszEd7w(y?(WzO#{pr$aeuz&iS}`>hn|`>b>U-achq9_CZBBK8n^DX8N=Se>)Uv z%}Z*$1X_a0aPEp2iF|6wr(24aIM$45+TcUQ#d?*0-M2uo$8MrSE5M-Fzp#_akV_QO z>;3p}ATu$s(&uHB`SApp_cM9;pIuQDm?$LH`rP!^8@~g7(RzHo*2X&qoqVTXKGR&$ z5|G66$(ixAajKr=Ms}6ouUj%d%C<ilqUFC(#kF2_?s5J`hI}1 zl18dCqiSK5v^MF0VDASkR@22+gzu(2!ET3x=R=tev9^KYLCeKihDXljSNZMKT&nSC 
zC-p{oTKlElk1~|a6Z=0DV3ChR$}bpJ?zg53xz_W6{|E^QrZ>_{xqK;c5S%LGHeGAu z4>h0ZpikVet*Ca$^=4_jNO}k)$@Ii)SfFKo;BkKf>>W#g#m^U)A4Uwf<>a^U6|ga9u8;bGa7`SGvBKxE|YR7{7GFMjy)rFk9LK~rtS&N=aTpfi@$~QS!A5q)H zHRr7T;NjVvmxE2hu*=oOY2@s3cFISBKFy_Hsbvd0k-69BS&E7`i?=$k!8;*&ml-C8 zF!I`UFr!UtG{;{mfxVQ;<#_XB^c?;0Oyh%&rRc(!20__^XTMtZzxf>d59!4_dV0Qs zZGXCcSWcOyOa-jr|fVHpC$18>(TNocQcJtCh?3%Yf&}xi;l6*s0lkRji=m z{44S|>8-%#KU=lD_?}?l$rX62v`}WtL|kr&0#Jx9u^Z{hN!OEc$+tPenDra)x_#E| z+Z*}0Yw~Ln2d&Kfv<&%8Z9T5Xy*pNj(sJ_8JQ0=5^8(7=iJ9l+{ldb-#f3u)e2Pj# zBP#z@`1$AHG`i>5nG{FcH4EEU2ZR?G6*exsnubP34!V*46Eh}rJABRcEz=Hj=gF^@ zvlpjUTV&dtydmQ7ue4cl($Mq23q8xRsBX+!|4n%uuw7}DeO#y}nvPzUPRC&4^%`@H zl0es1Bk z8IQ$H8(B%EM*QxoIZLrxSRKCi z#tUoZa;3m;V<2JUS+hLHFE7NoYp>UusyRo$ZN3=J=|E$VIoPJkA15;AcNsXf?)c6x zEXHMOF~lO!Tv4LE15_**m*h5@noJ9)L=;WS>%<1t+74D_ER9W#TOq_tKFy6&?+IUE zLGF2_A=K!gOGI2|QM2yH)EkUzyT>2q01lI&)@?-kO=+ren}53ibE4&bkZ@t^vjrrk z=Ohi{6yKaU;A9Z+mlzhQ2d~NST&#DJ)`uhS-Qz&$nt`1T?y19Lj zern?WZFqx|Dt(Ue)Jv77m(-6#!zy94ySvw$r}T`J4^BgnGKSjo9y}$gv2pJE(AlBg zQ4*8kd`7rQtgTGBC=(Aw0(hvXw-~}7Gz7cvQl6YmRs#LSd~d^|tX$GYJlI|n;rF~* zlY8vT`IK3uPtmK&q8l8=AyS!9_07z>hI-9zVh8zWdp7$W_cZgSQ~dIGvB8^tKT~6v zvC*%uE_cX3&ysyc0k}QT* z%P*^VJ0enJ)Y4}{_x}*h^v5kBQ((Elm8fRUiTY}_jEPoTZN(86lS`3%4DGO8aXIHE z+eh2?@z+QwNmrAS|vk$W}{`}QI&#xxa+Rd>At}b z7!1E)>?e8y?pEiBG3;J(Dpof(unjCkDbMnEv&0HRWreE&P`iqsZ!Tjigo;EAMV`Z3 zoVn**_L8Yc5kBiZ;#htficIkv8+qM3{$4Rs)jb{iRbEjEhJx(nqroAqdiEvip@WYT z%P!)V7wQTp$2C#aM)whb{edfoKoDzmmfXPGN2a*>fn@-@lxZGc-Rh$;P2H5ZU8x_u z7*2RO{3lU-oO|zfHluVx-F`oxFt4zDW0gt$JC*JC->h+?wmTA(WW1=diPIV#4qM8PRHmL3Nh&Hvk~myor%&%~B@|jlZ8x9U{Wz;3SPx}5Y)6-t zo@gYVp}$0un2VILBiK5>_#^qCyLs7TzMhQn2`$!$(`YF>Jk(w2nHYF-AzW5C3G{*W z5&Lr={iEr%^0S4t;|h4xrk8fF#H?fS*vG(u>tq>x^%%>3k zf1FwAgv2nEN0ZkjBg$@;ise3((i%@o9+-_6b{fYcJ}N9-iaaz!c<7$nfnCYzbD>Mx z7g_JVCqXfNo)c$N%lj(N(NSVmCF43JsBZK5%x-Yt>a; zolRg&db0aut!|HoeqM*`0`+t^6H{T*FFHsScIqjCaX5`p?zK->*6Z{}4<1B=BYVsZ zXL&TkHQCkdEt`SiSi|#@*fmrna@!g$>yM^hikI(vuD(%zp&t$J9#_j;Snp`$@n%t6 zhJTf;dTA=;IVKwb{MZu`08ay1!x$LzI8GR8w4 
zTBW4mbuF^6&h4qgt=6L$ex>g`rq9odNf;NCwAmVps>uUQ&) zC+B}p{|@CtBT)?d(vwGV?0f3!px=X2JoJ8IxL+o`J@xVUd-n`NuHc&2$G_Z4g$to- zRg1Z8)|20GG<%F5z!#%@(6NxFAv(y!N>lzUMjro+*aG^If^H4LnD$F5gLa*H+}DfI z!i}u{&&`rGGID4;%_rCs){s=iGT+ErRj5I$&Nw4y%RK>riJwZMX*S70W1}V}@}A2@sHej>_LfoID|X zYBA{$&T*Z>Xpp!=S-2t-J4!Cga&dnJ8CzWO_LfXIAqZS%Qx+`wJdOeEOqx$Bt%7@N z{0wm?{d_$lC!42Z_pW}y-MI;FEC}CVK^qCvzhDw(1@3QIGYHSnEtINSRh@=yRO#J-k&Y5P zRMU1!f}LGMK_TL~Oaa_vFxNW60=d&rwHE1&vY1ov@ksh>vG|Kt8+vuu!@;@5$@y5L zdegqEsVWP`;S_g~NvO#}&wEf~G7xT8whpx0V6x79DzhB`-0hUk8@73Q$a0)ayyqbDu&N^e4&v#Y9Un@tjUXc<|9 z5O`>7hPUuh2*x&(54jnqq0J$Dnq^{Ej71#XsAk#rXbDNmDc;x}UJyBg9`Kh29Mu`h zU(Y>PP>^ThC=HESp3L@&QmC3BJLXn*5DnnOQn2^F^|nFe4~-h^(!E|(|MHO&{kJ1i z9Zt`w>d2skX6E{be@D13#U2QDN>C4|(HMX}iiL znw2i2(n~`B)S@t}ZUxWYEk>3kuEJUV!%O&VV%tc2vEZ*(yiI4r@m~Z;FnF^UYj3aS z;39a}=4i@(O0och?0u@3*&Gq^>MQIF^r*;W%9|^YV+Rg|FRf^k_AdfKbWlGuCdBrt ze2o@ZUKOw&i}#`a=<4C@mh+|Q`M2*{nr?nV8+0u`%1-qWb33mgm*J)Snqtt;X1scpPwn$E^YS$4~9Xif;2o;Dn)0l zt2gVqS%&>2pF&((j;IZG8jp{dHWr6NA`QA@PGO0LOUt8BIrUOuvUfnTFA}hq*-&XY z#yRWZD?Z1_!6b0B-y)>nO$pd zqGBo=z{yy&iF*Sryu9&#J6FC3A z>Mk7C7f`~eS`yYodtxcS^3~AzuiER5d?}CXcCFg=1WAR7Pj>vU{K{W%u@`aA0_~9@ z3>em8vsS0*RIJ*lUw&7re>Cd<5SCf>Mb%>3!@ zN?`1$yuSZq>~EFlE{G?g=HVkv9Grzn!U3Fx4Vxr)M}Gv4o|X{l^XflGmw_GKY{;9N zqOq-J)|9VjEjL?o(VNmoh|unN&q7Ag2gH}9ejCZACh`vl)}NEu*phQ^^c+4ImEeT9 z?7s5vd`h6ZCdqkKRn!HKsRZ~^6GCcp>@BT12FXgMp>6LOa*!Q z_(Mx#V&d$66tOO%jc|H?ue82G_iUWBBb@i#z$URGAZ^=?*{}+Ubq77a`f51e`r1oj z(n&Huo?C%kty`%Ee)gCaqFH0n8;%G7E8+{d$={PtR9y|Xl^!6lR(^)DVf&9|Ar!u=kv6(ljlfFRe8{S7O;&Sx=r8>cc~M-mh24 zHg4AMuq?Y-UdK^nqh^&^=gK56cDAQVnsjGNdPFEbAW0qKoKSN*-?ERY7v&EdDj{&Y zPJYO99u-yfZpjX2_TyX6uU-I9tQ{8w9_Ok?SC8HKqag{%Y*o76&9Cm5e*f{UR|`B0u@-$mGT z-e|Chz7ImY8_X3B`fA19Po^>zCwqff1Zgn^BQ!p6WWy_{ox*Zuz5SNrFCqPJgl-0V zf5>4VejF86VH`YxY|yq^gW7=N2^>zEZD@*W)8(t7u`{c?8jN!E(|c>m-xeP5&{|`} zt{$$tOVI3YAFICOcZO>In&l_*Q`)~nE=3;n^OVBA&2EeNz!01!KPVC3Tmtw(_Xt#@ zL0Rc&i>$m3vvOx74jCk0udm;%^l1Q#oF=Lc(}6e4dyo``jO%v7h^F}>{dYJR+I(h 
z{#$=PGM+Pvf||^UnCg%-^;Sx5DWDAaeIoaI4+GKTKc?N2szM=|a=u`s3(dD(x*OM3}e3Z_2$ zl{{<+g$t+(DvY{QhH+}%?zUMA_vT}G#S40*>^K*BLVn$phwIY+DG$ZrXYXa> zPXSD?POu-UQ_n!9c_Ah=yHk^V$Do8BZ=qe%qrobQHn%wpKLH z!DDVq+`xXcJ4X_+X)o6QM_7E^8&}|R5t_F9k)*CrnF7Ga2y=wIaZ6P0v)jkZfB|Us zDPIk|SkLTPINH}WHruaIm*3wDz{O!UjvJ&~R z3;lT;OQs@aYQl&I&+GNsljh2jeoM74kS7j&S-(UK1-2u-u{lVfQ>Ndy%l}o~th6~zo#|ZS>YT?u%G_&A zZcak#wN70URUYgRAmi(5I<#8~K260NdRo->9>JRc&>W76#{iDDF@1BYteFxt74w+k z;OcZg-`>$IhBHcf5=3yl3dkvnFz|8!RIsD{PjE!=a)gs$s>-s6#w%(Nx&?$juk%nu z7KJEu&T-OuMI_}6n^10DV@|_e+imKIh%!65{>|3r=OL)$_c}yw*PnDy?$%u6+c!x? z1KwmS(WiCXT*w>ZLGqH7;gOoZ#D#Uer%Fpn< z5hiVasY!GdX29MgICb@dakW1c_(9mnI^fQJOHWXP{96qQhCi0qd8C(bXb)rO$eg5p zn7UQ$n$=qV#X}i?M+sjGt9{lT9wHcDeo_m8WP8% z@wcoO@qcR(~3N`3xBr}q+d-}gZ=!}03OAN)nA+bd2kB)qiS z8tlG#6qbX5yX(MRPHK&~40?~N;Xyrin~KvOgILStr?UK*ng!y?xi5_?jEFMuAYD!E zoC2b$w$(YPFAJW2bE4b`q$?TV5N#9NBpmR_`mz+DPSQn388|~JgMnP+S80_X3~9S{ z$kFHP$g0THDQz7H5DY0k|L2H7z9y~;Smx#U|UZ>gX4*D;H!IH8GzGn zSVt25Pb5c%S4P6bZp5>jK~l^f#EEz+Oel1Ju_nOOENh~?gtrRW3l=RO2ZlD>zFq3M z5hez;JM6Vm>g?ngv?L$@oenB*g0k*)3%)GD3+@f(&8EVl1~1qzQ%)BvjcFuC`nm>r zAjhgbrtK+kypNS!VgL|MfI2I|O-};w^M62mYFN+x-)AdEq^n#FbUQ0SSG@y=w^yfO z<}oR-8I#uFigO#&nkpN93Gxh*r?N9&X{;N{25iEyqFU%D`UT#W{aAtEI?`Dck>Nih zA`j3U(}!gPN64bQ&-V}>3irOe&>L{Dm1&8wKCkb2ksyPt4aXw_Ug)cv7Ygq5A4a=- zp{K`4Z!|ZWM{RPu*F$st<%k23HPhTu<%e?I2=blWpzPz!c7eHDq^KzrSgN=5)<-95 z{t9dG<(4KzOp~}1zY)!A5vTXKlXTS>cDL0jMLoy_hU2k~)L~Kg;3l);_T8SsLr-VD zzmKQhv)Bb+U15b~?H>E3Jdg(+K-RV~lI=vMkc+#?&$h__;}{E`DE9PwmanA)*giez z_=sIxDQJv|O6UtQ5J%<#8H?VZ5P=0rdwG+kOtAk`=y^lT zK=e+)GC)QTTcFY~yROo-i`~}_2|GKj0F2&8?vkf%)L5WCgmn-^OD%9l^RgN=cn*p6 zN+0d`(|)e%9c2?u?~UeLxnU<+x$is9_TT8fCieL_c%E&8n&x;Bl=Coqs{|P8D zh>w8N8Vg0KTY8f02*{r&VxuLhT+uP+f`uyy3ViT`cP@K4$tfQ^`G0css|;o8%ATa* zN(E<`aT}K=DI&ST?dLuA{jofW&SU)^lIyc%RyVySL@H25#w#>!S^Xgk_A@%_BSlzU z*k^sA56t5AgWQ*3#1GhOuEK`{a0;zRLstl}R~mgJ5h`G>;q2`Gz+Tf~_8Oev4eV9? 
z#$G@E$6mt>;F>k%W1+?6qIr$~z($1@u|0Ve($3&}%&M+~eTmm$V3;E%hC?_8i=`4x^Ga>n|_zd0>WFyO9Z#U5D zd7H?&b)OoN$Vp0!9}lzlvEL-jz}~fi9gTga2X$|t6f9$s|2Lbf;}5V(w~;mC%mxBq zj3K7QvcxBgW&|XcDxx z9$X`b>r}F{T6Hn0QRuhGc7KHdnr``rGpvH4^PQb zIKX=eMhHb-Y=*GStJ_2^Ye@!-1?a7y5rNxmMo-rzQsAt&hSjTjn!bH};w;uo z>2v0xrv5yY>b&bsj(is@>%wkzPe{q#Q8!|wnl4}z(n_nP0%%>bGwFm~_+e|jAQw$% zirOtQu@}0LBJ8VDMDG@HOThlrt_7n{B;C41e;dKj&z=fEX1KjcL$4mCNq-KC4pIZ= zNM-4YK?;XZP6fclE#Vrdc4Kaow^1uB7oNyw%mpv!p*xpEvpH<^+qQ{#l?j(hIxm;@y* zoYF2U2~QCzS1ahQ`@l0b+Dk-xr1ChH-Wh)D{L3SBsqrT6s?otHhT}Cx18s*W(B))A zM-%)q`${eoiU?yjtTbO7aGF@=S(K&jZ(&AMjd>7RYhUgi;&%@xr&AKVkg#hgmmWyl zzU)-EUNc+6Z?Q+#SH8Uub&H&D_Byq?9%lO8WOp=j_ep1xQ6?K|G4I7M7&+b>|M+As z+tqml|}VB^H7xn@?cdOeF342;}~iyC+IjHmT_IUlmGxH?d-M_ zxSZ524%H#lF@jZ8=4cfj2oYEmkVFK9t5P9P&g&`GRcZ> zkTE51#3&q}O#QwzANg;kN7dx4)suFGjS5{8#A;#!mMCQw-PkV5GG>s+Zi`+hO?MuJ zjfK*klMgm!eEk?DnttR*j>f@fHkpi79FDyFeBwklF+@At^xEr_vCq5y?#7yyipnu@ z@Es5WUuTj}#;=!hzNW$?EXAG>1Q6py)3D2R5#gZ|Tz%D#KrN{mBtNGGU`+y}Qx~ue zAW>j^ zD_TCv(lSL}T}8&23W~Q4vxs8&jckhF1ZgAM2H^BU9O@jB@a|hy-bMK-NEZcWqWLA) z`l8c=%@UI;Z|wRRH)o3C*y8$|$?3XnsBTeE61%R1?>fh4LJrh>rg~^UKm@i4<#WNSfSD#yZ8i1-;x@tkrauS{IcZ zs9Q1i=n5!bue(A+ao7W|hssDV^p!UB%E;`Fm@4 znrFrDRuTk5E$yh`p~XXsNARTcwRJ13W>Mp%*?p+>?TM4Nvt2~R7M`G{tOZgWLaS)# zvfZj#u!8nYW7zV@z6Ng$8LA;BaBYHJA&-35D@-qAd-lU>Wb>gzYDKRNKdME+e0$O> zgZ#Hb(D?5;=U0@%iSaH1mZTsbOs<8tGSp*+aVFPI3bGYDS?Ei6P_JYP+VvF!#8G>c zYl~ohlOaU^|73{!aHMW3KGAmMQqlWc80F2=l25-aH@1EJ$Ld}hmA;vAiHsDWQpB9` zoT{PijTs8;M4+?tpFow*QBqgI(4vSx?iZb^7t5Eyowlr3cA%eILhfAZ2=L0RXz{)y zybkB^`$Bzy=HO_|!rc2QgTl*#5(6^e6*evA(8jsCfsvlU4g}X2t~+VkIZ{#E9j=@v$x9-WG~@a;o(U z{UU~&6fzbGp?nC!L5p0@L%?Csz&MPNNfJg-ic{XGu1aosA4muM?Ayds1;L4_>O^em zwli<*(f&;3gnK#+lxi=A5<|XdfB@Bc#xja+{yL|-`%eUl+`3mh=R;@Qp$1{bGzr?N zD_CbZ)EO{FUL=h;!skv=>tpt&qM{?3(G{Yn$4+Wv-_h3U2-9>MHEcPk~Y%6(q_ zGEu>Ugvb{F1&o_CLVQ zj5y6+fy!Mo)UEzxbSyT?(9~##M(6d{&Id0JtM-Yu3xQz7_-hN<_pvjoJWx>@#_~O& zkZbDoQgHfBp?yW z*EgFZ+4wS`2wG^oJsMnQNh2QIjPHVh`hkkad2_vX*r2!CCfP38twB(IUC^yJo_y!C 
z3+_~c;GEvfRFzNxCaGy@f>Z$4tUx@0?l%;va|Al+u!L~P0`Kz1v^jz?$FHI7JnW&G zMdJL+ZZ{_5=~OF_jDw=JUUWGKytnYYx^1PDJmnLiIJs+Dx@poBcoE_?-%;rq$_Mu9 zYMBEMNZorhcU2f<0;=%hQjLr@E`d6s%q1#z*~W3K=1~Sv&>1qkJ+oG6w2oxIVx5~H z9WTT{l*Q^u22pr=!e5OI$Y;wAvgiOV8!*Masx^p;GA&dK)!`Hlfys)N*ZRE zhwVV_APN@ZA(}XP(;5@A*%jX;{e)|LX{O*hUD)TGkoz>hg3JtOX?oEs`w9%n0V074 z*`4qlEbu>1mpMTe%18LHuodaVgvj2JN9`4(q%>8{engDIzA7)SITpbE4lS-fA>?rS z>sy(^Hq~uGISF1X6R@#T)T@~1uMnefb9G~B-Aga07i@M*V5o)%zUM=8~B7s1(X+>AMz4p^pYTbqF!%KqN8$cr+dgx}tL{Ve{TMZhm7 z1zfmEJ`=ivcpF&tGK-)DYC}{hP$qhD(D{Qd3pXhJ02@tl7nK6wqmdp)>|0<)`IRoK zWw!Qxkl@S=U4MxF)g+8*R$tWEOruKN6i90-0$s?vX)(U2FT1DfhExk$Mv<=DhI(sG z+KJ^uMSnaMUK#7!bh7Jzcii!#^8q2sfZ;M}TXC;T+8y6C%0NS$#<6nGBoD_#(`3gA zh#%B52bpb;XC~=J`%pioKr3bo>zajEQeP%MNAoJWYkX};N6W*V=|#f&UOQUx@|4)W zUM6M^81h~`hHHWpLIOBrUKE{RQckL!&^0q;?G}Bcxw$N{Z(jro9pE)C*9sAghhOOv zBb3tvf-9wEiBEHmgSp^O=yT25jeBdF&zdr5I&t?gEI-c${s`QngP4 zex9`z`^imO&S(?e;=YyNFEf>z1vC=OVtEd5_@8G|{Ujdb9JGJ-nqunC3GF4bn?2CC z?EnEW`yJFwxy_k;6GKU$sjPi4DQ;3y+F7&w&X@c}iE*nvB*5On=hG#K^TcJCLP_hm z?;XcTXec$Pzw0r;=U}!?zsdV}>HugUIDKt|9{~Om`&svOgBX866QBiXA{Z?#CycnN z8*JPn#{}T7CP;WrQ?^Qgq^DxIamU>|cML=5=?GtzB(N$oL{PJO+}D^wc+|>oUF70) z$EX56uxM&9#D>K>B~gBs-Lramsw$5m<#Wi_@Bw7lL~C3P7) zcZLWh=oJ5AAb?*!7@IU28|iel-@*9)3Q$QxB$1!;v0HNRh#y>z5 z0fI2b_vo=>M@p`i#ZOJSH?iMJMCR;0o!g54T`BOG5dxU#(v-@S$hW{W~eZ-yF=BXzjSJiSqu%8vr zh-drxogdf8s7)y53Vl7Kj`zU$0zqszQ854YORHkXs6ZqW2xcX|JbG02vL$>&!rtTW zPMs!JQ*JncpPXD-K(_gd!F0>*#w*U>a-WRg=7$#^lFzC=Vzr{C@LdGrwkxO0_NQ`J zbL_l(%YmFO#+nztthcLWN2dB5ZRzx3hun`YIs){WN=z)spo8J9qds*wUJ!7zv zfc(q%G~#M9Fhv&pM0tzj+XDd*^w_)oVe!7M<0mL7x9h(;cg{EUK+7s-66qHv` zNF)$!`@Vjiv6FfwbGd50Bs=zb!V~WzliQBaK*!OLS}RQf%o=gG#Bu-YD|bpn_j|`( zM9<|@K7kTqw=BqR4NlbtFoiWTG}@D>KoYcT0vw2#O&LC;VHZ;mdMA=?Tl5h5K+2W5 zIa_SmVq?c3cr_^sXo;0f<++6i$9{;?EOJescH zrwyItii<{vYVAC(sQ9wDIJm;S>wrD8KjG;d;0_pt+mpVo&K!NYlUV8SIzE^t0?FT< z(*^yhe6*nFiG0ltKO3?>5WB%+IAS(t-|eHm>xu5pQ9q#*wy{1JHx~fA`-)RfZch9_6vk7RzO*UaT#4XNncYULdd@N$M)uBF^H 
zsb7}?zp(qRdTo$q$8yZ#niHk8`$0(8@f!BAu_r}QT~j);hqJ#A&1E*vtM_j?ohqGI zOHDYQYJ22(_Svi4kLtZ|dJ72dM~Bs~p1EqA0JWT|%sT$l|04?Hq%w(SK{7#y$$-{y zycVZg8QKYp)Nngu?z6afytueHzpBd2`)b(>LTYEZGTQmsl;eAZ-1IN&XcOo4b*6KH)SSLyZ)@<{hI)lMT4^yIFM8>k!pQ~+B7XcE!QB&p%m2A5E zc+2;i8bRTivKpgzW@_l>kjHoz`|!v=K!0)KmYxEPB*oY<`;X)G@lxtKKOcpaXP&00H}U$n378`X4x(XJ|9zP_EeEqyen!_;>e{h>#% zWh;MF0p-oL&tupwuSP4~hv8UvVqy*2ty>($(D!1TLCX5&g8$Ev?rS5|bFe5kfQ zr|*z*=K+I%ds^PcwY=19AUZWzHH6 zVZh-&8}RoVw*e1iiRJNt2dYP&?k-t~)f!mmSHJbN=)d0Szx@<>8nDd|i_Go+diJmE z?0@x#miRC0p8fZ-|Er(+^_-h)tVZj!ihoJ;zx@<&3UJ1z%?&pGw?FW&?|s|@oSOm- zx8KR$zqs!I&3jK=2R!B9(bj+ej=z8L{Wa&&%&&cozyGhL{5PMzpaCuXI}-li{^(|F zV7@qwOxCT zv>CA8o8H!9|La2tAPN9b`8zcH{R02>D;p#O>unw=_(S&kUo1H?ecSy5*=5D$uNI$N zl2=qrOh`zV0s&aZKg(?WPEUU^FW>7j44^uxra(3x5e7TQFSffs^v|dE^5*q7mrd^B?bc`Sf}peChL-9ZB|)gwF=Ck9mUz`-ZptvoI$j z4SKjGk43aztn({mXufT(e0H_<4x-uH%iBA_{n>Wa|LJ0Fl)ik66i{NGrg6pD`Q~V( zDJV3FTXi&ECKvhddiLK|w{!0ocfNOyVRslXlu_X-sl356q^9N+sP>d;(A|@NQ}zEt z`XBeaDK4%ttWqzzddbh+9g(w)dN>^LKivetb*TXQuwJV;1h`=`1Nic-^RL_@gj&{^ zw*Ryz(st|f^YgFR4qDvX_uv(8@Ot%;KU{-$o0HTR6cM>Ymw{dNY<9Ezln*nz{ihK4KL;2s&i8SulLqN-= zLY^Q<-E*gCfaAy+e6UuX_fJ>f;Ou6Af7`1U+oJC(mYt8RmL`ixZ20Hh&Xe9@!!HIu z|C@aFPrown_zoK(B>}>o@Ag2J?;qa?DE#Bu>Tmv=P4Q1(y0T|;aa7Vezb8LR*Jy74 z@T5?swbe*%_znO48}3{Esymkhg6ZY?>1~`xl?#KmPyMUk#qDKMVZr5S`!mfc}GE z06BbtM`p9_xYEC4@P85v@NXBbq~C}*1MIesl>lkxANFbUM1#R)pip7Q|9@=$AL;ym z<=6lan{P#%lIu6Gs0lpL|4W!XP)f3X<=E->+M3}jlTEI8BC-qh#M*J~phbS!vUXQs zH~!xPVX{pkyys?x$&fjfVOQ=Tuhh7F9Y|^&`Ria^2AWi?-5|w0*v7SZ{r7nTxE82U z#;d??jKQT#mnK#ZM@^(b#3uM>?`#14;pF$rUaI+}rDju|p^p9-2If7pBledfcmfbZ z0Y#+se=DNM%Nv%(DIjWHr8R!7qCrfF*BjcEczYv;Kew)^ygb&?)6g)AB+sTp#4iN~ z297|J_m{s1h{#G*Vl8Ydml#d&sBkmQ7+T1*v9b9g(8SaCuyS$9U1fCXgHZiIf6cz7 zKA=Jt9*96n407HE!CHdR8SviVGYwQ`(F#Xs!tKihSlqM*epl}L{Pg(eS zKiZA3WT}OUVYDg1h=!P;;U2AU$0`|)@SI_U2eaW;sn5w1Mc~T zf7{mAo395fyv&iYOZA%TPju}|j7v$cmsb&_sJdEx@ncN?M4SBXE&Xh7 zH^_q`ON-j|Rg&rJd83Yt=Zzn$|{zCLD}x76o1D-WL+fXdZ_m 
z&d^dz?JJF(L%dQwrJu_?tY3av?ic5u201J`qDkKJ8KF#9MNd?0%Ne|;^`mLiEi?5BH5ZbyMF|T6ZTByZ8NE{{yKj- zs>&lBT2XrK-ALz{vT!7a9(rCoc+M5FGRhBEXfEd=uE6&Pe8}$`{~?nBt(IhG1e7jm zlM{ucLd-NqOVcVZf`Y1DH2WW~^DDUL8~5k#JUH^(TAvFwzAXXB(I8~akFB(*$@3{c za9I0^mr7!+StwVyIl=xV^xUpT=fGYV?!&XYo?)nZ!wb{cF9?3q1(lh3>wPvK)<@j> zs9M2eAN+K=aCf%(B*F+F@urFI+*3Doi89(i^Wl^Fdwy;~z}<90j5mlTp7`Y)y4tT@ z!Y1!se{nwl?bR28@nv4u$9)|M1q1ut-lur!t}uxY0%$9RSdRsr3z4(9t``-3D)5rj z)B{@YMy*V!H^-l0+J73~GM3mE)Gc4(*$cZASyHx+Co0q-Qd>6Ncy3UVx(@r(IzFqaf`1qEiL~sOrnk%R8T$!mhBndX?a23FpZhT@!8Cdwj>54nY1g z!bktj2%p;t#I0Kc`ySMR9sq@slgZ;@pL_u%RW>I#lNV5{duwV`C7`Zel~a}+T7S`5 zIx+Ugmhr+%Nv95KKWNY%KNkA!LvObaD={}t+oJnWP@`%|W218{=q71%P4_*u%pKY0 zg3rwVI7`{mznve)c!;RTuVU+BAgU`}ET~^HiL*>(XqQd<7S=XML5IqKx^@1YDF$fP z2I$jcFkP*Oo*4_A=s-=i0&?>IB`1@nn>)N^AdRNMBq$7S$3D~uT&;Uw{haA8xdkecrx@0e#H510 zL~w$W%4*418&{@$QaB5v6VXz<>Cz#>Zc-9iyP&kREc|CLXR$>*Yq&O*@R<;oVz!?h z)-0@<5G$!ohzW9i#9w7O_C7x>qV@B3$r2n93Z3dumLy|trD^!NHUTx?ezjzaOQqBN zpRLzdCi;;VRWbzGK0K#jvTe;w&CAkj=<8EBeo{DlSRW{)$Cn%W@P~jpvEi<{Pd1_% zjTPEo^*Qsq?HBvU@ETswMsVTV;U5tt))3Q@K%CiM6+WT+mwv{WYbNTlzB+1D9}?$r z4zA4Pik^osCN+yDX;}I(_%%NFM-zRLD@v}e?PrdLJWJz!!}H>4 zL?!wGb)!qBrqpS+Gj^;!W`259k&OZxB}HPzY~L$t-#7JY)uyO|OZyvJ=BO642tz)A+s`7LwXQLYZX zffd1A`9^|`J`d%yN1R)^NRVTe9Cz{d%fW88eIM>ZCGC?(A2pclWj8x;N4HmL(^SOj z>(cA!j~)tQf4llVzi&VXXzlnLNZSfDtt;D9-5x@icZ4t<`M zX3-CKIfZ=~BumiEx+H5-iobeIkH?A5(I0@auqSJn9_(Es$Wh82MD;h*-o_?D(Vxf) z63`Y2OK))DbE&#hL3|_2+9oqPxw7L_Q`KBmLy+gFRik~KfnF_p2SdcH$V_|vsA)fc z!Z(MzlWoW-D3JBY3=QCXfzL;5USdz`n^G5r(=vM5&%CiNCnFW4`ekoi{G&Qy)qg z(&l}K!kV6liwrJmtgf_jpW!(i3aY6BmQM`k4+>O#*pyM`vU+{0o13=QUIUe!99qOQ z*%ay=Q*`m3xXYU5B9=OisE_T})tx*BcwaS5#F@Y`h)WHpD^jR!Z;}(G6U(SMI6;Mx zgPd!b=k*hvv|)F|(gHE6&0%A@^ixhXHfo*8-N7+sJi_@zo?}Ien4@-yXH#(5pgxM< zIFDta=Ji(h<5}`#c@kaZ%1Sz%Qji7WvMzCw7^7V$O8oSG60wUb(^+99;;ibGr%+c1(C2CDG%}bo;b4^Oop2{<*n5sdSxP!t9;mDJj3alMBCt z)uaD+uxfC8{p0mj#>>Fe_w9{ei=sEF#Z^tA1@F4Q4n9Ew9IHDZ`Ko@uPd|tbBfHE& zF*K>br0tRc=;3E(nJQMYmQHZfVmVnI89<!b-|F>T 
zzG>yiguiGj`Y6nYs*y1MrV!?uuR8M#M&Y@9n?zbVn2c$sHnBhDmTcCPH+?&Is^;fpg3N3;8xmJFD&lr^HT!+#` zf5)|+Zu^5i-@qCUV6FX{#pyoQGPc7<{n!O`Ps-RuGMYM)QKqrtF(J-<*! zb~KD5ob&ny_W>LzSSs77Sr(1YuucjpOG1;mPgG{^F*Nc`Z6genf|Rle}d@a zdcVVSu~B%mj1dsPtL(kFCwowOJO;<_l|Ls~((y`hH?`x31zT_l7&xLv8-0I(fFZIE z|1i?$*A4rYAk+X695H5Scdw*5A?Mi~(;@PfRt}4syZcZ=zfd}Lm0GSJe<=LJes@^# zTaApS-hQf*wN!%-Zm02b#ktRl9A?Dof)JV>37P~NQ_%;Mdv}wfIW_YOv}Mc|8yfQHEoRf z(o;Vs_D#u$$`I>)TpwCMzaN~XSC5ODSJ0ikpO_CG?N5&|f!QDMt>;H#UAwUmVrBoV z<^XF%xY?L+Ger0{R*oC4w=j{rxU8B;szhXoHqowvo|Y)o;D@w7o(M$gvY<@phYKE$ zV;v||aKH9ikF!v~(aV66Ec<2?x6jp2l}C>*<(37eGo8{*g!FrOma6#&vKg`G5Z$4I z^N~88JO{W$&{Sw2XJ$O3g&jH%4}btp$O0K{HVTeuX#f?W9*}m8=rpEIKsi0MpCe`aY zzw3{_Dg1)a&i+S?baX4w(E5{A058-qvD~=c>ar-Ps_=TycQ-|CH3y=Xj{qTrqOZ^0 zzZN*ad+%D~UhIygOF`5<$WQimxP41OP{FBbDOi4hCEDwgWFvz^NAhJnvS6vhoxH)t zpV4wH!dlu2_Lf2S@%=)KKqJm=r5KjZu*G+v#I$O=9*lat2qVQ3Kf-oEl6W&RmTWwI z!DQSqXoMU-e%va_RhF6@Amo{q!cMSu_sPIS08DqHN(yy3**RmOLg&XfQi6qXh>vVo znv(GAR4*XZY;)OtNJEL*nyDKhC!X1)@uFCDnfsOg!o>v-3{)wZ$mWC8+@0&i7nq|C zcWa!WpiuAjm~Q`sEj_&ctvw<>#|$X*$GdkU^gFZkEo+GW(PvDDy8BoykGZiG#`|xh z@?@wpa2#i26kL)z(=az@>LC0LGc>u@9Aqti*n|4*&&RNIKRsVF?u~BKxZ%P8FalB&21qQ%ZaHMaGw#7;Uo_JFW`()GaS=bMy_%RlnVmiJ$r8-p50qr>B&ZqtEmF zN!4At`9!%{;T{ZYKRvX5$)TR%kXHEmn@OBL<^DVrIqDc`1G{?$aH@g%)xaG2zGnF= z91Ipp?3>Hg{d8dajeG>FAw*_#$vb8%CaT>U7%w4fo_T{_G6acx9*EmNHgDG?*VA}I zQdvENx=Kr!7B14>$Y1?Lvdf~ugk~eUxpPxx6jglOSy?^3Q|>j)21=Z`#=cwezB!L5YlpXLJm?yrznA8&&9wK2+1nB@J@O zZhIU7uZtGM(!hL*w!<2@|%Gy&rS@OdTlV6QkCfjsV;$I zekOcaM6H0&RF2TyU|3hSo23uTDRT4c>9QVUoaQ>Fo-9 z$}aht3Q%5(#>2YH3WB5-d`Xx{V>AU*Ay>tsT_V`uq z^O6)Ansa#Ao#NMJ%CUk(kvtikPei?pb$+tQ+(IIFiYj^~Q7YnRR_WV&mmM8m%Li`r z*1ZASd~(x~?ro5!!tx65!AreTvQ0n6s*5yKU7=T&*c0&a_4s)l1_5q?dK2 z>HDA^S(*dW?~ykox~8ZXmo>uFOJ_3u>lVC2`B7Rl`#V`a2le^$+dYQ!m$1B5#O{S%eu8O%nw*OVcOhGfqS3c&qgksIPKctk^-7vc^{Qq_HBiL zy`PWGke4Ipf-erHgH%^&(j;7{542y~EBh<_)IbfD$lu3N^^S%1ee$3NW`&l;5g^W2 z`U+Yu)+{xp%NZh(nU&rJSvz4(Sen`}JwAvOgcBw&)uraK>0_@P{S{fGOOLKLXO=hJ 
zyw;anm*yApt6AQ0=U<4#hQI6S*MjVGJAVWprBFXssanWEj$fWe8=oBPE++c#m+Wr~ zX@vUxgp@jdqNshVIva2fK+OWV`qUlhIR~HRFP3~S9EHqXhYtHHtW4x=^kguD=?(g= zv}LCs3_E6S@Qpfj+1OX=dC4=az{gWKNVuik4 zScjVA&S70Ixv`d{^yzTf^16A4-qoi|4!ZzI4@(U5R6>FdTZy;d&Cf91u1 zMvuSn^=E}0I=`U$^Xq{&eb7B$e9Ez%jilwz2cdhpAC}n^$hSS;8wH<{AKDw|23m%( z4mueZ3TuvBJXFtrm)y9qX&p5Q%qj6&-bt zAeX~|3K=n?du8jqY96!R5Jw;+^%?OrfBda?%#3iL@5S1v`^h+DSapkH6Ew<K<`6Yt=O7d9-B2y+ zvrKZK-hMY6G9?9m&Y?B+9}-p-=laanG!!9y)=aTQikhzM4Nc~E&IAxW*T$5Vm%nPe zI$AL+K9CZosVrQa;>8YB&6r$Z3p4z$Xx}SISr%FlcM6Z~SDK=_fGa-D^@9*jS((G# zoH`u2slrIf8Fb^`DW5X^&VwQYjWY^mKN=!3t1T;7%B>wKg;|t&@&@^?r)KP<;~PD# zwNNSAN0)w5xJVg0;e)i&V!t?hsSqtJ1x$Z%efnf4xL=sbh{dNrOD%V zoHvE%{J}Sk7VHj$C-w2gn_BpbpR*>U@GH6IUI$ZDr>SC*-8PM&i>$yyD1Vmj?WE3d zswnfOXU`JQyzbE!39QgLtp%V3EJ5BwJGwOM-Ay~E`EaQmKGQjH@KJIj3-E01dF-hy zs-McrQ`bewE3(rMvw2S8UhJ%NdiTiC9uZl~-{-~?C^6&>UJa&q${J9B3WYV01W*Y9 z^6{7MUX3b|@yBQvUkfk~zj&GQk%6^ljIY5GNDfUA?j3rcgJNsTK|kLO~^4 zfRK3nv;OgZa5%mJogT0_+sFE3ogPXC_fXbDJgQ<1N+eH*5wXfF{W;%~jIV|1_}0*} zjQL!8c+Xt6Qth;tagtVquxV;6oLZ+hOt3&M_!jt-OWYitGXZNl@!iUN7o{pWc81|}m%Pn9`uEz2ytLHgM%(+se(G_SrP9HDY2*0V zThtvIiHC+vxN*Toh3ZSBCMF(gcG)^fUzKspe8^c~7{}cxuSXvU4F+Kbp{n1R8673cpjm zhCGpAvAyP06UgA3T3^?{c}ZhHo^CB2m3eCE*M{!e0yxp?TxA+JL-~h<7VRta14fj` z%-k;Zu15a@JO&Cu#?yd6H82ODo;kL8uz%fn^4m9{pLwnM-;0_>>{(GXWfx;2_a>$j z(sws&QyfXZlaG%vcH@Vg^rLp|v_U=^AzGdOT9?(7hX_+8;J1EQB#u(V(C?E>LIs zco+dOn8Gv(6RavqAF8svQ&Lu=Z0oyF_hS?c%02I+U%%;f*Ed00V~d$!6;02!>^`$( z?jnwj9{8|zInZ0yDR}Pv?sVR@43s`EYx!rT#TP=U&mrhRNqIZLMVdT`I>NcF&w6Mx z=n2Gcl7^N3m{G|YCg4jqK$n;#N+a}r{LLhAp(WL%$)`8+a?qj(`@6^}LE##ITJnaW z&>i$DfVH-ygd5fKPlb(+KW;Q^pBULO&=f<{=$Ed3NJ;s9IWHRh%CA)XNB-a<5MfDH zTPvKI>0HWV^|peb89#o?EY4RIF@0D{3FX6G;NGgwGDg^52O5E8D3H;bq5J)C2 z(0BLf7ysf7V;MV3Ad}3cSPIUJI4!yySVFd zje18tI04-}QX5z0uT;}dAjZtHEzQDgGQ-?SGp&ZF>TH&4%-s82vVMLFS?UX2CI@tr z>}P26&|1?1Ff&B3s@eGZF{xFmQ=tXhb;L07JVep6z`0ezJ5xK378@q{x(4^y2a+)@ ztWTNITtiSQGeQ^d0u3-`-)exjrnvnH^nsYu|2GbVu?_vjV2OWvw-#c+|J*Rc@-dEB 
z-qbbr?BYyA$@5t0(3Q8<0@)yXo&Hp}nmAbH8c&@clk7cvyejTl+E`~Gi+Xg4g(yJg z!a2bSRHdcZfnxpgLC}(?KG8T(|29o*QsUYH%b=t0BL%wy*v(_qj|VSxS6Q}@#B=l$ z^xH7U&@gSFLv4=Cv$=tu%MkvJuLr+A5f8>QscgbmYrN?=ZqGpEU$yF{-=-SGW>V1uDh z)U^VcBOYJnQrbfOnh>lcN;$d>eg;TQW&Eh0M%}!+`LeMaUcP@Fl?}?1`KrJf#*oL8O|gutK4kev>&j^T zq_)Dt_;E{i23G;e;*pljb^YtV2M-6vHFTM-C1vIvy|q*$BKj&@=@TE9hPanTNJi-G zJ$kF(#w%tEnr;^#R5G9(A_0we8^$VpE`Y48Q${4Si+o!#zd;!3%MyPQ^0BOKYmI(3 zZ;+4ox{E*P4`4|RxhbDHL{LAFjYj7B>`=?#Raj);DKEPaZxiZ2D0O z9V)R?5$T^3y=$rc-F3K$6UqGYoK~@nW==XmyN)sE%>WYjiPsMcJM(faGoduEDYuWt z5Plr*E1#zflNMN!W#%2Tb!2em z<)|fuB@H;@FKNLA+n18fE~+QeMS||W2-2T!8!(S^S(UMD2YhYyXxGsd3tT<{K~DJ%cxT7HxJg)nOU2g2y8U{F$fqpv4B zW!Vnxk=a0d#c+=R*2+@y?9$^N(&vv^qXC2|W6)xz-_ioa=)9j%cpxW(y?oT;Aflq9 z8w-pLnftP_%v}52C-otxS8o$L8_KZO*FZ*vI*j|3KkYbNhh;muJA0Jhn55c02LVua zV-}EI)}yQ@hql%CSTv1F+>Y1Hd26pve$T42G{ImeYsWpFmGK=}Nlb zpcnh-6Ot((bjQy6NZwBgAI_bG8;3m7T<<391wO%W`Er&!qfK^nU~h zYmKZJg6aIl9=&)pz6+>*K(eruM6bIVkA6Yxl&|j+XQ<_jeGX~MLTvHtL03OwjjC(> z>Q};QrKtx=A>+_UMJG#6n_AvW084-PUTwR3!3wxL@pY3vuHNkDOvBz4n-b*hzKJbc zYL&MI4mZ8>C#GRq;hj||8x|U%@w7|Uk`w?I>B19FWu=$v`~Z>xH;OF=T1ffc0J5zg zBndb;9a2(5Evar1awo{8nA{Bp#=0b>8I6=j?|_BPeCJ#+hGZ=NRI|rz9ZvJ2l0IKe zOA3Ay*ucQUoRMlQ2!5I+w3dBtm*Q7xgsd#TNXo-t2#03gkL>LjmVPWpdw!l_;nAA$ zmS%CweJQdq<5(+e)(6-^NLQGlKX&|cawu7R)_bno(ikda1_9$0@~cYK++Cq8r_s)^sXHHk7AfaGO~aW1YP6DW(`2}HY-Go$rWi}J z5FwbbpF*ab{ZS%Yqm0>n?G`pv`me|6ge92tO?Rk1gFupNuMNhDBj zstEUlfi48)eVv*rxDUh~DaYc>L(aHM3V%4%o0}vNe9dw=hj{f4$i|WKbsoSLW*J0s zMSm>zQSj3cIhN;PvKx7bW^uE@iKN`hxP7%(BvGzR#E^A-3v48`@)uQ$5`sjdB73Du zv;A_~+GpE)OuMW7?P^flv8&o1gCVt{eGdTrx@qv$!O~ItSgnFM$<25rrx9ldq_C`L zwSU%|vsYC&?#*V9y%&H4U4q-y))ye@;@a*jj;smE?{1&WhrYn^Gp*#=ncUL5%h^zY zS^Wk*Ljcl>ZgB7c=eaGq#nH|X1qh}}=u68QPu%;~EmgSbrzG8xQrC&7-fQN;=FgLa z(g$sr?-vZMi|^T3o!ztTh5&~RhAT<;g;fX7@l z@V$HKIhmtBeeRs|RM*7IdNcBmj)W0!8K^s zzO=|0zG;pS_>d;4Gp>gb9$=3s!YLGLCsfntsp6XKhXe)TT-)#YS6Fj1O zc)CMSk{SE9=)zsYXyE{<1WG`})X;p)C3Plqg%*lIU-9eEU7uU-bNCxDPT7@KFEt4% 
z>8XHrP$v3JnR?c3dwRU#G>N)$if3~~e`Rh~0uaTW#xLC>|iJ2AAfSNK5CR*z~WEB3WhrZL7ML6NF{wdZZmiv%Y6yk%VmJ z@!;s|Fc;s~71SH8_Cusxjlw0^Cx6H3Hl9cuf)o}}tbed?1$JjHFDav!lys_c6B?~G zEv*^mXZCwHLN?xOM}-j?<<w zvpCaO-tU^^FWP1YM$k$NF_%$f`KfAW+5}o`njGXq(McPyyF$86Qp}NgKuDDJIdC0e z6$`IrVW&fnJz$)nE2-ei9OV=pG=oxqh?&YJrVrVD)m<7OTLmL|D{^S!2{ndA=-!^G zS9t-o%06t0g~}bE7Obyoh1Tn=y3-WV(*HpG`Uy>EWXT>S=a1;8n&fmDcCi|KD=_(t zxFl;+y@OzpImKid7|ZqaZkqQZESoH@el4WhdeF?hu`!qiuJ=7FIrC56*XQNQ3W6ne zsKd=t$j^G`8#y#&-vXGG!Y~u>nX=t8e|^WczmM#$^=FTT$Y-0c&oKPOuYPJEyUi2G zhT6o|8u?Zg!a*aa^c9mmP^qE7#-^~JW_mZ8ZSz$3==*Zw4HS8n4R)f5BPiC+{kc&O z)1DhsT{0zguef)odZRvfqG|&|pP|T{OTm&KDolrj`n!wFvKEV%+~6>gP7->`RRm~5 z@6~}qQa0&Veb+ zJoLa-zXNUE8E~N+bqj1_X%4l3c{ssW!0*V)<-&!dVy7@aRM4DmPKK&B0BlZm@q6uS z#rxz%%rxavX4gA(aVV-8?Jq70P&ZD4C9LySI|D7B#2%nzjI7KnI@Uab?IC939p~l- zb%)`p_AqcX>#hxMsV0~5cu!Hm5;iIXK_IU3GUWpN2(O5tz?hZ*XrigPc)u(zIDkW} zg(N+Ert}UQJf;1%t*Q-mhJUqg^v0|1(Vc}+XSPK&8Mc4IJ#^(e1@Xz_Ltx}95FLH2 zJLBzd3mcif{_Lb(V2uR!!Fs|qQT*?S)Id6GgNnTY1yRNc#OWVXb*GtMn^PQxSsH8c z>toWfS*PzjHA_~*mtw(62cH>pG@3Wnagw!A>rA90;kQIaebE#z~>`@2cG{^KW)f2_M9Fs4JoZ@X)in`&0|M z?>xB!O^a~3-lSD-?Z2@KgX8+KLN=1L*O!WU5ED7#swtjpP9m~bjGM!3N%c9vS)D%A{gK>vL1IH-3MAx}DW4{sDyHC~t*@zD$C zd}c|?!=$>oxFb&9uRC^F@nMC#P>cXlHb-QJ6q!GpmSfls&bJb zLUKLlm}Fg+$UruFmP)K~9I_eF^7zujTLi{%ouOdj=R%dA)m^qm!DeePTd*@$=lV~5A&t)=`3`Mm%(L^gt(WE4IIu~XL3qdluXISviZ?CbPTC=N? 
zCJfj`!X3a&ESujy%f-&{YR@-i_mWU?jAaW_6NrsQNbKeYUe~Z(+-A^R%k?t9XTq5$lSLRSxk*D5m_Cyhr^{V+~%L z_?thPUB>Z2t$T#Lvr>;XES0BS*lq7H@unq~nU`Blj+hqi4sDfiGTkIPk~TkZuhYm} zX*XoOA+hhAk@?%%yxdIhD;Cqtpd~-QU11mEz*nvjeUO|6Wz^n&&cIQOZotPV7VH(k z9m3HFdya~PRmH7QE!~NcLa+8pw%Ig&Kq>c5P>_17wZnxM(o@e=%OMoMO2WuTDflvV z)bY9gz}uY>5P>q*DmcPPS{DveMiptV{*cMbQg^rn%pshgYH>11vpCr>ibt{ARXoVdXlP*JE4wnlb%PA&e^xs}DeovQokdn5;KW30!`$>8FdN4rF!^{qN3 zY+?3m!^|fpdrmpl4Aigh^jAQwcc62-LaA=OJNGW9@S0R{8n`H@fl}%NVEQ&U6pYKq zITd!ZI&M+uB^KHTOd*scN%qs383EV`G7e20mEe?PGR9QiIa-@shWFl7W^CK@V~z$TtXFd$%R!57iO$J; z6P4!rQEB1J3qm5*wVO@0?Vx@Op(~v;1e^%CT#fPZ1fZ_=;%#u-+fSQ16yZo-g26LvAD^w zZ=30~hv5$XDSSC1ef!%?FuX4d#9oU2V=&Ke06aZ5 z5Z8b1ntApd<@QMbG!${OM zngor9oq86-N?Qy|IFxH$Uw7XL;D(HBmsC+{t)2p{@HkL8e+`16ZyYeRfI z1zy1W&RI!DzCG9SL^)Id&?bIq$zvLQDpDp6hdK^r{w6{p9eGI!hd)>-&u&Fw8 z%6;jl%%kf?90onu&U@-m{0DM*AboSi0u2bJB-Gv?c=0W{A!?T=h|mi7=6UBICt&8x z!u(AY?B)@iguuH#AGoV^fpz7EM>EC@{NysyU26d0bElaa%G~`EUAYwc!PHt`&rLc# zfz_Lxw@p&L7<0B$(~0HqZT#x5)<~t-*2U8)iGeH4j(Mq$0)E;}phqm&;pbTkWS>gN zS!97%CXrIApOvPD{dfmI9<8f!$$Q{TpWa|6!=s3|9mdZ*4+|OHm)t%2JSZYMZzy37 z_fVSWv@G%|2Xb)W3b2W}>C73tzVR-Z+BDOA zAWrCmNK-VQFQuv-UivyNc*{8{2$%<*dNfyaVcySp_gU>HrHwojImu&VcYMxYmgLHy zOgIBWv&R-Msrbn~&wG1lTGGmPH!8Kh|7fNK)LRM?Q8cC~p$>9F&TP(t(f2oeB!^SF zsQJ8?kN2+5aR(tGuMx#5akU8?H^r>;1tAymi#}JFj8FA332CCa zG&G4N-K*o4Jeda06gTzs^o^l&OYUX)fCuU1`045Ou|s<`-KR76>RKARF?oxh5v8)D z>h4TWd1hlhpzohuamf;g&@?Vh?2XIKlu)oOIW(pQowOA{)4{waR^qczYms`_f8-=n z{F4P5~Z$Odz{|XEN#+0MDm|m zpfRJJi%$y*I6){BJIbP{p1<_!sbWqLIBsevv%+XsCU-7|))laDA;})Xnv3@+KOch& z`qZ^i9~Y;kIltz$#i3`;D4drhg<0xll9=Mpvk}Gpyg`UWY|Y2&}M?;8ZUA7OW3nfMCO#=`^Rls{xt3-i*jF4!^xf3>T_EnOw zV}~}hkdtVm&ux&=dE7#F<>5z2@vK8y_?46@!ijW0zr8&wzv0&SHwKqifN|f)*UFdl z*W7CW!@7UuHqJ@(3lIX&Ei*pepLQFYxa01W*pZr7S(xPRn47LA2|DNAA?BB#&)9kb z9u~ZOF-6O#xWRjh-L7W7$FB66ygN2R#u02@fQqk`g9%W-_F8v(mSdEhUl$-^b%%DI zp*0k`#EzMBKQH#VnVOAFMoTqTio&LZUMeV&FwE!8B4wE_%R+E90ZG!}DT`{$fekkc zqcLrd?<=&uX 
zo*BwCnGR9hiXV#32w(KFNMl+kZsv`3;5vOM^M14yV6@v|hl><{Fbm0Gh+k{B*MatRC~vt!r;q}CjF9hghH^~K zLJm`+eA@lSj=pEH5vpJrM#ni*R(6rXjmzCF>sZ3fC^3`s3cST_TeReFJ7_j4WW1I&XEPq}D2 z)XrKz#q`0Unz;QOv(87+!Q(|!HuFpB#zSap%ij8z@B!;C*eaJ55E}mT#>!j?j@s-p zbs+i>iDPP8vJdB%v(o(_CL+uqyF4HeJ(5%TgA1uG8@ezfPRgvXIH+^7U~ru!&*N(j2g0lwI1 zYg!AV_BmFCjAqiPx3Q~LH!^_}Z@B4Md~U4v=ivf~Y5(e5_@!fV`v-99Ea*{e`WG&R zI8yaUmz>0=^2+O1PoT@GU0US10;Hw*$z&x`Sn!km4S{cMPa`^etLOV$xJzX6&u`p} z$@$9eN;~sAygBufE84h-sPz71kF&_u9Kpk1`vGV2-Qt(1`9X;#8zd~geKZgvKwZlv z3xB@-M&cHCI#Uff+A!2~luW-pKOST=xUFfutTZUErZC#*(A_^)Ph%}0Hsg!g{cT1~u$EF(M zVI6%gA3`#|-3Fj!7~sU7;S1R%nlxV+J~$386fa;891j+GlYs4IO5a{s*z%g|u11pE z_-slLujtAIi&X|Rk)vE(DTebDT`b*02~#kr$PJ|cvLGF1r~z7#0z;pnc)iYj2lYa* zwt6qv+=H8>pFTXZ33lVGR?g)pbRD%jfYZDkm>zpUA$4OQ6H=X1=$GK0@0T#3x4NzT zx~N1m!vU?>uF6<0WAD0rmLl~wCc*w9(cV+HZJRf$Yx&FRJ}NNHTrp`2`R7`bY8qLa zL)!XBCkW{EpsTl`xum5_&FJ1l%7Dt0|6?I3{&sMmk$Msuk>0C?yaXTzoV?Pj&oLA> zS`o{atGaEdaJ0@=FJNw#f6>F-lRED*ug7&^*(2$`x?y~4YE3bWKRT0mhg{rhcS31} z{QXy#-knw(xEhsa)WmLa4RkGL&bKj>r0y#h2#~85t}-6XMWM~JOj1vJth_L*8Z5AV zArjQDG0+7&()C-`@Sd%F@IqP$^HGU=hl-J>&9lC#!6-NuR9W!;%b^^L2yq(>PFVU- zgz@U#nheFDzWDTc(cQL%Nf$(f=~(&Gsr1kmg5_hAKslH$R9mrZ(m2x6An)?Hwg#5T zy%x#Y$C_pL4&OXNE8Y`|piymg5)Lf7+D`S_ZEw-zDw?bKu06W%3HSc}Za6qL`v(yv zp|*_QeOj7Hw<5&8kgr-4gQjpG=lT_D<>Hr%upnfm?_`mAVk){fDMa*gF6q=haH@ZD zirGwyx9QSTUo{9JGRb_crA96*nIKd(-iLd?g=&1B*xir5KYW)IZZ(s{M3!1+tM&y)A{{qp!eqZRkmT+TzDOMTutNG8QR2gjtmN;{TZ=Q>-nKiN4! 
z(CSSqlkUMv!T|kh9|LftCv4NDlAoR-@wr?2wsV<^mTM1w-7)wcex(p{a^9?r>|40) z%luQ#vx2rWTC5`?Qy@%AZ?-;XU{dVU#e;b1RwTUFFZY-Mmg9*RFj(8edwL{jZZz~= zOOIF%1;daG{{h2aWq(YP%ZZr2a;KBXRJoubNeMVolQft^2$#EAEd(&JYYZIS+aHMyyRV zXvOTJ!$?$v{0B6-AIa8pdfgtcyVKuZQaojjAOR&9v{yUL`r=u+G zq;vGUJ4)l`J>cDP{T9 z_PUO2rEP6@@wR~Z(;LNB*Hy@?xu>aaI2O(d=}#_ptxzS^f3uem_w8^Aba>9`gJ*!2KV; zNf$W08~{h3f68&^Q24L^`4~j3w^69@$5ZU*Ck_7zKNpu%2#kS_fTPbpmWKc9KZV}A zMpGw&Vix+7@Lw1MsRFH~8*udb$I$qD`TliHV!v0Vn8U4qVGNXmi`)U|{Qnr1F0S91?z3;jK~x|8_rcfaC){3g;B z1pCQw z$|U^Qx`}$T!^6@t(RYUdx-FrwR87Rnx3&0*zx|2L21vAYpvo5~c~a<9g5SGYCz5JB zAebr|@<>=4(-3yBXM*=6Kf`pm{Gs^^^V&_jiXTV*Qk$lq1iW++fkcJV8*{y&3#OX? z$}JFruQ4K;2V1{St(+4LyrKp$mf**)4|a!=AcSpK{~oV3OP_&ndt~7&`xU`b;H-2^ zVSS*tn7QX_BaHEwr$ zD2xk{1DW%@l^}%qYDP-E)HD(~x4Nw}jzH|-(}5<$P)&>KM2Sh%4Z<;riPIn42I_!l z5efQ{(Y8dccEGuasj;$h?DK$9`maHra{Z2!nfpKBh?swYa&6Aw>G(tB%RyO(+M1dz zP1=81TxqUW;HOFE-hA)WTeUz6@sE9=UE>t7Z>RdV*PqOX>_glv@?ecP(kpm_Xz6b$ zO8dgHyn4%IXBdmeMJ8R+wGQ8RPu9p~mqmVMn1iBI+vOmJMc!0|a=vMRo&Rtb@6Dh} zj>f|pC;N~_ce-$Y#!3zI%1;T@-$9idP+VOa0+DuK`Nc8lIO%>Gz}3H`#e}gI?#mc= z;K9$G@Md%cKJi!zza%)OD801^IL|ENOE!6x0COjkw`a_lGNclF>OeYcLH4N_eW{GJ`gT-V2b7pNSvX0Kd8 zfA?S1c2Q>ojw(PZk)ir}JdmXnh1msD1T%dqBoTui#v-%dNef~%m6Q@Kp=qfK3%9oV-a2+hm`qm*ZL`W}z9DDAXaJr2$f(?D&Ha_G_;~OUr*qk(dH*&j@sZM=hdH{lFgKB8jFQXgTkVRlWAc0FnmO)#BEf?=x?AM* z&9+ROjMkIL;t;e2#7;fAb?jKo#suIR&MDOK0VA(-7Y(t!FmWTb-Huh)D;Mr>m>1<; z-)7CVz^+LLgg#$(VN8g#9my-W&q#s6+>(Jvvp=I$P?^8k|5)eef7OiuorH-en1(Yb z8L_b9(LzkMA*eQOhq|VjMP!tIt{GdMLKZEEq#*vMxp%d z;8IbI49tA1r->wbjwS*t(m*(Xt?jVMo1})3_vmLrKVV`U&3ts{@PYzLS)ikN;cjd( z##T!Pi5QeeGrrX3^>XTn{O1?fAvd*8H!u(83er((C4o$6RZeC@I{XBX+ z>w8;pwq(d)!7%LR-@ZQ5V4}0Se?1cPL_Xcv!20ZA2QrwoNfm3M%~EJ|c8Q49aJf|q zvx(f~NQT%fo`N>Zb$uy@vYILUBB%_s&bofnwqxtZ!{gcU{Rx}SOqC7YrJfQPJ0%#Y zx;BpbyzYvDte0<79Jo$FI}g@fwOx0;Y?k(ti=gAV_H8&(Y)@7`3asSk|6MQ*ZbUXe ziZVS)g#*au*7x>7$RMA4l|4MbV0jGs`dfTWReEia9TcArtxElxIE9+Zh>= ztt=Y165ANRLHtxjq_t)#a*Dp_Q#V#Vn;Mlo5C z=GOU~rhNj-)f|nE*XBSgej2c$nhBCF-mrVL<95V6Q51teks;{>yXoJXqI)ia_Luf< 
zl_0WX_pF-N2NmuBWv{ATqwg*6Sr5^(eeX@LUe++?OOc61qcUM?(sO96T4tU*JhZjs z&KsIoQ`JBSrFBCqX3D71uX&Uk4fwjs6q1BtGe>e{O@6idQW*f{wFE(6QKv4yEF8CU z+4Z@buABbz)BYU+NhOd?G<^k>+<5}^QbRJmR>D^kHffLqyY(?@WHi-spTQ|2wn16@ z^|UY5bi{hAcNI@r%Q|PwdHwI`vEadMNCC1qPtO>SvXd0%t zml&^d#<4afPbYcS@-w|-g%hd+Df>j$vHYc+#e{fm!nE_?#M>fGJxJQB%bz{^Ut}G= z-*3|C+h?yrz-m|a!)0VxFVm_3zBK7l;RQ2^n~5}co4T02$}4Jaw()#2i;GJ&nz^s< z;Xz<-PCb*Dq<>hnzv8mgOKv?wpF0-!@?3##<7c_e)klE3R?65nf4| zsGE0!oYibI2=nraE9U~AP3*`h_+T$yF1m#ri?fPk$MOUCdZIweSa@%b%rsbu(T@0h!|3~J$O zm*XRXFLhpjie`sB;VDPak3DhyX__l`r_o)C0goZ)iKC=Yj-+>gwLLLPk-5f{A$j0h znQ4!*8mooQ+wn@Xy9%P&w02rM!0Ipfp&%mec%4^YI!>o%&6xLKE4ynBK%WYG_O`h; zmGGV}$>4e~ObO&rW5ghVGD>@p51C>Twv!i6&^eAI{O(adx{SUb=?*&$gqVNEoF%#& z(b{e`(WM!)@^k#fAotom zx-$?@gY2N|IlvOAZaG~6inD6XJmcLVy#X2sI@-ccK-VA3H7m{7S_B#$}=cSIpa)Gj`4O&^9WF$8C~M zCho`&kJ@hHsDiz-uYLrX6|}3}k2_TKhVQH zIGVl5O+m%nV%%>u--OIj1Xq}c&WYE4?i+cx9wEx~9dvRMw%b824P7ZF)1m0nJgbk0 z4?Gh2q9)3NwWTfv2>w~Zu4l=g1n)N*%0z`DJw+?Idz&P@$$e;q`?i$^W0M)5{I8Ew-hK*lh! zxVwcq4;L!*`)Y{Hqmu5oL+nhF;APTDC;K`}BUMF3L0*Q}hGA4c-kIpnctZ4DYjS7S za9UP5CSrC=)SE^kuNef|KkwZ6V@0l;ja&s5geSxBmW1&+@Vt2J$P`CH1V-*VcEES5S8^craLpesYMtz4@!SRI~WJnWMv2WhgUj8#68EjL-k1BnbnRpy{oe(^~Ib)JaUFscRU@J12MsQ`a379(y4s*#>eo ztB1rre%`Ju4ULgL-{T!#klmWdCS}mNeLkH$d%$BzP%v)xT^)>T6UBW-pD7_VqPPvq zTj~}th9KUj&5u*F6?tAF3mXwaIfcP<$d~K=68fA|g}55#uc}pH>@{ZFl{+6{jHDi2 zKEwi~H%h?D=6+_TmBJ68RrR7F76-j{ZTsVF_jts+a4_yBEdVc&|uVT%a1h(%;M143K6-Pk96-9l%9V z&QN}g9MX!TM~|eZ3?R@X+l7|HKRyQ8*w|>?Zl9oN=LZ-z3Rc=JnRTjzQf$n2BNucb zlrxo9o-cvIh*~Yx2Mqe;GE(?^)F zT7_Su`cckbwR1VLT&^7bSSE>L#ub5GrdQ}u3R)1)b_y~i3so(|L?Q=HL5E~@Y^r>- zt93T>Zu~A~(gS)V(L!~y*0t&$y;{HO5E>wc`BL_WO>m>f9Gm5tP^dY?jWRp@uws%pwx=)0>z4%sPcMNvLrxoDO!Bln@&GZItQb+yC4D??9BkGHs;tn zB-gZ`8s!y9;T~Cskcr$38-cd_u{UY;l$j(ryy0FtYJRsz!G4gckmfw(rhgp7iz{K3 z{k7EP0E2?ksV_HIXgf%9g#7D5p5b@@@)xuW4PW6|K_GHT0h$?J*F{{FwX0#sAhh=;Wa$fgD zC#I^Y#0vk0#rufDD3`1&ka+uJ^~rbIrwc|_X8R(CV&j#RjfBt?Rzj-=Ir(ab&1h6L zB2592m|rtNLe>DtHx}bq%hnb3ppIjWZ*PE@E!!lSuP3t9w;THBJ%P~ckO 
z;qmpty*|}K*ADCK^3ohd(_bFpS&&k8{cmL(ty{PxB^YKZF}7wItL*f%$(R<*E9z0l zG!oj2kJO`1D7^gE7|DZp1Y5Nyr2Qgz`dygs_`tqhp|h!eVb7$C<;piREtXQ@uG)2vZm#;YY@%Csc#vx1$Ujy&PW9 z67LOQ%>3pOmxlh7TQO?o8WCY&|JW4Pt*HUrZ~_@?u@i>&V9Ish0e^| zuGtN|ce;pWa_g^4H&g4Ch}sKAb9C2wuP5lWk!*KR6$;(@LKP8fQ;eY}!-g1g;SyA? zJqb5_xQ>!B7=>|jy`==p86B;-ihQfeV=z$UGvrvnJy&O?8E(6xds0mzsr57jlC6}@ zpo9ffk;i-Pg|BBmypV3$jlM%JE}8(Re97LFyLG%j`Pk)V1#5Gl%iSLkmD-+#k*8KI zVU#-w4P-W3?>QbbTz~3ihrM|%fFm=|M?zkM@Z)c+aQ&Jt#I0yKS4Pwq-&SuN7ot1T zKjAoG78Ax8CN6bK9_Mx-enMz#kl3WZEsbGV#O{Q)1Fr!pqASibyJayd$=pw;J*X8HlGp74*%jj=+5?aK6yM3(;H*v+XX6a1)0>JAtTG=n6a@0x))6D*( z+dX>D@ajeMk<%Zs@?RDw%C6@|GYJg3JeS(bwoX+v8kg{k%r(6=)UbXCoebCHv=`l6 zZjzW&=1wz=*-AIG8%ZTDoI>pDoi5v^TDKAFSB;C9Lof{O+jIdX$$V3n6E*YN&k9%WT?pO1V~#}cjlQDcwL6Gs{}`qGnN;d4w^ zn@c0yeF7=e3+ig*vpQAvCqIzzhQl)U%W4&C6k3O1>aG1X&8FIjB|6oo3t}TBwvhJ4 zV)fH_MhObLFd~!F$ijuP5bK3v)}|H1Vp=UnfkD^ZN@_U0=Kh;ZOW+50mnxY>QUGPm z9Q|aB4ei$$PDlCO|6qsOTq)#+RcH^S%m%9`2G=)A;C*lqDqf#fWkB39FeI6R`4)P$?WZIzfW&GA7e_`V~@gxFiF3xdfD zwPe|XY58h3Giv$5oQlr16_w`5#_gQnmTjBn^Z1aT!LBMGK_$R$$H(3Fth?+jffQn`Skwmd zzeDJzV&Mm*gH`d(7qfHf`Do1#Gl}<1O$30TQ@`f5z@cH`^t)pBw7i0W%ScTg$f4Pq zXd9p;>#Q**T}F2z7b(3+F{*q_jZk5irzu+}Z)_!@;rP7TdtEbUO(IpijaWXX{&k@V zLRs~&o~-cox=5jR_*_b=`iy5d zeJ8gZJIJu{TP^(p;Z!qi-l-<3g{k{KjC|@A*m>*k*8gvLrw#VB+Frv&a`t zTq7r_Jte)CCtAjjVwU>tTjRrgi|ap8SmTi}u4o){qV&acNVU~15z;X&hrDmQ>1@9r zTyr%a*iShjI-?SqGo2kpOc@?_b0mY;O48Em=gK5v`tYM6$}nEB(p(KX9D)gpK{m!C z=}4(nbDV(_^4KHpawz~vN()EIOy%uWPdhm8bkx*x<37$+5d+i4 zp@RKNp#(C0H(>so^sSG!gJYoAW%LkT(;=m=ClYqQS=i+9Wg??e#RN#I;+lJ`>pCi2 zK*&#gX{IYoyrU}Cb#y2f7Ox%|5>10*;b z#bNOwn~*y!%dy#7+nYC355D&)KV9XZR!og1{MDr|e^O|tpH$_c%(kj>V3|3Vm7&0F za;xxUxI!<5F5#z-Y5b{n!H1ZLH*>cl#px@>H;tQOKmy#&$vN47F;ZeyqzarFBK<)p zj$ow@UVD!J;{F5tmr5p!y&Y$FJGXLGf~*VPg@RUGdIbV#ruHa2Uq9SMjsIp<>RdO9 ztlZc-r>?yp#q6>zpV;~EJMG2bP$^G6QMgidTE`+KLOcI4nB_FaIN(;56h;)6Y^%1D zKcOXDNk6H~qttRU)VjNot2$Y$r6J%d$CJU#t+Ig!tZaj*YKADNV%mqFDEyS!Kc z@FmgsWR0#gF=sE!fe`zdp3+ot?SBbk)Wy^ftLvSu?XukDUwHOJ%1X$rldtrdhYG4;q#Tb+8`m%&B*&lC?`) 
z3P%sPrUmiJ(6DSQ6Bg-oJOgJFm^>2l7h7_|mFRgkm*5HlZ8|Aznd=VS>btW7s@wP9 z7f^g0sIzQ+J^u3*_qv6d7&LHD5vjrbbPLb63jDtIUJJ(@YMNq@k*Rb7Jgn9Z$4aW5JU$z~+ zw@G0!fm+O6X&$VxR#REn!<1;hE)hr%Tit3JSx2)_e-zI?@!XpX+nkYWXv(SY%zXu{ zPF<~J%gtWvA9y$Ck|iwKdPV|wvyoMrJ|d53RB!2hUg2ib>C2J=&i2xJL{zvnt_GuC zm-*{Kwob&0NU04*&OwGCvuxRi)XJrP;jkk+YP|sAxS}yG@-Opv+Z{e`U|;YmRA!cu=i)(m}oBQWgctMA&(;yu>(gcCk zM4;14pARHVUZ@GZheP46NJu5K)&kGgiRQiHmel;xd?fB6*yycZG;WY-#h zjFK|c#ijQ>+7uOGge=^NY9Hx+_Iq}#EB#8l)k0tTX+h*Wq>fnlH+hv0EU->N56JUQ zJ4T1mJ5%kO-`NR0EuE(-ZVkm<&?86@Xf`|EcSI6sBA`o;yd;PX%?$y#EwnnJl&==n zWO|hA8WrbuA|ENUK{={?Vr0=;>3ANs7V+Xz;5U#utwfaC5JEZU)C=~5?nt;+=VEaM@qA4VkdfsWv59N+Qrsv;nZ8YB@G9VT)K@B_Yrn?^^>>Dw zw&GqF%n!=Q9t@1Z%gPk^OeCI&T=LWaJ2j40Dw)&rR(N08(`r{=RPIX~|C}~^seZqV zdp0PvEgGqkXzV|VY176W&C+B;K0mduo@&C<8&L0RiR5*^Gg88&uU(pZroLePKfQ6; zS0vz#%Rc>-j(p>`7jN9-wxOWYRndFzuhe7^RBzr=A&s8^!0SBsy}H0X*HS5D9Zo~# zXTSQ%=a}M*6jCcb>}0y^UmStEq<{)KVcEFv1D{K?2r|}v`1|YG(9QXF;RSG(m;bspQfx4dLuy+$ZAMC=$Z9P%Ms&<;e)#M4l3Ab;LQs`iMOpX%!5Rjcb0 z%nA2>ML3*dIHSsSJ0mX)94>jj1;-wGxoDW1`%9eX~G3YRGy&ul zg2+>FCJGwJxmI2{JtFp{@^Zgnb$yZxO6)75#c@y;R6d);&Hbm1KXP_K8(PSDGE(~u zgh{A+T$_~BBQJ-&ljydUJwOB6ys`%6B| zo)@FJd#}#L8~1;BzgOSJ`2mSyl&dA=)7bLj9+LJI$zwjKd{;h8>mJzYD{?DT)RdGV z9N3R3(jh4V8_ed z32NkY6;%5(pvNdY*A8KBDb&{-T>n|oCPU@EcQ@+Dsw-DzIs|Yg%_$iURyNiW92|r` z7f5S>MnN9xMF{lCIwOrCQhuvm_)yG5yDs^@4Nl&-NtxJPOSki z$gKW7{#W*g>0fWvb3PHr|6@Up@ms=#IXhD)MUG5DS3U{wd@O%|W4(`P^CwDc#&`pH z(htZ|q{A#~SXZ2{1P{8$`o%EW)8~8wE`^+cBgMBszPEEDnCjYfCmFV7DHJn@d9KN+ zmlrJxWSRK;0U!@TKw8OxgAhtxg^+EakIer;8wh;540-4Fahs9I57)C^!S+Fpwm^(j6acKbPwljdfNMcn4V&c0y(TO zD6pRr;;GlM>l9lNC|iL3TCc7ySr>9D&+G@e75dTqD`!eI^B?qu)XgCspo&i9eq8NE zmXP=kcw7AoTuh7aQfGz9phKVwdZTv7J%z7vIAuyiJ7MRGlw1--!GoHCsJ336z~o5VvO|XC%fpgN|cR{TfGCT7ei(NrkjvxE;Y~xKwDuuM1 zUF~)lpL@^(qiDZ)EBI+l=V^uhY%MNoPGCK$1d<%9TD*;g&MV+;QY*@)V+eH zmQGDhJ>WSz`z`2%9uxN@(b5^PY(wTd)Wmu|3w5y6ASU9jClTykCeR$06px~zx2W0v zaCERR{Y5(u;tJLPQV0PAz26_kFmB#s(0D1XYNZ8;bvn^Q^*{t+So^rxY;>^tmX3Dh 
zSx*<`@xSirzOYX?qB$5?D@}IA~4-7N_d0w^s64Pd<)EICvAU&SIc&pXa@wusPnQw?U>2SqCzFQ(ycjK%-dhh(1uyO*#) zEV}}Xw(J-Ib8cDxR`(*|zzty8MyGlIbmMym+XMq{yn6w4BE905V0MGX$+ol&kM;Se zs}r{feoH)h-qY$a?5D}V z)?eF7@LnUu4)q8OWCv_1{czJYYas658Uiw!j#1I<`(_=R zoc8O*!joE$)%YBmA9|~y9e8!@EhM^&>$k^;8pI(fLmzlJdgHUv@28@|6M@N0O=X79 zeX26^(Z@30U)FBW)DhSLCR)0d63q8tP7qAzi3aT_oq?m|(n?MhZYMVab;)w_TPM@v zL`K`8OBoE2PMAWozr-^9aekFsYiM^31qXqhbT#EOaE{rc% z$3!AKa;R;yDZ$WMaGkR?+k8~mLd8U!<12(In3)>h^8vQABY-K{x`TIjuAIX*O{*qMYJCkDKyY3bK=PshL5U0) zQZZZjeq4HSvJX!2ad{D179{O{!c=n!(J`mw_|C-Jo_8%;?^B2N2j_{wEF?=GP} zysqKcsDyNQjG5p$T6AUloIYN1Y!Q&hd(uGaIMcztm&dgLd?d+ZqsIWX2#}-brL8{Q zZ{XoDe2?eKr)@C#d3V6ElxgpP`ZJWODC4a>u-g-Dk7sRqT$dr~%Ktsky|cD4CmOU@ zfr3TZ{h%ARA)DbbdNV;CB{#5{YyBWozkh^i(5Gld`vE<)-Lc0{U9KW!oO=stF3P-J z#*(#a%f@OS%azx8y%*YrT~zyK4r6Jc%Af8;=aYs@&zyDN%{9rVdH1u*{z1RPfzc#5 z$cSA$tb#de%kxTBCS!Q7vXo6MOqgDGJ|}Z)bupy#fKE5*Y_Q4nuLql=HsC15>O=Cf z!<&pB*S)Sf=nXNOQ4gs>D+e>bU7l6BoZ3-Dy_M~_m46rIiUun1Yn%D_JUeceUUW}1 z4=`oZV}qo2xrWG_=$3ICcKxS0ZW6JIPPmxZ^Hd;>8;oaPB8g%OKj4*SI)Kv|05PWl zTUd#{mFQV9topcW+JC(lgL`>~r zs(_dH)=bc3%t`ga(xQP^&grpfjkVK4C(*<>`{1siX$P4}Y^j^t6JGN;cIhosQRcch zX>FwT=Xjsie0)gex@JnPTQ)G-0gP2%y_Q}WmrAw0Eqqp`eKGJ)#(hmGGkN+$Gn+3x zY9wz+HcJuj!006CDOo2wrQ`kLuM0l-BCWvsWVQ=-@^du+mPN)#Y-eaotzMdg*J%Fj z`^`T>T-RAwMJZSD{aC}dQ-soEnIGb!0|F*7?+F&uBrfCISNiwg7O!*a5l zi(T6(Iqsu_dFnIwj$%8ve+jyuAkX7{cA7!bA&Txuh+njlbr>)=A7{?iGObU)yl}Vy zY4nT8Ng5cK-S>jEfn=)#Z|;gfs_*W1Cjw1kszQ_bcMXvjZbo}I6s}|k0&7y^Pg(bK zmYI)Qnshr&7~}L1L78Ft{uHOX2h~|Ujh&|!54bGLBOn~$z(JttLXugN-oX3p0R3=O zaBEH_DQ*sF$iqRi{cFKOdIDR4FA;eF${mwD;H#dT95nP#?n8x8Bb{MQUn%Q3);>_#@XY# z&MWi9ou#KOc}Ju9I12kT7-JQXFg*26v^tDI`neRX&8g_ODx@SnY0K2|9#?sn&B9oQ z*bl#q;5BzMFj(jVaxTTCiISw2$)#O7&C@WwZ^`4EYYn%kKf@xRr-S z{@KM376EDSsZjnN%i=XhwWHCw5Oi`aIn$BCx!F1dXPf~zpK(ZJ+i(xDCghK{FPRUSsW%`^F`<^pfxx4bD z<9^3yUWxIrlXjwEi!US0*8NXR9($;+kL#<#jy87`W+Z!70lC$rW;(lak+CS0I(eFVFkm-Vv?}h-mtuJ&SfJ>RXQX>xEl1Y5klzc%B;%%_piq> zz?n|11-gE6B;{ti!SwA8uzsXXhJ8~78rMFfceDiT2j9VUj`NO&wKSzWB|@wc(Oko# 
zYvm*}@R%~1f&2X&yTEKCo<;Per|U6{F>RX+EBYAh9d6WI#F`XfEE?XFRZvTGvwL67 z<(w`_$lI4wg=q)TP~yQc@2mgsE-QDDi#36Jpw^&$Ot<*EGkkJ2_@V= zn&r~rHrjfQ$2;YSG^rk>9pA9&v}Ifrbqa{noSJ9=Q%~Ijk7FrUqU#F&JT+mpep=dM zP+lwowG`7sDf`k5(x{h>NgPX?PKnOexY+ZNHhKK$#B0qodbT$?BZ8oVuy6jjyc&oI0%Nm3z7n8|ZK zNvhfQ2>UFG_$hHmGTGbjwv13CT}I;P41-QzDt^A(Viedye79vEld=2gV&B7-ow@=U zWHPwdXRoiQc*8^FFdZCVv7QJ|SejTLfsbdn^OjX+WoKt4xmO6*Ad;5%GRrQl(&>mu z4W@6nl}*MUu1;uG+OB=-=%ZI-$;YpHcN}aVcWH%zZI>Un%!VJUZ0AV|KdxYXz&-A< z?uXAYY_8v-9^u+l;&q?ScHbhcJ*33!B)x=Ue|`2%asYl%fRpy?;%d&8Kq<5NBGZG= zk6H5p(i3F~LPXvNg%yW|NA3MrpL!EHy^ptS3BFbemRsjv~OIMzB&l}ysrfR;scxs#Cpp)D|0-3jWd-;u>H(rYIC+lNzo^e>G z=d(Az9JsMdR^s7S>zNrOGBMG&!fvT((YOA}3{3V^Uh^9|{xER}U+!msvhCOM!?M(3 z`1+;um9i9js)kui9Od9HQ!L#yDXZ^&b>yLFZW3`+1Zi4HxmqS>fdkp@!4=eDb2>rX zbRrpc5^Giplf?(cs%`$eo#k11a2AW@@QTm1R#|~f#M%sD8PeU~gZvqd>7q)@CF6J_ z*t7JEr;JDGl_nPtdI*6Laur$%a!~bo53F$qO}G^IbZW#(UFEN+9bv zYwGDumX2|I9Iuiw!ck0iqNlb5#k;OjbN8D!8jGm0BvnH{Dcb@rRKCupKO;A#{f*TW zzvrZvJf8{hxl&LuC2;40UPeWhub9CIG zRPQpMg*aj13@gH*{jcr5C~>0Q8{$I@j#@OgWuDZYPB}YHH5wE@-CXxA+L6v*wx2vg zgY1~}WSN#kOk^T}(5z3#fqB=F&A9!EYo0?Usl{AtgzbqZ`o>V*i19#{__l=FN|%)D z!`*NCfl5PQIa6oEyHtXs9klSZr%#{NqacPNIK2bg|w{ALaIr-=4Agok-mJ}*ynsh9*7%AlsXu@{5+ z(pzHlrPspm7(Towpmr+%BxreW@y=s;YscyAm{nis{pudCU&ixe$yZRZEyMU2uEM`; z4u9Fl5ncvvb5YrxxTeK@RTlP+GXX=-va*Pb2PSWV(|H#9zoP~0?0%V%-7MamNl!Z! 
zHsVmwHde9t6dMfZ5@{TE8t;|rk7L&4nD&F}I|B~H$Tce>RP3*OaT)A<$)qyLr$YhL z0iLYx?J<)FuWv3KS+drI<4m9rLg{x22q^|iM_akn9xWYCp3pKfIEnDMY;F&alCZnH z?azdGn6v%DH`Ieiv+in*Sb4*A9~frHRH$sIrJGk*YeFVFGtJb>!YBe_S6CyKL~80^ z5Pj#XvYHV#>MP9zX8poZ*(6$hY0qpl?1Y%)^lw3;iTV^LOcoCoz(J$|ZdkkZYd`k)ZeFLmA%f7j*|edaPx~1$P|d zN~3<+RM$+t%Cw*DIgBl1RC@K%yka?(U<&;TsVvPk2m5zQoTyX~t)D+@(@*NJ8l<}6 zn%`31oa+cI5yCU<=uE29v>2dm)t9W1ad-S$g~@Mqvl#P!XT%cI$x%YiRhO}XrWMA> zFOX4&W&J4Gjn1m55+h1ubT!*yJ6t7{H-Nq<^7<+qu|PkdEh(o>C#PNilbAlXEaZNN z+RCF6lltldG|qvnw~($1Sq}SZX>IjGD7pe?c~I{H`6gN3B?}|g?md{9=%GLBG5Stq z)XDMN$oi^p`LPh=bu_H)4Sy)?KpbvQ*R4Jvchz|JbhMLmsJ9C4R=(wm_v8yyV=^rx z5jt^7`PM9y(e+AeYi0IM2%}TOqC9hwi?&dZ%iXSAUYnKxg<9iJBDJF4D;YV90xq@& z^jw<*Zx6Iz(nbARPO`F|&Yp5pktaaKZVvcs*|Tn4#bvu)a@~WYpMX}Woy8#<_ByNM za%>6RFiz?78QD07;+mXyt7T9p|9*VO*&g>6rY;`xFnJ4Rg{z~lj@X|khPF20Xm_x> z{nL_{RYpZ~tXEn!zh`lyxbb^5l8G2uO^2<_Cf#2?o=Y4fcFC^uBb0j0`6o+<%dqq8q+Z+%&{1=Cn&S z+)^c_zUy`GbfJ|Worp#d9p{10K$KFROh6kV4QH1<&ra%PnYr2Fep%V6OF|RQ5Bl7z zY8xaBihOR(`J;V{HA!`^Zx$~Jb5WuXaKHR;i#TOLqiQdzHERRoBlBGkhT^lRPT|+~auPmED8F#b^&oa^On?~Z3E@s><9Pkba)+bqR4mhMDotmf zs0!Rd#rBEwV7oQ2U#hjWY;xMU_$Uj7W!V+)@-JtG zm&&Z*%aMwz8k+;AGfjMP0oX$iFQMEhc8tBOM=l#osnNJDy!o9^-Si_n+t;H`Jf#Af z`ihso1SU0<9qb9Uf95uJUwSn0qyXYc%`&|M9o6x&|p-BT;;d^IP7uk|;I}56yWBC00o<1XVak$-6bC!e5>T%3(#7 zJ&PMGGs{;GP*ARgJE3Y_Ufb#~+ivL?>oby+_H291Ov&0NCuHCpddLaN)D1^0g8Zl$>*p zl9ilMkyPXiMV4Fz6aocOq`ON!o}TXMp6NS%&V8Oc{l{OFRp0*hUVE)Ktkq~J>mL2h z%%&#{WW@nWv{pDpeAE=J;)sTlcez{SPZflDv_{v&5l54+?I~HOMckH-GI)c@_#Qnm z8+=J(XCLb63cSZLsh()%S6S1O-%^a7Cug-HyS_(B$^Q@~4UcJ6b#P9*e7d5`7r=)H z8?!O7e7&DcqI{ENmJ+`;iGqc#Ue3+CN;aC61!sY)Xrjr$Q@IIGkU67U+`LhptkAsk z1gxpuvqVX>$|XFVvUzx@SW(PKEKda?rfpLkYzm1)!}dv&8R6=N%Sp-4Dm^y#bB%YC zR#oDBcx4UpRqYLwC39v!L@PUi^a?%9xs-t9yeM-7spo{B0I*-f{NnpobG=hokK3W`W8tonXDxCS{JmMIOS z{GJS58`eTLn7)5YYw@VAnbbIK$|=!uaaw?QWv1aWQ*bzg9I39G>c^?+s!2Ljh%oDX zCmGz?wPbpSb@0;b2_BEbzpHkIg1&N53VR>IN<- z2AA#bQQxZU?SjS=4Sm;Dmt>{uAIzQlK%g+l(v~~eC|**ZqTsa%!wc?J3@v&WiHVH| 
zDw1l((kQ$-e8fbQGXf@|D6mhEd^Fokl4t!cB&=5j@0#QD;HNTVPu0attm?nEnh${d zT|LT{8K;tKJO4ez==QP&7}{&MAwUWhQxaC+opz(45`P#xCjV$nJkci>`)m{ob|9%} zMpO8Sr&;XahDhBL;fdFC^G{9$9gUk`o#c3GrbgO|Xr<|gW;gbwhg>ZpH(9fSn8!kl zp;LP+h`nh(Ij_54URgCPEJSj3SJtY~iNVS(84EPM4BFLYyks(O;j9;uZ5y{y9cKiG z4dy7ZmQy*-t(vAvduSZqP-UE=H}miR$tMDWYOvC9wKgb!WLU!L2Gs z^kCQ#Wi4vFM3n&JnO`+cIm>%@+7{c`cxsV`A zH#%bzjpUiT_LN7|Q#`Hf(ydf1v*l3@%Y-Mwx#J|Xqns4a6|#7ZQk|Jz%+cdzJFR)D zSt0rOE9T+-WFDmIHZFBb7+W%l4#Nad`4YEyJRL<&wB!v_&w$mnq>2}tfDB{8ZJ;V zX4B?BF>tL4Tns&yYYn2>sI%fSl2nZF*c}J6#e>494r+c&Q=e$VX8>#*daEiT<`QPF zsmt0d3(Grnkg4mlW=QGZ^4~ZOxkoRzgSR7n#d@K&Gl1i>=9?0{6Q*0YWvp+G78boJ zxnw}tL%MYVsIV}R(bXuTrqyV8C1YB1EYfABc>jxBZwD35k&snERakf8L0IFIxnZyo zrJ1umYJ`cTiTi6AfGr|%c1zeoMJwecgURv_ET{65?^sUiSu6H6swRG-X85{=LCo+1 ze0VA7iX~2AUwgWJ=L}R96!+BuQ<&nua_pMDmG^!!cm8Abm-g>B{TgcuHybV5T~sXV zitdSdMNy2L>>9*RdpwKM4Xkgw#-Nr>;ikvLrcs|*T%wN@W;YH~6I#Y~9?^9_vCGq| zDdok6z-q&pGjsPIGC~CpsA;#6sfirCODx9sRbFMyJ|c+XY}(40967l#H{LWgimn-5kg;P6O6X4Z2CLEi+w&Vyi=kJ#xG%?PkPh`YLW34XtQxYL4v*r{ zwe4<4K0_RlX1Rii`=j-YI#Ub7%8T9ChKnhncRpiMQFd(SNm2O_{`wS8W|T1=$_+|c zVUA>Mra0Rj!UK0U?;Ki=g6-?zYIYM9Ojma8FVva5 z;kumSD6En(&^q)6U$-eYn?WpCwDbiJGtiSUN%&xN)Rus+E%10 z1|(L)LsA#Qa@L0h*p=`VSWy`m0O^kw{wCoO|7dS&Zzy#gPGX|(`wq6RvF=?EfzGH3q-NN?rrZpUT9VQPCJwA)j&ZCNng~Bk zq`+47*PoXh7xibT;~X*E7+k78N542{jO+EZdJdgpw^DhPKSu&X~#st5r zBiH6ALB2rbqX(|iFYnFdLB0TY*+|^>=6!$swaxX}z#8^UE6;ROdS27H{5T7}`RXOO zmE8#0a?bHFN{%&UM0(HsOW!u2&g07%5sl<}llP0O>oW^=P(^zEjk8FX2O>%;qZrhS zf(8#}@v@o->#Si~_aG%Ro6ig3IaVjW0B3-m3>zHY#K#lWUK4#ftAyQ!6w|)pg13BQ z)ua-l@tj7hsdC8LM(Ycsj&X{IZNJdgT%cD%Fjt-=n{r)WFs10-nR?s#)~K2-BA3;f zUeGthzg<1KII_VUnOTBMSl*pj5fjsm-^h~}6mevQ%ns(Aur`47h#?<83$N8rzlWRp zmFXN#5&2}p-p!F$OpeDNeD^xbqdq#>LvLm4$J?pra-b_d!^Z`k8s+PSGV;-t;KnY> zr^x0s4v6=fiHNc_XKRQ{u^D}8DXVJZnL>I`aB<;S4DUK|{+X9HE<>C{I6_)2gnKPOSAcdE?4wF%^+qU0cW5I+o zQ!?$_%y|rkzXH0D6Y8Dqq^ahgpk$_>H@{Ds67II77~3m$5<0E$-nnFAK*zB$r-);e zL{+S7mC9N1w4F<1%OwZUIAv$VnTI9*$dMz~BO!4z0jVtcRJiT| z{A_~xFmj=+N7x`mwn1?EG_7OH5b@6&@VzGKIyS+8^XUBMN}=3F!~Jw8 
z;)kh5V#nn=ItCh>EobC-43sfBGC{R-kFQFR4v$AF?2X~!XJywa+X`RTQA90bW)E%; z2jOFN$|Sm9^GH$6KutNdiQ7~m{D5>Smg_`g*y{$jLB>NuSHkkDJ*o_6tlr8%WHviT zq)BY~!2CWM!D;*{tADGNqU4$CdhnDh^w<#&HwVREn804o&~J#^tv>Sk{4c^l%m&1T zo*D~nlpaZM`EcLP2XczWn%6l=_ZIj#PqLV8wBodDDZT{y}Mq#yLRMW1uXVaBW;us%eN)ALJ+#fG7KJh7R~ zIF>_=QSp1QAwJaxBd%pLd42A9sGGB&`u?Yo*@8aI_7`oaqs_06Er7Bag>dz{I@4+h z(Gn>(Y-p2x=(*69?8Mdi)VlV*D|Jr72~_qzK&W)1>4hRQK+rUbs%9z0dT;=rUa z=r0p_3%s4s60eN6;`w{rT;JB9Z}SNXmYz<&tI-?DN$vnsxOhl|d@3Ke$YwZkY6^LC zYVm94^fHgFe;C@%f%BNmODcsYJ5Mt}C=W%78YykZNxBC{<-Pz6qXdBm!_;BMS&b}A zpFbwAG6f|wx~;1Vd6aNHW}B}NU{oZ}>|SI zqH1b&hRs|x^?1Z!j@4?&ggHxJ`@M7THtbaC9c<-DcWmT{xyc=F-0~y6^i{VUkL&wTRd80^(qvRdv8&s^#XUMXTIQ}1K&_7% zcpbG|L8z_vzdsswUDmOGgsJqLI4Id!ZPExH-lY#7Z&6>rpWD^Bbju>u6@8n`X<1yg zP!&n!l-WuUDMjNp=6tl084^uVhmu7SJ>&314U^iL&rp}b>#P-&1=V}`-<>3vwo$vG zm!e#!O;bGXNrsSLhmI|Y3>8;^hft)j9xkqe-fa7k_9P4HF_|Virtr2TFsU{X$8Z|3 zUfy8+CSna$cO896Rw`u{3;X2cr!F)`L~fINXxx@CJ>hUf-B7%@El#7LR%n5cLF#eC zTPSGv##z#ET$*HaD8rgK?X#OPM6{?`2?o=aa6Yq5KYrm`{IH$ac&UM*g6(+&edsQb zCU|Ym1*nOmd4Y}=dA>$StOb+?klTHt$DirB9uLhDJfGH#GSMTr^47};GPzRdkT>vk zDWxjA@vLJZa$BSOGAf`Js9FUfe5039)^)9fiPc+jY?#zQ)qO$k3myqzd*_zr8M$c^9aEN*zz7i z3{%c`E(t?jHA#`wuWybt@^v7r>vdMd!KrAT&gErTaZ#nA$|UFBP}DwdPc=|{=&Nci zM|sEaCFQ#lpH==CR!!UY{YL(9KGuBq&9g!wvqzQn=t=Xbd`m&m+{Z0&LRD2&>#my} z-?0)?!1MhD?tJ?E)@iiY6!Y}SibI%Mu}%ln_Tb5bK8qVJ+eCyJd>l}cI2fYVO+d^r7DFh0`vxzhMrP~i0&_B-tQIz zh{#Nk$WC9gYT!4qCoKWaWum1zU8CbAA%$R0FGsj*FIMpg5Hwq%Q9H#cBy|WDnul_X*kY`(hfuL zN3Uvlv=)Dx6|vk9IVjv#ZG{!P4w;;Ru|#h4FHMGu>9as;9nYig!?_PPn?u4tz08Zk zjZ@l*<-W%g_HeNpyPm-^P2sGPWEp&0gREl4Wtn~7V;xC0+I;0ZiqrnlKX>Vqmwig^ zBUrB0@!5A9P#VN7k#xChIvt}ALKn!SRVGMy*=A@& zn=8J1U9$A@jV!pUQ_kHFZhKW@Jz-fH9gtUTZG)3Ao4HYEO*L*DtFzTJVZB62iq9Ql z=v7(IwL=|)o=8Pg%mQd@b;7V+LyX24140Co{09)?mwqC3aZ-ObAmK!+)Vg8 zzs7St>ER>@yyv9&G<;x@0j>sawUBdwmVrL3JK7yKwl(wL)oV;rCf{rUlnW;wY#@!r zs7nm++WV#{a-k~`_}PcUcS8@~6AfOjeVHEZ4%v}Tv5lhcV>r*V;RF7+Q&=D*V=wxP zW2lhNxBh;R4i#)Fu!1}Yv38F;M72*D7Yx-19wUpa7yS0EJ4?ihyJv8sB2qH!I2b~g 
zCvVNIC*2@8`{M_n@=>|>!6c2HL4ug43%sjqPbD7Z+L6(JsO?m^+uy1$>e>3Z7N z5@tjHfSAwWYzQ{w#r^i*o)`SW=jT3?7@#Vj3AKrvXWk<_O*>2f0ei%s{yjm`WeIaj zEkMzAYg@6nFd}6fw3^H$*3SqF!e6YXWnH!lVc(i>7UB}LdinFA(~>TK z5T~%hHcTUI3xpX5ewWqU|9i3;I^yr^^!)|QGI;xp$oblX-1+{wci!E^p8U)HWvdS` zzvAhQRLSHSsZ{4MN=N;vAS}=Ae&Vg!*QVUiPPe;iJ&Vb@L(BfoYIc(V<^t;uc9aW~ z&A=O`P87uL89~+VDhFuaZW4e0lBPF+z~Ymrh1Eh%YdJ5TW$hjAW9a=*=HO4QeJZ-o z*nx#^)6XH0+RvM1?y&>QBditbpR0{^mS2$;1ID&JIrFo&I*UJcD3ATuzw+AC=4Y3q z?W^_QTAuwd5k~9xYdZ*ehkpF67r=#g7hkh|2=p0|j4j=|=j|AqD4Q9mTbt&u>l)Xe z7DzWI89;5da)A=J_VgPJ`|)!}UD&+znynFTIp`DuKI+E>5)3JC+(Kfh$7K9WuSQ_+ z0QNBwz!?7N?KZ&P_yscTh(_@%2(g}1T*~^s%0D(HFE+R$Zuh}fR5bL#v9(iu_V<#S zivY;^_3irD;Gi{F!g|0*-#)~{I{WSHJ8#sS^i7=Q&wV-+8UT#e>A#_J&C$~+jgU!7 zt!K_Py^`*fwZw}nzgAKFgCuS7DNZ~c3J4U6k5P)S2LC;!$i3eeU;Kj{SpEDeg$V)h zQ4%Ov4;rki??frz7|$kM(=l%bq>T<+!u|7^J%Hw(TX+o>(BmB9Jw0nF9d_^M5eLsc zcJ?#LYzx@#a@sC*n3IzIuRbY{MlTyz9XUg<4f4?((GrI|=gq9IC%wO@H(m3S6WdQ>*%Ai@*^($K6~>_e;F7uu2F4gX84(#=m@_6GPvOg4%U6Uf z>{j|xuz|E+e3>yYCDnUUP`0vMNF8nnl)vlPz_!6==5e}7^(h~*bf8w+2nlSsJ=b( zUFyR;eeEe>@WSAa6Jq%Xoe;SqpWTR@SlNP@*ohRGSa#jU`>i1~$}5icbGwZaS^5o` z@|EpsWDY=4;a~uU*igr?s#k7B<8oWVcq4}knnqhDEUOyi6K+X>O!8u3&NgDSB(|Wq z;hshjdc?J%{EGf_Pl;zLm1CP!9w^(v!Wc;DIVG zhOWU%9qGXkW1h-o#n|Eeih{NBL5@}T&8&O*hJXum^`9UX)uZEcXo6`jrniL3_?;(t zvM5CZOn%7y;`pwvan;38u@S`DaB>}{<9SK%%=393G7+md3s|)bta6=}Db*o?!)rg9 zbg}ZdDsDo~SkMK4;+RyaHL*k%DascOH8t$>x@3rTz!Z3+cQ)z9R97VlSfO~m2-Y{> z&w}cWKk6)yKTYH_XJ=2W>hB%&61N7p8E00iB}M~jBso>I9V*hOCmBK=(Rg)n0hEUw z(Lhg8rSH|O4r4ZlDc5yOyY)U!rn+tRP8cNgODgHB06vigXB@PGZH(an(eyW`{qU7&E(sX_DUsLoD61adClj zl-zwcyIH`2C=(C(YWHKOoc-f=ijYOSR-W7JU6>&(?W+J;FOT!?^>NPw_!bBYvImN| zk`qC)0#|>PPZ}OaL-}n#is=*Hn(iy+&;= zw;l(BXzpHqsp1AS9>mEg6rmynYeay*(;L`P5lBCNv(;T?(77cQBU>QH87s0krYrhw zQ)H&N1iCUY2Q5$$+8K$otQ^1# z&M};CRfH(|HVYvWvyCbQij7QBTm~h~fxYAX=N?!<7>TG9j1+_U_uXl4=hS`dYzL-a(-e_>$=^yqFy~YeA@o~rzZbdOE3R(4ZuC073BcLPE z1~tjFX77^_;V;aqUb-Jcsy)!Cuu*-l7QKPh6t|I>H}g5G+kl1`%F#0L6F2GezG$~X 
z=ieE_uDcU`o`iK}=K$Fh34;9SGW1XgwIKj-%!&_F*D=8^h0h@M(P2Xa@&Xvg@-_&a z$ZHt^)EBE;xcJM!Vi?H{fBOP=kA3)v9gr+JicOuGxsC-+1Ld|K$J|L(;)C;c>zoib zQayHMHZSd8V*G&3D~A2yyM!8(DoD`p-+>>tf>FzfZeh*s+bYk} z8un6JGMvkHOd^TY`I_)hXsax8eB^f*fdHtx0z;m%}%zEg&4uLJI9A;b+^oAsiY#+D5iedNA1ihP8s@fk8?_h~r9DdNNA@&SY5ny?ft10NLD^N( z4shM_RY?~?oT6ErXEL`jG67NpSH;FdIKIHwmyyOL4Q7a~F9|7w$+nl+K$iCY%gyrJ z{G=c+#m8uC?t@(Md;XzgdsXLJw0%0EUAi>(CdVaWQXm)mnZVaDeNRCwYf@zw$uTL& zqSQZ`f{;H&rdFxtYZNg8T91uym-$wfE6v7I%2C#_?FpbB`8xdwdp7l<`-f?@XFB^n z8aW&tEOp0d?_F6VKvQe8YM0tT z>cANgFDRe71j7U;qZ56D(68zKS9M$xYqR#5Fd?FAE{UcmhZHCmiqgZ~$-h@Jxe9++ zC4(OgF<)nlWa=K#v=FLuwa(Mai?FEjKtdr2j(?WP1TNGwm$>^_ zBdvT}m%pJkKKig6osA^6d$D!eHziV7D*e_1)PIU zfwcK7_Me$HXZtuEH^@Cf6jjA2i5+Pbufyo(Yk+=^S?XvV>AE}&w7}7}BDx>fJ^ZB` zT%|g|O_DWitiaXvetbi7bl9qJdr35_KomVzIz&_=f$AyO)SFh0b*zWm?QeDVqH6Y) z-#=z>vFWE5G@qCo9^zh2!=hj4lOR$ed%{gvK3p&wCQx?XDUt_;F9)1ja?fV+g00=B z+?>JzN7d#m$BVPRMz+^UB(z4WB(hyiK%sB=8O0L@eVc6JPe93H<~}X4-dA@Rp3P-D zaLxMmatKJZ5^3mW|GZ7*l6R+1@uz@wf1^%)U>AB7WLof^H>ES42b}=qyWXwC+g`1& z_Hj3F>Pht1a&Sm6?ixFgGzH}AFI2SP(_E~OSQkPzGKg3=iWFLaq*$_}A~E z*%}X=XDo^1@7U&WQ2YptpPfbGSfJtvp3UQLgJunb=9`|8Co7r6i@>fD8>u9yV6`$L zM>=C??hGbnjmncGUj>@LpB5$vGJs7N=#?8$Qxsjy^T-FJyb-=|>Ikl>jkw18FTQ&V zz@(tCY%g*fzfcdM%1P-1b6d~0{&pD1`Dsde{o(0Z%JZ7<+1REJc()Sw8-hi7wjkCq z+mA237HmTBOiP)q)mTa*%^MFP(^{L_k}fWsuc0;d_JQcbyVEqqhs2*Ebn%$Zghp{=UEVWph~_S>SGyluZ`f0Fd8Zu+Vc0U{^leSo2}DY-vxc8vQMo?0 z`a8Z6MUDYU%0z6ydmy6V(tuMx4?D!L`$IeRL8eI}Mn1g8o?yn%K%)^N2=Rc#p<#m& z3}4}Pj0WI2|IrUHM2yvg1pQ$V;ItTaG@A9;YpBYWDk;u?+b*$ABxE~z z2Vx3H2QKSlkw!H58*7A+*0BcisdfciwFzbb0Qv3Od3G8Pr1doKf& zpASBC_ivuO`3peoui**z;gQO!LN)TI6Z#`}$$6jVr)E0OYyhg-Ya=SZD-IJg zh+P7OOH{H0x|*!>rg?TJ)MuoDNdBt!$;StwvMm85MLGT3y>(iGl}(Z}UVBkrUHvtq zwSNkKP}D{Q)AcT8cb+-<@Fra4@wNcsUR5L}gH>#pIr9Q_X3ap;3HHnsGmujPE-Q`AC9{GF`zgWvp`@;0>%AC(!A4@I& z4Lph8;cX%e7MZZ#FPjZyXfFj%rv1zN?T^qXJImPJ45!2?P}y;Lu3f?Sq*j)#1}ozW z^^ZIf?)nBMw&yXW(&4M(^)jWp-ho&t!pg0f6v#>9`27j$AmFXB*mop^kU3VZZI61O 
zDu7-%*U2K89;1DL4-3hnC%MEajH6|C21bGxKr57C6tKV1#zl3AsC+!c0uKhd=_sOi8YTF)LD|v4UgZSlfE_=ifb{au>#YvW>2&v* zZ>|q#hEf`w-0%qHV%)1K%EiD^M8avs(_brPqlH>XRt|kB2zrzN2G||0Fs#B3?k9^T;=606oCw-l}cfu2;E67tjApzID4NNmME7&30L@ zXt=pb-H2-_P%Nm{>N`hrB-kV6&wR*9nvKZ!O|Db4{3MU0pw)u5>AP?;kMYuyu2+Ds$j$)_A<^{Fif0^15 zsl04VN!{mFz1DQ%BRXGbc2cvP8uQ4RNP7Kw-MAB*F@rP)%$WUQQ~r}`Y|Atr;w*yH zGc*owG5WwQj~FVdC>O`>gcnm9-AA@r!0jv(e-8nzoUmX+f@z3{jk|k=-TBF8h!K(d zm9p`&Gah>i4HV`hi2=%w0Qnk=L;RKvOn1$8uY)HRva1*Aup9RkF=3?p$kzp1d%e2( zNNzkGV?m9jd5}&$NT{#~t5C4^)2UlyJy>`4cHbZNTIl3#`oNFyn;#SSv(x9!mp&uA zhEXj_fEX0n4zgEST5Mie)YOk4)put+R(#ff4s(IfNh|n4=`7Sr}NeFt`9QK6qHPHJJ$-=uhE%{obRLtILUthm7e`M z3s-^NA^OGk)`K_;Nx|iq#VtgrIX9H$wdBvA=ln#sWJPWI_(Y+E40mx7$5t`Pm2h_T0E91y!8W|jre20 z*&jjS?kQ|h5Dz{0FLizpxLrQ-3eeZ@Z)gDens37;U})0(45E4iUf-^xpMsxh$I;sr zu)Vg)K_s&AJEd=&`U534_A1_d>37+1N}WG3qW%R3gNzs$|JnZJ%e`~8)oGtnjl@I6 zw5uInad6~))cTcXc)MXXfQcK|Z&t($AO^&r{!Y~51C08*7+~+F9=ZG8JM-Fy_cDN? z;@OoW@UfmR-+LqYD=SPp1bO%eU4T^s`ZLP1YD&=)*pZSL6;N=VCsVbKrH`7u?DLhf z2V^iZgWB|efz05)e;(Ooa4d^->SO~=EEm3^nV^@IM1h!&+}KUcAfD?}iYt`N?(2hK z_^BIb^}jTO_ED% z%|NjwlX6}E@m44Kv;O=?wNoGS(EeE)ZpenJ#TxA*P?6siW~=Ew^nT z*MQid?ujhT_a%7sXD@-yggt2YL^vHA=(7u8BRJ$Sjn|ipWVg+1-ksAfH;h-yQ)w}M zxjt%|Mv1Cw>IC-PaPzwI*kmV|c56sN;l!%*L3c(_)l}_n7$F6(bf5+yCN`6;t30gz zuE65_S17Rl``5N{zqoETRD;ELt(knnW80*&&@IQ9R!yjnRbmb3vQ=x)FgBE9#lhO= zuY(njoB(6%YO3e>2nDCfg7|B2S#RL546bW%IUSzWu5_1?OuP~$iXlmd2>vOO^uM}? zF)}ile~|53Yv1V`0df-gc!$tdUNCA~`<;yy-Y0GDrOptc!v~GWOKi_(-aDevm~KcE z#Yh$*q@EnF)g&`bvAY2t0i12rd6lJ&%B|l0Ys>P$D!g+LCBQQEz0#-o=PLdGc`oA# z!iu7n)O84o+p!19$f&VM%^-1&2N2oQx(JT>jrqQzKXgsY#Vcf|_< zd}8!_&xh&s-J+_Qu=n#)?I6Hea2d0617p2T`1v;%-ZqTt*G}~|eY+mM`|J)mmcyG? 
z_Pn}2dX~}_b5ck^8|Ow{KfP7P*K*RKMbK%gW$;$f@0zx=QRlwH=O2HmxNmzg8_p%H zJ@K|Lb@wd-8{(1-FU=2HPVT?h8CF$OyLL#CK%Pn${3U3Yb|m+Op5zAU%9+Mmcl0n_EziQ!#~Z?&0m)j`aMOn07AdUgkZe?V9UGZ z6-Fl>Ml%cCtH7jj3G+}qr|so3?RttF&2Z0s5c(Ts0oHWs(=_!YYMsM4wYLxNQvZlR z??{tH4a#R9vnn>@1d_To_fAT5j>Eoyd&^*g7*bvef*D{@2>$u7$uL~|V;p@u zs~-N6do84?ofQzFtgd$_(Y{22YIxJOxoX8~G9$$hHibk3!)7*sk+G^5Xbjdt^QVl5 zZ4vB8i^#U2*uV7naSCm0lGgmxZ9!T?2P80gtj@nQk40t>fbMbZ;bJ3}(iUCW@8{ko z$<3G5-ZFV!mxgWhyQX>Ld+`LGQMTrsQErF6+puC_HR#v|Oy72bVt~a3d(2i4DS~M$ zLTP(nq-JqsWA#hsu~X0vf?ImI35}M^i{Tm@0dh3Z)%F3#Ee0f-ypY()KO#HFJk?J$ zM&hv%M=+t(q8@qbu;1lJpUm(Q?qPo*VW$^AjsE-Mj?zBR_HKViNuVgLEfSXnfX`Upp*7_bP8~u zb$|?QAzX^4r-qQV7W2M@be>DS;Ls;$@Cu=3DDkm8z4ACy#m;y|*={WmP6i3cXy*Bi zc>vuLG0cPXUvm<}OOP)@K@s50t={J*JpG0JucC@s*IcMEv`sY&YpK(GBj zjS>HHAH$}0ky2O_byXlLfz|!#LfIAyN^`!U$Ik|koItg^KlcNMQ(ms9N&TIB7f-Xe z{6kQ0(R(?i_$j!{0+v)&H2br&+9wVk5DUdda6E{O(D*PT=K9U0Izoa}Gs=+i*DVda zn%}8=s^4zuzc6^<;uO(^r~Z@-rvAS{rT(jI_+M|T_;1&U|3B?L8zAz*$Da;&PWd+G z%IPv6}j*3(U_PZp(IPxbRYwx+KRs-;&Xo_6-(R;D( zmpN<2c9;{CWFQ~_T(?G&imd6$)?R_g>R_RNw^vz#@BtJJEWf#`#etO4^wJO2FmR2$ zIm}XC+S@p@c7xPG;C&w!xXtLH+9jW={P<39zSb`{#0ezYgO6 zmDd3mhJ=ZwKfk=$VB`NMS*(6WgMWYZzZd*Fh4BYD`To7l{(Y|h1jFdRx7q)~Z3d)g zsR{cD?%xKM-vrm(;idGmf99^J*-BvjHZ!ug{E4War1qtE zw156e_?h;Lwc@d7`>Jt&*LTu?uW0C+|FfPLpfwmLk{RO@e;%A+Lo|c$eCo_8_tYsqHktc()&A5Km@FKPS260f930i~KxYoY_BdA$&E>?xG-HdUmjzg; zeSW-_C1rkpq@NJMpVK+uCvO#nk(<<0{`;$cK@z91|Cm+{f69V)g6>^F4UFknHo?7A zWP#CFR+x`sC~>=uGP7YbmG_TvwX3WkJ$nx?V()*qXny|TzXI0v`1+1H*hIrjyhw?#x106uDqdEfBtN7b`z>`cAOQ{d4r0T!qgr4b!2jV0n{{ znc57U@x3Bupxfxj8qwa9kMxffdEz#GuQQ~?D`Il2NHcwO*l%>^`2(w_%&L+e(0-84 z!*zzP!fc%}noVUB3k2E#jjXLPZf#Ll}2SyGU^nurRAVZr%0O%ODK1YT^ zU)D*EQ>({52zJqTd0>ihpH#S1Vr)RRgN)io&3jxn?I&ftw70v=3yn?_N@PeP;?UI;e(YG%7J&SvmYd#wDeilQNBw z_j{s<)n~|E(O%c2-fh>ZU48S^hFw7<((}jwbh#2c*olc|i#63lmde3p5CyQn+7vYC z(jPof=FF$vfSwQP9Z=rEeZFDGEn#QNM!IFgM$AoNcl(l+MMrZm<%=@f*tD~jzm1VT zg;gT1hbWl7ZF%sZ(t8&w*_{of36;n!;Ob0eZueTJq&dB<+PWIg882~p5sO#o(R>n>sXfX0r@{A~DwQ`dWByDp 
zw+I}n^EaQJwY)KQ-TM@nXN>u0?DQ9%*={f+mQ}t1%!0DBU6)%-^JUFxg2{1;ar)xz zDOEKHDUS*tpr~#zQF=uDkT6MH9t^FB%*Ra~jkpybF(SOpZnPQwW?ky~}a; zBJ8(8^QW-&eX2(^8;oGPflt8C(n>~m={4}zdK@^B-P)vfL9CCW9-CK9xUGT_Teu@8 z?1;|28S7FHWKbhVa$UzvuZRJudrt~C{d_fCt8_25pJ(L((bH*?9yhn?$wS!e$^Ac&>}#Z`~}_fyp5rQ|F;GBfK;U| z#+|mf+D8pJx>i$i^6<#q;G>$8I&hqHt2QLfPJ0R&c)$Ca7(Bp->NG%z>e7=A)oQ^i zYcz%?o({vT2Ct$9RBJd<`$nqE9^d93*EG199$kfXM4GIwd;2)&23nSw4Qr4OnP-fe z(@+VqdWZ@=Q1V{p;Nzwzt+JyduG+d)Mn_6N*BT={*-pogZ+9-BPx9B0_s#R4D;nWc zgOvt1@Si5$v0~{?C?A-~wQi!`YV|r!KDP4O-=5>LSfQ^iIlpRE>K*tsU2s-`*` z-=#X*Kc2AW+Bv?;g*i#0kJ@2!4`1^BJjb-&-kP+y{k0#; zt$bl*Gv)*HgV_$NTwD9gh^(UuA$&`2(JL$0l3f!m7KbLDj21)aNA+g}ZSItfzkS60 zY`i{LwC^|}W@{ha>rMloDr*|zUvxN8Rul(B<`7L@SNDUvHKq zh@h~pegKW)V2jKZUUj1=aSj3pKWBPLmu;T#;u1G}c~G!?o%xJr{>|*&X(=zOjsfB) z3vbg)9T6Jaw=0RxZJtU@zGc%BQdV;ww_NhN&;;`yA8z?v*_$tv$E-<@PH*yFvbZSz z+lIHmwq@TmDf0&2E3uCKWypF5tD%9pe3%o4LoOLe$}&DDiVSJH!j z3*fY~B(KdqhJ|u0o20Myi3+06%X|!96A(OuaGd>&2NQx zZujL5i)v2cO%S&r?zPCqgPduVhkCr$#~*iXA<{aCLm1kUAXeYjv(;3m@+n&|`JMhF z&8+iJtB_-KOvzdj=-u&sNxh2a1y^kwyr!#QL=<1WIRa4B#2W>v{HkJ(In!s;kB52_ z@|sE-(JDGsQ!bXMW#ZZx>&syRpF|t|%(7%~a-`)hO}x zOAE@hn}W)n=@@n^a0X0Ah-qsTSvz<=+Tu(*{7^DkHEV#x z{8F*wZ(wYp@DZLaN}ys4-6Lcz+jQWX>#1lVg;ui<2H~$|_v&PzxdG!S#6I)*kdUu3 zayYf{l6C5O5wI=BT;U-`nX-uvpAkNZ!`2zho}NapCJdK4tV(UIj47*JS6@SqWkv#> zD0KDugyz-8FxTxhJ503BHt8=FcSx$=mxT+Ad}1(6`IIg9Mu#((=fMsTkT@314cU;(YTzGI8p9apArTYaI8 zQo-83hgH!!UMYbeFT9$Xmod@s%Q8Zc&cAAyqK3&dz)^ z`9c0Pr?XVmw4F(JQ}%g%ukcRz$QCu!d8S^5u8G)vdtI_7U%^Nu2i=8(BPCstKaA2P zAm?qoF<*Wnv@Bdx(MeU?bdU^r^7Q~IGssv3Y_~DBCEA^?ptn{|(6-6RHtrOk*T*t0 zi*IQ`^V3AuSnDABion7-a3$^}9CZ%IH-{7+P`fx}9ojDq?R=fEs!{C`I6&4;Rh>XE z&9hgJ!1e#e^`N-aJXXhHdUKI<)xP+97BI1IGI4nRsXu|Mbck?iLZMEDilF00n5gD@ zx!Je|`N)h*M+ABt@cxg;^!7c*Hx%fYooHuo1M$)=L!DVh*h5vLo(O{T@P)&KGYQ}^9#C84u zu=k#EO}5$AxS&`-Y=B5t5fN#E(yO9?BB1mhkxnSmdjJclG^vq}(z_6P3l<2y_bwd* zgx&(=y@KL1^Sm?jKfZI$bN(OZi{J2f=f3x~_u6Z%y)O!<`TSR450ITnYeqf{>iNaR zaP|t7n69rqTZ+ee6rwq_-(u#2Sfnk1In1(;ZnwoTRcq@}`8%y_-Fe%k>+V5; 
zU+LRdG#7WYs07X8LfAD`V&317-6&s*b(a~22~A}SDd4U#D3@jInGxlsEw0Zn8_n{G z4G6^r*mp4Ot;PCql-DcwmXE(A`!o>MO8ZaAEP7Us+0jbz>7Mz?~C*_(wv! zhyt((!u~ptP$S?`u{DMMSar6r$YpR(C_G2+>P#$Af7#YClYu#6w}C{$K9H*t0T`)p zO0V`!T}izA=3EfSq^x2(F;->Uk5SW4yHAU0u@yRC*pj>WC7cI4<=rh>MqDNm;gp+A zEGZscWgpg)V+-!@O4_+jrFm^{<$;O-_w>KJ&EL4bdaVPS<~u75$X8|%1Gr*ntSD|yeIp=$44If*sXkBkqaaI~3} z$~7M17C!R}Pn=mifd|ku9c|Zwi1M0+c{JC1jTqGPO%rWr2QH04*A{vqrcu@eWTpz;1Dla#%#oIgL^m%#}UmN_|MncMo8S32XysiEBFNBe%AV$w@&J=fcUr*G5b}*suOD0%GG` z`n*3rfjz#3(RgPBs<0bCs@f0mAK|wO}zeMT;R5iY9Ul*q&XpVbPQjg zrBuaKkaS>}?iIyx=ar=OPtRTH4=VJg8_Bo)O0@GnAXdK_(~b0B1MAmoM?P#A44iCFZsp)eWA=8n@bC}Lut=kacA2c2;HHu*&v>>7YyTTnY7q(wE<@??h%nndBN?jvbE4p z6&fjA&#ZnyF9AHMK(hVxUap7zh{tz@-IVx=pUH%~B7UnjtGSzUXGLdrJdC}sF5D=J z31YUXrRqa?f+$Yhr*I!)mv{#Ze@_zlK`KpmQQM`janvn+@GvNX?FSedA*wK?m z+r+%TrE^szAEDNz)uLJ1x7)-~%I2&*HJ9e0LKn+5F97JBBG<+5Pal)i5bdTGe)Xs3 zQgJu?G8RxfZWOZ^otsYBCtAJ`tSBd{Y`?~PY^|&JT$Rl9fYRCAEuo^POjOI2(p-FQ zh_E&N_9WTKMGJHFnj!Y28iuDI1i7_S$gECP<)avqJnREbNRXbH*h})@CC}M=_Vf6i zSvBWn~2sm2@)NGLXcyv%o)DFxL60 zr0M6^cwc=$-fAv)Iwl$S-cQt^Zkny6z|{ zUf2P{^3veXX79AGz6pzdPHfy5>5SVz;%4~PU=(T@*(&)Z_%2{?cRSsA70?tjTd814 zyBj08x_wn!nO!pdp2-@YLEjZBKG>9eIzHVdC4vsW$ujDZWz0x39l;9jTHK9my$_$sb@A~#k1bG2_e$X2 zFX-&-5DR?YNt;>UrhwEpd=|oC^h$!GYX||aq==?v=b2S%-iY`w@=7}0B*x0l06=?- zZNA>wlJ`bap6P%-3$)B^!7e|q*u@0#4LP!pUERVK=O@TaWjSZ&nD~@9&v*F>jDEPp z?J(2?nJSr>w6I>lMRSrs+ywGfTpgFEDSLNm~Cn#H(3i zOGPEH^B9i{*ETFVlXA=kHkJG07AQz3$~wNx<|%nj$#8N?Z=~O8J9gB+Wgc|0a^PBp zk3J8Sb&X?ncEPv-bXxE89d%33SwL9M-cwU{?L%knZJTGzCP>lKvEZTvlw-5^9{ZG- zTB+_fMv7@RXr7+!E(JZSX*QM;iHk|$YdOEF`iNlOB)KajMr5J&E3jCrFO;Eq@!czj zZKg8%X>oxBv-xzi-bR+lM7B{(eDmX1wIWzs8TO}`ckyY;-Iis_mhO+-hY0)XIZ~PD z`|U#LgzTkvz4G0B2DiT=_u7~GA`{l{!DqX`!mDs=`ZSU^%B?HAhv^?q*~_B3zz$Gq zOzIqEu7{IHq6cs9#r^OQB+9!TsNesS+dcQsxm|WZa)8fW4uwOzvjXL!g%aNCx`)LF zfIT$BD;_#u2TJVHZ<*$T?N-LZps9I`{$}c?oQX(7mM+Y(Cdb+*xvsWitu+fHZHK=t zHBZ~2l4D}71&9gAZ7j*Ro*gN!Z_KEv%G9d)nkn31R#PQil*4qI&-!@NbFJr>^ZuYw z%JApg8I?CriT~R7vgV(~cNA~tt~&HpxRt^X=`)UCFIS@cu#l{xrI8#YjzrRZ+a$8X 
zQVHeIP+F6IDy6U>4Jo$s{j_uXc_>&_`9+mhW5pL)M>n{gAchc87S|9~7Kb)Ht}0^J zwGY-2W@4F{G4A14>%Nd?bo-AOr^LH-I0J8<+Le3pWQnhBz zY+*+4SxW_ImNBf%GdPMDD|xQGUv2JAeKCu5M#1)8ZE=r(Ca733Ca=IZO0~b&C|N$f z7Ux$oxz)0mW8I^x+~)e3X9xhT+Bt!nZK!e~QZ!#6nY^$%@>b<)H~++~nZXsE!JWAk zJB91YPc*Z%oXYq53M6cH8CD{jbJ?l)yIiv0>vA>4(<>f=Je**#lJ52jk#^BWXLhQ% zW7Krf@=Hz0vIS=iTDFN@3KLyK`)fR^zzrQsR7jidAkR&c7! z#J2EynVZFDgmvpH__U~^xaNm1x4G>bt_(UryJ-w+gHE?i_1G(Ye}=4hkzm>x@A?X1 zy5nBH{`RD6Tx|A85ARX8Udj<5piKTAt)$Ho=k~p7N`J8hYX(u?xTn6Ngq%#&dGxF= z)o7ZM;r-{%Z2weTjZP+|*Dka(H}h6XH-Gs;8jJ_}P2zlt*t=Oa)vV`uW;z3c>$NC9q2d=0t$6|+WveDvo&Oa#y)xIx4X`oiR?Ct%?#$`&ER~dv=%M* zpuFmPJtv>>u}&2+zofl~1m;sTmT>nd2T!x1o$^~2DutC?&vw z5aktM3eqc5pfSp6JNI#QomdP`wZLpJH(iF@(G2X^4b%$|xU^>dB6i|yNB!9j8Olx8 zi2bOi`K_oQzDJNb@6$?&^vLvBf3A_QSXGazkF+emgoC;1?ob-sWj=zZ9Z&vVeE4V( zWHvq*J@S!waezXZqj#l-NqzWJe6W;S&YWwER_<6?sp_SG!O*&esT!uzAuZBhxXAPe zE-Ghc$6;E@^!unu)zr=UXhc7NoYu_OJ=eWjlWI z6Nx7O_Eu?Ykfb2Z*^q+Yy=xC^E(-p_r=E#G>1p}`~ClM55m6ZFZpB615hU$ zXd@(CX~=9Hg%~r-x<4ETZ=?hLIpP!;SIlcewE z8;)iTs$aOaM0J4mFFNc$mGrxxPjyW_H^G-~CB#CE%Ot8Hnvd1ZH+r~mKP6NC7WD|Y z0bcEG>w9>uEcoj0Xl3#QnX<1$kAU8P@eq1UIs@z($?NiDiObKu(nYn8(_LvFM}397 zy6JmpNb))R!3*~AkOf+x4zaO$$?C*gyd-c{_ID(KSVE0RVz=WLN61D9x=?{?;Fb*I z%)^S}P=os!H|us~3CuV7Kk|DciH$B0l=&UeJa~nN2qML`NXp1t`fO+FDe%0|!-#*# z3;h#Jl17om=bswT)z^mLo=XjdXw1vWZ)E-ozaI@QpeQWq|2cq4 z^yo^Gfn@FL*KNP0UxS~K+TsmXynw^%M*D{6nVfHz;0>ZYm9TGuKXP6G<3G=NG9YH) z6b+7 zAIzKozhvJ2bGrUZ^3nglPS-<%%uuGBrXM2e*z12TqAG|(+Y>oekKp-wli%X&K^{_? z2IV0ZByCauZ`AzEl2AGzXR*pWjRs9HNp>oWyXXf6XE_-N_HJ72+LW!!?%QmG$r06d zbNjm=`Nz&{AHq!AN4+^9AIG2nNNb#vx3Le$*eGaLCWc=`jBaCk2^? 
z;*eFseGdO4OXyqw<;LnirygHZUl8Tl(C@%IW>yPVjrg*5<&sw2Sq`io0A=z8{AB^k zuO^OlEG%v-b2lG0VyLhv$(Cg-5&u#BhW=CS@n>mYlmBn7_W$eo2=BH-o&67>03dc> z`b+RH9nEFDPWll= zEfO3Y35)%-HDi1v@b#Li#9Qx44qDBTn0+?h?Iy7?$+=N}!sCy`BNJUbUOi{KjdP|V zHb$W7el)6*|0!MnGo`EXf+NQ5L7nmoj{6%^=JmnJE@GUG*lxLv)M)SQ$OUNoYmOh9 zUYWyR)V=ljda|mra>9pf?MvLhrdjHLX2b!6%YF_g_XEZV{8deSsQt}8!qzsiX*QqOk|9q3%)#hVP*%60@(Q_oQm6P)Km2P@W$awAOr+FsK2(aZ`OAm1;uix6jg&K=((iRM$&fik z_=@p1)s_;~DYG+?mTH?sKl}QYo!g~DwQV~Uoyir?^$|@j6)U$xxHK@#XNOb(TNe$Y zZP!z>6LnBB85OM;8IO5?8=Dg*6cHnI#I`>D#RFbkIU*;Rn&Q+N$+u^vMH!p2k#62U za0yuc7o#-gnqrrmk1gQmXN0<9Z57T^Z7uV&Xym=u)3RHi?`L)x?7z)xrk3sHUo5;4 zMcsyb;~69d5pACD%Gi=E8R#6+a2P$oT!+q<4cpmTsrNj5tN}-HT}k>BgDBgEJ!bB` zk$&oc! zC+r~@79ch*SGxdsgHpg7*!z9Uw~~v>#MY3vl-xTv954m!5nb*aOZ-?d5|?WPWuZr8 z{-8fOJ>zs1uYUAce_M}}cNX1D5tyeFDyT=sz#hVIZuxo8_S>`CF5?gm?NWO`+Y&_d zSlhxvpLQ1XS-imd?#9YQ75r%3=flS)*87EIqSLduP{_SW8K*LL1{5q%knv7cQF0io zWflxfv*?3;QPQajiHQ!)71pz<$>C!!AhZ`5+=ScBhTBrY2Vj~;y`>J>1AWU3*3&Jw zskTS235=~iSgwM{)&DjnKyG<55EMiP~t{>>Y^PF$Ri&qmTB&(xtFa~BatoK zVODeR{&dcj(<0W-nxAV8TweV{mz^WLT@J}-Xit|V$b=K?0jl^6po%{Semd23BA!$T zu$8)3PB6Uw@v_+dKVH@h^RYKeYuyswr|$cx@YOGflxE6Ix1+66wXxO++>>kzu)LNe z(+(pS#X&@JJ_zjesxzmH&>WK-tNP5Cs8DsYQIFTc{>24Ij!2jM)-r|uri@;L?4;{< z&PmsW`_Pp#rxNQ63BmgzunJD<*ryEKJ$xglt18 zK4eb}^=AeP@ahg+VbLjj>3YLF*OzuJ$WDuTh8eJ%G2wweI>4=<Gcf$iyhm0@GwX~C-2=2bc2rf>^;;qHKqrRf~b1IYCb3;yrVk*^8+ z_?RCCUcUFX?)fV*X^f}{t!@ZgAp00f?iR|>{g#Bzh2@OirX~)iF&(#lGa86b^kTId zB6BYVf^jb1Sim+e92UU@-}8Yfqzl6vBMO2FGA;SK?Pl9ly0Wl?Ioiky`TLDN9Dy&6 zovstJNVUu=om!x8iyIoQ+S~?LZipEB=bLouSeSQdoM+!tr+1vzDb5_EYa0(cpKCL9 z%A~anv)+1h#yyv-i7|``hJW=wE%P-p8kd`pW8Tl}AdR@n-Y{r!ilT-7I7M69<-x

g?YQVH!*P_5L_JazqCU}QWb_G+?O-Wee7L?hVvM^%pT z532O0yyG9Qtf~ch(+d=V5jTso+XtfCAwql4xS{O6fSFE^f@EHC9Xaz1xOved(rU-1 zUbcDxYP0V~(96@`Y=9XaEf(e&wHy0NB;?T0gXc^KvE$(Z7k|X*NcLD9J2bA2&#PP3 zLq^Nl$=hDC!<%gxOI5w3G+i>@a+wWl?#R8XGkp`Hi21duo{S8(aBdT?V%T!Xo8{S_ zv%0AK)55J7s^Z1xK1|G0@+KYMwm4;|`+J)mn%(GtafiZCcMd%^%!7=9n(2`bQ@^UL zRyFN+FuoMa(|)a>C!n9jJuhCW7MuC758fKr?qv@sbdva zl+%@h%Uw1ev`_N&sfN$vN@q=-;!s}=OC4hAbDw-aZCGmD`m_!Gp+X^XSv`nT=|~xD zSJ271a!diNJ_T^YDCHubltzJxK0V)D+{uJ!AlW%fN^&@ZDIVvE4`7Pt!JPmmr|G~K zF6YNb&wmIwAfzuop*%jjo3{I2#~c(bC4ABH21V{dfL2J#cz;t|7(c4C zr}qZci&O8BI5CoWMeW!5IPQ4j$l7zhvqX8Phj6d8>W(>`KN9n=i&+L0@lv;r^Fnqj*#B8iR~*(_Zrz`Ui(BnLeL8kh{ezWiF;rmc6+a z$F5cM$(L?7EXr~8{$z(AXX_r-wl&ng)(n*hrYVGHHogUBSI%mQ_a}FcDU_~HT-e z=zy|2B72u0lWW*|qOP8#`7~wx`>s8NS?@VuV|iE$=Zx(^%JolACbfNVqqJ$~aL9-A zKw${XRi~B7;L}MB+^DOvFvV(rm#UnhL8tB7+tv#LJXe^NiuzM(?G`!}kV9+Mn8A(6 zF>Oq-Hn;+~lJ>f9_ zZQO2-Sv~J(k|Gl5bFsrxzEU1qqmN|Tcb&EwA{y) z{XGwYd7K`f-XzIDs~B+xeO4UU1Fj4no@J<6e136hguLbIP>-9JBYrA*@NFx0iC;?W zy5`+;l|n%$$NqRjUi;}ySv*}K%~6sm6@tU$x^#1Fts><0yPLGZt!{U1);@jbtO2I5 zO0({=Y0I{3OuJ#JB{GH^S8CaDsllK)H@U9n`&i?8i|z~k>IM`4wFS8iEPW6(E6ehH z1#j7w#)hd$ds_KGUq-$FY=wPoqVn?#{A(hsmJJ%Ml6hZMVIzjkKIv%s$*F)AG)Jl5_3LxzPvQ=4h%RIYlvN?XC&{A9@~I?Y-y zu`Zzk^iTLEU_1S8pd%$lFM2i)>f(LNeBh4#!oVeV4ZfhT#{LKO=jR);$EYE-JTU5E z>-0R!Zm^FRt1W0}l5TGheibPBGgRco(_n~oI@CLYwD{Tyk+AU(Ql}Qwfn)Tg=pR*0 z`y%Ku*7cn8L5@(+JxOqc7Kqq_{O7tp3+U$Q9`jcc*UZ*qXHiT|$lvYwY-2DVB&!lD zx!>84w`_0t|BJ*JPLxMFJA83tU`>9-+LyD28WNO`E8AFjSQ{&bH0$}KBM1N`gz50H zlcA*_R~bF6XRRNFdLc=;LbHR^=W zjl&uz0BBIA?b5HQ`q=XEHoeBTGrT9PPcYt}IpmZOA~srE%XFEP^^e(wJ9xbA=XIaJ z{MMx|Mh_1#1QZo{Xlk6F#t0lYr>@zDpvNO`xnAA_U*bo>Yzu5jM&|!qXoxH?lNggw zah^5XQIXVAZmUcF3XUzf@L=r8c86hw7DSOhg%czBDATc}@ z;^{DsvQJ3^T}kl*qRtJ^c+5B;bZcHA9NLojtkNvn4H1nNLb1Jen`=#O$R44l@uL=b zID{L~M!_VfwmdoScV6!tFU253!7a))TJG~aqzV1yr|X8wT@p=JXc}|8UDkqSppZ*o z-+!Qm$igkuCZijWjN5Lq{AJJk4^<9nrR`H4%YFt!8 z+w8S<*PmnwfrFvG6Tt})MYxZQ+@9HM=E$|~Bt}^7a9M9UvZ$^rA%;KbvGy*aoT1wD 
z8t~e$<@9i2r{(v0)q7iaAR)@T_`MGO>#~j6eHuc$oi~VWgoa@7RmVjR#FMTIqDwEy zCe}_UUU4@T6>?a3*Qm)`OO>q3y>Vf=ZH3#WYZbX}7|4M?U*Z29=L?WdzE{2<-jAW} z04Dk$3CE)_=*b`HW`t=Uho5ipcXf&iA*Co>7%G>6L9nH+TN6gyCd-jJa6Lb&dwI>G zyB~{VuiNsdP!ko3xY)t-(Xhe-9_n(J_0W2b@(0$|dm%}ML)Rn&Gj^xu5Y53AZrk;5 zm}B%wX&?#OxvSleE?E|~zy!J+*+}EBZG1RJPfD?6s2B>S<#4jr(vF-9=FDa_~0@M?vA0wnU)TXYheR|iyk0D%1&jABH2+Trh zG@qrY06JrKlG28fWAnB>rgt8DVJ^-aj}m`&o(lcU0Ug^?fQvONQ394YKk4946hFg<@t=neu(XxiQq_~=ODC|F{rja8Obts0Eqd;wie1#X z00a*4$@^TT=KW81e=$Rg=Z?=30TZ82iLU|POy>;DbpMUWyik?Eyxc!O;bCG>muvE= z7*;6UEO$G6=ru~9z0rSadr6dDWc`;~V~xZE9I$d?cY|2F1ua*R?E{R5M ze-~~4(;YLw6>SD=iu)zSRbN}SSZU8rk*-nT)-HZCLW>@qA81avxk>t&bThNA>yI z9Zyj50Lf}`EQ;1>jE!>mk+$j3qej8+&jZ5ho(I4mi$mWW8UD#Np86MDSt@K`pxTvSptimMat%;-xZ?3l*ezAbl ztOd80j8}a)Y_R7r?6`nkZsD@7V=)lvPW`;@koOK$@w6;`1B3g+QZXT>M$zoAi0K4W z0Y{$ubb{C^5A!0|rP%`7Z)*x*ZcSsH|{R30|7wm2LW zJZ2X4im(q9xSLgY1}J^?DWrOg7Tem}#_m!0XS7U-cj+pd7)9(SG`ZhNX!CjOapn2y zP<#{A%@eK%I{x4fUyt6?vV>SI*CrZ_*N-)RQNb3Ki`a?^hrI*Jm6e65N^t0h-M!obS(Wd z8H*2B?NIw9Ja9G|{jJ;~2j>2Fww7y4F|OCP?$iTnug1d@7i3wn+qUCumhDY{6FF<@ z>Q|uLU!ALmvd>1_`})y}>ePjbbkbsN7nr%78x~t&LgSN>)H40NbXVkKgeSX=BMY~^ z=Xw#S98AZCD0erfdWqV3_U+yrIlF3kN9A?Qu#r9Hr#8^Lw};(Y9+f#fG2;2c8ap4I z*reS3ehlKik|;cc4CoVKhiCgnT}%eU*~7TSOyRbT4|!!rue#xnP5k*cX5XWvwWo4e z;_RHS#8dtt81(-I!2qnwGVq*-z(Oq3obX%uJvxji5A5p+RblT7?{3G{O6d=&Le#od zmV6&@kH30sh>H&}svDs^riLz~uJVDuJ27@OJl*$smlVBAOHQvM&RM5PXv5WJt~ME4 zO9_FQX7W{B#de`F;k$S~h5=_3md~LuHu$DJ@yX{qV9AAKai)X~%8>IEJxl2I7?bm8 zybdrvzB8j1%Rx8hQ=zBh)E;FKaBLw60%wzhr`~Kn4x&fWHitzVY0th=~1e^iXEad4}|j9EOg@u#RTcVkGb~q)HAkIfp_{p`R!2~Kf)a? 
zp2~8MCfqTIze1?>{7HehfVkF`z{a%Z`&aKq9;fATE;tR}-lchr zv2KCSdG@Q>{>~D_6xYZ5H1&ro+}hCJ-MuLGM3;IF6)%2?(Cudsc6_uvQE%igAF-3< zOSkc$hqt;CC>)VfU_HXeGC}*7dXWX@3-1hN{Tmu{E_Vo=5rl2fJJi*M)(@snC#&I0 z?2*3^3*vKyW%*vr1&FeCg=^}-Ml%O^^>>j*<6lTP!thD9(U0b3=Elv%ol1CuX{c$g zJ5CgA1v!e!T7TMt+bvL#6Ul!*ewyMvHBlzu=7Wu5vGARu5f^AI65<|gJ8vD^i|I(r z%+TH_&2KUWHMTb7{>=ui>`_Hj^#}j!amr&Z>lYwzwOM>9ahKy!C;6t9XQ%lR_1~D; z$l-QZ$6DY<@EWJ77|whs#A2bqY2~Vk12%K^%yIz8o;T&F1d12{HYRm_buY7R7CHDv?<`L~L*{BcuuYuxqD6Bde^; zKgwQ%$VNEqqY>KUR?t;^B~P)E^G8^nCpHc?%4{OvPu6WdZd3s_b5ce!g@=azEC}fU z>lRcsG1_DwAoBkfKy1(TSU*Un#;x+p;?0aisp~#2MXF-OdFvEFH@;My`d9>e9Wozj zQFc$zuB?7w>PHF>a1~LZ8~=>O)+noXDQh=R{A5cfOTZ=s{IY{a`}Bgsmv7Aqz2|Sv z?*=sHgd=e55?-Q|1w*1wIOBHlb@9m)cdTjgPgSuo2S2BZ{lGbw#(*8bimjzIL~axp zn~p{*PP`iEQh-+tjz>QJ!GLp|R& zbV-(mp%;fwTi!R5G|*BfX=tvCi#E>DKuCFsO}1LW!o{9(eb2vXeXb%m9E#Ht6Lbq% zI~Q_wtImgu%(A9-=Y)l%Dz#C^3OZ(GXy?|>8aaQ>wn=iK!>oAR=4KenuGu7Iu92GQ++4O7)86P}%6-gY-M)Amf-k!qupnxN9v&H*8^0 zxj=n1v9(bYKvut+G!zhUe}Fj8_hzZ8^DbCcw%xW+14rEldnOt=mxkI_o!ccE2a76n zC3JX75n|hqbS`i|0(b0P%?^kKnih7JWCl0RXli3)Le5T8RbL&TN|5>35xY*qARQy@ zG(JNRP;V5A>mE?qwbFh;Q+4AetV5u)WO;&BI#Y&&XNuo$R$t)RVw^^m!ePKq2a^#t z)mrg3-61ev&gcx^8N&060`4-%rak|rE(?OP!9N=cMgZ{0dLY!k-(*?+Zj<#vq0I4w zlfkzmczTugB!%@*YjHjp{r5(NUEW%m2o8QrPD;^aVV8kv$DT;lMswSkZPrj4^sR1? 
zsfa_#XLwDm%g1&kr^+3S9_;OGHI5E~HLEW(v+cWj4Rg@VVw~^1ogLsl(5@g9y<6MB zLh)_+dS)9#q4hT^VB+~v>5uFrt(&uZNL`&szpcOh3Z$lCldFQe6exhpvGRsszSiAj zIHbT3k6@Y4{B4=rDhKM8vh`jVEP9tNI`e-3z&Z>?Tzy4C8AibxR$D$OHiL5khA%4?w==d3 z`cBQ4zSq-UFy(}H?M(LYSq`}_e-2TfeBVu}Lr3E+C@&@;-6WDMnIg_x=F#;YN0Uvr z6_Md0=HNcx$I~{`WbeNv(vu#!vs`}%mDEaX%!`?CY|_G-$zKHNwp5V&}xS5*AIbV*UyMDk^yWZ+f7gZ=^ixgynX z*Yy21rpjv(4V)buJ2O%zluGXRfHi-&LAvgK3uc4f~tT%N#O-Xrc0#sPbiemc-T&lcln`+og@xO{5eF#=T!m z)nM=Q6bdqX&DTu6agJ>4ap>&bEsnc?5B*Z8Yd$nK87Ce!=TU&XNZ{2N5wi*%2@WnnMT!y|Wrua>P&t8~F(rX$h3XIuL4 zY*Dpye4K5^G$YXmoqk|73v7WaLEZrty@oaW6bY*r&wBX!ULa?8(-uaGdvPoI%1;!% z@+=!EAUEWSmd?o#tSI-$2U-`3&6#IiK!qSPM~7l@Z*_%mrnj_|%eH}G4E+fYZ6U?`sOBSqFwOW~~x120+X>NU{p{Lnh0`rT$6{kiw@a8kh z?ED;v5mbuW>O@ib*0B;Ru3WN%Lh=qu)KQw%NQ2|gf+l#Z7j5!1n(5)BCE=L_w^G^u%RW{(A;=tD3_vF${q_zNqcfn*JK zu}!;okDi>fL=L^4*EziwTF+TprzJMk9$+wHBQH6ilDYY$&Wx)<1Fd|^d5n}#1}?Yp zK9c%Xk>u^HrIn%5n@sL|J2BW4!Xdopt9_ER@s6TR@^SaOtZ~YaSrOOGPg{vYep&D} zysttbQ7(+LA_^Mwx#+wetlAn~zz$ZFDx$(!RfHA2PSTtBQ$Z$qDq5gBc#7nz{C3Mu z-@-K4R|8;>dq1`yR_zylt(OVG#LO%eG35M$mfx|ZFTp%gC_z2=yrFvwNplSf7jBRl zALxuPTEPVSMaz1Lv@>y%v@?T@W79a5ZPPKl1Fa@gr*z%KPo7R#wTq)y|KJp;=7-#x zvrn}9LdsfDGxr!07|1j_xQL!}BbU^ps1#CRDFCjFA1(lHMZ8S`ID;p5zbZ5A_t!$6 zznhPst|!)_3zH&V#o!qemr}cPV^GAsx8$L^5>hg6My1}y_6-h!wX8$N+79uNk#(JR zv$f-oJf}dd(j3D(+}sB`dggG8V-9T~jbzxNOiw!LhA0Wg2Nl=m&0tX^_HmP z^}5yhl?3%`Q1Ukg7X51W^L-{3-SIB+sWcHUmTu}z-U2%c-}PF!)@Qa=Xfq?qL798% z>dD(DpGVk-)Yj767G36CxdD1aV(so1xwgI8h998i&hBs_pABn5W#vChL+d1J~ z&$WjOSVvAE7RN;?=SOT+^=D)dPA<(6i(JS3h&#PSh~fJp_=g0zWN9rWUoVF^wWJ1;xSm^Kezn-yOt>}0!S+0-VDVM^K%7k>X(I-Mt0uX+0f8j=!S}| zOEENueC9lLydUn_L5y$b-6x{lV7da?3*r93d&PWG)vNC(FT|4}4-w@p^;eZ9mmu|a zlQ6$LqM?B^<>3nX-ZL?XH(m(Ub6JkU+8P#M{DHPqVw{TEP#7FTSNErh2 zQN-xUZD2-EGy=Z4-*C{$^%H80J+(0Dc-U94Fmf%5hnU-_;r(^6Z2v^*(2^eW+sEGk zY_=|DUhUKvLpczb8;j|=uPK5JIb0Qe&ebzg6?fCCHx>q2C3L8-#WqF9du1d(zKfk} z=X}uns5SL*LmJFCyL)}Eb8sgji(05F7dO^iM>GYwvi|%@_PihGw*q8lymB7i8%LY1 zR{YReWZ>(-a0O&(lxe(}KqB#BxMGHG{Gxr=oO`_;sl_dn62W{eGdzqdyUfI2q-8}^ 
zJ#U&B%8>2#n14qfH$Y;6jP84W zQP*XT-tT0-z>U8?8NC2b!l}HmfqR3)f)p*h(+ZkRDUW%RSZP}A9z5(%bY?_0rN&s6 z#4=!P<=<`nisUyGKNPVyjc?-7_zhk$Tkn30|IY;5Q;DdEVvPWm6~=*8=C#<7Aa&vJ z8||F$4{$Z_w0XgQ43V3A=iZ0T@o!{uArP4QwbG3_f52Zl7HZ_%B#5V^tR~08ZXm0v z?UKiOMiPSG)~G9|*J6;_fon8f_e2yvKYw+HsD!eP!QJcz@-=jIIGTTOK%Sz-9*MbB zJUP3a3++B-GL-hXL$8nT8fec2RvOZBCpU1l5j^QEQTb!WU6bI&d0v|m9Bf(>zC@H4 z!)8UQAWlQsZ#AE=U>QwpY&i={49Qfuo`iOeZ+_TYY#{%zKgk;Z%A%ka{Cq>jm+oZ| z9GG~dqkiaivRaa~>hAm2pVz;Y`HMe#bfLdoAknD=a~pu#lc=hns_h}R17UyvVQU9Am!<4 zcwBp;$6&V2GUnxgon)DfYK#`?0hBnC_v4941*!bua{KH8kQ0B`iqoJ7p0~?J;;2nD zFecW%Q4#=drD!p?99JQ?$JSSa>zmJ|daUPOow}bGF_D=bdlOc%BZ%R{OHc%M?r1G> zA(xJB(2X0eTt?evFd1AA&Eo(g{65dUWGgXl=KY~p51!XU{OECDWCTlTP8O*beR~a_ z_+G;O8GtQW+-mXVQDCk*chs%sBWsISru{UUj6whE4~h3)tk3cq+dA%iwt>P>v5QWPoF zyRm^^NFVhu^d?c>n+^OERxjL4!D=QG_BDN_7Dy8K(Cw`f%h{qqe#`&T$VP=|^#`?A z2Tr?-??`^8PmVHyqJ;OrtNAwkdMZtjj6!jIjIZ#=bBX$g|BT6PtPg6SxXZp#uk_L1 zTM4{u_MUHzzZFV%iFud(!8!LEk2Ha~mKiEPczBp`A}uV)YcMOXsrV);Ii4IOfFPWO*mEeRi|sDPTQ z{{{*+{S@{1Lz$7BU%=9|fc|V7S0i0crhi~t`ET?cTxbH1t&A;2K7D*%bhzhLr>1$;ICm0NSb?)USTy-WIuJ!CBpCDFYG%AMzpqp&m9 zC!$u1PD#_Fs^FiZYngQOtmxhgk3N;zlp7Cv_Ehd58jmOB?~_cI9*NV)zFs?iv69j_ z*!J`VPGXQCPVoW@h*d#s6~^ZV@Mt*a6z&S5VEP5C=PLX6o#qFNi18*K@HRrP)j!;y z7U}pcedzC}MZTviCXAo3uHG_8966z$>n`t~v27I%%!{a%3tk|uV{Un#1{s&%q~q}R zu1L@<*n}7n#T;rHR+t5C+T2=3mknoBWRW79N_3=38b~m<_uo4GvNflk{ZXS*YXcCo zmq3mB>8B6uSg&Qw-wSM#;|SDOxG6`UY87CwV*TdoH|K-+zKFmNZ&1qy680J2$p9ll z72-5gB9FL~_%)F>^PkFpnly-M_;ko=(>?5eqLoj(7Zy1|;&4Zd4SvP=d{Uxp=_*Rf z?ICcSH?2J&npfyk z`qwX~YG7ACmBSmbv98>ErJtc)mOK!-|x=$*P#4p^%a9TOKdzw(*Dm6=#VXY96K1+G3zhr^tn2!2C6?GO@(tE zFhj5VQz-E6=h3RS^?+09JX5cA4G&p91pN+V`O_HBBv?VlrO4za;lPWKa$~1aF#{>s z^FBDuLDPhN(kRso<=q`ZxQPA9yi6AL0Yk62Psl;#umMjwKEjg@lyx z+F&WX5fU^@K_@JILrvO;SA0cTS!F;Em7pYqHp7#e#j=0$1)yNy`mo@=fYTvwjg+`i zr|AT*APjMuV7O(x$6sy%EC!Tmru{b#=vf<-c0#JXa2KVqOtkvlCUeJg+AFj2*DEJl6Y3x15^0 zkW)3QOg*X;+AW7r>sAx^Nw#FpUsvMS1`Z2W0Re%o3x2Enrlf{{V}$MJZ}wF>4&{%1 zT$;BfmY?ZHWg>><&C?@$W+XviZf1c(go2V5NUZhZx|yG?tDWENXel~QbwF*`MyOhd 
zoE|FXQP29dr1<#$$)0&6u9>vT0y?+A(N4U&g*0-#h;d)c+Sx6M98dD{yTY38@n-wy zv>W?KX{kLNO+8?|j>N$#$~N1?1sq4>24F5mTos1Uor7M{u>V?~+gN_BVd*X%JJ_Qy zmLP%UXaoNLT)Y1BCScilaTEXWH@;!YF?1e#|E;iH>_+(5P9SU_&Qbk7ocrahe!5WP zbF0%okXV=02$Tbbr|<)ZE{Dg9R8_~%qM#?huEq#&MtMWN6Z9~`5IMXbve1yAUsSDAtS z*;k$m1_GpA;YvGPOmj!@T{L<+~9N9rZGLRopwW9m)q>Hg*j+JYzO$ zKi&hE4e@YZv4GVk`=-nN>3sg{UWrO|2)ot*VInca+B^)?A-cY z+2wC0cD@amY~6KZ337Ydv%Wv9=LSYN5`vQlDUH)1Ft3iXoD!n^#o&qMDj^bl;f6t& z`KZc*(T%;olA|qfD1zij-g2O?-~9NU(YprlQtDQn2h$qvqX~QlJJ9U+^CV5#EV~R0 zPYMo%^*)sG{?$9kTh+8QKdjDy*`3soOdeQ_Ye{SacJ`*z_;==U{HTu~4elM@f(1+{ z_d(nJZI?;QhIvm~2;ZFf`u;vp|23Dvk353>6#BtaY-6(K zJ$-wb3fH6}SZp5qgurZJV?#QD^V`uigC0;f;2KE^1s!O|H?t2CzBoV+%TmLldBW}c zFuhymONxh#3!zvdkb=2C;7zAyl zmnR#c1;0ygVNgPNA9hJwd8 zpyWe3R$I9HU>wu{>p#zJ*l=8ZbA=E;tZ8`Lym@GFBKc8l>?&9QAk%#E-zurhz2b(~ z*$;LB5am%cbFwN!V>yV3jlyjP@|_CVq7Zj@Gl$NvMBOxy06u`&JWy;7T#pgcKV6R} zi1NAK)a?tt>W47zQ+v)FkPS7`cr7{!INl!j2#&uBw03^=R@ccAKda(Z!R-RZ z!J*n^M0s5VT7Hzr0zw{8G>2?~&Gc^AHQUU@$gKV1K>KeMhb!RbvnMIW1qQgIDoYs= z?2ZGC2B?`{ zgc?krm(}onu^yd|-T$HOt;4EZxAxH`f{K_RARr+rt)w(6oze{|-3`)Upn!Bqx8$Tl zS_SE@DHE6|U6Y0hOyWEf1oz%&eZOLA_$~YH{{PD-pVpa6|K{W@$09*P`_+K73Pwk z>^&4tlk$3j{9)4`29u%>BUWj1P;0?PQE(H?1mmSR-V5*-oK#pshSBM;>^lrt^t+(Y zez{zVI4;YG5nhh#IG!yyY3UP0kp{oXB72X{fJ54YJweN}NKvGBI_UQx?Y`6ToL^4= ze@ul=AGDTG>(#llnQy;a-;0|}pFQu9?z&}9I;)B*9?(0UY^VGOlkFX(I+snx=h&5; ztcLM6YS^D2n|m=Z_gg(p(V=>?J6+#&|8~?B+yOqrzIQW(&!SoN7?1}WEoz1cTKP>k zF_xO2FL(fh#sLNu?Nywd=!uXEBj74Hcx*tZz89O-^Q!4kA(3;IPHxEgyEp`g$*LOd zfF+JHP9l0ih76K}bguQL=|-OiQ~%7e`Qd1W&S|?fWuwNh+}cdJ8x}3*dW@Uo{t0f% zR$3^X==-cT_I@M?@j!NarPDT#JAU#21L2~k76sD$*@uY>GAB%1dKJ?XbPeZ-3qY$k z7_c3-^~F2m8b74}c8(c<$TGoZCwf`}} z7f2H5bKX~~tRyF{*$h^bvNT@bT?C(#xy>yJ+7j-bPDJZfa@IM4ECgLU4z2V6UFw|$ zeZ-_HHRk#MpF~5YOzlC%zQU2nn-yCOW}NYp%*l>~Bry3UM;6qcjD-^LodXAlWVYk| zID(oCID)#gocY;IocWL!I$!qZ1Expj1M)oc0s)dhMc>mBvHFa>JQ&%TThR)aH!%Dwec%d>>%sBbQy_DzsnA%B1u6k9t3HBu!x?HZi*-l8v|Q3xo~Tlsbaw{1 z#hI7=%3_LfoWaEU$wl9 zzh3Dz`rUhb3v|4529<(p1GnVndthYCZoFWW-B)}uGydqAqX?AV&xm(<66GkkjAyiS 
zZnbNb#Jl}WASU%R^aK{v1d(sZ&6yW|myHB65ba4`%h4EEm!&|DRL6tK#S#RJJABN| zNy`qMoEN2yhoQ;LA1P1XHU8k%%UT`UK{rV`92pa8RGPgVt~f$B%}=&T1;z|{^IG4+d}Jz95Mjor4}zkM>!2d4dMb6#lazXnS-q`P&;j)CWh z_+kXTy+1#yBS5iOq`YiC=Lix)c70Ue6CX;P9!h{lAw+op1cfYsK!c~$#+3?QY}3;# z82qoE*#Duxg$7Jx$=a3cia?$MtqibUKduT>69w8SMG#fQ9r_!4#0YtzgJ+%|ToX+X z^0J=(asZk-{>3J1ti`sI{z zvK50)R+2mSAxTy6UUGmW(hBsO3rd2ZA#(QL_!9bF^Kph0c7aR6*aD zaGHM*sbmsf;+Px_+m`(0!wSI}a_xT%b2MHgZGty-b{9#W{82%{^ z`{EVG801C)*608t&oSN-NL(EcJ25GqgH%%t!0rwtUmD1_O-F1ieh&v(s}>gL1XA=i zAg5bVjzKF-ONN(j(Yw4Fu=dKHVhxesUK(SRo;i^BOhA&H?cN3zdi9gi{19bEs1FAJ z>;e(*Kf1Y}1CB=dI*EjY@_O2AK+SZa^H&c#+5&gFRg z(?2djc*30l4&_7z#GSD25$yyx#<)gJ;p&|Y6-C54d)`?6$I_<+hsH63YFC{fWf5~n z>CP4xbT^idm;?Pa!v_CO#ls~w#mr7og4P_YMT41Dmt#ExPrWylN7u43U<)br*Ey~8 ztYi&-(X~$pI1{KJsFQ>)pFbH&3fdQt&nhbfN#f-WR|VAjj{5jrYo8 z=vM_kz#N*aQ)m-ax->3)`AyWq?9ZfkQ_ZcpQ_iHu(*UAhF=79u=+~#9>YeV|aJ9R6zwTI{vqa5WIoxs_?iRn9 zr86nPr?_VD^n1)NV}r(%=f7;CU;XaHV%RWaH**+)EjvHk=l3XEQm+t?0z2i-L7w;aopr7uaIC@g&wIsL9WE>N|>*iB}ZwJA4hSWl0u#MrCq&c8B zCJy;-Ih=!_Rysz4y{LKI67;T5b*kQ}oHxQEdk2>R0gCh8bd@axAR_L7pt@@BhxncUPXK{^t&kIXQ$BfF{RO-3_v5 z2jiHIBfkC+GjitgHtYlA+LFtp2i=}-_&tgCx}230T?;|sL|B?=a2)7@FwS!zJg>?3 z2E5C^!@yRSCK(EqD~o!+9F;c=hBo@3qes6g7eOzGrdQSZ`)u|uOgyB-zD4s)p+>-EtPwURT}UZOUn_aZIEDp!nX70T63K0mIhj?7kytF zl+nk+Dy3Y0tdGMq0Ln=Dp&!f9(H^4-i<~(Ui<}i_Y-CumV3KBt`Zob?zNL~TSx^<` zp=mo<7L{{}D+&X4idMHzdX&aAgiRp>>A#>F;il%CSCK2q`gU5-m56y(cLFYXw8OZ4 z+8Kd)qwqJpB4OzKfcKL}t-Ix)6pEGTvM@B$p550hO0ND9fT6kaepJpZcWh+4Ey8%_ zIOq7?FxY8-44m_(NtF5pT)0 z`<3Yr|ANl9HejVnMr(6mzcM|$!m%fads^YN@(I=l)nlXk3Zmu&MzKmS9`RFasUjlC z4^g=m>P5r+0szTMg90#`)NlWWCiPou-CR5>Ujk?Y8Na#A2x88E>R+LK6C$UST^4O3 zc>gHEC2V((&F#GU6%Cr?GGx0-wzu}WyP#Ej80cXJbCOBvVt1dRiHFN#-#6N&4!X)9 zlNP(3Kh!9ljfiuOQ1yN1VLvbU<_)Zw&78KXo(IVUM$)otZr!U)=RG&O+uAUnA|0&lAo>|0IT%^I%izIvwypS+I z(BFdTvKSArSSEDdyFFTHmy71dIA^w|VRkCgZ}HD3Di;^VtJf5kjaSQiP{yfRm+Zy- zupu-6!+4|BUqB~Ld+boi#zLa0tfB`tM-)h=$FUbFQhe8(=Rmpa+hNyJFhSXt=ak*= z&sQg5p!!kV6%hHBme4J!wOB 
z3)O}6TNaO5=!J!v=vyamKcv?dWub4J9XL(Fgo%N-2ia-HX?A+@ieRz&*xQtVCr6cQ zxP}2zF;X;;n6ohh_M%@-Ac?AU_8BL9ek#K(Yxg@1NI~(AI4e{-hCF=@R9P+{UcD_z zw_T}Hq(+J0P#Nn5Y4BG&j>(xbDZU16DgW7w4*J-mQ1szg`*rdy2Dt{he3jHne0!BG zR8l3pE+XZU)5La?8G^HC_jVJlItg@SK&p1C)c0`NN1339STCQ`{|XQq zxS&>n5LGPOo*(*Ie3Ty@C|%JG<^=PK)cx5Zfu=j)u2TX#(yJM2@=Sn`vX}OPisuXW zq92DF)9G)E-4BUTPa8o?+D%jSGkHLY8>fg%E`|vmRObItP(e5FJfLx;0;bX3uht&q z=my#s6fc7^(dUiz4J_D3em+w)ClBjHB$1v0*JZlFZZ!M?r>+duRIT5?lI^1Jm|K6w zW(R>bG+x~&#WPcf3}v>ulQ{5kIjvh8w*at+@xOYCVtqc`I_XLyazWYjdSS1|=gvZe z|2N_r|Dp5wk@pdP56j+!m)&9-RC9LU-a6>R{DaN~lB>=)Z|fyHuBrpurv+4@tRnHr zs{xVCL%v^iU(|6-`qu&)Jrl;bV)_bxYr;(0RpgJ;_v`I+JRpF8D%7!9-0v_EbK1>{ z5^USdodw~I@4x6~{X>#FzG6t$SzTiT8opaW_CaXHV`oAf&}8)gX*2VHKynzEd#u=8y(UNC-&z_5Pa*`N@pH z%ov~cngT$H!J2ael!OU=H~wFXfrC5vuTsPVa$rK3|7c^iV!Kwg_%bQ;4`PzNuq98e zBGuRB(d}SzPOF*w^7GfA#hLR(V&1-Og5#2mMXA@anE2OGXKP5vLA9L$P^cyl=k>H5 zh^?8q3YulW6=8i^-?f%NBgz3>yDFAdm(umwLpH3#Vm- z7VY2D#+Aq$YI4t$^O1k8kZ(%)^8a^Ak_vpGmrYLltGBri+1HOnr~ot^vUCeohImvt z#_#qMyuIwWAq`UVJEU=S>U9ZqEepmk8V*!`vg+*)8UT#WQ%_jA*VCMz4VBo=KEdRx2i5q?1GLm zGS2NY!74WK-`=)Mpdr#1XEmP0Dz)KK|$4TB5}-nu5=(Z2`E{UPK*S~w=5yl&Y-Tg zR#m{A_u~%3x;(P`eOl>f0_tnOoJ&x4uFC+8p_IXzSFVml^qLDL4jwgI0U|0fSJ>#ZEK zT`&FB%jdVGCg&`6-0TJ(zawy&3wgYAr-f$p&CSzr|Cdi1xGzc^$*>-V-KlZ5BMMSZ__+X7hC(8u1}=qm9F3jxP=n)lEn1E+gv@?!=~ ze&`}OLH3Eav3Td;eWiYYVkUlcQ|$sTixHR+U^Aam3oGGnez5$%cmb3D{sm+~jwmd( zPP;t8lV)SJR$4a01j-!GJ84PlADYSPZu|yYW5q_*5lng=xRW@g1fuyC=vpU0Eg={w z8GEh6(fS14Ryq|*SHG8~dvmdHIXymwS!};sYmGXX8{WEJ0wtZFwwHWyDTGb`NBiy7$D2=zWVy@E-8vSBgzH|>=sc-TsM#DxeeKCDNgay^9r96-E zr@4dm`gh~9-BPq9X@Lxgk;|kYYkUv&u-x}}Kh5|R#Gk0&L?e#b#)2i=e71aE-S2Q1 zVqcYKdi8kr>j}%Dd!#!b^T+XbAgwl;KRet@pMQ&q;Y3-9p(CR4=szJ(VA;Q8S=m^u z-eCw&L1%Ea_qH!8KLj`PR#6brD$CniDJw+&;3Yn>5q=vhNGj90LQl&ro}W0uD|$?T zSov}c3MxaK1F86hnYu$f=j*$=YVFm!52}BBt^%W;@7Gv4FtVG=B5=z)Ufav( zWz2HSfA08XIAfl}SGbA)^ad6_-}b9O_#@#*x9BNV=4<_KDclrE=T^WZS@o->c!4G2 zPswnvcCvVN8t#F|R>B@0L!(r@(Y;agX*42kytAuaz<%b~=~I|r{*3>V#)r#XkbG3- 
zCB~+GgT4QjZmD$M_a}P6+m{e{1&S~l-F2S=X*WzKKcp&*2G0Ct>kN1_64)@-EjUC| z_wZsX1pS3k1Ec+BoUGY-S+UH>W%1s|)+%%mLT#8ERbF1;?oqbCKCNml@Z(ac92Img zxSS_#w)%NspQ+A6Y=Zp}kwD=}eZuNScqZoqx%M0U z1Dh`Os9ns9hM61&UV!;v!h{+8YGr8@a;Ju0h~Yv!G1@#^GN~Q4?P-8 z;(eU_d>LlX@}%OR<0rlOpHCVlOma81z51dV9zxG^*Y;}APu3m~PFl?UD8RA*Op$1i3T(8PL$n;cIRiryZ)v!eT!Kg%XV3P=j zC5JK(-PtKSVxF9`VpwQRzF> zC#(2SC)+2X_Gd0hLk)dr!f*WBo$(3dY>-U0-@;IwFur-XdI^ab2?ykVr_Z*irWE-afzn zHNAj(OCqP+sX|pE*-<)dmVLi4L`@vg)voGwB#ZE)q+s;`a2!b?E!(686L`xFz)$<5rH>x1a67tZdHG zRW8W}GPoxCsM{jPrv*NtRf$AGLib#tzydKG{pF@^+Q2b^kz@0CTm+`8R9n2>Q-d|w6f2ECW0D0O!(EK^J1-7v(bYi^6?Mvk~6u9)5_eLEFovqctW9ps`P`qmP)@U zyMYK*M?4?$b$UR9t1st9EylM4edV-9_?+}K0TKSf@>A7)(6dXpox10OqTfXMg{?TL z656kLQsZu3l2MnoyArmdrn>cn=`ib8CpHvrO%D{^NIp*zv(DUE5D}1@WK6pG{S~<( zn6}3a#DtZwvaleXt9q-3f;y`WhZ*(e9dS*V3D)HEm8gO)NF}R?|8#2W?97l5633?QC&9n?9vhF>!N~9MbVP7NTrvTfC`V0%YU#iS>CYd7CK6SXPBgefY&CDjYf916m-%zF? zLRCI`fScv*B$?cFKj*O6xi4Z(Bur}s4&TER(}p95S`QB$GnvRX z{L08IFkxm$m5_C4k~IQZ85)9`Jj$T+4HY&odZT^Gz+B$Fgj@y#qSH`24G#a+0ckez zTQjO7%immax1DARZQMBJ&)4Tkh&h}?F&m&c@mg-UxRd#dVRDGKJ19B`Qxw9d-m#V;tS*OzV7MyOr;vHSeXu`CbG20ut#^q9YkgInv!tmQZ)yW z4vy>wBQe7uNsEyLsXDm1879GvX4gx&N(1OaZ`;GD9>BiV6O;zjUs^mZ=Yfqp=PD+0 zx9u-z()w_PNJW%$n*Gp@7BrEt-d)e_hA?KU1qG6${B`x}COlj`M=#}enBz3O z`w%M43SsivFH(V(T^EGqLzfw27Nsw86%SpH+EFXEcu+ann+pkl8z)R+Hl+znp(_N0 zK;J1p$>-@wR9_E+lntNI^jzTU61q9$*^ds6H6_~nqm)gTM!6;OYcj(?GZ7(U z(wj^op5dC*Zqz(gI!z`i$k479PrzrWwcMapku?<|YHGwa9 zX>_-Mf3zy4Oo#b{n`c-=?a#*vm|B^hvij7+N9me_=IMG#cLiIEjT9log+Ehxo#*ZO zN6eFz>t}c;!Ua>|+I}2~KRc^8bs?tFjb`jHsv=lJ-c`g4De9*9ZHW&~s|8qy3D$4C zr|!+$TL&F?58{2IKp08K&9F=plL=XmR_^%<*K}NIwTT>NCzw|YI@p48nf9{?^l~-G z9gQSov{Stc95nC$Bp*d${aG|WOHl>rAhOmbA}H&v_P_IPR+(GhimcI^=)et&ilX%* zp7nBTC0SpiV}y7t;h13#1JBjAJF7!6Tx=L_>17o@Z2w7ekg*_2Dq4rdyiSW*DO0wX z`~`DvFRAiRKDX^9HmCi28s+;sxiZYavQf=^t)kOy0j{DWU{qzgTj(exnl>;TqUD7g zj*e`+34ET07N+!1DjzO3ac(57&yZ|qM*?GCcjz-O@r4E8J*{6$B)m?dFOs$+kt|_w zDgPKMVxANggi_w#_xMsrp94IsSY&kg+3ZImp$+4g#Vt%&UG2qomBE}vksq#CS1QC_ 
zGppu(mT_~;x0>a#&ussoQLtOOo8UZ3MG6ywR5&7f6^0-v$qsHkQvT0+#9Y}K?OlS^ zr82Izu{Z5yBf$wrU7lt{?>-T&onH*)k~M4=8u93A_piVV%Sc*;sNPHgR`LD6u!`(Z zf`RuqNBbpDGzDM}8&sMCT{J*^rMq}-DOyan|NIvsr@iqDk?y?4GjXo6f%zd+;@8Zf zhv$<*RmR=3p;`i?s%Fp}>&Rh3!Ci+8pas@bC%G_aO5GV(Hsn_#h}GopIvpeRVXVe5 z++l8@sb0MRS^yP^<+h~RzDeFes^abT?C9p+of$5acA#L2Sjsagesmx&lPqi$0=U`U z!Q4911i3o534N4f|B1LjJ!!v=k$EyoWNJ4gl3qq z%JWedNs9)KK360ii5$WT*^A?Xf5Ag}n+whIbr2dDSjyVrSU32{6lWOFNaEdsXv z5A3P8)MNLJ-Rth3jlh9z*XYb{%MQcRbF%rcB=GhpfBKvX+w2Ov7^TSe+_vO%^VYu> zM(W??9Xds7q|atZM~6o1e$0t(u3wF>IeN5bQnt{HG9zZotGDfv&p@)DcYL*6e{@L2 zOm0fe{)ssRy&>*}{$D)8Iyv zi$|J0EQgeNXP52L53EuD0$4YZNenvIQGk8I)m52T{3Kg1)tpJzZWHNq@Qx&{MHT0x z`$Bz*fRAcq_S6u9?=T98qqXf|r%e~sA4OCz=h4dxu0;qsK$msayQ%}WT5!t9bIb?Q zLg0c1>O#Bw0rH!6*e510>%U65UyT&b6$^ZtCcbmA zad3C0TZ0k|^$t4jETaa|D@=*LBFxhtzioH;mQRfTxHd<2?7Y$o>>i)MJb_mUaOQU1U8#bhrI)X7F{|`2g^9@TmoO}>e;XzwE+EeH2`t% za^TyitufmN>OnFTzwI?A1(vn;g)ie-(Z1?5L7+PQyX`xnr{UAGg0*9Ao=>x?_5-G7 zwb%$9eDCnCRuOm-I@pYq9Y z`F7HZ%z8g*nu;81HTx=L;>D@8X5NKCu3%2+noNmIr~OO^eE>mCCUdb_UlMQiA&S#65#u1a=1;BjIQGcOK z|FEB30JSKhg1_UDJVbic67tiK4epl(}=1 zBRJznM;xhleD0=I#HW#qem+mgKi)xD|T4Q zw5`NK&0fMTwKc_HIqRvRE=6b21++ag5|W`<8}MH1uFD+B!jodm>9!3sRafIU3YdY0 zS9?#QG+Z;KqPBjCRKUbrv(@T@Q7*2v_2)w)fa436M(X81$$4ma?(bfV;dO~(S?SF! 
z**C~zchRHBMcUWG9-|Tao&Pmr@8inEgy{Ehvm)ILLk7_T)PIdc|Up6hQd zXax}ZOUabUPd3%$i5nEsEyhwcE{|1<16*l7uEW~>8{UJD6}vTFYaGqt^|`KlZTpQL zr{Xe|Wvu2jLkiLd)sL4bh+5JY2+LP#dHnbi+8~Ku(Hw>flfU-Iv6W0DQPHCZ6S%YnvU7)S7k~zvABvIL&WoO-3E7)ik zYKCD6)-Yx~I@rAZ%$X`>%eel{PzP<#1vlI#0U^mYU7HlN3*AJFQ~j{AKzsx*TFN)R5a6ey{nEZ$?SC*nplV&E!EXM4?}Eugu80zEV5* zK57t})c)mbt;e<+qa1eWLZsQkpjpXG4NHlUe7ntldbDnINjI;!wY;osq~oGjl)Mm1 zB8u5dZGcy4;&P9VtToAzNQaG<#j^Kwm@Bo4f1=7$GpEmY^BOv+<;(1|LfH@G3Cu7x zk37O1$J__21=c#PekH}5vg-4AVgRS737lUB;|)o0`t81Zd~8T;2j@eoo(r&dmTP#0 zLWFBsZx8I>+yrf47}|KJxt@f@xeAOLUD;$#uRLq7^HH_mM`e<0Gnz>IGVHID>RXKF zMLm%C8i5m7&w1CyvW)Pp!tEk@s>w#X!7I>6ZTPAG!1nQ)d~LmbSmvyuyY?5=lt79wi=a zP-~%A7A9=Os#b~Dc`0AK8vu{_Flq5Iw{`~F}HH^kPLmH z!AM4(qVxe1C&MrPup_Yp=d9kmoQQn&Z(i(+*c8tWnVU-(w!1+|Y;qV^`>e5ALgx5% z!HLc;qo)0w5*!*n#NC$?RNuDp6;s5{hiD0Ysu0>1ksdC$%>9(OMD;C*REVL$GX>X#F33xzErO@}wu%$P0dZ*HtB)X&in>R$ zwZIhyMveV7yP}xmSOkG2U@1u9z_N`Wb#ChIMi&|L5{9vTWG>&LPteO5sHI3v3ntx> zulrd1m3PM137=Yg`4%W#f7>o|Gd#FB;$VBozR{v0+lDnVXpEA#K4RhHChZw%8+<4& zr6x&k3Ny~6)>FuD{8js_|1jA_pGlCN_7g%i)UH(oI$6S4h3XOxu`CiF z^JKW@O6S>s#Cdlpz>sTX#i7RDA+4vN-8QDp(BQY?9^GBA&-zcx!b3s;hAyCy!QD|FD zXzx0Qz=*xKa)D><1K}^KrqH^KnysdbVPRpZ;ZDZH)~yS@TN>FkH?(iQIezJIXUxCVdIi863Y+_zX$5d|y|fqLtW{W|&h@T^uNg`PFd> z8}+=7=q<_26Hh+wcJEMd`|Iliz3(`zRJG6>DunoduBT$H5K(bXMQqjQg=bcmbr;GP zV#2mf`toYFu~N3qk@m`S4BqNQa8$*FvH$SaIJ>)1EaKk9nNi za^7sNs5TslO&DrzFijKo5@*P+QGQD~G#(0@g$5r+)s9@#nBCUfk}_UUpuBTx$Ec4ByiC`JCDz(s{N^!S1meQ z1UhWr7jD>@U_R;)$3K=4t&7;QAl&`cywX8wuAAa6iXQfg=XX&gGwoNlPFio1;Yp05 zEn9>`#-mj7e#A66&dg0;G#h(PO0tY$+ia8ZAB_Fi+6`#mbLtHo^?%nxaLRC8SeHy7DO$gB27 z3NoyZ5{cxL3goCXY79c<=2YG)(RN0J(MZpGmq=9!*gUIu{2-N=z>Ts@cvkJwPCMU| z9jLOsqfa^wcO$#RlPZGDubplpF`Lupb#~GA9NP(Stf~4`RUTWnw}(UYa7QEe1J>y^ zJmY!L%tOt+pQ_$abL>)9d3V_^o>^^4_AvEDuFvv{N=G;_cWV}RJ-exvyL?U-(L(sKrB(RsZp_2y{+^JS zD(wK(tA@~guP3_0^ggPj7PO5y)6kZ8*sU62c9_a_Ly+0g9ID<^x1t;A!db*cqWI@40R!s;g8B!3%%Tsx8nG0mW{ zXLf7G>*%0a;s)8h#i0UxNAj^ib6s0e6`fCF=})PY{xy?4l~n=kui>0CR=^o 
zq0a4HLh^PH51w#6kM0tfiXxs*`&NfM#ErRc`vG1rhq%yJEV_4nXRxINjUKXX(+K)L zKerdSB%JoC%%O-FQ@GYpTGr^p)=ZpLWWG*fuU}2s0z9pK=lW^7@aNw~|3qDm<`Oci z0jQL0nO=9YE(meEuL#NL!B%u6Yr~ z{DExumA0L&i+QeVWUK~v*@GSlyrC|pGkWCIM$qZa&%3`52d%uVd{0lIA}r<$aZc-H zu-dXfHb%c@iy;~=8_1PA5lw#-V4Sn_d^VFToVnhz%O;k+o9S+?+trBHg1UPQtwZs& zwVPG(9z#50-z;*1^rNa*DLv|*S;K85{_SY|sL*xu`5;jH$Mt{gg3#Q`aOocs z^ebVwy$^S@ZkG;kdgmw#UJ{TIhRZcX=Yo|U%{@90Z`*BJY%ex!H$vF2{`8FDwJfeV z`l@Iir}?zC>;QEooIxdja~No=lLy{3XAJ`y*E`fb*T~t#SZYg)_jhN>`?lBKd352M zOoL3ajkIFi66<@Xhv#siu5aKRtC@o)?cduZsPcP58L>-&f_^kl3B2#Y_p9~!(V2;! zlzFtuYwe*8O|2SYeYpaj+3=9TG-G20>s5aP294r~4|fFR>Q&nLmn+7B{&T*3Tamta zr);cB>MamL#I0UPL_n8BBe#?&Oc_qQMR zh6ES7bS-Cf+z?=e9U^S5P4ywP%A*XH?z4|C7bZ$HXD=G1psxDHiPh z2#w^%4+=HK0?A%j8lS14{`;SEKcT}H7u$&c{x}Uhj-OHSv}xgQ4@LwXHli_MmwpZZ zVW<8ru<)~@4-WekAph>R{rv^}%jeR`!;swNul`f}`qy*to;}I_098&c!t?hJOmQRS zggB>qW94h%ts*9-M;N`ZDpsdxT8CY~MP`==+&^3880e1HGiFLjT5EHF>`^1uCE zH_>GX&0`nL_Sov3>YP-2wD@)wNp8f8~T zD>vS=2|4V9xa<|qynOe43MSV&g&-!TJ8Kfdl{k4z?13z0ns)4-m9`)0R!!vZ^^Gdp1>rIJHLtO}crjdhZxagt-uCPF}6DvDnk;GvXuWySefJ$Fj|rfbMy z?we|qYb-idA2#QPw4{=hnyR3nDz`ooCCldU(rb9Fd;7iB8XCr1R=~5vjY|yMX&1Ds zoemkFh;K#*l5k`46T)MVT#r~m)Zj4dkzrw<@z`^WCimR$VrsjO%yF(sG{+ZS+}NZO2^MYnPdqmtJPY!xz{ z{M6j2%|{2a1v=JWmIb(YpyGFObY2^t8Xd*r@s$gsJh^hXPlag&1zvjTR3Z~m86tjR zs#k@yE49UfiOe7<)(8-WLM=wL^J^v;7*jTYWTV~DlM2+z!e@BtT0>ut1j7~1?8amk zouoo11?=~)F9h|ak!g}x;s9B$$mT>7(~+>-0WoX&w*8iU)7gosxH{)$86*omn#Bzk zhsMw28~@-k=rKt!_?YtLM>5Q2YVHx5qw?@y6a0QN+c}g{G($3tzz(cMoO@%qA#-q1 zkP6NFYj4H4b@IWxw_=Q=LL^!1tZ3}^o*i0GN7Ca>L%!p9_}9!>s0za2-~AKl!}Su$ z2DCha999N3hVl=3^NJHEJ^ZOa=}k%e6YH4gh)!Sj6K-?+0^@1}i56r|g`?8HAgCRX zG6Dl0dKVdqd9y`ENKGYS$H0N)K0D&^9d=jCuuF*0E4Ez{TKD0IFbi<_+kVb&)LOp} zzal{6`hOli4<@>tW*U0pP_b#BqSGNkhrBEW;{D90*rinOg2OLQvu+8A(CHb``jku0 zCfZ2{j)(^8em0noBkIcK%F{Y3ao-yjR~>F=mFuU1=Ula)k&70!?uwrHE-g_&<}n>_ z-!+I55VCs1q_2VKfMMb+7JOpp+Rp@x0wRz?P z*QEvs2`@ZVDvOxQ-~-$m&=zbhw+Ed^lC-9~_?9EZHOu-Xs}{Xy?B9?kh_c z0VG7?WGQs*xEK>I!JW7{{nx*7&$J}gx}{qoeC;N$a+V^2i^~8-M5D5;QO`R`Bb2{9 
ztxy!ijJxa8;V}jEzrw%Vx#u$!06#>w{ozu-(4U0uL^ebE2bgUA-71`Pf<$B6?K0Ij znm_2qQG;fLC-Llk1Tt@&BtL!5QbK`W`7vp$Az-yIKxX7ZSsI{0XfNkJ81d{Z1W`vH z$1VVF(CudwUop{cjOtfulAQZkIpVrT&D7O|i0m991|KI_u6>4j(S+URoB|N)?Vgg+ z=Xku;_NgOCI9E43Rrh?I^NOx1EHx-C%=PLIX;zs*6lDM9+YiJ7jl5zs=ULG}jtN$z zUtMa|-^dVvd~8&+IAleAz2c>a+QD1Gq-f`Hw~<*cG!3+XFWYwb73RF4HiTOGS;6Ky zg=5$HeR|7tix|!dX#KM7r%(l`l2VfA*z^eJ_?%%4=j%iHbU4V%EI;sTJ)wJ7po0tt zjWWHr*LV(yu15(ka<04-f|^YQ5cLzxZEKVmm2ECNn<>kc_3pbXv_J9Piteu8QD^pt z#ye&N9yN{tMLhl{<0VC%gcUD!s_sosSYB*mFyQ>PZ9Fwr=(JcE0%aE0Mw@Am;<_msjHe!Qk{Q{)>e6;K_#Ie_OCUB9XbqP>0u~{LK2xQ2zL{7 z6OO&nr{KT#0byu3A+7Jo1JC?Oxur_QI1BoU;4Vl@DpQ_LDNkkNE2kfALBng^FVlf) z7_YulwR&d39Ppv9Hy84T`wfQTp+sRhOVLQ=+@OXh+fZj~F5KuK<_}af z_zl^_w8|URDA*6QRrDvqdo3$EP6Cu9WvMt@BM+73*OwL2#ot8}V03UqsD-Uk=Jx&e z$uSlqfexNE6{S~az%s=B7@AG}hGy3Cy?-~ML9tWGP@E5L_vSjGlah0+|E?LT{8lSDa&99U%HvC$L&Eq`0m3oS-0JQ zXExlbMbjNsn;gHyjT=9HMBy8s${e z$@Cf5uIbsa*kvU}c^%cF@=@srlL=d}a8mL}kXR43YkVE9=~Z`)gI?jP2sRkYGG$(D zCVH8K+rBg_0m=d~0vpT%3!jOfdo<-i)1_xOyG@TUVR=&?Qb9Cl!MyT!d+lgoWem3$JCV$)#dglb<{ycXsGsrwy>k^%?WgV{JY?s&cuc50R za{9EEWT0zN0#h~;?697bwQ}pxNv)Spz9-+x~!Tzd``*> z0|lmtF#Pz=ILTWpB>D9kiOcIBvg+|8e-2m4;+6Qna_0R$?;Zqzqj*FSF``xnrD~^8 zDgBDJ$B4#y@$QSWBu>KaB(l)%zMcvl>6Q_S-Z9uD;bup?7-Hx%cbJYXMeIU?GYjJP^e>-E{L@&g$=N2=LX;`@(tv~^X;*?;$Fc?2Pm zEC86x#BeCBY`{uei+=_V3!-u(=lf@*dnt`uewV@X+t=ib{Rj9C?u{S$;;DCCh8MZ# zd%X34l6@{HFLmJ%D01KRM^5kBQst2rzbbKIU)v<(vB;Zhjg#*ZK=LO%%w0$qyS_41 zl4dcsSFIuXl`ny^B#8?2xzV<1%C6K@tJBtTs9I&)iua)Jb^=SY*PpcQxTm?jWD3it zW7FPGUaZ~_v@jb%C=u83nmMLlb?Xn4`Iv<=*>(vd$;`BBM!x516*r1@qONiU8@o~K zk8-H-|2?W62%K8<4IZkB2%L<9kZIG%wc zYUhq^^N58xU;ZAyVv_VW_DY9auJOy6MVzgpKJT2aCIAEVCHrT|s0Y{LpFgcG$ z3c_3~5)%wSZP1ZDL^zk|Pti7n=!cWwr9Z~fs3z+&bNUs8?T&LQMRe&Gr1AU| zAu&O@BjPC!R=6x$ZdWe#wS~pTGJr~Q!ml2_mCxe5rCyrWUi+=8 zf(19b3+>~%MHY0*EqI97%~I3T(_7Xin==rT%m$zl_xYG8C=P6y)SJz^;25N~p#sL^Q_bXXu7m6@GT8!z``0PY?BZ z0kB$G1oDmoeay9ls0`@pAA2Jir}06`~br+RW9^pl8X^`%;v;m7`w6D!QOKISW*Ot 
zIKgv69gC2i`s)TAKYkGf>6HG|ncT0O0?1hcAZP%=VvySxuhA98snBeVU-1}jo{*)+IfHz4Zo6F3@XeuRQO(t3W`R2-lf@rW5Ei;P4;{_>T-Xoc8$ z!Z=wL23Xe2f`zxFd_S8eqpp=QA0P8moWiT8)h`LTq7?k)hW4#V?eK@d;MP0ckXGMX z1+}@73&w>;%@;0(-lfe_O`9V~EXbnj!Uoyi+%PRg3jhcr71Xb0>O9Ty=44ykM7Jsl z{N;DN%VbyoZrYC55i!T9=gF{#vi4O0Zb$j!e#^r9qLDILOs{o;b9WL5%qL}h$nk!O zUXxjp?#0q*JgeuDP;;2eih#sQzqfYe1|opmpq+hCYL?n2@n1dS!oP?#Dv{x)wwyEG zW#>2F$xm@)Rgv4Ea>$6*OHD)A!;4AzgqQi3Uc9BhPB>X|Qy574IppFyfwfXca0Zuz zzYV9K(N)!QN%FV1nTaSqSCgX`f@PkMI;>J0u8ktMCS@l|G_3_|`jU?G3NjEtwJ%4v z?bJ!L!GXAUFI#V{w>P1c-mo)rpSwfm9<0VPzuIj4Q~tAIwJ$pZ(J=;LYcHjNrN(8& zg6@4Uj_r)y{k3uq+4N_g0wsK7u!H?3)a5j6z*4?msT@na99x|LCDFDJJ2W5$<((L; zaoGCaT(08-lTG#nY=hC*8ui7Q00I@CW@@;rmuS2ezvHE==MJ=HSiM$Msvfv|tJc5) z;>8;PbN)e3aX~ zbUmu%FGD;*-=%#>AtyL_84)6X5?bH-P!1Kl&hdXEMV&QL^6#_G2E}kQ{ogw4)QI9s z>p+5xmg79_T%fkFJKRZm(xi005Zcr0n5{dMKhx+^F5|iGhC*Y8O)BMg`Fe}w_AIM{ zlYFu^ip5`jQd@Q3O`e%~54=0zkqQt@Gw5i(Y-e8Rz?Z2O{keRv2h zkSHJ69UT-r+DK4Mw}qq_VEop9gTKPt9g(F>ZQT61Wgp(J^ygwTdbs(Z5JTwp!;LUh z8sYvsjR3sjLt@#S11g|$@*uy*@Z7}#-qRxeRo#nU<6rD5=v8D(|2wjschWhxrA@tt zoYAy>eQ}22q%sL|%FGGH zuN!PR&PXmvvD|Cy1ILF=HyQKuj}*Dhil*|q%>kBwq`~m8q9`5ZT*DNN#|e8*+p(0F zXB>MqR{6Zo>X*8r+q8VlM_e^4_hl_X&wp&TWvYKc)>4w%y!nnmg|(`09CosPN*H-p zE@oFQ*Y!g+o3^Y3v_I~vO{!omf*Sb@b#({FS8I=ti#hvJ`DIN8-C(AaOfZXR4W*IB; zVj|0noWmd1O!6J0SVBPPzce~1z{+*pw{tKbW!JnZ@g2R_>+~=RD2-PVpFZ>W&YLg@ z{_3|NXKmD*Ae&H=nAV>Xl3V8{%Q51zDhJCoi)QPSbuaV&`SVMtVc2lT<)CR}gMS@E zw7_8BYKYrS58pb=LwaKv04R*+7`#0@(f_Zm9bLn(=2PsM@NU;8FVYbmc5|m&h;hrt z(Sms4!m)w~RLK}Z~WI=Vm z_IDTKPda4O651o_gcu6m+F+F@Y8x^QOAEUw+LKnc=v%%|Px^p_L8VMZ%z1N`A%)A< zX^P*xr)`Hxd4-Srw8U|#ld?5YBp5fyIKbsio?R07%;+n!EuS5>}xk~RsO0YU6lhlFu~zhkVyxSOHuSxf_&M+*Pb`Nth?Yt!n~#f zN148|7)~#7#g5)&mzQia4jhb-zr`$EtCYJ51>L$xCaenJN`IWzS z5&i#gEA5Xq+i%5r^~=zS-x~bASM~1`{#A|q;dXU2c>mLX{qtOaKKcI-`mg^ZG{0Nm z|I@VpKW*CoKSF3|;8@kBgv`|6E8mgxI0*q^)Vd1ge?xv;m&Z0@L(4keBW7R7q-k`y zaMU_{<%z65dP(xPi}>@S_#Xc-0T5gh+37;s^=qUt09lROVJRvnHL9KcXdWxypR%KPnn6mEiZ|v~BT>VfMNH 
zn$5pmBI2QQ5$=COeE8;L0Q;Kg85p>ier5(ZEd5+>7kyXmexjJM`*(TfPfG^iRZ;+) zo;2_jHPuh#kEow-)}I~Dv2fcj1n!)$E}k39{PPd`3K8Kcl;7`7=WkrU&IvmJI?rzC#4fBbXQ>>ZpT(v zv#SG#RrEA0^~Qg>5~?50o*ZM(JAtB8iLX0Mqin`)|JI!j-#h>H^%L+Em}f?8fABb~ zM34)R$9vGUJh-nW_nW-)=gZp@g@}1_3_b5)_v2K+_*cF9&wuqFAMnR-g`Qym4D?*i z$=`^Rzq8_h{-l5V+mJ?JYKgrq8sk6Wv;Mr$|M(|((!h+6Kd3T)d;kBC&;Rwe3rs?2 z)-x%-xBt(-@$Xmps^oiPO2fkO`Tz05{{C9Odh946vctz2|Ev`M+gJHWNae?wFs1Xa z31I*0NB#YrKhK{m=lsvL{=es1S!6T%QK|vm`ty%p-L8lE+yTb|*7Lc}{+%?w6cf*nCwlNJOP#91(Dt8(E}fvuq)CYmpsU9` zRkt~Ri$DGjR%crG^icS6_`bND{~w}G7kKTwGtlfN2P661& zu}`@OL(`%BLkEAp^-VdK$mfl4M=RxaABv_8*73;AAC*PTs`~enz$5dEizDn#;cBgC zx&8dS^IJ8k`tNapSMRYvEp*B95dJUv+LZ(TnSS;EH%0=(Q%KvTLw20yxt-R0fr|4; zp#W+w)W1K)RZ^%~?vc-hzqpUQ(cyrPT=B|2rF>{)z~61Nt5^36B+9t_Fw`%y{D)QX z3&gjpx?FQoR+P_p?reeu3J$%9qaiaOFz4GUyqtI-?Z-Che-7>#t#$0_FkjR}xrrW-<`O_kX zyz|ut4!!5EPS(Glvo8wv%Tw_Wu-~6e*Ulvdxv07RJhQLBoUMy&W#iZX041f$@zti# zxMwE9svPp?LF@WnWUr<~k^LEA8PNPtyBsd8{HMGVPw7)B4giy;PGa~yZ0hO|_?U$* zhxcT=?*3`KS@7+OFV|Ew{|Rq<3qVw3Cft~c>LdI;FYM|N(up%J*Nz`A-Td=-Kionc zeG%~VU$eyiU1kCa?TXQX@|L8@?LThu`XKg@&%P&t1NxuGD|2H8F36*r@K2y*K-tIr z0H`b-ThJdr1VE721l?P(8valnA*#n{Hb}}eM(Ka5U{GVsz&`;~w_=ih^H{Hh0D%7P zQ}WLR&irv9RCol}>rNu&;sKoB6$tm=FUIeG#Or^=>q;Q89x2q@;TO6MqN}B~Xr9*q zn{%3L2GIV}hpzw}9HpWkZF$T7)OR2-yfA!L(?Im^nnU#ibR}~@4EAd_;jKUhyYBY; zOR0`h+8)JU2Y{v3nurT*Mtp!St*)8Eb#@Yp+VieuN?q{@ISHfVZ#=BIt?u3Q3dJ@k zHFc(zPj7O7)o^J9+X6TXV8!QWE!1{s#szVw#NCSh-& zQRqDpx5&k@Y2(?!DbcarGAlq3*7#)j?brMJssq{zXb~_OC_nuc6`o9nLoTCI(@_%i z=*Q=PU1Sln|7Ont2{w=lN!tLteMs@vY_oI=(7AwEe^xs?{b|uEc=3%97)SHy8?}|o zYoVGH3qg*}={j{apGL;DBvr`im&)amU0~eFBLL!1H=%i@cOk8STRy70&LMQoZwc=S zu-8^cb@Ktj#OLBz;=8^lS9@GN8frp@Dx)65YPv@{s-#?N^_>pkqxsZw@|>=)u<-g* z-AYl0hW!z#>%C**;F*F5Fj|M%*#vX=skx3v(z zTF_th03kk`_I&^_EF5k*!G~mRS~r;xCX=O?no#HMH>FikFVS3Pyd$g4E31daVhT?mi-z{~6p z;LTudj<~eOi<*f|Y}^@B&&Z3l!tLSlPpZI}vg++GtSB84x_5OaS^st?*Dr5qfxiJ5 
zJ>&LEFT9_3h5=?dFyd?^#~vF2U8Lu`nii*ZxciFcZ{laHz{%!L^`cVo08F4YP90HEVCHgO=efRj6(-gJTgaa!-qHm3rjw(E~xhNQ8=$mG6sUf4$^M(!zcjPV)N2v8d6o`z>M8I1SG#+5a327(jk zyC`a=-x}7l4~?Q@)5QI+A1M@3W}gF%g_XxESX4iaPMI7gDL(tqnUyc-`J6LYPjS@Q z#@G>)egG8k=C^(O}8#XF?IaZUm)ugvuV9%x&+6Uqa zl}%2=1afby`o027st&zs_HGxT;C9e>z)|>!ku(wOmv3gqx^m$Y(xq}Be4$TzKgQKf zUIYD8FHTB+ca=yxcvW54 z(C?03;FXMYC&+WB&Er0%A1d0W9+k^UYLAKGf7EsuU1Zl*j#w_tmkAk>=}t6Ht< zS1$=K?|S6>BRR+Ct*3Hw3lxhsM*k)t+ZvGm6-*QV zil4r4aoiWZ=0|naWMYT~cGhv5Nm8Olsri$4uV`QaN2WSyJ6#rZc05^|q3U+gK%6@h zL~Qzm-j5UgwF>9gh0vJ-mDJd)fbIri#wAHqP&goFzQt&N@d^6vfNi9g@xj`s-puj( z^qgNssfL93fS&RIXsSE2E!c@-Oo-3=q1&si*75}TG#+Q0rzxDaW7B5@W^-QK)^79d zt6m3!h!V#f<=`?0z=8@)cScY?0#FIXb?sSmVrZqff={mmTmMQqp@hHVMg7~T*AI3< zd{+ec7u~Be(Eyy+sK2RO)Ru;)^TBv0D`oi-#Jf}|_#RDj* zY?q#my8m>ROI(1zsFm=Ug(TArh0MmiN z-UQ2XG+~aj_Z{FSL8$G<@CM~5sK3f9v#+w9S|aL3W3xet+UN|!n7wD>&6 z`KVB3 zB-HZYC6||uo%5N?@)2`i&y5ElvZ_dCmDZzOwqsy&-*_RL%)z4S{L1r`eaB33b!frN zqg~V#6_+`ml==Gi_nBkg-)D;b67;@{nQUU+3jjVx=?h-oEeh~1wBK+uW{N_`JnZcV zZ|wmHq{mG(9hW3EWxBCNTkBa4#L}P9f|d?TwT;f15k}LsrGCzddxOlDXIY$$Ow(1S zksGsBPuskWnV*Qhwy@R$$>oWf%|dU&(8!1m(4&@M~zmC=~gI+>XubkH%V) z8l9{mnSB?wBLN+2tN>qqup;uZRsNE_MW(9NV3?08#wR;?beqR{oz<_fTCVd{R1soI6}#p7FT-sICcqsH0JvT60({czNq+ zg{UUrfqlN#_`c<~V1@hy$$5`mxi#pM#;tgv)9(DI#z$R#2e49O0#6j9gL`#jBy8*M2B7=No#77zbPvP(!Q&F!qvgT6;o_~mO%dFY;%L@6b5;g-<^G-pK%ER`Sxxdv zP;sa_DXZ41v2?mT2RQTaR?KldzSRxK{q^vn;2oHydsdYj|LIJrX}7oBl?N>W-1Fsd zchKK?rQZt-U@TVAfcm0Ijn@F74Vrav@bvpBE}%js&{=#R8Mz}Y;;!9YjJ?8ykHp=3 zqnsRVbo>T@3HAqVYp?RYp&R0~fS>lZn|j=hf=}v{%L4}A#{9sJAEJ!2#?^OJxyEQY zy|}4;>^Xe!109@Wz8L(-cGh!3V8vgmn*3#b-Jn^iNm8?8o-Tz_g^;kK9!-*Re*V9CrmwW#mPR`K(-$Pkugd3o4SW^>W0P!x+y4jN0jQXTp~p^{ni#b0KnD& z;D5u!z1g-pkBE!B<#!fL;b5fgEcC9$$(e^ba$4oGKXojU)^fagTBl~^LNBJ7-Ms0U z=1HDvdeW64QSu_;D7;XmT?EJYon*r$A_;U|nby{zaLjo0le>vC4UXDKRqW1iN{J$$ z%i@+$?*3!|u+#4b(;0U}PDEUY&nZ80D`L*uh-FO^*i%j7@=5S=>{a_1iC z56e$#?~<`&YY-K*W;*l1oE5#|Xgd;z)%8^Q+rU0--k(m4@;N&qwWNF2q6tL3hBpPh z0Jyz(Zob1VM5VDnpjavd2~j~?8=HKLu^}k$W8Jb7v`cz|hYa)CS8Y2y<|+( 
zGY5Ds8kfCVq{x{lU%d~-hAI#ip9{1Dk^M^O+%dL^v1>#>1%Rsjph$osb*?<-SGTTy zGjC-mS~xXf8gf~z(vME_4mYXu1&Ww_PZ0?3X=-nSUtRMnp;KtpH8h{Ct^rE}SWT_V zC&M#%YnXvv=@c8ImkO7)X`Ei~-9plfDcfX$xtlecQ9B|-H^V8bC)h@VLzj3-k!gzC zrZ?e!&S$3~MfVsL?Y|a$zK*Gb(l?epjzd4ui1EM1zag5A2aUkm6yZabm}V?pf|CTdqW2 zCksouv2+S{KecluWzd{JA#=|dv5A~A9UyRiP6uIPYNxd}hECpA*<#Pk;5>N2x@2#mhtx{u+#KOOUHSM~H`XE{We*5uIbyn7hl(xsml~?%A5l(k zf1a5W^gE!ZeK|r4z*ODBxa%OyRgYI1KA>vEny-IVHZ<1@f9T>#KJ+UthpL_M@peJ= zk;d;Hs8;Ep=S^_NlNZH^ZjL@>Zr<7p_-w-;#+687YgQo-gvqAO{G#V6x=2``qA%;| z_ORUvNW1RhvB=HHiR{8}2m-SPm)0$T^E)+zn{}{96p#)0H{2J4#83R3HyoL}gNSvF zw(i+ooCB*_lV;^HpY6@90aqq&u9|%(X>@4*e3{KKQ2nwy{b!;0C5pKL);qZHbJMAw zYUgWBzC51fOcSzf(d^JQVY(FbSiMd!7Ja^B%F}-9ao=?U6P8r>^mJ3S`_ZYfM%}lh z2DnWX{FlhXL)Q6d)45Y=p1fb3yS9@0$>-9dG%v3%-^01K&b0AB-Fs%etZ1v~q{T#F z@1)rsH)6uBp0gJ`smn|;1qQF$)+Tj&E5^!VYE_jB=vFxgsT8>y_K0hB-DDlX7|zX* zM)=FNs9LJ1;J*W>&E+5W<*}I{5dP$5_*j+)VL=RzW0Oe`*Fk&fP)?BdPfS+WIiSW+{R+VGzDb%cF6imvz_x%xJ z6#U~gvT$x!!H=9T0~hK(GT9}hx~-z!&ybkJ@H$y1{|kdjS0wu)H*TjGmt#OBAun0`IS(4757A_X0o6n&yb0s$k*!Id(Y-iGVX|)9TJtJ zTaOLKxbUUNUc-v=wZ4%xLfKY7U61l;7Y!o?pDofy#AQZgFW^g%FIQ8>-FrvWCVpJE~`gUw{)gve@OX@rDWsbg@#I_?`WzR%U1nG!81FuZ8%{$CWO>F*K%M-M(HW{5yWP;1<$E4DKvN2YF{Q|8MyOqaUve+*uN z7c)X9U6J7h%V_79lX^Z_PDd(M8IHUInRz;P&$Au?b1#(pTQ}wLjWJBTkFBwNbhn?}E;_ za=4yP`Bb}LATD$D_@LvmXA{N?SB|e4aXJ%2ce-w5I|GoXl=rVyyMZIVthv=g^gi?6 zXp$ak-%j(h!9IN!g1&ioQa!rX+8N^~%jR3fb&&90c#q#iG3~rt*Vnfp4fj_x{dFBpq*Ys`UfE$)N!sMSAZiV?+qmRK>+} zMp#Y@#vQggp0|W?RG3<}fy(<_X*xUTUK<|@%S33sQ)#72W);6@9hWNANXhEt^@M3E zFVCK;A(Z2b><3C7ZE@4k32Ta*!z#U`EU?DBj#^7cYQ5OVdmbg~Joa*50YcQ7W41J> z0BQSzu$;VM>$bg!k5(G#AMc2d4b#%+k|Z?W&MZuw_qJ;}2kz{2q?h@JiWq70Pyf(8 zu?!H@N?!m|-f;lF5G4p$Esndv(uvG*L7^)-Gv_Tek8mqIBi%2B;WEk( z=e!Qn#w<0)*XDiJygvG>6r|Z$F1Az@xWd9mTC9m(nCg3dg`1b!6VuhX_H`qB4rixJ zbd!JN-X<@{zuv3EeDdL~7hmz{<3Y8zO4XTbU9#WWxjj0vnxs~l?;vX6YR=i%9Og5x zEXE5~YiXs_Q)*?$k6*4H3n1fmZOBLhIBuuss`gUKur#?KW`#LzJc}jC&9aRam_jhG zbeZ&*E^8gUvE!ywK)bckd^jtGI}+hC$4k}%=j=Lt?lZaXW`Um3aV_n(`+KHY%a1#F 
z?rBW31&?F%BVv)bf*HwG=iw2dY{QK!1G+0Oiymg=XVE0lR6f348UM_gvuC}Ft3ae$ zj-*(jsdX&JfDqfEm7dpKic2}@O+13l?VcfTPiPol36sm4&F;!C5*UT$_DMo1>HgTRE*Lx!I zFs@sucwq&(ai@lZ0++Ta-#tMF0iZ!V82RR zhm5VZiQkDbg?LCo^3K^In&m9h9*R-u&-W$I8b{mDxYjuWzhrnjA`vQ+z$THdoQ{IL9?(2M>VN(}l+E~2pG$~x01!2 z`qDzF6z~%lE9x2+AsgBlWoVMnONx6`*NbntR*A|rI%e_JZ|TN^jK)IVZE4MU*~U7x zY^oiSWAbmU(Mvur@BP|sxD+ihS*UDlNAZmo!BLVobvwJw4a_t%WEtyb+iPM>pcKIE zlTl0+6*?h2$b0A+kEK|b!V@reb5LE^O)=^<1_mPe#l-+2e|ytIuO_HM9w)0#O4-?7 zkEIHoG7P8r?uj<%BV|mj8;PXbYw;^4>Q?vCUYJ)u;ACumYIawVd&tC6Bv9a1vqGXj zpLD&+NMK{m%)3TT2?G&}X`Fu0sb`8BMb2(`;Q?sWul7m$qh=!S7?gi6z4GrzfB1KA zoN8@BS3RQV8k?fuyQK^Lv}KbxbsuW^_++44x81DE$vNGZjvpx!;|1gL^NVJP(P_oK zz|`8;{J1Z`HS(^Z4eurw34T8s2HIO%(X#cC!bSpn`oWMufx8bT6{3BcZWk5uAv``; z1X7gbeJ;|EO)e82P#Jh(V%kYcsF={_@O`dK(mo^TGftuL!T0>Q>ASbF<4j4k*q$fx z3>momNK@V;H(}}IK^7N)irmR_hD4K9K|cbu@-O;N*f;YVoXZ{3w`jIQgMiemYY`yE z}Kc9L>GCt&{ z>vX*s%MieSRJfTxn-?lxT?rpzbKg+tOggdmDx}hy3k=aMs0>#QunR)3~OnCg=FM^-Qg4 zx|fnQr{mL9^l}mEtTBUZ>YgudPjj8tS>fN#D7MbitZNGg1|UwY!^1Z4hwJ-HRwaBJ zLv7=mEiO*USh3=ThUcb7L-r1}u^6JnC8U-TETcgSz#SNSuLqt=dkP1G}=B3K7cW?bYNS=L|h~&`9kv%B?mxY8l8*!QcG0 zMYAfucgjN@E)5$D+EdRpA{&+~a;3D}PL|N=G=HgvkfGUXH^=ES<&@FGamWbT$Oz8z zy*_LD$sR;(MI^9QPcXJlxf@(;_fk)pxk77@)Jwwyo_hNMG7> zmLI6(>tfz)mEoTCDbGW<)}O;&=iZ4$-N1W->+s0-*AG&$uj1D}S;M3LVrvhLd~;$^ zGR{WoDu1R~S!3Il|9?w^a{>=orFL-nwJ2QT}ggUQNH*#NQHdU=#YkstN z$1~y6SCfhJ{pB0lrX>UVCko{tVZT1v@)NC>-(MY$*6Jv)J}F7h@BHbl)-rEmKI*O> zH#0fss_Kqhhi@hfHvk8`O;~H?HrPzW`MnMIDZ=P2-*;>Z5qtTwB@g0f<5@#i z=@>D!%C}Mq?|ytScrU@=rotDuSQD^Ho)S5N750&uR{0&%lwWN@`XhcEK~y0ANexYL zJyPFu4cMI?vWfCDQPkH3F||a$?T9A_eR&H?l4QP4uL0^aE1jjhc&f&f;KRRDuvH`= z&%MmP+*kB;vIIn3wK`KM$7Y{F0dyBtUT&j}Q%c>t6XCJl9I2E6-lrQw7*brHl(E(q zm)iW+lA;xxj=REV``OA1?(J+g$MNWX0q0s~Kw+x&^g)t?KbZM!?-N1@VI5pKS7IDM zNc*8Ka?ULery6F1SkB8~56?YGe<4!_YSx7mCE{`*RGbITaWYcdq6$K}FpA0!z1{Vm zeHb)ASKI}Rl2%;hLL7OGaYw4_ZP^E#i|9qLfZfU}0+rtRcy>5_M zejk5NSh0S4#66h-{DaWfhZaHUt)T0M6wCc~3L>jPFQpv)!n%{fg#d&@l4|`%meQMb 
zp_F}kzdd@t7>PHtu-+Tdf?)I6BEOUVP)AX)-;UCy+*_twwCS2n>ja6V8g$r1v(GUp zRJ4e=BSN4b7@lCCdax5TOGk#vmn;S@_HsuAbrwHK@z`ugBnaPo#XTSBU{jY=mEX;O zxY9q#{w=S!YaYzUNnzH^BYK#g1~X%F7kc?zglnulthxx%1OXB%>kRhMxMWQwrpwd# zk@JI=E$bh*&Z-x0-0d_0$-wdpmi@!C?Qq7$Y<0#~kM_l*$D&w3s_fswIHmc0b0 z#_Rx(E!a#hQob(0vBGIsi~j!k^`f3J{pQxH8f7XTBJtqfuX4GM4bQlL_@Xb1N>B!g zEMyLJ$bb9x#&LX4d~ynDqx9Lf3A);RSe`)2mjA$|mzN!>aix2Swi$v?n{cZ0svMw} zBjX+vW~0cx36H8o@mv?TPL{!Jhm8J-w`KzvofvKjP3|d4;EASkbV29ngUR_M)6~)dFx`NMn&3uWAp2eCJP{@)64oY&)wiEv(1|nU z9Vl6@NMjR4ae>dmTx9nL`!*F~W$xYyzk}}li$~cV8}F%%A}E|v3(+@wj1L=!ZDd#V z_GVXbzEZViwXCdVM<@=42po!Aj3Z|UWdMEIW7$sYM!q0v8`6w25T~@6sIE~dSDQX` zAbARL$r}GsaJrrk$=Ua7`&80MRIeD*FaAQTdaCBI1Q`3m|6xIfEEq7JNgpide;vXr zDn^V1oa$OWd>u@zxI1Vj&bLdxIkk-4Xd1AcEqL-`U$}Ebu9oLCWU`CPVgHRAe4T#G z`jWS+f9trDOkqCvTjKHu;5_q9*$_s8Ibh1N2N3g*iL)VZ7yO997y}-6%?!e z92$-+9H~iQ(tDySvFYSq#g*N&3b9Sh>qiuw8pDM=?2<%`E@qau$Sdsc4SxD@oi^8h z(X~_>;$2t#jOK)IZS+bB<~VfQT8^!BTtByuv~DZRt&-x~&lj|OefR1PriQI>PS#3Y zwKMCkic|JIkJB~BQNIaGsxr^LacIivI>*;!AX)bkT*CQ+4oLgGC*n5>1c_+%?HB<& ztcFh_Xp&5I6v34D@Ewos4Vl&wqS-gxF8gbAw$0~xQ{+We((d57FKc#5-wOBLGvur7 zDx2Q0X=@DQRO|A~Vq)*=LI(UMJem)AS{+BlS0*E%Ps{7IehigJ^O(xO9`0)@U}|;Q z_KfYIrHwoTGQ$=A=1$%70`n^9?lJLnGi;2za)QbuoGFijPn#^OMV)gnhU*i7)sKoG z4{09YNZk{f7WY!GvP2+Q0kXuPf6o$c0d9HTzGL5wLHxnX2;JjI&|3mFw9U%)!!GaB zO~`zg8>}xaC+X#odp32c3psvonq5q>PFu!7*5Z1v&03slyRs%&(rQPzty?e--{4ojgC@tpMCt(X z;!`tp#*RHAwto7lqDiQ(_c>DCmh12=Mmm*{Rjx=9R6VQ%$v^D_cJ{6BTZz~8FS(cR zu)uWs+#TtnYJpOb4g2&Gtic++^dvf^MaY zYBrVoTh}G}u@<+T0G%YoXfE9Pr2>dC<(}TP=vbu{n}P2hC4j*v<&N@0Q*>*7lm=AD zDqrXjRa03oXVGKaFGt_Rq_k3m22Q%|teajuCwLq#*FBI$`;jK*iIX1aO7x|@F{eP# z>U4P?OfBYZ%t_eO(XG@1X6a-0@VPnf)9^7{6;O>STqty)%9JUlGMI9HmKdkHYD;U) zN*pFJ9>o0_N_^q=MxaW6(tY_2&(MPNkC3~cT&3-5USZA*GCPzXlCo2nVV`A@3b>?q&>pu70%B+fKBgh?fhJ$Y~HnaA(P|(xiWva5^IizpCOYyz0x<8rK?l zTg&OLl?j>ha~5iycbLcU0iPajP0RlDnA0BN9&$%wZ-c#8b;*+SAhA7Zsb5rV`SuZH zYOCOk^ZDRy3{EwW^VST*be(N%>E)@=#pxW^(z3elkSqg45e{PD;*`sB$Y_6F^^tl3 
zY6W>D%KbK=fhm#?D)(4!HvWhMezLU3VafakeRT2$8{)5;MkctOD{epl_KD|^CpSs*z3ewi*)Y`Q;iWq zp{Hj@i;+sL`W$|-mU)i=N0U=2DkV)w5k0wm@mRfD#Lu55zO34IT8vS(WP>xM@d-={ z5`c0AHx-nz2AAAzr6?=TS5nG7O{$7-S0Xk^$okP1jdBr;y&RJ&af^|>!;^TBfwgdA ztns3W1fcfW#le?+cyYW6$uUXe^R|CEB;Nj22R-tt+WQ~TlGvw4d#2cNk;o$LOA}yi z0Oicq?AU?b5n`yU*z(8|S(6yg25HHtXq5m;6-|oFtw#%v!tkT;?WWSKHujP^cClc< z%6-T#^l_ynSm$u1;0d4^^4{&fT<;z69!Pgg6wmR02s+WV9 zz?NK2wv)M*+TYK%c%>)U7{bs?x#EkHu*AzTAa;bHmL-9@9w%R>5cE>@ z7CWhnQ{zj!?Gz@Z$m!3HZv>Qw_KMZY*VaEG#>kLvUvd<8*9;LZ;G?};WSURs6jbGy zee%{MwM^(mzrU(}PPl!F^Kypi9? z`1XmnWMr@Wl_!uxc>;QKJ0`#r)Z+O@sMX13qcL|@%fdtZ=Ptgf)Xg88VhjX8+0As? zJ`#A9$}2kwsSt^xq8|)?n_Nc) zJTe3Q^ha!6_d0x5zSEWupSt|%d(7m#Jk zr0d&7i+MCVtfC|`+Y{O{d8}#z7n*KZ+;r$4kKcu%-4qd(6-#2Z&r7v? z)!^wRBl6&Z`-fez+khEuF0gZ~%}^o{B2^XKsOQBO#oK|}|2+ey#^pJC=$ zV(i&CK9jG-GG(|9t{vo+&m|-Mohm{GO0e(vJ=fZ1RYJJ$5j1A+l&HFpTl9z2x=&V2 z{s<-Jcs{+3><%f6HCb17+v}gqk=ULdb7M-XCs??SiX!Qvgj8-nqc9_Q;whJO zL+Z)(@=;6S7bRL%eXz5Fa_vTo=8Xo^Src(lEY@r^B-s${qgOKeK-+vBgqg@Kx-tkV z%YTfjW&+{?gYmt)DS9D1Mg({REm3|(RSUiGI3~y7$N+^0)!^XXRFS@$#&THiTrG|Q|S7#VN}n@_hSc>-nLld;3S z4~7x3CbHUCtSf8&9BPHmrS3P?nHuN3=6p|pk!d}q(*on5+?jXuy*XGe4Xb(Rn?Exb zmo};fz|&`Uz6#@`{7DzZhpWn{LKvziCjRAz3J`9WP+z0Kf$9i{axG$&9l|~A6ktA= zeAAD;F=?~%G=X}Wu|e$46lHUY3`-(IM8AZo{pW@W(jv7&hKeM(f4Ci+iQIVpR=#;Y zTa_-M+MpxmPwp4sXY48NHFc-)>N?NuK8+b8CJu9fVm+Ll5jdNP#uwi|ql@3(2!IL^ zMZMEopEQ+xA5m*CehB`pJSQ&@(fdmJ1G;rP!p12}Xqj6x8DIX~ z#&eB2xO=8CF^@erRyg5`e~uPcB_sUHpeD;AElI3>{h5I87kf?& zoN*QehkSA%{*|edb8W?@Aoqg*q_fS^r zp>Bc5G0^(SRfDDM%CVmD>d!cFALl5;X65QeRQX-L`M1ZrE07b71GO!7Om z62zM~O%r44u4-QuQiHVd3=CS0&$usDo(q1GyfG3r(s;TrMmyke#_@gVm8Dj zdQw-p8yq4wee{lY`C})gbE6yAkA}Mgeua(e?%TGP{#SWPlcG`cVdsj(+EZY`=diK^ z5X!p8K?Kk`C9Pi00Nu+mWZpwv4gSHjs6oHUo%<0z6-mjYmixv)1K?ROrLG!;k%A1$ z`TkHq_q5bQu}hfHUA+r$Av`Wj5*lt>n6}MoRRn6X3nv@9MZp6$e-7YS>l8S@e&Lh; z5Ku_A(BxKplkq851bC-MYWj2NuI7m0-c@bypW0eoUjcRVXTcPwuw|hz%Uq&1&QqHh zB9*P~i*zQSiQq_~mYe_^58)&}cpNJSTNKKvR^Y{{ak(7Y z)rTf56!PaIni;mM(>C!gbJIq;k9Bje;TuB_*Gg7`;zA^IUHgVRp_5iX#f#libB-UE 
zZ7C~z((eFR3>nK}xOYbul=h_hvT66hp|_oQ&_WO)n?BIfobbFJ#RSXc7T-=sUmlUZ zuu&^?dT6<&Nu9!Jt%7eBCD$1y8ZeOO$GU6)ApjJUgax0Jc<}aZnpdB{nGh-4%p%Uo z&Fo9Lyq=C!9Kc6q1su|O2}PYK;3Q`|GZ$xjg9BxgD^mJR^CyhJCVBdCOdq_Odh1}5 zEjG`o!u;a256}S8W0J;~$Ow~aTrw7+bgwN27zc!fNZgSmSW%71d0wgW^5A} zKPcCreJ|ii7f&)F&;2n!qDiCP8G__NV_zA1jiE{m&8xZHBM#QMDm6;HBz zSi>=%^$#|SK0LosTBkuR4g{)FKDQA1fn?=s!%_lGIHrnPju+&g z7+H|t0pk1crf55bU?7q!r*TKu2YNy$#JM_6Z|49j%R9*emQ7>%AAM*qrd+QDY6r6or{4>k z6h$&2;EfTfsBt_+7kw9`$%xgroIFn;Tef&FO)eqB){C9`VtZ{^ah*qk+&(9al$*Q# zcmk*o-o2f@YA)^#ajmN`yMPl?-1z*iBaE!9GUk=(XK0k)s1D`Q80{4>!0(!kGdt=mzg?NJ7=_Wh#{Y?AOHOCstib5;hoHqByrL^^BiFlh2ugGIII#_ zdE#hDjO}ri8-((KAg<8k$2YR(8{m2(e1YPLZ^n2c{3CY^CR3Q!@<$2b(C=&%V#hy0 z?^&J8)rvJ=b2UQp)0K2P!e7gJ`JbNe_6}Aa&YtGRGvzqmN=CAw!BwiLt9Z5fR4N4O+m)csaU2Y|gQ!1t=(tIHK)|NseBsho)=! zp$Cf};-{w!xsU1lGX>lr@L=;n->UEVPg;c0NE{2CRN|}to@V>rHS|Y!wpXyRXSUlD zFKE$kBEM!jt&f37X~w%DK0ikm0N{O`2rln4W0@HOW|0L(e}Ld0k;l=%uE!c^WywSw+7GP6{;8X|9dgR0!`o|hdzP4mh5V=fA_VVA#( z9d>I(I+uv@R>?x8LLQ>9_ee4|$21)nHXo)w&{ewYT~DqU#LF$02Mq)wqgOQ@l0tympF8y`u#COd)Pu~UL3eYVJ6qK*>sXytO3AiI*f;Ga@zt&OTVQC}=8bam) zT2Hicj#p-SRh?K62fUtr?5$N1pc&$XHhVYaFQ8DYv*xVI{*kp-t0FRPZU9Iomw#V4is+4!Knv0M4@wM+A)U+oL` z^oLJj^qedPY}tCR^AUX?I8?WqZPkf73&_n_f}iX&wbpz9>tfo#h;nF=6hk2H`-qnB zQ+NQNy|>4=>DBq}=b5M5;Y&mgk;wKUHrzhQ~4H zxQHf8fCP@-gjR2lDM5+`fiPVfY0;=;hC=H&txs^~Mhf^Tg`2(dzWEG>`Bt8Unk7M# zm1XHB_t1i_cTZ_I`w@I01=eBYR`_N$__HynsmOL?udIf_bS%|`RzrlQ>mXcoN zpp{RgNtVm8bq{;z!9&}bqXZ|!?B~+A+3QsFSvEZAG1EJP=s=9;1ZZc}g8wh}-U6!Xt?L`56p$7Pr9oOiLAph{ zTN*_gq`N^vY1n{tcS(0B3ew#r(hVDshHq{3JkL32yx+Lrci-gxKvt?ZrGDc^3p$E!B%f&VG zDzhIY2_k(zA8LBYTiHL<7PN$JK~SXXOXqVzy4<52q@10+#v)-tQUWMSJyl3t0ykAo z84@fU8PF=oZU4?mHkDSKcTmVd!);e8p53ipK=r5S#C_RB?5V;2QkbNh<(fH}8`I); z$$E;MkGX7%i6DnZ+V$supB~o&Brs98YS)zGInUJ?t6B}snvIChQ>A1Zq#hPc<*13< zfHEkS?i6n)?G#cJJ10@>>5-nuq`{+y&wHJi{TN_40clSn;@&!!a6q!G#9OXdB1v4m zNfsdbpG}|EccBSzsW1ID zp=%F<-zEqxW8OuJcWYTK-*@P7B>Z`HbU&*9-59VqZ8+${^*!;tBH2`+K*o0%(e`?0 zR(h6!jXzh*l(_XBp26Z=j%_G&PlqYUZMCWkga6?on* 
zOPDS{nmfKga7RsN)&CQg;8ny>Ki__ijEC{?bXPi_M-SuyqdJp=a$v%EF0a@~ay=;T z$8?RVoMBo4HqF^HwG!eSyJkLXCg*(H zV;S0_w?1~X?$iLgF@2}*7)~+h{Fo>w#ZI||aIu@EC4${t{iK;s_)aqXrOoXADSDVS zq36ZEI1;bXrPACpoTfS{47}noVq7~BhTe52+1NNemruN^+{;VDNpym3$|3V>Z=Z;T zk!GY&c(jb`dWmLdiMnaaJjMrgaZv7h{;Sf%!H=hnhB_hHS}3?sV_o$ihII-Bc`@@o zzr#cjJUx!UK9S?ageh~ajMA*}0TDlL6I!%4^VD{=?kTG{dFGcrMMTvEX?~51z7oJI z1(m@M(?Ks6mp`^)%IAwe=)G<}3g}|aAOgj?dQzhMINJm`O1%ikq88tXpH_xD9}!oi zx@;{sj7lm`^+o55j8I>O|Z)o!UQnxj*+TkXHM_R&Z< zAjU`Tz4G3k*u4NhMvk<(>+k$4)EmxMNy{Y%3@PU_#3rT98$2;O&*v>Jsj#}1=nalc z)lyXpN9;MaIV4YOvaH@7KfLyY+QhS3CcPIb-0YQKTWhMvvJR=jgU%vux-RyPtBB!c z`LUx>;vKDX(@{GxOzkJ>E8BsDaIzO8a&6oPdIQCG-(HB^4vk{#=c8TbN2OdY(QHy_ z;v6722S$Qv`dH+w`NqKe{D39RZ6c9YVM%i|c;ybat^Gj5i!YJs(jo)IYl8Jc{pLeO zu(IkztK-E!ZGpjsT8ZxFS!GMbk^imHg*&gJ^K}ZFM@pw3&Wp)TNTdSrZaR3O#*a~T zeYF|(}780>^3pcYlm5Wy#T_RbU0-H(FWH0cO17$bX-@uZ~K~;8Lf%7 ziKEMOzTRlEs=m?hkE-)?Rq6uCcdHH8W;zJ3V2t3Rbh=b(7OET8u+R|djY|V`p+8*O z6AC#0by#&IQk3RAD0G^OI?I{Z*O}2nbAL`vvEB_9j&5TmX5^0ZHTeDEH+d z+cGCD#7Q&i-WmNc0%w$r6(c~!ZYAdVPQdT$fLh)S~V)^liXJ1?dM;0Hw=JdjD0Wi6uZv@Hd+XZ2H@(|}TAuN`Ak~n^5s2MV zz-D3XY?&l}qG2YT_1mxKVFqE`YE8S&=iAq3Z@SPQp!MUW$huR$e-bh@aPD^}DTv;-WLd1;o~AtgJ3d^#$q}6xVd(dr0`?`Su@H8CleRZJ+jqSXc)6 zd&KG=i@r8!%=E^9I?42wP zM$&)#K+v)N(FrhhBL_zlK!9F~Ty?|E88oEp$1k)@iGA^S$n<`nang zW@6N-uj-Ba`o-Mb?Mkp8pHWMHKUr zny)F})TKZ!Q5eQaurT>|b`iE0$_TpIy5ea}Im649FiHy`ozeUvoduKKWe!D>Nc(~< zbV$l22QE9k0{QDTkSyx&MAn*D*PzCZwD0FXws&#A*uR!6)FNtF<&)s>sp#WTXXd)5 ztoykkCHFIib>|g6OEODvT#sG9^w6ig1>9wHS~I3Q#P1??@gvJ4_H$fEr)q11K?K3&jrF7~~XSdN1}hk;HJz53BlL(j6gW@ym)5C4S?= zhV9^&XWzRROJdPj8ehoqRy9KC?LN9+Umk;2OS0}@x%X``g|Y3d$e4G@d=N3Y6jpjP zGtl4hI_^aD3!JO8%M;TRaW>=4KYYJ0VVq)9t!;BExO_O=51|U@lJW#qu*vF6HkaL| zURJk09VqBA##@}UGlOX>HVH_?43;h391Gz6&{}`N5$^&NPl#P#33&&pTjQb(BeZVu z`^lg)8)?>FT5H{u=*cox4w!5{1RwN#|vBn)yR z4w&=#^9v-$6ue{_QR?7sl>3*8-~0^nzuD5)>;ED_{%JqKYW~?$7_a4@E&WGI|Ey5| z`-)Gcaz^>bEP&sp;2$FZ>(BeguKvX{{Nt+raaI3#|9=40AL#TK_WK8;f}rUCR~S{` z?aw(kvPqBQ*`?f6PpIip=@fWx*mC(Z4pivIS`f`)?9e~IT9sfScAaAy6G*Ya3edNr 
z?jCmV|D4bPIqMDt9rYQWI1n7 ?)I#x{u$U{$(5qjh~8c&)>Ztl*_IKg=l5o<$R7 z_}ZL`f3MYV>3p}v>2QGLem@lv5%U|;WmmS8N4$TF67Idf2?ZV&Ii~S%+&tyw**t~d#fjgp z15;v6449-L$KAhEJ^coH9!3KFx;kxmlIH{6X-IT0-7nOxx`6L6bqaTvU;AA4A+XSV>m;hHVq-GJQ( zk>0)@3|kYi%+W5hEh~Ca^~I_4eAmm{zNINV$z#l=91PSf5E!_Xj)+OdEz}HXwey?y z%dpNLb?qy8dc7-j?u;$P@`ck}!=BoOdhWyF5i;YR1P0LZ$8wn9SmPLLUQ&{E<^htK zLzON%#|fK^vkxt&?Ui_5gYw=?Xu4*NJ?{f#aKMS~KPPFSYm1x9DQ@cbnfPvMlz)o5 zd=8PKiUf1?R9Q8zJSPRS914Hh4)|n~BrfepU5o0c-3nfLou%%o9v>QdXcec+Y^muK zF@zkWXxGaB^4$GRTLr5P)Wq0ewSVsALoK2=Bb&XPPt^X5PQm+o^srLVM@h|1A+2IF zCR5PV!s=~?5`?1CFeiI9a`|@O4m2qECWm=0gPX8p9Z3>-+ds)GCj?^LXMF5_hDWF) z9!^3jFL3l$&#t-teAnfXUUCh>?Jl(%j#x0})Fn}=FA$TIYBfb!Sm5e}D%UF-!jbZ~ zHAD!Fzz%8AF)f+hAbqjb^|dB(Y4gwW!*wS&Dc-}5TXu20w;NlsMmBM|hB&MyTWvCC zOA2S?3F+L92nVf%b24w);&g&By}8jHxMpOHtCy%I1Mon~B#RI&+hUvG0GJbuqdG2;s_{SL{w8)4L|*&z1ix^XWFHeX5~mG%ual+u;#mOtHY3^Pd?0KL zu0*g=4MWGQRdP_x5s|7>DJlTb1IL0Bl#JIQwr?fG#7SH#wNJy%vjCTVWcg+LAph}% zh+6TB)hz5;k(^m>MN(}itAUReRR7YZUvGS#;esxXP|&9{f>`5u()=E-0gPm@{dDT( zkkS3qfh`*S{+v9Ag>$>%Q};D4TIg2Y#s!$?8GVYj8w)0Qiay{pqsUFx)E!;)+~%pY zF8u^=Uo}|~`;7vbEMo)b<*K3h^~};*0a1#VoV9F@=w^7mSE6IhH*qqLJoy8U&qAmo z+044gQ=kijVtd*l(z4H}7j(&Qype;<=wMc236}Q_=Ig0hW=m}|(h_@RM2BW)yq^i~ z5+~JJeUA2EQMdc1ljz?`82Gz;R1wcF2dzjX3)n0J!PJz7kOyoky3YIDcn|Z8kKv`R z{rRhe7at%@8@=dk7js>>MbPc-*)~#)vu85%b^-b$xW5}GjHFU8m7X@>x~1HtX^H1Tpcq~-UIeMuYleRT zYGr?R4nhbTu>24>UdOLP=P?Jglrtli3QUH}oa*@$5~A;*pq%mT+o0d9W3k}by7pNL zFR{lKXt}5x{|TKR`?P5HxU!H>sRRvO5J(DIoq`!K* z>&)dFMPOHBLtOp>c4b~CQ-i&9u^+(~*bxoe==1;WO9#Owc%dg|J788S)AZU?Ev+I*&zVvqhAlnD-+$Qb`-oFvFWF8GdxHfH675Gob%`&1w7 zL9?+U%~IB23s0v^&`a7Un&wbb!`Vz-zia zWT$Fe7rIY-ORvEnD}eX!=De65Gg80@PV@Y*1`ux<*WMymxsGJkxezKsZhrgQa=7WA8 zQj=H?8hD{#9!l0B@5+b8rM`SSmD#2I#n+c@E@ESD<9w72yUh)JKTq0NJ%4l5qdDZp9@Jq06F zgwW)^`#a1GQL^9$*MIQ(x3&6(JzE2Xh7QG3sUMb@fkACb)mu2_mea;VMTVE|2dPi5 znCaDbUgJUXblXPInNE3l@qkZc)OE@vUgKJS<8nRgUi~5@-C-N6`c33d60L%l6;%sj zO}gy&uV8etKfQvIZ?NT;V%xN0m9lbJ^HuR_q&S&v$XoS76v4cSI=fu=y-)b-ljj_; 
zt|)D0PHjEWsp|EtKAc-9gWf&9D8kkOqJsg$O+U|qmE+>-@5p>h)0fwM~+TTaI=I?q608o&p6%6eNm6w489=;LT^+KW}{Jiq&lp{Jsshx0D- z6kr#Thd$s?R}6WqSIiRFn|w2|;7=BwI?>zm%;0WTzGdugQ;i1C>=?~F1R0B%9+XxT z43CR8koHj-L|;rHPV=VbP*K_C zQ?1(VsFZDc)XGjZB>71hf82{k(4$3RC`FcJ<0{ABj@jXS2FN*iS`?qR1!q&1d zG9Ulw(|g?AgozwY+Y^B+&nG$hsSaPRn$8+qj6pH$-sOG=S+-+Sq6+`@pG^?#y-*Ge za0dHkGHS2f?&SX+q#l!f2 zauMe+1z}FtZ5EqO_ueiRd?r5Idn#{LYcafof4Y{5HCr;St)s}})F_fnW!H5SQ$QCu zZb3P4^>eyZ?)B9CXwwxmuH{>b+s=B}K~IHz7x1HaXf;tc_1r%l(ZlZ|tu&W|#x7sW z%|@ZfBkkQa^Pb9Yb|VQ?z9pIbX115u*E5WkuqQ%EsG=+(97+?k1buq>tWElUrc@mP zr(jZPflWo(!jI2%sjDJ(;S2qpG94`xrO^|<*F%u+Rt5+EjKE??(K1#sr3+vR& z_L_fbyFtIKI*ltYKx5F3soXJ1r>Dpm_#ueHyFfDg^k7N(I_k+{0PmfxFn4}?Gua{{ zxsQUEhssi9B>N~am&iXQB*T@`Ki^W?`4YVhP7(sfVn}qsiqC&l9G}O(16u!uH=i0~ zY`vq^?gli(78AiN8kFh!7r<>_EfoLS`l;zwyl7AP>xBmn@*~3PT3gSHJ*;OvY!3%J zzJ2_Z8Iz7}DH3oTjX{+1>81YQ*&^<>r;1Tu3Jvf~QL~QIvK)NZMd$!LG&#b;nj#u& z&tkO$*FjV63Y#c21a0?A^K?4Y#hWb7?B zSB^m}M%4#w-q#>BbP5S<;cjn}DxfD?E~Fzdfx+yeCffeJwF$xH0TImT1CreD(A?yb zm0%OG(1a1zxa=@mZXBa-@Q2fKj;_YRJg)RI1C7NdDJZc1C@AZ&tB|D&5o?ZW*X!fg z;?IGYUaXFzg;NYVzVV?8fm*X1YjL18I&Y`Ou)ATXOxnDLY1YRv z?RTZ#i*per$+M8Rp1GYHhAH}r8ZGF5gSTv@SCpUM0P^*O#pxMQX+Ay0)Q+M!DO23_ zr4&0R!@>y~vOfM_g$Gz&O8wv~!pim^WBA!3rVx&y*xu=`UR5(XZF#{1tNTyP6z*aKN*Mgn~VnNjdlJmk#9ZcZ&n<%^?r-Y)3CS8p&YOeBLP*5 zxmT0Jn(gftAat-g3|VmhoLGb)nvXuf8>QVTb3AJEU90{h!fu}K1JK1*;_~OTRhDPw z#_3cOp6=y7h)AOa_z%!S*+^!0QqI*RYf74y0A)Zej^mA{R`bOM+8~Z8P?}^emk>Va z8qcoEb6%2N>m;W#Mc_wnX8ZkV%?~5OyfMxU>Z|a^&+w#oQYTdtW0 z4E^p{L@7>4EO4PAYuxH2+Kj3<8&m`vX|!`h-?X}a(QGlj5Kk=tb;^uz7lBAdJF9mmBUD%?c^zmT1T zs`1sJ*eD=$DxP7iz2P_|b;C%TlY0yrKi>Z<(qRtrv_Ft#hl=9Z@)9CH-q1bjH&4DU zjaHTukfrabcL9-ruY}|zWLS=$IMXR@0wC=oCLd*R~`( zDVnO#!bs}WNQ8-dT%ox$QuU?LM$7?kA_u{WBXmx_ z-ko-jPjLl}X`Ds{W(U)a&KEYcT_c??M2~t$q8~GV{&w1Q%$!*b78dcl)-b83`h_aHKVzXq7w$Z`QuDCM; z(i-jc@Oa5$=c9VJl~>#sd*vBNqPtr(VGYW1JnQ#PugAysc1CaUa!bcqPk_!)}XRNO{YK zS-!#o!u<)Wx45QGPT5IgB~H=PY7vMGA-B?1FV0ftQ*KTwkbvn?QDXgZul_dt@Q{l0N` zQ2HW7=kBDUX62ha`&uO#J5dfPrVeR%x=D$|T!hR_vh 
zTj}SmQ@D54kahJT-W@~&{N3*+*gn6T@k2nQK=(J&cx>elq4%&BxMj0la0JWOb{VI7 z6ezv@Fm6JPW-4Mf+9atH?3kQ$_h>ZvX-o_6I)ekC_4+)0Ga-|V`71Xi#+eQHtKJF8 zn_`vWHr56^nnQl7M@_Lrk?Xuz|M;5!rl@s8;>&jGsy4C7jlFu+4Gh@?p@=wTj`BZEj-{b*zh#EmwXG&xVs!L zSXKEqAvMonI2{iUnbbL=^~F2cP*0+#qoOH-o@Z2)Gq5=#>mK#z@`9I3Yh^JT-YuXZD>HSWzc_UaGNXfAAcISh;d=R4O!cNIbcGKsSGAVPTT) zZW;0FjD3P;K5HX`#^E9cnsWxLx_t11M^K>&lEyk+jTtXE2ppSdQO;TBUKq>M6@OzoBsEF}eMC91VLRv_ zCvn{@GP-_!b)0U$HKZx($PY3?uWKvp?snUCHI}Za$qK*Xfw&Pjb@+V9s{C zYP=h@BQ*~_-RojMaAt!JLgsOpUhls4{fX@kH{LTR{|yO|T9km9bJ7=uD}hhJy)hxG zA&u>-cAk998b}uB&zLlZ(Day=iTb_;kU}ajlw?|NcX9F)5oyxt5oHlJ-=1C~22r9h z5(QTqxJW^JUE`bXP@^iMkK8?#kK8zsj%kH2ahHQ45ns0*^cP5fOt;g&UVt^y<=H)t z5`C_5?=?Ma{9~03?)VYefR3))CEhY0@5?Rw7%AM#-(C*^6ES#dih|qD>R(3BnsqTWJd9xU#k-Ag;#+G^{h}+&|nUM_TJTg#+>PnOPTj5SMt;d zm6;+=u^AOdC3d({wi#sZD(>l&)uFpG*ehAgycL)Lh{#Z#4~!l&oPta;oM6*TXKCo1 z{s`XQX)IJNrdH?vIXr5v{;eg&`AczsyV!e_8W@%=ciXW({PD)g{+kJ+5eLVN#rP(3 z1o9Zp$8EO}9(coA@~$T$3aIO1E;P>-D2B6$Mc}Bj;%#Mu(pZynETJJFmDgsRjJW-d z781Q527edFP!XHL5hSQ{OD6&)E)8CLuawHWYM_uq5d?1StsPxnW}R0`sBpOGw$h!y%*-`?gwmT`2o-> z$%OUsSBXiPpb}!Aro&|w6P;0R?@Do>iBX*ehbtnZ)uvLUVR}X_CiKf7nXJyhRw=Jq z^S%+74eVE#_=9K7zFwcrFkDyX(DZxm7+Di$B_4w|xgTpeTxz!1 zwoc;X!TdCiq2{K*Z(qHdo-SXl%T+gCr`SS4+Y>m!vBWn5Me+hS=7A-0OHGK|sH3=6 zSJVYxz4M-hF2vxIGv4?d#K0y-#_^zBHU&oEeOhdn_SF}Qd+G6gc6VP0;O{qh5@NxI zC#(zRz zSa{%c@zL*mOdx@^WGCEZ(KFQ@>cu)&w|X8nl!rD{OpbwyUOH;7yUX=uXF#?&RU(wt zxm5y>0!8j?{r9WjxW4F7^Vm%W&sb})h3T=@HY-{J%ZXU;V(=gpF|Qm5L{IDKiulsp zi|?5?i%!z4=G~j%A~7Lgc~MN+x`G=f|MdawRNof2Q$16hwr#w<*}N=vamS+|eYf$R zPT0VlUbEv9kPnjT-$Be$$ya(qk|a;|!YO>}-nv=kaCwRCKZt5TX@%98B5vN7U4=yyKMG>soTwes2I5w{x zTW)}Tx;Q33z0)+0^_`M9Ke|up)kMdJJoP)xSKnr6(DwD~EuB(ca;zdM{psU82ZSzb zVTeIM+TEd0C{WL5Ig;D~a8eR%%O9|X4Y_2em+k|SZ9u;ivSyRX^8@bHq&rZM|Kv3l z;-E)NeItF0>R;-9%C^iR_a0=E+}Wv>EbGk`yk=}Vx)s9?wu!77X+UXNL}C2f)DFn0 zXP>#B#t>wuMk7>`FT+89JeegFc%_`Trznn-?lcgidO)LBA zRwB!?)?;1CP1#c#*;kXj;~d=LH|g5M7GI4Xtax-7jz1LePbnx>hLDiFlKjE*`* z0X;U6Y;uC#WjM`LVBQv5BX(cmyn6*>#XG&#T8k`@_C_n$Z8<7qJ_V+iRJQqfxfcBL 
z2a=i}u6WBD+SJM)T@=G^Evjm}0e`B>I@#O(+n-iW`EXe5OIle?W%)w{*7P-+9Kn2< zg|RG_zylVs8-FEc68u$#ZvGWT0A(uDvi4Gt9S_`cqVk2P0N1kCQc&<$xav-B5SW+( zp8t=RKOO?=Jg~dx#UB=WPwnaElY-MEXaRVnpG%rgg7(&-ythYySVjKmJ?*uO2Cy+n zP$>yC25ww2OQNG=I9iitrWB%fZQ-ixA z^zx_`-ug)AxFhbr7?$AHqLP~TS7>g2QIwzMUW{Y-{TaZSH`9?2$%r_jgeXw}@{2`T zdm~8s^k^2zp$VH>VfaQE$1_-Rf`~* zI#IcN+Yz+O65Lb5ttF}xKX+L{r;JS3@6H1{pBowS0Z5k>Al;4xv98Gnif7Dkp+{d| z$x<(yhteSu{Bmo6I({5pnGarsQcm3NNyVVl%fl z>0(56CkQV?u&@Ft;qNNIWS%MiRW|W<6yLIGARoPW*B~Z>WAW!|uQ-@rPy+KFU|e@0 z)Eh60dhg};DEfIJzOkoDePcmGP85(*7JPFCdOh>!_iM3l5STRbRBJ~-=)(vUAO|hf z2(BT~f0dQLh!KD?BV-2d&Rq9EF9#(MH4{lZ#$}VZC3<<@B}r}|L)ah9@v1KyU{E8P z_4jB~DbRD?tRS6+f*2=rdizINPNZ$M7^E33-QAmV!|0PNcyX+{6&niETP#~go|x$=^&eR59UFo3trHRH$0SgnWB*YBZB(4J#Pq_ zL_R=%bM_SwVCGH}L6orebr&agID06hf<5C<2W5FP_-lex*Z2d)+st2XjNOnA$6nb> zD%6L*Kn|?lf%ACy7g_nM7~QBjAsHzq=%h&lqQ+bA?;sfyQ2*r=X|Vp|)=`XU zOsicjwgoc9IB)6YkYr47tf6O-WJ2HJPAO%7YdPLzzb-nLSm)k5fiz-Vre^o(nj4&U zD&)ejCbS9vSs5Gw4p0I5VHMyL7_hYZ>5R3g6Kj~e;-FQDLY*&?Ew94>;svEp))cRj zp*JvHoMbBYEe(S*aaBCj5k94n)V!6-xU6MuBw6nZm5r*rBLFr;`m*eMKU^s&y3rBC zS!ZVj$h@?hP#Vdw$0D>mbqwS^~N_NOFI#^JtXHDgz?ZvcMA6BqisV{T@*tk zxbeZQw6nv%+@$2&|G05ge9zwFQ_Urso=uzyao^b$by?B9t=Qvj8{+$FXIGdT_NlM+ z*YckH=gk}B75{lb^s*IuzoXUZC4peq-1(*G&naX1nw@v2ESJ}tQWy#gGb)QP#N!)|DH?AL4Zi@~I{nE2& zD9}MV@f_mJtoQ~u#jrX9y?a#CH2pA~1*Rn347L2vL5WbMA}~P(i_2Lre{|Js(ma*l zBQO)Om<3-A-y7~)2Om!D$&M5^zQMvheKUvwygqeW;jazGCHaqg_RM?cfF{P@p574) zGsMcwg)U*l?mfcwn!v(ld>4*II@x8Fw*I=s+Ew-e^iVl1e*7KFsm_K&@sFh`=}44eSrQ#NYq^f=hi)JqMr}6T5n4|LgBbq zl;*4SoSuP0BB=gd8Ul^VI{YUcq*#V+ul|Vp$9;Xt@ou|p%X|k7yR23Jf#k>w|ZfGVM-fSWf^)xEd*UR;KfFIaJX0_Vix3*`#s#e2o| zDIC+3I*yMhX$~YD0Ln9=NNCMhdXv7QTHt&>funM(1xE<0OzH#!#}P^OlNHi{NRd*4 z-WHh%F<;&tB%xMva!Zoskqu7oYT16}^@&*V7vSnzPtx9V_jeAY?eKg7!rYBK-`V)a zgvXG=g@-UoEu7KA9SGSa4?3&74qt`CX|g<%K=whp8&RD`qmXVMw=j+u{^7YZe&$da z)!t^1XpiU#Ugl60)exVZr9O_(CXWR`v6|Qs)y<~x{9nXATLpcj%Ddx91(qDMM?|@W zQs6s}k{0+P`)SLBU;vl10v?LDx3JI@Pgnk^6kzL)B@TGgO|6OQji*JDOw1-y;wdUD#T!vSid7n2?KZrKhD!>gU1c%p 
z?PPUMJkRcGau^pIXqFHxaH`w7&LFqAI(JpY>?JaC^Y8fS@$)TDNtt?>x-7tq>b) zASBO7Oq-7L_>x(>lB<$OQPCOcJ15_m;@HDpw(;Be@Rf>TQX?1$d`MZvR(vW+(%j`P z`~|}w17h;}>U@oRpBaZF$fBXCC*-h?J-uKkm50d0tyim?JoxTksaer2i1kOw3 zGuxRN)^QtQGK3EuXSH3~*?Wm-?3X){EAcSd(!6YE)kH^d1WVv_yRPj^Om;v|p3AVx4GPs>B2}_ru1U3Fs{@>i?NsGXZU0o+!8W8 z_P01-N}lSGX73&o5pHtot(Vt@FGMDqR4#uquDqx-3lwLL8jM8@AB3)!=p@LOTxJp& zBMrFXJmW!m7~x%ci{0mrP6K*NiSw6-j&+L`1s;dO_s=t%yQ*HdRfnug1aZRmEIOZe z);R1XvIz6<#QlB*{&p5kRD?IM19{`oOS_#ht*O{V`+#*=s&x2cPGk!Z zxy=L@g+|xRBPQHYbJgrIeytCZhd}lYr%05G4&1T6bL#o-HeX?psTJ#XS zXrGpEE{`28!DG5^E-pG4|%$pQB;?AZI`C`H>UEVruZsntyjE$VO z*SU&VR#b%LOktR5u5ai|7tHxzYprt)*Pq zrX;@ePlGB$2);B(&`t7&LwPF%b1?7F;VYA#DynfHJ!Yv$$D425Bh=%Z ztVAaTAFdmR+-t9iK?I=Y{ArO%lk@QKLWlorr@5! z?k9qBcAX|XC;RL0Q0VtK4D&~5zVk24UYg&#C{GVD6y76}X0iy40tzEuo$li+1c&4f zd~evv7p>mw3 zImV7Oph;KB*UC4hl(;L_R%)f9X$<*o4~hfXA7CNehWSecO+WNBRm#6 zY1X;pHmkj%-Z=fn-N5-9i*ln0yFsm&Kocfm%Qc$zs=3%ctIncI9Iq&M=WC3J z?bR?(PDDNmFBTzrV`-R@1G3OTG#K%w$$>U-;V%_1OEFIX@`zynWDsHB#z;ikWQ;dS53Cbeh2F!NVUbv1w~NIF1qkWO>m6Wa@L zOTy`0U%lv{p42_Y;lfGA6L!gO7pN_)O$kjmr!@S?(-%mXC``gSd#^g;R>{U00bv+dJM!Ly<+}cN*Gf@@`nQ&f9dxed%)Mb@`#CU z?dSY>pq}89hyoRI%XN9lK@LXi>O%*IBGRA)E7F45j{y!vL-=?lY3rHIKu&xqPW(<8 zU%V+W-$QFDNBy>wTzMLNnYp$9e$GdT7=~%M@1J9&sX7Eyh4+TA%kus)3t&Xhx#zi9 z|K?tPE~i`J!l2yqemm!pVXYiBX&AWa`O@7O2B#T~1lyMvFf~%^u-3=+o_~#wbT0V1 zNUPpwgH*M9!#$^kvYPcf`54mUaD!sn-S$sbb0}4GLca}M6=AcdAPd_c_oV zTWWxRdt>~DJph2t@HKyl-P(xmXS?UnYOoj5mIqJTmPV{g@=MCl$^UC98@v)C1%fv6 zfaDWj?DFs&(Mc6P7YTpk~B z-5$_&pVv?+6vjaFIl~X$u>WY&Y(4mDlLvDNyY(VwaVVd5Z}YimAN$G8dzfagy}myV z_R{wuES7lf52q=YK*vY~f}6>K_g1>jA*G2HnzzHj2QOVyfx4gJx+~a1o1!S||4EEcs7xh1IqD{QWK|t}uEHq4?v>R%=i*Yga?i=49KqP*Vq)7_@#_s&wYANk_ z;$5vXA8Y^mz!l$@rK3MnPc4qE4*>s{I1b*Yj8ew&eXUmaA7(JOmeM5~@=(E$l;OQa z1mLP#Z(LRFf5TO6V=et}?Pwbcv^XU+jIN*>lEpO zo+=+vxZLdhih%sq9@=&(E}cUF77M z1Rug#`4XBUR-(0R&VdCt(j|kq?(|y zypB*sPG3!*O&S4wk3o~W;k4#SZ|sMZ)9hbfNUeWAM9ojg6lNZVJQn$?ubW9b;50|) zNfD<8eX0s$*Uy&H*-U#gGGH-=6~c!W*Yg82{tH)}Azl*Cqo1pzt}ttH$Qou3V%<03 
zzfqJEm_+(&6dhL)YNWAe5*4wJE3lw=8~%P%t2<<2aLfNjGNR>kQc==+pWhxACjWE; zWYpFt9AHU>os3JLiy3(WKQk6xX-Y9pG+n|tw9nao$B2e=G-rLlDMGTD(39MX877S;%sjxy+nox!PNFQ>}d)=^sj6wi_F2T$kQ6DjQOG z#*5zZ`_H}Nykz73C!5(3Nh;Hq#4mrX7$TV!hB z^CdideeqV_86qqs#`2iV(D|v`FJrwFy$-@f^C$o!|? zt)ZW!?&&UO7sRtx4`M7PVjVGPU12&fovOaMFdiH+x4w6CF48a^h_lJ^gF~^#1=!3M z+DSvlk=U4I`Lx?tJo;@&>KP`C`84d5+pqMJ{uihVrV`{}Cg}wOZy;G$FZ;-Sg6_VrMnU)4`ac z?(z=@>N1jPB}sAPKoc*W9+P;knmLX=v3HF#!jICc-p$BRO$@PfXw0*|#gtevCe`8N z3B>5gE><>pfs;t{Y}sG$GRbiG)lI^vT>uI&ku@wDrD7PAPoc{u=RdbG^ZVku;#lNI3rHlWsS}ggzB8bh zJO>eR0nV91!kw0M{jkQn=ZG#y17am_tKgFkCIr;BFh(gpw9OgK_H$ou^gXjZ|HC># z^Tg+)o`GN(AHsRQtIu=Mr`n{Zx*_mUN9-X(kfVKzX(ihcE*U?n{?*2MuT|l~I14@h z!Kc!cxr=H|m>auHz~aygeZX!qoO9`g9%CiT!$-BeW!2nh?R9eFgOPClufs)cN(7Sz zr%h1;ryZk@A5N~E9~`xJ8`j>tcW(gkk}Nx?BUvbhQJrJRY5UASmRU>cSkRila<;mv zhkxVqsJgDaaq8$8N(z&D3Gwz^Md15j&kW&k!ROMkk8B$|)_=S$Q&tvk!0URrEg4hu zQUs?r{+ub)*@ZBl!^K06EB!t{bPqRcXWLOjT<_R9=H20I99X8aJH^RrVLUN%hnqo_ zK5fpAMP~Chg2}M8iPvZD@a<1Tj$AxQKzLiv+zTAPU3qcZy<&4&lhLfm`$msC{*)Y;O`j~j1e6w+*5U7JC!<12 zq_Q`1&v#oSrRHiOL~y8Td`5yDvmoA;Mk56@AQ?9ju7%dOkLpAt9u(WOi=+HuES zSUJweL(-rm!^*~~iihJ1GPo_7$-B~@HHKaoS#8seRv=!!6r6H0S@jSP=-LhBYB0nf z@k6k3E#yh>OhwY9rK?w{plCm_1#@Pp_v5jnZPR-{%kvp1Wt&QyURC4idxU-d6ssn; zQu-@{B&?i=O9X)v$bgWGBSxtwCZp&nk=9eu9Tz=N*${H{;xbv8u~v?vSzg2}7cobY_4c9i-qLAkpW(hqL3@F;G4 zbwTS^1qPpG(5AphnV~phaZX#&>*XYONx4O07{+>qd!lU=ZU<8AtIM|5*9E;jZz*KP zFrnIFHrK~CgYV7<-eF%=N5M(>aO`sLzOf8>+|lUrhG;3>l{%T5D@9!IC@^(zg_Gx* zs@ZM|8fK{zCb^u529|xrK}T`=2WP`^OFxYCztc0@d@W*3SDqOC$Qqx*C?E4iMEI~G zFB8=FQjn(z(!^RRfcw`%K94xZ21=wamN}lirLbkBOv_`~Cw+sqnA#;t0=~#}t|H3f zAl`SU?J+AXwS1x8#vhtE7<{6z&>N&T|+Tb?w{<;x3fdcvCBMb3Pr>Dfl%6YCD^H5k|N!-+OCo83Ln zT}b4fbl~nMDHWIyzt@|`US}-!SMotnGLyA++;56-OtZWUB;RCU1Fz7g>{2( z%Y$X3@bt7X{t3U~WZSj)qtXvT?0m(i`${6DJsjh`_e}|_t`G3X>5wE;t`Dt$j{rF& zG9E@Ngc&!32{ix8R`PG~jdv})uT0(5I@eo!nvrsuFS*(0B1F4Rg={^cr>B20$?7JH zODoh&!9LdJD$$GY$FtDTb7vEd!z#=kEoldtmyx{k&7gi!_F^&BqXffG7%SM~5Tupw zj;G&ROE$PN#25O(Iv)A+!q(C!Tk)mHnrw_FEx1~-#QxOkeNT}6MFH{~zU=vOqm)BE 
zN@bKb4V68p%}GJ_xgTg@nOdy;%%)WaEsg;GJg(sr@eTc$`74C9>3pH=3Ea7JAFf=o zg8vhwaEHn!^M=BcezuEoSo5Rjj4s4SaeI`0`MSw`BHteO{uR31BB_kj$gwmshHHD5 zFSp`byjCp}Y>z4*Wrl+W-ZyHSzc25_Nd7xtL zzZk@lZ&a7{C#hiXE!xnSkwoEr@`)amEtH;r5F(8%+v?e!vy%QDy`1S%xn}*D`_dcY z*E_**BA-rkz}Iuj{JQ*Hvz+)wG`j7bgiZ4kGv7^#q3%yj3My^#adwyQN?TOYyTvB7U0 zWpJ|Y?1FR&LUl4zf+ol+C#i|LklhzzB^C0LgZdW`)z(>#3^{P??P(7*sm|w1}NH54>-`@^;p3h@x%l z$Trq%68Gqewu*6C!Q~z{!9F7oJ4i{N>l=%YK5qFR=DygVX3pZPI_sZEGxtMDWL;ThZss8fy!|4g=$ zeRBgZZbd^wqk2B8cy;Dm?$X3$ReHjJKQ^B+*mw4YUs%7VJ<8v4oTHt?rajsw0&R3v zs^8ab{6vk#C%nhrGHzu2|-4L15-drfv}$;_0Fb%C8Db(Ps$diHaq@z!(>P%*=u zZHKCZ(+eAs+QZio338tdIEE&5^}kLbHpA(c%LN4M{FPouk zbP3Ff9TRjruPpz(ntSE2R31aZ9rN9(vI94#bn4&}2{NYm_{mHCs6NO2Gq|7VGGR1c zQP;; zGKA*}>$uyvnZo>n$&pMXsdTQmIH3;OqT)bR*Jk=DxNlJ}(B5c^ z+K;2zMX2b9K ztBG|EzM7UV681+aJ`0@3O>#r_)R+MY-!fkhFWbhtiu2 z8kEYsvoo-M1L%Og#?J~{j7h09y39V2+DPHzZ02@*y_yXBh2}_%mF_FI5Gp^q3v2DE z1egm1&zp;P{z310a8esTK1UX?bNRz^jTetS4Rm=HzXm#SPwNv@y+23?m&YTI; zD)TZd3os-Y(|pOOC_YQ_TK!TphP|#Wc1{kI#Pq@jq~po>`&ai#XUvOWZddJzk{@CM z6yIy$26zx<64odeWDY(lo+C}8lCuM}-CUNjG~)IXzLT7^-iHRFYP2nq4M`J#sjQ?F z1(pLyfRnCKnxifv?!oI}Uo!qdT3G83njL&X3*C`}`qLE;ACo%beAj>fF5KaC4Rgg* z8&V!W7R+|x9J^Hc6D^;urcp*$`QJ$-;(WTifUxaVf$Qt-w`2FG9qm@n-i+kW0&j9E8E^{QuX%Twz=o9!)Mjw4x zHvK_^fDaR5^JUIUwf4er67HnG`}bPQrTz`37w(yI=CR#D&FQI|ArL-ro*oV67+Wx7 zH71EN#$749y_|;SuxcN<=6HBI9v|27ntN>PiJKRgkH&juty-{*{i&995pbL{3|QMS zG|Yx=dn*yrj8CnXX%{@HvSsT`7CUXTPQ#P&%Fm^qJXSy!5d-n}vF{H2@ocS*922Jd z76uVQbhXR)FRqLUayvuAKIToMCgt~i6eDQ&+C01SM61UdCG~Tev3XhSXQ5f<=D79G z`lHv_mpN>-VENaZG@d_4iRuK$JHq2NJbK+jor!%hUD#QWJ7xh&i@}rK(sGvxl#Qzt z1i(2Nkc4|YTI@YEa~mJZ``0Aw4KkMZ4Xl$%>mCp}oj3S)U+CZhL$Tzx7SQ{ByW#XB zC*?BW`2vo;t74`dnHq4s7)`S~vF*F-FtcB9sUM=~fgxHObtzE5qxD;8@Y4Kj$a|bx zxh5^QQD2&dDW?o_f3WwEC12SRs=D;ztBe~8KUVF3L?g;lTwf36c9o;8nOiSWZR(xU z0gzWOHN-S{a$?c|i_3b))6Q)Wzb;r85W1ZD6@|1tl}sWIMOwEw7WQf}3mR&cnCaz3 zs+P*`N5lhhaEb|ZggnQ$({jYOmdB@`kpg5XZIX|UY+RyE&HZ3=%wMuw&qPcqrFG&HnqqgLG+27%ZgjMY*E{;R;k$hCa7CP-z#Y+02kLz8d5c*oFAQUVGGu5EfGa3=) 
zu_`MHo*qz_2O#-bI{K8?Y#%A0RBTJ+A-B&Re}l&M8>Tv2xc6eyow*N-O%>y#Y%AKCx(@X7etkKO}lrOx(iBN$PaOI^cwWm+p1F2q1?WT$7$O$?*yzl z5kIaDFL@oMKj#o+yrr1W(NV8%QJvO>`FNfb+9hVCsyqNr0F@f2EzKOqnaxVUAbjN^ zHFyB|1SrIq`PqtddE1!6E0A1-&&58Gdt^!2=dMdFS~hiW8(eKeLo8dTS&QOc-KTCY zpX;^9e!R`sUG67i>N~zU`mL8F)Q57Be_I|nw952xOU8s~%xSjI81H=tZYdVHxqcXp zd9)RKHyWS*!UX-rBIoxnFCO3OHjRSp2Q>~)zl$lzf`8;>=WSp~_;E*iX?l}&5|9pG6JAaZ@u<1-HCLw5MOEA5%+p(uW7w5#4g>hi` zc)LE(khs{*id`*a6RHn{5v?w1G?i*Ay`oEKZv)>8c4@ExS9$`XxfcdaMi)4=?R7PB zsHfs`1Nw9hQ(!)aobIKioIiGJbHjgT68`eC7){KcoBTJrw2{;1L+KMya&GcmU8QmM zb6MA;Aqu~X=WJ!PZS26KdksGkbnPFWy`-x|s3-7c>_PHT^62Ha67S2wzHhc{!F(6y zN7KfgYuXxPWzt-5dBVTETz-3I++4f`|Fm4;s)dh>qj4c4iA=Kxu4BjC#-9ssjjSF{ zc!ds5?#{QnuG^x6-Kf;mZsNRTguwJ?YqJmFTPx471Z~sC#6F+pcZJt*&wZ{n z)vdFQQqlJ5Jbr9$WE;s)N@*kfxk$zo*%e+5@WP;L){^?Aj)DBh}K&>c>54kna1!o^=!7Wovuk$|;IP9+<1SdYElf z32tt(L4Ac2G|$PmP6^3)VgwSO9NC`VYMyCl`Yk|`x@ZKD8@dM}&%qs$9Rl_*FpDQF zswwSj8SgqgNUmlQ!3m7|vprYx-%?6=sPd<8ZwH_ovG#bsKP^o`$yGLjhB zLyu)SLa}<_nS*TYW4xy)T?R9R8`-exKTVu=o6&v}Pw8{O%oT*MeJm!74Ie_VkD}r) z#&V0P;01IJ9`mGj_dZ+qOIq#% zuH%>guzgmm;ezt$C z=JcWE4Q*)4J;n^f?ao{Z?y|QVcK(X&FT z7;QD@L3N%kRL*!IhD4o;^_f{qztvY=z2_dj+|RWy*w2PAK{7|I{P5==PZ~+}+%y<_ z!m6rAT0ijOKHhVYIZBowm*`iqrscx^#@h$&P31U_mJ-=`8vhgGuC!9V*Ovw2>m8Dk zI(dF%!n!}l3%z$iZ^pK(#B#S92UiEEZ1W!mdns*%u&+4ptpz8|r(vab@e@Jr(aS^B zcL3^LXQ8%%gb$Ka+|SwXE3qp1?ARYq?5ifUmcFlkR`s6VBQd_Dhw2@5W!ijF_w?!< zP88IAE9}8N;C(;5@9I{GaGk13y9seyRcsRDZu%Mek=12#U7jpO5HG&gVgF+ES$ihW z<*GQJ#|$~2w?fB#2%q0PdydL;npsT+yZqS2HV-_9TAQ`+9n(>7)d_xoL-6LC?Axus zd|eZt`u-kt{?}Nk7u?F1_9!6ys74<$;?+J`ZMFS~utx<)&-1(@H}lt16uDh{n%_EU zGz&Wg)U;v<3V}K#t_<#fBPB&CZLUAE!=@>rD;6Y~k8s|a(?f(C1Y`*K8~9;+EDSw$H(?JUHhI~ga$>6|`rlMvX~ig=R^ELWzk z#)6Q8b3P7oi~xzzS+nZ<0Nt(4JvEXHC#w*gXQ^>}Ru62J=DeL6ShgX;sMB?~ndOtsesM)vG^DnSEu<2rHuiW>Ct~o!1Dp8ONiltN|6p~rS;Kw~fsS6|bKuTa? z5WBBp@Los;3q*0fusiW;-XwR_@c-)`q{0fVsu=?N88;WE*)LKR-E=@vI? 
zQz}OMR?mb&bXVK80t!s9PKKHz_?rBD=rN#P+N!zVd>0`~{Q9rt{(S(6%M{;@+g0H( zy2HYnI`=(5~sS(UsP6NMC{3R|e6~*UZYxvx;bUA^65T`dJWbK>?gk@ zs^*zQ(TAS9C$9OLEGs4hRAu()PE3CZ&OrZ@s*v|enTO4AEwhNznWz*Fz{O=a5g$4U z6ZdFcSYMcCj6bBvQN}dG0uG(eTp+vP#6uX|$)YQ~W>~5O{z?WAMB7Uz9LwsL{dg;N zKtZq8vDu1-Ybe~so-qCL z*tXo}UiwSR?d1=oNu5z-@w*P8jmXBbbq~WWS8sKM1UoGYMUIyPqdpM-A75ytI#=<^ zoig0#@XH{<%?G+kZw|A{m50f z(L|pNXi}JvKi+~o*i1geb&3SILHb6eyP@+A@pW?)$?&ze=1U?E-}>(W9Y2%L`A4|> z#>T?-gsvAYwCQc*fvLZC?Y(*egCAlymH8qOy0hL8X@G0(%1rP6Vlcl4{#;$0)&!Yo zD`!X0*gcY@5Z>QZ0jrR8lSYZ10@J8J&1j~!60LfYqu`=-b-N-|kRM1$KK_bu(5G%a zxO#xv-hn;r386kpEJ`NLiTT19)8R-sD>w~;8*A&+ucxeQ65<2wf- ztB0kQ0u#Sx(WyhWxOQMRgtyya{Aw7$c&lS*!Rr*6sh_Sa<1wR2ut4-i1uok_TLUcA z$dI5nN|-vGNTv0%u>wPV^cAkmqhUdfNfOVWWw~%t>+q^qd@1CX@I2&iF0AaGT7~Z4 zEQJdJ*IcUQ?H*38=OqpFl(}_exdux_V(aa zKtq0EqH9IWWvd-9qaOGdmy_V_t+C<#h2uQOE_Wxpow zr_A#{=4b{P{m=fjr~G)!nbV+19mm3B$!sSL1%_qh2Ln*iIw9^M=G0r^z>s} z(ys6KHO?vqal>)#XW!UPL?hy5hiF`GKGUr5vmPSo9a>Z2{mzS*G{EdH9SmL zD>QSp%9Pa4?hY_q2Yi*Xd6NL9k;JL#wIwFlQ|zYD3PkmfjbdDyoLk2re0E}1y-cLA z?&NfKmPfxcPrm%3!%!)nkgBv(4fqHic)Fa((d@PpATWg5el7$#)CJgu6T*-Mwy$ggnFI+ zmJJ@_A+lF&@ONkQasRhO-5 z`fSTsp;`<0_U5IPenP^$B;26Wk2It1lQ}gkmy@7TY-X6k?RE?ggBz&gIdT%(GsP;B z=VLzgv}8-+lk?ble74704n$FK#}+0Im{&eV3NcS@*u$o4;(gU!MvxXs2I+d?A+jGt zV*Lzd1YfR(=_n+n#{0Dvv(o+q?bvVM*AxGB7P)bGhw^8-zS>nUe73jke%?h22yhc) zxPSa$5Fr~lwF zrf!up_jxou#31nH`g7v~QR2g<#e>Dh2T+leHueDTBZ9qgKg5O*@vUJxr1iIOLSUCJ zI#`18zQOrSdOHb)385STHn*lYxuy6ud|Rufh907P+Tnx?bu$YKQV9(52*VpAqjR^> zZG%Blm>jTilug~EG!BC^b7nrctAS#dl8=hxlKxtR863Sc(N$tUewUN~4H*aq|JOOp z6k}DGa{a-SWX`oNToybh*mIuv6|GI}+N&_}jn$Ec;^1iw*cK}9ER)+~3&ubg+`6D> zLJPLo8vTml;(#u#M!(}DHH514@V4kUeDLqfB+&8RcT7-|b-eruT*4lHPP=vq3#&9+-;~#;8R8I3gZ0MNf!RdwTRxgo)JN7jD>L?YJ zYOnc;V9Z#2W|~cVHO4h&?l4`eFhWBYehw^Qvf8cpQdN+57+Z-GMX37k95Y}Q^a+q` zKsUPiKkY_;e#{xKM@GeSAzp09ob}&?A@GQ$*B0p$B=9Hf8DC1&6&JZkO|&lx3}JdK zxw0!w#QKOonH5U_LnuAdnWCBtkwl))b8ZH$EjISdCU>A@Yc7}qcLkSAeePYxgt8Af z2`r!~RO3R@6?;uf+>h2EDQ#*(A~g*%4U^-MaGe__?G0Hh3QS;WaGmAR)jyi|M!tft 
zP+to0yNeIDjAL9jHYGA#*+abOsHY=R!%v^QLHTd%zR6QOE`+DhPRUo$rnrWW|Hzff zpB)6`%d1Q;%i4e%QFTl?EFM1jiJdW&g+7~cK-b>Sl3f_u-N@a4x`&3kx!Zr>2(_ZW z9^>E&t+tQ}hV26NVSn=gJx9~~^v{45`@rjw)NR6992$fD|78sBETU~T^JxgizV}nR zg!Zn=qE8Yc*>)}LpYWKis!m3(;8pMqk*3mJ(j)W&I)MmNE9G4gbd7XDA z2I*hB2UgWTMLm-`a{UvN&Yispa_MVlT-Pjb=(P=nNM(3?{4(+;5C*OCS0itcQKp$A+X6Mm3(FWdT@{#Fkgwi4#oeQ6*53F{B@nS*Q7{^ZIMTNgCI)5A zITu^3J8O31ro}*Dbj}B6!HAoqz$ip%V@;gC?mZrUduimyUe##e#sO^zcY+~S23g+O^Dp{F& z4|sF2erg|(65VPq94eBrx#NMe?fit+OH@_+eMC{lubLmAZ_dP0`gFx#>jZ{WLzInH z1~)+$(PMz<`%Vk)7($6He~UqKn@vHIpWx%2J(Cq$YzBkh_7Y}Yztjn)aQHugr!vsAQ0$w0s?`yvH}DxG6>9Kpuk*RF!fj# zd!Po)J`GKA`g0Qt!y4mbiP3BUS*QtYho-<{81Rlw-h8~&>|b%M?ydE;3LhTH39s?t z+e@3j_qvX9t>{jQHA&_WruxDqi6)vO9JU@)ol2(XY!UgB&&+VwMztf@M!Bw26qUG7 zi-t5gv`e?+NC=GIdKdpVfPI)55ym*5k(1I3PZHG$=6#tDp3Pq&XGR>91m*?s8)Fy7 zS*22~97763)6rC>C9C{HzM}=En6!H*r!~tWS>lPnKRnWOzVT!wB4+wGUUIb|{&tMU z%aI$kn<9-CdmO1K4yr?)Lu=M_#u_Z=#B$Bl$HPV}H}?-+qm-@wqP*$oUqd`voldXMum0mB@;wP0Q;gUlL01`o_*MvZGfG1jsjDQQ2IiF zO(Ar-`nKVl3-Jvf(DW5aYP9mUF^DcbWq@U_SKqGWQp^-!Us*nq0UYJo<`p69CVjEM zQhK_*ni5`q=S-jHV!NvG1G)sc(J6P=$p(+3!wT!Tps_mirW2?2B9DvwT^GiM>IlWe zzyrb6*(Uh{<-sqCEY%8R-(a`un-;zjk~UMT_~|R!8PYW?rkyoaWsOnYO6C>$CoH57 z6PccTMQ?Q+vn~fXzeEl(tvKd27p zQLBP&^z)eaEc-*>|6<4z_1wST@dOQd8FlG(z+Wb9Jh_~j@Bh{FOcT^1GbTnmZ zp33itMMr?UXxeCCfx}VwS_$hmI+Uhq?&jh#EaWZ|Cmzs4B=4vu2Ypy3WuL&h%W=Jz zSqtzy7#VjW+eCMAv@RZqAnzb%_Qen{rA@oBQ+tn7yY*5}qRrB~SJlpvTOy;EBv*J5 zzI!{VWPkOvj==+A-BVp#gT+H2UXcDM!enmVZhc;X1GJ1UJQVfjs2JAzC#J!@J*8fVE!i02Ov(rKK;}nZ{E?0Af&wa=I-$tLVtqTOlOA_-dnw5KK@>KNO zFBae*@i(@s-o^h-)oYjVFYqQj9E&_wHU9DvLo$&4n!iVwsF%2tUOUTzr4OHhfOgyZ zXr^G8*{5HCT4?(oVP+Gj2jIGn?6Si|b_qY5Td#W!0ps~oIa8kV#I~2^Ibe*fws-0n zKL{*~CN9`pTg@6>nKxwb+p^fOjIqALD^PJ$lBvt(1gzrXgSOw2tL>NdLmJ+YZ<$(b z(E)HkD9M%o(f^|Ick`TUBDsnj`~R%|?I-;UeAgCKKTd(1ZuN%fSY_+{ixC3)om*Dl zR`_)iBFwl)q*=hVF<@pu{_=t_tzqA?)Zhq{;>P-qi1D^21<~3Zc(OpgeNWt`=g3X{ z)W&1g`MV-^vGYq4G6d5EVkDp$6>1@FI-diJ5tUNdV1tAXY4fFaddP)!LHJC+YTam7 zGPFB7eqj!5&1EV%<~tcB&4wg>!??tZ 
zT>>&(&qFEwkNNAoz&4W$e3ad03GTw%w5{7V@>~KUV4FD9H_dnmhs$J~9lG68!xAWM zbS@^-0C~bWvDR;6SvNE;)^>43%aCbdZ$du3^M%eZ@5!0?+44vhA+v#(&or*^k>~Yz zu%QJusa3lgTgtrWPms}q|NF=1{1xv& z=Ht)bxOPT-0VlA<8zn!%G1=P`K=Q(F?`R%ZD71>D<^H6~GRZL@*5U0d#lY>C_{>e! z^F@AK76<=!l*fs`+|oXNczWyB{7;Ro4{jRI0et;Bvk7RCAxSx%WD8^N+ppH_h_V@m zpMW|ibi4%;EK>++?K>NQ&U+I`Q;VUtKiWbqv0h*IHjK?HU9tt%AAJ*(%Nh|v?{TW- zm+d>U8a;K!AGK0o7-d}<8#YHKTYtvYgyA>d00XufV40GF_7G1BZS^3^)PScd7P)#` zr0>2D9)n?x^8sHSaJVevK9z7T0#n$UGv;={ZN~MfbAN7~7sej9DJ2=#l_AmRW{naw zAE#nIJ;<@Vn+0&b)Ney_eG|X9-_W?=%^U4%=LcjZ;+icZ5g03+-arE?cW6w+G7H@2 zijsV3KJMfo=i-eA-|PMSfrfh`sS-{7JQA!8LL-Bfg*r5n0wn;9q~;-I=_D`xmpj-X9R-=3a25ksZ-E&%IJ*AuD??UwJzQ$NX<DFwe}o|0aUq6i(*_&z9uigRR@>$o`7l=7UCjDb?4g;$(tBwdTyDeMq2bcwZ=?Qj6Y|-um*%i%E9orD)pkg!#N&$O5e;PYjC@|$g2f^R&Kt4CHhTYj|25A6ugf_oS zZ*JQ#Y-5KiV-U}to9ya+EKE<=d-&kI{#2vmcXbPa`*8Z4;qtev!ct+c>JOS4_1rQRtEO96^jzrpW2RI z_^HV|gA^;|Jc9(rR-UWtBLU`qeQUO#A<1SvH$)a3kr;9vcDS(fh==p|Dj+=|29lQmE!@0I$GOe*SSZR! ze{?sjj$+(1RWkVY?>?hzM=y&%UU1ujnZxE1>|Urw~7P@o;6S>$eYm zDxO&FNQ;MqEr*^Lux<-`d%=tTi-A5N5O1J9amXF3`on zBJcyo&)64^?e0&ly%6Z#M>$Wx2IMO`nG`?v!)({KqFb zkx*^}IVxg0&>0eq#K|>Lc%$ETo5v?+Ju6hOP=q-et{#p(3Vi;^fAjgP{?or6SXvKw zjPaWwFCi`n)IZyO>{b#lULK{sbA|la@BY_gcl6bhv-5G($do~D@=g`K4IcXuHql05 zK%cdNRZ13MPIs@0vc+Mq0Mw?(7?E7oWk_3Ld3WFe0?g_h;ct%)-q3I?=MaK4*Yb8g zz!1T}qTu9dCYE2F(SPVYtun8@}&^L|3f=aYgb)LO2(W*wHuotp_rS;HV_EAzqk-;b*C&%)Y8&gpab@jwnh2agaZl?kU{q3xx4(jMN`|Uo){Ev)HW9NC! 
z-!C+0t=OU6?t4^ddMTBgrfXUrGim;gpgVopkfP#vK0Nk;`M$?Ls34ogk&BuwXSO$6 zPO~}yN?7eEa)T-qd1d?+qdZ~mcl%Y(rQ=Cz(z4(OAVAO#w23%!6$o9Dh{oH&5_vF6I`MPK+as;2r zqW(sF@oGD_>t!x~{FBNceIa5Xwe$x&a=-cz@W_swa{+ip0nn>BEmx-*W!Fz8tI4l| zr+Y(iu;uwn?(w;_ApVN%H)JEicgBAv9Aq2@Nm-zvf>H246x7@Dw|+ZSoI_56bV@4Z7kZ<OpF9vTKgX+i)HEH*g)S2?CCpF5hscYK4QiBW13i6cKoJ_Ry<-OuGgI{3W`hO1uT2 zSR$1C85Sw{JT}5+3dy@Pw@Spbs?hQ8+;bMMw2~&K8g+UGaf~PZ7Aw)^GenFDITFA~ zjT>Z@Xp_&qZ;Bs9e)3Pg4OZ^2 z!CAD(KCrXD`9O<+?Sm@OzBl^E{xAOS-C=-PZl|kBhb~eO59jY_;H^nv3YjfO83v@N z*p5XE-gxq3f1f{o|E)(R&@WIsM#aW0w6$ z4cHNqsuH>5hy{AvxLM(EP!M1~!CvojAu)hKKC8IB=I15rRv<5RTx3`}RtcfdXCM4w z-8MCp5qKM)fbOzw4+UtKxF1T=bl>91Fyj}rn6h5RiL5J6w%wVhmf!1@8Mb4j`ZDO< zr#rdEdYlF$Of9nLAK{J0Zz1**^Z0@d0?6js%)!Ui{@`N~&|H?}{J;A-W+JP~(g{}s z+9RHZHYH>$AarO{HWe~_^o1siwHYU}Rfj5h!OsG*4)LW+!il~RkJkJzJQ~PbEK_9w zseqg0YjLn}iy@_Lc6d%hetDF&8)mz_n#O`P=!pzt{L>l?wa0w0N;pma0T1W(q5uWscNvgR$-A~kLBk)g30w(1C zc(XN?N}_Z&AVv{jFtBQ{M@gboR4{qdDA!{ml%-Ez;0H(pD}1nbR%#Qa zC^N{^f6sNY#HJC?niQT*51itsvmIi_)Ii{uf^`>$4f*MPvbh=b6S0W>AHMS@$Uvnf zg7JSUvu0R;)iAm;)$QV~1an*(0#nJ7oYKDDKi*MKni4zR7>Kz7@5pTzu+5dkx9)gl ziM(}!I^%$gT7qBue5YeL{0Jf$w-QoZSlt*{nPHe|@S4S``&{%=o)A)+4<6nRNdS5YKomSzj?@&DK}1EURC$ zB-xWA`zA5$&;WehF)u@w`6GPY0(IV0S}1F1FUVCYZ;{Me*VTcNc@~FQS4sw@W&#)N zpKV375RZsS`CLl@=ib zcicH-t2Nc*8eWmX#AD{a2NM~9J!5{48{76F0I?Do1K6E%ewzS5a_j_qb4aLDQGlxk zq{D>9o$;3mS#~D9uno-aLPCl3AqI#rA$Y#Xw6`R`z_r3UKWivG%*utszJI4O+!kVb z{1}`*C~Fx@U7>r85v>iKzWs=)gi}D!AwfUS#0;P#z>DU+DkTraLH}$hhT1_0M24Cr zZcAZ+&0BW{6vTR50u2Zb-bvha#PS}XUfP~;q<1HrRl=n+MY0pwg?7Xv`Z;4pPw88Q zNV?~$GUd{ZE zcr~-NN(hBrnb18#VYsB2_*Sm3kdyEP()%J*@@PJ!yBoQx<3Fm}h|95XieL0LD&eiG22j z&-3M(zRVTa@!10Y+=}5r_W({>Y;-;w^im;@$5^$ky4719sbRNOy z7R|Q=0?VSu2M|Tm0=d1kxr6~HMOhbHyg6cwZlUGTD##gx!oS(cF!LFJYt+s6yVT7f zW-aC)GHYN!G^l|Fd2|ct9x=9ACX!=BaU*g7$|?vzspNP@zp!ni1SFN$0m0t=l)2>N zP5H+F503X0ye!xU8*(FeyL-vyv6}blVu`2Nf{H*~8k9-=dgR6^X~>+1OPPN& zG|Yx872>_9!UfGk%)G#YpFWAVJI``ogZZ4Cgv|Wi43p2I*`^!j#UsULs+;2J7XT?r z7f$YxaU>7Y4jjA5i~{M|*kbE_lW{7K1#Q;T5LqsbRGz<+j{4o4JGz@6I#%ajGsbnV 
zKye%MSH@3uP>_Fu z-5){z83N>?j_>ec#e9>+3vEWA5y4vXPQR{0uoxV-r{1jvk`KN-5m54v1VAwOXs9md zpQ^$3<3hZlUkE5F|Gi}MIm}!R9%8tD3|0Yb*3oKY3t~7!+GPuToF=n?egevm#Hp^jWsbAoll^@ILV)hXtT(!73Y4X1kj!r3K$*7hS-v41dE|-Ge6ZxG*s8i>Fo1 z_sD{{i%&G$Qa9W4{Rz`vH+hOb`l&%WDM%%2>`chG)#*H>)>gFFf-^D=ZQzx#m55y` zVtP?QZxHGJuaRZ#^W~Z7(zr(X%AaBgnOx?8Hpml}aLU9wa;6Hz zq5e8|mptcjw(q_ljK$+R1g1=J+HCjjblCsq<)Z$zO{h8l0TjqiiWp)y&y$E5Q=pw- ze8KR#9kQM6dN{;Fz49kwfArH+!@GnxxU|J6hu&2iZ}%}e3v90+K6_~v)g%@|n-W(O z>)V=+L6W44i)V+cKV2l;kC!szv6fAo+N$hZn)di~N2Gi6UNz5nx4lymJ8iqBT-aHJ ztb&2?9`B)S+*lR(9CKf_Z``X4>!Mg0GiApfvsM~I484E2f0+){*9jg4icSYe`!f)IhDO2Z8|kdf&F%c)MOqI&ci|%aYa^J1{w0jKhfZpbipFB*>}%adL#sJHPAOaUTOPmp#$V?|KsEPAXGmy@*89=G13%w6 z>HHuZO{ce;ZXMT?ULQN9>YpocgB)|_v@Gyq(IkHGKFEx5E=mIt1>kyl{>QF!Qy(@R zjKiyr=9e^&Ej|mc8~d5Mr{x)QUE25bio}wwUcC3GsY<1l>$eA4S)yB4{5GZ?yhqmf zZJTD~u&GV?SZPAL;6!41$nanQDa%KjsO7RgnYbbK`g=Os?C3v=Gu!gfaQgm?IUQM6 zl}_MkdJi1(Voo=dN^h98@mc6HUpMCxyWJa9o#NN|T&IneN4xeN>t5cMPobTt>k47s zT*%?*LWN%6#eT+MZ4g@<;zMp9WQ`M`qCaVzz@8v+AGrAE$Twr#w|=?SrL0_ajFMm{k;B)9dGVxv>Rop=CzIv`P1n4#sWrt-6~2xOGs8$7~94 zK0hjtBZSYtPVkvUHhUs7y1Nstt@WBD%j7}c78h`U4E0=^9xee%+Y9?6N-CC@f0-zd zn=I9TY_fT2Fu2Q5zGdAAHV|V0$8XJkXiO@6y7b#bJ@dLekfAcso9{Ov^s$0%{9(LjT!>6Tx-;pQhDko?Ktm2h{!GE zee%a3Vy^IJsUhqq+WU0>$O4P&t?7)LZZkuJk1-C7-B~kABLj4I7dT9UPhZreoZ~n( zJvRwp0FIPMAH%ggl?iR>^Zjt0DV-f#O{sVfw%A{Kw`j*>IrQ6m^h(UT!;n634e6!k zVj%HqmaV%UKs9&TO}(|d9ttX0CKb=L&f_g&Yi-NwkHoRARCCcr1(E~%0lyJvL7_IK zoF;X!2bg}ypSW0kV5w`gEp7TDD;u6+f<-a9PR!)b>%*@`|D(GfEC^@7jPjrA@uVJz zTeq(Q*1)42pT29bG&_3q-ui98(E~-IaaQa^q6J$lDmXUD#XFVHYY#0ot@J7{j-n8p zp(yK&dDch`J(QOBBo{6cto_?PBrY4z9J-`Qe;tUXLvtjQ zTdXx#)&pQ8eNwV@dx_{0%wu1jDnxi_`6^EHhS z+afmk00*EXOJm;&Q*3__A%YC{cp7cA3j2MnC)RE;+c!^LDQg~CV-0Ktw@(q;mzI+r zxH9zk!o+%8ll+xz^md1t)owOOMC=2Hh6=iTd}^bV6EQNU zD5HcBXqqZp^p+C}fcpJz5qBN3JB^w|LeAgJPwh(uE)7GPkk&a~S|vZUz~Nq^Ywo^_ zZX`>bANBGcR3qP4wtu^?Xnb|Le>b!l3Cr5$-<=N%1^ALwd%S^b?vLTCaifNc;etOI zqSPB&w+s>(r6?7w8#Y<}=2}j4=UULldQTw6L10*`j>=?k1WD6##c_Q&f`oTCI(*vK 
z@|&@K;mmCa08O~Kt%z#vW*DR;-4$~yIZNV@ue+;lIsg{FnH8fap<5{}QYitLRKWX< zxlCz+%~MN0ui;x}wf7i8=T1NL&oWbwj)1;hR0nOIN_Wc<+D}Z_U&oHtX8JT26BO8M zSYuF!Oz|r$L#t8ca<&cKTkJI>C@2#0mXVv&o_>}ioG*))-@h7;%|*0wAf_2VO3dmi z{I`U)Ax#PlVNxpLTFnTJops)BS29yIQk}41fwMY4m_sV1 zUwY$WxK3HXa=oGB3$&W<-cJ>4Hv~FY`Y{{#UTcygyx{e{_Nxu`s#mY3Bmf=js>lne z=30^QUZ$+JMw2Ad@SV*^TRtw*mE!SRo~Pe-5FS%)U8vt2;0G1VK4|7~{AhY2n|VV-T(1Y<*>7{lVj{ z_h730erF)E=`3o;10(9lKG$sFTKhA#1xgClNsm}9^1BfK%A4E;Z{){*s&G2{GG%*H z!s|bxn~UI^B*E-lN=`ZLBey%c2cYz~^+jPg5qL8f<(GZa7lB`?iM%IbG za!uB*io&k-OBzNLIQ42X@kHMyf4txWi2^6vc*G%C3ee$~|05kf`Y$yzs0tCEDt%39 z_!-M1K)zjX$p{9@!3Vy|L8;=7L@QyS1FNXdx{}!`l&m(J4A{`l&|KV7@WD}-spJ+Y zPzF%bQ9n@RT{@m{>q{m@9Zk|0jegRT|3}+fheh?aU7*Y`z|h^@4I&^N(t?uG4I&_o zfOI!fQlgZSQbVH%3@HdmN_PuGcY8MI?|Z-Zt8@N2f9~t@5_t98=1(xl5| zXprUmW>>wIlSVIwA_aF)YUId7t;Z}Pqd7n#!NRq=+14Gp#Y!!Z>NATk!pU0+kQ&XI z`E}m+4_dmiU*nThjQdqZt?MrZovi(M{}K9tpI=M+d4~^e+w7}Z#sX~0o4N&ulUE|Y z%fC{{9KR4;ygEOuFki-X6-AXH1d*4De8-FJsHJ_&X=*n@@or75IJAjK3s4X`yMEcYc0S z`uOQ+halg70~HPUC6{70lSVd ztgXWVJeAuO*K**L7Wn`J;lM`t5_87yv`Kw^tifVxp0r=K-de2qLYjdPf?GX`f?JJ- zvlB8t@A;kex9Mp|d&P&`Rkx+6SL?LXX2-AQ+Y(opM5vJ?ksb!tqZ8|EGX`E2?=NsG z%$KTT*ieca5mE@im|uBaZu(U?9Gi&5fp&pI6CI=EWXo~);Hp>{pQJHEJjYvzwbsGZ zBN}{1E}@5t?<{n8&N)vov2^3+A*{H0217)LqKT$!2@S=RJJ=EC zh>vo>|GSQ7)(U$$X4$I%rGqO#y~MJG{F|Enx2~QFeZH={P_JGq!=v|f=VlW=V5hVH z^(6BFzD}tD>JM6fh-87mU z%_$=f??lDzUA^?{TxsT&Kx1crq2_CDj$+`vMjD0*(@fvD%~%OQfU*hiJhwLg%ctZNfZ4>(K>k zCXcoy4iGWuYV6)0m52rp+67_|dQPP|fn$@EZNaA2K7nQL9|j6#>2sTDNZUO>G9#C3 znT75>fa?c&q$P6Ga}>NaI=-T}qrbi)7TH-tIzT-4IB=rG^e>sk$K<~3=>3*Q4M#F0 z*(F)FT2hu7731jk>S@WQ#A!`5E=+zz_WU&xra$@n&`~})q;o510cOcktSK*y_PwA3 zXyDWrUpbYHJubPl^f4Plq|Nu683FU`?dcSi9P@S`^Ir@2!4-9QS7#%lWKxTaU5cY0 zopc^Pd&b1XOdYI?cC=qS?AdLoW#o-(*^o%wuZ?b+`F6RZTL} zj46kkNxZee*S0+2)yP`x-r{eC9_<8HeOjk!nyRX*oOZ3URkwhkii&%5m{-rA7|L)j zZs=8+rN%jt^aXu6v{oJpl+4Gxmy=XcVTWI2^y!VwG;sZ>u^l4?i8#31X>Y=7vG3Ps z3uo(y7ge9qRIS=fOJ36Ad~$n*)iGlJ4NRw+3-^Wb+zQ@@+cPbu`V1Xq>X#&JROCBJesqg$TS6KU 
z15xw|Ey446f#0i*<@_a7GTGa`mdAS$U5~Q;fHgYZprhUmz_iLB>~}%b$g!nJ!mcSt zGDyO11o1xlh2mgXAJW(N_}9djSoW+kuA|YKbM-oV5n-PbtfQ^b&caV>Qt4QLP8!^s z#`|!+eB1Y61ES-TrvRQZJ9XAS)twC3@P1lgK5-2lJYAe|s+1sk09=u$E!(<8tD zSbtDi-?5laif3uYs4V4|#q9aRz|rGr_h+1JG+F{u1uKY| zqZ%wFwO#>jMS~s`+JSmz$h0LS(ebfS%_q?#4CY-?^iS-h+VV=*9fZ7IoRON4$BoA( zKl(IM1fw%VJ^P&!e=d{Ki|i+J#1q4dmHCz^APJ`9>gG}Ojr+YXkbmwRTUJ_hcGhbV zI8`UH1Yp3g4hW66Q(5Z9 zhT-RzS{|dOcPQIp=b}sLVs?CTifO?~g{soK&0j7{L`Oj-5}J%4hYFw1rI#fgG7U5- zwqzbs;3GfbQ$zdsFt(gpG;8}#DX^#UMOUZYr|#TwvO_1{gI~0yu!3PI!^?XXZkUh)uEnCSDA-REAp>3oDe$2cp2o3?gf*rT?^*?Kvc?R_3uFC>{6( z#Pj|9&n8PkSr9iRRVB#@w4%YE@|8W(@%u3|C%Un>ypVE}o^VEV>xK1I_<9MA_+;ko zKbf5rtBD3WeS?3gF+%5TW%}%KfU(sz*OO~a~;nTCj9AUK~JQsW8IIr z$X~4ECHJ0vRsD!9JMTm2u`|Ont<`MAmRy#lVd@0OWWj6CZGm6&y*ne+v0jVKKv^!&1EYkVf0tQ!?1sJ4>b#xtsBz8x8Dx z99)lha|?p4${{r?+BCaOVhTnHCJk;HMD1_JbIGWY(HgOzysyEF@q>F1Kh6+P#i|cD zVE5daoU?fAnZ-WLDA#W&fjSAOe*P-TVM>`}-g;-*V!G=}s`yUg}1~h;dqE3x65*Et{=V1!_@aX6V2GQVs z$hf?A<>$ELZx|RhnauA|;Qc2^hC(4oPU6*f)xYmo>;1^UulNfN{?%XylK06v6IKPP zE8|$obKLFG^9+fL>TvxhL+!-`u_ft~&Ii&Qcre)T!=776mrNqwyksr`7SV;Zw!}i6;p%$eJzecy&wQ&Y+h&z|! 
zgImLRKDN{HEe*mMGinf%=8w&9?Z>{PRrT!ATajx@C@wG8wS-TwmHYO2le?e zCZ=~@3XTx-DLt$jl(hn>?2m^ zd4j2fS;tWh;lv{aej@12#$O=C+9jati=&7Jcc&1$@p5#hdVAz??78HP_*Y}LyciE^ zZw4$~Ymc(leqY~kz9tit>t_uj?)Aqz#fO>v2tLU)C^^vEN_>Yui25~x@^OGRbq7@U z55$Y;oJyXvmIiTidYr+~U@DTr3N(p|l6VUxq>aXDrDO35TrZh(GNr89liAGs4O{Oo z+J4{QXX!mlK$-Y0`4*|Nl2~31rupq0KC-a=5V?buFJE9IDN=2oTmXFIKH$ee&*A0$ z@+vgm>@YPu|6_PIXBtemmNQd2v@x$)t5CH?_(MOVB94mw5<;ijPARhG^gB*GM(_l} zH483nWMoBlJ{O^0(8pa|r*wS?Pe%b(oQ_^m6ok=%8=n->D}8WGOEfk16wiJ%Un&hM zTW3F>2DohHoSy9vLXu5aV*C)ohlEn&Z(G5YhyqU~k09ok{RheS+DDqpM+REnA$br} z%oAnKt@~Q62X?5;yQzy|rd4BnFYy)~N5w2|5x$zs68q^&t2nN&B+6qZIRLn6@0KFv zQD4x3$5y0Ni^W@0KM`SvG5&}Nc+|w_(%jGV(SpG}tYcbtH^iajbeP3_W*NHYdhMNo z+S|8&hwpvd0zgwzllpFLFNHVgm{@7?=bR^v+{&vRrk$LPJbjq(2j2)OlCY^GrJ^%T zZp42TE8&C+z=s)Z7*^#^QRp1IeD15$D> z#p#C}y5(SE$o@7UoY5^Sho@^D7_XJs9)7T&bZsLnpI(?fox><SBs89dMA*rMtkte$Efl0yO$ z^v~P|)j6Vq<~*O*2FioV(uYE<@IbEsjo|7z$`scF_OgoJ$C=$Q^5jNC)bnGWSKg_F z1C37_gpy$Qz z!;+vbCznSypYmDDt?uQ{j6UB^LBP;ZevZlPbeKfjwb?UTAjcX#HO76vo+yRPwqxhP z8>l-U4=@07MNc$T$4*P4bHCy=L3cHs>7}JTSoa*jsz}fhGHnT>Zb?rCTJ~cL-ZgNQY75I1kVX)HReN}N+k!g1>zRX;YqGVHN zT54@~F3J5lWknj`A+fe`|NDz;n@~y&n^?RyUpYF+U6p=_;r{jY)n?oB`C|zUCJY-1 zHQ3Cblzs>*!>VNjkz9#d2tS~}12^vXy#U34rvk(ANfaPPQAkdQ?}_QAYroipZFj?n ziy8`nb}M02Q5Tx^Y7JK(b7LJ=;fRWOi3e)*r-saj7kDkFMI2iKY~p9Bh9S`aL40*$ zVxsf*reOE??w++jMn0`9ZGhXkr0X)fNP($XnIU!FKCsk^S z%&MB#Ez2)1ZiF|m)&hvp6!a@)zAGb!zP9=? 
z;xFiz%iLCm41LMB*O0NhS;hY;x!UJ-HQhzRbsRokUtJ{Me?wec>s~Lb99tm=8x)I=;k<|3*rN zkx~zy+sgRl&6dbqw$jL*DaV*RGOnz31i8+G;ur8InilWb8z-~r0EK94^w=_%qSmbM zmzta^i|+}a{oKLJJ;-u;Boc!e=UokMv8;Vyr5&#UPf%nGZA^*x^^W1?wo6pxe%1(F zMFu=D+Wirbp+ZE16!f9zkBKkF7H=9uUu=Xp0Orm zrYtjVa%r(sSlE3#BQ6+Tr|e83RJ;7C)=v-IzeRLk)VPmz=?TMF9xg0ODC(_y@6xQR zP|byW;{<^QZ%K&bcy{F58fJ_)yQM8P4my4dU$V|+$D*@r{zO;fYHHQqtsaph4LbAa zBzXJ4k6@r3_c9#n90p`G8>g#Y*%SRy%b&a}Lr{9BRmSYOC6!)-6%9;sr+mivxuxE2 zgSoS3wf+Ka*eEp$P;*HJykHh2)@RrYkkrxF3t zjhc^&5*zwY7jckohhj2<%jE*=&wpSfY)={0w0Zp1un!P4JbH#QkWbraf>y@dNf(iU zhcBMT8Ijrr6&dlN;(>4(D*mJ%hUZ<@U}0j0@JeQbh&el2KaH@OcXYp6@a*BkjpGs^ z$A?M)AW~7Eult2VPccodKYctP)N<0EACZ_Ej4{L;bbE4AdjSs$V+Y?@Zz-}PTaKU% z^bkJ?5BTNK1tIJ|x9=a6V8*ZWAIl}OKEgp=I z3-+|anqfzFx(CCS5T`0_%8rZVUbVK>8qSYhnoXjSLX%5;^2gB=S*+%3xVa2i5<63K zl}MC%Unc(~8!1W+g|KL)f5tsWjHfUYLdUsAbTJP{ev(0q)#j^B%vc(;`#?#Z2t&H* zKaLl;zH|nt@eL+L9?&#$$ak7?V=sDrBu&zM@4Xghi1(#y(dG60%A>z6MNtV19T-FJ z(c(iN-ZC@U1esYLMtH-Xr(}{pw`EUOb%jg6N2Te%4uvfzWzo$TVBF;hB8rv23{A8W zv?+_j0+cT4W}tNW_mYxPumZiKXvnwuP2#+7>-t4fqUpF+GB2_imM@vbi{x%yY7?>a z$oo;Jsuz*bQK3a|E!^(s6SecqSi~PJJd7;UW@)MRjj_(? 
z4c7AEX^F@5KmL)Y8A+E?V<=kAltSp4Y?i^XAiJz^PesCiNWG8JGsZXj;rzIYsyK=r zE2}dr*}=huOY0S}da2&rmCNy__UuD1LPwbh)iU>9GZx_R^y2RhkMFMLUKysRMT@VQ zx5`4#SAyghc3yGNmO|z*8)=Zc`hHmN{fQ&%|22+wZH-AO>dF~U8C|X)DqZa-kO3ng zteExNszNl_@QMr=Q8YEl_A>oPMHz;+s>!u{y=zLXp|?%RKof@0Q>x(tp_qypr% zB_&2D2un605e#yD246LZi##Hx2+MTfC@{?+fKcd*$c8ec?3qKnJ**`|_4 zEFAe(A2q!bSQOP0e~$dB4FX8%qY(7}7KPc$6e0YmiP=m~xS<5Or zBx;A}MGA2W+JMRze1EW9kmrDmNTOT<{oIXP5JVm>jtWV$!(@yv&u3w4_q-eGK_CCG zHTgF9!U{wI#kioWrC2(j?#EY@f& zM=ewiL>=bNjt?&OThZQ0>jmAD<;e$kAa4WHMJ0_ZIS3vo;;vtV7y+p=C(?Zd4b;eU z7?S1FFHbYuF7MCvkOp|V>|c#l(?KXQ7N|?xh2pI-g6SiXoCse)HH)ULR&+^e2CRoa zDji89yp*p!0z2JHg>(RQl+o%ZzssN^1x^X?T;1|Mq{aY5!k(W2qKp4k$4q3?C#X4GhlLgl79u)1$ysbV2PST#7(|_R@RQ z0F!KuGj1oU^I9s4X^NuxQWk+7byG)Pk$obj-^ncBG^9D(8Bj9}q?!j0kLd3@MYe{Lqq>1 zg)sY%+#h&2in{98!@`;s4vYqThxuA5p}(RSG^7#Oz}SM_xa)jUc!-kI18VafyS(^S zhfMOG+voJuO_7#;DZTT{xSZI;M5@mI270t}d|ysZu5GkL ze=h*e+R`d}Nq;@e%tmgEQLJ5tb9z&fxRCgOfXAc(s*=hRnBPnC8Qs4I1t0ndvgb3L z<`FP2#Q6<{RkGGDwq#`=5ZDIud}OoZ95R}yPgtoAA9X=a>2p>_{Kh`WKgXA*`N6Qd ze{BS9PNQd4OW8UP zjm!X=cjI_6Fv3uI$@41W`Aj+~Sfcq%UBebh&zPm(1&i=1A*_AMcJh9$3m z=3S*{`*)|9wU9uPeW!-$9suLt?p)@IDHHYs8?lwt2i<>iQyPFy|1~$!;cPjhVcjF? zN7#5ogWm5{pDgR&hF2#Ji2K@r^+&%Zd80jv#;m5i{$5Ej9wWd)?i>feXvlqaK{^)? 
z6o0F3eS3#PG+3oTgs_YPYBJZ5o2hX(>{8g=7XP4^;K@4T#niQ95w&S&7oN#ZlqaAr zmppeM6FR|6Oe<^<#~~+A^AmnUfI-TGr9$G5hJry9xX6gszB}!oRJBKV+jgXZw)67g z_{$fGw2SQA&ucd?mA^C276_Eeta5v31~grLS{doRhPqD!BC!GzFyD#Sc}9{zy)4blpzGpWpoSdDCH@K;6BDP< z@3F`Nd@!m|o2ZHDd5z^P;nAySqd$ZK9K=$-1)CPycX|9^{HFyAN`+T2F)ZlZ0tvlk zfC`L7TKI7RL7T?>Zl?tE+?|${i(AHD|Ko8Q{_S{vZcH<1;{^mvHi_y({ z`y;kXNE_2Iw7d-AauGcX<*t@K7)c~}D(&(#cx8p@N7dWgLEIQ);CvF&%GdnfBAs_; z>+9TZHE&0YcR88ky>UbfjtmPX)%u)q!OD`emc#}GY~XIooX9WL;s?J}O@eEq|EPL< z|3i^RhaXStgukU=UU9vwW0K9hEa}<561U~h4F)OV4c-Yt_{vEvgcgDU@@hPYEzpYe4|y$XZE3ZaYeBxnCY9k-fO7-C^Fogy zaGX~~U{;s(03oTWXApW-B{$;dzW)uTdy7HvE6i@{)ho>CfpICAHl7k$Uq4+Exxm>| zxbdQga&Tq-$0G0r;law6l%GAe->Hc_mIjdHBhmg1Q1@_#S#ikA0_{wD_NzBD<(pTT!AFO>Pd9p?i>Ku{qdCuv_(ak@ z{q2E?E7dJo0W{)2Vo03olaN2j^#nZi*YI|q1W~}$f^VL+d~VjtJ8-r)Ec91A=H_Lj zy2S6fJGiwsb2Ud(Q<&#g5)3oiv6DAZTD35~$YXZM@-Gt_nYbPV-&y3Y zk1f`@j=ZTYyV;cWzy8psMsd)Kn|9+Je03okmMyT7M$2=3916^z8~sZ)nn>KX54dJ7 zVG6fpS4l-B>@c7ZJY_`FO}I zr`nbKMSb7{>Kjysz+urk*c{rl&hBW>H@CFgfKrLZB%646GYeI z%{N@Yu%)5FRYD~{IXPM3)vIuJJAC(h|NGLo=YUKBNIJw_#Gvy1iI)#Y+BU;YAFyOS zbZ`I#?#=S|s6w;t6$qf-zXCEoU(5^rC&vn(ddG~uY>DsbJdF!=^B?r+=m(7^Se*aE)32 zDc=Cg#feu)t$JH{{4IL)qqcVtFr5)x<~q|JkK_~j7i(I!k$;aD)N(7cV3wYK%ioxP z2tf94SSk|{Ko2`H-e~?&&3PVa?#l6c=SRlXatd@C%Hu}j=wxVGFD$Eq+yH(NNW}`;u%*;y zP%w%QyaSTug#$G~cK`@DoROz`nhC%hk}N#szWjg8A>H1ZTSW#k-USb8VzUOKHdbOK z?Ksj|*RLD)^~}rx`=FOXB(khI>E?z3G+O>6AzJUJX)sKJUvd z7BDgb%({<5PgEZ_V(!kq;hKsE8w?EE*s#TTy)$8ADwl#rNzo8YD}c)AQBp|&o|=zp zvHJLLS^5g8(a>O~lei`zf|=fgTY4yZLhjByvE@s(RWZ^vroFVn@HD_6PIRV4onPIJT)4TB9B zeC>dKHly8CXaR+D{UL{&)RlO|T2CE+|6yquq=okxPEdYT?zh+c4&i@f`w;{V#2 z3@!N7Mq(ghC^e&@BDq%Cp5!bCcrD*VrdL1T$J2#T32b=OXXFXNzlVv_0H@kT4@E!p zx;1u>DT5q$_ zV(3dXiR=fNFYnPu3eZ<1xkQaju`<1-X@Uj9}c=%x!<@cORIEL z8!OZXx3v|*L%0meJfFnC>+W%rg1qg4PBf6%YLNw~h~GrS=&T0F@$Z#L3=Rt+l9!C% zRjL#DS1+V}!(ZO{YicMX81&dZ0lRJP)yxM;hi1cmpIQNAu|nV}& z-qS+sl~R$Hh3&!ehn=2RezE4=3yBtI5yy55z~WkJZ`s9(qDUz*oyE!=uLtRa_<Z6jNI z-b(XY$N%qOX6@g^rxZnu%f~MYH%agx)%|jZWfZJ`NZeE5RX2a#QbzVq4M!-@KUcwd9>Z-(|@ 
zK06`(nGI2^VEy&)DP~AOUweDI1ww%(-H2%u)t+6ROB=KoIU~f&&c_hvABl&7`-*;H z6!E4xHMyvO8cz4R_6MGFumkL%Xa&3dLpATD)iagFvYyVT$%G(>r;nL_#=$-+vu4@G zL!FFHmRhIXZw(0@%>SksuO_x#L2aB$OwnjOE6XuR7;+r$tVK;V8IEh8D4OKKpOn

`)S`mb39w@)$3JyA=ZcD*Zi#J#K|N|6f6k7(9hLM~hZJKX$imr1r{B z<_OH>BJgYw8W|5aecdebOK_svx;~lNpXcH^v7CZJo73-8&ev3#>)J}%Y>`S~7%um$ zh99%3=LGtC&{3AupcyQk7rjjD()LT@Bmv+0B7a{lXju`kq0|&(aWDYpTI>8p#`zDf zpj7S~nzr_r^9p-IYxKa*KJnstV%D7)fMGf@)uC@aE z2tqL0;|W$L+;skziJ#*P8|>-((ocyK>RkrW^w(=`uOUYp$5o#tH^*`rjT$|Jc*1XC z!JQcdK=Zk#hD|Of9?$3QZ#1FuU&gc^1?`bh>tgL}sXvjtZd@?;7`l{-a`A5BCM5u? ze6tUH`fw&P!Uu0}(|toNun;ij)3r=Du;C96m=1BSO^U+~e(ASx-xmkKt>6QQDnkzQ zJZ(pH&4Jm*Cu4mWwfSGkkLJHXTl(wO=B?b=!JQv0uDURE7(+Ura|)F%>W-a9;R_cp zmJRW%d)q=R;HlS`>FQjfnvOWYG?l0huq z3-wQ8BEIy}aTG(Cc5aYSamkA)FabkW%T_vOXASLG0B*MbiInzDy~;Q`Y>o@csly%i zX+%DB!jQ!U zsg`6|)8&CU8#%g73d0Jp)4Na<~2$WIS1RSf+Kur=U|Aa-^M zrel!}C6X)S#=aGG;XuW0^#8eB{ycW--c1s32LrHH9->vK_JV|$z46*|XN!5s+hH(a z-28OM_?;CWGLU(tih%h=fUM)!HBu^rE+>M;FZQpOf|w&E;#YJhU4v%UskHZ#*}qc( zTscG1-SAl{lp9p`?C5(zBl5 z2MdG}&ftC+4c+(9s1GfS`%mXA?I~#mx=*1ZHlVUJnBm=r*ku^ z@kzG>D6M$6B>$R*cG|5t6Rm>J39Q_`E;+JL;Wc8W+#3;v0Iw0iIhC4;1z}@j`jLWw z`??d?w5f851?0dMX9%pVky-0S)cz|^Q+mf^-lxvPj8O<#V-M*)_Jc?9@bN(b*C|jZ zY#O@th%ofFNh?IhS>E^TwpVsKNc+Oci7u0{H2QP75NQBVeYoV8=+x{e+2-VJqW?*W z-3n-2^^6wr&&IWaNewR8G?~C8e$@n#&K|qX@Epg?=?(_qH%#dnT{s+QCK_Q?%S0;C z3Eyp@TnruG5{O!n%3Wu2{xDV<0!BJ_p^J{_)zoPxxQEK z8~=t_Pe0?6MFmAj%~9~B?jm}>0`+EZ0>Y~;1=Bnb*tlU;265YVmkz%Bq@hRt5^|^4 zcfJ6XnM~ibVAQ(w2Ac*5Tf94jCIi+?Kp&Qq<_~qCDi#i7MImSGm ziQG({iPwVW{I6;F`wH!fR^<^Q}|}cMh|~C=8yCJ=-A3`asJ5Y`Vg)YnMYS zQZFsiR zddyD9GSSq}zbPx`$~*I+-zD(i+xX7|um19BCAmsIARKe$avUPn5^Lr<#3ni#HP51rP z5Dn5NV|kaqm8U&v0)*il=_iiDM1cH2%2e0gH2L=P8+E-s^%C($-`PLl>5XZCInm&S zEXoL85FSuo&{Kp&H+Wwy9Un*7!qZ6pct1z!Rm;PCv=i*S+O&z=p!|?47grYc zC*@KZw$+`qf5z>fv#vqShGzAJ_PE}^7hq|0@!)Gb9!ei!SpMBeZ9oWxJl!- zW9(fe7g(xu+SSc@f?y3S?ew2dMe5RuYwg4gkiA&#Rj;w(V`FYK&a>!LcAjsF4HYz? 
zKQq6kI6JD2k1g)>z3tLuK;IZLTll#9y}FUr)@l}rgiSGh6({11i#!@Q9rL;Gu+yPi zF5O7iFFa+>=V!Ud4faT*OfX3Ix~Y*gO|RQjC23d;}QX~|DW}^+yoP@7w9(DI7X}ExtXbfCs_~NKlEQ~TYc_sdwHrh z1^d8&vJnQxu(3L$!aQ4spwz?-nd`UTNh+G<-mjIh1`H-XjMqsG0#Xew@#8}1L3W%?Hfy{eKNk?*i6|-Nlc9~)!42+ThCL=S=`mR0lR5JAIZUdT9Mr0_jsVXU= zTo)$kEAYILEbBM0@n&_XFj?Z512(86hz)?-Pa)9;+*g>8YcAISC&{9NNZ?wY-(pM# zDsM8a1UKb-m5St2_@wL)<|Py_#P^$#Q9yGwg9V_!Gx@Fl-e=pw{vN}J3iGiYOb!e zD0nz@@Cm?UgT&cAC{G|Zu#D#?q)(o5l6<-yf$KD$A6O`(UR8NUn8K>vGLIxfvnCQH zNteeMr7<556dHvN2a_soObGjkZK(;f$Q$oJnl5GS*#Z0=DMAKKRpq~o5)>A$D43ji z#JGt(u@t0x555ko_Wa$MNB(zVn=n$pdO_iYPqZ zT3g!}i7!W3xXl&<>pQCgwx)1o=ln+2#jU`T(wVHD!Q4-a@R(?y1gDw)AlzJ2lvbIt zIXr7uFEhYCv%h*;`6yrMEabGSb-P{=uZgjC_a{a1(@z-7UHb zjXqNIFfO>B&YsF-8X}@?15AZ+XS251!uL&WfH{@r#nlKxglKScIqb^`pi97-Jf~+V z4(x=MPU<4A0O!bT88Gt!_}25!v9V=PZW>3Fl``gM#zf@$PyJi&8|v8s7WRin;$H!! z(AA)_(>AZBnTw$2J;o(y!&K{c;ehz)Gy0wG*GaDEHRvo#Qq1u!?=po=q

e4cl@P;;{Fr+TD!3-TBrx6i0ARBF$A z7ERIVAcKB?H)(SG^YW#7y*{z!{AdTu0wKAFd%Nt>h_B-G8I>c)Vf5O+h{9ASocWJY zOh>NXu`6Bc%dn7=bk>>4=EFwp#c}(viZ*^BHmL7n%wc6ids%?h%P8?q3 zmH&K5a;5CPSl9$5io%Mx`0)ZNbm58;c4P4S(oNLp>l<$S3i;?s#QGKL`kUV;x<9pS z|3n3P0x?HNYhm`|RF||C3AbN?Y?9o16?AN2g__NC>q3XAvcM9%^ID&+XY(uFrjL6c z=$X6gWxtPQ&O5|Tqcdep%H`w)t#ZWdZ;s>{i*L)m$%TE8@p`` zGxKYklizj%&|N2>%RN1mc_?kT9j9kA$!ZebYlm=}bjCqGYQkUg^T=Ls(AjV}lWx

F8Oh9n5GL9&I|e3R`hAWTu7gOaM$aAx@SMiD)v zZ>5mFZB)#Sxt}SoC5d9!gJ^q08T0|xtX%v6n#Kg2IT(KIf3|~=`6$4=Gi3+!#A9%^ zIN4N0gYelu<1yV14sBry=z`%GyuuqfX#gyAd zN-N!eaQ80Z=zeQu=NE?)Km1yNq!fphJ}Ez?PR07B^Qpdq`J)XnL&2n{%BVl!n&C7z zS|>t>8JEC&3r7XA{_ZXeFg!b9uC)P0~X4zQjT=tyO5citOoNq^g8Cl;r(BCI6%R zlxGuqN&wL1%1~vZSnAz;f?qdc*5HXl%h!P^hYru7mt zwakGh!wc3maX2k;bIdnGfPyM3L~grKMJiSHSGCK+d{k_!4>S~2!w(ntR$P%V6sKjdVMNnT3p^(0wt^`B{&LM?5yvPiT5wvANwZE@43 zFIS?1W4RqtW?PVWhFYf5szgUys?rQCrpwG-n<&XU(c?y9?@hPp|7u9s>@AZ^^dGy| zE;Xq8>R(v5RQ?Qw@{c@lUj{EdBy73&KCigxY+44jO1arAfpI9Zbr92_>m$EiT++F&M`2gE+bB4vP*5}9n1US)n@h4Z<9=Y4X3-Rw_Bwz zQfSP*G`@6Qa7S$L(qWVb0Rz&vY@M>Jkz|pT;=t)gqWMBY|5*#?u`0 z>TZpJOxW_kA|kUxwJ2Kxl;b1Rexv0j$szWV)Ar5NPk;J){Ixngxb}BlWKfOPXMW~D zxfIG)0eWNjB-seQ0vIoLS@^3uRBtR=DeDAh4?AP#Hm zN1>3%7j2?*cQuDSd%XYFmO}l9t8Yt_nV0ie1QeNdRCT zO}a4L1PeyL4lT2xyUE+yE97c2Kx@PC*_q+axU+SG#N?Wnto9$TWYz^#J1q=hZkNoe zI62II`|@fO?YE%hsCFuNt}YM&Gb&8M;tFXW>>LV8pWK_SzHam^E*kQ3^D9YWIhM5t z5-M3k!E7qAZ}m+Al)uQ_y6t~R?0HkZS z{9lP#lMDRqP^CWCRxR>+3XZrpob?Rbgo?az+`wIgyGDted?PC|Q29*(XrEB>(uZR8 zB)&a>(5BHK32deA39@?}v2p?%aBG4^(AAl@Ss3?DV&dp^Qs#wDv~ z;6s1oISa0Ua54lc0JMn03k8VwH!?To$TN9!R>8esAK%Bmm zMJzl2z|N3aeDa6^&&jd`{;V1l!nYGt|@@dXH{&cH9QY*U2)FHYG*@M}Niciudm4r;Igt_J~`YGIsA&?hmM z?EU5b%gUB1?2g(FB^iNC2)??b1At8oRK0le^G~^p7A5a5OI`wG=O_LL5i|?eo@XDA zp!=~B%R{SC19a+%+C9wBeX#0AE*7ycaNE5}V+Kb2MwGd_w64@#HM01~Hj7J*wQYecADV`|+`;0=at zY&5KJ04N&a(?X!Ky_}X4mH?rx|Y!P#@gpDWuse*b6wSv>?8l)!o$!&&vr;Hvqm9W;Qlqd`w-HHge^1GPzo*k>v;x&!zW z=zUADa-u8VAOqB#w#KQOYy>a}G~Elvs4Lq$0#)##1nyh>VBG=Qkd@>x62>nn(Mi9- zcepuQ3F!}(&s%~>$0?OSlam&~#C`^1>(+|RsuE?=#2xl+E@tn9RmrLdZ$0s9mZKIo zB-c{pukA@XYbAWU9_+R&h%b4lAza_bSO1H@lb*yX%R)~&Yy%qfLWv1=YG$9401t02 zD4s`+JYj69j7{Wrb?d`s-%x1k9T^CoK$70ogK>IPl+u(_RUXdmSu?a_1 zkm>CMJ{xc2S^crnNq)ZS}4D8}wF|3{fj?6>tFq|icI zo_58jj`;8ORL_{fbMh>Tkcf8=CeOBukz&&)q@+JBB~B@1X0r$8Vqv`hWYCaNk^eU6)(1v2X(W7Q zz}E`Fk!aBBlrXCkTq4Y1r=uO5M?H{#Omr8SR2Rgl(AS;2WW?DnIzRcEneWlnd)?3N z4dFwO(lH~s?&3e=VUP;f^qW22@%?9^;a>qRy{Wbh?Z|NB%5CCe+ZOs*s^t%RSY#vS 
zo9;BJ16Y;SWly{%c&8D&n@T771uJ9eXf1emqI;x|XLnG2r_$m41ocCIk;kRsbH}{Y zDI;ML{Y>Y_a8Voq?Nn;@5Ry$mL6dgW|*sDW}a*_ie+2gn|?4p8up5grxvzy;gQ}-uMI|B zuK3|&Xo@o79`Z96z1*Iysv%>u+o>a9v*mjh8MFBX!{aY-+v{4c%_#it)i0Eoa`xBCwG@MJ2b(H#&V-XnrX2Or7spmn&Pe#;PhJ;cHsHhz%Vz_ugo|Eb`RNr6j8 z?hL(c{4tRCx?QlaN3_%j@Uqrr=`PfIPS9jUK?4Ot~tlHu-ixvqKl3R%uX1C-Bbjx7R{B-h#iF`h<2VR*=y)@iyyxyFGsayJ$s;jK<7(4oJE^|2tF{AtwX6pL$LKA< zc5U@C5xkboV@dW%D+7~y!#?&Qv~l{PFr9QvXeD}z)pF|*?4m@vn7ttQCGFd_+un(b z(Qn1xPH9Q)uC{TN!Kqiy_sbZEi4btW2?@O9=T4NyjYCN!3YBk+MSd`B*&ZcPQ50SpxzU&$i&AZ$V~7a*ew+x(@JlBjXVgUsz`t` zNr;=&hbZ&gnQ(sIoN;ON9KG~0k`tIKwN^pOXU}>S5FS^3MAM*dbTxY>>sQ}{>>?84 zs-oazrL7N(FM4MJp7N4nZugRKPRs4_ChR-?JbSKg{KEd?>kgExR+g-Jb*`ywfbcl| zuwS&@holvlvUG0G`QX~@%&|nXY9`EQi~qemIvm zAN+6Z+_G!4qv#f>tn%{<__saGS}bRQ;%7}MDB{JLX}^;I(cl{}Zkm7W)J4~WeaGm^ zHCY>uv>Hy=VuWm$=PUz8YRhe7`|c^x1jC?SfH`W zy+ZCOXxx)JQWd{dnKs@J;41qQ)gnC+!NWJfkUM6f%IMwN$vo$je}OM;KdzpUG6 z_1Hb4AE^J5)h4yyh}|>p&!uw7LI7TY4>SM5+-%m>Sp1;E} z{MKBJgZ@P2cITMQr&`S@@@3mZEka|_8wx`t{=3BDA_Su%Vg#mAzHd$Oxf^3mzOI~; zEX@JTmk)l1*lOxQOZRVf7Y|X96AWQp_3~=pv-9v|j6blD-kA4IpYTloB=7|M>v~9s zh+NQias7P5;eb>?*II~&-@|#Jrq{LUqCtdIY}Y(i!OW~m4w8hFSz6#Z#3r2vsL%!G zdV$OszL9lC@xY;M43seUN9IduZYT6k6(5WPgO7z(E9RB&b^nm67LyiKPc(5?s~%Dy z^ojcd&i9cZ@4-VR7Yq_s_edIUvwb}qJ{$NE`yG5!?5+5`L=qscs$P6gSVw2~Wf-F4 zds&MZMcixm1)5zy45hQF0<#M_RrVZ0WD7d*v(%HH8p;B*9S)`{!bG>&?gmoltqRYg zx)?KL^YlGzz$WX8^|>N4O`;s8YrKEW)?fTN%VADvF;O9^+yvm)07U@0ko}w|)8R>=P$#Jc2)->42vMo|u9cqX8O2-o9S3~lOD?NG zD1I8?R63tU&13=il0wUJXvG|p>0J-s={hDQfg?B)U8Q#6I?gpc@ZCrw*-Apx;{LuO zX}ulHCs&@G-nk-k2FOqEX-rI0yk^PUi(V#10?e#^&_Z9jwF2+))>t2J-Q>5mkM^eA z*Q?g6^_?V74d3syBWVxl#-cO1`gY%ul3msg%K1MSaNn#b+9ZeuTs@a|E2+0DOgQE)R0mHP}Yh)Pk<8Pa}Z)P<;I3Y_u<>kIzFj~QnQanA(6`u!Z z(O>SlHl2Oe(RKr7K4_YaP&fD;Z4B>SVv*h<1B6Q|5BD{M`&ZYIz-$eN{>oVjb-v+m zahX5vU;tO|dUd|WcDts_v+Zh$xOalrGdISFeSPDxK9w;Vre&hnwM4xl zeN=x;@$BMt142(lkLX70pzPU3)?UB({97<3aTwI6sCM0*kRM)h?Nk2{9VGuCE|+yE z4F}&-?aCwQHnl5cw?W@y&j|bG$xUDnk{S=XPH7yUC-y6=|D(4sFeiuehV+X6VSlyr 
zFV2iQx2AJJm|4&8z@s*eqKorGj)B7U2fr!JCaeFW#rf=yAYcs3eVWsgo9-{DujBDE z6$`78B0r$dMBw{eMzCLtwsv{zOX`QtPf4T72-%JnO zXm3{X3YEVy-2i;)4*s1Fo!pDb0f`0dAC^_SJ>{u@&<7BdmhPwSf^c zBN6NxyDk(f znl0sDO{4xgW8|N|@_3Xoo~(G2&Vke^`420&TLi5(3^nb_F_ihQepH3;^#q(Voq}6w zBRKdv*uE3L7kOKW=sZ^c`##J@a<{`t89e|=ne zjc_EURZ#|U;j;j6AGk~B`!v_0J>|cA5npFsgRq&LPdeT--~gzEI4~GXDIT+3T!>-u z{MR?vP#BQ)PlRbzkyP4}H*?Sb`B@9^0k?v~z@ckz{! zoLcT0wtr2C{`M6e8sM(UEjr8@sk(8Kl2gt(WLyrpxv3{r`^;AO`64M7$9EYk2&} z=>h-Ug)+JiEUD4D&+{MulXw61J-HOXeWl64`LyHizdle5Sb_f<4)<>iBm@3G`6;kb z#S_vVQ0e?z7x4dYfd9V%{-2BhCxPg_nX1X9*&=2!}rRDzSq!Kl>4{hJ(Ls`;oB2lJ%dz@&Ep-jmC}lV7kM)G!d2KU-emQO)?OUs8e&JDq0CH z+bEh3d%O2?*PN$l{@GXm-=Cn}=w~4flmQrhOpdeTKP& zm3bnZ$th#i^IzQxynm!$>PSF0f7ntn&5M=);|31d4et|wD`?CVGO-g5M9sWma5dZ2X4r(O&3u7oHaEw}^_V_j=K|uGgdrt=TM(_ z=d_s_hJWzKqSX=$3^}}uOj6Jyq|CBBhW!#7fg*puXhFaDACvKan0OW_U|t>2aDF)W zs&=E5kX;)l9bxjRW0?{f#xnm!)PZCDwT53Fot;_ANDhbHK$_Q?495F|+?5f)7MWCj zqgzaEXLvumvAJq@W-V4~W|EQE?@H#OewE`EQsfg-KKL2$Ohpo}aaA{EoGfdl!`QD? zyStbB*1vo%Cx2Elm|m9e#6^5?G%V|WUj7=j-k&|oHpdPLy1AsUVX-ybR?q(G*!ZLE zD2`z2=PZ@jr-`$MYpPWq9N0BQrLr|G3&MzuhF80i5fKs;cA>Mi?&=>{LmTX#r`;CX z2%+NEf0_r8QlE$WEPszv4COiM_h~WOs$h28JGu(e3U(V*0!FebjRsf0^R| z_r!0B)n_XOu`|M`DVi--XmsCQlR8S9r5q1M!X*8m`uBIng@}KNS$T!Ti@(s5CrkVtdszx@@>t38~VMHH=xjt*7NUrAUUZQvA*-j4-pS~$a zW`iMgPPh6J`IE49Z!5z+6%)2|5QKxa6^hcJuJV~QL|n|5$^G=1uRZ;0MFoc0N5uN- z5nZs)j==DPR~%c%`#;CZ0^gAKc=yM-uRe}Wc1(1tGZhRhGZlPNmga7@(@wcx-P>Q? 
zS)X9l5vkTt=a~)A6<-v*9tJ0AZfOvg0>UTUdZQGf91aM2M{Q0iZA~Tm9@{Nk;;PYl z*&)Mw;*J*Kaw$!ZVUQ(d`k_=|58t$7q1F%#9?{3=)}6lL-z-}#6>*>TP;kKQiIk|n zKhJ~h%+>3gfzkH0r@8cO{M`(Hx8#pm7;%6glSG2}^rqf#IdHK18-HWP%*0S@wp*4a z6&ro3YNbDnh+a#L4EbHH*hbWn_9A25;H}A(`bOR4>H73b9%F?kN0G!791~|lnTjte zeGA!(Wxp=eyKAlWdda*8tF22dac4gvLrx(e-FbwvpMKuwIe-(yC>f7B+d~@8f1ca^ zl#m@dl{J1SGClBo&T>ZsxA~Z2&B+~GKV&K4cvId`)0aa( zcE>G|&|8&L2ukCOmE4_cME2DXP&$oC6$a3lvq5Pxw5ETtL6gJ=Qr!6KHOP<%YTh+h z>QC{9qQuMTdds>J9Olk~%-J8ywfuW#mYjRO@He^qSP2${c=gSo!CF%{M(&*DQ113dYD?ZdyBup%tX452@$qb0~V4B>&d*}kD$Slw#=(d2* zmWa<`p|=wEQo6sM^67G4u_Mj5>4euWzUXPs)OsY{<Ak>5}wvoC-nOrOpK;CDk4HqKAH7J_RzyJ$e`@$ zHnQJR5mFaRi1FFZ_!${g4XvvCQ;JcA0+M`P10pXLdmI>x8sP$6y8ndxa?5 zxht^D5}$d)yB6PrPY=Ez@@x4IZ2GuVxbzawO_@LJ1Qop@y=r{wh4IlWD>QqEjZH3k ztx3j@rGu>CpvqDabL&}#>@zuS*{_$P8vJwKHot5?#6!KGNt4`F^l2D0_HqXuGSLga zsaX}KI$#xTX!1f%v4s*+0VCqlVZT{mUbgif6Gb@H^v-z^#LKn*8$NY|pIm3ucPiRt z55=5k*)@%4?Zu_uoZ!7Ea-3@4TMpq#np}|vNl8_aUogy++ZEsCGEps?e(S$n-Pkva zH+`OA4}4Ji#$a1Jv#9#tZHDF^9^k1-uHU4X2U)9rnV)T%I{qT_eDffB)BQ#LeyW&{ zLVLV%R<8Ht<6)0MX$}eZ)%bu5yq>bPzJ`XE#a{Vuw&PguNkZIyS`whW6a1KR;JE`RD!qY1kHvclG+~_XX@No1PJ*BgR{@X~#ZK zZ7kL0vsmF?MHht$r%YF{yfnXn-Fx1=B%b@>8YPZxO*5K^@-FU`DdxlekPAE#wc-KZ z>~-R#p5C$T>`_90+YADvt#}aaglQox)p){5icPbXYc zj-2xjC2q6-YO`|^AvCYMF#1M)dfjy3l&D*bLJPX~3Fv=4mKe?CB8Hod92o=H;imfZA_>K z+EmfpmB}J7d?ZwGG1R&Ye3YUq_u=u%~h0|W~z;s4!robceTJ)Fvxz+E!7nT># zeKs!=+-DGjPdkpI)?CqPx!gOGdnJ{uFkIBp)HmLwAHRIsb=&*Az3qzgjdmlww6DB5 zQhz|bn?rP+2yswHbP4_EhJFJ1@H)g>pYu-rwK6NaE(EoTL0+0LNcDNH_9Z2nmu8pP@?F_iT#qMAHMm+zeOJh$X|6JMj)ur*?_W4%^ zfgl;oX%2GEZ&aAbrjKrxa>tBK#x%6hlCUNxQ@}1H2NEyWj zJA*dd7uE9C5V=iER;p(8!e!#UjPT1{;po53|Jm8&f6Bx2@v2GcuZpGGFNct?VAypn zaoU5kKE=F{Xe6zfgw1TsUB`wIV%YwKg=oeL4s}&P|1fnCf(1=7z9Wlk+&k(*G~QRuJB*~_exs-f;%21x8NsnX4`NC$ux#Notq%=hGWkOR zk>S%x=M`wg!Jj1(NT%J!Gu^Snr!%()7uNdJGU%Pital0WZW_{dUmLKkhsjvI=egJ1 z_eC^nXD;xWnSV*b@A_k|Q`<2>!_|d#Z^n@%VU}eL{}p)8c^Dk+ES~h^eli95$~)J^+0WojuVTG*|vB=DLaj4Q77wk<<^DHT4$ei{bb0;Y9rQZQM_r 
zeYSQMKXq^K>@3yA398a|ZwY<6d^p%^j6^2@g+NF_KAUgAt+NJtcb*>qg$|nbnQE7e zS%;g-d@OgRgl9+c~P zcYyH3No&=1J^`cJdN(q4w9-7oWe_foEUc<)20 zVw_IT+79+7**@+Lnbq2(X525zo>y^Cvl*6871>|NOUqn2u1|d%gr#}X8^i_+=T0Mr z$PZ;vU-+R({WgapF!49$Omt<{@SUU`p|4w`?$1m2GrZ@;J_;<()1Y3qkM`SlRM5Np zaIP*`lH8RYTUZY`k2uiO{0j2IxgqCgDkIY2 zMTSpPfdR;SVS-~>OfE&Zk8mK=`1Nj`=SZ2SlvKX=AkFHTLvc*`WH70BwLGAi_|AGZ z`#bUX%3FG;;h%*C#!d5K>2rs@{i72=GG2D2y112J^jY70YpvgX@CYC~wiCXrPXV5g z_GG%ZGMB#KDw?v)ToHNn!8QgJt4+YQF=dmyh2xe{HEci^E-cLd58pH2#zS z%-Xf)EAZSWl-;P&^YAI@yKtY%Ns83VIP+Ulpc8lvHPvlXllc|5Ue%kLviu(Gm3x{s zR^^Np`%EV5{lBh zlu!ahK$=Ps1f&Q`FDBFwAV5SwIuQbdmLR=`5PA*wF#mh!H*>SN*Vs=5?jY(-QVfRHGaz!=-`V2Qb)}swgwLy>yTOk`<0i zzgFMUDzBydB2;`%?a;=X-84m!KicqHZv!>;-Gv0V>HY)19KYzLnGlT`8!BE&BiF+w z$AKVJ{$fD31~s=|?nw@kL7NE{1|HhzwZGZjS{W77Oe%?|(S#*++nNq*KNre2Y<}he zmk0b6pJ%?kWpiOKIP4Cb458!j{q;N4>E+MVU$#dlAe9E47xkL-jpaA{pUp&Y!zvr^ zfl|_e+gRI5D{19ib05W(rqLoQ%QJ`-931G4_;)koaMPL2l7>6m&dY}uD2RyPH>fl! zm5F05xbUKMM~rlReOdoELv4*@L6;CoOq;tn!QjE-_KIoVj{!fTzi8!GR*4&X&$lCT zRl*p`19q`%{o>fLH`cX~gNVxP3L2~Q&w#T(E`KAV}Ed;o^z#_wVGFs0=?uYuuz9+ghdE7Df zY?CRrQzwY|cNRjaiRW$JhUqtZa+WH~gAP(5zvOWNK(g>KhK9m`lE0b89936_{uJQ< zC1<+reD-Cl1=G!8FZ#)aMhD4CGT;DFJe8-LatT^DTM|SaJG$@eZcJW~Gaa)!IW;ql zA2)1=9`23uRELj-GX+?5d=zz2wHy&C44+-8QIdMIbzF{LX6w+r_;RYKb^#FQK0|st zkLwf>Oa>tN2Ti(4?Oz&IUH&r6d`x|*?#P1WX6Wyzf}0SnRJ)z<2ytwOk;|DUq4lgk z-*22mZoR&CpuQ-st2EyK;<&c2QWZcCG@jZUc0}&^<$%Eg{ryjbcO5Qi7qji99Vsj` zFY;~PBS<~tXvUG|>sKx3_NUF(FXvzt;MAob9j;1^cd_@k6LxD@=}NT2@NH*2Ab z2=jWApJ@yMnQ6O--ApT4(gPS*?cwU%Kkt1Hfig(mgd@peC?^HPPw4KG)%mR(qF`&!f=>#lsV#+v85E_aM_lnKgNxN}v<=NMX=Z>yNV`zWhk5Qyyq- z$vPs~M1xRdG|~YX)@GA);SM^8mS3B_y)aypD^ckE*=J`|s~X|{^%?Ns@S12l;s=%d z+2ls7cT#){WBb-;G#@NuEUy!@+&8h{W8MB%>4qC3y^6#9(YMHaD^?KH@l%f^C_vI- z@CPx}$J<^2PIh*%yL!+4zAN0g^{lj;KY9#CCb+Wg?={6Lr7T7=k4^yPBcBdFhL@3> z^RjHf8z!pdr>i&({}JRD%z`}l(dc`Jgqi+lI(G)>nbnXlThEE|WD%08&`Vs<@x?&= z=ol8U8|vG*-RsQSv*33tJsW(-#~wcjx3vI=Nr8$KM?|*dy&rju`+NxT4SEdw-g5Ol zq<&rnxvrRc?tFpYpqCY#?JTlyV!f4^?^^%S8Sip^XYq%)3Gxa0)22~Fzvb_jx>Vf; 
za9uNEmbq+4RbIcDvFL3z53x7f1f`>eudKG`>E(K3jzyuXcKr5#Mr} zvSu_U(8Ox zPc&)Nd)Yek*+`%_9WJcQiTZ1-lsD9w1>21?A}wx}NIE%(b;=?g_w1sSKFyRA%#Pc> z5SrBfBwX4_&Lx=6;7DId9@}ih0~qfoeaFptL*Q@uXQPzSe~dJ}N^7wdvKiS`JVi zJL_R}@vpGnr1-!uyG$K+J*|?5UFZ@`qY_Q)Bk^03ip+!{zlVRskmIibl^qwHPZN_6 z!R6O4`Zdu*Bk7hy1X8%Zc9V1X_SmVs$xc!%f2A$sUf6Oaz6t9ONW8WEv=kvOeAx%%2E($zN*5)tFos+y7ACH}&0JW@@S3LxTU^6)CI9=E~*S%O4+> zw_6~^l3Z=5N%avGX+8F_VXI!J7OpgVl8qET4vXiH-u@Wg=T?gh*C{95rbDL;F6^b` zWNJ6MCmq#a5sl1WdgMrbJ+M^La09T4)PVaj-OZ;dl|swn{FjQgL(u?KtyU_V2ENyo z`B8pd?|k#9Lx!YxjDl0hS4+HzOTr_N%O+T1`QsHkjZj~}1(Z@padb{>y8XsVU}3wc zsI`Ih;o{=R(dVusCe3JUQz>2hgFhpfCjd%^@>h+hJ@Vv}ai6_6w{{<8qK>OusW=I* z)z@);vXdv3O$xPylfs-tZw_SniPvnepqH;vd59sgb8kS5JHl(-sfsPdzo*El+R~8r z7WQEc`;q$jnz;;4J!7#kN=~Z;dovEPUn!Jfcr@DJ6w4I&^_^MZE56;m{lvbBn(gU= zl%N4WI}J=e`A*^|kB)V6^oMPMp2U1PsSo?)Z%(y&V5ekZUk$~}BU2{?%`3kUh-(8* zHmlRIHWNO=?{gP~`n>i(Nxo~a{qWXCvn|rR3@nl{?+HVZ_wTy?c)-bndu?u! z;BNn>#F@NC5qR8=9(L$k$hY~#+I-rWi|p|3hnzsb@^}+ zl!CCj2N)js@?`icSrNPF%8dwHGZu2ptoFmE5NZ{KAnPz(`}wm((1x0zfsoYcrKG3} zd+ICuqIxV?@9l5<+HErP7cE%C_(r{HsYbA{`lzW#5uk}ZVe4JhTc;@p@vkD9XeeHV zw}w5`077IY%R94EbbU9@dtYkUt@dkl$&3`Z{O1LsTlroq{7M<7X0=^V!_Jg&M0}5O zoexnQn--O@d?%2)Aa7dOKaMO8;z|;;5Z(CH{Rv8(udv*D?*LH%w{fQeYXmnJYv_E~ z?d7?DOge~;`H)6j&~xT>)`bKkjSycs$bkTS)Vq{z-|MAG;07T1N_;0)_XJV9_BKu^ z2VzG#P;VC(;{z&|8{1kGx&xHUxacNlOHk{jUu3XMzK0ETLr|vYBQ52J0&a>IS+P-z zc7s#03KZeF@07CqZ2aw5eacX%~Y(_v~qX610&4G}6 z%zkEZ_lM_sgnt}jS?KfbDMQgn_QI3Nh_+%eo7C zxjEp`LA?rp=WQg_Z$V}mNX~&RsE$ka{Pjca-z#@n>-J|`EoKmNd+q0Bgp4wcp6-qC zn4k4qi=J3(j9{GZ9YnP^kvQA282E>MC@2n|CpV&zpPaOxI{48^6miRMZMr;-wDtnF zdk~R$xz=gKl{w`vv-;{2_t+QL#|1>wlRr7-4=nu%dw96CcxVQI=W^=8T@D7t%@XV* zy+ZGS+LRrV*qw$_o3iy8@^i!N)`B7zBN-=mLknC_34$j1HUrrOBlF4Pff&9#nkE5J z308#D$VX@Cv9g_}ni0ud4D=f-2~4ktz5C(3u#@xgG{sApV*^@}xqIbI z1vg08C-6(f!ff3y%GF1gG=O=Nt6T>_Uyrx~Ck3I_+-WNg$bAQP72Jy1M(RB-V^GWim`%LkJiyWjQTx8V7myFQkfteeZJ14&XT(7p`sIM*b*)NrpT9sXx zZj@trLePu%^GT z-hf)wS&INK1*|JKiv%{|{gF^#(~r*37e~=+HHhk0kv4u>->iq*t|xlsYD zl6=@YAWm%MMZN;xu 
z!jCWQxC{vO3N?;AI=g>gN6bj7C*EXuwJJQCK(x8bFl3$eWx0lSGHUI&^l&co$?oi#k>pG_oZD37@*dFbFvxUh+6ls+n3 zSAp`$sIZ5-nG;}*?fKA_I9Cni$@hi}X^J*4+#%_&K)<|T2ZE-2k5@ zH3h~#;;FuRZv}^eFGW75Edo(`vWiC;bz4t33%zkO#0`=huEc#Jp+rCEDRc=a|e#@da_{02}_T;brKJD z*P;CFSKWCT;2rs2zgyx;iNHJMTqr+6XmpVk$wvnjW1}(<<9hbc#OvN)Q@Fd6lFj`@ zbe>~LVrKT&a{(r3uVI~T_<(RN=8~idEfdEzyG-vSCazy%YUjzmf6L{h`*e_5Uk#-; zd`uTC1}!8zxL@pI&2Y8+W7%-*Qb~tRviYP%_gVDZW#zgl3F81ZN{lYsFvh)Md1=3j zRAiX%WK`+50=@5HR5Ofu9?m%F@Or-`quz!nkU28d?^=pv$gcw4WuiW?h+KBp6S7@o zpwLhb67A$Fovyo>qRRK(VN_zNaw^K%<*}|l3)aQd0*RjeFsq>G+d5`iK@^vU`->_{DrUMc%3OIkBT|L)HV z4x`BobS-8Xkea|e)0Jt_@qwA0c^n$ZvD$f41W1#oWSv7i!x*L$&ThJW=wR#YK!Bk( zBL^ijQ*Ozc6qS6n2wK#Lknj4%l%hw)_zqPUj<)eMY9c$GPF$94(9(!>hm2jOs7$$C z0w}Gj<2|+^F)Yv21m2$$_`tS1t0V>R~i0k@s2nJ&wY>2OK;eo24zC@k(FzxEx29bydp$DE1}R2vmYA=OxU$9y1u=VNp9X8l;dE!H^T_)V>TahnZBJF))^V_^Gu zMaE+&(B`936g+ZH$(&RK@yRsm%DEMfaq<~ugTorm+Eu>wrS3lt%|G04cq!~yJGJ6P zJ}iGRQz8|R%Ul0@bANWUC2OMO|AcgCcegat(6<*&qg*2lXlCy ze947qdbr12nE;d*I0lp{$~BQ;rgQWylp44bT7XqJ{5Yn!X?wJMuL-D=cQK~#IjF%O zg*j1+rs-E{`FAir_A^-2ILS%K()^lRJ;kvt9!UAP>doV8))lMR7%X5jxp5>%gIZe= z)8V;}D5l8;9kailkTDJ9jWRH~_OnyV!@#o(N^!qtVd1$O>$goZ40_%g{i#e*Qv#|K zt7U+qd0Au$s`9kOri<>b&4McQmv7+1Op&HV9pViLVE{}AVHEb-nySzZfP<+$OAPZd z*&>kO`aAxeSUi9$v@lBUg!x~3W*Z;E25RT@O@+iJ%IBpRXg=}Tg1<+Y?L zVNr}$hX27GLA{*Ps}^M*x$;}hN6yGwpkezV{_ILi7Tscm!*)2wPdTsoNcs@#3f}ze z+1KmSUAz%>3&!1d@5C#l(GR4g)W(PwFI|-YkJ^gkyiK&ao{H}mEV$mzw_SCXM13>v ze!|Z@xv&X6>_%BHZZLa4sl3|<=fAJlqp2{ za@7e&AFR1=<8HazQIK(+ZS7hXfDv_;&5d2v~{B#>6 zrAG3!t_VDQccH9luhjt2X9bEjds#cym53XQm?dhqL%g9ABfK~l8`MgypE4Wx5on{< z5$FCcBSH!m`LLB6$n$m=m)w^9915P7pu-t4`&2r=i5By%;jf*1QjyyjyUb*)qJ{mo zOexGl?ETydn*zd$n`y1~#8pL)k4#q%f(b{}Pp>x{nDqzd`Dp3@NXBl#!mNSmMbGXg zc^h7JF-VbyiSO75na6JFOq)2ZXJa zyOLy0Y21H)i>-Ucq}UX{?{`TXE5sb}NByFjbg({X60C5~HQClb&%!4XUOUs{-@4l2 zdV3maxs=E|6$KWx&b<+1&!UC?fm_uWNOS!-r~R70VfN&W+V>D$)89j}JED<36~jLd zXfneHZ^H8`IWm;I0Mdj*zjx&k*qy)n1jw8K@VIT(poM4-@xipb(O>R8Ng}4p5`=NU ziprm#C^#jOKs?pRlff0sIOSj|2zj3GSRnc{{8Nmsbg-;vy+lsFNOgvec-k)vBm)*C 
zahf90yw-e_QFcN|LDPkU1^48gleZH-eue)u$2W~x098UxCK@)p?cd1opF$?*YAy5; zulZlW%8xfe4Cb|&nB=W$?FKcXsY$8IbvX^>Yc!M%Uz96>-{&&xw&Gf5C}+@G*@|AV zEeN384h_g-?<3HPJfNjkLl&(S2%+jnz2m&Pu(gQU#>2M2FKp+K=!qow=~IMT_%@u-J6)gZ}e@OQUfbGV(bliX+aJ1b6PohR#?Rn%w*u%+8HxR1!=@~GGhmb zYFWT^Rk5#|p=Mh`zX4D<$Q_sDu(lzRT5-Q4iiAKq4CqM|eEO6$W=D)-n2gS}ug!;% zeT{}43-gYr*;thezh{#3<&3&TfaS$VW2Gb^H1Cx4+#(<(sUgX8p4)@#7e8bSsbCpdW)hzFOz=`(oiae zdw|qxc=0)v8;KOIiQrnklD`-Sq+nkrkVgKUuY*HdENC9VnD9b=CedoA92)b!D#35f zl(^<7rxt6YzJRs(uCZTWLL{3{O@#RR-x8IWQxg50Co<-@pUfz|Je~m_ANoIRXQnPWti)NF4y+r`8H5GUrmvioy7ELYb`p#tN zy2S1L#`sjpqE<-zQn$MA@7Bzqc%PEP}zbS}1zyNQzu6_j25b^=C|cJfFs!E7gpjY0+rymHib9AY3-_cP}gc zFgS&q>UEEVU>0C*V6O?9JkFu2tVEF}Wc#!Hl*KnM>siKCnIRt@ffk|f_>~qDqE2F zo>QHJSCdv=Zl&4jX|;W@ZvQ)!0Bzf7j%fz?Ve+iq^yK8+4ahTk(K!UPng+QB4r7>c zVP7@^d*?3n$x+u+?sz5@F772(Yb4id2bM^q>!Sc(?&dNQhgF2D%?bG~$}-NuzKK;i zlsZor+%cbd_<5+>>eOgUxnUPBFY)E3UzT=pql3Xc7plg`z1{q;mI_?#8x@QxN*p%= zTi@tob{3c7;);R>tDJB`PYFI~mjx$}48Jt$?qgRsVxOyRSDRJ)*_QoGBaXiYdE9f7 z(x>`e9DLv!9(q5E9M7I*xrQ5!dMvcGV*_o^^ zrsIN}oYF|Vn3<)tOlCyy#y1bcx<84w?(ZEd9QmN^0l#=MsL$cr!j_~Rw}=bUO16&~ zngOCFl&;yZt`~76(H4jEdR4IGnCwq4N%A0PcBk>d8UpmH-JRKy^za0(_3Jbgz4hmP z*CLZsTe%%Zp;~-(up@%dLk4yR&hV&8^PGhdg`99BiT+8lhh*QHYi&4hRq9(n;+3>f zYX(`@+n1~%qjRn#H^gp}#_iBeU5Ua*S%w4KrL++1Y0r8u%y;^%td?N0jJ3d(I(iN8L|z1PiI*z4-EGxG?k zvVy>V@WY4PA8>Ja-;eourP$>;erZ(Nes>bjG&DUKbNB%8X`Io5VI z+_)1V*e;_3FGBa4*&SZF`JzEHXJG%?(TUKYh~7hoxO;cTp$BKwcje!2XuXwC$W|;q zn8V)wlN%u?7VseGdoZ(~(da__prM?vFt-JV^O)P#dt6?x2H1tpPj(5F+5Xws(YrPy zUT8f4CXY0%z+HSPq>hjppzPHhX21;#4B-5++%M-S0#?BabTJ*csqKyqm}lB;;yJgl zTgDaY*zm_Q@oV&S+4YG5r`{bI^T!5kmJjDGnT>Wye9c~8%M>gjYoY_#8efT>u-GU~K)|Je@B4r#s<^y9wmUQ7<(1RN6tO&oyh-dh6jM2jBXtdq@79 zIp#@d8DTAQ3f!PE1Nn6(cBC{}uo35MLIJ7HL&hdRzmhwr zDb~rr+Q3+)lGi!Hg;l!F4)(Qjzc_V|*DIZOR9I*U-}S8=?-0ay*N8bxo}rFQrN`EpbqZrY6HUg2pfAec`QJ=D>WnYmE- zTTdr*WMMiN|Cpe)F#+z4yG;gfCtu!(WN%?lex~|I#Qgt;oqpdq#}nxjZ#Mtl zKNa|o#l(r~KLS#JzaE}4;JoLBTRaMnpNYZq;hTS)a(_3ox%otJ*@-@hxK*Y`P&)kLb! 
zkg)&c3RwbyE6gINdOZ5mz5LT1INSt=15`H5_8(p0#xYsa;M8&XKN^nzKCpj$H2-~I z|1{l&4|7?}LzOR2g^@}>&+y9OA|38Q1Anzx2mefbR^>u*vQ2+h- z2n6A*M}T;#-%La2^xvcAzY&^w6aZK@H$ry*!M}0v-w%o80Jig|o`N#x{sfTyqa-qT zp%19MAgin=OHRQDX*% zW8rI$;-9L}zYpN?u>ALd{nK##_ksQ6O#SZ)`==Q3-xc}Okh~i zf<#aSm>O5?-s)G?KI%%3K+0eF@BaN@z$hZ;7V{OL z!9W#xh?i5^H9pKDfNxzf1;Ah2`B`^78s*zRTu1x#8yVC*eDMNkM@0LNBk@lG^?&~m z-1WCpqUEX*Vn`+eosLJ;Q+Hh_t^H8rudU%&jRj#K$qzgnmiwoS>!0d?f6Ppef5<`H z&pR_I6LM^VC&>~70L!y?g0D7R@CRUhme;k{D zB0|Tb*HV8TS9h1v3IBdMb3goIo4az|7sJC^T@T__!MhqpBTjA(~1$1xgr z-5wJ9?@yZ)6`m$Kiaw?6ajix|_@?UpOj56@ZFdIe-RKXMK>7kWjF)Ntexp2|^cRGl zKZ$8>ZUgiV;`m_C%K!Hx{GaUe_>SpypY>2%9;HgFQY#9h7iwsX2_ z1ev3?5U*Eh|5VOtsmi7N)f7Lv$Bq%RD#iubdD|)a0qBh0pC(OeGA_58derOcGg{@y ziwAomF9;jz1OBaBFe>s89QQf|a+ z&+@Qwu}WYTGkGHAnXbaa5#q2)kL;3`ph0=gbo*!1D%Vj_nA;G~x{~Ro-UrenWnd>@ zIYkhH(&Wf-$I6!dy|pDb>zR_`I?9YvNgS~F7NTJ_mKnyMAPM(*{+mlBS=?4 zqf5nE58tWjR2%}*l(s#Lbld9Fmw%h*OE)0*;YH&n17;XKy)HA%;r@0f|I}t{CafdQ z>bgyu%=pfT-<)9*Cj!%BIz6R3*I6_G^PT!YyEs_HYtxxwYqu0A?K^)48hBmAqR#hD zO{3XpXLo%T-Y|{GsB}=R)c`Kn4>}}O+vT|2R?xpsehN?b+n9fPSv)8{u;h(s<8y!d zd1#q^?+?9#C%o-8#O=K+$DZs1s};XM{>MpdO(*3%+r0|1znSZ_ zEnq#oHuO3?W2v|vI`r39x3aiKn3P-6qiz$vOV%z)_f?O<#)u(eaPku z(w3#~CBNQ>;r_~@BHx| zkpA9I?WeX0tmIAH>p>6CaruM!XXR6vqm$5gS4o5^;~M0mHnC0+XRB6XWWN3LIw;^S zw6>ta35Bx14ucynJ*qc4r0j(T2j*HwO%f~JPjOsY_H|=7Mp4P`71@wfT0v})Zyug) z6PSK3pYGlf7%NmYbt`+tD$of#dK&fflzPMo(30cL-Sm#cIu^I;rlEQ$D&X#s_-^ZI z+iWCKYGP)r=0)iA_|a;@E%QBao{|AzlI2l9H47NrJc3L&(E$xNCszHdH&Y;Mz`V*a z=$s`+>88tf)7I6|(=%1N4D>M`!gdFw*Vf-A(trD~F^qH^6SC2L2O=Dyy^FOn_N@A( zxq2tZtfSj%7PxY-SL1HhQK?#5I3XhX zO2RxL)9(>Yp+61;@!MwBJP^+G(Xlx;7BA-jY+dKCbJ+(KmmmGle(}FQ>G&VdEa+5X zM%KWD8Sb@SwyjU?Q+is;Y~WpsB7#SS^tciW(`5Z>SAt&gBgvy{^k>EP)|?i$hMrj! 
z!%hR1o~xv-pCFYGlL^QdrGCkpY$RMt8qypWd4le!mQ(uhx^^mnq<>YVwi8PY!#O3r z;-)*3@o7oFzP~rFnAyz`gTDJb&ttx{Q=)qj44)+^u!~5x($rlmc+K#LQXaY(zR~V{W2Q&HRabyxtPv| zoFa{m2@Y3qmt<5QB(r4&ziqC3zc)qAO*XqR(~*SCF9qb^yDR(Lte&zd{wY85*1(7U z-Zvu1CO>^t_Lfce2+V5)=3WO@ZDo15Sy7`m{C3)>ysvYGIJ4D|8mje^X?E9UDk2*C^|KX*fAmDv*e)QofQB;DJ#wjj=uCN%>hAV9oan1^ z%EY0YMwMM`SEu2KlK;j~eeEFOPGtU3+n1-I{_)~=F%SG4kaK{>F6t7Zryz46O19?o z#lC%AOl$T26Jf8VBRaLEyu>`QnjIDNXbzX^Oa(Tcv#8lHd=NVutQsD6h04bczG-B} zWx8pK$#?t}7yd7IPj@pO+-XYq*=2zdmjb5|Hpk+v&tvxKJQ>p0yIw0r;-`j>Qi}Xg zZ;Uk_2rJmH`xGx)JV9St9z&vG@mJ3RV$2Ak?d){X-$F0n6zk*cV7oNkyIH4%9p=wh^8mLTClcRa&ql@00k&wb! zw?ejN9Mp(BVToHRB2c(wecK=kSG;;>$fUJWQp3G!*GfRKmE6dXWMW|Fdri2;x}STS zQ?j}nGL?^CvM%`IHR52CV~aGMls7$_0%+}?d9RoHk!S7E6?|4Xp$e4L1kAsb}9~J4-@Jg8LkCacN6G$G{b;v%8A6W6k#lL^j1WP;(|G`sK^N zsuH)2IYb8NKU>(s_#%@jh%XR1@KKd)yvUQ?J_T$yyGeVd5-gqUw)c6p*zMvdIkd5& z19lUALzl&B&A}?}uAt9|!*O?`5e5&F z!lEN|nUy%Ij_O;GC{GMPmjDmGQ)kf81H6JZ% zY~bo<{PHMjJjmR2v_WB-!NE7bYS-))fwI`O33H1xu9yqI^_WHM%~TFIFEE*0PXuPn z^?V+cD?P=3rG)M4CbSZ>a2M%hxUMqiO8h3XZe71iTyVR*Sup~8pAz^9;72hbSCsxm z31e*=taT1B{!II)d{4#HkGj2PS~uumU~dLQhxHO}1Bx$Da1#;4CwivpJYGZ((8{Gn z6XTPhVva2|QxD&ON$0G!A_(YQ$LLX&Bu2oq|Dx8&>DP43z1FNma-P;DHi7r~tsY0A zvA)4FM`u%|TyGM%gT5=N7vUZ3g^O#VI7*=MLs4fY9nR>ML>G6>Rl!RpVggrMGdrGPw^qgY6I!D`mgnsyVH6Gz-ra?+2vF6D ztDOp&$wktH-_c92xk8WVX8IW>1IsL3)ogy8%Wmx$C2umzT$J`8NE)eU;>|s>t3oCR zq{lc0J4|mTFx$IpqCGvoYSfFF%^RFD^PCOCD zS$!PWD9S_+bUK&2=Ms~^V?J_E03wDr^A0m}r&3^DU%xI=So52Axt7L>iOClH>=s_Z z(&|mMdx5RvcNguDN0-F+Z!6bz1<}X^{Ubp3|0?U+x=vnJj5Mlt=iPPh8;V0{ZPFbI zq58`ce_si@9f|Us6D>5%S8iU_E7aq&*=xSz>b*Y#`$hLETsXgp7hD+rSIQ)o2qCxxX!VhD);iO{Z13|a)oW@ zx`G8HJ04iMEf&p&%3gAgBjqkbj-jqpRsy$FV!lpAb_6r`hlpCGb0x{9VigUJGe3(< z>V9xF7=|1`+VyH?i-cdcb_d=Y(ht`v;G1a;1bxo{5-dUef-fMol`*8Ll-uyFVi+@g zZE8H9wxuJ}yho?cb$2lJONkUHHXU4+^-;*+2gDA}cGugO{rtdsUs3AFanfx8Ll2!@ z%EV|V-X;YB;&Hk8^1NaquH$2sGC!$&j|}3p>BJm8Vp60*eHfe?;dAJmMM2R6Uy_t= zk-E=_KdJQ+EHqv6HNXP8P~OZ`p*+Mwl_pnlQneFa)Dunx99!$kq)k~zgDSTM@T4Kd 
z9I0VZ7|)ke={L(RfsH=yIWu^9JDO8^SQJxFbLy1;p_x(d-a+raUXu-niKubb8^4$f zrPycnQkYc7&y+9_pj`pFbvS2w=BGNAaCU7DIKCbUbbI7H;$0nX1IB&XntRvao^53z zR{J}kX0fBQ-Y@&7&TVqA!j{RRWVai29gAN=?LTKnEta;wX>F1W#5(+bRuX!4N%EIt z$sY9#ej~-AQq6guI?Gw?%WDB{H82^#%7G%CJn_aBhqxve)BFX6ubE>0%=1#$2#f-I zfp9iHG4#fyT0~;Of+l8PIVtE!H7iM*6xMea&}WBf*cpBN5ymh)SD}~&*xRho=LY7W zIflhQ;j_bB`@>h39p(G%-Y7oqDR^?+Q;FYCYo_`LvQo)*ZIjyB*3DfvupJyE2HN&x zlaJsBExl7r1E)DRq*0wzh7o*Q6(-{_N5fiu!Cs-Xy_BrX(51l==_WeD>}248%lzJ+ zyx8+q{e79QSSpBK{)q4>p`sxJ9rSo0Z#&X(HU^M27J4PsFn7z2w3JX`$;jD*jrIH8 z38O&UKckq<|BXZa9i8|q_#>nB5FkV7Aic}KmmyZJJ+tfQKClOr{$ zkH@^!)as~;;67?7GEIf9cx0Emj6w=unO=80ph9IefUoOc9iBVPTlB7@sGV|IsZ*65 zA8k*oZ+hb)abv**5EnIkQfg%c-X3lHX(cujM)4hxLmee-BK>ebiBJugb>=?hAdbP0 zqodE=FhJyv(u&j0V>JHOi<3_#Qo~g-M-u|O)Yi<&E>Qrn7&8>uy8Kl+jkoEMMg@O# zSM1!bN)n(!ejn&Yd@@rTw=nUjK>}MoqjWUc-G`80N)h#!yv>4GU|xTxC0!y6Gi7sy z)aszO08_!idJiSW3aGs5OS7c!WCY7~DLnap`Ua9Tju|&J^?YYkvtlBXzcvi<0;>7E z#hF&Ad*66z@e=ac1O;^7`Z1cp_@H)yiic_E_7!sXFmd`;7YA~dsAR9`qI_N^E_LtU zi-560o~!zgAFgKC`%HF8u!aEf4zzd5it4=~pQn?VG9h%*@snC+C&IyqJT7X!_^7GD zG4f%P$4E@-QH|y2@$1WPZ6_N;Bdq5mr|{2`aeu)L!Cu?y?%+TR#Pi)^k}OUM%bl^N z%Y1g}Fq_(V|5F;5nR)9bTI2CE!C%NbQ~YnkyAMSq$MJ&nQ#Ls)8U8c`)=`m~iovBX zc-7HKzVWcYm?Z^2r-8I(ag&HpZ89&2xVT;G9;|Uxe}QR|M(O$nH=TXhJy0roYK^R$ z>6w}O8&bMtcyxC`GT=CWhD19OSCWtFR2mNUINjtMf?qs*H!@dYI?EoYn~D{|%X-@{ z(emj@uN~*JW*(F+ZGjGmA_;Hx_*fVx?E_dDkMaM5?>2Fk;l?;&H^UMjkP4^v-W_`09BJ`#RGr9 zZt=IGdg229K)LR2UTuFreKz6Nei2YA@O^kQGFpPUg*Uru8l{yyz7?0IOn4r+P6B<$Pzr|82yr?Cb47E1wqBh-7huSKw8< zsaF02n+zjQC3<-IC5Pe4RD^-Tda6^Qh~U8L7{x(NPk7W}6ys*0M#BemFUX`Bu9%Bt zjRZRORh~4-rro>|Q8=0O1V_^TBrmBGc6>-v{M>%V?uV+&f7~>Q6!L0AIZp#k{cepRH*|3wX{=pJ z?q>{FHpev^vAMtP-UNxspgj1FY^Ru{q^0y#>1w*o=K8-AT;8d z5yQqsd8sca?!l?~+QJ64LV2=W<90|z_B1KiOL{fW@$~qZPh>aouI(@YFr!a_HyXiL zuLzbdSv)^F*ZPUVs`_I{5Uli-C&Lv}R>(0gG_w~gaPQmp_YvKd-~{ur8})wf4va~OVLiW89jjSSH1^Y7(Hjp~zd6n&F>db- zUC&F+*ge-RNzzzMGT9s}0Fax&eP)Kj{%H|kXCA;9wqCa~%hA}P^7ELrajl*3cS{8< 
zW=v%ZDocYckn9CGi`9K}(*~-f!T1)l{6PUM9td5q`^(g3T>0yU2dj}HUY0~GYd$nC1&K4eX$)(ufp)7VMXbfNa z-cZ$x_ZlI5Mf2226Dw^pAL(KbcZ|tSOLAWApc`@JfS1uN>+-ML`G(*779~wYTxK78 zK5PmDB#6P_K|U(@U=k_tX6{`DJc+0Nz@S z#%GMFP9H|i8GT|*qMXMY4k2Fo3k~b7Hl2i9l!(8)CtcSwaPF}UYdv;x>vUkTx&R^nD!_Fe7DUHabGn(owVsIi}9oQ_ISu)H+ zzwAeyos_JG$6SyGf3D5Ly25n|6Yn73rqKo;ZpTrtGahPfp_*wa2TSvF$w9hf)eZ@y zkjlsfewop-j=b!j{ZAxh3wF0ByAwdb(9~l znhu+%-OWR9h2#ml;eUiREDa*8(AnOd^A#$^ZH}eJnKXNcdYK9ck=+&OF@{Gd$niRS z6XHwVt$kLnB(YPNscKwqjWjSjOoVJwe=*eUr4Bt}5i8TX74ff@RJ!jm7K*cM1#c@@ z!n~MU8p637ooQ9`p54PIVLlTsNiO z{@T#DwgQ|Vr+u0f542=r@S;EbQlONCP4_s67`J30<7BusPOzrSo+E8tba6KFs)Ylk z=t32FWk@uKQT6jhgoAXQ37hLsTd&lOi>@j5sd*=4*x#-hW#OKfMO4A-ESvktFcwhU z14qhXwZ�XAaQ9&bQc6QitT)Kd$i!ASc4St>i&}&Bu=KU9YJEm^I58k)y4#(xb=Q zmNa~*_lDhlf#{1&wDVr1qzZ?G@QlaRagnAR zjjIlPQ4OvZCdRs|H&$dFpF1sXOc~rJcu<$li*}s@Y=VJbz&{;*apR&5^Cw3SbJ8w; zo6f@lJw^%Rmv9EvnDS!U*RF2;--}P@?&A<5z%1T=9j>1amy=SM+k_p7?8(5{j?7Aj zyJI(s5*d+DJNz~8XMV(*xk%bBFz(m;hQ|lms_%WO>}L&>nb;BiGnsY8;6}c=$nHY9(!Y3(t$w^ zG)5pBC)}4R!*Xwt+@*ab(~$9VJpdg+N*W_A#nC6k-sOFKL|LkH>Rw+7SReBg8S^5Ar8ghHV4ga zU~94v*6^0V|2#TXr^AfjIP9JK9K?SsuB_-qnB3sB4sO*n@L6t~Bz(Dm?XB6mQC_d; z^rL76t{$(>YCI5|wWEX_faG77M7#8B_0^v#FMFZKl+vW3t+Vh?I;Vh^zU5%WT7r|ocZ{^N zd$wQ@Q1vwILe$le5=Un}(pFf+>UXZm3G&ZI2B4?WrH$h%G>jcU`z7CETC_P6Ev52B zF61dEVgPOszIeY;eXnBk? 
zQ^EP}5oP20yZzhUdaR#t6KW!5KpG+M`zUM;A}*&rQ=o>Q=nxi7co%Dsbv!viJDD_v zSDQ6sx4i?b>VWsWMR*)GeQRx5&*<+doM>2r>ck> zqe?IpS>0w=!NbyT1LUUI4k<~q1b>!f0yWqVGDXS~i(1tce(oq1i(xj-lhM0aVZ#Rp ztrl z0!juigP*cI5e&I-PMJo|;K|bmH2SBN7oLBIW*B3a+m~;oE!*c+TKmT z`)$D(mS5y*uxWo*fS?+;qC?g#C#MA) zDYQ2TT{7TZX;-4S0#~u1pJdZ$X8Kp$`u!;SZ%CdDA-$^uBA5`pSFyKoJVZHFy0FBE zN)o%piVYVOc^I0og1B$yF;-)Dg7`@2685I_{{!-~~+cbl|mDAc2?-$0qfH`GR>{@T| zE7$6FLLiI(CP+Gh8LBB8IS2Wc2O_0=&N|p0?d_)unYvy!q`V^UmxOt{EMw6KkWVSw z`zk_}ZRu!lkwj{N>+}e!leuQAY=S;;@Ri7LQy@*wg^wOCZKdaw@ma3&dy787g||~w zY#f0xUZm$5Hk`K-P;9@ z^j0olc~U-0r!^^r;WKsB)-k$`uz7bXL?}AU#fT8sDJ2@0?8;J7>QcRZSY#)wJ1N9~ zXy+l0?3uTQQ9KmhL-`d*by z@~8vz@AgKeuk(>OUwdsoItIU3=|k zul?+`o&`4_Tcbj!$Q7Etm;4ol*NM$%?e3_^kf?FPp4?y!OR?_O+CovMa1vi54D-_B zNUs`C0x|DyCv*OcOWm5!WtP?GBqy>-rX8q7o^7=OXUTa93Sn+HDR}!?lj%hOUs9;> zIqENcXpL`>Bx}oSLLW&mv@uQH9Ucr3MaK$<>QE+P z{bCN?bPv12ZKEutoY?;h@Qt5dxRh3Jl(6K5AESO;pMoW5tigJU>{R8Q{-~cl`vKOEIA=~3SRMD^L&2d55dpV z>x8DQ2+UEf`GTF1^Zag2*^AjnITU_ATHj-55f+_k(R(Iy9M-zO^qjTKKx+xys0Jtl zm*nFc$k%UlvzyKe&}q54Cd12%s+7&4tzz5y>oJq;u?|aDO!rRCzCNI9qA1pDU=|n1=|TG`s9e zZR`xUGDOJcV63Gs1ekRiZ-CDk>bdD9Sv*`HZ=b*npI<3zscouGfA?kN+1-W_vld?y z>*FCDhG_tQM z0a8O1Ui3&t;^JU}XiizazIL`o)@~m%>jr&EVf^g(Aa9})>{vB=4tIk(<7`YeR`5m? 
zMJAwDQ7#ACC6~Dm3(nhC7O|hlQBlT~pkcEX6>(S$1#x0EQs#Nrh|ejkMF->x@r|HZ zCwysgjyK1$$@OnA?&6DS|4B>TvuHMBCT0TecU$ioZD^74Drt3am@@OvU@&h+mg4sut6mxpGOoPPY6Bhn2DI<-*vb)TZk zYajZ_C6)j*l_Sh9v{CMqQGzMrZcz2{@j_8cj=u;aG@+^T9Uam@)X# zeb?i|a!oSbdvFUs-guocEqcB&je8}q?0leoS={Ul1A|l&xf;%0F+w-0=Zz=xC>YH~ zx{?+@p>LEM(Tz9k8t1^*|_*4WDE8HNrZ0I*SAJ46a ztcy$*>`;t>f}VO2mOc%gPphp9TYUXKStp_D0iOUT81>Boz+l9cTZwCo?pn3Fvq8ky ze2Z_Dz;Dfgdv}DlhXlip>J3q_$IQ!^LR3Mby&|iBSSM0fU4mpdvbL4;_s9{P`MrTa zBZakLoR14WlnSvRMK7&6)X1}Pu7VKS^g8$Rg%z_8wU}mI1Lal4_kX(wgw%?|p#vgo zr`hN7W6y&FgBVY}Fs=&KzebR?0pka(_4{gqIgyMPPR5Nl$ZQb_Zzvn0KLTHCbK-`o zTYXevh;cOv*kHUU1+Yx5?KNwtP-K7gM3ZESoZ@o+m5jD{|Alx+*OXY~@9GG|V-;+;oqCK(h{(8S4 z4YkyE;UpyCy&fNvc4u89rAHq-~kme+00LMB=9ce?JX8pkXB+;=@Mt zfuOIupK&Y8{HCDYSGyG`9yxBbjkiSUc~jrH8ZF|qx)AyA4x$k zHIIS!-+xPN_6AT0{uq62 zK7X^)%8+uY8d$Z}%CP{Ujh13H;NmibILWLDv_6PFCDy)-Ry4T0UoR=^7T}==I)b%E%&I}x34(N(RzE}zYvH9snDcGkU#qZ@A|x=fNqP?C zIOHH?Yd!tn_xXM^({FMf>li_M}+gJI7WN;$lbl;!_AJrH z1S5>23fS{ibsiNwXbXE&XWZiXzSB!0e{u6FTahCK0E;%L|ENa9^&!Qgp7_Osa#?{& z^?yvB^=C@e?H=11Q#8oXf`2x8`#23i5b^T4qC^isi^;gtXFq{JT{zA$K1CwudWBM1 zFT3oQ=N77cF$N*2$~I#H!^79Oc(Bf{j4kqAM}KS%vo zW-eu`$FtiOr`ZAYpkEhUDUBOr+I_LVU)wVzXuLswKNGE&#QLNYnz;+6zF*w5FlSl0 zN&8r;wO3UvikrV$6Z3sw0L`+0C2-F_D%E}!V7Ch`QqL5nI_-z@o>DZj1ECSKe1b&)GCw2$3^UZxSCzK@s7 zQuVc^8h5%gNHqdd`7L!p@nI0Fnmc>PW-w)uC=^xDgT8E*j_kBHs}x@V&d6vi87BEaI!L@qaD#qSm%5h=w8yNUH1}H?twugk#fWx%9}`?o;~=5BM%*(->L3!?dXg3bfZ=958uXCOptNt!Ef_~ zSp@6N!BnGl@OwSfcbTu}EGtzTL+Dsa*{z8MR-}z+FC)1rH+XHdZJ-jQDYg|#?!mHF zVF>I({-<*7{dX@TlzvD-c?`@BTc+lo9l&<7nwa;g#DCf*cY4h(@ElT zU;nB**hA`eu$7~`-Vv#7FEK#X7&~@^yLKiJ5XCulC-9_&O~k92h=JdIRKp1I{Ri*r zC^%RF5x_vO57ol>(kr2P zfNGNC00Him!1r_8X(5K$YR1RwmN9lkEkJYj^2z{?n#B_lU$wS{I_k$<7GtcDG*IHO z2S?F5Mtr0@k#<+F_==bwpSVmtYkz-93s+#-s~u48$*aOJR!G8iqYh6}ZqD@#;$$ow zm^9M-#cNMe{Hn^9(ZZ07yw$Z~1?~O8dh5N2nAXMVE32LxgdM@Q@`v7AG@pvBZ>Bb} zGdZj-UXC7XyvsoF(7H(9g!ElDdt8JqGHDuYOjkZAg|aP2;LI7~L4+wv@)O+XO3f-_ 
z0e;mFl>%k%D)78EqptV0Xjz~90P}Vmp8-301|1fbf^kE7jR3tVGACYK*3^D{ftjipV9<9*emr`8QOGTrl50Wt96?mojIH^|m%xD78*csj{cV}ORsqh(lH1jci z#Ju^km}`jQFfO83$NN-mk@2Xv>u913Klx+g!Nwgt7z}s@#RL0hMT}SAR|qqsGCQZO z@(?}|ie&(48Pm(c7Nz7+H_KMDGOnAlelkX?1ub;u3rxDJmD6&Q$DW7$972KPp2fk6 z&LiZnZl=iQpj-Y@RN&q{d))qUP{}9(_Z^nuW0LFcj{03yQQx8(t zC?&YNcPo6bX6)b#tuJqsEtG~Bz=;Lkgl3t9@3kI6_(Aus0TSsoI}()-zP+{PX9p%r zg}6iOzRX?(fs0*7Dt~Xcw%>KfcS!X9eG*_)7{c0D>Riq_ce8N{Wh4l$W_pKW2I^4(D%zNcL zrd-zp@DFMjxe^271kF+sohUWZ5+Z4-HngJ0+e)hxM39;*T|gU4moy|E=N^g!j@s?X zNZG?R(Scv@SsQrfSR1q=5jmxsSyq+IM45KD>SuG!tup(04`{2c!;0ll7 zO8ro(&#pdp0z79{P2ziu*AR(ToEvku=4NYT>06V-0N;GKjwnV1v$Q3L%lss9*bH9lv0|a%H62(_^5<7h?>nGcUJ-T#MO= zy`q;?yt+-h2$02HE9WJBac$=FlIim&F6-I3kfLY$Y9&pHy4;mOmBN?vj%v)O9lRjcD4WeBP$>*9~6*-q%SSMKBquz)C0#m+zP#Gp0E!Sa{0v8yP7;RpdlN& zViD^^A=+Q<$Gp%fN-lkvcl8pu1Yn+_+5 z`JgOyq}jJ1dc>PZt$JxXcdQOS7y6OZXZR%TP!dW@>7Uh9nmC0O+K(X2P z4TJWl8V&aOKmbn#8T67B2vQKeNSP!rF6Ro94Nym;y-V<3M%nGg~SpM+XjlIo7m+dG?4tKh3@fcYSQ*w!-LR9i+@e}fCouaZxh4mWZhXqzxHbo^^kCt@yv_PyA9fWaX(mh`FCHjpaYk|~0^PC{OT`~Nya7C%mm0-SU z4ZdS$m%DT_Ehf7Gs+7@NIhZIWeQC0NqV@cnkej)EveuuwMT#1v$WAP9JZdj^RmwP3 zNNBw!xzH#hixO=Yh&;0}Yawp>+eAt%aP`Z5c&MkiqUC;K=zh$^ez}p@*0?a31=tSx z4Ax^^W2`>hJ{?7=b+r{!H@5avK&;KPF?-s~B>W^2&h(X(D9IlbQa%-Owmf))9HP9%3AL{AxZcXLQn)AH3bYzB%Qgd@;&j?<`W*9r zSnMZ_FYdi5W>|nnf7z(RiSIk6`r!)5OmQO7qgpB2mvbA2_(0>S5VxVE&;y8a z5J1nAn3vtIM@26)_DxtM2lW$aNNuyeAHf%p(ZD1$tcLZP7oI!fXr^Wddbo!EeRjXv zruF4voRz*E9~7KSr)<4HjK?c!O(pz6j)IE%YVl!3eCU*m%e3CQnDc3N{#L%z(g^z^ zgcz0vH8~U-Uf$arvJUQ_)!`FPtq`lteuYvL^qSQUG)})BybrZmUL+?JgmD?SWsQfHGF; z(VOb_Q#L#Pf%LREVdAq?SZKSwX{qC9KQ)NfF(0%0C&@*kgz%|%4w}`z8P(XnX73Ce z=1}6Ih~AoW?7TaNp-q|C(f=tjbNxzcM_l4ESDU*~1b?e0^ISsuu2qv`f=6G`wM)_( zer!Au4oKxD_~L$GeJkw79)Epw)jndqVPZeYkn&9iB-W_KjQ$i7qjn+2@%3>&MO4$$ zgZ>uXb7n_A`}WCF>ibR}pm_{526sM_x5|)y`QpesD!8;&yqpxerjd5OO!kYxRIXI! 
zbyf#{okivC7NG!LeC`*BnmQPhf6w*ped?ak?$aysG1B!@Ayrk;FOLz+%ca8*Uf^K;qG!>i@=pzjIMj1?9*lbU+vbY`KuhGXBw7 z3@DvBAZ1%^ZBget+iBjS0%Dd{PQDdjvz|t0qI`-1%g_Fi_uFgV(&&K;NJQ^}NNr7) zf(7No@rvT`*9mjLKEiN89#`{tLj{!#BAM(~DzCy}_*ral5LML#U`d)Xe2xk$S2-L4 z?*g+rttd5I^>r4Ukx%k1Jf2iM@ie5P#AE5+&;u}rx7;fqi5ulBai+xyvw^nb?BO*za>VF)8jG%!gq;^N~iUp{|;1?^A zPWBIVyqLJz!_%juO3693rOS2s9Nh0ZH_CfO#?yf^tQ)_jd06F08(ua@ttm$LM&og&WtI@f|4F5p*B5mm*y}V!8jJ)r2e>=+3aN?Jbw0*Xu15a!I@B_;@>O*rde>e^l0NeC~r>!?DQSj-08_t zWb6HGt&qK~M`z|od-ZsZ6lpb0^*`XZL`^7yX2j|pug#3p8EYRM6vWTp5^HBqr|uB8L654hG(??WyS5zM9a;~R*aVd!TuYTKCU#!vIkCC9y5fsxJ9QYy@lQlDL2{Rv z1-=NO8DO&$yE7PSP6mJBlOYEz<$CM&N3iFl?)(U|5jDwUC>cs0hR*whaE6c&swc_dEc}F zNpRl!h?-1M6Kg#Ks)|xLpN00(r3)&og0%QtZITbJkftiGX`Oyde89L%3H3*8tSm2n ztU3jVW76C~jrC&ZD)ikFdd&nY(5hI)#ex9@QLG<--p!s(I|X`Yv%Gdavbl ze)6#!w*@)WH0$VX%{KclpMn?BtK+%}Jo?+q!%^IzXy}CQ=8$rp1r)mj z^x3qeAKkt@){&c8+TSGTW|5H~C|UxqcmICN7V$-GiF|=pM?L(w>(}g~tI81T8da?! z`zj&qX9jZTo`M_Ax!;4Gf|_=DXS($2govC*A}B}>C8_6ueWS<34Sm)y%E(kBUUwo@ zccVK>hXa3aZC2+Szo$9EiWNrK*^8icak*;jCuYET~)mfvz7sE zsM;6j^s!OQ3oY98dHaimCm+NHyKBr_%=c>zm|Oh_hapNmvoRzyLWdco4jg&`I1g*& zZI;NZZ-ABQkp-gZ7_aA0ji9^J#~z5o1RW4F?4>y&9VZRsyfdiAJXVr*)a#48s7e1J zO|wUrBxdhFx}9#+oVn?8m4!jPFM9SAs$fj@;?-B`l-+(NH$0yTj>PfaKi}zDoE!1r z;jj_e_wKC+7tFxDhzA}v6{b`8?GyfSO_2Tz^=1UXyfzQ}m?S=~YEP)~@~KL>T=IE` z02u1IgM1B|rA2%W_4N)D5wds_ziZPQD55#C+rNOS7ZVDa0g*3t1cT``g*n^u3g19d zp=b4vLS0F49f1I;D@fgkAbDiZ`UKA<%3ulnXpC*OSKvKS%nGw1!gNi+g6pB1d;a*| z#Z%|jsW<)KTBuDT)YSe6U z-pq>pUM-by%&i^~8o~Llxlrq@d*Fe?r`{Az5^8GVqGy#t^S~yj%K;pzRRn7h zz&;5}llTXc50iy1OnJ3jKy^IQ3Dv>@UTp&XfZX za+@yK<^MNHheMXKmZIpd3eNhwMb8j+0>n$<=BLY-{-W;aZ-=tIfVS}eV%1API51UZ z$Bx|>x5XHq9$x-8lC1YMfzjzbz3By4x9gYBJOQ)-9e;j2vy;B9Te!M#ZR+J;UDX0Z zl7Q~^$&b$ePk%#w?H=H}uh#+jtJ7B9|3;7G%FH3zBnwSFix+~xpeyf>>;$MN$IiEk zl4WDr_no?d-pBW!*8mT*_f1Ib?R0tA8e?R4B2ecW1CRA>0*#1dP5fmV7jRt|n*_YZ z-n|9?gx&wGdb=gDa;2f4kV{X#4M6>K}jX1TgA^?DK!)Nq_pC?L5$zPXWWJNp4opb zjsJi6?!VLZCo}$cy8i4X|6N^wibnsty8etR{~rfK&z+Gu|F;&ve}VBI_k#a-r%rOq 
z%i3AuKMV$BUlsvdnQC69@PD?IT>^q`|9_Kc{%3&un_*;)fl(e;FG&6$Zt4G1a^Vkb z(c@;Be=SAwr>*60!>+)9Q9m9#s{eT{{rkOo98g64TzdXLw1z4WXBG;4_Wn1K*Pk$M z`*GX1b!<%?B>ppNcx+2kAAC0aFV_7>-}|RmO*#nZw-vYkRZhk~joAM90|;R=P9LiJ zKNn@&w!P@KzW3b(kN?aXAI<`!jL*3KyP)?U{Z#fY5RAVQ?ElZKanlqS1-sY%AG*{# zV5wXZEBeo@@!tjZ503fY1@>nL{_g_&GbUd7|L+3xI+s+pkZRyM_^!c~8%M=giYau@ z5_n%2CL{goqkg+g^K33x1*dnqvLQ&gV%?B7!zJtY9lHm8cc2XEtf}6B z)V;nRU`+;vcA$v#&mG)GXsh57{9)sZpiwF)?=z~-Q>=u2< z;;WY~XXhR_+}^eh8T@>99Emr|MJsjYdngAkaV24qT9C}Ot?s{d>3ylSb5t&1s>16F4V zu8Xf-Tziz8VZN?Cf`fJtx}tH_p4GwHvn0dcVvmXajCfNZvk$x7rr}M+rwiz^iv@0n z&=P?dY}of6$;>7>?>F;v-G8gye7S4;v3_2&7vFv?)!p^B#j)+@{$-Duc%x`tySuIx z(ID-=A27OnEC^|yCF6#_SQ9eZ=UuUboLp3CMWk3C6jRARZT2Pk?-km=P`|OBj&i(* zs($UPn&LPh%u(*0J~pQ}?$Ez#AuV`buEP_YpSa+xNbCDC#>VliZyt(!me+CY0$vO;{McaP~QCzP>lE@2xR? z+r>t4pS>>dp&DncR5o#}xEk%PPtiplX7XT$V z#LY~+2DR)a-7#8~`p%2QRqEAF4)pVxl z%xH&*ee36k<^&+KSyh^9@=Hp;j5Q1hAj zevGyZkv_^}0>IA~Eid`_T$Io-B}n;X=+NNZj0HD*7IV9mHmN7WmikLkF!{{kT13K{95{divd z4*E8n7yq$ENoRGvpa=ptZ>Wy6q-GT7g!ha_GdV30CR(e`fn)-&Yg4_tRp8)hm=gJg z2$B5pTIBNAYa)*)_BorpueM3mWk)q$X12~7#BGGlMY2?FTHE*_3Q(x9t|co-<@7&T@3W8 zY`de$DSIJ|7l5#gH@PEG6B`b>aDH31>`+452*V9EH<O{oTXXq#J{`{&uRdJi-A%j7wPuM znMqsM`O!xHxvI{ijLK0wu*ghF{yBfsZu+M*WZqUlq5LwbpNpjo$+|LVs-@)LZ`LR1}Pif7TpN zk@(S|99E^0c`EjFYS~4qVnrd4F;6P(+(Ro6syg^c+6zf}xBT(SAZ@-K^HsRr7hq>^%x6H!UBYcdZNB@> znMbZw5b^ix_o9=ab5D_yJ}N{^9gi8$2^m%WbMT+qrS^>fxJWkIy*w?eujE z1oN5av^@46MVehkad6% zfYxY#7sYTx&=DxOO#s@oYE>F=^~dPQdXNq0go0hk{|;%*INEJ{i3P^Y3ya2$)RC$ z#di;uA~H~=z4Bf%5&O|4|1&89Z_BqQ<+kqsOv;wZxYR#R3UPZ2ZNbqw}(|FVmUHUQR> zsuEh_dz}@M>P}y3P%aagj3bpq^y~4-p<2!^`*hy@Z6wCMjxh*_kA>#e?n%x6rJnwG zum2{s2m`C=H>%OI%gbF<&b;=_4XcM2n_A5ugo-ko0yQ(&ghP#17tsfqg@RX|BYp!` zN)c&o%8ob>8pcRZK8vY+VVLUy)GP6p-Ri@37LG;WeK%WsV{Pj1(mK_Wsh$bB%H6Ts zhwlI7KYk&AQ|eXSqj6!o7x#{fEuFIDr}Tu#Dv_`CY`?mgl8GqVui%F&Kalpe;_uQ38`9Ro#5t9= zklz*H5U)X1EVBtY3?w6&hFo4BQ0dLWGI4rC0I=qG{}3MMaM?`SlpSqPS9W;MMhn#I zS7(>98eYWx@Ez*c5aD7UcQAV_Q3hW**%jZH9g4{I^9D+12( zz3REpwFb+NjtM%3A?lHYawmDSlAq>B8AYiucBp8jF7D 
zbJlPe|M1C}eXp?dZLA%Kv!*8L+vqRh^|joxQYy)aHC>4#djnOMLtfow!+~*aLzMxO zKQ#+pi7A-F&e}ye^k#b$Rc70Ibx7fXf-1*Opr`rZak@>`B001rye?u@9y^C>;f*%H zy-)d%T?QL9ZAM@=dUDz}mCVrQ_yH8IK!-{{ZEbvB#|QlF@VZmq36=0A@$IB?b)Z&C zg}|t}-C~)mI^3G?%@mIfGet{L6Jmvj9aQXHFB~+|J%6Gnnlka70)LTrZzb&J(wMIw7Q~g~UEk(}?a2ZQebhWlsGuXH)g8w9+zy$a7KP zUDWI5=uGEB#$JoHM1+z<6imwlW>HJy($(d)V1XE&$fm4~uB$3cR$&nWY*;>$>!4#OuEc>C7^`LQWFp(QZySI>*lwZsLx!{-EEOhiVW zOYh83!&)B9${_y{Uf6EA%sszkhIG+OG&b#K_xmPyk57iPQl*d}^~p{e=LUNa`h_>t zyV+K%2jjPskt{RH{aip65qh#}vf7z`XY%%BtAC9B%riawA-YQF*nwp%M;qyFtDD(O z=^=d>m5Gs(7z|gN#5UYuUygZ&>m7m2JEYX1F$p*eh-kLXOnr}Kw%tf>iu&mJ^~R79 zS0hv8jahp7s0BCMLdZv83&i2B5VY;I;HglW0 zW~%dTMbh|=A3kU6)7!E^W7|PRn$pzjfDA)V;(2ScJ6s;Hsw^rwyrqtCnqee)g8;4T z^2PZ3|mW|dDvrTb`oLm2{9 z@}AYr%|q-G6g_hO9^UL+-BatbPhRpdQap_{Oxf~>=eWB}$5b85e(lZji;t@1h zaB7fF)&kzd^##rxVh0iGujMMyTPNe9|4{&Y5c9WfGw${N@w4jzB&pCW3-($v`C!7d zbR$o?$`=>yNF}ysQDc1PaZG&`$6s0>m#ZQDom;b9OiF=WmjRloIG_PbbguZ+debW0-86XCO2Ou(hl`uo=cS=n`2j9Rk#JDP~Q zT~7EsUtn*v$a>nrCnkEUhXM)d840oCJbXSNjWxNoYLHlL0zbCLZwn#pWl{hQ;tehHT^zGPgn!6c?L z7_JIH81+*&a3kGD-P9Xlhzkb zre;mq%^i(aIAS5ntTa+mSKO~HyT%EUn;nTFF+#I0Fk|l7{|*M)$uDl&OA5n|i9)G2 z_DQ`H^&@#vw-U#>H77Aw!K{#BC$!&Ed#~>PHtg7St$Xj-pUW((jJwqN`H}tM7iN}I z@r4<@-hEK7l4gMdh|KrO;4tBcpA;;9EKv$}K2C2P4=%Tc(b=^ zl7{zJ*}yJHC@crPvg9W8q^8$mB=Y;y4jGG|I()QQjZUFEbbJ;y%F;e3e-xb@VCN?Z z1!D5$d#Q#_&HS)pE|fh?4-f4xao}Dae@pOMX^h~-i*z$WDHFYpw$R0fpONPyx+7aw zP=+!t^BB(HfQVda-*9#7znHEblaPZfWuTK&|MurO=hD+wTyV$w>~ zME}_}RK)T1=Z6G0e=RQKC*pN$dF(T5f!KwlB3kveH4}+F_uey579E)_GEgyWW34~u zR=IKU7i>q9jPM`bTj6;PB$UaHBzL4W64p>@EmTESQY-M~o9GK}NW^oyBR;JReM-f5 zos?ToYjfaRRMM=>x@?b@YV$BSdPK#esA25$EA=Dk;@!_s1zFJ#V|s_B9Ct}UGieD5 zsp`TZsXQDqI0wq4)6&pOP;p)8;u!4{&WjJeq?k_%nV6EHw7(-Ye3TTn6({vB_r=O& zQ3_6t)Uq4|oh6~9F zr<*Q!zce9}1kkCrL75(wXnWC3%oIg^SBJ3>4Y&A9y=b*bD@%Hpt}42jWzf1L@v30U z#2cH-(ET?ruuAe>we>_ceXQgfDZVS3>Jp z==|AzrS?-L0xFIf9xkaHKMLUdJIaTS1_U_*q{TY%#dwghB!_Zl;muq`$jt(BH=(1p zddK&rTYBVi8<7J2z0tloHN%790FFlekG;;4Cksh1HfqMndYWs>JJ0Qh%Mn~iN 
zbmmYLr#n26ah^2{)hAa?Cfcw^_o~dL&9t1JzcgXr-!PNYhoAfv_VDB3&HQn&RT^zi|TB@>5f6dw?GS$D}pX(SuZ1>dM zY3Q5oENYTY@4>#0{E;}vMS)`&1lmBF$%-6bTW+*2ORLYT z()Pq{g^Qirh9E&R&!zZ-S!V6a8OwDCrPkV1XZ9>^i{$keQ|S)rxM@u_ZbYsvZCT); z&?n~#L7!GyQlFy8Tw!FYRJ6y0__ zyakchwj}-AA6n`O`l&iaUa@s{k+|j!sv1!&Q(9vzJtIfM82*Ru3NZ>AhU&P+f+s6A zo%30I>|vrk*mi8R*0@zQWt}d;`&R$HGFLARLC+5Pa=F&gni9{?!%Z(Js-FpMUF^6a zSFDDTU0jsQwwkWl7~`K;s~h^BhlE-JbynjPWkACxp&}=2c4nt^|7nx+p`*cdGpnA| zpSZ#D{embWpX-)yE5B1mR+@>HN|bdMveI@t2iJ>KR1?1SEsp&QZPYTUWGFReaxnqW z9FJ&L>WtRcTKno`GIVA0qyRh9`_~}cw;Hrph}+=@6oqz{`HuzhEgl|WyRwXwM9k5V z^v5Q8``X6)AWF84?E|Fd` zm4?VEai#5Nztja%;>RK(?&n6DD$=cb>In9)6YyIbt3NGvJau2*B_R01hWqRL^f|sS zGEG0f%U%+VZnMj16$a#Cf+>eBR(=0lU$WkY2Q0|Z?n^ow6_f4Tasa{-Y;VrfFQGLQPL=Fjt``vW z-iKNJAp7opg&|_C{gh!QEs~LWK3S$6Tjmw0;y0I}pYZi@)`^pXCn;f-aVMW1hr8dq zzC)wAG=Q+$+YF&>u6xA<%q`>@v(DFz*c%?TwzMcO5ee-e-9DqKXH)ZKC}sGm;4|&u zncr(qP}RS=eruR1oYWn&)2b9}$8Nl-ZBbJsBoU6k0(7;kUdR;r6O9iSfH~Najv#t;R0u($yi}Uu}cC!F&u75j(YODa% zE~noj2x4R8=c0p>xAZ;*kjy?4lVv22Nsb3DPlKiga%-2yHznGwNzHU4`J@it2;R9~ z8Kqg^KUNy&b|?hD6cclJQWsMTMQ+QoRr4y2dvLhRlKR?q@ecn;W7Pn`>45GjiFPeo z{lS#D-%-KM3tO@eYxAOyEN`qYx-PtQ5O8?at0xWr?lQVvCZx_EdS`D$iTp?`UZjG2 z5Or}vck64tyvE2A>55b-75UoRuStpZL;#~S$N`a8SC4~?O&6|;A)%WyQ}!}jvmqm? 
ztQ#peFCB)k7@;?^0(-FM9mK11-YV|jw-!D-;BiA=r#U6u?eQ>_&1k(PsC4GjPuMw$ zIXk`SA0dnRpItw_*T5Uf#EetaEo?$Q0#&Y6t^UI6El=;ng&_pjJ`XfDYd0;@NUgmF zJDx_f%Ei5%+Jx0r6NBdunWq_P0OEP~(lMIHeo)NHF~Q&Y{LqvQF~wi=t=fq9L$$#Q z1@lh{xMIX;Df=cdNZPx~SQt=8pak;bY2S)-1d2-?EhMdt?}Kfi5aMD_NuK~={m|T{ zsWO$;jlghOQfz%tsv3!;_*6DW>u|KP$j7mPC&FtYJKs*o-Bsmo6teV=EWZG*{qW=y zH^A6=;`>{dP=WV$5Tn;9U1rtGCOn$;^4zlW>35NK(HAb{3ArlHB~G=b568Zc8iCXB zu%lq0wU`#>%BM9>-$@~}p%tQ-@c0a7Xm#jd9Ph0d2*jG7cmiVBG0}wfv0Jfvpx@{{s=Ote)7*H?h3Ibm5f;aWA@xi!Y;jad+%8JWHeA%8QU2K7403K zjx0m{U?H$>-=!*dJ_TyTItPa3np=Mf_3CC<4P@g%@)Id5IS)^nM3cd?I(oi%j5D_+^q4)BqiLbBB z4PaqP@S(gMpR?R5YSNlUfPiba}2X!b4j_ z1v<7m)jFJyo!*@8vZQshDSq(1trB<^LToqDd^mc2g+44G_5(IB+@kH&76x5zQw0jx zgg@?31YI_-i{*T|BVdkxG*BaV?2wPA2uU%I&NU&!r31Z~k6-4;#qkqJXQu;Jgy?95 zF?Xu8qDv)11|)kd-_t;c+JnAS!axWizXaEctj)wLL-)#Xz1#*s^m~%yi&z9`?^vZA zMUVyBrD+JdwZM!qC&~7R+@LR#l6innxo89E4Ywf7*-Tym%`ROF6@=8=m##HDCA$SP z5kB4=zrr}ff_Xp=#)}M09mEK&Ib}U>sx=LJxFg?PtpSL~TwYv0^KmKMLBBE48>9*1 z3p9SRbpJQk%`$4YJ3D((Pa!xfEFy7F%N)Y7wD$o7xUZpAp{I7YAsWNlcLc{da0-?O zgTZA=XGCzc!pF?SeQ*M~FXU9ih&c(C{KCq9eDC;Uh2D>`086}pmIBz2hSW~5 zGQnj7EtCP%Es&FY90Jl=ox8RiziFi;NxY`FcWli7tx2?IVylL~Q22wuDYngGBc?SP z%^UP*Pvli|QD>)gGc8hVCp1&78FgtM_6j~dH63O27cnAztJB|%Ufe0UR5~f>#l>~v zk#vsq&r5+?LK4ej|VeH zq0?%BtN^~49e-6q(3B3lxL$xhP+J(e9z7KjRK<@j-4YV2DOs|}fJdCNi4Wpwe}e9r zeGN``5c7GqCqYPPyg{n_SJ*%b8j}oKRw$F-hf-=G3>f%ye2IKKbpz4cDbloCh!is# zUB&fL!+%k~uG2^9VvjK2c}4Ibktr!5X;HpZ7T)OO5|5of58@w=Y}2hJxiVO6yQo~h z+)%ngir8YnMrib{-HW4cr54bBw<(Qif0U(vvz|&rDyp37=}$bFZHgI0ZmyWCN1>Fy zPH@)^mizuGHSPeAt9UBn&=G~wXJH6b;7@%>8$*Y+au5(19owz-{-sgkwbZ@H_XhDM z;&=#+AD?C zf4@6ix2wk$V2>R&GYdSJ-y)X4N0AuNJMLT@9q@K^sPgZt8$6n-& zN}PhZ>!hq*A+s-U zE%+C_)u$U9EZCa|`*+0nyEZ%&55&8h^2F8$+(z`tfo8roa%riE#P&oMjPg{~5 zCF2JQv~|8MFhvL+n18vV+WMF3@3~N4LR)}Dc{9V7m84h5x##e7U~f@mjA;#ndB_P8 z-)Q+-jE3!C3V?7j%EF=7R*1z1rEgZJm(Sd}gyIkJ;FaDch4g5i-V&eWlK*hyQ^Hxm zvDQIz2Nngtu2ktE!-TH%Zq>nK z-8;eb=8am4A{WJAuP0*ZRq3@6*QoBBg*k+aNa{31uA4vkg59j6-`Sy9yF 
zH$<>l1n{?gD}x2{=8`hUp~oMB_x+pR4U$KUTP&M(CtlqP%TY==G}+db~Z8+zcByKzE=w;VZf@HgNI@b*(8%3FCQOBT^!sUbwA z(u9LZSNMzS{$X^=BNrwUpPju>qGW9J#!Dx=dUs0JXa699&EpB%tB7`^I|KF58nm|Y zp^d4u)w~DRG_cB5_D~Pi>hwu*}RKtOcn3 zZS!fzqKivz2YKd|+l0=M;8!HmZ`k2Hyr|1@ojCe(MBD!zj80|YY!z?q=5Vnw5YQ>z zISu|x8Vf?#8{M6<d2VY>IzohzO_poF-lLKj@cmd{AaAk{1YlLY6f z5NhTqg-=PSUu>25V0f|gpRBMzN1hDd*t+eR!xK{g_i2?CINkO~#fU%}EVbJkJ9F`v zrZwHy61U11>Ev2}Wa_o~ao-4e=93W6vpN3h&OQMy9*T zB1f6y5IP5k7c0kX6DRFEg|nIq5!$AJy-RYIhYpuAhuUqmd|AIg{L|I)uF#OQQ}#Wk zRqUsSm}!mctA^)J-jc^6W|@3fuS6cnG+YBpGui?$aYVa@gI{2b9s-=6&daOML1kVbb!AI)l;RC#R$E>Dm>y{)dlb z9!w**P{u^rU}EMK-Gin6t+3lxu3S?ScnAmdlaEqGZk_~k5d?9 zybG?aXoM#e*_7#JwWjNFpCO- zI+zZ1g>aU<{}6VeA2kZ{atxThIBgABpgYF^)E8g&@$1VuF_Ei)Rd!6Qvt#ed&`orj zLcSe^wJ+*AAhLHbIO9@Q3Ajs>dF28T`QeEgyn-Aud5ZcRU`CaCu|dc}%>i zU*`A?+BXPS8uuZ>^xk}Rm$aP?SYi^X0yBhgorrb%E95OZV&3_P;Fst<7REBsu-ged zyT4f^y5@#SakAA;&L)=9rR0b|%o7o43`7irxb(U&{m)cs0@zIkgVjUFJ}Gs-&f(`2Y#fv z*42N)v{qf|?ktQ!-5#eSeka;EW42%J5GNb}htN1Pk>$eX+r$~978gHQc64bUj%Wc# z7&EK|THqyiy#@~Qat{VBwZ~$s{o`iZUs-PQIpDVn@Hm6DCNb`${+t(kPZB}_-RrKgxsS^_;*n`~ zu#8+s#;=<>Am8kRX<91i%5&~k!(?OHklQ5?x^c2#*qgB(hgqO z=Lux|Hgo$!o&T^65=}8OG?F%wH#BsA+VmK&V_UUia`ziGZi?>q?bnwV$Sf(pwS@)C zfBQ`vRE-&c;(@`t^e^(g$doyusf&6lE|iAjT+0OXr{K9+Yd_G@Szt@ zVl_kv_kjG$3ka*OtzoWzf)tHY+tlw9K&1CuBwL)<%UuW`Ur?*%SMjVJdmA-({BolR z(H;pNwKdomHwAl+ehp=~&4vyhcB<;M06;^94>p={gPG-KZ<@+Pm2;+rx;P?moa9zN zwjEII_Rw=fljjU!{6IB=O)K1Qtx=_WwRV>MXUu++EQ1!;p0|V%C$g66RPzOxU^{BK zo4J-gW#cOIfWicPqzwK%WSB284JApecL~V^7nOo zM}?>LxBCzXiCxp0fSK(V8h)k@2&Ro0bd1mCl~_ZLrQw-oKG()qNazltmT3kmJpDbK z#BbyQ#1j0pKla*$w%ZFD1-zu@BKAp};eM6Q$q)fVC*aaO6nPc}3=#lZHEE-UdJZG> zf~)X$xh3O8Nq^^PUWKCx%a2Q^-PK-PWJ}VN_c&-kGJ!W8&=y9$J;}P7^==^tJy$$} zkEkX_Cx+?P72Is`4b;A|!cS~=H**H&4%=JSqtFqrs9!tMPPu=xTZmAQ7q^gG8hO2S zFpQrmd8mnpS^n`e%Y7-qhu9GMK=kwE|IujlFBN+H85I5uIHQ-#+r;!DjQ9;14643pF$LLYT{-;7818tz#BrtuC@bt&5#gaft^{kJ`X>reOE`(_+P3JPt<`v>*4H(m3QSDcGAY_6gEXd=1rs`AaO 
zd{mpeZdIq8Yr~Ei^T3qYkO7b^A^(LpDu4E%T)cW}MO!QXG+g+~~v=udg!^QhADDm)h2Ejwrc7#$W$`TgPsu<=Wz$#{%2 zp!v+X$pZZU6qAr@fU7g$DJf(4e=zZXmXiDifieTrxtWub6Xvu-oxol3nR{FK?8g)J zvsrM{K<#J1yI%6W8%R1CCfLr(r0(zg2 zQM*j>iDt99IRqM4vATG_C_?6`$fsS#9DPVU|5z{WlnU;X#8t;Gsj^**2} z*F2LB`Yl|k{;AW+80-bE#TBDhSdI6l9#&zNUWsT)TwtRlKIW7%qs9P@#00YOrp%e( z$&auP1QRW_2_TU@B0}`X2;bjMWlqlj@WwOo6`icj2!*_^drgjccm&X%O8{EEPq{iR zE+ktUbRLHs_iMA^N%z93c1Z}*R*ch~{Vlz=>fwz`X+o|1L)h%GQdck)v|1`O605XG zFDZ#&Kv~I`Ctc^>{YUq$QpARwczOU+%!TGbK7fT!E~8a0z4WdmQ1`)BPsC?5#V_x7 z9dA#(^IA{DMSLq%4SDw9ihRy(WoBauv;7(q^o$-2i|zj47IHt1?eJ!b3MI5w=xH>F zA!Z`-`0MeEBvXpCqRd&lE&M#w1~FZEFynYV$6Yl-Q|`qEKP{5yNhA<3la80I$rzV= zBR6=G0hSSAZWL_)(dVTRKRyqTdhYh5ot@b?O0LrTmbIK!@ySHy%FHR@eqqg*8n2-R z-(HCbFZ$Z89ZFuNcLoGZ0lkc59Ch+%n%SM{Vfm1wPRYV)$_CiISPAS?TFOnIJQOB| z2I85+;?MDa{9F{M?c-IuyDSakf+Fr=oe zu%x&oE3J%c{%_YZ(>uL{y5tTj$5r3LnO^}>|K+{+@tLA&_JNrgs6h&aMqj-ZdJyCr4gUWGCjkIX!;mD2qumqf}jfk><*oLtdlP+Y^jO&EHYUDvUlXZTA=UA8=Cv=9*0`KHQs>R)$`vLFVFof z*Sw_3`s#(^tH*aa`Oh<)Ik#-UdWj*1Q~%6)hj@zXhvP#=JIdHtZ3BkT(9nR}+k^m7 zYPLjarOHX@n!mSyd6Tl-mO`aRySc-V$nuuygWT6!4W!^Kh6$*0x84U@wS08DT>y!i z;<1;iT1~wZoc(xHfv*eaxIka}#8UE_@OA1khg;w-u(I`Eb?SFHFe#g$;M31KBeCyQ zJUNzEFp-y0C(ef$L>#6O+#Bq>q=}TdEJyrHRr;Ofq1OsU3$jY)u5)Jc3% zE}R89r?N#8nghn-F%pgp6UezRzmDpP!kskgc{g#(rZ7LNUtf|X30W*CGm*u>)4I9L z>7mAMrB0zEN&(wN8UDHkG3xziXHv~WcSVMjxBTBSZpdt-_GCjH!v=;Q&r>7}2u`A*bDvW_28UOL*&+_?A1 z&!Pt;+CUg|%mJDG11uynTZ%z4X#Ma_&S?Zy64q5}w z<#^m9^$51@=)gogHOz(ZuT`&SLRO=L8Vk&Gbn3RcPvlb@>=`w?-P_Z2l;#gybC35r z2@l`Lw}oe;R4Z>toL%e!Z>c0#+4@U^ippPJJHKUOIWiv%O`&Ff&kG)CsLL>Jb9^G- zEizhpyKiLy8o}Snzq^Bk7)P2;71$;6xM`;l$@YJ6s}QAEoVa=+e^S3gWdZIf!^U`{ zv}RShl|WW~U6y@vS#IQ<=?ohrgzc4G(QN-_Jo^mT%7;cz8>ah~H?gLrsn?5zxc$Uj z^&Qcc)JM)gs(!pYbTJP3(H$!n?iW-TH-+2I&Em~%ZaHZDIOipkls()nZ0OP_rS(qJ+R8Jz3@3jy`E-Dl)(9{rFHW?i|LUR2#)~Ebj!J~Yu$G}Y|ZCVvEsYj zN8yoraIEaxLFZ7uBOS8WpQ+pNv>=AezM&1{_mA zz(!F1Cl0%wXFqy-Qlw6pn30W5P7r(kp-gf#__6W*H8I;5ztc<{@yQm!64nh(+=co4 zx?aF;RSc1QhULX_@QZMhUe1+?QY=@id+Wi< 
z*n+3)eBVi)$~FzR7?Ww}dA@(|#+<2%!AWE?uQwa_B@=6(`9Ndjwb{OeBkcyTVC2?3 zaG>{QXRvf}7OP&Xo|WIC@RDRqIWA$>L%40cM!=Q6sL#@jmi z*n)||S^iV!j6!m3ItZ`^Qp&{r@GzpMVrH5!acK>jY%bbZSvttgEGx|G*f-+rq`Dnz zc8wV3XM0)KtZ6u@@)6tk1-Gu`_HoTq!IZOqk2|c+#jRYwt6iHD$11b}?eSlG*^zxC zIhIkN8$oUe;pFr#c<}n`Stk$Ggsps9)>z@XLM5B53Of4ns94t&&|`gZW(9Wv?hfC(ScN10lD}>uZP5MYcsVl>1&v(^aNL z1ZtMCbg>On<$MKDqpt4MKh*&giEgqI)z_`2%Jw0yjn(Q}lDe{;ufah*WP}B{JE|;G z&`P9zwA#?!x!LK>cWcSytBXSq%v3XFh!UC#6=s+Z*22S4FN@^*&~s`BKriv__xep$BA)=NbQqDb+48&|Ia6v%I!A!Sg#^ zTaG*_K5heJ4{hX>KYdOVO%&mIrPL$IzuJCr4SIWuj_Nd@96xw;QRY!jf(cwYe^d@-k+yH&+zrTTFH*W!l@1C@7%0_bh*}{ zx;Sgl=5YS8H5K1TyT@vkLe-}B-HFl|u20>!$MaHBzp&nj#@qB6Z>A16|6oUFs@{ymA%I}n2EbWus@o{@;AZr+f#p4*Ptb&c|3vo`^2F|9QiEiz!REBDvF zz6|pta(|BUt<#V!6Fl4+`gn1~>o7Ebv6ku;jTgx(yf_UNa8p-S9b{^3)=-fKK8~jt z=Xhr0lm$!o|1PN-hy%7Pymj%}pOfqYx4pILbxX$L@4p{Pnd+HN1-&t-Xxqk8foQ!cdFy|o!dExGd#5jflEUIG)s@|} zwOXRslLCB5AIj<|#|Uo>VwG53IT>Q1jR~qWb4}KaIWBJ(f|gf%uk=Y;tAujz3a#gE z2hR>kU6MT^Z9C+C%cvsX;w9Vr3@F5a6qc$IT>~Vt*5!ZTMD=@tSD ztXrxB)m}{ge~v(u8K8OQmBuEIaHz~Anf>(sX^}idX_on%BJtfpc09Ngvc>CsH{9Cv z7wZfEaKGGU$MhQKc=Qf`ZTh{gCoBH(*?X+gSh9Za z6-iT*=9E1 zRqEe*#}PB~`-htj#FtD}*L#jSfxBJv@U~Vr$ghgo<(Zz@5Q|KT`iV83Kej0g4L97r zcj1s1ikJhHv09Rgp=7l)iHjUGjd3dO7Y*pOmR;$QFMZ%;kZ~KW+p^*`pgFL%JDbW zqjy;iPaM&XyROoLu#58wZ;46+O28GMM2m558g`*}|qn#>cGeW0P+z-VgumIn+y7uGDhRkaiF7k9#+;|`|BtIvljMI6Y5!8^a5eDbs*!r(qS@Hkp zRw}q;QiwDmZ|yHv5WHlB=63`L&5d`|Pfev!DiofpgP2MlJ-Djw4>% zQJ}eMb&Mp&tLXfpf#ScICCbOha%rjmRC}zzx1XR=l^eQ;;$!fU5?AaFx6&m`NHI@m zAn}mF6Np2vrSX!5i8MMf>DL!N^n|olw`JtmOm5QhXkGfmyxkg4;L|N7S9xQf_8t(w zhL4i6WB2RjU1yF!6}QWs%5mf9cQF`>H%ae9{8OfxX4#M1kl9<&@=m)~>S#oo3$t5t zig`A-gjvU`0<6(_*F4a4gcX+>YUQS)*kD5f6?=_wQLeh37%l5^KJV5N`NaU+G)xJw z(9OJKmjOj92^61av!Nr^2WW(P9K-mpKO!0h)UIcQpfsR5`Bqx!WL_Q5bI4K0%r}y< zXp@=%U^T$S0B3pofujYaj{gNdm_+-Pe&2KGa$pEk$X=tpd}A^1j7aq2s&DxsP|E73 zm;xnJ2st zMfCLH(`6n=z*D|ogTm&f08?&!75Lg1b7^;3xSrE3v-%uC#MJuqP~B#4tI6)+f3PHp zlqDvm*4K(;xBE3hpv`yMF)Dt$Urv`WSX^bMRGB0LmxXek-{&cFtj>ym+$$;LNwAcG 
zC>_?FbY!?NI_!_>k*)FATkL_gV&NhiqY4l%ItwYm`)hPYExu-s$4@vvts}x_KH&JzTAulr< z41%P;AGjqMctpn!CD^%^y2UXa{B&qnP2Hyz&kjl2R9DLh1hCUUzk1(T$5{k`{COv* zL4nGB9Be}Nf2@ap3GBXeGcH=@Y8@<(hE!+BKhF7Sls?1;#u_!2n^H)77G1#sZz|!E9EOAQcTMW_6?>Il%~HJ3M_@VqYCy>UQ<7 z4$8p^6volR=AkWIc z7XzbInAp1nRMb2)4$+e|g;tENvd)cWx?)xsfLS@9K2ZU-`No`5 zc9pH6ivzp;a?qV6R_WE8lQ}|mL00&|?Su3=q)peV4{>!u%eB4M9kojipoKvw(n>XZmKBhSYIAi`lxDT#WAat+yo)S~uq#N_5#9 zM|V_@UMh-xjf?RXmYk%={aaF~WMApICb_t=OSxfwrTDV=QvMsksfj=kfcTZZW3Yqw zjuEt*NQ>s)BgI7|NZaYwI0IZ2_gypM5aO5Gk-cRfx9*f5NuZyC@Tr|Iw1vpycOPF? z>!xBG;|gC~xe>v- zqggXX(&{J8%*&hc<1^VrH)y*21iO(EEh_>48Zb2kP(o~by=0gQPj}KOp9XW4z~5kB zM)tR)O5^ON-t{)SZ*$$!3265hE&x4(v!_-CLe}CPre4&@&k`al$$n6s9v(=%a@J$k z88R_sbR}#jIC+_bH|=t0J6!W%io5b{K`Pc$!{9%Sf$8*wi`&;y$1G;+I{xw}M=BnV z1OtNey1@Y}acbUUNFh}bg-ScGm{gxsfV;P3d{vc*=E$xaqaX&sW0(E$j>XQ!!wtFY z@*_%S+uFzOk&RZ+uepQVqngz=YA(}KeU{LUg02RO_f9E#8g~@^u=X`}M^vjNW0w52 zQK3nb&@ex~r9sPV_FU6%=*9Van-ibDKor`W_o#ndZA2@@%@4g}hd8q=sXkKf! zox#9Y*kdMX2t67!&nN5#nDNLUP1fqXS0;QQ%xqEGl0#Z{Ao*bou@SwlV49|ck6=uB?pLQ zVoqec&xQ^~BTr@bXa}Q0Ea))pEnrS;-4xoCNxUW#QD8d)@PT%SkI=Qr%u*?D)r3!&5 ztf8vDAJAAuk^-`WVZ#*)t-WJWLy#oWDdO|J;-{H@SOL*{4Gyr$KC+b^p3IpCS%a!q z-`}NahLb|z6W5WkX}4IC+}yjCqXD3SYkrXa^aIUDnPFq^h0x(Cj-Bpk8%|tM))QJ~ z+P>Q*`jt{DC*%K?r_dpm#}d)<`=z{~7#mQHxens&c!kM|uhM$jjWQ{p>mjm(N1FDP z*V#_-Ja3ykDa86+6^UI&6u+%+5@P@Ag)4p=TsK40HfGCI-dnd)6{!zga}dF)P4s{* zw0?c&mja_z7JFHSu6~6$O)UJpk#H(7+5BoYz>*-WP#Hg@W%E4%3`je}Cv&MtMEOQe zF70Tr+fB?^@>mK#`AJ0-C=TO%S*XGVR=(f7He@RxsyxFaPyHcVb&$-pWu9<8;(#kP zL;bW|%_MP>oCR9MZjF#Ub!MNqzSiq{alEVKpHKeQ>o_o5=Q^-S;ohy{?HiP2*7~yd z`V+U#!KRi*A|X4ZiTn#!e2ov7&;FMUIqoHXK&{I!g;NXsHs1AKC*b|g&A`F5I2rqt zA?7cUQB`7v6*hWaR3nYg*&+Lh${Vkge2FYL-{e5k$$8y&($l=jxbF9#vwoyb>1uQB zw{{rj2e(V^qVX0JuZU1!%08g`ZaK=dka}C7ep=F{`X%N&5R1nWVsVW+i63WwqriU_ z$Yr;YO$lh)U#!~^Q1l*cjI(F)>|O6WP1RnEg_*8+E<`ZT1n=(ixOSPFHZIG4nIBFL z*!LDFo$z0ypLD%z)Kwr8BmweXtk7@Fnpp5N1PLfHnX#=~S0&Wz0Vj*+vrcY(;0<1x z*F`wQ5c|)wGnzC0@OGYFFZFCgJkkBzL}w-f7W$IBOK=baWk*;9$@VOoBFOteIiv!h 
z(C(y5Ty_L2+W*#@V&Qdp0AIvj+}hrYOZk0TS@4(#GZo4jm$+h$a1}9cufrcA-w-{jp>_# zoCF0w>4|b@Th@UEdqpK}RXJ#V*y*rK;9K^+x0(d|d$+iVoMo0d5CIOH}~R*-Le9xPhX>;HwS(a`nGyAv1@5u;g$YeHXKvnuqe{I0y(?(Bev$? z!&`XI?<)VUeENH-Nl!xA*QZ{3Pg^I%Y|2T5i2(y9aZ8v;%Ia7JddKN$WqaRp9$1}} zvqp6*`|6tW&v%SL#^-CDURQxGCmt=7rhazOv!DB#?5iX-Jzcw`J2hylhQ)$=lm;!H zAnLDhg9>+O&1aKj`DowOJuHNjrW=!mPH03*s{W{_-5Ky74|_v9nT>&el&vp9*YBqs z3mrR*S!xv7CHiLmMXG{qx13&&UD?hmlVDE6*)}jKfE%60{D7Bx-@z)l@NUZ<8p-!) zg!a{+ShZtpr`Wd`t4}qC4_--NnMo!5aeTVna3lTMJrZ$I08nQJT>?%Q^g``91IbAQ z)isW4v%j=gE6}@{NC{d1ps&a7VDI<^5)Uo1dvYh-@8@CJ6HY0?wSd)&|INc%TZa}g zY&7meV^@{j^$}&hKQBqX62ATfLtXv02F<#`usNR?nT(GemD|x?1_9cF8eO>yrt8uH zbIsJAU#;v-0OY@q5VoRe1+P9SgsgtT4ZQZGMqrf|>VVVzRc**R98;W7ujafS6W zrQhb;CXORs>YP6R98=rtBjqPk{~cQA{5m;w>!O%e>=o6m(+sjhwJ%#rAGcipn?2R8 zk=%3S5jlqoS>ah7-zk8EIXT^Y4>A}(uk<9^dqyokXtGIYChU@z4+I8P-_h?C)bLW|k^c!(F#f=B?H>sl1 z(Xd{=Zf3jR@uIK^&-|pg$DDekduC394utIMAo*^-ZMqFHXy2-%81&jZRr(rF>!4x= zttb|cEz1IEDKpz6_mcT@FhQ`~Y&vq1ij`J-#i`fjXBIo?AF!sf^?9Wt5GRPG`Q^}u zeIBtLbgwhURM)%0JPSU7Y7gYI%TXrDHJZw9EDol-00mUWEiV3Bj&xMgOT3$%w86M> zb)){NHm4qSIWpaK2Xh@@dd;hBdj6}ZQM{(()RKO)$xkh4lc{V{cx zfNU#8scK-d8PAF$Rk7nBq^odB!{X3m#siZ@LWs>UyLe&(yTE znIk_eB%`F~${TY=xJeZ@DqJZhb`gGveW})qB@r_4Kw8#m&$dCBY1i?)MkG$2fkf$V{JSNxonj@S8MN>HgvFur}!-S4-i#$GB$mxiNvIwF9I-Q@dx>|@^k^t{+TxVi9Hf+_?A1py>RQ2=OmXOr z0{i}KaZ88W%rnc4X*5{V6PJemz%R?HjEZg@44PH*nl2)3S7d@b)rSYK#q5AAsvIlz zzP?QU64)3qx8a@0f3wOXV1H)UX98scu3^y+4tZn8a3_-rs|35W>4ob8i^pg~NRmI& z$quUAc)ioB8QA@;Y{a+l3fASK^qxvjQooG2K(t&U<3xS_?H!dDWQ(Y6GZCBP)0O}c z93H@jl4h!ubOX+)glU5bWkt60O`BYOD>FY&XSNo|b(DfncmPMQn0oUE2%$@<_VU(tu6SPj-N~&H zA;wAD>dBIDb7{5uo$|_2=$D}ldmCGpg5D?F`=$fT@{TEl{Z+0~;N1wXX*06JcH>n+ z;>ML_b{liq$)lBZ7U_yj?V>w%S-9nllP3H`_KV0gR`WY5YHJ zqVWAwFIi?J4y{tlj_krS%nQOYylks~ue#i?KHR`RH)%W&DmKV1d*j~A+wom@>>ZoE z_tMa?)F^ieHygN~2C@(jGE%g>#}=!y;jJX^eWCoTtReP&2$d{9_vv^ab(lMUd=v<` z*O%1iY%$A5b;96V1>R33qhU?&PYSVDVFX_wTwMex;Z)kQTjI`_?fdjUGTPLOoOUx| zdjMTO!WcBZF%Z9k78<|*9o5L==!cz}7$7Pp0|~+>BRLq^lZ-6_35b~^5cN4#GV_rU 
zk9#WPM?@|9Cx)%EuR;uq5oz^fo+-{omDoUh>?t)02$A}J(Wqx1FSPZHc_?K8)y$1k zO6<>q4^OeMc{vEM-a)U2ZOxB6rHx8pmJc5`$w@2A+swSKBV~b3PATa&@HNw{NA-)% z3CCmaMyf3-ID`DB=j~)^MpIP1YSQJAhBv3(+!~J3_%n8jZ>D~9nLtfQ5ETeEOyUUm z`Q6o>1lpB##trX=|5pZJ1x2V>kp8k&uDrkrNS9a7mC)&+S;NTR6I5)1rf<@ zB=4x=8*{V!HwJ8|6nLVMIi~k{+hfahs6%qX?T|{eyN_vU3{ZPDxW~zvC?dCWpVXd3 zg{fs=#S{z@{~sdk9*!VJHG6wP`ky(t8ELPm1#SQ@3lVRz1p{!>6d8G;K2&5)&Kv!a z>vqu2w9}+i|LMeYGPnumS2_2oGG(_WsDkb-=R+G$;6ceUuP!?FNv@B)2KOsSoMB-0 zUOpJ_fivD{XaO|dXh!!8b(}+u`rsUYX&`ovk?dGu7Q;yKnU^^3s9~8eh;IyGos;-6 zIIcLwLY4hK`NYXxSD|4+cIf;{Kwm{brbCSXqOrtm*-B$1O|yvCl6fQ(0V;vtR?OvI z^Czk9Imr*@fG;_Ax$BbLDeV4FWPTTgK3V(vM!)sox8!NnEpigxEJ_+KqU=&v?w1?X zdxvTit_U|5Smco$IAzY{qVtT}#qZ}SF8u^OIsA{~y|q(TxgguH8OHZ&nI#kwqMy6SFVzL72VgRJ2`$b*(>gzswt zG>cpJW%m6JmD28JhjTLyD&q+mC_lw_2X3k-UD>ppE@O_&))s*fA>nFFN-KoDya(J(jb2U_=zTIu;#7D!S`-2d1m=IaVOs@G>?sK2{SSXLW8X_orw zI{BfS#8=F(X|nJ<&wLtPEmI`p-)XnGv3_0^Tohp3|8<~2!t80xg70m9 z)t?lURy`^iiXVcP6uEjV)=PtAyi@FrlZfhZ^G6_w`CT)&_{q9pGp6k%LaoO)Rsp$3 zPrmSycpmkgAlmG#bQ9rv;Uea=2Te-3~DrbS%cP-aLF@h1TOK8{e^6 zOQwxtcGkn;1%^@ih}R7?KF0vU!One;flIs_9XGSL-ZAENbLU;xyDZN4%A1jF;I}>M zv6~Oc_Md>uE5!tv%RZp$Vh!P$RUr$v{HuC2RJ$@idd%K<4nq*g&&ZFq3(Tb+0Dr97 zMynwy1L4yX5g;h!u$43EJVDZ%R@)JSlUaViEusm%X$vX=@Af}nS}nk z>5*mCJ2*$X>jX7!`az6^Qz%;3G>eB{&iVTR8v-Q{fBW0NGT2PXXZO}9sW(%p07UMZ zY#SGYLv+%U-uBO^<&R0!Oc>dB1&lYFm%nZ6G|HQ{6Q~C(m3Bq&++Z*ONgWR&)1E3L zTl^&-@Q=Kwmrsk57fYmZ{=+ATDiUdC*|HS&1M?ypR-Az28iWN)8r?RAfH+9Qte?^e z22s_XSGdx!lzbV1LpStlKM%a}8GO^^Y6W==92Q5 z1g*yyv0z+@SNG?s%&U}ANW>W0K_VN$NQfATu92)XGlET?D@~s%_DcE$*|LW8EZ)I$ z|B=Zkgl`l;UZY&ow|VIe{9nCR`e#E9PzM9s1Jd~ue;hW)$_jS#j0Mq85S6DKi0Wp2 z{F}o;O4n?l9muB2T@XG;9*=y>^dy6Of$=rG6AW<`bCbf$$41D=ptCZdx6$aG+kgBj!N5`m+G>v+Q~9&bj6r;Pms$c`?!mLb-%vW0@shD zrg+yeiVL9-#kXxftyo9$UI0`|^Y&X!c**ZV^^^;~iSASK=rG>9_c1Au+u9_$KIU2o z89O4hhAm7|wjyZAzMyv&r9yE6Y*y8EjVPHCBf?lc&M5~S#C#~9n`;b>tzIQMf9W%!1P{|_p&DA`5rrN^Ieg53 z_LDk!cgz?`bo1R`DHEd5pLV6coo{qWdwx-Tb&)mqaEE9>-2lvVR3+BY(kh~S_m!;~ 
zes7t8FDXgj9L_f^R0VnooC@y!IJ7a!Uk-I1ZPY3}JcRjhfakm{WB>)dHxU{+pyu4C zuBPO`v)RO0NeXar*vV{nI|~}h#2)vZFI74yOTZ6aEg54*xEj`Eo{xN7Yq6DTzDgm_ z(xrnl^*!<ToI3iEC#>D_HmnWc|M$~H^;LlR>;O#O?j(-8`N zsq;3M_;-%Wd1q0GUc7q;iaY_ABG!yzoyA|)*M7faa&_#kWs#y`jyxiRW}a>7Jlh_*IZz#~w}}a+XOy3k9nW*VRZ8=R#cbI> zSlW3>tLP$d`eSRRz8B(UVt*CBGq4M&$~xaMvi>gY`>!wd_IetIbzauVn_?_X&eM0q z()*-Fs~a0YPmA;$Ck+biPu>eZeXCgfwFzOdM~T|eZ*~0qt+@Wn!q+F2ayZL^o-aC` zaNYTp={cmBbRlBv*~drw8j-zW!^r6-*>qpi(C}H<%FmTe)b=H3@LCX?#L|(y@DKM! zWf7{Dnc#q=7Kf?CImf-n;U7YqzYtygU_R+9s~KI)BRlc3PMt?OIrwl&S8s4s8E)qW z`470`>V8l&50U&UV4S}d)8i=H$Ll>+vpVj!w&u{rY>GE?wR`#4T(+oqhs0AoPIn%g zVIX@Y4Rp$~T5Xs%5$=HSxVkU|V(}qHpXlsjh}0wtzH0e;O9iPe|COD^Pxmp8iUC!_ zOUl=T8m$KRKkodT z2y6VV>jdtAPvw|$^LqKNa~CC;WzPdKb{l5^g z(zH!R!Aw7}dzX#d&=x_Z&WdLo>*V?re`df$deJUZzGkZ=TOT@M(veNJF9(h#j9cYT zn9lU<;Nr93e2ll#+_$R4rg@@5?1Yk0XZC!uN7P&1&o)}z0hDEeY>I8-aE`+hzFG^r z{K~e*|C`kERe>Q-u+hA?c|4MV0nJ4=AQeQF(vQYWH{< zZFqj%@6P|j-djdxxvdMsf*{=jBHaxFN_TfD4G+@Y(%ndRhlqf5cXtZX-6`E2-~H%5 zd#|=AWz<^@D~)Q86vV3!#csE|lDUZ=O6z%A04L($Lt`l7 z-5s{GYy0rQ0rzBK_=5i(&W6;q4vPhZ^-#uRuLg$4$q!wwR0h`tNtUZ#kAgWJi;bZl z{UD8};|G1i`KpSQ%pT97{a2k7+7ul?Z2{?A9$qK}KQjqQ9Fmh00HK z3foB*l$*-sco^k5X%%n5<XX{K&?<1^o~kJJs682HhxDHnB~eG z_2e>3`a?NOYbJ$hh!fv%GCd(89$gFlomM5Sic#&V=lMpK03mx!W4Cwfq{ZA9y)Daf zw=PLGuiS?0qLptqD_qp_pZM|i4D=mz9_nM5H!ovO#*$;o9TIwvAL}ipEcR!LhO;n3 zf;5#mLgsBeu=1364YVwC92yFN88ye`K&f5xkeK>Kz?QK3nJOCyO1*^@w8@~gRl_x_ zK0DL|bHBM{YM;AMCE^?8Fmg~6^=@cd&pu@Vu^C*`_4Mk5O`m z;v6Z4PPn-DL5pzPNeIK$f-Z-=HdzbkpE>wQ!|Ymy#EnASe_!thK+X=XlP)NsPL)Ib zm%ePr5FaO6tUboaemix*3p)!BdURZh7xZUVz7*qyiSokul`q%cwbRd*N{A=+eb$SU zn{mLB0r&I&o)Ex=QHnu3Z0Qn>~rM0ZA`=<*YrVMZr^OY4jBOaL~5}NPC>LyCeBJXq&|w;Qdae z|C(S&v;ka{QMBxS`Kv@hpGFuXJV~}O2bZA0LvC*mQ zNp=!=>=4m1W+G54c2{j1!*hGXY19urA$y9Y^Ab2%P+jZE`JBNdp_#!%4t{z2%cbgD zuXj{Rszb%9{X6;9eyMNkD&NsqyxC6?2*|*Cqz7WE@k+RbYh@37Kxp$Ft;Qg4I!ixx z&0$klq4Fd1>8H#tAXD4FBf~|XwOY@{(DLkMFx+8prH z6Z-={Jn^Oi+DwEnznb{Nw4i@Y4*0WIWYxg^>rUPlJpA9LBL3``zx|9q7HBdgf|I!O 
zhtW2_F~9y~+90|HAZc_nw8N4A1gn31oPYj=s2@Q0XGH1q-`&Xgosa+9qy6KHkMsbq zl?^kB{hST;&*2Gw^2^^Yi)sMSvcj_*m){zafAS>1drt38ETE6*^j1RFAMUpQ`#%Pi z1CXbB`j+Q!0bUnCvee$`z{uYkQYfqjKt9$xkKmtB{Y!BF>kFbXa3`sY>y7Q-J??*6 z;xiop`To{-zqbhf1K=a40VJc}-r0WmEjs=q+7tlDV;j8B|9_a_-yKri96<6%cMlHE zzlG)hW3S&3>i@CVZ-4>&f9&-e3GsjI^&4RD|LggM?$^_ zt5}qLUHi)kmQ9G#slOrh`F#+C-vn({`XwyDFJRI{ z%GquW#Vw~s@o@vCBW&5Ce?zDfMT66f_}m{<hh}9Y&_(e_uq)Y{ooJm>VJ~<8 z^P~Rj;AI#=>Zn#7@%!cWw+tf(#t7Jhgbk#UrS!m3r5ODy|NUD0?QlSiT#fDivzeO5 zPtR!;drgrTjoRC~cD#V$)so5k|NT-=AoG46>$rTv_U@`hv0hlAFP>gw=OVnykB9&p z;&0#;bqNeCpktfA`?`TtLXed=`w|y0B;3Pin&-cVdG8sZ=vVL10lmFN8MN@__W%FeGV(~E(SDb$_XLwxfALP+ z;4+=3-1U;+_6s(HrZ_w{4H@=SK6S223B$%fT-ZQ}HxWoP9m@g!-&wMMa4@W)(OH9P zfOy5V%Z($mXIsfZTfoaapwtSeZjV!@DpCKc%cKodo^7t1qyCL$#iRHIpB;;aza(99 z<02J7m0bx?c@v5C?a-QH>^_bNRG$Iq@J}-Q!;${%Ei84UwLqinLV64^RX2cpdmSsD zMoAI0zra$b%cLfY%1AM24)u4=SH%wm^ITd^k_%PqXeM5422T_y#aX6tC02|YqypzF ztx)*y1r$G#xwjwOs!ZZ*5#HOo0WX+zMr}}C?WBmU=((w_%lVE&(gv+^FEHQP0DJ{% zxwXw}7nm6F#&$r4?U^Q4K@!yQU3LTk56#l!QH=Rqv(`(^2R`bzIhCHon}0`cGogzI z5iQ!%%3qEaxIc~7a*?2~1NyptaVpb=NU&Ne6Y7>pB(w8OBD8j%lHD&l0#$hp=rY9s z9mG%mrvTWepxB(~DNN&*b`ZzE^wfWR#UBcVP7*YAc#mT6;G=!t8-VHg^p?PQ ztp)(Zo9um3lYy^3H#AhE8#!4w&P~ zyC!AO_IWv>3UFI2t{bW3B8AYjyV5FW;49PGeK7Y@Q^>pGcOzCFbcU#%rz!+I4yhmZ z9~zrJU1TTpQg#I1VCy3P9bHE1jY!y;a?_Q-?6LZsu=uk`i1_eUz0||qwc92oTbbu0 zgmbYG<4m1hg4~FPRkK2|nM>GkqpA$BdBP%)-rcz1P5m$7P;Zd3o^;3)Lhz9Dh1 z=l;$Xij?3j(ux=)*{l{^&ud^HQ^02xd44DuH3SxmK845S5^oR$G6+OI-A*LXrlID4hMW<5>92QF- zJa+3=o;^c05F^lcgT@~L({>9Q_xd<)Ho)S*^}A z?t^P}Al}U(-VW=M^QnDbGeW2`W*KwZ)L^Yi|jm~ zR34*Zw^znN!}VL~Z-r)g&TId1?i%1~WzxewA`YvYA0Sivw@~M}?>@aNP#1Xs%I3~? 
z`C7Fmo1`e~S|*wfDp@{j%~X4oh8fek4#_vED^a`7nv}cuAOn@Q8AIlm=b11E3BVO_ z@%w?Dy37-kx#8G1+<>ES5vB~943v+|Re)OZ(Oz#Qrdq&cr zEwN6-ztV)>P#9Ncw|!7tB*-v71)29CrM2NPUDDwv4qfn{y!F8cwpzGBIx&yHzDGVA zl``!kMd4Xy;~NjXEIN?gdSG5E5sxrxkjxIoyxZ*26?K6*j(@BZFE<)KaQvE9?~ni# z70sTiFkS*V~ zbPfPBQRyBmK&?$4D_x5xWfNf~$iQu^lMUK0efDg#1Dy88lqh`Dvjiw-Yg`2)9WVqQ z;~=2*T_o!1Z$13q(JHzG5NIVylL?0g!;q)~9vB5(Xq3JN&Rz*3kO`w&T?faVfHgXS z30Tv)*zbq~N(Yi*spZk@j@z|5^d$@L@`>Z(HYqd$7Gfw9>CWw zz6rza$FEsHw^l1OH0&f=?2Dn?XiQG%^?nNT1uWTs+lgc<#hMU(>U?KGgNfHoO`${} zeiFmK?oe>j{~11A1%>M@&livJj?sNsqrN|$Pb z{VNlJ-v>aH)OU;lou6TKeHs90Njo3xO2PCs4G9NaNX|OA?>8&g-N-M6Xs5qYO@SFB z4^2?;buycJAVqq~YU4c2b%|#(awkizQe221e+LYZnU6n86@)s*g9H6#ngm@5pqJ0- zYT*b!>4gPoGc_P>l%fX~i0#wzX%?KkX1b%?Fc5b*5(pnXu$PG*&X zzxy%xStPi3W75qE!Oapn^j{qL$5)ZEfR{fCm;UV+)=>ojc%pTFp#k%RHxxQ^Q0|ry zm=UTb-t62#w*=VNThuDbM_u&nK z*C))Ub0!ye4^Mexo2?o*R4BBY-O8;W@LG=MqWKae17)=~fZN1(lRswbd^ghM>iMQR zKv+~kQ^k5lNw2Tpw%Es{FxgI{=DocgT@Nn%v;5*OhW1VbNFs!q4fj`wf`|rqqR;J; z*p;DzvCPqj?YRzwZVPk+SIFZIMP4J3NHVpGC?<&;n{0c}8^cSzzINN;z3NlUd!tMW(%29*N zfF*6*U8Xs}ngk$iaQp`g!yl|xq$vTB)JYuytWE-RjEv7o_tyD*Nr?od# zWf3&iLGtU5e(H9MuZe4TA=#G@&YuPE0>;CHw1T zWDM;*LNMM0)!5Im{s7uuT(1t8TrjcKuG-?WA7MoasB_o}F*qYy zOy_akXb&-ifo9L`o;jJsEs==pkMoV!`8R>Tk0iiy3PWT)KgZ5TCIPfzuvsx&22Lxt z0dJsdjx|2(G%~GG_9q#oGN4q}Pgyy?Hq<{ON>2tF;mV!#ZI1x5SDC|R)$d&iNG4yY zh(xJCISwpEY&QpSkT`dKKbiNpI3+p&kk_?9trPg`Q}Ht3xu3_BfdkNy)Zp)~O=SIu zK&coNu73@!PH8}@4t||M{YCK#7yz}sQKtbbVdhF;L3TcOa1auz?BA^Mg&$Z0zLW}V zQ~)fW3YG?A7#)^i9{B-Iai+=f+onV)p<0cMD)sHd5BxRt_r8YQN>h46(<6z>NK^Rk zA1nTr>2O4W%~CUH{zGij+YgNQ$lN$z!Jk5khy)NyB<PHS;a0N|xN!f{ap?U5 z3G{)?EGh1sgwDN&_3L@_ zvlzsSUl(jC44(EYfC<3_Y^*4^QI*L3hm^M$F=`$W0WtT}xPOGA(7`0?lP3Su*bV}l zK(GR$1uuP^MxwJpe=Y0oph?hx(`+5~=ufdEets zP^HP`V-4eCGSd7dxcG_aAx)3~cu9ru?*3BRkxT%)8HAp8g23;~z?pWlvyc^dvnYg@2Jc%2O^i_AuT&ZUH7jBG0ET`yr`|Tnej1c{6>n!Kh~N z-XvhXH%W@2$gys{FNM+0*ZS-yWkNus1NW7__Fx{7F|({fYVu`D9K-E*fc4ogwqbz> z+He5G$^xRtWBJM6hG0ah4RiN^NyQHfoXPn^%4ECgy@|YcC|0LN)qUgy 
zK`pmxP2nE5we*eJ05&jc(rz$`C-U;!D*dSY9{QBNc#68M!;H_tYf=)civx-!H{O{X zr=yRuwqt4ZIzYt~6xx-0o2FX*6fo_gIM~qE)v>EXl+m zJr>#wm>J*HYa9gsFlrNa2a)aA)L|o#3P8)IUa7>>tI^F>n@8i%)%1DayOKMmH!5b@ zD&;BNmX{txY4Qm;??YetUFcB%5Bo;qKm%Pqr8-d;wWU02Jd92o+~HzNRMku;@-lE3 zVZvufU+v!hD7Rk3yWTpCv%UIGOs!HD99tl-z|i<5J=Nx-E`8J_W84#4F71{2!~Lap zLwUdyYs?+=)dSgn`LTA#Xm&-`@`QDO$=Od^hFbV7&8FJ3y(E{f{ZRQ{M zaiX2FjC8+6kt`$eCvz-LT{%P}cZXsIMsGfKy7yG4w41td5ZHw}lH9y(diF4D>&2gL zlf##MUE_ANZ|XQi>zGc9WEyLoi-YET@gq>bZ9c;yc<#`d|G;(KL>0BS65PQmZg0j; zmEOqkE{EkD+jwe^S7v19#8 zM=69wI3I5s#mCozC+#Dt&L3XgOX2W-&A_z2=UOJ_In$>!aS%K4Ol>{Kh#XG)81Y*N zqtz3V8fmpl2v*LM&Gw}8#Y-dop@=2u`Sow#4r5>l4pFVu)C~!ET!fRg6vm1^KORXa=I#6d z=;|Zwk?KH-{(3kcqca}kpd3*SDvmg1=efOQ4294;4_q=mJ>x1f+Tss|?b8_2X5 zxfN^QKYS$=|7=OL=<8JAmJ`x?QzNB|{2)1NHpoaK{Y3@LSP*30l zx?-b{iIniE;XM&>IlRpA{CnHe1BO7{&M{09rHBR_QAINAyDJ;6*G&%R@H0(jxeb1Z)$T3H=$X zlgnwllun~*sGC~3_S5=M8m*8}_S8_187gBD1b2ziC;r99e5|O1;(|^3 zZu`awzgUmx!a45EB2@+Kd=QsF9Y#RQb7?$hPHSv+)OM$FcXcR3=;jPc_&OXS%u~Ex zk~65Wnm6eG2>K#wjK-)KjZ;G4yu1En0EcV3YXtX5It;yzo5O!5oy}UG?sj_R>n`_WuF#A5e zk3OTJB8s@0y?)i$lR_}I`>00BRby2%)WgcrvYBmj+Oq^;Va@b?3N>IrC7{#ygLQF| z7`VFLK(oprYj43bKZIjHhZPW>(WI``p9sIQptw7Uy#%@y7Qa>LM=5ZqA5w(%neB$ICCV zw8=g2VL5d7)w`_sm>0YqC)EJfx(PesJR z+|a&;!D0G>VzaJ6UlMI2(N5dbTZ6S5PclFRDCTHF_a(7xv>DwS^bg_BZA_PCDSp;B zp_VU=bjROjCM+P8l}o$(9FWQ*F~#UbOIF!{9Er+`aIgi>9Wlns(33tQ*!Yb<8SE*C#kxzEqO1Qm#7NK6t{UUem0i`Yk9rB;#=-{iQJb?n!C=Z zsadY>Ii0a61T-skLRcZ+se=IrWFrwfa@^ zqwy4S)S3-9Y)9l{S){KY*mfO9@*Y9rzS<}Y&S`JcLLUu_*S{q!rLl@J>jF2+dyEKx zgjPxs{)L;n*LeP0z9xq*qXwvBH}=FJA+W3Nq&Q6uFar@X6mT11Oz(qwcZlzr0k#k9 zcESyu0(aM=`bq=j4{vPg*)}KFo_JJ#^^#CJ=~Qr z+C}Ac8FJ}rs*g+$ZW))+ z`^l_|yqnc;tUs+p^I_i`+GEzJh66c}iQz)xtyIsb*Nq1hNt_Kk6$O27yP0K`^GPTj&2tT z=B${XO5>{TJ3?8CtK<7tI0 zx$m*EXU7=Hhs{`d`C}n-EqmvO(Y1L`QqVgdS@$R>V6*QKR(WLOBRfuYXdyc$5IQ<0knvk1 zK-IMr2+0{58nMwfrN}7WbN3CNoxO8xA#IpDwV!yrICz5RHI*A{GAfY5;7%;}Ab6ui zF?TgMTjP$=;(0LN*nhdk<2T&NjG5n7CgdtDIL7PYL`Z?S-vQOq+{hj5?s;AH;%?wT 
zDC+y^RH?*c>xnbV`}=+o5?pk$ll5VbEThP*4D8S7YQs!w4*KT^w_CmLG^ZRCssri) z)mwK`o0+Re4_Zev!x5g09f!t=N3NoaJ|eHDNlLK=ol0_sW0hhUS@l7D;cky;`%zUN zYHp?6hEa##*xgI_Q%J-XoxlLSU5i6WGq^U*6?xH!AcehPQ6WfB8=;!rZl0hNXZWL( zXnQU7INmwBR3_TAvM7m)C$rL~E;JzXx;u5?;xK4BiN`cOA(Kjw8QYdS1a&mgQr3y@ z)8b-Z9kzHKiz-klK1b;V)#7!ArpW744;Z0XwJk{X%s?euaWg8ee?2nm3h4JRU-B19 zX?qOGhz`^f=Lk_^uB3$T+s2-CIX^?Q%2?{TY~`dFJSB%e8Qo%l{HXY4YQ4c$2==)7 z@jG)5t8gd*3Q5;1`~o|JTl1n2Kc{N+tP>YVwqlT3312kx#GFh3>};y ztuBJYK>0ol^>B79;%Lis4EwU>OAz!o1PbWqo6vF1%)@pmC0Fe}7$7el%Za=X0Z!jn zr@k!TUm%>#x}_Z2z6+{34rL3S{UD@;q%D`h{%qd)rj3k{r93wX=~R7-1rfBh6Llyk6$@#-rZTBC{lZH2<#x#0J)Fbe5i6)ue@uXKEk=gXqj1d;RHv$%Q9_)|Jq8SJ(!I>5_gwV%^2(<>? zKp2d=eCR$B!Y-$f$wMYIY_1z;?+XK-9{rg%*1qk8(A#(2c8Is6T>d#*jqh2^R$&>c zvE~Hmk3lI7rYSm1I8!Ju9nNkebk_C;0iGJTJr*)nn!2kP{hES%k>O9JAk&1;byKJJ z4toRbAGAdT*(Ua+C2*<17QXSI9PS&ZcapKvxG~c*3r2h1+wu=H#9GCz9~BO@Z`-e* z;!cPlPAPP%6pBj4xaT?)`3zIp-X@)G9BA=E$XRM*HN=s_AFq;0=bMLMs@>n5Js@dv z)nUu)zj!AZNr$9Qf2AScm0G@(ipoe9e1sZlPD~&h-PYFz+H*a2WVLy1Fnea+?ts?O z*C|T5O&$Vkd%0;}>%K;V;p?#(<7x9*Vf1-kXz*NIU<>h38YjG5Q+g}HQZ8M)2p#VT zqlb^M8zQ5E?$|C~4=KT`!@ES1@?KK*75TJg_xt|2!l4R79=%DtfSC1TRek3OndhQd z>;kj~$!C!aLWbfU51|y38gDZck{+i|VJUIe8oXc}t=hz}bjU^WDGgOtK9wuZ*2)jcR# z`9eyN8?U6r;|C;P4;(s0z*$m-U^sXD5`K^ar*9L_J;r_;Ij>n$I`?|x;bJ`mfqA=q zy|fyU-sYaNe@NFFqc(d-$HOX=XlT6Oh}A22f65T{%uBzI!vQ6OEBu$N-h%sv`}Kn1 z^DR{0+8q%#KX0(RForxV>P~e&-Lz+dFr(!~ux4g>@KBDBTDhfn8y5KpTZ;jKzFIdn z^Qro$keLtk8t`*E7&9>ah~_Od_0&%_o_jUV-zhHw~!=Z(v(`P;kOlueRGyW7aVo^Rsxf`%X9!~wwRV;eS8L& z$YoK;9?EzurqH!xPsDm^>bTKvviXM5y4AAZ=M9A~%+=Gay^o}&9}Zr3AvaIsa~Pzr znjrABX0oxZ*wdq&`ltjsKNpH{-t_RI?%vaEi}agzKpYE(=LbKeh5L6GtVR_!Qo z_ljdcx_#nvO`h{uw@t;iGYZdD<`h1jyo>cAD_tU!xATLZZ#UmtAltfpDLK)VQyyy| z#r!KpEn@Lkq1IJa(4|4Y zinl(s;;9)VOwafwQm~&P{aoj>b4Zas=3*f{)O@WA6>}e%KFuIBHL&>FHp z;3_|0R7*W~x7BZu3pBL;F>hiCS+b>h4bLnW$uZ+~iOmqrRm;Wy-B)nPfA``=u*f*E z(FhP+qoN4!j^92W+jge%b7Ft;z;}Vi*XT)^%Hg5<10Fuirqyb!WgwPYv+W`iyA)|p zjhxpLXpN0Hqx95Ub!cQ5p^|u)gJK}O(4((b&Vak8l#ltXvFi{5YfsYUiiutT)l@?- 
zoBC>#N|UUf@tu)a)`H>zg4&WNBCfGmPQ!xs)d{@+Nup$YQ73fIjirTZmGCuhz!C;l z$&%TsfXd`nc(dg!#Xrmkekh-aCoV~@mnTW1UPovof?s+SmSIwiFDJCQ(u4iKr)V{H zQWJ}Gr_zy`32)Q}P7SvSZ7QH(Z1w~vpstchA`?hUpG{7|G#*xbMd0)I;0S)_RhvF5 zkyw)9+IA{dvx0Nmv5rQ{y3VK(ShB|Vyq%}s*}G~Nw^4ubhdiQpp7?}e0I`+98A4Z} z(M913T`9wJ7z)|6s7pTEapR-oeOf2$eZ==))uWg;y*~n5!2%p zjapZeNCgFAcrdAV>`9PLY+iFd$hLi4h!<2}^?Mu2U1qyt9<#>uG^_Hpme}vh3P$`2Uou`kIL67&sXkqbfGKmYLWpWx8E0)!CPxmZFN-VpJ zHDl=Z)C^z+MCz3g>k*3%ss`Lz^tm11;Yh#acruj1Y3TIg0#ih`OEQ6FCL#*4FzKs# zQ6M+s{an5*bd1Xx&fA%W&@(>&NKrv<^V8ZE*VFAcH+p4+S~n#LmlMy!U}u)<-9bDGF6iCTMcO|A~K&eFBTX{!e4E78@+zrmkVDC#PvT z=jJ)t+)f@Lq>_5-EL60OXYsjAg^ksTsNWetay?(B=h;WXWxQ>73>CX&5eY{nc)1}5 zX>aQ)7)pgE%&Oi0eAQit*pe;%*vCMOpzYLg7PWR8vjiCd!garoOSxNP>{*lbP=tR~ z5zB_($1ob_82%AyIHx6LLQh0&!lsGowy=2ew?f|_`<@7m=f^Ob4fpFstW3ao9=Sh4 z56vT_LYs!6%1xUp6r_^4@#|;~w`Ij8>8cuji>~A5rYv5Q&fyHxSjm^DA8L<4-oD8_ zDVL|OS9E1+hw$>w$`vHTB59BN!HvK;+hWH*SA@3uvAPck&p7d6H9KOkef(S#-W2HN z(oOd8DxF)`i@8*4|^gGOa1(tyUbuQ zs)vnViN@oDKKedd%je1X()8PFhWmS)&144lc}<*Lv*=vk;YeDz5EDGq_RKht*l)i{ z4E!_^=z8wH+3{?kp2|lAQDM$^!S`l;+x{vNj#T07ASk`QpG2va^pAhQ^>2nYa_VlU|3DptgsYsQ`)KzJ&Ko?I zofsbH%yW(sBX33lTFh^4Kw);o(g2=BHHc3&VegPHypk}&KKB-3E(;5&z^>3dbw|3~ z^&b#j(oQ?B^R<6V@*82*`i%t!b49~1D2hmLQ8)6H^QXw&`+_a&AH5En0(%9cy*?Ye zLeDpeZL&L?z?S=vj}>mzR)lq*~yyN$D)gtyxHtFBOY1xvK3CQomV zklBb$D--2Ex$!g~^n1DxgT%2`h}qNx8`+OnVSeSjZv328VcZoJ;wT$UKrYtY(^iMjbr=t)A4L|DtP?@@<{cXvAQxKQ;UZCo-G{@Z zGz=q989|lejbVo^ZoXC6=^eopyvsd)RwS7 z22mnLOglYg&6o(@M@FWDAc%S@>}4kB+*V7^CSpSsM^7ADjD2*1!6LWl44sChEq}4r zpOHPrKcHw5%e_Y%uYj<#DjI>vb^BbYKT)G@^Bg&Om^W*$S}Z7#uRFnfKKHoW|JkwF z2%*7=-JC#EugIa%i~M(fPWwx^9?-)}#2k2Vmqno8dnsi0^} z&OW`$?8W5a`h4r2<+n)2R;W4X_(q4of9DOtSrD6vuxD2aS+JkASBK_kU{1>8q3l7L zyw>8#uDpfR{!0J6xw^fx-L8vwBK=gRIqwbYvjkMR&3p2jbyy>v4jd`OnB$ub1gFc3 zH=a3N;TR~Epe88adYE|__ki%g)fN*YN;yKd=harK-%|8`TxWTJ^mG8j`uSXD0+n>a za7MtQ=bN?N>;V;j0$RhU<~q-vn=n5{(Vjk+@V;`raZ!z1@>|}x zYk*rbs+@IJI3nnLG=jE55BVn3_3Sq0e>}9ae(q_l-#|Fs+~K>u+@FTR2snRRKkB*u 
ze6wnq%|N4&ea%j6I)@xgRX;-$%Px>R^5sQ|3;)!##3jjt8ZMohB}l9P zgbQOC-$0OC+6IH%7f*zi=GIz7xurO5`YB^0q4nJKA>_sm&Pf|2qdP(S#9D*1n!C7G z`VSvZfa1LhGX`nCud$nayZNU2F5am$Lgu})>yhd738V3Jc@tGWosA;hY=@s-T+;(V zPt&5Fu}12LV1jlL=42wO3+SrOV~gi&I{nEkD3v?Y7^6mm{XMW5W#0=`)XoxM2Nj-# z^K8eccLwTJxkNagAE9P7~<3%>gS} zCXN?1bMGD(#u8!J&Vh#i$v$^cJ}W(sUzuaN9o|LNOnr^bppmf7@dsO~UE4$Ei=8F% z(^!cXWB576GEuEA8rea&&Hb*9tsSAUV8Iv3tQZI_W-{oA87_R2emVG@I@JuXE%=QU zEAuXca*JUob+;HbQ)S}opQb!&6O?_Q=c!PV`W1J(x$bT7}`8|B8^75llm!&l-% z#c7x3?f2-c&Pt(uE6y5a=bp*CaJTiQBY3QN9yG-#mx$XuD8mw!+f2(7Qrf%+fjSAe zmBu{-L7r5jB1TVmW?9kIG+TqB?1Uww>HH~}qeETQ@avxL3Q#_AR`nxpjJMQkK-^WP z8y6mLWhUzsf{&dKdjfYnzaJ{^3PgB_AP)q*00+#5z^4f_9QIgvO(CfIc2i2#x*gZ; z!{U}=X=zmv0=aKA-FyMBc@aB^PK&s+Ad;2|F)vQ(9UPncqEJi{#LCSp7PE5I($am# zevh-SY!*}a23#*sS8EF7n1b*WXpidp8+WS`F{r-UWuu~WAciO6E!Rn#Y!73ufad3= z`Rtv~+9wO#-){8OO$YKl1jyX+p=83rD?NvY zvtwO06vs#srI!?&p$~rNBF^P z$Ych;u%!p9@%$0-#hW-3{*Uc1Op$pO-mBMNdu2XRi0#@a{74!*)4I)6E`Q9tvk*)) zz6eO2K^#GDjS{etaNlvhjK12}*dm-U4t&OefLk6gl1M3{uvA~aFZE@+F( zWh|fGk3{!-oCmY;I*wnMq=Dm`Kcjut^bl3w2dUl_8Y2bogj<3-*+%BH7Mb64F?>UB zn$aoR+S#hM>Fp=A zi3~QmSFM|4M;H+YLfo7B+PB0;zBN!DxFR*s-Q*qcl0`c>XhztIX%5qcnlL4!8w&2*8Tm$cWRB{!I1>)_iDPL9>&hpI);DSGOy?BLd@b zJf@jR?odr8w!$F~<+Qj-5U;s%R02e0qsSp>{p_ z=OzrDl>i&_;9&2jusizqxgs|*I9jOn2<_|QNCPrRypM=E_YqBrx+d>7&gAK|G|w$Vc8gJ0kqXj~`Zp1eT7AQgolkM{FhcaYHm=g^iLnj?Y80wkUXAF9m?x&6PLjiKVMa|omr{} zksrC7Jt;(6)mdXgG;9!^i1S#EXsIixNpYHc3t#)bOBuq)I2v_zW&p-0ITM>oT9gk~ zgr`>Xl^$fFR&y%_F=#iu>67SvjwuV))I>Xc2sDzz4h+HfQ{o|1Oul6#FbFKU05GbK)^PwhG`j~~u(Ikle9Wwn=g zI2UXz859z%LWf|~lm8TwzDGxHulm8&&&ju2+9*RUJC=q9Yp8oFjl47F952Q|>_@F> zSNyPm(R?m*hF-qqOyf(e^ix=o`;*>i7)djTS=;+hGDdEXWz|KS{dEKP2F31)CD|YG^d2lT zCXot$6WHDp1#%?obOE09>P2-PY)j1@ji=5mjP8jiv4zi=)=aX9d$$v25r|5913b5t zP(}QTWx?*SkT~XAANp!0YzamRcdp#dQ8rG6eqi6}Q|_G*Thpktx{vuUk}G8H`&UsL z{6GLp8TT5e%I3Ac??NM9oMS7gZI#7WA2;S!qc88EFz2?$A`$zTZ-R7@r4xr9>{yeB z@aTV*1c{Ge44*P1FZQC9WRn|nwONJHJyRhry0#x9xK@5JTlRpWGo{Im<%@KT?1C^u 
zB}NQ~P2dAtQo*#|LNzQfW0DIoH$=z&++=FA>XpIS`*e%5bTRsXE?4vE&KXo*H>f6@ zin&SnWBvJo_Dl%YXIYh@$)^Ns&HpW?D6o`^)l(S%{??@%O?TW-b8t>(;gb3 zdcm9Tm20@0e!58*RN3iG_lQb8DcGwrOYYe51Rh^w<*=rnPCC+lF%OB`8pL=XX9Gb@ z{EG1l{4o$9e)crch{?YFd+LkNEVa=^jFBQ-_?XCevkmy&i13L#0XohI%}Q|SCv zFf_PVXJ`i7lCpGP!F0VsQ~Mh8NpYP@fd~lxevkM@G7)If1(AfG@?gM1kU;J5ZAJ*i zZNL7UZJvH0Jky4j#U@@en`9<#R3k#O+@w?h? zhKHa009}JRjPp;O)Z9|actF%CbQnQ(!7so{kqQS?J&^WB-C`36K0Cx;GLl>AT)8ie z^{;RJg1wptqwnj|y>h%`9YQP+6lf6-W(1hIFS6Bc$ee3noA&MHK>T^>NvasdPJ&n) z@lQ3RF;rDoeqimHWR`MMfiQq*l%9WDo%aoA3(BncCFT_7;7<0S}dRtT$#ME{khrqM`?)D~YW((FUEr@aiM6Y&)4IS>WO- zh|d+$kr98(fJ8L7-Op3T&)FaknImLz>m(LF^+UmPUD~aSqCgZYZOGF4U?r z@|)}fjDTb$?03D-7k#X`g>?eByNCov$0buVt8`_90?z}5nbHx734+t*Q3F=qo=ec9 z3%0$8e@j^<4of-n#&`tOlv1+xg*nxYd^8_lOs28?qkDXO)9f2>TDryp@fSYT&bP$^ zqK&O57x2g5^>71{o4VT2*2KnO(eC;Sa=icP1u%Tg%{l_w|EA$N|9uhvdKz^zp-3~vmGEtX4J9#XxJ~cV zyE^`nocgpKI5!vKbbzm13o%#oJRjF=t~AiQOm04`oY{0qk%aHBd~vl`FME$gm%^si zCn!J{fFqm1@!qzeykju9N{}1pvit_mexDD|qvTzObiotxAR{cKeQONBr?rd05cu}f z`KZMKhq`9q;EFe)YEV(2od$-lT2CtEAcW?11tACkJ|z?Lcj98;^(QtfF-i6zIR4I( z&PmUC_QY_%DOcZLm^j^~6hdp$^Wyf)V58YmS{?VJ(C&%mkHQ!gb2Or_DXU+t`SEE+ zjGqXO`!fb;OcnL2L6a-m2q$JCU$Pr@VTng^78(0|8?ahxZnGm~G=>as#*nPHD*3Id&%dqrjRNGA?H}9aOqF3hFF0)FMMs5dR_s2N@gl56N@BvA}jhvjRHS#$WUSy2z85wVLgS9oeID0+nGvgGFusIm}+#NK}dLt zD6@Oe7mbQCM=;vy_H11>(VjLsme#Oo!67*iAm-qqc7{mEp&fQhzD2 zLj!Z8G+XZsu@@lrOU9P`g71YfsB*r(tn-mz3+(8Ne9TW7X2}m&V3yYC^O zk5Kf=&-|#j-*J=QMbV-OzhZG6QIBvEh2&mGV^b$f1ktj52`;ejvt*II&yS{w|vOT_BwkcW;&5H4l9 zuf06le$Z;3qeAqd;}SieOU@;DMWeETvOUj6R9MQvS`24i*MTY);!&~_4b7ySI)x5KXp_*`+82i07oNg``5>^bJe1ZeL}kekjo16tScQk&;UB(`>rl2MjJeai43(` z9*0TvR&0C{XFg}BqUlR0HwB+n`>LQBoD8ndAa(SAxJ5*e#pIum*+SkJ4Qa!pXN#AZ zK)EC|SX*N(qsJ(~&f(@>cAWM==)FohiF-2qu3IohDzK&Nl( zbi?7~#M4TvdNVIVWHMX0v*4!n{}J}qVO8~8yRdY3cb6dD-61VXvyessC8WE%k&p&K zx|>C}v~+h!cgLB_XS?^lzVp7{@h@2y%r)oyjUM;7hXK9OSxroyk0vU0vEj}YSGoJ= z`%X=^_o4PfCgZP_3apCw*#JgfMqErMhoBicPYJzUjH2>u*UlFXotu=lRC#F zuN`V*U)H!egD|9jX~(wG?0_T4U0BFH99Mvi0%)^@4D+Yg5G`;sF3^Gabl>;%;*#L^ 
zqEJU~T6iRdFEnPXZ}A%LJEQr8oF+rY^5yLd5_o(=DS^k#po0P}bPi-oPTydH@ZdW@ zD!T^9t2~CuEyv`-Zl?+y8k|;=mipXy1mhyETL>hhE>@DGvfx%S?U+ z|G?{2v%bE|ZJV8B8Adu~6>&q^p#b};4&hMdTYMIUaa+PclJUYjr^QOuPuAv8H4fP_ zA`W_+*uDdl|HfLBr9ccp8)@91@m%N?dh0#Gx z2;>td*0ZL#>yNr%-0n~k3UKnOX;)FtH;VcZ-1VhKJ3PVKg4~!?VQ-$SRM*@9&>i~0 zJo3HsC*NHTZD-0AId zug^BfZC7Jv?C$E|@$5`-=C7!6IM;1e6idz{|I!6blRxAyd<$c-hvc3q>g7}E?+%52 zWb`wIPi&Q?^<)hugCr*{Vqb0c&8RsK_RK2FB8e6&bYj<4?a^d-`g8KSt=aDoaV1`g zJasXx$sG7xD;2}##ecam<$v55xlj#3(DmWa@MOUXE<0_VVD_q0U$3`O?~T#xx>(H5 zgY$Uo02m~1s3O#Xa;046tBtUY*9`t(5l*=vy|oHgq93*D0WYc9{^kpB>+6{?v=<@>#Cd$J%O^M6a4y$-0$Kd*Cd=!xJ!u&h zk(d}HSZ}&rI+y?*oMQu;^rnMk{H{HV08Tz1%qeP97LoVh{CNd{Zn559Ti~KN>YyG9 z7>yv~aAe%o*YK>@`n%UvS9WBCeZUo3o6SU9Y>m&a(5l&mkI7Y6 z$nf^EvHkMfW$Fidx6sFxRrC|*7uvrW5iS$5$?CY8a2j# zNIB#g$i~lqO}7pVaQR4Fa}))nS36M_f%DQ3fEc0|q|5Q-u!{exLN+8A&9hzF%KOnB zX4&g0zlH?P)tmEFf6Lm}PuM|HSPSVydP8N&6ON3)05g?-u*+XjGSziw_1lb4yl3)w ztt5Pb7C+p|_3gg1CEqi6u1Xd@BEW@h`CcloQZ6D)Z^%mLCEA0IAUo{V`HyAW{X4v) zGYYA&^;HRfd~b=XMOP}PG#>(w)=`hu`K@zEBj>0TfZ2Q*%W@U!&)6XdArPY~$FQJW z0=psQM-t^su9O&P73dacb7K1Xl^v4Iv`gZ9Y0%<2ye-qAh@(YWr8zTWp%826yK^G) zdO+2P;61K(`lR0ykSZ7LQ8;1t>+M%+M`H1$Tk3&znuEeFmM~!lMN;t;01#!)*Oc7m zvBr%eaz^&h=AjA87O40D4;P;JDx94?|Y7^;%nGul zeaNjdggsu!B_k@5p+gO_E_u9IXFw!P#$&4qB*WFhH+FiHuhM63CbvE_1L!;6kt__m zO9_im4p|iIrN2@e?#tfpcs$AvXK#IAY-i>~D$RcjEAz;*jqE6sAna?gzWMpCM4cck zsj$8LR+VA}20f1Dn}`n4Si5h;+#sKXA^lGiT^cE5D_L)%iA1691CHP(ah{` zlV=TKZR3<|9CH}XcG`2ngbsv-0IHbLOo5T3aB&GPbho3GMj~ga3Ep(7jJ+nbQQ=B+ zlZ>E?wU1_Vv3A}An?qFmHyAy3j5*j$h8@%gpyx<$bYWMQXt9;b2thm(|0Vv_bSekl zC+iN+l{W9-veLZ|(oQ$1gCp>xBEmTx{>}A90H9;i{KhR_OvsMP%FP@_q&!FbP1*{+ zw_`AAqqncpoPE{K!z0XaHI5}`@%Coq#Nm}#fZ*f(!(pk zw0|ej73KBJ@gWU{=*Y?Yx1s6!AlHM(uOC8u<UD`rD z`S57~HF$C;o?<#M1B!$8808qjXYGs3EQp1WIfDU*SQCxEzvsCWZ{4U`(vMK}`EhE# zqP$9S!pUmsg<5}LAvy}iLWvDQ>rt3Dzf-Hjgf0XOl`oi!R0b*0;4F-@N4--vk6$q9 z2`w&^YpeXi8tziXPPvX0^?Oa)%Hq3*T#8nEhA#+e=12gE|HzuPu&ZvHNsUleDWjN) zm^i=%2*Fo@tkm=B-2a=Im%28Ivd258`3k=c7lvq3pSgJ1mm4!K{K$gi@y((-G~Hb$ 
zq%BDlVqgrLJ%q5az9H@IzT1mKtOeR`99qlYWe{^zW)UtFn*X zMynlFrS_FRTMR3C){QDH4b`&Lc1rmOu1&I@`tq-{`h(E-(n|-gu^dCh>EcVX_{%(_ zp@fS+_u>2aBisdahC=1$CnLH|ZrRGdD~^JyzMT~7oHC1mwb*;SDl7KBm@_tcY~>1b zQG=)OTzXz;hRKg0FA1Q;16D3gJM?SQv(B|kwGi9=UdiK06LVA|#onyyTOC(x(#Pwv zXRJ$QuVK4(G1qRV#3@Gt^G+%}=IW$>{^WTu)T3mJ!_P?hbD)amK%hzb7=&W3G#Rox zG$(zkUk^o-Ek7V`l*$;MW)VU1Q$~tDU7vvr7zu5Lr#Iz28Q<=qmDUq%HUNhX%*Ghy2|Feo_<0)=n4jV!5Dm!N0624)+_xNj3s{S$K zi_Vxy>g;v|DgE6*cVjWuQ?GUj3#?zd2m1o1s1YQ;^sGN7GOD;fAC;O@qN9ZDG-0lX z`j1&z<(CME_wK;WC;TbJYPK!j3eb<_i42b2r9E5xB$RphghoJvk>rwAvM*QD5qm7w z85EHRAh!4=U`JD4eVDqUp=aAN^*EaS1^-eJA~t`j8T?7@_cN`wzfX80lYzIeyfj9V zHu~sO`E!x3$e!xkZ1kWrTV_X~6co$E=Bfj=d2qj#stscX|-NeY+DF7>zo zX-b#Est_++1lw*O@%IdVlwR8$qNph(HY5H*_w_{|1+H~=t3Ve*iF~OEu>?C~Qj@f* z_dK+!MEtR!*-5rb(1qr)usQ$0Ywxtu1^%Fke2LYYvjjM+n*c=zr^&WPTR+q0Pmeq@ z>94x)ov)F)3dm;>AC}&>n1b>|5<63hym5*d7&kfq&2$7TSmNExcef8)P2B@$gt79P zlG!V>R4uDODKJcdV>#cn0*|MjYQqBBt&ID1)bgO)no-}fRF-7zyzIMEa2;ClOOptL zJGAPb{@-;>YWxxTeSthV?ZsE6Klzj-6i_n?^owWAMFGr-wC6UgD~C4Y%uvSo+EA`D z*z%SI>HX+%5|WncN2(YR~F`GtS~x*{r{9+NZnuDSrtgZmj$ z#EP3@H3c6hT_n~SsWTUHwU0McHy2w% zV%jdm%C7GY)?ih=pqObh4xTf@nh~-BWay;{?tY(D=#&nG@O_}y)PEq=vh^>Fb@Llu=pYge;V^#tEUi(P2O3mU+aQ&W+m5SK2T>=+_$qQ4!UADrGD~!b1x-uKBuTZIb-r zam4-@mgsE$lHN?$W-N@|)Sf9fCEZ|@WdO}}5*L5C(_C|R1@68MAq2INlH9(-fLyL_ zDFifSW^2vT-{ccFtImHpEVkZ2_QKD?e2bb@?2ON%iw&$H1L_g)fd=hQRu9%IazS)> zN1NQ!*$_C}l?b~1#^7e&%VI`qG1BDBPV>MG2Qm?V8@;x$1)y#-pHqt|md((A0~XJ% z$}p)q=-(qi=zS8f&lCivLgp=wIcr3AIMN;(+9G?3WFy?r$#XrlG>(%zAG2)S+nx&+ zwsxBU(;%DO@anSi%Wct^$rxj`4C(D6hgE{p-^M5aRhNAs0&ejfpr`e|+yN~a_bT^$ zFQm=aB8zgd-5(%e;ubIaxwlO4ogL-jC{;M=WDbk;;hj>b!^FsSuPM@yDD1?R(gDKx%0893Ut*UH z1mr@`E9q}&uzrs&bviaHcZwDVy2vh5R~jS(jheltA=kieh2(Gx)o~>jpz+r(ko9~d z18G+}iWczvDg8TBiAxGQ3*dAtq600roB_Zn7`M5FlAq{PwQJ1${&~4`+$#RnPVVc= z_?}Cj%cUU<5EI-7y0@6^W6?Kn@Vj75ToAPAaC=rU+)3rzF&&Yx>CC+|Fhc{cDiYK} zTsMBo9KA#C!d~?W!l*t^4D7vsn2Qds>|rmiG)6!ck30a7Ii`BDf@gUkBvlUAtS6Pe(Fh-eVR~(<-Qv>TGed?@R z$`6WWkr4jm$QuEy_VL-5qG*Sst`-IuRR>Lb_tDKOhE*;>b)#fD`u*ttD(U);iLdSx 
zi1D}D5FLlfMQF#gS+`5;=C*p8nP46piXpUN95*Bhp{|83?;R*SKVHL#wz>~Xjk|S+ zpmD5s^WnajHzA3x%rnf1@_D+gdTKFRZ{GDe48!N*ec!L^tZ;>RT5)*vvUdWdRG;h{ zJ_9!ZLLvo9NW-ceDxb(W%*qC6-`G8!I)i{N)y;R2SPK9gU_&4cjO2K#EYu!N`%IT<12moK51DO9?=4L*r-?2+ zXcBR*hN+Q&O@q{XReWC4heG0qY#+eMNp>hCjKj$R66~euCycvVYeatX zQfLk)!&1?f#nAI4I5zcD`x*&b!rtK4ML>3KHPb>3wi{9bLiLzGX;aIOKN_rlD!g8Z7ExqD8hz*;lY!6B$bQxe zY@V4C8z1v-smz#XOzXUTzYl11oLeljKo7D;R`khF;v@i+^Eq=Bn-rxk*NV zJr6e)&mQk1P8COoX19E7J1{6D4vZ@_>VL=5*p|q6$RB|-1*$@#jAydu+GhpPxX7q7i?^vD_CUdzHv*Epf?x|URnS0rWZAOx-3pQIa#*he`@m-hK>Ls zGSLrgF>Avj(?rDBt@lIG{e+!18PU53=Cs~-713!2FrX@jkDIRdDz=v|0R*8T z2Iwn;j87#RD(;cl7GPjjrlUoV??pLJuIZOi;;*^F)T^%{{VzJ3qVPX6f%b?om~5MA z%s=Yh24Sjlt0A71-N6R<4=2*f7GSM<-rm97l{a?wI1xJWdJXks(!7>-xg4h;Z$U)e zpwvb!h=nWKRHo+rK=c}ERebs;+cNNIk!Lc#u(s)1Oz9SpOy2`)xd@zgWM%^0 zPQtmN68FG)>lVSN!VXp0@E?+w9l z2C94g=U)-UVKD36k$o~&$_q|w8ST=oJc_7ujmdMOju$b#gQ@)ZHheY{L_gn_e8P6a z8`Kx|CU$$CiXiAaY23fcSl?e?0me3r&f5li@}~yZ;&&uL+ovj-C$|-jk1w}Ftt*Y( zE71sF*Qsnw$I!`rdR)`|oNED|3V-%3-PdeSohes}l8Su~WDryeRk-x`(!HhoT3L#N z?J@IiRLP7M``BIiDinN^o4RT!r>#{xR<+o!xDyVV*1oufk(s$@FYz?)ETe>o?eW~L z?tXlUD7|qJ2?9n#?8;;IJSsCdl?D5+t<)`-DwF!x2OXL5Im@Gk8ta9JqcTYxztsfk zqUjL^S>tb=lB$v}tJ?8Xo<#<@G>neB-;P8UvzyDa0Z=6Iw>?QWM{wz6xU8onZQB(F z$xRrfNMi{Ilw_ z8sp7mUwEKz3&L7g;EwRgT_m1RlnhYm1n=aifa_11qBGgCXjS4!bEG3bp7K}Xl!sdk zg|Bnr6BFTNga>4V`h#Uj84W z4q}$&`rhf%$Cncv({L{T?T4f9`QKmP=QDXNlqgBA z5j#Jt2~QO7c(n>jUJ){~Ae-p9k>i48CYE=8q}Ow%*>}Od^rwH1q)| z1S(;#II%eq$1ZU=M{sI?)xz$!+P?Z+G~5Wg>*mC2=v=F^vt%%eTKnJDPP$zex(cx9 zY@w$md8%7~3nl@mkYXFrPN=Q|Gg&#e|`(m3i5Q*Bm9?1 z5cm6@3@Qon6a@A{k=!*is4hq-MhZEX0`ijhA9w%5HUD7c|9)G0IwC(X(B?_Yks*}+ z;Umi5H+>J8((rQnLJRqT61a;d%;VS@uA8R~1PekT^DiOf!!XoxVe)GXO9w?cV>O?g zBnt!p5&y4y|G$60WPwd%>h3~ca*^Qh_uJ}zllS*8Xt4osnsl;h*q?AB43Ym`2!rri zAPPbZtvYlFw!j-kNrI*(NlEaSqi7-D-@p3b9_~E_APaMSkx_q3&zOmj0EH#pW{(;2 zJne4KDmd$&r`HI_7HqDHac*&lqjwtE!gPR?3NIFF{?BLepXae&fK;ALVBks*OD?NwCs~_}~b54d(yy*W&+^MEL+^sPn1!<_$5&r%6Ej8Rx5vwz77%_=w5vL}6aR|35Z 
zcI$WVBZv(-^7JZj{C{0~l^AjkXck3*|B^d#c}SZ*#^b8s@Xz1wU;$!vJ{!b12c8JDi3P|~U{1V(!Jo61hlE(6>{3-sz^9wlayEYq`~PyW zKiAL!bd@2TcJ8mJV7dXS#deXQw?~8pkwq-XGX#Jb1rq~YvUg42X#H<5Qv6@X+5QP4 zNhD-s^8fmPatM=>3Y07`HK`7fTpwlN8!d3k#`KbbD_$?Y8U24=(G7CN47{&@&j?c! za*rh$u6zH?Y;gkbKxZ4r{7O(S#Q89VLjUAyL)d}g(x)VY+$iXkW5WNx-iyOZqC?(d znuE-%zjB7D53ynTn}wi1_v{Wqr@CiSB-M@p6&2i7w3Qv0;G>qAi#+N1WcDm2Z0yYs z1!M4#H})Sr{J(#IQ1SV3 zEQoXl9pZ6+N@3k{0uAzdfLGX%4mz9LkZQ1X(=~FxA6}@pU2UfdAr-(*U{NQ{k&7m; z^Hn?k=lbn2;+BtK#L`Dj;m`!YocriuW$i@krK5lRk6T@(hMX{#Wl_*yDMf@xDW=C+ z!S6p0!vHaUIBP+)6M#pZ$-M8VXvrr(`M48-(xOP`yK~&uIo7glyFM<5mQlglzhFB; zFwfFh$UZmqieOU#81>D^^YMa#?+Q{*6$ld*X_lIxk3@tR^6Y^20gWGPi?=BBEumyW z_>-juDAdv+@2f@`r4q?#77{GTeAAn++8+@x5;_^bebR0#o7zzm81wx)cIS$vd%x9Q zi0%;F)b+SEG8P(rK7uadoz|Dgg7a@*b)*QW`7T5F%WpYi(5)+LVslLZ*|MB zlqU-LRLzIaFEC5QR*S?>6Y(UjJL3EA1({=2+I|hJl!kk(h~+2w0i7{nuD2s!#UT$h zZS(9$BNuIlTdG&<11#FX#;3+KN4mMcm-;Rro4hj=b1Zm%e|;Pya?NHwx|NZxN99^& zYJMF~R&{{rUQ?6qlT^?5pjj3-;M-hh6O_QDk-RCyOjF|p0y08@eL+MUr=_hYd#$o= zId^kYZ&l#n64`A2#uJp#Mi5cy>~+lt{WaOP0l+7u*>ZjV6!6&~GQI3zr7?Pdx4z`^ zL?nA~9rWm2g0uRY#7rTEuSND{$c|Au0d31tOr41Rf>bhir}Edq?J%d**G1ZH4WEjy z8J>4tzy@en&AzsIiTgV5B4+@vh{y%Ys^5TkNy6u^M8wtE#KWw=_hCpUW_)5KyDNBY zkiZ+%(--Xv(r`YWg=UIls4x1c<5W@1B~X(E+cxQb(3r;Gj^Pw3;5gzK>EZ!tQ_<@0@r8&3Kq^V$YvCEgw!5yf;r-RC zNM@j#Ko+vM1~s6O7ic=5Au;}Ii!$57_}ZGk_K&*;w3`m{CVo!5PXFU@`IP{%K&L?^ zgSW;5HY~JHXmDX~zUwC?*`9h`%0~RMekSuWuuc(1YT{`38_HQ85I*e1d!GI>o2@Zp zmX5|p+nc~qxJ z6NE-2RR_C=znsQkc|Xs=x7?$x!Wq2kMk&oC0Af`ML*=)Us+9c4Y@T|Hc0wiRcD>iI zZchyxUsY`WMhN1tX%M$FLT}yt_+wf1z5M7E1m)M|j}V;>1s9g!b8MYMnQyz+6&!|C z5|oY>H1yf9?Mye+ioN~EOTZS`>OquzK|>1dPn8Om8DfW+y{-!vb*YxE+K$IQOh`40 ztm^EYnq{hv*=~8d+%l~Ob0&&R@^XDw#q9ZIlx@7SQ!cjJ9yxOobgGQcz==DE8622~ zif53k0{9ool=k(!L8FV=)5Ses5g{r&W7Pp3*fs$jXh9t(zfAdlD+z6a&Hyl%>??Ey z*xjcpkGf95%!(6{jx#)Q_rKNAh&OE$KA1_jvD#j&lJ}U7fNwi8WwaXXE~!VQ zs507~2?%+zNLEx*=*fmatvXDq%vU%K0K><{@39DylMsBe=|d5-HV(l!h(W^)gTz+2 z=}LRZfX$H>rv{!}A%G}OS%W_s7FDyKLt|+8A1MTDsBcuU*$-?Yl6d 
zwjKBJ1KE117CyoQIVqciKW~o3d=S{gy6TU`C>^0OLU22HFBifw3_Es)3FNWZUUrA# zt7}%1)}24zJ2yBVi%N%+qs7sxpsvjwh`siOT};8KJG^x;ba~uH`>q^MoFf}aJZp<$ zMIq|p6C6!0wJ9GHKdiwf!#s4^*z`A{pnN}f=(6}$G$Lis13k3|UWx}Qn z`J4^s+iW_ARI__Czu&kn%S|?hhW?rfrNy^k1smEyg!D= zHhb8DZgv_=mjw*Q^gfz>!CM%d>rX6o%@p`SCDWB?AMF}~F})dj zf|sg)LkN868=>E5BwU@iNs)Ha#v9_uDK<~|$KD!?x(eT!N+ z^LoJ4ohmILgp{MRFfnkvj<3AVLL!-I{U-XJ5P+u3>g~Xr{Gi6-x>Luy9YSBA#UZ&8 z^{N32dtIP6E(#$3p!@=aVxV2Y%t?|z{+-9|QmZDQ@b)=vChtJoMp8@ILa6XA4WkQ;GGhq_ zr3-zADp_eDdJw(mIDKboIawi^z+?~?T(StP&}8pPG7xn1(R}rd2;KOVUL`Vb6?+WZ z?E55nq*=ROhf(nJX8*68&S$YC?5DoslO-k0=+!lB(e=r!dR*mJWxF506XLKC=efbR9SQBV73#qTr8l zzvHDK8nqx=!I5V8eM=)h_Q&dq1F@zFtgXk6Fo_hfEf6nt^(Nz4C7Mi#_q$>eI;X`5 zYAWC7p!$P)Jo+?g;J=`LU^iL*8{DOI5%E`?(I8UKfBm2|;%HPPv6lRk8DtTcHnYH1%};R5kIj+yBNij9bo3CpZ#8uuB+ zNTMbk?j|0KHs-H<<>H@?hcA&%^#_Ft=2ggqV1b#{ogRR&Fo2HanuPqUtwjjPP2_vI z&o_dvS9@TiK7-l?+$ z#kaE7QD=dd-Fj{hOkWH=`se7lLWL-sCVq{F2KGcjK?c1Cj$9Q#M3*gF zK)%xKwGy(!Wl@8lJN70OBOU-=#W@5lLN1YdwmOWdiVg zZr2C!jSkxZZGz5Iq{XbWxq1YabKpWjlqZ9F^4^Hl0<6Oi$PbI{yh?<8#1)=*0c@VB z^>-82nHO7f(WLNGMQ^7qs-g4*oRm<7Vk+a1h=ZdD&1wThTinDadeL~c>}=gdapZC^ zc?ts7vyHql{JwmcunhazfPQM`z4g(%-9H$Er|y+amaW4^6AwM;-V_wfd6T^FPXjGj ztL%Qr?*>2|OOB#*_tTp%1D4#c;6Io@%&MyuO1f5WsXc@n!F z?6dV0c9YW)CHk7;oCm3^=-@*JrJ%wng@j+?-x&CS#%HBVUD!EYxpxv}C_pB6MTD`F zS&h;bx*df#vBpMkY#FT9J=0)kVx+56X4sa2@E+dZmFYm-9!nC08O5xiw8(P*?kl^)gDr>`n6_be(p=pX zsf7~b6}_Ka2)B?ilAHp%k3dS$6xM!Jx^HyW?<>skFDAw*(BU3I1a>DF-8hVpgZjHX znFqCw&EP-18Gxe`$gRN-g-(BbZ8IdlY|bDes2|j%0^Px?ua2OUG6)R;TnHR*jr^KU z1m%=Ir_40E{_rsBpzAx1TTh6aIE(u4LI8QfeCSP;x^(6HBkP`t z>01*gf3SCROrD*#&P;^kK+ldKmGJ7pq1exj%XK^e2`+1hZ1 zFT>yFxNyj)3*teRQew%gWO9a{Ca9K8GEw^>fJ*MP+-a=!F!LuzLk{|3(1OcSE+*C} zhTBGC=WM|-2`-Wis4X#YJR-EmHO`J~z2p`;FdQXblZ~%Tue9;0+qbGripWDc^+M4d z?hEHZe^Z;O-SqW9>>)tm&{a5L(SQWb@O~9TF&4f=a0Ql$T?A6kTTxv5qoqbNVPPdH zlVT}RVPTo1L1I?q1V*-_A)@e2FzOeRLn)*eY?lW!bW=!U#jzmmPnH%N-S zIdA#TJQ5#8pqk}JDW*d6-$A4sf;n))oNe`N=FA8T&b5T=GqnZ7waow4=nO!j`ta*J 
z%buhYNb{i0<&;|gy@`GD7`$7HVjL|JiE{{?YNlwQp0!^Y=H27d{qbTDKYo&^sHhL< z^aKNkTq{==tu^X-Y+-q8FzJ?du`il}dHIT%+wwi(nWk);ZOO;3AT+RwHB1=H#1B;r zVEO09@}ps!*KiABQOgD1E8PTltnRZifTqBK?l5a#x7k{hC0QVrU`VS15jFKfbqqlr zDIC@sYh8z1TIf%LW|R!6IGhapDEs5{SRg(Rj^F4*QmG_3+@QJx0e{bNK6a;KZ=D&f zsDT_S%Ryb0wZi?HE^FwQ1KS!&Z|-ACjx;KUH=YV&DKc%qtU67Ib!!4s_xb%DOd`2E zG8eiq6vg%j)$}oDQ1QCL+C$g1PsaJA0$bXB|DC$aqz(=V8nRpG@!Wcc^K`v8x@$+_ z{qYolGrzWH%Ki}B%_41MIxL!5|HQtNMIh|GgP}UN61xDE%~%lwOf?ymSO>lgJAslK zh%y2Vva zrqrjJ7Jy&6aQ5G5052aW>?Lz)#0vnCqJ*gmtpji>?PCVdwGA! z%qTmcmlZ=#5}m?r#9}&E30?Zg%WBsGnFjDcDj>8A(eib_LQ2NQ-^8$?L;9N(>b zUh*W|7jvM5F4sCRM83xeWZHeDis)O34UnqgeR^*+b(#|T`?$m9^JB-1`mCUXQ@gle z7!=0QQjg)&>W;=^@32csY*#X6av*el!oe*#2I6x23cTyC6t6t@b{&QaRHL>9?7atC zSID+#_MhUG*o5VxY@IGh!#B)MCEWR;asVA(tO12E>~)zXlDgjH10V-RX8-8iQ40$X zRm{gOIuY+lZp*(kD?Vn>Kt3GgetmQ*8A~nWCmDz=@r~Oz-eG)j=@YNS@BNwbux#Dh zkEaSMuX{)FSRBr`m4TfR8KM2?;iLlg(pYo9TYe+yjb@4=po)bfNv-D;3^SJMH^zmZ zsbEUW;mXR4Y!*&3Vu{!?Pd~#4oK&$W# z`c0lP2GhiM|5>~B6cKc1@P#M*Xy)AsXXQrK{>=|(LDW#UvwkRY{7WI6f_&4fGkiv9 zJ8dFQw}%r^50`6vHSRjALBUob<-3TnY>V~=zgDoDP>~#WdsQNK-RV&&iS4~?yXhvX zPL%`z^>$f_SqR@5y;TKO!%)U4L3x-Pz4Mc5pf0 zgCkK4MFoW4&syNT>fCB?=?oYhPkS8qcZX1qgGag*;-!G$dZ1JD{+iBh0B1n|zT4~Z zjKtk*tu-p24$pz*c?L-g5GtM@a0T%J6dfHp0~ z*~pK4xqTq$YWM~iJ$>c0y+4Jszpd1P-=#HjAxV^O?UVx~ZJ#SvFHn*_*Wo-&*M(!p z7SeUo$?NC-ashY*-=5~m1bpfd$(A^}!4$|Du~{C40Z>xXdQD|bXoIS-50?0@*L}Et zyXw$hC#=HjFfB9iL+Cw^UmfUt;D))vb8JtxNea03!>S^gTYmlsAU{y0{f8|MyE_DS zCWru6W{7oE%nf6U9`yDK7%i15mqxfccn`zmyWB8F>1Noa^N`!ncM0epe4Sq)= zBkr5cYa$&D1tfXv!CB5ZIuk!WN)v2b4~*1b!etd0f(h%BFp!tS5*UYvv+FyQ_n&zV zp648PvehSE#O9Vt3U3OU?9p~fXpLi3>Vr**BFOoCKf^nUazuP;2~u{^!L20~sWD7m zQ>=Y&IyzDslQt~M`#=Vri0TCpXVFf6yS`^M2}Et?=ltbGb)wZzs_7Vyu(;9G47`E}$rXt6$%LSNztv z^K8w-;P4QsOUgJ|UQxlIt+vzV56?Y71z^=?x&q;vk$tRY7>&JGym~xhqyR#T1Ftn# zyMStuovB?y9gnfP>Ohw|j|}3=sf?ZK`KXd(q>rf=59$+Hj(?+uZKMLJfgD7PmQhz1 zmt;~ODl64=!Jc#Vh=~Gqnt0ATRNSq#&$**4!nE_U$4(g9lYux4DknLvXPZXkqYir* z8|0T`)#UlcJz)~_H6N6JW{IN%Gf!h1pt&kD9y5TEziV97<0fXI*DJSSBm@Ir9K-Ye 
z8X>~ux76N8;+^hDU^)??AOPS7IQsq-ynghaBw^T>0Wl2-G;hy(*v%jR zFbg!n>(j}RTl1Gb;9bcVfn6?ZXltEjzj_5j@`drF!{)CIIv)U6PMkN z8uda@CkKfm=BjVKd z{fwr|`Q2AW<0|X9Y=npLtVViofV_hppd(by81Dt7>BxPXV&}Vn#Xn?8hS8p`5h$3y!PaUPM>9CESUwD#W z-COL=q23hfueP@X2#j2!l#?*#+X_TDPL3#P9lV~;ID}2NzHda~&)1#Pkq*YHGX>L4 zmM?#*BI8arz6l97g5P=OQd}Z6BMUTTWMtN8qJ5vNp@`H{k&P*NIE*;BGmuWQJ)F|f zC9N&EtaESe3B@>11&UZ0MCjr-ZeUmX$mZMG>NfYy6<4@Z^5;Bt_lEv+3eq?#y!ljJ zPt&}RVb|Ryr55Xigr<684}&kr69(ZOI>l@;5*_&cI5r_4)rp(<=im>&@_m!7^X=03 zt<70*mR#N3B;oO?yBVeP3gi;Wj7DS42E`USDmS3~$M&a70!nnC;cDHQ`QK0FIvbJ~ zIS8Jgh3rUve>t?jn%;bUvz`6ej0P8y!@?RIO$sxpRkp6P%W+o!D{rzHk1C^OCVM`) zgy7(#QD7;AD)PU1qaYK}rms%((1IR7y^`&sUdFs;(v)NoEh=cB`oQ|3n&|t&4{O=96OXXFx5_ zbmch8Yeg-S4M-T~9y`y00LXo$c$}l^CdO}4>y zEn%!CPcg|n9$F(gVXoGSK#bgZvQVQ>?Iy^kx6XtU`vTZI@l@6&8tz4F5pTdTS=JZ; zI#;U*LAsy&u7Kkplb%TN3y1+_Y;bW{vz<8<2Y`XR$4xBMqwy&BvFa}@M~azD%&6pi z{_a*2NmD4N>)qj_fi8FUdxvIv=#tbo!HcP^AJsSn}#Ne%cM7>vJ@D z68MeceSEsDb8ht`=q$y!*jZ2CIS}(RFV5POsj+Y@q?mpil!2cb!zF_{yC9;LF!7=1 zmA2zvV^y2@x8#ai2UdWe^M)hZr_hazAa(UM6=>@6CTlf^%O6sof}uC}RNzDj^*)vg4bq-C57$0s(5i>CmPHhZaVE3Ez25QHlV zNEA?k(sP|c$V{^ZUwe$jH2r0`rByW67H^pzS_-E*ZmPa@C^_ahPEKCHGAs#C0Rq{4 zJ)CC)rZBopD(8XrNB`P;uiM%JYU-YpIDW;&>456N^GysyvItKxhjsZF`svb@{w_OX z3D0D`A%_b=X%gxIw~jJ=%~^XgLI3F8)PKk1#%vaL;F7%hdW^}k6*VL)vIK(`Obij) z&7TCTYj`5F*$hI83S{_8ZX4siLWsY9k!I(sIt3oMn`c2Jsn z6|712kJz68Jjw${1R0ca{6b&+yvbSOF}{7t#~e)@)#&IQ->I&kNvvvRKy+{Tz7zco z{+}ZS3?sYh``^Fv00y<&=Yw=O58OtAK8n7zBV1>6^qHTU$SD!FU@ z`AGi!*wPoe0llz(djjrN2uSPM5l~T4>7DX;9!lY|-JgDy0koc*Ld8{j8fri3J=XW4KEi-I=;VF0{w$rQDa_ENYgPKxhKYjwRT^L<`$AYxo zjqtZi7LBn*wcT0gV$9UIb)y5fWmMg6z)m}fmsNrm84ti#7H|7ZPDt_6HwM5ifn%tZ zcm6<)0w5qY6vK0~>g6K*^~1(Ta@|iJ-S_U1+rh4bytNZU2FC83BRXWW}J~@-}h;|&bm-A?wq6YT6X=8 zmFU_l47E*mbo^5cjC=|d`QS~I1=(n zP2+QiPk5!FYqdr|`P^ zDI`y0P>6Q+4zpH#yd?fGbK_DOO@0H9alqh&R#$XDNLXvX<2?lPenj}`vmdDW%ZN39 zNY>EDE`d~(-&RLAhh;)pEA1U%WVmo3=;gA^zZRS%*0_Xmw++OrTg@e-*p^ZZ`Qhfd zrtLRK6#ee&*tvM*{AD90iA@gW%-jGLG9Jr|P;9z&45`dE7jy)4@*o|D2jOC3lv7ZP 
z7h2xnyG;Y+J@Vklnl+9te@u+~l0DJ3B~etJB)_^km7T3#J432n!Zs9C*G; z%u>k*V4nvP;r}7*Ed#1-o4s$kVSzMADFV_V-3w5ZmhMhTk?w8@r5h9w>5fHrr*wCB z=X)-$+xy=8-OqlW4}JiaaK1=v#1}9mZba<+1_E%zWXh*E!NXTJ&ZKv?|wP{{9;`M4AfxilZk z2~=0STU0?Ci~?&02f;yVb9GwgzOnq97^g(t0EWnH>WX$LS7X+#OfZ4)dWaS?EN_J5 zi0a$K;sV}LEf8Op4?~nSg#s%WrQ2x<8e!UI3`p4Xgx@%twVzVmM{)|oSls4p2H90) zW5%i#TU!xve6E>*^czZ+(sNqatB8guo!w;=VqR`l4Ir|Y%a^stTp?YIdiZwea1XLl5YNf;jj7IF>IAeS{Ze#Jlj_O^haexF70$oM^5= z^#mn4S~~ei6Z<(~Zq;ISIG0G#Uzv3UT@OE7`K6_6AnnS7PU>1cb4wKXE{(&Uq&=K? ztbMP+?K0Cu+fB!svAtYni_i9m)#VTc1Qt-fWK(vOrU}AVyXDPuO+|B~KQP?rBurr! z+?6_aoosuze)Ca~IfYO##gC)7vny}Suc{IZ=|JBAhpcpj%b{u%$86OS>87C2Z7*l9 zJXp@LC@`oNU zVYyzv0|6bF)JwNBUPrv&!@|&6z&<+by@5kiC1BFeT&9C5@--!yl4!FT&Tsw0JMv&I zE?33~7m0&PrNGBAX0Z_!rH3}yE{mWw-nKU?HT!`_D;26ws z_IXXtm>0jAA>qrHXM+Pf@0XRMSB&+p)@qR^!ULS?T6br>{6$IUrn|)*Tj8}ud|8#j z0){ruyN;>eSE$dD&QQ@Sti&{eRclQ=wz!%PFDc4X(X)=uO2xD!>5}#Z%t>%0eqtZO zoo4VPxO~JjpDXyuUgk@OI}2D=S>v^veoB=YlhGr8WFC?sl};z)wBCvDpS{E{meWWa z+{HS+I{SBm9@aBXNCsUYpN0b+pGx*sfCN%N6BlTqf$m&K?H^c!kpf^+Cd3|^N4zGN(a{Of)FDyBU^s`$zTk|BuGHOnD!`{6fM!Io^_WIiu zj_*WHElbjlsM&3!1iTq~H_k_4g3fAQ7x-TcsVpmBLr?*TX%o!gfaWn(28zvjzVXrZ zn5o%ZMJ?Xy`QaFP5~o!bnMv?k;XSPUmk&drRWtZSc4mbfUkoQcmld8ooyt(wq3S7< zqmt;QDnr`E>Yvy)z|=HWo0b=zX*z;+qCg4SMTqC|Y+E?^(q%k2Q%|?JNFDb|q)PTa z(Dv{FUZ=_Yp5%((6wB{vm&4o`yn3%#L(41x@oeB@b@lfmLb9i^nS*qAMO7E;5`LtX zV@?ic)A!*8Ih9fMWjL39KG!%Qv74_WE;AbZVU-0;o9i(~$Izc7&Ed3+*cgf*TGEO; z*uufe+c2El{O|TQt2LkTDAL58GJq-(;894(ZwMgR%=hNtn04yflR=~c*w0Bgv4cn~ z1qI0M^~>lm0OPZh30l9+tW5VakmdpD?+eisVK!*~V|ce7Vt<}2@1uWwxCu6+n|}%=>0n>zZ2*Jfhtb>ahu~mi`S@IDgY;D z>!mNa?7gME%M@v4790@V6q`({fiIp@)onsgx$&9 z#Ra&DQhSHhfXL}|K1(93RoCnORsI^mZYfy~1~I!xBD=8>nTb+F-@rhGps-7u6(PM6 z%EQC0jo+z%N9qxMdp)#L@@bo*x7x6{1*o28O9U%usWyl+PgemnIQi1LYk*8+HXEp1 z0xYBjAu4o^dXp|T7eQtsrR5^E*e`=TWlPf(CDh}<3k%Su?DcuM z`+Cx_TY~Om#8A*}CIHT2ps%-Ee{p7g_=vGM0Tx*Oq+dC!P@Z-d#UNx;q~5FRJn6Q@ zLw-ZJ%Sw!XEH9ZvAF&v==E-#TaDL{Dvj6;3cUFX(oLEZD@tTnFlgUv*@%B`riG!j~ 
zH54y|7XjGC8rq7JcN4P8IT+je7Zs=z#NxZvZU8Fmg&0VN&kvklVJ^IlF;h(LfdYs|N&YvQs z7dO=;(%Lk^`~#_rK+DChkMd8=R#;w(ibBPU__jdd8PFgV&+M0NZ{HZU%)?!95Biw< zq2p3eFx}feOojc6`OtxOrVK+91#QQ1)q=(?e8yHJn$XNqg&ARh^LlTr&yV*pCGwGx z`q!b#>}xM4WSr=a0V*iYFo;i4a`sDEW1~(gBZA7-nM}X0({c zrqyJJdla$Rak?qe=$-?zDlMF-A6(Eb@_r#>_0jmUXxYNg88yaLrBEtS|AY1OSQ05xvO`k_ILV(4@msI{- zA{5HhJ(`)zr~TE!HzN#>k-a6wMs53*V=y$~d4JQ9_NxH~1OhcTO-rzE_Q>w?4yHI` zrHei1u@!NR7t`G01hq|)AIIy?@UQOcVKU}6cIqD^@mw9wSUsc zgc{%`KEi)OP3&MiFeK?h_Kt~Ea4beplOTahzk(chdEq5F)&nzc;U8@~(8Be@cSiZB z$)*%Cp0!iLHAEmSd<~nnH8;Y)peKBpG{reBl&19DVyF%c5I(;7)#j_ z+WD7SrU2o&xmAa8YYm`3O28xw+0PkD!9*uuiVk{X@9685n5yLH2((tII$sU@g_K#+IduiMi$V zf(LU99a$0j2Q;hocfu1tW`z2_on%UG9%TM0@b=sxIM7ZzzF0{)4ZcBXV=xt6fLu5b zc)V>m7Z(r|+K32({^S8-J)L!jJYUcSs@PZxj{^y-K%`{uP>nt8>jS658R8h)%O>l` zt5p!48l~`$_o*6hHZ_$Ul?qs5Q!tT;`^oUSlnYiK18sYrbzBR=3nP;YxTBDAS#PxB z6<+5n(~HJ_z^5WS{TM|bOI8eS(aG){M0&vw3Bor@=eJvF59D_`XwCoQ3DT~ts&m*z zAbLjFV4k(99A7xQc6V_wo$5uiu0L7AC7%5)8&G;`e{*@?-6ON!y?>bvdqF1XleNY9 z;X7T%$|;;&1~h;Ens4_@Ew`#B(!3b->6CslKJ>gOG;-lQ;FBaZ{_4jb^)sm{y<_%}^?8|OpakYT#`=&2yA z)$skhs2@yFD}u%syQmr7mMm`M+4!@FCWsAFncVzVeC}7QgnRnL5BHzC($4jWRCRTA zkIv54G7T#C+0tp{$R8N71!v61B1pNX?0w72=srypc&`Yb^#{EWz@b-p)BXK5E-*Mf z^&azpf(>R@DSUT-wt8u2hhDZr!kNcYfY24GJqkkffv_tt!tz_VU{}7%fUem~On(s? 
zpq4Vhln!Db9E|Z-vE+s6`FJJ#I|ko`9XNva79vYA9)SFrrS#}z{Jh9xzk6f6HJww+ zn0C3SBAMRvm}sSjyK=9m@XaFjSl6D2hOliN>3eG(_RwyRp@^JMed4>8jF`dzXZX5` zwY0qwil6jKJ^*$NVdhn#DR}h)@D6xn%0Pz;b|+NWA1;I95CnDB*l$t9(WrFv3U0AT zuqLhNR%D*9#lWg}^%ri}XcA zUQrR&ZTe4*Jb3?2bt4H;CEWe!fA|Kvj5{~uI(9gw-b!s*;4!O=FJGJ-y^z;G=>W$1 zR5GWcbxxdu*g`zgy{=w|&pk+fdb`nQB!}|O+O5w6uyVJ44&CF@O=D6ij><%*Mu~y4 zzKt1d?XoE2=ZQSlTN$vBJeS{90(Ws$GB8u-GK2&diNlwJ){=H>(U;&W3sBU!y))Wfif5_IpbMqoQZ5QT&Y3FnvAk;kn6QxE?iv`0v8va1Cu(>P(}zn zKmA1fhe0I2@lrqVj)YVkqD7|lz6Q-Cf9NJFb)_WT@Ye9J-yybgN}t(s}-;kkQb=`NM{ckMlc|^dUo*1+f*;hUmz10}{y)hX7LgMr53c_=Z!&>@l zXf)ut!d0_~d!$zPNQwC2Z;bCNw{*TcsTH1!{|)sM@wC*BtCiJMekW&zKl#cs;x=1| z*0f>P*lOU&&sXfprAx(tMA@5#FxY>k0h5#~SUaq0s;M*LK0tYevSAg>e{gVM3us34 z*}JWt5rky9U!P#}JMK}=&SZ%K$#ku?2K;Hx*Jw##PATfI(VX~OALH=0nL(XxxWuw6 z;Yco_3t)WVaJ3czzx($+o|NqK_8CKFfCBq6{T)(>pSWlxV^LJ zPwV-7Xab9RvQjQz(I9Ore_Auu+SxJ#U6(J+ze3HPTPV@`R(n@JeB{oFA%qT&TVd(8 zk|aRI%*}%&A+e>6BIu;ge%VG|wLSU^K7)|c9lpx5trJOK`IyI&!?K$)Pknx9m*7E- z*JMr{9+sr)m*Q_44Du-uNFmAfVjH>M@vyR&CXhh0+Vz!}CJ{)frArH$HKiLUQc3H5 zP8U2vASio@4q6UNOKguU+wgZT-y96$JtausF#i~636GA?fW_l_hY(IG++*}0E*KhX z`?a^6wa#pe=bV%$!R=>j9me(;v2*Qcl|ku&hE+IHo zUO+xuLz$U*+%=@#(9(`U6>j#Z?tStKVzuTyu(3h zGm}eQepG>!1Y8a^Hn@Gx++PCp66Jj=3LO(6FEREORSyi2#F#R%0paTa(t3?zktH#a z&=+jnSBJju74JH-oOM$K?4DQb5BG?hML1}37jKduSd163NO;o0wI9uHA;Pt76lpd^ zr-LSo`#K$>d|hPak6nD;D$jQ*O)GFRV};*mo2Jg32+`b_4ond2N)5TH4$#)@qEBK! 
zQ2v&2?KDOooM}YlE)E4fz*IZb|L(ce+*6&MD9q5FRT=Is4Y>>N7`i<+eAm*{Z_i2- z>#nqr?y~9mh?{bV>P$E9Re|^VZx0gX6~b`aERc-X>R~lBX69i$R@vFvE$dty^M3qB zBeQ1DxSt4QO|In}vRk}Z4U6{!0`U}lUxMADaINIMgMf_q%k6~~kNrk?h#5$5Rli#m z?>TZ@mX!zi&%6T%3ynE|t~tE#z{w5eb7(g=PXhJMi>DYL z54sBzfd%fCJHrBy+>efMaGRaMb2WBUniJAdi4A{ZawE7f!fdDR{w`AhC;G_-9}e3Bn+~SFx)a^rcZIm%ty5?U^-U;PdFBxMgtq1 zPPqE-uPM3FFXLE6-K}5pfCW4$Z)qt-)AA;*N8oiNQI0A$F?#Me4sD{GYU%}yZ>ZUp z_oBeS@e@w6$j^MvT5p6lgjLWARqW9_^T@8Wqw&75!fk{ob_p~QHUgmxOvX%XTtQ&+ z67r$pmgpv1`RTd%NFh2{v7 zHb2rEesR%x~HnWTRI?DXh#h5}3Z zeDWDT{o&Be>BuDl6K3z<{%90!xGN9$d)KB-2|D)QszbvsYpR^C!jT$QJ+6*?1YgQ_ zr;lV**DX=I|H5k|`gE2^gYGDg@erYZG9+LiA@uyD*sbkss5(_yVyvSD~YvtgMUe#ZS4MAUV|G2w7 z4$5qe&IwoS$N6niy_Igt!tmpwEFSS6dZA(LnZqSnvup`i%HOvg)o^ryRtpU~zQXT1l9`f=3ZcTe-{8JR8~o5FWQHWtx$^=Jcg+q~$7KVS zrPvBQOmg|^&4sSV9hTtaVu0Y}o%$q8!t)JYQ}l>~VP3I>W}uy{r7>D}3+s%sT5n+w z`v5le>%VFo|HA45F|-J@@&=?Flm*YG8r--cdMvPdy{Y`%cy#iV1&)96JtfBN0#vCM zigkrEwO2JpHA!T1?7F9#X`GFKUfr81(FJPO%o(84+g$2u{(6Q3izO7PH4ED&a@Qn* z%{otf*s57FPpiCfuB$&ac~Z~$5Nqjv@R7F(sQP5zI%Q0!-bPCuG{h$`WEA09l9Mh@~m{ zE~HJ8AmHf#zFSPn-}(2XjqjgbE<}^G$yc)9v2QN6+fH5moma%cQBDUvv^q+3GASr8 zn@{f_&}WKjI-YoQE_Ykrna;Y`?m@RK_ia2V1Y>07;MJ@^o9qz2nYYj3fa8&&R>(sA zqc)N{U(>%T&;Pu$zh8)ypk!?B0a8G3!Z0ImRIza`i*dScNu(A& zbrfvIeuLHrM~#f(6ql$^bE8C!%cO%i>wHnIOP7X1Ji?TkKx5Ga?1E)g0ZeLEBW zYNZAcio%2JNU#)z9kktDhUoz~)u?J&VG3c})0rr8F)DeKr~!^csqJr>uZt zLn=(Y2cI^1lw?4rXPSw9IG$L}YH^3h8%C$YphPLW)}4m$Stcwnq+NrMJ3rKSgTZLD zJhzRzE(BD{1*{Nf=pW>8$X^`Xbw~;9F$TVWhAQC(@9KnG?+(y252t#@Sgl9DxL^dT z^(Noi&_%I;Kyq#ucM=4F+dm5^gdH)4eq*n^&&FXbU+pC|D?Q7Rc-i-ji@C;e0KPPf zxY68Xq-C5=`kC{6(ty`)6+pk^k|7~a!xQ^pNXHh_$<>`hvI$UHEvHM~v-lr4hta zWU|i}Oj)Jz1dWZUBp>yf@CCeX5WbSn4G3-)+VP{I;?hQ2ZOV|r7bQ=0-?Kle_&r;v z2e*ocEU$-|+L~1}5Eg_WePx>QvrlF=P_=H$!Upj>0a#?Bk?L=IxwRNyE9FZ+mUwM) z=|mVbUA|1mS9wqK0p#-LP%-ylY*tlY82za~(U`?=d;H_(bvyDyz%;wDc$aiUD z24!S{O91k?v_!6|&dkoa!|MyEaIjfC;S>-K7a&NvNe`|3d!`N(MN7i3mb{uCka<6E zezRi2>1uF4Kpfar{@$e*JOgk-MQ1P)VFE&&5_4MsxGB+icJ*6)~5stULZg_o^d!pO_RG{&=8k%vd@uWMJ0Ay8dgYPw=YULX4+LD 
zs$ipSw|BHe`HBe?GFVr4chL*^z91i79vWX)gk)2>O)!2IW~E9yjAt44zdsJslr9B0 zwTR`p;8E&8ui^frYRSM3KxZLNYPJ!Y3%cW9|CnJ_QU?Ai&e|fx@k8nvM|agYNf2)_vid@K7lNK>Th74yOP9voF#A#iIvB zrbV?@d4=Nni=*Nur78#ISS_`6MMA9mk3^${ZLFsU)q;Z-w%>wC>2@oLf#`6!*3=6- z?Kod0A4Z$6B3cFxcZH14^*N19^1y5sErj@6r$|mX@mlE%KO3rZQUSQ4`5K^djjQCl zP$zr`lRVVq`>wdDIazLTd2BL0$~PcSCYcWDhb$g${<K=h9%f zP&yx={X2*1+1ZS;%N zCKl;eGE5=*JW7uU(F>7Dd!nRp>^-yrHK#s9bm{XiJkMtOX8NX+oBA#CQE z82lz6K-ym??@tr*G}1z(Q~5MjNwLOo7WqDvPOaKqs6dM+>@cgVs<938B}#}R9YKn~ zXPCwN-9regLv$0j(1-~zgs8+UZt<8%2)`{aNoorby8+e!j5Bxl2NoSi_}bl{zh7$h zewKUbPv2$~&wKXnI1cVL1~t5_6712Jw+_+z7Mf+)4Hs{zTsy8ohqI{VG#JQu!WOup zc*#|VNWzJx{eiJzJ^8VkAYcvvqh8`~!Xa>z?0^f7Ys@S}SWkh43v82|tjfZ9#2U0t zXZvX(6Zw0w7Os$Uli!7GC5E^iN4%9kV?RTdB;Y^;&KU@jf^Ptc!o(S9h~MjmhX>*m z#1k>MGWAfXLYh>4h?T${&nQT!Gsd)kFLq)rWIM6vV0rLd=}81G4^^<{OU95r1s3g4 zZWj<(#L2oH!nQ4S7S2LkZYKsZRnF;8l){nd&o7 z7HUx^Bha*yvVVS_(&U_2&6FU_5>B#n`K~}f?Hdl2)BE6DAF%pw6ySs&WzI1V2PhlO zW2m#6mhIe)^SA??LR$ABit`071T*caKn8V8GPo~-L0Ff=LJR|LWHjqb1o*ze zFWPaRy9;^hWq!12Qzej~WyTGrd7tz==4T1+A0KN4y^E`5kE^R?K|5 zMFZ?eW=AC~AB=whN6}DKFpf}a(o_965W2Z10K>~@E=RhMg*ohoH1%$;0CX^Z^V&Jv?`AR;FuhZn-vYS6)4Fe32;5L7U_%{ZT41PEH zuV0n`1?vGzUS}w+&09Zv`Oojk4W1+>bm?H#d~r6S;rit1Rqd=4>6c+gjbdF-69y7j@*#GbG?f-x)g82-w9i zA^ks%eQTb383%oT{Y~u7*^bIOr3O3Fs!KKnDP72GqW~Uv#aJ>OYeP2O%v#oHIzqEL z^U_=Yv)6pD#Gcmim8TvU!iSl zDm*3mzE4ia-(gEjs~md({kas4%mO@ZLQV@M+xZF&x4icY zR+Bmj^|rql7njQjvcyALFM(U+w3^4!X>#eClD!T+9OcMGtUbZ^ca6{#DNrk|{PX=Us!$IK zY)9fTdpgz;LGXm4_YeW-URx#|mSQv*QSU0FvFVuDdbnK6V}n=j2Vl5UCJW*3qlC0I zM&^w89Y^2rc%ERe$R)nuWlR-TtU{Fz<_6+>9)}G^n`DMfT~@n(TNf=6VgP|99@zU= z#)|!){P(}z5hXhm4YZcH&(hd<)UyfS{*^S+-znO3#{9?At-k`^O)kPq;-@De&I9C= z@inQ56S;WCw{BHQ9H2^jpr9k;N5h z8Ojp?69GuGgBlj*`9y)L-dbt(;ey`+d|(UE*lIj|5>QUXi+d1)mw}L_1HR!0^<<7(saQz9Vyu>pX$A>mJo@c-q3KRtbHRH!?DCd-GJ z_^&O>I~I7*rmt8nWTD0qObz|Y2mA2URJX**Lf`g1wR98=8euQ!uwk+7Jh{3yVITu` z7I^i9f*NnGIuYz&Kuz@-?FW?V!#R%9^{EVU9&T&8q!TN^bz0i4&tPr|8~tcua~|BA zE(70P9WO<989MKrOHTk(WV15o^zz>NHSk5(EE&I7OiDVH-g*=*c_0 
zp!1PrY2Ow8@*QuGmv_of@#QT{?#)DMJ*(j$+>!HLdxlIw0$ZlU7@+?DAVCB~AX+tF z0w$d-XP;Rp6;jU@X*G~fSk1IvLaSDSeAPkFDpv}klr&^1(+QFz8^;VYRKA{FMe--U55KzLo^dQSsbX*eTpVxB@ac-^ZH_Ur8FG^vhsra20|kt ztO2OE0~$enQK0$7|8_-BKcQrYimQ!M97s6+esCA4j}P(bjQ*)IQ9 z;lIX=|IJnY{lc3Gdea2|A!GXlLoXWVlaTqFC!eVd{fnVSJk^E_RODz!Zz-IS-jTb% zp;V$#6d=-S`HJ9zr1aPS|L;2^_^B<-4QcD{>6Zcvp;ZWYS^@XGS>*pjh)_f(*w2+n zAQxy;6M++0&HP3=6xkiA`v_kxRlGcqOA$q{|0OSm0aZN2K$_w6p<9y|COlYIgLc9Zjs9No>egC~oHE6j&CJy|ZKtJ><0#H|4H=YG3+{y?padv-0xrr_Ji>GL6>%P~qy*Z|Z z&x_WMs$OqpFsnYPGAhe8)#*-WP6J}Y=H`|*y}qjb=Ms-X4H@cVH2wfz*aro?6n?8- zV|yIaV+P;>K>%4$Y&=gvW~U!Nugq|eD^~rj-esD{(b34uX(EX+*{>0dX<{xJU!}$G zA;Ed8qilbo4~9!h8e2)eXb|dKz0DK;`%t0YmIvxf>^5TFKHf&z>U2D+%*R--9huC4$?1JEN*9MA`$)9zV^`pm>&L33?I|d<3FK)iBZ}@SoE6+iJ zdQ6QSw;lNNBls^1V9X1rNT6Nen*2`>0 zTkr(ja)y_r!ap5ftQBBYWQ|ShXlZ7qOEH>LDV>mA33Mi4MbL== zw)Y^ud{uD?yvz%X;p_k6?y&8ki*RL-DI)xD$UqO6o}xs|-qS08K>&571=koCW{mhN z4X5|0+SM)yv+z24WRROZ4xT~}6dR$(sDZB)kLYF85mc8iEjIctb#1pM_>WB76=}n< zewNV~QPIBKF*DZ!jAM(c#Ndwwk+2;*x1HIdwPYfD03b9!QB#KFQ+8~n{=vHN`Wafl zF>2O9z$dth#@6#Qh0XtRxq!Dqg?g)RAz9Xc-wO(q!j3L+^~K_8^$|f=AFBW_)ikG6 zfO8?Yps#lILSNCpoCSQn^N3MmWuhU-L+>ur)V620yeHF|sSNxuUMkb8jDL6N1rxd8 z?n5E$B^vmnlu|=!cig7fqp^+SusDj#PFj-aR!(_-)M^ueg&r-nhykN2xTbzeqk7#P z2U#cM^oXc!_<6WppWs7IF9HG5uSkCa8x#0&brqgGQjp5E!YqneTO$~!%@uYRU=J<- z*_}KBz@R1NQmCjaU7MQ^K$_})w*~+H8%=2*Oa7kP7j|^ghQ}k=G@*0f_K;_yWk&D) z$Og}WBle~9Jz@a!2#R_2hfs*GW>Q}g<=EGaEPo~YgGg@g*U)q0gO8ZZruJ0@Ot*K} z91xF7EO&PyQKbvwXg(Q>U^0fdN)tFsn+W;t$xHOxepi_H(=*c10<{&_`?K6NZkOck zrk7bjuXMncX=46u0zLn;P~Y%;hfr$E|Kz zFQ~*(IjKrw!CysZHpM?JdTN?G!H`=0$kt>8FaV$2h&Ly~(IK_XML&w-i;M7=ByL!E zI5EY=EI_dh3E)r;3Ov%HUf7eyGX9q>7WkjoY|yo8Fvt+`#3;^)2R5p+XW^7xnlFIH zj~n#wsfQFom69_&thH}7x>MR+TZUL@yzLu~v1rIWVIvnjI5UW7U6roR_Gwwh7~0*s zAiJ2eH!y=jHz?^|v(iK2_K%f4sD4`H&0l}pG;fA2)*ksspwR}Eo^yyo5@5r21QtC5 zqKhJzng^VF^>MhZ9NLMIAHYS`O`|8^-5sM(L3 zVb%xId#qrNMXOUn5jfic`*(#9CS@XM+tF5hU*Y=;8-RlhV$ytLe4lUS zxFBJ8r|_kXhET1}Js>24$8JUB!QEvUARt5JlDP{4Qg|Pp0i7qx(`>By_Fa9u#L~&U 
zq_Syz#_U{L3>W7+t-vRjC-(VEjFtre0ATerhtTghc;%I~FTWzjV=EtDUX zuWl61+OAd?3Rq&U13e{q%D<8JOw)-wGtDUgmF+z;mJd(}v#UqNrS>2F`Jp-MRo|M+ z$z~sN7-7H9wB-PRll>T%D;b@#csnrfcjl=R{4MWaGCUq3!Cj?w59yML^2&~z(eeeW z7FwR&zUPX9t7V9$_8t{g(uZ{=9qv>NH=bsV(nVD*g@Q$Afimw2u}P zbG^M_a%(w$`N%IQ>WdJ?Yj1M3Tim2~d$E6%c5fAcs++|mp8>Ph9o^Q<7lBH=gA`7RnSv?bscyaP$yU!P(DpBt*%>6n zL_KTMONfbB+e6ph`5QwyH%Ki+EP9Q#+>XmHpZWJ;^G!JmW^cRfpSkyX5)5s~Hd(Tk zz!rc2B)~ZJqSm{A3Na1eVsV?Rmdkq7I6eBjclkpftGDw5b#ClE5Nk>Al)`j)G`N1@ z(9Eqq>K-v1Zd6n)H&J2KMvy>DKK#Zbf={7;xSaitRc~0n#(h1Xj(sXe<{Ofb$Ab~& zRquefE9t~T*X(j+5YU1Ah6l;%=6oCV`ee;VcHWif`ERSKdQ&H}KUs-YC|uS+)#F>*$=yPWkaXf3@)EC3R0&=tjcQC=>CXMGNHWCAPZO-nCLqf{Q*3Mn*?LU4Z@xa~ z7&Jh?zr6@F8I(oZKVH6gM)Osi%0eEsLoE9(MnHceJINbmfJ6wokPKvwX)?!w6su7E z40QzTr4FfUSzB2e5a7zt1KW=QK7wCV3d!Hc{vKDpX zw7ss5$B50)z`GU&lwEJ3uup{igt>IAl=2ADTE%w7IfeGt)XPi~h z(N6Uy_1TY#PnSBL6|aC!KldYlqKOKP0lv?7YJqUv?qSnytEE2iZwmee>J&_Ff&p;4 z9^S%J29lCz?SZHr^jF#SlExq6eKCkf+kk!Kr^x4vaPyREGsC-=Ux2oSmY!0a(`N~B zZrk$Lf4>?V^hU+O@wd*}LnWYoC;E!&w z&G)u&udTOoJxo7aag`88-~c1 za4rPKgH?w}uy_i^naY=l(vc!4sMBe>z16In!-F_=7cru)cWDGwcO#H5tDP z85-~9;Q}gfND$aL5!l||S4?JF*D(3OR{`GuakS zRSR_(La(amc7dA(2&=Kc^fQ2@0ssy4hGhW@B6;fd`fnCw{IRl8slX}L{j7k6Nf&<= z?3T~-={ASE*hxDth2_R`i#xgM!832iRmH_?!i{X~_-XCFz&=LZgSKN1wT?VoZ>HZR zVhGuY7CUynRxdM(qF1ITaG)ZzVc22OZN!M5;^37wgKt=vo}Mn<#5!KSKHanpYRF*l z_rzyVS>tLit?{_nBhFA2xT63#oYmIaXa2D~3M3%#Rj*o1{8~ivsgy;7=XihL6rz(TQL>e(8S^?vTTJG z>jH*cvUQ%Sb(YYwLKV$(**$<(R6nl)#^JkGY$2Krn-lUEulY8Y_j;sY;dOEbejxNv_7abTZ+>E2*qt`TWcCO*dcY$A%+qKo^=@J$Rwh8 z8DA0}%=S8UbQHjl8(Nv)}wen=vtM(@{M#5|Q{}XSsGRa~6=CcXah})N4 z3(6_6Wh~b|T(F)%2=+<{uC+eE+e`~FZ)ergJa-`vD74>XS#!aICtqj^dc5*Wm-{+6 z;Bq~sAdTG*_Cb#GJ$1=^YI&+XR_AB_v#WII(La}P7Pqagn?G5vBa}Z8zhk%je0#aT z>8l^#!i)pe-gYWWh1ep<>hWHF{oJzew!Egu?C*3d7}V$dju_+u&dvJbVFZ`}_X>%a zVC*=_lHY)k(-1rl*Iqpqq5e2^xvjW>ug`OXE zh)Z9ssNUardU0FKPV)hxpTAxH&~&a9I*lpdk@pAAlMPxzTav3XNU*Gs0NCT3uZv>O zY!)d>&h|bfc-?Ti8~g)%RB;ble{b-JDkzof-FY1&awZ%xw{b5d{}Ws8>}OY9eaX!k 
zI-ofP(c<~>umPpYzOTZ5p2>F$SRK72F5g;53A}nPf^6Kx+FT~rgiLN!-Xk|mKfYL2 zD~(W*kAGwRriQI9&+OUK#mZ`=yvvTUI>mD;a@SXU6*h$JVVj2$=$KiTmA(>EwzFFU z7>JIrP{JdisC}K$ET3$*+8#jOaC;&)%s&E|=D-vugq{AVU33{Vv2-HZq8Y-zer-EE zyTlbAVbbOG&?;dz+Ap_eR)`I%9ZcjM*b`GV{K}y6fV@g8v)my%KpQyXU~ADko0YfT z9_@#;Q6VgOFuRXrJ~i95@hsHjqQo}tWe~_`ZI8)n^+)g5()p!5xl}fwby24mBvG_A zjk8$970+71;yTkhUTObsYq%)Fk_!N1Y|A{80Mikm(PgT(1K^Lood$mGL?>{YeDezO z*`Kn#9wy{0o3}C)lmP*KB6zewm zRR4o_3?hS=R_qQZreld|sQ&&qy)^#vZG?{lDc5mX^MUZpEhiV2ba0RX{~1ll_FnDj zaD~LDv|{CQKHRv-4VOaIZt{6PF`#$A*+t~hY{=%9t>%;N+TO6-Q7eD)SMO~??J;7m z^gq;`69r&b0;o9>pv|TJ-<(})_00ZO4W|-|AXxCqZD#N8bljz>o%TrF-?{>{GfKI?vn5NrxQBJIqFZguEwRg#+l0i*I!s-IrMyGo9++G48Z(kL9|I-Cdt@ zL~go-|HV6g{P{sNM>>aAFf(ckk25d`Q|KNR-pHyF^$lQ;A*OA+G@Bx&qrJFekds+qV?3#{i` z_Rf}T9?Xg{M8mn#AM&Ex-dGm$=vaz@gH3f=iTfP}nPpK`)2~DVdOS19OIW??oJ(?Z zn+VIMk<**I_alvNYx=_$WoSyohCFA!__$2|W*^X%CyW843mi2-CT!(oL>^#t<);tK zCxC5BL5dqjCq<*GSO_oicyPbgJND%jkQUeLn$4Fz1QoWd`{_StOL<9C7%yVKYS|`$ zMs7-F46vE)iqJQ~mK-3HfmE?wkB*)Z*pm%Tk8b)%LmTW%GFHh0a{h`%%I`;`>kRs% zc#pfV4P++$-*Hw-xg&6Cq?;w2UVr@IUBD?a5K=i{wz=Z3~o9& zfOnE+A3`Avj0qB%ocMG~R{telznTeu#ayr^6ML>vN89?@qy><(Ig^V?W+V4Cf3y{1 zQGzzjuyG50>iU^lT;fQwjhE-tVt{R;2wh+E(0$~x zE$Z4c@5Hrg{a#&5_1`(T?ba}r^WAK6L#=$NFLvn8M1gvn)A7%|B+gHv^nOgP@X|gIjQSg8Sg^?#|$F7Rlbvn`iG+b?W4* zTq#M@ZS^A<$Z1Yi648VrD?~iPmjoWvbPY=g!B7fa)q5!<;Ejk@zXyNeVsUj z#Qp!qOyA-GMj65+FZ%Qs)lT(LtDVW!TEvVE2JLO)CObcS0d+n~dxgyMCVCgXe9U_t zFig&rpu=ruppZD(vI+e2i%~nnswg2Y^!yli%}&!6cD$x3>P(oW<7t(}9hgscsTcGl z>%diP7yKUK$ONdbjO<7NLfHX@0$Es+5>6>V%0<@|$wxI`>uKMy@BFAkjfKy}5pu&` z(ADS3?b}rLYPZ2_OqblB+feU*HlPgozpq4FR<$Lb z{uF_iFzFwICcSorp+AJ6@?(iET)E;5=#57vO8TI(^L-bP3L6vx&wuhD(Hin0b}2=q zGj2_T6$#`tTDPOpE(`?;htFO*&nrC$paA+stIh2Aru?wxB@f~YY^}r5W52`~_}ml< zA8ZPKxK(umM%}8IeFtnR1#wFyzVd*ZjVvo@BF(E$HV5KzE%m?3J-oXlb%5?kKogM9 z#m>sk4hikK3zc?*3wseNRmP8TR}C+JHf$$;P?0qTxzUkxcw}UxHT!~q?K;wIt$oNw zzH*TT#bAMJ2d++aSCVY%MI1ILhYw)?2W+jx*5AnZ)Ic 
zpjNe$Lrj3$A4JY0MC&(>TEOeD=RfZbd#DRZ;CtE=LrqNfWT~PR=59@M+b2z`U@UZJ{I$1m`J7qU}BhWSc0a`*f#rc;n9&EDc>P7$)xn|Z_LqT zZQwo*wmH!mp)0*mlLr=WyKOoHdBcn$qlnveM$_?4lefo`sci9Nt`M(}p^N9?1OcKs zc{2TfRIRkMxnhdRbOa$!0o-Kcli4mNf=yBqQL4<(C!eWgDfR`IE<-k~78iBn*gGL* zc_nBE0QxUet04>my)R*|9P-C}P}|up`vta7Qks{p+YaLVLIHUh_?-V+>53H4+vzKM z)u~p-P!2uq!<|k&2)JW2zr2+>J2T6_E)ziR`CZKV=ELj1gyzs+ipL=3Ddyvlg##+= ztu?kAPVO}}Yh*w=@!T9h_E3Sr32O$M$S8cBsr|rU#bbJxkk+d*quXSIjzILML_|bL zW{cq*t7baxHum-gjOGn%$s37DNta4^^6U(IaZICh;j}rv=7%*>KnpXO`_-u+yRsG# zE3UooCi|C3k;y$UX&G_r-(m5mfjXtde!eq=^<+1Ayk#6rghQFYY>F-HWpkc;1fIfL z^Fiz?3+M0eJ1(9ZjGQ~SOcIln(t!|;2C7s1)(fVOnKKM@DF6iRB_9KB?|ks^PQ+UvW@XZ3rvi^rZUQ%80PRnSBu$HTeOfR+pXqVi@IO6H!i7$D8Fe-}|9 z@9;^I`PumhX9k|0Jh|uWRYyiZS#hdkenW(=(<(P>wjjVDN%qaxIg*-;S8S|xfI+5y zg->BoBhSPCmUZd;V58y<2s8l!R&n++zoCWOPwJ8XaxVXUU;)krdCxt%k@U&r_P@g{ z3QljwUHl&C-VC>Ib3G)L%VH!;@}>rng9G~EJee+YuYW+o)YrHz%cxfSze&@E*(TmKW)uN^Wi;3Bkx{Sb(Z-t04<#>rQqDB|j?UZ1vB zelo5Hnchw*4~F>_k7XUcZsT>ld&0$O*&g6UQ9qU+^K(NwCDnRlT`qK@Nt*HFczKXR z9Qjw&0#daj`V|ZVnl7vCNXl@ZZN+@NQ2ZGr5)O=6huzgRz@qvS`Eb|iRoWmU`68Sj z=Sph?wSP=)0o3)uNe;TuPaxVT3s`Z=$z8sjypFr{}V}fSa5sLIeha#+tXs6*nga@IHu!)~nRG&^w1!|E^me z=8z?bcZlr8!D}hxlrWtn=ud$NgjW6(^_d)c@k0iP`1Aja_)jgWYH9`Vy@jgrZNaj- z+B@wJW&Gv@yj5O6i}%rb>vL3?fOmJ~eSXNZE>58JmJhNxBtS=2JWB7mkf{J{dz=+X z%e1?M2B6>P0wl3#h02qeChoZ;xC38E23$6{a#jj7aa)q-FVhYJ$WI<}S-SlomxGgK zg0%mLbLc;zy24p9EGbmTl>_m3R}#C#&eYguyLsp^`0kbHcP{>X+GNB83`_I{^k+>a zyKaEtYKs7*GEP}r!*L8mJ2aF@J`= zsRr6|<1sK10maPVRVp@YHnM>KH5E`bSBUgd@~f|(iyKm}@{h0Nq$Pk#Tm8<2rB{Ow zX0ktJV)krJpFn-vp}NKHV@7|;FkD6wosXJswCXRf--Rt*g(Y}df*6wpV2{^W-9Lr^ z`p)m6`!>(8j7=gRy6k`U14tdJ$=C@lY$_V+Gv|)2+iO%Wtz9NM#@9%%LcrKx%9F`U z%(l`lf01cw7Vd6t-yNI0tyVXgwUjcf$mhqoUKRpWGv!o+5$WmXTx<#?vHCe5t!AU! 
zGlzpYSW?ydtF!%QM=PBxdlmPa=t?>3>3g`p^j>Y;gP6B~sRf&J`@B|YwGIdE{cM)o zNO&0P2{Kl7){%&zczjAY37E?TT6HMzB9h2v=n^?$#iHpL&YAyzD`u(L{HWLgPmc0x ze++0Ob=Y8JB|}tq7f^8Kn>oGYDltO}9_cjiTpCQ_xaRG)d1I8)MR^-6R=XTaqZ{owXlbm%9 z-wut2+s#l03gWx5ewe+Ui=ZL5CT0j~S<$n}@x;e~kP9wpqu_q({(3yD+IXE9&t~r( zZZ|;gYBV?yKSw4WAU!rPLha$P|A^>^fa3+^Ku3mv#$N#9Zo#tNqO1Zch~;a&dEmcU4N9&=G3KEoWimvmscLkJ^a|C z^+sg<&L_ZX@5=t}yIfpN|5Xi8ebN|0atZVY(d1p=wA!xsN2PHvpOqJ<5 z(J25yX5^Rx73vvow(@{Hx>YkCLs+5a*?N1ztbsV{XL(c~?dD41cX#D_^cA!NKH^Q- zUy3QNaSw_c?9bLTuN>)fxk5oix|R??;YwgQ$pI_UX3?*7BPRW)uD%fz~ePD8wAyO_8Lw0_k zYW`H1dJgpZf8aCBQ_6)=q*3(M=o1&rQ*fw9dFC2Mz)Kjodq|@6*?k{qjwb}J3o&1* zh`rc{cdpj%2~tqVJloJoUhlZMjfd;`?tnn#aj~fi;r0*!OKgu9cGtgLU4`1L4ge~g zj;AoeX%kekX>wOdTk-*UGSK>(QOwqBV~%pekxWxU}>3 zA$t49f5WXn-w4*{Jp+h-xgM|W-dlW^5+O^6X}gOL@T6VFcj{Q{NmBo$8DHy9fkIFw)j`7|R>pKB4M zW*+R72Wq~$wl-Ma8l5DZ6ylfsnE556|8P6A$Nm0&i!BS3C?6P>bX@(p57>S$jYn$! zKBs;mt-pRj|J6M|ps`I5lnDlb;9b7WSX~l_@@*PWbnSG)IEPDoc3j+t{aAB^elX&< z&rR-7E}*lYtITx1D((R)(z*X0Xer~TFvt`^fa=szI9X`x39lK}(jLq+t3{#(LnG0M z_g$oJJX8MXq{|)oYwO(;Q~|#)Go;4-U2flY;g`D1Eo&^L0v#iq*J=5o^=A6USsW(= zRXM5-QyPRV5;&!yFEBfiiP^kx*)7L#2493*gO}R+w&W#X_@*7`A_zH0Y zpH0?4r2R^+drIdskAuwnhL7E)Z|DJ)wBA)0ks~7i3>fJGb+Mc@ud?G7S4W;6O^6i6Yf!R3JG(;DzHaftSK!H&RSn z<2@xn1i55haem|MM^SnJv^$ngAyoX8k?984cPP!cU(Y4RZN@=B<*i4~vP(yeoV_Q` ziPSHx>xU}r$LLPCSM0be#_b={%-=yVs2eYwHU@~b6e>&0z1Qr&r>(pZN=2QIzU6iR-or=|NDypRkq@~ZIVc(phnXn7S zDa`C;Gp4)S$rkTuiY>B*(`A5PGY=AHNUB!n7z9Z?oX_WR!fgv%;EGiOrMX7jFcadc zf%?kn){b;FAP_w3e)){ww|u+zLjl-P-yP}*(~ota2njh{P!`<<7Yxyi>w{-3mW-7me$kh5SW}6zb_c8|yi=3j6G*(lsp6E5~-tJL@%LiOVF3FFnuqF#&C*_mD48 zs0tOpR#4(sDme#~7p0Fo?#>FQ3y^L^p_b`GK3mq`#mjfh^Ptw4hxi`aPBV@Ww@Cqx zF+D4cP}DkgO8n))O4!LD0;z@kV%kEck@P@a{G{uPfG!S7O@}B++LK# zO8RZPvNmtr;?73%-EGF8!(`x>awe-1+3ftoaGno`Z}gK`iA;k0zMtUGl~Zp-^Hi7) ziIAdTr>$bMS%5QCqKZORI>WQHEYBR!)J`hf5jVt89VOMvncsTQJy|`R*?sn@b$#F) zuQo}6yD}E(24`aVJzJx#uuB7j#+~(*t(#@; zHpUPA-C|AkKc{9nq>p*l{q~RKZkrE;geh!tcU*Gl)VNco{P&?b4!ZD9$R0hsWYKj{ 
zErGJ;ub;S~R~>0AcQdbnTLwo+}VK$x0I7W-vsG2vwkwO@mR)QxGlSp({8I2`lO3MUmf; z$myDq58fo|VbumEUDZ$xVE8&&`;)*ve~k9%&zHB8gW0LBb`4^>m$;&zCIO-_2WT33j?JIK8jJ;zb|B2f(l6E|)}KWZrJE z8g03~hciG!)w2Bnk)rEZhAkg@g`-z00>W9!5RLSoT!=w^Q!#8H3=ji^gc%KEr4gjSh4!v}&+^*0>yp@wEpsu!uvMq!; z=wg<~DcAs z>UXdkVAS4@t%-nt6|oR7?qM{YLYbTlY4mWfJfIvGd<6665zI~GqkEDRUe0A_^pHNa zs>(Asi+y&1bln4|DvP-^q-E9Tz%Q2e$uI9ddbJK7H`y(Jd!VKg5gzfC^j}wxFxn&8 z-mAEE?&&e>etjvb5Y43x4#eFM@_O#|2=2dLZ|Yw@BG;-X;$F1GJNY^s=J78_+E1=gi83npUVt5oVQUVu zq@W7}X-2jOK$@JoMBje|_gmswY4enGv#_P9+6!XKBZ4z1PC`w-wrG%a`q2 zK~n#9Wx$2L`GI+uhsG$G7Zt^B>#uTvg|f;2m>3vKr0}Y1#)E-^$gF)f_x7EaotQqUcDYLDw=mEMDF@Rv=$=YpAJ1$6w?so%b3S!^RWnW?fQ)qnX^ zn{u`2R&F*LjnO<_ArDUczqi1z?GX6IYr@wlwrJi9j`7`1qr6}?8pP2hv*}guU4s~3 z7O`Eo)fUK@YIANlie-zHVNB%J0;SbjFy4J~L&hS5^!_XhXbTv^7%221w~bua2Zx>v zh4~ZAUmO47CND0)99|DLb>cQW{cHa@!ubXS$jiu}&DGe71n+V6Z3EUBDAbw`K)s#jQ&YBAm^AMj_?p_0fupr>(2cdSOy z>LZwF&|sEu*86^a?!grGDTZNUc+NolNv@9f6E!pE-mW56&vZ#ovn)V2Ef|fWJNM(4 z7KI!c@)EZg8pR)r1+7;FbG{CD7kh8g^wr>Xv_7`O>sw1a+OQ=;eM3adpBl#NLE14C zLqIv_wp&s?S1+jH8ZpK6e!upVa#apLohMH?`wm7!sWT# zN|hQ`BKhcqqB3a3Y5t|x$y9=!`vgbFoMY#6`oB%%;f`B{J@R!bvqt1jO0JnG(M7rXu)WPt$FJy8pEZsTw z(SXsx@tNWdo})G~emUYFkE&S__|zIPgtPxVwEw*6gCT2U9eLmE40nWaxR}24ro!PL!AF!*`I%-4F4u@gNAza&zti5>|(<7 zLW4-Wc)UU0Cf@85QRwpzU-{p^;yqlw4B68^Hsi13m~8RkN@u;+Ad2K|CmTb;3;$X0 z|Mrc>D_~#cXUL%banpV~qh<+UVXR>=i2-Pgk5Tz+QU3K+zrXPJPaQPi>fd-H{o9NP zfh)Cr8Y7_WhXzRz!FB)l%KtpOt)d?c)CJf7$|CCt#W(D~}JOTV2HiJD=1`PxuXIVOE*f zs^#mb5hyV}`UE1RQF;7lX!)=Afu?|mX+MKoy!hA03jli^SD;f8(49v-O2b&3;w1W1 z4@VJ^d?O<6sGXYcNGdyk)SaW--3RzKz5?F{kCk=F>0(_>fI^5enaC3bN=T(9-we9` zw*PFHn=_B4qFWoDKq{EWxWF+`4Tmt6h|zqxf`y3iJ9Go~cru0;8fy06LC^mKO1?{6(qNapHXMzh->pcm(~YD`rk*ZD~(TD8(CKkQGv z&TY0r*>a>FY1ZC;=GP(wd#2RnJACQ&W$02bKVfM&+R^pt&hs$H(U>pq;9+?yA~Cv?DV@c=KTESi_wPFMuYXGo`nPdClRU{Ff!7Wb=qGw=?WrT4J| zp;mee64Ceb-%1(w<}djqYJ}MNLx)m1ei{X-*9r z`J+V;-sUGy;A7r6IdQ#`j8||P2)!?41?G54yy{g7wV|8%p&?ddyB2IyH~qagyfh&5 z8fGBCcQ6Dwo@=+-WD27vfips=rV8QrV?7>sepELA@5CeRe%82haMChzWW#@T)TD6k 
zym_!8eM4$}`nO|Rjsccw-AgJ0`ww&Uz7QkRLO3F83AwUMV1usYaK0;R9~mqUVDK9< z+7bGA%RB+&1eFYw`pj9Q$lnt+%+B~8>aa3%m1B^-)yr-aW_W)p#%!X51NhFsE+jlq zR1AYUL&*HrEl$I&A>)bRsvy}`W2)SlmCp%{ z0oD54B4c87jP?_iw8cby#dhgRfyY(doJa(TEQE7DE4?#(sKRt2Y`>!t4f6X5ue=p} ztpw-9BJFS=on8YJ%#Bsrf|P%B+;Ypb*JaxedC&1EsX_jEn9Yp|U5Dkc@-5-oll zH0gRbC*A~0pE;Tg!UY(nAMKjCc_pI{#4|E z!V%=3oXY+m6jr8?C{{C?pg6Zr9-|e5b*@5H*$j7`jP+XMqoZDkIMA-U*=TD%;n8$( z!}uD(Nt25B&dtqf5QO&mVG;04jhLiB{a+_7|7m+9$1>>DmjL=7Cs_;z4qn>RV#a@7 z|4WT0M^b_3Q`Mq&N5|2=yn4*1voqlOWJIZ-Zyp;*5*X|oa-`G? z>2vrF?|*hhsbknXqKod0?n%{9{^@y-o>WT!=%opy-l)pS4Y%#*E)>o>zfa{Pkx7=I zrV`3~SsQOKH2_4tTWvv+Q8e~62wh)%lAYJ_dpT~qy%He2~`$DmnY;=)cWrL{5+&{Nu#x;h3X|+)Nq!hxN4aSBI(|iGaeyh z8Xq63{n5~??;{2xoi{cPc`iLu-{>8C_vh+FCJME)fyotede#wL(Y&~sV&8@}S!Kr^ zMVM^vJ>sg3lD^aFSr|fM`it>NNTh(hly0}I7DcN(pwbY#RU5uls{dx_^ANjq4Rx|s zC!5`icbLfoj7e^KW*H&a_3cw*&fC4`#JK2J!tB74US!Q;gBhGmvshaWh97(cFc<4yFK#}Hcr z&vsIa)UL9rP10H7nm9nFc-cJ0@OfT>9_Q8Cz#eHs2)MVBT!sR)ZkIZZv8tWm=TPey z+myR=#5ckffSHB(r8aX{VLeeAjpzIKIUD&!T<(GFCso|#D!$(J6eJG0QNkc#vd@WP z-u-Y$>0>{Fo4>UHHbWRGhvF-C)=CtTqNwGDi^+X*rV$ktzl^W>A>!sPc>M&QV(IB~ zn#Z%9_D^WH3&$h~bvQmBdc~ zDOP{Dq_uZ6-Ide$)4BUb!}(V8Pal6#k}6#xSo!|#vCWSD1h&16t(Fc@t?PNAY(Q1m z-7aQN6m`0677Jbc_4W>Rx$esAT8F(_nwZ|3%j2PZzS-2CL#!V8A z#b0>rO=y%Wk@lt=L@JG!>ZcUaoR}-}`{iPZ3Da?u!C27piO+E$r`0VObWK-bIpH7AZoI4TGUEia z8e1Ph!k4C6wlN%=rkxlAGZ335nl4Kb`M!EY;uVAJisN&x!6rCIByI^F-7|LNEd*)WfbEu$5#wVs$v(xwD(WP9SZ z^HtG1XXx(KYQ@47d)M|YnE364y+kar=I!#G>bGp3BK_cs=uFP_*lafjt@^jXJRTO0 z{KEs_4oH>M7@-m}fBocB)w}R~*7EL_P45EDrBTd)5NUpKw;ROH*@Jt)tF-QS%O2Qi zdR0!kS%~)fbxMe|YR4KE*1?DhaL&?x=D zqgO5UwFqu1;5rg1U+ay{2DIsC>^=!Q0#hnJQ?PrWoUMwsoxD>F5?K79T$Fs_G<>B0 z6L7B~3u!-(Ri8|3L~zVhm}WafLtK=8s0h-1lBWj7@F+BSxMxEZh>36Y)Hm8#aV$tZ zZ=j@}^yXr8UHNjEKh{71b*Bz&&IQU#^!M|^)Z$nXu=1g^gT2A6jF=(mu+9@-iA?^IBiCLA(aDW zXPM<~bD>^lI*s6%Z;oz_a8#zN>n^P?`<)QgL$^Sv_J=`vs7f$)h6%~jB|J@bHXP@j zCXLcfkIP;9r}6qjNqOVr*-Y>Z_;Bt^tGl!w{czABw@R9>Kq8;ZGZ4?n9{8TwYrF_6 zq*y@}OJ~E5_*GFDXQe>BVpb4K|IFhj)cyg#UgFr=j170rTjA-r9f}6f>wLG$yGz_N 
zw-xh*!v3o>BO2|(A9VVbuMB9o5Y%1I+`_J)mnr=owcM^e(lxS;E(=SQs^4%23I%Tn zO}8Dvp+;A5pCZyR5RW?oQ7I5`88U+FOUqfbcpySaCn18WH3yp@)UofX+@4X$`4h;M z>8_3Wm4C4vi@Y!w9zU0Be3tbkT)n@UWR^9#s`x6`*sQ`5Dz}wo81%;EYNlzF1{Rr4 z6r#*Lefl)>k&Jn9QI-3(!x4FlN5zy1$Hzf0n?N{1sHk$2id(hy%DdLGlw0e*oy)d` zSRg3oz-?Cp01g$Qu&2Mz;y)5NZFB&+DDsb_s`Pd8D|?x(uWZIQWv$voz@76AZIn-c zBXBG0kmp?g&>;SJ!@%W`>bST6Wtv{>@wcrclPRjsk;6*Ui232yZR)if2n|;!RM-x6(wjfyNr6d9E1D2?nP53s4@Qe3?&I<8{M3P8dlBckF$Mp_LAl;hh{9HEYPJ;ZWw~16K4qc zEeR=9txUR@8A6ByPY5Au>m5(8!>-w6C{I4w$9ZJP9#>*oyq9HGIICHlGqX zw)1>ukb7Z@1mjm?;dOwn(&$!m1PW1)1twrzO8BQ#6)W>zN3okK^?YN^4y=`t8&{k; z-<=YwYiH$_GV^Jee+B~+xPh{@3Do%7y>0TP+CpI4a8nDmT0JZ3tC}RI06Xd!lJ$Pxn1< zuk5#k2X`}zT+X(KL&zo~`eDem%!WHk{uvuLd%^(#uz)_bD~3AIl;EC{&Py@6Goj8f zl*l(>MrA1RE$&JI!tl(YisbF+w~`YYzGbI!Y5C)q5SatqQaMPEDz$rXTb>GoJ;Kqx zfE$?guKtZYM`F6nk})K4l2!{6&uu)hHPe=S($}rU<*0nR;y1)gWM-H5HA%~b0h15M z{n}&18G+w<#_Zktg5~GfTIF7H@aXHZDI6Ep#Ksw?WQI9}Y{cb-m~`}1s_L)6HZ=I* zk#6XJ=q=Rk!B8J#t%4BUcz;A0e=+uZFqEgUJ zUR~ug1`54xGrZb4@Z21mScnR+6AsLt&hkNZZBeg(`9A)`&`cL4iG|kMaAcrA~$ILq0dY%%zrPmRyw(-rr*=b0!jZ|Ll-#+{%(0Wh95m}hjFv}IrsIW? 
zY19LrT&GWazOo}4najNi-$hANPe9OX?{Usah;W}-77NU_^~mK{UHW0Rsdjv`I5+w6u0bVR~xyllxk zVUHZ?LI+h%cYzSqn=YZQ-;4zNIx6y4dr2Dw0H7wAj`S=D4JJfpap;xwKJKsm%(atJ zcRS1{U7*#Oc-C$5E&4Ju5*2ZK!DEAOirAGrxhA4rJUTLe0Fbs$Rvf5Z&n=pB#3H@U ztULL1j;e9Wi+p?dq801@xqea8I@;O&{+x(VyS>bvWYGGh9x*-k73_uFiOX5NQ1FHVDjhi1J-3_A^f&_3qUG58#ud~(n zfm!Bt;DtMPzkLMjWU<}70lLPOx>7KOnSWOV%ziz zNV9E}*L#wQFLz9gf`qP1v+1P{?heddcETpYOaLI6sa~}7ePBCS_7yaEve+0=|73ej zu!UFG0;rEsf(Vr{mr=$5%MP|;p6XA~9GGd+aohln_IEZ8S-)x<;cik$`C+BRQD5>w z8cDfOBhwT-+naoF(T<|cI`2eFq47GP++w!ayFXRL;~2mHp^;zM@s?S;sK&+)48oZy z;S`mcsXX{@!RONBc48>$TYMw`jnh?l*(#Z6oVE4?e`9`&x#k43rbFTxWX@wN`62ro zxY`i?wU;8K9!LG!H_jlprAB>=2=0UZ`bGDCFzC*`+E5tHpf7I7OljS69*g8lf{4r8 zWHxJ1!>Jx$fQu4>U3l!k$>-}21|Hn{%iZpsW+D^LA1k-^FVjzIf9@6YEcCkzlKetL zn>pd)gt|-NA{ro>65obXt%*uGxVTheD5VnPYVEd`WjY(Zgq?4yWK~q+ZghegW|A;u zaUVvBt5#^#*tD!T8(+_5i10ywbmqPbBTy*T5e(p=`wYxir-W831NmD5PwiFv(np}n zir(C|NmXMb6jfOV)qQ6|1k_oInrk}3#aIYz2;pibqlSE1{UE%`%%6Ol#BY3k6P8f|ahaOl9rgPrL4;j1iKeZ+j#5 zu1SjLUkSUAC)D2&x!12o$qIxWE<4J=?M{}ZaPMKwpAkrfVvV+Ep+&SJ-JRYl*xH7I z5W7`mlmNVDnJIhd6||)T3|Geaq7ah&#^c5!7zq=7?rwg1eLsX{4CU-ouRK3d$Cp+U zYZg~{1!#ZogrCSydWwu6ykJoG88Fi&Iuf?baE8VbIxtbA4@)E8aYUY}8yPPL+F9$UjcY>+O{m zahEDHgnSX+Wj=1NweL#^!!1Zo4lvZO)q0ztU0ml%vc0aqPr3mR8h@TA;)E!deDc0t ze6IT%<%Uy;A6(JbXA}EY8Vy!>@Sn`p&m|fi=+Gf7t>&RYc8vr57R}YGzFwbb(5qIa z_1VH1Lv`>qk5@fXcX+aT!^`e!W*ASLE~oALRPRC5Wh_m0$3xU!rB`+Bvy8MSqacz- zs|Dt&&P1TQ{jkxHd_HhVC|9Vi(lC<4xlH*Z&f_vX6{BJ9hcs(H9XM?8R2vScc) zN#f0GUGL&Ld$o)54f+2%3aX`bTK$pj)^j;sjZ*cZg>lAip)-~?(E`CH<3GMle<=H4 z=|GpZ!c;Du3@VxGpbf%!#R47yYGjn%u;MyX2Y{Br)w}vs%{m7uKg(G|3tmd2PyEEU z%S}7gkUY|w_Rc~g6VALgtrL~vuAu9w0`;n#JeL9@FsLZiPxqhH(cuHbcR6*~0Vt}3 z9$$MhjC8S+mu_aqp2)YRZS^Ol_jmfE9jKGHn9{d7(IhoMy=dI(B@5($(wdKZ*I&{S z9X)x$wx1aBXJ~QXi;G{sMK~MvzixS<)9CG)s~9Xvt~K&H%y<^B^K;y6+&fA2Vd|sy zTp;c$gy?>cuk!d-#!|vrfi2i1Uu#!64;_V0s?-7wyF#>K5E_N*>Zxb>DsjEAx|FpX)wKo7Cu7LyTTQ$^Ys$-o`}x~P6KiWU!oDc$jh6SW zA=6lEHoA*?_~DVXlL0krEcqMcGcuwRAsUSeKC-2(kmQ^q!ZRCoiLw@yw5s1Cc`47DFnLiU5uEPFB-b1jn8I>;5?OIyMp 
z{i;ayQTxXr-E5N;mxX&j!r$X5gkMuD1 z5*p@@VG$Q3lYaE6Xl;`)CT);A4gmkFS>?gzOmcTX3Q(u5fy?yk+Mk_OEDO$_FMmJt zg%?cv9Z1w{;xTmi_PdkJJ z?zg#3@w`hF3P9<01I9%X!PxLz89<+GmZJ}0l}>)_F1ebfXcZ|aYbk$VQs9A$kkzK_)4cbb~!ss5oLa|GKE& zxMl?%Li`wu^anHqd2_iPPL?V}_vy56c%2;+FFHTKj}`Mx+e< zG7r|>>4T#2sizA7)IFN_8zZ(TyrBd=ilNe+pEOinw4C)8W;dy@sw4){D_ZC zfPvl^^DLxc!KF1Te(Yq>OaibdY3*WHpNJaI#0XmQGy&h zGam#kCI*Oe_56-mh+aUF5OEm?YtIO`cBs*l75Dsr;x~=dczdm{lEGU9ozZ=|9xFa* z5i>s?d>Tqscj9afs*8T|c76D_YlBw@TQ|e~BH5365R8%lkH%o_4tTV7{)2&fnd^8z zC&3V0xg~J;(v-p+A})hmQY=BwnB1$BbmuaoJjs~Y+D`Ee=dPp^JCCDA0FE{5Otec1 zFihA_6sRpCoJFBMnVUsj{T)!c`8-;nU5BJF5=H{)stKUBAB8;AL^x9MI`7wx-AWK(L=UK5YkLC1S>AfD{HHyp4IfC41DVhr59ZiGRLG<}aX_z>wY~IYgO+y zB7<#C+jxQ6pb@F(2M)_s?o*}KEc%!Eac^mqw9MjL`512bJ|hIllqSEvdjcrIq8%}@ zE_*Y&+5ij`!CbX-B$q@_#mB(+V5N2j}N8l2QB(dm2?$oVv?ER$Q+A;mFroKgYWDIfr5tpEMt9eAq3|2`9nr zC6{WsnJ5`H-QpCt&KgMJcIn;b;y;g970vh}eIgR)o{XR<3Sk7;vd(bgY{P=-9vdKc zssm4ux4y%h2)_XMF?-?>gHBzmx88NIw&McQJwN&w$4L1L$9CdWADyi@ zF342i=JD8d?n;L6EtR4zsLJgf`<4wjn^+_;&N}w(F>lNz;no+a269^8sF+NWfj^j4 z<{x{SO^I37W21+2)Gm1EHS&tjtz-feiigU#2Sxx&XAf9l-F~uwiAU)#Ff(=6`A>I8 zVWkNY0%XyG%oObAH&lqKbO2@5SwGqt*U~!bcsA;ifZEe7;um3uwmHqs zZ&V|mxgZlv@&_y;uYWFkB^LEvESjeKYW=>CT%Vif%}gb_CuSZHIG$Y}G(8NZ&zJ&0 z5%hqpvojd-!!Q_pag`s0sS=jvP|cU24*Bg5#@lE6Rk|N? 
zA@&}?K<|30)e2nRRgVBegykdOp(o3ZGFJ~2qmzyRP@BOQPCuu}*PcT1P1k}X8@G+_ z4}@TjVRZu$lT(h_3FQlcjLHIa?zt4wu1d3!aDX8ouVRe5Cgf92tCrN%bTA8bsb(>p zh1m)UakLz%edW$$^R_$&g$VTaX1UfpK`9E*3P~^A#>C}1u`*J?!pC9c_&7YvC6eeo zQQ|@pA5leSg^rB7L72VJMntd7!4g_oqb1=?%Q$I&QetVU0i2x!jAN9viP6aUy$e1u z!;9ptnfOLvS%Zb$_5rQHPJ15vJwZSyHfBr&i4aUYE#l9l%;98=vevb8Bp8@IV65Fp zQtL{p;J(a!Sh0gwB`Q+-5b-g4wxNx2KNRw8&lUviR#y2snQ2Ub*drqT+eka-54k`E zWlR<~ggN@L`{j-c9?o5;&yl}dX!3kRwd5|c{RQ(e)1HV=xOXC{{F&bjUS1E*GXCW$ zm;E1kMy0p(+aQ{Z=8&gj#;Lc?uf;HGTYvY1bq);hW&JR!_%i_QnpC35m0&0;{OvdsI%vM4R zJ?J%S6+i+tH0H`bRK6s;?sF%sTr4B_IyG|9e8l``F~bEvP*mpT89Hl{3RnWz^c~}^ zl`l{;#W)kiY@m1b-QrONV`R7BXWU3MMxMv>pIsiG+T?~taUpz3;e9h%H-GF|G`zW% zy>&6-aB?RpW|Vb5)=MvJM_J@M)Yrr?>6Vn+ZMt)9z$1zZ;G3q&p zHhtP@sH#*WC#*Wb|FSUrM26UIEsuS)>i$j5wuDA2i34=^GFGWjOQ=ft`uUk>%5bK5 zz5{2Bl2-A~x<1>s@#{igC!USi?MUo_9{;hmc>A5Lx%2s0!$f#56*Cr3L9(zLyC`ca zBXB)HMGt1D^K)*y3D_fy<=lNL8Te*P0UCC_ecojnGL1$GOzC)Ntf6vP&;0G=H|+a> zq{tbtZpsv(DOXew`P}cI+txEd7t@^p+19JmR5V;8Cg=F21^9G+Qd&9I~bqIq<;#+B5-2 ziRL*mtG4Dw>Qq+UM#R9*^QzWuH_r2C&VR+VWX;L@T+?1+L{jY8PL^{F8SzSG(nzX4Y$vCU zTqgv}I#enxUE9!`JYd)W;<|36kcV9V!Fy@G!F3CWF(`%w`SX+t;+<`OtdX~cu#a+~ z{c8hZ0~_eZge$0?x=mj}#P4Il*r~o9P|V~*gn0aX0{%OS!HZ|kvhYWG;$GPV=bc{& zN1+MsCS$tJhO>yH%R3F_JALK><{F2h`JYbT6~Hl1-&!r=S?5E)WgWC}akNr;>WSBt6E)M(uHF8VjLOqLRjEHH;bq3o#B#9VzYv zeo5)!**#k+;B=ME492F~8G*G6Kp{=_Y;UD6OqXloKac@>45<}+qDlj`$skEhUX2$v zU-Q5>7&Y<%4pEd51ysE`I^?!DZKBgvo=t8txqU=9dx`w|F&YLDZo(m;e2(r{0ULDk zwNbKJArUMeQOa_9($sh`mo=-czEqko2m+N&X|TGeNI!eU&$h*6Q>K&%j!LWEota1p ziP$tSQc7kWcwBT(X1Y!coTe2=vXXg`_zHZFq?ATPA2&fzBUnn6R-7&OU^nQES1kC7 z5t{P^M|nJ7UBtg`?U3@?ck_R-_tsHWu3z7;fr6lPC=H6FARt}RBGTPTcXy+tln6+J zbjKnk7APs*-QC@Nu4Qev{+{!k=Y7u^XPhz4e`_zT zd+`J|{?XF)k76^c$DlllH(C?JuEa2PEp9OpnS1OZvRKi6evMzU4-9gN zo~mOczZ>`q^|fK%`x;5_YejiGVy{|aARUa@tr*@foHbIsVKFHZ$Bsq7W*Mg27Hz_O zf7fMVSqvXN0%}mW*#Ehq25)w>X3}XVURF7_Zb8yJj>Gn&{G;ewbhpS-0%uZNn#s!I zxI7A%n52>fQf6Jhcz-KYclXl~?DpXe(z8VpUVuEz@>JdUOFEL0m422ys2r8T`zr><>g(Gl=f^oU(|x=JwnJ7s#!}Mp&``nha22 
zlYt(Mjzra?`q?)H5#uVN}bEdq0jR z&FAwsw~73Zya!rE)}OC#yQi;Z&BsoO?&Ya{QY;CKaN^E-vER7)wkKH)RvVLDecebq zc4)>DpB@|$%h1vmr7XzUl~%_RKnkXMty;!Oq-5K>HmdE#s1wJoOX__YrpP)vm~USQ zlLVcbFTocsg%3KSIhhtn(8NaW&BMX-2A8V`Z;a~$oBcxlIr4<=SO=uG7@dizskX%T z@HhGm`%4^Nt!McWd~w5_;U#ch3$ApYr#jh6mM~Utvn0UI2)uMIMvb5e0UZr29C8O$ z_R>-D%A*^DE&`&NfCEGbFmxqkS9Q#==qF6Ta5jyU@#z@X@2qiZ7wlfpJKG7xbR1FW z(P^5|n$apgHprsuK)lfXa~oEMwDz zNcK^9&hc|^U`GulY|_NfzU!lcyqnIQ*kngI?6XzhasK)MZo1_(VuabYjRKd|-dDLq zsqpJzV>@17ii1&%rHz^bA7@DjR}kdov!?UcCMz)MVsbVxz$B2-THcUeJnQ))T#~Se z?0=B_d`)D1ra_cBrhP)uW`ZuKt(S*6hn{=jG0OnX21mt$my+*c<7)n}^VrLcq81dw zAr0>oo$Y*<_Z{1Xj)W_*-$up)NR=A%4<0AaRwP(@y&V$B7^@kOqRkMHlcV%i}%?MEc;Q z&CKj+kEkU3y2_d~%qYq|toV42K&d1bfw9v5@(%pf2~?8LMw?_;;|*u~D^W7r!(6P1 zA286sna!FP;jh?O$MEg-E=Zodd?gThvxJCFbWwyKV+1RWLDL{%gWLXvFx^CQazyQt z?a=*}a1u7G=8(6D+9JF+;4cO3YDqb7f;9({8()K;L{^zU6ccC(73k=Dk|oCLm?$|{ z_XIin7@U%g4_-;3IpJt_s>Q}augtP9Zgdsk15EiA{x9$?@YmDgg$NK zud(97?3fdHC2+Oacp||2&b|6deX;YKx0A4_6)JT?`MS9A)a}S1heF69CgNb< z7bCwA!NQtt>rgQl@f2U^)IY!4_VJg&PLK0bk;L@^wEG4iS(+@aFil|db;_fWU5~X7 z9f^1Gk)pm#2lblNN-~NMqSOu|E(?h?P0L^d?7*2{=E#AN>o5v(wy8dqAk}r3ln48& z<&nw3wJ)!%7TeNAXQf++{u9e*`F%Dhe3 z=sI?VnD$#Pi$&%;IUTO2PnnGB3?5%J6Y^HtEDJd7E?9W;8%5>)7;5aB9J)jCu|8Eb zdAq_T4J|hOht3Knwcl0ypUV&me9Ay!R^$u5lZ%$ry-O2}yLTy|Yr9q{z#IH-C!{S` zkIr_jy@MNMx(-|qV~^qrU)9}Q<`wUMb(Iild#!i6&Sx1US}jo5A$pw1$1O=b*lU@x zz$qvT^zTr%QB+>W!P5%1!%rKCk_;(J$LwYc)2jylqLxyzWPty<&4qmX&$PogS_Ic8 zUv>F?-%={OwXD5=RE>V7P-|Wc$jZkX%E`XwEE%uTMzM#Gd}btKWZq3=sm*K?{?bUY zt0T@k>aFkufXHUo_VJiPuc0Gjw9yr6QE#`7_Ud)?9KS-vrXdg4hOb|KFtNW_>PQP-nU6_ zi`pWhqQqhVSmuM0uI0fR8-3#F2!&;&oX#*o2dy-k|nq*q_{HIxGf zi&pmQx&u}(y{1uR-fAQ*$HYomO^1wHmG#!E{2ZM6vzf=ypf&mX>9%p`+>eK9{&DdcU7Wq{JHV^v*4T|LM;O+W zyMfBOEhO@>$omIb&tvJp$zqq}>GeMqHpJ>+Zk6aQkfTtDuCNQ(;%j_pcUhT`)*iq` z60{yDv{Lz()Hl z;`7CIcyN^U?IKv?-KfkAJufR-y7$ixre5Y+_pR+2gNQEUpM@h2d%lIV1+jQl6paWo#k59DN2H5{<2TXP*7cmu4qI6E9T}r2g>qM>et7}ZyO>A z5>mzG3bW;C&cm+wZ{75NoDaH1yyLZ=E_P@7eGM6{6GtdPTT;H%hlxB2tn=_(94C#jctPyqMOrT@4Ya~}ZaY;;*lA09uS 
z&+Kh|L{O^w$v*0#3rpa}m>+5~o9vdf2OSVr^f4tou3VeU?$a9KjTn(;m%v4IEPImr z0+%H*SJm(VRk`3)3l{wamy^gBHK2;svF`yUS*Si^(tiB4HyC=}L|^OgN84alnN%9ff^xm~kfZwaWBou}=8ucdF%JW8CS(07z-$M>kgXdxZul*J zu>-%M8|eM!fP5!g8gxR=&~1+n<8gD9o7)w2TUU571;We^we-&w{0agqj7VpsqWu7s zOeM9^?;T5I_TOTqSqIGz@Jk&kK}K^E{o-(qz|o?1<1UJHzP->%l?h2p3>ye5DUu7+ zBXWB@=#Fwe1>RV(h!!rlb^+#+pwcb8-{V;`?(-(Es2BX~bT?s{__{I-4-is;$NML9 zPfT?U5Gg5BQ&SntGK~TEGR5QAw>M_Rz@>*>-?zT*Y5$v*z;B?f9xU918oUZ|<*0jG zbEDb&0z}aWSpdrJL(;8|>b!&fXv`u?T2EO6hWicS zsq=|k=ehfwS2V(Cd83fbL$=`Q)kmdOI&*_jHQi}E%)MZzB#00)CtLjN6_sqpJ4J5M za4Pw&fmi1PrhFVAB}Cj!p9}Yxu6V{1!ursCmn{hXiVq7yESuE_Zv5k0YEZ|13NYo6 zONfK+Vu?Uy72|KR!Dio4ye;0?x=JR`G)>xn5P0j&~{|hOUh@T?DnOV&mu*C!k)G$0#E(bR)G?S z2T)@5^yoNx{wV+4C@Dj`=>mvzqDcb0Vww$vm+JKdPWVbZS7SR*qG~nA&^{mI+pSq> z|1-jUO<;s5vjzTNjP=uWZ*}%b(q!v73jpM5irD6^n{i9pBd}BqPSiIM#j_I(hcN^x8n`k4b>?K z*pEF%03J{9H~#s6-x=>;ucsKmc}-Qw>+Rov_Yiz))JuVgT#d4aOeRN3{8$?3(-yNJ z*zS^I{-b679o7Ez+PxJPl=rZxez+L?`iCnBkw7)6_Zm&EblSfp)8f1WImSiIv+0f} zYUis+$zRv?U%a4&k@Y&V83=!F0El0bf-!u{yU4hCMle$$xC1%HS<1615caVd|2KT> zT9FrG7l+xN`4FglTu1-!?*C~OIm``(h|l^b==p0dnDGRWLi(BKJ%x^Uw-Trf6t?+|32yuAyoroqU#`rq9CCz$dmLMoB;ufKEm1Ha&=e4Pv`Pt#2A1X8zvha6#g}^xY&cB{ z-#!1!$zc=Jk0q`Te&505642y+-@!c8z?vcWWS?N`GZsP7vhYHLtS~)5jOOn=(7(P1 zSZfHt9^~W1?~3o=W&?M30ubSA?)DYRiK+%G6OdfU>4w{3Z*i1W;Qmm{Q8cI|*eB#6 zrHYXob6p>xiu~Z+kK|5FS1NuRAO7ds@iTn?74M(PU}5fgEBs&Ye*4ok*c1d`-(pza zLzXERdSbnIBofVJ7J?;1xVZ`h92tPDCU`?k_xfux`DJ&{xWdxPxNsOFKZBtn10&gU zZ3*gE`IDe@&1^g*(EOe(b)>{ldZjNDgBf-2hnSD@>UUl^7MT==^E-lcc)j%VXi7%pu%b_Jfgj?#gaUnPRZ+#RkBkE}~;$PZi zv@`iiZp}N96c@1^sDXm_LVll`e|{&8X&{6Im%$kB(TR(n0KNU^(>|yQ&P#ywZed)z zgfmNytF#5ZQ(R80`!427!&ogeeM~wKt%ogi@pSUg6w3|ofZhi!8Er|+9R#D5oZgK= z*bEnrHCuzON_P#{aGT(qUscDT9Vt7tnfPxysJhLZA|##vx`TL_=m5iT=s!FdARy#` z2P*0Rfa#|k{=bCjgT&HN?|xTX?cnJ=^{yKIZV7NhYv>1?-Z!ffs(}xJkbbT*|IOOl zFbT05*%`u~A*jFmNh((um(w_=AFAvf#6a6(Lf}2%_+S30^?_X%nlkHVnd1JFg-2i4 z4D@;z+V`e-KXKNNSB9v|DC8p~0lTnDYkf6aRrb47Y^e5oOK32virsPTE)dR*4-x(X 
z*aI*c-URTdquk?nUW&+Xv$Gii4^y^sMsqoE7k)6|(_ImKjGx1bI1lD}F?ip7_RlTz z(=(Xa*BO2pg$jWRA7}P8&QoMoj5#K%5Am+XF_YC<8hP*=pI(@C_}&()OftKd^$sP` zp#2SWaT2=c)Fu5qjtZ;9Xw-XW&O$6wtJH%N;pn=DhTeq`@aQA2ECiy)mRPn>9_!XL z6nyV!L7Uhyw3*?%Xw(&JL!%9jZEzpp9wh@mz~;A*NApZEdUMfYm6OrM1f9V(MhJ9qoinoL)jo_95ZDerBjr0HU6VY0jz9!?kIQ5%VSXaa3n3 zoo7N!@$JNX;wMIC-E`plsNvE&BL%e@gCZU>=O~G=S!$PQc90+T!>I8la*|{FWb_Ku z#wMR8v*^YA!MdXXI*pjk>Vf#7c=PS`Gd~kFT)zE97=#VLp+{`S_7S=K!YEQY$c zuI~;@QS%pH%M{OaiM{D-O=ax)$PRpDnKPvpOm%mgIiBe9Q>-JGFBYu!5OzwJt7hW2 z*kGL<5_M;0zuH^c#%M_(BO?=Ai$7ThwP{Sp*{k!-VXqldo+o81eOTvoJ&P2NWfjSk zPET^jXIqNWi-#EZCfq(^ATk|I6^&Rv3B&{E2G{2yq+X&+n`7ntpzUL-wn(V-M3n=D zgXQ6koHDb?v{r>YN&6#yP+H<$?oADCa^0G`I$rJKQ>fj%CanTyqUD#g@)ZuN*l|2W zd{GR#DLG0-_V^u4AicuJ$4_Z8QXIzQU$WH=Qo)ez*W zEz8zG_0k%+E>~DB(vo2x`lAhPY(sVTU(PNEcJ}{#qTvR2Bplfz2ixNm1scQ zL0A*R+Fdu@;Dpg7?W-j5;?V_v#p5m5Ioy?b0F>zopy)y+HG#Jil-VQ)p><956M{p(_HZdDqB~cQ-3%b?n zuf1=^f7Efx?};n$)!M!~s?Z{oJc5~0Oqqn;4^zByBeM&xBC8h-vplsg#2YBSqE<~H z&SQ2f)tqEwHtfEdCGI2R4`oP9m5XZxxHT)c3DD!O$f=dTIm*`yjNKE5F7fAIY|TDF zRIT#d@EOOM$=2>mwGz%!C@a0KRBn1Mr1PA1(&^BxZ?|6|mb*UscobimruL~i8cL;X z3n`)f{>m{`zuU5)(q2PEsDAs%{*Gdncnc<_!O%Ni*>$h1tY@n`wO;;xW}jb@I3hwI zG0bAPCkw0jnzzNW{ezFE&KSZqHa3Pz{14VSp3+ECEA6mlNmk>Rm=4Ff#xO>>#&8AK z5_z}MFAq)YtaL+To_sm2-kmtLo|@vVdk{QY00<=AeM8XwKrH%T*ZP$f;W*T3Fr#i% z$nD^kPRlOk`s<%w0Abw}GWW3CUH11eM+z)3z(lKt)v5!!UM=+#jtf*Ovl7_JMKxU8 z#fIxC)=1+RdKSmd6i%(;ZM!~kf3(qcRJn%hLa&p9I=;Z&Qp!J5$`Cc7-Q4QzVp6K_)IP#Kk03f>JF3tCILJO zLE3c*lW=USj6SPQsoe!JgWOMgLq2I-7CR5_5HiHls#Vjh>pn~HFdWDb;yK$ZvWT_R zY3&J~6iaN@>^SEDX-S&?qq?;5)a z*5u)C`i<%#x{U<#T{VmC#-82-)hc_xlLI2{v(mZA%1Mbh&0RbrV7iKlU!`{OVYYO4 za~!SC2Udz5wH7?IQE%E;S_I2^aJ#wI&r}2F!_S>|wtjlg2J_S~h*&2+xTU8{B!F@# zl|aK=tYqMd(IvKBhDCniTk3qgBU@!}5i<)}G6k|g>6FIK#CT3W`-u#yZTQ&zm3|B& z33gW+`?Dj9?a_xID>8L*)~yRVQupQUD0KpPlCPjS6&WBnRtEDo`{J{blQoQ2W9=Jj z*Jp!YUCidEiuv7e0N$to&_;@WuEl~xqQ17%*!|~@^|Jm>E;lP7C0UgalXI4zvV&2z|h2!*m^L5BA_ za_&E|8zqZjDCxj92;fLxz8tsD2lH<4F zG37{T1e~fmR#E~2q0W}}rN!i_%PH%)Zi#s>QOt5Xs4+4zx{RR6{wIXKQUPn2W_PYb 
z42Vuk(4523NufZP+v0fkzD74L!uVi1{9h1#H1)yeAt7`ixw70BCR*-na(Q)sq$qRC z+H3UjtFgN?2gBs9%cIG9`4p$x8g6YF5*dO;X$K869=U`Z$li}I+pu3Z2J_&p7kYiU zekyaA7iY4vTeqIz$@<bv;xPI6Auj0Sf05R!X8 zG7VgwOyviX6qOQVzrDVD#nx3Q+Bg?*t!KjNE9>O_%j#rNzC2Nr^tTepPS8}XSko9Py!HO z*cnU4Mo_7_+8oq+(*KpW-SgwdJr3a)EM9}l4?CvxKaxlIkI zyN(|$VY)zRdn!LTuqb%iuQdS7^&&)*X1AK=li{Hy9$F&_2Iw2~M$tE^=ZuXpGi6I& zTO3wLYX@G{gEDEj4KzuS2X$rM>7b>lUGL?|9-{ybove$x<7D>bj6bapHB&%kK7r@ly!mxS=i78wpBElc1 zqlE3UFQ}q}pTJo*W-THfamjk9o2kayqI5Gfe19XqTKvmssVIgsH;+a+Is~T@e#Wtt zv^=%-L#qkRoNA>dTk4DDySStHJ0aA&XPRd34Lr+w-oT@ru>Tu_XU}F!lFORSeuReJ-NDIwHD>}?)L~_rdcdNh@f)J@FN=y0YYh~e z_U{|MLWW73fHLTv?Dbb)Ms~2W^`Z95t%LgF2ZNZ{)I?|`kl$c=HFAX)m&;WhD&^d( z+-{%zKV3xL#8vun{Md5;3}khIi%L~az)*RP@t*5Mt@`?!4Cu{Bsn-!py22--q+l{x zq=&MO-8sh!xpUx%gNjNV&ykW0P=zkEZI3+k6X;%#Xpi?uL_}g@V!itI5fS-BK45Ga zIxit*P^i;kORzcUVq#=Jy4sf++WW4I{iLBY3;U7sgWzV9mliLlYrQA|M%hz&xxYG? zio;tJQ4LhLqI9oSd61(p5os6 zsn{ar(VR)qy(qUDUiB6AM?Rp8(Wa}i)NX!aI_pqjO&v??>!uPU?7;#h|l3 zYTKcXXPFop%mXG@xJ2a94?MA2@qdQ9*JA$nxI6vS{|I*vWl$RgZZB$0pH7u)tlRA* z8i$6t*+=V$o>rZAIPE+Jxc@H1KZ1%}AsKxpvw}TuS3bY9qJyZP{FE$@=Rly~XB|lj zW2nl3F^<)OPyQL;B;){MgNW&S#u@<~%f%+5;Br3ddffAGV*N!FgN`NYuthl74c#T> za58gj82|@i-?~oAnRlQ1y)xRBqPd((F=uy$V+q);%`! 
z#-CMDrHT`hTsw0RrMRPvx@|*YW~}@WNo-ZBEu&_8>y9CdO#)Cyd)(QTcH5R9+n^q# zM_MUN5qS>Jotu;;P(Eg}z|3@{84MZ6AR%-j8!6Dekt&9_9O!?i@UR3?E=y!|tv%p| zEdah<2a*@@yxm{(o1}@vd4s(>h25)70U2_MLNql29Z|dTO1dlk+u`P)Ww>eVv*ok% zo-|F|bVG^VEWYHh-AJMxzb_E9fw&#H8YY4f$89ZlF4?+V(~&|y`|xXjWMgRElI_x% z*no~y>wws5_`UKcNbmzNx6X#arVey}UHMxm^h9n?VhjE9i`PSGISy>OlrCqoLB*XY zy;&`a+R1hLdA&8hlofhfQ?{JTqRx_a=N@zI*288}5^N;F@F8kVz%&K4XGg%_ z+Vm_BwCPafLTPVoBg_L?9m?7UZ5A_IHZwYW^Zx;}en$Gg#H>5bY`w#O$nby4tgj|^ z9OpTWxg=^-EL4)ut{4-=t#1Q=&bZUeqH0G=7v@ojyZC{{`|k-&o%Oll}@%RDH&b}Sf4r>#endY;|PO=FAPBU`dcfM3qySaOJjU6^o&l!G<(_jmTDDRKVlo zl*k9(4r)9FF*h_f)O{+BBb%CzJpoOus$uv-o|PJ}qVz2Jj?dYJ7+~9NPONiaY`fJr zwtcty)jAbm+f~gvipnUlY)9ot;)mbhA$^HqHhmzrqx?uJt?CEbuCgH`|f+$0Is5z=i zEYH7<-u4YtQKV)H+-}exTI?aTw$r&!LRxUixJ(^>iDO-KJ zc&AQZs^hd5rKfERNyw#v?`rWUr(#I}7+?`zMcNzAu%+bo0_nGb#1IX3@A|opzP!PA zLH;b_;E-bBglx92JUhrnjo~D7%4JQW)26>_BGKQ}G%!wdMJ^!>wNr+B?c5JqU>?o3 zu0W-hmBO%IaK5r?rr*;kGlo91zdjzyIv17Qe8yj#-IQUAw9uXee1NjlC`+|beAjN# zm)1|fjTRg7ZdUIy5BnfZ&ngyY)`=Utn3v?8T~gtZ_PCXLwU*VZamkm=mbJFZ`yvvw zX-)1N-ju_dwN?Lm4FK$T-vRc)ZvZ>WnyyDA$6zAMQ3fQ_gbz@3d2~$J5^UMCHYWE; zJ9<_hsQ`d|_6NY8+A8Sq17I)x0kDrnnq@eaWHnOC`aXjJ?Bl?|j{YV9*mv2M0&TK( zxpi?rq~?U5CU)%SIZa?Vs*4XG#zE$o>)x46V7bKf2i$`Y&Kj&M@6a0I^+ z(C$E#a8Kn4M11sR-cQc=a8UyTA57SoFZRt*2;q?iK7i*ti zWix)qu+lRPy#s77+QjPfb5A%vJ6aXiAHe_-lnqo9L)3C;{qTKZ+l zW>Z#T4sr$IMb)`Jyh%cMsPt`u+6ZMU{}n)l5#d!JfHwB?tbPPg__18m%0@69_~x+$ zEbiCak%je>P ztiWX2I|<(KWPHTc=I-wJJw_|r9AgIbIc`@l$V`|9&~Y<< zi=ha)X?HeR%~_#4Oa7hQOff7w_|iG@(3|h&R7tU@Yw@iW+p%S^E)C&G+EepG6X1|Vb9BBF^cFLl^TDsm- zU)X>Y2q`y`QDbo)o5UNCN_$aiG(Itr(LLEC5$YDwkSydXVq*w3>=hW^?PE+H9?Gu~ zOMg`-+>!*k%~E`Nr#I*xzA72$!;$zV*ugngf`TNzV?VV~+pDPXm5ot#u!a4cg_e*^ z^b-U8HbT%Oeuc%5sudU>Y#^$gqMX%#vU_loBtGvHNO_S%?<0<#GfuJ zQ`%b2B^MnBxi)Wc(Z;QghdPw-2-&%{@l_?b-jxVfx1YEO(>|bTj`u%q@QZvOep(fD zTI5obqsnto+Q+@Y^A@i3NBJI=(Ib22UQ3dozxJDZ?)X6Z9}PEU}HFC*jnnPlLV4^OR!fr0vjZ2V&7EjLTwsS`3#Zr4!x_Jv$Y8dVq0B zJXtJqAF(Z}S3kS4{zeDq*u6V~-VOfw11{~Kg!pjUl1aVZw2Kvcr^VqhB;52{4eYgs 
z2(^CjLryla>S49bL4dd3g=`xBSO_0}!^uaz68$qZE_r(b7!xxJ%?>p6=;~*gb4P4b z);VmyE+pJulXw&@>;uEeoo4DqC|}6y_yM9k4-n-<6{l<&jrF@zMu+q^CW_f9;r=)p&Qe0;kIQs7Edgi16i>v8^s3VJ+>zb!$;!PKK#rYhK3%Je zA;b-8!T=#AKWz0~yao>5%qz0GK1Zh}iyd*6hvmQ%Iz8U;x!gUKyhYnsL~NR8AVbEq z!kTQP>W@Q*-6=sUItp`0){A#&T;Qz!be$xgt^@Jp_nuhaWC7I@#8Qaccd6^`JLvL) z)<@a%eUqP*Bi#C&sc7D2b{{eKUVp6py92dP)T6p0F|piPgaYlNdN!zY4P*e3b04e` zLWQa`Adv<0&XG%O%LlA4&4rVKrI~cOEO617uT%F~ zXe_spq%ZD=cHY=UZK8O2?6+=;#&*jC*Gr6w0!4hwj*rAf?2mBAD-IP)d0fce53R;O zr`a)5Cy`v2X0`}gz_OIqC6O$akoVGUnFu1_$kZ7{wv4E==!oCOn{SR&*+>Ar=SFPT zv^_ze?pYVdBALG6&=q?#GgzeW3&Rsx*(;Z}@>Kz*UK-TM1u~jK_gcd;g}w^s9Rd^Q z&Uk2Fv7ixm;0sO(GEr7H`{q|W*#7XK{TmZ8u{&!qZB2Ntbnim0e&>Wsy&31_-Z?AG zax3vs8I#i;}{kLE^NS;O@*zhFic`uDrT05@sxyW2%s& zEVg-gBpGe-kmA*s_1JQfCr7)9jhV5xw$s`pMG{a5OpA{#YFQm2J4lV(dgA_D&$t{9 zJ{)4ph1>Lt`dI~oG|dK2e?g!3Os`F*+~7B zx|(Xat!CIwlhJ+LA1U|Iv-<^EMBVVle;&cL8I>TF$-VXAhBqi+CV?^X_8I(*4C&P8 z3oG`m{JuD585X2}?JTLU`N{h>6@7kXSY|val77FV`xvR4^kGdj2@CwJ7zv@>{5#ZK zrfAE^ya^ZWy?`4I=UF$T{297mS4D#ME@Yo&;!bC$m<-un%SLR5;_;8KF&&xWnD99C zCI%sSKS4|@%M$YI-k89N|I)Y-1j%K*4s0wJ&BoH-6Zvo$5gIAwD<5YDA8Dle`W6)% z9TMVhZKv;$XwYwe%uyMnm8~8t3L_K69$s4;wkj5@>OX0o>eRtI=;_~Ir-d2tw`@;d zuK=#>Jv=kh*kw|gdWVM@Hme`PXib!r>Uo}ZL^DQIU+4xH@|`7XXJfZhXmG1Yedzwo zxA3)FtJtZN@c5&26dUmgo6gFU@>as*w^%OHa?Otb5)KYP{~+O-BLL5fVQr)G2-Q@=rNgesQ5@9hd1+lZmpTK4e^4d5RsGZCXh;wXRfdTHX^ z$$D+*7D=tLc%pwY=U%4wsytnKESqJ9nsn_|xz95#xc%A9=4JR7+GVKcxr*g2QytgZ zc?NUk+XHjIm2mDADbO*?2^Qo42MDaM5y5$HA5)BaJu{h+2sPz zKQk;g>dv9;$0pI+MdHA}raO6YeQ&=^>$V3K5-$H@XX?j~s*Us&`TWdns}(2IC4p82 z5iRe@M7#V#$qjZFa*M^QxZLJjx@E8&TZF|E+GtH ziloe5-AK?W`tYy<&8J?+EPBm>N&5?*maEhL8VOJ6b1+ZfCqZmlvHLQ3U8czrKNW9V zHy2vAy68!Kq;V7j-eJo}RWIwl4euq~h#;Glz|+Xs7k4fd%ZYZDZF1~NlZ_^ZvB^Px zp?|-_NLjCEnCM_dx}=f1QE%P~i~8$kG5*f_JA`hoX&<6McEanEW+UK`d+C&y zwH{xz8BZvepi+XmnqNvifZX^|bve9M;BH)QPpE}G+Mw(89raeOw9Wm2dO!GvdRN+Q z_JC8QFAVhtqqO-u>V2>=P7P3R=C|?AJ0icK-nek^@G=n1hWg2=ZnW#4#G5_=W|j}s zk5*&>>pi<@^^^5>2tXkesM(6;=WNQ7Ne{A6b%wFt5+kfQf8`}mJOqFMFTvp1QOH>l 
z-OBpcAkqVUGNsu6{JYd{+bJTN+_Uo}hx)tc{HpWq2T&HC6N&?&q1{$Ua=L zp5>#EsiFMyV0ca)1rt4QjgN=xwGCP96B}p6r2R*RP634L>x%9l1-Qd=3(Vyx*p z_j^Im?V9AkS1Uo0m3|>c3Yljwdep{vGU#OQV(hj-3zY-vtPOG*|N5X8$ z6nOXGMt}a|8Sj0c+I5zfsE{TM1q=-gXOl=7|ABS=MV`twLC8Y-1%n78*E$~P_F^{J z>v92c?OUP;z;~oE#NKph@lEDJD-(Y7CszDn8?~ z=;?$g>-SAD`K-n@SmD1{Cd1aZUO%XQV=mFZ`(cn@o&-T*B1LxGm(E8z!S%d9ul<8y zHE3s(T#?UIN~v&Y1B{Bp*S@^<;%4Wj8%q0jD5+?iZ#|@EijXghpFlaTVjtib?Pl6E z79|6tB7Fa%DH^L$l<3EH@StiXN5jK|?M@;zi^Zw4-yvbp#!dcwE;oD?{*Z`K{Wy)C}vNPBHeiY^FLJAk^hrf1qVWb?FF zZ$O&;rCi9GIRwqiibwh zM-K_R6L;;Fy1brM+&g}^qb)8bXqB4GH{2^}UK40d&CsItk&%RObmgqoRk?WfJ#_f) zq5q<|1b+-%FOpX>QJRHfd&0v@O{?4fZ-**Toi=9X)_k~3ch$@C>ec&>?hHL_S0471 zo1gvEPX6Ym;6pW^2+dFkH=bdlCbN8?mY6 z3AUQNc?^ak?h`CX^aH4SF{9!e)GY%RkW>Y#JZeSan!pHZE0qI^K`~F0z~;(8T8;&) zm9LjYMr8=e$Ekbx24=xtd@$qES4QD>&rX>Q-N5PliSg01bmvF{CvWG~c5(50POI#5 z)$KU7oy|2bEKoTh_8-;bMx<5s573*N>}T1FYkf{J8Qc>0)|wp@Fr3WhP=^-Wmr3$IV+2SYmVA(zzi zbq!lB4u|cEmqcXsq!Xc_Ce2NP6uLfyViKnYmp-7vdVPVoc%kCPuC54*-9GMd%p zWfG1L9yI$J8-+>1NxlTuk>sE22x!_3DHMk~5XqbuRqW5X>T{=u?|0Z*w^x=+#7Zn# zSP*flZC0fn!)uOFPMTT~q zR&|^ft&O=|+B=?4U1+8Ga{idE?Zw@>s(>L4FXF<`DxQDKky*^Ucc{xc2?_U040;>w zgLJqtoFH0ewg-M(O_0M%JRWk;UoL0?w)mUyC_}T;YY&Dz$B(S z$`_%92H@FzE9|H&Y=C3nCp5Rrfr_@WAc!YkosvJ)(2#x0gsjo zF-F;P`o^Jnly#++OYJmKjQ)>lJTM;+vXV>0k3A}Co9oN$)eP#C1ZM_WAc3ES(b?Bf z@OF;?o&6TG8PM4;?lC$7I{Ou%vqv(L1SsNj=&~302ezGSSY6NH;<((@^R6Q+ZDcBX z*KzEW*h%O3J3H)3hSYkEt1C?4rdQh9z!J(9WtVxShl4g*jb{60I|n{XUU!1NZycVn z!yWCK59DMl3eqqbjSUUl{}cu1WTv}m&tf|EvF)F3->#WqpxgH)&?LVB@@jUhD~_5m z!4`U|EBFiBkfWf}2F+T~OD*H!t!gju0MoA!{96lxdc{Kk`21A~u$i22n1D_Ijuk2|`y?b~IA+`*lGECgzjga2 zdKj=j`9)Lv&j|Uc$Tvk(EH%CtheLPOoJy(i0oUnTktxAucHp^eM|0X|4+K@=M91z-+*B=1j?>s z@}Q}AFn#xXH(Hsd=2KN%%}nQe6np2=Va)Rwv?ap#K}+xD_mP(!YM`aJ#zYlp>Aj6X z?#J&3Yv~O(=VZwLZt4BoR}jB@f-qL&mcYl)zYJ;#(#B1%%HUN? 
z!XvR*lWyW|)FI63D0b@=bS$Mxq9^jBwVIMCVJ%B80+c>JS-3SG~(Xo&Uk z!SxE4O|%^sQ_?t;d}CYIeq@-wz7z+2B*H!ZAnw9HsyS25W#`T8QT^=n_8N+|>2!xBFB6{B4kZ z@6i74Cs^@MBEtL|dHs23F%3)zyK9=pf8W{f@8rSkdgP?_|8g!Re)$k6+@gfgJNSJg zJjsdpfAsPEQwaCtn;*j%!jDgH{uR%k@4&djtE~w!e7=jFMgEY#@BDW-@+Z|p@ONx~ zr+P$KQApI$q|z4hN;_4_-p$8r-<`=2ZPIaiLst`x7} zten!*{(`geF5X{v{x3fC|4RWhg~M0nc6lCA@AeEEVU62dmQam`HU9=RE9PHe^7GgD z{`;V_Tm^DxDH>J_6gcSLf#<7m%}?1E{%U-+(G5OM7n)bUn`Zp`lVG1mybXe!Zo7lP z@u#}&*TcLeLfnnGy(VZ6xYY-Z^==z#r_*S3+nuCBe}}^F@4O6mN1q9IMkL(MDXicA z^>II5ybD8k@SG%G$rD^+d}}}G1q)r=>9!0R%&-mcbQ&Bg!XWiy8c|FrNpYMP8Mg`}yi>?Mu6fYb1PhG)PypI5D@%@Xu z`tw7+kA`RZAco2IZcm;4bqlPw9#B`aZ)(=`NM}-M?bD1_oPBisw3A zFQTf~x;lYF3b!78zm!Bj{0bcfajKY)tEGRK>+9;4_wElsRJSgqJH6Pym3 zISN?7%gbq~LSpKL037tpP|fFh-3OW^;K0rn=9K;U`_0JbUw5k@idH&0`BX5`UgY)j zzyzC}-FaZk1d$$=)?Y&CP1yGG6mYcnII(8dYfwcra)Lhg`=|lnx6W7W9ZRXy)t2ai zZ{4^tMlZU^$d_WU(gRE-R<LD1y-;w|X7%}I)p&zyASc3ud)Gjd z&Xf-(9FmYEL4%341% z>hZbG2L&dv04-X5mRrKJg~sadzj;LSP+RHN9M$OIYX)UVHjP4(f`5RTZcv2?Qh?=iHZV(fJlkbDczue zbax{lUD6FA-69P#NOyOul+xW@Lkv0e5bqjq-TU6Uf6sHg$NL`7@%%T64m0ao*SgmF ze$Vs#d?hHmxAfvO@vXDdNxMgEZs`OaeieC?8kPAM&u9}F-#j$M8Md|&2{6(Zf~|sT z7%svZOZ7pm4^k?M-&O^{;y)&zwT={H)y^nFR}UX|#ImM_g88uK@7~$SWrpA_*K7m+HM`YJDr~&0W(XJQNRJN=MFP5wdW2+0Xw@i1!eB)H zwxJ;*=>cU%RG?c3Owl-e6N4Mi_^v;K0FmJFDrO(Zk<@qRtW)G&hIPf%88~iDr2yLD z00poE_X-^yDIGMSlD+h!c!@!j)jgy`$ftwDVm zGBR6kzD5|(B|!PH;lQa$ihG);g6*OMg&x?wvRnU9k*vPI%63WfS}6< zdTCC?U)BHpssK+Ci|!xC#Sds;rhe$rZ0C{(W+Q+4mje>BBK|T3aSXifN({u5$xnH(XtFLivA($BwQeKMs%$GEifU}SGld3xBFhvk_dNrH;g zKmDyvz%4px0s!_{bDKy7l?&Ayl;b~45^Xn0B+ahQ?URgH4H^wxy?=A>gVR`syuVjxpY;u_*8L!5!9D5%`BH;G$@*YyZ1HR~3B-4#5h zzT@r2P-d0_dcKuNc=)F?efY@cq{-1%L(A0)OfpD{O>ay_+dZAMHD;s!eY~=@3vYyt zw0fme5?7@ah15>T_QCP{!>vi9xFu(Nj!(o&IhuimT20cCo{%TzU75hIhHp`AIfg4p zX*NPD9N$rFyfwMqhQxcXf<-h})e;ql^0}3rImPMl=e7F0wzITV80ZV1#8RQLfd-R| zL1$DZP)c<0btm$A2l1araSa*f{V?-#-@k7J5-v;jN83Wt^cO1z%B`QCn(Q$kGt?9I z7q24)l7q~Uz<^KIi=Ln8G^+Y@2D3uhy0TUyW#mEPS+>VCm-I^kt|CF4ULLpO_n-y+ 
zayG!)TKxf&NDz6bbf6^Dyfkytt@$nu#8T)+-yLGaMUFeL!P7Y8=QCKnQ8v#vSKDbj z%9#c23P?l$(G!C*(fL>Fvqk87KM1tSX-P0w~p<5YjBnnJQ_Zc{5qCB&VKn@rn{7TC39z38^FApdT zMl!A?%6s_`w7lp0gKV;@c2ywej!J$JDjQBL!fT}%dVHhj5vyrHECrzs4#@xEqBCI*&{JHBd>bd{N3(%Qi>?ghqqg%hHh^5?6E5m$WVJHmY!L^;E|;r*Saf@N zj|gs{pd^YfA}zXSdu`*tui8H?y38il1i*S!nOq}y;K8@_CbQ!PbDzJG?R`}Eg7^{f zg~T9$uE=fl-1o0x%^D3d%0$<`n;tp3rGQXte;utvGBXqkU2RtL@6L)iS*RHtoCz=n zkn0zm0CGK%RzBEQ+;rQOH))KS7(lL5^`svS=4ML`yAGlas z%9XajXETvTK_gPEv$n)%H+`<-b_gh5r}q+ppewY0(8rYC&Gy;_7Xn zSmG`yQ?K3%KiGGuI!a22XL5d`ls{K5v;LQsTT}zs77mJBvzZCnv!xQK` z9>;Cgtn4e2VKAMotdMf`sOA+5c&ZlgNJVeA@BJ5Ih50!FHYs~e|FdhJ4L7A$j{~vT zD)lD;<@%j-86lut*P{W-waMLIlDEQ+^`L~o)-6Px9%XJM z#%ygr64X)6nyH59{++?{+4J_!(HorJO)Lie3DmBk?4UXMd4 z<2Ejar%ofV5w4{Euf!doq%v&h!uJsD0AH47Wj4qDz*P6*+RC|;WV?Rtxj$$>Z@-nb z6U?$z6l}MxyPudyCDhE;YnXOKy_~Lj>071cyy^$cxC=?KtD(t9b@vP%Mltv0OS;(F z&+U)7SP3=&rh2gNd(R}pa!T)`i92?FK15mD$}e3PI%{ZMb3mpQeZx{kzDM^boLIZaG7>Z3GFHe`V(-TcX= z*tTm?{aI<}y!gFEdP9z(wlm)pyIuZXF_;*#|Fzr??pwRvc`O^%L9PS*M~hGWt33>HK|O|82(Qx5-ni=m-YP#Ve=q-ln@=OJi0d z5;M7>=izMt(HPb?Yws6Nx-rAG&X<)~N`ZrwL#4+#M0CwD9ft8?V30I~x$q7eE znpkyqeW^RrJ10R4Yh2TF{khgC2=LF9InN(1;-M-q1x;7SWrDjje;Zlx10#1l|de$n23_wHSbt$&E! z))XffrFNf^KvM#%nK=Hs>I{U}HD-*4=(0C3+ziBucft7qR~q;>_Q<9bvZV254ne_s z8OfEl23+YAIJDE&h8S?A(?#!hL{fwUuJpmW(%)QZo8=C`m97f!1zc&jfwr1I9wmQs zrEN`2NP+Fm!DHv{G-ir+)8rd3!>xKf+bvp?NQI*gFZoxFi`t5bIg|8*f?*;E9r2`v z+v|q{XzQAcCG=>B%*U$l~S7;O`XQITW5-lN?l!=KM9 zh-*2OWxH^B&p%Z_?#)xMi|rVrso20rdTqHio#+;eA5fnk50XAQ-&C!cEJL{NXZ`?7 zkCjAnHBEN|u(YQlvn!+Cmk~e{k|KEWgm18|iM=1+s*z4+EeJ#AKnjKU(5LE^TsF)1 z)T%GU=nv4@y@#mMM^i7n`52L2+cWpwt7$VxudNZygx~(MzHs=X7c$tvI9r?8sWFI! 
zD;9Y7iImAa9;?YXF)F4QqX2+nfjW!Ia9fP8UblKVV__&ew|zQ<7YUYT0AOj=3U#6~ z{Z1rU`mm4L5O#gREMRc8NLaQ&g|Ojtt@Npk-fl7+${;&^GcTI} zZacAe`hzZg4;*#Am~VSryUPe+o@euqDo|*OC~2GsdcR6+=Q)d{OAGyNx5Wga4T_Hp zfG*7&IXEZdWWgHYj8hqQc_9*S#5gw*t-IGweBov~Ug=Fs%q4W|-Al@yu@4l(Yy)o=z2Wk_Z*(N5 z)}#2RlF4iAR=!RXB#elcIx$@`{=*L&fgLv+0igQKGs8 zVP+7|p1jGlJ)wYDUiTrv4`v`Kcd0ve716}dZ$Z+d5ZEvs-|DCdq0_pvu15A=J^H(F zjyy2dBDS9=3GfWZq8k#Wns_Fw)Y-V2AH$>g?4xe&K<^plY)@rZ3D%TqufbSq78QgM z6)1&rWw+}>-FxGh1eQxg0z?F=XFlci&xO?n7xf{U$iZ-S1PPZ!Uz( zI6k0ddEl=sb5cB4AV0ir!vV8+qx+2@YjL*Lg1f?mn9RmbC7@liJrr+qKP8X1ovP_V z7%4svUQCcdOPfr!=N^xFN#|LpVWHncOQ2d}&bW+iMa(Thn{XRzo|YeBhq3&?%48Ct zpJ1CVrI!a)v;8f})EVWhtw$xs3aSt67u!kA~BBh>FQ8UHJYNU`5L%tNAgw4zqVda$O9y3)Rw6lG=M_ew)>}c-O79%s~H(O z7KCwB3gy1g_20&`vUgX3gbAvT<{ad9=b)gUyff^9&~)n6UB+#XPI0h-ScuKBL{emE zhkRXFlEFpAsl9LUnJpkeqar>b>Of2tg&NTy{|da0dTIpu_-P*>n<9+eLb|qTXRkTY?fS8>i?64&eYk)00vDLok_|3J$zA6{{ zAzNC+`&zan_yQWxIQgIs{$3QDYe&|f7QfpY87uoZt@F?dB{m@*xu3Ula+yHg={Yn^ z*R@!2hg~NC)|pG&0=NoC%Qev+%~r;7k!^Ch2b;QKVOv zs4s@0mGD%fc|6npAo}9#xPY;+Bju!FVs+l-W?cf#k54JeVxJo=x+yq4n0hSGQTwzd zQqz+_X6++SoV^2D*-`Weordh%0C0$fF1Fyexbr=F1uN7k8z7I`S<>;yh)7EO zU(_jTB>pa&r0*Lm0zr*lM=kOOu}9H$K!WQ?{an$)8FA7#&tlOgsn$aDRHsn8TT^Ns z#q)>lmFDWbGQzUwUDF$~?8LTB9Lchv9<(75`u&cPf#7J2XZig5*``2@;w;XV~+#$OJznZgihG&TQ!VOgktA7#+^F3G8Hs;)_MrD@#OCF~A7~5_nbH zVt7vK`~IG($6%&9H@a>9F;fj1J@WIxLOuL*p&srv0Q;rnZU4r4>EQ|=x}VkHxZ6Mp z;wOCp?VeG~RvnIcX+M}H6I*vCuXuiXpcLI5(=c8V5Z2ts=W#Zc8RiHyzlJ`U1=V$Z0%UaI-CH%!~*XhjW)> zvce2kL7^yGFaXM0{_GE$g9kE(u?eC*iUJfIMtqauiSz?=*!N3~2R3fxD3?gCtgFIz zNm>xv0XvUS86o0Xg;QxZ$rj3Wiqtwc)lYQGDWT_UC?r zQpKn!b!GHjEBQYbzk$fIswU#oJuX%qnO}v{w@;qguPXuub2NziG#{78<~AP}JOLn& z*Upk82Hi7@1a~>8=HR=|n~`@oJ9}-_t1K;a=#JPeCWJsnV(dw+{RY>qCA*ML*o{6D z3O%aVz%KnHWE;6{1}cX?w$1#=J~uJk*!e-NuahoH;UKj6U8pm0cDv!NH4(8jfM=h+$()>rJBQ6Bd9yf8V#bKb>p5 z{o+PxMoPDLYCZg+u+U2W&UMw(!R$UvO^B+mljlW61Xt5Rn6ohx3x)rxWOkG+e>we$ zJKn)MJc8iRr(||OLMg8$;JNeWoA##=?yHo1yAljd;?Q1^KmoP8k<=NBg31WAOz9+X zKO(&I;Wz%z3V>EC9a$tkoA&dHSM!UdVv3hD|i+ 
zqgrQUIYx4REGv88*aM@xqb1;u5b-TC_@Y-;Xf@7KcIw?U9*6DaHy)OCmCn1J0KzBdsGwEr)8Em8Bl&C-#wlcwcHq>w27lnsH5Y z8+c!$^{3Tv4PBLgoYpeex__)cX}2H$(qYJ5KjuCLz3d2-4mg>fJsM7e4;2M(H$H}*xPWE<9$w3h6$)ktkZ7p zw;CmL5wiKa|Z6+S)%R!4vEe0>{P1IV{v6Pta3h0{ygff30+}hJh zRV1EiywKj&HBH!4f?w+5B~Cb~!wrM2lN6SLjK4^|j%T8DvtM}BVJz*PlsN&2)-~lq zK~|zIA2dF;;uh(DZpQL7;O-&KPs8z<69&@77GE9i%s*9Zl2cH#WN5KfS)K5lqiAb* z$_UCUKQxbV1afm*&`)4n1zW2Q=fqE@F!<$^`g^uOy7IW&tLx~aEb>OnP8x%@{e@;u zJytt66tyJAem2qHK6#@AfXC&=5mTYv2!i0nm7XM;$!1qpR!wIqNH`TB^edQ)Yvp%_@ zh1PVM)$aidkGy*%Th5zP`uKmB73@d>LBYvNeT!?6=6w*&=<07O#YKuZ zH0hoiDiLrH-}Ql4;c6WOKqcR{Q+$h|zu{X>BLGTiBVWJfVr=)Fa4VXOu_ZQMH;{fA z$;~IVeCK+f{(PX>$V%{#7Ls<{0%*sj_V^W>ePU={FP#Q6FC-l;XH%3nxgP4(do=K; zA8t;>`QtI1fJqenyE&Cje}(ND|49fAgBo>b162z?vjdORv2H3)uRpO}R*#ik@mer9 zcLUWD$X6EE{-^6u50h_q6Vt^Bop$=xiAi61LZa}t9{*at}U@eX+? z{s7dQKX7X7{d-h&~9+>S9D-l|1VDSVNuUXd%;j;FP#Uhh=m zW?PPYq!Rtax)o-5XD~lU39m3lq-)LUiwSy+4 z6@Kry52X7&Ij8%`Ck$5FMDKsWii^j#1`1G2M-A~KF|6RbiRHUHthM&rCFY)|;-n>` zywR#lqxAxxCNj(y2)b#O(z^sc87Jpoyw8Shf|8GV<>q5YP68+luSpItfR-@yybqAgUdslrO7YS%DsyXO^@lhSbZTyBtJ7ZOIFD zWrUF>-p-h!Pl>6X?yl~lc+5Ay9j7xVNmw?G6wB3xlfcM(mS&^lS+;0jUn?RR-(11-u}o|_K0iPnV31e zQ+(!EC_v*gdaaG=j~9$zGCkr_c?U693(fzV^l7I1y;Zrhj#H>_A6t0T$*-i-^% zTQqz@jEd+A+^7x}C%9T^EZ4qD%GG9o^U#J;>#*L)LpbB~vj)z?t%-_YdVnu`LihlQ zn~%?1qyq}a`joc7Kelv5$Ss}9;M&P6u(*~S2nv*s79bqJyE z>0vIk#{MN^zZLF1n!R>BZ91y!YO{noG*_ope!e8-&qe=mfHH0-_Ys+JovV(M$HO}A zw#uHn9Ke;?WSuPTL9mtYoNv%zx}3$g;2He{#KRO$yBdFPPwwz{Yi;o^wbZJUJ+bMP z2fF0fWx!$7&$g?)LE+6GYcVFFGFnw9>$|s1+3tzHdPvM6dKuuaF(sS<#7b#MrFCt& ziNSr;TEp&m2^~*nVOA0x+j7(XkiF$HYy-S|w6DVmc!leZU=irl(ec+(lNBlYsWx&>SlSq4562_DK)c!3rCI?)tcFb%hw;=Re*tYI+3sm}ae{FRRv}Eij?&5RT51uzz zwvbqlCz88r-%~5@i<{Nvb^X?xF2C@I&ELg*y7UICsjQBZ7$yBCFE~<7+02e(Q3h*A zl1T_7O>@ORO>-IgNiK_g$1mUyFcMhvVE-&t3_PTI{Y)scV zu7RMJmK42Bg&g^erLyOT#zr8xb_=`rHXHs+8NL(JlH+h*c*!jp-yo%X@4UTpR7><0 ztaerdu4sbOI~e|yzCKxdYO1e`yYQMZ=Ewd^%d)jRZ7AreI!-+#5dGmCg?0{lK4u_c zr?B|=ht%Z^nO}dw92+CNkc$y6^HqDraJybyP(_5}*52uz7upge-!$x3Zz5BOV1vjM 
zBCQSzT&fMQJfonU@ty+O`T1O8bKe(3soa0MoAV6@BAQ9Z&<;Bec>w%FT zVZ#DxH;Xtme*u9pGR>-v2z^|0AyxH6rFULb-!Umz7k1-}0wJPB4i=TPdkqffkA~d~ zN~CIPi)ct7xgS~GsZ07q+Mzclhmf@?kLO zZ7v9t{z3Sq!|uPQCjpZS(=jZ=J!3T=d(ULh@tUAxp#hvC@ezfutN(U{n*Lwn2vv-` zX-{A!vE2DQEde`aK+i1Ma@JMIzh^c@5ckQN;gVoSBqu9&cXZet0~x_D=WGK7-zdYq zK=^@q9-IMT(jO*qXsAEM0O97nXMrin@F2`1u1%NKGvO?_n~|1UZ(9IX6CBArf1}E| zNJB-B!Sw8=d8A>1`PbY%>#3E<7uSHoh_Xn7fP61l_o?}H387gzs zIdumV4Raf(k@!K6Xe(5>7uPYz#$WzeoVMfwwiBApo^^%MCQHaXFC&XZX{TH=9vp=73UEde)&+V(j*zF>THm=*7|bw#G+m^ zezH`g#`1}|ndFQG$OB1M5V=U!s(bmcn;`=#>gr1Sz;v=U`mRP^JxD~5Lugc4AcK{- zmYZQ?%u52_vDQNt_{GL1nPHBMoO%_;Th=TBP zZky_DhY~!Q1j!?EYz04rQs;Yio%~m=A8r;ko%ejXKFg2TU#Ie|yvC0w2^YY5XfbhT zJNq1Qz<9{noD!pYi_3M3C(&jm2Z%yW_ZP1SM4fSm5@6HeEF%_Fp8Cnf7ETlRjA&MY z!r$6_p|&@<-?#9WZwWjS8=k)zn~E=6`3B!Ty%*0MdDRzsoiG{KT=B>DO>6PP=N5kD zksS7I{ajDrqn<+VhL)GkjE5CEvmXV*LA2ABch*MID9h#ZeC9P(+?iU)?s=berhO5r zj#gIKQ<2+0tGGh`Pf*hrv$hB?peG%=c{uhXNYcOsW;3H&f z`4>c6moOeWwdRJv0Xzf(T~7DyXRt^h zT&|Muc$BPWN>S>MG3MfX@sdx)8#=WW?CIj{b?qE2ojal&lFu&x zBGd`=B;~i>dyoVab6pEx%nCn0*JH%t{}f7Bf)UBPP;!ex(C_X5bDx+lH0YKsCLW#` z!G*V=d};UC2T);6Y8Iacq$DPD8vmKD51eJUnlVLREO^=OEq$M6>XZbvCc2g5y9Qkk zp97m2BmMnk4T_y&#_;gw;7rj7O~1JBQH*K+G5Lfmd2ack)Z#u1-%m?jw573cMoT`2i-&%IpL%4Znok#3!;4lA_YO1MNj;;t0e3)Te% zEE#6pp7RI3f+cZ^5I64ck8!*Zs-?C z-){R`KM}b0^Gqu$e?5jyLm0%@$bA%#p%nv4zI>gKS)KM9BoG}<$iwUZkg5ML1hsGj z-RuHkjTJ=JA44Wo^7dZk$FMsn8hlnRP50-f-FM<@CC3?B9S9uQjM@}iQk)oOT%L>2 z3;A2i(l(l$kXE?R%WmpzWL-ZN8S!}1wSi18y@l96eGAm0(5$r9;{W)xPmrJX->o^TOrXn9h&3KZ0{n+UwPs%a^%jh1F z5?%e7&!-1_(@<+~EPLr8{|Q(Bsp3DaZO8Yn0A*)lP7CmY|8N(4X7X}J9LhO4IfXa? z-jl#^u9AcugVpIqwcf|O$Y9YdEE>Pj+`K8SC=*4}R-WUE;8N3_0n1#P>e+wMtanb^M-+afe<}G?>l`@8qCr ztsKZ3?aoi_?+cK!V$-Pm09h$*rHni{!`0iXH&rAK6%sckiQbi@xss1sz@ba)b$iZ5 zdhWL9r$LGe=k}xK>$QDv)PD}$4&znWi6w}Xushi^Z~@r049R%;`uzBaQp0ZX7cX8! 
zsR*fvhI|KOKB@_f4+Pk))Sn7Y8566(smKc!_)4)~wUAke} zOGH?B05AjSCUviYYK1JgFy&+KB3fSjH7c_ZN3qZ3ar>243xn0i?z-!5cwJ+QiqwJn zW4-H>&Odv~|9e|yx7FAVg+T`qsfZ4+x%r8TrYiXB{^>CO=L9lFIx-DEJ^R%o_}4EK zLo!qyuo{f}p8!Q;6|Gb(Jz>MqOkEVvdDSWRI6A_{#3W*9Bcee;M1P7o^XS_7$hAZ~nL` zMbp6tDNE#VB_UD)#)^<296Hm{0c%_V9uacNKkcx;T%SKCs8k& zE_Elyayh_W{r~s2B;+JS?0E`VY|%6-JzD{*T0oeJ%b=aU2$ad-uU0S4Q9$6AVMoN% ztXtj)QowSeohWXd0++&gw(;CQc~piUQP6M0^+|cfa;Ka{W{&eb)oub#x)js7I9P@Dg>dFkrXoW z#;bZ%pKT2T1m|NIbRec9ZsTedod%Z|2nIT}(kKVm*o%)UI=>pjSGw7x z)P#UnjD=jAJ>)~_}2H>}R`hxcR#ruzO zeU1stl-ig{PIvKtck9t2S9P>kk^=QKDusQ=yI6OvLAzpY)f?TV4@-teS2aK?z;SJW zEaBO_YnlZx|K@%hRi7|+@n}7$=l7dQsegOold1Ijm;CUzo8;FYMT3x6JE$y-@sF!* zkG$H9AyNVDQsW9*LP9>)ih0U($iPt>ejsB9N29gX{~9 zobWI>I_Y6=fnZj{(2;<9PN_qvDCoYCqK^4(meQyTwrM(+{)bVd`NdR_hf z4*BQQ1h4;>u4OQ=>{ehFZp}1E%(}tp0I5Wl2t4=1@lx6B*N51M;4t2W^PT2!yZNs- zoF(79c~)UL-LchGS(hc9l&a$qulK-V`-0D)E3SVmoDO~h)p@9EfwT?es+I_tcL%m> z*4ruKPa}hz-5b|w3%FedGtrg2uNl7zeSB-rJp0vuq5b}2nmkTHM*Z|LzlHxk*3TD^ zy36T$kdwN&0yeK%Ak_Mi2oA04dk{g5m4{)~6}P>5da$tnq)f3jL`vj}SdfoiV<0kauzxcDHx+Fz3dTiQj>4 z13K}gM6jb~D%dm1Z*}ElD+ii?y_U*bklx@am7fd}kK}R{sn#-bl_=d$_r>sU38N$T z2Oh$I9i5C(JaE&4djHz={p;%Vfi?Gkw)nwTCa_6}h`)l7Tgp*v@^HV8c1VQW9lSgw z+9j7h3q)quZtSgeOAvB9$og|l6LH%3WXdG#4jsTwygI+8F*H6D4=3i2X;%jN2heGJ zJ!Tyf&vn2~tuTK>%|I!jYWu6!qtb!?Ycm@erLwc8FYM-5uAQ12Tt9c;tCUjtQ2W^G zqB3}YqzL6Mxh}7S!uZ)05ThgnbeIBgT>1}`KLd`h(IUU6z$=Ag!--0F|7K(Gv=Z&s zu@e6tN#U4ntNf`mjCnG!0tQx9^@p`_h1w0&{_h#}|Ee%PtnHLsw4H*?Ko|9AVt@L^ zIaKe?)EdB@mRG5W(+0J_@wn^j-=|(?DDB(4k52S#6x;)?Z+#l8P z{O;~bG7|ziXFK!FrD2|*V8a`NbqXs4fW<9!vd^e@L`??$lkPh{{>FU&#N|Zn z)MiaA?X^vNRyGj#B8SzgaXOUk46mYb26lGy0CquC{Py_=vd>3OXrYiUbWNku_gO;m zdyGBHK?cE8RuCS>k-R%v4pF?GTS z@;vOh#uu~@yoeq#bDQol-DA=1#|>gAIRnAB^j-$t61|U+@ic%X!`m)EbTx@zN?=>c zWt&jo{w18e%g}0@zNWNhDyiw@xkDB#F@76n@!`AGEc_7r>+yd)0Kk>|%#BQSQN{XT=uVzycyI+alvLAlcxf~FmgR!AerXnoSMIsas@J^X2XW}zCM0G=;}n#cz= z2ZFUul?i|!731M|?f3HbFDG%$!{{A`y4e+RH@Wp+ME0&lIi)Q0B)#cmX| zB$^IecUe_Qn7{;8{7kg3C>}|E&wVe@f~4Q;8j8ufDpPD+M$jg`j>>&LZr@_ 
zi0h%`?pzx_Y*o=(cVr{FZb{``xlcj+WPT?o5R*K;E%XscR1UjsyU+Fp?drwzS1a4L z#yfrUHq;vI1zB(3MqNCk3+6;x`&F!MgaeEK7NV{fT~o2)N7SmdZhwt<74jmypsiB^M4C=rj7 zs4pt^V~_ajf5f1;MS#I-tTuhf{QE|#g$Hap@0!i!V}vshGq2#*dR{jAlBHpU(;R4T zaU`=_Y3GvF`?iGQ$CfcA0k4l?FGLXR$cwsc$G(ISHl>4b2VR0WVGkKUaA+oq zSC|f`0`-uo?%kShn|Uo5a=8gi6R59~xlAd#;Mp!k;bA4xXctsTmJO~kT04x4RX6~Sm&Q8}? z|40@|O$KAr-}{jFKlYUW3cD!I1p-(Q`7em9X|~v!55!<>gC_us%YHA;RZh!9aI_A> zWhmT{bnMJ6l+OrKthF<-Tv40=BE16Dl7WQ;_8BKZ7wJ=IvdWY43BrP~&RMH5#g(+Z zfKiWrPIYG<0lVWD7Y~Ng^d8?J4+KHJhp#)wMOa=hDouDU2M%X+PBcpSGLe>3v**1% z2!mSs_e*>smB_vRfTGfNy-FioyKmUFmr}puIErUJ(ePfU1^1cA9uRZOe-*k-^-POv zfmJx@@m#l?lQ~jAS$DK02jT|y)G!%s5Jt#|5b(&8pW?8lRLBfjh+n9Gdyum8+73QK z=W=m&aYQZ^?%bq&6 zxyH}ew?7&%yv06{MsY>E&ZlWLp!1Tn*dFk)1c(2)N^!dlF$I#wAPG7Rmb8v&>TmC(H`vYPGnY!>DmwCr zaK7@Izyrib=W-z*uX-}JIz@3ZwtBAe%Ya;EXBnJx7MHsPT2(I&GbTs_lHZ>0ufNEU zh*o@=NmQg&C#}`AMkOSpLJK1o`xw`Dxn~=dV$!{kw*Ao;mGB;;ZBcP<3=XX^=bOI~{UUG!wGSBkm*Q|3;v{Np8`9`2I1&unzh)=KgR|j4 zHlw}?B8*VkcClAH?dE~W-q0G@Lx?5pOeXZ2M&6Pk2DU?*Q8G>&1!`#t z!?ug32lzu78t9wxU9%J(iO+f##)q(`qoA z(#~l5M6GKUE1Zy@q~;CrNoyI24uog_0#RX-bgaFa(^tN=#|S^MJ#V|GUg1KQ!ymTW zi}vvtp%Xulu~c)4$?afHt+c1r5y>4(UCJfgZrhxT_255N$>(>m=FXGc_0R)#0#@9y zE_g%IAg?=PLT8+zgz7*Rh-2V;^Z=PpP-CNZLC~Gb?J=M5(zG5Om_Cm^(h?qRzW`ba zwR#?t^U^sG6xF(IoMOY^H3^qU1T_rh*p3DWs9tp>!<9%bd2}jFl@dV^0rN_0C4C?- z4iRzFS!QZ;HXp}3$v{jpN=iymZ09quw`q?^6a4+;xPuA~uy`@n^Iu=u0V+8XK*?qb z(hgF5&tag11N>6vZ}jfBjOsX6jK{Ilj1=iG`0$A2^UUquATTTjSyna*ZJAdn?t~L? 
z3Yd)+Mkex}b~@QYryXa3_nD?IQ!0_t{*<nSnDccG?cbOyS1A z68d{=7Nv%B^c(!7R$IPDQsXa|yg0AjUpzW5m>A9(eSg8{-j-W0e2}|8xRbI+)U8pR zt@I=0V1qu%e56LB`ovRXb&$c_bv&NY9uu3v&{Z;5r|g*0)u=Zq&C1nN1Vksuzr<+| zv1)i3p3GB;;kJzRq~V6GXY8ixkV0WKp8BvbvK@E98oEPus}p?o)qs5~5^AUiU}B7L$&}+!Xo<67QSx z(_9syt$NKP1l-Dg)0A;EARzscV@wy7x6Uz*tw3G19NN7}B|z|9U?>~Y--v)?j=KXV zYB)6q?}#M0)^yZD6xx$qRZOVn=bI>j!%)08VYK3Ie3RJK_Kk>WM%7v_p(DSJq0LBd zdy;JfMo|&QUzaSWxOKhg9+o>$UP`l;^Lh&en(5_tD2`wpuk9mj9Nlfs5*5FzFU3`d zY%>KB4nrA(vC7Mub6d7EnR0Tg>$PRs@vT0>x@GJBH+ld?Im=|h_l|U4EJHMrs8YkY zh~r7z?wOqJscxSv$yGGm*__gEVO^%nrDV!dsqh-zVZ1y4addd>cWbA&ffm9|uHD9R zr)%i_@iO1c(-8`sd29xv-6w-|C9&mhCpPX_iO~Aq$y_CxyxO_BSHZlx`gK6%gtbkG zuK@OAEf;oN`XvvpBrp~s7H&|^geybN^SK7FU*j}sC}zvPP+6!^xV6jE{)qSYzQ|jC zWbNvvN+i49ad^X-@YDXLC{?FZy-`G=PgIEMqqC9ad-L5s%>y>XSFTXe(R14IXa+22 zV=%bpI_)3PNys>8j#QX)gZir zTN6^?j72}trn6lMz<5>4PJ**<9cOyj(iZrVkoH10$E~ImS(67vojUUO1PD0gcZ~|h zAm%ZAxnM&npV-eKdz-7*0E0u6gh&Cu78V_FgSpKJHCW6q^dVVyDYRkb>rGd7y&^LT zX-H~Bng@9!zv83)=D%`vj@+Y%!wkp!@76k(YWgg1jikjI`m$GT4CTIvXEwsrTgzMU zn6)G`-8gPF+CRx6EH^tABEA{}cbf&N2&4WDh9z<8mo;LEY@s`{RRJH!rM`9>FfH;e zK^=GHm!rh|!zFNftEw-Dd=01l4R_@9nTWKo<>PhR^Lt~}K8D)buomGitXb^9y^>FG z>9xy`>unRUNj#AuSFdexd8*Sc1!%rE^;!aTYNfSg&`Sr=fFpwjI}e(Pla^D${Qdn{?|D0TF0ge1<%p560~A z+2ot9T%&75&*fT-7_YD#|JZmsAYc7`6M0h+p!|X<{ats(P`Iv~ubQ%HwEJ+z4K7tf z(Tt#j4fn(Wh@KR93gOD(?sZh=ULYkOI|y4Y~Xm$AYe$ zNv&Q41!O>$vDbPCNEPA??_i-C8KATjxA(QS6uNpJ^smHH{!8j91e{V_9$n7c8u>b* z)GnonJQ>ZRNBEuHcH5E{8nQnA zN`dU8W~dB)9r{?Vm8LW0fw?1Lv=7Xt$}=3S+@=cY>^IHVba!a(Q^yJ_*i1Ab7-&+6 zP_5cRlAgPvTR#FpI7&r^o5Q`d+@)CTO>d67{vXEv0;T>=71 zcZZ5}Np~nMWzZ?z-L15AcgRNAG;F$g*Y=$Ad=L6P|Mwlkp$-S&-uGVjy62knx~`wL zBa!K`ZR_2`)r2BFKU4Nx|K-vp+D}->w*E>%o%1wP36av5?eRR;qhIM~H^%ZOa#SX) z<9%}Fx8gZ1cO%x>w^p}3U8I8&`t@qaw?K`Ze8Ta4t$uz%Id3%gXYG~Dm)!z$oVoRl z)7hl+K}+F|(pt(4_URuDf8 zuMl0D-KjM~tK*kzw73f;5$JJC$57ySBoF4jkIFwH!49@gXUCuoL*eBcUgGzgEXH$- zg?O}s6?gRbJtdH^o_eqt!6@8&R1i$IIe>ex!?m`%a}F9|OMKB;D~R~M>lL2K{s2mN z#;TV!FZJ$U@~E1{b-@`=2vWv`#ZBMiow+-r3JM7GfdCdL5I4Dld% 
z#^B=FVgK3gG4)XN`Z79A)^q3-j&_*MBYctA=8$bVEQMm0KLF60oe$J z@v&?yUQI%dAiP0Tq3wG)~iVyPY+e___@|xr+@vAv}m+)Z|Q(zDMWsEu@8vqUB-b{dc!; zj{7w8a@&VwDU#V|jppg%FDD$MqB_gPWt7ug7Ae1iqnUDq#G*~0ozWITuBrKqbH!1D z{A_v$HkyU2@S465wj(x3H>kBEYW%{i2H|x$2*k<@o?B`{LC>95xL4r@QbRW18ZS*p zMLv4&$HUCsH9zq_@-dT@)ZsmQzznatq>Uf+5x1g|kBqHz*kCSZQEGT7_fViiERmc+ zaJOCW*1LQU&0Y064{AQ~BkmKEU9p6HlSSzs?nO!|uyyo0&c-Tn^XP?{n)F^I1w0_5 z3rW|82O9uv*;KT6l=TcTbDawJAwpece)NzIWXn)zErMFcta8`k(DS+}QnDe_O4fLa zZQ7CgdSsw^Fyp(*a%OLokig!|SQVB#;Ir9B7rYvfOYz(*9WT&G@rvj94w_=aK3<*` z{7Xpg5(WD8Md}U45<$E2rUb~ENH298(Ycl&Pj{5em!{R&6Kk91hwRgz^v3;K?rZ`K z8SMJSd;QaF`}>(4KhR8!T0_%;XLrCCS0+XiNwt=Y)MoB3nJMM`5LKW`W!{dN_^uSi zyw6*a;ReKzpTtz|MeEJzwuT1SkT}@IqH8^UTgW!_ZUpMh9@(o;KEjcVA-kHdqsc`P z@+oY)rh&p+ixeDz%%{pS)rbs1B7tTs9v&V|<5;P4y*=f6i-Gqgbpjr}Y7pFm*&ypS zYB=DQ*d5Iz14hN_{|O{02BicePi1sCgE8hp#!T)jHU>q2e}q( zHKx5l1{3z?CE?A6KTtHqf_>ksp{8H9kAxz5J<#9Oo483ziWctU7meTZ^l0bF)sr98TK04};-&flxBv52Dal#%%`H|7MRjS) zc~1Fc!8n|`Ou2;Uc{~cSgXC1s^J0Zx-BRf$y}$v}^YC4{)pnE>0wKsP5wWvr;iPe3$>^c#VU--nEr50paObbcDzQLg{j7|7VF!w!KDa+{3X9KbNBU zKsUo7(4#sM=1hq2^77a&@acDH>=v-->>Y?9^wkf7GXA^hC^sZg*JrqTlG(Lh^n72H z8zJ*|IXidV$U0=Ns2AehL{;?1KIWoGCKw=F0m^=bfvHevUL%*-O;to2&RcN09rmA? 
z-?Re$f~8kVbHL#HI=XQV*aoE3w1}q?NJ3V59~2@J<=bE|s53HgT4hQ{waL6CI2_ya z0II4zw|-9R*~zTku+CmX=xdolla2-#^Z;nV3M~3pq`ekZL-0EWWCjE#WJuurAN>!C>WGR4Eh?+0TalikIFc$7e-zhD5Xd9J+&o62cpcKypR>Gvb3iy|{T*@|$svUn74=Hy$fqkA z11wdET%-N015iU~`=cyw@T#U0I8hS$raMY3Fr^1SL*GV?vI!P&D>U!4iNUAGBjt~U zHk}t2=5=q|+U{ZzRDB|P*g9($hXtv1BP&CVN&{&Oy`B$AJVs|nhqP`b)%CkLjEBdi z0B&|8(BJj1yOoE#QRu5uj)CG(rJa7vXo5K0eYnkbn)L$A%ah5FagdI60VswLk61zY=IOrOY>jO$P^~)Ed!6o4_azJI zjL)FZldAAs3KeDR#T!7K(+6ioFuR*;~TOEOqVC}?fL5In=206+P`0pJp68&STxi0udC|ppW^_qi z=(*x^Qju??#8fO_1nAd@XMusyKiCa$AyzX@zSG`&weit{cBb-ZLj)>xS$-}(8bxW= zbInmB$*e~vaJq!vo$iEa4pLYm?ux2QF`-^FDKoOs(6d?I@q~hoTOA?z8Xz8k>s5|g z>^Q*M4Y#y^d;$^|jjtZHg`f%Jl|1bLpEvkf&g0=zDJ-OcJjgJy zXvVC~se)EaI_t9!v!{D2si60vp*BoJ?C!tBX>o=_ul)$ZkyL`x|YmUCvuqan1m> zQ8oj|QuoDkZJ{l8eWa>zKepB~D19XXdeWaIW*j%hhXAnEh``;~aKP4*1BgKOy5=D@ zUK2&TjlDp>q6BIsCd)UHWOm$TZ2o?JLC*-CGoZC#iF{9IHy&>|u!np9i*tbY-!lmW zm?*FG#-*EEy9xQZWKsEx-gr%*0e_+Zy#G5QrM*fD>{)x7<*TyX$As6(@tT#J3Rc$r)2hd)2FDZQeUXfD%O-QCHa~Mx;GN(ym!G>7 zs^xB6AvE2|1f;pfSHgjJ(Mg!MSPTedMYZ(m@6Fbtk9oLY81I()P_y^n&kdbe-~Xp* zS^T?bnWvgx{n(nTJ$AeqKi6o&Qh8RARA4h*gL$|yqhpbO9K>@v0aLA0eO@S^wAz^B zT8}ZHb<3t$__D%;($6Iv1$HtYv<(fYyMA-$zsDhOW69rWY^E~m)u}p>#2xeDb%MR% z**38Jr_RqiJ9MVDsZ$J3E-`&y=s5| z{pgJ4>_aIr?iZzW$uo0y3w`gaQ(DkSQkVu*M0Q(KZ5ss)i0e7>OAojf^uK@oNCMiS z{eDN-Ne(e4grx4wFHeDwx^ui)+Ra>t5x4O)V5=IR}#)(~rk}oYQUZ z1c}S$GL@!d+5Y zvbk_*8TAX)H$1mUOP8%=kraC|AWXc^wns5vuVZn)EQIhy9E z$O^a{B3J-AM=Jrm9UIu7%+Wz3~&^ zKWMx9Ze><)I+PYkt3Vp!)xZYw|9Og#JN|%7&ntlO|BeAwMCc$UMe@mvpjw>6r|>x! 
z`p!s7QOmO`WpXaM55v+Q@S`wT*l+0xH$PkiN> zVm$OsBJq1x@v{SVZy1Eye5@)7udc!ZTD-dCv`C4vnJR4YiM^p&eL zF2)n6AFJV6s20Q}Isf&05K;M&N-9@r1TT-FR-TxDSRL}Fw5RPZOQ4+Gr$Dk@gpD8JA)Qnk_ByvaT!e;&3dd3^;^aZ9#G(!t$)^XI^fn55^-DyRuECYpa3{Y znj`D{m<+?cbg85vkvEbNWm|PPB&^1AJtJ6kZw@O@TR<2Hlj;svB@(WyC8BXz)K#mv z0@}DX?7Nc+K-| zl&Me!z@yOmZSt&cI3W;-SIhcr@MCFxP?ByS!hFIfgd zUC3U6Mqa!#Usb#QKCee1o7G%hlzfUX)8B|_&wmineH8k$>@=Xf!vEXEpS_SieEb~& z9$z`sm%t;D;oA$>0eDt+_JeT6hvp7{tZXj{u(F%ARS0r{)?G8+bn^m3;u!Xj=HQRUKpOr z!n&bH2erEoxQ|Nas;VALVnOu0cN6zK@y+vHGmPf)OwzU?&C+1lmMI<>p}4bi)*~l; z^akYWkmQ(tY>798tdCh#Xf%vX+k8bYlRL5$J($WS$8zi zTcaPfD@-MkupfPpU@VAjeuD{y!+-?MSY$e1!DiHJO4mJ1SYvB<)~m(u@iS;PN7Yz9 z$hJS0OUHPM%AlXvCZFE*=WZh69(1I;7n1&9y%jT$-CYU@Ktc690yIIZ%OWgmT9X`v zyRGD|u2J1l8953z45b*&kxVM_kj{u=mhpb62m+aA`S`Tu89)u*K@wQIeS2+c-^Af) z(-q*L#VLAPga8gYfu|sqGgl>_k?vL!{R>;8WocZa8XYumJI$c0@gkjKTa&jdReeON z_FJaWBz<2JXgQ3p{9GX!wav(LOZ?Lv*#VJznQ=2L=jA31+(K zbZDHm0NRk2xL;!5qs=$>V-0~iL_s8C=uRG^Hu9+v zw73bdCMdUOfR4l$c;}wl7XWw>F2>o=L7rz_G+PP}QsHY&@Fb%7F5bL?j_3XeS$tSu=o8f2d%}er&MPFgx5p zG56DsvKQ=>Lm=*3XD<}pe!jtop|nKxVp;K=w1ZTch|BT?+vQUvY~@-zqsLmx8z1J4 zg?JeGpWeN325Ip73#Ds3=<;FXBy(BnFDquY0yr{#dMCuZwBUWaT^~Kr7U)mu^cq~0 z0^W~RL-zr+rl%1Y_W{v5f)w}sPJKmM^@3M|=0#`nsit422y{aQ&XennQ@KDR#boo@ z=!=~Iu<^%_9zER%mv9mE-VPDEZTCzcEwjho0|xOQ5BD|z+@h@LvCdt1+G+KS5{s*g_5WkGYtbwfeuO9Wo>XT#|kJ|61O{kvfc zwx2s}nkkB7aKVG+#7#q9A#6Wk>6XHjTBmC&&nkm>jiy>>=k3c7m1WHHO}7dQ17;yq zbBqkV7W(n}+>qzT;lQ<}=}xs_vq z!z0M;&p9Z<&x?+$%T`;RNP>h0A7Z0C=m;e>qh1}VwwTG{a@-l0z(aj_LIvi&&kUFb ztdRN(2x}D;LAMZvA~2oi$j^GB&DVIB?Wq3MnE6@J^^=h5gj!UTQOO4+vfn_ewPJBq zO~uA;9Nzkn>4du1D!I}Q-$vKopB7gZh)1@CHz?UjC)#T3n`vy(0MH2RYq~vOG?lT_IMx zNenvfVGW5+&#oga@~(H$Im$qmVA`AWF_K)gCTC>xd{9qV(93-wrfa1Gl14?J%C(Vw>Gm~~t&l;P8_o-{x5rO*xU1Z3N^rgg76 z4u?VoonMUCmG5qGdg6!H+RilG}gA2*E^R^;L+=G^#Ewku#E)R zdEApR`do_mhef7u3L<1NYaBPCahBHFUz;;(waa8&K$d`9%t$GWkgMRS%_d@a>x5+V zWIAzkuQARA@O4C-P}4}sf}Y_3 z7G;_r#3&{98Az45<9P6gRSxD<5$jWx==mst8|$TU z3~{Xq_16vRJ1%l*&wa8xT+U%A=DgdiB#nETxZkM)6P6W=eTj_I>2!*Qt3z5_Iai66 
z2V!F-x%=f2+lFFEMa~1|^}NNht^I~tOJX7^Tm`#7GE*4I;ikNE+x{Z;a*_156%uSx z{d}#{Z0$-%vfOFEc7!%f6xBCJwJNBO6D^<5b=@JvLQ{3L(8A=^fL`LH?_37mNWruN z5TX9<$8YWEE4)KsnQgEzubQo1Gr@$Xcfsot>;G5S%&2=a+Tq$*YfBSBT+zb8m#F-4 zUZeNokNOjYQ~;kDKmJ?i_+PwReukhDmCd+ z5Vkh?Z0j%=C|D)pw`;$CK%kyRjwd=+q$U0yDyuPg29o*0KpzDa+dJvC5qjo`4no9c{@=ljnNLg07}Z z9bv=1iRP^cf_M;ukzj0EQ)qvZdYaHtXeWh%)7_Hv17zj_&r)(-!MB zGdJeny^|67G9l?wcdDG^^Dy@lrZm>urc+y1dZz=v;cmMiE$W7=4E#xw_y^$E_RXH#liF!3*96?P61+LIE*B zuAHtruF5_d&t1MUU)}uR0O={B3aX?8x1%L_hC3l#J~F%{<@P$0sKK6 z6&E#yabkiZ9Z!4E=d-F*BKSDlF9@(zx-?GdL=$<4%_Ah|6@H8}m0oQLJo~2CQ9b`@ z@%cbf^AqAaWok4eqP-Bj_{Q%EK96~~KXMK>~@CB&w z&SrZOuJ~E%Q4Z@6#2Rw$r~WsI@gJu>9+3Z9DxIRkjr=ERfytgvLXKxM?5kT=kCyNc zPNqa6)q!U|mXg%y8D@(4ip=v()Sc!}b>1@xV$p@HMs+n6?YJ*vUbmM0ZjsT2&ZE+m2!2F2DnEsXrvur!TR!52cQ20ZV z8#RNE0>+C0XCiLPF95wYB658p4y*{6EEY7GK$)lvY`KlpX$&W?_9k2J)f%EY@RKM%T zZvk^ZMKVjlr+XbhXnK!49p(4u&M$@ffBvzU7JT^x3+COM-3YL#_2C}5VqLrebYwBX z0S>8%|FzKn{`Yw)_!gyu9eV%9xd~h`kGJ6CXeyB=eMkj94xdow->>4|7w6yK8{j%3 z{pP0+$$!5DF4W-OXt2`~6nPA^fCI!rzhA{)X(Ru+P%dQfFSn6nrTovk{pT;ci10^m z3%%=$P|z&?i@omVHTmPq-N2W-UShrU`TY|7h=Q+-ZX?*m7x1T`{lOns@y2)jp9|?E z5o2e;`v-Gr9HOO+kTvC8C~K)CXMr$zjQfQGFo*3iJ`OWbr9 z_0LDyldswSF6O7?T`G@sMI@^+c2*CwE3Ug$_`bed!&cm`K++{+Ec(B%!(VSr;jC89 zxBgmxtSoy3FVKG5=i2K!KqD1kI%k`q0$J5wn%+^|DXyk$5qqM~a}<`J+}~r&A^*SM z2*${rNDLP5B1<+QoP%Eu*qawm{LU5nUw>U+XOp)6_!oY*nS|(p(}~|n)=pi6SdEZb z6Ae)$eqWE9i=tfcMCL7?X=yYi*O!{?CvTwW?M&@+*t1+u&Qo~SERVLi?W#XxFgKri zyf8K~neX>-J~}Epo;ikGFknfD^4n89)9#BK<3TQH&9FxBCgY=)Tj`0C2w7{@ARXe_ zcxO7Y=Ds+cAK4RlS9L!VfdDITrhmp+_#A4WU3bk7gnFUunX*qRk+V{HZ5uqtxBGUE zk_13nDUI|8a$&V1)sLVsT~EGM@vrTM=l+kTrMrxr|G;bhe@l^t>doeX1Ydef@$ykw z+)Mr&*W_2Fqx75{kT#TpkC#geWrCc4u2T_~jjQ=g6uhBdS80zans=A>owz%Ew2w~w zqs>WlKE=Iw=zJucKvwWA>BE`F7>7ixAFgy8o~EtNY}l_4HZhfeO~?i5Es22h z5Xf29GX@wdJ98i`X%8csFiKJLXBJSeQaZN7bh*0VBjJ7X0fEIJ%R-}gsPX)m4m?^T zX`Pwr4YvE973RiVHev4`-va*LdoTeWTfe$y>E-v4EH?8o8&9=E$914aY-*~%X`&mR zfE%yz$qDZti4qNM;1+TZR!Htooxz2a{aDfxDF4qZ5l$=fRG@%+|su$#jrj^-2cajg4jXjx#QFJs%+ 
zgZ36t1u-Q0fjyyxI&&st97kZS!PcOW)Rg$u9+qa49quKkHD!{JbH5#yr~7dR+Sat@ zHit&j=5dl;RNio3LUkxzrR7lQU9?pb%jN<^o1}>zH(^%m8+XmFI(#$Uh-+{7eHS1% zhwp@y9tMOPzy%zx?pnor{>cPNnIsKA6fD%=-c?!@cp479C%X4X zuuCz#$eu`)cE`5W2r|*|feLDaF5lJ#-Rf}`Ut)sWa@9hz#lg3O!NCfKI{Z|uDa`nB zk1{@-xmVYjk(|%5fVLFLsE?5EW%$(HZupiAXO*@#5m98987=VxcWNb%Y|l$H;(&Mw z$HZAo2;W0YAoAv&X?N`isGdr^PS$s z;1FCU>GCWETQh7Th6c5gmBRh^VHP;{|86(G7UbJlP=GeXx~Q|#+*qKXmIyipw^_(3 z^s%<&LoEvZ7(^4Z_920e*mzud3D3NfPsIuz>HTvpD;&pWCjsQsWG91}8^htn0Iv94 zcimC#;+$n@iYNjM47?vpO}F8Q6uGZgZycv64{p&$aye2;$303edO20q`pR!4dqDA1 z#`7*7LrJ&gC=JV*1De}xap)0SU|Qm^ab(pU#c_{XI`Xmd>JC7!L;DTB+<`5DGk_M| zOR;0bf@8nV9E*u!l{dR8dxw3`=swZLbb9UmL;?f#6c8(fom;wEhMnsxQ8ttW5^0As zpGYUs|1z~My(t0#2U%agknh1@sSaja{t-tGB$9y`10#+(ArZ{Cl0ZIb5lepNI-LoF zPV%Vhh~u|?lL%)ZxsHB3Nu(cPo#OhgedA0MX*?Nt#ZCH?sZ(AHEB6w0${k*V{Ij(c zfUUm1y8WJ^$?$dmr?^j#FpgWZ9wLv4>e-me;7{O!=T3oBhn&cTjafP_;6;2Q!F4 zj$0iuUkud0+&cdLv)U9%$nD};P%)O`40mCU_E*cybqA0pJ=krbM_2D&=o9gR!ZzZe5-!*7Ee^(HEYA zE@h5Xag*2q&gzQ^S}peY-H`~)fUL3hPLDTueT*;zN%y0zbl-dE*eIjOcpgd8I4qK3 zL``z#E4`Uoq6S){4~`2D*| z7BbQP>-(Z(LC2`)PWLkbR7H(|FJ#5*!c5R=vL@IX%xp&ODWr}zM{^C`*^2H)L-n|f zG20pty*N)Ja+$e#9Slp;Bup2s{^H95`?Jd1iM{+Hv|45XG)XJ#J9qC6#g;CaZd6$@ z+b>yUnk`8loc|PAT`gVWT$>06c@`8sRQkvdGGN$VsdMf}!~P-o0O?G-lV7YHvhoY* z9Q{rsY2$;0^+2*vdR#el82y!gV)RL0Oxklp#k8;Q;vZ4^l}DA((2u8*2(Q>C^Z=qf z2!pC^N_$rx7m-v}t%naVADN&T{NZdUV8<-+#J<*}mWMdeB zZc5*LV-59sS(Tn{iB|xEA>sqj$V7Fnrp;ql2FeD6PlKi_%rUnwApiisCtUq%nV#Q) z_dq}E!SeT{kh8-rIirQg>3NLyddDbw`(?zB=x^+_Pj0^jBD6ta*aLWs00gnqeQ)Og z%(NAOdz{Yu>Z0QHcdR<9KhXVsu#_rJJs`&-RG^x^EP|5prZJno-9*`+CCfV6A zIW7SU_3!LtX};{Skx9Tp*#r78@mjlO_AyBtOtFU5<*@YMN*N!YYM|vB(CN?UbA2ia zf>VaY^LUp1dOmhTpGl@@bU$P44S9?xavo#6-7K2Utw)1qZy|4k|Lpl3!|N~m)xNo{ zvmACYK)-Wf6|=TqOWPOtaTy`*)9~Wgd(4NrN@Dj{qMaFD5fC~BluWd?Bxh2n81)RV znOSZ$WD%w*n2=`I))(=Q=7vrC4-by^hojGr3P!P>V@N(7tpSzGxaWk zoAGDv2=ig3#n_i2s;1Ac-o2BMsoR7i;~jg>H|8%3*GDB>RmTaROim{Zjec)dT2mf3 zRPG#Wmzpvh5H&csevfb^{3VZguRyD8&^HjB_>O_U-!q%}O@cC#5I1`D-0i_Y9=NYr 
z0tG)SqTb1Q)xvtRT#9FXw$!)w{R+!L`i^9%6UG)F=ZTGPC#!ke8wiY#7EjG#b5B3k z-p*RYV->?(u{qhk(&a^dXL!gcv__D_)g`KaX2;thcnyM<^y-n+LgA0&l&#eWSU+iSeU3 zMoZB7X+!85Bdf|vVN*)^{bGl;;XEWg{DDs(rPSCmQ0)b#LA}$KuG9JH>GNA(rWa?e zkGJO>RtG66XSyuL3+Mz*OgO95L?;?FJ!)*1BwNc<%50)c@V#5rigc&UH6kZOgYcJw zZ2!9P%z-!XrQwz6vYDf|GLQuCWyn3FEf#PqTdE_)Wmkq%mZ`&+9&X<+wr}2PkX)+P zPp2IaTbK={C9Gmf4iILFNoK#opLf~{uAlaEk-1%@l1(Q?at}MW(3K1?qx)2uzhc&H z4~>i1gsH{O)U*^Py4=fIlbZg-BppBUWa5ZKAmd@rYz(4CUji5A zOJe1bB0cvY|Ht%wDIC7YO;>f(k*6T`#B@Kpc{Lk`9p;8dFMG9R(mFEUba}q^xk%_i z>O*&&JoQTUF<|9>7RbOADpmG1mHSF}QvrZ-KMTpH@QE|17ez0F{|}IsZ`+-8z)8#d zQ2t+}WiS_U-u={Z&RhC5yb)o!hlu{`>tZ>^!5<&IHiN@d;0g&Tfm({IeAQBf<*tuO zS6K7!BcIsKMi@S_8SBtuY|&4d{Hz3088c&=e0-YCA~7Q9z9G7M$Madem#LYiQ^_7W zrs{lFzUf+AS@KOkV{&5}SeQ&lW66TyoaJVMr+~9u$Q`B|L(=-CuLTI{a!gXZ0&u-* z^qQ@$x|4;7N_k2EJhComTKMur{A|_tI8<1dHPC0-O8=Pg>CgRE(g*0s+$$S2;sFOO z;&TYn$+Lk8JsE~1dpi4>3k5l{lKci0Z;D#aR7e~P#evQ`HqriX&@y0=+d3tG&Yqcf z(tC_%F=6xNt#1IYhj6}UKc6>Vi4^bAm2nhU@{?Ib=l)|Sf`uyYxW-b1CQ5lljNV5c zOpIGqShh=7hD0+T*<<45Cz0?s$_O}bMJHUio=C1Kt7^Jnc~WjqT*<_Y34t$aouVQv4pe~~MJulTK-HwC6U?M6p=Js#e+_ z!J40#M-5UlTIq3@uB86_QAXcEBZy7yOuuBI4n0QpyfEfpSLP?le1@Z;)}xz^u`@K{ zZF)A|!|By3fsB=W)EnFgam)eto(hKb0e18%p`q3L(%_)cM_7Ojyk7`rL~;#w#m6Osx0sh$JL~vO~vm z^cFDQ**>1y@ta^rlSv&eZdOQR6A1_I`#LY_o%bKg)y(`gERVWMwo&1*w{w1LDDK##K( zb9t`35zRDeO=Xg*xgTv6Rtd9)hL5Hvqz8T*c$zcIwK3i!eC}-HjJaM)TUEM5gH=o+ zZz$=dP-$N0b_f6fq-`tSa7k7jDk0I|?BskYXNq{)?H8`Ieko=bZ3dzICKROZ39oIO z=slVGUH7xX^jaG4BI@Dkr@0ZnYd$qy22;IC^K;=ZX5qqz>rCrwtM&2wbteT{HzcIH z%<)k7J$vQ%em13_d%ZNd$Sc+=>CnB4O8jFtecF^__R4A)XUgM;kJo6K1jpDI1=O)E zbxNxwiNez@(6eC(9P!0NO{g!R-26NEbt~;lVmF)UdUpWDL^fL?@M&@onTT){lTNhV z$^%cnn8sOv&5Q@<6?5V;vyrSe7BoIuYx~VfHt8h(%8;(`8K6RK$C%=SbB{sTn)H9T z$7=8}2UyQ@;-)H~O=XsI=ndH_j}fMpl>PK580T(T*I=TiZr3XzFSd^=AjLQ5`DdCH znjz%?3>IzHCGtP+6i4`-Qm3*$q9 zQX9(kKUQ$o8hWK)b{JOYp0@dRaO1m8bV~}gi$u8;&2}*6$RscdlU!wmnqwI^?OX`u z@$rA1+zG~rAe*$(EPvV0VU99@tS4JzexpzEA1GEB)6p9T{FjRKBWOe`q5r^HG8g-?fnYvC<401*H^7 
zjO}&2m}HAa*Gu{c0#|$kA|6ubQ}L$|OI8~t9F;M-KR&Zi30jq(;zXewFVL0NYMbd) zUmK8+F^#$}#e1^BLf7abGsCx5wq!Z+d22}I>S^<(u$Gfi(dN|0g`z5H;_2fEvyo-y zqYsCR=R1UbXQ&TNT|Qd^4=zs8LxCjZf6&KU>&sUFeQfynMg7JgD>JgOf&*wJ;4Hpk zk9C%++hoMBHz8SHSrS~u2fRjC&s@H##RAL8KEqbWZ=w1X7%cSL_)dT;rtz+_L~sm_ zucB9Vl_8~1+pRDc-2Co)K8FK&bL7z}@?cL0dWkObQI7YKTaq@HnmrXLgM!|>65N)! zx#J6xzd)nzp%gq4jsXLId>P_0C-6uv69y^sqg7TqG2H#QjNOJWr$N^4atPPv+;%}w zU5V$p(^Lh3#8DBi`1^!6cdD!`BY zT;)2?SX2&aMV%C1I6I^mC`}Y!=YPPA%mdmTVl}LP%;@xG!BB`rxOQ8%FC0UG1nvza zZIDa9c8=>8a82onqMQ#nF{)9NshUH4v)xbSlIO31HxToeH*n>bH;{`)RS_Qmz0t6Fz>#ic@u3m$20r-$ z&ceVO*b4UsdUi4g0B<0Zdd1_*s~#5u8nH166KjniC>LBMWr_( z_vtpk%eA|7M4&EpVYP64P+px0vOJVOQWgPJu@?mO)$;cb8{9UU8yM0qdt@V~Z8?L7 zU+2;6SGu1IL*$mgRP@=9Ucdu_RW(e?Hu|tsrdZ~a)|mU zxTE|tMiJgZ=N=T|OySu2q^G($ss=73s;O^z3Jt920H>Jm+IZC&AZ&=W+DWMv^0eC< zW-$ER>d^W+(!j`Z8-V6J1x1*fA5$dvZ^-n0XKb^NDKC4;6M;H`$l*2wrpz@4lS0R{ z21w(R>2&VgmD0ty^fdWIO?oK-o&uA3!52dj;vECAd^5XM=2MEQW%xsQeY!&Gs|^OL z@fw=;PlRqv;c8@Fv<9F$T#48msi(e*62cn;rXLyWJsBoI*3+mbwmUNJq~u2v@A2N@ z&E~a*JWMqMS_gW4Qq(~7yQ|>k@2{=iAvxb8fizwJ!St~cVGRh%gBcK8Xtl@7S^|q#_{6}f! 
zE#7R@3frqz5i^n+WejcmkpqdYD5irSFpBJr<*fkVT)`5# z9fVAgEU>{!e-aDrT>f`E0)n3HH|m#;KT8+uUdXd(2jSx$qa;C7#QW`5wemCWoWDeZ zA>8%_35(p4nhp#^D|IE{QM`k1t~V1G6;@#U=}P0t%4AW`PsXE1yQM7K;+O?*oMpb_(uKt{!ynxTy!S95Kt^0RU) zZ~E0KJPS9OK-bOl4E003X2}UGa7Tc1p9WYvcWr&Bx%DG46pjzu_u;qwq@5n?20jyr zuRBK^=&>$i&@>#tJtXA(_|A(I1*LAL(oBL{1}9rJSNSnK;C=uQ zAzsyiXB4#EQ1ti8=)`6jq@>H(gI;htzvH@}+1X&KINa`6+YG|!BAIl!1FL{c9vn89 zzw;m6?F4E%WyO4+h-pL7Vq0@pp>2sNZ9~CGrG)VfK->M9e%0ZqU-iV5AllP3xZN+IWQ$O4 z(k<#=yPtv-xHEN1poE^Bm$9vi(N0XVnf5f!Ip;6?5DDux6P1oZD5ulrti+CkmqI^9 z{(WrNkHy=qxBLI8pF>Y2Oco`OV4&$EkDB1uTMGyNZv7}`%J$qzzAvK-C;mo>HADz+ zNfL2ee=^jpn~bmvQ7lWQ@w$Bun&vQ8j-PK?-0ACVmuTji>;rjayZdyipPGJ>Q^v^* zFLj1;$FNq`ZRQwGexGq#ed>O+{h3CcSu2;NcxoRV+!DZR4RDd^GZaV2qm2qh#bMaV1eqh{(q>H~JqXqCcWt0zk2fWkw;mW6v0_Q}W`i$979tlF-x~=D=$_ChbRCZ4qQC zlj3^saf&`lp72Gcq@-AOA~eQxk)(+4qS<#%0aKPDz}vlc-}hemW$H5<`LJ^UFutx# z`VFzx3r$RY@C0REPAgg9>T5sX@Pqx{AAHgavZ(cY1zCoK^T6JWc1I{f`?Gvksiz*u zv0#jfhBRVz+7)~Rwm#~whQ4N>+Nhe3Tpxo;QS{MVVFg2*fbB9x6j9a0Vo4Jn_TbO( zVx{0s;e&|XHZJE0u625`$@q~TK=OsVA>Fgf6A?mojpb9s(8&Zd#S&m43>k#FT5U(73%f8?4LFM`t@6d!<3yC8CWLZm^IjD;Ptul zw832i-kc9Cttp2eO88bNe4Em;!icn-mhY9JCU9nd&X(`FL|N%in?Pw;8B~uUxtC6A z{eX<^eU^Lzg*(Wo`p`tc$*L<87(pD>(vc-cs1$Ip7FK00ulsU&vETGDGBEgQ9a|ZO zov>&>bG3uA^9&KjJH1^OZwYgl`LB~jue70HQzOZOGnS?*{ zJD-hgFWXx zl$IxB3mAllK`8Y0o5a|fTNL`Tf(#F_Zxk_LIN#<0dUx#?_Bc#bp+Jgm+Lv=?)4A3) zCS@m^i`ALQl6R&YLYb>~#}yL^)`I=xFn>j+4>>cf=4H^u?5&ph!{}>I-vA~Nsq8Bv zp5tO2UQ|zIrVyN=q}r=kW6SzY3^#7Av>MJDQF(JsMiSe&&-O0bT69;2rE`bp3S(K~ zq|q2Q6I1RLTR*Mpu78qET|xRf+w_lBUwt$PQ6?Cr$;9k5RiYQl#6ggNW(cZG9adC& zd;e8wejLs@u*eJTO9nYvMxSOtj829Vi2zZmjJv~m==|2~kn3Zmx=V0!7NoPU5uG=t z(2t^zdTbTXNvXQvdSz*A%v5c`s<@+YVrwy9xBaSG~^w4RmpT|23*~y+~Ls{2W(T*Ub zGtw$a9I{>~e@f1vQJA_dw1GRg&Q(+@TtUQ;fSt8{9 zmJIdGI7f-(-<>V=TiSmqUO|-^f4?MKAe{RPR-j7XqvS%^0tj%|O|^&iV_x?aeTt$L zD2MVgz=%ZxHLIJ^M4v+Ts3@|!Uq$!PR9!L=}Va4;tvjY zjYA9|mW~nHiAzz+WqZ?)&(7A$veuRrz;p{CGE5->$a^hV5D5U&Mcwx9v{4yBx;K_3E#nN`Pkwg%CF}U`OWM0 zU4B1PwL|sVD2$!GWrhliV^X)H3j!h6i#7~K)nauuz|(d51VVcN7K%~)+P0poBRt)} 
zE8(>RKsBQ_Qg6QAJItj0rm)%@XD{Yg8GjKI;IgWM3XWSKSuIl~A>$5a-n;gwu{`yU zi`IM>-$g0T;O(k!Nr>^@R@%k!L}02IAew+!u0g}Crc_d(l8t9H5Fce7%=-A;@7Y%M z0<8eC(b0j3u3ykX1hF{40&`4PTFytBhkPiX@*_dJW&d-Pjqq|wQ~XQ!JIQMi{13%8 zlIaoKj$Hw#bw%3gRkja~l(j(QA;0sL;MR0yAa`&z)CLSdH?NH#yx)Bo9Ev~(+C`Q) zex=xICK&keDm**ofe&xXI>l3LZ6vU0Mnm7#A3loJVmDFmGb-u{58sfXH3@t^J-Iu+ z@owNet4}8gF#>|mv{W7?c$z~*SFP!zpV%l&H4MTi89)JV&i1TzyMYd*jfX(05j{>JRznZ=fh>z)%5ZN0jedZ4TQ<5)E-tF%)@7rB(Vz+Z8&iBoumJ&~` zG^W<|R<-Hs*%N$GeKO#C&_j=qfk6;F=NHax4euWyr=lN}vO;=;= z{||d-9aZ(Vw|hkt5NQELS^=fII~7E_OS-#T6a+*{kpUqySW8C}aJBEL3+{?vU^EdN5pU?Bi!5ZCoXP(qhCzQabJ(up%D{s#8&aC$yWuzr+gO!3up zWDAMZrE$UVqMSR5Kh1Qeg(KlEQY$%PVv7wm$H!@)?Ixo0ceiN)6_@A10jB?7)SVZ{ z`*S?H@FeZLN(ZlPkumCK@o?#BjI+qK;S#Ujud^6uhgb4$;z7B5+Bi`5&MZ)*ykVak;tXKm&!z^dtwu7{fB~6bkEnLPylyX5j#+X{f54%^+FVCZz(h%g^EUzy2M8g(m> zGG3cHz^S@FWUM$Zj&OO~XEgy+BdCP_1!xRK5?o%;WjlH}UiZdlJy zc0E4SM$Oj;aLq^k^80@*Xoo-zXPl6vqG}@%kU>cpNy<=#yr|yH!DPvAufuLh-PlRb z?JzF(Y8dcF>Z0M-WP*2F-((CLoC|Ri-Xp+!ePmmyhJL`E`^@TdDOW(9>OJgqp@Vs- z&5!|Wwkt6;x!v;q%r|>(uz!xLJdN7o^Ae9%piG6{|0vsC8u(ac+7ifK0@?&=$cV?+ z_S)psi?6CnMj0zm4J0K+ViuA)?EU$l&li5Km$__8!U%fjcDN!AqHl5B3+*pwW5+#C zcm12S2anN4D7!Rj&SiTnZ+VR-tPP{>R=4Pq*ApGqz5%!$t49q#+RAX7?j3G+xBWHv zC8blxUH9E+7W>a08c{qT-I?tgI+fk3JZaorYjk_oaHuQnD`p+gSdszU4towH-?9WJ z90z@R2H`e(pbe&qS#OQYWZfo-%22df-{Zbb8*T*by8<3GlZ z@36Z^oT>U+($PZm)hM)_axKQQ^ciHP?-0@RNpO$r&T7`M=lw+Ps)EO+N}Ng1&a8YX zNQ~Oz$)>$4N+{+t)#1pU-;Vtri9(AyZ{AyK*q!_R3bov2X_dVj6d#<$TewS`{M#0e zmi1OgKX!ymZ`6j17{q)8wZ!zebsB2U9NW>Z+Rf@6o$}XiN1OPjw9^p|{pctCF^GiG)`mYGOy9W(G3t(=?>GAEk|ZVGTXcbOBgOmt zTc*Ozx~s#jQIXqaNOuTDL0KtFYtFtL7kI#oj|~0j?)onu|5IcS|BqKjaJp{od(OY; zy7Tk%REVcn2)zD0&lP#H^J5<8qBfUv80i;j9?<{#Kt2mbpzLa!Q5V_lgriBD`%%&g#VctXzQQL$;LXvOkkIPgd`Z1` z@M2zebl_34mQEyVx!jHw0-M<|WcGyf`A)K*eTro<1~D(D?lXqov<5-RC&W;r&M+U< z_bnJEO;WVY2B9vr$xkC`?-x-O!Wz4!v6dD+MbH;$=9yoM>_qn5`s~K2{auH}cjttQ zVMiOm4~w6qPcxA7V3htU8wEpsy32m~EiZ#!xEcT)n^>EAOh$O7fZp#(noHyt@PkGi zRiF;`9AoJ@gDb!Si$%<&t|wBJSB3JxG5#jSIca!vsKu0xL$Nes3fSj 
ze%(aFr=y)cxDC@Hmx>&>JRGPi-1!02DFL7kn+*=sX&ZQLPARN09UbSf|C;CO&G?PYIXtyX?O|ES= z3k;*lsI{TTQhX$AF4l4QzAkHb9{w2+Xamo<-|F3)E9drgxg82;>h58qmm5T;YCmjn z-`^*3vtE;XQa)c;vigyV6urfL^HPD^k&X5J8@*kT9F;7`=sRXORS@i#a$-7IOGz;_JKL0n9pBaU9wmZ^27Vh`}f@e zRp$(+>V92Nel+eDTnR;_u05fgf!Pzp)K^?@E!*}@f}E|TQSD>+m9gIw+jAB2@5I4+ z{66c$EhpQ1@pmT-yFQ44Oj?kBZJWstGHG+K5>Nv~-jn|Pe9bRFTQ+yYLe&0V)NQtc z>nRtuw`IUt4Wh?`UUIrI$}-nmNZk^M<4>)e`;^OWK~{;0|7gfn3=!1l1CVtEe))z! zW(8az>dnn;ZsbPZC3o(>sbs`oTmIFsPHyHjOreh`*L(msZ9?XxBCSX;0_{)d0k)J7Y!K8 z&BB&nQVh&|ku=ymwWBAsb|L1yr&F!j;Q*oAP0{4CH!H$b5{FBs;i@ih=6xs}@F>;8 z6$aPRiCt2EqE;i%Mqe*;(jPzF9m5F>G^Kd8E=<#nZ`3(?cC-5ol}Cw_@s~C;A!~@= z2Dbh(AO$6HxhFy4{CKye^){E`>MeQr}zP zzf1LkkgojY!XoLb1DIVb)q7?)l$q)P?J1^36V7d>#pf>x|JbmQ5fA;!Z~f>*@LXfq z`@|(~q|WIf$x=@RV#-f_q2s;7G_c;pIK}zs&oc!}YIK*Gxso@6v<=0sqesP5U@i@Ro%=N*9cYKQ9 zpX%=&6#k+Ae2t6vHR4^~`6b8NA3BY9D8Co2e|;MlLHNsGy`}%N?REnE*)ZWlEf?|k zr}|sBfPd(J)0ujZ8y?0RPeAj*BB<>w$wc;_-v$Hza-`ngo4+W^el#5MZs9FqWYIFr z?VV2&r2;$QysCZA1G5C*HVghqoBcYdm_k4gW7>*%Dfs(0+>r+z0t%U96}uo!0o8K^ zsP)jzzVv}3LQ1(O5Dc`;B~+pK8@LvKw(;Np25JHxR_zMQtNFjLV(?cqbil)PAuy;Z zNtqRywkiVevX4j@zVO1Rz*T?$#qetD8{>#4h6ve8jA$)^^UrCVtf#>R4ZFpNC<=CS z28ba7wy)3hIWRkaE+nLqC^L09X)d~izc-K`D_HIH_E*2m{L;-p$0Th9XfH!+{O1*- zC=ibuo)c>FRb2(crR#P^GQX0?>RN3EtBWP6rNC8#?&~70u%qQE^Zmn2_yDPsvzLCb(R@9pcU+Z{Du4#ZyVIonMw? zURtyZEzm4`+a1eiPPzbLhfB?~)+bkd5s+P;3buK+HHj!#K&SW&{k;BqkTdYGs);1O z^4}lqHH3HInZFaI?b-Yh$e0HL8D}H(;em{>gTQS;PSPDRL|01k6qSUG*^V9%6Ueia z;U?Bk0BE|}voCF>iv@YuEj0j92+dDGKt*m=hi^&l3V3Fy z<=a1S*+-pyM~8G>!>py(Y(5=>-3! 
z1LF+B2i-L+2~s{j`^sI_-QP>iMzMi6c8(MuwV)u?b*&>Jnbx}x3Y=v)lQ908uKrr} z{`vFYIw6=sZ+v)_Aq-7XAsMJxzhQdu?JLSotgS!Q*9XIodD31GaxpyZcG4-|OzP z!+TM*uUV8+lsu67F z3%*=N4<5gH#eo^cu8#*lFax{t;PuDSp9iNH>HOibgqL#BAHit?>7kwogvhvNB%})Q zbA_1{2>tnR!=u7p0%ZGffjglOTT?X>LPC($tx0!9s4CW6*e5Is>)LIX0Y|I{{1^|_ zGr}jgrI-1VxfuSsQ11d7rU1Odaf(D(9f&i__O_^=`X2ia3R+MRe#uOo*+}{O(&Zum z+5~zXoBmm*Ly8*`qBeSKyfN4EsZj4%BgKp>du@zKMyKs0k@5Y~8qBPuA|)A8a} zZpVxFzP>_Ln2i3*G(gA%;z?T4(5RtOi3H#~Ip&Ry?7IT$KVRtv4;EHH)=}JuL#>2E zNFm8zv(*Ot1cA=C|2rn@GXhUXA93FzG9vyLuO>ciK33DPNVorN>M{JPv{y(1%_ue8Z`B-sT53?3D8Q zeTG!>NI?cE!0@I&P0A;NTZvi{LZ8<*t4RVjs6IkM3-j|LtNmlBB%7<;@6l%iGuCDC zNwfq=*Nao;Pm9&FSMy~ta=W&aR8Q~o7J+ONggO&-{5mQ zPUzYYX62ZlL>QdjW~Jk?d9x*e&V@%(D3-O)TKbHB@7dk*%&o>QD%O!JkTGpHkW^5x zW5AK9{i525Au8PhCHW;h2aw5Cn1Ip(&-pgn1Djd?U`@yP5MZ~Rowq@Hxh_wJbmdfaJ-P7r3gdNAoiC zrcJHV4zMLUB{~@4Xo*5b$Yx6=foeR+0`&Hct!N0Pykh#^a?9U}R=E^;bDV^#1OQ105)q$MEae4vIB;Mza0OQU zKCE7i45jWp+SN9@$$f867CVM7L(2q*E()u2&% z1(pL>^ZhaN5buJ*6*x60pW51!1e~fDTvG^$>KoKR#xEd-);nH<8)NKg3a55sl!_CkP8yrFZt4_Pqxzu*vwSN6fA*c+*0dqkE)9Y?a&ouI+C3NZ{gDug|~K# z?S|RGQ^0?_uj7Hluhl-V*SCg4;uW#aVqgL9F|DW5{1vU+Q6LXL^@P9YFNg?Njl!3^ z?RCh|HR1h6+_L&P;nGm-6n)r-YL%~o%hpH={#C{c^fkiJ)p7cPWqX;=7!NycGE<~A z`6TI4*}uUSW~_i}V0H8sviQ~#;~jQhiP!MHb09hPiA*Q{rY#EoTYJw}t> z+&G?*-c)dHqNH0H*_}6IX@veIqtY7tZaw1rBA$CwUZ+MGjeu{C=LzLw)zZ`sul$#` z)60`J>RTlmRjb}Ht8YT{YVS+Ooj>?QZ^%dKs0nU_YvEC6_!srbuj(-}sr`A)BWd@6 zdJE}`3K>~{42Sz$i#7paJA3XHqYC?I8SkDqu=)9qFO#|@<&g)b+FE*5`~N8ni`Dtw^`L=R9YI;xk~vgzQIgegja97-?0r|CsBR8N zk8AaKTTY5=O4+xGeW!8N$;nG@=BUg%pH{XnmC4 zxJ4ZDW4v%~n}tvxEx4(8{NCouy#>txWg;|to6grMV2==_BA(yM)= zO9DVps}ud%1-Ll4Cc9~4RRKhW+#sq9C`Q=Khf?2@H@>y+XJf!40jl=CosDG=LYR}& z?nOQr0882bjdtSSGkPuGum*@`9k-6+hE2|g%=Z`6R$^jyMVrc726{6V`xRQR8preb zY*k_~txX#o*H{-b$6qdas)kW7ORe@=uYcniw23W4?np{%X+`?PGBEQt1R;*>(s(t) zF=?u-bCUcaJnV1Wc_U1Z)?NpM{aFu*`r1B~20$X&C7F2IiM^4m&@5eZEbt)}jj1>n z69`T)QG|s?ee^yX-6<`zzVbRvHOH8jkU4y;m}h2~y*s24j;>;MFVw)t+vD86NC56| zeh9y1&r_{Zk9_#Bd7#A~2md*XvfYC4waG_*u56THsJJomr2 
zi<8hti4gCx7r5h*@15vc^CI1R0CW6ECgL`mWOW_rt(&?G`-{*|@=p4#l@%!;#xbaK z4(ncIg;WoL(PZ|#yDFa~jIStV{j|SjG&=Zypz}%rUCn>iEO(qdHd?z~NCcQ^w)D)e zd{y)=g#Y01MCN*$I3ywDhr)-V69pF#`i!)W$PQ0hMC}?oE{YeiPpx9EO5E#vFI-KC zW8#YQ*R_V1L%(bCa&2=9EIa0s*nd@vf2cFC(ZwFU6X~(=Rjy-OU+zhBNlm<(YPClT zwK{{B?-EE4MZi61HeNXVdd=mOi|E29qV4V5beyOv+ z<_g66q~Z%5y5-9QkHa*4p)w*Z5OdZiM$q<0#cdndBgH$%$%Gou=VLM?o~=9R__|$~ zb|`(uu^E`HgbVWW7g?VAOiogfS*CB-3iWUjZ+bt`g{rK~a}3Bq`d1%|C0AyvFLC?1 zgvMWr3{+^R?>?ZH58Ej zPs@bYq(h)ne3dc#!;XaEPI01k!@Fc=IGh`()i}@VEkFq2_N@WKUF(j(Fxk5kkC}ye z4RggePg^lU2_+ACX3O3;$!G4bZ+|rD44q#v0u_t?8uEo)rLlT}SJfUnMPyUVLHWl> zhf_NHkV)0TgMrYLKoL<LiGCB zzxD6vUwDekYO%OCy-fmBN?peJ$sWOhe@kflm$~bfa#+O56keoiGA>Mt@h|H(rXlJT z7D-MIxKLX@S6Ghql0GcinWf>x9_6{_MKGh;#tKDL7m=0-kI+%V*G5K(vg+sO%y0#sxAjkwtZ zatZ^sptmRdMpUkL(|w-xg)Enar`7ISk9nXWoUA;kzA<=HD3Ae@L9k#X)rMjGM$aYEV*{oKAWe{g zeCIqxJ|IJ%4|eaw?>$g>Jv4lIP@k$3wk(OjR}o%OMNhOTp8KrguYFn>l2s(G{>0PS=NF)oYjda~(bAt+~d zmPo!rK*k;C1pC)UR`tp3hF(iG#SyH!0mwG(k)&%Sqzjv}Q)&fI)jv-#)%SVL7mW{k z%n9kopw^ljro_)BNb;&!>EjKiN#iA;dn<^up|DIlUlM;OBzn1VBpT4BEySLyCdAL5 zG*vl5>aIg0mmXV66wc^Vo8Y*ySGRkE(tqrEBwD)V@J1+d38)*S#xsfkY!c^j)45~iwY?$tM);!d5!h2s?g6;^j zB`yU^+GJS@>{Q;q7({9o#)xOH`G~>8K6|AUr?~l4pNZUC2%BzE|mWaqCx( zP^8h&?&&@^AbTCYd)D_JxUMkEV$f`8Zp-bS=*PdUS>~e_Smsj`c=Ogn%6^G1OyTzS zS?EdiVrw5oa|w)3(w|gnco_;@eTGZ&d(gC;I)^{SorQ$JtcZiEHnt9|wt|>{RK{NM zAuIviZ=?RUJ@8C+VrnNd2Ppzi)`8kU%5uEi(R5z(OENEBI-l3Ms#}i!wv(~gpx@?r zMMpYtQpO?9LFIA&NPI9-LY#3Mms%Et`e=?73WoT(#E#5s0|uRNY~@E#q4QSk&!9qF z5~~K{)1d+k*N{a*`C(lfIk@QiZlj;+AAMa9-q&}(IU1We0Z9NSt>_tS#**NozQbYa z+nHuQD@vA1+Iz)qw&B9E?E3Z;k$~Y+QSQ&Z^awYvV-rS95j3ao^QR`#7Wv; zTl4ClzJbKDjZxufpNAm(5V;?+WYjj+Xy-8{y{=xlJ7*hJ`KoHht@;Cu@Alnj{)~p`sw01CJWz%!p!!UB9U?;4g2Sc3+&!1+B5j-2;w9hktujjLQPrq z6j$6{TKjX^FFqpKO}7O;E2%5=Ak%k08yQOvS5KBm0zzci^J40x7Q=MCJj}lrb-61Y zp}_C9S=?rETYbD|U04!c8wx|H2fbo80~9@;*HPWdO1*we{#E9f-DOwrw#m{4SMfVO z@j9ilcdiw{#L$80bMPv5eALZ{TloOt?u5-3|F>OMwr!r|g45vqeRK($b&gqreYdu# z2CMynYSNik(mJfy^*r8cyb8FA!PChgtllp9l3EFiQWHE5N#m#0RgPNCs)u> 
z4G?oUq^8ILBJHZaF_aA!=;&0F-BwcrUzdsarn=h6%KP|+de&w%=lBYH3n5d7gO@8`CvinHnV!fP z#P8{D(`@+p4a7zdWIml0ZZDPMx7){HHEma{@O1$RcBJS`c%ufFWZcD`iZx=W%kp(l z*YD|fHHwi$4}I@x>si0H1baal{?k{nO@1~4=+`rvUbyH7Y}9?Qj^GeY_1>O*GL0Q- zq4Patnw~+K`jG=;kLS@LotaA1iEzCbGa)gD4Z3}Yqth_ixa>2?PBZO2TVo>enyy0@mBljpp2+30H=x3uv+prC4IHk2KVg~yl7 zFxt!+ysFo+Zy{RNAK=&ErE@sw5NfX7z6j2Q!|3iRiZPN;gn^U#OvCsPdt$j1wlHW?b4T4ZquxH}Id<{TTuv44-h;)mTaIyVM~?G2 zZ6u~hgtpsFRy%4T+Ho%#9wL}<1=vuJniB^hr|-CxxL( zZCkP#C&r5)Cy_=Fs9J`;rn<|-4?uG0`_AjFzb)ldFQmP`uO-4M+8S9EY;Q7Vs&!j7 z?{!i?%rfw(mxqVxoD?vpN=q`K_2VFS93R% z|A9#^lBD1?J9~az<1O?>!TH+z5O`25W2Ya0yBk*TBogTau8zX>2_4H4q&nbEmMQHI zoL-PptgOyyc(36-)|^;zw7IgHlcn0CwC6O=39C~+j67yY;lB`W94>yjJC8B#Y+~g6 zb9!>2z883#f9b?l4OCpV#`-)xcQttzJ3Sp!;lv~jyz318+I2RnlC|GZ%J=rP83{Q9 zP3J!th*h8Yy-yvbRu|%@rXIju7eKNTI?ETr!^>o$QWC}XwGu7Mp{_5sVx8j>VBAAJ zW$VLPdY{(pxUoFj=ERo@Gr>7xF#s2cS%PpgxaOYKnUDeh zT1tx=ah!6nXSMAJyy-&QJP-~%^6)mQ#7U$DmKY<_v``gRW4{rtd8yj_yrt(c9;|&Y z427Ge^2AMlwEs%oD9Y<{+_3WsW_VRMSZ#=^@71Sfqk@^#YNT?_apTz5Y~+zacklzY zL~A7PyyrX%gm!t#wYNSfi3(tkpCnBYT3N2@3AED*e{+KeE=oZVTADh;km@#`EVKs4 zIGlA8%`raVu%5(DddB`tE`qytDsEh}ad53TB}A9XdOQi|XW(L$LlF~)vt_np)BlaY zT+T8UFDWu*G3qPa7XO<4PX-elXqKAZ^nQU8`v01${zfc?6AAg^>N{`q!1+1?$RxLO z0V)j22|YY6(tj+MEK1+R>AH9KyY-;rkpDmCtQF?_zwFyU#Q_>}FrP1&JN?S1)ftj` zcWza^$4F>syZ(8iopmHz0=F8w`x671_H%N7uAf!zWw)UgH3$)l^S?i~^q@>&_sB-l zs*$7lE_;Tw*rMXmhV^Jw7L`!d@XSSb0=Z&p9PoU_anF7sLKBnn=q2CkrRW{Z$HG6jLvl3*`RyR46`pd|=@0POhEMnUj2mVbKiD$wvo zdA()i|9v(Kh=zBp=w*sA3EcZ+Q^4?3(YzmptGpn`I5{M(UmmKGJFWdbSAv)3Ixz{U z^aq!PVSbFoXECy_2-nKFxR8}!L$LM;*D?KwWo&= zePZSn8ndy=@H7-J((%G)_S~*(r4#ipw`hM{kytv8+A^-qw(el1q*4)XO{Ln3oEr5u z*w7L2+eIAv_x?Zfoi9b*^d}X$RIJ z5C-wgcc5!N5qBCcIiZLuwAh@iNEj>Kew<+ldiDWV!9Q10GfP{me=Vi%U@1-hxs=Xu zUB~mxu_>`g6ZX5!%YJO5r#T}n}~>CyMP&%ESO5a(?49km_)GPm^rrr(gLz3}(+3 z*vAL`P9U0e^W+gyaOWkW z%byh~_HLzH)B8C~xt0?$Ukt6BCcy+L6&r12NM+|YF5bM{yH`acTi}Wvc;jJ61yq2G z+A*g+_DS!(Pz&$fC4IdDcj}_A1!7ru%s%!9=$AhJ6fb|-J8@jSZery|NV21_}jRpUM}Bsp^@*9poHw-+uHm& 
zOX=%B<;f4=<*foyce6F`)g{b@T7B>!iLQdpolUK_F+nxe6r7}^EZx-kfk#yBBJupX~DEm!5P%>2?ZP0P#HDhgXJtm#8RB#`~w!?-*O6Wb6O+3;yB}}BfJMjmKw#dK=yg4 z_Fhf!7}h6YUaj?$#+D%Y!XEvlZ3lZ}X=mi`t<%e60T8`GDJ?Lf;G5AHYzP6DMnSZ}wkNc9bqS>9;l7<~n z3U=5WW5Ze{=FuBf@wQ)^Cdh7=M9SsU(7tV&u$+;fT z5eK84|8j?qS}mCqXoDo#QGrdhdy7Wi4J6NpYo`Ae38;#ughn-Zi|BW^wmL9KQ$>2GIu$ z>QB-7da()_JrOY*;S4%cD&Og&?OnQo56peX>f^_6mKcq*>2oI}1DsFxaL3BrG5Fjs z-^cTM=^^7~tK?9Nc^YYa^JUBzKCz2Tx~iPS&~NKwsF!B0b}$)!JB97Ud~(|VafZra zsgn!DNJ?KyiSWW>B!>#p_gDL~q~!&kX5YqBQO;2pdt0-(LxtqGV%;_7c*_~jD)gR|e&Ai1_9~*H z#`6#*O@^e}O2>5(ms$>b59FGuu|WW93tXh*Vu>hC^_xHyn14Hl-I@$fFi@xTeUI|t z#AxX=eI&hSA0H*X!|hObw~(Kd?l|E*_+?{?A%cjgDrEh2i}ZK%?<{W>>Lz0L;+v)) z!mTV}OAL?jBBB&F)!8zYgVz*gU8=rDd>bA~18#E5u->wc3_3WI)ltnCFLp zhXl`~++?y_$e?XHNitx&7Fe_;&4WbE{pb?c5%jF}3=$lFMS9w;kJTUZ4?4AtsFiYb zCu%w(=qc*;?UAc-$QNM1^nvYgmr!+oy4+F9E#a4Y!?`8llfe$U15|bXJ-%m z^|6S15<*+zuX8Of8$`UMtLxf zAHQP=5fF9T_MJi$Tiq-mRpNg7Nm~>XmHIX76Y}I&cjXX^d~RY11w36LdIF^NtF_M% zl8!J1uV9qjM%z{&CnmcoARX5HBqQu+PD?x`ERf0Rx(XKMP^Vh6r4*(-ec|VJlL9*4 zky9ED{T8jN1xnO3mYjECm>poaD!MGWn{}ek6FRG?BX4`?I5HR-aQLqpRr~Ppwwv;V;;=Gg~ZqDB+&_5 zELaf;9NsXS>O2*C=r2IXY=KxrMe2-mgtGNuX)wv2W9(v>7?#gDZ0yM+a+@!X<%ikb zxTTkxfa%^{BrGk9a#dcA!wWgZt7tcRwJ2C-pMF5?yJkow#&ZIJ7j<_zmJh@P49;jV z4SYmB0&lV?P|74btoFC(R-Ywl@oQ#|v_dM^T9e=1*LmUmH5s7gXK=J!a%=>7@Jw&w zIPk6N2obMxeCjbT5iI27)M*K|gs5h{dJ7eA&YNvMhBIg&yQPGFo&uGeE450pE{Xw4 zgrO9@LGL)V&D~0pADZtp%!Fa*>Tp1U*IC!UjD|l;r6WQSA6gQGAs=zXS$0+7nDahV zc96eDD()iM+q^J~XrozO!`$AzzNb`dn^DNWQE8xSRy|?bAy2jXzU# z8u)#Hv9%;qyxQ~hTs&No@IC)fe+-hy8UhZh4RSYq1{*0chc}hj?h*5$qp>%=fm6{V zJXlWiT&*i?DNDK{QnL;Wg{p-z4F>jm1O$>mT5VHAG#)}ojx7c%HBV}fGpU)deO&^D zh=zYph4D!R@t4rl>9^`;Gl7^gT8!*M+D2IIWty_wV=i;)ony+r(OQ+;*+JK=Gcjk% zjsTMTX}3Smeb8u3dyE7R2k&+0Pb9Zo+V*o1Q|y#BCQ-UjTw6!+O_u&tCyLBiRqhN8 zXOiAIH zV|PZh1VAnbNFzO9o{|jUI4J2c9ouKfeO|qxUv3M^vQ+2grYylk z9ADBd25s?ZY#)5b)pZz6w$#pC=z*Zh<7(`8;W_qGHc(+z(d+7m{e!#gMaL40)g&$3DEM!m2a zd!nbkmdV*?AO~HaStI9!OCV4A+wd=X(MjkPb{Ogp%?pe>2#UY3-t 
z%Ow$OV*On+3=*z)c!&(Fdk(l$j{fNP4J^*g>UNBHS#KNKx8NVu#O?a$q~uKE64cB? z^DmngXJxHvMH4u@eW>G$ausUuYR|eEcjcOyKQlfN&+V@7z@v|nI&V}r?jKD!p*U?6 zBcrdcsDjqIAEZLuj#7av{GL7k)#W`7BUZkLy!UyiwC2IRj?-BQeRuW7%4g@wNr%#! zt+UB00o?~b%TDfq@1-Lr7rwnTvi=~beWXdt#-?z;xThx^l%e!^+n99%Ye$MWc$R;p zXHL#H!uG2j*He+WKKaATKlU&D(TS3QAfP(naD;`}-@~wv1ocpnTC18>DNA0=vYK{t zFetdFjR#%9oI-J7epS=~eKDFrA^ka&rVl=t-V)>g!S_A_k%-VolOCtHw}Zi8;$s(z z=eE)=MuPfc&O{ePhpo@5q-0LiB(+kYE9CCunQ|w$+B@)=WtdNrke&a!VLcx@X**?g#gsBv7|(kYhX=F!f^d>0x;sbQ zvu@-*m3x*fP{L7dKX*A-*uiCIkRf~%)lG}x#}l7A{ITiSO)qG64(WCZ-B#yB|DhuZ zt3*6L8l0%=>j_dd7y?gH6}9;XCJamsp5*)k6XpmM_=yPvy$8UAod71xQGP-wvzC^x zn@&Y*04FyvA+-vBjw}k(jJWW!O2IQTsi8FsUZ)e$eo17aKTb)^fBD>m^uAw1f&Azs> zwESDg$d1{O5|(=R6A@JvnM8eE`G96HcQ*0*MW)1&)pd0ZMG!^Rm7;Z=+Huc>R9-K8P-8 zPAXTN3o9h6@1#O!di|5L4C6(4S@$%4GerIGWYr^U1UWgmyV%&mz(pkj&Ih|)U3$X# z;IyaVug!*XpNYM@D_3*wbwBgq9R{zj%Pv--# zN;B1YK-?itQcm~6&n`8XgMs-G5rT$DMIVgMy-j__NIIrBAW0-ukYVUK=TFKEa|e-8 z2hjs3<@GPma7K6roKZpi=324N=GREN2j8<4sJ?kZ!Do`+#2&{6yu;U*e^SeWn(&fi z&E>Ht|20Pyyjk~ zQR74hBwc~Tye@*kJrA42+$bFs=;2}VxR`yoAM|byy0r|0teX}I%sb zHis2CiIW$3VzR{ldZ;_z;Ax(CKS=WZ=EG161-IwCk8M&_OS;u#HLty{gh5*Cm9G>!dIW7K} z?3a-an5^T6pdfc%q=cRH9CMBW!9nvsCnz>-!^e%Y^lOCQIZeS2AWT#Hg9+s{J~qf= zWNF3yWtf8T`|F?o{Yd}YO8?uJ{y&Yl{$XM0#qxG~=%AD>!)S&qU9b>{TOUbJAPv4DnHx9%~@&w_VJeR zrAdl?+o9FucIz|M>(?1jR-&AtP*w`a8K3Nuq4oIvWgkI1idQFmRpn6c!3V;;S0+di ze?%>RAOMZ>K|Sas6YAs#Y=F-MeG|2uJDCvkuxD->N-oOoP3l&_!!1ut7EK8%_DhS5 zjY1`|)T&}z*_8vdJ*qG)$Dm@#E=9wrgZ10%4G0L|A_Wx{@4_p_F5S;h^I1+>4saG} z+QuStA{o*VPGD_rnndt;%O>VkY#`^p>B;TL9mng~UW_er3oUU=i${Z)W&4h=D;3uS zz7H$$=d*;kgN5F$ZVzzc=wm^P;oeTimBNz)1yij#|DTR~hqN2^hiE^X3Si80sNgmlAj3T5Gp z9J8&-g(p4cK0?)G9_9r6BByqrnuyCSf?lUi&%g(>N6-hC1gn>8+eJgv8#?XD#E;Yt z-LT}*h+9VORv!MskNK1qA!-^Yh&Mk6OuHFRU;Y^&Jc9x{1#c2=gDW5I+$io0S4t`N z0-F~rs^?^Rfc?;`3G^vjAMJQtoX<{b^>&I`jKTw-AGjasxUUR{wM2l#5VPTOG+f%1 zc*Zu18|$Q)$cS}Uvl0YnvxsV+q}PXKLkLH2B&nl2&M*$1%SV5t`Wu;isDrS{?UV%a zE50Grjg%lcT1YP@PSKY2{R%(MMmp1ihdLHP5u4-j598x+qhv|fzNQl_4 
zuPq(NhGYK&CBVZsv9xo=d)9kT`^Q06a$uMP_Q$N=!l3 zufMrkspE>r%(GPO$ysfI`e_YYk2E!YV(sRCXzr!gP8Ru}I!OA}Pk$2$2w=_G%Ikgs08@y>kO?GQnoX1rDr#IY@R{Jlnz(Otd$^QEp`8CS}z!bN*rbG=;O#mMc(d~odP%60lkzG^F%9Krd z9YGnqj4%K78u87Wi||z34)f_+cL?B^o^jbP+2qhxZ&W%majCVo=;f?lB1KP(X)@QoHP#ah|$=Y1X`psf+JF>-)lfOm> zGB&3+P*cxdulEpd1I0eATplm^d&?snb3Uo<)4N4P>uqPP`Opxj*Lse_5^>o@FbCCp0xEL(aJu`l zH^I?3rF$$~Y4BzNT=ha#K9K1q3+xyKMweNMIOnR7n3KzUjQtfu?$UEcG+vV^w0 zoVjSM42!w@64bkdk1_k>c$`LNLduL z)~#75we1(1%7#SG6Z_y1?TEK(aNvpF#xYk!^bn7g{hbI}Nwr=Sj~cN@-2o z&*%VvrY_(WIv-wN_1Jf-trRKnIyiWKTe~t~OLPirE@yBs&0Zo~rK0?fS`{Fg4JGNP zJ?7cg4jN&R7)4&kyHx6r8wIuRV$>+MKOuHG*g8O9%e;C&anRSMVDf#fY)_q9rn+?1 zG`A@4SPe&e}FTW&{a}fMfv)l3Ie~pr9Z*=QM!Ok|k#l6&oa(NRk9ZGDuDh zC{a>3IX6gba%wVkv!``@-wE%2yIcFuw^ds;HRU)|(=@+x&U2pUzOOr*eSkN=15k{$ zPJ(2gFWl_>>i8*~dJ#CWLWKqMd8OvVFlVd+_G>KBs-rcY(nWVxL)jTJ6)CvXmt&B< zQPN!*jOfnvEMJXc6)_L5NHEu6Q`x90tUsV!m45u?R@}FF?cKL5D3K~`foH42MyT2OK0S2ReM3U8^E@hwXJ)`3p zRgnpd$^!LR1l|Lkr(Q?5I$mZJ0}dQf?ZYDZfou{b6A!xZ(QyJIqD&AQ+8Z+&=$TDB z$psXqX@$@LB`}2j1V$5?E><1-rknQq*Hn&Hh(_yX)Wk4*lX496T3fH>v;1p>`r$U@ z9kCu_M@;o}Re>i`UC9EmQj|N>r5yXvo9_h)S#>pm^Lg<;0n}8C-E150eC`0w=h{2v zmaPcv91-GW1j_0IiVDrb{OI7N&PUVHjl`DF);XGi6qhg2{8oxSOKm4TGZ~Do!-YaC z2=R6j$Z98*wRoNW-frD@s$~fzk5S#z-PNf04sB{B!0MHST}op=(NkG1HeQN@xP`-F zf-x4EkTp;788v&IjdB$5Jv*D~olI?QII-bYeZGHZ8a**HxNC{ zU8HzFs2V60DD@PC7ug>V&Vh6V)s*>-1gHIP8dqtmO>pJ2)tL45*DNo3PjYnTR60J| z;cd_Ifxm3en8?CWl(CxlUd>3P@UmDd)CoN|!>-!>DwTy}y5XEbFvzFW?8?mT(-W|e zm@7t)7uLtgX*D|?JJlUcWZ5Q5RLxDkFT!@sK(GevP^VUCQeu+Brq@2Ivv47X42PMV zJlb8)^gkj|2Z4XH>mm%86o)}UM7?W-Tv=6`<+%F&?w-Kmn1am_#Bl*;-MCr4^|+v< zR=aA2_uv4b3ZhGa$8GvdD=mmFLQmp_5lqw+v3B(NRKUWpDrx?H;W$eOYLC+ytPX>XU>`!1RAi3`%NrMHr$3PM$<;NrFgNwPxrD11^c`Y- zUphtS9B1U}Q|_j_wCBbk=70NTHByp^bcABM>kvyRr_u99sj{BRaIcN=zRj-*VxMAw zw_L!+V5}Hf2=VSATginZs;kPGlWe zv5l~Yh72V&u8mH#i*r(g6XE-*egm9?R+>Zj7*lcQtsAwHEA;pgWLbx~0q87lrhSij z_B}V8Y_Tf=^Q^O#6lFJF+=tr zwWKZ84(8uJoa(Q&gTjtMlIaUF`G6bGvo=`+;)Q+s#Q_FJ1C}Rt$P^~=zU+}KyIPXV 
zXZoS@M8Z_Oap>tXHK=s|SN3wT1)rdmd|ZCM9iM^WYA)}s#8L$uPHJ#Ed5 zl_+mQjNsk;VJL5T>N0UN4)HoeA78WWRq0o{1%~uaMQo9bN-DI%#hp;kx^7VhL(1;3 zr0R9gnjb6q6UsdjBX&qS6d^73yYqX@1%jLjzo?;XlMb@MJpJMaK7_ih?!2qJ=q{sx zOjAhhlKRJy$v{~Ou6MCV!(%E{iUkdW6SY2?^>u}!iJ3xf;XiHI*k3kmOeAE~WI%(b zwrX;qYJwLO&A#Fg7`Le+Xi-u+>FlS|U@oXHou!<~Hz?}AKRZW?9id9BrB87O+>_?O zGioO?A)CsK+1WzVtbzJ`s(zn!)9yKA9P^i}TZnnzMdBJg+`^G!^Pcp9XcvF&UcUNe zdx#FNxYB&*bk&(@OJ!(Ke6ihak|Kga+ktCevG+H*ZGebw>79No_w@2;S#HPX_wT>o z{7w5pA_jD|O$bc(vKw29%^P35)4MnPShaeodAbqI8EBKSiG`LEyxakk0|h2yaIUX| zV3pnKulxsg@9b6lD$5bAEer?vr7NO+-92HE$tzxFCz%*cR}jPc4OqNy1B>@^H<6%2 z$GK`>>G_T>*!>n>3fJ!C0avXFyv19}#ROQqH`l_p8-y=No)=h;X3z4-&LcrPi26hr zs+Liji#{wJ_Nwv-@F~myA*^oS6b{`~!aaE~HfujZSQ(8f6!~Hfj46%FdkyUS`u%E#x28?V)Z`pf3_p09CI43%;^md*n;t(SR zGFbIG0Y}0EWU#jW%wUb?q-Ob*!72?hSjp?T=V1uWft&+Dikq5oAm7k};6`QuzrmKS zccPhM(NHFWevAkbbPgo2qH0dk6l5emnHp{=5e5`3(-p+jN{6S27`zAiucYV1yUfj| zLnQQ4GH=-eWyYnoX)rhr+kt6=G8=B-guFCrY*6e*O?*wF|8oOr1@OBm2NO}fnK&cl zI6BR2>syQD+Ft6Yjd1m9rdtZFsG2Mxdp!oLADrYGj$5Ycy-nrQHBO-|ALiuX(0|^FPp)G|) zl%Qv`Ul*jC3Sz(+RYc~svz76V*Tk^O0f$`kOZAlyjO{{H7aW-k?OWcbKf1mSBiibd0-RtuJ(rarFq3CKNb6xB>g z1%^M&Ii}E9p`&>+vOculRcD$sVR$}o#I>KdDvxbmV0R0*x>piDNsib{tKWu#TcL;F zV4J9rQBLZ9#r=y@k}Lg-eNCpUT{bq~Alju5E@OBd@N3!xD?hZKXBjZG=~-aQVS=eC z*wvgXt}(85%LW;;4wA^^ldUXLE!VuV+(AZJC2h?Dn-938GI#7R*_t)%bnx2VU!24m?pw%nin z*6N!P{mwL0r~Y^=49*rC)EvaB_>OGqD@JJ@2fpcR)3YPXRf@N5`(K%!9q^Fh0eb;Q zZzah;PFza-UXUwUTMz;E0u+`ZGl98(8T@M@6BSEekicW2xMaiUJo;C?Om=e1n zg%6R<@ZM)y!f5j@>D;EWQb^ETjZp&WZ{mBnR0AVKPpNyLR^=a7a=k9UQcOSbA6D`j z)+ONErsowB)9H}iVMMBu-b2-mKaP=68^4wCdfDkV_dQfDnu5tzOPr3Vp7Op~p0v{C zq4b5seIU?q;~+%Lf|x;SyY9-W&FR;&Z2=tc7-xOL=(=N{^D4N9IpZsnd+t6O&lAfO z0Wac{DP)hY$;i4V`hdut(%%2DO}>eV`3gT4*Q)C?)f_v=in=_VUA*|cF?oZMm+&>4 z!M4y+($w^n^{eW$o6mMqS>$LSj?-I}P3)UtFJ9`T2qMrFQqZlBo7<1F-?ZSc(-|)B zyzUs8K8NXqGCmL@H@y_i9(TF%g?c8*>VUarn@o`hef2f}ndW54tdoRDhVzqTsV;i? 
z23*LIGAt=oDnmU-BEP$sGvlIc3a|JUv(U*5m4J#-snDS_xFp;Bei9%f z7(eoLs~;&PZ2Aau>PLX=Y~itvk6x*FO?f^DkbMD5Nw33Rxc0PpzUzJWei36K@NGOi(jG^c2>tdu|~uJ>CdoBG(QYR1Yl0hx(3WMy3LO2F0>_ zI+l&;lhE;ZlFb-gJP}QgJZPYrN!7TRz~!;#X%;R$zvMN#R^94dgN4Z|3)xJx$4%CF ztZ~2_YNvi#$QhX*WBqS7_4TAwg&*H-$t|pJ%jK1ksKV5rFmP$zEieF)ToD)`xL83} zi!2vgI+BZHA|pM7W1Hb?i&#ggAw+dyD^v|VXGY2UCNSMONiJe`a?9c2&c5t>q|}LK zLCF_8>=K2heM2Cr=gJ{`T-v&H|F>+b?F$cZgW$SdE-tk^-TD1l;6e0@T1}TT+J|ZGM*8?gY)Y9Pb_obc;Y%qdjW^(MySw?xnFw zI14FHVBU2*-gmCz(#g@@o_(vP*^_oZf_r7oF@x;VWQ`|scnEOb4_*fq&D2vMTtT$@ z5$GT_3ulo`c$%1HM8F(Uf8si(|TGte7 z$C?KzC(f@OFFGeHuB;-s>t?W`z0%59yZKbrIal>1m{wLE30UhAR+W=#@{e{I(F321 zllM0i+F!95p55>I^q59M`fyoYYB`I?BC2~ZkveFMEQ4y{kuoQ&;X)fVdH=$ed1s>OYo zK>BR^w0Q-!r3wjHe|rE3pKs756;BqmGDYCq?=D>VF0Ez;&tlHL&^WPW{?%y5&^<$R zS7_gE0~xb3xrtU?>XkH{UC1Vjs!~nhAK6OH&4C#P>|sd-9UE>`QJeX?Ttks0)wIEn z-`HSYl(mN&zh~4gG^~pw3@MDtzfx~(z$8%&-&-SS=c)VUW4As^SCh&ptV_PB_9GOx z{zoWotfbjv3sQqZ_;%WBhlP#TFN75WY+51f7D^xxSEGcoWhz=p_PJ-nY4Dj0ufnV? ztx3->>+(=dS!~6T*3_t?8)Nuc4|if)z4B%u=@HDqJ8+>un(EwZss zeX1G}*tM|DR%2qdF;wgfTo?=OUm#t`^u}04Pak3}>zqVgWiD>697pytee3<94lI#g zrV$3&Rg-!i^Yrwqj=W*ssJ$JD~_#X${BGgPJ=d7;C@5=J<}^K@ipCdTvax zI-odcZ-&p6*)>>VOZXU;GnJDc?4)Ev>4wU{W%r-UEwaw?SC%iYi5OKMU9pg$p!S+t zJU^@ZVsA5R6o!OyZd0Fvn)>FsCJ^QOF{FBARZSWz zh`*n*k`m48hqQ)DuHAmr{e>y2z{go+R4Y?eVa(Wxa>!tF>e5Q8)9UB~S|7pWPEUw# zBqrGOBcS^9_wMoaCt$!u^(A6iVPFN&O5F8Bb~`3=w|kt>3#D)Osw_l%yT2HEXOCDG znA;5;*v6B|z{{gudY~ps*-E|1^-h|#p*^V#UeI8f_(%6ou0bAZ4dGPQdBkjHksR=S zdNM#JT7jwt60ZA1u(c8_UC|6_HJ`Tj6Ga)*StbQPjTGW+%QtPhrfofo(M@Q0U8H)l7J!fHvnhdxgS=&1rSBx^f+vs$v&%F57;_!^GIJaRQ zht(A`8fe%1`!CnFX4_<=LdckOna)R>a4oLwBoplZsPjBj;!tHg$WFScw$;ni)-$WhIDlX ztZa5ik!cE)YD=nOf7GG&$!gfCbz@iW6~wyOsFFM*pbXI`;gAWnI$8Se#FPWr{h272 zx6-yY0F);-`x(T}bEnPRDwP0f!&h%=g0$h~!F(<$LhgmcVBI`@CM5a{aKn~dt#gjA zT1m`1>o2y{Ji|R?Fp&Oae>hrpwIycQj)4e(10-wQmnn^OQ&wSQNa!Q;YkwcDoqi8y zZl_T2H9b}E6@F!q3eyi7xec=g)JTd{xs2jC($=bE@W>;B2@1=|X0qMpw@h-jCxprr ztca{X4mdT3xJ>MC-ojp`F{dju6eQ#boY8g>(aakc&797;*)j~4x4}APPGNh5zihpo@ 
z@BDV($~t|+be3J#TvL?PC+bN*^lLJwjW4(+rWOz&dtqQLIem-A_*N{ix?~Gw48M`Q zUd-ME78J`uZ}yqm-KCCMI^O3<%brgp;?B`uQI^psdW~eSaXZkgW5scltBw?|8ZHyP z(EZhTZ#B?f6J}w;OJK^;IOTjEgbu@zj?xclITyXATFN`0URFCyh3sclXJ-^p0kU0> zcVKq4SBF7Tp=CVX8qxeic{20nkv{KMDon5r;D=zg>%K1s1IU0Yh%+?rnc*7N#Crl+YZdpryV{y3##?L%-x(2u)Uc2x2+djM7-hz2xKo@S zOrN5JNG2lI^>RZ~(Sl${riqubLkqzvYV9uA18bXh7MarOw~pifcUW{2Gg3~fnM(>6blxO?Tc&CF zN^dkT0m6{$*LB|0NM4>%U|Cr*;XH9%k%9Lxu`l-B=9@4h{6jKpCQ|?-QhPEt5kbQ9 zRs2m3nG+^vGJ8m=P^>>n*3~5h(WIDM=cO@MiUCoA+y>=|=P&sfy-$$ZAqR?vPyDOJ z+GaJr)0dItr>>fP-W4ETJU)1&!BHQsn$*6-lA!&|^mm07plpu!F?42bJRfcyPefUY-?H{wNPUtIvi$F7-xWiKIYUK;>^`a+)u2 z6*&%e{^e^aRhOzoN_a}hAP=Wbb83v=_G3fOxUG$Q=V;ZxHilrDW(1uOq%J0VfgY`l z^gr(Ot^s<9tH(*pVFxHj-)tZ6nujgYC&wiclHfw!|54$sz6vm5M*%VkFK9n%!2oV& z_LV2Vzq#$M7*s|5!4431GOc>(yT`{{1b>f&XnP8F*0!|x znZkz_AVBoV-pD%DLJ801CMHMGqTix|y~N%CBJnXj)xv-QjP7M|rISI9pvnjRa_z!VR=EE3Zi*wca*+S;4A6k5${`_LY=8$ zh84DV8R2^c{Hvd5Ur9y0FME|Y?W*e`Yt^4I6kY;!dybyJiX&`E3@;p(M(( z4~bLuT0arLV-1_BU9)%UomE>{j-PBty=4neXN#Z_d#JGs-|2iLw2LK`?j0s&|7M~@ zc}}Y+ZDQw?I97cCMwI&O|ELIXtp(_S(wlE@I*gX`HjDUdU%Txzpt}~O5|a6&2&mR> z>7f6k2(ZN$0WIG2*jBAm4M6b|G09s8$N@`ua=?(8pWHx-Pw%*!3u>h~MDivEMmPU+ zQ1nMV0LTGU zLLVtqP~Vq?#5^==txU~5S)fUA?^=JEUX1RVtO6HM`qhl3xz(+gAY}Sc53{$A@dR3* zPB;+fcQ76-AnsdS!nfHfSlmofn2?e5ucqUfFju0JIj<@UqRM> z;qQ+r4g^U^oY=>ng+zq^W`@%6aD#brWMaL_Kr3!hJ?2ARwvBaEYnJAeG6T(&5%ewycdIDMa@9r4V({HqzY9?04x z@Dy`C*0&uMIqdLtCq@YP&H9#lwP{v$#LB>LYDuRrn)$I7Vsz{4`j>;zI(!nQps%4E zBf71pC@ zs53LL7f7zu6F2}eH;9lJ`#=@Bh)v2}>fPYglF>|?WAfB3Bt;=mS$H`JtL z?ll)Oh1q=TzPwco(x!D7N~ns5pL^M^d=_8NvRk4djh3uY`eW<$mvHbL(6w(wNMz-n zxGjx7^H>{Y%@uUnS6}MJiMsBDySrw|Oe})x*5YA>bb|EL(5^wyt<*p}N7ewpSg`Zcb+>rnG4FY9WNora4DG2?F+8uyTOy7W)<(e%im#~$C(L0| z0uF7clfKx8)ph`pcfVJ_?-UIlKiV%|+X8U_28|zhcCm%;fV&;R`YZIThc`eQ7+1Np z@Rb!S9S4lo`c{nRf!U%pK~8W z)|#3h98T@IlB7ZfKB*|ImvJcaaLqECqG#!nb=Q8d4W_$%ZTrlr!AxeXjduH}C)W+L zCe42`8Ost{yO!O=T)(Tcm8H_oRM1nW=-AGA_9dci?U|aD(@+7bzi1ib^0v|0@1YZ#0vrFg<|k>qEpXcy)Pz(+WmEMwPU>TN!bgqrL+#cyfgq5 
zY*WdNWnVG)eQ&M)(LuY8o9sKMjVBcVz^c6DW@#gTD=i^PBkM%h?MLN8LI%zCvFgFajAU1Jysc zEf~b!>0~@Au?2gEJLpo1xF&VVNK816XPv5LX&N$6N&d3GUdhK885=m`!hkdK2;I1v z!midSuLC!e@8xq`Sdy-8fr1gowB6piaT2B`a#wSwxa6UlC!NC`R+7y3Y7!ujPTMwbTbWqmh88n&QU>+a5qljnsee0B6Qr{<)goWWEOBZ3HLt6rT-Zvit zpZCpU(2LLe_W5((H~+?)b1!^%S5g5vH{`*E;B0W%%r{;vCt)&un%WZlHxt2~>mPua zkxIR5(cfwupZ5)F`N5@{bhkOgnHdZ2Z?u~1A!6^MF3&czfg#ALWX^FXSfS<^ayLgM zc5d;annsw~UN`7K8b@wM_T<0pQ7TJoe&m_<9Qrxi*Rspb>I-l)<9x10d$ad*`X(No z7v#M6tVue$p`l@p>U-max1Q827c0ZN9q$ZbodWIGK(WYH5)AtB(#?ALEb_Gw%!b}v zA$&XmSXk~=;du!g-R6f%fR`Y_xwC#G=Ds%mx;Ima-E))ZOO-S-GfFBst(dI->`H$s zJ1>x+6Ep9TCEHK{CZYm!ix0AaiG@rO}<8H!SAByFrPG`C)Pc##?vqg6NE zyz*+8gAHpFVD?KmjMahkiApt3mUWt^!G}9biW(^+x^kQRQ;ReMJRt15E-F(w15)?i zJh2yu0DR6+~7l%ccWo6N`I-?@>*$?#cq4kCtJc8mG^>a4d;k@DK4M4$|TDM zLCDIm+|Kx&{4g@-0 z04D6v-WGVNm42w@f|#1T+^UxN!CM+~9RL%^>qVUUKS)V3!Hs7-s2b&TpJ3ye_|r${^3L?ms7e_edlKf z_h0^QdA%R*Zt32#QgNxV_*ifF?`rE`i2`p2sF5t3d^)C$Yd!7yU=TqsuAWQT6|DEE zw|FTkI{SL8#8461xo#48kET2W1G7Df8$pMvvq2b@m=x?~tcIh_Rb4e~@b%_>N%l0c zY*|PoB(Vi9tynr$LKr%jQQ#~)_cyc}zDoNL}gGdqw@DA!}^&&(zNVVBAxb9mjkcmCo3qzkB3pa_9 z*di#}kCMa`5k#Rcy8@TuwP;Qq#be?%4#xqFLSSLkdhj5`S(I|h8GB&3Lj6j1%Z02GjZZ)jAo= z!538oTjz=Hn#wbMGjg33tKGmT7<`hReUj zGHw56M>1u;a+QldSY$29+^NF^xwoQn++5;1O%6B>^9UC+0FC9OZ@^PdYRXx?&*ZLXKCZJKt$u|vQWlI z3WzUdn|h(HvCnQma5+KI>l&NmVbUybf#nMkbhyXgK3{HPARAX1XRmaM(}E#TkAM`s zvu4^jWoPx$&22Zt$BxJn6Q_y;bKJ)^ExLPdMI+Nx;+D-F35Upj*S3a4`3MHt6`dP( zP5!_4?mKT~REict4w=TFLD%c=ghDoznr^;j*Qj>0vC>6hL0UPlw*8EfvAd;4b2ubZ z{2@N8{7RH&qgwr((Y&{

R+ zs(=1>awvEqn#E3EIT2TB0^W0OP>UQ8y89-H3YzTS0^Hs`!_Oq8gD!Ad!d%qquzTy zYchO3!z*fwUj;eyfc+)Y#~C2tj*{@d>(tNB#VBS_auxl#)~&5gliHc^XiW58&o_Dz zy1G_{!4VC|iESZs6sV^{{z~HUo;l2lUs*-l4hN2j+jnEhxT3AZ+&v9m!yoL)(^;5v zLTbVw`}+s^hz^ej4s%f28>c)noRw^WT@+WGRCiu*3a2(fte6LtsWu`$|L@MaD~Z?j zN`I%~%KzyrxttV$-zr{Tzc-wCSzQ-RqjLZ@tTyNEciv@+#I0;VwhKoFy3MyD4z2y^ zj*0_QPslzy8Dm^EUcJ&%Pw=Ue2yKF{wrUEOmXfvy(MtpR%V)3Y&8ESVTC~;Z3=;7X zu>E9309b*>b>rGM_rUGiBx?C;lepk$dnHlvg5sxQO90UD{_?j0R}&5lo5PA0JmBYE z0hU}s4yTS`(-UAs8N1kWDeDMMj^kv{@(hT$C}yPtTz0})Cc+_|;tpYfIwB;@RNw9F z0VyEy;}WZ1b(|+`ObqaSMBuE6#I{J3A)qGKwPDqO=YZbjnqIh3Lf#7aS=!Fs_&~6@ z%KnBZG@jDW_>D^>FnXeI0vodG(S{MYmq#Pd)+hJK+^q1w;eoA!w4L7q2cF{_Z*y>1XTmJNqAVynON1YbEjKM*VccsLz%jF2d=jvVUhg z=GELJA{s2-Zy^I-H}p>WR^Ye}F(ep#6Q*z+?nPN?z_VH_J~)Qg@4)nvo>~F+Ehl@X zufHc8rF~pB$q}2r+(iEq#lmq4kt-TC4w(c9;EECGRYhJThXPH`>TxM%;(#bFo@`v` zgf%FH0HQ$-6CN>Y^I1s2Wd5f*-he_U(V<;lsQM2KQ7Fq%qcUd3)eOAHWpa8 ztSvEH%5&kc1Q;=CPg+bEBKULN$VhxEFjaE(2jtDgUiOzCq=Uc}mjlN4er3*huYjYa zfikb2ubfr?NIsR!_cSvR@M*hf{JH?HrvUBCeYGBNYoEcjYBwUiDV0>-OJ&N9bl_IG_Bk`e?z_p@n>w9IN|}#tVq#-!$HC$8)qD zutXJGyw;0Gx}5_Gvvn!w9D+9Nfh$%7!$QYH3+t`1jF>I|AHu#esIIkLG7tzP1a~Ju za0wRNA%x(B;O-8=H}3B4?(PmdNN{&|m*CEZS>&AW&b?DpGe0SQP}F+X`*!!!-AiZ{ z<|PRhh68M{n!kiriTwJ?Awfj-fyn5_Qhde&@D@LfDs`q=3XHXD6Q#9V*^pzfHH#FRW(GJdkzBY{zqlU@%r|{@`uqIj z4#jrodg1{c?AN=O=l}Y5;L0d>h7BrK+w=F#Y2)|?n>2|NZgST;Vh4-G920~zK^N4I zW~VW5qk@aGL<*Q`fKg;LZ3d^7>--nT9~)?k6W<)f37#J zFg_onv6wawi%zi?|M4((Sf9xzVWI3~UQnEvE>Ib@uyR-dV+KZtW$o2974C#NT6ctveay=>~vVq*$ zc~5QA(-{9#U}O@34kzsTQHMmO?L|g$@Yw6JcSxgO0M$*^_AS&$SttwK4g?#Q4*Y66 zln);`JIOlp$RjO1fvhx5JCXPRi2?R|C4{y-p8d(AM~b+cdrAcNws5bMBTDu}{HFqj zNEr{Y%ubaez~K1pYaxHx(yNz#hCs~jGQhUD-rbLWdRUR7b2d>i{YI8)qs~F#nLSJH z(I-3M2X%^*gGQY*r(_DB_%}3uI56*fJcM+Wnwkp1-hzd`bgdtLg@NRmygxTMF861B z2Cj(R^wzYE&&RrS4O4n;`SYTmL6=N>vkhRJ>b2N4PRAwRh_$|`E_p0>e~uUFj{nsje(j#u z|69FLvG7!Fa<5I%Gk>vdl#2c;2h}bRR$04DCiA6nestnlrf}l3KY%xYDg(C{6c`i| zV2Zb*Kov}?i`Sn%iJ!=bKZw<$Q}?r!p*xMOM8rw!4lM|utkb}{8Xj7^aJK9yHEgcg 
zKR9j4o!paIC7T1bA?k(PyM6_o1dNS;UQ_4)k?x?e!k7qoR{+R?$RWAM)B;${_9qqZ zUhF?Qy#=2Qs1o7!{GL|}CUvd~Qhqy->&&coi5EM_36ywu)u00IvKe(Dfwu|*5)q=L zTO%U_UX9KM2BH6U%>|K)Y#&CEpG?~b@67pa72Y&cU&1j=G;Y(3~RU>K`FB;lTeIX@)1{mdHnxbUjlN9wev0(&L` zX(CLD42U1V!YeaHpoyXW)(ak(K|3>t7`AVy6nWZts0T0JiLZihg5gvbaK%QZ4=e9N z+Mqz0c@NUvH3_3eLgw_(BWUo9(l!RWjn>uls&f<|C%Z{r^o1Vn?g~OUcAtr#9}NoI zsJdgqW`REfHf8ne$0Gej7U4Ym33wIZ%CN!c{}^Z^jG_bn4{1zR;?hv@bOvNCL4~U% z=`V`579SkuJyXF)QcwU?iiPx=M{e4AYIgs%%y3tu|Yqb8@AM)bG#+B}GNnUA;L--Cn4tY=QDS4Q_uz45NS+9k# zV&nQ4;`LI6B379kPemc}o5^obWz8S|rZs-RSKg-S##vYvCTNO@gQJ$TQ*iMkwOFV? z4e!qnHU11Khd(9@_O}>BYMs~^_1LW38q`4r17tJ@?j>LXbmU#}e5*Jd%KVope)=8@ z!u>~uu3i4OP73O+@!Q1OzyWyenOmGX?BF|A%4m+b6*HUj=J9GKl=eM04veuk-bC?r z=uk7OF%Apm)A1{8k{)2HLyim^xsR?l3vFr>*#CGh&W{)Y;O9}OjYo>I@ecr{gy^Zg zTtltAERS+j4idia2M^w+ter<080Q>`P9C|ErX5-Fk$}EI9sgU$cPT*Ym4DIit(A7bB=P!1 zW;)O8ocSGeUY9KwSEO%}4p^M<7?xiB*z{r&`4s}#^b`5aE>9>bmVHItukNm#8O{&w z-&`GwxnG@~{pSauJVFsav(bHum_0EBFe-!KE7QgHT@FF?CIK%NqfoDsS_I`py*jG# zVtWR9>vxI*ix)BVKpP1aiSI{2BLPZKu65G4@v%a;m6dFL2cUS0hy=Q?|zp;JE#BnUC5|38pG(3=g5o zNUYeS^|dF>BF|iu%$`{fJdt*~TM2hCNdje75pO*#Ibg&b($2+|C{BCGcoR_MjNDNqJtWknHeAUZlCFz*-g?w!KZ=?M- zIy9a{#?%6z1~8!Zd%Ra@XZkokYR-(3=P{Y7B^Llknm-1+z_gS0d(=}>Xgc=-r>a#$ zi+qnRAkI%`qdbE2lKT2@fIR9Stp1-_-|Zo<4~2I^go?i~uH)9t0_<2)@YOXo+Fhj< z*?lKb?O_U?!$1;R=>Cp2c~><~=Zb5p_}*mQYGGZX(q+5K6Y%+j2gP#4xFL`Zm`^|O z0hM72BdY8lJ7ldXu&-r31ADkyCndMlMNQfXZ>aWoNli`y=LG*u-=L&|jR_sz&Kv(s zliw;aNCDg3FJunVp{~HB&;**cxmKoXwT1dj)=ysKO%RcaXz|=rE}syuI8CJ(k(<{N zm6KeMppr=h*n~$^7>h?E+pdV-eNQE@WG<56)6*-S|h$lbLCL+Q6E&Z z*=xMn%PxXIUhu|hS78Cgh`QUF7O6F_<*!q{bn{5FmQ$p*>?kve;2f68qws4v zfpVS{scU`PEkkvPA)7BaIhp-^8Oq2vZSf1%cg7z@Z1{h^RtSUZL4jfWEAiMqe;8Z^s`(yCy>N^JXEnuakO(X<)3-L9{!jDta| zNH8(U2+R641Utf;R;m0~82;>QF2=;pj?0FxQSk5xw6Btqk~&y}cC9^M4T55?slzN1k^CF6J9J~Y^xQl8k4{dBuif1fPdR6ID4r}JV5)PHpqJC$b{cu zN*rkGTt94*$g*B1Jq1_g=m2nR3igvf{2pM=@GYMFA!BF~v|_w&+I&hAawj}{cPV%1 zD*p)uioWfX(wnoNMT_L>7ANp+KI+(}0Gc5%P^_uxG<|^6DFs0p-gq>l8AhgUQQePL 
zMSG0BEjB&ohaYB?z_DEFK|cwQubTgv68f1eb+|E-+DV=dCZM4}*)ZG@Y& zSQ7=pVv-qb_YIM=pCuyyA1hOUIvZ0}5UU(Zd?Txvy@0F%&PUNRb1!IElHGgzuM)g) zdVF|D0Z4?A!9{$u-HN_C!eYWrHdV5PvVTg(g9PG^#KIpgg@33}PyAzxoW4N-fUWI) zXn&>Yl?^qG`KKzF^73Gj4yjG}OY)u3~NyE>Q4 zmuF>tlp!pnagzG%qWm$_VkxWLSWH2ZiTL~8*;fM1$a7UVP}@C_7pSdH%1uFCO|l4F z8T^qhcB7HB8}|tqA6hquoHXan&^ZY$cKuLxOD$quUyu-&O}S=3E+KWL)afr8UL4YG z(DCFDTj|xZz;*RLuN}r17dNyrAO<*ly&TZ*&od4#-`gGDry3TW%$9ox#q^l$(6ann zM?@9l+9{Iy(0_}p-PLo&2O9A0UEulaKb!RvwQNC(SU8_5sCIkrf)DkWwQ2dZ$9UA_ zGt>7b1+{$V#vSdo1QR@A&S1Bg`@pId>;phEHPm@sIR zW#bq`0Y)#ln&5gP-5UXcHk~P@$GmtDPerF!=1>|z$Om_m{h4Ak6bwT9xa}P4^-{{V zKfSv?gsT@II&ksnNCW1aB?1jq*L)aid0%q-*joy*?tWMnl9n>KPSEAqEr|CROdeP3OKOrc5x-{D(>zJm?+0JQPpbKhL-Wr~0 zbQ$4dlH_=#1;hJ=xPc@HxvdxwLEm^1IlgV>?ABTxp4pGLxl7Voo`B;%Ceibh%}TP37cUKP-2t+ zK67-NKGG3KBW`T?-~%DGo6=VU;41ppp!c^iXriAIq3dJFjDX-e3ne8S-@Oy-WBakv z&n(WpvYT#7y#9@9vzzOeZF*X=O$|8|JxIuQBUh%o8(Q|2Wm6vA<6-(kre@m`rA1#% zhDJI_$dxcyF;7c64Po1_fY0%%3eg|QMWO^JpA6a^@JR?=Es94_L=*qmf(x_LH!|q* zUI%$Qd+4$im0pS?EXP7G{hRKW5EVS>eFYJI4_L>{>tQb&V_$B!x-cX)e88Q37?uH8 zKJq|$%W6`YKqM{{5rhW@l#}UUfb|ZX_5tli193V6e>JUknV{bJHnnIAVab2c2#*2) zN2p%l$UoMQj34+R_hr?CqVDrL`#s5#TI|)GBNST+gz=W8Z}05MXphVR;~sz&vl`v? 
z+Ze@tD~Ve(4q>Q{UGYNkcroOq348!U;A_T9SJXgu)oSp3-eOEK6t5^sfnq5NWxiXD zHWHm$JN!T_HNs0DH^92kCVORW;a_T0?N>q>!B{sujOvZA_@B>nXk>yP8+8cD-&$>v zi&aA0npR&q<^Cu~vD_Uw{(hBUveqAom(ojQV)uom$;U-pz++ zWmg!6Tzwe2%<0XaJHLKd|3J}?_Q8^*evlAJ0qpp3gESXQc=@5nEBHqy>o;Hg* z2Bq#K5W!kgYW%hX0ZM`3czee#K8`z$Z8$LpM8QFYmW$VHMn74~MR(u3d{Jpgs+>1V zOn?5mtdEp?rv8sN!XV#7DR%w1`K79c6z;{DxWC1}+{A6?cCS*^{cmCQ_QcB$YLqXH zqNg7^iVhx55p0Mc@C?&U#opYU5XZ^;(V#WT^HNp18;vq zMI8eS*KdE6WN1njcqnIxb0PCfK1lruj`Ez@dlY!#^zZsN$(i!)pW!kU?x^M&ct4b@ z!@q_i6R;%-!V(va{xk?Q=eBa9R6;p<>%srE*2omiQ5i!HUfVp!%1{ghJ;U^QS3olJ zZJ5v2nvS}{beC3Bh4|?Kc7@CJ0?V4JQII1~+9*1Qjp-w5{!4{ZxJ)*uRDU^vRoM=* z8lj56ywVHwy!m_nBJHP4Nw3PzG|aGL-(CIoEx_1Hp#1Fi0A$N_JHNj>A4E@ScU%8& zlgxSTku*~}}@5m80it4-r2WSJpd=mAv zzq2oK;zS(e=O5iCHicERUMPT5=`$Qn?Dpk>Z2X{%GBsZAqMrSU|4M;UJ#Of+NTAl$ z$U7QA3RIVq=PN36jaKeNn%8`kb9ZcO{u~@xK9vc0WJg7&guXS}ZM2TK^YV4bUwrqs zEJC}BqU^q2O&a960y12qtMuuDhVrT5;R(s6wg0K7_xFH#v$<6tbP)lGj0`QWnq`ht z2aT7S?=#Pr%iiw%-&)}E#zxcGb-9datx=6PKptle&{X#zy5(at1(Bp3Uj-!6gIxiQ z?JU$viO$Ppl9GC41ObWQ^fRl)MCZx(tXvEb@3#zWP4Dw6Op@%cxyqI&?fg2xn$^B- zVW-aX!^+E%yB)-MA5fP9Q~T{KpMRV{Wofem35s`|)I=1`a2#57%byTVdZrslM_8p( zRp?BxlL@v@d9;Cw#2fs9v`eXiLTiVZZ>at_1tCyi`um%xPz!s?*8=#8ssT>`p7#G- z0m@gl5n}`%gnJCSo~K~X_fM?lIcVp}h9?0b8l@ld{x_m58#InEOl!m|_lSMludAL0 zb#HT4XWc-K|rw@W;6ffcgd6G2JTcId!hFd&;H2xuMtn$vC9#xCS4!<-8*v1chDpKUI-i}A85<~oGzxV=$beAgDC_nWgD=n z=n3FuwgpdEL0uUUqc))G;BfYt%?1@Jo@*agw0<|aB-$|Om;nh-Yj%8GG&Wa`KrXv~ z-NX>YzWa|cUnqKhh(GQ@T5-8W2UMoeLWZS!9W>kBK^(Cq5)Ds}s(c)2iG9TpU+4Se^3 zMoirBcZFSwP2Mw%@yP@Xy0>6dHYj_sM5+2Wh&3@lc<(y)XAK~;t@&O;M9bqSmhovy zd|!Kia_dSZEM{%^^6ygXR_G16}hqMwvi$F5gGW&=lzDl3Cx&ONrA< zmcOm&WKhSO5p@BYqc`X>_<#xMC8bH+H{tELU+s4~Jw#n>*zD*6#RV+&<0wRJe19Lk z((!WL>eG3#^kKXt2-A&oJ(MSbcj>3T`>2wx_%oG!@JZ;A?2OO)8p@{)`4?jJnZtG2 z9ScYhoZwMF*l9EKuu*|rT_+Ia5{3WIrzE<>VMv+cz7<>ISYlw|1HbMwsD(B>9_Lz> z*r&U_lJ`(q__p%}P*zQ7OmVXX zZu2V93bAeKtFWD09A`c^gBuvB^Lpe8Xd|R213P3MspJ3U$E*NBF1`7vME3yI2~$zU z|5S_A<944lN}^SN>oT5lbWI5Es$91Uxr1ndUaPWtV7zpHS!5Xhu?@E&K7T7HAaPC9 
zj|!~L73l`uNYXhjKV&cM?a4<*{Zz45h^76KLkr+z$CYuEFJXOdv{Y3|bLBj-M0WfS zkLb!RmUYbdU8$rfLp=r?>&ApQVU-*qlR_Xn5xE%I1rvW{@$b6bj>{-dL!S zt;ZaIB5((5BUe^IaA+`cdq;$Pn$3A;9jlz=VMBSmFvzt7KCT(myAs=tq2M%tl+lLyQ&-PIka9PrBu)V%jgMmKkVop&$AeDx<$-SpcXkqZv*4 z37MD=9-?(}_}ymf6nVXz`@}0XmB1<6jW)xTOHks)nFh(|UEeQg7R(azvpY0f+7rZi zymr~>tOLR&AAmmBCCR4hZJqmCkZvm77Z0hq_tcc(T|PJLUf<$qLiP=Rx7+05tN{&! zz?6T@#^#ZJYYc%%ncZ{A;@6ca!@6ZI}Mv zrMs7tJN_YhecexIeuHh}mu96k!%z}?mriHwxAyA|*WDOXw((P`e-;UqkXAH!86mzb|+1S|pS zK-TJNh}5mE2zgythUD5@qws&e`^hhfk-7?hW6==LXfnM^9i$ZX`phQ9AJ}~jigN(j__1eks;AhJ>5G|C(B9#+m=e_@XCB6 z<@7jKb<6O+CZ_{^LELG+H1cqtaCV?gDJlE;ud zh~N2y=5Y9*@D=ty1FKbS&4xjZ_Mv^nr*+4NZv~f?0Pi>dE1>@0vv;8`v&L;B+B2S~ zP8=&_3&=se0zy&)2EZOpd$01jbH&YNi`78;agH(5aCjjy)(&2ia7-)-cGSTGimQI~ zitphLdsAolhIadrI>u1wcW_)c$636DZ>^Ir!;6~9!z9k=bZsH-Z&7kRpuu|n`0Y6{ z3$}4fOzO)2r;VGc%s9@paL7)rdu$(~4v99*9o8^--(&b9o&NQSyejz8D_1R zE%-wBXg@?h;0EJon!*4In-lSi8+MF&#EN+8kHvQOaH}I5M!cXMbbkTQ^MHxr1w4mgS^nqCR+XNL z1>zh(nPFG(F7ebGPa9;avPDBWz3*s6#*hEyc#3hL+#mQ(0GDPu{!h^MqCX}B$isfE zwcj4dJE#5el+kwhsv&uxIb}qchy+<7a>vsXR(2eS={ zpF(AU4(QKQxWByh1fQy)N2my)Iyzq$A?HHoJGMUV<}EM9q--t4o%p!e9ITk7r9O-d z4}_~g1+@wZ)WQDvc;3x#Q!2!EJt-qVYk4jLWhuK}aw`@^)s46i@oi~q0sBl0{U-xX zCmp=8?XaX}PfV3`NXlg;wCY&^jF|{veeD{C!+rF}=j1KB?U!-i>pG4TK6>lHer7i9 zEy5ArWviFw?>Q6h&bRWaj?9yVB+?z`ly_%1tFa&k^1A9~Z$80$^@vH*26>IW|482o z|8|(Di~Q!5d(4pZb$wA!MJayfU86@VNQ;>U>iB0bkxau9t8B)tA{0GX@M0zfPTubw zrtw*{=;gc-@wmtH4I!bUIULtj?Btb8%F@gCq_gi3+{YFJ&ak0X3Ar9ANl*+4F@L8j zcEpUipKod z0kPuw%vfPCCu2E&PZuHY$)SRw+g9Bq*D41zqnLAjaGSw1AC2z8ZUmC|pa*HYdYLjh zHkkMPJ34L;AdU+e;5S9302xtv%E9VStW?T7cKVUIz zOrW5M?KRy}JZ8jwogZKc>E78|3kc8cqQ&?gX45f4lOD1(`d#Kp`yCdo34RU!A4@SY zrQ5urRNIu6&t!CzN~jnF8xme7iaY5+6rYV_R2_r1Ol(kzdxLHOV)fu9M~oX!~-76jeu?sgLKGA2 z72^A(YN>~ssJ>QTuaj@+(1n9fKhfjq7vT&n^vHx7l;M-p2ZwaR8z=RKuw_+DRvG^0 zO3oTC%JyD{p5cJ0Rcz6JS5pcZkTlZGdH=Lzjt#2&((~R{qd5%y^Xf5svgGNYow5CHF5(|4)ZrW=7Q1)+tJsJ2j_wvF*o&4nE1@KOVa? 
zn9J8CVQVeg~$dkSV|JHfqtRmXc&QS0{Lz*SSit6-lr zpz04~2Ep!xX&&qI2E_zU+O*EMUQy0Z{LgHDUm`$Lio3smR>+m9*6rm)@MmUq`Ogi6 zqKC5%x=j`8Xt_36EPk2H2TSOsJ1-RmkMev0j#joH1w-0QHdnkS4@~3pl8~_P%^TT} zz3iC|--;#UrPTAwt;Ua8i};AEkRrTg{zsS1SgxnGx65uD3>O4J#;Dq;Dj8LWCjB=p z8SUHS?{(s-G9kSh!~0{&fc16o>%FrPszpM|&f@zFu38oCv(oX%UEN-8rLlVc4CO7? z3irk*6CaO!DKm*s26g_7wgS$&((tCkcPQ^9VHC^er5{fYf2$dH1oQ9h)^Qtm4Db(~ z=aPro<3X!(lifMJo(g|8;wf;C`pbPHMYw@Du}$q`0mdUmKnN8b6j&}ZIhC)&%BC@} z6YUfqwzz-)`+uL#=@RUTLG+a=%KMTSt?V<#P+PncMH0<}~?ysoofwJhO^+@lo)3GGDFve1yRPhe0L1`6MIwQ8Gb&<$DEM&uY!c zk#xf4pOS`?5?C_TD%~WD#`A63u~>Eo@H^1?A>;VP=D@v$nJ2muOm|`aOz;7~=i4CrTec}d-vl~=V(_yiDno>o+XbfBV9F=!Wc#_) z{NLDRO!3P(@wa|pBEoEg>td^BZYi5@-EgvJ@KC32?jMUk*72rs-akJs@k zsQT!#Gpu_RXiSx3q)$9bP5jNX?DKJw{hi1~G@DG(Wm0}4uf zd4Ot4XVT-k*_F$~3b1U(;0WXQi}7_mR;bCR+Mk=wTn)P_1_Qs}^Fz_kX54ljHs97c zNik_mwFJ!nei~LC3)IQEx{zQv6bC=v*Qo5ot_>gKYBV22S(r^POqQNQke~BXtlDOH zkdr?#{K~wNW1NR)HJy`Xx1K-W?*GjCdxqCW3W|-PPZR!n1$leF4tG(Cy!=ox2&u58 zi|0ndwY`)y%%wp=VG5EvV7Kv<2f3?bA4n)K`HCz}cf4D=Nh4q2l1k+#uu6F}dz9$DEqr&=J(b4#Afw^_ z`uL`YyT#>(<*_V{b(K$wu$K@75-nEku*}gD)rW?{hKa9O5&exHsA!yVQOnu8&$a+= zMAA!p(pmquQ0`{mOUU^_jX>W*`{L}4as6BlFUnUu=$@0;CR(%Eozur~JB2+l%Z#^i zVaC<>ufhEr!u4!xN}sd)50D=zLXhWY3VRr@Bi4-qj~=3dq7Odc1ApOsx7J)?PM2BC z{%uTmTHRI+kM}8z`{gZG(}NY@KZ;yuzTvfIvkY92p_qZ%rb;6#u7X}z=cgni$0_#< zcn9!Ckld(Tmw#AcZmw^0Mho{l100VnWw|g^to>W{$PzBVER3~Kdqizc3ol$ zS^klpSM2FNrqZlU-)YyN!QyX!?y&q}GHIo@7xETCW3US&@Iq%fSn6_kYhsO8@c#XT znEW3tc9RC|GyY9wu0y2_4{@$;&eQR}6Q1G0+IAzOcp*m3m|q1cZgT4#V+6%PQf8)R zg+E&ixTp5Rv+TsJhEo=*T{GM9R~};rqWFQcMttGTxtu?! 
zOU-Ah>e*RdlOu7}Q%_s8xP)yVm<#_d-p;!u)V>u_?2q4!C&ZuYE`5Y_tqNPhA!s#) z{R~`v`=x!>C`I~VG96BVspPiIEIaH`qh%vyTH!}ZOn}*{(j)Jo9S)>f!$sPnbIV}R zYclZ&{l*OP;C1NN=AYIR8An-OVe*`&IrB7*tOaijK{=-)zCWcho!@x1&}@%je>~nK zIgH&aHAC9@N1Rp(B9d@({3Bm|2%a>P?H;4I_2y5&UZpT{18)-b^{AW?tzu!}VvC9G ze!?lA%WO_mmzbH1!=ER#_Ubl*?2d{_POtre7UiS!mOm?`wH~Qvh;U+^Z7I2gR;{W1t zJ468Wmj=iQxO{JTH&tp$y_*!_i&acYA|dc_humVk6uN9%+RG$DS$mE(rV87jIp>dg z>3kK$O!5nUXtEtaMM14K-M9&>@1bDBrWRy&d6-)zEi7P`5r8tbaP|uqR@JBNlW52_NJx2%J+{00!&SAg*_EN8H;Zlj=I0RPy;tDn{(O| z`RU>xbpg&EnfO-i0}iN_*4J0!fc{@Ux$;2C%V(OXxsu}|b6_t>%zKP6wmY(TlIL(7 zo}b3;D4$Rx{rN#(?oiYICV$lMDMd5&wl&F$yodLO26LJrd%DCUCxnqxX%uPGN=}Xt z@8*cs`Qa^NSWbfG3Vl3V59d=O`hGq>++M-!Kdn(aLy#G&cb6vW5neR3>f#tETuld* zbGD{kAVHBT|1sJ?Lb{#%?agH<3uOV?VE3h?${qYp5;M*6NxD-DCuNHis^Q8Gn&7L> zh(r3@n_^jAUOl=38C;=4uH?YGwMqPxW$qyB7@KF+R7Zc3Ay&Q}-${bg7NQ)qQ0KP~ z(Z327m%`p5r{fKWSBN1ZQ8OEf&s}{~!#8;QKFv45#S~hnX5EC3xd&-j4c0$b9Inbdi(~(+8LLmDfMyRbJ8T%=9UWnju6e>B z?q+(j?5o$K^!oI0okyX)ntc};E3B?H`NZ8;3dtenM;W{SuqC&$yFt5mRO2A#Md)-x ze>u#ql~kt^%XM9ZeRUDRpCpKkOlTh8^zjj<_ThLomI(hWw_Qb}-4*w$rMY1R6KuI< ze@s0Vj7c-bG8&e}zLL7d;ahdLHCt@QUr=*gG^&ZM`HiF zV9R6T@??v$;knofPuBU-Hps88=gG9S^Vb%s^aSaZYkbB3oWQrfoGtgm`Ko*ZagT9< zw%i5jZrq$@$N$Y#sr&wK`G5QjX8?odD^PBHhh7@QjA7sIWXpqA!@Z3Fz?HbyGaKNd1Utpio;W)_Gh|t;#a(NvTyInPM{AmNQ(f&+->%G0jdjjG z+bHCp^fk8lI6%R0V_|j>C(G?04u_zw!Q2IZ))i zx?{eT;)RDIShKfY<%%mTyI!8Fmc!h*z(SM&cR|~&tNQISdGwB`C}evyK&l-YsFMTyI}u=FMkfE6*MwoHwx0sHC1JOjg#vXWj1F(1u$YmH@`Sq?bO3 z+F`{oJ_1o*W4}qThS{Jg6!t65j;x>CV=)r0KR;8DkD0 zxvw!KvmLT5pBfG)Pxk4^?CsyIWPFR@dkP%>ARMcv-kQvCU>mN|b0c}TvX4YhY7ueK zyw~9#+Szuq641kUm+k&+`^T|n|C-x!ETr@PVaIH;Q1^FmxM0A0IR*sRmJFBXVWci1 z*LyOOcD$q;wlW#xFLn4+toQ)aMOWqYr~?tPerOL~C|dU4kgCmU^gS@H@GMuC#q)~N z%Hw&yAl~25Y01ICw=govCcvtHl&c)Sn%?=MaW?6+d^r=n1+Q0Z%ooCkSMe45EC!-# zj!Mjzz+@O1AQf}&Mzz4@*h8AkX%ddkTD9f3p0n$gR_H9pHn|eyD4m07mU@Dm5(iB# zQW`qjYCB1Ox^G9%>#@mQe;6|BX=LTZ?b*;#?4*NM8n9efj$`5Ry1wcS%(1X~Z&&&J zvL#PcFx|N2-9u)jF|z4mQ=Un1oFmKk_3pbH`zfYR>aNFLxV6qrE-)%N>1Rp%1pT$` 
zOyO4--L~P`h8~N(L&^MyV#!QTW*6#`eTn?@BRb<0hoD%uli7UDB=E;zHuqJcJL-?y zR(|BA6^eY-QiBWp_w!ItWyC^6+dqmG^28azQrm+G1@vn5V=n+cXBZ1>CUZO|J&V_D zdPYraYFGV*i{=z8i~4&yOy-B#{f@&Rg^Zv-(^Vmv|akYZ> zX>s51KC`%8FH>lw_LE8-u1`nQ5ltk0I6cUu_*^wdR`K|4vV9K1XCs^l^n|gjbFi4n zawov|DHpWOK+9F$Z$F|nZ|U5C5%c+`Vh=Fmf_Ff?+FtGUQo63nm2N%bY>oFd` zgjg-L`K&hL20FN&;?uYPyg_o`G$dI#`?0AsgE;28#P8q62%1S+-uK;<$)Bxz#lynq zJepc5Mz9k82C-F(fA<&ftfmL7#o{#_q4lqh%U_VLE0<`X)?x;xqUD4h5Ai>2;RSv= z>(6Q5-^N5-y5u>oUU@#%OO_k8MfC5sF*c_*r?;ueK6JI7)VaixnVfC-DJUo;e0l!> zH@#we^ZLedmD>~eG|+S7TfeKDoSH0E`0Vw+DU*`(!j{N#PGTmshw|{3T;`-&Y-`a_xC* z-hmbG*^j5U;p{E7(U+1jpCqk`ZTXaq4Qpf_i*|(NVVLrDRI^72SPr7N{@YCc7GstLD>{AU zSs8tosA}C+aMNk*~l7Zq+2!*&X2Nqu*4s8jD;2R9_6B z`()l-{ARs1sq$ga1*h|rGBX9X(o#9^et(o%*d_!yf4r}k=(F@$QUQEneP;2O94duP z_*%NXw=|zzJe+Kc)pAnbhKy^5a_m$5V#B*WmhWW>*3a+c&f#}84F3g7d18W2s_LR# z-WLAY#o4mw=dnOGCL~}cO5J9HdswT4u`gM%sW!44;+$SvK$*$XzWfy;1`*LEw+KG~ zZKBiiE?yrfr#Rcw9X|(A|7JD(wlj{v11Bz<_1+zQOPW-Yx>V6i)pXoM4JXP}MZY9X zjjYH>Z?9p2$57{((X7EF%Cun*T8)gfQ4NeT#zhtr!7h*%CBT64l@a=u=wgSVI7NOX zXMh$Kd|oN3E3?KPRN7bb_Hm$#If&P5mAsmClw$gp?T;Mh^A1Fyj@bLI+2g&fmdybE z$v*UKnOcMFEK!=p7$4ICr|Dc}R1)RNF2Tjr=H*C>Rq}SKv7^3A^X9e7RbZ9t$PFH? 
zafkmv+@jm+`pv3Gfo5CFVU$JF636@XvY#Vz+MHjbemM$_Pp?jul^_2}Ky};f>R3WNorXC+0%ZpZ%5M;zb=oIuRa_?Vxj-M?Xa7Jk z*OUO`vL93n*&1YA?MiA@-;!+qEOIE*aobKTi3A%U;+JJux(r?~t1Wi-=zuE2w-ZJb zj<%;V`WVH~(;sw-5|b9mw;yEv!O}Q=1L%Glf;*mzt^+d^QA&quPSKr4H&B#w*+wjy zGkZlnc(L?YUtHw2h$y_Pa5&i|W7VVZ3(Q6;=MTSQ(AdDNc5=DM&MtB%4nK{NI`J25 z?+$*@jV@~BoMii=e$!>0ROI7ACWah&dCnkbz1lX)nD%kjunv;q7)+@s`o2oBqWp%}iAAYETBG;iv3qx+&dg*9 zL2rMR*u!|HNX?Pa+44x@{%*KILu}RKIqk0mu@TwPW&8|LoAa${1zOE&JSNB1g$K-y z)9wY+7yiz9PrTZelAQMEbx2*f9HCZo2`AxPA<)4RL!qv>E|c%wgcP7y5T$f%)@c^F z=DncvS%j1o`my=kgZC19_By2j&Av%5s*C_y6`!DpHwsvNm<3f~eWIE#hm-z=G(9UIy)9%O89nBh^P|KOuF{V8aGI6dNFrbxs>?I>Jf z5LyjuW`M)V^5Qi^h|*J*Xvs9`Z259|keS3#`G-ultjdq)S8oatVNzdt#ge^XFX)_R z>TTZQR{2v};e~{=fr(CaWc=*=#L?L zc*hpWGd{4TbpE^>r(_noitZN_a7*hh0n)u*aP`@Oj!5~u*M*i?HDB$Yyg_!0o=>Xe zi`5k^j8s&ahZQY;;iitI)b-mv+_f&nbQ9Z!b<$$_Pd3DK*=}1My@lymo_#3SHc!cQ zzwH)}XAi9~wrvSIP}TzTMG;N+;}AmLnOEe0_ASY#8tOy-EM!8@enyPYGBO%Tt(*On)ldDeRTRK%D^J9?SXj0MK;M*<|2g-k^S3jl~H94iWsKW7s zW=_x2>48@3A7$Bg0K6&RHric(OJ*O0Ao^)SoX?Um_(bt@u*L=w`I+xgIFXrUM9R}< zRE6ni-r=Yyr*s>yWXsH_&zdL?QV@M6V(!mf?Od4Nd+bOXqHyH}zFM}-gN?pHutW8W zb~k~KgmlJ{i~nd((N1L4&@gH>kre#q#1IY&jrqs{|BJtyr5pa8rALBq$Likq86)`_ zC6%YX7u59n1vTNu&KB2E5*D`2=y!C2F4f{?M&1x!-yd4$q08)j#b+-suyskttWDCi zI%&Jk%9l!+49;-R#iWfF=14(xHdRuz5d0BF-_TcabG;ICa#n&ckfI{rkXpS6={v$5#)fA&6&k1{qZlpN!Mj8p^6Uh^;ASV zWpX6bON*z@G~nnCtXB-=$i6CSV8};IaRf}fz4et?lj7|2ek=7t$NI|P`>A{ruOwj2 zJh&eMN*T7DMq|GHff%FyFewxws|GI2u5VY&i%%}B&%0KU;f~m76bd2dKlDh+-s388 z8(8?YbAdRPiss+pDc}pg<}!r8MCCznO{5}CeH-VaC+`9U7B~13uCbv-X@|!r$}w8tSF$?>Z*aO6W@4Kz0mfu-C)gS)sCy9qc>siusP8w zkTXD}+=RbSwaBp;lZkrR*alA;slur6;T)1=b4D>zLdnawBa8l2TN-DBkTP)VP}|UI zI_iSvKwEzy1X5!}y=cR|QUOzCqTsIml5LpMcUtZjnDm(#gUl zbyuDdnTJ9%+P!05*c3^LF+r~sy1Dw;7#BKcH_sr*^#(0Lx(0#1AQD`M#rIDa-4b)h z3j8TNJ>HN)g}Te94<3|~?a#ssl@#p{bK)vmH61exih$;{Q1BhV43rA;v9o7e-`U13 zY41m|Ym9exi3|E{5|i~|6x3v6LhW%Dn`zF3-Do9Jt#R zd0vOf%#8D|sFt-6@m?t9hIlt2_&CeDMwH#gOy~%TIht&ep*J4QP&bjlVJo;R9UwqDVur1&B#SfWvWN)C#2$55v 
zyjcIz)S2x2pK~q>pu9CDqImJ6w~rK2n4r&IS|DYLD$3Io5yh?fTs&~KrKj#Ql~s5a zCCQq#HaVeZ zTQrlZz7t(30W;nu7}*)F`Fv5e?kDfo_=m>_t_4zj?mF>_8y$*``ryVH<&oz1X)WT@8k5Z zPyHFpw+7G5Dth{lGkvpqvQTAo#J@S2zq_33{t4(H?y*UMt3I+l)EZi?km5aX66IF= zjBrND|EViJVK64Qw4&NI{=ejZStOWq6sTz|g=s4Nvyr(J{AA0s!>k9>@x$)E>|XVj zvCwN{#ThiCjJeP^X-XYK8?)l8x7`EG&`TsydZJK7ixZ{okm*?qhBTvaKaorLz|_D_ zk)P?F8GD>Tx-b9&oK@eq6Zx?0I-;4s|D8`w=5>aeLAp^2N-xpn0iY`5OA%O;rc$xJ0aSAcHevgS^v^-=0sF!j#A;P&Ir?h;pJM?3 z!saKBnFwbQ+Zv&F=-I1Blc8r?Mn^$T8ZM%7#||!VYExSz*`RTfcA|)V$5%f}<%>Ts z5k;aN4xkk}4-@|!k{mIZPv}p~W?XW3+QqwJ)E{x9*leDb8n{0&)XKkmVG^4{0Fyu& z@Dd;*&0O#=Xv(tYt1>=Tx&0F4GAA?g(Fj>R=jTSGOy5k zkzqiX9%UK%o((n%E1RDiH5ug0R-`eu>T6S| z!2s62)IXtPpugI=-=I0(>wERMP=|FG-iJyR?}2zO{9@jK-2|7@oDAk2TLE%OUyjJk z=1#GCrr&zigkbf7DXKIl;uRJ zq&yeRB1b5uLu4SDtx1PW4$t~1eX}s}>~$d1b*j*-FV=}UoGLLcvF*7wkksM+F+*Vk^v`H;t=5i9$6WL|&fUFukEQI(?AE>7oiaA~YE zdrrFNdX1($Mq(?rd2EkI_MFe_Z_^ynkgg|RcjWmg@+9fE=FUPamU;qPeU$iADmNZCBAFLqh>EWX)cXOz-;> z^PVG#y+{-;M+3Xu^B6=&h6)FZ6(YY~O#7C8*xKSWNI$d*G>nE{nX44yq9KE_@$qtp z&_b=)etDFcm1MmS@%?<)^X*C3v8I7M_M&WAgwHZ>MA4v4>LxR0f>4g-kIWd}tsN)e zf`+?Fvf1;UO9OnSuo@mF#!z{DZ}P*Mh&Ci%i;(s9YzvIx_U`s2ijRyE!Z{DahlEAS zoL^3~rzt{>$V1NtLV59B+HkfC>7^3r#fZ8v3CeXNeC%r@$Clh+?@B)loE_6AFkcy> z32x_}QExwJcTG`EUTXgv-Oq_EaM1Q2_J7A2g_uwqOP+mgy`aOdze|We?Zgf}U@V7# z>(E#efv`@AiKy!S6V{1Yfr(2w(Z=7j)=p`C`_$(tR{O1}^2aHD#9+=EiVU%zKKndV zRpKdnJd!h1!M?CIL1p<7A1^3$vO5EB_!*jL=Pw{T8@oKPL)yWgE&bKC@O@b3)kzM) z7j=W+w5TEnXA0h5V&w479puhac`5!3ONSTqS;v{8MMx+gqx|i*QeQU4y2f%uIKc$5 z>^5zY!DDS&WQwg$WaFb_Xz+sIQm%v&M1VH6LYlo3@STC~m(kl0Q(1Lvd761O!yHQJ zvv9-9e3I75UA!PE<8O-4=7`r5lj?1p>Mtw-CNTA> ztcw=qsK7Rz`k^G0P>Hs8%yQ3W{^d}+0H?&aerd2;+os5mqB$zx)M&0NubE^8a!H{U zmliMIE_^+`+G8yMd_^lF3Vx4;@w%TNPMKET-rLyIywstYzKPlZ;CWejr$iHYp&pqA zQ8+I(*|M%I2i#}Bx^L3{OqTOpnR>o!PF-rcA<(RYMFsoAEi+y25(p{-1m`p z;%(F|k}c(+(8|}@WxJw(ky~f=iqWAkcOfJGXmI1OAi%2jG~nJU|HjKsp&w?4=0j+EGOaTI9HX<^qrf(PA9v5 zcOgaJ&BiWeg%DGYa_cef+6;(Y5 zE3HM2nPS|xt>q=Pb-wPufy;}7D%@Tga~fn0_md2ao?$CAHtPxrowfx{t~J|oAMi@< 
zaXG_Wr`*kCOe=G`A-az;4!^JFDx_Z2)tX(G(b{&NK{|dG3zIhR3-yf$WZl==*I%u@ znW0=5bQKbR?j7syjeo-%6@REhC<(t$Gr%#@+0d_S^RSL^sN=ZL2`BWp<2nM${nm`R zF466g+~g`aJn=>)mNtpr9%B)#X<%Xr2p#@`fY3o7ha4a#gD_gk-oq@_%2EhSQESS1 zK2rLlF!L<_ylF!wXV9UKQn}Y>@XVdznD$sB*~fyB7Ku}x5v8VQowF#2XVMnZKv3(S zaFr%rC#&Y+aQw*ELfDsk=rUN}Ado1d8zva!xSrlqvJappOeBW|qkFG(rGZ_xXraNl z73@0Wj=F;jN0VhsKW=dnd4p-ke})~VDY6x?=z2ghZZ~n(am~$gScHzU^hAni<q%{Vz9uk_?nr5$LpKCGJ;+mTG={r0I>!olgC;UcOeg3``+^@oO> znrUQ_%1tP9#kS$gC(`S5H%6mwQs_e%-JOeMONPf@{%w2GCxtf1r$dj=$vIc#s48YJ z*Z@Cc7caukm`#PTLJun8C}Pv-R;RKjio0j(r{5H*O#;lpPCmc#HpmHAWp`i}=nlq+ z&KW96^A5dFpQROKIhu)L;RJX;@n%^e4X^teyw$tfFbA4*bqRrb!1zA>9T&C4c7REr z7_A$o6fjXPwiRcyJ$$0|Cy|vE5K|xr$k1htUUW(hPCBYpV^vTMnAVaA)AiGD1s`#l z_u1qUKza7m%5nEfDRSNYS|HT86N4=fyNKB<^+=O#+8y{376v1Jz)KY2^ozP&rt+IbTCFhqwGT(l?rd0C z%~XIvbbhtY=6y{D3RkuL%G&5GTlMKRx1HCSIUJMDx-W$-+nEIdEI*#r%%+6bEQ)NB zDrihPDc7{BtpeP>1B6P9+?_>(*)>Bvb0K|jcrJy;+#tumPsc@8 ztDq19m8k~jc^SUE8Hc*5{2BGf1PBQG3n7O817TBwiM+n_!+)vA+dLggk6NnL>X<9O z6j!uuTcggn%Hm4K@I)+{GLyAw*~i5I_C|)S#@`LkOT8iSsb&rgYSbB_sad2TUUYYN!cg|68wk_}2H)Z;{1hreS zGZQwZxqoK?%stVgk~D?!mD-Z$%l?9Toq8`Vnw{_BLE3ap+M(P+6hb%HA5oAv=31vp z$kOO3TPsPKCV9xG@@t`=#}KOw{_jda)uX8QM`_D>p)DEg;+-kYtHI(V8l(XUt_Je#0pTR!19s7 z{Hoj0O)BZ9+syCu?uzG(c)#t<0iIfTo=^wpia`<^_}VlF z)+sXxrn6Ig2iyt)H0YglyD0$n*bV7;7NUUw=ux0eosu$WLD-~BwEQT&I;4jHyU865;DP`|{Dqx_~NxnJN$o!Dw#;KHF%mRrVY9Jr)widyqM`V8;w zw4li@W$kg+GVxA-&L`XqGBJ`w_!_zF0@YK+S18}}7c2PIOKaI}^j9RFijwT8&>Un- zG=C-`wRgfY5LsWB!LXSjH6EIg-)duoUv*7UER#-{?j;YTzRa!SP`a&nnLqijLyiR& z|DoVZFMmw+W}>-(wwg44I8wE2dOs=OT+WGY3+1!~Y=MEE3WEL#V-nzMnbe>?kHDo%q?JFRp_2=zcM3qz2s zcT&Nt8jL84m;?qLcmXQz#5M}Fgxl^E9X`9Swu1#P=`5P3MP$p7K~BIKO90>>j+t$P z#&^1nekqqf?q56)7XtYHyO;;h0PLf@l;&Ke5RtK|*~L2K&g=rsQ?Y{ zCmSq>`ovxMK>^^m(@G8s1erOz3c{r8$@Cc{x$f_YZNE4(NyyMInWkg%coMCr9A{%k zP4=*EH0NdX6xErtR`sDDpwb)p)SLa>pG4(+ujgWn_8y0)wV4stX$6eV4jGB zBA}_jiCFm1ll>?i-V)LMJ}P{ui0UIkNy7bi$}ujMH#}y!w{=(bCuS1@ixy-Uk0Fsy zRZbZK6`pq@3GcAL=G;_)R`2}(#MIOgzQ>kyAD*JXCk3yalV$TdAHvF1bWMKP43Lhg 
zNQ#BIS){vYA~PHWk1*c|88orz68Yvv&K1r@O4naFuV3y{*87r4ilVeQxt~2~;y+Us zc``GD4z6zF+$_IErg=j`)95H6UiNS4z(G~c?;;&-YIY@H?|2|w0=;Kr8zw}C?}>q9 zw)Xd!z1jVKHAu)y;8)4%c)7y3&vK8lnz&a_n5g3&K#%;;i|hS116$wIDG_Bhm|E{h z+K7y8sT&Gn#X#mf0ZcQ{$+#jKYMFlUZThExU%QX}BKwOpz?Z9G$QCH?TtSYjdM0b0 z@yB>ECbmDzjro}It~WSw2~5LRl$2|4YcUwGqZ8afTR7US&G6sRdsgzhc#(u zSCRBCMm1Qe>d(`bzk4>5ICynp<{t{?;`p+4breSHWrrg`CYJxdgG_#0)+1MPxYxJX zi^sPJvbb={RjSi%n_q_xs4GQ1pbuQs#p=o;r_Z7osuK8wH*CchsYZ^$NPx6;(FuW< zEjCu{blRuC=XY4wW)`}@llRokk@e!jxpq!+QX$gK&3s@nC?BEb0k*p+dg>+d~8;pya;&;l4bbabx=^ces;$pzXK+M)V16VqCn z55o@o-|OF35R+rg5(m;?olPqHwcTie#J&@Ir>P-t6+|o7@4ElUtA9KJpbN*Mwwn@d zs`W;k>`D@Tub5Mls~CpE3=j1C(d8|SE_R;H1+MXUx_-_0GQSWIR>R-E16#z;{JKwF ztxM#bib_u)S7QPxFv~M08KrbeW;5RZx^t=w0rRjPUP{!;p%3Pnkc(OIWYj*wj0vZh zezVrl3DSVFw0w`IWdfUlOF7gFM2{V;FC|tgza6YvTc`P4%#aiq0&LLf<$tij!w-*D z6I&t7V#SjS}ZeiGE>|*)Nzq7_;Cv44A{MSS~LtkCe`cs*3e=KlrEnZWf z)ZaK4&;4~69WR6w$=vs$oyLo=4TSkxlR9W?w|KQ@u-JJihrF8EK^t- z*_zl9%Pf>UradHHPTpG?=L~1)c$z5JZlJzFru}r&B6luH#jV3Fuptfb+-qp@aw_%?{${;Dm8TM8g*@r-m&&nC+f)7)3 z`*ip#%O3yByW?+2;$?nRj7*FQm)guG>2=!5W%79T+er1qcR*=BdxPng(Uso;<#Vc@ z+@P(fDUaq1dq4)$;M}V11H?_o&m|d|d^EEACB!#~;+2JiinUkBeW@oczZkhz z>O#JfXOIOgigbq`z2)N`XZNU8Fl?67wRp}V zr;sCPP>?1(6KVs3`~|wVrK#yYyhQQzom+3wAFnb;)_D?%amVlFLc!Dz9U*-a*^OB> z78s?1hMdp+V{|!FjI?{e;$J=ZoOoIYz&h6dhINTx6dC-FV^6|)8eIw4CPs3qCgz|~ zGvX*UOhiv@Fc^0(Ki&EOW3GM}JybVcgRt1t+&gREw^GTlCls+_$g7!k$dgqsOJteu zbIg_8=e6|-J9)5b*q-pFt|E43@6pM?malqSO5Ifdp;+qWkHK(PfEU(G>!;K@C4BQ$8nUS9L3Px`1AN0n9uw3LeO zqshpL8|!Ts6NLiGnEh3Xw0bHg{c|rf7-DEpER4DkC1hdWQRVO>7YrMRPb+X45~#2s z74rW80G__0fbnED*HLRsqWMQPP{Kb<%dHGkoj4>sOMfIey1z!ah@}gdHD@vizk{1k zC>~YP8azmQDlb*L%ei?czwyal>T8g1KRQ$b_(29QNRy&HL_h#}+HdMuC}uML3~dMY zH4p7GJMrb-S=1a~5Ov6_xC!5UShh$j5X=<2B=9utp-%<<&pZlKhW$(9fa!wxy?^4aoABA)GJ;Rbd z!A=0diKN;WK>N9u0vFYfHE~l>s3qsTsyzEAqkL>RCCb{thr8d!rYxyS_E`ZPBbeiV zo(|ydx_JZwW0QvbdRMkJ?NA{lMY(Gj)8W);{K8f8ucWRIO%8lb_dyBetke2Orn=5a zg-Id>l|BV`2uFh37;o~zdZJc|uiq-E_w@pB$zH^$Au_xmS=?`~6(T8TTak?jH3e@3 zzPV4}RS_ 
z2zhP~Z*kczR2*TaYKsYp`z0{RP|>P{Y%pt*cJT~ez3Y@~$^&<{nm@1XjyGER(zC2j zo6_BhGjSFNVAVFF|A|$j34$DRo?_U)-TTm=vQ4dX^`bS&ka~yafyozf(cR{eOx4gGiBz!WWP<4 z)ydd4m?$~2S#vwoFY$SD@mBQ2_XyZ}e5mUHW=GuS^Qld=htH`IRtU3r&X}A7NRBVmUifiCxT4TU<9F)tRJvjqiuKJ9b2!t4q9G5_*A>?7T-7Kw13r zBV@;M)7Y8WaS;HuWSl>M(kJY-oe*T_J zAG%`~WF=*ijQ9E5B3WONu|m5W4#@2b_wr%Q|;zqkJgelhv`UMLp(luh|$^ptS=2h6U1uc8t7flr5d+^SH4E{zp^F$cjev|=*X!5%BHmgX zEM$}57!@245Y--_&sgY!z_G1QG`0N~i#{mJL1BXAVltLNw+#yuO43j%I#HB%bjIp8 z9G>n8-A?7RB5VNUJ4#}r=~z@G`+;35IQE`DbqwhwQ~P!M900E@EqHGP_yEw;>@eD1 z2;pUg!1zqUYZvbX%Cw+FvohbP9=4h{iq-uodhp(Vieh7c+!t!+(>p7vPxo30D9>YH z@&rhMfhy3C9d!O|6713>$7AZ|w#j>@dtxT}sBFAe}W=Aix{9l;&hu6}c&-quK)w+enw*SNRm>f&KWf9TC zj%vIf4XjV)DU%6B0%d~Np{5j_AgJvN*2YMfpqRU@&0X+V%X3f4RwvKx(c$O(;7UKG zwz9y;^ALYB+k>5$%)IOPakOXvRlYYlKeNj2INJ&?pl;bIS_&Kx2r1b-?q7sA>9m$bh1fkY)?eqHL0XfJ zFWcRe5MJ_;`-3HQ%^gA3&%03nhx;tRL|BNamh_gK7V~1euZn`2g43<$G|=9-dFXR# z0GbZwuc{rC=qmikddWR<&g&{U^ysP&5%sitWSrMxB9fnm9a`?z)%WdF{#c+nx6KMB zD5EL5JtD*mg@B!3rHBp}V?`KIfq0{0O@7+yME*3c?-hdbm68lpRhSnxe0wSlWNx4T zmAMZX@3%m7*=DC`LfbYctY2P!$0a3zqVaCDN~TTV;H@t24WfUTOOo#DEyy@N_9-cM znt|n*8SItbFU^+-SbWZ|sT5#BtjBSD7oK32ZT1YYteVaV-a_>LNUjHZ(w`)lN1iT{tKLJntUhkMV>8^Pc|MFbqxZk+ynlQl#16}yy z21f_R%s&LminnxF;1NoiF=WM3asOb^b~8=OSnH@N2d%b9A=Rt-IE}4LuX6AtmqNa% z+*or!+ifmk=V%PRSmX)B1&JG$deeb59>~uXiF;eqm$3JKaWCt|Q6aMzR>_V~omDx?viBFKnri?#rw^-9nWx;-9VH)4clS8qcyAzWmHHY|< z;5{;u28%l6%$}788l^4f1tAZrB|MdI0M(s8XW6^9mb~WmwH*h+4s)Ftgz$GR_!iNJ z7)bEnFdIm-jJIjlPWgA5&379E{hV-Cbtz*mAR0?zEgf)S%#oKOfsPo2;a5rjrTqg| z+Sv|<7#3_usPR4U*kD%u6>N$! 
zvnKJj5^tLs^T|XO1-Mb;`{lD4veLS!-cDwYtAMT=F5-TbJ#wtVyeUw$f;CH$FN~W^ zrJ)3XllBwY#SWhvcu7Y36LW@Gm6rP`4EG45 z$~hn(aDR|SDNvLCwut^Yqzc#1+ zdk_C->Gt3D@DGmlU$Ww=Y>{*#7v&R27tC85SJ@}b@qoob^{(IH$X&fD=fy{EMJ9>& z3BT=+P5rc$$>OIEeLx?+s2kCh6@dS@-hix1uc?Fwa-*2c0W3ofB!Dw%hRLk_xmxI~ zhm-8U9Dm&e=Ig4;>4ijt)ba;&8>Jq8SrdJJ9;F{+eI_RB)BF>1q+6WAy6>5?ona&C zho$&062%aI)7+y3)e!OD77aD{&R^Iq(9y|>EH|wt?t&o^H^A5E#f!~mfN?)*Auy)) zVFGSYT?^>)mwM1h;i*I;?IW2z=TCUsvi4cBX7L8-2`k>+y}4av8_?!QKx{-Mvp^2; zxt(v3+2DFW4HwDI(awlvdA;V5YSWL6tt78Q>{O`XXk-EK!bb>RsNxb7*sxSSKKTsPX^JS&i@7gQ%jM-F_V z<_E|VE4oPF*fv?B1ph@AHD#4dn4qwsjOpF8NYKQ}Q89u!GFdye641S%d)2W~9g%l^ zz7p>=Jvasi)WZ~aiEp#GG;Q}2``ux@$&D6v#Gd^`l@^oe(LF02pGtgBC&x>kXe?{q zqyd)Bfi%9Z1nacli8Ua4jv1xKv73$-V}<)Ru`1=~Zo#JTN%DEpZz-`XcMoE1o~0IO z6)TT{2tWNxw!jw$Rh>mHJdgN*{g?PT2vpy52$15zQ*-cDL@Vj31pPlpo&dmT@cY{b zQvUcXWk!*MwBLJB%n{jV8`~*$osAL5q*^e>2wWI9mR*knvP5j3GE+i8m(uVvN29$Y zLr1K>FNS{X2(`$$#1G7O{V+wabel35SM&?9!-WIpKq|CFTe6%PQ6RnkSB1=<^J%RD zI@Ip4Z$bFhp%Ct&H&rR51KbKheU%Tk#IP~Xcm%xI3^vv-VD0(s^x5KdR>MMh?hjaf z4DQhl6^FtE3tz4KaP6hKbi0Vqoei*l7pBF6uTdSO;S?d3Yt8lI1s5GGTI+gO|yP5yW<%LGT%=3@0w=aSMuJHHvaPcak_nsb0c>Rx zYfiS2u@EWy#{`OxNuZTv(bC8ae+5~zjK@V7CO_+`Yct(_2eFbxD3P6f@$G?#x7Xm3- z{4b;kFfkv5|L0@0ry~anw4pR;u?qavESAU3}i-g39 z(!Nn`IJM)}VtmEeqy#8ro1XHPw4M?7W;`!YGxuSSyfyb&C`UXmkfZluG*;szI}{^8 z!D=?8A`Pk^E^~R;`Do@4-6N-Ww$Rz<_!sWc>eofe!eTf=jB%m)7Yp{0E>RXa(@Hft z8B`!TpYcfD=;i&HG^pz7#~}_sfB+b9^RX15%<$=u-9<>axWG=H!i@M8{LfAnbOBtC zAEOcLcYr@s4yZ8y7C>pv1~?WPXt3dH6#L(!3U7C^`}GSxI#`fY{hX*;49P&hkY>np zt247JpiEnPk)Ue3S41)g)4-N!W$@HQ4sd-l((G+-2LPRc4Fu4kO|75F8T#X4n}|@c zxBrksh!`)G_%G38^X;-2!* zn<%c(>bNw?-|(XQ^@Z7j74UBx_#Zl)juOn?z5E9YRVQl!I?~4g#7pw1DMu0iM?Agz zAEEZv^!j>@guTZJCGCEa^AS&!S-~t~XHrN?Um-p6(bJ@W&iERu5!wfHap4kuH~=f1ZFwyO@Ny&~3#0%a`8y^b?1t{_l?p(&(_>ix z^j_F(8H^e4XYx27++up~Z^|bG=y} zL?rr`*)+I_OL%T zLdd0vqZInuM>}Bg?9)&O;I|`X=@LXci^RP&jKBiB1ibb!za8zfKky&|3k3@WXV*t6 zSqH8{0SAVBhdYE~B^^R%nt`f&7&H@7bm_(jCiP`up>^bpwg8gl2R#q^ zUk~rMQS|4;RQy%ra}jF%7GQ8Orat96%t(5!WL{8o%EmM%-9g9$S)MUB@XSF)DrXjp 
zA?jTbBtRZ1Ci*KN>9dYurr!zB1yH(gIB`D;4i1>`X_!oG3q*#CaGLl`nU0k}83ZM0 zReGUwyR$&d~1Qyz^mRwvZ)`w`BtPK4f zhI<dn!b-QJKvo zAbn&iR0&Jtt|deK9|8W_GK?24$p8Z3ki!51_wSTO=`NQ|jrSB#cK}=^EkF)H4~sp# zc;Kk8S;UTTo++c@s_P+va~}(kU)>U(o+O=5AdJ0Izc~P6AD==LV}pI38YtGWVuk_Y zY?aKp5E_l|oo9O7XG-LzkJjGGlfHPKfK8(zm-NCh*f?1I&^>a%FiPU`@CFP#y9}c) z2sHabD4PVY`ymPW1rUEJiqn8(A=^=R)QdRN{Fpj`Dv zP<=&k9eLqHP}3bGIy@>QfQ`a3O0@{Z-m2E(skKoWCc@OQQAT%VFMpL6uc}Ad4x(e) zw!Pi?@+3qml^g<;``?q=AqO-{-9c*xiQ=~GAORvPpXvY!xEDh?ySCtg|G*EFbl^Rt9b1Wz08rS8trqYi z4HSSFeRs?eUF_-#P=jwdN=#>3@1M!bw?G)!doA9YSQfdu${>KdYaV$r0I_94fDmW% zPVK=L`@JL^FCGCLA1f@q`;`7&GNT_W)nVM`-30SezggMS|BJGqM2}L_tG2m;QDH8x z8`pyZ1%7P)wm6ea%qw;|EO#DfoMq!-+zD6#`d}^+4D*&NvEZG7-W77F(1yn%8O|+E zVxQOTH1|>;<}H)UBc3n9n#NR80^gNmt+kNC=dJu+5gN$uP4=uCq9D`7 z^S=u+miJ_lcD}_M6zg5F75E{LNK7wE#j@ro$+XQLC0U84j^-cZnTB||sTkfc;y5Cg zyQBQO^%Du|E~Y7peCtBGeWseja9*HM1CRoM{Or~KQ5fW@#KdV@4$3r*QPdXQOJbM! zrjPs^NdE@?T_pdv=Ub#*Nc%a-vi=hnrKVyyFXzsbGn>sl2gWmOY@-s2l0OWsIHi+| z1Vae%)z&sFXsq9w)b^l5fqjlLeu6UvoH0TWP!kH}n7)THE_G)y7P0-t4?t7-|NW(^ z4nVWOG#|BE@shEN<1P57Pw_es4PSf63yagz=)CDj~@vjb}Y!CP~bgL z`S<&XhEQUTT?KG4 zTb;lkB=Q!o#~U2p$Xg4>ZRY{4UohSG{jPNWTSC-gLA3<%_p*LLX+ahjIAFD#&Wd?*W%Px`V`M4lXnZVp zBhkdqy(qBE2Qa-KbI=MO9RPl$?AU9by;Lwxlh_@o@kSmL3to`a-fe0VpZ~5|Tg4F$PnLfr z6+dqGG&3!o+dtyX?ZZ&V1!hWOH#@O7x9b<0cZ6AvpR#?$i_aaGIBpjzQO_;VAe^nT z#58i-d6058aU-_`OcaKMg3(1z%m-GQA8mPOKfp#5V>9TU}-}!hngWkeVdx zV}f~Q+0&2zSi$v$56{zRNQZ;OcP@48hcpVCp5)3!f3j*Q=#so)n^>ssu1&+#O%wH5 z3FKSOJr&=|=8{A((LUVCx88Tbf#&g@DKNpvGSqrC(Qb=Ql%BE`y_!=1gHDZ24 z_Dr;HH%r2|B5OHXRDI}Xh%|GoDR6gu%=ktRwPtMbl5`;Bu-3RKD~p2Pwvjg7^D*;M z_ZOeW(`)F)NLTPr+rpdK8i}}HQ|&E2hOg8GFRo5&RVF^5qZlG~x|op>h z#*^&{t+|JgL+W9?;e$Cnxk#FdDNgy-5L#oz0EN)Sf^S_X)S?@3%)y$S>SGW*(E}lW ztWpO^-~^h``ad_u0&A#bMW4f_(6i!50~g~6H_V%FUEoiI!m8z@PMU@61Ba!z5v$XQ zW21!T-<9MaZKJzKj{iyc7m3&!*BdaLED zQ|0*$Fs`R~qSfK3ksf#939sahuBza$vApma?a<~XFiXq-Jr1Q=-Lj5R^T|)i*=p-98c0_)AZ!XXM78;t0*58nBQe)Hbe6YG&RH`1kN`VK_ z_#N3^rP1Q72FqOGJdx@%n>*wb`>N!&PcHd1 
zP+<07C};H4nE02|JY&+MkuhLWqbxA7(Zb$iC=0!4$J8&MT3;reckowHA~Eqqw)0SP zPNA^bPB>v^eeI^_L9y%3gy7~I!9{m!-*ZNGDGKoh^ZpB|9}RC(L5To zVwgqiPDXrAbp$W09*gmrrN2r3hO3+0pN>7Zbe;gr_Yz`Z`gKB5ej$ftj)e)fr=#Ic zYNn>x`VFs9jTW5hhwGFcD8A41PgrbzJr;?4L;_@)$PBPmO+Noepa=+XQi<0atGs8& zkD0G5VS-mwUT^Mzn}!wq$j_7|gN=cr7vOj|ewnL;2C6#k;CcC&b{~kHA{3k{`;j;_ z%WV>2F|F1_MQhEfdr98?xn%faashTez9qlQ$qdi#+EDV_Daq4}7@wXi?{ub<9UsT3 z6pl>j7()_GT;?rnEH=%=edqZFM|zmkpTQ~m#)ia-v8a|QUhr|63{Bujs#!s==}8Ebo6cq zV{vmqOAh-h(qDG)+l}WHc108-hNScfssNc>l5ZnpE>gp1?LWoFRi4)B*KxB{AgF*) zoG22sSN-S4hri03kP%O>&sy=_n$v~LVF>j4vF{^MsM1`QoS1^&xgziECsXlskJdlK zcM(H%M=cW#iv_=~H;ZnBb6STQ!Ni7ccRlZg&pax$8880}=uDa4x4ARW#3bao5fZ#0 zMZ#qHcGsKqs?#gp?s`7-0m9o|52B0gK-nY1+>XJ%C&3UXP)HrvmG+H#<^_zK$Hsh9 z_xG;v26p|{`u1M-P1f3FecqpuNCQ7l=MV9yy}Ex?;Co$z?MS~=?YepSKJm04a0$~l zD1QFH%ltsIX#kke@oY%qCQmp+krh#4fS`Q%XR#yh!b;{59~$G-O?wQ zW6){yk#U4{hx8jQVzk$J?Y`2$|M_gxtg-Y71JnRgZT?z-#G~$0~;yj_j&bO69AaCp>c~b_@2++jY1xn_>fXOXNq3!7Y z9k_$t7BFnSrnw6kfoHTtXmWvte#Q|V8YT?Wlhs!A1wr$5i;_T4wkrKe z=06t7x^2TAzV%w2#e85C%P24cOI~oX?owLKp4Q_#7?*nD7n!f>%xYO|xongz5Xzli z{t)M-1tv7-zI_X-zE0pUuz_WzZeG$}Td&c_KyULWXY61`;J-Cap`W>R%ElZ1?x?yA zCWB%OIy8u2a=`vX)tMd^% zk?Nd4*la3%GQ+%4&I-|ctr&~!NGY=uEfV!75wdWc@g5(%6RdeE!*6pLMeQmLsYvtwLl(Q zczw?KMV4Q8ThIts(ws9yxvPAI1MyLZa(+TNd>`4UOYrkQnde3EY-Eu8Ula$a#L z6`1o$0dFx9pgn63;S$|n-RIlSced<>G+fC2bUj!+_G#9;SdLcQxVh$yT>zhAcVT?7 z6p@l!phJ8z!FE(vA~+ff+v-G%OYhwyZd&-oowx%tg!24P>z;JE?OdIMt9HFcZ=8qNx#pLXpQ%Uihmg%DeF;}jtW;L&J}gZDR&HnG`#X8{ z@r$}x*-xF$OLwU^f!R|NhhH+iMI7e8bg)$U8Y6~nj&AZ@#ive!ntOyjyQSs@?IlLf zLxJgmba+X7!B@_|KFQ0pyZStvs~$yJS^gxP z#!rEnlCsHGr&wP8vot3cHG4>z~6FfeK$fVGe_%G{8dj7 zSX$J6Smf?4(?J>&dU+?>Ig4gK3C1h((q)F%v;V>DNF*u^fb*gKUguwANk5pgRxb!mJdONb{T=K-9keTa z65EWI4f^*#fN*fMTssRAO-rU|fbJq8&0LzpjD7L30-* z`HZA5!u+iuqKOL{pJyLEX!+%h^LL99Eqm3a`VWQ+^*X?YWdQ#2#+ZXrrRqM_r2;;F z8uIPu|7R^cP(Jy6kHkKS{^i2Bs0c)ga!<1xJ6U8~#3KFuUjcax{#WK)@8gJu7rMmkU-XxZ2mp|+1DBaAFSWmKaY8HrO z(=K}og&*)5y?&z#P`1vsh}a&jmkx;#~$r7_P!$aa{R7Q=jEi7@r=Fd>gsfH^KJN-+1^*6 
ze?9r1m)(1O2j8Y?xW_>+GaQmtJv2*=>JFQ)9~NBnv84Dkv~X;*t-<+ooz{;hkcLKN zn%zb5?5@q}9E4R|U`c^Zr-F*Zq&eckXnwBz;mZH<0fFy?aVf9#wg>^PqGpYc{*Sft z_vZxx^2A_M;u;%sR@3&!hno?PzM^I=4qm7HYTR0T?j-)ab4$z}IJD7NluERI2l(-v zCKO5UrT&xA!P>0i7SfbO>9t~Z5Sw%5Dyp-v+--kOEByH~L^ zwEX@3^-R;GBt6=dvm#H_+|Cvda~f@f4{pJ z{)gHCSrmHJBxGW3fRZyc!Rwkc=Mmb}+|6t8*_QwxqY(c|K3lEr(3BZ|kya|sc#-Oq z`5(iT?QlIZPEL6@VS#gMvJRO&!Jn-K9x@>P*D{_FB5l)h6X)D25O&@plK*+&?|=p| zfXRg-r^YFzasCOiIT{O|ka5w>asDYIImLuWllHZuRpRr`mrY*dRD;va=IC0(7t1Un zKCdh$f%&I|@^So82+{R$sIg4evAoRMnH=+#US2Qysq+=K?*R9aQsPY+NI#Ly>jbBK z2)HIBVU6=lTGDCkLhZ{}O~1cdhmIw%1Z`Y=V7&JK=FY_G}k_3e`WXNkkG1Od8l83fSY~6*}11 zLOthr{zK&e?QQg|e)NKZHTc#(O~?2(%puTvnVVAoHlH>QhXFo-Ao>$M6KX^U>J3=! z=YCiBKWJ>9^dgCND}`Wt(U@y_Tua~71dM#>@um}V{bV@^3(Wy*K3^=K(*?gDP`2r4KGf<6k~dkxDGAHVK)ttE4nI)+2)UtJs4ib>9gB zaf87#t3XU1u0mQphFuZJgPwUU%99w`>$59H&buL|9pjr%s>@H*rUqK(1G%hgv*7&bw$e@Onvr2qL-HYX=gKyx6p0TOm*A^J7fe}?$3A%Vv5 zGxldm{^LizIDk#dO6X|*ey{Vm$q%uuXW+-t9r8f2OihvVwryX($;+p_qJGn_dN^5^e%gRng5%EPckqrDn@+&R)Q~Et;ABzVs}ElV;#vcE6xlU7fzK zgTv5z@FvIRuG|XVa&JEGpw){WL_|zR2OKadX@Z;|HpNPr8C%#;^ zamvTo+4GT5a)uK9_!sX_jO-pz?;!yA=h6QU>i-p7ar%Za3Yql*yH4BfENjH?)GkL9`2>RXvh zM{E!?jDO*1qSwXh8x-9cTYIxo^eNk!4K7?UVPI|#Rher;U~ajZjZgLHn2OM%uqj5~ zC`!&xbT?4=LD9&|md|z$n0yNTMG~*=2>JLP9tarBs`g>8k=^;GV<47`?}N$yVsM0QqCAcEy%xXb zv0i`%?(t{%t|WIRlt22MUJ#c?Q{tCk={Kz{<0~!wm35yu;&|~!vwf%TzI`{&1p*a> zA+F5TxTd+UU*?WLaBj>5DFYdi!u>MdVW#7+Z8vkT&U*+7Bzm37+j48&5DurHNrU^s z<=k66#(A;b2O()53+nyddEm3pb|1;7_0@D|=Vv*vh&ys3%>+_Kl02khQvDD?-8*KB zs9rs9+f1xkI8b@w=*fT&rQ$u~xYei=rH&5yT#VmvV;SQg&%_%IAt_eFjI9L}J|2T^ zKZ(Z8wE5S8aci2*n6xuXlQ642Rt4$6+OzOwZnVF%BZl0pmAs$woNzv~-7STNsKdiW{UX;{ zU+k!S>!MSJxW7d(y!}--d*E`WYhdpi3bs`DS97&?QQ0$}ukF7GL&*)x7`LosZXR|R z*mj4y2={ZmWZvzvP`HiY5rK|2e%%TQ;bgM*&2M-weqaLeAMosiG3-+yV$xAE2|MFHk`m6 zcg;-dhIu$!5dMlkHYKgnu$vnzbB)A!Y^Yf~tI-oyf3OpiVnx~!*tLOP{cUS{AA3eHrFX3@C16#}i8=;S^ zA70_HW_H{WtqBeFASr5tmTBm!Gcy&fglhJt$&4k9^~CTlYO$F%r>V^VBr*~<_gSh3 zq_1)l+-|RqUoCnoNk(_YGCz4M&H2_ug*}fsfjIVdrE0cHu@iaQ?ZRV2NdaQHg5yI8 
zEwwV9yP2v&Q*l-_d#>UmGZH3hoi<@Xdq*A798#(i?)ojzLuN<5XsF@dbfEPRaM%)>nrdDf(y&G?QCZ9qNF+x~8)$r0jT-vp`W1(v1%Ki(}+SLUA+MOX+ zyVXw#wWw;uL^s?MrH$SdgAV5DyHFJ^&ekr`Tt#*GxA2=SZFjB*F4gd{r?j-Fc~0}- z7abJjG{uC6;c|O(@^DfOL(-ubTRzl+QKiKNTTegwqx}&1_%pG`&Dn^9)9}KIqrVPK z9sE2kqQGpdxd7<`edBft&0)E@3p+0PJk~l_hXKTaVQl+REoX{wX1K$;s|)k8_ki5t z*ysA8G1R&|4pHM=xi!DwZQAPV8qB_!U2>_#MyX>jd&07SNibUg2&2lp*Cs4uznKQ+ zY%y6^CW;06dJnt{W=BM@iDMbgpa*H~QA&08gZK9ERBY7aR@C*yi&~^rvWipmSCsRU z_oXB}kvGK9RLrXUSUq*}vdlWfV{jR_z<$7$3)aYP48PCG%%2-x-UFjrl zbmNm%N!XOoTN#q4r&y1YxIL*$3cMFk&||!a=^^S#i-sOG3=-zMEJv$>nv(4Y+Fq85 zj{Oy97B{U*jusWm{PGQ(wv9r7Z@-7-lX6$QX(seSf)`@T_K^#zfB;vjc~)na;?1^TlTfplM9feG{UJcOpx{tmWJq z33&_m2z9X=dt6ov%MC;=46O#2gRx7vLwcnD#7-H6zJRjmxwP5iZ&^G?9_G7or*eT5M()h+JJ-a)yTyjD-YB)DA~e9`(C2NG^Ryzb&P+Fk9i8*e2Sh{7{j&1uO4 zM}@F<$FfV`qLKa<(Nd-(;Xj2m=Euge``Zp}zIr)0Vr(s;GQ;7M&AZ{HNQ)&L!sA&3 zUQyUh7k3&{nGf1$Ta)^9TKz0g{7P=FLv39<{B|a4X-~Fz6~BnGx!iJBsRKDQN^o7e z^S&8YYXsIst-PWe7iVH0&uDv}~F)L`eO zm4pCX&$CciLO@x98IaAR=q;ZF-`t6;?Ry!%u@fni2?c?S4HgP5LUSnbkrq|pRb`Sp z%#QH!ljEQYW*)G_%vt^%KLz4NYR?zj-g z6%rlvxlf=v6=+>)c1&`B)D5RqTOzma&s>0k2(HV)nnXKmGQ>F-zv;IZZ`k}4iI6u9 zF;SBibNawoWDTO+R?n9B;c=vdVZM@UcEa0jx4+I+^ zRIT7Ij>9Onl8Esr=vE7hqjp~!`OFsx&mN~uCTQd!3-+*#yWL=5jxiaKx{T&0Y=&dl zmTpzHHO6Ota=qX(j)g(tfyu-HDaY#*af(W#`z0v=-OSk-sq06r>$1Z_%SaTrN~{)& ztuT5Te&)J>iCkMgvp1bIG%6>I)M>imkJ4DyXg9So3U=VjC_r4BkVp1$zW8!5-d8h) z>i+U4~j21Q&j)7`8rG62Z)=D+BXNzm)y6WNy zeKdYrCoZvq;;%E9c?h%cfyGB|1t#>MzKYci0mK_p^~gR0d_$;~@Rkr_))w-Tx}J9l z2r(Da&hc@^XM*^*+$R#sJ}_XPY4ySaP9twkH=7loKi5xpvwWWFf9XW?L zu~jTa!7WNd8*n+8N~@`RO)!xjb(4d)LeZ!Cg4pY7)x8q$L#Y8%n76#^dh=#WMDZgdEXZDv-*H3RB21NtC#;bFs7 zm*wlzPTfZ6&mqU$1O>Xqhaf2)VM!c-x#-?GrGv&KMl}j;WLJ&m`fBnue|>~g!23Mq3_vj2Oam;1VgS;pnl-%$n?hlFB*|(80jGl> zQ||vPEwMm?3aO{Xh3~%TwVNq~DM`~@n;jb(XO_kk^W2`X&6L(NPEE~#nK~`rz^|q} z_F|!~zePJm*OLt5cdxudr6Cg86~hwMLbV1&oe4S$=KRo*&(i*%pA^-ugGPBK?MHj7HEXsNy{On4ibmrxs5!Tr@0_ki~122eq$xqDe6R zq8z*JGF4jIBRCH6VxYomiQ$!8oP 
zBC%?m+F^S0h*IwHn}Rc5X^D`4r+OVBx7F49d1DKb09v^IFmA4i{ui9o*}s)BirJ3Eq$m=2k^syS4@v zf!0H_z3<}TI0~9IK6fbIL5`i-k*(&{BO($}O2F!>v7ILcE2UlHu}1bhe*5gR6G3`j z|HLSO&)VGB+P{$}dPp65@_yn9lx ztOXD=;8EHQV8%|j|5iGK1l`|X^D$*?04C3iRBu%S_iHR`;a>|$A-i1}1uy6dk=#b; zOtzI74{9km6LJbb*qVGV){5jG5{eC9!Yl_LOzo$5uYZ9XkL{x?B;FPo?^gGAB$nb8 zk$4~U``H~lH}bhZ z$raBNR;sXC+H6=G-?sX;eyPYMxJb5sGg0+Nefhyq|$MO2c`W z8%@N`3YsY8n*kv5%)E-N8ZHj_M-#$Y>E>qjMDN(ml@+g>1Q*O{iQs~{ZPpctkCgAj zT8rU%TO7^yBMb=#>T|>H*2X?d(Q`4`6EOI=yB}ECe_fRCe)|iA$DaOfEs_>F)lg!! z8Q;opEwo3$ld+I9Zm)(r+-}m5&pkdIO=exd9oBsMusQ=Gt)hBtNLG81Zi#};#cJtn zV*8N1b@1W4cS{98G0LY~b05}O0U3m+l(rX`8cB4QyFWsr4ygkBy7R7WMata&>WJNr z3qihisXAzBXmMMr2;Ny-Hg^;3%im;|#SfW|wfR%ILTde&CKVXvIzGnwdxcaT541YB zwFi7!ihXCWu>L55V;q`+Ueu54chz^FI_QPHIqSr;28M@I=|BA2zc!QBITw<(-VT!w z=#27;N%mV|z8n>l;3b;zX+vWp|!z!tc)DuHrmV9354>0rZGIh6-U6jF&#?e65 zIuc*SqyciQwplD|blkIwicsC;xb3sV!?ZUk(gvgk0)vIitc;ObLG}{CZ!rO;L2i>3 z4({!9E05Su;1w^cS19zL$icYxmydN4rRA@$7$+!%7?@@z+gju)khfPl=2M@(t3X0d zWumYu=)Vc18k--67X_UHsBUZ_37Qa^oPVE+Jtu zsqEhQ+C~Tn4p?nv*GD+|BVABg_9cj|xI9VW43+ErxOvIKeK*#FK{75%0P;l@% zc+2a@S=t?JB93+BajVeUyC1F=bkKGicA|+L3)A>1xOEdj>HAXqPs+IAT+7uFgf!&b z;Ul$F?~cuFUG)~#FP1voKrsAJY`4`c5wOlUp4%BgfAfLzFFu&pfqNBM`9u{$*?HBG zW4m6bm=(vQTe_9;YmEHvaxvHY%cSyxm!+;QN#Zo;$|9WF47MO*o55EQ3NLYynrj3u z&|YvGRerd72h+UR9{ag;m`9xks_5PtsJ2N{-#EA zA!%hw{G_@&%uF?|szY(xBg(<)$A`D=R*(Ks0-~!J)gNvY=K!tD=I03hi*YjOb8B-o zS%Q|h$^mO}sgP%K(59xFnP0WqkER{+dh2CNdZI!e%I`ZoLEYQ!sqy?o9I+a-sWyGS znS8j>b#|?_;8q)!+!S|s8ebBrPQxKU!Qovh?|_p-W+C4mdev~A=C!U^GxUdhZL!s^ zj$*^SKcE|=tnnyoj-C`_OFS=kA+<|@gXGNnc993N!<#UXuVBD7cfto|ECjpd5XE3G#3XK?Kg z0r#zW{~*F{lzRswQk4xHX+75N0q*T=W-t$VfhtmK8{a)@A;`MHEHWck~989*p;o4O@CcTi|Uv)Z4$SS z6HfX>4CfjveBs5BcT{pyu6J%ql~fa4rTBWvdJbFhHae|ozREqb*j`E*6LFcjM9 z;=BkBap(81!6EVOYmyH_4Shk0(zwwwoCoOm4KDtT@&Ob0$Wb%aBj{+=;l&={CVnqM zF;eb?#|D18bE>zwj-wYb)ULde@MpQ4n@1@W6GyM+({;c;rb))BxvBF2S~5qa^*;x7Bx0&S5~h`-SnNBfJrp^}(mN zjJb<0#!(&F_lC;j{k=aYy`Y$GLOekqDa?;|CwVzac83A%ko&EaJ1(^X!n}Mg94CK2 
zNWoCnemH~Qiz9RC+SBjw5{H^T5@>Hx9oEu_Pu#7B zRoK>w?k+dxg9UCo=&JMXo892HK3Fg1-eBGq;UmPAhXC0{d%=??r5xd>pZSH1VHsKE zFt(!S8@WS4Mr4oXb=sE|+mS_yn~nLbWm@BdeCu^32?as-C-Qt_&}m78%HUz!bIS{* z+vtzBx8jeCpKfui0ckP30j=CO#}0*6z%5@s2sg0ZkRW}ekd`gBAKV>3xnlJ0sYTlH z;aG)2Da_wt;(mzkn6%8>nkq7hk<3JbC73DRY`#HS#Ye?L-}5vS6Fwvc4b*dM#uV#@ z)9BwQZyhLa9W3uM@?nzQhh@M6HDJOH(#!&eq;W0WGZ-n0iV)QMpxBlV2a$Jx^JUwn zf8DB8u4aOw;DmxFY3s|Uv9FXv3b#(* ze^LW{%a)NC7=u6hP&CE+y_}>}RhR$?vH=R04p;AuTxxfk@KIg_3W1GVzJf`RaBe_( zOREdtIIzCB1wGzB1ouem&<9-T1y?DS$u{k`dgia!+X}cO1sgy+ulmd^&bfQYqdvM- z#Y1@Lk3?g@?P{>2(gie>Scc$k_FE%_uMIo~FA$mngd)?ZDc=jz?H(;-9uqd56!;UF%h@D!sPwo;!Z;skkipH_zu`!^`FX9Pa=?>D}z~- z8n+va!5NbQac;pr4%!pjeto^TDgKFI(hp<1e@Rbvjm*F zjJN!4>xJcK`a6I#?^e4fVraZK48I5YxRN+5gwMf$J*>seIWIQYUOxyYr`<3f$16H5 zrqgyc+PLSp1Ad{ZLdZ?o?$`1m_1bVRAla_ND9IHHYW1~Fi&Hr2Vfr2%yB7xbs&fRT zL!(}7oovpTbw{WKzd{h#ei>&#&j)Uivke`cI{CQQZyyfjL43mrqnESXdjPLqDdsU) zS=8__{|YwsDkWM-waRlP-fQW;_G?ew4kTh>K5#=QhQ&2az;XUd(9GizuILMw5R_@2 zteMLP-WDeWsq15Jm@0C5k=!995X6{Vf;;a3b=LteJGTorJBn^z9?a9xJn!C+tK2b} zc^}{Q2ymYVe2)~dsWPqNh`cfmE$x^cI#50xAEk8_W zXC+Io%Uo#1KztZao6I1PHg25Q8O3v{8`t8=;WT$`zj@JmK6ZN{i`p8aP{rfdqU9|)jx3SkMN-jJWudzx9y-&p)Gl z4}hXh{r{kTYo+0rtP?>eC6r5pDjS&i5{;A^a1_# zv@8CPzM-(QWRCgT#5pA@zcmK|Z9AA3c3^1g`}^BSH-^l&K&?+@M~dmVb)Nk(GXslIT+NsF*NK00EPbD@ zE(3}9h>>daO_D!n5KJsjRCN@cap8}r=^}_Qwye)B{x#iTVrIt*1zY>bKL>mQ+Ntu( zw=`X5b2N8tC*5G)1er5HsCdKvcviW6lPWyKL+{^9wc!}SHZ}(eBk6iRC6}!EX_48AlI)GImsIf$_9wqRo2@; zcg2kJ#pd|q+%89F@`#@^)1@a+mr{U9^~d_Yk6L~U;1DF2ozjo7Kv{P>q1HN^FS3oKIgWh-!$|uh58Z{-wIo`2b#CwtE}-YYBv_GXQBT`MPb@kts-X@*)UmQJl$CPC(CgH$uEF%i5GW%a?Pm|(JqQHcAy%ILb@m+N=~{< zHj{AzsVVzd+mSO8AIl6|pYOeEaC=9QuXy2=LO+S!;ST?TfkMqG%c(8?>ECd+Kw?A; zlxt$3bm{Vca0?wL2!D>~z1t5G6A=r=-ZYSuH9j;zl?S4nv4 zOH&^_4-&S^b%UPm|AA=&a|zopyaLE}tN+BWWdjHdD?gndTv>iC{=_+Nkh&@iQ@VTtBe$~otd`I!w4Unsww{0=@? 
zb6uHJGAv%G>H=-uQ-}i-TxJ?#U$%kN&hIW<_zwyX-z8g53 zA1p4$r1s<|w|^3%E5l2C{nSa?M)Ago%-Nu`oWm)d6}ev`#U|R zfHJH&J+QwKEEGOPr_658HpKno4FJ`KLUhK&vzf9ZMi|uN-k;L(9ppq@8~HCOD%arj zrmEZu>yWK@7S+s2r@>i`6J6C{S)VAkR1G8s(#V%c_KdAKKk=}?nq{``c~|+)|2I36 zZ%+oatd?=OEc3im`F$z*YJh0Eh(9cj`LU9TNRW-deJsU9=fFA-y1``U|N-x>k_;pQbNy>taX< zr59cC5%QBY3brKjt`PawiHoGZ4g+DIxqdPtXM8p&ictuYRAtgwS;^-LFODJ5U8Jvt zhVNenBb^`MGJE0ZQ$M&2lwV5{w(&}p_EJkhE$K3n@*F3Sq$Iv@<+0$&Z}rgBMggrP zhsxgsu<$aVzsk@%i@)9D3aD(7f_qdq04O)+4!GMcYk{)wKj#S>ujyHT5h zE!^0XU!y4vOhUZqLA z)g5C9_GKmN!PVcM0#+270cb}1<+r83_-c&dt80`{OWkU$H{ZKDZn`8u6^kl*W;ma@ zG)8WIuP(EFxZ3&M9r@qzQOHHW(W{-p-|hi8S|;F#={%|0PkVAhx3h_-aX07WP-uw~ zr#xWl7U~u?4Y@y!oyaiqv(E@ZV)GV*fPO)sU46VX`Bh5n30$ZlYDCMn(U8d z*yI98^Ut`#^%H5tVke&O^)td>EPrktA9!~4GTC!V18q`Qz(#0>&q1{@#H*=7_2P`Z zS%V!U>=2eX?I|9xuW7{B-*^}(ot+f#VE_+iHuOvea^+Q<7)=@aIm6XpaX`wbI9O0C z@n33Y2Uzf6|6}@JVw*0aThAkjquJr>r=m?aW@P*Xj{+F6%n&I?<)lBil`j!GJ{oZ3mFU z61$iU7un5=KFv4}e1M^Xn=r~OJNk#@{%wW0}x1YmUr}|aZlE3Z!?H$70 zY5*J4b*t|;)8?$3?`VF1mrbIyJGqW)q~1vkk6oCN08rMqmu=J*X7s|`?*+WxsQ`?b zOsfU5y+^DLMpiLp(c=X?l5@odYUXS@NMZ}NGq#Ms#$uq;4UsIm^X}=`>+QXkhlWsm zbNN8)u-Uu03w}&y7~`7;_}6zxF$GINlhUuZfCL)B;}$ILO8=oB!!Dk9?i<7_9eGne ztt5LzO``p!>{V$$a?2bNBm8T)@2q@C78dwpl6M*S}J!Cyr}${8LsJfAUgjUpeCUtCpUW&A=%x-uO9 zODoV(^1b5OCxvtC*qfB$bUJ$ zbc&n?F6O{CQG7ApuYB~l;;;!zOqC@^tjPr_C@1|2RiR=|Awqz9_D|21$s*on`+ptIRfHhWAzr@~{%cs@#R(KcdA9y70NmPd-L~v;hroen!;6Cz0OF#x-Jw zu};RL>!;QHUx4~YJS7BmM^2f)dPB=M_9mF=E(c)zfk?uzJ8P-;$^GyKHhc2{^!xL& zKWO~R{{2s{@=vf_VTHb zdegG|thKQWP=~*Q@)4>4HYb7D&fF)#-b0B#Q|vo7udR`FM;ko)c%9+Di2~3xi8vTX zFXPQB@M0J(8y`eD5e*8asz?=F)fw6LsmgH!kh^B(@?#oQmth3=zjo< CLRzph&Tx z!QGv}m)`sS@4a>3THjjto^=j0nVCJZXJ*gdzdb~2YpM_v&=Fu@U=XXRD!sAqDrVj{uLp4 z|C6S7cU@!Rbo2W=t3K&|P8J#Mk(c+z|9QdFSS&#kzDI8>Jgp?lv1#(V?PhNb8Fu=01 zH`Mh1{=)ucRU)JGcedm{E@VTPxF!n;soreg2cdjRH*QolXhyqjnkpxXvaA!AFdUzJ z;M$_lcdp~olHVX*?$-;3YPLj;D7t}gARfN%db~7s6y=Jp_w|$T4!40OapjNnC1ZU< z51W<=78tC23}3QRQ)zI#ZrndL!>*ZeQNDY13jspnBU#+wa_D>{M 
zDw{u>KTLIhLgf1XkqsuM>uW(p;g7f~-G{WKA3B)H@PnNoW`|2f7?0%dP6SH)CEx$* z7|rdVm005H_GO`1?OZ(WFhp9qs4d~!DBT|phsWWr425e5-W^;4&Uv~*UVi?NMCxnv zj>LgNF&fZ~XGJqgBG!%NDhncz3AOO(X?4ra0kv&YW>L)IC*V!tGln5_l-S1(av5+X zzo7(l`Gnfa9y$|){gyf!Wot?JR*2@v#FzJflM<4KWl6IP>h+Wr5u8XNf(Dn;8*;|j zS`uF!+7bmSlJ)jfn8;IN$k-IbvxK!q;dVCwjCfXhC@5_AslR6#Kol09AJ| zcH#q$E^fkQ$<&Zy3yw707xEGYB$L5s7Q)jw-tSwNSc-5}I@DaLOdf!jBpV6!wKyU8 ze(h4f6Ik%@a{!**7=p^BWVqdrkDfnB)P6z`t@t|8^9dn2o4XB%5HpvG9_vn0nJV$I zusgOyw29no65^-gcS7G#eu#vFSRZmgElEUGXUK48w}UUMoDb z#9bCxCYn>v4D(T9O_Hw#_;s|VDg5FXX5j}oKiTILB}YUjM7KVn=nr0%JLc?3Z2Ye9 zn#+OFfpiOdi=g<^L}5X>-H-JjR0SzNIP`d4m1rZ%yiN8#%nH{9R#VM<*j0}Qob-?P z5B@~-$E^;oYP!oRr&}o=6+Y3f<~n(r{5jyW@Mq}fhVAX`^=+B$l|Rbc9)EcLkQQa@ z2Nm7D|Djk{SY7P!M#78Bi?c4;Fa0{@d7j~T$lKyth1u6e#CwnSFw3+;%a=<#Mwc9a zjTVg+jW^~Vz4%n>kl#O+QEFIfnB%K@Qf=2jWjJUQQ`Yn6Yng7om(oswUWKSBwAMS; zJL{ZcZ+@1#HhU-0v(!t$>r#@?vwkaM%=cyACY7gXrb@QfqNc3k!36vE?54YCjn|;p z#diJn`R3MU(+>NV#(2q?RKZk7JIy2!30rDatXra6=#g945#A(TM^q2nd0e9qvh_|C z#S-v7@XK8wYUi4nI1MKUM*@e3Xq$MS9vN{Su|ix(=PU%Wo|b;?^LCk!+gdE}l;vK@#TS>~Lg`p+R z8+=~W8rk~0ZQ!mNYkO&n#eI77_r9v@soNtdJ*frHT*<184;k+=nIwfX@-oyjb~4T5 zsu_|c-}MxE`$jh+4JaC;BIw3YfXAhW*&J>;Y~wsj;_$X{Uv_a z#nr&U(0##S>l~GuK6@>oR`G_+2tQE0!n14;B(Z(cF*V-s z`{LU{cA#dUL|_XlE1`;(jix5xmvxXwQ2D*yeLRMpoL_rNaJ*cNoU?`3QXWeTOW^PL zZ}z-WdZLb`JGzzXl_Hm}htPT;l&Xabn-HIri_n4i555MGDf2bUFAy(Jsc0$Z9Gm}h zhz>S@Rme)YTO(dDvafjgH1>>6%5ir~^_`9X>h({RSLd(BihA8P8>?3I;##P|kNM)u z6EFoc(sTtctie`47B0{Ue#Cbdf31Zch-9?p0_w>pRNedoL7tI{orWH{RL z|8(ncwMT)gR{TA$y}?35K0)Mlvtq<|xx5>jP#mu< zj4rHu*^u1^xvoK0BD3w5gdxIT?Y|CXh@C9+PL`I{B+by)q;DAfG88EEaK4-~J$ZWK zzK+sEzOJrbt+?txp{J$+rnM{`kuJ+lq`dq5LfwV`)VR@?yiK*X$g2v0^ooIhJ{sgt zY5A=GImoEf*!`$)R95d!yi&x&VMl1hHa&$hH70e@fV|Oa>cw7i4-az%UBeIOXC7WN z+wjSkh8{VctyU*S14dV~@dHHz5nd@fDHS)hW{r1#x~_ljh@aC_xj^7a@S}l(ZyGnE z^e+61w{9_S2g}Nqjdy;OmGIP)H#`PIo24CYnzCU*KV~c&^ZffZGLe~#ElBUo@}nQc zGvHdNA)gUX#op|v`a-bF&xMEp&71mt`(2ssduI66!T&riLZX1D& zNbc8<5X*Walg)!>sr0k{vvi2QT4p!}WNr0NVu^i)Te)d7Q$Q=~IWo>zY~0y<4!P(T 
zD0OkZBc<$feK6dr(x~rkz7yDkm52KWjzG1+yJ}XZyAmV$5|GUE0l%QP$I-j}g~JcE z9JF|{zQ~mL?qA=&)i=;b#6$xn&0m8>nj4Ugf~Z0vhbxdEAlIF7kGUg z54|_c_k*5Y^q$K=QZLHy0}Qj}7t2W(n1=&i-d&akZF7zl4vctb)5Dblo5T{u1Xz|| zG=-{Q5{ZfkQwEDkVSdYRufc*fyyD;@*9%av8=F+}uPgmi$v_-Xyuc=#WEclb#0RNQ6;L9y~Jk{{3AX7FKpcmxT+~ z?>FCIq1<732SmmhkBiDq9$%V$z8H6Lziq?)fH&81fr4XzD-yJ$Wv}qirpE_c12sDh z4GeB{91jBbvv~jVr<%fV>|JH*6f=HsHU|Ua176{nM z*+UW{&H9fLlIZx~WFRZcKZrT)aG`Sy}%!^xw}v`)Lbt_@9=XJ^pK0=m7%%<^Tox1%Uru zH<}dmH&s&G0b=W9sN?`f^9NtbZld z^{{nUbOECq^_2Oa3HvYN|DE|?gdpJGvHve#{FBlDNJVp6h5!Wo?^%-}kT5L&ik?UY z2PLgH=n%ck{yq;7=s!>Y8KUD@;5y-qlRgX#ISe%=`8N>E-Ar8AAEnvIJ};D$BcdlF zq%{V-2Y&UcD#xNPe)GpPlzP{6s_lbmmCr6QVRNokmo9JAH-pLYDAl7u;i>3@FXnQ(cv}Et;@KmGpu|Qz%|FHWM$YPSHV7&k2l_N&?yaY2#^znZ*ZZb^#qc^xp-@?h$ z#2r4SgM6#gMI5Sc_8Jy%Z&z)&DgXUS-+n=N$nndDa{fDOY>t;1n;e=Mt7!vDa@haw zTfqN-0;yrTp`H&`#y)fxv+Pv5*a^d5I5Fjs6k+`EZ?mhG3teAb@pxG%7#|x??8cF` zo&J8Of-gs$JM`bKEJ`l!FXPF-iBiAsC1W|=y*z?T!j}90-9e(u8{wiS!Klx7;?>KC z*u5yB1wi+w=zo7T)c$2xUHM6Ip2K@=4y~-+KsDHsMutf7!xT+rihqA1i;{!UuoA_@ zIjeR=`*$V(NKR0AE+3X!$-g~B3vNypz`~or2fDW@>KNn;Bhh#V4U2(}P2q3;6Mntp zU;&s7;U&Mvo8XiapUv(=v1&oiM&CyN+ml!;`IlwQIzO=9;bW66YrF&@|C0_G$^M_+&cqfQwPaBfRZhLM_O2&GV%awc z^ZRW{zJ^$1rzB-m^~bm~#eZ9H8Iixo#KLJzjfCwcy#1rA?_LC#SptSO}-nM zQ+&0*72*a~3bO;<58(H0HylT-SA`CDtLth?BNO9>c3<*eT`l!^bVrfz4+7gfKXGWe zdyGgo0M)IJX=MXpQfsR^w}JO}7x0#S>1MGXL}h@Z!{sh?Z|62i^Hmapj)rBoaGW$&vGl8ZHWp@v|<`_JF zy*jENN;;e}4>}7F8a}v3E#5zCRG%e;5qMO56?e-ucI|j*8cD)fu-T+-JhtRek{Wyx z=nnscI)1EY&;hR56FnPyx%Cj(c9{!xT?%cZX}#Fq+cDBfEiP(4MfasSLFW4B#m0Ju zhi1d?PC|_%M|f1AWzwy&AHra@in}63dFf*e&@DUYt|@3(^0CCZfUv_5YU6O~{h;gdY}h7c`5<3|iSCtN^Q)w@+_3;|Q(NpTziqCI>AW-PpRB)U zec%DDEEUxmAJm>X&xv2OqevTb6eA}G6NS9gl@@p^VD7D6d=4G+KJ$AKM6}2l&r9;i z7Vo{;x+tXE-lErr>3*Ep_I3Or=<2hirJfn4EaV=`XXx3KP5lM}++YeoF2Mrq`SguH zD(6?*ni!+5&rhOLjoxuJAog2y>n()~{I0hO=kpRK&SEa+JhU37kulF^7Gi#=N9mCN zV#`Q~BV|3m+gKnz&qVIMLzybUD<_3)z>BXDy`|Of40l*v*JundO415ftjY%k>L(jzFW>sUG;B$k^yjpI6w!(iTp4e)Gz;W%0(6_qK@aFYO|!G%^OwG+Gd0JV)s>${5)3u#LDi4 
zU$`wpeBFm(DGSYS~@nW~t-dW~*%l+NWJYlFgUb>Cua{Z2T%eA)f7yLkT@x%A; z_pdgxFW@8+t7He{B_`LCjpcZN1s)(Axeq%Tu7)%_P4{?hjpaLiHPWLp1is^ntmk7V z%cjODB2UI92P=YA9GvU!trk38^Yeoj_Cd-V)8rF>*Q#3v`e6*H2`>cZ!^fvjH zxAUh&-)!thYJ*Z0J~N96bf|7&M?+iyd$BOf``x9Xi=@-EfX{fGSpHx!>FoySVab|F z7>G_dZpUe|K6$~qy1vYIrjJclvuEXg^Om$>!Efi!N7H4*izxjMwNcGV(Blfi`(zTE znn*P7i&wD-L6~R(oHNAH%adzv@Zv|KIbRi+cYpJc5a4CVDqnuS{&~x`pNw4D*jWhcXct=k<9WOoWIRwoZ;!_T*!@huHrDZRBloEXu z_c?T4M_qJjS$hoXb`x}tE`XNmMM~CEOegnh$4UBwr--(yBkT@8PRTmFUAVVU`s!Jj zg%C4LGr~VA&;%^#MjON(GECP^nXc#=6*mjyRN=X_U9EdKmer*gdyXp4r{3R;LDipt zj0HfmWsS%W%l48z>4ZQP`28Ie?sPt5?}GrtGfCNF#2(>*`eKVuE~A!0Qd@{V8mv6r zeXMVi)P`X<@3&L2p&UWf2}7S5`%U)QCpqs7#Sl(4O?mM$+$ZdUW+~3Ju7v$CfI@pH zqBbaN657D}#1OLFa@0$Ig9@uP)WMGM&)1mIk~sT}6Am@>eYrRI?lH1e>{j|j$|s7YzzF?yhdYtDAeFK2Qt2UIA}<&p zEuRW&j`;VzesgpftAUNp>e0;sFng&4|5qE}n-_&e?9$iO)-#46RLRalD-?-&pyQ*4 zWWZ94YEaG9Y23&{DDnF5`Ol8R%?iAa0#ff^-J5|0P>TEr;qqsg@Z~k3aI_-GS>i@-w)%h2m5PH$m!_$5z zI+h!5$8j^=4jq5A>7i#(PZ1E<_2~@5-w#{SI+P`U%1ZGrMy~{I+YDjNrMpaq(+^8> zl1g7DLeX16+6ZUme6vm^CoQI&I-IIJ&fZQ@wxVUf*?D|Oln)RxC9aS%dUv`v)nH?) 
zb9;H$axhP8pOIu2uq2P$e7=V$gny}8&_A?8o6tAOr4_3x#uP}wC2zE$(KMR(yzuSe z6Y|yBXU#{+8X3<&HnTpck8l zuIOe=+Gdl;(0v7ma;`uuU(e!`kZM3qtxU-6hP^$*uM&( zMtTED$78dp${uR-ISpCV>6R$*kbf$kn9Pk+EOpe7%nd{ITWd41J_ZkwTEph7#tr7c z!<>uy+9d@-w4k5O-`OSF;?T(W454b7JUduitY}{S7^9N_5q^?8WT0x_&~OrFqQnph z2-);;htGjs;C!^av_@hEAJ^oE+ZyM=7xO}jYsgpeo(7Xklzm-O>jqOA&DYe`cPgiS zBv0+5H%l=v<0F}m`p)cXSVfR%>jss}YiXbwQz+WGW|i(#9nJR3JY{)i8LcBoC}*DRU0 zP*0XSTSew@(-ouiZA`0ksX9m8NkU(7cH%xf&A$4b^Ll0B3=X{C2)x}=2_gk7{!Umn zQ<|^6$W3%1M|CFZ=j&Y4go%7J$xsJjtsCkgRE^37ulr8nbZp!C_wvk%d&T-7ELY-( zdTtV((ot)^UQ(y{)tA+#ji~}!##vMMRsnp^?}>mjrw03e)M~;%DS&M`(;*@?H}K5#tWTGk%&w(|5PTmYzq7Sby}P0#P3(sWo|j46xmcbWGcLQ0}vjU+Z(^^?1Oc zko{urIjCy}lvc6U#=N21?}D%k-#Du@o%HIH9Kd6{R;ZO;zG8EtE)Xa_yNZJ;Ak>+G z2iHSV@s)g|RBs6@DK$ZW*23<-UCN0=dsPafD5${mAW?t+$U~~ZmdTn~%}ckD0#rVV zBtSen>F)pf1Zu?}fI@RAt3=HyQc^CW3>9GRTVN*TUt;NGK&sbet?S!=VXqJ35qjBu z6WqNw+a(qA%PRNe!#i`rS{h~_L>BT?O?;{~FVWI6PTfpWQx%6cy_0N+(d!rUt=~aY zi*fmQbyLd^rKrAMm$qlT_&U(ck-}maQkS(Gy8gv}ZY|Yxxl84`GfmdmWxgv0cc2M- z?ct1u*!-?F6j#d*5ED*qI1NVQj?R%8uA#6w*xfZfjO@dE3P(cT%3y@olg!@1m|sj8%awoDb&WOzy&6{>G9s{yKH4o73hTTkZ9oE$4!>!p_3QK-Rg zi0NeXEVR*N{$Aw`2 z(75R5%x-MihYiB9>j!DSKf#{+74&5WdSq?7yEjO3y5c}8xQ@n}QvHGq0K|bUxEHa>h$s)4;{GTzk$G zniPwEB&tNlGx|#jp>3v%pIr%;Jyj|!I~}D_e&pwwV#-9WXa=T0FbEy+*;{ol%3k2u z(rhYxemvZ-DRr9zexRITu0E+7HAm7jX+aty#0c`i+~{9_8$*DUksWZq|S@1cZD z$3alz^M=j(@Ie9;{YFQVP0)l?tjB^&8xGoTL>r;o z6jOUABeDlO8S@rvx_ak1BhIkp-j9x~y9u=$Ssvxgwf1cpk zgS!O#m{xE_4Ts%a+tRA}wc6EZE$Su{)}7Qhh37L)v)^i2t+Z(r*&!y4M*TCg7KxhK z^lG0^Llm0WRAb^u`QMH-!B=O}U0_>Gew%QCx8p+ zb9S z%K!$SUAMNlIB8v~KR}`zr?(#tPlu%rUfv`Eq-{;@Gri_|O~v@P)N5p%>5EB6WKNv8 zqgaToB9iagK9a^+9FUh1J~w3#Yu;-K_i}fPxkL`)Q&E@rHD7gII)#b$ko|=j45I3Ve-;i_R$Ml}gzS9Yu`@Vsdv9GG zAs!LXJ z>Q|w{qiWjdLCH4qxBeQt`;vS$y&L!!NQ$rD$xD#oR(o!`VA;nwH>M6Wt)9CpTBGG( z)!7My*P!pSEQ|K|BybohgSKI+C? 
zSBS=G+~jNbY1{EY$!@OS$vlN69zd&%n#GJ8ZDTC#?^(J`sk>0`&Ok@L$KIq8c~^qj znU0!0w~)Av__|+hiSEpTy3YEk>lwGp)_b=2r4GJEsFkI%7zTgaU&j<{;sw5LnD>U# zaq~JFr<65s|JXm~;a7({?Ju-O(jQr7e&cqe?*_Nf1DKYre2?P6^;dR*azaiQolDfP zw{eRQ-!6o4){zx+m7+j5iKQGvg*)uFkB(q|K;6mA&f3_iD%{v{PqHHXRt9bP>yT5J zRUqZn$FQZYi}JdhTB~sn44;T^E`_?|CUMiw0TN>Fypj})NX{`e280}q~QaAID^n6L%&X!={Z#mw561C~ve8d44 zXPU6jF=cicbiqj=D;WLKWwop{de(XHWP>ymAA&`Y+gxf>i%;YX*Z?~ZS;1XBsijRRk4^cSZS=r zxh{wAU%yFw$(RqmLmPhq2nz9Dyk zn05G_29`Y|(CTIs*rx!JYRpK^vfah%P)lK9BjL(U#$E7!yHn~@<*onFUysImI^fH#QVh+{*o2Fov*?t32D(6u%FTjXWn>+Wary~>m9vuZfwiY=rb`@)dV zor9dcO{;X-UXzBX1DNcp*O4+c6lm`2Kt_k!=()eVrd_Ow*`{9KL-2EcW>jc&Px(_( z1!n70$QB>bLjy&>5&~5d61gTm!S-sx$bl$Ma?J%D&WzPi)^p1t0v^L*;n%z2!+zeq z&{s)W!Q91Ir;0^d^(J+v*5bqOE(YuCwclx)k6w{QkVTRvAIFkDdwWs^Bdwc#%`D_f;FTo#A_zp)Wei|q zUg#M~17r*2Gv05=-19a~RrBvg+DpO8mIHW4j(w&gZWdpteNFJ^X} z{G`XeB)#!3KdteZdz< zVUl5u@tHROm`!J0e|=>R>bDlvwZJ)`sT zLpJL;ub?5OzrJB-ccI3qN8TsF#`Efm+c-OZPqK0)eas3g=cf}JO3Iq65ycxM;cFVt z*TNvMO69jyv1AoQ+`oiJ<^tscERI=$5PL-n&*gCH2}*;d)}4t(^L;_N?$maFl%ycO z>GMta4dsDe)Ow{%zZ?%%WXEAHwb{=h+51~FiwIYn=KJ*F*6V?iePlPK>GXL$!iDb$ zq+d)1+;tr9Zo%y&#ko{Txa*F2ixyMPt`7z0bWs&VYN*ecv6()zJkjcINMnb}SW`+l{1$Z4rqvVT-^(q*Ty}%1-V!_xjx~QOoPz9hXL9=O*^s z(+A(k{H6%5^^C#KRHXZbZyuzj{(s4Pht?gkeV=Lf*##L@#d!f-bC-6xv9j&@|FWx-nrs&Thi3Lz3=6 z=i`;2zK4?6x)7-qTj>av5cysbM#)R+86c_e%oP13fTi6Ud)xxuSPCD)!O+}=Ms>~c z7=2CP+2i;lstmh>J>d+QZbb^{LNGx7MZG4$2%NRwEpbkkl|;J;NR-OYPM> zWF@W`;~@aA^F^$+3K2c*LvNowuDe2Dy(W@2qMm&Mu#KCw5fU5;u0ED)teF^7ztXmi z`V&GO#qy2d=7;B3>h0vjaR&1R4B#HYSs9=v)b@LRK>K(fZ_t+>=*RC_xOV^`Pd8f_ zsA1) zlSmo@R@$W5n-09$+t}!0KJRE{r#XAqq&euDpyNN+u7Z(cHhSNYXIcpYFa@w+W6il# zE_n?sq&tGGB}B1Z@m_Sw=$SYuFK#TQp?xDFj{`2T`?DKciO)n!D?I5Mf|RG&_w&&+ z>Se@GzTz7ArO-t=eIe1%1#FUj3NBI!(>dD^r9k#6z;ds{iIYEFd!e1*<2L@Q?TphTBCyn@R+!%%uhQ8)DmhaBe^bw7hA) z&|2nb%0VOOBMh=j+bOGBJRhoooNqjmzuaBEU)fJWL_!DzjuA#+kC zjPDE}Va8h?gJ&E_&2wBQAJw37LldGFBD zvC?_IIobd7$Fto((;E#&VUXIE3G&!GeMrUo%XsS!@u?hUy*KxL_D**q&!ebCS0o~Q 
zTw(B)`9<_Cj;-ejbc}j8=g&S%nHJIhD+o;Xo=agV>B;f0y#5xWSRcwk_7$CuS(mM6?{cyS@dRWp~?;r&~}VW8oN`cPhiWH0H1k6DikV9^HaSgGfWu>6S39a(xA3<~x$Fn=-M_KK=*8(oMo>t5B zo$NSyf@ZZyFxz?9qho--Hcg^6?ZR-U#r{fy^uD=&b%v`gk6Jy_K^e zi%hS|;hA~L6cvX%giO8hg1QHO!+M2-wM|4v!73J5<*ba|@$Gqpw{l^FJn}tlD1z+|MS)T41tQ0o{#WAr?*h?Z+%i7F1VuX4tv6Vx& zmguU_H11h`ilZ!5x=rSIqh{}(qE5z+tG}gOLI)D9-Hrtv^-!BVVXn6w@cx|Y$VwCH zD_OGTP9HEwu24dOpJWq%|A+_GnmW4$ryGnsg^c2 zv?CkTdOX0hKPYG~(so6D?9+c^0XK>#am$!K9QFho0f{eSLg%M=i0u!#^Ljd&_Y zD3ETlEK1IYvt80*=cJ^d$#-CDaFI7oDpx8vPlBVnQQn}vZRJMo)s&LX1Uuq@aPCmD zX0IOMC$DP|As%e4-2E`p;#4+NF3t8F7A}GZIhv$F&)Z`(gmJZ@p$L(hWMjf-E(<%Y z#ezt$h_9T_)yGY^#0#G~cAY~gR`UR{u5Dpw#8ivG6&cE{M*XULi{(J3K#u^|05^C6 zDO0Q?APhx3h&;@!2Qpmnb&3Ab+-ps%W<-1T*++0|i6JkEtYD2nCSciuNz`oM>q&{V zJFRi~L_8A>*^3UCL0&kNpRO~^$MYBD_CoYl%OE}Xuw-kx8;PwA2jx09-CC2b)8MU zoFOAYi`FUZ&fnAOX^-V>qxbg$HxrhUrU~}mqJe2?i1ixnp9P(N%39`a#X2412ILNR z+dlH{!A&jl^m3)|((Luni7}r7XfQ00JpjxLl$3vkVs0^C2TMEsWMkTDs`rhETWp=S zjyh;^;{3lC1Ji`C%eR8!ppFLfeHYYEG&8GzMdT2h9aoPrx*q}p1^p;tC)BnY+}()Q zi#Fxt8YdZ@0eYhu1$G|hpyREGkB_PYyND-wo@D0=S8c%av+|4*nz+ItDog?X*T+Yt z!kQXpcthItjdA!IQvCSE&a-Gc{0CLmFi)Z9do*GTCzTUyN4qIo$GyC9MtrnnO?`-&((#ZAn}q2cj#<=gXq~*- z{LiyjGTC0|UmU7?@s1*3x38tE2xylxw|W;9Z5KQar2D5<2(NCz3sKkyK}#}`VtLbt zv6X*P=EteOj(~1n9*?<-X78@2yJ+GxjvSrzF$OtppK%Yf9r&Q(kAZfJn^@sro9G=* zT05PZ%s>bnS)u+)`oxS7mz2rm^`jfBaX;NCbInwz&$lcY#K6@mi1q{lu0g_u5{%r4 zO^H9ps;gaQ2Qs78B*+uH{BUoyk6|x$167s#z4SecR9dXqx24SZTeLg1TBLRj5XpdC z*90l|_F8ZwMa`AdaPIRD z7U7U8AGUProFf`Ci}peQ;QN`oJk#L}`a+@lES(ffTw(Z1yllCRobWEaC2o#a2pS3r zdt?gilvydBC$+V;kZxO_#>v4q!>tsz5gBxvR+^=P>Eev?Vu^%(kL%$&k|W9G?>4Oh zELk4P5~UfEe;o=vzSx@*TL7UnR0Y$-Cf_d7hE+e8sTEd?B&mx*f%=#V3&90^QG?>| zCW^Y#H*Eu3c;)SX&Jj2n+R;w$M4d-^7iENF4!qcgW@xc1z#!?Ri}k;b>Rfs_CU9}e zo;o_|Jz<2}b03@Z-IOUssn7>kVq!}DDm^-T1dgb?Ie^O&3-{Miz#6Dt$?iTg>z3|K zK@10Fgh|0}j|Wk?)AS`8sbVe%g}w?f7`vxt)WnCn(*Y@G9s0(5inGmcZzP*o221fa@^U0caAl&nt!pkq8GT-M(pFT$ zv|gVIo77#P8ewrLQ?zwU^)eF0qDRDZ?y%u-5ISQIOj)aITFYAesuQKJbkE7qk}0Ye 
z)u2)#{X(Xfz}F29L!Bc~Bc-^8z#+Ri_2B0X`f&G+7!yIbB^ZFUPow=8yv#u*|oX$IA zLdWHYTKx|84)xy8`%W>+D5*Ge=$0;pul^{RAl_!Bf^8xt-%}eJRxtpGZ_qyf`B2k_ zU)6(+m{`u5Q!`(TKglnXiEe-3;rDSYHQbOVs`|;)a&fF?jrnap>#8l_CLdq}Y`J|M zIYq-uaucKNRx>18wh`CGIeck7q9u_4p-oTW?M#1Yh93fnrk)GqHAP?ZWejaTXghKC zbM}>BRw6rh^pQ$beX9(bU!%q9#@nidXn(SWiLX6;CxEj;KCuKQ0Gfqe=a$|+w~3ko z4(_#!TAI?>0PVfM5dkonI!jIcw(@1V@%x-xF_SomCYA$ONce0|Dnl#L2#29%pOehm zI_)Nnj6Z}sHcGm|0Kl}+LpE#k<*f4&Gz%?;6eyO-frF)TRdY*pmKAuWae^3)JLN6c z9*i4TJsZ)~rG(pUi9hL=@DK)CDth9t(60KMn8Jxy-I)fzMhfaeZ+t`ZFXl2K7{0~B zSW&I#R-}FabE(8}?fHf*%|lPh&hc3go{R44)RUZyqtEAQqL>wO9lK{kRef0>I_s#R zr(GW8OtF>w^PjZq;W2>kr6|8+2}RLRzz@Me2T08>W(dF>||m?7&Q%CGVs`Yds=3nQp{uSNGrwH2Tn& zwO4*3ESVDdXBK!W_4A4ndZ6gpjP}RexE4#Ke~$qp4EROt4vlDH*ukhu)<2%O@DUa| z6;OPS@3eNO-XkgyKil*s+Lv;QMYSIe`OqB_SyXygtfjri3Ed$yxsBpXk#< ziBK@gjq13*6o}Fm*f4&t2*XsL z+a#(Z5mbGJjio=FLTuvhBGS8fKfz}mf8-8TRHmn_A3(bvcTL%?lR|Yp?)m^-4g%-e zHNA{A&k1v5{^*Fgi55J@G;js|Dh;vUevpWtW;Jisk!6Yj>VR8Os4eFtruW>E1<1v( zR?IZvbq%79$yju%3*)UHUSzO-VBws`{JAIiyS6FKOk!oK_M&XLzqQ@!S_)@eQul8T z!g9iHmCIawX!dQCI_Geliu@p|dsO+g2#Q>HstS)(3W<3I6T(C!#Jxp~qmG zZw-Xhg!fzBbG=wN`LnfEwGEI!pYGRHMevwdocmIyqO7up6If`A!K{RA^0{npL`-d@jje7F34s7O$X{5g%ZiXjMgtTZ0~EPNlrnXb!uQ1puB z^LFA5EgpUmrw8tp6OB}}B(JCJ#nvO5q?7tPrna6Z(>jVkXG2S00Sf z>hnBMzQY=6!0K2Kl4{vdP`%i!K}h+x;o6?Xk8Iu%&-=1)gm zuz$`Qw(Fn8(RstQl}_u zklBZeR`=+KZ3+5jo3E=2-FEpu`jM*{w^UlSJqUYS<-{|=f5%Ce=bKdRLeC~12s(DK zhdIhGzzA|XmcKWaUT~A^+clKq_z7?5@)2KzKt?sH4z<2Iq(qoxhT1CT-@LO8W5@pM0v(q}TRzU)A02wFlO zbvw+dmXvPGYWDJ#U^e42)1Znmn=HeUOwu8deeqI>DU7VxL~d-}7+?nrU%}M_l%?Co zd>2T&UiMYI0GZV`D(tT_R&%4L@~08iRrlLh8f}m{=-FvfVlI@UbM+YfuZ`4E@^~_& zcNN9Tm|0J*7&()Q-?{{%9?)VTNtsX_tiQ%z$;DhuX=<4%h=rQ^_1NxRkUlvn0N95M z?V}T{w%(((abRZlB1!&h7--=?V4%RJG9Pg-TNqiKd{%hC)!BJwIP=kx+~I*NAl(=h zhziLizIEYHRGNs<2*-TM!y6;uIymSy8lWi*XY{QJbW5w8=gSA6ZAf3a&pH8+-fv7` zY%-3HMzs$!Id;9gVDX0GOuotHZ&#nIfJ+}64E7=OvF5w`a2i5FwOiG}B$7iQ>gYmM z5R(t3kk{g^Ta5F{1)ylq4)d)LJ5GeeXG&66A{I-2qJS3iZ-fpTp`1&%nSJ*`8D4-s 
z`^f{=?cq?G3Gi*Jq2v-%`5_uyE=8smW9p_pf))d2T)||{)g)q! zJ>KwgiS2GyJ5re=fJB>O zcd-Q)$o}s8q1q*J=FF5Y-IRv3d(so!-j<~yKwrnlL#QJaAB^bdts9F7X!DigIA?pW z|7)BoRmB4zb0pqzkHbwuyn(=FT5lJn)hkVHZUw{T1aRV7u{N$C1_0`a4~=GIkW>sVgpT z2(3OA$crj!+R^GCa*1+veUKnQV3?d0SC#%I`ae|f0^Jb>e1{30bp7P;FS?`!6XpypdWB|+m&HNf$tl8IL&1>yGSpj)%&OaSX5I-xd5V` zB5LOQQ}id!cJ5`mqH$~hN7wALFF=dg=cdI0>0krO12}mgrRc8`N8v@HCt(mig2Obw z*O5~W53>oF%l7MQWxENmRhUX?d8^tg;Z^I5m3zMY0Qu&>DK<6d|%4O0WsKTdRJppD1cg+%pLDl8neYoOPwADn;)4`>l<16R1b%pE=TMXMwy-+)~x0) z*p%cx+*!X-U6&LFUoPJ(9ZM|oK#a7&z!?A^`C8o>do>B@CU?BHY8BH=HJc7Yz*7$|%cdPSPhSLCLUD5Waom@3W4pXJfpMvPX)JE75@@Q9tcUx=> zO~5CbKoJ`uN#o;MkCwp58_j&&Mo^lAS3}gr!Iby4_LsPVCkK3wpfYlX#dnC-g}$fS ziD|r43=ZEp>|zc$%5;B~;z@l?a?YMwR@;y0+J+N2r-x{o*(SUk@of2YoA3Y^*HDE~ zYO`I^MbGfo59keMNX6dt3WIR76ED$MJ12+HDZihpR$>gxQ^pN{NQ$Ti*$ z{iy8^FI8h*fHG{WSvY}?hQ%P7a#34ng=gtM45}%=hG`$%YbxVkXK?`Xg?OS@G>;Vt09nVVWS&Qs7zAHCg zBSyCoaCL#vA+@vgPegP+4FS(C)X3dd+=#WX0mL4M7ovN|(4+mY!G<6v1v8w6$)ft* zEkK26FK51)VF2xFlsnsCLoOvqTams1Ef~!h#I8*{6dg|$*6JMyKCV6k9u@vm*3n2# zkY?d1>()nNybLO<1PFfcw!Fol|7y8lhEJU8XE`)3QHJY4Uj)x?*PT+b>>p>LYv55> z*}@W%7&FQuOElBYlnRtEF=T_0+smX9t+FZ8Ub6X3-71{;1cD0b%awPQ7%|KT%JFZI zq8D0wh~fs85q^aHh~0FzT&bNTJZ9Z+qpKt!f+I;)Zirx$el+f(RZ{}~a3saD?Ob`Q zoA6q2W*>h(Hh#cY%ElCyoIQ^9=ja-|v}R*}=t-nq?k8wm3CVpyL=ki}tW{JO(XB(DMKNZ)K12#l} zA`an2fpdKuZw|PuQr*-xatR{BKj)T+FWg%{GxrC0Z;hwZ^;xlxDt4TKWVFqADOtPg z*{szy)OnBZA$K5-M~luEs@dK8!GOI`8ngXWq8i)Btbcs> z`H z#swdJlyEU~`Uu{=1^r7Y0`YpIp0fhxtS2#A3VEhU;2ZgbUA4_O32U&-HO1`qIs~Yv zURD8<^34Xb7NOikLTEtsGGBYgFx1ufoKL)&e#B0*mdagtz0aP9Noif(rSYV*H}o0f zrLz!ApwrwtzeH%5Ygr5Aabj21Vn@hDJM4==nBX7k_`e3_iV0tu6_Sz01>Q@*2Ju98n?q zJHkSb_646!1=T}9a41>M1R{~ydB*>g1Y0tSw-?xatqJGn;yf>(ne^cv>LxsWxqS_o ziWOw?;vJ6HzXUY5=fPU4I_1%op9c8QdV0dTzq8T?H$#!Od41t0HA$O zRw7f0q2j{$k6+Wz2Vk9=K4TyFy`QQY zj)b(H2@nG%3vLx_FI<+z#{hH(Rum__)g51%VT6>CfuN7xe-~fy6Gjy^e&24;cgesF zB3f%E>uk8}+`i@<=9wLxN4~$Dgvcvem4|svB?oAbUn9wSpUL8^2M@n@NpjCd%#=xk z%nGkdl8mwhVI^=e2Xi>;xgyysH{=>qH1R!=Zq)g2gSJ#QhW9V06K5dGJT^|-{@p-? 
zMP~_5BE}3M%nx5c_1lF_ay&VH7v?5UZ%d#T4K_V#&P-4$vQ3(!11w=0vUH4hQlNZ7Tctq>_ks@*+N_ zq&nA4$y^+bIv-^BkZ6-KehQM8Ha11qa|U?~N_9EaEQNVd%DKplisq5U1^pV+Go4Gi zL3-mBvtM)ghZsWWGuJ+6;~drw1fCoMuV1yxLLgX+$lcb5&SDM_-g}z+p+X1Ip)`0& z+2smw!Yj{AW1zh)YifNdP}36SP2}Q%$LRNLUE(&h=PIlNrxhyjpSV;Pq>ArlQ-z4?B!sOBH$ zCs+WWfL;_};dk${y)}Y$ zOZkh>Kr|zdU32^me(t;FskcF!KzV0gJa15}301C|36Sz0Pq91gr)!q?>$Qjxm5OgW zkhc6ISkwe#GO=o_NIESIB*3@h;;V=fe$B-H)_dG>+~t{U>zYF{d8nS;(l549z+TJP zZP$ToD)!wQ`S|D^3kSZK8Vw<;p!)%T0r@$8YVTdC7gYe>2ld3oHebA6ijolNeGY!TIR2jY{HlW{^vq)77dnQbT-J?omWcG)Eny$gs1j$uZ%c|`!% z^G9-9BzM6^YMj7cUH%>$&Ov0y=c?JUs?yAX;Y&u(qvx>!N{;3MDPXIMhO6E>fUfyl z^tqC0*?er7^m3?mR9wUwcBek>+6hCELaq{#c-xREs8BUgq?9bqR{4k!;EscyVS(I8^`s)g=hW_B4wKnnS5!; zep-_U!R%mP{rV=@R7l&9X1B@Qc+~z#td8Xr@XZJ$&hLX;sc-<0RJ|_Bp2dAtv<_?;_ixir3B% z_L!(e++WBs#Wu+e=m|z;AhbCqs5d9|9d;D;Sli1%);`*!9(gd9hozJBwjUIvy>z#Q z(+auA<}vCdHId9fPLlO{OuA_bLv4tB(h8aps{(=M-MX0dk%piABDbzWghGFWfP+GE z|1nh=k|faOYR_NYFpeRM3r?UdUecMrrvzqLt8ZKIu!DKX`!>r|FH~*0mWlo5rDO7M z2RZj}P-`E;D1<|DIHa9)Qiwt7HQiYxaw7U7`VnNLZVQG87_t#?WiemXtaJX1UoOT4 zKe>ihi|d@>YFs$hCC&@0O_eT97vskpjhB}9 zm3}~6PYD^Au|=3NGVzyOUKG3M7t}>&kOtCP7zZ{G`@Np$i30-@ZR16Iboqc-zUgiOty9DCxCg!6_g~C_;DZ?!OH6*n0GTa4R=P26 z&GbzKw|e*MgJ4;rH+ZPw`>FRWp_iz*k7Wj#O#IVyB@rD@piuk_d~=?``cz`;yWwos zQj@~8;UK2RcV8>xRPp${XUD~TbYDTzlEFJqD}DAoA@4>b7A=Jg4fQK{dCd+n*CQf7 z=&Yw}ov;7^lkA=YckA0XvLi4$6=bBvp};!8QyundX8|7OOTG3GmIV0=*Lk`jV=)wo zB*w&}UR(B}z2SJ>_!wT^(Mk~eW87Ds3HlmEtAq_N$p$=uc(iuEI25@-Ed=1iAod76 z2?=L7fhDThfUNsP(Q9#2~N4s>KHaY zF-Ww%Ge#8d;kh?EPWt%?hZQ21g14bPLCPO$)V!x=R1!WJ};Po)zZ(||PmpuLc|vMDX@x*dsVVV>4g zC^pVNp02i{Jcvbz&c62#xYVI`9Y&7Ed}*~*6k!)Op^iM? 
z0^$S7oz!a2EZb^|E60tTqnwRH+MedgC%3)Nij$bGrnFq^V*6AAO#%!?*CV8PA-E>H zGO5J74H*k)*yFhl?9=_b$xgdNv+38Q(B7n(U6S5FP?- z`VpnzzyuIMOVL=pUz?>C`}K7(q7ZI~$EXPa~Y}zP!LDg~0iZ{!E<;G5*HLpD8X{AT!ZH z7lu#ABX6({OW@ir*J6T1&q4Unh`P>=(&G@iDoZ1qtFCo!5G*It=N~hs*ZzPPAGe1V zM`vI7sF4zQ2_J9PHypAPQAg9ovt6sm+PPg8U|>2dLcLTfb6SCeUCJxf)Qg_vW&+uu zqV)^^51`xc1Dd!yzuzsb4ehGKECep>R&DQ@5p}w>%Uo*^NsZ6f>0LPZ6qr$&?FQBM ztOc#*6t_sm$$}WYHkLNOIrmr`NNyKx=W33CtZL*4cEfA#ShM(aF?#PGg7+p%`j}f4 z6NPDsqpB%D9e|%y@|{1XzSf3